Date effective: 1988-06-06
Authorized by: Secretary of the University
EDP INFORMATION ASSETS CLASSIFICATION SYSTEM
1. To define a Classification System that identifies Electronic Data Processing information assets and specifies their individual needs for protection.
2. The security of valuable EDP information assets depends on first identifying them, then assigning Ownership, and then labelling them as to how much protection they need, and for how long.
3. The initial classification of all EDP information assets is the determination by the Owner as to whether they are sensitive (to disclosure) or critical (to loss) in case of disaster. If neither, they are denoted non-sensitive and non-critical and are exempted from further classification. The Custodian of the EDP system on which they are maintained may require that they be identified and their exempt status recorded, along with any specified retention period, (see item19).
4. All academic and administrative EDP information assets that are sensitive or critical (or include essential records) must be assigned a classification by their Owner. This should be maintained in an inventory. Private EDP information assets may be classified at the Owner's discretion, or to meet custodial or University archival policy requirements.
5. Ownership, as here defined, is the exercise of management responsibility over an EDP information asset on behalf of the University, with corresponding accountability. It does not imply any personal title of the "Owner" to the asset.
6. Responsibilities of Owners and Custodians for administrative and academic EDP information assets, including their classification, are described in Procedures 21-1 and 21-4 respectively. No special provisions are made for private information.
7. EDP information assets are also documents, and as such are subject to Policy 23. They must be assigned a retention period. Owners must add this archival attribute to those for EDP security, according to procedures established by the Chief Archivist.
8. A preliminary classification of an EDP information asset should be assigned by the creator, if other than the Owner. Only the Owner, or the Owner's supervisor, is authorized to change the classification. Reassignment of Ownership of an EDP information asset that was exclusively held by a single individual Owner (i.e. not shared with others owning duplicate copies), requires the approval of the Owner's superior.
9. Electronic Data Processing Information Assets comprise computer systems software, application systems software, programs, associated data, and copies thereof on paper or other media.
10. There are three types of EDP information assets.
- a) Academic EDP Information Assets: EDP information assets created, used or maintained on a computer or on electronic data storage media for students or academic personnel, for the purpose of teaching or research (see notes of item 10b and c).
- b) Administrative EDP Information Assets: EDP information assets created, used or maintained on a computer or on electronic data storage media for the purpose of administration or management. Note that marks and other personal EDP information (see item 11e below) about the student that are maintained by professors, teaching assistants etc. are administrative EDP information assets.
- c) Private EDP Information Assets: EDP information assets created, used or maintained on a computer or on electronic data storage media for professional or private purposes rather than for University purposes, and which are not the responsibility of the University. (Note that a student's work done or stored on a University computer is a private EDP information asset, belonging to the student and not the University, even if it is to be evaluated as part of the course requirements and even if the use of the computer in its preparation was authorized by the University).
11. Some other definitions are as follows.
- a) Owner (or Guardian): The Owner is that individual who is guardian of, and has management responsibility for, an EDP information asset (see item 5). Guardian is an alternate name. The Owner is normally the Department manager/chairperson or delegated representative of the Service or Faculty that created the information asset, or is its primary user. By default, the creator is Owner until ownership is assigned elsewhere.
- b) Custodian: One who has authorized possession of an EDP information asset and is entrusted by the Owner to provide proper protection and care of the asset in an ongoing, operational environment; frequently the supplier of computing services.
- c) User: A person (or group) authorized by the Owner of an EDP information asset to use it for approved University purposes.
- d) Disaster: An event (fire, flood, evacuation,electrical damage, etc) that causes prolonged unavailability of EDP services or facilities.
- e) Personal EDP Information: Information about identifiable individuals that requires protection under University-approved access to information or privacy regulations, and that exists as a University EDP information asset.
EDP INFORMATION ASSET CLASSIFICATION SYSTEM
12. For the purposes of EDP security, EDP information assets are identified as being administrative, academic or private, as defined in items 10a, b and c, above.
13. EDP information assets should be classified according to:
- a) the sensitivity to disclosure;
- b) the criticality in event of a disaster;
- c) the need for retention.
