CPP-Infinit-O_0001_COD_V4



1.0 Objective


To ensure that company and project-related records are accessible, easily retrieved, and disposed of once the retention period is reached. This policy is also intended to help team members determine what information can be disclosed to non-team members and determine the relative sensitivity of information that should not be disclosed outside Infinit Outsourcing, Inc. without proper authorization. 


2.0 Scope


This procedure covers the identification of records, updating of the Master List of Records, and disposal of obsolete records. The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).


3.0 Provisions

3.1 General


3.1.1 The Master List of Records must contain the type of records, location/storage, and retention period.

3.1.2 A Master List of Records for records stored in an offsite location is maintained for easy identification and retrieval from the offsite storage provider.


3.2 Data Classification


  1. Restricted - Restricted data includes data that, if compromised or accessed without authorization, could lead to criminal charges and massive legal fines or cause irreparable damage to the company.

Examples include but are not limited to:

  1. Client Information/Data

  2. Personally Identifiable Information/201 Files

  3. Credit card PAN (Primary Account Numbers), CVV

  4. Trade secrets

  5. Critical infrastructure details



  1. Confidential - Confidential data is generally restricted to smaller teams within an organization. This data, such as pricing information or key marketing strategies, should be kept within the respective team. If data classified as confidential is not kept secure, it could harm the organization, such as through reputational risk.

Examples include but are not limited to:

  1. Contracts, Service Agreements, and Statement of Work

  2. Business Leads

  3. Financial Reports


  1. Private - Private data or information is considered internal only to an organization, such as policies and memos distributed amongst employees. Although this type of data may not pose a severe risk if leaked, it should still be kept somewhat protected as there is some risk if disclosed.


Examples include

  1. Team-Centric Operational Procedures

  2. Intranet

  3. Company Policies and Procedures

  4. ISO processes


  1. Public - Public information is data declared public knowledge by Execom that can be given to anyone without any possible damage to Infinit-O.

Examples include but are not limited to:

  1. Brochures

  2. Posters

  3. Flyers

  4. Company Website


3.3 Labeling


  1. Data must be labeled or accessed only by authorized people to prevent mishandling that may result in information leakage.

  2. Data should have markings or labeling located at a very conspicuous place on or in the information in question.

  3. When applicable, confidential electronic data are encrypted.

  4. When labeling is not feasible, other controls such as the Access Control List and the handling procedures stated in Section 3.4 of this document shall be applied.


3.4 Handling


  1. Public


  1. Data should only be distributed to intended recipients.

  2. Data may be distributed using public or private carriers and approved electronic file transmission methods.


  1. Private


  1. Data should only be distributed to authorized recipients.

  2. Data may be distributed using public or private carriers (please see 3.5) and approved electronic file transmission methods employing strong encryption methods if available and required.

  3. Data should be stored in physically or electronically access-controlled locations or servers.

  4. Access restrictions to data must be in place.



  1. Confidential/Restricted


  1. Data should only be distributed to authorized recipients.

  2. Data may be distributed using public or private carriers (please see 3.5) and approved electronic file transmission methods employing strong encryption methods when applicable.

  3. Data should be stored in physically or electronically access-controlled locations or in servers employing encryption when available.

  4. Access restrictions to data must be in place.

  5. Data masking should be applied when possible if sharing with or viewing by unauthorized parties is inevitable, for data such as credit card numbers or team members' personally identifiable information.



  1. Removable Media


  1. Removable media include but are not limited to tapes, disks, flash drives, removable hard drives, CDs, DVDs, and printed media.

  2. All media should be stored in accordance with manufacturer specifications.

  3. Removable media must not be removed from office premises without proper authorization.



  1. Physical Media in transit


  1. Approved external courier services are used only when an internal courier is not available or is not capable of such transmittal requirements.

  2. Only company-approved courier service providers are authorized to deliver.

  3. Tamper-evident packaging should be used for media containing private, restricted, and confidential information.

  4. Packaging must comply with the manufacturer's specifications.

  5. Media must have password protection and/or encryption in place when available.


  1. Electronic media in transit


  1. Information shall only be transmitted electronically through company-approved/supplied electronic transmittal systems such as electronic mail, instant messaging, VPN and remote desktop connection, and File Transfer Protocol (FTP) over VPN/SSL.

  2. Use of non-company email accounts or file transfer systems for sending work-related data is prohibited. 

  3. Encryption technologies must be implemented, whenever available, when sending private, restricted, and confidential data.

  4. Attachments must be compressed and password-protected when applicable.

  5. Emails should have the appropriate company-approved disclaimer notice.


  1. Information exchange with new parties


  1. A signed Non-Disclosure Agreement must be completed when exchanging private, restricted, and confidential information with new parties.

