Data Classification Policy

Data classification provides a way to categorize data processed by RD&X Network, its software and systems, based on levels of sensitivity. The purpose of this policy is to establish a framework for classifying data based on its sensitivity, value and criticality to the organization. By understanding the types of available data, its classification and access level, you can map the appropriate access/protection of the data. This ensures that sensitive corporate and customer data can be secured appropriately.

Scope

The RD&X Network Data Classification Policy applies to all data handled, managed, stored, or transmitted by RD&X Network and RD&X Network staff. Managers and/or information owners are responsible for assigning the appropriate classification as and when required. 

Roles and Responsibilities

Everyone at RD&X Network is responsible to review, adhere to and handle data according to the classification levels below. The Data Classification definitions (described below) provide a list of various types of data and their classification level. If you cannot identify the data element or are uncertain of the risk associated with the data and how it should be classified and handled, please contact the Information Security Officer. 

Data Classification Definitions

We classify data in to the following types 

  1. Public 

This is data or information that can be shared with any person, organization, system regardless of their relationship with RD&X Network. This classification is not limited to data or information that is meant for public consumption, but includes any data or information that requires no special handling, or any kind 

of safeguarding from disclosure. Distribution of such data does not expose RD&X Network, its customers or its partners to any harm. 

Examples of public data: Product blog, Company product website, Press releases, Company marketing collateral, Careers page etc

  1. Company classified 

This is data and information that should not be made generally available. Unauthorized access or disclosure could cause significant or financial material loss, risk of harm to RD&X Network if exposed to unauthorized parties, break contractual obligations, and/or adversely impact RD&X Network, its partners, employees, and eventually customers. Such information is to be protected from unauthorized access or changes. Company classified data should only be accessible to pre-authorized staff members. Note that access to such data can also be limited to specific staff members or groups of staff members (like executives, human resources, legal teams etc). 

Unauthorized access to company classified information could violate privacy policies, contractual agreements, cause security incidents, cause financial loss, crucial gains for competitors, and/or adversely impact RD&X Network, its partners, staff. 

Examples of Company classified data: Employee salaries, Legal documents, Internal product specifications, customer lists, Strategy documents, internal roadmaps, design documents, Internal memos or emails etc 

  1. Customer classified 

Customer classified data is one that if accessed by unauthorized parties may adversely affect RD&X Network’s customers. This includes data that RD&X Network is required to keep confidential, either by law or under a customer agreement. We have to protect such information from not just unauthorized access but also unauthorized modification. Customer-classified data should be safeguarded both when it is stored as well as being processed/used/transmitted. 

Unauthorized access to such data can potentially violate contractual confidentiality agreements with customers, cause a security incident, or affect RD&X Network’s customer and industry confidence. 

Examples of Customer classified data: Information provided by customers by the way of using our system, information of users of customer accounts, personally identifiable information of customers (or customer’s customers) etc. 

Non Compliance 

Compliance with this policy will be verified through various methods, including but not limited to, automated reporting, audits, and feedback to the policy owner. 

Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment, or contractual agreement. The action will depend on the extent,

intent and repercussions of the specific violation(s).

Questions

If you have any questions regarding this policy, please reach out to: Prabhat Kumar at (prabhat.kumar@rebid.co)

â•ł