Data Classification Policy

In order to effectively secure WeSalute's data, Team Members must have a shared vocabulary to describe the data and the corresponding protection it requires. This policy describes how company data is classified and the levels of protection required for each classification.

Data Classification Standards

All WeSalute information and all information entrusted to WeSalute from third parties falls into one of four classifications, in order of increasing sensitivity.

| Category | Description | Examples |
| --- | --- | --- |
| Public | Public information is not confidential and can be made public without any implications for WeSalute. | Press releases, Public websites, External documentation, Brand and Design Guidelines |
| Internal | Access to internal information is approved by ExecutiveOps and is protected from external access. | Internal documents and memos, Design documents, Product specifications, Correspondence |
| Company confidential | Information collected and used by WeSalute to operate the business. WeSalute must uphold the highest possible levels of integrity, confidentiality, and restricted availability for this information. | Legal documents, security practices, operations documents, internal taxonomy, employee PII, employee salaries, contractual agreements, data dictionaries, product performance, user counts, performance metrics, financial data, accounting data |
| Customer confidential | Information received from customers for processing or storage by WeSalute. WeSalute must uphold the highest possible levels of integrity, confidentiality, and restricted availability for this information. | Customer operating data, Customer PII, Customers' customers' PII, anything subject to a confidential agreement with a customer |

Public

Public data is information that may be disclosed to any person regardless of their affiliation with WeSalute. The "public" classification is not limited to data that is of public interest or intended to be distributed to the public; the classification applies to any data that does not require any level of protection from disclosure. While it might be necessary to protect original (source) documents from unauthorized modification, public data may be shared with a broad audience both within and outside WeSalute, and no steps need be taken to prevent its distribution.

Internal

Internal data is information that is potentially sensitive and should not be shared with the public. Internal data generally should not be disclosed outside of WeSalute without the permission of WeSalute management. It is the responsibility of the data owner to designate information as internal where appropriate. Unauthorized access has the potential to influence WeSalute's operational effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence.

Company Confidential

Company-confidential data is information that, if made available to unauthorized parties, might adversely affect WeSalute. This information is to be protected against unauthorized disclosure or modification, and might be limited to executives, HR, and legal parties employed by or under contract with WeSalute. Company-confidential data should be used only by pre-authorized parties and should be protected both when it is in use and when it is being stored, processed, or transmitted. Unauthorized access has the potential to influence WeSalute's operational effectiveness, violate contractual confidentiality agreements, initiate a security incident, or cause a major drop in employee, customer, and industry confidence.

Customer Confidential

Customer-confidential data is information that, if made available to unauthorized parties, may adversely affect WeSalute customers. This classification also includes data that WeSalute is required to keep confidential, either by law or under a confidentiality agreement with non-customer third parties, such as vendors. This information is to be protected against unauthorized disclosure or modification. Customer-confidential data should be used only when necessary for business purposes with the permission of the customer and should be protected both when it is in use and when it is being stored, processed, or transmitted. Unauthorized access has the potential to influence WeSalute's operational effectiveness, violate contractual confidentiality agreements, initiate a security incident, or cause a major drop in both customer and industry confidence.

Scope

This data classification standard and policy is to be applied to all WeSalute data, both physical and electronic. No data item is too small to be classified.

Policy

WeSalute managers or information owners shall be responsible for assigning classifications to information assets according to the WeSalute Data Classification Standards.

  • Whenever possible, clearly label each piece of information with its data classification.

  • All WeSalute Team Members shall be guided by the information category in their handling of all WeSalute information.

Policy Review, Disciplinary, & Responsibility

Disciplinary and Non-Compliance

Since classifying data is an important part of protecting data and systems for WeSalute, Team Members who purposely violate this policy are subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their Manager or other authorized representative from PeopleOps, ExecutiveOps, and/or SystemsOps.

Responsibility

The CTO is responsible for communicating and upholding the Data Classification Policy and Standards. All Team Members, contractors, agencies, and freelancers are responsible for following the Data Classification Policy and Standards.

This Policy currently does not have the required policy footer content standard on WeSalute Policies. This may be intentional by the nature of the content.