Skip to Content
GuidelinesData Classification

Data Classification within our digital services

This section defines data categories and provides a matrix of security and privacy controls for the purposes of determining the level of protection to be applied to data throughout its lifecycle in our digital services.

Data definitions

Personal Data As defined by General Data Protection Regulation(GDPR): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Customer Data Refers to the electronic data uploaded or created by Truesec customers and processed in the Truesec application labeled as Private by the customer and subject to legal or contractual obligations.

Data Classification Levels

There is currently no internal requirement to label our data according to this classification, however labels are encouraged. By labeling data according to classification level, individuals can quickly refer to this SDLC section for proper handing. See full description in the document Information Classification Instructions

If there is more than one type of classification over the data identified residing in an application, then set the classification at the highest level overall.

TS Strictly Confidential information

Information that is extremely worthy of protection, e.g. Severe negative impact on the Company, another organization or individual and its assets, which e.g.:

  • May severely decrease or lose trust among a larger group of stakeholders
  • May cause severe financial damage or legal damages
  • May cause prosecution of management and legal sanctions
  • May put the lives and health of individuals at risk. Sensitive personal data may be widely disseminated and cause serious damage to personal privacy

Examples

  • Internal and external incident reports e.g. containing timeline, root cause analysis, lessons learned etc. which might reflect poorly on the customer or be used to raise claims against the customer.
  • Security analysis of customer and internal environments with detailed technical information that can be used by threat actors to gain access to the environment or reflect poorly on the customer (penetration tests, Red Teams, health checks)
  • Information that can be used to gain privileged access to customer and Truesec environments, e.g. encryption keys, passwords and access tokens
  • Continuity plans or disaster recovery plans that might be used by a threat actor to cause harm

TS Confidential information Information that is particularly worthy of protection, e.g. based on external requirements or security reasons.

Examples

  • Special categories of personal data which requires a higher level of protection, e.g.:
    • Personal data revealing racial or ethnic origins
    • Personal data revealing political opinions
    • Personal data revealing religious or philosophical beliefs
    • Personal data revealing trade union membership
    • Genetic data
    • Biometric data processed for the purpose of uniquely identifying a natural person
    • Data concerning health
    • Data concerning a person’s sex life or sexual orientation
  • Information covered by banking or other financial secrecy
  • Sensitive system documentation
  • Annual report material (before publication)
  • The company’s financial commitments
  • Reports from strategic assessments assessing the resilience of a company
  • Information of an identified True Positive of an incident on an internal or customer environment

Note: Any vendor we use who is in possession of any form of Personal Data shall have appropriate contractual terms that address our data protection requirements (e.g. a Data Processing Agreement).

TS Internal information

Information that may be shared with employees based on need.

Examples

  • Open information on Campfire
  • Internal policies or control documents
  • Instructions, processes and routine descriptions
  • Agreements and offers
  • Personal data such as email, addresses, phone numbers

TS Public information

Information intended to be shared with the public.

Examples

  • Advertising
  • Service information
  • Published annual report
  • Blogs

Uncertainty of the classification

If you have trouble mapping your data to a classification, please contact you architect for advice or privacy officer (CISO) of the company group.

Access control level and requirements for classified data access

This is a reference guide on what it takes to be able to access different data classifications (for administration).

Point levelData access level
1TS Public information
2TS Internal information
3TS Confidential information
4TS Strictly Confidential information

Basic access : One point for basic authentication.

Basic access with MFA : One extra point if second factor authentication comes through the proper channel (for our team this is service independent or SSO via AzureAD with federated MFA setup).

Managed Device : One extra point if the authentication comes via a managed device (a device issued to the team member).

Healthy managed device : One extra point ff the managed device is in proper health (passes checks for patches, proper configuration, etc).

Geolocation : On extra point is given for a managed device with proper health from proper geo location.

Last updated on