
Procedures for Electronic Information Secure Handling and Protection

Parent Policy

Electronic Information Security Classification Policy

Definitions

Approved encryption method:
a method of making data unreadable except to those in possession of special knowledge, usually referred to as a key, that has been approved by the Manager, Security and Risk Section, Information Technology Services.

Approved removal program:
a program to securely erase data from electronic media, that has been approved by the Manager, Security and Risk Section, Information Technology Services.

Information Owner:
The Information Owner is an individual with the responsibility for coordinating the implementation of this policy for a functional area of the University. The table below shows the 11 functional areas relating to administrative data and their respective information owners.

Functional area                                       Information owner
Financial data                                        Divisional Director, Corporate Finance Division
Human Resources data                                  Divisional Director, Human Resources Division
Information Technology data                           Executive Director, Information Technology Services Division
Student data                                          Divisional Director, Student & Community Services Division
Occupational Health & Safety data                     Divisional Director, Student & Community Services Division
Registered records (Records and Archives Services)    Divisional Director, Student & Community Services Division
Health and associated records                         Divisional Director, Student & Community Services Division
Facilities & Services data                            Divisional Director, Facilities & Services Division
Planning & Budget data                                Divisional Director, Financial Resources Management Division
Marketing data                                        Divisional Director, Marketing & Student Recruitment Division
Alumni data                                           Divisional Director, Alumni & Community Relations Division

Information Custodian:
An authorised individual who possesses, accesses or uses information electronically.

Information Register:
A catalogue of data sets detailing the Information Owner, server name, data description and Electronic Information Security Classification. Enhancements of the standard procedures for Electronic Information Secure Handling and Protection will also be documented in the Information Register.

Data sets:
A collection of data related to a purpose or topic.

Waivers:
A deviation from a requirement always necessitates that written approval be obtained from the information owner and recorded on the information owner’s Information Register.

Definitions of Information Security Classifications:

Critical: This classification applies to highly sensitive information:

  • Where the unauthorised disclosure would seriously and adversely impact the University, its employees, its students and/or its partner organisations and
  • access to which is strictly limited to a selected group or process.

Critical Information is information that, if compromised, would:

  • place the University in breach of its legal and regulatory responsibilities.

Examples of critical information:

  • Credit card numbers: Credit card numbers are targeted by internet theft;
  • Tax file numbers: Tax file numbers are required by the Australian Tax Office to be stored and used securely. Failure to adopt appropriate measures could see the University in breach of its legal responsibilities;
  • Health Information: Health information is highly sensitive and subject to a number of statutory controls, including, but not limited to, the Privacy Act and the Health Records Act. The accidental disclosure of health information could result in significant adverse press for the University and fines for breaches of data confidentiality requirements.

Protected: This classification applies to sensitive information:

  • that is related to University operations and where access is limited to a selected group or process;
  • where unauthorised disclosure may adversely impact the University, its employees, its students and/or its partner organisations.

Examples of protected information:

  • financial information such as purchase orders
  • Disciplinary Committee Meeting Minutes
  • Staff Employment Contracts 

Restricted: This classification applies to confidential information:

  • that does not include sensitive information, but is created or received within the University (including by students) and used internally;
  • the release of this information would not cause damage to the University, its employees, its students and/or its partner organisations;
  • approval from the information owner must be obtained before restricted information can be made public information.

Examples of restricted information:

  • course materials
  • employment opportunities at Monash (Staff Only).

Public: This classification applies to publicly available information:

  • public information that is made available, or released to the general public;
  • where no adverse effects are expected to result from the wide circulation of this information.

Examples of public information:

  • the Monash University home page (www.monash.edu.au)
  • Faculty course lists
  • employment opportunities at Monash (Open).

Unclassified: This classification relates to information that has not been classified:

  • information that is to be treated as protected until classified.

General Procedures

1. Guidelines for Dealing with Critical, Protected and Restricted Electronic Information

    The guidelines are set out for each classification under the headings STORAGE, ACCESS, USE, TRANSMISSION and DISPOSAL.

    CLASSIFICATION: Critical (non-transportable, non-removable storage devices)

    STORAGE: Non-transportable, non-removable storage devices under the control of Information Technology Services (ITS). Relevant fields must be encrypted.

    ACCESS: Access to records and files must be restricted to specific job roles, requires authentication and password protection. Repairs to storage devices must be undertaken onsite and under supervision of ITS staff.

    USE: Prescribed by Information Owner. Generally not available outside the Information Owner’s domain (exceptions are Government bodies, financial institutions).

    TRANSMISSION: Information must be encrypted when transmitted. Information must not be made available via the Internet, the wireless network or by facsimile. Transmission must only be by a dedicated secure link (e.g. DEEWR, credit card gateway) or transported by hand.

    DISPOSAL: Information must be removed before the storage device is retired or reused. If not able to be removed, the device must be destroyed.

    CLASSIFICATION: Critical (transportable and removable secondary/backup storage devices)

    STORAGE: Transportable and removable storage devices are permitted only for secondary (backup) devices under the control of ITS. Relevant fields must be encrypted.

