Version: 1.1

Approved By: Richard D’Lonesteen

Created at: 11/11/2023

Data Security Manual

This Data Security Manual outlines the protocols and procedures that should be implemented to ensure data protection and manage data security risks effectively within the organization.

1. Scope and Objectives of Data Security Efforts The primary objective is to safeguard critical data assets by analyzing both internal and external business requirements. Essential areas to address include:

• Regulatory and legal compliance
• Ownership requirements
• Strategic leadership directives
• Internal operational demands
• External business expectations and requirements This step involves classifying data assets as critical and integrating them into the Data Security Management System for ongoing risk evaluations. Documentation for this phase is captured in the "Data Security Requirements and Stakeholder Analysis".

2. Data Classification Each data asset is categorized based on confidentiality, availability, and integrity attributes across four defined protection levels based on the potential impact of a data breach or loss:

• Public
• Internal Use Only
• Confidential
• Restricted The classification framework is captured in the "Data Classification Register".

3. Impact Levels for Data Security To guide the data classification, the following impact levels are used to assess the potential adverse effects on the business or individuals: Low Impact

• Data breaches may cause negligible disruption or damage. Moderate Impact
• Potential disruptions could slightly impair operational capacities or result in minor financial losses. High Impact
• Significant damage to operational capacities, major financial losses, or severe reputational damage. Critical Impact
• Severe and lasting damage where the business might fail to perform essential functions, resulting in extensive financial and reputational ruin.

4. Risk Assessment and Management Regular risk assessments identify and evaluate threats in terms of potential impacts and likelihood of occurrence. Assessments are conducted annually or alongside significant business modifications, utilizing a blended approach:

• Expert consultations utilizing the Delphi method to leverage organizational knowledge.