Introduction
- UBC Electronic Information used by Users, has varying degrees of sensitivity which have corresponding levels of risk and protection requirements; therefore, it is necessary to classify this information to ensure it has the appropriate level of protection.
- This standard explains how UBC Electronic Information is classified using UBC's four-level Information Security Classification Model.
- The Chief Information Officer has issued this document under the authority of Policy 104, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.
- This standard applies to all UBC Electronic Information.
Information Security Classification Model
- UBC Electronic Information is classified as follows:
Definition |
Examples |
Potential Impact of Loss |
Low Risk |
||
|---|---|---|
UBC Electronic Information that would cause minimal harm if disclosed, or may be freely disclosed |
|
Minor embarrassment, minor operational disruptions |
Medium Risk |
||
UBC Electronic Information that is not protected by law or industry regulation from unauthorized access, use or destruction, but could cause harm to UBC or others if released to unauthorized individuals |
|
Reputational and financial impact, loss of priority of publication, loss of access to journals and other copyrighted materials |
High Risk |
||
UBC Electronic Information that must be protected by law or industry regulation from unauthorized access, use or destruction, and could cause moderate harm if disclosed |
|
Moderate harm to one or more individuals, identity theft, impact to University reputation or operations, financial loss, such as regulatory fines and increased credit card transaction fees |
Definition |
Examples |
Potential Impact of Loss |
|
under the Payment Card Industry – Data Security Standard (PCI-DSS) (e.g. credit card numbers, names, expiry dates, or PINs) |
|
Very High Risk |
||
UBC Electronic Information that must be protected by law or industry regulation from unauthorized access, use or destruction, and could cause significant harm if disclosed |
|
Significant harm to one or more individuals, identity theft, severe impact to University reputation or operations, financial loss, such as regulatory fines or damages from litigation |
- The classification of information may change over time. For example, unpublished research data may be classified as Medium Risk, but after publication, it may change to Low Risk.
Responsibilities
- The Information Steward/Owner is responsible for determining the information security classification based on the definitions and examples in the table above. Based on other relevant factors, information may be classified at a higher level than indicated above, but not at a lower level.
- The Administrative Head of Unit is responsible for knowing the types of UBC Electronic Information under their control, its information security classification and where it is stored. In order to comply with our legal obligations, it is recommended that the Administrative Head of Unit keep an inventory of types of records that contain High Risk and/or Very High Risk Information. At a minimum, the inventory should contain the type of information, description and storage location. Refer to the sample inventory attached to this standard. This responsibility may be delegated to the Information Steward/Owner.
Related Documents
Policy 104, Acceptable Use and Security of UBC Electronic Information and Systems
What is Personal Information? [Privacy Fact Sheet]
How different combinations of information can affect risk [Privacy Fact Sheet]
Sample Inventory