The purpose of this standard is to define the ITS information classification scheme, and to describe the protection requirements for each level of classification.
- It mandates how information is classified in ITS.
- The protection requirements in this standard are dependent on the classification of the information, the format of the information, and where the information is going. For example, if the information is staying within the internal UofT environment, the control requirements are less stringent than if it is travelling outside the UofT environment.
- Information Security is defined as the concepts, techniques, measures, and controls used to protect UofT information assets from threats against confidentiality and integrity.
- Confidentiality ensures that information is only disclosed to, accessed by, or used by those who have a specific and authorized business need. It also ensures that ITS is able to protect the privacy of clients and employees who have entrusted their personal information to ITS.
- Integrity ensures that information cannot be created, changed, or deleted without the appropriate authority.
Assigning classification to information enables us to set requirements for how to treat the information, whether it is at rest, in transit, or in storage. Additionally, it helps determine the appropriate way to destroy information once it is no longer required.
Classifying information also helps those who come into contact with it understand what they need to do to protect it. Information may be accessed and handled by many different organizational units and individuals throughout its life cycle.
Date of Effectiveness |
To Be Determined |
|
Standard Owner |
Director, Information Security, Information Technology Services |
|
Version |
Version 0.5 |
Summary showing Section Headings
| ID | Section Headings | Brief Description |
| ICP-CL | Classification | |
| ICP-CS | Classification Schema | |
| ICP-DC | Default Classification | |
| ICP-CN | Information Control | |
| ICP-RD | Re-using and Decommissioning Information Assets | |
| ICP-DP | Default Classification | |
| ICP-EP | Email Protection | |
| ICP-FP | Fax Protection | |
| ICP-PP | Print Media Protection | |
| ICP-RP | Portable Digital Media Protection | |
| ICP-MP | Magnetic Media Protection |
Information Classification and Protection Standard Controls
| Control ID | Control | Existing | Status | Public | Confidential | Restricted | Effort |
| ICP-CL | Classification | Existing | Status | Public | Confidential | Restricted | Effort |
| ICP-CL-01 | Information can have different protection requirements based on how sensitive it is. In order to apply protection requirements, information must be classified according to its confidentiality (Public, Confidential, or Restricted) and its integrity (Normal, High) | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-CL-02 | The control requirements of this standard must be followed consistently when classifying information | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-CL-03 | All information must be subject to the controls required to protect it at all stages of its life cycle (see Appendix A) | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-CL-04 | Information Owners must also consider the age of information. Information that may be extremely sensitive one day may cease to be sensitive the next. | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-CS | Classification Schema | Existing | Status | Public | Confidential | Restricted | Effort |
| ICP-CS-01 | The classification scheme tables within this standard (see Appendix B and Appendix C) describe each of these classifications and provide examples. The examples are not an exhaustive list and good judgement must be used when classifying information | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-DC | Default Classification | Existing | Status | Public | Confidential | Restricted | Effort |
| ICP-DC-01 | All information that is not classified must be treated as Confidential and High integrity by default. | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-CN | Information Control | Existing | Status | Public | Confidential | Restricted | Effort |
| ICP-CN-01 | Production environments are controlled environments to ensure that data is not disclosed inappropriately. Confidential and/or Restricted production data created or processed by systems or applications must not be moved into non-production environments without using approved methods to sanitize the data. Mandatory compensating security controls are detailed in the Compensating security controls governing the use of unsanitized production data in non-production environments Compensating Control guidelines. | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-CN-02 | The protection requirements in this standard are not an exhaustive list, and if there is a measure of uncertainty, the circumstances must be discussed with an ISEA Information Security Consultant to determine the appropriate set of controls | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-AP | Applicability of Information Classification – Systems and Applications | Existing | Status | Public | Confidential | Restricted | Effort |
