Organizations increasingly rely on digital information and information systems to serve the public and fulfill their mandates.
You have an important role in protecting the information you handle and the systems and devices you use.
Not all information and systems are protected in the same way. Identifying what needs to be protected and how is critical to effective cyber security.
Effective information security involves addressing the confidentiality, integrity and availability requirements of information and information systems.
These are commonly referred to as the CIA triad.
Confidentiality requirements relate to the relative harm or injury that would result from unauthorized access to, or inadvertent release of, information. Confidentiality may be assured through a variety of business processes and technical means.
Integrity requirements relate to the harm or injury that would result if an information asset were compromised by manipulation. Integrity is usually assured through technical means that prevent unauthorized access to information systems, thereby limiting the possibility of tampering.
Availability requirements relate to the harm or injury that could result if particular information is not available for authorized access and use. Availability is usually addressed through contingency plans and efforts to ensure the resilience of information systems.
Let’s think about how the confidentiality, integrity and availability of information could be breached. How would this affect the work you do?
If sensitive information was inadvertently disclosed to the public in error, this would be a compromise in confidentiality. What harm or injury could this cause? Would this impact the trust placed in your organization?
If important client information was manipulated by someone intending to harm the reputation of your organization, this would be an integrity compromise. If client data were no longer reliable, how would this affect your organization?
If malicious software, known as malware, was installed in your systems and you were locked out of a database that you needed to do your work, this would be an availability compromise. What consequences might follow?
We often think about information only while we’re using it. However, cyber security requires us to carefully consider the risks to information throughout its entire life cycle.
Here are some questions to consider:
- If you are creating or entering sensitive information on your computer, is your screen shielded from other people or can they see what you’re doing?
- When you store information, are you storing it in a location that suitably protects it? How do you know whether the location is protected? Your organization should have policies that clarify where to store information.
- If you are destroying information or disposing of assets that may contain information, are you complying with organizational policies, procedures, and standards ensuring that information is properly destroyed or disposed of based on its sensitivity level?
The information you handle and the information systems you use are important and you have a responsibility to protect them.
When in doubt, ask your manager or security official. They should be able to guide you on how to best fulfill your cyber security responsibilities.
Information Sensitivity Classification
When it comes to information, one size does not fit all.
Information classification is fundamental to an effective cyber security program.
All information must be evaluated, classified and safeguarded in accordance with its sensitivity level.
| Sensitivity level | Potential impact of unauthorized disclosure |
|---|---|
| High Sensitivity | Unauthorized disclosure could result in loss of life or impact to public safety, significant loss of confidence in or embarrassment to government, extremely serious personal or enterprise injury, major economic impact, sabotage or terrorism, or significant financial loss or social hardship. |
| Medium Sensitivity | Unauthorized disclosure could result in serious personal or enterprise injury, loss of competitive advantage, loss of confidence in a government program, moderate financial loss, or damage to partnerships or reputations. |
| Low Sensitivity | Unauthorized disclosure could result in minor injury to persons, minor financial loss, slight embarrassment, or inconvenience. |
| Unclassified | Disclosure will not result in any harm or injury and does not require prior authorization. |
Here are the steps you need to take:
- Classify the information to one of the four sensitivity levels
- Label all information with the appropriate sensitivity level
- Safeguard the information in accordance with its sensitivity level
When determining the sensitivity classification level, consider the following:
Consider the information in context
Take a look at the information and decide:
- What type of information is it?
- Where does the information appear?
- How is the information being used?
- What other information appears with it?
- What legislation applies to it?
Think about the potential for harm and injury if the information were ever disclosed without authorization:
- It might be physical injury, or even loss of life
- It might be business disruption or financial hardship – for example, unauthorized disclosure of corporate taxes or job tenders
Determine the business requirement for the information (is it governed by legislation?) and how much confidentiality the information requires (who should have access to it?).
- Should access be restricted to named individuals or positions only?
- Should access be restricted to specific work groups or units?
- Should access be restricted to people in your organization?
- Is this information designated for public consumption?
Once you’ve classified your information, you need to label it so you can safeguard it.
Why label information?
Label information to indicate that its sensitivity has been assessed. A label helps us know how to safeguard the information properly.
Information sensitivity classification labels tell you what handling measures are required. In the same way that washing symbols tell us how to care for our clothes, information sensitivity labels communicate the handling requirements needed to protect the information’s confidentiality, integrity and availability.
Information should be labelled in all stages of its life cycle. Over time, the sensitivity level may change. For example, once approval is given to release information publicly, the label might change from medium to unclassified.
All formats of information should be classified, labelled and safeguarded. This includes paper records, digital documents such as Microsoft Office files, storage media such as USB flash drives and hard drives, and videos and voice recordings.
It is a good practice to put the classification label in a clearly visible spot so others can find it easily, and on each page of documents. Labelling even “unclassified” information lets everyone know it was properly assessed.
Consider the work you do. Is the information you handle appropriately classified?
When you see a sensitivity label, it is your responsibility to know the required safeguards to protect that information.
If the required safeguards are not clear to you, speak with your manager.