ADMINISTRATIVE POLICY TYPE: ADMINISTRATION
POLICY TITLE: Information Classification and Risk Management
To protect information properly and cost-effectively, the college will take the steps outlined below to identify its information, the value of that information to the organization, and the risks related to its management, and from these determine the appropriate means and levels of protection.
TERMS AND DEFINITIONS
For the purposes of this document, the following terms and definitions apply:
Data custodian: A staff member to whom a data owner may delegate responsibility for maintaining the day-to-day operation of a system using the approved safeguards defined by the data owner.
Data owner: The manager of a department or division who is responsible for the proper safeguarding of, and access to, the data contained on a system.
System: A computer or system that stores or disseminates information.
User: A person who is authorized by the data owner to access data.
All employees are responsible for the protection of college information from unauthorized access, modification, destruction, or disclosure, whether accidental or intentional. To facilitate the protection of this information, three levels of employee responsibilities have been established: data owner, data custodian, and user.
Data owners have the responsibility to:
- Conduct the risk assessment and data classification of information assets according to this policy.
- Provide safeguards to ensure compliance.
- Authorize access to those who have a business need for the information.
- Revoke the access when no longer needed.
These responsibilities may be delegated to a data custodian, but accountability remains with the data owner.
Data custodians are trained staff members who are responsible for maintaining the safeguards established by the owner.
Users are people authorized by the data owner to access information and follow the safeguards established by the data owner.
The Chief Information Officer is responsible for the classification and risk assessment process and general oversight to ensure that this policy is consistently applied across the college.
II. Information Asset Classification
College information assets will be classified according to sensitivity and value/criticality using standard and consistent classifications. Information assets will be identified, described and classified in accordance with the following requirements:
A. Information Identification
The contents, fields or attributes of the information assets and the associated systems must be defined so that the information assets may be clearly classified into an information classification category.
B. Information Ownership
All information assets must have a designated data owner identified by name. Records must be maintained so as to provide a complete and uninterrupted history of ownership over the life of the asset.
C. Classification of Information
Data owners must classify information assets in accordance with the classifications provided in the Data Classification Matrix. The classification assigned to an information asset must be at least equivalent to that of its most sensitive data element. For example, an application that contains both operational and confidential data must be classified as confidential. An information asset may be assigned a classification higher than that of any individual element where the composite value of the asset is determined to be greater than the value of any of its constituent parts.
D. Value/Impact Assessment
The data owner must determine the potential adverse impact (e.g. cost or loss) to both the business unit and the college that could result from the unauthorized disclosure, access, modification, or destruction of the information assets using the categories provided in the Impact Assessment Matrix.
Table II.D.1: Data Classification Matrix
|CLASS|DEFINITION|EXAMPLES|
|---|---|---|
|Confidential|Assets for which unauthorized disclosure, access, modification, or destruction, whether the result of inadvertent or deliberate actions, could have legal, statutory, or regulatory repercussions. Very strict rules must be adhered to in the usage of this data. Data integrity is vital.|Personal health information|
|Operational|Assets for which unauthorized disclosure, access, modification, or destruction, whether the result of inadvertent or deliberate actions, could have a negative impact on the college's reputation or result in loss of intellectual property. Internal access is selective. Data integrity is vital.|Policy or process documentation; most operational communications such as email and instant messaging|
|Public|Data on these systems could be made public without any implications for the college.|Public marketing materials; information which has been approved for public disclosure by college administration|
Table II.D.2: Impact Assessment Matrix
|TYPE OF IMPACT|DESCRIPTION|
|---|---|
|Loss/Fraud|The potential for financial loss from unauthorized access to an application, data, or system.|
|Direct value|The value of the information measured by the college's direct expense required for its creation, storage, and manipulation.|
|College image impact|The value of the college's image as reflected by the loyalty and trust of its customers.|
|Operational impact|The extent to which the loss of the information or its integrity impacts management decisions, system operations, or business functions. The impact also includes the costs of correcting mistakes so that they do not recur and the costs of recreating the information.|
|Competitive value|The value of the information to competitors of the college, including the amount of income, business, or market share that could be lost if they obtained the information.|
|Compliance impact|The extent to which regulatory agencies or governing bodies mandate retention and integrity of the information.|
III. Risk Assessment
Risk assessments will be performed on all new applications prior to being introduced into the college production environment. Risk assessments for existing or legacy applications will be performed based on the amount of risk and value the information assets provide to the business and/or to address legal or regulatory obligations.
Risks to college information assets will be determined by documenting the following:
- Information asset description and classification.
- Identification of internal and external threats to those information assets (e.g. theft, compromise, physical destruction).
- Vulnerabilities, and the likelihood that a given threat will exploit them to affect an information system or asset.
Security measures, both technical and procedural, will be implemented to manage risk to college information assets as required by the college's information security charter and as determined by this risk assessment.
IV. Disciplinary Action
Exceptions to this policy must have prior authorization from the Executive Team. Any violations of this policy may result in disciplinary action.
Administrative Policy I.C
Administrative Policy I.D