Classification and Protection of Data Policy

Cummins Inc.
Corporate Offices Building
BOX 3005 500 JACKSON ST. COLUMBUS, IN 47201
THIS DOCUMENT CONTAINS CONFIDENTIAL INFORMATION. Its use is restricted to
employees with a need to know and third parties with a need to know and who have signed a nondisclosure agreement.
Doc number: CORP-00-24-00-00

1.0 PURPOSE
The purpose of this policy is to provide details on the significance of data security and the
value of information, and to define employee obligations in identifying, classifying, and
safeguarding information in order to protect the privacy, confidentiality, integrity and
availability of Cummins information assets.
2.0 SCOPE
2.1 This policy applies to Cummins organizations world-wide, including Cummins Business
Units, subsidiaries, wholly owned Distributors and joint ventures in which Cummins has
a controlling interest or the management responsibility, and to their personnel, business
partners, agents, customers, consultants, suppliers and vendors.
2.2 The words “shall” and “must” in this document indicate mandatory requirements. The
word “should” indicates a preferred approach. Organizations choosing other approaches
must be able to show that their approaches meet the intent of TQS.
3.0 POLICY STATEMENT
All Cummins information is a critical resource and shall be classified and protected
according to its sensitivity, criticality and value, regardless of the manner of creation,
access, storage or distribution. Access to Restricted Confidential and Confidential
information is granted solely on the basis of a need-to-know business purpose.
Employee and management responsibilities are detailed in the process document
(CORP-25-01-01-02).
This document is the property of Cummins, Inc. and may not be duplicated, copied, altered or removed from the facility
without prior approval of the Documentation Department.
Cummins information classified as Restricted Confidential, Confidential, and Internal Use Only
must be clearly labeled so that its classification is readily apparent. Items such as
diskettes, CD devices, and printed material must be externally labeled. All pages in a
document must be sufficiently labeled. Information classification must be communicated
regardless of the technology in use.
4.0 TERMS
4.1 Cummins Information Assets
Information Assets are defined pieces of information that are valuable to the Company
and have recognizable risk, content and lifecycle. This information is created by or for
Cummins and is used in the execution of Cummins business. Examples of Cummins
information assets include, but are not limited to:

- Product Designs
- Company Trade Secrets
- Process Information
- Software applications which create or house information (internal or external to
  Cummins) and physical media (print outs, CD-ROMs, thumb drives, PDAs,
  laptops, etc.)

4.2 Information Asset Owner
The Information Asset Owner is the primary department or user responsible for creating and
storing the piece of information. Being the Information Asset Owner also implies that the user is
responsible for the information asset, while the Company retains actual legal ownership.
4.3 ITAR
International Traffic in Arms Regulations (ITAR) is a set of United States government
regulations that control the export and import of defense-related articles and services on
the United States Munitions List.
4.4 Need-to-Know Function
Information shall be disclosed only to people who have both appropriate classification
level access and a legitimate business need for the information.
4.5 PCI Payment Card Data
Cummins Customer Credit Card Information including: Primary Account Number
(PAN), cardholder name, expiration date, and service code. PCI Payment Card Data is
considered Restricted Confidential.
4.6 PCI Sensitive Authentication Data
Cummins customer sensitive credit card authentication data, including full magnetic stripe
data/chip data, CAV2/CVC2/CVV2/CID, and PINs/PIN Blocks. PCI Sensitive
Authentication Data may not be stored under any circumstances.
4.7 Special Circumstances
All Information Assets which relate to International Traffic in Arms Regulations (ITAR)
and Export Administration Regulations (EAR) information must adhere to this document
and to CORP-19-01-00-00 Export Compliance Manual.
5.0 CLASSIFYING COMPANY INFORMATION
Data classification is the classification of information based on its level of sensitivity and
the impact to our Company should the information be disclosed, altered or destroyed
without authorization. Determining whether a document is classified as Restricted
Confidential, Confidential, Internal Use Only or Public is critical to protecting employee
privacy and the Company’s reputation and competitive advantage. These classifications
must be implemented and adhered to by all Cummins and non-Cummins entities.
5.1 Restricted Confidential
Restricted Confidential information, if disclosed, poses a high risk and could violate the
privacy of individuals or customers, reduce the Company’s competitive advantage, or
cause significant damage to Cummins’s reputation. This category of information is highly
sensitive in nature and is released only on a need-to-know basis and with permission of
the data owner or Program Lead. This information is not generally known or readily
accessible, has independent economic value due to its secrecy, and therefore requires
reasonable measures to protect its secrecy. Restricted Confidential information requires
the information asset owner to mark it as “Restricted Confidential”, and recipients must use
good business judgment to protect it from disclosure to individuals who do not have the
approved need-to-know access. Examples of Restricted Confidential information
include, but are not limited to:

