Information Classification Policy
I. Purpose:
The purpose of this policy is to ensure workforce members responsible for technology asset ownership and support establish and control the level of potential risk and adverse impacts to technology assets by classifying the technology asset using a consistent citywide approach.
II. Applicability and Audience
A. Users
This policy applies to all City of Olympia Workforce Members responsible for technology asset ownership and support.
B. Technology Assets
This policy applies to all City of Olympia technology assets.
C. Exceptions
Requests for exceptions to this policy must follow the Information Services information security policy exceptions handling process. Please open a ticket with the service desk to request a policy exception.
III. Definitions
All definitions are contained within the City of Olympia Information Security Policy and Standards Glossary.
IV. Policy
A. Impact and Classification
Understanding the sensitivity of and potential impact to technology assets is key to managing risk and applying appropriate controls.
1. Technology assets must be managed in compliance with the IT Asset Management Policy which includes identifying the classification and impact of the asset. Technology asset owners are required to determine and document the impact and classification of their assets for inclusion in the asset management system(s) of record defined in the asset management standards developed by the Information Services.
2. Technology asset and support owners are responsible for prioritizing and implementing protections and security controls using Impact and Classifications as determined by the Technology Asset Owner.
3. Impact must be determined using the following table (for purposes of determining impact, low impact includes no impact) by selecting either Low, Moderate, or High impact. Only one value should be selected overall for impacts to confidentiality, integrity, and availability. For example, if low and moderate impacts to confidentiality and integrity are possible but the possible impacts to availability are high, the Impact overall would be selected as high.
|
|
Impact |
||
|---|---|---|---|
|
Objective |
Low |
Moderate |
High |
|
Confidentiality Preventing unauthorized information access and disclosure, including preserving privacy and proprietary information. |
An unauthorized disclosure of information or data could have a negative effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals. |
An unauthorized disclosure of information or data could have a serious adverse effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals. |
An unauthorized disclosure of information or data could have a severe or catastrophic adverse effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals. |
|
Integrity Protecting against unauthorized modification or destruction of information and includes ensuring information non- repudiation and authenticity. |
An unauthorized modification or destruction of information or data could have a negative effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals. |
An unauthorized modification or destruction of information or data could have a serious adverse effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals. |
An unauthorized modification or destruction of information or data could have a severe or catastrophic adverse effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals. |
|
Availability Ensuring timely and reliable access to and use of information |
A disruption of access to or use of information, data, or system could have a negative effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals. |
A disruption of access to or use of information, data, or system could have a serious adverse effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals. |
A disruption of access to or use of information, data, or system could have a severe or catastrophic adverse effect on strategic objectives, operations, assets, finance, compliance, safety, reputation, or individuals. |
4. Classification must be determined using the following table:
|
Classification |
|||
|---|---|---|---|
|
Category 1 |
Category 2 |
Category 3 |
Category 4 |
|
Public Information |
Sensitive Information |
Confidential Information |
Confidential Information Requiring Special Handling |
|
Public information is information that can be or currently is released to the public. It does not need protection from unauthorized disclosure but may need integrity and availability protection controls. |
Sensitive information may not be specifically protected from disclosure by law and is for official use only (FOUO). Sensitive information is generally not released to the public unless specifically requested. Sensitive or higher classification information may have been designated by third parties (e.g., federal government) using schemes like the Traffic Light Protocol (TLP) or other designation schemes. |
Confidential information is information that is specifically protected from either release or disclosure by law. This includes, but is not limited to personal information as defined in RCW 42.56.230 and RCW 19.255.10, information about public employees as defined in RCW 42.56.250, information about infrastructure and the security of computer and telecommunication networks as defined in RCW 42.56.420(4). |
Confidential information requiring special handling is information that is specifically protected from disclosure by law and for which especially strict handling requirements are dictated, such as by statutes, regulations, or contractual agreements. Serious consequences could arise from unauthorized disclosure such as threats to health and safety, or legal sanctions. |
|
Examples: Olympia Municipal Code Real Property Information Recreation Program Schedules |
Examples: Purchase Requests or Preliminary Budget Documentation Email Communications not covered by a disclosure exemption Non-essential non- archival day to day administrative files used by non- elected, non- executive, non- department directors |
Examples: Application for Public Employment Network Infrastructure Diagram Usernames and Passwords used to access City of Olympia technology assets Personally Identifiable Information or PII |
Examples: Protected Health Information as defined by the Health Insurance Portability and Accountability Act (HIPAA) Criminal Justice Information as defined by the Criminal Justice Information Services Security Policy 911 Computer Aided Dispatch System |
5. Changes to classification levels during the lifecycle of technology assets can be made by the asset owner as necessary to comply with federal, state, or local law. If you have any questions or concerns about changing classification levels or disclosing information, please contact your department Records Coordinator or the City of Olympia Public Records Program.
