
Information Classification Standard and Handling Guidelines

I.    Purpose

  1. The purpose of this Standard is to:
    1. define an information classification scheme that is:
      1. consistent with information security, access and privacy and records management policies and procedures; and
      2. consistent with regulatory and legislative requirements, including Freedom of Information Protection and Privacy Act (“FIPPA”) and Personal Health Information Protection Act (“PHIPA”).
    2. provide direction to Information Custodians regarding the appropriate protection of Toronto Metropolitan University (the "University") information throughout the information lifecycle.

II.   Application and Scope 

  1. This Standard applies to all University information.

III.  Definitions 

  1. “Information Custodians” are persons responsible and accountable for the safekeeping of information.
  2. “University Information” refers to all information within the custody and control of the University in all media and formats, including but not limited to paper, electronic, digital, e-mail, film, print, graphics, audio and video recordings, and any other form of recorded information regardless of location.

IV.  Standard 

  1. Principles
    1. Information Custodians shall classify University information according to its sensitivity in order to ensure that the information is handled appropriately.
    2. Information Custodians shall manage the risks of deviating from the Standard.
    3. Information Custodians shall obtain explicit approval for exceptions to the Standard from the Executive Group. 
    4. As a condition of handling University information, Information Custodians must review the Standard and Guidelines.
    5. Information Custodians shall resolve any ambiguity regarding the interpretation and implementation of this Standard through consultation with the Standard Owners. 
  2. Information Classification
    1. The level of classification assigned to University information must be based on its confidentiality, integrity and availability requirements, and the possible harm that could result from the unauthorized access, use, or disclosure of University information by an Information Custodian.
    2. Table 1 describes the classification for high, medium, and low sensitivity University information.
    3. When classifying information, the Information Custodian considers: 
      1. Mixed sensitivity of University information:  Always classify according to the most sensitive information, particularly when there is information of varying sensitivities in a single information repository.  For example: 
        1. If much of a document is low sensitivity, but there is a section that contains highly-sensitive information, the document’s overall sensitivity classification is High.
      2. Context: Information sensitivity is contextual. For example:
        1. A last name by itself may be considered Low sensitivity if it is a common name.  However, the inclusion of a first name and a date of birth may render the subject of the information uniquely identifiable, which moves the sensitivity level to High.
        2. Large volumes of Low or Medium sensitivity information may become High sensitivity due to the aggregate value of the University information repository as a whole.  A collection of the entire student population’s student ID numbers is considerably more sensitive than for a single class or an individual student.
      3. Third party information:  Be aware of situations where information is owned by a third party as there may be separate information-handling requirements described in the agreement with the third party.

Table 1: Information Classification

High
  Description: Information that is extremely sensitive and intended for handling only by named individuals or roles for specific purposes.
  Potential Harms: Could reasonably be expected to cause extremely serious harm to individuals or the University: loss of life or public safety, major political or economic impact, sabotage/terrorism, significant financial loss, or social hardship.
  Examples:
    ● Personal information such as Social Insurance Number (SIN), health information (which includes mental health data), date of birth, driver's license number, etc.
    ● Details about individuals involved in campus security threats or incidents
    ● Research or intellectual property proprietary to the University
    ● Financial information regulated by Payment Card Industry Data Security Standards (PCI DSS) or other contractual obligations
    ● Authentication credentials needed to access sensitive information or critical systems, e.g. passwords, passcodes or PINs
    ● Location of critical assets such as biohazardous materials, keys, etc.
    ● Vulnerabilities in the University processes or systems
    ● Solicitor-client privilege information
    ● Legal opinions

Medium
  Description: Information that is sensitive within the University and intended for handling only by specified groups.
  Potential Harms: Could reasonably be expected to cause serious harm to individuals or the University: loss of competitive advantage, loss of confidence in the University, moderate financial loss, damage to partnerships, relationships and reputation, or loss of intellectual property.
  Examples:
    ● Student IDs, grades, class lists, student work
    ● Alumni contact information
    ● Sensitive data that has been moderately de-identified, aggregated, or pseudonymized
    ● Draft internal documentation
    ● Departmental budgets
    ● Impactful organizational changes prior to publication or announcement

