Data & Information Security Classification

This reference describes the four levels of security classification that Alberta Gaming, Liquor and Cannabis (AGLC) applies to data and information. Classifying data and information is the first step in ensuring the confidentiality, integrity, trustworthiness, availability and protection of privacy of AGLC data and information. These standards are in alignment with the Government of Alberta (GoA) and the Government of Canada’s information security classification scheme.

Relation to Previous Classification Standard

Some data and information within AGLC may already have a security classification attached to it as a result of the previous Information Security Classification Standard used by AGLC and GoA. The table below maps the categories from the previous standard to the new standard.

Previous Classification Standard | New Classification Standard
Unrestricted | Public (available to employees & public)
Protected | Protected A (available to employees and stakeholders on a need-to-know basis)
Confidential | Protected B (available only to specific functions, groups or roles)
Restricted | Protected C (available to specified positions only)

Below are the four data and information security classification levels used to classify all data and information assets received, created, stored or retained by AGLC.

Data & Information Security Classification Levels

Public

Description: Applies to information assets that will not result in injury to individuals, governments or to private sector institutions; and financial loss will be insignificant.

Example of Risk Impacts:

  • No or minimal impact
  • No or minimal inconvenience if not available
  • No or minimal impact if lost or altered

Protected A

Description: Applies to information assets that, if compromised, could cause injury to an individual, organization or government.

Example of Risk Impacts:

  • Unfair competitive advantage
  • Disruption to business if not available or inaccessible

Protected B

Description: Applies to information assets that, if compromised, could cause serious injury to an individual, organization or government.

Example of Risk Impacts:

  • Loss of reputation or competitive advantage
  • Loss of confidence in the government program
  • Loss of personal or individual privacy
  • Loss of trade secrets or intellectual property
  • Loss of opportunity (e.g., insurance, health coverage)
  • Financial loss

Protected C

Description: Applies to information assets that, if compromised, could cause extremely grave injury to an individual, organization or government.

Example of Risk Impacts:

  • Loss of life
  • Loss of public safety
  • Significant financial loss
  • Compromise of legal system
  • Compromise of Cabinet deliberations
  • Destruction of partnerships and relationships
  • Significant damage
  • Sabotage/terrorism

The above standards apply to all departments defined under schedule 11 section 14(1) of the Government Organization Act.

Storing & Access of Information

AGLC information assets are stored and controlled in a manner consistent with their classification.

Public

Storing Print/Hard Media:

  • No special storage requirements

Storing Digital Files:

  • Cloud Service Information stored in Canada. Exceptions approved by CIO
  • No special storage requirements
  • Regular back-ups to ensure availability and integrity

Access Restrictions:

  • Can be made open to the public and all employees, contractors, sub-contractors and agents
  • Can be published, but does not have to be if it is of no value/interest to the public
  • Determination to publish material is made by the business area

Protected A

Storing Print/Hard Media:

  • Secure location (e.g., locked office, locked file room)

Storing Digital Files:

  • All media under physical and/or logical access control of protected zone (e.g., group authorized access)

Access Restrictions:

  • Authorized access (employees, contractors, sub-contractors and agents) on a “need-to-know” basis for business related purposes

Protected B

Storing Print/Hard Media:

  • Secure location with restricted access
  • Clean desk policy

Storing Digital Files:

  • Cloud Service Information stored in Canada. Exceptions approved by CIO
  • All media under physical and/or logical access control of confidential zone (e.g., authorized access and authenticated access)

Access Restrictions:

  • Limited to individuals in a specific function, group or role

Protected C

Storing Print/Hard Media:

  • Stored in a highly secure zone, with access tracking
  • Clean desk policy
  • Audit trail for all access points (e.g., signatures)

Storing Digital Files:

  • Cloud Service Information stored in Canada. Exceptions approved by the CEO
  • All media under physical and/or logical access control of restricted zone (e.g., single or double authentication, encrypted data, audit and monitoring)

Access Restrictions:

  • Limited to named individuals (positions)

Responsibilities

AGLC employees are responsible for ensuring the security of data and information, and of data and information technology systems.

Acts and Regulations

Government Organization Act
Records Management Regulation