Sample Information Labeling Standard:
Sample Information Labeling Standard
The <Your Company Name> (the "Company") Sample Asset Identification and Classification Policy defines objectives for establishing specific standards on the identification, classification, and labeling of Company information assets.
This Information Labeling Standard builds on the objectives established in the Sample Asset Identification and Classification Policy, and provides specific instructions and requirements for labeling information assets. These instructions address labeling requirements for printed and electronically stored information.
I. Scope
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.
Information assets are defined in the Sample Asset Identification and Classification Policy.
Confidentiality/privacy classifications are defined in the Sample Information Classification Standard.
Exchangeable media refers to diskettes, tapes, removable hard drives, compact disks, etc.
Sensitive information refers to information that has been classified as Restricted, Confidential, or Internal Use Only.
II. Requirements
- A. Printed Information
- All printed sensitive information must be appropriately labeled or marked to indicate its confidentiality classification.
- All printed sensitive information must be appropriately labeled or marked to indicate its confidentiality classification.
- The appropriate labels for cover/title pages and headers or footers are provided in the following table:
- The appropriate labels for cover/title pages and headers or footers are provided in the following table:
Confidentiality Classification Cover/Title Page Label Header or Footer Label (each page) Restricted Confidential Internal Use Only
- B. Electronically Stored Information
- All exchangeable media that stores sensitive information must be appropriately labeled or marked to indicate its confidentiality classification.
- All exchangeable media that stores sensitive information must be appropriately labeled or marked to indicate its confidentiality classification.
- The appropriate external and electronic labels are provided in the following table:
- The appropriate external and electronic labels are provided in the following table:
Confidentiality Classification External Label Electronic Label (if available) Restricted Confidential Internal Use Only
III. Responsibilities
The Chief Information Security Officer (CISO) approves the Information Labeling Standard. The CISO also is responsible for the development, implementation, and maintenance of the Information Labeling Standard.
Legal counsel is responsible for informing company management about data labeling requirements generated by legislation, regulations, or contractual agreements, and ensuring that those requirements are covered by the Information Labeling Standard and associated procedures.
Company management, including senior management and department managers, is accountable for ensuring that the Information Labeling Standard is properly communicated and understood within their respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Information Labeling Standard.
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. Owners are responsible for ensuring the proper labeling of sensitive information, and ensuring the information labeling requirements for electronically stored and printed information are properly communicated and understood by the Custodians and Users.
Asset Custodians (Custodians) are the managers, administrators, and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for understanding the information classifications and labeling requirements; applying the necessary controls, in accordance with the Sample Asset Protection Policy, to maintain and conserve the established information labels; and contacting the Owner when sensitive information is unmarked or labeled improperly.
Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves with the Information Labeling Standard and associated guidelines and procedures; maintaining and conserving the established information classification and labeling; and contacting the Owner when sensitive information is unmarked or labeled improperly.
IV. Enforcement and Exception Handling
Failure to comply with the Information Labeling Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the Information Labeling Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Information Labeling Standard.
V. Review and Revision
The Information Labeling Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Approved: _______________________________________________________
- Signature
- Signature
- <Insert Name>
- <Insert Name>
- Chief Information Security Officer
- Chief Information Security Officer