Information Classification Policy

I. Purpose:

The purpose of this policy is to ensure workforce members responsible for technology asset ownership and support establish and control the level of potential risk and adverse impacts to technology assets by classifying the technology asset using a consistent citywide approach.

II. Applicability and Audience

A.    Users

This policy applies to all City of Olympia Workforce Members responsible for technology asset ownership and support.

B.    Technology Assets

This policy applies to all City of Olympia technology assets.

C.    Exceptions

Requests for exceptions to this policy must follow the Information Services information security policy exceptions handling process. Please open a ticket with the service desk to request a policy exception.

III. Definitions

All definitions are contained within the City of Olympia Information Security Policy and Standards Glossary.

IV. Policy

A.    Impact and Classification

Understanding the sensitivity of and potential impact to technology assets is key to managing risk and applying appropriate controls.

1.    Technology assets must be managed in compliance with the IT Asset Management Policy which includes identifying the classification and impact of the asset. Technology asset owners are required to determine and document the impact and classification of their assets for inclusion in the asset management system(s) of record defined in the asset management standards developed by the Information Services.

2.    Technology asset and support owners are responsible for prioritizing and implementing protections and security controls using Impact and Classifications as determined by the Technology Asset Owner.

3.    Impact must be determined using the following table (for purposes of determining impact, low impact includes no impact) by selecting either Low, Moderate, or High impact. Only one value should be selected overall for impacts to confidentiality, integrity, and availability. For example, if low and moderate impacts to confidentiality and integrity are possible but the possible impacts to availability are high, the Impact overall would be selected as high.

 

Impact

Objective

Low

Moderate

High

Confidentiality Preventing unauthorized information access and disclosure, including preserving privacy and proprietary information.

An unauthorized disclosure of information or data could have a negative effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals.

An unauthorized disclosure of information or data could have a serious adverse effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals.

An unauthorized disclosure of information or data could have a severe or catastrophic adverse effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals.

Integrity Protecting against unauthorized modification or destruction of information and includes ensuring information non- repudiation and authenticity.

An unauthorized modification or destruction of information or data could have a negative effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals.

An unauthorized modification or destruction of information or data could have a serious adverse effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals.

An unauthorized modification or destruction of information or data could have a severe or catastrophic adverse effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals.

Availability Ensuring timely and reliable access to and use of information

A disruption of access to or use of information, data, or system could have a negative effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals.

A disruption of access to or use of information, data, or system could have a serious adverse effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals.

A disruption of access to or use of information, data, or system could have a severe or catastrophic adverse effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals.

4.    Classification must be determined using the following table:

Classification

Category 1

Category 2

Category 3

Category 4

Public Information

Sensitive Information

Confidential Information

Confidential Information Requiring Special Handling

Public information is information that can be or currently is released to the public. It does not need protection from unauthorized disclosure but may need integrity and availability protection controls.

Sensitive information may not be specifically protected from disclosure by law and is for official use only (FOUO). Sensitive information is generally not released to the public unless specifically requested.

Sensitive or higher classification information may have been designated by third parties (e.g., federal government) using schemes like the Traffic Light Protocol (TLP) or other designation schemes.

Confidential information is information that is specifically protected from either release or disclosure by law. This includes, but is not limited to personal information as defined in RCW 42.56.230 and RCW 19.255.10, information about public employees as defined in RCW 42.56.250, information about infrastructure and the security of computer and telecommunication networks as defined in RCW 42.56.420(4).

Confidential information requiring special handling is information that is specifically protected from disclosure by law and for which especially strict handling requirements are dictated, such as by statutes, regulations, or contractual agreements.

Serious consequences could arise from unauthorized disclosure such as threats to health and safety, or legal sanctions.

Examples:

Olympia Municipal Code

Real Property Information

Recreation Program Schedules

Examples:

Purchase Requests or

Preliminary Budget Documentation

Email Communications not covered by a disclosure exemption

Non-essential non- archival day to day administrative files used by non- elected, non- executive, non- department directors

Examples:

Application for Public Employment

Network Infrastructure Diagram

Usernames and Passwords used to access City of Olympia technology assets

Personally Identifiable Information or PII

Examples:

Protected Health Information as defined by the Health Insurance Portability and Accountability Act (HIPAA)

Criminal Justice Information as defined by the Criminal Justice Information Services Security Policy

911 Computer Aided Dispatch System

5.    Changes to classification levels during the lifecycle of technology assets can be made by the asset owner as necessary to comply with federal, state, or local law. If you have any questions or concerns about changing classification levels or disclosing information, please contact your department Records Coordinator or the City of Olympia Public Records Program.

