Information Classification Policy

Introduction

This document outlines how Redgate classifies internal and external (e.g. customer) data.

Information classification is crucial in information security because it helps Redgate identify and prioritize the level of protection needed for different types of information. By classifying information, such as documents or data, based on its sensitivity and importance, Redgate can determine how to securely handle, store, and transmit that information. This classification allows for the implementation of appropriate security controls and safeguards, reducing the risk of unauthorised access, disclosure, or misuse, and ensuring that information is protected according to its value and potential impact on Redgate and its customers.

As such, this policy explains how to classify data.

Scope

This policy applies to all information held by and on behalf of Redgate, extending to all Redgaters, contractors, suppliers, and third-party entities that have access to Redgate’s information systems and data.

Classifications explained

Redgate is determined to make it as easy as possible to ensure the security of our data. To facilitate this, four levels of classification have been identified. These are described in brief below, with further details on each classification provided in Appendix A.

Restricted

Where the inappropriate disclosure of the data will cause long-term and/or severe damage or distress to Redgate, our customers, or an individual. Access to Restricted information would usually be restricted to the author and a small number of named individuals, or a small distribution group.

Used when the document owner would not want the information to be shared further without being consulted first.

Internal – Default Status

Where the inappropriate disclosure of the data may have a short-term negative impact on Redgate, our customers, or an individual. Access to Internal information would usually be restricted to user groups with a business requirement for access. Use where the document author would not want to be notified before the information was shared (internally) with others outside the original distribution group.

Information not carrying a label will be considered Internal unless it is obviously intended for public consumption, in which case it will be classed as Public.

External Confidential

Used to classify information shared between Redgate and customers or suppliers. Low-sensitivity data where inappropriate disclosure may have minimal impact on Redgate or our customers.

Redgate requires no controls in place between ourselves and interested parties.

Public

Data that can be made freely available to the public.

How to share documents externally

Where a Restricted or Internal classified document needs to be shared externally, Redgate requires either a signed NDA or a signed contractual agreement in place between Redgate and the organisation the document will be shared with. Contact █████

When transferring information externally, you should take suitable steps to ensure the protection of the information at all times. Please refer to Restricted or Internal classification for further information on handling guidelines. See Appendix A for more information.

Quotes, Invoices, Supplier Discussions and Sales Material have a status of “External Confidential”, and Redgate requires no NDA or contractual agreement in place between ourselves and interested parties for this type of information.

Roles and responsibilities

The creator/owner of information is responsible for ensuring that the appropriate information classification is assigned and, where appropriate, labelled to ensure correct handling. Recipients of documents are responsible for ensuring information is handled appropriately.

The classification assigned shall be reviewed periodically by the asset owner to ensure it is still appropriate in the light of changes to legal and regulatory requirements as well as changes in the use and handling of data or its value to Redgate.

All individuals who access, use or manage our data are responsible for handling the data securely, and for seeking advice from the Info Security Team where they require further clarification.

The Director of IT is responsible for maintaining this policy and providing support and advice during its implementation.

All managers are directly responsible for implementing the policy and ensuring staff compliance in their respective departments.

APPENDIX A

Classification Type: Restricted

Examples

  • Highly sensitive commercial information relating to the organisation or another organisation (e.g. a trade secret; commercially sensitive strategy)
  • Sensitive financial information (e.g. contractual information at time of tender)
  • Sensitive personal information (e.g. race or ethnicity, political opinions, religious beliefs, trade union membership, physical or mental health, sexual orientation, information to do with criminal offences)
  • Sensitive IT information (e.g. authentication details such as passwords)
  • Personal information about individuals who can be identified from it (e.g. their salary information)
  • HR Records
  • Long Term Incentive Plan details
  • Data shared by customers that contains personal data

Level of Protection Required

Restricted information requires a high level of security controls that will ensure its confidentiality and integrity are maintained at all times.

System controls consist of Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), Single Sign-On (SSO) and Audit Logs.

