Info sec classification

OIST Information classification

OIST Information Assets must be classified into one of the four levels listed below, based on their value, sensitivity, integrity and availability as determined by the OIST Information Asset Manager.

The OIST Information Asset Manager and its users should identify appropriate systems and services to process the information asset, and decide how to apply security controls in a manner consistent with its information classification.

When information assets of different levels of classification are grouped together, the highest classification should be applied.

Special note to researchers: Except for regulated data such as protected health information (PHI) and donor information, research data and systems predominantly fall into the Public or Internal classification. Review the classification definitions and examples below to determine the appropriate risk level to apply.

Information classification: definitions and examples

The four classification levels are Public, Internal, Confidential and Critical. For each level, the description, risks, examples and memo are given below.

Classification: Public

Description
  • Public information is general information with a need to know.
  • All information which does not fall into Internal, Confidential or Strictly confidential.

Risks
  • Low risk to privacy and legal liability, but medium reputational risk if publicly facing information is modified without authorization.

Examples
  • Published research data/report (at data custodian’s discretion)
  • General course/program information
  • Publicly available business contact information
  • Publicly available campus maps
  • Policy and procedure manuals
  • Brochures
  • University Prospectus
  • News releases
  • General websites

Memo
  Any information made available to the public.

Classification: Internal

Description
  • Internal information is accessible to all OIST users, but it is not intended for wider publication.
  • Third parties may be granted access to this information for business reasons by the relevant responsible person.

Risks
  • Medium risk of harm to reputation, with financial costs and impact on workload.

Examples
  • Unpublished research data/report/laboratory notebooks (at data custodian’s discretion)
  • Internal meeting agenda/minutes
  • Routine correspondence
  • Internal policies and procedures
  • Internal directories
  • Non-personally identifiable information
  • Employee newsletters
  • Purchasing information
  • Non-public vendor contracts
  • Every piece of data at OIST defaults to this classification until it is further classified or permission is granted to make it public.

Memo
  Intended for sharing with OIST stakeholders but not particularly sensitive.

Classification: Confidential

Description
  • Confidential information should be accessible only to OIST users predefined by the data custodian.
  • Protection of the information is required by law or government regulation.
  • In principle, personal information is classified as Confidential.

Risks
  • High risk of loss of intellectual property, harm to reputation or legal position with financial costs, and loss of personal privacy.

Examples
  • Intellectual Property (patents)
  • Research Protocols
  • Patient/donor information
  • Personally Identifiable Information (PII)
  • Personal Health Information (PHI)
  • Credit card information (PCI)
  • Faculty, Student and staff files
  • Visa and passport numbers
  • Legal records
  • Strategic organizational plans
  • Exams
  • Financial documents
  • Procurement / Tender documents
  • Official financial report
  • Passwords
  • Information provided by a third party under a Non-Disclosure Agreement
  • Information identified by government laws and regulation to be treated as confidential
  • Information whose disclosure could damage the competitive position of OIST

Memo
  Accessible to OIST users on a need-to-know basis.

  Subject to protection under law or government regulation:

   - Personal Information Protection Law / 個人情報保護法

   - The Social Security and Tax Number System Law / マイナンバー法

   - Unfair Competition Prevention Act / 不正競争防止法

Classification: Critical

Description
  • Strictly confidential information should be accessible only to small, tightly restricted groups of authorized users.
  • Critical information can be classified only by the President Office, HR or the Secretary General.

Risks
  • Very high legal compliance risk, significant loss of reputation with financial cost, and serious impact and disadvantage to funding and commercial interests.

Examples
  • Critically sensitive information
  • Accident reports
  • Case files and correspondence surrounding investigations by a Regulatory body
  • Board meeting or sensitive meeting minutes

Memo
  Very confidential information. Unexpected exposure may result in the greatest risk to OIST.

  It should be classified and managed by the Information Asset Manager.

  Accessible to small, tightly restricted groups of authorized users assigned by the Information Asset Manager on a need-to-know basis.

 

Device access to OIST IT resources, and data handling on the devices

Access to OIST internal systems, by information classification (Public, Internal, Confidential, Critical):

  • BYOD: upon approval
  • End user managed client (Administrative unit)
  • OIST IT managed client: upon approval
  • Unit managed client (Research unit): upon OIST information asset owner's approval
  • VDI: upon approval