Government owns and manages a wide range of information, from public to personal and extremely sensitive information. In principle, information is protected commensurate with its value and sensitivity. The value and sensitivity of the information is the key to classifying it. Information security classification is a fundamental step in protecting against the risks associated with the unauthorized disclosure, use or loss of government information assets. All security countermeasures to protect the information are determined by its security classification level.

If information is not classified, program areas may apply either overly expensive controls unnecessarily or inappropriately weak controls. This may result in the waste of resources or a high risk of information misuse, loss or disclosure. Information security classification enables the selection and implementation of adequate security controls.

Ministry is required to identify and categorize information, based on the degree of damage that could reasonably be expected to result from compromise of the information.

Government uses the classification criteria defined in the Information Security Classification Framework. On the next page, the definition and examples of each classification level are presented in the context of the ministry businesses.

A brief description of the framework is as follows:

- As defined in the information security classification standard, there are three information security classification levels: High, Medium and Low. These security levels are consistent with risk classifications used in other areas of government.
- For each classification level, a detailed description is provided to describe the potential level of risk or harm in the financial, personal, and operational aspects.
- Illustrative examples are provided to show that there is an associated financial, personal and/or operational harm when business information or systems are subject to a breach. These examples are provided for a better understanding of each classification level.
- Once information is classified, the information needs to be labelled. Labels are linked to an associated classification level. Information in the same level can be labelled differently, since items may need to be handled differently even though they are protected with the same level of protection measures. For example, Cabinet Confidential information and High Sensitivity information will receive the same level of protection, but they will be handled differently due to business processes and handling requirements.
- There are six labels: Cabinet Confidential (High), High Sensitivity (High), Personal (Medium), Medium Sensitivity (Medium), Low Sensitivity (Low), and Public (Low).

The government's Information Security Classification Framework is flexible enough to classify the security requirements of all government records as defined in the Interpretation Act:

    "record" includes books, documents, maps, drawings, photographs, letters, vouchers, papers and any other thing on which information is recorded or stored by any means whether graphic, electronic, mechanical or otherwise.

As information security classification is closely related to records management and risk management, the application of the framework and labelling could be applied through the ministry processes and/or the following means:

- TRIM, the corporate records management system, which can facilitate the labelling of records.
- Citicus ONE, the corporate risk directory, which currently captures the risk assessments for government systems, can facilitate the application of the information security classification.
- The data custodianship provisions of data governance, which requires that data at all levels have an understood security review.

The Ministry Information Security Officer (MISO) is the single point of contact for advice, guidance and communication about information security classification.

The Ministry's single point of contact works closely with the Ministry Records Officer and the Information Access Operations of Shared Services BC to implement the information security classification in the aspect of records management and FOIPP (Freedom of Information and Protection of Privacy).

Security Classification: PUBLIC

Sensitivity Classification: HIGH

Labels: High Sensitivity, Cabinet Confidential

Definition: Could possibly be expected to cause extremely serious personal or enterprise injury, including any combination of:

Financial harm, such as:
  a. Extremely significant loss of money or tangible assets
  b. Extremely significant penalties or recovery costs incurred
Operational harm, such as:
  a. Severely impaired decision making, resulting in severe loss of program control
  b. Program closure or serious sanctions as a result of breach of legislation, contract or regulatory standards
  c. Major political impact - complete and extended loss of public trust of or confidence in government
Personal harm, such as:
  a. Loss of life
  b. Extreme hazard to public safety
  c. Widespread social hardship
  d. Major provincial economic hardship

Illustrative Examples:
- Personal information combined with any highly sensitive information.
- Cabinet documents.
- Extremely confidential information and information that is intended for access by named individuals or positions only.
- Justice sector confidential information (e.g., law enforcement information, court information, witness protection programs).
- Provincial budget prior to public release.
- Crisis communication during emergencies and provincial response plan and logs.
- Emergency information (e.g., pandemic, natural disasters).
- Information systems used for testing food or water supplies that could result in loss of life or severe illness.
- Extremely large financial transactions (e.g., over $1 million).

Sensitivity Classification: MEDIUM

Labels: Medium Sensitivity, Personal*

* Personal label is used for information that identifies a person and its disclosure may cause a serious harm to the person. When the "personal" information is combined with higher sensitive information, it should be classified as "High".

Definition: Could possibly be expected to cause serious personal or enterprise injury, including any combination of:

Financial harm, such as:
  a. Significant financial loss, penalty, or recovery expense
Operational harm, such as:
  a. Significant impact on service levels
  b. Serious loss of confidence in a government program
  c. Damage to partnerships, relationships and reputation
  d. Staff forced to resign
Personal harm, such as:
  a. Serious personal hardship or embarrassment

Illustrative Examples:
- Sensitive personal information (personal medical or health information, tax information, information describing personal finances, eligibility information for social benefits).
- Information intended for a specific group only.
- Trade secrets or intellectual property.
- Business or other third party information.
- Provincial standardized tests for schools.
- Information relating to minors (e.g., adoption and foster records, medical and forensic psychiatric services).
- Information on young offenders.
- Citizen payments of benefits (e.g., BC Benefits, Disability Benefits, Guaranteed Available Income for Need).
- Business Continuity Plan information.
- Identity information that could be used for criminal purposes (e.g., from Vital Stats, ICBC).
- Information on investigations and active incidents.
- Law enforcement records.
- Employee personnel files and work history data.
- Information systems that must not be unavailable beyond 1 business day.
- Financial management information systems (e.g., payroll, payments, accounts receivables, over $100,000).

Sensitivity Classification: LOW

Labels: Low Sensitivity, Public

Definition: Could reasonably be expected to cause limited or no injury to individuals or enterprises, including any combination of:

Financial harm, such as:
  a. Limited financial loss
Operational harm, such as:
  a. Limited impact on service levels
  b. Reduced staff effectiveness due to loss of morale
Personal harm, such as:
  a. Minor embarrassment or inconvenience

Illustrative Examples:
- Pre-approved personal information for release.
- Information that is generally available to employees and approved non-employees (e.g., contractors, vendors, service providers, or consultants).
- Non-sensitive information, suitable to release.
- Ordinary meeting agendas and minutes.
- Communications to claims clerks.
- Job applicants' names.
- External press releases, media/public distribution.
- Operational procedures related to non-critical activities.
- Provincial budget after public release.
- Public accounts after publication.
- Public education materials.
- Information systems that can be down for up to 3 days.
- Financial transactions (e.g., under $100,000).
- Information published by government, which requires integrity protection.