Security Classification of UBC Electronic Information
Introduction
- UBC Electronic Information used by Users has varying degrees of sensitivity which have corresponding levels of risk and protection requirements; therefore, it is necessary to classify this information to ensure it has the appropriate level of protection.
- UBC Electronic Services have varied risk based on their confidentiality, integrity and availability requirements to University operations and the volume and nature of the UBC Electronic Information they process; therefore, it is necessary to classify services to ensure they have appropriate level of protection.
- This standard explains how UBC Electronic Information and UBC Electronic Services are risk classified.
- The Chief Information Officer has issued this standard under the authority of Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.
- This standard applies to all UBC Electronic Information and UBC Electronic Services.
Information Security Classification Model
- UBC Electronic Information is classified as follows:
Definition Examples Potential Impact of Loss Low Risk UBC Electronic Information that would cause minimal harm if disclosed, or may be freely disclosed - Names and work contact information of UBC faculty and staff members
- Information that is posted on our public website
- Research information of a non-personal, non-proprietary nature
Minor embarrassment, minor operational disruptions Medium Risk UBC Electronic Information that is not protected by law or industry regulation from unauthorized access, use or destruction, but could cause harm to UBC or others if released to unauthorized individuals - Proprietary information received from a third party under a non-disclosure agreement
- Restricted circulation library journals
- Confidential financial information and records
- Information that could allow somebody to harm the security of individuals, systems or facilities
- Research information of a non-personal, proprietary nature
Reputational and financial impact, loss of priority of publication, loss of access to journals and other copyrighted materials High Risk UBC Electronic Information that must be protected by law or industry regulation from unauthorized access, use or destruction, and could cause moderate harm if disclosed - Personal Information, which must be protected under the BC Freedom of Information and Protection of Privacy Act (FIPPA), including:
- Full face photographic images
- Student name
- Student or Employee ID
- Student grades
- Home address
- Payment Card Industry (PCI) Information, which must be protected under the Payment Card Industry – Data Security Standard (PCI-DSS) (e.g. credit card numbers, names, expiry dates or PINs)
Moderate harm to one or more individuals, identity theft, impact to University reputation or operations, financial loss, such as regulatory fines and increased credit card transaction fees Very High Risk UBC Electronic Information that must be protected by law or industry regulation from unauthorized access, use or destruction, and could cause significant harm if disclosed - Social Insurance Number (SIN)
- Official government identity card (e.g. Passport ID, Driver’s License No.)
- Bank account information (e.g. direct deposit details)
- Personal Health Information (PHI)
- Biometric data
- Personally identifiable genetic data
- Date of Birth (DoB)
Significant harm to one or more individuals, identity theft, severe impact to University reputation or operations, financial loss, such as regulatory fines or damages from litigation - The classification of information may change over time. For example, unpublished research data may be classified as Medium Risk, but after publication, it may change to Low Risk.
Electronic Service Risk Classification Model
- Factors to consider when assessing the risk of an Electronic Service include:
- Reputational harm
- Financial losses
- Number of affected Constituents
- Volume of High or Very High Risk Information
- Operational impact
- UBC Electronic Information is classified as follows:
Definition | ||
---|---|---|
Low Risk Electronic Service | ||
Loss of confidentiality, integrity or availability in a Low Risk Electronic Service would cause minimal impact to UBC’s mission, safety, finances or reputation. The incident will display one or more of the following characteristics and no characteristics of higher risk classifications:
|
||
Medium Risk Electronic Service | ||
Loss of confidentiality, integrity or availability in a Medium Risk Electronic Service would cause minor impact to UBC mission, safety, finances, or reputation. The incident will display one or more of the following characteristics and no characteristics of higher risk classifications:
|
||
High Risk Electronic Service | ||
Loss of confidentiality, integrity or availability in a High Risk Electronic Service would have a significant business impact to one or more portfolios, but not the whole University. The incident will display one or more of the following characteristics and no characteristics of higher risk classifications:
|
||
Very High Risk Electronic Service | ||
Loss of confidentiality, integrity or availability in a Very High Risk UBC Electronic Service would have a major business impact to the University. The incident will display one or more of the following characteristics:
|
Responsibilities
- The Information Steward/Owner is responsible for determining the information security classification based on the definitions and examples in the table above. Based on other relevant factors, information may be classified at a higher level than indicated above, but not at a lower level.
- The Administrative Head of Unit is responsible for ensuring completion of an inventory and classification of UBC Electronic Services under their control using the Electronic Services Risk Classification model. This must be recorded in the enterprise asset inventory system, if it is available.
- The Administrative Head of Unit is responsible for knowing the types of UBC Electronic Information under their control, its information security classification and where it is stored. In order to comply with our legal obligations, it is recommended that the Administrative Head of Unit keep an inventory of types of records that contain High Risk and/or Very High Risk Information. At a minimum, the inventory should contain the type of information, description and storage location. Refer to the sample inventory attached to this standard. This responsibility may be delegated to the Information Steward/Owner.
- For UBC Electronic Services classified as Very High Risk, the Administrative Head of Unit is responsible for having documented assurance of compliance with the Information Security Standards. This is usually attained by sourcing Security Threat Risk Assessments at various stages in the information systems lifecycle (implementation, significant change, retirement).
Related Documents and Resources
- Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems
- BC Freedom of Information and Protection of Privacy Act (FIPPA)
- What is Personal Information? [Privacy Fact Sheet]
- Sample Inventory
Standard Last Revised: 2021-01