Security Policies and Procedures

Data Types

The security classification of an information asset is assigned according to the highest of these dimensions. As an example, if an asset is regulated by law, then it needs the highest classification, even if the asset is not critical to Virtru's business. Virtru deals with two main kinds of data:

1. Company-owned data that relates to such areas as corporate financials, employment records, payroll, etc.
2. Personally Identifiable Information (PII) that is the property of our clients or workforce members, such as Protected Health Information, social security numbers, credit card information, contact information, etc.

D. Setting requirements for business continuity

The requirements for an information asset relating to business continuity are not set by classification, but are specific to that asset. They include:

1. Required uptime for the information asset
2. Required restoration time if the data must be restored
3. Required frequency of backups
4. Requirements for storage of backups
5. Requirements for testing of the recovery process

The default requirements for business continuity are listed in the information handling rules section. See Handling rules for the information classifications in this document and Disaster Recovery Plan for detailed information.

This section outlines the basic rules for handling information types according to the classifications. More specific standards for platforms, processes and networks appear in each topic section of this standards document.

E. Enforcement

It is the responsibility of everyone who works at Virtru to protect our data. Even unintentional abuse of classified data will be considered punishable in accordance with the extent and frequency of the abuse.

Rev.2015.8.6