SENSITIVITY TO DISCLOSURE
14. EDP information assets are either sensitive or non-sensitive to disclosure. This sensitivity is time-dependent, usually decreasing with time. An expiry date should be attached to any sensitivity category assigned. The new classification after that date should be stated, or the need to reclassify at that time. Those EDP information assets that Highly Confidential, Confidential and Restricted with decrare currently for internal University use only are called "sensitive". They are further divided into the three categories of easing sensitivity. Some sensitive EDP information assets may be subject to restrictions on disclosure of personal information similar to those of Ontario privacy legislation (see item 11e). Non-sensitive EDP information assets may be distributed inside or outside the University and are classified as Unrestricted.
15. Sensitive EDP information assets should be assigned one of the following categories by their Owner, on the basis of guidelines formulated for that purpose and available from the Chief Archivist or the EDP Security Administrator.
- a) Highly Confidential
- Description: Contains information whose unauthorized disclosure could have substantial negative impact for the University or cause it major public embarrassment.
Distribution: Restricted to designated persons with an explicit need to know.
Identified on each screen, copy or listing as Highly Confidential, with an associated expiry date for that classification. This may be coded but the words HIGHLY CONFIDENTIAL should also be explicitly written, except as provided through 15d, below.
- b) Confidential
- Description: Contains information whose unauthorized disclosure could cause damage to an individual or would be prejudicial to the interests of the University, (e.g. personnel or medical records, financial information, proprietary information, etc.).
Distribution: Limited to employees who need to know it to perform their work.
Identified explicitly on each screen, copy, or listing by code letters meaning Confidential and an associated expiry date. The word CONFIDENTIAL should be explicitly written, except as provided through15d, below.
- c) Restricted
- Description: Contains information which itself, or in published form, has personal, technical or administrative sensitivity and is intended for internal use only, and should not be published or communicated externally except for official purposes. Examples would be certain correspondence, memoranda, procedures, minutes, contracts, etc.
Distribution: Not to be published or communicated outside the University except for official purposes. They should be identified on each screen, copy, or listing as Restricted by a code letter and associated expiry date. They may be further identified by the words RESTRICTED (or INTERNAL USE ONLY) at the discretion of the Owner, or if otherwise specified. An expiry date for the written classification should be given.
- d) There may be a justification for omitting the written words HIGHLY CONFIDENTIAL or CONFIDENTIAL from a record classified as such. This should be treated as a case of risk acceptance. The Owner would document the case and follow the steps described in section 8 of Policy No. 116 on IT Resources Acceptable Use.
CRITICALITY IN CASE OF DISASTER
16. An EDP information asset, such as a computerized application or computer system, or collection of data is classified as critical or non-critical in case of disaster according to whether or not it needs priority in being restored to normal operation within one month. If it can be unavailable as long as thirty days without serious disruption, it is deemed non-critical. Lower priority critical applications are labelled semi-critical. As part of contingency planning, the Owner states the estimated number of days that the system or application can reasonably be unavailable. This number is appended to the classification as the duration within which recovery should be achieved. This designation is based on guidelines formulated for that purpose. An overall Disaster Recovery Committee will review all critical or semi-critical applications and the desired recovery time and recommend what should be their relative priority.
17. Three categories of criticality are defined for EDP information assets.
- a) Critical: Those which must be restored within one week.
- b)Semi-critical: Those which must be restored within one month of a disaster, but not within one week.
- c) Non-critical: Those which can be unavailable for more than one month.
18. Any system required in less than 24 hours following a disaster is a special case and special emergency measures will be developed for it.
19. Because EDP information assets are records, they must also be assigned a retention period to permit them to be eliminated in due time or retained permanently for archival reasons. Further information on required retention periods is available from the Chief Archivist.
20. Criticality here indicates the need to protect University records so that the University can be restored to normal. It is the need to restore, on a priority basis, the services to customers that are normally provided by EDP systems.
21. Critical and semi-critical EDP information assets are both essential records, and special measures must be taken to protect them against disaster and allow their recovery. Non-critical EDP information assets are non-essential records and no special measures are taken to protect them.
22. Preservation of EDP back-up data shall be in a suitably maintained physical environment on certified magnetic tape or diskette, or other media approved by the EDP Security Administrator.
23. Where a decision has been taken for the disposal of EDP information assets on magnetic (or optical) media, this shall only require complete erasure of data, or destruction of diskettes, where their current classification is Highly Confidential. Paper copies must then also be shredded. The Owner or Custodian shall supervise the erasure, destruction or shredding in this case.
Published June 6, 1988
(Office of the Secretary)