Information Security Classification Standard

Legislative History:

Reviewed by UEC 2015/06/24; Reviewed by PVP 2015/09/23; Approved by the President 2015/09/23

Approval Authority: President

Signature: Mamdouh Shoukri


Purpose

This standard establishes the classification categories to be used in accordance with the Information Security Classification Procedures.

Information Security Classification Categories

University information resources are classified according to the following categories:

A. Public Information

Information deemed to be public by legislation or policy. Information in the public domain, for example: annual reports; public announcements and news releases; contact information; University calendars and policies; published research; job postings; publicly posted newsletters and magazines.

B. Information for Internal Use

Information that is used in the day-to-day operations of the University or a department intended for internal use only, for example: minutes of meetings, internal memos; project reports; unit budgets; accounting information; physical plant details, floor plans; location of hazardous materials.

C. Confidential Information

Information given or used in confidence that may be disclosed only to authorized individuals on a need-to-know basis, for example: contracts and other legal documents protected by legal privilege; internal audit reports and working files; research in progress, intellectual property; tenure and promotion files; drafts of strategic plans, annual reports, financial statements not yet published; proprietary software source code.

D. Regulated Information

Information that, in addition to being confidential, is subject to requirements and/or regulations specified by external entities with which the University is obligated to comply. Please note that some information may be subject to multiple, separate regulatory requirements. Examples of Regulated Information include:

D1. Credit Card-Holder Data

The Payment Card Industry Data Security Standard (PCI DSS) is an industry regulation that defines how credit card-holder data (CHD) is stored, processed and transmitted. CHD is defined as:

– Primary Account Number
– Cardholder Name
– Expiration Date
– Service Code

The University PCI DSS policy, guidelines and procedures apply, and provide specific direction on the governance and handling of this type of data.

D2. Personal Health Information

Identifying information about an individual that is: (1) maintained by a Health Information Custodian as defined by the Personal Health Information Protection Act (PHIPA) for the primary purpose of providing health care, including information relating to the physical or mental health of the individual, and information that consists of the health history of the individual’s family; or (2) clinical research data provided for research under an authorized research agreement.

D3. Personal Information

Recorded information about an identifiable individual as defined by the Freedom of Information and Protection of Privacy Act (FIPPA) including: ethnic origin, race, religion, age, sex, sexual orientation, marital status, etc.; information regarding educational, financial, employment, medical, psychiatric, psychological or criminal history; identifying numbers, e.g., S.I.N., student number; home address, telephone number; employee files, grievances; student coursework, grades.

D4. Research Data

Information and data to which funding agency rules and/or specific security agreements governing their use apply.

Information Handling Requirements

Information resources shall have secure handling practices in place according to their category. The following sets out the minimum appropriate practices for each category:

A. Public Information

No specific handling requirements.

B. Information for Internal Use

  1. Access
    1. Is limited to employees and authorized users as determined by the Information Steward.
    2. shall be revoked as soon as reasonably possible when users leave the University, change role, or are otherwise no longer authorized for access.
  2. Transmission
    1. Encryption is highly recommended when transmitting over non-trusted networks (e.g. Internet).
  3. Storage
    1. Information shall be stored with a system or media that has access control, either by physical access (locked cabinet), or password protected files/file systems.
    2. Encryption is highly recommended for all mobile data media or devices utilized.
  4. Destruction
    1. Shred or erase in accordance with the Procedures for Secure Destruction of Information.

C. Confidential Information

  1. Access
    1. Is limited to employees and authorized users as determined by the Information Steward.
    2. Principles of least-privilege and need-to-know must be applied.
    3. Shall be revoked as soon as reasonably possible when users leave the University, change role, or are otherwise no longer authorized for access.
  2. Transmission
    1. Strong encryption or data masking/tokenization is required when transmitting over non-trusted networks (e.g. Internet).
    2. Encryption is highly recommended when transmitting over trusted networks (e.g. internal University network).
    3. Use sealed mailing clearly marked “Confidential”.
  3. Storage
    1. Information shall be stored with a system or media that has access control, either by physical access (locked cabinet), or password protected files/file systems.
    2. Encryption is required for all mobile data media or devices utilized.
    3. Implement “clean desk” policy.
  4. Destruction
    1. Shred or erase in accordance with the Procedures for Secure Destruction of Information.

D. Regulated Information

This category has specific measures and controls required by third-parties. The following are general requirements set out by the University for such information, but additional measures may also be required.

  1. Access
    1. Is limited to specific named individuals or positions.
    2. Principles of least-privilege and need-to-know must be applied.
    3. Shall be revoked immediately when users leave the University, change role, or are otherwise no longer authorized for access.
  2. Transmission
    1. Strong encryption or data masking/tokenization is required when transmitting over any network other than purpose-designed secure and isolated network segments.
    2. Use of any third-party service is not appropriate without specifically ensuring compliance with regulated security requirements.
    3. Double envelopes should be used for hard-copy mailings.
    4. Use sealed mailing clearly marked “Confidential”.
  3. Storage
    1. Information shall be stored with a system or media that has access control, either by physical access (locked cabinet), or password protected files/file systems.
    2. Use of any third-party service is not appropriate without specifically ensuring compliance with regulated security requirements.
    3. Encryption is required for all mobile data media or devices utilized.
    4. Implement “clean desk” policy.
  4. Destruction
    1. Shred or erase in accordance with the Procedures for Secure Destruction of Information.