
Organizations can use this sample policy to define how sensitively classified data should be handled.
Sample procedures include: company classifications must be applied to an information asset as soon as they are created or received; all documents stored or processed in company electronic systems must have the classification attached to them; paper and removable computer media containing company data must be stored in lockable storage when not in use; company data must not be left unattended on desks; and printers, copiers and fax machines must be locked or require authentication outside normal working hours.