Version | 1.0 |
Date Published | December 16, 2022 |
Date Revised | |
Date Approved | December 12, 2022 |
Authority |
Director, IT Operations |
Purpose
The purpose of this policy is to establish a framework for classifying Lifemark data based on its level
of sensitivity, value, and criticality. Classification of data will
aid in determining baseline security controls for the protection of data.
Scope
This policy applies to Lifemark Health management, staff, contractors, students, and volunteers who is authorized to access Lifemark Data.
Information Classification
Data classification, in the context of information security, is the classification of data based on its level
of sensitivity and the impact to Lifemark should that data be disclosed, altered, or destroyed
without authorization. The classification of data helps determine what baseline security controls are
appropriate for safeguarding that data. All Lifemark data should be classified into one of three
sensitivity levels, or classifications:
1.1“Public”: Classify and label information as “Public” if it is intended for public use. This information, when used as intended, will not adversely affect Enterprise operations, assets, reputation, or legal obligations
1.2"Internal”: Classify and label information as “Internal Use” if it is not intended for parties external to Enterprise. This information can, dependent on the business requirement, be provided on a need-to-know basis to third parties. This information, if disclosed, will minimally affect Enterprise operations, assets, reputation, or legal obligations.
1.3“Confidential”: Classify and label information as “Confidential” if it is intended for limited use within the Enterprise. This information, if disclosed inappropriately, will seriously affect Enterprise operations, assets, reputation, or legal obligations
1.4“Restricted”: Classify and label information as “Restricted” if it is highly sensitive and/or regulated by law (e.g., personally identifiable information and personal health information), and/or intended for very limited use within the Enterprise. This information, if disclosed inappropriately, will significantly affect Enterprise operations, assets, reputation, or legal obligations.
Document Control:
This Process is an evolving document and shall be reviewed annually. Updates are made to respond or reflect changes to business, information processing, and regulatory environments, or introduction of infrastructure change/modification.
Owner
This document is owned and managed by Director of IT Operations
Comments
0 comments
Please sign in to leave a comment.