Information Classification Policy
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |
| Field | Details |
|---|---|
| Document Type | Policy |
| Document # | SP-ICP-016 |
| Owner | Chief Technical Officer; Head of Compliance; Chief Financial Officer |
| Classification | Confidential (Class 2 — Private Data) |
| Version | V1.2 |
| Issue Date | 04/09/2025 |
| Review Cycle | Annual |
| Authorised By | Yassir Pasha |
Document Information
| Field | Details |
|---|---|
| Document # | SP-ICP-016 |
| Document Title | Information Classification Policy |
| Version | V1.2 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Date Created | 23/03/2021 |
| Issue Date | 04/09/2025 |
| Document Owner | Chief Technical Officer, Head of Compliance, Chief Financial Officer |
| Author(s) | Simpaisa |
| Purpose | To define a standardised approach for classifying and protecting information based on its sensitivity, value, and risk to the organisation |
| Authorised By | Yassir Pasha |
Reviewed By Steering Committee
| Name | Role |
|---|---|
| Yassir Pasha | Chief Executive Officer |
| Kamil Shaikh | Chief Operating Officer |
| Osama Hashmi | Chief Financial Officer |
| Bachir Njeim | Chief Strategy and Operations Officer |
| Saqlain Raza | Acting Chief Technology Officer |
| Rizwan Zafar | Chief Product Officer |
| Ahsan Hussain | Payment Channel Partnerships |
| Danish Abdul Hameed | Chief Information Security Officer |
| Shahroze Khan | Head of International Merchant Sales and Strategic Alliances |
| Noor Ali | Country Head Pakistan |
| Shoukat Bizinjo | Global Head of Regulatory Affairs · Regulatory |
Change Control
| Version | Date of Issue | Author(s) | Brief Description of Changes | Approved By |
|---|---|---|---|---|
| V1.0 | 08/04/2021 | Rizwan Zafar | Initial release | Salim Karim |
| V1.1 | 07/02/2022 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 02/02/2023 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 27/09/2024 | Syed Zubair Ahmed | Annual review | Yassir Pasha |
| V1.2 | 04/09/2025 | Simpaisa | Annual Review | Yassir Pasha |
1 Introduction
Information asset classification is required to determine the relative sensitivity and criticality of information assets, which provides the basis for protection efforts and access control. This document provides guidelines for the classification of information as well as its labelling, handling, retention and disposition.
This policy applies to any form of data, including paper documents and digital data stored on any type of media. It applies to all of the organisation's employees, as well as to third-party agents authorised to access the data.
2 Roles and Responsibilities
The data owner, usually a member of senior management, is ultimately responsible for the data and information collected and maintained by his or her department or division.
3 Data Classification
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the Company. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.
All Simpaisa data must be assigned to one of the following three sensitivity classifications:
| Class | Label | Description |
|---|---|---|
| 03 | Restricted Data | Data should be classified as Restricted when the unauthorised disclosure, alteration or destruction of that data could cause a significant level of risk to the Company. The highest level of security controls should be applied to Restricted data. |
| 02 | Private Data / Confidential | Data should be classified as Private when the unauthorised disclosure, alteration or destruction of that data could result in a moderate level of risk to the Company or its affiliates. |
| 01 | Public Data | Data should be classified as Public when the unauthorised disclosure, alteration or destruction of that data would result in little or no risk to the Company. |
Any Restricted or Private documents must be stored in a safe place, or in a locked cabinet accessible only to authorised people.
4 Data Classification Procedure
The goal of information security, as stated in the Company's Information Security Policy, is to protect the confidentiality, integrity and availability of Institutional Data. Data classification reflects the level of impact to the Company if confidentiality, integrity or availability is compromised.
1. Data owners review each piece of data they are responsible for and determine its overall impact level.
2. The data owner assigns each piece of data a classification label based on the overall impact level:

| Overall Impact Level | Classification Label |
|---|---|
| High | Restricted |
| Moderate | Confidential |
| Low | Public |

3. The data owner records the classification label and overall impact level for each piece of data.
4. The data owner applies appropriate security controls to protect each piece of data according to the classification label and overall impact level.
5 Calculating Classification
The table below should be used by data owners to assess the potential impact to the Company of a loss of the confidentiality, integrity or availability of a data asset.
| Security Objective | Low | Moderate | High |
|---|---|---|---|
| Confidentiality — Preserving authorised restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. | The unauthorised disclosure of information could be expected to have a limited adverse effect on organisational operations, organisational assets, or individuals. | The unauthorised disclosure of information could be expected to have a serious adverse effect on organisational operations, organisational assets, or individuals. | The unauthorised disclosure of information could be expected to have a severe or catastrophic adverse effect on organisational operations, organisational assets, or individuals. |
| Integrity — Guarding against improper information modification or destruction, which includes ensuring information non-repudiation and authenticity. | The unauthorised modification or destruction of information could be expected to have a limited adverse effect on organisational operations, organisational assets, or individuals. | The unauthorised modification or destruction of information could be expected to have a serious adverse effect on organisational operations, organisational assets, or individuals. | The unauthorised modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organisational operations, organisational assets, or individuals. |
| Availability — Ensuring timely and reliable access to and use of information. | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organisational operations, organisational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organisational operations, organisational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organisational operations, organisational assets, or individuals. |
6 Default Classification
The Company and asset owners must classify the following information at no less than the default classification shown:
| Data Examples | Default Classification (not less than) |
|---|---|
| Network data | Class 3 (Restricted) |
| Application data | Class 3 (Restricted) |
| Access data (logins, passwords etc.) | Class 3 (Restricted) |
| Legal agreements including SLA | Class 3 (Restricted) |
| Data protected by the privacy regulations | Class 3 (Restricted) |
| Transactional data | Class 3 (Restricted) |
| Personal identification data | Class 3 (Restricted) |
| Human resource documents | Class 3 (Restricted) |
| Employee directory | Class 3 (Restricted) |
| Other company related IT data | Class 3 (Restricted) |
| Data protected by confidentiality agreements | Class 3 (Restricted) |
| Payroll, personnel, and financial information | Class 3 (Restricted) |
| Product documentation | Class 2 (Private Data / Confidential) |
| Financial data | Class 3 (Restricted) |
| Internal communication data including emails and internal project management related systems | Class 2 (Private Data / Confidential) |
| Press releases | Class 1 (Public data) |
| Course information | Class 1 (Public data) |
| Research publications | Class 1 (Public data) |
| API Document for merchant Integrations | Class 1 (Public data) |
By default, all Company data which is not explicitly classified as Restricted or Public, or data where the data owner is not sure which classification should be used, must be treated as Private/Confidential data.
While little or no controls are required to protect the confidentiality of public data, some level of control is required to prevent unauthorised modification or destruction of Public data. On formal data request, data can be provided to the requesting party; the data owner retains complete rights to approve or reject a data request with a defined reason mentioned on the request.
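The procedure in Sections 4 to 6 can be expressed as a small decision routine. The following is an added illustration, not part of the policy or any Simpaisa system; it assumes, since the policy does not state a combining rule, that the overall impact level is the highest of the three Section 5 ratings, and it carries only a subset of the Section 6 default table.

```python
from enum import IntEnum
from typing import Optional, Tuple


class Impact(IntEnum):
    """Impact levels from the Section 5 assessment table."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Section 3 labels by class number, and the Section 4 impact-to-class mapping.
LABELS = {1: "Public Data", 2: "Private Data / Confidential", 3: "Restricted Data"}
CLASS_BY_IMPACT = {Impact.LOW: 1, Impact.MODERATE: 2, Impact.HIGH: 3}

# Section 6 "not less than" floors, keyed by data example (subset of the policy table).
DEFAULT_FLOOR = {
    "access data": 3,
    "transactional data": 3,
    "personal identification data": 3,
    "product documentation": 2,
    "internal communication data": 2,
    "press releases": 1,
    "api document for merchant integrations": 1,
}


def overall_impact(c: Impact, i: Impact, a: Impact) -> Impact:
    # Assumption (not stated by the policy): the overall impact level is the
    # highest of the three objectives, so one High rating drives the result.
    return max(c, i, a)


def classify(category: str, c: Optional[Impact] = None, i: Optional[Impact] = None,
             a: Optional[Impact] = None) -> Tuple[int, str]:
    """Return (class number, label) for one data asset.

    category: a Section 6 data example (case-insensitive); unlisted categories have no floor.
    c, i, a: the owner's confidentiality/integrity/availability ratings. Leave them as
    None when the owner is unsure, which Section 6 says falls back to Confidential.
    """
    if c is None or i is None or a is None:
        assessed = 2  # owner not sure -> Private/Confidential
    else:
        assessed = CLASS_BY_IMPACT[overall_impact(c, i, a)]
    floor = DEFAULT_FLOOR.get(category.strip().lower(), 1)
    final = max(assessed, floor)  # the default classification is a minimum, never a ceiling
    return final, LABELS[final]
```

Note that the floor only ever raises a classification: an owner who rates access data Low on every objective still gets Restricted, while a Low-rated press release stays Public.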
Reference Documents
| Reference Number | Document Name | Responsible | Retention Time |
|---|---|---|---|
| PEX-LDTR-45 | Data request logs | PMO | 1 Year |
| PEX-DTR-5287 | Data request form | PMO | 3 Years |