A Guide to Employee Data Security

Why Data Classification Matters to You

Data classification isn't just for IT—it's everyone's responsibility. By properly classifying and handling data, you help protect our organization from potential breaches and ensure compliance with legal and regulatory requirements. Understanding the value and sensitivity of the data you work with is key to maintaining a secure environment.

Understanding Data Classification Levels

  • Public: Information that can be shared freely with the public. Examples include marketing materials and press releases.
  • Internal: Information meant for internal use only. Examples include internal memos and company policies.
  • Confidential: Sensitive information that should only be shared with specific, authorized personnel. Examples include employee records and internal financial reports.
  • Restricted: Highly sensitive information requiring maximum protection. Examples include customer data, intellectual property, and legal documents.

Handling Classified Data Safely

  • Access Control: Only access data you are authorized to handle. Do not share classified data with unauthorized personnel.
  • Storage: Store classified data in secure, approved locations. Avoid storing sensitive data on personal devices or unsecured cloud services.
  • Sharing Data: When sharing classified data, ensure you use secure methods. Do not use personal email accounts, unencrypted USB drives, or unsecured file-sharing services.

Unsafe Ways to Transmit Sensitive Data

  • Unencrypted Emails: Sending sensitive data through unencrypted emails exposes it to interception and unauthorized access.
  • Personal Cloud Services: Using personal cloud storage (like Google Drive or Dropbox) that is not approved by IT can lead to data leaks.
  • Public Wi-Fi: Transmitting sensitive data over unsecured public Wi-Fi networks increases the risk of interception by malicious actors.
  • Unencrypted USB Drives: Transferring data via unencrypted USB drives can lead to data breaches if the drive is lost or stolen.

Safe Ways to Transmit Sensitive Data

  • Encrypted Emails: Always encrypt emails that contain sensitive information. Use the organization’s approved email encryption tools.
  • Secure File Sharing Services: Use IT-approved secure file-sharing platforms that offer encryption and access control.
  • Virtual Private Network (VPN): When working remotely, use a VPN to encrypt your internet connection and protect sensitive data.
  • Encrypted Storage Devices: If you must use a USB drive, ensure it is encrypted to protect the data in case of loss or theft.

Encryption and Security Methods

When sending sensitive information via email, it’s crucial to ensure that your communication is secure. Below are methods to send sensitive data safely using email encryption and other techniques:

Encrypt Email Messages

Email encryption scrambles the contents of an email, ensuring that only authorized recipients can read it. Here are the steps to encrypt email messages in Microsoft Outlook:

  1. Compose a new email.
  2. Go to the Options tab.
  3. Click the lock icon and select Encrypt.
  4. Complete your message and send it. The email is now encrypted.

Password-Protect Email Attachments

If you're sending sensitive files via email, consider password-protecting the attachments. For example, you can password-protect a PDF created in Microsoft Office by following these steps:

  1. Create your document in Word or any other application.
  2. Go to File → Save As and choose PDF.
  3. Click Options and select Encrypt the document with a password.
  4. Enter and confirm the password.

Ensure that the password is shared securely, perhaps via a phone call or a separate communication method, to avoid exposing the file's contents.

Use a Client Portal

A safer alternative to email is to use a secure client portal. A client portal is an encrypted online platform that requires authentication to access sensitive information. It provides a secure space for sharing and managing files, eliminating many of the risks associated with email transmissions.

Client portals also maintain logs of activity, enabling you to track who accessed the information and when. This ensures greater transparency and compliance with data protection regulations.

Skip Email Altogether

If possible, avoid using email to share sensitive information. As email is often a target for phishing and hacking, opting for other secure platforms can reduce risks significantly. Some of these include:

  • Secure file transfer services with encryption
  • Client portals with multi-factor authentication
  • Document management systems that offer encrypted storage

Your Role in Data Security

As an employee, you play a vital role in protecting our organization's data. By following these guidelines, you help ensure that sensitive information is handled securely and responsibly.

  • Report Incidents: If you suspect a data breach or have received suspicious communication, report it immediately to infosec@passivelogic.com.
  • Stay Informed: Keep up-to-date with our data protection policies and best practices.
  • Ask for Help: If you're unsure about how to handle or classify certain data, don't hesitate to reach out to our IT team for guidance.
