GREATER SASKATOON CATHOLIC SCHOOLS

I.T. Data Classification Guidelines

1.0 Overview

Information assets are assets to Greater Saskatoon Catholic Schools (GSCS) just like physical property. In order to determine the value of the asset and how it should be handled, data must be classified according to its importance to GSCS operations and the confidentiality of its contents. Once this has been determined, GSCS can take steps to ensure that data is treated appropriately.


2.0 Purpose

The purpose of these guidelines is to detail a method for classifying data and to specify how to handle this data once it has been classified.


3.0 Scope

The scope of these guidelines covers all GSCS data stored on GSCS-owned, GSCS-leased, and otherwise GSCS-provided systems and media, regardless of location. Also covered by the guidelines are hard copies of GSCS data, such as printouts, faxes, notes, etc.

4.0 Policy

4.1 Data Classification

Data residing on corporate systems will be continually evaluated and classified into the following categories:

1.    Personal: includes users' personal documents, etc. This data is often mixed with the operational data outlined below.

2.    Public: includes already-released marketing material, commonly known information, information that is posted to websites about future events, etc. There are no requirements for public information.

3.    Operational: includes data for basic school operations, communications with students, parents, vendors, employees, etc. (non-confidential). The majority of data will fall into this category.

4.    Critical: any information deemed critical to division operations (often this data is operational or confidential as well). It is extremely important to identify critical data for security and backup purposes.

5.    Confidential: any information deemed proprietary to the school division. See the Confidential Data Policy for more detailed information about how to handle confidential data.

4.2 Data Storage

The following guidelines apply to storage of the different types of GSCS data.


4.2.1 Personal

This data should be stored on the GSCS-provided servers, commonly referred to as the m: drive. Often it is mixed with the Operational data listed below.


4.2.2 Public

There are no requirements for public information.


4.2.3 Operational

Operational data must be stored in a location that is backed up nightly.


4.2.4 Critical

Critical data must be stored on a server that gets the most frequent backups (refer to the Backup Policy for additional information). System- or disk-level redundancy is required.


4.2.5 Confidential

Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use. Confidential information should be stored under lock and key (or keycard/keypad), with the key, keycard, or code secured.


4.3 Data Transmission

The following guidelines apply to transmission of the different types of GSCS data.


4.3.1 Personal

There are no requirements for personal information.


4.3.2 Public

There are no requirements for public information.



4.3.3 Operational

No specific requirements apply to transmission of Operational Data; however, as a general rule, the data should not be transmitted unless necessary for business purposes.


4.3.4 Critical

There are no requirements on transmission of critical data, unless the data in question is also considered operational or confidential, in which case the applicable policy statements would apply.



4.3.5 Confidential

Confidential data must not be 1) transmitted outside the GSCS network without the use of strong encryption, or 2) left on voicemail systems, either inside or outside GSCS's network.


4.4 Data Destruction

The following guidelines apply to the destruction of the different types of GSCS data.


4.4.1 Personal

There are no requirements for personal information.


4.4.2 Public

There are no requirements for public information.


4.4.3 Operational

Cross-cut shredding is required for documents. Storage media should be appropriately sanitized/wiped or destroyed.


4.4.4 Critical

There are no requirements for the destruction of Critical Data, though shredding is encouraged. If the data in question is also considered operational or confidential, the applicable policy statements would apply.

4.4.5 Confidential

Confidential data must be destroyed in a manner that makes recovery of the information impossible. The following guidelines apply:


         Paper/documents: cross-cut shredding is required.

         Storage media (CDs, DVDs): physical destruction is required.

         Hard Drives/Systems/Mobile Storage Media: at a minimum, data wiping must be used. Simply reformatting a drive does not make the data unrecoverable. If wiping is used, GSCS must use the most secure commercially available methods for data wiping. Alternatively, GSCS has the option of physically destroying the storage media.


5.0 Enforcement

This policy will be enforced by Superintendents of Education. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of GSCS property (physical or intellectual) are suspected, GSCS may report such activities to the applicable authorities.

6.0 Definitions

Authentication - A security method used to verify the identity of a user and authorize access to a system or network.

Backup - To copy data to a second location, solely for the purpose of safe keeping of that data.

Encryption - The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.

Mobile Data Device - A data storage device that utilizes flash memory to store data. Often called a USB drive, flash drive, or thumb drive.

Two-Factor Authentication - A means of authenticating a user that utilizes two methods: something the user has, and something the user knows. Examples are smart cards, tokens, or biometrics, in combination with a password.

7.0 Revision History

Revision 1.0, 8/9/2011

Revision 2.0, 8/13/2012