    ACCESS: Record and file access must be password protected. Repairs to secondary storage devices must be undertaken onsite and under supervision of ITS staff. Devices must be stored in a secured (locked) location.

    USE: Only accessed in an emergency or failure of non-removable storage devices.

    TRANSMISSION: Information must be encrypted during transmission and whilst stored on secondary devices.

    DISPOSAL: Information must be removed before the secondary storage device is retired or reused. If not able to be removed, the device must be destroyed.

    CLASSIFICATION: Protected

    STORAGE: All storage devices.[1]

    ACCESS: Access to records and files must be restricted to specific job roles, requires authentication and password protection. Repairs to storage devices must be undertaken onsite and under supervision of Monash staff. Transportable devices must be stored in a secured (locked) location.

    USE: Prescribed by Information Owner. Available within the Information Owner’s domain and to specific University domains. Generally not available outside the University (exceptions are Government bodies, financial institutions).

    TRANSMISSION: Must be encrypted if transmitted outside the Monash network. May be transmitted unencrypted within the Monash network.

    DISPOSAL: Information must be removed before the storage device is retired or reused. If not able to be removed, the device must be destroyed.

    CLASSIFICATION: Restricted

    STORAGE: All storage devices.

    ACCESS: Access to records and files requires authentication and password protection. Transportable devices should be stored in a secured (locked) location.

    USE: Prescribed by Information Owner.

    TRANSMISSION: May be transmitted unencrypted inside and outside of the Monash network.

    DISPOSAL: Information should be removed before the storage device is retired or re-used.

    Interpretation

    Keyword        Interpretation

    MUST           The item is mandatory. See also ‘Waivers against MUST and MUST NOT’ below.

    MUST NOT       Non-use of the item is mandatory. See also ‘Waivers against MUST and MUST NOT’ below.

    SHOULD         Valid reasons to deviate from the item may exist in particular circumstances, but the full implications need to be considered before choosing an alternative course. See ‘Deviations from SHOULD and SHOULD NOT’ below.

    SHOULD NOT     Valid reasons to implement the item may exist in particular circumstances, but the full implications need to be considered before choosing this course. See ‘Deviations from SHOULD and SHOULD NOT’ below.

    Waivers against ‘MUST’ and ‘MUST NOT’: Where it is required to deviate from a ‘MUST’ or ‘MUST NOT’ statement in these procedures, written approval must be obtained from the Information Owner and maintained in the Information Register for the functional unit. The following details must be supplied:

    1. The reasons for the deviation,
    2. An assessment of the residual risk resulting from the deviation,
    3. A date by which to review the decision, and
    4. Management’s approval.

    Deviations from ‘SHOULD’ and ‘SHOULD NOT’: Where it is required to deviate from a ‘SHOULD’ or ‘SHOULD NOT’ statement, written approval must be obtained as for a waiver, and should be retained by the unit.

     

    Information Classification Register Worksheet - EXAMPLE

    This table is designed to allow Information Owners to record what data is stored on computer systems and to classify that information.

    INFORMATION OWNER: Divisional Director, Corporate Finance

    Entry 1
    Functional Area:                Financial data
    Person Responsible for server:  Victor I. King
    Server Name and data location:  Valhalla, /export/data/widget
    Data Type or description:       Design of new super-gizmo widget
    Data Classification:            Critical
    Waiver details:

    Entry 2
    Functional Area:                (as above)
    Person Responsible for server:  (as above)
    Server Name and data location:  Valhalla, /export/data/staff
    Data Type or description:       Staff organisation chart & home contact details
    Data Classification:            Restricted
    Waiver details:
    Appendix 2

    Information Classification Certification by Information Owners for the year ended 30 June 2008

    INSTRUCTIONS

    1. A tick in a ‘YES’ box indicates that you agree with the statement.

    2. A tick in a ‘NO’ box implies appropriate action will be taken in the following calendar year to rectify the situation. Provide a short description of the action to be taken in the ‘Actions’ section provided below.

    3. If you wish to qualify your response, please do so in the ‘Comments’ section provided below and reference your comments to the appropriate response.

    1. {functional area} information throughout Monash has been identified, classified and included in the {functional area} information register.

        [ ] Yes        [ ] No

    2. {functional area} information and details included in the information register.

        [ ] Yes        [ ] No

    3. I have reviewed information for my functional area annually.

        [ ] Yes        [ ] No

    Actions:

        __________________________________________________________________________________
        __________________________________________________________________________________
        __________________________________________________________________________________
        __________________________________________________________________________________
        __________________________________________________________________________________

    Comments:

        __________________________________________________________________________________
        __________________________________________________________________________________
        __________________________________________________________________________________
        __________________________________________________________________________________
        __________________________________________________________________________________

    Name (please print)               ..............................................

    Signature of Information Owner    ..............................................    Date ..............................

    Functional area                   ..............................................

    To be completed and returned to the Director, Audit and Risk



    [1] Includes all non-transportable storage devices and transportable devices such as floppy discs, removable hard drives, CDs, DVDs, USB flash drives and memory sticks, laptops, tablet computers, PDAs, mobile phones with text capability, other devices

    =====================================================================

    Responsibility

    Executive Director ITS

Contact Person: Policy Role