Sharing

Restricted information should only be shared where required, and only by the following means:

  • Only share digital information through file sharing links to Redgate approved services (e.g. Sharepoint)
  • Only provide hard copies to authorised individuals in face-to-face meetings and retrieve those copies at the completion of any meeting. Where this is not possible, use post or hand delivery with the appropriate marking in place.

Do not share information externally unless a signed NDA/agreement is in place.

Those receiving Restricted information must only make additional copies or edits with the originator’s permission, and only on a 'need-to-know' basis, whether within Redgate or, to fulfil statutory and legal requirements, external to the company.

Restricted information can be shared externally with named individuals if appropriate controls are in place, but only with the permission of the document owner or C-suite level approval.

Storage

Restricted information should be maintained and stored in either:

  • secure centrally managed storage with named access; or
  • secure physical storage areas.

Access should be limited to named data owners and authorised individuals. Appropriate monitoring controls and backup arrangements must be put in place. Only Redgate-approved storage facilities should be used where third parties are responsible for data management.

Transfer

Transfer of Restricted information should be carefully considered, and the information protected at all times. Suitable transfer methods are:

  • Shared link to the file within SharePoint/OneDrive, thereby retaining ownership and control of the data.
  • By post – recorded delivery.

Disposal

Restricted information should be securely wiped from electronic devices where the device has been decommissioned or the data uploaded (as per Storage above). Disposal of paper records requires shredding.

Classification Type: Internal

Examples

  • Commercial performance data
  • Product source code
  • Solution Group Strategies
  • Strategies
  • Company plans and OKRs
  • Company comms
  • Commercially sensitive information

Level of protection required

Internal information requires suitable security controls that will ensure confidentiality and integrity are maintained at all times.

System controls consist of Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), and Single Sign-On (SSO) for systems classified as Critical.

Sharing

Access to Internal information should be limited to those with a reasonable business requirement.

Storage

Internal information should be stored within centrally managed shared areas, cloud storage, or restricted physical storage areas.

Access should be limited to named data owners and named roles.

Transfer

Transfer of Internal information should be carefully considered, and the information protected at all times.

Do not share information externally unless a signed NDA/agreement is in place.

Suitable transfer methods include:

  • Email or file sharing, having first encrypted the information using strong encryption and a password that meets the requirements described in A.9.4 - Password Policy
  • A shared link to the file within SharePoint/OneDrive, thereby retaining ownership and control of the data.
  • A shared link to the file/data/record that requires authentication, thereby retaining ownership and control of the data.

Disposal

Internal information should be securely wiped from electronic devices where the device has been decommissioned or the data uploaded (as per Storage above). Disposal of paper records requires shredding.

Classification Type: External Confidential

Examples

  • Quotes
  • Invoices
  • Sales Conversations
  • Supplier Quotes

Level of protection required

The document can be shared with external suppliers. The document can be forwarded to others at Redgate without the document creator being asked.

Minimal protection required. It should be stored on centrally managed shared areas or cloud storage areas with appropriate backup arrangements in place.

Sharing

Access to “External Confidential” information should be limited to internal and specific external parties with a reasonable business requirement.

Storage

Information should preferably be stored within centrally managed shared areas or cloud storage.

Transfer

Transfer of information should be carefully considered, and best efforts taken to protect it.

Information can be shared externally without pre-existing agreements in place.

Suitable transfer methods include:

  • Email or file sharing
  • A shared link to the file within SharePoint/OneDrive, thereby retaining ownership and control of the data.
  • A shared link to the file/data/record that requires authentication, thereby retaining ownership and control of the data.

Disposal

Disposal should follow normal file deletion or non-confidential paper record disposal procedures.

Classification Type: Public

Examples

  • Information which is in the public domain (e.g. annual financial accounts, published reports)
  • Information which should be routinely disclosed (e.g. some minutes of meetings)
  • Information that Redgate would happily publish on its websites

Level of protection required

Such information should be available to Redgate staff and the general public.

It should be stored on centrally managed shared areas or cloud storage areas with appropriate backup arrangements in place.

It should be kept up-to-date and access to make changes to it should be limited to only those authorised to make relevant changes.

Disposal should follow normal file deletion or non-confidential paper record disposal procedures.