Info sec classification

OIST Information classification

OIST Information Assets must be classified into four level listed below upon its determined value, sensitivity, integrity and availability by OIST Information Asset Manager.

OIST Information Asset Manager and its user should identify appropriate systems and services to process the information asset, and how to apply security controls in a manner consistent with the information classification

When information assets of different level of classification are grouped together, highest classification should be applied.

Special note to researchers: Except for regulated data such as protected health information (PHI), Donar information, research data and systems predominately fall into the Public or Internal classification. Review the classification definitions and examples below to determine the appropriate risk level to apply.

Information classification Device access

Information classification definition and sample

Classification Public Internal Confidential Critical
  • Public information is general information with a need to know.
  • All information which does not fall into Internal, Confidential or Strictly confidential
  • Internal information is accessible to all OIST users, but it is not intended for wider publication.
  • Third party may be granted access to this information for business reason from relevant responsible person.
  • Confidential information should be accessible only to OIST users predefined by the data custodian.
  • Protection of the information is required by law or government regulation.
  • In principle, personal information is classified as confidential.
  • Strictly confidential information should be accessible only to small, tightly restricted groups of authorized users

  • The critical can be classified only by President Office, HR or Secretary General.

  • Low risk to privacy and legal liability, but medium reputational risk if publically facing information had unauthorized modification
  • Medium risk of harm to reputation with financial costs, impact on workload.
  • High risk of loss of intellectual property, harm to reputation or legal position with financial costs, loss of personal privacy
  • Very high risk of legal compliance, significant loss of reputation with financial cost, serious impact and disadvantage to funding and commercial interests.
  • Published research data/report (at data custodian’s discretion)
  • General course/program information
  • Publicly available business contact information
  • Publicly available campus maps
  • Policy and procedure manuals
  • Brochures
  • University Prospectus
  • News releases
  • General websites
  • Unpublished research data/ report/ Laboratory notebooks (at data custodian’s discretion)
  • Internal meeting agenda/minutes
  • Routine correspondence
  • Internal policies and procedures
  • Internal Directories
  • Non-personally identifiable information
  • Employee newsletters
  • Purchasing information
  • Non-public vendor contracts
  • Every piece of data at OIST defaults to this classification until it is further classified or permission is granted to public.
  • Intellectual Property (patents)
  • Research Protocols
  • Patient/ donor information
  • Personally Identifiable Information (PII)
  • Personal Health Information (PHI)
  • Credit card information (PCI)
  • Faculty, Student and staff files
  • Visa and passport numbers
  • Legal record
  • Strategic organizational plans
  • Exams
  • Financial documents
  • Procurement / Tender documents
  • Official financial report
  • Passwords
  • Information provided by a third party under a Non-Disclosure Agreement
  • Information identified by government laws and regulation to be treated as confidential
  • Information those disclosure could damage the competitive position of OIST
  • Critically sensitive information
  • Accident report
  • Case files and correspondence surrouding investigations by a Regulatory body
  • Board meeting or sensitive meeting minutes



Any information makes available to the public.

Intended for sharing with OIST stakeholders but not particularly sensitive.
Accessible to OIST users on a need to know basis. 

Subjectto protection under law or government regulation

 - Personal Information Protection Law / 個人情報保護法

 - The Social Security and Tax Number System Law / マイナンバー法

 - Unfair Competition Prevention Act / 不正競争防止法

Very confidential information. Unexpected exposure may result in greatest risk to OIST.

Its should have been classified and managed by Information Asset Manager.

Accessible to a small, tightly restricted groups of authorized users assigned by Information Asset Manager on a need to know basis.


Device access to OIST IT resources, and data handling on the devices

Access to OIST internal system Public Internal Confidential Critical
BYOD upon approval
End user managed client
(Administrative unit)
OIST IT managed client upon approval
Unit managed client
(Research unit)
upon OIST information asset owner's approval
VDI upon approval