Data.NSW

Assessing information for its security classification and sensitivity

Information is a valuable resource. Protecting the confidentiality, integrity and availability of information is critical to business operations.

  • Confidentiality of information refers to limiting access to information to authorised persons for approved purposes.
  • Integrity of information refers to the assurance that information is authentic, correct and valid and can be trusted.
  • Availability of information refers to allowing authorised persons to access information for authorised purposes at the time they need to do so.

Each agency must identify information holdings, for example their customer relationship management programs, assess the sensitivity and security classification of information, and implement operational controls for these information holdings proportional to their value, importance and sensitivity (see steps below).

Note: The person or agency responsible for generating, preparing or actioning information is called the originator.

Three step process to identify, assess and implement protective controls

Identify information holdings

The originator must determine whether the information being generated is official information (intended for use as an official record) and, if so, whether that information is sensitive or security classified.

Assess the sensitivity and security classification of information holdings

To decide which security classification to apply, the originator must:

  • assess the value, importance, or sensitivity of official information by considering the potential damage to government, national interest, organisations, or individuals, if the information’s confidentiality was compromised
  • set the security classification at the lowest reasonable level.

The originator must mark the information with the OFFICIAL: Sensitive prefix if:

  • a security classification does not apply
  • compromise of the information’s confidentiality may result in limited damage to an individual, organisation or government.

Implement operational controls

Operational controls change depending upon the sensitivity or security classification of the information. Operational controls include limiting user access and controlling how the information is transmitted or handled.
Assessing sensitivity and security classified information

As the importance of the information increases, so does the level of control – from few controls for UNOFFICIAL information to very tight controls for TOP SECRET information. The level of damage caused by a compromise of the information’s confidentiality also increases, as shown below.

Using business impact levels (BIL) to assess sensitive and security classified information

Figure 2: Business impact levels (BIL) used to assess sensitive and security classified information.

Over-classification

NSW Government agencies are expected to use a dissemination limiting marker (DLM) or security classification only when there is a clear and justifiable need to do so.

Over-classification can have a range of undesirable outcomes, including:

  • unnecessary limitation of public access to information
  • unnecessary imposition of extra administrative arrangements and additional cost
  • excessively large volumes of protected information, which is harder for an agency to protect
  • devaluing protective markings so that they are ignored or avoided by staff, contractors or receiving agencies.