Internal Documentation

Data Classification Policy

Purpose

The purpose of this policy is to detail a method for classifying data and to specify how to handle this data once it has been classified.

Scope

The scope of this policy covers all Cadence OneFive confidential data, regardless of location. Also covered by the policy are hardcopies of company data, such as printouts, faxes, notes, etc.

Policy

Data Classification

Data residing on Cadence OneFive systems must be continually evaluated and classified into the following categories:

  • Internal: includes internal Cadence OneFive documents.
  • Public: includes already-released marketing material, commonly known information, etc. There are no unique security requirements for public information.
  • Customer: includes data provided by a customer. Treated as confidential by default.
  • Confidential: includes all forms of consumer identifiable data. Confidential data is not to be shared with anyone who does not have a confidentiality agreement in place.
  • Restricted: To be shared with specific audiences only.

Any potentially sensitive information, such as names, email addresses, and loan numbers, should be formally classified in one of these categories. When in doubt about the category, employees should consult with the Chief Information and Security Officer or the Head of Engineering.

Data Storage, Transmission, & Destruction

The following requirements for storage, transmission, and destruction apply to data based on the classification of the different types of Cadence OneFive data:

General guidelines

  • Storage: Data must be stored where the backup schedule is appropriate to the importance of the data, at the discretion of the user.
  • Transmission: As a general rule, non-public data should not be transmitted unless necessary for business purposes.
  • Destruction: Crosscut shredding is not required as there is no physical office, and all documents are digital. Storage media is not used; storage is exclusively in cloud services.

Confidential / Restricted Data

  • Storage: Critical data is to be encrypted and stored on a server that receives at minimum daily backups. Disk-level redundancy is required on drives containing confidential data. Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use, and it should be securely stored.
  • Transmission: Strong encryption must be used when transmitting confidential data, regardless of whether such transmission takes place inside or outside the company’s network. Confidential data must not be left on voicemail systems, either inside or outside the company’s network, or otherwise recorded.
  • Destruction: Confidential data must be destroyed in a manner that makes recovery of the information impossible. Crosscut shredding is not required as there is no physical office, and all documents are digital. Storage media is not used; storage is exclusively in cloud services.

Visibility

This document is confidential and is a proprietary work product of Cadence OneFive. The information contained herein may not be copied or distributed without the specific written consent of Cadence OneFive.