B.    Data Asset and Information Protection

Data Asset owners are responsible for ensuring data assets are protected in accordance with the Data Security Policy.

1.    Data Asset Owners must develop a classification map or training document for workforce members accessing data assets classified as category 3 or higher. (See example below in Section D).

2.    Information Services is responsible for providing enterprise technology solutions that support labeling or specifying the information classification of electronic records (e.g., Word and PDF documents, email messages) where possible.

3.    Data asset owners are responsible for labeling solutions for physical records.

4.    Classification maps and labeling schemes must be approved by the City of Olympia Public Records Program in the City Clerk’s office and should be limited to the program level or higher within a department in order to reduce complexity and administrative overhead. Cross departmental classification schemes are acceptable where needed.

5.    Classification (e.g., labels, tags in asset management database, documentation about the asset) must be applied to all information and data assets classified as category 3 or higher.

6.    All City of Olympia customer information and personally identifiable information must be classified as Category 3 or higher unless otherwise determined by state or federal law, Olympia Municipal Code, City of Olympia Policy, or a legal opinion provided by the City Attorney’s Office.

7.    Data Asset Owners and Custodians are required to ensure that workforce members are trained to manage and protect information and data assets in accordance with its classification and impact.

C.    Reclassification

Technology asset owners shall reevaluate classification and impact of assets as needed to update classification and impact procedures based on changes such as legal and contractual obligations or changes in the use of the asset.

D.    Example

V. Implementation Plan

This policy becomes effective for Citywide use on the date that it is signed by the City Manager. All new technology implementations and new material changes to existing technology implementations must ensure compliance with this policy as of the effective date. All other technology implementations must be brought into compliance within four years after the effective date.

VI. Maintenance

A.    This policy will be maintained by Information Services. This includes, but may not be limited to:

1.    Interpretation of this policy

2.    Ensuring this policy content is kept current

3.    Recommending updates to this policy and related resources

4.    Developing an escalation and mitigation process if an Organization is not in compliance

5.    Assisting Organizations to understand how to comply with this policy

6.    Monitoring annual compliance by Organizations

B.    This policy will automatically expire five (5) years after its effective date. A new, revised, or renewed policy will be initiated by Information Services prior to the expiration date.

VII. Consequences for Noncompliance

Violations of this policy may be grounds for disciplinary action, up to and including termination and enforcement action which may include civil or criminal charges.

VIII. Appendix A: References

•    IT Asset Management Policy

•    RCW 19.255.10

•    RCW 42.56.070(8)

•    RCW 42.56.250

•    RCW 42.56.420(4)

•    RCW 42.56.230

•    Information Security Policy and Standards Glossary

IX. Appendix B: Relevant Compliance Requirements

This section provides references to key regulations and standards that apply to City of Olympia. This section does not replace the authoritative source and is just a reference to assist with further research. Please use the Compliance Standard and Section No. to further research the entirety of the regulation, framework or standard from the authoritative source.

Compliance Standard

Section No.

Description

HIPAA

45 CFR 164 Subpart C

Security Standards for the Protection of Electronic Protected Health Information

 

164.308(a)(1)(ii)(A)

Risk Analysis

 

164.308(a)(7)(ii)(E)

Applications and Data Criticality Analysis

CJIS Policy v5.9

5.1.1.1

Information Handling

 

5.2.1

Basic Security Awareness Training

PCI DSS v3.2.1

9.6.1

Classify media so the sensitivity of the data can be determined.

NIST CSF

ID.AM(5)

Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.

 

ID.RA

Risk Assessment

NIST 800-53r5

AC-16

Security and Privacy Attributes

 

AC-21

Information Sharing

 

RA-2

Security Categorization

CIS Controls v7.1

13

Data Protection

History: New August 2023.