- Government Identifiers such as: Social Security Number, Driver’s License
  Number, Credit Card Information
- ITAR Information
- Financial results prior to announcement
- Strategic Business plans and patents
- RND Package
Restricted Confidential information could, if released to unauthorized individuals, result
in criminal or civil litigation. Protection controls as outlined by Cummins policies and
processes as well as governing laws and regulations must be adhered to at all times.
5.2 Confidential
Confidential information, if disclosed, poses a moderate to high risk to the Company’s
competitive advantage and reputation. This category of information is moderately
sensitive and is owned or licensed by Cummins. Confidential information is protected
from both internal and external disclosure. Access to this information is granted solely on
the basis of a need-to-know business purpose. Confidential information requires the information asset
owner to mark it as “Confidential”, and recipients must use good business judgment to
protect it from disclosure to internal and external parties. Examples of Confidential
information include, but are not limited to:

- Salary / Payroll information
- Cummins pricing
- Supplier pricing
- Manufacturing related costs
- Test data for Products
- Practices & Standards
- Product Design
Confidential information has potential to create a loss of competitive advantage,
moderate financial loss, and reputational damage. Protection controls as outlined by
Cummins policies and processes as well as governing laws and regulations must be
adhered to at all times.
5.3 Internal Use Only
Internal Use Only information, if disclosed, would not cause a loss of competitive
advantage, damage the Company’s reputation, violate the law, or breach a contract.
This information is intended for business use only by employees, and by authorized non-Cummins
entities on a need-to-know basis. Internal information requires the
information asset owner to mark it as “Internal Use Only”, and recipients must use good
business judgment to protect it from disclosure to employees who do not need the
information or to outsiders. Examples of Internal Use Only information include, but are
not limited to:

- Internal Web Sites
- Internal phone lists
- Internal Training & Procedures
- Application Engineering Bulletins
Internal Use Only information does not pose a loss of competitive advantage, financial
loss, or reputational damage; however, information asset owners are still required to
adhere to the protection controls outlined by Cummins policies and processes as well as
governing laws and regulations.
5.4 Public
Public information is non-sensitive information available for public disclosure. This
information may or must be open to the general public. It is defined as information with
no existing local, national, or international legal restrictions on access or usage. Public
information, while subject to Cummins disclosure rules, is available to all Cummins and
non-Cummins entities external to the Company. Examples include product and service
brochures, advertisements, job opening announcements, and press releases. This type of
information does not require special handling, marking or storage; however, only
authorized associates should make public information known to the general public (i.e.
public relations). Examples of Public information include, but are not limited to:

- Press Releases
- External Web Sites
- Journal Trade Publications

6.0 AWARENESS AND SEEKING HELP
If you become aware of a situation that is not consistent with this policy, or the
Company’s Code of Business Conduct, you are required to seek immediate assistance.
For questions and concerns relating to Data Classification issues, or to report possible
violations of Company security policies, you can seek assistance by contacting:

- Your Manager
- Human Resource Representative
- IT Security (InfoSecAware@cummins.com)
- Information Asset Protection Group
  (http://mycummins.cummins.com/safe.sure.secure)
7.0 APPENDICES
The table below offers additional guidance on data classification. The examples below
are not all-inclusive; they are given simply to offer additional examples of the
classification process. Please reference the Information Handling Procedure for more
detail (CORP-25-01-01-02).
Public:
- Advertising information
- Company Brochures
- Securities and Exchange Commission (SEC) Filings
- Published Corporate Information: Annual Report, Quarterly Financial Results/Dividends Declaration

Internal Use Only:
- Internal communications
- Internal phone/Email lists
- Intranet sites

Confidential:
- Product Analysis
- Cummins' pricing
- Vendor pricing
- Manufacturing related costs
- IT system/security configurations
- Restricted databases
- Salary/Payroll Information

Restricted:
- Intellectual Property: Strategic Business Plans, Marketing plans, Engine Designs,
  Advanced Product Plans (APP), Product Preceding Technology (PPT), Patent Applications,
  Trade Secrets
- Finance: Detailed financial results prior to announcement
- PII/PCI Data: SSN, Driver's license #, Passport #, Home Addresses, personal telephone
  numbers, DOB, Personal Email Address, Digital Signatures, Names of Children
- Personal System Access Info: Answers to security challenge questions, Password Information
- Personal Insurance Info: Insurance provider #, Insurance policy #, Insurance policy details,
  Insurance policy claim #
- Personal Financial Info: Banking Institution name, Banking account # and/or routing #,
  Credit/Debit card #, Credit/Debit card PIN, Credit/Debit card security code (CVV2, CVC2, CID),
  Credit/Debit card expiration date, Credit/Debit card magnetic stripe
- Sensitive Personal Data: Race, Religious belief, other belief, sexual life, physical health,
  criminal proceedings or criminal, ethnic origin

8.0 ASSOCIATED DOCUMENTS
Record Retention (CORP-07-11-00-00)
Information Handling Procedure (CORP-25-01-01-02)
Remote Access – Modern Usage (CORP-10-01-05-01)
Cummins Information Security Policy (CORP-10-01-00-00)
9.0 DOCUMENT REVISION HISTORY

Version | Description of Revision
1       | Revised Draft to include new Data Classification Level and Policy Development