Information Classification (Draft)

What is Information Classification?

Information classification is a way to communicate the sensitivity of information that you come in contact with, providing a framework for how all of RRC Polytech’s information assets must be classified. The purpose of an information classification system is to recognize that different data requires different levels of controls, helping employees take appropriate actions to protect information and ensure proper safeguards are in place.

Information Classification covers all information, whether physical or digital.

Physical information is usually paper including posters and diagrams.  Physical information are also the objects or media used to store digital information, such as USB keys, CD/DVDs, and hard drives.

Digital information refers to documents, spreadsheets, presentations, video and audio recordings, email and social media.  This information may be stored on a network folder, OneDrive, email, systems, or physical media such as USB keys, hard drives etc..

Your Role in Information Classification

We all play a role in protecting and securing the RRC Polytech’s data from risk, including unauthorized access, modification, use, disclosure and removal. In order to help ensure our data is protected from potential breaches, RRC Polytech has developed a four-level information classification system. Classifying information helps the author communicate the sensitivity of the information to people who may come in contact with it. And it helps those people treat it appropriately, making sure our sensitive information is always secured.

Information Classification Levels

RRC Public

• Information that is not confidential and is created to be shared or made available to the public. E.g., marketing materials or published policies and/or strategies.
• Information with this label can be freely shared without restriction.
• Most staff are UNLIKELY to create this kind of information unless it is specifically part of their job. Usually this information is created as part of formal processes.
  Learn more about protecting RRC Public information .

RRC Internal

• Information that is relevant to an internal RRC Polytech audience and not confidential within the College. This information is not intended to be shared externally but poses no harm if made public. E.g., Staff News posts or Staff Forum (Intranet) content.
• The MAJORITY of the documents staff create are likely to be Internal.
• In general, this information can be shared with RRC employees as required.
• Learn more about protecting RRC Internal information.

RRC Protected

• Information that is confidential, sensitive externally, and access is limited to specific roles or groups of individuals at RRC Polytech. E.g., Vendor contracts or student and/or employee records, business plans, etc.
• Protected documents tend to be limited to your own workgroup or a few other specific workgroups or individuals
• Learn more about protecting RRC Protected information.

RRC Restricted

• Highly confidential information both externally and internally within the College. This information is restricted to specific named individuals or very specific roles. E.g., Legal files, personal health information, planning document drafts.
• Most staff RARELY create Restricted documents.
• Learn more about protecting RRC Protected information.

Information Classification Labelling

Documents should be clearly labeled by the author with the appropriate information classification. They may also include actions required by the user regarding disclosure or sharing of the information.

• Documents and systems should include a prominent label indicating the classification of the information, e.g., “RRC Internal” or “RRC Public.”
• Where possible, the label should include a hyperlink to the corresponding information classification level page, which contains details and the appropriate controls. As follows:

     ■      [RRC Public]

     ■      [RRC Internal]

     ■      [RRC Protected]

     ■      [RRC Restricted]

• Documents should include a label:

     ■      In the footer of the document, centred; or

     ■      On the cover page of a document, centred at the bottom; or

     ■      Appropriately prominent as to be easily found.

• Labeling for RRC Restricted Information
  Documents that are RRC Restricted should include a cover or title page to ensure information is not accidently disclosed. This cover page should include the following information:

• • Variants are acceptable, providing they indicate
    • That the information is confidential; and
    • Who the information is intended for (or generally “a specific audience”)
    • That disclosure is not permitted; and
    • Who is permitted to authorize disclosure; and
    • A link to the website defining what RRC Restricted means.

• Labeling for Systems and Electronic Information
  Systems and other electronic tools should indicate the classification:
  • Of a particular screen of information; and/or
  • Of the system at the login or main access screen.

What Should You Do When You Suspect a Breach Has Taken Place?

A breach is defined as information that is disclosed, or potentially disclosed, inappropriately or to inappropriate or unintended audiences.

If you know or suspect a breach has taken place, please contact

Need More Information?

Please review the Directive concerning Information Classification located on the RRC ITS Book of Standards pages within Staff Forum.

Please review the Standard concerning Information Classification located on the RRC ITS Book of Standards pages within Staff Forum.

For any questions regarding Information Classification, please contact Neil Fogg