Information Classification Policy


Intent

This Policy establishes the framework for classifying information assets at James Cook University (JCU; the University) based on sensitivity and business impact levels. Its primary objective is to ensure the confidentiality, integrity, and availability of these information assets are adequately protected.

Scope

This Policy applies to all Authorised Users of the University’s information management systems regardless of location, whether during or after business hours or whether on JCU-owned or privately owned devices.

Definitions

Except where otherwise defined in this policy, definitions for terms used in this policy are located in the Digital Policy Glossary.

Business Impact Levels (BILs)

BILs categorise the severity of risks based on their potential impact on the organisation's operations and assets. BILs help prioritise risk management efforts by assigning levels of severity, guiding resource allocation and mitigation measures.

Principle of Least Privilege

Means individuals or systems should only be granted the minimum level of access rights and permissions necessary to perform their designated tasks effectively.

Data

Refer to Data Governance Policy.

Information

Refer to Data Governance Policy.

For the purposes of this Policy, the term 'information' will be used to encompass both data and information, recognising that all data, once processed or contextualised, becomes information subject to the same classification and protection standards.

Sensitive Information

Refer to Digital Policy Glossary, noting this term is distinct from the SENSITIVE Classification Label.

Policy

1. Policy Alignment

This Policy aligns with advice contained in the Queensland Government Information Security Classification Framework (QGISCF) which supports the Australian Government’s Information Security Policy (IS 18:2018) and the Singapore Personal Data Protection Act (PDPA).

Building upon this framework, the University recognises the importance of classifying information assets to protect sensitive information, maintain operational effectiveness, and comply with legal and regulatory requirements within both jurisdictions.

2. Introduction

The University employs diverse risk assessment methodologies, such as scenario planning exercises, control assessments, and information security risk assessments. These methods aim to quantify and prioritise potential impacts, including loss, compromise, and misuse of its information assets. They also assist in determining Business Impact Levels (BILs), which involves identifying potential threats, vulnerabilities, and at-risk assets, and then evaluating scenarios for likelihood and severity.

Understanding these risks facilitates the implementation of suitable risk mitigation measures to safeguard University interests and ensure operational continuity. Information classification, a vital component of this process, is crucial for allocating resources effectively to safeguard information based on its sensitivity and criticality, ensuring the implementation of effective risk mitigation measures.

3. Principles

The guiding principles of this Policy are:

3.1 Risk-Based Classification: Information assets are classified based on an assessment of their sensitivity and potential risk to JCU. This assessment considers factors such as confidentiality, integrity, availability, and regulatory requirements.

3.2 Clear and Consistent Criteria: Established criteria are used to provide clear guidance on how data and information is to be classified, ensuring consistency and accuracy across JCU.

3.3 Need-to-Know Principle: Access to information is restricted to individuals with a legitimate need-to-know based on their roles and responsibilities. This principle minimises inappropriate or unauthorised access and ensures that information is only accessed by those who require it for their duties.

3.4 Integration with Data Governance: Information classification practices are integrated into JCU’s broader data governance framework. This integration aligns classification decisions with data lifecycle management, data protection measures, and regulatory compliance initiatives.

3.5 Training and Awareness: Training and awareness programs are provided to staff and students on the importance of information classification. These programs cover the criteria for classification and educate individuals on their responsibilities in securely handling data and information.

3.6 Continuous Improvement: Processes for the regular review and continuous improvement of information classification are implemented to ensure the classification framework remains accurate and up to date. This ensures classification practices evolve in response to changes in business requirements, regulatory mandates, and technological advancements.

4. Responsibilities

4.1 Authorised Users will be responsible for determining the appropriate classification of assets under their custody and applying the relevant classification labels in accordance with this Policy. This responsibility extends to information received from or shared with external or third parties, with the expectation that equivalent controls are applied to these assets.

4.2 The Privacy Officer (Australia) and the Data Protection Officer (Singapore) are responsible for their respective jurisdictions in:

  • Implementing data protection policies;
  • Conducting data protection and privacy compliance risk assessments;
  • Providing staff training and briefings on data protection policies;
  • Handling data protection-related complaints and queries; and
  • Advising on relevant data retention and disposal practices.

5. Classification Framework

5.1 Classification Criteria: Information assets will be classified based on their confidentiality, integrity and availability requirements, taking into account their sensitivity and business impact levels.

5.2 Classification Label: The classification labels OFFICIAL (PUBLIC), OFFICIAL (INTERNAL), SENSITIVE and PROTECTED will be used to indicate the sensitivity and handling requirements of the information assets. A fifth level, RESTRICTED, is widely used in other contexts but will not be utilised in this Policy as it exceeds JCU’s current capacity or requirements – i.e., this classification level is reserved for circumstances affecting national security. An overview of each classification label is provided at Table 1 below.

5.3 Default Classification: Unclassified information will be handled as follows:

  • Corporate information will be initially treated as OFFICIAL (INTERNAL).
  • Research information will be initially treated as PROTECTED.

Table 1: Classification Label Overview

Columns: Classification Label; Sensitivity Level; Description; Access and Handling; Examples.

Official (Public)

Sensitivity Level: Low - Public

Description:

  • Information where an accidental or malicious breach would have an insignificant impact.
  • Low or negligible confidentiality impact.
  • Includes routine information without special sensitivity.

Access and Handling:

  • Authorised for public access but may not be proactively released.
  • Security measures proportionate to business requirements.

Examples:

  • Public announcements.
  • General notices.
  • Published research.
  • Employee handbooks.

