1. Overview
This policy governs the security of all company and customer data to ensure its confidentiality, integrity, and availability. It establishes the framework for data classification and handling, and defines the responsibilities for data protection.
2. Scope
This policy applies to all employees, contractors, and third parties who have access to company or customer data, regardless of its format (electronic, paper) or location (on-premises, cloud). It covers all systems, applications, and devices used to store, process, or transmit this data.
3. Policy Statements
- PS-1: Data Classification: All company and customer data must be classified according to the data-classification-standard.md. Data owners are responsible for ensuring their data is classified correctly upon creation.
- PS-2: Data Handling: Data must be handled in accordance with its classification level. The data-classification-standard.md defines the minimum required protections for each level.
- PS-3: Encryption: Data classified as Confidential or Restricted must be encrypted both at rest and in transit using company-approved encryption algorithms and key management practices.
- PS-4: Data Retention and Disposal: Data must be retained only for as long as required for legal, regulatory, or business purposes. All data must be securely disposed of at the end of its lifecycle in accordance with the Data Retention Schedule.
4. Roles and Responsibilities
- Data Protection Officer (DPO): The DPO is responsible for overseeing the data protection strategy and its implementation to ensure compliance with legal and regulatory requirements.
- Data Owners: Data owners are senior staff members who are ultimately responsible for the data assets within their business unit, including assigning classification and ensuring appropriate controls are in place.
- Data Stewards: Data stewards are responsible for the day-to-day management of data assets on behalf of data owners.
- All Employees: All employees are responsible for understanding and adhering to this policy in their daily work.
5. Compliance
- Measurement: Compliance with this policy will be measured through regular internal and external audits, security assessments, and monitoring of data handling practices.
- Exceptions: Any exception to this policy must be formally documented and approved by the Data Protection Officer and the CISO. All exceptions will be reviewed annually.
- Enforcement: Violation of this policy may result in disciplinary action, up to and including termination of employment, and legal action where applicable.
6. Applicable Controls
- ISO 27001: A.8.1, A.8.2, A.8.3
- SOC 2: CC7.1, CC7.2, CC7.3
- NIST CSF: PR.DS-1, PR.DS-2, PR.DS-5