Skip to main content
Learn More

Information Security Program

Appendix D – How Information Guardians Assess Security Requirements

Appendix D – How Information Guardians Assess Security Requirements

DRAFT

As stated previously, Information Guardians are responsible for assessing the security requirements for each of their assigned information collections across three areas of concern: confidentiality, integrity and availability. To facilitate the assessment process and ensure that these requirements are expressed in a consistent manner across the University, Information Guardians and designates should categorize their information collections using the guidelines described in this section.


The confidentiality requirement for an information collection can be expressed in the following terms:

  • "Public" information can be freely shared with individuals on or off campus without any further authorization by the appropriate Information Guardian or designate.
  • "Internal" information can be freely shared with members of the University community. Sharing such information with individuals outside of the University community requires authorization by the appropriate Information Guardian or designate.
  • "Departmental" information can be freely shared with members of the owning department. Sharing such information with individuals outside of the owning department requires authorization by the appropriate Information Guardian or designate.
  • "Confidential" information can only be shared on a "need to know" basis with individuals who have been authorized by the appropriate Information Guardian or designate, either by their association with specific job functions or explicitly by name.
  • "Highly confidential" information can only be shared on a "need to know" basis with a limited number of individuals who have been authorized by the appropriate Information Guardian or designate explicitly by name


The integrity/availability requirement for an information collection can be expressed as follows:

  • "Non-critical" if its unauthorized modification, loss or destruction would cause little more than temporary inconvenience to the user community and support staff, and incur limited recovery costs. Reasonable measures to protect information deemed "non-critical" include storing physical information in locked cabinets and/or office space, using standard access control mechanisms that prevent unauthorized individuals from updating computer-based information, and making regular backup copies.
  • "Critical" if its unauthorized modification, loss, or destruction through malicious activity, accident or irresponsible management could potentially cause the University to:
    • Suffer significant financial loss or damage to its reputation,
    • Be out of compliance with legislative requirements,
    • Adversely impact its clients, or
    • Miss a legally mandated deadline.

    In addition to the protective measures described for information deemed "non-critical":

    • "Critical" information must be verified either visually or against other sources on a regular basis, and
    • A business continuity plan to recover "critical" information that has been lost or damaged must be developed, documented, deployed and tested annually.