Corporate policy on information sensitivity classification
This policy outlines the requirements and best practices that the Ontario government uses to classify and secure sensitive information and information systems.
Preamble
Effective information security involves addressing the confidentiality, integrity and availability requirements of information and information systems.
Confidentiality
Requirements relate to the relative harm or injury that would result from unauthorized access or inadvertent release of information. This may be assured through a variety of business processes and technical means.
Integrity
Requirements relate to the harm or injury that would result if an information asset was compromised by manipulation. This is usually assured via technical means being implemented to prevent unauthorized access to information systems, thereby limiting the possibility of tampering.
Availability
Requirements relate to the harm or injury that could result if particular information is not available for authorized access and use. This is usually addressed through contingency plans and efforts to ensure the resilience of information systems.
Although all three aspects of information security are important, confidentiality is most likely to be ensured by user behaviour, whereas integrity and availability are most commonly assured through technical means.
It should be noted that the methods and degree of protection recommended to ensure confidentiality will not necessarily be identical to those used to ensure integrity or availability. Similarly, the same information asset may require that different safeguards be implemented to ensure its confidentiality when it is created, stored or shared in different technical contexts (for example, printed documents; documents stored on an internal application; or documents that are accessible via the Internet).
Nevertheless, the type and degree of safeguard(s) recommended to ensure the security of a given information asset must always be proportionate to the risk of unauthorized access, inadvertent release, manipulation or non-availability.
Authority
This policy is issued by the Secretary of Treasury Board and Management Board of Cabinet under authority of the Management and Use of Information & Information Technology (I&IT) Directive which delegates the responsibility to establish, amend, replace or rescind policies on the management of I&IT, and also to set out more detailed operational requirements for ministries, I&IT clusters and agencies.
Effective date
This policy is effective August 28, 2018.
Application and scope
This policy applies to:
- information in all its forms that is created, received, or held by/on behalf of the Government of Ontario
- information systems and resources that are used by/on behalf of Government of Ontario ministries to create, enter, process, communicate, transport, disseminate, store or dispose of such information
This policy applies to all provincial ministries, board-governed, non-board governed and advisory agencies, and any other agency defined under the Agencies & Appointments Directive unless an exemption has been granted by Management Board of Cabinet.
These requirements also apply in situations where information is created, entered, processed, transmitted, or stored by third party service delivery partners and their subcontractors.
Appropriate safeguards must be implemented to secure information, information systems and other program resources to a degree that is consistent with the requirements outlined here or as may be outlined in other applicable Ontario Public Service (OPS) policies or laws. Additional safeguards for information systems may also be recommended in a Threat Risk Assessment/Risk Mitigation Plan, Vulnerability Management Report or other documents that identify risks to information security.
Principles
The following statements provide the principles on which this policy is based:
- Information and information systems are critical government assets, like physical infrastructure and financial resources, and must be safeguarded deliberately, appropriately and consistently throughout their life cycle.
- Efforts taken to safeguard information must be proportionate to the possible harm or injury that could result if confidentiality, integrity and availability are not assured.
- A thorough analysis of all security risks to information systems may include not only the protection requirements for the information’s confidentiality, but also its integrity and availability.
- Reducing risks and managing protection costs are both important considerations when planning, selecting, and implementing safeguards. Accountability for risks rests with the Ministries.
- Mandatory user training is a fundamental component of a successful information sensitivity classification program.
Mandatory requirements
Classifying and safeguarding information
All information must be evaluated, classified and safeguarded in accordance with its sensitivity level. Ratings are to be based on a consideration of the legal obligations and business requirements to protect the confidentiality of the information, as well as the harm and injury that may be caused by the information’s unauthorized access, manipulation or inadvertent disclosure.
Wherever possible, information of varying classification levels should be segregated and stored with other similarly classified information to avoid under- or over-safeguarding. This must be done in a manner that meets the requirements of the Corporate Policy on Recordkeeping. If information of various classifications must co-exist within a system, or in some other context that does not enable adequate technical segregation, all co-existing information must be safeguarded in accordance with the highest classification level identified.
