Information Classification & Handling Policy

Information Classification & Handling Policy

Revision 1.1

Policy Statement

To meet the enterprise business objectives and ensure continuity of its operations, CCE Technologies Inc. (hereinafter “CCET”) shall adopt and follow well-defined and time-tested plans and procedures, to ensure that sensitive information is classified correctly and handled as per organizational policies. Information is considered as primary asset of an organization. An organization uses different types of information assets. The sensitivity of these information assets may vary and similarly, their handling mechanisms are also different.

Purpose

CCET is in the business of providing a cloud-based productivity application or Software-as-a-Service (SaaS) offering that incorporates a repository of confidential information belonging to users of the application/service. The purpose of this policy is to ensure confidential information gathered as part of CCET’s conduct of business is protected from unauthorized use and disclosure. This policy helps to facilitate the identification of information to support routine disclosure and active dissemination of information. It also helps to protect the intellectual property of CCET.

Scope

Employees

This policy applies to all Managers, employees, contractors, and third party employees who have access to IT assets of CCET and may be bound by contractual agreements.

IT Assets

This policy applies to all information assets of CCET, and particularly to the information collection, storage, and handling related to the Clariti application.

Documentation

The policy documentation shall consist of Information Classification and Handling Policy and related procedures & guidelines.

Document Control

The Information Classification and Handling Policy document and all other referenced documents shall be controlled. Version control shall be to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purpose.

Records

Records being generated as part of the Information Classification and Handling Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

Distribution and Maintenance

The Information Classification and Handling Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of this document shall be with the Chief Information Security Officer (CISO) and website (www.clariti.app) administrator.

Privacy

The Information Classification and Handling Policy document shall be considered as “Confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

Responsibility

The CISO/designated personnel is responsible for proper implementation of the Information Classification and Handling Policy.

Policy

CCET uses four classifications for data: public, internal-only, confidential, and restricted.

Public data: This type of data is freely accessible to the public (i.e. all employees/company personnel). It can be freely used, reused, and redistributed without repercussions. An example might be first and last names, job descriptions, or press releases.

Internal-only data: This type of data is strictly accessible to internal company personnel or internal employees who are granted access. This might include internal-only memos or other communications, business plans, etc.

Confidential data: Access to confidential data requires specific authorization and/or clearance. Types of confidential data might include source code for software, performance data, subscription data, customer data submitted for debugging, data gathered for error identification, etc.

Restricted data: Restricted data includes data that, if compromised or accessed without authorization, could lead to criminal charges and massive legal fines or cause irreparable damage to the company. Among restricted data, customer and client authentication credentials are the most sensitive with potential to cause significant harm to the product and the company. Additional examples of restricted data include client, customer and other proprietary information stored in Clariti app databases that are protected by state and federal regulations.

Following are the policies for secure handling of information assets of CCET:

  1. Handling and labeling of all media shall be according to its indicated classification level.
  2. Depending on the classification of information, electronic transmission, copying and distribution of copies of such information, shall require prior approval of CISO or CEO, as applicable.
  3. Mailing and/or shipment of confidential information shall require that information be sent through a reputed mail service or courier with proper authentication.
  4. Confidential information shall be stored with proper security and/or in safe lockers.
  5. Disposition of confidential and Project or Department specific information shall require controlled process conducted in the presence of CISO or the Department Manager in charge, as applicable.
  6. Appropriate access restrictions shall be applied to prevent access from unauthorized personnel.
  7. Formal record of the authorized recipients of data and information shall be maintained.
  8. Information processing operations shall ensure the following: that input data is complete, that processing is properly completed, and that output validation is applied.
  9. All copies of information shall be clearly marked for the attention of the authorized recipient.
  10. Distribution of data shall be based on “need to know” and “need to use” principles.
  11. Distribution lists and lists of authorized recipients shall be reviewed at regular intervals.

Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR policies in effect in CCET.

Revision History

Version Number Reason of Revision Created by Effective Date
1.0 Creation K. Rajan Oct 21, 2020
1.1 Designation of Jayaraj R as CISO K. Rajan Jan 4, 2021