Policy 117 - Information Classification and Handling

Approved Administration Committee 2288.3

1. PURPOSE

1.1 This Policy outlines the classification of electronic information, security measures and responsibilities required for securing electronic information and preventing unauthorized destruction, modification, disclosure, access, use, and removal. It also serves as an information security classification reference for other University policies, procedures, standards, academic regulations, or other directives relating to the classification of information.

Note: The term classification is used to define categories of information based on its sensitivity. It doesn't represent a broader university classification system.

2. APPLICATION, SCOPE AND INTERPRETATION

2.1 This Policy must be read in conjunction with Policy #116 (IT Resources Acceptable Use), Policy #23 (University of Ottawa Archives) and IT Security Procedures.
2.2 This Policy applies to all electronic information that is in the custody or control of the University.
2.3 This Policy does not provide an exhaustive list of safeguards.
2.4 The VP Governance is responsible for the interpretation of this Policy.
2.5 For the purposes of this Policy:

a) “Information Owner” means the relevant designated senior administrative authority of the faculty, administrative service or organizational unit who is the final authority and decision-maker with respect to University information. Information owners have decision-making authority over any information used by the unit’s administrative function, as well as any data, forms, files, information, and records, regardless of format;

b) “Information Custodian” is the person responsible for overseeing and implementing the necessary safeguards to protect the IT assets, at the level classified by the information owner;

c) “Public” refers to information that is open to the general public that has no existing local, national, or international legal restrictions on access;

d) “Internal” refers to University information intended only for employees and approved non-employees such as contractors, vendors or students. Internal information is normally not accessible by outside parties without the organization’s or information owner’s express permission;

e) “Confidential” means information protected due to proprietary, ethical, or privacy considerations. This classification applies even if there is no law requiring this protection;

f) “Restricted” refers to information protected by law or by University policies, procedures or regulations. This classification also represents information that isn't by default protected by law, but for which the information owner has exercised his or her right to restrict access.

3. RESPONSIBILITIES

a) Information Owner

Facilitate the interpretation and implementation of policies, procedures and guidelines to meet the needs of the University for the use of information. The information owner is responsible for:

1. Ensuring that the use and protection of information is consistent with all applicable University policies, standards, procedures, regulations, and applicable laws;

2. Establishing guidelines, procedures, or other requirements as necessary to appropriately handle and protect information used in their unit;

3. Consulting with users regarding the type of information handled on a regular basis and classifying it, taking into consideration information use, sensitivity, and importance to the University, into one of the four risk categories: public, confidential, internal or restricted. This is to ensure adequate control measures remain appropriate and comply with all applicable policies, regulations and legislation;

4. Participating with information owners, IT data administration employees, application development teams, and knowledgeable departmental employees on projects creating, maintaining, and using University data;

5. Authorizing access to restricted, confidential and internal information and ensuring that confidentiality agreements are signed by those employees or other individuals who are given access to restricted, confidential or internal information;

6. Assigning operational responsibility for information to one or more information custodians;

7. Ensuring that information custodians provide reasonable security controls to protect information and automated systems, and that users comply with procedures established for such protection;

8. Documenting variances from IT general control practices and promptly initiating corrective action;

9. The information owner may implement procedures that are more restrictive than the ones identified in this Policy.

b) Information Custodian

An information custodian is an employee of the University or an external entity operating under contract with the University who is responsible for overseeing and implementing the necessary safeguards to protect the IT assets at the level classified by the information owner.

An information custodian is responsible for one or more of the following:

1. Understanding the policy and procedures for the appropriate use and protection of information;

2. Understanding the flow of information in relevant operational processes, both manual and automated;

3. Implementing and maintaining physical and logical controls that enforce established policy and procedures;

4. Granting and revoking access to information, under the direction of the information owner;

5. Enabling the timely detection, reporting, and analysis of incidents where circumvention, or attempted circumvention, of controls takes place;

6. Following the information handling requirements and guidelines issued by the information owner;

7. Complying with policies and related procedures, guidelines, and standards issued by the University in support of this Policy.

c) Non-Employee (Third-Party) Users of University Information

1. Be familiar with and comply with the University’s Policy 116 on IT Resources Acceptable Use, with this Policy and other University policies and procedures.

d) Security Architect

The University’s Security Architect is tasked to coordinate, develop, implement, and maintain an organization-wide information security program. The Security Architect is responsible for:

