Information is a valuable resource. Protecting the confidentiality, integrity and availability of information is critical to business operations.
- Confidentiality of information refers to limiting access to information to authorised persons for approved purposes.
- Integrity of information refers to the assurance that information is authentic, correct and valid and can be trusted.
- Availability of information refers to allowing authorised persons to access information for authorised purposes at the time they need to do so.
Each agency must identify information holdings, for example their customer relationship management programs, assess the sensitivity and security classification of information, and implement operational controls for these information holdings proportional to their value, importance and sensitivity.
Process to identify, assess and implement protective controls
Three step process to identify, assess and implement protective controls
Assessing sensitivity and security classified information
As the importance of the information increases, so does the level of control – from few controls for UNOFFICIAL information to very tight controls for TOP SECRET information. The level of damage caused by a compromise of the information confidentiality also increases, as shown in figure below.
Using business impact levels (BIL) to assess sensitive and security classified information
Over-classification
NSW Government agencies are expected to use a DLM or security classification only when there is a clear and justifiable need to do so.
Over-classification can have a range of undesirable outcomes, including:
- unnecessary limitation of public access to information
- unnecessary imposition of extra administrative arrangements and additional cost
- excessively large volumes of protected information, which is harder for an agency to protect
- devaluing protective markings so that they are ignored or avoided by staff, contractors or receiving agencies.
Last updated 16 Dec 2020