Information Classification Policy

This information classification policy defines the classification levels for information and sets out the rules for how information at each level must be handled.

The policy is applicable to all internal and external personnel.

Principles

Our organization distinguishes the following levels of information classification:

Public

Information of this kind can be freely distributed to anyone.

  • Information on our public website
  • Brochures and leaflets
  • Marketing and recruitment materials

No special measures need to be taken to protect this information.

Internal

Information of this kind is meant to be kept internal, but no harm would be done if it fell into the wrong hands. This information can be shared with all Stakeholders when deemed necessary.

  • Policies and Procedures
  • Assets
  • Statement of Applicability

No special measures need to be taken to protect this information.

Confidential

The loss of confidential information can pose a threat to the organization. Examples include:

  • Personal Data for which Sana is Controller
  • Financial information
  • Audit reports
  • Risk assessments
  • Assurance statements
  • Customer business confidential information

The following measures apply to confidential information:

  • Information can only be shared or distributed with permission from the owner, and only when an NDA is in place.
  • Transmission and storage should be encrypted.
  • The use of Removable Media for the storage of Confidential and Sensitive information is explicitly prohibited, as stated in our Code of Conduct.
  • Destruction must follow the Hardware disposal process.

Sensitive

The loss of sensitive information can pose a threat to the persons involved. Theft or loss should be reported to the authorities.

Sensitive information includes special categories of personal information, such as:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Personal health data
  • Biometric data
  • Sex life or sexual orientation

as well as:

  • Pentest results and (potential) exploits
  • Decryption keys
  • Personal Data for which Sana is Processor
  • Card (Holder) Data (including but not limited to PAN and CVV)

The following measures apply to sensitive information:

  • Information can only be shared or distributed with permission from the owner.
  • Transmission and storage must be encrypted.
  • Access requires two-factor authentication (2FA).
  • Own/maintenance personnel must have no read access.
  • Access to this kind of information must be logged and audited.
  • The use of Removable Media for the storage of Confidential and Sensitive information is explicitly prohibited, as stated in our Code of Conduct.
  • It is explicitly prohibited to store Card (Holder) Data anywhere other than with a Sana-approved, PCI DSS certified Payment Service Provider.
  • Destruction must follow the Hardware disposal process.