1. Overall information risk posture of the University and ensuring that the security objectives listed in this Policy are adequately addressed;

2. Determining the risk tolerance to threats that affect information security;

3. Developing, maintaining, and circulating policies, standards, guidelines and procedures relating to information security;

4. Designing and implementing secure computing environments;

5. Coordinating and assisting with the response to breaches involving unauthorized use of information.

e) User

A user is a member of the University community who is authorized to access information that is in the custody or control of the University. A user is responsible for the following:

1. Using the information in a manner consistent with its intended purpose;

2. Restricting the use of information to only the purposes specified by the information owner;

3. Complying with policies, related procedures, guidelines and standards in force regarding the use of information;

4. Complying with controls implemented by the information custodian.

An authorized user who duplicates and stores confidential or restricted information, or any subset of such information, including paper copies, assumes the responsibilities of information custodian for that information.

4. INFORMATION SECURITY CLASSIFICATION

a. The Restricted classification is for the most sensitive information whose access must be stringently controlled. Access to information in this classification is usually restricted to a small number of individuals, and the information usually has a very limited controlled audience or is not distributed. The unauthorized disclosure, unauthorized modification, or inaccessibility of this information would have a severe effect on the University, its employees, students, contractors, partners, and/or its customers. The strength of security controls for information classified as restricted will normally exceed those for information classified as confidential.

b. The Confidential classification is for sensitive information that does not meet the criteria of restricted, and whose access must be granted on a need-to-know basis according to job responsibilities. The unauthorized disclosure, unauthorized modification, or inaccessibility of this information would have an adverse effect on the University, its employees, students, contractors, partners, and/or its customers.

c. The Internal classification is for information that is proprietary or produced only for use by a specific workgroup, department, group of individuals, or affiliates with a legitimate need. Information should be classified as internal when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all IT assets that are not explicitly classified as restricted, confidential or public should be treated as internal.

d. The Public classification is for information which is not sensitive and requires no protection. The classification is generally used for information that is intended for public use. Its disclosure will not result in any loss or harm to an individual or the University.

Examples

NOTE: these examples are not exhaustive and are to be used for illustrative purposes (most information should fit accordingly).

Restricted information is comprised of:
1. Social Insurance Numbers
2. Health insurance identification numbers
3. Credit card numbers
4. Passwords and private encryption keys

Confidential information includes, but is not limited to:
1. Information supplied in confidence
2. Any information covered by a non-disclosure agreement
3. Commercially sensitive information, including related financial transactions
4. Driver's license numbers
5. Bank account numbers
6. Personal information as defined by the Freedom of Information and Protection of Privacy Act (FIPPA) Section 2.1
7. Personal health information, in accordance with the requirements of the Ontario Personal Health Information Protection Act (PHIPA) or equivalent applicable legislation.

Confidential information may also be found in forms such as:

• Student Records: This applies to applicants, enrolled students and prospective student information:

a) Identification numbers (student number, PIN)
b) Student grades
c) Student financials, bank accounts, payment history, financial aid/grants, student bills
d) Demographic information (name, marital status, date of birth, race, ethnic origin)
e) Personal information of students (email address, religion, educational level)

• Employee Information

a) Identification numbers (employee ID)
b) Personal financial information
c) Insurance and benefit information
d) Demographic information (name, marital status, date of birth, race, ethnic origin)
e) Personal information of employees (email address, religion, educational level, tax return information)
f) Certain management information (performance evaluations, agreements, employment history, etc.)

• Donor/Alumni Information

a) Identification numbers (alumni ID)
b) Personal financial information
c) Family information
d) Demographic information (name, marital status, date of birth, race, ethnic origin)
e) Personal information (email address, telephone or fax numbers, educational level)

• Examinations
• Correspondence in the form of electronic mail, electronic real-time communications, and hard copy communications
• Employment applications
• Records of closed meetings
• Records subject to solicitor-client privilege
• Institutional plans, policies, and projects while in development
• Employment files of regular faculty members
• Employment files of regular employees
• Draft planning documents
• Internal intranet websites
• Official meeting minutes before approval
• RFP processes
• Other institutional information such as critical infrastructure detail (network topology, security apparatus, etc.)

