A data classification policy is in place to define data classes. The policy is available in the Employee Handbook to all internal and external system users and is reviewed and approved by management annually. Treatment of confidential data is determined by classification level.
This control demonstrates that a data classification policy is currently in place, available, and reviewed annually. It provides classification coverage and handling requirements for various data levels.
This control applies to all data managed by IllumiDesk and IllumiDesk employees.
Control Owner: IT Ops
Process owner(s):
IT Ops: 100%
The policy outlines proper handling and storage requirements for Red, Orange, Yellow and Green data.
Non-public information relating to this security control, as well as links to the work associated with various phases of project work, can be found in this control issue.
Examples of evidence an auditor might request to satisfy this control:
Screenshot or link to the data classification policy
Screenshot of version history and issue noting approval by management
Data Classification Policy
SOC2
CC3.2
CC6.5