If High Sensitivity information relates to national or provincial interests or national or provincial security, additional safeguards must be implemented. Please follow the federal guidelines for classified assets and information.
Information labelling
Sensitivity level | Description |
---|---|
High sensitivity | Unauthorized disclosure could result in loss of life or impact to public safety, significant loss of confidence in or embarrassment to government, extremely serious personal or enterprise injury, major economic impact, sabotage or terrorism, or significant financial loss or social hardship. |
Medium sensitivity | Unauthorized disclosure could result in serious personal or enterprise injury, loss of competitive advantage, loss of confidence in a government program, moderate financial loss, or damage to partnerships or reputations. |
Low sensitivity | Unauthorized disclosure could result in minor injury to persons, minor financial loss, slight embarrassment, or inconvenience. |
Unclassified | Disclosure will not result in any harm or injury and does not require prior authorization. |
As evidence of having been classified, all information must be labelled with one of the four sensitivity ratings described above. The label applied to a particular piece of information will indicate its confidentiality requirement and will guide the safeguards that must be implemented to ensure that confidentiality can be maintained. Selecting and applying the appropriate label will involve a careful consideration of the harm and injury that could result from the information’s unauthorized access or disclosure.
At this time, the OPS does not mandate labelling information to indicate its integrity or availability requirements as these aspects of information security are more commonly achieved through the implementation of safeguards and/or technical measures aimed at protecting information systems.
Assessing and safeguarding information systems
The sensitivity of all information systems must be assessed and a Statement of Sensitivity (SoS) must document the aggregate sensitivity rating of the information and assets involved. The SoS, often prepared as part of a Threat Risk Assessment, will then guide the implementation of safeguards aimed at ensuring the confidentiality, integrity and availability of an information system or systems.
Sensitivity level | Description |
---|---|
High sensitivity | Unauthorized disclosure, unauthorized modification or loss of availability could result in loss of life or impact to public safety, significant loss of confidence in or embarrassment to government, extremely serious personal or enterprise injury, major economic impact, sabotage or terrorism, or significant financial loss or social hardship. |
Medium sensitivity | Unauthorized disclosure, unauthorized modification or loss of availability could result in personal or enterprise injury, loss of competitive advantage, loss of confidence in the government program, moderate financial loss, or damage to partnerships or reputations. |
Low sensitivity | Unauthorized disclosure, unauthorized modification or loss of availability could result in minor injury to persons, minor financial loss, slight embarrassment, or inconvenience. |
Unclassified | Disclosure, modification or unavailability will not result in any harm or injury, and disclosure does not require prior authorization. |
Information systems with low confidentiality requirements may, nevertheless, have a medium or high requirement for protection of the information’s integrity (for example, websites that host government news releases may not include any personal or sensitive information but must be adequately protected against unauthorized access and/or manipulation). Similarly, systems that support time critical service delivery may have high availability requirements which may translate into requirements for robust protections to ensure their continuous availability, even though they may not contain any personal or highly sensitive information. Although integrity and/or availability are valid information security objectives, efforts to maintain them must not be allowed to undermine or negatively impact efforts to ensure confidentiality.
Ongoing risk management
The classification assigned to a particular information asset should be reviewed periodically to ensure that it remains appropriate. Over time, the sensitivity of some information assets may change; assigned classifications should be amended to indicate any change as this may also result in a corresponding change to the measures required to safeguard the information.
Information owner and custodian
Information owners must be identified for all information. Information owners are the individuals who create the information, or those who have been delegated formal responsibility for the information. Only the information owner can classify or reclassify sensitive information.
As custodians of personal information, Government of Ontario ministries are also responsible for classifying and protecting the personal information of the people of Ontario. Ministries have an obligation to protect personal information according to the rules of the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Health Information Protection Act (PHIPA) which prohibit an institution from disclosing those categories of personal information except under very specific, defined and limited circumstances.
