APPENDIX B - Data Classification and Handling Guidelines
Pdf Summary
The Data Classification and Handling Guidelines provide a framework for protecting Oakleaf’s information assets based on a four-level data classification scheme: Restricted, Confidential, Private, and Public. Each classification defines the sensitivity of the data, the access controls that apply, and the handling requirements that mitigate the risk of unauthorized disclosure or loss.

1. Data Classifications:
- Restricted: The most sensitive data, subject to external legal or contractual controls, including PII and NPI such as loan files, contracts, Social Security numbers, and health information. Loss can cause significant damage, including regulatory violations, lawsuits, and reputational harm. Access is strictly limited, and encryption is required for storage and transmission.
- Confidential: Internally designated sensitive business data, including employee PII/NPI, accounting, payroll, and financial information. Loss can cause moderate damage. Encryption and access controls are mandatory; printing or copying requires management approval.
- Private: Information owned by or entrusted to Oakleaf, shared only with authorized insiders and partners. Loss causes minimal or no damage but can still affect reputation or contracts. Encryption is recommended, and less restrictive access and transmission controls apply.
- Public: Information approved for general release. No special handling or restrictions are required.

2. General Practices:
The default classification is Private unless otherwise designated. When data of differing sensitivity is combined, the highest classification present governs the handling of the whole. Data labeled Restricted, Confidential, or Private must never be publicly released, but it may be shared with authorized third parties under appropriate protection.

3. Personally Identifiable Information (PII) and Non-Public Information (NPI):
PII/NPI refers to identification data such as government-issued IDs, Social Security numbers, financial account numbers, and protected health information. These are handled as Restricted or Confidential depending on context.

4. Handling Requirements:
Detailed controls are prescribed for storage, transmission, printing, copying, mailing, disposal, labeling, and access rights. For example, Restricted data must be encrypted at rest and in transit, may not be stored on mobile devices or in the cloud, may not be faxed, and is subject to printing restrictions. Confidential data requires encryption and approval for printing or copying. Private data has recommended encryption and less stringent controls. Public data has no special requirements.

5. Examples:
The document includes comprehensive examples of data mapped to classification levels, covering client data, employee data, financial and marketing information, and system credentials.

This classification scheme and its handling procedures ensure Oakleaf’s compliance with regulatory mandates, protect sensitive information, prevent data breaches, and maintain the trust of customers and business partners. Exceptions require CEO and CISO approval.
Keywords
Data Classification
Restricted Data
Confidential Data
Private Data
Public Data
PII
NPI
Data Handling Guidelines
Encryption Requirements
Access Controls