Näktergal Docs

Information Security Standard

Privacy by Design

Privacy and data protection are important to us, and we are entrusted with huge amounts of personal data. We will go above and beyond to design processes that treat personal data with the utmost care.

Classification of Data

Not all data merits the same levels of caution. We classify data according to three different aspects: confidentiality, integrity, and availability.

Confidentiality – characteristic of the information by which it is available only to authorized persons or systems.

Integrity – characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.

Availability – characteristic of the information by which it can be accessed by authorized persons when it is needed.

Furthermore, we grade severity: how bad would it be if the confidentiality, integrity, or availability were not upheld? 1 means not sensitive, 2 means severe, and 3 means critical.

Labelling

All files should be labelled with this classification, as in the ’Information Class C1I2A1’ that you see in the header of this document. If a file cannot be labelled, such as a write-protected PDF from a customer, put it in a folder whose name is suffixed with the information class label, as in ’Agreements C2I1A1’.

Code is a special case – we do not label each code file but consider code to be C2I2A2, except for code that is made publicly available by necessity (typically view-layer code such as HTML and JavaScript), which we consider C1I2A2.

Finally, documents that are C1I1A1 can be unlabelled, so there is no need to mark all marketing material, emails, or other C1I1A1 documents.

Requirements

A severity of 1 implies no special requirements.

C2 or C3 – must be stored digitally or in a locked vault. Must be transferred in a secure fashion. For digital files this means using encryption (easily accomplished through a Dropbox link or Slack) and never using insecure channels (mail, e-mail, mobile devices).

I2 or I3 – requires version control and backup. For our code, this is handled through TFS or Git. For other documents, backup is most easily handled through Dropbox, which handles backup automatically. Version control is done through labelling – whenever you make any meaningful change (i.e. not correcting spelling errors, changing layout, etc.), update the version number in the page header.

A2 or A3 – requires redundancy (to avoid it being unavailable when you need it) as well as quick access.

As you can see, a combination of these such as C3I3A3 puts a lot of requirements in place and some of these can be in conflict – an A3 cannot be stored in a locked vault, so highly confidential data that also requires high accessibility typically needs some kind of specialised system to be compliant.

Data breach

Any data breach must be reported according to our Incident Management policy. A data breach is any incident that could potentially leak sensitive information (C2 or C3) to non-authorized people – it could be exposing a database publicly, sending an email to the wrong recipient or misplacing a phone.