Procedure for the Classification of Information Security
– [DATE] Page 1 of 7
PROCEDURE FOR THE CLASSIFICATION OF
INFORMATION SECURITY
Procedure Type: Management
Initially Approved: May 28, 2026
Procedure Sponsor: VP Finance & Administration
Last Revised:
Primary Contact: Information Technology Services
Review Scheduled: May 28, 2031
Approver: Executive Leadership Team
A. PROCEDURES
1. OVERVIEW OF CLASSIFICATION
1.1 In accordance with the Information Governance Policy, the privacy or confidentiality of Information Assets must be informed by a security classification. This classification determines the reasonable security measures required to mitigate risks such as unauthorized access, collection, use, disclosure, or destruction of the information.
1.2 Taking reasonable security measures means that Employees must assess what foreseeable risks may impact their Information Assets and then consider what measures may reasonably be implemented to mitigate the identified risks.
1.3 Mount Royal University utilizes a standard four-level classification system to categorize Information Assets based on their sensitivity and the potential injury or harm that would result if the information were compromised.
2. SECURITY CLASSIFICATION LEVELS
2.1 Information Assets can be classified into one of the following four categories based on the sensitivity of the information. If an Information Asset does not clearly fall into a category, Employees should apply the higher level of protection until a determination is made.
Table: Information Security Classification
Columns: Classification; Description; Risk Assessment; Examples.

Public
Description: Applies to Information Assets that are designated as not protected. The public release of this information does not violate confidentiality, does not harm the personal privacy of individuals, and will not result in injury to individuals, the University, or private sector institutions.
Risk Assessment: If compromised or leaked outside the University, no harm will be done.
Examples: Published financial statements, informational web pages, external employment opportunity bulletins, promotional materials, convocation lists, academic calendars, policies, and published research.

Protected A (Limited)
Description: Applies to Information Assets that are not sensitive to disclosure within the University or for limited and authorized external disclosures, but could have impacts if disclosed broadly to the public. This classification applies to information that, if compromised, could cause injury to an individual, organization, or government. This classification would include personal information where there is a low likelihood of a real risk of significant harm arising from the release of the information.
Risk Assessment: Unauthorized release would cause minimal damage to a student, employee, other individuals or the University.
Examples: Internal job postings, internal policy or procedure manuals, minutes from standard meetings, and general planning documents.

Protected B (Confidential)
Description: Applies to Information Assets designated as confidential. This information must be protected from unauthorized disclosure or modification. Unauthorized release could breach personal privacy, discredit the University’s reputation, lessen competitive advantage, or disclose intellectual property. This classification applies where compromise could cause serious injury to an individual or organization. This classification would include personal information where, if a sufficient volume of the personal information were released, there is a possibility of a real risk of significant harm.
Risk Assessment: Unauthorized release could cause serious harm. This category generally applies to information containing personal information (PI), sensitive financial information, or information requiring a specific operational need-to-know.
Examples: Student grades or academic records, employee performance evaluations, salary information, financial transaction records, and personal information such as home addresses or banking details.

Protected C (Highly Confidential / Restricted)
Description: Applies to Information Assets designated as highly confidential. This is the strictest classification, requiring maximum security controls. Unauthorized release would significantly compromise the University’s legal position, decrease competitive advantage, breach personal privacy or cause extremely grave injury. This classification would include personal information where any release of the personal information is likely to lead to a real risk of significant harm.
Risk Assessment: Unauthorized release could cause extremely grave injury to an individual, organization, or government. Access is strictly defined and limited to named individuals due to legal, privacy, or competitive content.
Examples: Legal litigation files, corporate investigation files, sensitive health information, biometric information, highly sensitive research data, IT security credentials, and information belonging to vulnerable individuals.

