Information is critical to ACME’s business and its dealings with clients and third parties. ACME’s Partners, staff and authorized contractors (ACME Personnel) are entrusted with this information based upon their need to access it in order to perform their jobs. Not all of the information handled by ACME Personnel needs the same level of protection; much of it is confidential in that it relates to the work we do for our clients, and much smaller volumes of information are either intended for consumption by the public or are regarded as highly sensitive.
This document provides sample guidance on how to implement ACME’s Information
Classification within member firms and is directed at NITSOs and Quality & Risk Management as they develop local implementation procedures..
This document sets out end user guidance for all ACME Personnel in the handling of information they encounter. Member firms may at their own discretion elect to expand the scope of this guidance.
Links to key documents:
All ACME information or information entrusted to ACME by our clients or other parties should be identified and classified by the Information Owner according to its level of confidentiality. For the purposes of information handling in ACME, the information owner is by default (unless explicitly identified) either the creator of information or the authorized recipient of information from outside of ACME.
The Information Classification Policy establishes three discrete levels of information classification. These are named ACME Public, ACME Confidential and ACME Highly Confidential and can be found here.
When ACME Personnel receive information, they must determine the appropriate level of classification required. In most cases this will be the default “ACME Confidential” but in cases where additional assurance is required, it should be classified as “ACME Highly Confidential”. If the determination is not clear, ACME Personnel should treat the information as “ACME Confidential” and consider consulting their manager, local risk management or the Office of General Counsel.
In certain circumstances, the client may determine how their information should be handled and protected during the course of the engagement. Where there is a specific client requirement for additional protection (that exceeds the ACME standard), this will be the overriding priority. In those cases where specific requirements are set out by a client, these should be documented and communicated to all affected ACME Personnel; for example in an ‘information protection plan’ (which may be as simple as a Word document outlining the special handling requirements). In other cases, the minimum level of protection required for certain types of information may be established by local laws or regulations. These specific requirements, be they established by the client or by local laws & regulations must be complied with; explicit acknowledgement of such compliance may be required.
There may also be occasions, where the client (for example Government clients) determines that the information is so sensitive that it should not be handled by ACME other than on client premises. Typically in these circumstances the information should not be processed via the ACME network or using ACME IT assets. Where there is such a specific requirement, this will be the overriding priority and the requirements should be documented and communicated to all affected ACME Personnel. If there is any doubt about this type of requirement, please consult the lead/ engagement partner and with local Risk Management or Office of General Counsel.
When ACME Personnel create materials either relating to a client or to proprietary ACME subject matter, they must determine the appropriate level of classification required. In most cases this will be the default “ACME Confidential” but in cases where additional assurance is required or demanded by a client, it should be classified as “ACME Highly Confidential”. If the determination is not clear, ACME Personnel should treat the information as “ACME Confidential” and consider consulting their manager, local Risk Management or the Office of General Counsel.
This section provides guidance on the handling and labelling of information based upon the ACME Information Classification Policy to ensure that information is accessed only by those with the appropriate authority.
Labelling of information created by ACME Personnel may take a variety of forms, for example:
- Header & footer
An information classification label should be clearly visible on the material whether viewed on screen or in printed form; in addition, the classification should where possible be included in the document properties (metadata) associated with the material. ACME Personnel must follow the local established mechanisms.
■ ACME Public – this must be explicitly labelled as “ACME Public”
■ ACME Confidential – as the default classification for all ACME information, ACME Confidential information should be labelled as such. Where this labelling is absent, this classification applies nonetheless.
■ ACME Highly Confidential – this must be explicitly labelled as “ACME Highly Confidential” wherever a higher level of protection is required.
The requirements for the handling of information are set out in detail in a separate Information Classification Requirements document. A subset of those requirements, pertinent to the end-user, is included here below. Local ITS groups should be consulted regarding the specific technical solutions implemented in member firms.
|Accessing||Permanent Storage||Temporary Storage or Transfer||E-Mailing||End user Back Up||Disposal|
|ACME Public||No restrictions||No restrictions||No restrictions||No restrictions||No restrictions||Delete files when no longer required|
|ACME Confidential||Business need to know||In approved central repository or on encrypted ACME laptop||Approved encrypted ACME removable media (e.g. USB device)||Approved ACME e-mail only. Encryption of attachments recommended e.g. WinZip||Use only ACME approved encrypted external storage device||Secure disposal using approved local processes|
|ACME Highly Confidential||All further controls (beyond those required for Confidential) must be determined case by case by the Information Owner and the information security specialists (see section 4.2 below for examples).|
This section sets out general guidance as to the types of information that will fall into the three different Information Classification levels.
|Description||Examples / Comment|
|ACME Public||This classification applies to information intended for publication, or that is likely to be publicized outside of ACME to the general public. Information classified as ACME Public may be accessed and used by members of the public without restriction. Information must be explicitly classified as ACME Public (not by default) and must go through the appropriate redaction and management approval processes prior to materials being designated for public dissemination.||Much of this information is made available through the ACME external Website www.Acme.com, Other examples include press releases, marketing brochures, published annual reports, business cards, and interviews with news media.|
|Description||Examples / Comment|
|ACME Confidential||This classification applies to information generally available for ACME use only. Information classified as ‘Confidential’ is not intended to be shared outside of ACME (other than with explicit exceptions). Information may be shared with select approved external parties that have a business relationship with ACME, have signed a non-disclosure agreement but only when necessary based on a business need-to-know. This classification applies to information that is considered sensitive or internal to ACME and as a result is subject to limited access. Access to ACME Confidential information should be restricted to discrete groups of users. Such access should be controlled by appropriate authentication and authorization systems. Access to this information may be restricted either by client relationship, position in the firm, by office etc. The primary control over confidential information will be the competent management of user access rights based on the business need-to-know and least privilege principles. By default, information within ACME is assumed to require protection as ACME Confidential. Any ACME information that is not explicitly labeled as to its sensitivity is by default regarded to be ACME Confidential.||The working papers and final product from client engagements, information received by ACME member firms from their clients, and ACME proprietary information are all ACME Confidential. Most human resource and payroll information would be classified as ACME Confidential. Internal information including material distributed in newsletters, directories, internal web pages is also considered ACME Confidential.|
|Description||Examples / Comment|
|ACME Highly Confidential||This classification applies to information that for whatever reason requires controls beyond those provided for ACME Confidential information. The information may be highly sensitive; as a result access is restricted to uniquely identified individuals. These heightened requirements may result from business relationships/client demands or transactions, legal or regulatory requirements or the need for discretion in the conduct of ACME’s internal business. Access to information that is classified as Highly Confidential must be controlled through the rigorous management of individual user access rights. Information must be explicitly classified as Highly Confidential (not by default) by the information owner. It should also be periodically reviewed by the owner to determine if this classification level remains appropriate.||Examples include: engagements for certain government entities and those relating to highly sensitive transactions may fall into this classification; Financial forecasts or results prior to public disclosure, information on mergers, acquisitions or divestitures prior to general or public disclosure; passwords and other forms of security keys. This classification should be used if the information owner determines that the information requires a high level of confidentiality control. A client may require that their data be retained in certain jurisdictions, or be physically isolated from all other data. In such cases, non-standard tailored control measures will be required.|