Training and awareness
The requirements in this policy must be conveyed to all Ontario Public Service employees, as well as to contractors and third-party service delivery partners that ministries may engage to assist them with program delivery. Learning tools will also be provided to help all users meet their obligation to routinely implement these requirements.
Storing, emailing & transporting information
To learn more about how to adequately safeguard all sensitive information, whether in transit or at rest, please see the Information Sensitivity Classification Guidelines.
When in digital format, high sensitivity information must be encrypted in storage and transit, including via email, using only approved encryption methods (see GO-ITS 25.12 Security Requirements for the Use of Cryptography for details).
If high sensitivity information must be stored or transported on mobile computing or digital storage devices (including laptops, USBs and portable hard drives) the information must be encrypted and its handling must comply with all requirements outlined in GO-ITS 25.10 Security Requirements for Mobile Devices.
Service delivery partner obligations
Contracts and service level agreements with third party service providers who have access to, or share custody of, OPS information and/or information systems must include the obligation to follow the requirements of this policy and its corresponding guidelines. This requirement must extend to any sub-contractors on whom the service providers rely to deliver services to the Ontario Government or to citizens.
Classifying information from other organizations or jurisdictions
All information received from other program areas, Ministries, organizations or jurisdictions must be safeguarded according to the classification it bears. If a different classification scheme has been used, the recipient of the information should clarify the handling requirements with the information owner or originating jurisdiction.
If information received from other organizations or jurisdictions does not bear a sensitivity classification, it must be classified and labelled in accordance with this policy and safeguarded accordingly while it is in the custody and control of the OPS.
Appropriate recordkeeping processes to identify what records to retain, transfer or dispose of
The Archives and Recordkeeping Act 2006 states that the retention, transfer and disposition of records in any format is governed by a records schedule approved by the Archivist of Ontario. The records schedule determines how long records must be retained in the ministry, and their final disposition (i.e. transfer to the Archives of Ontario, or destroy). If transferring archival digital records, please refer to the Guideline for Transferring Archival Digital Records to the Archives.
Appropriate disposal of information
Paper documents
All sensitive paper documents must be placed in the secure disposal containers provided by the Secure Document Destruction Vendor of Record. Paper documents labelled as Unclassified may be recycled.
Information on computerized devices & digital storage media
Information on computerized devices and digital storage media must be made inaccessible using the sanitization process and hardware destruction procedures approved for use in the OPS. Please refer to the GO-ITS 25.20 Disposal, Loss and Incident Reporting of Computerized Devices & Digital Storage Media and the corresponding Disposal, Loss and Incident Reporting of Computerized Devices & Digital Storage Media Guidelines.
Roles and responsibilities
Users
All users of information and information systems in the custody and/or under the control of the Government of Ontario must:
- classify and safeguard information in accordance with the requirements of this policy and the associated guidelines
- label all information or documents they create according to the four sensitivity levels defined in this policy and its corresponding guidelines
- recognize the sensitivity ratings assigned to information assets created by others and safeguard those assets accordingly
- review Information Sensitivity Classification learning materials/courses
- comply with government legislation, directives, policies, operating procedures and standards when using I&IT resources
- report any actual or suspected information security or privacy breaches to their manager in a timely manner and notify the OPS IT Service Desk of any suspected security breach
Program owners
All Program Owners must:
- ensure that all users in their program area are made aware of this policy and its corresponding guidelines
- complete the Information Sensitivity Classification training and oversee its completion by all direct reports
- ensure that all staff in their program area understand the importance of classifying, labelling and safeguarding sensitive information
- identify the sensitivity classification level of all program-related information and information systems and take steps to secure them accordingly
- ensure that the aggregate sensitivity of all record series developed for or used by their program area is documented, and that records are managed accordingly
- where appropriate, ensure that a Statement of Sensitivity exists for all information systems under their control
