The purpose of this standard is to define the ITS information classification scheme, and to describe the protection requirements for each level of classification.

  • It mandates how information is classified in ITS.
  • The protection requirements in this standard are dependent on the classification of the information, the format of the information, and where the information is going. For example, if the information is staying within the internal UofT environment, the control requirements are less stringent than if it is travelling outside the UofT environment.
  • Information Security is defined as the concepts, techniques, measures, and controls used to protect UofT information assets from threats against confidentiality and integrity.
  • Confidentiality ensures that information is only disclosed to, accessed by, or used by those who have a specific and authorized business need. It also ensures that ITS is able to protect the privacy of clients and employees who have entrusted their personal information to ITS.
  • Integrity ensures that information cannot be created, changed, or deleted without the appropriate authority.

Assigning classification to information enables us to set requirements for how to treat the information, whether it is at rest, in transit, or in storage. Additionally, it helps determine the appropriate way to destroy information once it is no longer required.
Classifying information also helps those who come into contact with it understand what they need to do to protect it. Information may be accessed and handled by many different organizational units and individuals throughout its life cycle.

Date of Effectiveness

To Be Determined

Standard Owner

Director, Information Security, Information Technology Services

Version

Version 0.5

Summary showing Section Headings

ID Section Headings Brief Description
ICP-CL Classification
ICP-CS Classification Schema
ICP-DC Default Classification
ICP-CN Information Control
ICP-RD Re-using and Decommissioning Information Assets
ICP-DP Default Classification
ICP-EP Email Protection
ICP-FP Fax Protection
ICP-PP Print Media Protection
ICP-RP Portable Digital Media Protection
ICP-MP Magnetic Media Protection

Information Classification and Protection Standard Controls

Control ID Control Existing Status Public Confidential Restricted Effort
ICP-CL Classification Existing Status Public Confidential Restricted Effort
ICP-CL-01 Information can have different protection requirements based on how sensitive it is. In order to apply protection requirements, information must be classified according to its confidentiality (Public, Confidential, or Restricted) and its integrity (Normal, High) TRUE In Progress Required Required Required TBD
ICP-CL-02 The control requirements of this standard must be followed consistently when classifying information TRUE In Progress Required Required Required TBD
ICP-CL-03 All information must be subject to the controls required to protect it at all stages of its life cycle (see Appendix A) TRUE In Progress Required Required Required TBD
ICP-CL-04 Information Owners must also consider the age of information. Information that may be extremely sensitive one day may cease to be sensitive the next. TRUE In Progress Required Required Required TBD
ICP-CS Classification Schema Existing Status Public Confidential Restricted Effort
ICP-CS-01 The classification scheme tables within this standard (see Appendix B and Appendix C) describe each of these classifications and provide examples. The examples are not an exhaustive list and good judgement must be used when classifying information TRUE In Progress Required Required Required TBD
ICP-DC Default Classification Existing Status Public Confidential Restricted Effort
ICP-DC-01 All information that is not classified must be treated as Confidential and High integrity by default. TRUE In Progress Required Required Required TBD
ICP-CN Information Control Existing Status Public Confidential Restricted Effort
ICP-CN-01 Production environments are controlled environments to ensure that data is not disclosed inappropriately. Confidential and/or Restricted production data created or processed by systems or applications must not be moved into non-production environments without using approved methods to sanitize the data. Mandatory compensating security controls are detailed in the Compensating Control guidelines, "Compensating security controls governing the use of unsanitized production data in non-production environments". TRUE In Progress Required Required Required TBD
ICP-CN-02 The protection requirements in this standard are not an exhaustive list, and if there is a measure of uncertainty, the circumstances must be discussed with an ISEA Information Security Consultant to determine the appropriate set of controls TRUE In Progress Required Required Required TBD
ICP-AP Applicability of Information Classification – Systems and Applications Existing Status Public Confidential Restricted Effort
ICP-AP-01 When classifying information, Information Owners must consider that information classification can change. Information may have one classification if it is composed of only a single data element. When combined with other information or factors, however, the classification may change TRUE In Progress Required Required Required TBD
ICP-AP-02 All applications must be assigned one classification for confidentiality and one for integrity based on the highest level of native application data that the application processes. These classifications must be recorded in a master repository TRUE In Progress Required Required Required TBD
ICP-AP-03 Passwords are classified as Restricted and encryption is necessary at all times TRUE In Progress Required Required Required TBD
ICP-AP-04 Systems and applications must be designed and operated to ensure that access to and storage and control of data is based on the classification requirements TRUE In Progress Required Required Required TBD
ICP-AP-05 System and application classifications must be captured as part of the Threat Risk Assessment process (IRRM) TRUE In Progress Required Required Required TBD
ICP-RD Re-using and Decommissioning Information Assets Existing Status Public Confidential Restricted Effort
ICP-RD-01 With the exception of laptop computers, if re-using an information asset containing Confidential or Restricted information, the asset must be wiped three times with approved software. Servers and storage devices redeployed within the same physical data centre are excluded TRUE In Progress Required Required Required TBD
ICP-RD-02 If re-assigning a laptop computer containing Confidential or Restricted information, the laptop must be wiped using at minimum Criteria3 TRUE In Progress Required Required Required TBD
ICP-RD-03 If decommissioning media containing Confidential or Restricted information, regardless of whether it is maintained within UofT’s premises or sent externally, the media must be:

