Data Governance & Policies

1. Data Classification

Not all data is equal. We classify data into 3 tiers.

Tier 1: Public

  • Definition: Data meant for external consumption.
  • Examples: Blog posts, Marketing site, Published prices.
  • Protection: None.

Tier 2: Internal

  • Definition: Standard business operations. Harmful if leaked, but not catastrophic.
  • Examples: Slack chats, internal SOPs, Project plans, Meeting notes.
  • Protection: M365 login required.

Tier 3: Restricted (Confidential)

  • Definition: Sensitive personal or financial data. Leakage causes legal/financial ruin.
  • Examples: Employee SSNs, Bank details, Passwords, Client Contracts.
  • Protection: MFA enforced. Access restricted to a specific group. No external sharing.

2. Retention Policy

  • Email: Archived for 7 years (Legal requirement).
  • Slack/Teams: Messages deleted after 2 years (to reduce liability).
  • Financial Records: Kept for 7 years (Tax requirement).
  • Client Data: Deleted 3 years after contract end (unless requested sooner).

3. Backup & Recovery

  • M365 Data: We use a third-party backup (e.g., SkyKick/Datto) because Microsoft does not back up data (they only ensure uptime).
  • Frequency: Four snapshots daily.
  • Retention: Indefinite.

4. External Sharing Policy

  • Default: "Anyone with the link" is DISABLED.
  • Allowed: "Specific People" (Client email must be entered).
  • Expiration: External links expire after 30 days.

5. Incident Response (Data Breach)

If a breach is suspected:

  1. Contain: Change passwords. Disconnect devices.
  2. Assess: What was stolen? (Tier 2 or Tier 3?)
  3. Notify: Inform the System 06 Owner.
  4. Legal: Consult counsel if Tier 3 data is involved.

Related Documents: