It is essential for “Organization” to classify its information assets to help manage and protect them. The various departments at “Organization” hold many types of documents and data. Each business unit or department should classify its data by considering the potential for harm to individuals or the University in the event of unintended disclosure, modification, or loss. This can be done by identifying which information should be protected and which information shall be open to the public and third parties.
In order to preserve the appropriate confidentiality, integrity and availability of “Organization’s” information assets, the information classification policy describes principles that need to be followed to protect information by specifying how and to whom information with a particular classification can be distributed.
The purpose of this policy is to provide the basis for protecting the confidentiality of data at “Organization” by establishing a data classification system. Further policies and standards will specify handling requirements for data based on their classification.
This policy applies to all data or information that is created, collected, stored or processed by “Organization”, in electronic or non-electronic formats, irrespective of the data location or the type of device it resides on. Consequently, it should be used by all staff and by third parties who interact with information held by and on behalf of “Organization”.
All data at “Organization” shall be assigned one of the following classifications. Collections of diverse information should be classified according to the most secure classification level of any individual information component within the aggregated information.
1. Confidential (restricted): Information that is classified as confidential or restricted includes data that can be catastrophic to one or more individuals and/or organizations if compromised or lost. Such information is frequently provided on a “need to know” basis and might include:
2. For internal use only (sensitive): Information that is classified as being of medium sensitivity includes files and data that would not have a severe impact on an individual and/or organization if lost or destroyed. Such information might include:
3. Public (unrestricted): Information that is classified as public includes data and files that are not critical to business needs or operations. This classification can also include data that has deliberately been released to the public for their use, such as marketing material or press announcements. In addition, this classification can include data such as spam email messages stored by an email service.
4. “Organization” associates shall be guided by the information category in their security-related handling of “Organization” information.
Information is a major asset that “Organization” has a responsibility and requirement to protect. Differently classified information should be appropriately protected in storage, transit, access etc. from modification or disclosure.
The Information Protection Policy addresses the stocks of information (electronic data or paper records) that “Organization” maintains, as well as the people who use them, the processes they follow and the physical computer equipment used to access them. All of these areas are addressed to ensure that high standards of confidentiality, quality and availability of information are maintained.
The following policy details the basic requirements and responsibilities for the proper management of information assets at “Organization”. The policy specifies the means of information handling and transfer within the Business.
This Policy applies to all the systems, people and business processes that make up the Business’s information systems. This includes all Executives, Committees, Departments, Partners, Employees, contractual third parties and agents of “Organization” who have access to Information Systems or information used for “Organization” purposes.
Record retention and destruction is an important substantive component of many of the laws with which most corporations must comply, and it is often the vehicle by which compliance is established.
The purpose of this policy is to ensure that necessary records and documents of “Organization” are adequately protected and maintained and to ensure that records that are no longer needed by “Organization” or are of no value are discarded at the proper time.
This Policy applies to all records generated in the course of “Organization’s” operation, including both original documents and reproductions.
All employees should comply with any published records retention policies.
1. Accounting and Finance records include, but may not be limited to:
2. Contracts and Related Correspondence (including any proposal that resulted in the contract and all other supportive documentation) should be permanently retained.
3. “Organization” records (minute books, signed minutes of the Board and all committees, corporate seals, articles of incorporation, Contribution records and annual corporate reports) as well as licenses, property insurance and permits should have a permanent retention.
4. It is also possible to destroy documents considered in the judgment of a valuable documents and that have never been used or modified for the last 5 years, only if these documents are subject to examination or review or were required in an ongoing legal proceeding, or Instructions/regulations set by the Ministry of Finance decide to keep them longer. Those documents are destroyed only after the necessary procedures have been taken to record their data or a summary of it.
5. Electronic documents:
6. Legal files and papers:
Permanent retention of “Organization” legal archive as follows:
7. Personnel records:
8. Records and documents: “Organization” has the discretion to determine the time required to retain them, and this discretionary authority is related to the continued need of “Organization”:
9. Document destruction procedures:
This policy discusses the types of information that can be disseminated to internal and external groups, as well as the methods by which this information is disseminated. Moreover, this policy explains the specific types of information that will be disclosed and that will not be disclosed.
The purpose of this policy is to ensure that personal information and confidential information are protected from unauthorized use and disclosure, and also to facilitate the identification of information to support routine disclosure and active dissemination of information. This policy was also set to protect the intellectual property of “Organization”.
This policy applies to all information produced, collected and stored by “Organization”.
Information which is considered unrestricted can be open to the public and all employees as well as Third Parties.
Information which needs to be protected is accessed by authorized parties, such as employees and contractors, on a “need-to-know” basis for business-related purposes. This access should be granted for the specific period required, as set by higher-level management.
Confidential information is limited to individuals in a specific function, group or role. Pre-clearance based on position is required in order to access confidential information held by “Organization”.
In terms of restricted information, access is granted to a limited number of named individuals based on job position.
“Organization” will determine the extent to which security classification needs to be applied to information assets. The security classification of information assets should highlight what type of information can be viewed or accessed by members of “Organization” staff or external parties. The different levels of information, particularly sensitive or confidential information, will require a higher level of authorization for access.
The purpose of this policy is to limit the threat of losing or disclosing data that will affect the integrity, availability or confidentiality of data assets, by controlling the access to information with authorizations.
This policy applies to all reports, research information, and supporting documentation originally produced or collected by “Organization”.