Skip to content | Change text size

Electronic Information Secure Handling and Protection Procedures

Parent Policy

Electronic Information Security Classification Policy

Definitions:

Approved encryption method:
A method of making data unreadable except to those in possession of special knowledge, usually referred to as a key, that has been approved by the Manager, Security and Risk Section, Information Technology Services.

Approved removal program:
A program to securely erase data from electronic media that has been approved by the Manager, Security and Risk Section, Information Technology Services.

Information Owner:
The Information Owner is an individual with the responsibility for coordinating the implementation of this policy for a functional area of the University. The table below shows the 11 functional areas relating to administrative data and their respective information owners.

Functional area

Information owner

Financial data

Divisional Director, Corporate Finance Division

Human Resources data

Divisional Director, Human Resources Division

Information Technology data

Executive Director, Information Technology Services Division

Student data

Divisional Director, Student & Community Services Division

Occupational Health & Safety data

Divisional Director, Student & Community Services Division

Registered records (Records and Archives Services)

Divisional Director, Student & Community Services Division

Health and associated records

Divisional Director, Student & Community Services Division

Facilities & Services data

Divisional Director, Facilities & Services Division

Planning & Budget data

Divisional Director, Financial Resources Management Division

Marketing data

Divisional Director, Marketing & Student Recruitment Division

Alumni data

Divisional Director, Alumni & Community Relations Division

Information Custodian:
An authorised individual who collects, stores or transmits electronic information pertaining to the university’s core activities of research, education and administration.

Information User:
An authorised individual who accesses electronic information pertaining to the university’s core activities of research, education and administration.

Information Register:
A catalogue of data sets detailing the Information Owner, server name, data description and Electronic Information Security Classification. Enhancements of the standard procedures for Electronic Information Secure Handling and Protection will also be documented in the Information Register.

Data sets:
Data related to a specific purpose or topic.

Critical: This classification applies to highly sensitive information

  • where the unauthorised disclosure would seriously and adversely impact the University, its employees, its students and/or its partner organisations; and
  • access to which is strictly limited to a selected group or process.

Critical Information is information that, if compromised, would:

  • place the University in breach of its legal and regulatory responsibilities.

Examples of critical information:

  • Credit card numbers: Credit card numbers are targeted by internet theft;
  • Tax file numbers: Tax file numbers are required by the Australian Tax Office to be stored and used securely. Failure to adopt appropriate measures could see the University in breach of its legal responsibilities;
  • Health Information: Health information is highly sensitive and subject to a number of statutory controls, including, but not limited to, the Privacy Act and the Health Records Act. The accidental disclosure of health information could result in significant adverse press for the University and fines for breaches of data confidentiality requirements.

Protected:     This classification applies to sensitive information:

  • that is related to University operations and where access is limited to a selected group or process; and
  • where unauthorised disclosure may adversely impact the University, its employees, its students and/or its partner organisations.

Examples of protected information:

  • financial information such as purchase orders
  • Disciplinary Committee Meeting Minutes
  • Staff Employment Contracts 

Restricted:   This classification applies to confidential information:

  • that does not include sensitive information, but is created or received within the University (including by students) and used internally; and
  • the release of this information would not cause damage to the University, its employees, its students and/or its partner organisations; and
  • approval from the information owner must be obtained before restricted information can be made public information.

Examples of restricted information:

  • course materials
  • employment opportunities at Monash (Staff Only).

Public: This classification applies to publicly available information:

  • public information that is made available, or released to the general public; and
  • where no adverse effects are expected to result from the wide circulation of this information.

Examples of public information:

  • the Monash University home page (www.monash.edu.au)
  • Faculty course lists
  • employment opportunities at Monash (Open).

Unclassified:  This classification relates to information that has not been classified:

  • unclassified information is to be treated as protected until classified

General Procedures

    1. In accordance with the Electronic Information Classification Policy the Information Owner will review and define information for their functional area on an annual basis.
    2. The Information Owner will promulgate information security classifications and procedures for handling data sets for their functional area to Information Custodians and Information Users.
    3. The Information Owner will conduct audits to identify critical information and ensure the defined procedures have been followed.
    4. The Information Owner will maintain Information Registers for their functional area with details as indicated in Appendix 1.
    5. The Information Owner will complete an annual return, in the format prescribed in Appendix 2, certifying that their responsibilities under the Electronic Information Security Classification Policy have been met.
    6. Any disputes regarding the appropriate classification of information will be resolved by a panel consisting of the University Privacy Officer, Human Resources Division, and representatives from the University Solicitor’s Office, Audit & Risk Management Office, and Security & Risk Section, Information Technology Services.
    7. Information Custodians and Information Users will discharge their responsibilities in accordance with the classification table in Appendix
    8. Any deviation from the requirements will necessitate a waiver in the form of written approval from the Information Owner. The waiver will be recorded on the Information Owner’s Information Register.
    Appendix 1: Table of Critical, Protected and Restricted Electronic Information

    CLASSIFICATION

    STORAGE

    ACCESS

    USE

    TRANSMISSION

    DISPOSAL

    Critical

    Information, other than that stored on secondary backup devices, must be stored on non-transportable, non-removable storage devices under the control of Information Technology Services (ITS).

     

     

     

     

     

     

     

     

     

    Relevant fields must be encrypted using an approved encryption method.

    Access to records and files must be restricted to specific job roles, requires authentication and password protection.

    Repairs to storage devices must be undertaken onsite and under supervision of ITS staff.

     

    Use is prescribed by the Information Owner and is generally not available outside the Information Owner’s domain (exceptions are Government bodies, financial institutions).

    Information must be encrypted using an approved encryption method when transmitted.

    Information must not be made available via the Internet, the wireless network or by facsimile.

