6.40.02 Information Security Classification

Procedures

Procedures

Information Security Classification - Procedure

Metadata

Document Number:

6.40.02b

Topic:

6.40.02 Information Security Classification

Approval Authority:

Chief Information Officer

Last Approval Date:

Wednesday, June 22, 2022

Review date:

Sunday, June 22, 2025

Audience:

All Staff

All Students

Document Web Links:

IT Governance

Information Technology Governance Committee

Australian Government Information Security Manual

Information security classification framework (QGISCF)

University Sector Retention and Disposal Schedule

General Retention and Disposal Schedule

Information Governance and Management Framework

Notes:

July 2020 - updated scope and definition of information security classification. September 2020 - URL links restored. November 2020 - web links updated. July 2021 - Administrative amendments. June 2022 - Administrative amendments

Body

1.0 Purpose and Scope

This procedure outlines information security classification requirements for information, both digital and/or physical, at The University of Queensland (UQ) and should be read in conjunction with the Information Management Policy and the Information Governance and Management Framework. This procedure applies to:

All data or information that is created, collected, stored or processed by UQ, in electronic or physical formats.
All University staff and individuals or groups authorised by UQ to access University information.

The objectives of this procedure are to:

Provide for a consistent approach to the management of UQ information in all formats, including electronic and physical records.
Provide guidance for evaluating UQ information and applying the appropriate security classification.
Ensure UQ information security classifications are informed by confidentiality, integrity and availability requirements.
Protect and manage UQ information in accordance with relevant UQ policies and regulatory requirements.

2.0 Process and Key Controls

Information Creators (as defined in the Information Governance and Management Framework) that create UQ information or receive information from an external third party must apply an information security classification to the information (as specified in section 3.1 of this procedure).
Information Stewards (as defined in the Information Governance and Management Framework) must ensure an appropriate information security classification has been assigned to the information that they are responsible for.
Where UQ information is shared with external parties there is an expectation that the third party will apply equivalent controls as per its information security classification.
UQ information that is classified SENSITIVE and PROTECTED must not be stored using:
- Non-UQ accounts on external storage services (e.g. Dropbox, Google Drive, Trello).
- USB drives, CDs or DVDs.
- Unsecure physical storage (e.g. paper records left on desks).
- Local hard drives.

3.0 Key Requirements

3.1 Information Security Classifications

Information Creators are responsible for applying information security classifications to UQ information, taking into account the need to maintain and ensure the confidentiality, integrity and availability requirements.

Information Confidentiality – Ensure the information is only accessible to authorised UQ consumers. Consider the risks associated with unauthorised or inappropriate disclosure of the information.
Information Integrity – Ensure the quality, completeness and accuracy of the information. Consider the risks associated with changes to the information.
Information Availability – Ensure the information is available in the right format when it is needed. Consider the risks associated with information not being available or accessible.

All information at the University must be assigned one of the classifications in the table below. If a collection of information contains elements with different security classifications, the collection should be classified and handled based on the highest (most secure) classification level of information within the collection.

Information Security Classification	Description	Example data types
UNOFFICIAL	Information that is non-work related.	Personal holiday itinerary Email for personal dinner reservation
OFFICIAL – PUBLIC	Information that if breached owing to accidental or malicious activity would have an insignificant impact. The information is authorised for public access, however it may not be made available in the public domain.	University strategy Published course outline Academic calendar Published research data
OFFICIAL – INTERNAL (Default for all information)	Information that if breached owing to accidental or malicious activity would be unlikely to cause harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on academic, research or business need.	Identity information of staff members or students (e.g. employee number or position title) Internal correspondence Business unit process and procedure Team leave calendar
SENSITIVE (Default for all research projects)	Information that if breached owing to accidental or malicious activity could reasonably be expected to cause harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on strict academic, research or business need.	Student and staff HR data (e.g. Tax File Numbers, passport details, bank account details) Organisational financial data Exam material Exam results Unpublished research data
PROTECTED	Information that if breached owing to accidental or malicious activity could reasonably be expected to cause serious harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on very strict academic, research or business need.	Medical data Personal data regarding persons under the age of 18 Credit card data Commercially significant research results

3.1.1 National Security Information (NSI)

Handling national security information, classified material or systems that are considered to have confidentiality requirements above PROTECTED should refer to the Australian Government Protective Security Policy Framework (PSPF) and the Security and Counter-Terrorism Group in Queensland Police Service. Telephone 07 3364 4549 or email counter.terrorism@police.qld.gov.au

The source of most NSI is the federal government and the information creator will be aware of the classification.

3.2 Information Reclassification

Information may be reclassified if its confidentiality changes, or if the information was incorrectly classified. Any protective marking must be amended to indicate the new classification.

3.3 Information Assets Held by UQ

The information asset register contains all information domains and the relevant security classification. The default classification may be overridden for sub-elements of the assets recorded in the register.

3.4 Information Handling Requirements

Information security classifications inform the minimum handling requirements for data, information and records in digital/electronic format. Refer to the Data Handling Procedure.

4.0 Roles, Responsibilities and Accountabilities

Roles and responsibilities as pertinent to this procedure are outlined in the subsections below. Further roles and responsibilities are detailed in the Information Governance and Management Framework.

4.1 Information Creators

UQ Information Creators who capture or create information are responsible for:

Classifying the information in accordance with this procedure and any rules or procedures specified by the Information Domain Custodian.
Ensuring that the information is appropriately labelled with a protective marking (if necessary).
Managing and storing the information in line with its information security classification.

4.2 Information Consumers

UQ Information Consumers are responsible for using the data and information they require as defined in the Information Governance and Manangement Framework.

4.3 Information Stewards

UQ's Information Stewards are responsible for ensuring all information within their information entities has an appropriate information security classification assigned.

5.0 Monitoring, Review and Assurance

The Chief Information Officer (CIO) will ensure periodic review and monitoring of information management (including classification) is conducted to determine how well information management supports UQ’s business and strategic goals, and for its compliance with legislation.

6.0 Recording and Reporting

UQ’s Information Asset Register will be used to record:

Information Domain Custodians, Information Stewards and information security classifications for each UQ information domain.
Information security classifications of UQ Information Assets (as a minimum, UQ Information Assets will be assigned a classification based on the highest classification rating of the information held).

The Information Technology Services Division will provide the Information Technology Governance Committee with regular reports on the Information Asset Register.

7.0 Transitional Arrangements

The UQ Enterprise Data Governance Program is developing operational models, training and detailed data handling guidelines to support this procedure. Please consult the Enterprise Data Governance Program for further information and guidance related to this procedure.

8.0 Appendix

8.1 Definitions

Data Element – Data elements are the smallest named item of data that conveys meaningful information or condenses lengthy description into a short code. Data elements are called ‘data field’ in the structure of a database.

Information – Includes, but is not limited to, physical (e.g. paper records) or digital files (e.g. email, voicemail, meeting minutes, video and audio recordings) in any format (e.g. PDF, .wav, .docx, or .jpeg) and data recorded by UQ applications (often in a database of some form).

Information Asset – A body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

Information Domain – A broad category or theme under which UQ information can be identified and managed. UQ uses the Topics and Entities outlined in the CAUDIT Higher Education Data Reference Model, in the context of business capabilities and organisation structures, as a guide to determine appropriate information domains.

Information Standards – Define and promote best practice in the acquisition, development, management, support and use of information systems and technology infrastructure which support the business processes and service delivery of Queensland public authorities.

Record – Information in any format that has been generated or received by UQ in the course of its activities, and which must be retained by UQ as evidence of its actions and decisions. A record can consist of one or more pieces of information that together form a record or context of the activity, action or event.