  • Degaussed. – or –
  • Wiped three times with approved software. – or –
  • Physically destroyed. Physical destruction of media containing Confidential or Restricted information must follow UofT’s secure destruction process, and must occur in the presence of two approved individuals who must sign the procedures to indicate successful disposal. Procedures should be retained to maintain the audit trail of disposal. This requirement must only be met in the instance of Tapes where they contain Confidential or Restricted information
TRUE In Progress Required Required Required TBD
ICP-DP Default Classification Existing Status Public Confidential Restricted Effort
ICP-DP-01 For all Public information, no controls are required TRUE In Progress Required N/A N/A TBD
ICP-DP-02 For Confidential information maintained within a UofT internal network, no encryption is required TRUE In Progress N/A Required N/A TBD
ICP-DP-03 For Internal information being transmitted

  • a) UofT’s internal network must be used, if possible.
  • b) If UofT’s internal network cannot be used, the following controls must be applied, listed in order of preference
  • Send the information over a private network. – or –
  • Encrypt the information using approved tools before sending over an open public network. – or –
  • Encrypt the information using approved tools, place on portable digital storage media, and transport using UofT Approved Courier or hand-delivery by a single UofT staff or delegate. – or –
  • If the information cannot be encrypted, the capability to create unencrypted portable digital storage media must be approved by the CISO through an approved exemption process. Then the media must be transported using the UofT approved Secure Transport vendor or by dual custody of UofT staff or delegates
TRUE Deprecated Required Required Required TBD
ICP-DP-04 For Confidential information being transmitted

  • a) A UofT internal network must be used, if possible.
  • b) If a UofT internal network cannot be used, the following controls must be applied, listed in order of preference
  • Encrypt the information using approved tools. – or –
  • Encrypt the information using approved tools, place on portable digital storage media, and transport using UofT Approved Courier or hand-delivery by a single UofT staff or delegate. – or –
  • If the information cannot be encrypted, the capability to create unencrypted portable digital storage media must be approved by the CISO/Director of Information Security through an approved exemption process. Then the media must be transported using the UofT approved Secure Transport vendor or by dual custody of UofT staff or delegates
TRUE In Progress Required Required Required TBD
ICP-DP-05 For all Restricted information: a) Must be encrypted at all times using approved tools. b) Audit trails of access to the information must be maintained TRUE In Progress N/A N/A Required TBD
ICP-DP-06 For Restricted information being transmitted: a) Transmissions must be approved by the Information Owner. b) Must be placed on portable digital storage media, and transported using the UofT approved Secure Transport vendor or by dual custody of UofT staff or delegates. TRUE In Progress N/A N/A Required TBD
ICP-EP Email Protection Existing Status Public Confidential Restricted Effort
ICP-EP-01 For all Public information, no controls are required. TRUE In Progress Required N/A N/A TBD
ICP-EP-02 For all Confidential information: a) UofT e-mail facilities must be used TRUE In Progress N/A Required N/A TBD
ICP-EP-03 For Confidential information e-mailed externally:

  • a) Must be sent using the UofT Secure E-mail Solution.
  • E-mail transmission must be approved by Business Leaders, – and –
  • The compensating controls detailed in the Acceptable Use of Computing Systems and Information Policy must be applied, as well as any other local business controls deemed necessary
TRUE In Progress N/A Required N/A TBD
ICP-EP-04 Restricted information must never be e-mailed, either within UofT’s internal network, or externally TRUE In Progress N/A N/A Required TBD
ICP-FP Fax Protection Existing Status Public Confidential Restricted Effort
ICP-FP-01 The Fax Security Specifications supporting document must be reviewed at the same time as scheduled reviews of the parent standard TRUE In Progress N/A N/A N/A TBD
ICP-FP-02 A list of approved fax solutions (both software and hardware) must be developed and maintained TRUE In Progress N/A N/A N/A TBD
ICP-FP-03 All fax solutions must meet the specifications for acquisition, installation, and operation/usage, as detailed in the Fax Security Specifications TRUE In Progress Required Required Required TBD
ICP-FP-04 All fax lines/numbers must be ordered, used, and updated in accordance with the requirements in the Fax Security Specifications TRUE In Progress Required Required Required TBD
ICP-FP-05 An inventory of fax solutions and fax lines must be developed, maintained, and validated annually. Any irregularities found must be assessed in accordance with local procedures, and appropriate action must be taken to rectify the irregularity. Fax lines that cannot be confirmed to be operational must be cancelled TRUE In Progress Required Required Required TBD
ICP-FP-06 Disconnection of fax lines and decommissioning of fax solutions must meet the requirements in the Fax Security Specifications TRUE In Progress Required Required Required TBD
ICP-FP-07 All misdirected fax transmissions (incoming or outgoing) must be investigated as detailed in the Fax Security Specifications. Misdirected faxes that result in unauthorized information disclosure must be reported to the Privacy Office and dealt with according to Privacy Incident Escalation and Reporting Procedures TRUE In Progress N/A Required Required TBD
ICP-FP-08 Regardless of classification, information must only be faxed using an approved fax solution and following approved faxing guidelines TRUE In Progress Required Required Required TBD
ICP-FP-09 All faxed information must include a label identifying the confidentiality classification TRUE In Progress Required Required Required TBD
ICP-FP-10 Restricted information must only be faxed if approved by the Information Owner TRUE N/A N/A Required Required TBD
ICP-PP Print Media Protection Existing Status Public Confidential Restricted Effort
ICP-PP-01 Regardless of classification, all print media created after October 31, 2016, whether created by applications or by employees, must include a printed label identifying the confidentiality classification TRUE In Progress Required Required Required TBD
ICP-PP-02 For print media that cannot be labelled (e.g. screen prints), employees must ensure that the protection mechanisms detailed in this standard are applied (e.g. locking up Confidential print media when it is not in use). TRUE In Progress Required Required Required TBD
ICP-PP-03 For print media stored in bulk that cannot be labelled, labelling the storage facility itself with the highest applicable classification is an acceptable control. For example, filing cabinets can be labelled with the highest applicable classification of the print media stored therein, if that print media can otherwise not be labelled TRUE In Progress Required Required Required TBD
ICP-PP-04 All Confidential or Restricted information MUST be shredded when no longer required TRUE In Progress Required Required Required TBD
ICP-PP-05 For Confidential information maintained or sent within UofT’s internal premises: a) Must be stored in a secure location when not in use. b) Must not be left at the printer TRUE In Progress Required Required Required TBD
ICP-PP-06 For Confidential information sent externally: a) Must be sent in a sealed container or envelope that obscures the contents within. b) Container or envelope must be marked with a specific recipient’s name or department/function name, i.e., not just addressed to an institution or business. c) Single client mailings sent to the same client may use postal service. d) All other Confidential information must be sent using a UofT Approved Courier or be hand-delivered by a single UofT staff or delegate TRUE In Progress Required Required Required TBD
ICP-PP-07 For Restricted information maintained within UofT’s internal premises: a) Must be controlled at all times and must be subject to specific handling procedures. b) Must not be left in plain view unattended. c) Shredded print media must have procedures and validation of secure disposal. For example, shredding must use a cross-cut shredder and must occur in the presence of two approved individuals who must sign the procedures to indicate successful shredding. Procedures should be retained to maintain the audit trail of disposal TRUE In Progress Required Required Required TBD
ICP-PP-08 For Restricted information sent externally: a) Must be sent by one of the following methods: By dual custody of UofT staff or delegates; or By the UofT approved Secure Transport vendor. b) Must be in the custody of UofT personnel at all times until transferred to the Secure Transport vendor. c) Single client mailings sent to the same client may use postal service or UofT Approved Courier, e.g. join id mailers. TRUE In Progress Required Required Required TBD
ICP-RP Portable Digital Media Protection Existing Status Public Confidential Restricted Effort
ICP-RP-01 For Public information, no controls are required. TRUE In Progress Required N/A N/A TBD
ICP-RP-02 For Confidential information maintained within UofT’s internal premises:

  • a) Must be encrypted using approved tools.
  • b) If the information cannot be encrypted, media must be controlled at all times and locked up when not in use.
TRUE In Progress N/A Required N/A TBD
ICP-RP-03 For Confidential information sent externally: a) Must be encrypted using approved tools. TRUE In Progress N/A Required N/A TBD
ICP-RP-04 For Internal information sent externally:

  • a) Must be labelled with the classification.
  • b) If the information cannot be encrypted, media must be controlled at all times and locked up when not in use.
  • c) Must be sent using postal service or UofT Approved Courier.
TRUE Deprecated Required Required Required TBD
ICP-RP-05 For Confidential information sent externally: If the information cannot be encrypted, the capability to create unencrypted portable digital storage media must be approved by the CISO/Director of Information Security through the exemption process. Then the media must be transported using the UofT approved Secure Transport vendor or by dual custody of UofT staff or delegates TRUE In Progress N/A Required N/A TBD
ICP-RP-06 For Restricted information maintained within UofT’s internal premises:

  • a) Must be encrypted using approved tools.
  • b) Must be in the custody of authorized UofT staff at all times.
  • c) Must be stored in a secure location when not in use.
TRUE In Progress N/A N/A Required TBD
ICP-RP-07 For Restricted information sent externally:

  • a) Must be encrypted using approved tools.
  • b) Must be sent by one of the following methods: By dual custody of UofT staff or delegates; or By the UofT approved Secure Transport vendor.
  • c) Must be in the custody of authorized UofT staff at all times until transferred to the Secure Transport vendor.
TRUE In Progress N/A N/A Required TBD
ICP-MP Magnetic Media Protection Existing Status Public Confidential Restricted Effort
ICP-MP-01 Regardless of classification, and regardless of whether magnetic media is maintained within UofT’s internal premises or sent externally, approved tape and long-term storage procedures must be followed. TRUE In Progress Required Required Required TBD