Official (Internal)

Sensitivity Level: Low - Internal

Description:

  • Information where a breach would be unlikely to cause harm to the University, another organisation, or an individual.
  • Not intended for public distribution.
  • Default classification for most corporate information.

Access and Handling:

  • Access based on general academic, research, or business need.
  • While primarily restricted to University members, access can be extended to external collaborators under controlled conditions, particularly within research projects or academic collaborations where sharing is necessary for project success.
  • Compromise may cause minor inconvenience or limited operational impact.

Examples:

  • Internal memos.
  • Team meeting minutes.
  • Non-sensitive project documentation.
  • Staff directories.

Sensitive

Sensitivity Level: Medium - Internal

Description:

  • Information where a breach could reasonably be expected to cause harm to the University, another organisation, or an individual.
  • Moderate confidentiality impact.

Access and Handling:

  • Access is typically restricted to a specific audience within the University.
  • For research projects or collaborations, access may be extended to trusted external parties (such as external researchers or collaborators) under strict authorisation and clear data-sharing agreements.
  • Strict controls on sharing and distribution.

Examples:

  • Personal information.
  • Confidential business information.
  • Unpublished research information not including personal identifiable information.
  • Commercial interests.

Protected

Sensitivity Level: High - Confidential

Description:

  • Information where a breach could reasonably be expected to cause serious harm to the University, another organisation, or an individual.
  • High confidentiality impact.
  • Requires the most careful safeguards.
  • Default for research information and data unless classified.

Access and Handling:

  • Highly restricted audience.
  • Access authorised only on a strict need-to-know basis.
  • Rigorous security measures and monitoring required.

Examples:

  • Financial records.
  • Intellectual property.
  • Sensitive personal information / personal identifiable information including unpublished research information.
  • Confidential research with commercial potential.

6. Controls

6.1 Controls will be implemented based on the assessed BILs of information assets to safeguard sensitive and protected information, ensuring confidentiality, integrity and availability are maintained.

6.2 Control measures will be tailored to align with the assessed BILs of information assets, considering factors such as the:

6.2.1 Differing requirements for confidentiality, integrity and availability associated with each information asset.

6.2.2 Aggregation or disaggregation of information assets – e.g., heightened controls may be warranted when consolidating multiple low-impact assets onto a single server, since aggregation increases the impact of a single compromise. Conversely, controls may be adjusted when disaggregating information assets to mitigate risks effectively while maintaining operational efficiency.

6.2.3 Segmentation of information assets. Where information is assessed as having different BILs, segmenting or segregating high business impact data or information from others may enable differential controls to be applied rather than raising the security of all information holdings.

7. Implementation

7.1 Integration of Classification Criteria into University Systems: The classification criteria will be incorporated into relevant University systems and processes. This integration will involve key stakeholders, ensure consistent application across the University, and align with existing governance frameworks. Specific implementation details will be determined collaboratively and documented in supporting procedures.

7.2 Access Control: Access to all information, regardless of classification status, will be restricted to authorised personnel based on the principle of least privilege and legitimate need-to-know. The level of restriction and access controls will be commensurate with the sensitivity of the information as defined by its classification level (OFFICIAL (PUBLIC), OFFICIAL (INTERNAL), SENSITIVE, or PROTECTED), with higher classifications requiring more stringent controls.

7.3 Labelling and Tagging: Information assets will be labelled or tagged according to their classification to the extent feasible with available resources and tools. This process aims to ensure appropriate security measures such as access controls, encryption and backups are appropriately applied. Where appropriate, manual application of labels or tags will be utilised, emphasising the importance of robust security measures.

7.4 Storage and Transmission: Information assets will be stored and transmitted in accordance with their classification labels, ensuring appropriate safeguards are in place to maintain confidentiality, integrity, and availability.

7.5 Disposal: Information assets will be securely disposed of in accordance with JCU’s authorised disposal procedures to prevent unauthorised access or disclosure.

7.6 Review: Periodic reviews will be conducted to ensure appropriate labelling for the required level of protection through the implementation of Control Objectives and Attestations.

Related policy instruments

Information Privacy Policy

Information Security Policy

Singapore Campus Privacy Policy

Personal Information - Data Breach Management Procedure

Records Management Policy

Right to Information Policy

Risk Management Policy

Related documents and legislation

Copyright Act 2021 (Singapore)

Information Privacy Act 2009 (Qld)

Personal Data Protection Act 2012 (Singapore)

Public Records Act 2002 (Qld)

Queensland Information Security Policy (IS18:2018)

Queensland Government Information Security Classification Framework (QGISCF)

SPAM Control Act (Cap 311A) (Singapore)

The Computer Misuse Act (Cap 50A) (Singapore)

Undesirable Publications Act (Cap 338) (Singapore)

Administration

NOTE: Printed copies of this policy are uncontrolled, and currency can only be assured at the time of printing.

Approval Details

Policy Domain: University Management

Policy Sub-domain: Corporate Administration

Policy Custodian: Chief of Staff

Approval Authority: Vice Chancellor

Date for next Major Review: 06/11/2029

Revision History

Version no.: 24-1

Approval date: 06/11/2024

Approved by: Vice Chancellor

Implementation date: 06/01/2025

Details: Policy established.

Author: Manager, Information Security – Governance, Risk and Compliance

Keywords

Sensitivity levels; business impact; confidentiality; integrity; availability; information assets; security framework; protection measures

Contact person

Chief of Staff