Data Classification

Purpose

This policy establishes a framework for classifying organizational data based on its level of sensitivity, value and criticality to OSTA-AECO. Classification of data will aid in determining baseline security controls for the protection of data.

Policy statement

Data classification

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to OSTA-AECO should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of four sensitivity levels, or classifications:

Restricted

Data should be classified as Restricted when the unauthorized disclosure, alteration, or destruction of that data could cause a significant level of risk to OSTA-AECO or its partners. Data classified as Restricted is intended for a select audience, unlike Confidential data, which may require high security controls but may still have a broad internal audience. The highest level of security controls should be applied to Restricted data.

Audience: Directors

Examples: Unaudited financial statements, human resources grievances, contract negotiations, legal proceedings, and other documents of this nature.

Confidential

Data should be classified as Confidential when the unauthorized disclosure, alteration, or destruction of that data could cause a great level of risk to OSTA-AECO or its partners.

Audience: Executive Council and/or Directors

Examples: Employee and customer information, passwords, source code, pre-announced financial reports, contracts, and data protected by confidentiality agreements.

Internal

Data should be classified as Internal when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to OSTA-AECO or its partners. By default, all data that is not explicitly classified as Confidential, Restricted, or Public data should be treated as Internal data. A reasonable level of security controls should be applied to Internal data.

Audience: Members of OSTA-AECO, Executive Council, Directors, Auditors

Examples: Meeting materials, outcomes reports

Public

Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to OSTA-AECO and its partners. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.

Audience: All

Examples: Press releases, conference packages, and research publications.

Reclassification

On a periodic basis, it is important to re-evaluate the classification of OSTA-AECO’s data to ensure the assigned classification is still appropriate based on changes to legal obligations as well as changes in the use of the data or its value to OSTA-AECO. If it is determined that the classification of certain documentation has changed, an analysis of security controls should be performed to determine whether existing controls are consistent with the new classification. If gaps are found in existing security controls, they should be corrected in a timely manner, commensurate with the level of risk presented by the gaps.