Low
  Description: Information that is generally available within the University.
  Potential Harms: Could reasonably be expected to cause injury that would result in minor financial loss, embarrassment and inconvenience.
  Examples:
    ● Operational procedures generally available within the University
    ● Finalized and released internal reports, outcomes, plans, etc.
    ● Department meeting minutes
    ● Anonymized information

Public
  Description: Information that is available to the public.
  Potential Harms: Will not result in harm or injury.
  Examples:
    ● Public-facing University websites
    ● Employee directories
    ● Publications
    ● Board meeting information, including agendas, materials and minutes

Unclassified*
  Description: Information that has not been classified.
  Potential Harms: Sensitive information may not be handled appropriately.

*Until information is classified, assume that sensitivity is High.

V.   Information Handling Guidelines 

  1. Safeguards
    1. The broad guidelines below recommend generic safeguards for handling University information according to the sensitivity classification.  After Information Custodians have classified University information according to sensitivity, the University information must be safeguarded based on an assessment of the security and privacy risks.  
    2. Information Custodians shall apply people, process, and technology safeguards in accordance with the findings of the security and privacy risk assessment. 
    3. The outcome of a risk assessment is assurance, which is defined as the Information Custodian’s degree of confidence that appropriate safeguards are in place and performing as intended in order to address security and privacy risks.
    4. Information Custodians should apply the security principle of defense in depth as a safeguard for University information. This is a practical strategy that implements multiple layers of safeguards. If one safeguard fails or is exploited by a threat, the other safeguards should maintain the security of the overall system and the sensitive information contained within. While it is not necessary to implement all of the safeguards identified below, an appropriate combination of safeguards can be identified through security and privacy assessments. There may also be more specific safeguards prescribed by regulation, legislation, or legal agreement for certain types of information.
    5. Note that there are no handling restrictions for Public information.

Table 2: Minimum Safeguards for Information Handling by Sensitivity

Each activity lists its safeguard types, and for each type the minimum safeguard at the High, Medium, and Low sensitivity levels.

Authentication
  Over an untrusted channel
    High: Strong authentication
    Medium: Single-factor authentication with strong password policy
    Low: Single-factor authentication
  Over a trusted channel
    High, Medium, Low: Single-factor authentication with strong password policy

Authorization
  Provisioning
    High:
      ● Granular access control
      ● Grant on a business need-to-know basis
      ● If external third parties are involved, implement confidentiality agreements
    Medium:
      ● Group or role-based access control
      ● Grant on a business need-to-know basis
      ● If external third parties are involved, implement confidentiality agreements
    Low: Grant to active community members
  Maintenance
    High: Regularly review and audit access
    Medium: Regularly review and audit access
    Low: N/A
  De-provisioning
    High: Timely and managed revocation of access
    Medium: Managed revocation of access
    Low: Revoke from inactive community members

Validation
  Data integrity, non-repudiation
    High: Digital signature
    Medium: Electronic signature
    Low: N/A

Use / Processing
  Physical
    High:
      ● Documented local handling policies/procedures
      ● Clean desk policy
      ● Clean screen policy
    Medium: Department clean desk policies and clean screen policies
    Low: N/A
  Logical
    High: Use systems with high assurance in privacy and security
    Medium: Use systems with medium assurance or higher in privacy and security
    Low: Use systems with low assurance or higher in privacy and security

Storage
  Physical
    High:
      ● Physically secured storage medium
      ● Dedicated secure area
    Medium: Physically secured storage medium
    Low: N/A
  Logical
    High:
      ● Use systems with high assurance in privacy and security
      ● Secure SDLC environment
      ● Segregate from less sensitive information
      ● Data redundancy
      ● In the absence of the other controls above: strong encryption with strong password/key, and strong key management
    Medium:
      ● Use systems with medium assurance or higher in privacy and security
      ● Secure SDLC environment
      ● In the absence of the other controls above: strong encryption with strong password/key
    Low: Use systems with low assurance or higher in privacy and security

