This policy seeks to outline the guidelines and practices that govern decisions on data classification at Door to ensure Door accomplishes its mission of providing high-quality products in a sustainable and safe environment.
This policy applies to all data assets owned by Door and all aspects of each asset. This policy applies to all employees, contractors and consultants at Door.
The intent of this policy is to ensure all employees and functions of Door are aligned with the goals of Door as they relate to data asset management and to ensure assets are managed in a manner that maximizes benefits, reduces risk and provides satisfactory levels of service to customers in a safe and sustainable manner.
The purpose of this data classification policy is to provide a system for protecting information that is critical to the organization. All workers who may come into contact with confidential information are expected to familiarize themselves with this data classification policy and to consistently use it.
Door’s data classification system has been designed to support the need to know so that information will be protected from unauthorised disclosure, use, modification, and deletion. Consistent use of this data classification system will facilitate business activities and help keep the costs for information security to a minimum. Without the consistent use of this data classification system, Door unduly risks loss of customer relationships, loss of public confidence, internal operational disruption, excessive costs, and competitive disadvantage.
Applicable Information: This data classification policy is applicable to all information in Door’s possession.
Consistent Protection: Information must be consistently protected throughout its life cycle, from its origination to its destruction. Information must be protected in a manner commensurate with its sensitivity, regardless of where it resides, what form it takes, what technology was used to handle it, or what purpose(s) it serves. Although this policy provides overall guidance, to achieve consistent information protection, workers will be expected to apply and extend these concepts to fit the needs of day-to-day operations.
Public: This classification applies to information that is available to the general public and intended for distribution outside the organisation. This information may be freely disseminated without potential harm. Examples include product and service brochures, advertisements, job opening announcements, and press releases.
For Internal Use Only: This classification applies to all other information that does not clearly fit into the other classifications. The unauthorised disclosure, modification or destruction of this information is not expected to seriously or adversely impact the organisation, its employees, or its business partners. Examples include new employee training materials and internal policies.
Confidential: This classification applies to information that is intended for use within the organisation. Its unauthorised disclosure could adversely impact the organisation, its employees and its business partners. Information that some people would consider private is included in this classification. Examples include account records, department financial data, purchasing information and vendor contracts.
Restricted Confidential: This classification applies to the most sensitive business information that is intended strictly for use within the organisation. Its unauthorised disclosure could seriously and adversely impact the organisation, its employees and its business partners. For example, corporate level strategic plans.
The guidance for secure handling of information assets of Door is as follows:
All employees are responsible for understanding the type of information they handle and ensuring the information is classified, labelled, handled and protected appropriately. Any employee found to have violated this policy may be subject to disciplinary action in line with the HR Policy.
Door will review information regularly to ensure that it is:
Factors which may impact on the retention of information are:
When the retention target is reached, the information will be reviewed to confirm whether it is to be further retained or destroyed. It will be destroyed if there is no further business, statutory or historical reason to keep it, or selected for re-review at a later date, either because the business need is ongoing or because of potential historical value.
Door does not currently have a preferred supplier for asset procurement. As such, all procurement must be approved by the Business Manager using the company purchasing mechanisms. All technology procurement must also be approved by the Head of Infrastructure.
All assets must be registered within the Asset Management tool before being deployed.
All assets are registered within the Asset Management tooling. Physical maintenance dates are captured if applicable. All software license renewal dates are also captured.
The disposal of assets, due to their need for replacement or upgrade, or merely because they have become obsolete, surplus or redundant, is an issue because:
Door aims to ensure that all IT equipment is managed effectively, including its disposal. The organisation understands that responsible IT asset management and disposal is essential for GDPR compliance. The Head of Infrastructure is responsible for overseeing this process.
All IT equipment that is identified for disposal should be updated in the asset register to confirm asset disposal. Any IT equipment that has the potential to store sensitive data and which is no longer needed or has reached its “end of life” must have its data securely deleted/wiped and sensitive data deemed unreadable and unrecoverable before:
All such equipment should be processed by a registered and approved contractor to securely remove any personal data. When agreeing a contract with a professional equipment disposal service, the department should obtain clear evidence of sufficient data security arrangements, including a written statement regarding confidentiality, destruction methods, and indemnity should the contractor fail to adequately destroy information; companies should comply with the ISO 27001:2013 IT Asset Disposal Standard.
Computer monitors, printers, scanners and fax machines are defined as hazardous waste due to the metals and chemicals used in their construction, and arrangements for their disposal must be handled in compliance with the organisation’s waste policies.
This organisation must comply with its requirements under the Waste Electronic and Electrical Equipment Directive (WEEE). Small amounts of obsolete or broken IT equipment that has been effectively wiped of any data or does not contain any data storage potential can be disposed of through the electrical waste stream at a municipal site, or disposed of via the manufacturer or an electrical supplier.
IT equipment must never be disposed of through general waste routes. It is illegal to mix computer waste with general waste or to send untreated computer waste to landfill.
This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.
Further information and advice on this policy can be obtained from the Door Team, policies@doorfunds.com.