Data Classification Policy
1.0 OVERVIEW
NEO acknowledges an obligation to ensure appropriate security for all Information Technology data, equipment, and processes in its domain of ownership and control. This obligation is shared, to varying degrees, by every member of the organization.
2.0 PURPOSE & BACKGROUND
The purpose of the Data Classification policy is to establish a framework for classifying NEO data (electronic and hardcopy) based on its level of sensitivity, value and criticality to the company as required by the NEO Information Security Policy. The classification of data will aid in determining baseline security controls for the protection of data.
2.1 Data Classification Controls
- Access to all systems containing classified, sensitive, or personal data is protected by Multi-Factor Authentication (MFA/2FA). MFA/2FA is mandatory for AWS, email, and any other critical platforms, ensuring only authorized users can access protected information. This control is part of compliance with ISO 27001:2022 and reflects the organization’s security posture.
3.0 SCOPE
All officers, employees, contractors, consultants, external parties or any person doing work on behalf of NEO are subject to this and all Information Technology policies. All areas of electronic data, services, applications, hardware, and software are also subject to this and all Information Technology policies.
4.0 POLICY
4.1 Data Loss Prevention (DLP) Rationale
No Data Loss Prevention (DLP) tools are implemented on endpoints, as no critical or sensitive data is stored locally on company laptops or desktops. All confidential and proprietary data is stored and processed exclusively in AWS cloud infrastructure, which is managed according to industry best practices and ISO 27001:2022 requirements. DLP requirements are addressed through policy and user training, not through technical endpoint solutions.
4.2 Classification Levels
This policy describes the classification levels that are applied to company data. The below table gives definitions and examples for each type of data.
| Classification | Classification Definition |
|---|---|
| Public | Data shall be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to NEO, its employees and clients. Examples of Public data include press releases, housing data, travel costs, or any other data readily available on the Internet. While few or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data when used by NEO in the creation or maintenance of a product or service. |
| Private or Sensitive | Data shall be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to NEO, its employees and clients. Examples of this data include some forms of marketing data and emails which do not contain Confidential data, customer data, or personally identifiable information (PII). A commercially reasonable level of security controls shall be applied to Private data. |
| Confidential | Data shall be classified as Confidential when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to NEO, its employees and clients. Examples of Confidential data include data protected by state and/or federal regulations and data protected by confidentiality agreements or other contractual obligations. Additional examples include NEO contracts with clients or vendors, personally identifiable information (PII), customer data, and bank/routing numbers. The highest level of security controls shall be applied to Confidential data. |
| Proprietary or Regulated | Data shall be classified as Proprietary when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to NEO, its employees and clients. Items such as NEO trade secrets, business logic, custom applications, methodology, pricing, and data sources fall into this category. The highest level of security controls shall be applied to Proprietary data. |
4.3 Protections Required by Classification Level
Each data classification level requires baseline protections that will be implemented to provide adequate protection according to data sensitivity, regulatory requirements and best-practice security principles. The Private, Confidential and Proprietary levels all require that data is kept within the United States if stored in cloud or third-party-hosted environments. The table below describes the baseline protections for each classification level of company data. When multiple classification categories apply, the data shall be protected using the highest applicable level of security. For example, a document containing both Private and Confidential information shall require the baseline protections of a Confidential document.
| Classification | Protections Required |
|---|---|
| Public | – Controls to protect integrity of data – Controls to protect availability of data |
| Private or Sensitive | – Authentication – Data Loss Prevention requirements are addressed through policy controls. No technical DLP is implemented on endpoints, as no critical data is stored locally; all sensitive data is stored and processed in AWS, which provides robust security controls. – Audit tracking of data movement – Encryption where feasible – Alerting of suspicious activity |
| Confidential | – Two-factor authentication where feasible – Role-based authorization – Data Loss Prevention Controls – Audit tracking of data movement – Encryption where feasible – Alerting of suspicious activity – All Confidential data located in a 3rd party cloud environment must have the same or greater security controls as it would have if it were located within the internal NEO environment |
| Proprietary or Regulated | – Two-factor authentication where feasible – Role-based authorization – Data Loss Prevention requirements are addressed in policies. No DLP tools are deployed on endpoints, as critical data is not stored locally and all proprietary or regulated data is securely managed in AWS. – Audit tracking of data movement – Encryption – Alerting of suspicious activity – Video/Audio – Other regulatory/industry controls implemented where applicable – All Proprietary or Regulated data located in a 3rd party cloud environment must have the same or greater security controls as it would have if it were located within the internal NEO environment |
5.0 ROLES & RESPONSIBILITIES
Any employee, contractor, consultant, external party or any person doing work on behalf of NEO found to have violated any policy, standard or procedure may be subject to disciplinary action, up to and including termination of employment or contract. Violators of local, state, Federal, and/or international law may be reported to the appropriate law enforcement agency for civil and/or criminal prosecution.
6.0 COMPLIANCE
For security measures to be effective, periodic reviews (Internal Audits) shall be performed to ensure compliance with the established guidelines, policies, and procedures. The Internal Audits will be initiated by the Information Security team and supported by the executive management team with cooperation from all employees, consultants, contractors or anyone doing work on behalf of NEO. Information Security will publish a report to the executive management team that includes any deficiencies found during the audit. The report will include a plan of corrective actions to address the discrepancies and deficiencies discovered by the security review and audit. The frequency of these internal audits depends on the security domain and will be identified in the supporting subject-matter policies.