2.2 In the absence of a label or other explicit identification of an Information Asset’s classification, Employees should assess the information contained within the Information Asset to classify it prior to any access, collection, use, disclosure or destruction. Where an Employee is unsure, they should treat the information as, at minimum, Protected A and seek further direction from the appropriate Departmental Leader.
2.3 The security classification of an Information Asset may change over its lifecycle and require reclassification.
3. RESPONSIBILITY FOR CLASSIFICATION
3.1 The Employee who creates or receives an Information Asset is responsible for assessing its initial security classification.
3.2 When establishing information management practices (as further set out in the Procedure for the Management of Information Assets), Department Leaders are responsible for ensuring that those practices are appropriate given the security classification of the Information Assets addressed within those practices.
3.3 Prior to accessing, collecting, using, disclosing or destroying Information Assets, Employees must consider the security classification of those Information Assets and ensure that appropriate steps are taken to mitigate the risks presented, given the sensitivity of the information contained within those Information Assets.
3.4 Where an information management practice manages Information Assets which are classified as Protected C, the practice should include a process to explicitly inform Employees who may access, collect, use, disclose or destroy the Information Assets that they contain information classified as Protected C. Department Leaders have discretion to direct processes to identify the classification of information processed through any other information management practices at any other classification level.
3.5 Employees should ensure that any Information Asset which contains information classified as Protected C is labelled as containing information classified at this level. This labelling may occur at a system level, where all records contained within a specific system or storage mechanism are identified as potentially containing information classified as Protected C. Employees should refer to established information management practices with respect to labelling for Information Assets classified at any other level. Employees responsible for the ongoing maintenance of Information Assets must periodically review the classification to ensure the Information Asset remains appropriately classified.
4. IDENTIFICATION AND LABELLING
4.1 Where technically and administratively feasible, Information Assets may be labelled or otherwise identified to reflect their security classification. This ensures that any Employee accessing the record is aware of the sensitivity and the required security measures.
4.2 If a specific label is not applied, the Information Asset must be assessed by the Employee using it and managed according to the sensitivity of its content as defined in the Security Classification Levels section above.
5. ACCESS AND SECURITY CONTROLS
5.1 Information Assets must be managed using reasonable security measures proportionate to their classification.
● Public: No special storage requirements; may be published.
● Protected A: Limited to internal use and authorized external disclosures. Access provided to Employees on a "need-to-know" basis for business-related purposes.
● Protected B: Restricted access. Limited to individuals in specific functions or roles. Access provided to Employees on a strict "need-to-know" basis for business-related purposes. Requires measures to prevent unauthorized access, collection, use, disclosure or destruction, such as encryption or secure storage zones.
● Protected C: Highly restricted access. Limited to named individuals. Access provided to Employees on a strict "need-to-know" basis for specific business-related purposes. Requires maximum security controls, including audit trails for access and strict physical or logical segregation.
B. DEFINITIONS
(1) Data: means all recorded information in digital mediums that is collected, created or managed by the University in the course of its operations.
(2) Department: means a faculty within the Academic Division or a department outside of the Academic Division.
(3) Departmental Leader: includes the leader of a department or any other person designated as a Departmental Leader by ELT. As illustration, this includes Vice-Provosts, Deans, Vice-Deans, Associate Vice-Presidents, Directors and Managers.
(4) ELT: means Executive Leadership Team.
(5) Employee: means individuals who are engaged to work for the University under an employment contract, including but not limited to, faculty, staff, exempt, casual and management employees.
(6) Executive Leader: means a member of the ELT who manages a University Division.
(7) Information Assets: means Data or other record containing the University’s information in any form or medium and includes, but is not limited to, notes, emails, letters, images, audiovisual recordings, documents, databases, maps, drawings, photographs, invoices and any other information that is written, photographed, recorded, captured or stored in any manner, but does not include the materials specifically excluded in the Scope of this Policy. The definition includes Data itself, but does not include software or any mechanism that stores, produces or reads the Data.
(8) Official Records: means an Information Asset that is categorized as an Official Record under section 3.5 of the Policy.
(9) Policy: means the Information Governance Policy.
(10) Principles: means the principles for the management of Information Assets set out in the Procedure for the Management of Information Assets.
(11) University: means Mount Royal University.
C. RELATED POLICIES
● Information Governance Policy
● Access to Information Policy
● Privacy Policy
● Information Security Policy
D. RELATED LEGISLATION
● Access to Information Act, SA, 2024, c.A-1.4
● Protection of Privacy Act, SA, 2024, c P-28.5
E. RELATED DOCUMENTS
● Procedure for the Categorization of University Official Records
● Procedure for the Management of Information Assets
● International Standard: ISO 24143 - Information Governance - Concepts and Principles (2022)
F. REVISION HISTORY
Columns: Date (mm/dd/yyyy); Description of Change; Sections; Person who Entered Revision (Position Title); Person who Authorized Revision (Position Title).