Standard: Infrastructure security classification
To establish the infrastructure security classification standards for University information infrastructure, information systems and assets.
Definitions of additional terms used in this document are provided in the overarching Information technology security policy.
Encryption: A cryptographic function used to ensure the confidentiality of data. The University considers an appropriate level of encryption to be the standards specified in the Australian Government Information Security Manual. See section “ASD Approved Cryptographic Algorithms”.
Information asset: Any set of information or part of the information infrastructure critical to the functioning of the University, with a designated system owner.
- The University is committed to providing a secure yet open information infrastructure that protects the integrity of its information assets (data and other information), and confidentiality of information without compromising its availability. Systems hosting the University's information or data sets are required to be appropriately classified and secured.
- It is recommended that University data is backed up and primarily stored on University provided storage infrastructure. Data owners that choose to store University data elsewhere are responsible for maintaining appropriate backups.
- The University recognises three broad categories of data held within its systems:
  - public data;
  - sensitive data (formerly referred to as internal data); and
  - highly sensitive data (formerly referred to as confidential data).
- Responsibility for the classification of data rests with the system owner.
- Data users comply with all relevant non-disclosure agreements, copyright restrictions, confidentiality agreements and ANU disclosure rules.
- All systems, regardless of their classification, include the following measures:
  - access control;
  - asset management; and
  - communication and operations management.
- Public data is defined as that which would have an insignificant impact on the University if breached.
- Public data is available to all members of the University community and all individuals and entities outside ANU. Disclosure of public data is generally unrestricted, providing the disclosure does not violate non-disclosure agreements.
- Encryption is permitted but not required for the transmission of public data.
- Examples of public data include:
  - publicly posted press releases;
  - published research data;
  - publicly available marketing materials; and
  - publicly posted job announcements.
- Sensitive data is defined as that which would have a low or medium impact on the University if breached.
- Sensitive data is restricted on a need-to-know basis, and may only be accessed, transmitted, modified, or stored for a legitimate academic, research or business purpose.
- Encryption is recommended but not required for the transmission of sensitive data.
- Sensitive data is:
  - protected to prevent loss, theft, malicious activity, unauthorised access and/or unauthorised disclosure;
  - protected by confidentiality agreements before access is permitted; and
  - the default classification for data if a classification level has not been explicitly defined.
- Hard copies of sensitive data are stored in a closed container (filing cabinet, closed office, secure area, etc.). Sensitive data in electronic format is stored on a system that requires user authentication.
- Examples of sensitive data include:
  - employment data;
  - business partner information (in the absence of more restrictive arrangements);
  - internal directories and organisational charts; and
  - planning documents.
Highly sensitive data
- Highly sensitive data is defined as that which would have a high impact on the University if breached.
- Highly sensitive data is restricted on a need-to-know basis, and is only accessed, transmitted, modified, or stored for legitimate academic, research or business purposes.
- Disclosure of highly sensitive data to parties outside the University is authorised by executive management, or covered by a binding confidentiality agreement.
- Highly sensitive data is protected by statutes, regulations, policies and contractual obligations.
- When storing and transmitting highly sensitive data, the following measures are undertaken:
  - hard copies are stored in a locked drawer, cabinet, room or area where access is controlled or has sufficient access control measures;
  - electronic copies are stored on a system that requires ANU-based user authentication;
  - in the event that it is recorded to an external data storage device, such as a flash drive, all data is encrypted;
  - electronic copies are encrypted when transferring to an external entity;
  - not posted to a public website;
  - not sent to an external email account; and
  - not stored on non-ANU-managed storage.
- The Information Technology Services (ITS) Cyber and Digital Security Team is notified if data classified as highly sensitive is lost, disclosed to an unauthorised party, is suspected of being lost or disclosed, or if any unauthorised use of ANU information systems has taken place, or is suspected of taking place.
- Examples of highly sensitive data include:
  - medical records and clinical trial data;
  - safety data;
  - personnel and/or payroll records;
  - student records;
  - data identified under the Australian government security classification system as confidential (refer to www.protectivesecurity.gov.au);
  - data belonging to a third party that may contain personal or identifiable information;
  - contracts; and
  - patent information.
System owner responsibilities
- Physical and logical access to systems is granted by the system owner if access is appropriately controlled, and formal procedures are implemented to permit access to the system.
- The allocation and use of system privileges is restricted and controlled.
- A formal review of user privileges is conducted on a regular basis to ensure that they remain appropriate. Accounts that are no longer required or appropriate are closed or disabled.
- When users leave the University, or change roles, access rights on systems are reviewed and adjusted appropriately.
- System resources are monitored, tuned, and projections made for future capacity requirements to ensure the required system performance.
- For each new and ongoing activity, capacity requirements are identified. System tuning and monitoring are applied to ensure and improve the availability and efficiency of systems. Detective controls are put in place to indicate problems in due time, and projections of future capacity requirements take account of new business and system requirements, and current and projected trends in information processing capabilities.
- Operating procedures are documented, maintained and made available to all users. Sensitive documentation is protected, and access restricted on a need-to-know basis.
- The allocation, management, and use of passwords and other forms of authentication is controlled in accordance with the Passwords procedure.
- All remote access connections made to the information infrastructure are made through approved University secure connections.
- Portable computing devices owned by the University, or that contain non-public University information, are physically secured when unattended, either in a locked drawer, cabinet or room, or with a cable-lock system.