Confidential Data Policy
Section of: Corporate Security Policies
Target Audience: Users, Technical
Phoenix Lithographing is hereinafter referred to as “the company.”
Confidential data is typically the data that holds the most value to a company. Often, confidential data is valuable to others as well, and thus can carry greater risk than general company data. For these reasons, it is good practice to dictate security standards that relate specifically to confidential data.
The purpose of this policy is to detail how confidential data, as identified by the Data Classification Policy, should be handled. This policy lays out standards for the use of confidential data, and outlines specific security controls to protect this data.
The scope of this policy covers all company-confidential data, regardless of location. Also covered by the policy are hardcopies of company data, such as printouts, faxes, notes, etc.
Some services that the company provides require that we handle customer-owned data that is confidential, such as mailing lists. This policy also covers all confidential customer-owned data. It is important to note that the requirements for the treatment of confidential customer-owned data may differ from those of company-owned data. Any and all additional requirements for the treatment of confidential customer-owned data must be detailed in a Service Agreement between the customer and the company and will apply in addition to this policy.
4.1 Treatment of Confidential Data
For clarity, the following sections on storage, transmission, and destruction of confidential data are restated from the Data Classification Policy. Guidelines are issued by the organization on the ownership, classification, retention, storage, handling and disposal of all records and information. Designated senior management within the organization reviews and approves the security categorizations and associated guidelines.
Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use. Confidential information should be stored under lock and key (or keycard/keypad), with the key, keycard, or code secured.
- The organization restricts the location of facilities that process, transmit or store covered information (e.g., to those located in the United States), as needed, based on its legal, regulatory, contractual and other security and privacy-related obligations.
- Important records, such as contracts, personnel records, financial information, client/customer information, etc., of the organization are protected from loss, destruction and falsification through the implementation of security controls such as access controls, encryption, backups, electronic signatures, locked facilities or containers, etc.
Confidential data must not be:
- Transmitted outside the company network without the use of strong encryption,
- Left on voicemail systems, either inside or outside the company’s network.
- Recording or photography of any Electronic Protected Health Information (ePHI) is strictly prohibited.
- The organization never sends unencrypted sensitive information by end-user messaging technologies (e.g., email, instant messaging, and chat).
The organization ensures the risk of information leakage to unauthorized persons during secure media disposal is minimized. If collection and disposal services offered by other organizations are used, care is taken in selecting a suitable contractor with adequate controls and experience. Disposal methods are commensurate with the sensitivity of the information contained on the media. Confidential data must be destroyed in accordance with NIST SP800-88 Guidelines for Media Sanitation. The following guidelines apply:
- Paper/documents: Shredding is required. Shred size of the refuse should be small enough that there is reasonable assurance in proportion to the data confidentiality level that the information cannot be reconstructed.
NOTE: Document Shredder bins are self-service and are available for use in the following locations:
- Sales Offices – First Floor – Beside the Copier
- Accounting Departments – First Floor – Beside the Copier
- Production Department – Second Floor – Beside the Copier
- Storage media (CD’s, DVD’s): Physical destruction or disintegration that reduces media to particles that have nominal edge dimensions of five millimeters (5 mm) and surface area of twenty-five square millimeters (25 mm2).
NOTE: Storage Media destruction must be specially arranged by the Information Technology department.
- Hard Drives/Systems/Mobile Storage Media: At a minimum, data wiping must be used. Simply reformatting a drive does not make the data unrecoverable. If wiping is used, the company must use the most secure commercially-available methods for data wiping. Alternatively, the company has the option of physically destroying the storage media.
NOTE: Drive destruction or wipe must be specially arranged by the Information Technology department.
4.2 Use of Confidential Data
A successful confidential data policy is dependent on the users knowing and adhering to the company’s standards involving the treatment of confidential data. The following applies to how users must interact with confidential data:
- Users must be advised of any confidential data they have been granted access. Such data must be marked or otherwise designated “confidential.”
- Users must only access confidential data to perform his/her job function.
- Users must not seek personal benefit, or assist others in seeking personal benefit, from the use of confidential information.
