
INFORMATION SECURITY CLASSIFICATION GUIDELINES

Government owns and manages a wide range of information, from public to personal and extremely sensitive information. In principle, information is protected commensurate with its value and sensitivity. The value and sensitivity of the information is the key to classifying it. Information security classification is a fundamental step in protecting against the risks associated with the unauthorized disclosure, use or loss of government information assets. All security countermeasures to protect the information are determined by its security classification level.

If information is not classified, program areas may apply either unnecessarily expensive controls or inappropriately weak controls. This may result in wasted resources or a high risk of information misuse, loss or disclosure. Information security classification enables the selection and implementation of adequate security controls.

Ministry is required to identify and categorize information, based on the degree of damage that could reasonably be expected to result from compromise of the information.

Government uses the classification criteria defined in the Information Security Classification Framework. On the next page, the definition and examples of each classification level are presented in the context of the ministry businesses.

A brief description of the framework is as follows:
- As defined in the information security classification standard, there are three information security classification levels: High, Medium and Low. These security levels are consistent with risk classifications used in other areas of government.
- For each classification level, a detailed description is provided to describe the potential level of risk or harm in the financial, personal, and operational aspects.
- Illustrative examples are provided to show that there is an associated financial, personal and/or operational harm when business information or systems are subject to a breach. These examples are provided for a better understanding of each classification level.
- Once information is classified, the information needs to be labelled. Labels are linked to an associated classification level. Information in the same level can be labelled differently, since it may need to be handled differently even though it is protected with the same level of protection measures. For example, Cabinet Confidential information and High Sensitivity information will receive the same level of protection but they will be handled differently due to business processes and handling requirements.
- There are six labels: Cabinet Confidential (High), High Sensitivity (High), Personal (Medium), Medium Sensitivity (Medium), Low Sensitivity (Low), and Public (Low).

The government's Information Security Classification Framework is flexible enough to classify the security requirements of all government records as defined in the Interpretation Act:

    "record" includes books, documents, maps, drawings, photographs, letters, vouchers, papers and any other thing on which information is recorded or stored by any means whether graphic, electronic, mechanical or otherwise.

As information security classification is closely related to records management and risk management, the framework and labelling could be applied through the ministry processes and/or the following means:
- TRIM, the corporate records management system, which can facilitate the labelling of records.
- Citicus ONE, the corporate risk directory, which currently captures the risk assessments for government systems, can facilitate the application of the information security classification.
- The data custodianship provisions of data governance, which require that data at all levels have an understood security review.

The Ministry Information Security Officer (MISO) is the single point of contact for advice, guidance and communication about information security classification. The Ministry single point of contact works closely with the Ministry Records Officer and the Information Access Operations of Shared Services BC to implement the information security classification with respect to records management and FOIPP (Freedom of Information and Protection of Privacy).

Security Classification: PUBLIC

Sensitivity Classification: HIGH

Definition

Could possibly be expected to cause extremely serious personal or enterprise injury, including any combination of:

Financial harm, such as:
  a. Extremely significant loss of money or tangible assets
  b. Extremely significant penalties or recovery costs incurred

Operational harm, such as:
  a. Severely impaired decision making, resulting in severe loss of program control
  b. Program closure or serious sanctions as a result of breach of legislation, contract or regulatory standards
  c. Major political impact: complete and extended loss of public trust of or confidence in government

Personal harm, such as:
  a. Loss of life
  b. Extreme hazard to public safety
  c. Widespread social hardship
  d. Major provincial economic hardship

Illustrative Examples

- Personal information combined with any highly sensitive information.
- Cabinet documents.
- Extremely confidential information and information that is intended for access by named individuals or positions only.
- Justice sector confidential information (e.g., law enforcement information, court information, witness protection programs).
- Provincial budget prior to public release.
- Crisis communication during emergencies and provincial response plan and logs.
- Emergency information (e.g., pandemic, natural disasters).
- Information systems used for testing food or water supplies that could result in loss of life or severe illness.
- Extremely large financial transactions (e.g., over $1 million).

Labels

- High Sensitivity
- Cabinet Confidential

Sensitivity Classification: MEDIUM

Definition

Could possibly be expected to cause serious personal or enterprise injury, including any combination of:

Financial harm, such as:
  a. Significant financial loss, penalty, or recovery expense

Operational harm, such as:
  a. Significant impact on service levels
  b. Serious loss of confidence in a government program
  c. Damage to partnerships, relationships and reputation
  d. Staff forced to resign

Personal harm, such as:
  a. Serious personal hardship or embarrassment

Illustrative Examples

- Sensitive personal information (personal medical or health information, tax information, information describing personal finances, eligibility information for social benefits).
- Information intended for a specific group only.
- Trade secrets or intellectual property.
- Business or other third party information.
- Provincial standardized tests for schools.
- Information relating to minors (e.g., adoption and foster records, medical and forensic psychiatric services).
- Information on young offenders.
- Citizen payments of benefits (e.g., BC Benefits, Disability Benefits, Guaranteed Available Income for Need).
- Business Continuity Plan information.
- Identity information that could be used for criminal purposes (e.g., from Vital Stats, ICBC).
- Information on investigations and active incidents.
- Law enforcement records.
- Employee personnel files and work history data.
- Information systems that must not be unavailable beyond 1 business day.
- Financial management information systems (e.g., payroll, payments, accounts receivables, over $100,000).

Labels

- Medium Sensitivity
- Personal*

*The Personal label is used for information that identifies a person and whose disclosure may cause serious harm to the person. When "personal" information is combined with more sensitive information, it should be classified as "High".

Sensitivity Classification: LOW

Definition

Could reasonably be expected to cause limited or no injury to individuals or enterprises, including any combination of:

Financial harm, such as:
  a. Limited financial loss

Operational harm, such as:
  a. Limited impact on service levels
  b. Reduced staff effectiveness due to loss of morale

Personal harm, such as:
  a. Minor embarrassment or inconvenience

Illustrative Examples

- Pre-approved personal information for release.
- Information that is generally available to employees and approved non-employees (e.g., contractors, vendors, service providers, or consultants).
- Non-sensitive information, suitable to release.
- Ordinary meeting agendas and minutes.
- Communications to claims clerks.
- Job applicants' names.
- External press releases, media/public distribution.
- Operational procedures related to non-critical activities.
- Provincial budget after public release.
- Public accounts after publication.
- Public education materials.
- Information systems that can be down for up to 3 days.
- Financial transactions (e.g., under $100,000).
- Information published by government, which requires integrity protection.

Labels

- Low Sensitivity
- Public
