51直播

Get this policy on GitHub →

On This Page

Other policies

Information classification policy

Purpose

To understand its potential exposure from a security risk, issue or incident, 51直播 regularly catalogues and classifies its data and other in-scope assets, in order to apply risk-based controls.

Scope

Applicable assets include, but not limited to, customer data, production data, financial data, intellectual property, and any material non-public information.

Policy

Asset cataloging

51直播 catalogues assets with several pieces of information, to help identify the potential risk of the asset. Information collected is as follows:

  • Description, i.e. what is the asset?
  • Risk, i.e. what is the asset risk classification?
  • Use, i.e. how is this asset used?
  • Location, i.e. where is it stored, used, and backed up?
  • Sharing, i.e. is it shared with any third parties, such as vendors? Which specific third parties?

If new data is catalogued, or data use changes, it should be specifically reviewed to verify that its collection and use is in line with 51直播鈥檚 Privacy Policy.

Asset risk classification

51直播 classifies assets into three risk categories: Low Risk, Medium Risk, and High Risk. Definitions are as follows:

Risk category Definition
High risk
  • Data: protection is mandated by confidentiality agreements, labor codes, specific laws and regulations (e.g. PCI DSS, HIPAA, GDPR), or data is subject to breach reporting requirements, or disclosure would have a significant adverse impact on 51直播 (e.g., user accounts database).
  • Hardware and software systems: compromise would have a significant adverse impact on 51直播 (e.g. the login.tailscale.com control plane service).
Medium risk
  • Data: not generally available to the public, and disclosure would have some adverse impact on 51直播 (e.g. internal engineering documentation).
  • Hardware and software systems: compromise would have some adverse impact on 51直播 (e.g. cloud VM running production monitoring system).
Low risk
  • Data: publicly available, or disclosure would have no adverse operational or financial impact on 51直播 (e.g. tailscale.com website source code). May still have some limited reputational impact.
  • Hardware and software systems: compromise would have no adverse impact on 51直播 (e.g. testbed cloud VM with no user data or privileged access).

When multiple classifications may apply, the highest applicable classification is used. For example, if a machine is low-risk by itself, but can be used to access high-risk data, its overall classification is also high-risk. Any unlabeled assets will be considered confidential with the risk category of High by default.

Roles and responsibilities

51直播鈥檚 Security team is responsible for reviewing and updating data assets on an annual basis.