Summary of the university's information classification policy
Objective: Protect all information, regardless of media, from unauthorized access, use, alteration, disclosure, or destruction, based on its sensitivity.
Policy Details:
- Information Definition: All types of information, electronic or non-electronic, including documents, conversations, and meetings.
- Information Handling: Classify information according to sensitivity and manage its lifecycle (creation, use, destruction).
- Information Classification Levels:
  - "Limited"
  - "Secret"
  - "Top Secret"
- Information Management:
  - Preservation: Based on classification level.
  - Circulation: Protect from unauthorized access.
  - Destruction: Appropriate to classification and legislation.
- Responsibility:
  - Everyone dealing with information is responsible.
  - Senior management has final responsibility.
  - Information Security Manager: Monitors violations and ensures awareness.
- Labeling: Establish labeling instructions.
- Awareness: Understand classification for proper disclosure.
Information Classification Examples and Practices:
- Public Information:
  - Acceptable: Free sharing.
  - Unacceptable: Unauthorized modification.
- Internal Information:
  - Acceptable: Sharing within university.
  - Unacceptable: Sharing externally without permission.
- Confidential Information:
  - Acceptable: Access only for authorized personnel.
  - Unacceptable: Sharing with unauthorized parties.
- Highly Sensitive Information:
  - Acceptable: Secure storage, restricted access.
  - Unacceptable: Sharing outside authorized team, lack of protection.
Correct Implementation Mechanism:
- Definition: Each department defines information types.
- Classification: Classify based on sensitivity.
- Awareness: Train personnel on classification policies.
- Follow-up: Monitor information flow.
Conclusion:
- This policy explains how to implement information classification within a university, detailing acceptable and unacceptable practices.