Aramco data is not yours to classify however you see fit. SACS-002 requires that every vendor handling Aramco information maintains a formal Data Classification Policy that defines how data is categorized, stored, transmitted, and eventually destroyed. Without this policy, your team has no rules governing which data can be shared, where it can be stored, or who can access it -- and auditors will flag this gap immediately. This guide explains exactly what your Data Classification Policy must contain, how Aramco's own classification levels interact with your policy, and the common failures that cost vendors their CCC certification.
What the SACS-002 Standard Requires
Multiple TPC controls feed into data classification requirements. While there is no single "data classification" TPC number, the requirement emerges from the intersection of several controls:
Key controls: TPC-1 (Acceptable Use Policy must reference data handling), TPC-19 (media sanitization before disposal), TPC-52 (encryption of data in transit), and the overarching SACS-002 requirement that vendors protect Aramco information according to its classification level.
Auditors expect to see a standalone Data Classification Policy or a clearly defined section within your Information Security Policy that addresses classification levels, handling rules, and Aramco-specific data restrictions.
Aramco's Data Classification Levels
Aramco classifies its own information into distinct levels, and as a vendor, you must understand and respect these classifications. Your policy must define how each level is handled within your organization:
| Classification Level | Description | Handling Requirements |
|---|---|---|
| Restricted | Highly sensitive information whose disclosure could cause severe damage to Aramco | Encrypted at rest and in transit, access limited to named individuals, no copies without authorization, secure destruction required |
| Confidential | Sensitive business information not intended for public disclosure | Encrypted in transit (TPC-52), access controlled by role, stored on authorized systems only, no sharing via personal channels |
| Internal | Information intended for use within the vendor-Aramco relationship | Access limited to employees with business need, stored on company systems, not to be shared externally without approval |
| Public | Information approved for public disclosure | No special handling requirements, but verify classification before treating data as public |
The critical principle: when you receive data from Aramco, it retains Aramco's classification. You cannot reclassify it to a lower level. If Aramco marks a document as Confidential, it remains Confidential in your systems regardless of your own internal classification scheme.
Required Policy Sections
A compliant Data Classification Policy must include the following sections. Auditors will check for each one and verify that handling rules are specific enough to be actionable.
1. Purpose and Scope
Define the policy's objective (protecting information assets according to their sensitivity) and scope (all data created, received, stored, or transmitted in connection with Aramco work, across all systems, devices, and media).
2. Classification Levels and Definitions
Define your organization's classification levels and map them to Aramco's levels. Your internal scheme can use different names, but you must document the mapping. For example:
- Your "Top Secret" = Aramco "Restricted"
- Your "Confidential" = Aramco "Confidential"
- Your "Internal" = Aramco "Internal"
- Your "Public" = Aramco "Public"
If your organization does not have its own classification scheme, adopt Aramco's levels directly. This is simpler and avoids mapping confusion during the audit.
3. Data Handling Rules by Classification
For each classification level, define specific rules covering:
Storage
- Where the data may be stored (authorized servers, encrypted file hosting, approved cloud platforms)
- Where the data must not be stored (personal devices, consumer cloud services like Google Drive personal accounts, USB drives without encryption)
- Encryption requirements for data at rest (Restricted and Confidential data must be encrypted)
Transmission
- Encryption requirements for data in transit (TPC-52 mandates encryption for all Aramco data transmitted over networks)
- Approved transmission channels (company email, encrypted file sharing, VPN-protected connections)
- Prohibited transmission channels (personal email, consumer messaging apps, unencrypted FTP)
Access Control
- Who may access each classification level (named roles, not just "employees")
- How access is granted and revoked (links to your access control procedures)
- Multi-factor authentication requirements for accessing Confidential and Restricted data
Sharing and Disclosure
- Rules for sharing within the organization (need-to-know basis for Confidential and above)
- Rules for sharing with third parties (requires Aramco approval for Confidential and Restricted data)
- Absolute prohibition on public disclosure of any Aramco data classified as Internal or above
Retention and Destruction
- How long each data classification level is retained
- Destruction procedures when data is no longer needed (TPC-19 requires media sanitization)
- Documentation of destruction events (certificates of destruction for auditor review)
4. Data Labeling Requirements
Define how data is labeled with its classification: document headers/footers, email subject line tags, file naming conventions, or metadata tags. Auditors may ask to see examples of properly labeled documents.
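The handling rules in section 3 and the labeling requirements in section 4 can be turned into a mechanical check, which is also how a practitioner would verify that a gateway or file-share rule actually enforces the written policy. The following is an added example, not code from this page or from the MassiveGRID package: it parses a classification tag from a subject line or document header (the bracketed `[Aramco-Confidential]` tag format, the vendor-internal "Top Secret" name, and the channel names are assumptions constructed for the example), maps vendor-internal names to Aramco's levels, refuses the downgrade that L14 prohibits, and decides whether a proposed channel, MFA state and third-party recipient are permitted for that level.

```python
"""Classification-aware handling check (added illustration, not the page's own code).

Encodes the page's handling rules: labelled items carry an Aramco level, vendor
names map onto Aramco's levels, prohibited channels carry only Public data,
Confidential and Restricted access requires MFA, and third-party sharing of
Confidential or Restricted data needs written Aramco approval.
"""
import re
from enum import IntEnum


class Level(IntEnum):
    """Aramco's four levels, ordered so that comparisons mean 'more sensitive'."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# The mapping the policy must document: vendor-internal names -> Aramco levels.
# "TOP SECRET" is the page's example of a vendor name that maps to Restricted.
VENDOR_TO_ARAMCO = {
    "TOP SECRET": Level.RESTRICTED,
    "CONFIDENTIAL": Level.CONFIDENTIAL,
    "INTERNAL": Level.INTERNAL,
    "PUBLIC": Level.PUBLIC,
}
ARAMCO_NAMES = {lvl.name: lvl for lvl in Level}

# Assumed tag format: "[Aramco-Confidential] ..." or "[TOP SECRET] ..." in a
# subject line or document header line.
LABEL_RE = re.compile(r"\[(?:Aramco[- ])?([A-Za-z ]+)\]", re.IGNORECASE)


def parse_label(text):
    """Return the Aramco Level named by the first tag in `text`, or None if the
    item carries no label. Unlabelled data is deliberately NOT treated as Public."""
    m = LABEL_RE.search(text)
    if not m:
        return None
    name = m.group(1).strip().upper()
    if name in ARAMCO_NAMES:
        return ARAMCO_NAMES[name]
    return VENDOR_TO_ARAMCO.get(name)


# Constructed channel names and the most sensitive level each may carry.
# Approved channels from the page (company systems, encrypted sharing, VPN)
# may carry any level; the prohibited ones may carry Public data only.
CHANNEL_MAX = {
    "company_encrypted_share": Level.RESTRICTED,
    "vpn_tls": Level.RESTRICTED,
    "company_email": Level.RESTRICTED,
    "personal_cloud": Level.PUBLIC,
    "personal_email": Level.PUBLIC,
    "consumer_messaging": Level.PUBLIC,
    "plain_ftp": Level.PUBLIC,
    "unencrypted_usb": Level.PUBLIC,
}


def may_reclassify(current, proposed):
    """Aramco data keeps Aramco's level: raising it is allowed, lowering is not."""
    return proposed >= current


def check_handling(label_text, channel, mfa_verified=False,
                   external_recipient=False, aramco_approval=False):
    """Return (allowed, reason) for moving the labelled item over `channel`."""
    level = parse_label(label_text)
    if level is None:
        return False, "unlabelled item: classify before handling"
    if channel not in CHANNEL_MAX:
        return False, f"unknown channel {channel!r}: not an approved channel"
    if level > CHANNEL_MAX[channel]:
        return False, f"{level.name} data may not be placed on {channel}"
    if level >= Level.CONFIDENTIAL and not mfa_verified:
        return False, f"{level.name} data requires MFA-verified access"
    if external_recipient and level >= Level.CONFIDENTIAL and not aramco_approval:
        return False, f"sharing {level.name} data externally needs written Aramco approval"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample items, one per rule the check enforces.
    samples = [
        ("[Aramco-Internal] site notes", "personal_cloud", {}),
        ("[TOP SECRET] plant drawings", "vpn_tls", {"mfa_verified": True}),
        ("[Aramco-Confidential] bid", "company_email", {"mfa_verified": False}),
        ("weekly status", "company_email", {}),
    ]
    for text, chan, kw in samples:
        print(text, "->", chan, check_handling(text, chan, **kw))
```

The point of the `None` branch in `parse_label` is the audit failure "No data labeling": an unlabelled item is refused rather than quietly treated as Public, which is also what the table in the page means by "verify classification before treating data as public".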
5. Aramco-Specific Disclosure Prohibitions
SACS-002 explicitly prohibits vendors from disclosing Aramco data to unauthorized parties. Your policy must include a clear section stating:
- Aramco data must not be disclosed to any third party without written Aramco approval
- Aramco data must not be used for any purpose other than fulfilling the vendor's contractual obligations
- Upon contract termination, all Aramco data must be returned or securely destroyed, with written confirmation provided to Aramco
- Employees who violate these restrictions are subject to disciplinary action
6. Roles and Responsibilities
Assign data classification responsibilities: who classifies data (the data owner or originator), who enforces handling rules (IT/security team), who audits compliance (internal audit or compliance officer), and who employees contact with classification questions.
7. Policy Review and Updates
The Data Classification Policy must be reviewed at least annually, or whenever Aramco updates its own classification requirements. Document the review schedule, approval process, and change history.
Common Audit Failures
- No classification policy exists: The vendor has never documented how data is classified or handled. This is a fundamental governance gap that affects multiple TPC controls.
- Generic policy without Aramco specifics: The vendor has an IT security policy that mentions "confidential data" but does not address Aramco's classification levels, disclosure prohibitions, or data return/destruction requirements.
- Policy exists but employees do not follow it: The auditor finds Aramco data stored on personal Google Drive accounts, shared via WhatsApp, or saved on unencrypted USB drives -- all violations of a policy that theoretically prohibits these actions.
- No data labeling: Documents containing Aramco data have no classification labels. Employees cannot tell whether a document is Confidential or Internal just by looking at it.
- Missing destruction procedures: The vendor has no documented process for destroying Aramco data when it is no longer needed. Old project files containing Aramco data sit on servers indefinitely with no review or cleanup.
- No mapping to Aramco levels: The vendor has its own classification scheme but has never mapped it to Aramco's levels. The auditor cannot determine whether "Level 2" in the vendor's system equates to Aramco's "Confidential" or "Internal."
Data Classification Audit Evidence Checklist
| Evidence Item | What to Prepare |
|---|---|
| Policy document | Current version with classification levels, handling rules, Aramco-specific sections, version number, and review date |
| Classification mapping | Table mapping your internal levels to Aramco's classification levels |
| Labeled document samples | Examples of properly classified and labeled documents (redacted if necessary) |
| Storage configuration | Evidence that Aramco data is stored on authorized, encrypted systems only |
| Encryption evidence | TLS configuration for data in transit, encryption-at-rest configuration for storage systems |
| Destruction records | Certificates of destruction or sanitization logs for any Aramco data that was disposed of |
| Employee acknowledgment | Evidence that employees acknowledged the data handling rules (typically covered by AUP acknowledgment per TPC-1) |
| Annual review record | Evidence that the policy was reviewed and approved within the last 12 months |
How MassiveGRID's Template Accelerates Compliance
Writing a Data Classification Policy that addresses Aramco-specific requirements -- classification level mapping, disclosure prohibitions, data return obligations, destruction procedures -- requires understanding both the SACS-002 standard and Aramco's contractual expectations. Most vendors either overlook critical sections or write policies that are too generic to satisfy auditors.
MassiveGRID's CCC-Compliant Infrastructure Package includes a ready-made Data Classification Policy template that:
- Includes all 7 required sections with pre-written content aligned to SACS-002 requirements
- Provides a pre-built Aramco classification level mapping table
- Covers handling rules for storage, transmission, access, sharing, and destruction at each level
- Includes Aramco-specific disclosure prohibitions and data return procedures
- Has placeholder fields for your company details, data owners, and approval signatures
- Is written in formal policy language accepted by authorized audit firms
The encrypted file hosting and secure remote desktop components of the infrastructure package provide the technical controls that enforce the policy -- data is automatically stored on encrypted systems, transmitted over encrypted channels, and access-controlled via MFA, matching the handling rules in the template.
Get the Data Classification Template as Part of the Full CCC Package
The Data Classification Policy template is one of six governance templates included in the MassiveGRID Aramco CCC-Compliant Infrastructure Package, alongside the Acceptable Use Policy, Incident Response Plan, Risk Assessment Template, Off-boarding Checklist, and Media Sanitization Procedure. Combined with 10 infrastructure components and direct access to authorized audit firm partners, it provides the full path from zero to certified.