| ICP-AP-01 | When classifying information, Information Owners must consider that information classification can change. Information may have one classification if it is composed of only a single data element. When combined with other information or factors, however, the classification may change | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-AP-02 | All applications must be assigned one classification for confidentiality and one for integrity based on the highest level of native application data that the application processes. These classifications must be recorded in a master repository | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-AP-03 | Passwords are classified as Restricted and encryption is necessary at all times | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-AP-04 | Systems and applications must be designed and operated to ensure that access to and storage and control of data is based on the classification requirements | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-AP-05 | System and application classifications must be captured as part of the Threat Risk Assessment process (IRRM) | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-RD | Re-using and Decommissioning Information Assets | Existing | Status | Public | Confidential | Restricted | Effort |
| ICP-RD-01 | With the exception of laptop computers, if re-using an information asset containing Confidential or Restricted information, the asset must be wiped three times with approved software. Servers and storage devices redeployed within the same physical data centre are excluded | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-RD-02 | If re-assigning a laptop computer containing Confidential or Restricted information, the laptop must be wiped using at minimum Criteria3 | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-RD-03 | If decommissioning media containing Confidential, or Restricted information, regardless of whether it is maintained within UofT’s premises or sent externally, the media must be:
|
TRUE | In Progress | Required | Required | Required | TBD |
| ICP-DP | Default Classification | Existing | Status | Public | Confidential | Restricted | Effort |
| ICP-DP-01 | For all Public information, no controls are required | TRUE | In Progress | Required | N/A | N/A | TBD |
| ICP-DP-02 | For Confidential information maintained within a UofT internal network, no encryption is required | TRUE | In Progress | N/A | Required | N/A | TBD |
| ICP-DP-03 | For Internal information being transmitted
|
TRUE | Deprecated | Required | Required | Required | TBD |
| ICP-DP-04 | For Confidential information being transmitted
|
TRUE | In Progress | Required | Required | Required | TBD |
| ICP-DP-05 | For all Restricted information: a) Must be encrypted at all times using approved tools. b) Audit trails of access to the information must be maintained | TRUE | In Progress | N/A | N/A | Required | TBD |
| ICP-DP-06 | For Restricted information being transmitted: a) Transmissions must be approved by the Information Owner. b) Must be placed on portable digital storage media, and transported using the UofT approved Secure Transport vendor or by dual custody of UofT staff or delegates. | TRUE | In Progress | N/A | N/A | Required | TBD |
| ICP-EP | Email Protection | Existing | Status | Public | Confidential | Restricted | Effort |
| ICP-EP-01 | For all Public information, no controls are required. | TRUE | In Progress | Required | N/A | N/A | TBD |
| ICP-EP-02 | For all Confidential information: a) A UofT e-mail facilities must be used | TRUE | In Progress | N/A | Required | N/A | TBD |
| ICP-EP-03 | For Confidential information e-mailed externally:
|
TRUE | In Progress | N/A | Required | N/A | TBD |
| ICP-EP-04 | Restricted information must never be e-mailed, either within UofT’s internal network, or externally | TRUE | In Progress | N/A | N/A | Required | TBD |
| ICP-FP | Fax Protection | Existing | Status | Public | Confidential | Restricted | Effort |
| ICP-FP-01 | The Fax Security Specifications supporting document must be reviewed at the same time as scheduled reviews of the parent standard | TRUE | In Progress | N/A | N/A | N/A | TBD |
| ICP-FP-02 | A list of approved fax solutions (both software and hardware) must be developed and maintained | TRUE | In Progress | N/A | N/A | N/A | TBD |
| ICP-FP-03 | All fax solutions must meet the specifications for acquisition, installation, and operation/usage, as detailed in the Fax Security Specifications | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-FP-04 | All fax lines/numbers must be ordered, used, and updated in accordance with the requirements in the Fax Security Specifications | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-FP-05 | An inventory of fax solutions and fax lines must be developed, maintained, and validated annually. Any irregularities found must be assessed in accordance with local procedures, and appropriate action must be taken to rectify the irregularity. Fax lines that cannot be confirmed to be operational must be cancelled | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-FP-06 | Disconnection of fax lines and decommissioning of fax solutions must meet the requirements in the Fax Security Specifications | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-FP-07 | All misdirected fax transmissions (incoming or outgoing) must be investigated as detailed in the Fax Security Specifications. Misdirected faxes that result in unauthorized information disclosure must be reported to the Privacy Office and dealt with according to Privacy Incident Escalation and Reporting Procedures | TRUE | In Progress | N/A | Required | Required | TBD |
