APPENDIX B - Data Classification and Handling Guidelines
PDF Summary
This document defines Oakleaf's four-level data classification scheme and the handling controls required at each level to protect company and client information.

Classifications
- Restricted: The most sensitive information, typically driven by external legal or contractual requirements (e.g., client loan-file NPI/PII, certain contracts). Unauthorized disclosure would cause significant damage, including regulatory or contract violations, reputational harm, competitive harm, location exposure, and legal liability.
- Confidential: Highly valuable internal business information (e.g., employee PII/NPI, accounting, payroll, financials). Unauthorized disclosure would cause moderate damage.
- Private: The default classification for information created or received in the course of work; shareable only with authorized parties that have a business need. Not for public release; disclosure generally causes minimal or no damage but may still harm reputation or contracts.
- Public: Approved for general public release; disclosure causes no damage.

General rules
- All work information is Private by default unless designated otherwise or approved as Public.
- When data of different levels is combined, the resulting asset takes the most restrictive classification of its components.
- Restricted, Confidential, and Private data must not be released publicly; sharing with third parties requires a business need and appropriate controls.
- Do not change the data format or media if the new environment lacks equivalent controls (e.g., no exporting Restricted data to unencrypted spreadsheets).
- Exceptions require CEO and CISO approval.

NPI/PII definition
A first name or initial plus last name, combined with an identifier such as an SSN/TIN, passport or resident card number, driver's license number, financial account or payment card number, or ePHI.

Handling highlights
- Restricted: Encryption required; no mobile or cloud storage; encrypted transmission only (SFTP or encrypted email); IM, FTP, fax, and copying prohibited; printing only with senior approval; strict mailing, labeling, and disposal controls; third-party sharing requires CEO/Managing Director approval plus an NDA.
- Confidential: Encryption required at rest; no mobile storage; secure cloud storage allowed; encrypted external transmission; IM, FTP, and fax prohibited; controlled printing and copying; labeling and secure disposal.
- Private: Encryption recommended (including on mobile devices); IM and FTP prohibited for external transfer; basic printing and mail controls; shredding recommended.
- Public: Minimal controls; labeling includes the release date and classification where applicable.

The appendix also provides example data types mapped to each classification and notes that client engagement data may carry client-specific requirements.
Keywords
Oakleaf data classification
four-level classification scheme
Restricted data handling
Confidential information controls
Private by default rule
Public information release
NPI PII definition
encryption requirements
third-party sharing approvals
most restrictive classification rule