Information Security Classification Procedures

Legislative History:

Reviewed by UEC 2015/06/24; Reviewed by PVP 2015/09/23; Approved by the President 2015/09/23

Approval Authority: President

Signature: Mamdouh Shoukri

1.  PURPOSE

1.1 To support the information security and privacy goals of the University, it is important to ensure effective and appropriate measures and controls are utilized in the handling and processing of institutional information and data. This procedure establishes the framework for classification of information based on its level of sensitivity, value and criticality to the University. The classification of information helps determine the appropriate baseline measures and controls for safeguarding of that information.

2.  SCOPE

2.1  In accordance with the York University Information Security Policy, this procedure applies to all faculty, staff and third-party agents of the University as well as any other University affiliate who is authorized to access institutional information and data.

2.2  This procedure applies to all institutional information and data in any format or medium in the custody or under the control of the University including information excluded from the scope of the Freedom of Information and Protection of Privacy Act (FIPPA).

3.  DEFINITIONS

3.1 Institutional Information means any information or data that is owned, licensed, or otherwise under the custody or control of the University, including University administrative records, research data, and information associated with teaching and learning.

3.2 Custody of information means the keeping, care, watch, preservation, or security of information for a legitimate business purpose.

3.3 Control of information means the power or authority to make a decision about the access to, collection, storage, transmission, processing, destruction or disclosure of information.

4.  ROLES AND RESPONSIBILITIES

4.1 Information Governance Committee (IGC)

On behalf of the University, the IGC is an executive-level committee that:

  1. Defines who has primary accountability (i.e. Information Stewardship) for Institutional Information types or collections.
  2. Reviews and approves proposed information security classification guidelines, procedures and standards.
  3. Oversees the review and approval of exceptions to the policies, guidelines and procedures.

4.2  Information and Privacy Office

Defines and implements guidelines and procedures related to information classification, access and privacy, and records and information management.  Specific responsibilities include:

  1. In conjunction with the Information Security Office, proposes new or updated policy, guidelines, procedures and standards related to the secure control of institutional information and data to the IGC.
  2. Defines and implements information privacy guidelines, standards and related documentation.
  3. Monitors and reports to the IGC on compliance with information privacy standards.
  4. Assists Information Stewards and Information Custodians with the assessment of risk and selection of appropriate security controls.

4.3 Information Security Office

Defines and implements the Information Security Program that relates to information security classification. Specific responsibilities include:

  1. In conjunction with the Information and Privacy Office, proposes new or updated policy, guidelines, procedures and standards related to the secure control of institutional information and data to the IGC.
  2. Defines and implements information security classification guidelines, security control standards and related documentation.
  3. Monitors and reports to the IGC on compliance with security standards.
  4. Assists Information Stewards and Information Custodians with the assessment of risk and selection of appropriate security controls.

4.4  Information Steward

An Information Steward is normally a senior-level employee of the University who has been granted authority and accountability by the IGC for the handling and protection of a specific type or collection of institutional information. For all information for which the Information Steward is designated, responsibilities include:

  1. Ensuring the information has been properly classified according to the University Information Security Classification Standard.
  2. Ensuring that responsibility for operational handling and reporting has been defined and is being carried out effectively (i.e. by a designated Information Custodian).
  3. Ensuring that access to such information is appropriate, that there are defined and documented criteria for determining who has access, and that requests for access are properly vetted and reviewed as appropriate.
  4. Implementing reasonable and appropriate security controls to protect the information, at minimum following the baseline security standards published by the Information Security Office.
  5. Having oversight, understanding and approval of how the information is stored, processed, and transmitted by the University or any third-party agents that have access.
  6. Understanding how the information is governed by University policy, provincial and federal regulations, contracts and other legally binding agreements.
  7. Understanding privacy and security risks to the information and assigning necessary resources to mitigate those risks as appropriate.

4.5 Information Custodian

An Information Custodian is an employee of the University, or an external entity operating under contract with the University, who has operational responsibility for the effective and secure handling and protection of, and reporting on, a specific type or collection of institutional information as required and designated by an Information Steward. Specific responsibilities include:

  1. Understanding and reporting on how the information is stored, processed and transmitted by the University or any third-party agents that have access.
  2. Implementing reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the information, at minimum following the baseline security standards published by the Information Security Office.
  3. Documenting administrative and operational procedures for how the information is stored, processed, and transmitted, and ensuring such procedures are followed consistently.
  4. Granting and revoking access to the information according to the criteria or approval process identified by the Information Steward.
  5. Understanding the systems and processes for handling the information thoroughly, and using that knowledge to effectively identify, prioritize and report on risks to the privacy and security of the information to the Information Steward.

4.6 Users

A User is a member of the University community who accesses institutional information. A User is responsible for secure handling of institutional information to which they have access. Specific responsibilities include:

  1. Using information only for the purposes specified by the appropriate Information Steward.
  2. Adhering to University policies, guidelines and procedures pertaining to information security and privacy, including appropriate and secure information handling and protection procedures.
  3. Reporting actual or suspected security or privacy vulnerabilities and breaches.

5.  PROCEDURES

5.1 Assigning an Information Security Classification Category

  1. For each information resource, the Information Security Classification Standard shall be used to determine the appropriate category.
  2. Prior to assigning a security classification level, be aware of relevant legislative or regulatory requirements, and University policy and procedures.
  3. Security classifications are applied to information resource types rather than individual records.
  4. Where an information resource contains multiple different types and categories of information, employ the highest relevant classification category.
  5. Take into account the volume of information; for information resources holding large volumes of information, consider employing a higher classification category than the type of information alone may necessitate.
  6. Maintain an inventory of the information resource by utilizing the University records directory.

5.2 Reporting to IGC

The Information Security Office will produce a report to the IGC, on an annual basis or upon their request, containing:

  1. A list of the known Information Resources classified as confidential or regulated.
  2. For each information resource in (1), the date of the last sign-off provided from the relevant Information Steward attesting to compliance with relevant information security classification standards and procedures.
  3. For each information resource in (1), a list of any significant security incidents involving that resource.
  4. For each information resource in (1), the date of the last compliance review by the Information Security Office.
  5. For each information resource in (1), a list of any known non-compliance with security standards related to that resource and the Information Steward’s mitigation plan or response.

5.3 Monitoring and Compliance

The Information Security Office will utilize information provided by Information Stewards and Custodians to implement appropriate compliance monitoring. Such monitoring will include:

  1. Review of the description of information resources and of relevant documentation provided by the Steward or Custodian related to their compliance, including system documentation, evidence of information handling procedures in place, system logs or configuration, etc.
  2. Regular vulnerability detection scans of the information resource.
  3. Where a completed compliance review produces an unsatisfactory result, the Information Steward will indicate, in a timely fashion, the intended mitigation plan or response to Information Security.
  4. In the event of non-compliance that presents a clear risk, Information Security is authorized to take immediate action to contain the information resource and/or restrict access to reduce the risk until mitigation plans can be developed and implemented.
  5. Such reviews shall normally be done upon or prior to the introduction of a new system or information resource, or upon significant change of an existing one, and at a regular interval appropriate for the scale and risk level of the information resource.

5.4 Reporting a Breach

All Users, Stewards and Custodians of University information resources shall report any indication of actual or suspected security breach according to the Information Security Incident Handling Procedures.