Information Classification Policy

Introduction

This document outlines how Redgate classifies internal and external (e.g. customer) data.

Information classification is crucial in information security because it helps Redgate identify and prioritize the level of protection needed for different types of information. By classifying information, such as documents or data, based on its sensitivity and importance, Redgate can determine how to securely handle, store, and transmit that information. This classification allows for the implementation of appropriate security controls and safeguards, reducing the risk of unauthorised access, disclosure, or misuse, and ensuring that information is protected according to its value and potential impact on Redgate and its customers.

As such, this policy explains how to classify data. It may be useful to read this policy alongside our Information Classification Guidelines (internal document - link removed).

Scope

This policy applies to all information held by and on behalf of Redgate, extending to all Redgaters, contractors, suppliers, and third-party entities that have access to Redgate’s information systems and data.

Classifications explained

Redgate is determined to make it as easy as possible to ensure the security of our data. To facilitate this, four levels of classification have been identified. These are described in brief below, with further details on each classification provided in Appendix A.

Restricted

Where the inappropriate disclosure of the data will cause long term and/or severe damage or distress to Redgate, our customers, or to an individual. Access to Restricted information would usually be restricted to the author and a small number of named individuals, or small distribution group.

Used when the document owner would not want the information to be shared further without being consulted first.

Internal – Default Status

Where the inappropriate disclosure of the data may have a short-term negative impact on Redgate, our customers, or to an individual. Access to Internal information would usually be restricted to user groups with a business requirement for access. Use where the document author would not want to be notified before the information was shared (internally) with others outside the original distribution group.

Information not carrying a label will be considered Internal unless obviously intended for public consumption in which case it will be classed as Public.

External Confidential

Used to classify information shared between Redgate and Customers or Suppliers. Low sensitivity data where inappropriate disclosure may have minimal impact on Redgate, our customers.

Redgate requires no controls in place between ourselves and interested parties.

Public

Data that can be made freely available to the public.

How to share documents externally

Where a restricted or internal classified document needs to be shared externally, Redgate requires either a signed NDA, or a signed contractual agreement in place between Redgate and the organisation the document will be shared with. Contact █████

When transferring information externally, you should take suitable steps to ensure the protection of the information at all times. Please refer to Restricted or Internal classification for further information on handling guidelines. See Appendix A for more information.

Quotes, Invoices, Supplier Discussions and Sales Material have a status of “External Confidential” and Redgate require no NDA or contractual agreement in place between ourselves and interested parties for this type of information.

Roles and responsibilities

The creator/owner of information is responsible for ensuring that the appropriate information classification is assigned and where appropriate, labelled, to ensure correct handling. Recipients of documents are responsible for ensuring information is handled appropriately.

The classification assigned shall be reviewed periodically by the asset owner to ensure it is still appropriate in the light of changes to legal and regulatory requirements as well as changes in the use and handling of data or its value to Redgate.

All individuals who access, use or manage our data are responsible for handling the data securely, and to seek advice from the Info Security Team where they require more clarification.

The Director of IT is responsible for maintaining this policy and providing support and advice during its implementation.

All managers are directly responsible for implementing the policy and ensuring staff compliance in their respective departments.

APPENDIX A

Classification Type: Restricted

Examples

• Highly sensitive commercial information relating to the organisation or another organisation, (e.g. a trade secret; commercially sensitive strategy);
• Sensitive financial information, (e.g. contractual information at time of tender);
• Special category personal information, (as defined by GDPR, e.g. race or ethnicity, political opinions, religious beliefs, trade union membership, physical or mental health, sexual orientation, information to do with criminal offences);
• Sensitive IT information, (e.g. authentication details (passwords)).
• Sensitive personal information about individuals who can be identified from it, (e.g. salary information)
• HR Records
• Long Term Incentive Plan details
• Data shared by customers that contains customer-scoped personal data

Level of Protection Required

Restricted information requires a high level of security controls that will ensure its confidentiality and integrity are maintained at all times.

System controls consisting of Role Based Access Control (RBAC), Multi-Factor Authentication (MFA), Single Sign On (SSO), Audit Logs.

