Information Classification and Handling Policy
EDC Inc Information Classification and Handling Policy
This policy outlines the guidelines and procedures for the classification and handling of information at EDC Inc. It is designed to ensure the confidentiality, integrity, and availability of all data in our possession, in compliance with legal and contractual obligations.
1. Purpose
The purpose of this policy is to provide a framework for classifying and handling information in a manner that reduces risk and ensures compliance with applicable laws and regulations. This policy applies to all EDC Inc employees, contractors, and third parties who have access to EDC Inc information.
2. Scope
This policy applies to all information assets owned or managed by EDC Inc, including, but not limited to, data held in Active Directory user and service accounts, data recorded in the CMDB inventory management tool, and data subject to review by the Change Audit Board (CAB).
3. Information Classification
All information at EDC Inc is classified into one of the following categories:
- Public: Information that can be disclosed to the public without any risk of harm to EDC Inc or its stakeholders.
- Internal: Information that is not intended for public disclosure but whose disclosure would not cause significant harm to EDC Inc or its stakeholders.
- Confidential: Information whose unauthorized disclosure could harm EDC Inc or its stakeholders.
- Restricted: Highly sensitive information whose unauthorized disclosure would cause severe harm to EDC Inc or its stakeholders.
4. Information Handling
Information handling procedures vary depending on the classification of the information. The IT Security Operations department is responsible for defining and implementing these procedures.
5. Roles and Responsibilities
Each department within EDC Inc has specific roles and responsibilities related to information classification and handling:
- IT Server Operations: Responsible for OS patching every 30 days, unless an IT Exception is approved by IT Security.
- IT Server Build Operations: Responsible for building and maintaining servers in compliance with this policy.
- IT-SOC (Incident management): Responsible for managing incidents related to information security.
- Corporate Physical Security: Responsible for physical security measures to protect information assets.
- IT Security Operations: Responsible for defining and implementing information handling procedures.
- IT Monitoring Operations: Responsible for monitoring compliance with this policy.
- IT Database Operations: Responsible for managing and securing databases in compliance with this policy.
- IT Audit and Compliance: Responsible for auditing compliance with this policy and reporting non-compliance to the relevant IT Director.
6. Compliance
All EDC Inc employees, contractors, and third parties who have access to EDC Inc information are required to comply with this policy. Non-compliance may result in disciplinary action, up to and including termination of employment or contract.
7. Policy Review
This policy will be reviewed at least annually by the IT Audit and Compliance department. Any changes to the policy will be approved by the relevant IT Director and communicated to all EDC Inc employees, contractors, and third parties who have access to EDC Inc information.
Summary
The EDC Inc Information Classification and Handling Policy provides a framework for managing the confidentiality, integrity, and availability of information. It outlines the roles and responsibilities of each department and the procedures for handling different types of information. Compliance with this policy is mandatory for all EDC Inc employees, contractors, and third parties who have access to EDC Inc information.