Protecting and securing sensitive company information article



Protecting and securing sensitive company information: New data classification standard outlines our responsibilities

March 29, 2013

We’re all aware of the sea of data consuming us each day in our personal and professional lives. Company information continues to grow at an alarming rate, often exists in multiple locations, is easily accessed and quickly distributed.

Some of this data contains sensitive and confidential information that needs to be properly handled and secured. A fast-paced environment and a busy work schedule have the potential to compromise our decisions about how this information is handled.

We each have a responsibility to be more aware of the information that we create, store or use every day. Just as we tend to treat a personal credit card like cash, the company’s information should be similarly treated like a company asset, and protected as such.

We must protect our sensitive and valuable information from unauthorized access, use, disclosure, modification and destruction.

A new data classification standard has been established to help employees make informed decisions about how to deal with certain categories of company information. These categories – Public, Internal, Confidential and Special Controls – all have varying requirements based on the level of data sensitivity.

Under the new standard, you are expected to:

Know what information you have.

Classify it appropriately.

Take the right precautions to protect it.

Most company data loss occurs as a result of careless behavior and a general lack of awareness. What may seem relatively harmless can, in fact, have serious consequences. In general, just being aware and using common-sense judgment minimizes the likelihood of sensitive company data loss or data misuse.

Simple actions can prevent significant losses:

Use strong computer passwords.

Lock your computer screen when away from your desk.

Establish appropriate access administration procedures for sensitive electronic records.

Avoid suspicious email and ‘phishing’ scams.

Get familiar with the company’s Mobile Device Policy.

Password-protect your smartphones and mobile devices.

Promptly report lost USB devices, flash drives, laptops, tablets and/or mobile devices.

Use only secured Wi-Fi internet connections when accessing company networks or data (e.g. hotels, coffee shops, public places); be aware of your surroundings when discussing sensitive information verbally and electronically.

Get familiar with the company’s Social Media Guidelines and use good judgment when using social media (e.g. Facebook, LinkedIn, Twitter, blogs, wikis).

Do not send, save or share sensitive data using ‘non-GMI’ cloud technology internet services, without first consulting with IS Security (e.g. Dropbox, YouSendIt, GoogleDocs, Prezi).

Do not post sensitive information on public websites.

Shred sensitive company information when disposing of it.

Consequences of negligent employee behavior related to company information include damage to our brands, loss of competitive advantage, loss of market share, erosion of shareholder value, unnecessary fines, and, potentially, sanctions or legal action.

Please take note of the data classification matrix and the data classification standard for more information regarding requirements for handling various types of company information.