Internal information includes, but is not limited to:
• Internal operating procedures and operational guides
• Financial accounting information
• Purchase orders
• Admission metrics and statistics
• Non-public reports, budgets, plans and financial information
• Non-public contracts
• Internal memoranda, emails and other documents
• Personal telephone number of employees
• Home addresses of employees
• Technical documents such as system configurations and floor plans

Public information includes, but is not limited to:
• The University’s public website
• Publicly posted press releases
• Publicly posted schedules of classes or course catalog
• Publicly posted interactive University maps, directories, calendars, newsletters, newspapers, Ontario’s Sunshine list of employees earning more than $100k, job announcements and magazines.

5. POLICY

5.1 Information Governance and Classification

a) Every piece of information owned, used, or maintained by any of the organizational units of the University must have one or more information owners identified;
b) Any information that is not classified will be assumed to be of the internal classification unless the information is known to be addressed by applicable University policies, procedures, regulations or by law.

5.2 Information Safeguards

a) Using the categories restricted, confidential, internal or public, all University information must be classified, as soon as possible after the creation or acceptance of ownership by the University;

b) Following initial classification, University information must remain classified at the initial level or reclassified as needed due to changes in usage, sensitivities, law or other relevant circumstances;

c) Information must be protected to prevent loss, theft, and/or unauthorized access, disclosure, modification, and/or destruction;

d) Restricted information, when stored in an electronic format, must be protected with strong passwords (reference: Password Protection Procedure) and stored on servers or databases that have protection and encryption measures;

e) Confidential information, when stored in an electronic format, must be protected with strong passwords and stored on servers or databases that have appropriate protection measures;

f) Restricted or confidential information must be stored only in a locked drawer, room or an area where access is controlled using sufficient physical access control measures to detect and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know;

g) Restricted, confidential or internal information sent via fax must be sent only to a known number;

h) Restricted, confidential or internal information must not be posted on any website without prior authorization from the dean or director of the affected organizational unit;

i) Restricted or confidential information must not be exchanged via SMS text, picture, voice or video message;

j) Restricted, confidential or internal information may only be disclosed on a strict need-to-know basis and consistent with applicable University policies, procedures and regulations;

k) The classification level and associated protection of replicated information must remain consistent with the original information, e.g.:
• confidential HR data copied to a CD-ROM or other removable media such as a flash drive or from one server to another, retains its confidential classification;
• printed copies of confidential information are also confidential.

l) Any physical or logical collection of information stored, in transit, or during electronic transfer (e.g., file, database, emails and attachments, filing cabinet, backup media, electronic memory devices, sensitive operation logs, configuration files) containing differing classification levels must be classified as a whole at the highest information classification level within the collection. Any information subset that has been separated from any such collection must be protected in accordance with the protection specified for the classification level of the information subset if assigned; otherwise the information subset retains the classification level of the original collection and requires the same degree of protection;

m) Destruction of information (electronic or physical) or systems storing information must be done in a secure manner such as overwriting information on a hard drive with random patterns of ones and zeros or physically destroying the hard drives;

n) Restricted, confidential or internal information in hard copy format (paper, microfilm, microfiche, etc.) must be shredded or incinerated;

o) Before systems or media are reused, they should be erased to ensure no residual information remains (reference: IT Asset Disposal Procedure);

p) Some information may have little or no sensitivity in isolation but may be highly sensitive in aggregate. In general, the sensitivity of information is likely to be greater in aggregate than when it is in isolation (e.g., association of a student ID with the identity of an individual). If review reveals increased sensitivity or criticality associated with information aggregates, then the classification level may need to be adjusted to a higher level than it would be when the information is isolated;

q) Users must notify the information owner and the IT Service Desk immediately if internal, confidential or restricted information:

a. is lost or disclosed to unauthorized parties;
b. is suspected of being lost or disclosed to unauthorized parties.

6. COMPLIANCE

6.1 Any instances of non-compliance with this Policy should be reported to the VP Governance for investigation.

6.2 Requests for an exception to this Policy must be documented and then reviewed by the VP Governance. The request must include the reasons for the exception and the planned alternative control measures. Such requests will be decided by the VP Governance on a case-by-case basis, and communicated in writing.

6.3 No exclusions or exceptions may be made to this Policy without consulting with and obtaining written consent from the VP Governance.

6.4 The Administrative Committee will be informed annually on the exceptions and non-compliance matters.

7. MAINTENANCE

This Policy will be reviewed by the Office of the VP Governance on a regular basis, or as deemed appropriate based on changes in technology or regulatory requirements.

8. EFFECTIVE DATE

The Policy comes into effect on June 15, 2016.
