Information Classification and Protection Policy
Section 1 - Executive Summary
(1) The University of Newcastle (
(2) Establishing an information classification scheme and the controls appropriate for each classification level is essential for protecting information throughout its lifecycle.
(3) Formalising information classification and protection requirements also enables the
Section 2 - Purpose
(4) This document articulates the
(5) The appropriate information classification level is determined by the
(6) This policy is intended to protect the confidentiality, integrity and availability of information.
Section 3 - Scope
(7) This Policy applies to all information created, processed, stored, or communicated by the
Section 4 - Audience
(8) All
Section 5 - Information Handling Principles
(9) The following principles apply to the creation, storage, processing, and communication of all
- information is a core strategic asset and is aligned to support business needs, informed decision making and customer outcomes;
- information assets are secure, valued, authentic, ethically managed, trustworthy, and ready for use and re-use for as long as they are needed;
- information assets are managed using a defined lifecycle, from creation to classification, storage, use, archival, and destruction;
- information is managed in line with external and internal statutory requirements;
- information assets are discoverable across the University and used by those with legitimate need;
- University systems, processes and people protect privacy and confidentiality of our information assets and protect against unauthorised disclosure, alteration, deletion or misuse.
Section 6 - Information Handling Requirements
Information Classification
(10) Information must be managed to ensure the confidentiality, integrity, and availability of that information, and to meet the
(11) The
(12) Information classifications take into account:
- the broader goals of the University relating to the generation and sharing of information;
- the value of information to the University; and
- the risks associated with sharing information.
(13)
(14)
(15) All
(16) If information is received from an external source, the information must be classified by the Information Custodian.
(17)
(18) Any disputes regarding the appropriate classification of information will be resolved by the Legal and Compliance team.
(19)
(20)
Table 1 – The University of Newcastle Information Classification Scheme
Impact Type | Insignificant to Minor (lowest severity) | Moderate | Major | Severe (highest severity) |
---|---|---|---|---|
Security – What advantage does this information provide? | Little or no advantage. | Might provide some advantage. | Definite advantage. | Significant advantage. |
Likelihood of malicious persons searching for this information. | Low or no likelihood. | Low | Medium | High |
If this asset or information is disclosed, stolen or lost: | | | | |
Provision of business operation and service. | Some localised inconvenience, but no impact to the | Some impact on the | Significant effect on operational performance. | Achievement of operational and strategic goals in the medium term jeopardised. Existence of the |
Compliance / Legal | Breach of legislation, contract, rule or policy that does not have any penalty or litigation impact. Breach of legislation, contract, rule or policy that may have an impact on the relationships with a third party or the legislator, but no long-lasting effect. No litigation or prosecution and/or penalty. Regulatory consequence limited to standard inquiries. | Breach of legislation, contract, rule or policy leading to escalated legal enquiries. Regulatory or legal consequence limited to additional questioning or review by the legislator. | Breach of legislation, contract, rule or policy leading to possible legal action. Possible litigation or criminal prosecution and/or penalty. External enquiry or regulatory review and/or possible negative sanction by a regulatory body. | Breach of legislation, contract, rule or policy leading to significant and costly legal action with widespread potential impact for the |
Employees / WHS | No impact to employees / WHS. | Continuity of employment concerns across the | Significant (up to 15%) loss of | Significant loss of |
Financial | Less than 1% of budget or up to $25k. 1 to 2% of budget or $25-50k. | 2-5% of budget or $250k-$1m. | 5-10% of budget or $1m – $5m. | Over 10% of budget or over $5m. |
Reputation | No impact to reputation. | Loss of | Loss of | |
Service Levels | Loss of less than one day’s teaching, research and/or business functions. Loss of one full day of teaching, | Loss of 1-7 days of teaching, | Loss of two weeks to two months of teaching, | Loss of over two months of teaching, |
Example information types | Business unit process and procedure. Unpublished | Data subject to regulatory control. Employee relations and complaints information. Medical, Children & Young person’s information. Credit card information. | | |
Recommended information classification | Public | X-in-confidence | Restricted | Highly restricted |
Alignment with Government Security Classification
(21) The
Table 2 – Alignment of University Information Classification Scheme with Government Security Classification
University | NSW Government | Commonwealth Government |
---|---|---|
Public | Unofficial and Official | Unofficial and Official |
X-in-Confidence | Official: Sensitive | Official: Sensitive |
Restricted | Protected | Protected |
Highly-Restricted | Secret | Secret |
N/A | Top Secret | Top Secret |
(22) The NSW and Commonwealth classifications and associated protections must be applied when dealing with state and federal government information. In these scenarios, guidance on implementing appropriate controls must be sought from the
Information Ownership
(23) The ownership of information must be clearly identified, stated, and discoverable.
(24) In cases where the
(25) In cases where information ownership cannot be clearly established, the organisational value of the information cannot be clearly identified, and the information has not been accessed for more than twelve months, the information may be considered inactive.
