
Information Security Classification Procedure

| Ref. No. | Executive sponsor | Policy steward | Approval authority | First approved | Last reviewed | Effective date | Next review |
|---|---|---|---|---|---|---|---|
| 64.02 | Vice President, College Services and Strategy | Director, Digital Innovation & Technology | Executive Council | Feb. 19, 2019 | | Feb. 19, 2019 | Jan. 2020 |

  1. Purpose
    1. The purpose of this procedure is to set out the minimum standards necessary for classifying various types of College Information Resources so that reasonable security arrangements and Records Management protocols can be applied to such information.
  2. Scope
    1. This procedure applies to all data, documents and images (paper and electronic) created and managed for any business purpose by the College.
    2. NSCC’s Records Management Program (RMP) (currently under development) will use this procedure to classify security levels for all College Records.
    3. This procedure will be used to support the development of consistent policies and procedures for appropriate access, transmission, storage, and destruction of College Records.
    4. This procedure will serve as a guideline for College employees tasked with managing requests for disclosure of information under the Nova Scotia Freedom of Information and Protection of Privacy Act (FOIPOP), and Access to / Correction of Personal Information under said Act.
  3. Definitions
    1. Acronyms will be used in this document as follows: The first reference to a term or title will include the full text followed by the (ACRONYM). All subsequent references will use only the ACRONYM.
      1. FOIPOP refers to the Nova Scotia Freedom of Information and Protection of Privacy Act.
      2. PIIDPA stands for the Personal Information International Disclosure Protection Act.
      3. PCI-DSS refers to Payment Card Industry Data Security Standards.
      4. REB refers to the NSCC Research Ethics Board.
      5. RMP refers to the NSCC Records Management Program.
      6. SLF refers to the NSCC Senior Leadership Forum.
    2. Administrative Authority means Senior Leadership Forum (SLF) members with administrative responsibility for Units (including Vice Presidents, Associate Vice-Presidents, Deans, Directors, and Campus Principals) and individuals with functional stewardship of College Information Resources.
    3. Unit means a group of Users, linked by a common interest or purpose, including but not limited to:
      1. academic schools, campuses, departments, etc.
      2. specifically identified Information Resource user groups (e.g. PeopleSoft HR, Student, Finance users)
    4. User means any individual or Unit that uses or accesses College Information Resources.
    5. Information Resources means assets and infrastructure owned by, explicitly controlled by, or in the custody of the College including but not limited to Records, data, electronic services, network services, software, computers, and Information Systems.
    6. Multi-factor authentication is a method of confirming a user's claimed identity in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).
    7. Personal Information, as defined in PIIDPA, is information about an identifiable individual as defined in the FOIPOP. The FOIPOP definition of Personal Information includes:
      1. the individual’s name, address or telephone number,
      2. the individual’s race, national or ethnic origin, colour, or religious or political beliefs or associations,
      3. the individual’s age, sex, sexual orientation, marital status or family status,
      4. an identifying number, symbol, or other particular assigned to the individual,
      5. the individual’s fingerprints, blood type or inheritable characteristics,
      6. information about the individual’s health-care history, including a physical or mental disability,
      7. information about the individual’s educational, financial, criminal or employment history,
      8. anyone else’s opinion about the individual, and
      9. the individual’s personal views or opinions, except if they are about someone else.
    8. Records means documents created or received, and retained in the day-to-day operations of business. This includes, but is not limited to, documents, maps, drawings, photographs, letters, vouchers, papers, and any other thing on which information is recorded or stored by graphic, electronic, mechanical, or other means, but does not include a computer program or any other mechanism that produces records.
    9. Records Management means the creation, use, maintenance, storage, retrieval, disposition, and preservation of all forms of recorded information produced by the College in the conduct of its operations.
  4. Policy
    1. Assigning an Information Security Classification Level
      1. All College Information Resources require security classification at the level appropriate for that resource, in accordance with the classification levels set out in sections 4.2 and 4.3.
      2. The security classification level of the Information Resource establishes the extent and type of security arrangements that must be implemented in order to protect the Information Resource.
      3. Prior to assigning a security classification level, Units must be aware of relevant legislative requirements, regulatory obligations, and relevant College policies and procedures. Units may also refer to industry standards and best practices for further direction where applicable.
      4. Administrative Authorities are expected to classify and manage the Information Resources for which they are responsible based on a reasonable understanding of the overall importance of the Information Resource to the College.
      5. Where appropriate, Administrative Authorities should refer to the Archival Records Policy (TBD) to determine when and how resources should be retained and managed as an archival record of the Nova Scotia Community College and its predecessor institutions.
      6. Administrative Authorities are expected to ensure that Users in their Units manage Information Resources according to the assigned security classification.
      7. Security classification levels are applied to broad information types or categories, rather than individual records.
      8. Where it is unclear which security classification level is most appropriate or when dealing with large volumes of information, Units should employ the highest appropriate classification level.
      9. Where an Information System or Record contains both information classified as public and information classified at a higher level, the combined information must be managed at the higher confidentiality level (e.g. when redacting sensitive information from information requested under FOIPOP).
      10. In deciding which security classification level is most appropriate, Units will take into account that a large volume of information could result in an increased risk of disclosure of sensitive information, necessitating the use of a higher security classification level. For example, in managing the disposition of e-mail files, it would be impractical to differentiate message contents, and doing so would be contingent on the availability of systematic controls.
