APPENDIX A
PDF Summary
This document outlines Oakleaf’s Data Classification and Handling Guidelines within its Information Security Program, using a four-level scheme: Restricted, Confidential, Private, and Public. “Restricted” is the most sensitive information, typically governed by legal or contractual requirements (e.g., client loan-file NPI/PII, certain contracts). Unauthorized disclosure could cause significant damage, including regulatory violations, reputational harm, lawsuits, and exposure of individuals’ locations. “Confidential” is internally designated highly sensitive business information (e.g., employee PII/NPI, accounting, payroll, financial data) where loss would cause moderate damage. “Private” is the default classification for information created or received in the course of work; it may be shared only with authorized parties with a business need and is not for public release. “Public” information is approved for broad internal and external sharing and poses no damage risk if disclosed.

General rules include: classify information as Private by default unless it requires stronger protection or is approved Public; when combining data of different classifications, apply the most restrictive level; and do not change data format or media if equivalent controls are not maintained (e.g., exporting Restricted data to an unencrypted spreadsheet is prohibited). Exceptions may be approved by the CEO and CISO.

The document defines NPI/PII as a person’s name plus identifiers such as SSN/TIN, passport, driver’s license, financial account numbers, or ePHI. It specifies detailed handling controls per classification, covering encryption, access controls, mobile and cloud storage restrictions, allowed transmission methods (e.g., SFTP and encrypted email), prohibitions (e.g., IM/FTP for sensitive data; faxing for Restricted/Confidential), printing and copying rules, labeling, physical mail requirements, disposal (shredding/secure bins), and third-party release approvals (including NDA requirements).

An examples table maps common data types (client data, employee data, marketing, infrastructure credentials/keys, legal/strategic financials, operating financials) to the appropriate classification, noting that client engagement data may also have client-specific security requirements.
Keywords
data classification
information security program
Restricted Confidential Private Public
handling guidelines
PII NPI NPI/PII
encryption requirements
access controls
secure transmission SFTP encrypted email
data disposal shredding secure bins
third-party release NDA approvals