
INFORMATION CLASSIFICATION MATRIX AND HANDLING GUIDE

The matrix has eight columns: CATEGORY, DESCRIPTION, SAMPLE DOCUMENTS/RECORDS, MARKING, PHYS & ADMIN CONTROLS, REPRODUCTION, DISTRIBUTION and DESTRUCTION/DISPOSAL. Each classification is set out below, column by column.

PUBLIC or open

Description: Information that may be broadly distributed without causing damage to the organization, its employees and stakeholders. The [PR Office/Marketing Dept/Information Security Management dept/etc.] must pre-approve the use of this classification. These documents may be disclosed or passed to persons outside the organization.
Sample documents/records: Marketing materials authorized for public release such as advertisements, brochures, published annual accounts, Internet Web pages, catalogues, external vacancy notices.
Marking: None.
Phys & admin controls: None.
Reproduction: Unlimited.
Distribution: No restrictions.
Destruction/disposal: Recycling/trash.

INTERNAL or proprietary

Description: Most corporate information falls into this category. Information whose unauthorized disclosure, particularly outside the organization, would be inappropriate and inconvenient. Disclosure to anyone outside of [Company name] requires management authorization.
Sample documents/records: Departmental memos, information on internal bulletin boards, training materials, policies, operating procedures, work instructions, guidelines, phone and email directories, marketing or promotional information (prior to authorized release), investment options, transaction data, productivity reports, disciplinary reports, contracts, Service Level Agreements, internal vacancy notices, intranet Web pages.
Marking: "INTERNAL USE ONLY". Apply to bottom left corner of each page.
Phys & admin controls: Author: responsible for proper markings. User: responsible for proper storage and document control.
Reproduction: Limited copies may be made only by employees, or by contractors and third parties who have signed an appropriate nondisclosure agreement.
Distribution: Internal: use an internal mail envelope. External: use a sealed envelope. Electronic: use internal email system. Encryption is required for transmission to external email addresses. FAXing: take care over the FAX number!
Destruction/disposal: Paper documents: shred. Electronic data: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops etc. to IT for appropriate disposal.

CONFIDENTIAL or restricted

Description: Highly sensitive or valuable information, both proprietary and personal. Must not be disclosed outside of the organization without the explicit permission of a Director-level senior manager.
Sample documents/records: Passwords and PIN codes, VPN tokens, credit and debit card numbers, personal information (such as employee HR records, Social Security Numbers), most accounting data, other highly sensitive or valuable proprietary information.
Marking: "CONFIDENTIAL". Apply to bottom left corner of each page.
Phys & admin controls: Originator: responsible for ensuring that confidential information is distributed on a strict need-to-know basis. Recipient: responsible for ensuring that confidential information is encrypted and/or kept under lock & key when not in use.
Reproduction: Limited copies may be made only by permission of originator or his/her designates. A signed authorization slip will be presented.
Distribution: Internal: use a sealed envelope inside an internal mail envelope. Hand deliver if possible. External: use a plain sealed envelope. Hand deliver or send by registered mail, courier etc. Electronic: use internal email system only. Encrypt data. FAXing: requires phone confirmation of receipt of a test page immediately prior to sending the FAX, and phone confirmation of full receipt.
Destruction/disposal: Paper documents: shred using an approved cross-cut shredder. Electronic data: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops etc. to IT for appropriate disposal.

This work is copyright 2009, Richard O. Regalado and ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum (www.ISO27001security.com), and (c) derivative works are shared under the same terms as this.

Note: this classification scheme only relates to the confidentiality of the information. Similar schemes are feasible for integrity and availability requirements.