|CEnet Data Classification: Sensitivity & Management Matrix|
CEnet's Data Management & Stewardship Policy
|Version Tracking:||17th October 2016: IG - Adjusted storage requirements for Level 3 data to cater for the distinction of mobile devices vs. secure data centre infrastructure.|
|Level 1: ‘Public’ Data||Level 2: ‘Administrative’ Data||Level 3: ‘Confidential’ Data|
|Examples||Examples include, but are not limited to: |
Wide and open distribution publications, press releases, information posted on and meant for open websites, brochures, news releases, customer information, most public web site content, information in the public domain, business contact (directory) information, public blog and wiki postings, some organisational email (e.g., public broadcast notices)
|Examples include, but are not limited to: |
Internal memos and emails, planning documents, logs and audit trails, routine correspondence, newsletters, phone directories, in-office memoranda, internal policies, processes, guidelines, and procedures, most email content, limited-distribution contact (directory) information, operational data of the organisation, Intranet content etc.
|Examples include, but are not limited to:|
Personally identifiable student and staff information (assessment marks, reports), financial data, purchasing information, vendor contracts, risk assessments, and internal auditing reports and findings, statutorily protected and sensitive information, and corporate information such as strategic corporate plans/financial information, student/staff records (health, assessment, personal), investigation reports and findings, identifiable personal financial data (including credit card numbers, bank accounts), restricted-use identifiers (e.g., tax file, Medicare or passport numbers etc.).
|Information Sources||Diocesan / enterprise source systems, Regulatory bodies/Government||Diocesan / enterprise source systems||Diocesan source systems, CEnet systems, and Regulatory bodies/Government (such as CECs, ACARA, BoS, AGDoE etc).|
|Criteria||Public data that is meant for staff of CEnet or its member dioceses and, in some cases, for wide and open distribution to the public at large. This corporate data does not contain regulated or confidential information. In other words, information which can be made available to anyone without exception. It is neither sensitive nor controlled.||Corporate data that is meant for a limited distribution; available only to staff of CEnet or the member dioceses that need the corporate data to support their work. This corporate data derives its value for the CEnet federation in part from not being publicly disclosed. In other words, information which management believes requires limitations on internal access on a “need-to-know” basis; information which must be available, or is needed in order for CEnet or its members to effectively perform their mission and meet legally assigned responsibilities.|
Sensitive information requires that special precautions be taken to ensure its accuracy, relevance, timeliness, and completeness. This information, if lost, could cause significant financial loss, inconvenience, or delay in performance of the missions of CEnet and/or its members, and a loss of public trust.
|Corporate data that is meant for a very limited distribution—available only to members of the CEnet federation on a strictly need-to-know basis. In other words, confidential information that has limitations placed upon its internal access and that may be disclosed only in accordance with an executive order, public law, legal statute and CEnet and/or member policies, guidelines and procedures.|
|Risks to operational continuity||Low or none||Moderate||High|
|Risks to financial viability||Low or none||Moderate||High|
|Risks to reputation and "good will"||Low or none||Moderate||High|
|Civil and criminal risks||Low or none||Moderate||High|
|Consequences of unauthorised disclosure||Some of the consequences may include but are not limited to:|
- Violating license agreements,
- Loss of access to subscription resources, or
- A financial loss for CEnet and/or its member dioceses.
|Some of the consequences may include but are not limited to: |
- Reputational and financial loss,
- A hindrance to productivity,
- A competitive disadvantage for CEnet and/or its member dioceses.
|Some of the consequences may include but are not limited to:|
- Legal sanctions for CEnet and/or its member dioceses,
- Violations of personal privacy,
- Reputational and financial loss,
- A competitive disadvantage for CEnet and/or its member dioceses.
|Access security||No requirement.||Authentication and access controls required, but set of permitted users may be large.||Authentication required, preferably with a multi-factor process. Set of permitted users is usually small. Need-to-know (a.k.a., minimum necessary) access enforced by strong access controls.|
|Storage security||No requirement. Backups and redundant storage recommended.||Backups and redundant storage required.||Backups and redundant storage required.|
Encrypted storage (and transfer to storage) recommended.
