The purpose of this section of the policy is to determine the protective controls associated with each CX Index information asset and to provide a foundation for all employees (and contractors, third parties, etc. who deal with information assets) to understand the security and handling of such assets.
CX Index’s data classification system has been designed to support access to information based on the need to know so that information will be protected from unauthorised disclosure, use, modification, and deletion. Consistent use of this data classification system will facilitate business activities and help keep the costs for information security to a minimum. Without the consistent use of this data classification system, CX Index unduly risks loss of client relationships, loss of public confidence, internal operational disruption, excessive costs, and competitive disadvantage.
This data classification policy is applicable to all information in CX Index’s possession, including electronic data, printed reports, and backup media.
Information must be consistently protected throughout its life cycle, from its origination to its destruction. Information must be protected in a manner commensurate with its sensitivity, regardless of where it resides, what form it takes, what technology was used to handle it, or what purpose(s) it serves. Although this policy provides overall guidance, to achieve consistent information protection, all employees are expected to apply and extend these concepts to fit the needs of day-to-day operations.
Accountability for Assets
The purpose of this policy is to outline the methodology for identifying, classifying, and documenting assets in order to provide protection that is commensurate with the value and importance of each asset. All users are expected to be familiar with and comply with this policy.
In order to maintain accountability for assets, CX Index will compile a list of all its information assets, and establish the relative value and importance of each asset.
This policy requires that all information systems be identified and documented with a program in place to manage assets company-wide. The following will be included in the program:
- All assets associated with each information system shall be identified and documented.
- All assets shall have an owner.
- All assets shall be classified based upon their value and importance to CX Index and/or to CX Index’s clients.
- Classification of security assets will reflect their security protection levels and their handling.
- Assets will be categorised into logical categories such as logical assets, physical assets and service assets.