Information Asset Classification Policy

Section 1 - Purpose and Scope

Purpose

(1) The Information Asset Classification Policy provides direction for University users to label their information according to its sensitivity.

(2) This Policy acknowledges and aims to safeguard the University's information systems as crucial assets, ensuring their integrity, security and constant availability.

Scope

(3) This Policy applies to:

Section 2 - Definitions

(4) For the purposes of this Policy, the following definitions apply:

Section 3 - Policy

Risk Based Approach

(5) A risk-based approach to information security and information sharing requires clear oversight of the University's information assets. Information classification is a responsibility shared by the entire business. Integrating information classification into all areas of the business, with full corporate oversight, ensures that information classification is properly planned, implemented and resourced according to business needs and risk appetite.

Information Classification, Labelling, Handling and Distribution

(6) In line with the NSW Government Information Classification, Labelling and Handling Guidelines and the Australian Government's Protective Security Policy Framework, it is important that information is labelled correctly so that users within SCU know how to manage information in a secure manner that is consistent with the Australian Government and other states and territories.

Classification of Information Assets

Unofficial: (UO)

(7) Information which is unrelated to University study or business operations.

Official: Public (PUB)

(8) This information can be openly shared or distributed to the general public. It requires minimal protection and, when used as intended, has minimal to no negative impact on the University's operations, assets or reputation, or on the University's obligations regarding information privacy.

Official: (O)

(9) This information is intended for general internal use within the University and should not be externally distributed. It may be accessed by authorised staff and students.

Official: Sensitive (O:S)

(10) This information is also for internal use but is restricted to staff who need it to perform their University duties. It includes information protected under federal or state legislation or by University contractual obligations and requires enhanced privacy and security protections.

Protected: (P)

(11) This information must be kept strictly confidential and accessed only on a "need to know" basis. It includes data that could affect national interests or security, or information whose accidental or malicious breach could reasonably be expected to cause serious harm to the University, a third party or an individual if released publicly.

(12) The access, distribution, storage and disposal of Protected information may be subject to applicable state and federal legislation and to review by the Senior Manager – Cyber Security to ascertain appropriate levels of controls which are commensurate with the environment.

(13) All staff must understand their legal and corporate responsibilities regarding the appropriate use, sharing or release of information. Any third party receiving Sensitive or Protected information must be authorised to do so, and they or their organisation must adhere to information security measures that ensure the confidentiality, integrity and availability of the information.

Labelling of Information Assets

(14) Wherever practicable, information assets should be labelled as follows:

| Classification | Labelling |
| --- | --- |
| Unofficial | None required |
| Official: Public | None required |
| Official | Official |
| Official: Sensitive | Official: Sensitive - Personal Information |
| Official: Sensitive | Official: Sensitive - Health information |
| Official: Sensitive | Official: Sensitive - Legal privilege |
| Official: Sensitive | Official: Sensitive - Commercial-in-Confidence |
| Protected | Protected |

Integrity and Availability Classification

(15) Identifying the integrity and availability levels of information assets assists Technology Services to apply risk management techniques across all ICT systems and University processes, allowing the University to appropriately plan, resource and maintain effective information security controls. The process recognises that information for the public may require exceptionally high degrees of integrity (accuracy) and availability.

Availability Classification Scheme

| Classification | Description |
| --- | --- |
| A4 | ABSOLUTE requirement, indicating that the University would be severely impaired by the loss and recovery must occur almost instantly (within a few minutes). |
| A3 | HIGH requirement, meaning that a loss would lead to major University disruption and recovery should be accomplished within hours (typically within the same business day). |
| A2 | MODERATE requirement, suggesting that the loss would significantly affect operations and recovery should be completed within a few days (usually no more than three business days). |
| A1 | LOW requirement, meaning that the data loss would have a minor impact on University operations over a prolonged period (recovery on a "best-effort" basis). |

Integrity Classification Scheme

| Classification | Description |
| --- | --- |
| I4 | ABSOLUTE requirement, implying that the data must be completely accurate without any inaccuracies or omissions. |
| I3 | HIGH requirement, meaning that any loss of integrity could lead to significant embarrassment and disruption, and might be challenging to detect. |
| I2 | MODERATE requirement, indicating that the University would experience some effects from a loss of integrity, though issues could be readily detected and remedied. |
| I1 | LOW requirement, where there would be minimal impact from data being inaccurate or incomplete. |