Skip to content

Information classification policy

To understand its potential exposure from a security risk, issue or incident, Vihanti regularly catalogues and classifies its data and other in-scope assets, in order to apply risk-based controls.

Assets are anything that has value to the organization, including but not limited to, customer data, production data, financial data, intellectual property, and any material non-public information.

Asset cataloging

Vihanti catalogues assets with several pieces of information, to help identify the potential risk of the asset. Information collected is as follows:

  • Description, i.e. what is the asset?
  • Risk, i.e. what is the asset risk classification?
  • Use, i.e. how is this asset used?
  • Location, i.e. where is it stored, used, and backed up?
  • Sharing, i.e. is it shared with any third parties, such as vendors? Which specific third parties?

If new data is catalogued, or data use changes, it should be specifically reviewed to verify that its collection and use is in line with Vihanti’s Privacy Policy.

Asset risk classification

Vihanti classifies assets into three risk categories: Low Risk, Medium Risk, and High Risk. Definitions are as follows:

Risk category Definition
High risk
  • Data: protection is mandated by confidentiality agreements, labor codes, specific laws and regulations (e.g. PCI DSS, HIPAA, GDPR), or data is subject to breach reporting requirements, or disclosure would have a significant adverse impact on Vihanti (e.g., user accounts database).
  • Hardware and software systems: compromise would have a significant adverse impact on Vihanti (e.g. login services).
Medium risk
  • Data: not generally available to the public, and disclosure would have some adverse impact on Vihanti (e.g. internal documentation).
  • Hardware and software systems: compromise would have some adverse impact on Vihanti (e.g. cloud VM running production monitoring system).
Low risk
  • Data: publicly available, or disclosure would have no adverse operational or financial impact on Vihanti (e.g. website source code). May still have some limited reputational impact.
  • Hardware and software systems: compromise would have no adverse impact on Vihanti (e.g. testbed cloud VM with no user data or privileged access).

When multiple classifications may apply, the highest applicable classification is used. For example, if a machine is low-risk by itself, but can be used to access high-risk data, its overall classification is also high-risk.

Schedule

Vihanti should review the data it collects and processes, and update the data register, quarterly.