Background
Classifying data according to its sensitivity level is a common practice that provides insight into how certain data should be protected across a firm. Adequately protecting data according to its classification level reduces risk and supports the appropriate allocation of resources (e.g., resources are not spent “overprotecting” low-risk data).
Risk Identification
[401 Financial, LLC ] conducts a risk assessment reasonably designed to identify foreseeable internal and external risks to the security, confidentiality, and integrity of data and the systems used by [401 Financial, LLC ] and critical third parties to process that data, where such risks could result in the unauthorized disclosure, misuse, alteration, or destruction of that information or those systems. This risk assessment includes the following:
- Data Inventory – This is completed to detail what data [401 Financial, LLC ] has, where it is kept, how it is protected, and who can access it.
- Data Classification – Data classification is one of the most important steps in data security. Not all data is created equal, and few businesses have the time or resources to provide maximum protection to all of their data. In order to understand what our most sensitive data is, where it is, and how well it is protected, [401 Financial, LLC ] has applied the following data classifications:
  - HIGHLY CONFIDENTIAL – This applies to the most sensitive business information that is intended strictly for use within [401 Financial, LLC ]. Its unauthorized disclosure could seriously and adversely impact [401 Financial, LLC ], business partners, vendors, and clients. This includes, but is not limited to:
    - Personal Information of Clients and employees,
    - Employee payroll files,
    - Social Security Numbers,
    - Account Numbers.
  - SENSITIVE – This classification applies to sensitive business information that is intended for use within [401 Financial, LLC ], and information that would be considered to be private. This includes, but is not limited to:
    - Employee performance evaluations,
    - Internal Audit Reports,
    - Financial Reports,
    - Partnership Agreements,
    - Marketing Plans.
  - INTERNAL USE ONLY – This classification applies to sensitive information that is generally accessible by a wide audience and is intended for use only within [401 Financial, LLC ]. While its unauthorized disclosure to outsiders is against policy and may be harmful, it is not expected to impact [401 Financial, LLC ], employees, business partners, vendors, etc.
- Security Control Analysis – Analyze how [401 Financial, LLC ] protects its systems, identify security weaknesses, and create remediation plans.
Evaluation
[401 Financial, LLC ] evaluates the Data Security Program, on at least an annual basis, based on the following:
- Those matters identified as material risks in the Risk Assessment;
- Relevant changes in technology and business processes, if any;
- Any material changes in or to [401 Financial, LLC ]’s operations or business arrangements, including any material change in technology or technology-based services provided by a Vendor; and
- Any other circumstance that [401 Financial, LLC ] reasonably believes may have a material impact on the Program.
In addition, [401 Financial, LLC ] will not implement a material enhancement to the technology it utilizes (regardless of whether it is maintained by [401 Financial, LLC ] or by a Vendor) to conduct its principal business until and unless [401 Financial, LLC ] determines that the enhancement will not result in unreasonable risk of creating a weakness in the Program.