    2. Information Classification – Risk Assessment Guidelines
      Units will classify their Information Resources using the classification levels in the following chart as a guide.
      | | Highly Confidential | Confidential | Internal | Public |
      |---|---|---|---|---|
      | Definition | Information Resource is so sensitive or critical that it is entitled to extraordinary protections, as defined in section 4.3. | Information Resource is considered to be highly sensitive business or Personal Information, or a critical system. It is intended for a very specific use and may not be disclosed except to those who have explicit authorization to review such information, even within a workgroup or Unit. | Information that is intended for use within the College or within a specific workgroup, Unit or group of individuals with a legitimate need-to-know. Internal Information is not approved for general circulation outside the workgroup or Unit. | Information that has been approved for distribution to the public by the information owner or Administrative Authority or through some other valid authority such as legislation or policy. |
      | Legal Requirement | Protection of information where it is required by law or regulation (e.g. FOIPOP or PCI-DSS), or as determined by contractual obligation. | The College has a contractual or legal obligation to protect the information. | The College has a contractual obligation to protect the information. | Information may be mandated by legislation (e.g. FOIPOP) to be public information. |
      | Reputational Risk | Critical loss of trust/credibility. Significant media attention. Business unit will be subject to special training and processes. | Significant loss of trust/credibility. Guaranteed to generate media attention and increased scrutiny. | Potential for lost trust/credibility. May generate some media attention and result in increased scrutiny. | No impact on reputation. |
      | Operational Risk | Risk will render the business unit unable to achieve its overall objectives or mandate. | Significant impact on business unit’s ability to achieve its objectives. | Moderately impacts business unit’s ability to achieve its objectives. | Little or no impact on the business unit’s ability to achieve its objectives. |
      | Financial Risk | Major revenue loss, or impact on business unit budget, including research funding, or fines. | Significant revenue loss, or impact on business unit budget, including research funding, or fines. | Minor negative financial impact for the business unit. | Impact is within normal operating budget margin fluctuations. |
      | Disclosure Risk | Highly-adverse negative impact on the College, individuals or affiliates, including identity theft. | Moderately-adverse negative impact on the College, individuals or affiliates, including identity theft. | Possible adverse impact on the College, individuals or affiliates. | Disclosure of public information requires no further authorization and may be freely disseminated without potential harm to the College or its affiliates. |
    3. Information Classification – Protection Practices for Access, Transmission, Storage and Destruction
      Units will implement protection practices for their Information Resources according to the classification levels in the following chart.
      Highly Confidential Confidential Internal Public
      Access Access is limited to specific named individuals or positions. Access is limited to individuals in a specific function, group, or role. Access is limited to employees and other authorized Users for business related purposes. No access restrictions
      Access Multi-factor authentication will be enabled for those named individuals granted access Principles of least-privilege and need-to-know must be applied. Access must be revoked as soon as reasonably possible when Users leave the College or the custodial Unit. No access restrictions
      Access Principles of least-privilege and need-to-know must be applied Access must be revoked as soon as reasonably possible when Users leave the College or custodial Unit Access must be revoked as soon as reasonably possible when Users leave the College or the custodial Unit. No access restrictions
      Access Access must be revoked immediately when users leave the College or the custodial Unit.
      Transmission Encryption for public networks (e.g. wireless, Internet). Encryption for public networks (e.g. wireless, Internet). Encryption strongly recommended on public networks (e.g. wireless, Internet) No special handling required.
      Transmission Encryption strongly-recommended on trusted, internal networks Encryption strongly recommended on trusted, internal networks. Third-party email providers are not appropriate for transmitting. Encryption strongly recommended on public networks (e.g. wireless, Internet) No special handling required.
      Transmission Third-party email providers are not appropriate for transmitting. Encryption strongly recommended on trusted, internal networks. Third-party email providers are not appropriate for transmitting. Encryption strongly recommended on public networks (e.g. wireless, Internet) No special handling required.
      Transmission Data may be masked instead of encrypting. Data may be masked instead of encrypting. Clearly marked "confidential" on sealed mailings. Encryption strongly recommended on trusted, internal networks. Third-party email providers are not appropriate for transmitting. No special handling required.
      Transmission Double envelope mailings for hardcopy records Data may be masked instead of encrypting. Clearly marked "confidential" on sealed mailings. Encryption strongly recommended on trusted, internal networks. Third-party email providers are not appropriate for transmitting. No special handling required.
      Storage Stored within a controlled-access system (e.g., password protected file or file system, locked file cabinet, alarmed area). Stored within a controlled-access system (e.g., password protected file or file system, locked file cabinet, alarmed area). Stored within a controlled- access system (e.g., password protected file or file system, locked file cabinet). No special safeguards required.
      Storage Additional controls implemented as necessary to comply with relevant legislation or other requirements. Encryption mandatory on mobile devices and workstations, and strongly-recommended in all environments Encryption strongly recommended in all environments. No special safeguards required.
      Storage Encryption mandatory on mobile devices and workstations, and strongly recommended in all environments Implement “clean desk” policy
      Must be stored in Canada
      Storage Implement “clean desk” policy
      Storage Must be stored in Canada
      Destruction Shredded or erased in accordance with the College’s Guidelines for the Secure Destruction of Information Shredded or erased in accordance with the College’s Guidelines for the Secure Destruction of Information Shredded or erased in accordance with the College’s Guidelines for the Secure Destruction of Information Recycle
    4. Information Classification Examples
      The following chart provides examples of the types of information and their security classification.