B. Data Asset and Information Protection
Data Asset owners are responsible for ensuring data assets are protected in accordance with the Data Security Policy.
1. Data Asset Owners must develop a classification map or training document for workforce members accessing data assets classified as category 3 or higher. (See example below in Section D).
2. Information Services is responsible for providing enterprise technology solutions that support labeling or specifying the information classification of electronic records (e.g., Word and PDF documents, email messages) where possible.
3. Data asset owners are responsible for labeling solutions for physical records.
4. Classification maps and labeling schemes must be approved by the City of Olympia Public Records Program in the City Clerk’s office and should be limited to the program level or higher within a department in order to reduce complexity and administrative overhead. Cross departmental classification schemes are acceptable where needed.
5. Classification (e.g., labels, tags in asset management database, documentation about the asset) must be applied to all information and data assets classified as category 3 or higher.
6. All City of Olympia customer information and personally identifiable information must be classified as Category 3 or higher unless otherwise determined by state or federal law, Olympia Municipal Code, City of Olympia Policy, or a legal opinion provided by the City Attorney’s Office.
7. Data Asset Owners and Custodians are required to ensure that workforce members are trained to manage and protect information and data assets in accordance with its classification and impact.
C. Reclassification
Technology asset owners shall reevaluate classification and impact of assets as needed to update classification and impact procedures based on changes such as legal and contractual obligations or changes in the use of the asset.
D. Example

V. Implementation Plan
This policy becomes effective for Citywide use on the date that it is signed by the City Manager. All new technology implementations and new material changes to existing technology implementations must ensure compliance with this policy as of the effective date. All other technology implementations must be brought into compliance within four years after the effective date.
VI. Maintenance
A. This policy will be maintained by Information Services. This includes, but may not be limited to:
1. Interpretation of this policy
2. Ensuring this policy content is kept current
3. Recommending updates to this policy and related resources
4. Developing an escalation and mitigation process if an Organization is not in compliance
5. Assisting Organizations to understand how to comply with this policy
6. Monitoring annual compliance by Organizations
B. This policy will automatically expire five (5) years after its effective date. A new, revised, or renewed policy will be initiated by Information Services prior to the expiration date.
VII. Consequences for Noncompliance
Violations of this policy may be grounds for disciplinary action, up to and including termination and enforcement action which may include civil or criminal charges.
VIII. Appendix A: References
• RCW 19.255.10
• RCW 42.56.070(8)
• RCW 42.56.250
• RCW 42.56.420(4)
• RCW 42.56.230
• Information Security Policy and Standards Glossary
IX. Appendix B: Relevant Compliance Requirements
This section provides references to key regulations and standards that apply to City of Olympia. This section does not replace the authoritative source and is just a reference to assist with further research. Please use the Compliance Standard and Section No. to further research the entirety of the regulation, framework or standard from the authoritative source.
|
Compliance Standard |
Section No. |
Description |
|---|---|---|
|
HIPAA |
Security Standards for the Protection of Electronic Protected Health Information |
|
|
|
164.308(a)(1)(ii)(A) |
Risk Analysis |
|
|
164.308(a)(7)(ii)(E) |
Applications and Data Criticality Analysis |
|
CJIS Policy v5.9 |
5.1.1.1 |
Information Handling |
|
|
5.2.1 |
Basic Security Awareness Training |
|
PCI DSS v3.2.1 |
9.6.1 |
Classify media so the sensitivity of the data can be determined. |
|
NIST CSF |
ID.AM(5) |
Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value. |
|
|
ID.RA |
Risk Assessment |
|
NIST 800-53r5 |
AC-16 |
Security and Privacy Attributes |
|
|
AC-21 |
Information Sharing |
|
|
RA-2 |
Security Categorization |
|
CIS Controls v7.1 |
13 |
Data Protection |
History: New August 2023.