- respond to any reports of an information security or privacy breach
Cyber Security Division
Cyber Security Division must:
- maintain this policy and the corresponding guidelines
- provide policy interpretation and guidance as required
- provide tools to raise awareness about these requirements and help all users meet their obligations to implement them
- provide information security risk assessment services including Asset Classification Reports, Statements of Sensitivity, Threat Risk Assessments, Vulnerability Assessment/Penetration Tests, etc., as may be required to assist ministries in the implementation of this policy
- work with Infrastructure Technology Services, IT Clusters and relevant program managers to investigate information security breaches
- work with OPS partners to ensure that appropriate security tools and services (for example, data and email encryption, system logging, intrusion detection/prevention systems) as well as hosting and storage environments are made available to enable the appropriate safeguarding of information and information systems of all sensitivity levels
Chief Information Officers, I&IT Clusters
- design and build I&IT systems that address the information sensitivity classification as identified by the Program Manager, and that take into consideration the statement of sensitivity, the results of any security and/or privacy assessments and the requirements of other applicable corporate policies
- ensure that they and their Cluster staff operate I&IT systems in a manner that meets business requirements and is consistent with information sensitivity classifications
- provide, or assist with, electronic and paper-based information and document management practices as appropriate
Infrastructure Technology Services
- work with Cyber Security Division to ensure that appropriate security tools and services (for example, data and email encryption, system logging, intrusion detection/prevention systems) as well as hosting and storage environments are made available to enable the appropriate safeguarding of information and information systems of all sensitivity levels
- work with Cyber Security Division, IT Clusters and relevant program managers to investigate information security breaches
Information Privacy & Archives (IPA)
- work with Cyber Security Division to ensure legislative requirements under the Freedom of Information and Protection of Privacy Act (FIPPA) and the Archives and Recordkeeping Act (ARA) are addressed in Cyber Security policies, standards and procedures
Glossary
- Availability
- Present and ready for authorized use.
- Confidentiality
- The condition of, or the requirement for, privacy or secrecy.
- Control
- Not in the physical possession of information, but with a legal/contractual right or responsibility to deal with it.
- Custody
- In the physical possession of the information (excluding unsolicited or accidental possession).
- Digital signature
- A mathematical scheme for demonstrating the authenticity of a digital message or document, identifying the sender and proving that the message was not altered in transit.
- Disclosure
- Any exposure to recorded information, whether deliberate or accidental, authorized or unauthorized and includes the ability to read only, or to read and also manipulate the information.
- Disposal
- The act or process of getting rid of something that is no longer required and does not need to be retained.
- Disposition
- The final action taken with a record when its retention period is over.
- Enterprise
- An entire organization or business; may be used to refer to the Ontario government, Ontario Public Service, or a private business.
- Extremely serious personal or enterprise injury
- Catastrophic physical harm or even death, or ruinous financial injury, or permanent loss of reputation to an individual, the Government of Ontario, or a third party company or organization that does business with the government.
- Harm
- The physical, mental or emotional damage to an individual or an organization’s reputation, assets, or the ability to serve clients that could result from a business injury.
- Information
- Recorded information in any form, in any medium, and at all stages of its life cycle including information created, recorded, transmitted or stored in digital form or in other intangible forms by electronic, magnetic, optical or any other means, but does not include a mechanism or system for creating, sending, receiving, storing or otherwise processing information.
- Information asset
- A body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognizable and manageable value, risk, content and lifecycles; for example, a database of contacts, all the files associated with a specific project, or all the financial data for an organization.
- Information custodian
- A person in whom trust is given for the safe-keeping of classified information. The person responsible for securing the information according to its sensitivity classification.
- Information owner
- A person who created the information or is delegated formal responsibility for the information.
- Information system
- Any system or technology resource that is used by/on behalf of the Ontario Government ministries to create, enter, process, communicate, send/receive, publish/disseminate, store or dispose of information.
