Information Classification Standard and Handling Guidelines
- Related Documents: Information Protection Policy, Information Protection and Access - Restricted Information Policy, Information Protection and Providing Access to Restricted Information Procedure (Privacy Procedure), Records Management Policy, CCS Access Control Standard, Glossary, CCS IT Security, Minimum Cybersecurity Controls
- Owner(s): Chief Information Officer; Privacy Officer
- Approval Date(s): July 2018
I. Purpose
- The purpose of this Standard is to:
- define an information classification scheme that is:
- consistent with information security, access and privacy and records management policies and procedures; and
- consistent with regulatory and legislative requirements, including the Freedom of Information and Protection of Privacy Act (“FIPPA”) and the Personal Health Information Protection Act (“PHIPA”).
- provide direction to Information Custodians regarding the appropriate protection of Toronto Metropolitan University (the "University") information throughout the information lifecycle.
II. Application and Scope
- This Standard applies to all University information.
III. Definitions
“Information Custodians” are persons responsible and accountable for the safekeeping of information.
“University Information” refers to all information within the custody and control of the University in all media and formats, including but not limited to paper, electronic, digital, e-mail, film, print, graphics, audio and video recordings, and any other form of recorded information regardless of location.
IV. Standard
- Principles
- Information Custodians shall classify University information according to its sensitivity in order to ensure that the information is handled appropriately.
- Information Custodians shall manage the risks of deviating from the Standard.
- Information Custodians shall obtain explicit approval for exceptions to the Standard from the Executive Group.
- As a condition of handling University information, Information Custodians must review the Standard and Guidelines.
- Information Custodians shall resolve any ambiguity regarding the interpretation and implementation of this Standard through consultation with the Standard Owners.
- Information Classification
- The level of classification assigned to University information must be based on its confidentiality, integrity and availability requirements, and on the possible harm, as assessed by the Information Custodian, that could result from unauthorized access, use or disclosure of that information.
- Table 1 describes the High, Medium, Low and Public classifications, and the treatment of information that has not yet been classified.
- When classifying information, the Information Custodian considers:
- Mixed sensitivity of University information: Always classify according to the most sensitive information, particularly when there is information of varying sensitivities in a single information repository. For example:
- If much of a document is low sensitivity, but there is a section that contains highly-sensitive information, the document’s overall sensitivity classification is High.
- Context: Information sensitivity is contextual. For example:
- A last name by itself may be considered Low sensitivity if it is a common name. However, the inclusion of a first name and a date of birth may render the subject of the information uniquely identifiable, which moves the sensitivity level to High.
- Large volumes of Low or Medium sensitivity information may become High sensitivity due to the aggregate value of the University information repository as a whole. A collection of the entire student population’s student ID numbers is considerably more sensitive than for a single class or an individual student.
- Third party information: Be aware of situations where information is owned by a third party as there may be separate information-handling requirements described in the agreement with the third party.
Table 1: Information Classification by Sensitivity

| Sensitivity | Description | Potential Harms | Examples |
|---|---|---|---|
| High | Information that is extremely sensitive and intended for handling only by named individuals or roles for specific purposes | Could reasonably be expected to cause extremely serious harm to individuals or the University, such as loss of life or public safety, major political or economic impact, sabotage/terrorism, significant financial loss, or social hardship | ● Personal information such as health information (including mental health data), date of birth, driver's license number or Social Insurance Number (SIN) ● Details about individuals involved in campus security threats or incidents ● Research or intellectual property proprietary to the University ● Financial information regulated by the Payment Card Industry Data Security Standard (PCI DSS) or other contractual obligations ● Authentication credentials needed to access sensitive information or critical systems, e.g. passwords, passcodes or PINs ● Location of critical assets such as biohazardous materials, keys, etc. ● Vulnerabilities in University processes or systems ● Solicitor-client privileged information ● Legal opinions |
| Medium | Information that is sensitive within the University and intended for handling only by specified groups | Could reasonably be expected to cause serious harm to individuals or the University: loss of competitive advantage, loss of confidence in the University, moderate financial loss, damage to partnerships, relationships and reputation, or loss of intellectual property | ● Student IDs, grades, class lists, student work ● Alumni contact information ● Sensitive data that has been moderately de-identified, aggregated or pseudonymized ● Draft internal documentation ● Departmental budgets ● Impactful organizational changes prior to publication or announcement |
| Low | Information that is generally available within the University | Could reasonably be expected to cause minor injury, such as minor financial loss, embarrassment or inconvenience | ● Operational procedures generally available within the University ● Finalized and released internal reports, outcomes, plans, etc. ● Department meeting minutes ● Anonymized information |
| Public | Information that is available to the public | Will not result in harm or injury | ● Public-facing University websites ● Employee directories ● Publications ● Board meeting information, including agendas, materials and minutes |
| Unclassified* | Information that has not been classified | Sensitive information may not be handled appropriately | |

*Until information is classified, assume that its sensitivity is High.
V. Information Handling Guidelines
- Safeguards
- The broad guidelines below recommend generic safeguards for handling University information according to the sensitivity classification. After Information Custodians have classified University information according to sensitivity, the University information must be safeguarded based on an assessment of the security and privacy risks.
- Information Custodians shall apply people, process, and technology safeguards in accordance with the findings of the security and privacy risk assessment.
- The outcome of a risk assessment is assurance, which is defined as the Information Custodian’s degree of confidence that appropriate safeguards are in place and performing as intended to address security and privacy risks.
- Information Custodians should apply the security principle of defense in depth when safeguarding University information. This is a practical strategy that implements multiple layers of safeguards: if one safeguard fails or is exploited by a threat, the other safeguards should maintain the security of the overall system and of the sensitive information it contains. It is not necessary to implement every safeguard identified below; an appropriate combination of safeguards can be identified through security and privacy assessments. More specific safeguards may also be prescribed by regulation, legislation or legal agreement for certain types of information.
- Note that there are no handling restrictions for Public information.
Table 2: Minimum Safeguards for Information Handling by Sensitivity
| Activity | Safeguard Type | High | Medium | Low |
|---|---|---|---|---|
| Authentication | Over an untrusted channel | Strong authentication | Single-factor authentication with strong password policy | Single-factor authentication |
| Authentication | Over a trusted channel | Single-factor authentication with strong password policy | | |
| Authorization | Provisioning | Granular access control; grant on a business need-to-know basis; if external third parties are involved, implement confidentiality agreements | Group or role-based access control; grant on a business need-to-know basis; if external third parties are involved, implement confidentiality agreements | Grant to active community members |
| Authorization | Maintenance | Regularly review and audit access | Regularly review and audit access | N/A |
| Authorization | De-provisioning | Timely and managed revocation of access | Managed revocation of access | Revoke from inactive community members |
| Validation | Data integrity, non-repudiation | Digital signature | Electronic signature | N/A |
| Use / Processing | Physical | Documented local handling policies/procedures; clean desk policy; clean screen policy | Departmental clean desk and clean screen policies | N/A |
| Use / Processing | Logical | Use systems with high assurance in privacy and security | Use systems with medium assurance or higher in privacy and security | Use systems with low assurance or higher in privacy and security |
| Storage | Physical | Physically secured storage medium; dedicated secure area | Physically secured storage medium | N/A |
| Storage | Logical | Use systems with high assurance in privacy and security; secure SDLC environment; segregate from less sensitive information; data redundancy; in the absence of the controls above: strong encryption with strong password/key and strong key management | Use systems with medium assurance or higher in privacy and security; secure SDLC environment; in the absence of the controls above: strong encryption with strong password/key | Use systems with low assurance or higher in privacy and security |
| Electronic Transmission | Network-level | Mutually authenticated and encrypted transport layer security, e.g. TLS; secure managed file transfer; secure fax or dedicated fax | Server-authenticated and encrypted transport layer security; fax with confirmation of receipt | N/A |
| Electronic Transmission | Application-level | Use systems with high assurance in privacy and security | Use systems with medium assurance or higher in privacy and security | Use systems with low assurance or higher in privacy and security |
| Electronic Transmission | File-level | Strong encryption with strong password/key; password/key shared via a separate transport mechanism | Password protection | N/A |
| Manual Transport | Accountability | Explicit approval of the Information Custodian to transport; documented chain of custody; confirmation of receipt | Confirmation of receipt | N/A |
| Manual Transport | Physical | Approved private carriers; direct/hand delivery; never left unattended during transport; sealed/locked container | Registered mail; inter-office mail | Regular mail; inter-office mail |
| Manual Transport | Electronic | Strong encryption with strong password/key; password/key shared via a separate transport mechanism; use only authorized, strongly encrypted storage media | Strong encryption with strong password/key | N/A |
| Disposal | Physical | Cross-shred and eliminate particles | Cross-shred | Shred |
| Disposal | Electronic | Securely sanitize if unencrypted | Securely sanitize | Delete |
- Reducing the Scope of Risk
- Information Custodians can limit or reduce their information classification and handling responsibilities through the following supplementary practices. Careful analysis by Information Custodians of their business requirements for the collection, use, disclosure, retention and destruction of University information will help identify which of these measures applies:
- De-identification and/or data minimization: Information sensitivity can be reduced by redacting, masking or pseudonymizing identifying personal information, or by not collecting unnecessary sensitive information in the first place;
- Control data replication: Apart from backups, avoid creating unnecessary copies of sensitive information, since each copy must be safeguarded to the same degree as the original source, e.g. duplicate files, multiple file versions, backup copies, cached copies, test copies, etc. For instance, mobile computing makes it possible to work on information remotely without unnecessary and vulnerable duplication of data on a user’s local hard drive; or
- Limit retention: Retain information only as long as necessary to fulfil its purposes and in accordance with the University's Records Retention Schedule and/or other regulatory requirements. Uncontrolled data replication (see above), such as copying University information to personal laptops, smartphones or memory sticks, further increases the burden on the Information Custodian to track data retention.
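The de-identification practice above lists pseudonymization as a way to lower the sensitivity of a data set. As an added example (not the University's code; the student numbers, course codes and grades are constructed sample data, and the nine-digit ID format and 32-byte key are assumptions), the Go program below pseudonymizes a class list with HMAC-SHA256 under a secret key, and shows why a plain unkeyed hash of a student number is not de-identification: the identifier space is small enough to reverse by exhaustive search.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is a constructed sample of Medium-sensitivity student data.
type Record struct {
	StudentID string
	Course    string
	Grade     string
}

// UnkeyedPseudonym is the tempting shortcut: a plain SHA-256 of the ID.
// It is deterministic, so records still join, but it is NOT de-identification
// when the identifier space is small (see Reidentify below).
func UnkeyedPseudonym(id string) string {
	sum := sha256.Sum256([]byte(id))
	return hex.EncodeToString(sum[:8])
}

// KeyedPseudonym uses HMAC-SHA256 under a secret key. Without the key an
// attacker cannot recompute the mapping, so the only way back to the ID is
// the key itself. 64 output bits are ample for a student population
// (collision probability is roughly n^2 / 2^65).
func KeyedPseudonym(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	return hex.EncodeToString(mac.Sum(nil)[:8])
}

// NewPseudonymKey generates the re-identification key; store it apart from
// the pseudonymized data set and under High safeguards.
func NewPseudonymKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Pseudonymize returns a copy of recs with StudentID replaced by its keyed
// pseudonym; the other fields are left untouched.
func Pseudonymize(key []byte, recs []Record) []Record {
	out := make([]Record, len(recs))
	for i, r := range recs {
		out[i] = Record{StudentID: KeyedPseudonym(key, r.StudentID), Course: r.Course, Grade: r.Grade}
	}
	return out
}

// Reidentify shows why the unkeyed version fails. Student numbers are assumed
// (for this example) to be nine digits drawn from a known range, so an
// attacker simply hashes every candidate until one matches the pseudonym.
func Reidentify(pseudonym string, lo, hi int) (string, bool) {
	for n := lo; n <= hi; n++ {
		id := fmt.Sprintf("%09d", n)
		if UnkeyedPseudonym(id) == pseudonym {
			return id, true
		}
	}
	return "", false
}

func main() {
	recs := []Record{ // constructed sample data
		{"500123456", "COURSE-101", "A-"},
		{"500123456", "COURSE-202", "B+"},
		{"500654321", "COURSE-101", "A"},
	}
	key, err := NewPseudonymKey()
	if err != nil {
		panic(err)
	}
	for _, r := range Pseudonymize(key, recs) {
		fmt.Printf("%s %s %s\n", r.StudentID, r.Course, r.Grade)
	}
	// The same ID maps to the same pseudonym, so per-student joins still work,
	// but the unkeyed variant is reversible in about a second on a laptop:
	id, ok := Reidentify(UnkeyedPseudonym("500123456"), 500000000, 500999999)
	fmt.Println("recovered from unkeyed hash:", id, ok)
}
```

Because the keyed mapping is deterministic, records for the same student still join across courses, which is what keeps the data set useful. The secret key is the only route back to the student number, so it is a re-identification key: keep it separate from the pseudonymized data and treat it like the authentication credentials that Table 1 classifies as High. Losing it also means the mapping can never be reproduced, so re-keying requires access to the original data.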
VI. Roles and Responsibilities
- Chief Information Officer (CIO) should work with IT Service Providers and others to help ensure compliance with the Standard. The Information Systems Security Officer maintains this Standard and conducts security assessments to help Information Custodians identify appropriate safeguards. The Information Systems Security Officer ensures that this Standard aligns with other information security policies.
- Office of the General Counsel and Secretary of the Board of Governors: The Director, Compliance and Policy Management, and Privacy Officer maintains this Standard, defines personal information, and conducts privacy impact assessments to help Information Custodians identify appropriate safeguards. The Director also ensures that this Standard aligns with other information management and information governance policies including the Privacy Policy and the Records Management Policy.
- Information Custodian:
- An Information Custodian shall:
- be an employee;
- be accountable for the classification and safeguarding of University information;
- communicate the classification and safeguards associated with University information to any other employee or third party that handles that University information; and
- immediately report any suspected compromise of University information and systems to the Chief Information Security Officer (CISO) and/or the Information Privacy Officer (IPO).
- An Information Custodian may:
- periodically review and verify the classification assigned to information and the corresponding safeguards;
- consult with the Office of the General Counsel and Secretary of the Board of Governors to clarify any ambiguity with respect to the application of this Standard; and
- engage the Office of the General Counsel and Secretary of the Board of Governors for Privacy Impact Assessments, Security Assessments and/or legal reviews, as necessary.