Purpose
To ensure that information is classified, protected, retained, and securely disposed of in accordance with its importance to the organization.
Scope
All ecoPortal data, information, and information systems.
Policy
ecoPortal classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Data owners are responsible for identifying any additional requirements for specific data or exceptions to standard handling requirements.
Information systems and applications shall be classified according to the highest classification of data that they store or process.
Data Classification
To help ecoPortal and its employees easily understand requirements associated with different kinds of information, the company has created three classes of data.
Confidential
Highly sensitive data requires the highest levels of protection; access is restricted to specific employees or departments, and these records can only be passed to others with approval from the data owner, or a company executive. Examples include:
Customer Data
Personally identifiable information (PII)
Company financial and banking data
Salary, compensation, and payroll information
Strategic plans
Incident reports
Risk assessment reports
Technical vulnerability reports
Authentication credentials
Secrets and private keys
Source code
Litigation data
Restricted
ecoPortal proprietary information requires thorough protection; access is restricted to employees with a “need-to-know” based on business requirements. This data can only be distributed outside the company with approval. This is a default for all company information unless stated otherwise. Examples include:
Internal policies
Legal documents
Meeting minutes and internal presentations
Contracts
Internal reports
Google messages
Email
Public
Documents intended for public consumption can be freely distributed outside ecoPortal. Examples include:
Marketing materials
Product descriptions
Release notes
External facing policies
Labeling
Confidential data should be labeled “confidential” whenever paper copies are produced for distribution.
Data Handling
Confidential Data Handling
Confidential data is subject to the following protection and handling requirements:
Access to non-preapproved-roles requires documented approval from the data owner
Access is restricted to specific employees, roles, and/or departments
Confidential systems shall not allow unauthenticated or anonymous access
Confidential Customer Data shall not be used or stored in non-production systems/environments
Confidential data shall be encrypted in transit over public networks
Mobile device hard drives containing confidential data, including laptops, shall be encrypted
Mobile devices storing or accessing confidential data shall be protected by a log-on password or passcode and shall be configured to lock the screen after five (5) minutes of non-use
Backups shall be encrypted
Confidential data shall not be stored on personal phones, devices, or removable media including USB drives, CDs, or DVDs
Paper records shall be labeled “confidential” and securely stored and disposed
Hard drives and mobile devices used to store confidential information must be securely wiped prior to disposal or physically destroyed
Transfer of confidential data to people or entities outside the company shall only be done in accordance with a legal contract or arrangement, and the explicit written permission of management or the data owner
Restricted Data Handling
Restricted data is subject to the following protection and handling requirements:
Access is restricted to users with a "need-to-know", based on business requirements
Restricted systems shall not allow unauthenticated or anonymous access
Transfer of restricted data to people or entities outside the company or authorized users shall require management approval and shall only be done in accordance with a legal contract or arrangement, or the permission of the data owner
Paper records shall be securely stored and disposed
Hard drives and mobile devices used to store restricted information must be securely wiped prior to disposal or physically destroyed
Public Data Handling
No special protection or handling controls are required for public data. Public data may be freely distributed.
Data Retention
ecoPortal shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Retention periods shall be documented in the Data Retention Matrix in Appendix A of this policy.
Data & Device Disposal
Data classified as restricted or confidential shall be securely deleted when no longer needed.
ecoPortal shall ensure that all restricted and confidential data is securely deleted from company devices prior to, or at the time of disposal.
Annual Data Review
Management shall review data retention requirements during the annual review of this policy. Data shall be disposed of in accordance with this policy.
Legal Requirements
Under certain circumstances, ecoPortal may become subject to legal proceedings requiring retention of data associated with legal holds, lawsuits, or other matters as stipulated by ecoPortal legal counsel. Such records and information are exempt from any other requirements specified within this Data Management Policy and are to be retained in accordance with requirements identified by the Legal department. All such holds and special retention requirements are subject to annual review with ecoPortal’s legal counsel to evaluate continuing requirements and scope.
Policy Compliance
ecoPortal will measure and verify compliance to this policy through various methods, including but not limited to; business tool reports, both internal and external audits.
Exceptions
Requests for an exception to this policy must be submitted to the CTO for approval.
Appendix A - Data Retention Matrix
System or Application | Data Description | Retention Period |
ecoPortal SaaS Products (AWS) | Customer Data | Up to 60 days after contract termination |
ecoPortal AutoSupport | Customer instance and metadata, debugging data | Indefinite |
ecoPortal Customer Support Tickets (HubSpot) | Support Tickets and Cases | Indefinite |
ecoPortal Security Event Data (GuardDuty, Inspector and CloudWatch) | Security and system event and log data, network data flow logs | AWS Instance - 1 year |
ecoPortal Vulnerability Scan Data (GuardDuty and Inspector) | Vulnerability scan results and detection data | 6 months |
Security Policies | Security Policies | 1 year after archive |
Temporary Files | AWS /tmp ephemeral storage | automatically deleted when process finishes |