Electronic Transmission
  Network-level
    High:
      ● Mutually authenticated and encrypted transport layer security, e.g. TLS
      ● Secure managed file transfer
      ● Secure fax or dedicated fax
    Medium:
      ● Server-authenticated and encrypted transport layer security
      ● Fax with confirmation of receipt
    Low: N/A
  Application-level
    High: Use systems with high assurance in privacy and security
    Medium: Use systems with medium assurance or higher in privacy and security
    Low: Use systems with low assurance or higher in privacy and security
  File-level
    High:
      ● Strong encryption with strong password/key
      ● Password/key sharing via separate transport mechanism
    Medium: Password protection
    Low: N/A

Manual Transport
  Accountability
    High:
      ● Explicit approval of the Information Custodian to transport
      ● Documented chain of custody
      ● Confirmation of receipt
    Medium: Confirmation of receipt
    Low: N/A
  Physical
    High:
      ● Approved private carriers
      ● Direct/hand delivery
      ● Never left unattended during transport
      ● Sealed/locked container
    Medium:
      ● Registered mail
      ● Inter-office mail
    Low:
      ● Regular mail
      ● Inter-office mail
  Electronic
    High:
      ● Strong encryption with strong password/key
      ● Password/key sharing via separate transport mechanism
      ● Use only authorized, strongly encrypted storage media
    Medium: Strong encryption with strong password/key
    Low: N/A

Disposal
  Physical
    High: Cross-shred and eliminate particles
    Medium: Cross-shred
    Low: Shred
  Electronic
    High: Securely sanitize if unencrypted
    Medium: Securely sanitize
    Low: Delete

  2. Reducing the Scope of Risk
    1. Information Custodians can limit or reduce their information classification and handling responsibilities through the following supplementary practices. Careful analysis by Information Custodians of their business requirements related to the collection, use, disclosure, retention, and destruction of University information will help identify which of these measures is applicable:
      1. De-identification and/or data minimization: Information sensitivity can be reduced by redacting, masking, or pseudonymization of identifying personal information, or by not collecting unnecessary sensitive information in the first place;
      2. Control data replication: Aside from the purpose of backups, avoid creating unnecessary copies of sensitive information that will have to be safeguarded to the same degree as the original information source, e.g. duplicate files, multiple file versions, backup copies, cached copies, test copies, etc.  For instance, mobile computing makes it possible to work on information remotely without any unnecessary and vulnerable duplication of data on a user’s local hard drive; or
      3. Limit retention:  Retain information only as long as necessary for the fulfillment of its purposes and in accordance with the University's Records Retention Schedule, and/or other regulatory requirements.  Uncontrolled data replication (see above), such as copying University information to personal laptops, smartphones, or memory sticks, further increases the burden on the Information Custodian to track data retention.

VI.  Roles and Responsibilities

  1. The Chief Information Officer (CIO) should work with IT Service Providers and others to help ensure compliance with the Standard. The Information Systems Security Officer maintains this Standard and conducts security assessments to help Information Custodians identify appropriate safeguards. The Information Systems Security Officer ensures that this Standard aligns with other information security policies.
  2. Office of the General Counsel and Secretary of the Board of Governors: The Director, Compliance and Policy Management, and Privacy Officer maintains this Standard, defines personal information, and conducts privacy impact assessments to help Information Custodians identify appropriate safeguards. The Director also ensures that this Standard aligns with other information management and information governance policies including the Privacy Policy and the Records Management Policy.
  3. Information Custodian: 
    1. An Information Custodian shall:
      1. be an employee;
      2. be accountable for the classification and safeguarding of University information;
      3. communicate the classification and safeguards associated with University information to any other employee or third party that handles that University information; and
      4. immediately report any suspected compromise of University information and systems to the Chief Information Security Officer (CISO) and/or the Information Privacy Officer (IPO).
    2. An Information Custodian may:
      1. periodically review and verify the classification assigned to information and the corresponding safeguards;
      2. consult with the Office of the General Counsel and Secretary of the Board of Governors to clarify any ambiguity with respect to the application of this Standard; and
      3. engage the Office of the General Counsel and Secretary of the Board of Governors for Privacy Impact Assessments, Security Assessments, and/or legal reviews, as necessary.