Data Classification Policy
Purpose
This policy defines the classification of information managed by the Skpr hosting platform, ensuring data is appropriately protected according to its sensitivity and impact level. It aligns with Australian government classification standards for agencies and regulated industries.
Scope
This policy applies to:
- All digital assets across AWS environments
- Infrastructure as Code (e.g. Terraform state files and modules)
- Internal documentation
- Client data
Classification Levels
The Skpr hosting platform
| Level | Description | Typical Impact | Examples |
|---|---|---|---|
| OFFICIAL | Non-sensitive information with low or negligible confidentiality impact | Minor business or reputational impact if disclosed | General website content, public knowledge base articles |
| OFFICIAL: Sensitive | Medium confidentiality impact. Requires controlled access | Limited operational disruption, reputational damage | Internal system designs, infrastructure docs, non-prod credentials |
| PROTECTED | High confidentiality impact. Must comply with ACSC ISM | Significant harm to individuals, clients, or operations | Customer data, Terraform secrets, production configurations |
Controls by Classification
| Classification | Storage | Access Control | Transmission | Destruction |
|---|---|---|---|---|
| OFFICIAL | Standard AWS services | Role-based IAM | TLS-encrypted channels | Normal deletion policies |
| OFFICIAL: Sensitive | Encrypted (AES-256), IAM, audit logging | MFA, access logging, mandatory tagging | TLS 1.2+ with endpoint validation | S3 Object Lock |
| PROTECTED | Encrypted storage (AWS KMS), logging | Fine-grained IAM, audit trails | Encrypted + monitored transmission | ISM-compliant sanitisation or key revocation |
Roles & Responsibilities
- Skpr platform team - Oversees implementation and compliance with this policy.
- PreviousNext Operations Lead - Responsible for the enforcement and auditing of this policy.
Review & Updates
This policy will be reviewed annually or upon significant changes to infrastructure or regulatory requirements.