Information classification

Action points

  • Consider the nature and value of the information you are managing online.
  • Ensure all information carries an appropriate security marking or classification.
  • Use the quick reference guide below to manage this information appropriately.

All government-held information requires appropriate protection in order to preserve its integrity, availability and confidentiality. To properly manage risk, government departments must consider the nature and value of the information they are managing online, in addition to the technical landscape and threat environment.

A good security approach to online information is one in which risks to the confidentiality, availability and integrity of information have been evaluated relative to the value of the information, with appropriate controls implemented to mitigate risks, and residual risks formally acknowledged and accepted.

Correct classification of information

All the information government deals with has some form of protective requirement attached to it. It may range from none (Unclassified) to extremely high (Top Secret). Most, if not all, of the information published by agencies in the public web domain is Unclassified.

Web publishers and site owners/managers need confidence in their agencies' processes to ensure that protectively marked material will not be inadvertently published online.

If this is not the case, the matter should be raised with the CISO, who is responsible for ensuring that agency business and security practices are in alignment with the Government’s security objectives.

Step 1 — Classification of information on the web

All government-held information should have a protective marking or classification to ensure it is treated appropriately.

This can often be applied in default document templates and email signatures or extensions to email clients. You can combine this with techniques such as outbound filtering and inspection by mail servers to lessen the risk of inadvertent information leakage via email.

There are three basic classifications for information that is relevant to the web:

  • Unclassified — for information where there is no reason to restrict access to it, although the baseline protections for availability and integrity still apply. This describes all information published to the government web domain that is not protected by access controls (i.e. requiring user login and authentication).
  • In Confidence — for all personal information provided by users through online sites or services. The Privacy Act requires agencies to take reasonable steps to protect that information from unauthorised disclosure or access. Large collections or aggregations of “In Confidence” information, or information that if compromised could cause harm to an individual or organisation, may need to be classified as “Sensitive”.
  • Sensitive — information requiring greater protection than a classification of “In Confidence” (such as sensitive personal information) should not generally be stored on a server connected to the public web. If you are unsure whether to treat information as “Sensitive” consult your IT Security Manager (ITSM) or Chief Information Security Officer (CISO) about additional protection that may be required.
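The outbound filtering mentioned under Step 1, applied to the three classifications listed above, can be illustrated with a small mail-boundary check. This is an added example written for this page, not an agency tool or part of the Protective Security Requirements. It assumes a marking syntax (a subject prefix such as `[IN-CONFIDENCE]` or a header named `X-Protective-Marking`), a constructed internal domain `agency.example`, and a simple policy: Sensitive never leaves via this path, In Confidence is held for review when addressed outside the agency, unmarked mail is held, and Unclassified is allowed. Where header and subject disagree, the higher marking wins.

```python
"""Added example: outbound mail check driven by protective markings.

The header name, subject-prefix syntax, domain and policy are assumptions
for illustration; they are not defined by the guidance this page quotes.
"""
import email
import re
from email.message import Message
from email.utils import getaddresses
from typing import List, Optional, Tuple

# The three web-relevant classifications from the guidance, lowest to highest.
CLASSIFICATIONS = ["UNCLASSIFIED", "IN-CONFIDENCE", "SENSITIVE"]

MARKING_HEADER = "X-Protective-Marking"  # assumed header name
SUBJECT_PREFIX = re.compile(r"^\s*\[(UNCLASSIFIED|IN[- ]CONFIDENCE|SENSITIVE)\]", re.I)
INTERNAL_DOMAIN = "agency.example"  # constructed for the example


def normalise(marking: str) -> str:
    """Canonical form: upper case, spaces replaced by hyphens."""
    return marking.strip().upper().replace(" ", "-")


def extract_marking(msg: Message) -> Optional[str]:
    """Return the effective marking, or None if the message is unmarked.

    Both the header and the subject prefix are consulted; if they disagree,
    the more protective marking is used so a mismatch cannot downgrade mail.
    """
    candidates = []
    hdr = msg.get(MARKING_HEADER)
    if hdr:
        candidates.append(normalise(hdr))
    m = SUBJECT_PREFIX.match(msg.get("Subject", ""))
    if m:
        candidates.append(normalise(m.group(1)))
    candidates = [c for c in candidates if c in CLASSIFICATIONS]
    if not candidates:
        return None
    return max(candidates, key=CLASSIFICATIONS.index)


def recipients(msg: Message) -> List[str]:
    """All To/Cc/Bcc addresses, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def decide(raw: bytes) -> Tuple[str, str]:
    """Decide ALLOW, HOLD or BLOCK for one outbound message (assumed policy)."""
    msg = email.message_from_bytes(raw)
    marking = extract_marking(msg)
    external = [r for r in recipients(msg) if not r.endswith("@" + INTERNAL_DOMAIN)]
    if marking is None:
        return "HOLD", "no protective marking present; route for review"
    if marking == "SENSITIVE":
        return "BLOCK", "SENSITIVE information must not leave via this path"
    if marking == "IN-CONFIDENCE" and external:
        return "HOLD", "IN-CONFIDENCE addressed externally: " + ", ".join(external)
    return "ALLOW", marking


# Constructed sample messages for a stand-alone run.
SAMPLE_SENSITIVE = b"""From: clerk@agency.example
To: partner@other.example
Subject: [SENSITIVE] Case file extract
X-Protective-Marking: SENSITIVE

Attached.
"""

SAMPLE_IN_CONFIDENCE_EXTERNAL = b"""From: clerk@agency.example
To: Someone <person@other.example>
Subject: [In Confidence] Your application

Details follow.
"""

SAMPLE_IN_CONFIDENCE_INTERNAL = b"""From: clerk@agency.example
To: colleague@agency.example
Cc: team@agency.example
Subject: [IN-CONFIDENCE] Your application

Details follow.
"""

SAMPLE_UNMARKED = b"""From: clerk@agency.example
To: partner@other.example
Subject: Meeting notes

See attached.
"""

# Header and subject disagree; the higher marking (SENSITIVE) must win.
SAMPLE_MISMATCH = b"""From: clerk@agency.example
To: colleague@agency.example
Subject: [SENSITIVE] Draft
X-Protective-Marking: IN-CONFIDENCE

Draft.
"""

if __name__ == "__main__":
    for name, raw in [("sensitive", SAMPLE_SENSITIVE),
                      ("in-confidence/external", SAMPLE_IN_CONFIDENCE_EXTERNAL),
                      ("in-confidence/internal", SAMPLE_IN_CONFIDENCE_INTERNAL),
                      ("unmarked", SAMPLE_UNMARKED),
                      ("mismatch", SAMPLE_MISMATCH)]:
        print(name, decide(raw))
```

The choice to hold rather than silently drop unmarked mail matters in practice: an unmarked message is exactly the case the guidance's default templates and signature markings are meant to prevent, and a review queue makes those gaps visible rather than hiding them.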

Step 2 — How to handle the information once classified

Refer to this quick-reference guide to help you understand how to classify information and how it should be handled once classified.

You can seek detailed advice from the Protective Security Requirements, but following the practices indicated in the quick reference should help keep you within the bounds of those documents.

If your practices or processes are different to those outlined in the quick reference, you should get them validated by your ITSM and/or your CISO.

More resources