Sharing

Restricted information should only be shared where required, such as:

• Only share digital information through file sharing links to Redgate approved services (e.g. Sharepoint)
• Only provide hard copies to authorised individuals in face-to-face meetings and retrieve those copies at the completion of any meeting. Where this is not possible, post or hand delivery with the appropriate marking in place.

Do not share information externally unless a signed NDA/agreement is in place.

Those receiving Restricted information must only make additional copies or edits with the originator’s permission and only on a 'need-to-know' basis within Redgate or external to the company, to fulfil statutory and legal requirements.

Restricted information can be shared externally to named individuals if appropriate controls are in place but only with permission of the document owner or c-suite level approval.

Storage

Restricted information should be maintained and stored in either:

• secure centrally managed storage with named access; or
• secure physical storage areas.

Access should be limited to named data owners and authorised individuals. Appropriate monitoring controls and backup arrangements must be put in place. Only Redgate approved storage facilities should be used where third parties are responsible for data management.

Transfer

Transfer of Restricted information should be carefully considered, and the information protected at all times. Suitable transfer methods are:

• Shared link to the file within SharePoint/OneDrive, thereby retaining ownership and control of the data.
• By post – recorded delivery.

Disposal

Restricted information should be securely wiped off electronic devices where the device has been decommissioned or the data uploaded (as per Storage above). Disposal of paper records requires shredding.

Classification Type: Internal

Examples

• Commercial performance data
• Product source code
• Solution Group Strategies
• Strategies
• Company plans and OKRs
• Company comms
• Commercially sensitive information

Level of protection required

Internal information requires suitable security controls that will ensure confidentiality and integrity are maintained at all times.

System controls consisting of Role Based Access Control (RBAC), Multi-Factor Authentication (MFA), and Single Sign On (SSO) for systems classified as Critical.

Sharing

Access to Internal information should be limited to those with reasonable business requirement.

Storage

Internal information should be stored within centrally managed shared areas, cloud storage, or restricted physical storage areas.

Access should be limited to named data owners and named roles.

Transfer

Transfer of Internal information should be carefully considered, and the information protected at all times.

Do not share information externally unless a signed NDA/agreement is in place.

Suitable transfer methods include:

• Email or file-sharing having first encrypted the information using strong encryption and a password that meets the requirements described in A.9.4 - Password Policy
• Share the link to the file within SharePoint/OneDrive, thereby retaining ownership and control of the data.
• Shared link to the file/data/record thereby retaining ownership and control of the data requiring authentication.

Disposal

Internal information should be securely wiped off electronic devices where the device has been decommissioned or the data uploaded (as per Storage above). Disposal of paper records requires shredding.

Classification Type: External Confidential

Examples

• Quotes
• Invoices
• Sales Conversations
• Supplier Quotes

Level of protection required

Document can be shared with external suppliers. Document can be forwarded on to others at Redgate without the document creator being asked.

Minimal protection required. It should be stored on centrally managed shared areas or cloud storage areas with appropriate backup arrangements in place.

Sharing

Access to “External Confidential” information should be limited to internal and specific external parties with reasonable business requirement.

Storage

Information should preferably be stored within centrally managed shared areas, cloud storage.

Transfer

Transfer of information should be carefully considered, best efforts taken to protect the information.

Information can be shared externally without pre-existing agreements in place.

Suitable transfer methods include:

• Email or file-sharing
• Share the link to the file within SharePoint/OneDrive, thereby retaining ownership and control of the data.
• Shared link to the file/data/record thereby retaining ownership and control of the data requiring authentication.

Disposal

Disposal should follow normal file deletion or non-confidential paper record disposal procedures.

Classification Type: Public

Examples

• Information which is in the public domain, (e.g. annual financial accounts, published reports);
• Information which should be routinely disclosed, (e.g. some minutes of meetings)
• Information that Redgate would happily publish on its websites.

Level of protection required

Such information should be available to Redgate staff and the general public.

It should be stored on centrally managed shared areas or cloud storage areas with appropriate backup arrangements in place.

It should be kept up-to-date and access to make changes to it should be limited to only those authorised to make relevant changes.

Disposal should follow normal file deletion or non-confidential paper record disposal procedures.