Standard: Infrastructure security classification
To establish the infrastructure security classification standards and guidelines for University information infrastructure, information systems and assets.
Definitions of additional terms used in this document are provided in the overarching policy, Information Technology security.
Encryption: The University considers an appropriate level of encryption to be the standards specified in the Australian Government Information Security Manual.
Information asset: any set of information or part of the information infrastructure critical to the functioning of the University, with a designated system owner.
- The University is committed to providing a secure yet open information infrastructure that protects the integrity of its information assets (data and other information), and confidentiality of information without compromising its availability. Systems hosting the University's information or data sets are required to be appropriately classified and secured.
- It is recommended that University data is backed up and primarily stored on University provided storage infrastructure. Data owners that choose to store University data elsewhere are responsible for maintaining appropriate backups.
- The University recognises three broad categories of data held within its systems:
  - public data
  - sensitive data (formerly referred to as internal data)
  - highly sensitive data (formerly referred to as confidential data)
- Responsibility for the classification of data rests with the system owner.
- Data users must comply with all relevant non-disclosure agreements, copyright restrictions, confidentiality agreements and ANU disclosure rules.
- All systems, regardless of their classification, must include the following measures:
  - access control
  - asset management
  - communication and operations management.
- Public data is defined as that which would have an insignificant impact on the University if breached.
- Public data is available to all members of the University community and all individuals and entities outside ANU. Disclosure of public data is generally unrestricted, providing the disclosure does not violate non-disclosure agreements.
- Encryption is permitted but not required for the transmission of public data.
- Examples of public data include:
  - publicly posted press releases
  - published research data
  - publicly available marketing materials
  - publicly posted job announcements.
- Sensitive data is defined as that which would have a low or medium impact on the University if breached.
- Sensitive data is restricted on a need-to-know basis, and may only be accessed, transmitted, modified, or stored for a legitimate academic, research or business purpose.
- Encryption is recommended but not required for the transmission of sensitive data.
- Sensitive data is:
  - protected to prevent loss, theft, malicious activity, unauthorised access and/or unauthorised disclosure
  - protected by confidentiality agreements before access is permitted
  - the default classification for data if a classification level has not been explicitly defined.
- Hard copies of sensitive data must be stored in a closed container (filing cabinet, closed office, secure area etc.). Sensitive data in electronic format must be stored on a system that requires user authentication.
- Examples of sensitive data may include:
  - employment data
  - business partner information (in the absence of more restrictive arrangements)
  - internal directories and organisational charts
  - planning documents.
Highly sensitive data
- Highly sensitive data is defined as that which would have a high impact on the University if breached.
- Highly sensitive data is restricted on a need-to-know basis, and may only be accessed, transmitted, modified, or stored for legitimate academic, research or business purposes.
- Disclosure of highly sensitive data to parties outside the University must be authorised by executive management, or covered by a binding confidentiality agreement.
- Highly sensitive data is protected by statutes, regulations, policies and contractual obligations.
- When storing and transmitting highly sensitive data, the following measures must be undertaken:
  - hard copies must be stored in a locked drawer, cabinet, room or area where access is controlled or has sufficient access control measures
  - electronic copies must be stored on a system that requires ANU-based user authentication
  - in the event that it must be recorded to an external data storage device, such as a flash drive, all data must be encrypted
  - electronic copies must be encrypted when transferring to an external entity
  - must not be posted to a public website
  - must not be sent to an external email account
  - must not be stored on non ANU-managed storage.
- The Information Technology Services (ITS) Cyber and Digital Security Team must be notified if data classified as highly sensitive is lost, disclosed to an unauthorised party, is suspected of being lost or disclosed, or if any unauthorised use of ANU information systems has taken place, or is suspected of taking place.
- Examples of highly sensitive data include:
  - medical records and clinical trial data
  - safety data
  - personnel and/or payroll records
  - student records
  - data identified under the Australian government security classification system as confidential (refer to www.protectivesecurity.gov.au)
  - data belonging to a third party that may contain personal or identifiable information
  - patent information.
System owner responsibilities
- Physical and logical access to systems may be granted by the system owner if access is appropriately controlled, and formal procedures are implemented to permit access to the system.
- The allocation and use of system privileges must be restricted and controlled.
- A formal review of user privileges must be conducted on a regular basis to ensure that they remain appropriate. Accounts that are no longer required or appropriate must be closed or disabled.
- When users leave the University, or change roles, access rights on systems must be reviewed and adjusted appropriately.
- System resources must be monitored, tuned, and projections made for future capacity requirements to ensure the required system performance.
- For each new and ongoing activity, capacity requirements must be identified. System tuning and monitoring must be applied to ensure and improve the availability and efficiency of systems. Detective controls must be put in place to indicate problems in due time, and projections of future capacity requirements must take account of new business and system requirements, and current and projected trends in information processing capabilities.
- Operating procedures must be documented, maintained and made available to all users. Sensitive documentation must be protected, and access restricted on a need-to-know basis.
- The allocation, management, and use of passwords and other forms of authentication must be controlled and in accordance with the Passwords procedure.
- All remote access connections made to the information infrastructure must be made through approved University secure connections.
- Portable computing devices owned by the University, or that contain non-public University information, must be physically secured when unattended, either in a locked drawer, cabinet or room, or with a cable-lock system.