  2. Sections 3.5 and 3.6 must be enforced.


  1. Retention and Storage


  1. Data retention must conform to the agreed retention period.

  2. Original copies of corporate files are stored in a bank safety deposit box.

  3. Other pertinent corporate financial files/records and some project records are stored in an approved offsite storage provider. 


  1. Disposal


  1. Media containing information, regardless of classification, must be disposed of securely and reliably (i.e., shredding, destruction).

  2. Records that are discarded after the retention schedule shall be permanently destroyed.

 

  1. Verbal Information

    1. Verbal information or verbal data is also covered by the protection of this policy. Hence, when communication involves private, confidential, and restricted information, team members need to ensure the following:

      1. The exchange of information should only happen within a secure location where team members or individuals not privy to the relevant information are unable to hear or listen.

      2.  The secure location should allow minimal to no sound leakage when conveying the aforementioned type of information.

      3.  Since the organization promotes hybrid work setups, team members are required to have a secure location, as described above, when attending meetings.

      4.  Only approved software/applications for meetings will be used during meetings.

      5. Team members must use headsets for online meetings conducted outside the meeting room or the IO offices.

      6. At any point, team members shall not conduct any meetings discussing restricted, confidential, and private data or information in public. 


  1. Protection of Records during Incidents:

    1. General Considerations

      1. Digital evidence is defined as information and data of potential value to an investigation that is stored or transmitted in digital form. Digital evidence differs from traditional evidence in multiple ways:  

        1. It is often highly complex, frequently scattered among different physical or virtual locations, and requires expertise and tools to collect.  

        2. It can easily be altered, accidentally or intentionally, possibly without leaving any trace.  

        3. It can easily be copied and distributed, presenting challenges to preserving confidentiality.  

        4. It can be temporary: network logs, Internet browsing history, social media posts, instant messages, cached data, and deleted data can be lost if not preserved promptly. 

  

  1. As a result, special consideration is necessary to establish authenticity, protect integrity and maintain the confidentiality of digital evidence. These considerations include: 

    1. Ensuring that the collection of digital evidence is properly authorized, documented, and conducted in compliance with organizational policies.

    2. Backing up the digital evidence and only working with copies.  

    3. Ensuring that evidence and all copies are securely stored, transported, and disposed of. 


  1. Identification

    1. At the beginning of an investigation, all possible sources of digital evidence potentially relevant to the investigation should be identified and preserved immediately or within 5 hours of discovery.

    2. In the event of an incident, team members/leaders who have identified the incident should contact IT to take over the issue.


  1. Physical Evidence Protection/Collection

    1. To ensure the reliability of digital evidence, do not modify the evidence. Any action on the evidence should only be undertaken by a person specifically trained to do so and be documented.

    2. Interactions with live (powered-on) devices should be kept to a minimum. Mobile devices should be disconnected from all networks to prevent remote wipes.  

    3. If the device is powered on, it should be turned off as soon as possible. For live data where encryption is enabled, or a passcode is required and cannot be obtained, the device should be kept powered on and a digital forensic expert should be consulted. 

    4. Do not perform a proper shutdown. To prevent data from being overwritten, a device can be powered off by removing the power cord and/or batteries.

 


  1. Examination

    1. Examination of digital evidence should only be performed on work copies.  

    2. Computers, mobile devices, and original external storage media should only be examined by trained digital forensic examiners. 

    3. For data and network security reasons, digital evidence is examined on a dedicated computer isolated from all networks. 


  1. Storage, Transport, and Disposal

    1. Ensure that all evidence is uniquely identified, labeled (if possible), and securely stored for review by authorized personnel.

    2. To maintain confidentiality, access to all digital evidence (including work copies) should be limited to authorized personnel only.  

    3. If evidence is stored on networked servers, or is being transmitted through networks, strict access control and encrypted transmissions should be used. Portable storage devices used to transport evidence should be encrypted.  

    4. Digital evidence should be transported in appropriate packaging and protected from extreme temperatures or damage.

    5. Every computer and storage device used to store or view digital evidence should be properly sanitized before it is transferred to another user or recycled. 



4.0 Responsibility


  1. It is the responsibility of the asset owner and/or team leader to define the classification and sensitivity of the information asset.

  2. The asset owner and/or team head are responsible for identifying the records for filing and safekeeping as well as determining the retention period of each record type.

  3. Protection of the confidentiality, integrity, and availability of the asset information is the responsibility of each team member.


5.0 Frequency – n/a



6.0 Distribution – Refer to respective Master List of Records



7.0 Usage – n/a



8.0 References

QISM-INFINIT-O-0001



9.0 Records

Master Lists of records of each team

Various records of each team 


