1. Information Asset Classification Framework
This section outlines the schema to be used for security classification of information assets within
COMPANY. Any information received or collected by, or on behalf of, COMPANY and 3rd party vendors is
COMPANY information. All information assets:
• Must be handled with due care and in accordance with any authorized procedures
• Must be made available only to people who have a legitimate ‘need-to-know’ to fulfil their official
duties or contractual responsibilities
• Must only be released in accordance with the policies, legislative requirements and directives of
COMPANY.
Information assets held within COMPANY fall into two broad categories:
• Information intended for public use / consumption
• Information which, because of the adverse consequences of unauthorized disclosure, alteration,
or destruction requires appropriate controls for its protection
Information assets whose classification cannot be readily determined must, by default, be
classified as “Confidential” information. Appropriate controls for that classification
must also be implemented and observed.
The diagram below provides a representation of various security classifications of COMPANY Information
Assets.
[Diagram labels: All information used in COMPANY; Public; Non-Public Information; Internal Use; Classified Information; Confidential; Secret]
2. Asset Classes
2.1. Public Information
Public information consists of information assets that have been explicitly authorized by the information asset
owner for public access. There is no such thing as unauthorized disclosure of this information and it may
be freely disseminated without potential harm to COMPANY.
Although confidentiality is not a requirement of this information asset, it is still necessary to maintain its
integrity (accuracy and completeness) prior to its release and its availability upon its release. Assuring the
integrity and availability of a PUBLIC document comes with a cost. As such, an information asset should
not be classified as PUBLIC until it has been assessed and is required to be made available.
Some information assets that require disclosure to the public may have confidentiality requirements
before actual release. As such, the point in the asset’s lifecycle at which it needs to be reclassified as
PUBLIC must also be determined and explicitly indicated.
2.2. Internal Use
The Internal Use classification applies to information that is not sensitive in nature, but is not expected to be
distributed to the public. This information is not generally known outside of COMPANY or available for
public use or from public sources. Internal Use information is generally intended for the use of
COMPANY’s employees, contractors, or other 3rd parties engaged in carrying out COMPANY business
operations while performing their assigned responsibilities.
While this information’s unauthorized disclosure, modification, or destruction is against policy, it is not
expected to seriously or adversely impact COMPANY, its employees, its customers, contractors, or other
third parties.
2.3. Confidential
Confidential information is a sensitive form of information asset that, if disclosed, modified, or destroyed,
could cause significant damage to COMPANY.
This information is distributed on a “need to know” basis only (e.g. employee performance evaluations,
employee salaries, internal audit reports, audit investigation reports). This classification must be used in
relation to the Group, Division or Section within COMPANY that owns and requires the protection of the
information asset (e.g., Confidential to Named Person X, Confidential to Named Group X).
Any information that has an external mandate for protection, arising from either a contractual or a regulatory
requirement, forms part of Confidential information.
2.4. Secret
Secret information is the most private or otherwise sensitive form of information asset. Unauthorized
disclosure, modification, or destruction is expected to result in any of the following:
• Severe damage to operations
• Major public embarrassment
• Loss of customer or investor trust and confidence
• Exposure of COMPANY to a significant monetary loss, or breach of regulatory obligations
• Significant competitive disadvantage
Assignment of the Secret classification requires approval, and the information asset must be owned by an
SVP-level individual. The existence of “Secret” level documents is not disclosed. Access to Secret level
documents must be approved by the owner.