DATA GOVERNANCE & CLASSIFICATION GUIDELINES

PURPOSE

The purpose of this policy is to establish a framework for classifying data based on its level of sensitivity, value and criticality to Kredit. Classification of data will aid in determining baseline security controls for protection of data.

DATA GOVERNANCE

Data governance focuses on improving data quality, protecting access to data, establishing business definitions, maintaining metadata, and documenting data policies. Kredit's information is a valuable asset and must be maintained and protected as such. Accurate, trusted data is essential to sound decision-making at every level of the organization. Data governance provides transparency over how data is produced, stored and used, so that Kredit and its customers can rely on that data for information and decision support.

GOVERNING DATA IN PRACTICE

The following principles are set forth as minimum standards to govern the appropriate use and management of institutional data:

  • Institutional data is the property of Kredit and shall be managed as a key asset.

  • Unnecessary duplication of data is discouraged.

  • Data shall be protected.

  • Data shall be accessible according to defined needs and roles.

  • Necessary maintenance of data shall be defined.

  • Resolution of issues related to data shall follow consistent processes.

  • Data stewards are responsible for the subset of data in their charge.

ROLES REQUIRED TO GOVERN DATA

Several roles and responsibilities govern the management of, access to, and accountability for data.

  • Executive team: The team comprises the CEO and CTO of the company. While the Kredit platform is still being built out, overall data governance falls to this group.

  • Data users: Senior-level employees of the company who have been granted access to one or more data sets in order to directly support the Kredit application.

DATA CLASSIFICATION

Data classification, in the context of information security, is the categorization of data according to its level of sensitivity and the impact to Kredit should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels, or classifications:

Restricted: Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to Kredit. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data.

Private: Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to Kredit. By default, all data that is not explicitly classified as Restricted or Public should be treated as Private data. A reasonable level of security controls should be applied to Private data.

Public: Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to Kredit. Examples of Public data include press releases, course information and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.

CHANGE SUMMARY

Purpose: Internal Policy

Category: Information Security Policy

Policy Name: Data Governance & Classification Guidelines

Event: Creation and Implementation

Event Date: 01/10/2022

Event By: Kenny Lai, CTO

Date Reviewed: 01/10/2022

Reviewed By: Dave Hanrahan, CEO

Version: 1.0
