Policy for Classification of Information Assets
Norwegian version - Retningslinje for klassifisering av informasjonsverdier
- Document type: Topic-specific policy
- Managed by: Head of IT Division
- Approved by: Director of Organization and Infrastructure
- Valid from: 01.10.2025
- Next revision within: 01.10.2027
- Classification: No
- Reference ISO: ISO 27002:2022 5.9, 5.10, 5.12, 5.13, 8.12
- Reference NSM's principles for ICT security: 2.7.5
- Reference law/rule: Act relating to national security (Security Act) (Sikkerhetsloven), Act relating to the processing of personal data (The Personal Data Act) (Personvernloven), Sikkerhetsinstruksen (The Safety Instruction)
- Reference internal documents: Policy for Information Security
Purpose
The purpose of classifying information is to have an overview of the information assets managed by NTNU.
Applies to
This policy applies to all individuals who have access to, process and manage information at NTNU, including through NTNU's information systems, services, and equipment (NTNU's IT infrastructure).
Roles and responsibilities
Information security work affects the organization at all levels. Responsibility and authority for information security follow the regular line management structure. All roles associated with the management system are defined in the Information Security Policy.
For the Policy for Classification of Information, line managers, project managers, and system owners have key roles with corresponding responsibilities.
General principles
- To meet the requirements for proper handling of information assets, information objects produced and managed by NTNU should be classified.
- The classification of information produced or accessed within an ICT system or process establishes requirements for securing the ICT system and the workflow involving the use, transport, or storage of the information.
Value Assessment and Classification
An information value is information that we, as individuals, as NTNU, or as society, want to protect. Information values can be divided into primary information values (the information itself) and secondary information values (the premises, systems, and individuals that handle and store the information).
a. Information stored and produced at NTNU should undergo a value assessment. This involves determining the value of the object for NTNU and other stakeholders. Examples of information values at NTNU include:
- Research – valuable to NTNU as a university, to researchers, and potentially to society.
- Documentation – system documentation, plans, etc.
- Systems – some systems are valuable because we depend on them to perform our work, while others are used to store valuable data.
- Personal data – this is not valuable to NTNU, but it is valuable to the individuals involved. As a result, NTNU is required to store personal data in a specific manner.
- Physical areas – labs, archive rooms, server rooms, etc., where information and research are created, processed, and stored.
b. Based on the value assessment, the information object is classified according to internal and external requirements for confidentiality, integrity, and availability.
- Confidentiality implies access control, which means ensuring that information and information systems are only accessible to those with a legitimate need.
- Integrity means ensuring that information is accurate, valid, and complete, and cannot be unintentionally or maliciously modified.
- Ensuring availability means that information and information systems are available within the specified availability requirements.
c. The requirements for accurate classification of information values come from various parties and have different goals:
- Have an overview of the values possessed by NTNU.
- Determine which information/system/object is most important for achieving NTNU's goals, complying with applicable regulations, and fulfilling contractual agreements.
- Prioritize information and IT systems in the event of limited capacity.
- Simplify the process of building an efficient and cost-effective information architecture.
Classification in Practice
Data and information processed at NTNU require varying levels of protection. All information and data must be classified with regard to confidentiality in order to select the appropriate tools and infrastructure. Integrity is also important to ensure that data/information is accurate and not altered by mistake. Availability is often the most critical aspect for system owners, who are responsible for the systems themselves, to ensure they function properly. In practice, the integrity and availability of data will be well maintained if you use one of the solutions presented in the Storage Guide.
Availability Assessment
| Classification | Level | Description |
|---|---|---|
| Very High | 4 | The information value affects the core operations and is critical for the function of the university. |
| High | 3 | The information value affects departments, sections, or shared functions, but not the overall functioning of the university. |
| Moderate | 2 | The information value affects only certain isolated systems, services, or functions. |
| Low | 1 | The information value is isolated and only affects a single system, service, or a small number of users, and has no impact on the functioning of the university or important functions. |
Integrity Assessment
| Classification | Level | Description | Examples |
|---|---|---|---|
| Very High | 4 | It is critical that authentic and valid information is delivered. Unintentional or intentional misinformation could lead to misjudgments or decisions with fatal consequences. Errors in the information can result in loss of life, such as incorrect patient treatment or faulty construction in buildings. Breaches can result in corrupt data in central systems, leading to extensive consequential errors and subsequent significant loss of materials produced at NTNU. | Errors in health records may result in loss of life; errors in building plans or foundational infrastructure documentation; errors in risk assessments of critical importance |
| High | 3 | The user of the information relies on it being authentic and valid. Unintentional or intentional misinformation could lead to misjudgments or decisions that could cause significant financial loss, damage to the reputation, or other harm to NTNU, individuals, or partners. | Master data; research data and publications where authenticity is critically important; errors in personal data of special categories |
| Moderate | 2 | The user of the information expects it to be authentic and valid. Errors in the information can result in moderate financial damages and/or reputational damage to NTNU, individuals, or partners. | Errors in personal data |
| Low | 1 | Errors do not affect decision-making processes. | Working documents where errors in the information do not have negative consequences in the decision-making processes of those using the information |
Confidentiality Assessment
| Classification | Level | Description | Examples |
|---|---|---|---|
| Strictly Confidential | 4 | Strictly confidential is used when the disclosure of information to unauthorized individuals could cause significant harm to public interests, NTNU, individuals, or partners. The information should only be accessible to employees with strictly controlled rights who have a legitimate need for this information to perform assigned tasks. | Large volumes* of special category ("sensitive") personal data; large volumes* of health data; research data and datasets of high economic value; directly identifiable health data in medical and health-related research |
| Confidential | 3 | Confidential is used when the disclosure of information to unauthorized individuals could harm public interests, NTNU, individuals, or partners. The information should only be accessible to employees with controlled rights who have a legitimate need for this information to perform assigned tasks. | Special categories of personal data, including health data, confidential information, and trade secrets; knowledge/research subject to export control; personnel files; certain information about infrastructure (e.g., building security and ICT systems) |
| Internal | 2 | Internal is used for information whose access is limited to employees carrying out assigned tasks. The information may be accessible to external parties with controlled access rights. | Internal case documents; working documents; information exempt from public disclosure; various types of personal data (national ID number, name, email address, employee ID, employment details, etc.); various types of research data during project phases (unpublished work and research data); grades; exam submissions |
| Open | 1 | Open information is accessible to everyone without specific access rights. Information that does not harm anyone or anything and is available to all. | Open source information; public websites; course overviews and content; published research |
*You must assess what constitutes large volumes of data in your work based on context, quantity, and type of data.
Labelling Requirements
- Use sensitivity labeling with tags/labels on documents and emails when the information requires a high level of confidentiality (internal, confidential, strictly confidential, and restricted according to the Security Act).
- Use appropriate professional systems or tools to process, store, and manage the information securely and efficiently, in line with the system owner's recommendations.