We’ve got some questions surrounding the development of our information classification policy.
The context is we are a three person company with literally tens of thousands of old documents spanning over a decade. Even the task of sorting through to purge them ( which I actually don’t think we would want to) would probably be in feasible for us.
My specific questions are:
1 - Is there anything that would stop us from simply having two classifications Public and Confidential?
2 - Assuming we adopted a mandatory classification protocol at an individual document level on say December 1. What would be the recommendation as to classification of all pre-existing documents
3 - ...If the response is that every old document must be classified this would be impossible for us. So therefore my next questions are around whether we can classify not at document level, but at a higher level.:
4 - Would it be legitimate to have a classification policy at a document type level?
5 - Or is it legitimate to classify based upon where the electronic document is stored (eg everything in this Microsoft Teams channel is Confidential?
6- Overall any general thoughts / advice you may have for creation of a workable classification policy for such a small company?