Data Governance & Classification Guidelines
DATA GOVERNANCE & CLASSIFICATION GUIDELINES
PURPOSE
The purpose of this policy is to establish a framework for classifying data based on its level of sensitivity, value and criticality to Kredit. Classification of data will aid in determining baseline security controls for protection of data.
DATA GOVERNANCE
Data governance focuses on improving data quality, protecting access to data, establishing business definitions, maintaining metadata, and documenting data policies. Kredit’s information is a valuable asset and must be maintained and protected as such. It is vital to have accurate, trusted data in order to make sound decisions at all levels of an organization. Data governance helps to provide data transparency and results in confidence among Kredit and its customers to trust and rely on data for information and decision support.
GOVERNING DATA IN PRACTICE
The following principles are set forth as minimum standards to govern the appropriate use and management of institutional data:
Institutional data is the property of Kredit and shall be managed as a key asset.
Unnecessary duplication of data is discouraged.
Data shall be protected.
Data shall be accessible according to defined needs and roles.
Necessary maintenance of data shall be defined.
Resolution of issues related to data shall follow consistent processes.
Data stewards are responsible for the subset of data in their charge.
ROLES REQUIRED TO GOVERN DATA
Several roles and responsibilities govern the management of, access to, and accountability for data.
Executive team: The team comprises of the CEO and CTO of the company. While the Kredit platform is being fully built, overall data governance falls into this group.
Data users: Senior-level employee of the company that has been granted access to one or more sets of data in order to directly support the Kredit application.
DATA CLASSIFICATION
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to Kredit should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels, or classifications:
| CLASSIFICATION | DEFINITION |
|---|---|
Restricted | Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to Kredit. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data. |
Private | Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to Kredit. By default, all Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data. |
Public | Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to Kredit. Examples of Public data include press releases, course information and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data. |
CHANGE SUMMARY
Purpose: Internal Policy
Category: Information Security Policy
Policy Name: Data Governance & Classification Guidelines
| Event | Event Date | Event By | Date Reviewed | Reviewed By | Version |
|---|---|---|---|---|---|
Creation and Implementation | 01/10/2022 | Kenny Lai, CTO | Dave Hanrahan, CEO | 01/10/2022 | 1.0 |
Last updated