Data Classification - Data Sensitivity & Management Matrix
 Share
The version of the browser you are using is no longer supported. Please upgrade to a supported browser.Dismiss

 
View only
 
 
ABCDEFGH
1
The CEnet Data Classification Policy can be found here.
2
CEnet Data Classification: Sensitivity & Management Matrix
3
Level 1: ‘Public’ DataLevel 2: ‘Administrative’ DataLevel 3: ‘Confidential’ Data
4
Verison Tracking:17th October 2016: IG - Adjusted storage requirements for Level 3 data to cater for the distinction of mobile devices vs. secure data centre infrastructure.
5
ExamplesExamples include, but are not limited to:
CEnet or member diocese staff, Wide and Open Distribution Publications,
press releases, information posted on and meant for open websites, brochures, news releases, customer information, most public web site content, information in the public domain, business contact (directory) information, public blog and wiki postings, some organisational email (e.g., public broadcast notices)
Examples include, but are not limited to:
Internal memos and emails, planning documents, logs and audit trails, routine correspondence, newsletters, phone directories, in-office memoranda, internal policies, processes, guidelines, and procedures, most email content, limited-distribution contact (directory) information, operational data of the organisation, Intranet content etc.
Examples include, but are not limited to:
Identifiable student and staff data (assesment marks, reports), financial data, purchasing information, vendor contracts, risk assessments, and internal auditing reports and findings, statutorily protected and sensitive information, and corporate information such as strategic corporate plans/financial information, student/staff records (health, assesment, personal), investigation reports and findings, identifiable personal financial data (including credit card numbers, bank accounts), restricted-use identifiers (e.g., tax file, medicare or passport numbers etc).
6
Information SourcesDiocesan source systems, Regulatory bodies/GovernmentDiocesan source systemsDiocesan source systems, CEnet systems, and Regulatory bodies/Government (such as CECs, ACARA, BoS, AGDoE etc).
7
CriteriaPublic data that is meant for staff of CEnet or its member dioceses and in some cases wide and open distribution to the public at large. This corporate data does not contain regulated or confidential information. In other words, information, which can be made available to anyone without exception. It is neither sensitive nor controlled.Corporate data that is meant for a limited distribution; available only to staff of CEnet or the member dioceses that need the corporate data to support their work. This corporate data derives its value for the CEnet federation in part from not being publicly disclosed. In other words, information which management believes requires limitations on internal access on a “need-to-know” basis, Information, which must be available; or is needed in order for CEnet or its members to effectively perform its mission and meet legally, assigned responsibilities.