- Users must protect any confidential information to which they have been granted access and not reveal, release, share, email unencrypted, exhibit, display, distribute, or discuss the information unless necessary to do his or her job or the action is approved by his or her supervisor.
- Users must report any suspected misuse or unauthorized disclosure of confidential information immediately to his or her supervisor and/or a member of the Information Technology Team.
- If confidential information is shared with third parties, such as contractors or vendors, a confidential information or non-disclosure agreement must govern the third parties’ use of confidential information. Refer to the company’s outsourcing policy for additional guidance.
- Phoenix will not host any ecommerce or online sites which handle PHI/PII
- The organization takes specific steps to ensure the confidentiality and integrity of electronic commerce are maintained.
- Data involved in electronic commerce and online transactions is checked to determine if it contains covered information.
- The organization permits an individual to request restriction of the disclosure of the individual’s covered information to a business associate for purposes of carrying out payment or health care operations, and is not for purposes of carrying out treatment, and responds to any requests from an individual on the disclosure of the individual’s covered information.
4.3 Security Controls for Confidential Data
Confidential data requires additional security controls in order to ensure its integrity. The company requires that the following guidelines are followed:
- Strong Encryption. Strong encryption must be used for confidential data transmitted external to the company. If confidential data is stored on laptops or other mobile devices, it must be stored in encrypted form.
- Network Segmentation. Separating confidential data by network segmentation is strongly encouraged.
- Strong passwords must be used for access to confidential data.
- Physical Security. Systems that contain confidential data should be reasonably secured.
- Printing. When printing confidential data the user should use best efforts to ensure that the information is not viewed by others. Office printers that are used for confidential data must be located in secured areas.
- The organization does not send PII over facsimile (FAX), unless it cannot be sent over other, more secure channels, e.g., delivery by hand, secure email. When faxing confidential data, users must use cover sheets that inform the recipient that the information is confidential. Faxes should be set to print a confirmation page after a fax is sent; and the user should attach this page to the confidential data if it is to be stored. Fax machines that are regularly used for sending and/or receiving confidential data must be located in secured areas.
- Confidential data must not be emailed outside the company without the use of strong encryption.
- If confidential information is sent outside the company, the user must use a service that requires a signature for receipt of that information. Covered information must be protected so not viewable without opening the piece/package.
- When confidential information is discussed it should be done in non-public places, and where the discussion cannot be overheard.
- Documents Confidential data must be removed from doc. unless its inclusion is absolutely necessary.
- Home Computer Confidential data must never be stored on non-company-provided machines (i.e., home computers).
- Whiteboard If confidential data is written on a whiteboard or other physical presentation tool, the data must be erased after the meeting is concluded.
- Listing The organization maintains a current listing of all workforce members (individuals, contractors, vendors, business partners, etc.) with access to covered information (e.g., PII).
4.4 Examples of Confidential Data
The following list is not intended to be exhaustive, but should provide the company with guidelines on what type of information is typically considered confidential. Confidential data can include:
- Employee or customer social security numbers or personal information
- Medical and healthcare information
- Electronic Protected Health Information (ePHI)
- Customer data
- Company financial data (if company is closely held)
- Sales forecasts
- Product and/or service plans, details, and schematics
- Network diagrams and security configurations
- Communications about corporate legal matters
- Bank account information and routing numbers
- Payroll information
- Credit card information
- Any confidential data held for a third party (be sure to adhere to any confidential data agreement covering such information).
4.5 Emergency Access to Data
A procedure for accessing confidential and critical data during an emergency is often a good idea if the company handles information that is integral to the health, well-being, or protection of other persons or entities. If the company maintains this type of data, it should consider establishing such a procedure in case the normal mechanism for access to the data becomes unavailable or disabled due to system or network problems.
4.6 Applicability of Other Policies
This document is part of the company’s cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.
This policy will be enforced by the Chief Technology Officer and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.
- Authentication A security method used to verify the identity of a user and authorize access to a system or network.
- Encryption The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.
- Mobile Data Device A data storage device that utilizes flash memory to store data. Often called a USB drive, flash drive, or thumb drive.
- Two-Factor Authentication A means of authenticating a user that utilizes two methods: something the user has, and something the user knows. Examples are smart cards, tokens, or biometrics, in combination with a password.