      Highly Confidential
      Information Resource is so sensitive or critical that it is entitled to extraordinary protections, as defined in 4.3.
      Authentication Credentials
      Appeals and grievances
      Survey Data containing personal information
      *Personal Information about students and employees (see Appendix A)
      Legal Suits
      Academic concessions
      Closed or In Camera Board documents


      Confidential
      Research Information: Research Information: Donor/Alumni Information:
      Information Resource is considered to be highly sensitive business or Personal Information, or a critical system. It is intended for a very specific use and may not be disclosed except to those who have explicit authorization to review such information, even within a workgroup or Unit. Sensitive Research Data Certificate/ license numbers, devices IDs and serial #'s, email, URLs, IP Addresses Donor profile (personal & family history)
      Research information (Granting Agency Agreements, Other IRB Governance Information protected by non-disclosure agreements
      Employee Information: Business/Vendor Data: Enrolled/Prospective Student: Enrolled/Prospective Student: Other Institutional Date:
      Access device numbers (keys, building access codes) Contract information (between NSCC and a 3rd party) Student financials Information protected by non-disclosure agreements Confidential information in contracts
      Information protected by non-disclosure agreements Access device numbers (building access code, etc) Access device numbers (keys, building access codes) Payment Guarantor's and Beneficiary Information Physical plant detail
      Personal financial information, including non-NSCC income level and sources Biometric identifiers

      Enrolment status of an individual
      Reference letters

      User Account passwords
      Student contact/class lists Critical infrastructure detail


      Internal
      Information that is intended for use within the College or within a specific workgroup, Unit or group of individuals with a legitimate need-to-know. Internal Information is not approved for general circulation outside the workgroup or Unit.
      Budget Information
      Student Number (W#)
      CCTV/Video Recordings?
      Department procedures
      Employee Number (W#)
      Survey Data not containing personal information
      Card Swipe/ Security Data?


      Public
      Information that has been approved for distribution to the public by the information owner or Administrative Authority or through some other valid authority such as legislation or policy.
      Annual Reports
      Advertising and Media Releases
      Employee Directory Listings
      Academic Calendar
      Job Postings
      Training Manuals
      Product and Service Information
      Campus Maps
      Open-Session Board Minutes
      Name of diploma and certificate recipients
      Published Research presentations or papers


      Prohibited
      Certain information may be deemed by industry regulations, legislation, or other mechanism to be Prohibited. Such information may not be collected or stored by the College in any form.
      PCI Card Holder Data
  5. Policy Supports

Related Policies and Procedures

64.01 Information Security Policy
64.02 Information Security Classification Procedure
64.03 Password Management Procedure
64.04 Access Control Procedure
64.05 Physical and Environmental Security Procedure
64.06 Physical Access to IT Infrastructure Procedure
64.07 Secure Disposal or Reuse of Equipment Procedure

Relevant Legislation

Nova Scotia Freedom of Information and Protection of Privacy Act
Nova Scotia Government Records Act
Nova Scotia Community Colleges Act

  6. Appendix A - Field Level Data Classified as Personal Information
Personal Information
SIN
Name
Address
Phone Numbers
Health care data
Diversity Information (Human Rights)
Financial information
Personnel Files
Personal vehicle information
Criminal Record checks
Health, Disability or counselling information
Personally-identifiable research information
Harassment and discrimination reports
Personal Information Student Employee Donor
Driver's License #
License Plate #
Biometric identifiers
Student grades
Any other identifying number, characteristic or code
Home/ Personal Address, phone number, cell number, email address
Payment Guarantor's and Beneficiary Information
Accounting information (tax records, employee payroll, etc.)
Insurance benefit information
Pension records
Employee demographic information
Donor's Name
Bank account numbers, amount donated