The Standard on Security Categorization took effect on July 1, 2019. It replaced parts of the Security Organization and Administration Standard that was in effect from June 1, 1995 to June 30, 2019. This standard provides details on the requirements set out in subsection 4.3.1.
The procedures and subsections are as follows:

Procedure                                   Subsection
The security categorization process         J.2.2
General security categories                 J.2.3
Information confidentiality categories      J.2.4
J.2.2 The security categorization process is as follows:

1. Examine separately the potential for injury that results from a loss of confidentiality, integrity or availability.

2. Assign security categories as follows:
   a. A single security category that indicates the overall impact of a compromise (see subsection J.2.3); or
   b. Separate security categories that indicate potential impacts of losses of confidentiality, integrity and availability (see subsection J.2.4), as applicable.

3. Apply the following considerations, as appropriate, when assigning a security category:
   a. Confidentiality pertains mainly to information but can also pertain to assets;
   b. The security category of services pertains mainly to their availability but can also pertain to their integrity; and
   c. Assigning a security category for information and assets must also consider the following:
      i. Overall monetary and non-monetary value; and
      ii. The impact that could result from unauthorized destruction, theft or removal;
   d. The security category for information or asset repositories reflects the impact of aggregation, where more significant injury may occur when a group of information resources or assets is compromised;
   e. The security category determines, in part, security requirements and, consequently, needs to balance the risk of injury against the cost of applying safeguards throughout the life cycle of information, assets, facilities or services; and
   f. From a confidentiality standpoint, the security category for information considers the exemption and exclusion criteria of the Access to Information Act and the Privacy Act to ensure that resources are not applied to protect information that can be made public.

J.2.3 General security categories (impact levels) are as follows:
Information, assets and services are categorized as “very high,” “high,” “medium” or “low” impact to reflect the degree of injury that could reasonably be expected as a result of a loss of confidentiality (resulting from unauthorized disclosure), loss of integrity (resulting from unauthorized modification or destruction), or loss of availability (resulting from unauthorized removal or other disruption):
   a. Very high: Applies when a compromise could reasonably be expected to cause severe to exceptionally grave injury;
   b. High: Applies when a compromise could reasonably be expected to cause serious to severe injury;
   c. Medium: Applies when a compromise could reasonably be expected to cause moderate to serious injury; and
   d. Low: Applies when a compromise could reasonably be expected to cause limited to moderate injury.

Information, assets and services are considered non-sensitive if no injury would result from their compromise. For the purpose of assigning a security category, such information, assets and services can be assigned an impact level of “low.”

J.2.4 Information confidentiality categories are as follows:
1. Classified: Information is categorized as “classified” (that is, “Confidential,” “Secret” or “Top Secret”) when unauthorized disclosure could reasonably be expected to cause injury to the national interest:
   a. Top Secret: Applies to the very limited amount of information when unauthorized disclosure could reasonably be expected to cause exceptionally grave injury to the national interest;
   b. Secret: Applies to information when unauthorized disclosure could reasonably be expected to cause serious injury to the national interest; and
   c. Confidential: Applies when unauthorized disclosure could reasonably be expected to cause limited or moderate injury to the national interest.

2. Protected: Information is categorized as “Protected A,” “Protected B” or “Protected C” when unauthorized disclosure could reasonably be expected to cause injury outside of the national interest:
   a. Protected C: Applies to the very limited amount of information when unauthorized disclosure could reasonably be expected to cause extremely grave injury outside the national interest, for example, loss of life;
   b. Protected B: Applies to information when unauthorized disclosure could reasonably be expected to cause serious injury outside the national interest, for example, loss of reputation or competitive advantage; and
   c. Protected A: Applies to information when unauthorized disclosure could reasonably be expected to cause limited or moderate injury outside the national interest, for example, disclosure of an exact salary figure.