Data Classification Policy
Document ID: POL-004
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Approved: March 2026
Next review: March 2027
Frameworks: ISO 27001 (A.5.12, A.5.13) | SOC 2 (CC6.1, CC6.7, C1.1, C1.2)
1. Purpose
This policy defines the classification scheme for all information assets at CTW Data Solutions GmbH and the handling requirements for each level.
2. Classification Levels
| Level | Label | Description | Examples |
|---|---|---|---|
| 🔴 | Top Secret | Highest sensitivity — breach would cause severe harm to individuals or the company | Government ID images, private keys, SSL certificates |
| 🟡 | Confidential | Sensitive business or personal data — breach would cause significant harm | OCR data, API keys, source code, HR data, customer contracts |
| 🔵 | Internal | Non-public operational information — breach would cause minor impact | Infrastructure configs, internal docs, meeting notes |
| ⚪ | Public | Approved for external disclosure | Public API documentation, marketing materials, job postings |
3. Handling Requirements
| Requirement | 🔴 Top Secret | 🟡 Confidential | 🔵 Internal | ⚪ Public |
|---|---|---|---|---|
| Encryption at rest | Required (AES-256) | Required (AES-256) | Recommended | Not required |
| Encryption in transit | Required (TLS 1.3) | Required (TLS 1.2+) | Required (TLS 1.2+) | Recommended |
| Access control | Named individuals only | Role-based (RBAC) | All employees | No restriction |
| Storage location | Azure Key Vault only | Approved systems only | Approved systems | Any |
| Sharing | ISO approval required | Need-to-know basis | Internal only | Unrestricted |
| Printing | Prohibited | Minimise; secure disposal | Permitted | Permitted |
| Labelling | Mandatory | Mandatory | Recommended | Not required |
| Retention | Delete immediately after use | Per retention schedule | Per retention schedule | No limit |
| Disposal | Cryptographic erasure | Secure deletion | Standard deletion | Standard deletion |
4. Classification Responsibilities
| Role | Responsibility |
|---|---|
| Data Owner (asset owner) | Assign initial classification; review annually |
| All Employees | Handle data according to its classification; report misclassifications |
| ISO | Maintain classification scheme; audit compliance |
| DPO | Ensure personal data is classified at minimum Confidential |
5. Labelling
- Documents must include a classification label in the header or footer
- Digital files should include classification in the filename or metadata where practical
- Email containing Confidential or Top Secret data must include the classification as a subject line prefix: [CONFIDENTIAL] or [TOP SECRET]
6. Reclassification
- Data may be reclassified when its sensitivity changes (e.g., public announcement of previously confidential information)
- Reclassification requires approval from the data owner and the ISO
- All reclassification events are recorded in the asset register
7. Review
This policy is reviewed annually by the ISO, or when changes to the business require updates to the classification scheme.
Approved by: CEO / Information Security Officer, CTW Data Solutions GmbH
Date: March 2026