17.3.9 Information Asset classification
The Information Asset Manager shall assign each information asset to one of the four classifications listed below, based upon its determined value, confidentiality, integrity and availability. Where information assets with different levels of classification are grouped together, the highest classification shall be applied to the whole group.
Further guidance on the handling of information assets is detailed under PRP 17.8.9 “information classification and device eligibility” [link: 17.8.9].
Information assets assigned the ‘Public’ classification should either be by their nature a matter of public record, or have been deemed safe to be publicly disclosed or to provide positive or neutral impact to OIST business, reputation or personnel.
Information assets assigned the ‘Internal’ classification are those for which disclosure is not appropriate and may result in a moderate negative impact to OIST business, reputation or personnel. These assets are to be made accessible to OIST users on a need-to-know basis. Unpublished research data or papers are in general deemed to fall under this classification.
Third parties may be granted access to information assets with an ‘Internal’ classification where a business need exists.
This classification should be regarded as the default for OIST information assets.
Information assets assigned the ‘Confidential’ classification are those for which disclosure would result in a significant negative impact to OIST business, reputation or personnel. This classification includes information assets subject to protection under law or government regulation, including but not limited to personal information such as My Number, credit card and passport information. These assets are to be made accessible by Information Asset Managers only to small, restricted groups of users on a need-to-know basis. Access is to be audited regularly.
Information assets assigned the ‘Critical’ classification are those for which disclosure would result in a severe negative impact to OIST business, reputation or personnel. Access to ‘Critical’ information assets shall be granted only to small, tightly restricted groups of authorized users. Strict system access and data access controls must be applied, and access audited regularly.
Information assets can only be assigned the ‘Critical’ classification upon approval by the Provost or the Secretary General.