RFC: Data Classification Policy

Please share your comments about this draft of our Data Classification Policy.


Data Classification Policy

Superseded by:

Table of Contents

  1. Introduction
  2. Classification Levels
  3. References

Introduction

Security, integrity, and transparency need to be at the forefront of every decision that The Rocky Linux Foundation, Inc (the “Foundation”) and its community make. It is of vital importance that the assets of the Foundation, including those of the Rocky Linux Project (the “Project”), are properly identified and classified, in order to properly secure those assets from attack.

While the Foundation believes that community transparency and involvement are very important, there are a number of things that must inherently be shielded from the public in order to ensure the security and integrity of the Project. As a result of this, all information related to the Foundation will be classified into one of the following five (5) classifications:

  1. Open Source
  2. Public
  3. Non-Public
  4. Confidential
  5. Restricted

The intention of these data classification levels is to ensure that only that data which must be classified actually is. To that end, and to ensure complete transparency with the public, once identified, any data that is not explicitly listed in this policy will be classified as open source after a period of 90 days. The purpose of this 90-day provision is to ensure that the Foundation has ample time to properly classify any new data types, and to ensure that data is not inadvertently released as open source due to a simple lack of pre-existing classification.

It is for the longevity and success of both the Foundation and the Project that some information must be kept out of the public domain, which is true for every company/organization. However, the Foundation will be as open and transparent as possible. As a result, anything not classified as open source will have a public description and justification included in this policy or related addendums. This is to ensure that the public has a full understanding both of the types of data and the justification for why the information is not being released as open source.

In the event that any data could be interpreted as belonging to two different classification types, the more restrictive of the two classification types should be assumed.

Classification Levels

Open Source

Description

Data under this classification is accessible to be read by anyone, without restriction. For the purposes of the Foundation, any work that is not already covered by another license will be released under the [INSERT LICENSE AND LINK TO LICENSE HERE].

Additionally, any individual who would like to contribute/modify/distribute the open source data created by the Foundation is free to do so, assuming that individual adheres to the legal restrictions of the license referenced above.

Any data that is classified as open source must be released onto an Internet-facing system that allows for public access and/or contribution. For systems that allow contribution, these systems may, but are not required to, use registration for contribution. There will not be any registration required to view data with an open source classification.

Examples

  • Rocky Linux Public Source Code Repositories
  • The Rocky Linux Public Wiki
  • Rocky Linux Distribution Releases
  • Anything otherwise required to be open source due to legal/licensing restrictions
  • Any other data that has been identified but has spent more than 90 days without being assigned a classification.

Public

Description

Data under this classification is accessible to be read by anyone, without restriction. However, this classification of data explicitly has not been released under an open-source license, and the rights to the data under this classification remain the exclusive property of the Foundation.

Data falling under this classification (or any other classification other than open source) must be attributable to a single individual or legal entity, as rights to this data must belong to or have been assigned to the Foundation.

Data Classified as Public

  • The Rocky Linux Foundation and Rocky Linux brand, logos, and trademarks
  • The Policies and Procedures of the Foundation
  • Information contained on the rockylinux.org public website
  • The Rocky Linux Project Management tools
  • Rocky Linux public collaboration tools (Slack, Matrix, IRC, Mattermost, etc.)
  • Information about the secure Project build and distribution pipeline (excluding information that may compromise the integrity of the pipeline)

Non-Public

Description

Data under this classification is generally available only to members of the Foundation. This information may be released to non-members at the discretion of the Foundation, and does not require an NDA for release.

In general, data that is classified as non-public is classified as such in order to protect the members of the Foundation, or the integrity of the Project.

Data Classified as Non-Public

  • Draft versions of data that is intended to be classified as public or open-source upon release
  • Private communication between members of the Foundation and the general public.
  • Internal productivity tools, including non-public collaboration in otherwise public tools (including, but not limited to, invite-only chat channels, project management tools, forums, and wikis).

Confidential

Description

Data under this classification represents significant risk to the Foundation, Project, or its members, and should only be accessible by Members of the Foundation or vetted 3rd parties that are bound by an NDA or other legally-binding form of protection.

In general, this data includes information that could compromise the security or integrity of the Project build and distribution pipeline.

Data Classified as Confidential

  • The Personally Identifiable Information (PII) of our Members or Contributors
  • Internal systems documentation that does not pertain to the Project build pipeline
  • Communications between vetted members of the Foundation
  • Communications between the Foundation and its affiliates
  • Foundation Infrastructure documentation (excluding the aforementioned publicly-classified data related to the Project build and distribution pipeline)
  • Data that is otherwise required by law to remain confidential

Restricted

Description

Data under this classification is only able to be accessed by formally vetted members of the Foundation or its affiliates. If released to the public, this information would cause irreparable damage to the Foundation, the Project, its members, its customers, its affiliates, or its community members.

Access to data with this classification must be explicitly granted as defined by the Foundation’s Access Control Policy. [LINK THIS ONCE WRITTEN]

Under no circumstance should this data be shared without appropriate legal protections in place.

Data Classified as Restricted

  • Data that is covered under legal privilege
  • Data that is protected by law (PCI, PHI, PII, HIPAA, GLBA, etc.)
  • Foundation/Project Security Data (Keys, Credentials, secrets)

Authors’ Information

Benjamin Agner
bagner@rockylinux.org
The Rocky Linux Foundation, Inc

Rob Felsberg (@rfelsburg)
rfelsberg@rockylinux.org
The Rocky Linux Foundation, Inc

Neil Hanlon (@neil)
neil@rockylinux.org
The Rocky Linux Foundation, Inc


Great job on this policy. Can we get it posted on a website after a sufficient period for comments has elapsed?

Presumably the classification on this policy itself is “Public” because it is not marked as Open Source. 🙂


@jorp Chinese translation: Rocky Linux Data Classification Policy [2021-01-25] | Rocky Linux Chinese Community

Yup absolutely, this is the plan. I’ll be updating with a closing date in the near future.