Information security classifications
What are information security classifications?
Information security classifications are designed to categorise UQ’s information assets (physical or digital) based on its confidentiality, availability and integrity needs. A holistic, risk-based approach will consider the impact a compromise to the information asset might have on the University’s broader profile.
All data and information at UQ must have an information security classification applied.
See which information security classification to apply
Information Security Classifications are typically applied during the ‘create, capture and classify’ stage of the information lifecycle.
At UQ, the following information security classifications exist:
| Classification | Description | Example data types |
|---|---|---|
| OFFICIAL - PUBLIC |
Information that if breached owing to accidental or malicious activity would have an insignificant impact. The information is authorised for public access, however it may not be made available in the public domain. |
University strategy; published course outlines; academic calendar; published research data. |
| OFFICIAL - INTERNAL |
Information that if breached owing to accidental or malicious activity would be unlikely to cause harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on academic, research or business need. |
Identity information of staff members or students (e.g. employee number or position title); internal correspondence; business unit process and procedure; team leave calendar. |
| SENSITIVE |
Information that if breached owing to accidental or malicious activity could reasonably be expected to cause harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on strict academic, research or business need. |
Student and staff human resources data (e.g. Tax File Numbers, passport details, bank account details); organisational financial data; exam material; exam results; unpublished research data. |
| PROTECTED |
Information that if breached owing to accidental or malicious activity could reasonably be expected to cause serious harm to UQ, another organisation or an individual if released publicly. The information has a restricted audience, and access must only be authorised based on very strict academic, research or business need. |
Health records; personal data regarding persons under the age of 18; credit card data; commercially significant research results. |
The way information is then handled, shared, protected and treated is dependent upon its information security classification.
-
Refer to the Information Security Classifications Procedure and Data Handling Procedure for more information.
-
See Where to store your files and information for more information on what storage solutions are appropriate for different information security classifications.
Why are information security classifications important?
Information security classifications inform the implementation of appropriate security and other mechanisms to control the information from being leaked, manipulated or becoming unavailable.
Which information security classification should you apply?
Follow the decision tree to determine which information security classification you should apply:
Information security classification decision tree (PDF, 81.8 KB).
Information security classifications in Office 365
UQ is in the process of rolling out Office 365 Sensitivity Labels in Office 365.
Office 365 Sensitivity Labels are persistent labels assigned to an Office 365 document or email, that indicate its Information Security Classification. Additional controls to protect the information (e.g. encryption, restriction on access/sharing) are also applied to some labels.
This will help protect information and enable better clarity over the confidentiality of documents.