Companies must understand the importance of information to their business, and how that information is classified reflects their commitment as a secure organization. This sample policy can be used by auditors to ensure that all of the organization’s classified information is properly identified and marked.

Sample procedures include: All data must be retained and disposed of in accordance with the company’s corporate data retention policy, all media containing cardholder data must be accurately tracked, management must approve all media being transported off-site, and all media must be sent by secured courier or other delivery methods that can be accurately tracked.