This policy establishes a framework for classifying organizational data based on its level of sensitivity, value and criticality to OSTA-AECO. Classification of data will aid in determining baseline security controls for the protection of data.
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to OSTA-AECO should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of four sensitivity levels, or classifications:
Data should be classified as Restricted when the unauthorized disclosure, alteration, or destruction of that data could cause a significant level of risk to OSTA-AECO or its partners. Data classified as Restricted is intended for a select audience, unlike Confidential data, which may require high security controls but may still have a broad internal audience. The highest level of security controls should be applied to Restricted data.
Examples: Unaudited financial statements, human resources grievances, contract negotiations, legal proceedings, and other documents of this nature.
Data should be classified as Confidential when the unauthorized disclosure, alteration, or destruction of that data could cause a great level of risk to OSTA-AECO or its partners.
Audience: Executive Council and/or Directors
Examples: Employee and customer information, passwords, source code, pre-announced financial reports, contracts, and data protected by confidentiality agreements.
Data should be classified as Internal when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to OSTA-AECO or its partners. By default, all data that is not explicitly classified as Confidential, Restricted, or Public data should be treated as Internal data. A reasonable level of security controls should be applied to Internal data.
Audience: Members of OSTA-AECO, Executive Council, Directors, Auditors
Examples: Meeting materials, outcomes reports
Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to OSTA-AECO and its partners. While few or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
Audience: All
Examples: Press releases, conference packages, and research publications.
On a periodic basis, it is important to re-evaluate the classification of OSTA-AECO's data to ensure the assigned classification is still appropriate based on changes to legal and other obligations, as well as changes in the use of the data or its value to OSTA-AECO. If it is determined that the classification of certain documentation has changed, an analysis of security controls should be performed to determine whether existing controls are consistent with the new classification. If gaps are found in existing security controls, they should be corrected in a timely manner, commensurate with the level of risk presented by the gaps.