| ICP-FP-08 | Regardless of classification, information must only be faxed using an approved fax solution and following approved faxing guidelines | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-FP-09 | All faxed information must include a label identifying the confidentiality classification | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-FP-10 | Restricted information must only be faxed if approved by the Information Owner | TRUE | N/A | N/A | Required | Required | TBD |
| ICP-PP | Print Media Protection | Existing | Status | Public | Confidential | Restricted | Effort |
| ICP-PP-01 | Regardless of classification, all print media created after October 31, 2016, whether created by applications or by employees, must include a printed label identifying the confidentiality classification | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-PP-02 | For print media that cannot be labelled, (e.g. screen prints, etc.) employees must ensure that the protection mechanisms detailed in this standard are applied (e.g. locking up Confidential print media when it is not in use). | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-PP-03 | For print media stored in bulk that cannot be labelled, labelling the storage facility itself with the highest applicable classification is an acceptable control. For example, filing cabinets can be labelled with the highest applicable classification of the print media stored therein, if that print media can otherwise not be labelled | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-PP-04 | For all Confidential, or Restricted information MUST be shredded when no longer required | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-PP-05 | For Confidential information maintained or sent within UofT’s internal premises: a) Must be stored in a secure location when not in use. b) Must not be left at the printer | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-PP-06 | For Confidential information sent externally: a) Must be sent in a sealed container or envelope that obscures the contents within. b) Container or envelope must be marked with a specific recipient’s name or department/function name, i.e., not just addressed to an institution or business. c) Single client mailings sent to the same client may use postal service. d) All other Confidential information must be sent using a UofT Approved Courier or be hand-delivered by a single UofT staff or delegate | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-PP-07 | For Restricted information maintained within UofT’s internal premises: a) Must be controlled at all times and must be subject to specific handling procedures. b) Must not be left in plain view unattended. c) Shredded print media must have procedures and validation of secure disposal. For example, shredding must use a cross-cut shredder and must occur in the presence of two approved individuals who must sign the procedures to indicate successful shredding. Procedures should be retained to maintain the audit trail of disposal | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-PP-08 | For Restricted information sent externally: a) Must be sent one of the following methods: By dual custody of UofT staff or delegates; or By the UofT approved Secure Transport vendor. b) Must be in the custody of UofT personnel at all times until transferred to the Secure Transport vendor. c) Single client mailings sent to the same client may use postal service or UofT Approved Courier, e.g. join id mailers. | TRUE | In Progress | Required | Required | Required | TBD |
| ICP-RP | Portable Digital Media Protection | Existing | Status | Public | Confidential | Restricted | Effort |
| ICP-RP-01 | For Public information, no controls are required. | TRUE | In Progress | Required | N/A | N/A | TBD |
| ICP-RP-02 | For Confidential information maintained within UofT’s internal premises:
|
TRUE | In Progress | N/A | Required | N/A | TBD |
| ICP-RP-03 | For Confidential information sent externally: a) Must be encrypted using approved tools. | TRUE | In Progress | N/A | Required | N/A | TBD |
| ICP-RP-04 | For Internal information sent externally:
|
TRUE | Deprecated | Required | Required | Required | TBD |
| ICP-RP-05 | For Confidential information sent externally: If the information cannot be encrypted, approval for the capability to create unencrypted portable digital storage media must be approved by the CISO/Director of Information Security through the exemption process. Then the media must be transported using the UofT approved Secure Transport vendor or by dual custody of UofT staff or delegates | TRUE | In Progress | N/A | Required | N/A | TBD |
| ICP-RP-06 | For Restricted information maintained within UofT’s internal premises:
|
TRUE | In Progress | N/A | N/A | Required | TBD |
| ICP-RP-07 | For Restricted information sent externally:
|
TRUE | In Progress | N/A | N/A | Required | TBD |
| ICP-MP | Magnetic Media Protection | Existing | Status | Public | Confidential | Restricted | Effort |
| ICP-MP-01 | Regardless of classification, and regardless of whether magnetic media is maintained within UofT’s internal premises or sent externally, approved tape and long-term storage procedures must be followed. | TRUE | In Progress | Required | Required | Required | TBD |