1. The Information Owner will review and define information for their functional area on an annual basis.
2. The Information Owner will promulgate information classifications and procedures for handling data sets for their functional area to Information Custodians.
3. The Information Owner will conduct audits to identify critical information and ensure the defined procedures have been followed.
4. The Information Owner will maintain Information Registers for their functional area with details as indicated in Appendix 1.
5. The Information Owner will complete an annual return, in the format prescribed in Appendix 2, certifying that their responsibilities under the Electronic Information Security Classification Policy have been met.
6. Any disputes regarding the appropriate classification of information will be resolved by a panel consisting of the University Privacy Officer, Human Resources Division, and representatives from the University Solicitor’s Office, Audit & Risk Management Office, and Security & Risk Section, Information Technology Services.
Guidelines for Dealing with Critical, Protected and Restricted Electronic Information

| CLASSIFICATION | STORAGE | ACCESS | USE | TRANSMISSION | DISPOSAL |
|---|---|---|---|---|---|
| Critical | Non-transportable, non-removable storage devices under the control of Information Technology Services (ITS). | Relevant fields must be encrypted. Access to records and files must be restricted to specific job roles, and requires authentication and password protection. Repairs to storage devices must be undertaken onsite and under supervision of ITS staff. | Prescribed by Information Owner. Generally not available outside the Information Owner’s domain (exceptions are Government bodies, financial institutions). | Information must be encrypted when transmitted. Information must not be made available via the Internet, the wireless network or by facsimile. Transmission must only be by a dedicated secure link (e.g. DEEWR, credit card gateway) or transported by hand. | Information must be removed before the storage device is retired or reused. If not able to be removed, the device must be destroyed. |
| Critical (secondary/backup devices) | Transportable and removable storage devices are permitted only for secondary (backup) devices under the control of ITS. | Relevant fields must be encrypted. Record and file access must be password protected. Repairs to secondary storage devices must be undertaken onsite and under supervision of ITS staff. Devices must be stored in a secured (locked) location. | Only accessed in an emergency or on failure of non-removable storage devices. | Information must be encrypted during transmission and whilst stored on secondary devices. | Information must be removed before the secondary storage device is retired or reused. If not able to be removed, the device must be destroyed. |
| Protected | All storage devices. | Access to records and files must be restricted to specific job roles, and requires authentication and password protection. Repairs to storage devices must be undertaken onsite and under supervision of Monash staff. Transportable devices must be stored in a secured (locked) location. | Prescribed by Information Owner. Available within the Information Owner’s domain and to specific University domains. Generally not available outside the University (exceptions are Government bodies, financial institutions). | Must be encrypted if transmitted outside the Monash network. May be transmitted un-encrypted within the Monash network. | Information must be removed before the storage device is retired or reused. If not able to be removed, the device must be destroyed. |
| Restricted | All storage devices. | Access to records and files requires authentication and password protection. Transportable devices should be stored in a secured (locked) location. | Prescribed by Information Owner. | May be transmitted unencrypted inside and outside of the Monash network. | Information should be removed before the storage device is retired or re-used. |
Interpretation

| Keyword | Interpretation |
|---|---|
| MUST | The item is mandatory. See also ‘waivers against must and must not’ below. |
| MUST NOT | Non-use of the item is mandatory. See also ‘waivers against must and must not’ below. |
| SHOULD | Valid reasons to deviate from the item may exist in particular circumstances, but the full implications need to be considered before choosing an alternative course. See ‘deviations from should and should not’ below. |
| SHOULD NOT | Valid reasons to implement the item may exist in particular circumstances, but the full implications need to be considered before choosing this course. See ‘deviations from should and should not’ below. |
Waivers against ‘MUST’ and ‘MUST NOT’: Where it is required to deviate from a ‘MUST’ or ‘MUST NOT’ statement in these procedures, written approval must be obtained from the Information Owner and maintained in the Information Register for the functional unit. The following details must be supplied:
(a) The reasons for the deviation,
(b) An assessment of the residual risk resulting from the deviation,
(c) A date by which to review the decision, and
(d) Management’s approval.
Deviations from ‘SHOULD’ and ‘SHOULD NOT’: Where it is required to deviate from a ‘SHOULD’ or ‘SHOULD NOT’ statement, written approval must be obtained as for a waiver, and should be retained by the unit.
Information Classification Register Worksheet - EXAMPLE

This table is designed to allow Information Owners to record what data is stored on computer systems and to classify that information.

INFORMATION OWNER: Divisional Director, Corporate Finance

| Functional Area | Person Responsible for server | Server Name and data location | Data Type or description | Data Classification | Waiver details |
|---|---|---|---|---|---|
| Financial data | Victor I. King | Valhalla, /export/data/widget | Design of new super-gizmo widget | Critical | |
| | | Valhalla, /export/data/staff | Staff organisation chart & home contact details | Restricted | |
Appendix 2

Information Classification Certification by Information Owners for the year ended 30 June 2008

INSTRUCTIONS
- A tick in a ‘YES’ box indicates that you agree with the statement.
- A tick in a ‘NO’ box implies appropriate action will be taken in the following calendar year to rectify the situation. Provide a short description of the action to be taken in the ‘Actions’ section provided below.
- If you wish to qualify your response, please do so in the ‘Comments’ section provided below and reference your comments to the appropriate response.

1. All {functional area} information throughout Monash has been identified, classified and included in the {functional area} information register.
[ ] Yes [ ] No
2. Access, storage, use, transportation and disposal procedures have been defined for all {functional area} information and details included in the information register.
[ ] Yes [ ] No
3. I have reviewed information for my functional area annually.
[ ] Yes [ ] No
Actions:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Comments:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Name (please print) ..............................................
Signature of Information Owner .............................................. Date ………………………….
Functional area ..............................................
To be completed and returned to the Director, Audit and Risk

Responsibility: Director, ITS Services