To understand its potential exposure from a security risk, issue or incident, Oso catalogues and classifies its data and other in-scope assets, in order to apply risk-based controls.
Assets are anything that has value to the organization, including, but not limited to, customer data, production data, financial data, intellectual property, and any material non-public information.
Data classification
Oso classifies data, and the assets where it resides, into four risk categories: Critical, Sensitive, Private and Public. Definitions are as follows:
CRITICAL
- Data where protection is mandated by confidentiality agreements, labor codes, specific laws and regulations (e.g. PCI DSS, HIPAA, GDPR), data that is subject to breach reporting requirements, or data whose disclosure would have a significant adverse impact on Oso (e.g., the user accounts database).
- Customer data provided to us only for the purpose of providing the Oso Service, for which we are a Data Processor and not the Data Controller.
- Credentials, secret keys, or any other material that can be used to access CRITICAL data.

SENSITIVE
- Oso's own customer records, instrumentation, service usage, correspondence, and other data used for the purpose of operating the Oso Cloud service.
- All data for which Oso is the Data Controller.

PRIVATE
- Any confidential or otherwise proprietary data that is not Personally Identifiable Information.
- Private employee correspondence, e.g. email, Slack, issue tracking and other tools.
- Application source code (excluding credentials, which are classified CRITICAL).

PUBLIC
- All material purposely made available for public consumption.
- Blogs, documentation, public source code, and other material relating to the Oso service.
When multiple classifications may apply, the highest applicable classification is used. For example, if a machine is low-risk by itself but can be used to access high-risk data, its overall classification is also high-risk.