Data Classification

The document outlines the Data Classification Policy for an organization, establishing a framework for classifying information based on sensitivity levels: Public, Internal, Restricted, and Confidential. It emphasizes the importance of safeguarding sensitive information to comply with laws and protect the organization's reputation, detailing responsibilities for information owners and requirements for data handling, storage, transfer, and disposal. Additionally, it addresses the management of Personally Identifiable Information (PII) and mandates appropriate security measures for its processing and storage.

Uploaded by

Sameer Kulkarni
Policy Name: 2.1. Data Classification

1. Purpose
To provide a framework for information owners to determine and classify the sensitivity levels for the
information that Organization uses, processes, and stores.
The unauthorized disclosure, modification, accidental or intentional damage, or loss of sensitive
Organization information could constitute a violation of laws and/or regulations, may negatively
affect customers, and impact Organization’s image as well as competitiveness in the market. Hence
data needs to be classified based on its criticality to enable implementation of security controls
commensurate with its criticality.

2. Scope
This policy applies to information systems, including IT applications, IT infrastructure and physical
information channels, and the information assets that Organization uses, processes, and stores using
those systems. It also applies to the business processes and procedures at Organization regarding data
processing.
This policy applies to all individuals handling data as well as technology systems where
Organization’s information assets are stored or processed.
Technology systems, communications and network connections include, but are not limited to,
network devices such as routers and firewalls, storage devices such as USB drives and disk drives,
servers and mainframes, operating systems, databases and applications.
All Business Units or Departments shall comply with this information security policy.

3. Policy
The Information Owner shall only classify information assets within their purview using one of the
following four classification levels:
- Public
- Internal
- Restricted
- Confidential
Classification levels shall be defined based on the information asset’s relative risk, value, and
sensitivity.
Further, any personally identifiable information (PII) shall be identified and classified as PII in
addition to being classified as per the above data classification policy. Organization shall employ
reasonable and appropriate safeguards to protect the integrity, confidentiality, and security of all PII.
Any breach of this policy shall be considered as an incident and shall be treated as per the incident
management policy.
3.1 Data Ownership
All information assets within Organization shall have a designated owner. Managers responsible for
business processes that utilize information assets are considered the owners of that information.
Information owners may delegate ownership of some or all of their information systems to other
persons; however, owners shall remain accountable and oversee that delegated owners fulfill their
responsibilities.
3.3 Data Classification Process
Information owners shall ensure that the information assets for which they are responsible are
assigned a classification rating (Confidential, Restricted, Internal, or Public) that properly indicates
their business value and criticality to the organization. Owners shall review the assigned classification
label at least every two years to address changed business value and risks, or as required by laws and
regulations that impact Organization.
3.3.1 Confidential
Personal or company information that is classified as highly sensitive by senior management or laws
and regulations that impact Organization. Normally this concerns personally identifiable information
(PII) about customers, business partners such as agents, distributors, suppliers etc., or employees, or
information that is of vital or strategic importance to
the success of the organization (e.g., financial statements) and can provide it with a significant
competitive edge (e.g., new product designs). Unauthorized disclosure of confidential information
could substantially impact Insurance Company, its brand and/or reputation, and its customers.
3.3.2 Restricted
Information assets which, if disclosed, would result in significant adverse impact, embarrassment,
financial penalties, loss of stakeholder confidence or compliance penalties.
3.3.3 Internal Use Only
Information that is not intended for use by the public. This can include information posted on the
company intranet for employee use, such as phone directories or the Employee Handbook.
Unauthorized disclosure of Internal Use Only information could moderately impact Insurance
Company, its brand and/or reputation, and its customers.
3.3.4 Public
Information that is approved for release to the public by Organization’s senior management.
Examples include information that is available from public or government sources, advertising, or
information posted on the official website. Disclosure of Public information will likely have little or
no impact on Insurance Company, its brand and/or reputation, and its customers.
3.3.5 Technical Standards
Technical standards should be based on the life cycle process defined below in this document. Section
3.4 ‘Lifecycle Processes’ outlines the specific controls to protect the confidentiality and integrity of
Organization’s information assets.

3.4 Lifecycle Processes
3.4.1 Confidential Information
3.4.1.1 Labeling Requirements
A label of “CONFIDENTIAL” shall, at a minimum, be legible on every page of the physical or
electronic document.
1. Any device or object (including portable devices) that contains CONFIDENTIAL information shall
be labelled as “CONFIDENTIAL”.
2. Systems that contain CONFIDENTIAL information shall be identified and mentioned in “Asset
Library”.
3. Storage repositories that maintain CONFIDENTIAL information shall be known and controls
implemented to effectively protect the information.
4. Emails that contain CONFIDENTIAL information shall, at a minimum, contain
“CONFIDENTIAL” in the subject line, header, or footer.
3.4.1.2 Storage Requirements
1. Storage environments shall require user authentication that can uniquely identify each user or
administrator.
2. Storage environments shall be periodically reviewed and audited to help ensure that information is
sufficiently secured.
3. Storage environments shall be monitored to help ensure that access control systems are functioning
properly.
4. CONFIDENTIAL information shall be stored on company owned or controlled systems or on
equivalently secured systems with which Organization has an approved partnership.
3.4.1.3 Transfer Requirements
1. When CONFIDENTIAL information is transmitted outside of the Organization network, including
the Internet, it shall be sent in encrypted form or via a secured channel. Encryption keys shall be
managed and protected by authorized resources as defined in the Cryptographic Security policy.
2. CONFIDENTIAL information entrusted to Organization by a third party shall be encrypted when
sent over external network systems.
3. CONFIDENTIAL designations shall appear on the cover sheet of transmitted documents (i.e.,
facsimile transmissions).
4. Phone calls, SMS or electronic communications that discuss CONFIDENTIAL information shall be
preceded by a statement about the sensitivity of the information involved.
5. When distributing CONFIDENTIAL information via physical format (paper, disks, etc.), enclose
the information in an envelope labelled “CONFIDENTIAL” even when delivered by hand.
6. Intellectual Property shall not be transmitted without prior authorization from the Information
Owner.
3.4.1.4 Tracking Requirements
1. Tracking techniques, system capabilities, or manual efforts shall indicate who has accessed the
CONFIDENTIAL information, from where it was accessed (e.g. MAC ID, IP address) and when it was
accessed.
2. This access shall be audited by the Information Owner and deficiencies corrected in a timely
manner.
3.4.1.5 Disposal Requirements
CONFIDENTIAL information shall be completely and securely destroyed at the end of its retention
period OR at the release of a litigation or audit hold, if such hold extends beyond the retention period.
Sensitive data or systems not regularly accessed by the Organization shall be removed from the
network. These systems shall only be used as stand-alone systems (disconnected from the network) by
the business unit needing to occasionally use the system, or completely virtualized and powered off
until needed.
3.4.2 Restricted Information
3.4.2.1 Labeling Requirements
1. A label of “RESTRICTED” shall, at a minimum, be legible on every page of the physical or
electronic document. Any device or object that contains RESTRICTED information shall be labelled
as “RESTRICTED”.
2. Systems, applications, and databases that contain RESTRICTED information shall provide a legible
label of “RESTRICTED” on appropriate output or displays.
3. Storage repositories that maintain RESTRICTED information shall be known to the Information
Owner and controls implemented to effectively protect the information (i.e., physical locks, door
locks).
4. Communications that contain RESTRICTED information, at a minimum, shall contain a statement
that helps ensure the recipient understands the sensitivity of RESTRICTED information and the
handling procedures for RESTRICTED information.
5. Emails that contain RESTRICTED information shall, at a minimum, contain “RESTRICTED” in
the subject line, header, or footer.
3.4.2.2 Storage Requirements
1. Portable media, hard copy documents, diskettes, or tapes containing RESTRICTED information
shall be secured at all times (either through lock and key or electronic authorization processes) and
shall be kept under direct control by authorized personnel.
2. Storage environments shall require user authentication wherever possible that can uniquely identify
each user or administrator, even for portable electronic devices.
3. RESTRICTED information shall be stored on company owned or controlled systems, or on
equivalently secured systems with which Organization has an approved partnership.
4. Storage environments shall be periodically reviewed and audited to help ensure they are sufficiently
secured.
5. Storage environments shall be monitored to help ensure that access control systems are functioning
properly.
6. Hard copy RESTRICTED information shall be stored in a secured container, such as a locked
cabinet or locked desk when not in use or when not under direct visual supervision.
3.4.2.3 Transfer Requirements
1. When RESTRICTED information is transmitted electronically outside of the Organization’s
network, including the Internet, it shall be sent over a secured channel or in encrypted form.
2. Encryption keys shall be managed and protected by authorized resources as defined in the
Cryptographic Security policy.
3. RESTRICTED information transmitted electronically shall be accompanied by a caution to the
recipient as to how the RESTRICTED information shall be handled and protected.
4. When transmitting RESTRICTED information via physical format (paper, disks, etc.), enclose the
RESTRICTED information within double envelopes. The internal envelope shall be labelled
“RESTRICTED”. The external envelope shall have no special markings and shall be delivered by
hand or as appropriate.
5. RESTRICTED designations shall appear on the cover sheet of transmitted documents (e.g.,
facsimile transmissions).
6. RESTRICTED information shall not be discussed with anyone, including associates, contractors, or
other third parties who do not have a “need-to-know” and have not been expressly authorized by the
Information Owner.
7. RESTRICTED information shall not be verbally communicated within insecure facilities.
Individuals shall ensure that there are no unauthorized persons within earshot before conversation
begins.
3.4.2.4 Tracking Requirements
1. Tracking techniques, system capabilities, or manual efforts shall indicate who has accessed the
RESTRICTED information, from where it was accessed (e.g. MAC ID, IP address) and when it was
accessed.
2. This access shall be audited by the Information Owner and deficiencies corrected in a timely
manner.
3.4.2.5 Disposal Requirements
1. RESTRICTED information and all related copies and back-ups shall be completely and securely
destroyed at the end of its retention period OR at the release of a litigation or audit hold, if such hold
extends beyond the retention period.
3.4.3 Internal Use Only Information
3.4.3.1 Labeling Requirements
1. INTERNAL USE ONLY information does not have any specific labelling requirements. However,
if information or an information source is not labelled, at a minimum it shall be treated as
INTERNAL USE ONLY.
2. A label of “INTERNAL USE ONLY” shall be legible on the first page of the file, document, or on
the front of the device.
3.4.3.2 Storage Requirements
1. The storage environment shall require user authentication that can uniquely identify each user who
accesses the information.
2. Appropriate controls shall be put in place to ensure that only authorized users get access to
“INTERNAL USE ONLY” information.
3.4.3.3 Transfer Requirements
Generally, INTERNAL USE ONLY information is only transferred to and from those parties
requiring use of its content. It is the responsibility of the Information Owner to define and
communicate procedures and controls governing the transfer of INTERNAL USE ONLY information.
3.4.3.4 Disposal Requirements
INTERNAL USE ONLY information shall be disposed of at the end of its retention period OR at the
release of a related litigation or audit hold, if such hold extends beyond the retention period.
3.4.4 Public Information
3.4.4.1 Labeling Requirements
No labels required.
3.4.4.2 Storage Requirements
No specific storage requirements.
3.4.4.3 Transfer Requirements
No specific transfer requirements.
3.4.4.4 Disposal Requirements
PUBLIC information shall be disposed of at the end of its retention period OR at the release of a
related litigation or audit hold.
3.5 Data Privacy
Personally Identifiable Information (PII) is information about a person that contains some unique
identifier, including but not limited to name, email, contact details or unique identification number,
from which the identity of the person can be determined. PII may be further divided into:
1. Sensitive Personal Information (SPI)
2. Other Personal Information (OPI)
Any incident of data privacy violation must be reported immediately to the concerned authority so
that the exposure can be contained. Refer to Incident and Problem Management Policy.
3.5.1 Identification of Personally Identifiable Information (PII)
Sensitive personal data or information of a person shall include information collected, received,
stored, transmitted or processed by a body corporate or intermediary or any person, consisting of:
1. Password
2. User details as provided at the time of registration or thereafter
3. Financial information such as bank account / credit card / debit card / other payment instrument
details of the users
4. Physiological and mental health condition
5. Medical records and history
6. Biometric information
7. Information received by the body corporate for processing, stored or processed under lawful
contract or otherwise
8. Call data records
Any PII which is not considered SPI as per the above categorization will be treated as OPI.
3.5.2 Collection of PII
1. Organization or any person on its behalf shall obtain consent of the provider of the information
regarding purpose, means and modes of use before collection of such information.
2. Organization or any person on its behalf shall not collect sensitive personal information unless:
- the information is collected for a lawful purpose connected with a function or activity of the agency;
- the collection of the information is necessary for that purpose.
3. While collecting information directly from the individual concerned, Organization or any person on
its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the individual
concerned is aware of:
- the fact that the information is being collected; and
- the purpose for which the information is being collected; and
- the intended recipients of the information.
4. Organization or any person on its behalf holding sensitive personal information shall not keep that
information for longer than is required for the purposes for which the information may lawfully be
used.
5. The information collected shall be used for the purpose for which it has been collected.
6. Organization or any person on its behalf shall permit the users to review the information they had
provided and modify the same, wherever necessary.
3.5.3 Storage, Transfer & Destruction of PII
1. SPI will be accorded the same level of security as confidential information irrespective of the
classification of such information. Please refer to Lifecycle Processes for Confidential Information for
storage, transfer and destruction of SPI.
2. OPI will be accorded the same level of security as Restricted Information irrespective of the
classification of such information.
Please refer to Lifecycle Processes for Restricted Information for storage, transfer and destruction of
OPI.
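The roll-up in 3.5.3 (SPI handled as Confidential, OPI as Restricted, whichever is stricter than the owner-assigned label), together with the unlabelled-defaults-to-INTERNAL-USE-ONLY rule of 3.4.3.1 and the labeling, encryption and sensitivity-statement rules of 3.4.1 and 3.4.2, can be expressed as a policy-as-code check over an outbound transfer. This is an added example, not part of the policy document; the Transfer record and the check_transfer function are assumptions of the example.

```python
"""Policy-as-code check for the handling rules of this Data Classification
Policy. Added example, not part of the policy document: the labels, the
SPI/OPI roll-up (3.5.3), the unlabelled-defaults-to-INTERNAL rule (3.4.3.1)
and the transfer rules (3.4.1.x, 3.4.2.x) come from the policy; the Transfer
record and check_transfer() are assumptions of this example."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):  # ordered so that max() picks the stricter label
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3


# 3.5.3: SPI is protected as Confidential, OPI as Restricted, regardless of
# the owner-assigned classification, so the PII type acts as a floor.
PII_FLOOR = {"SPI": Level.CONFIDENTIAL, "OPI": Level.RESTRICTED, None: Level.PUBLIC}


def effective_level(assigned: Optional[Level], pii: Optional[str]) -> Level:
    """Stricter of the owner-assigned label and the PII floor."""
    # 3.4.3.1 item 1: unlabelled information is treated as INTERNAL USE ONLY.
    base = Level.INTERNAL if assigned is None else assigned
    return max(base, PII_FLOOR[pii])


@dataclass
class Transfer:
    """One outbound message or document (constructed input, not from the policy)."""
    assigned: Optional[Level]
    pii: Optional[str]        # "SPI", "OPI" or None
    subject: str
    external: bool            # leaves the Organization network
    encrypted: bool           # encrypted or sent over a secured channel
    caution_statement: bool   # recipient told of sensitivity / handling rules


def check_transfer(t: Transfer) -> List[str]:
    """Return the clauses the transfer violates; an empty list means compliant."""
    level = effective_level(t.assigned, t.pii)
    violations: List[str] = []
    if level >= Level.RESTRICTED:
        # 3.4.1.1 item 4 / 3.4.2.1 item 5: label in subject, header or footer
        if level.name not in t.subject.upper():
            violations.append(f"{level.name}: label missing from subject")
        # 3.4.1.3 item 1 / 3.4.2.3 item 1: encrypt when leaving the network
        if t.external and not t.encrypted:
            violations.append(f"{level.name}: sent externally without encryption")
        # 3.4.1.3 item 4 / 3.4.2.1 item 4: statement about sensitivity/handling
        if not t.caution_statement:
            violations.append(f"{level.name}: no sensitivity statement to recipient")
    return violations


if __name__ == "__main__":
    # Constructed sample: owner labelled it INTERNAL, but it carries OPI.
    sample = Transfer(Level.INTERNAL, "OPI", "customer contact list", True, False, False)
    for v in check_transfer(sample):
        print(v)
```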
3.5.4 Processing of PII
1. All customer and employee data shall be classified as per the “Asset Management Procedure”.
2. Personal data of customers/employees shall be securely stored, in manual or electronic form, and in
accordance with the IT Act.
3. Personal data of customers/employees shall not be stored for longer than is required unless
otherwise mandated by any law.
4. Personal data of customers/employees shall be used for the purpose for which it has been collected.
5. Access to the sensitive data shall be provided strictly on the basis of need to know.
6. Backup of sensitive data on a removable storage media shall be kept in safe and secure
environment.
3.5.5 Disclosure of PII
1. If any of the Organization’s customer/employee requests to view his/her own sensitive information
collected, it shall be made available.
2. Organization shall not disclose an individual's personal data outside Organization except:
- When Organization expresses consent to do so, or in circumstances as agreed between Organization
and the individual
- When necessary, to our regulatory bodies and auditors
- When Organization is required or permitted to do so by law
- To any persons, including insurers and lenders who supply benefits or services to the individual
- To fraud prevention agencies where required
3. Data protection tools like data loss prevention, digital rights management etc. shall be implemented
to prevent unauthorized disclosure of sensitive data.