9-2 Information Technology Use and Security Policy Manual - Chapter V: Data Classification Policy
Approved by: Board of Supervisors of the County of Sonoma (“County”), and the Boards of Directors of the Northern Sonoma County Air Pollution Control District, the Russian River County Sanitation District, Sonoma Valley County Sanitation District, Occidental County Sanitation District, South Park County Sanitation District, and the Board of Directors of the Sonoma County Agricultural Preservation and Open Space District (collectively referred to hereinafter as “Special Districts”), and the Sonoma County Water Agency (“Agency”), and the Board of Commissioners of the Sonoma County Community Development Commission (“Commission”). The County, Special Districts, Agency and Commission are collectively referred to herein as “Local Agencies” or singularly as “Local Agency.”
What's on this Page
This Policy directs Local Agencies to classify their data to ensure the required security measures are applied.
Local Agencies may not rely on this Policy to make determinations or implement the requirements of the California Public Records Act (Government Code Sections 6250-6265).
A. Data Categories
Data Owners must classify Local Agency data into one of the following categories:
- Confidential – Information protected from use and/or disclosure by law, regulation or standard, and for which the highest level of security measures are required.
- Restricted – Information that requires special precautions to protect from unauthorized use, access, or disclosure.
- Public - Information that is available for general access without review by the Data Owner and/or County Counsel.
B. Data Classification Assignment
- Default classification assignment for data is Restricted.
- Any collection of data containing different classification assignments must be classified as a whole at the level applicable to the data with the highest assignment.
- Classifications assigned to Local Agency data must be reviewed upon changing usage or law, and reclassified if necessary.
- The classification level of replicated data must remain consistent with the original data.
C. Security Requirements
- Each data category has security requirements based on law, regulation, common business practice, liability or reputational factors.
- Security controls must be applied to each data category based upon the identified security requirements, and commensurate with the value of the information and risk of loss.