The purpose of the Data Classification Policy (the “Policy”) is to ascertain information and data of Voyages Encore Travel Inc.’s (“Encore”) systems are maintained in a secure, accurate, and reliable manner and be readily available for authorized use. It is to help classify, protect, and manage the data of Encore’s information assets.
Another purpose of this policy is to assist employees with the determination of what information can be disclosed externally, given proper authorization.
This policy applies to the owners, custodians and all Encore employees (also referred to as “users”) of such information assets. All of Encore’s information and all information entrusted to Encore from third parties will pertain to this policy including (but not limited to):
Information (electronic and non-electronic).
Associated IT infrastructures such as software, networks, desktops, laptops, and servers.
Intangible and physical assets shall inherit the classifications based on the information they process, store, and/or transmit. Handling of information assets will align to the classification category, Inventory Asset Listing, and Acceptable Use Policy.
All Encore employees and third parties who handle Encore information on behalf of Encore. All Information Users shall:
Read, Understand, and Comply with this policy.
Notify the Service Desk (servicedesk.encore.ca) immediately if secret, confidential or internal information is (or is suspected of being) lost or disclosed to unauthorized parties.
Any questions related to this policy can be directed to the Service Desk.
The designated owner of Encore information assets (information assets, physical IT assets and IT services). All Information Owners shall:
Classify and protect the information as per Section 4.0 of this Policy.
Comply with and action the annual review of information classification.
Approve and enforce compliance with this policy.
Manage and review this policy at least annually.
Conduct annual review of information classification.
Collect evidence as required.
Answer all questions or comments related to this policy.
Classification is defined as determining the level of impact and value of information.
All information held by Encore must be classified and protected based on its classification.
Information Owners are responsible for the classification of information on behalf of Encore.
Information classification of assets should be documented and reviewed annually within an Inventory Asset Listing.
Any information which is not explicitly classified will be classified as “Confidential” by default and where applicable, implement controls to prevent data leakages.
Information classification consists of 4 levels, as described in Table 1.
Level | Description | Examples |
|---|---|---|
Secret | Information whose disclosure without prior authorization is likely to cause a significant amount of harm to Encore. The effects of the disclosure of this information are critical, particularly regarding business operations, significant financial losses, or of serious impacts to the reputation of Encore. Accordingly, the number of people that can access this information must be very small and the rules for managing the access to this information must be very strict. |
|
Confidential | Information whose disclosure without prior authorization is likely to cause a significant amount of harm to Encore, its clients, or its vendors. The effects of the disclosure of this information are severe, it could affect Encore operations, cause moderate financial loss, provide information to competitors, or cause a violation of confidentiality with respect to a client’s information (e.g. security risk, prosecution risk, financial loss, fraud risk, etc.). In some circumstances, confidential information may have to be disclosed externally to statutory auditors, external consultants, regulatory and/or legislative bodies, etc. The asset owner shall use their discretion to make the confidential information available after the external party has signed a Non-Disclosure Agreement (“NDA”). Even after such disclosure, the classification still remains ‘confidential’. |
|
Internal | Information whose disclosure without prior authorization is likely to cause a moderate level of harm to Encore, but without impact on its activities (no critical consequences). This information is made available to Encore employees as a part of their work, internal access to this information, however, is selective. |
|
Public | Information whose public disclosure has been authorized by its owner and is not likely to cause any harm to Encore (no impact on its reputation or financial impact). |
|
The Information Security Office will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits. All those found in policy violation may be subject to disciplinary action, up to and including termination.
“Confidential Information” – means information that is not publicly available, may or may not have commercial value, is communicated in confidence, and is reasonably protected.
“Employee” – means all salaried and hourly paid Employees including the Steering Committee, Contractors, Consultants, Temporaries, Interns, Agents and other workers at Voyages Encore Travel Inc., including all personnel affiliated with third parties. Can be referred to by the pronoun ‘their’, ‘they’ or ‘them’.
"Encore" – for the purpose of this policy, refers to Voyages Encore Travel Inc. and Encore Travel Americas.
“Information Owners” – for the purpose of this policy, refers to the designated owner of Encore information assets (information assets, physical IT assets and IT services).
“Information Users” – for the purpose of this policy, refers to all Encore employees and third parties who handle Encore information on behalf of Encore.
“Internal Information” – means information that comes directly from Encore’s systems.
“Public Information” – means information that is publicly available.
“Steering Committee” – means the Chief Executive Officer; Chief Technology Officer; Head of Strategy, Growth & Corporate Development; Head of Product; Head of Commercial Strategy; and Head of Travel Technology & Operations.
“Their”, “They” or “Them” – means the person or entity previously referred to.