Data Classification Policy

1.0 Purpose

This policy identifies a data classification schema, which will provide a framework for classifying FinGoal’s sensitive information. This policy is necessary because FinGoal must maintain compliance with federal and state laws regarding data privacy and must meet the standards of private organizations established to protect an individual’s personal and financial information.

2.0 Scope

This policy will define how data is classified by the owners of sensitive data. This policy applies to all FinGoal data and the systems which host and access that data regardless of the environment or media where the data resides. This includes data centers, personal computers, mobile devices, removable drives, optical storage, and even paper, and is inclusive of any FinGoal-owned information regardless of type, location or storage medium.

This policy also governs all manner of data communications including electronic, voice, print and written communications.

This policy applies to all members of the FinGoal team including employees, contractors, and temporary workers.

2.1 Out of Scope

This policy does not cover the handling and protection requirements of information. Also excluded are availability and integrity concerns.

3.0 Policy

3.1 Statement

All information at FinGoal will be considered to be one of the data classifications provided below, whether formally or informally.
Data classification is based on the criticality of the loss of confidentiality, that is, the impact of exposure of data to unauthorized parties.
Data classification mandates from federal and state laws, contractual obligations, and industry best practices shall be considered when providing the data classification.
Data should not be classified higher than is necessary. More highly classified data requires additional security protections, management, and cost.

3.2 Data Classification Categories

Restricted

Restricted data is the most sensitive category of information. The consequences of the loss of confidentiality are grave.
Restricted data shall be maintained in accordance with the FinGoal Data Handling Policy to provide sufficient protection at all times, whether in transit or at rest.
Examples include data such as Identifiable Financial Information and credit card full stripe data. More detailed guidance shall be provided below.