- Injury
- A security incident or breach (for example, unauthorized disclosure) that causes harm.
- Integrity
- The condition of, or requirement for, assurances that information has not been modified or deleted in an unauthorized or undetectable manner.
- Ministry
- A ministry of the Government of Ontario and includes all information and information technology clusters and associated agencies.
- Personal health information
- Means identifying information about an individual in oral or recorded form, if the information:
  - relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family
  - relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual
  - is a plan of service within the meaning of the Home Care and Community Services Act, 1994 for the individual
  - relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual
  - relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance
  - is the individual’s health number, or
  - identifies an individual’s substitute decision-maker
- Personal information
- Recorded information about an identifiable individual as described in the Freedom of Information and Protection of Privacy Act.
- Privacy impact assessment
- Is both a due diligence exercise and risk management tool. It is a proactive approach designed to help protect privacy by identifying and analyzing privacy-related risks early enough to be able to take appropriate action; avoiding, eliminating or minimizing negative impacts on privacy; and complying with relevant privacy legislation and assessing broader privacy implications.
- Program owner
- Means any program director or equivalent having authority and accountability under legislation, regulation, policy or other instrument for particular business activities and for the business records relating to those activities.
- Record
- Information in context, however recorded, whether in printed form, on film, by electronic means or otherwise, including:
  - correspondence, a memorandum, a book, a plan, a map, a drawing, a diagram, a pictorial or graphic work, a photograph, a film, a microfilm, a sound recording, a videotape, a machine-readable record, any other documentary material, regardless of physical form or characteristics and any copy thereof;
  - any record that is capable of being produced from a machine-readable record under the control of an institution by means of computer hardware and software or any other information storage equipment and technical expertise normally used by the institution (“document”). [footnote 3]
- Record schedule
- An Archivist of Ontario-approved document that identifies and describes the records made and received by public bodies and sets out retention periods and final dispositions for those records, the format in which the records are to be kept and which records. Records schedules consist of records series (Page 11, Corporate Policy on Recordkeeping, 2015).
- Risk
- A measure of the extent to which an entity is threatened by a potential circumstance or event — typically calculated by a consideration of the adverse impacts that would arise if a circumstance/event occurs, as well as the likelihood of it occurring.
- Safeguard
- A protective and precautionary measure intended to prevent a threat agent from causing harm and injury.
- Sensitive information
- Information that, if released without authorization, would cause harm (personal or enterprise injury, embarrassment, unfair economic advantage, etc.).
- Statement of sensitivity
- An analysis of information or information system which defines the sensitivity of the information within the system and the importance of the supporting services of the system. A statement of sensitivity may also define the sensitivity requirements of supporting assets (that is, hardware and software, interfaces, personnel, supporting systems and utilities, and access control measures). A statement of sensitivity is an important component of a Threat/Risk Assessment.
- Threat/Risk Assessment
- A formalized process to determine the risks to information and information systems. Based on the sensitivity of all information and associated assets, the TRA will assess the appropriateness of the safeguards currently in place to protect the information’s confidentiality, integrity, and availability. It will also offer recommendations about additional measures to mitigate risk or to increase the efficiency and effectiveness of existing safeguards, as required.
- Unauthorized
- Without the permission of the accountable program manager or his/her delegate.
- Unclassified
- Information that, if accessed without authorization, will cause no harm or injury.
- Unauthorized disclosure
- Any unapproved exposure to recorded information, whether deliberate or accidental, and includes the ability to just read, or also to read and edit the information.
- User
- Anyone authorized to access information in the custody or under the control of the Government of Ontario.
Footnotes
- footnote[1] Personal Information must be classified as Medium Sensitivity at minimum.
- footnote[2] For example, before a news release about a major government announcement is made, the information involved may be considered high sensitivity. However, upon its release to the public, the same information would then be re-labelled as unclassified.
- footnote[3] As per the Freedom of Information and Protection of Privacy Act, 1990