Updated: August 11, 2023
This Information Classification and Handling Policy (the “Policy”) outlines the principles and guidelines for classifying and handling information within Eagle Eye Power Solutions (EEPS). The purpose of this Policy is to protect EEPS’ sensitive and confidential information from unauthorized access, disclosure, alteration, or destruction. All employees, contractors, and third-party partners who handle or have access to EEPS information must comply with this Policy.
This Policy applies to all forms of information, regardless of format or medium, including but not limited to electronic, physical, oral, and visual information. It covers information created, received, stored, processed, transmitted, or disposed of by EEPS, regardless of whether it is owned by EEPS or entrusted to EEPS by a third party.
Information Classification Levels
EEPS classifies information into the following levels based on its sensitivity, criticality, and potential impact on EEPS’ business:
- Public Information (Level 1): Information that is intended for public dissemination and does not require protection from unauthorized access or disclosure. Public information does not require any special handling or labeling. Examples include:
  - Press releases
  - Marketing materials
  - Public website content
- Internal Use Only (Level 2): Information intended for internal use within EEPS. It should be protected from unauthorized access or disclosure, and access should be limited to authorized personnel. Internal Use Only information requires special handling and clear labeling. This type of information should only be available to, or transferred to, Eagle Eye Power Solutions employees. Examples include:
  - Internal memos
  - Non-sensitive reports
  - Meeting minutes
- Confidential (Level 3): Information requiring a higher level of protection due to its sensitivity. Unauthorized access, disclosure, or alteration of this information could have a significant adverse impact on EEPS. Confidential information requires clear labeling and an approval process before it is transferred in any way, and should always be transferred via secure and encrypted means. Examples include:
  - Trade secrets
  - Financial records
  - Customer data
  - Intellectual property
- Management: Management is responsible for ensuring the implementation, enforcement, and regular review of this Policy. They must promote a culture of information security and provide appropriate resources to support compliance.
- Employees: All employees must be aware of and comply with this Policy. They should understand the classification criteria and handle information in accordance with its assigned level. Employees should report any suspected or actual breaches of this Policy to their immediate supervisor or the designated information security officer.
- Director of Technology (functioning as Information Security Officer): The information security officer is responsible for overseeing the implementation and maintenance of this Policy. They should provide guidance, training, and awareness programs to employees to ensure proper information handling.
Information Handling Procedures
- Classification: Information owners or custodians must classify the information they create or handle in accordance with the classification levels defined in this Policy. They should clearly label or mark the information with the appropriate classification level.
- Access Control: Access to information should be granted on a need-to-know basis. Employees must ensure that information at a higher classification level is not shared with individuals who do not have the appropriate clearance. Access controls, such as passwords and encryption, should be implemented to protect sensitive information.
- Storage and Transmission: Information should be stored and transmitted using secure methods appropriate to its classification level. Encryption and secure communication channels must be used when transmitting confidential information outside the EEPS network. Physical documents should be stored in locked cabinets or secure areas when not in use.
- Disposal: Information and all backups of said information should be disposed of securely when it is no longer required. Paper documents should be shredded, and electronic files should be permanently deleted or securely wiped to prevent unauthorized recovery.
Training and Awareness
EEPS will provide training and awareness programs to ensure that all employees understand their responsibilities and obligations under this Policy. Training should cover information classification, handling procedures, and the importance of protecting sensitive and confidential information.
Any violation of this Policy may result in disciplinary action, up to and including termination of employment or termination of business contracts, as applicable. EEPS may also pursue legal action against individuals who breach this Policy or applicable laws.
This Policy will be reviewed periodically to ensure its effectiveness and compliance with applicable laws and regulations. Updates or amendments to this Policy may be made as deemed necessary.
Policy Distribution and Acknowledgment
A copy of this Policy will be provided to all employees, contractors, and third-party partners who handle or have access to EEPS information. They must acknowledge their understanding of and compliance with this Policy in writing.
By implementing and adhering to this Information Classification and Handling Policy, Eagle Eye Power Solutions aims to safeguard its information assets, maintain the trust of its stakeholders, and mitigate potential risks associated with unauthorized access or disclosure of sensitive information.