Data Classification Standard
SOC 2 Criteria: C1.1, PI1.1
ISO 27001 Requirements: 7.5.2, 7.5.3
ISO 27001 Annex A: A.5.1.1, A.7.1.2, A.7.2.1, A.8.1.1, A.8.2.1, A.8.2.2, A.16.1.4, A.18.1.3
Keywords: Confidential Data, Internal Data, Public Information, Restricted Data, Classification
This policy will assist employees and third parties with understanding the Company’s information labeling and handling guidelines. The sensitivity level definitions were created as guidelines and to emphasize common-sense steps that you can take to protect sensitive or confidential information (e.g., Company Confidential information should not be left unattended in conference rooms).
Information covered in this policy includes, but is not limited to, information that is received, stored, processed, or transmitted via any means. This includes electronic, hardcopy, and any other form of information regardless of the media on which it resides.
Bramble team members, contractors, consultants, vendors and other service providers are required to review and understand this policy, and to handle data according to the classification levels below unless otherwise noted.
Data Owners shall determine the classification of data in accordance with this standard. The Data Classification Index (internal only) provides a list of various types of data and their classification level. If you cannot identify the data element or are uncertain of the risk associated with the data and how it should be classified and handled, please contact The Security Compliance Team.
- Bramble customers are responsible for managing their own data, to include identification and classification according to their own internal requirements. Bramble handles Customer Data internally according to our non-disclosure obligations written in our Mutual Non Disclosure Agreement and the controls identified in this standard.
Personal Data: As defined by General Data Protection Regulation(GDPR): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Customer Data: Refers to the electronic data uploaded or created by Bramble customers and processed in the Bramble application labeled as Private by the customer and subject to legal or contractual obligations.
Confidential/Restricted Data: Data should be classified as Restricted or Confidential when the unauthorized disclosure, alteration, or destruction of that data could cause a serious or significant level of risk to Bramble or its customers. Examples of Restricted or Confidential data include data protected by state or federal privacy regulations (e.g. PHI and PII) and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted and Confidential Data:
- Disclosure of or access to Restricted and Confidential data is limited to specific use by individuals with a legitimate need-to-know. Because of legal, contractual, privacy, or other constraints, explicit authorization by the Security Officer is required for access.
- Must be protected to prevent loss, theft, unauthorized access, and/or unauthorized disclosure.
- Must be destroyed when no longer needed. Destruction must be in accordance with Company policies and procedures.
- Will require specific methodologies, procedures, and reporting requirements for the response to and handling of incidents.
Internal Data: All data owned or licensed by Bramble. Data should be classified as Internal Use when the unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk to Bramble or its customers. This includes proprietary, ethical, or privacy considerations. Data must be protected from unauthorized access, modification, transmission, storage or other use. This applies even though there may not be a civil statute requiring this protection. Internal Use Data is restricted to personnel who have a legitimate reason to access it. By default, all data that is not explicitly classified as Restricted/Confidential or Public data should be treated as Internal Use data. A reasonable level of security controls should be applied to Internal Use Data.
Public Data: Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to Bramble and its customers. It is further defined as information with no existing local, national, or international legal restrictions on access or usage. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized alteration or destruction of Public Data.
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to Bramble should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All data should be classified into one of the four following classifications.
Restricted
Restricted data must remain confidential. This is Bramble’s most sensitive data; access to it should be considered privileged and must be explicitly approved. Exposure of this data to unauthorized parties could cause extreme loss to Bramble and/or its customers. In the gravest scenario, exposure of this data could trigger or cause a business extinction event.
- Customer Data
Confidential
Data subject to laws and regulations that should not be made generally available. Unauthorized access or disclosure could cause significant financial or material loss or risk of harm to Bramble, break contractual obligations, and/or adversely impact Bramble, its partners, employees, contractors, and customers.
- Personal Data
- Any vendor who is in possession of any form of Personal Data must have appropriate contractual terms that address Bramble data protection requirements (e.g. a Data Processing Agreement).
- Bramble Intellectual property
- Customer metadata
- Audit logs
- Open security incidents, vulnerabilities and risks
Internal
Data and information created and used in the normal course of business that should not be made publicly available. Unauthorized access or disclosure could cause minimal risk or harm and/or adversely impact Bramble, its partners, employees, contractors, and customers.
- Asset registers
- General internal company communications
- Vendor contracts
- Bramble runbooks/work instructions/manuals/policies/procedures containing data NOT appropriate for public consumption
Public
Data that is publicly shareable and does not expose Bramble or its customers to any harm or material impact.
- Bramble handbook
- Including most Bramble runbooks/work instructions/manuals/policies/procedures
- Public announcements
- Public product information
Credentials such as passwords, personal access tokens, encryption keys, and session cookies derive their importance from the data they protect, and should be handled at the classification level of the data they grant access to.
If there is more than one data type residing in a system, the system should be classified at the highest data classification level of the data being stored, transmitted or processed on that system.
There is currently no internal requirement to label data according to this standard; however, labels are encouraged. By labeling data according to classification level, individuals can quickly refer to this policy for proper handling. Issues that are confidential must be marked accordingly per our Communication Handbook Page. It is up to the data owner to ensure that security and privacy settings are applied as per their own requirements.
Here are the security and privacy controls to apply for each data classification. Each control listed in the tables is expected to be applied.
Restricted
- Business need-to-know required for approved business functions
- Manager and data owner approval required
- Logging and monitoring of access required
- Quarterly access reviews required
- NDA required (if disclosed to a 3rd party)
- Background check required
- Do not share publicly
- Data sharing with internal Bramble team members is authorized by the Data Owner and management after establishing “need-to-know”
- Data sharing with non-Bramble team members is not allowed unless explicitly approved by Legal and Security
- All copies of Restricted (Red) data outside of approved system(s) must be pre-approved by both Legal and Security
- Systems must have security controls equal to or greater than the approved system(s)
- API/Integrations must be approved by Security
- Data must be encrypted in transit
- Data must be encrypted at rest
- Stored or processed on approved Bramble managed systems only unless otherwise approved
- Electronic storage media must be irretrievably erased, degaussed and/or disposed of in a secure fashion
- When information is no longer valid or necessary, it should be completely and permanently destroyed in accordance with the Record Retention Policy

Confidential
- Business need-to-know required
- Data owner approval required
- NDA required
- Email must be marked as confidential
- Do not share publicly
- May be reproduced for Internal Use only
- May be shared internally on a need-to-know basis
- Data sharing with non-Bramble team members is not allowed unless explicitly approved by the data owner and management. Any vendor who is in possession of any form of Personal Data must have appropriate contractual terms that address Bramble data protection requirements (e.g. a Data Processing Agreement)
- Encrypted or otherwise electronically protected when sent to a recipient outside the company
- Systems must have security controls equal to or greater than the approved system(s)
- Stored or processed on approved Bramble managed systems only unless otherwise approved
- Data must be encrypted at rest if stored on a third-party system
- Electronic storage media must be irretrievably erased, degaussed and/or disposed of in a secure fashion
- When information is no longer valid or necessary, it should be completely and permanently destroyed in accordance with the Record Retention Policy

Internal
- Business need-to-know required
- NDA required
- Do not share publicly
- May be reproduced for Internal Use only
- Can be shared internally and externally in alignment with the Acceptable Use Policy
- Share externally via a secure mechanism (e.g., password-protected zip file, access-controlled Google Drive file, etc.)
- Normal deletion commands or utilities provided with operating systems are sufficient for online files
- When information is no longer valid or necessary, it should be completely and permanently destroyed in accordance with the Record Retention Policy

Public
- Public Information requires no special handling
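The two derivation rules above (credentials take the level of the data they protect; a system takes the highest level of any data it stores, transmits or processes) combined with the default-to-Internal rule and the per-level technical controls from the handling tables lend themselves to a mechanical check over an asset inventory. The following is an added example written for this page, not part of the Bramble standard or any Bramble tooling: the data index, control identifiers and the two systems in the inventory are constructed for illustration, and the real Data Classification Index is internal-only and not reproduced here.

```python
"""Derive a system's classification from its data inventory and check its
controls against the baseline the handling tables set for that level.

Added example; the index, control names and inventory are constructed.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Level(IntEnum):
    """Ordered so that max() selects the most sensitive level."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Constructed stand-in for the internal-only Data Classification Index.
DATA_INDEX: Dict[str, Level] = {
    "customer_data": Level.RESTRICTED,
    "personal_data": Level.CONFIDENTIAL,
    "audit_logs": Level.CONFIDENTIAL,
    "vendor_contracts": Level.INTERNAL,
    "public_product_info": Level.PUBLIC,
}

# Technical controls from the handling tables, as hypothetical control
# identifiers. Internal and Public carry no mechanically checkable baseline.
REQUIRED_CONTROLS: Dict[Level, Set[str]] = {
    Level.RESTRICTED: {"approved_system", "encrypt_at_rest", "encrypt_in_transit",
                       "access_logging", "quarterly_access_review"},
    Level.CONFIDENTIAL: {"approved_system"},
    Level.INTERNAL: set(),
    Level.PUBLIC: set(),
}


@dataclass
class DataItem:
    name: str
    level: Optional[Level] = None    # explicit label set by the Data Owner, if any
    protects: Optional[str] = None   # for credentials: the data type they unlock


@dataclass
class System:
    name: str
    data: List[DataItem]
    controls: Set[str] = field(default_factory=set)
    third_party_hosted: bool = False


def classify_item(item: DataItem, index: Dict[str, Level] = DATA_INDEX) -> Level:
    """Level of one data item per the standard's rules."""
    if item.protects is not None:
        # Credentials derive their level from the data they protect.
        return index.get(item.protects, Level.INTERNAL)
    if item.level is not None:
        return item.level
    # Anything not explicitly classified is treated as Internal by default.
    return index.get(item.name, Level.INTERNAL)


def classify_system(system: System, index: Dict[str, Level] = DATA_INDEX) -> Level:
    """A system is classified at the highest level of any data on it."""
    return max((classify_item(d, index) for d in system.data), default=Level.PUBLIC)


def missing_controls(system: System, index: Dict[str, Level] = DATA_INDEX) -> Set[str]:
    """Baseline controls the system lacks for its derived level."""
    level = classify_system(system, index)
    required = set(REQUIRED_CONTROLS[level])
    # Confidential data on a third-party system must also be encrypted at rest.
    if level == Level.CONFIDENTIAL and system.third_party_hosted:
        required.add("encrypt_at_rest")
    return required - system.controls


# Constructed inventory. The CI runner holds no customer data itself, but a
# deploy token for the customer-data store pulls it up to Restricted.
CI_RUNNER = System(
    name="ci-runner",
    data=[
        DataItem("vendor_contracts"),
        DataItem("build_logs"),                              # unlabelled -> Internal
        DataItem("deploy_token", protects="customer_data"),  # credential -> Restricted
    ],
    controls={"encrypt_in_transit", "approved_system"},
)

CRM_SAAS = System(
    name="crm-saas",
    data=[DataItem("personal_data")],
    controls={"approved_system"},
    third_party_hosted=True,
)

if __name__ == "__main__":
    for s in (CI_RUNNER, CRM_SAAS):
        print(s.name, classify_system(s).name, sorted(missing_controls(s)))
```

Running it reports the CI runner as Restricted (driven entirely by the token it holds) and lacking encryption at rest, access logging and quarterly reviews, and the third-party CRM as Confidential with encryption at rest outstanding. The same shape of check can be fed from a real asset register once the Data Classification Index is available to it.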
Exceptions to this policy will be tracked as per the Information Security Policy Exception Management Process.