ABPT-Data Protection Policy


Information & Technology Department. Data Protection Policy

TABLE OF CONTENTS

Version Control
1. Policy Overview
2. Purpose of Policy
3. Scope
4. Target Audience
5. Data Classification
5.1. Confidential Data
5.2. Official Business Data
5.3. Unrestricted Common Shared Data
5.4. Personal Data Folder
6. Statement of Policy
A. General
B. Data Safeguards
C.
6.1. Network Data Folder
6.1.1. Business Data Folder
6.1.2. Server (Shared) Folders
6.1.3. Departmental (Shared) Folders
6.1.4. Common Folder
7. Best Practice Guidelines
7.1. Network Storage Guidelines
7.2. Eligibility for Frequent Travelers Laptop

1. Policy Overview

This policy covers the protection of data that is owned or acquired by the ABPT and the specific roles and functions of individuals who govern the data. It primarily addresses the integrity, management, transmission, use, availability and security of ABPT data.

2. Purpose

The purpose of this policy and guidelines document is to improve the integrity, management, storage, transmission, usage and security of ABPT business data. It also provides instructions and safeguards for managing data by adopting a Data Protection policy based on assigned data classification and the level of data privacy, confidentiality, unauthorized access and inappropriate use of data.

3. Scope

This policy governs the privacy, security, and integrity of ABPT data, especially confidential data, and the responsibilities of ABPT departments and employees to guard against unauthorized or unlawful processing of business data.

4. Target Audience

This Policy and Guideline applies to all users of ABPT Co. Ltd who use centralized network file storage and shared business data over the ABPT network.

5. Data Classification

All ABPT data are classified into three levels of sensitivity: Confidential, Official Business, and Unrestricted. Once data has been classified, appropriate safeguards are implemented to protect data from theft, loss, and/or unauthorized disclosure, use, access, and/or destruction.

Confidential Data: Confidential data are considered the most sensitive and require the highest level of protection. Confidential data includes data that the ABPT must keep private under the Company's Rules and Regulations, contractual arrangements, or based on its proprietary worth. Confidential data may be disclosed to individuals on a strict need-to-know basis only.

Official Business Data: Official Business data is generally private to the ABPT. Access is limited to the Department, and it is not generally available to any other Department or external users.

Unrestricted Common Shared Data: Unrestricted Data has no legal or other restrictions on access or usage and may be open to the users.

6. Statement of policy

A. General

1. General. All members of the ABPT have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored, or used by the ABPT, irrespective of the medium on which the data reside and regardless of format (such as in electronic, paper, or other physical form).

2. Any electronic data used in an ABPT system must be kept confidential and secure by the user. The fact that the data may be stored electronically does not change the requirement to keep the information confidential and secure.

3. As defined by the Data Access Policy, sensitive data is information that is considered confidential and should be guarded from disclosure; disclosure of the information may contribute to financial fraud or be used for competitor or personal gain.

4. All departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure or loss of the data for which they are responsible.

5. Users must respect ABPT data confidentiality and others' privacy, and are responsible for upholding the confidentiality, integrity and safeguarding of data to which they have access.

6. In receiving access to privileged or sensitive data, authorized users accept responsibility to protect the information accessed and used on their computer.

7. Attempts to gain unauthorized access to private information will be treated as violations of privacy, even if the information is publicly available through authorized means.

8. External Hard Drives/USB Drives: Special access should be required to copy business data to external hard drives, including USB drives. Any information or business data obtained through special privileges is to be treated as confidential.

Note: Access to copy Business Data on External Hard Drives/USB Drives is restricted; however, users can access data from External Hard Drives/USB Drives which required special access permission.

B. Data Safeguards

Departments must classify data into the appropriate category. ABPT Data are assets belonging to the ABPT Co and should be classified according to the risks associated with the data being stored or processed. Confidential Data are considered the most sensitive and require the highest level of protection to prevent unauthorized disclosure or use. Data which are not confidential may be given proportionately less protection.

This policy provides examples of safeguards. However, departments may implement procedures more restrictive than the ones identified in this policy.

1. General Safeguards for All Data

a) Data must be protected in accordance with the security controls specified for the classification level that it is assigned.
b) Destruction of data (electronic or physical) or systems storing data must be done in accordance with the ABPT Disposal Policy.
c) Before systems or media are reused, they should be backed up and erased according to ABPT guidelines to ensure no residual data remains.

2. Safeguards for Confidential Data

a) Must be protected to prevent loss, theft, and/or unauthorized access, disclosure, modification, and/or destruction.
b) When stored in an electronic format, must be protected with strong passwords and stored on servers that have protection and encryption measures.
c) May only be disclosed on a strict need-to-know basis and consistent with applicable ABPT policies.
d) Must not be posted on any website unless secured authentication methods are used.

3. Safeguards for Official Business Data

a) Must be protected to prevent loss, theft, and/or unauthorized access, disclosure, modification, and/or destruction.
b) May only be disclosed to members of the ABPT Department who have a legitimate purpose for accessing such data.
c) Must not be posted on any public website unless secured authentication methods are used.

4. Safeguards for Unrestricted Common Data

Unrestricted common data are available to all users of the ABPT Co. While the requirements for protection of Unrestricted Data are less restrictive than for Official Business Data, protection considerations should be applied to maintain data integrity and prevent unauthorized modification of such data. Safeguards for Unrestricted Data may include:

7. Best Practice Guidelines

A. User Data Guidelines

7.1.1. The Helpdesk can never guarantee data recovery but can make a best effort to do so.

B. Network Storage Guidelines

7.2.1. If individual or departmental needs arise for storage for legitimate business needs, your designated IT Support should be contacted to assist with the request.

Version: 1.0
Issue Date: November 18, 2013
File Name: Laptop