Sensitive information requires that special precautions be taken to ensure its accuracy, relevance, timeliness, and completeness. This information, if lost, could cause significant financial loss, inconvenience, or delay in performance of CEnet and/or its members missions and a loss of public trust.
Corporate data that is meant for a very limited distribution—available only to members of the CEnet federation on a strictly need-to-know basis. In other words, confidential information that has limitations placed upon its internal access and that may be disclosed only in accordance with an executive order, public law, legal statute and CEnet and/or member policies, guidelines and procedures.
8
Risks to operational continuityLow or noneModerateHigh
9
Risks to financial viabilityLow or noneModerateHigh
10
Risks to reputation and "good will"Low or noneModerateHigh
11
Civil and criminal risksLow or noneModerateHigh
12
Consequences of unauthorised disclosureSome of the consequences may include but are not limited to:
Violating license agreements, loss of access to subscription resources, or a financial loss for CEnet and/or its member dioceses
Some of the consequences may include but are not limited to:
Reputational and financial loss, a hindrance to productivity, a competitive disadvantage for CEnet and/or its member dioceses.
Some of the consequences may include but are not limited to:
Legal sanctions for CEnet and/or its member dioceses, violations of personal privacy, reputational and financial loss, a competitive disadvantage for the CEnet and/or its member dioceses.
13
Access securityNo requirement.Authentication and access controls required, but set of permitted users may be large.Authentication required, possibly with multi-factor process. Set of permitted users is usually small. Need-to-know (a.k.a., minimum necessary) access enforced by strong access controls.
14
Storage securityNo requirement. Backups or redundant storage recommended.Backups or redundant storage required.Backups or redundant storage required. Encrypted storage (and transfer to storage) recommended. Encrypted storage particularly appropriate for mobile devices (or non-mobile devices in less secure settings) for "special status" data.
15
Electronic (direct) Transmission securityNo requirement.Transmission protections recommended, including use of encryption (e.g. SSL/HTTPS).Transmission protections required, including use of encryption for message confidentiality, integrity and non-repudiation.
16
Release To Third PartiesAvailable to the general public and for distribution outside of CEnet.Intended for use only within CEnet and/or its member dioceses. May be shared outside of the federation only if there is a legitimate business need to know, and is approved by the data owner and users manager.Access limited to as few persons as possible on a need to know basis. Information is very sensitive and closely monitored using auditing tools. Information is controlled from creation or acceptance to destruction or return of information. Release only permitted by appropriate policies and procedures.
17
Transmission By:PostWithin the organisation (interoffice).No special handling required.No special handling required.Sealed inter-office envelope marked and labeled “sensitive or confidential Information”. Notify recipient in advance.
18
Outside of the organisation1st class (registered) mail preferred.1st class mail service. Registered (traceable) post required, e.g. Registered Post, or Trackable courier.
19
ElectronicWithin the organisationNo special handling required.The use of encryption in data transfers is mandatory and locally hosted (interim) data stores are preferred.
The use of e-mail is strongly discouraged unless encrypted.
20
Outside of the organisation
21
FaxLocation of fax machineLocated in area not accessible to general public.Located in area not accessible to general public.Located in area not accessible to general public and unauthorised persons.
22
Use of fax coversheetRequired.Required.Required. Coversheet labeled “Sensitive/Confidential Information”.
23
Transmission safeguardsReasonable care in dialingReasonable care in dialing.Telephone notification prior to transmission and subsequent telephone confirmation of receipt required.
24
Transmission By Spoken Word StandardsConversation/ MeetingsNo special precautions required.Reasonable precautions to prevent inadvertent disclosure.Active measures and close control to limit information to as few persons as possible. Enclosed meeting area. Public areas prohibited.
25
TelephoneAvoid proximity to unauthorised listeners. Speakerphone in enclosed area. Use generally discouraged.
26
Cellular TelephoneUse of digital telephones discouraged, landline preferred.
27
Lobby/PA announcementLobby/PA announcements not permitted.
28
Print, Film, Video StandardsPrinted MaterialsNo special precautions required.Reasonable precautions to prevent inadvertent disclosure. Store out of sight of non authorised people.Active measurers and close control to limit information to as few persons as possible. Store out of sight in a lockable enclosure.
29
Monitors/Computer ScreensPositioned or shielded to prevent viewing by non authorised peoplePosition or shield to prevent viewing by unauthorised parties. Possible measurers include, physical location in secure area, positioning of screen, use of password screen saver, etc.
30
Copying StandardsNo special precautions required.No special precautions.Photocopying with approval by Data Owner. (Note: If a digital copier is used, cache needs to be erased.)
31
Storage Standards
Printed MaterialNo special precautions required.Reasonable precautions to prevent access by non-employees.Storage in a lockable enclosure.
32
Electronic InformationStorage permitted on all drives.Storage on secure drives or repositories only.
For stationary (secure) data centre infrastructure, encryption through password protection of documents or Authentication, Authorisation & Accounting (AAA) applied to databases is preferred.
Storage of data sets on mobile devices (including laptop and desktop computers) is permitted only when the devices volume is encrypted, and the device is password protected.
Use of Object Reuse to erase sensitive information is required, or complete destruction of drive.
33
EmailReasonable precautions to prevent access by unauthorised personnel.Encrypted storage and backup tape in a secure place or container
34
LocationNo special precautions required.Must comply with regularly reviewed standardsMust comply with regularly reviewed standards
35
Destruction Standards



DestructionNo special precautions required.Destroy in a manner that protects sensitive information.Destroy in a manner that protects restricted information.
36
Location of disposal depots (e.g. paper bins, digital recycling etc)Area not accessible to general public.Secure area not accessible to unauthorised persons.
37
Paper recycling.Permitted.Shredding or secure recycling preferred.Prohibited. Destruction or shredding required.
38
Magnetic media/Digital media.No special precautions required.Positive destruction or overwrite sensitive information.Certified destruction.
39
Physical Security StandardsComputer/WorkstationsPassword screen-saver to be used when briefly unattended. Sign-off or power-off work stations or terminals when not in use or leaving work.Password screen-saver to be used when briefly unattended. Sign-off or power-off work stations or terminals when not in use or leaving work.Do not leave data unattended. Sign-off or power-off workstation or terminals not in use or leaving work area.
40
Printing DocumentsNo special precautions required.Printing of documents when necessary must not be left unattended.Printing of documents when necessary must not be left unattended. The person attending the printer must be authorised to examine the restricted information being printed.
41
Office AccessAccess to areas containing sensitive information should be physical restricted..Access to areas containing restricted information should be physically restricted. Restricted information must be locked when left in an unattended room.
42
Laptops, devices, etc.Password screen-saver to be used when briefly unattended. Sign-off or power-off when not in use. Password to be required to access device.Computer must not be left unattended at any time unless the Restricted information is encrypted or the hardware is secured in a locked file cabinet, room, or safe.
43
Retention RequirementsNo special precautions required.Must comply with regularly reviewed standardsMust comply with regularly reviewed standards
44
Loading...
 
 
 
Classifications
Archive