Encrypted storage particularly appropriate for mobile devices (or non-mobile devices in less secure settings) for "special status" data.
|Electronic (direct) Transmission security||No requirement.||Transmission protections recommended, including use of encryption (e.g. SSL/HTTPS) using modern ciphers.||Transmission protections required, including use of encryption for message confidentiality, integrity and non-repudiation.|
|Release To Third Parties||Available to the general public and for distribution outside of CEnet.||Intended for use only within CEnet and/or its member dioceses. May be shared outside of the federation only if there is a legitimate business need to know, and the release is approved by the data owner and the user's manager.||Access limited to as few persons as possible on a need-to-know basis. Information is very sensitive and closely monitored using auditing tools. Information is controlled from creation or acceptance to destruction or return of information. Release only permitted by appropriate policies and procedures.|
|Transmission By:||Post||Within the organisation (interoffice).||No special handling required.||No special handling required.||Sealed interoffice envelope marked and labeled “sensitive or confidential Information”. Notify recipient in advance.|
|Outside of the organisation||1st class (registered) mail preferred.||1st class mail service. Registered (traceable) post required, e.g. Registered Post, or Trackable courier.|
|Electronic||Within the organisation||No special handling required.||The use of encryption in data transfers is mandatory and locally hosted (interim) data stores are preferred. |
The use of e-mail is strongly discouraged unless encrypted.
|Outside of the organisation|
|Fax (legacy)||Location of fax machine||Located in area not accessible to general public.||Located in area not accessible to general public.||Located in area not accessible to general public and unauthorised persons.|
|Use of fax cover sheet||Required.||Required.||Required. Cover Sheet labeled “Sensitive/Confidential Information”.|
|Transmission safeguards||Reasonable care in dialing.||Reasonable care in dialing.||Telephone notification prior to transmission and subsequent telephone confirmation of receipt required.|
|Transmission By Spoken Word Standards||Conversation/ Meetings||No special precautions required.||Reasonable precautions to prevent inadvertent disclosure.||Active measures and close control to limit information to as few persons as possible. Enclosed meeting area. Public areas prohibited.|
|Telephone||Avoid proximity to unauthorised listeners. Speakerphone in enclosed area. Use generally discouraged.|
|Cellular Telephone||Use of digital telephones discouraged, landline preferred.|
|Lobby/PA announcement||Lobby/PA announcements not permitted.|
|Print, Film, Video Standards||Printed Materials||No special precautions required.||Reasonable precautions to prevent inadvertent disclosure. Store out of sight of non-authorised people.||Active measures and close control to limit information to as few persons as possible. Store out of sight in a lockable enclosure.|
|Monitors/Computer Screens||Positioned or shielded to prevent viewing by non-authorised people.||Position or shield to prevent viewing by unauthorised parties. Possible measures include physical location in a secure area, positioning of screen, use of password screen saver, etc.|
|Copying Standards||No special precautions required.||No special precautions.||Photocopying with approval by Data Owner. (Note: If a digital copier is used, cache needs to be erased.)|
|Storage Standards||Printed Material||No special precautions required.||Reasonable precautions to prevent access by non-employees.||Storage in a lockable enclosure.|
|Electronic Information||Storage permitted on all drives.||Storage on secure drives or repositories only. |
For stationary (secure) data centre infrastructure, encryption through password protection of documents or Authentication, Authorisation & Accounting (AAA) applied to databases is preferred.
Storage of data sets on mobile devices (including laptop and desktop computers) is permitted only when the device's volume is encrypted and the device is password protected.
Use of Object Reuse to erase sensitive information is required, or complete destruction of drive.
|Reasonable precautions to prevent access by unauthorised personnel.||Encrypted storage and backup tape in a secure place or container|
|Location||No special precautions required.||Must comply with regularly reviewed standards||Must comply with regularly reviewed standards|
|Destruction Standards||Destruction||No special precautions required.||Destroy in a manner that protects sensitive information.||Destroy in a manner that protects restricted information.|
|Location of disposal depots (e.g. paper bins, digital recycling etc)||Area not accessible to general public.||Secure area not accessible to unauthorised persons.|
|Paper recycling.||Permitted.||Shredding or secure recycling preferred.||Prohibited. Destruction or shredding required.|
|Magnetic media/Digital media.||No special precautions required.||Positive destruction or overwrite sensitive information.||Certified destruction.|
|Physical Security Standards||Computer/Workstations||Password screen-saver to be used when briefly unattended. Sign-off or power-off workstations or terminals when not in use or leaving work.||Password screen-saver to be used when briefly unattended. Sign-off or power-off workstations or terminals when not in use or leaving work.||Do not leave data unattended. Sign-off or power-off workstations or terminals when not in use or when leaving the work area.|
|Printing Documents||No special precautions required.||When printing is necessary, documents must not be left unattended.||When printing is necessary, documents must not be left unattended. The person attending the printer must be authorised to examine the restricted information being printed.|
|Office Access||Access to areas containing sensitive information should be physically restricted.||Access to areas containing restricted information should be physically restricted. Restricted information must be locked when left in an unattended room.|
|Laptops, devices, etc.||Password screen-saver to be used when briefly unattended. Sign-off or power-off when not in use. Password to be required to access device.||Computer must not be left unattended at any time unless the Restricted information is encrypted or the hardware is secured in a locked file cabinet, room, or safe.|
|Retention Requirements||No special precautions required.||Must comply with regularly reviewed standards||Must comply with regularly reviewed standards|