Information Security Classification Policy
| Document Number | 000814 |
|---|---|
| Date Approved | 23 April 2007 |
1.
1. Introduction
TheUniversity of Newcastle routinely gathers, stores, processes, transmits and disposes of records containing information. That information must be protected from unauthorised disclosure, misuse and misrepresentation while at the same time, made readily available to those who need it. Classification of information in terms of its business criticality is an essential element in achieving appropriate information security.
This policy supports the University’s legal obligation to ensure that private information is managed in accordance with the principles outlined in the Privacy and Personal Information Protection Act 1998 No133, the Health Records and Information Privacy Act 2002, the Protected Disclosures Act 1994 and the State Records Act 1998 and the Universities Privacy Management Plan. The provisions of these Acts must be taken into account when applying this policy.
2. Policy Intent
This policy seeks to apply effective security controls to the University’s information systems by establishing appropriate information classification labels. Those classifications – identified by the Information Owner - are based on the sensitivity of the information and the potential impact on the University in the event that the information is disclosed, misused, misrepresented or lost
This policy endorses the University’s Information Security Management System (ISMS).
3. Relevant Definitions
In this policy:
availability means the capacity of information systems (i) to be accessible and useable when required, and (ii) to be able to resist attacks and recover from failures;
confidentiality means the principle of protecting information and preventing its disclosure to anybody other thanthose who have a right and need to know;
information system means any University of Newcastle corporate telecommunications and/or computer related equipment or interconnected system or subsystem of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of voice and/or data;
information lifecycle means the series of stages in the life of information from inception to archiving or disposal;
integrity means a standard of performance that guarantees information is created, amended or deleted only by the intended authorised means;
information owner means a senior business, faculty or unit manager with the authority to collect, create, retain and maintain information and information systems within their assigned area of control;
security classification means the process of assigning value to data in order to organise it according to its sensitivity to loss or disclosure.
4. Policy
1. Information is an asset of the University.
2. The University uses information security classification levels to define the acceptable use of information.
3. Information security classifications take into account (i) the broader goals of the University both to share and restrict access to information and (ii) the impacts associated with such needs.
4. The Information Owner is responsible for determining the value of information within information systems and assigning an appropriate Security Classification label.
5. Information security classifications are assigned on the basis of the sensitivity level of the data.
6. Information within information systems is managed throughout its lifecycle (i) to ensure the confidentiality, integrity and availability of information and (ii) to achieve compliance with the University’s legal and regulatory responsibilities.
7. This policy applies to all information systems assets regardless of physical or logical location, storage medium, technology used, or the purpose(s) it serves.
8. A mechanism will exist to ensure that the classification level assigned to a particular subset of information is appropriate. This mechanism will take into account the need to re-classify information throughout its lifecycle.
9. Any disputes regarding the appropriate classification of information will be resolved by the University’s Legal Officer.
5. University Information Classifications
Highly Restricted
This classification applies to highly sensitive information:
(i) whose unauthorised disclosure could seriously and adversely impact the University, its employees, its students and/or its partner organisations; and
(ii) access to which is strictly limited to a selected group or process.
Highly restricted Information is information that, if compromised, would:
· cause significant damage to the University, and
· place the University in breach of its legal and regulatory responsibilities.
Restricted
This classification applies to less-sensitive business information:
(i) whose unauthorised disclosure could adversely impact the University, its employees, its students and/or partner organisations, and
(ii) whose use is restricted to people within the University of Newcastle.
Note: Information that some people would consider private is included in this classification.
X - In Confidence
This classification applies to information:
(i) that is related to business unit or faculty operations, but is not available outside the unit or faculty - and
(ii) whose unauthorised disclosure - while against policy - is not expected to seriously or adversely impact the University its employees, its students and/or its partner organisations.
Note: The ‘X’ refers to the staff of the University, or a business unit or faculty. e.g. Staff – In Confidence or Human Resource Services – In Confidence.
This classification label applies to all other information that does not clearly fit into the previous two classifications.
Public
This classification applies to information which:
(i) requires no special protection or rules for use, and
(ii) may be freely disseminated without potential harm.
6. Essential Supporting Documents
Information Security Policy.
Information Security Roles and Responsibilities Policy
Network Security Policy
University of Newcastle Computing and Communications Facilities Conditions of Use
Records Management Policy
University of Newcastle Privacy management Plan
5. Related Documents:
AS/NZS 7799.2:2003: Information Security Management - Specification for information security management systems
Information Security Guideline for NSW Government – Part 1 Information Security Risk Management
NSW Department of Commerce Information Management - Classification Guideline
Privacy and Personal Information Protection Act 1998 No 133
Health Records and Information Privacy Act 2002
State Records Act 1998
Australian Copyright Act 1968
Copyright Amendment (Digital Agenda) Act 2000
Protected Disclosures Act 1994
NSW State Records Authority Standard on Counter Disaster Strategies for Records and Recordkeeping systems (No. 6)
NSW State Records Authority Standard on Managing a Records Management Program (No. 8)
NSW State Records Authority Standard on Physical Storage of State Records (No. 3)
| Approval Authority | Vice-Chancellor |
|---|---|
| Date Approved | 23 April 2007 |
| Date for Review | 23 April 2010 |
| Policy Sponsor | Deputy Vice-Chancellor (Services) |
| Policy Owner | Chief Information Officer |
| Policy Contact | Associate Director, Infrastructure |