ISO:Information Classification & Handling
Information Classification & Handling
Hornbill classifies information into 3 levels of classification Confidential, restricted and public. Information that is classified as restricted must, in addition, identify the individuals or roles to whom the information is restricted.
Where indicated below, the classification information must be included in the document footer, which must be manually set to appear on all pages of the document, or on the media on which it is recorded.
Information received from outside the organisation is re-classified by its recipient so that, within the organisation, it complies with this classification.
Information sent and received internally that is not marked with a classification level is treated as confidential.
Information that is sent externally must be marked with its classification level; any unmarked information sent externally is classified as public information.
If any Confidential or Restricted information is sent externally without the correct classification marking then that action is classed as breaching the company regulations and may be considered mis-conduct.
The classifications of information assets are reviewed at least once a year by their owners and if the classification level can be reduced, it will be. The asset owner is responsible for de-classifying information.
This class of information is only for use by Directors or specialist persons within the company. This information should be only communicated, to employees for whom it is meant for and access to this information is allocated on a “need to know” basis only. Restricted is restricted for release to employees on specific grade levels and third party contractors whose contracts with the organisation authorise such access to confidential information.
Restricted information is stored either in a secured directory / folder with strict access restrictions or in a system requiring password access. Examples: Contracts, planning documents, specifications, systems administration guides, network diagrams, drafts of internal documents, staff appraisals, personnel records, expense reports, individual salary letters, payslips, client contracts, third party contracts, new patent submissions, data falling under Data Protection Act, Business Continuity Plan.
Everyone on a permanent employment contract with Hornbill is entitled to access information with this classification, as are third party contractors whose contracts with Hornbill authorise such access. This information has no restrictions in terms of how it is communicated, other than that it is not cleared for release outside the organisation or to those individuals and/or organisations who sub-contract with the organisation other than where it is has been specifically authorized in advance and contractually documented with that third party.
Examples: Internal memos, routine reports, monthly reports, corporate policies, company procedures, incident reporting, general HR forms, training materials, internal telephone directory.
This is information which can be released outside the organisation and includes documents or information intended for public disclosure. Everything on this Wiki is deemed public.
Examples: Information widely available in the public domain, public facing website pages, marketing materials, demonstration software.