Classified information is any information requiring protection against unauthorised disclosure, modification or destruction. The objective of this policy is to define the information classification levels used relating to the confidentiality, integrity and availability of information, whilst labelled and handled in accordance with its classification level.
The scope of this policy applies to any and all information processed by, stored or related to WeThrive.
Information must be accessed and protected against unauthorised disclosure based on its classification level assigned by the respective owner of the information.
Processes, information systems, mobile devices, services (i.e. email, telephony etc.), storage devices, areas (i.e. server rooms) must automatically be assigned the highest classification level of the information they carry with respect to protecting that information accordingly. For example, if a filing cabinet contains both information made available to anyone and confidential information made available only to authorised people, then that cabinet must be safeguarded with security controls that apply to protecting confidential information to prevent unauthorised disclosure.
Distribution lists of confidential information must be maintained by the respective Information Asset Owners and access to those lists shall be granted and made possible only after obtaining their authorisation.
Information Classification Levels and Criteria
Public information is that which if disclosed to the public would not cause damage to the Company or its business, including its employees, clients or affiliates. Disclosure of such information is usually required to facilitate WeThrive regular business processes.
Public information includes but is not limited to:
Informative material relating to client service.
Information on public events organised by WeThrive.
Employment opportunities released to Job websites.
Generic information of WeThrive profile, mission, vision, values, principles, interests, awards, and responsibilities towards its clients.
Disclaimers added on documents or emails.
Information provided on the internal network or email system such as:
Standards, policies, procedures, guidelines, forms, abbreviations and other information relating to specific departments.
Information related to the list of vendors, affiliates, or other third parties with whom WeThrive maintain agreements.
Inventories of hardware, software and tools installed and used by WeThrive.
Emails/usernames/contact information or other types of user identification used to identify an employee.
Personal or sensitive data of the employees’ or WeThrive clients or affiliates that can be used on its own or with other information to identify, contact or locate a single person, or to identify an individual in context including:
Personal data: Full name, date of birth, birthplace, home address, ID number, driver’s licence number, passport number, credit/debit card number, signature, salary.
Sensitive data: Racial or ethnic origin, political opinions, religious beliefs, memberships in organisations/clubs, physical or mental health conditions, sexual life, commission or alleged commission of any offense or any proceedings for any offense committed or alleged to have been committed.
Strategic plans and financial reports.
Audit reports or findings.
Agreements with third parties.
Information related to incidents reported by employees or affiliated or had an impact to the business of WeThrive or its information systems.
Technical manuals and configuration details of Information Systems including all IT Security systems (i.e. firewalls, IDS/IPS, anti-virus) and Information Systems accessible from the Internet.
Audit trails, physical or digital, containing information related to accessing areas, devices, systems or equipment by authorised people.
Active passwords, digital cards, door PINS for accessing facilities and encryption keys.
Security assessment reports.
Labelling and Handling Information
Acquisition and Creation
When information is acquired or created, it must be given its Information Security Classification and handled appropriately for that Information Security Classification and any additional particular requirements.
The Information Asset Owners and Users have a responsibility to classify information which must be clearly labelled with its security classification. Information must be marked with the highest security level that has been given to any item of data within that information.
Electronic information must state the classification level within the document (i.e. in the header, footer, subject line etc.).
Hard-copy information must be clearly marked with the classification level on the document.
NOTE: Information deemed public does not need to be labelled in any way.
When anyone stores information on any WeThrive systems, the stored information must be relevant to their duties, and this must only be done in the course of those duties.
This restriction does not apply to information temporarily stored as a result of personal use of email or the Internet. WeThrive reserves the right to monitor and investigate any information stored on its systems.
All information files must be labelled with the highest level of security classification required within the file. Handling rules for each classification are described in the Information Transfer Policy.
Sensitive electronic information must be stored and kept an access-controlled directory.
Sensitive hard-copy information must be stored in a locked drawer or cabinet within a locked office.
Access rights to information (manual or computer information systems) must be role based and not individually based: that means that a particular individual can access Confidential or Internal information in the course of their work only if it is their job.
Access to information classified as Confidential or Internal, (which will include all sensitive personal information), must be limited to those authorised to view it.
Classified or Internal information must always be safeguarded by authentication formalities, whatever storage system is used.
Transfer or Exchange of Information
Any information transfer is subject to the Information Transfer Policy.
Disposing of information is subject to the Retention & Disposal Policy.