Information Retention
(26) Information retention periods vary subject to legislative requirements (see the
(27) Over-retention of information exposes the
(28) Storage of sensitive or high-
- determining a legitimate need to obtain and store the information;
- utilising a University approved third-party organisation or system to store that information; and
- employing methods of zero-knowledge proof. Zero-knowledge proof is about proving the validity of sensitive information without revealing it apart from the fact that it is true. An example is encryption.
(29) Information that is considered inactive may be subject to review and destruction in accordance with the Records Governance Policy. Digital Technology Solutions (DTS) will facilitate the destruction of
(30)
Section 7 - Information Protection Requirements
Information Protection Requirements
(31) Information protections are defined for each classification level and must be applied throughout the information lifecycle.
(32) Information protection requirements are described in Table 4.
Table 4 – Information Protection Requirements
Information Handling and Protections | |||||
---|---|---|---|---|---|
Control Category | Description of Controls | Public | X-In-Confidence | Restricted | Highly Restricted |
General | Storage and processing facilities are in Australia. | X | X | X | |
Only | X | X | X | ||
Access Controls | No restriction on viewing. | X | |||
Role-based access to information. | X | X | X | ||
Access to authorised users only. | X | X | X | ||
Authentication required for access. | X | X | X | ||
X | X | ||||
Authorisation by | X | X | X | X | |
Non-disclosure agreement required to be signed by third parties. | X | X | X | ||
Access should be removed as soon as it is no longer required. | X | X | |||
Copying / Printing (paper and electronic forms). | No restrictions. | X | |||
Should not be left unattended on a printer. | X | X | X | ||
Information should only be printed when there is a legitimate need. | X | X | X | ||
Electronic and physical copies must be labeled according to their classification. | X | X | X | ||
Copies must be limited to authorised individuals. | X | X | X | ||
Physical security | Facility that provides access to information | X | X | X | |
Information | X | X | X | ||
Physical access must be monitored, logged, and limited to authorised individuals. | X | X | |||
Access to information |
Remote access by third party limited to authenticated VPN, or via supervised session utilising Zoom, Webex or similar. | X | X | X | |
Unsupervised remote access by third party, such as an application vendor, for technical support is not allowed, unless covered by an appropriate formal agreement stipulating information handling requirements equivalent to or stronger than those in this document. | X | X | X | ||
Storage of information | PC hard drives and removable media must be encrypted. | X | X | ||
Information should not be stored or processed on PCs, portable devices, and removable media. | X | ||||
Strongest available encryption must be used. | X | X | |||
Only the minimum required personally identifiable information (PII) can be stored. Methods to achieve this include deleting unrequired PII, scrambling, masking and encrypting data. | X | X | |||
Transmission of information | Information must not be transmitted or shared unless encrypted. | X | X | X | |
Strongest available encryption must be used. | X | X | |||
Use of information assets for testing | Production information cannot be used for testing purposes unless approved by DTS and appropriate controls are applied to testing environments. | X | X | X | |
Personally identifiable information used for testing must be de-identified where possible. | X | X | |||
Backups | Daily backups required. | X | X | X | X |
Geographically dispersed storage required. | X | X | |||
Disposal | All disposals of information (electronic and hard copy) must be made in accordance with Records Governance Policy. | X | X | X | X |
Paper-based information must be shredded and placed in managed confidential bins. | X | X | X | ||
Wipe, erase or destroy electronic media such as hard drives, USBs, CD and DVDs. | X | X | X | ||
Information that is no longer required for business or legal needs should be disposed of to reduce the | X | X | X |
Section 8 - Roles and Responsibilities
Information owner
(33) The
(34) The
(35) The
(36) The
- determine the statutory requirements regarding privacy and retention and any risks associated with the information;
- assign an appropriate classification based on Section 6, Table 1;
- define the method for applying classification labels based on Section 6, Table 2;
- authorise access to the information based on Section 6, Table 4 (c);
- specify any additional handling controls needed to ensure the confidentiality, integrity, and availability of the information;
- communicate the control requirements to the information custodian and to users of the information;
- continually evaluate the use and value of information to avoid over-retention;
- develop an information disaster recovery or business continuity plan for the Information Custodian, which identifies:
  - any potential risks; and
  - vital information.
Information Custodian
(37) Information Custodians are those individuals who control
(38) The Information Custodian defines information systems architecture and provides technical consulting assistance to
(39) Information Custodians are responsible for safeguarding the
(40) In cases in which the information being stored is paper-based, the Information Custodian responsibilities will logically fall to the business unit gathering the information. For such systems, DTS or Records Governance Services (RGS) can offer guidance and provide opportunities for digitisation.
Information User
(41) Information Users are individuals who have been granted explicit authorisation by the relevant
(42) Information Users are responsible for:
- using the information only for the purpose intended and authorised by the Information Owner;
- complying with all controls established in University policies;
- ensuring that Restricted and Highly-Restricted information is not disclosed to anyone without the permission of the Information Owner;
- only destroying information in accordance with the requirements of the Records Governance Policy.
(43) When dealing with information classified by an external organisation, advice must be sought from the Cyber Security team to ensure appropriate controls are applied.