    Transmission must only be by a dedicated secure link (e.g. DEEWR, credit card gateway) or transported by hand.

     

    Information must be removed before the storage device is retired or reused. If not able to be removed, the device must be destroyed.

    Information must only be stored on transportable and removable storage devices if they are secondary (backup) devices under the control of ITS.

     

    Relevant fields must be encrypted using an approved encryption method.

    Record and file access must be password protected.

    Repairs to secondary storage devices must be undertaken onsite and under supervision of ITS staff.

    Devices must be stored in a secured (locked) location. 

    Backup devises must only be accessed in an emergency or failure of non-removable storage devices.

     

    Information must be encrypted using an approved encryption method during transmission and whilst stored on secondary devices.

     

    Information must be removed before the secondary storage device is retired or reused. If not able to be removed, the device must be destroyed.

     

    Protected

    All storage devices[1]

    Access to records and files must be restricted to specific job roles, requires authentication and password protection.

    Repairs to storage devices must be undertaken onsite and under supervision of Monash staff.

    Transportable devices must be stored in a secured (locked) location. 

     

    Use is prescribed by the Information Owner and is

    available within the Information Owner’s domain and to specific University domains. Generally not available outside the University (exceptions are Government bodies, financial institutions).

    Information must be encrypted using an approved encryption method if transmitted outside the Monash network. Information may be transmitted unencrypted within the Monash network.

    Information must be removed before the storage device is retired or reused. If not able to be removed, the device must be destroyed.

    Restricted

    All storage devices.

    Access to records and files requires authentication and password protection.

    Transportable devices should be stored in a secured (locked) location.

     

    Use is prescribed by the Information Owner.

     

    Information may be transmitted unencrypted inside and outside of the Monash network. 

    Information should be removed before the storage device is retired or re-used.

    [1]Includes all non-transportable storage devices and transportable devices such as floppy discs, removable hard drives, CDs, DVDs, USB flash drives and memory sticks, laptops, tablet computers, PDAs, mobile phones with text capability, other devices.

    Interpretation

    Keyword

     

    Interpretation

    MUST

     

    The item is mandatory. See also ‘waivers against must and must not’ below.

    MUST NOT

    Non-use of the item is mandatory. See also ‘waivers against must and must not’ below.

     

    SHOULD

    Valid reasons to deviate from the item may exist in particular circumstances, but the full implications need to be considered before choosing an alternative course. See ‘deviations from should and should not’ below.

     

    SHOULD NOT

    Valid reasons to implement the item may exist in particular circumstances, but the full implications need to be considered before choosing this course. See ‘deviations from should and should not’ below.

     

    Waivers against ‘MUST’ and ‘MUST NOT’: Where it is required to deviate from a MUST’ or ‘MUST NOT’ statement in these procedures, written approval must be obtained from the Information Owner and maintained in the Information Register for the functional unit. The following details must be supplied:

    (a)              The reasons for the deviation,
    (b)              An assessment of the residual risk resulting from the deviation,
    (c)              A date by which to review the decision, and
    (d)              Management’s approval.

    Deviations from ‘SHOULD’ and ‘SHOULD NOT’: Where it is required to deviate from a ‘SHOULD’ or ‘SHOULD NOT’ statement, written approval must be obtained as for a waiver, and should be retained by the unit.

    Information Classification Register Worksheet - EXAMPLE

    This table is designed to allow Information Owners to record what data is stored on computer systems and to classify that information.

    INFORMATION OWNER:     Divisional Director, Corporate Finance

    Functional

    Area

    Person Responsible for server

    Server Name and data location

    Datasets

    Data  Elements

    Data Classification

    Waiver

    details

    Financial data

    Victor I. King

    Valhalla, /export/data/widget

    Design of new super-gizmo widget

     

    Critical

     

     

     

    Valhalla, /export/data/staff

    Personnel and payroll information

    Tax file numbers

    Critical

     

     

     

     

     

    Payroll transactions(including bank accounts)

    Critical

     

     

     

     

     

    Personnel records

    Protected

     

     

     

     

     

    Leave records

    Protected

     

     

     

    Valhalla, /export/data/finance

    Financial information

    Vendor credit card details

    Critical

     

     

     

     

     

    Purchasing  transactions

    Protected

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     
    Appendix 2

    Information Classification Certification by Information Owners for the year ended 30 June 2008

    INSTRUCTIONS

    1. A tick in a ‘YES’ box indicates that you agree with the statement.
    2. A tick in a ‘NO’ box implies appropriate action will be taken in the following calendar year to rectify the situation. Provide a short description of the action to be taken in the ‘Actions’ section provided below.
    3. If you wish to qualify your response, please do so in the ‘Comments’ section provided below and reference your comments to the appropriate response.

    1.              All {functional area} information throughout Monash has been identified, classified and included in the {functional area} information register.

                                                                       Yes                           No

    2.              Access, storage, use, transportation and disposal procedures have been defined for all {functional area} information and details included in the information register.

                                                                        Yes                          No

    3.        I have reviewed information for my functional area annually.

                                                                        Yes                           No

    Actions:

          __________________________________________________________________________________

          __________________________________________________________________________________

          __________________________________________________________________________________

          __________________________________________________________________________________

          __________________________________________________________________________________

    Comments:

          __________________________________________________________________________________

          __________________________________________________________________________________

          __________________________________________________________________________________

          __________________________________________________________________________________

          __________________________________________________________________________________

    Name (please print)                               ..............................................

    Signature of Information Owner            ..............................................           

    Date                                                            ………………………….

    Functional area                                     ..............................................

    To be completed and returned to the Director, Audit and Risk

    Responsibility

    Executive Director ITS

Contact Person: Policy Role