
Information sensitivity

 

Introduction

The Sensitivity Guidelines provide details on how to protect information at varying sensitivity levels. Use these guidelines as a reference only, as information in each category may necessitate more or less stringent measures of protection depending upon the circumstances and the nature of the information in question. Information includes electronic information, information on paper, and information shared orally or visually. This includes documentation, configuration, system access, personal notes, and all other forms of information. Confidential information should not be left unattended at any time.
 
PCI Pal staff are encouraged to use common-sense judgment in securing PCI Pal information to the proper extent whilst still allowing for its rightful and productive use. If an employee is uncertain of the sensitivity of a particular piece of information, they should contact their manager and treat the information as sensitive until confirmed otherwise.
 
In general, unless specifically agreed with the Information Security & Compliance (ISC) team in advance, all PCI Pal data and work must be handled on hardware provided by PCI Pal. Personal phones, computers, tablets, etc. are not appropriate access or storage devices for PCI Pal data and systems. Paper documents should not be stored on desks or in filing cabinets that non-staff can access. Contact the ISC team if you require suitable hardware for your role and responsibilities.
 

Classifications

 
There are four classifications for PCI Pal information, in order from least to most restricted:
 
 

Public

Declared not commercially sensitive; can be given freely to staff, customers and suppliers without any possible damage to PCI Pal, and is suitable for full public release beyond customers, suppliers, etc.
 
General corporate information; some personnel and technical information. No commercially sensitive data. Marking is at the discretion of the owner or custodian of the information, but if no marking is present, PCI Pal information (aside from standard marketing publications) is presumed to be Internal Only unless expressly determined to be otherwise by a PCI Pal employee with authority to do so.
 
Access: PCI Pal employees, contractors, people with a business need to know, prospective customers. General release to public permissible where appropriate.
Distribution within PCI Pal: Approved electronic mail and electronic file transmission methods.
Distribution outside PCI Pal: Approved electronic mail and electronic file transmission methods, or any public or private Postal carriers.
Electronic distribution: No restrictions, save Director approval for general public release.
Storage: Basic theft-avoidance methods such as locking computers and drawers – see Clear Desks and Clear Screens policy.
Disposal/Destruction: Deposit outdated paper information in shredders (preferably those in PCI Pal offices); electronic data should be archived or deleted as standard. Reliably erase or physically destroy other media; the ISC team can be notified to handle this.
 

Confidential

The majority of PCI Pal information falls into this classification. Some information is more sensitive than other information and should be protected more securely, and some fringe cases are arguable on the classification boundaries. Included is information that is less critical than Internal Only but is still somewhat sensitive, such as contact information, general corporate information and personnel information; business, financial, technical and most personnel information; and commercially sensitive data such as designs, methods or procedures. Data shared with PCI Pal under non-disclosure agreements is at least Confidential.
 
All Confidential documents should be marked as such. Other labels may be used at the discretion of your individual department to reflect the sensitivity of the information or to demarcate a more specific protection scheme, such as "For Prospects only", the name of the specific customer it is intended for, or other similar labels.
 
Access: PCI Pal employees as needed, non-employees under non-disclosure agreements with a business need to know.
Distribution within PCI Pal: Approved electronic mail and electronic file transmission methods.
Distribution outside PCI Pal: Approved and encrypted electronic file transmission methods, Royal Mail or approved private Postal carriers.
Electronic distribution: No restrictions to approved recipients within PCI Pal, but requires signed NDA and specific business need to know prior to sharing with approved recipients outside PCI Pal.
Storage: Individual access controls are highly recommended for electronic information. Erase from whiteboards after discussion, lock paper documents away in designated storage, avoid leaving open on working surfaces for prolonged periods. See Clear Desks and Clear Screens policy.
Disposal/Destruction: Deposit outdated paper information in shredders on PCI Pal premises (or shredders meeting approved standards); electronic data may be archived securely where needed but must otherwise be deleted from all individual devices. Reliably erase or physically destroy other media and ensure secure disposal of drives containing such data.
 

Internal Only

Trade secrets and marketing, operational, personnel, financial, and technical information integral to the success of our Organisation. Highly commercially sensitive documents such as business strategies or plans. Highly sensitive data of other organisations entrusted to PCI Pal.
 
All Internal Only documents must be marked as such. Other labels may be used at the discretion of your individual department to reflect the sensitivity of the information or to demarcate a more specific protection scheme, such as "PCI Pal Engineering", "PCI Pal News", or "Incident Response".
 
Users should be aware that this information is very sensitive and should be protected as such. Any uncertainty over classification should result in the presumption of Internal Only status until and unless expressly determined to be otherwise by a PCI Pal employee with authority to do so.
 
Access: Only PCI Pal employees.
Distribution within PCI Pal: Approved electronic file transmission methods, or direct delivery.
Distribution outside PCI Pal: Should not be applicable. Where specifically required, only by approved and encrypted electronic mail or file transmission methods, or signature-required direct delivery by approved private Postal carriers.
Electronic distribution: No restrictions to recipients within PCI Pal, but it is recommended that all Internal Only information be strongly encrypted and password protected even for internal distribution.
Storage: Individual access controls are recommended for electronic information. Physical security should also be guaranteed, e.g. information should be stored in a physically secured computer or container. Erase from whiteboards immediately after use, only work on such data in secured and private areas. Do not print or move paper copies of this information outside of PCI Pal premises. See Clear Desks and Clear Screens policy.
Disposal/Destruction: Deposit outdated paper information in shredders on PCI Pal premises; electronic data should be expunged and securely erased, not merely ‘deleted’.  Devices that have handled this information must be protected until scheduled for disposal, then securely disposed regardless of other concerns.
 

Restricted Access

Source code, elevated access credentials, HR records, financial reports. Highly commercially sensitive documents such as business strategies or plans. Anything which should not be freely released even within PCI Pal, anything which is only appropriate, safe or legal to share with specific personnel.
 
All Restricted Access documents must be marked as such, with no exceptions. Accompanying labels are recommended at the discretion of your individual department. These accompanying labels should reference a specific protected data type or the specific intended recipient, such as "HR - Sensitive", "Emergency Access Credentials", or "PCI Pal Management Report".
 
Access: Only those PCI Pal employees designated with approved access by an appropriate authority.
Distribution within PCI Pal: Approved electronic file transmission methods, or direct delivery preferably in envelopes stamped ‘Confidential’, ‘Restricted Access’, or similar.
Distribution outside PCI Pal: Should not be applicable. Where specifically required, only by approved and encrypted electronic mail or file transmission methods, or signature-required direct delivery by approved private Postal carriers.
Electronic distribution: No restrictions to approved recipients within PCI Pal, but it is highly recommended that all information be strongly encrypted and password protected even for internal distribution.
Storage: Individual access controls are very highly recommended for electronic information. Physical security should also be guaranteed, e.g. information should be stored in a physically secured computer or container. Erase from whiteboards immediately after use, and only work on such data in secured and private areas. Do not print or move paper copies of this information outside of PCI Pal premises. Storage on removable storage media is not recommended. See Clear Desks and Clear Screens policy.
Disposal/Destruction: Deposit outdated paper information in shredders on PCI Pal premises; electronic data should be expunged and securely erased, not merely ‘deleted’.  Devices that have handled this information must be protected until scheduled for disposal, then securely disposed regardless of other concerns.
 

Enforcement

Depending on the severity of the violation, any employee found to have violated this Policy may be subject to retraining, restrictions on future activities, disciplinary action (up to and including termination of employment), and/or civil or criminal prosecution to the full extent of the law.
 