Guidance for classifying information

Use these guidelines to help you classify your information and resources to determine necessary protective measures.

1. Select the information or system to be classified

When do we need to conduct an information classification?

The classification of information should be the basis for the selection of appropriate safeguards in these situations:

  • Prior to processing of personal data.
  • Assessment of how research materials or data are to be handled and thus protected.
  • Current situation assessment or risk analysis of an information system.
  • Procurement, new development or changes to IT systems or infrastructure, such as data storage services.
  • Establishing the security design of an information system.
  • Changes in legal requirements.
  • New information in the organisation.
  • Approval of rules for processing information, such as requirements for encryption of emails and rules for communication by mobile phone.

2. Classifying information based on confidentiality, accuracy and availability

Confidentiality

Base your actions on the consequences that may arise if protection is deficient:

Examples of consequences from deficient protection

Class 1: No consequences
Class 2: Moderate negative impact on one's own or another organisation and its assets or individuals. Limited dissatisfaction, expressed in national and local media. Significant loss of trust by collaborators or members of the public.
Class 3: Significant negative impact on one's own or another organisation and its assets or individuals. Limited dissatisfaction, expressed in national and local media. Significant loss of trust by collaborators or members of the public.
Class 4: Serious negative impact on one's own or another organisation and its assets or individuals. Many dissatisfied collaborators, heated discussions in national media and social media. Serious damage to trust.

 

| Confidentiality | Protection level | Consequence from deficient protection |
|---|---|---|
| What are the consequences of unauthorised access to the data? | K 1: The information is public and does not require protection | No consequences |
| | K 2: The information requires basic protection | Moderate negative impact on one's own or another organisation and its assets or individuals. A few dissatisfied collaborators, comments in social media. Mild loss of trust. |
| | K 3: The information requires a high level of protection | Significant negative impact on one's own or another organisation and its assets or individuals. Limited dissatisfaction, expressed in national and local media. Significant loss of trust by collaborators or members of the public. |
| | K 4: The information requires a very high level of protection | Serious negative impact on one's own or another organisation and its assets or individuals. Many dissatisfied collaborators, heated discussions in national media and social media. Serious damage to trust. |

 

When handling information falling under the Protective Security Act (2018:585) or dual-use items, contact the security officer at the Property Management Office.

Examples of information

Class 1: Publicly published text on Umeå University's website.
Class 2: Information containing personal data, where caution applies when disseminating, sharing or publishing it.
Class 3: Personal data meriting special protection. Other valuable information such as research materials, data, documentation and access logs.
Class 4: Classified information. Sensitive personal data, passwords, crypto keys, firewall rules or research materials especially worthy of protection, law violations, DUP (dual-use items).

Accuracy

Based on the consequences that may arise through inaccuracy:

Possible consequences of inaccuracy

Class 1: No consequences
Class 2: Moderate inconvenience or limited financial loss for individuals, or limited damage to one's own or another organisation.
Class 3: Significant inconvenience or financial loss for individuals, or extensive damage to one's own or another organisation.
Class 4: Severe adverse impact on one's own or another organisation and its assets or individuals, or the cause of widespread inconvenience or financial loss to a large number of individuals. May cause harm to the life or health of individuals.

 

| Question | Protection level | Consequences of inaccuracy |
|---|---|---|
| What can be the consequences if the data is incorrect or out of date? | R 1: The information does not require protection | No consequences |
| | R 2: The necessity of accuracy of the information is moderate | Moderate negative impact on one's own or another organisation and its assets or individuals. A few dissatisfied collaborators, comments in social media. Mild loss of trust. |
| | R 3: The necessity for accuracy of the information is high | Significant negative impact on one's own or another organisation and its assets or individuals. Limited dissatisfaction, expressed in national and local media. Significant loss of trust by collaborators or members of the public. |
| | | Serious negative impact on one's own or another organisation and its assets or individuals. Many dissatisfied collaborators, heated discussions in national media and social media. Serious damage to trust. |

Examples of information

Class 1:
Class 2: General information to external users, internal/external communication via email
Class 3: Research materials, undergraduate–doctoral education student assignments, personnel cases, logs
Class 4: Particularly sensitive research material, data, documentation, passwords, crypto keys, firewall rules

Availability

Based on the consequences that may arise if not available:

Possible consequences of lack of availability

Class 1: No consequences
Class 2: Moderate negative impact on one's own or another organisation and its resources or individuals. A few disgruntled collaborators. Moderate declines in production.
Class 3: Significant negative impact on one's own or another organisation and its resources or individuals. Limited dissatisfaction. Large production declines.
Class 4: Serious negative impact on one's own or another organisation and its resources or individuals. Many dissatisfied collaborators. Very large production declines.

 

 

| Question | Protection level | Consequence of lack of availability |
|---|---|---|
| What could be the consequences if someone (who is authorised) does not have access to the data? | T 1 | No consequences |
| | T 2: Access to the information requires basic protection | System outages have a minor impact on operations. |
| | T 3: Access to information requires a high level of protection | System outages require major re-prioritisation in operations |
| | T 4: Access to information requires a very high level of protection | Loss of data results in very high recovery costs in time and money |

Examples of information

Class 1:
Class 2: Personnel matters, financial data, payroll, logs
Class 3: The University's archive and registry
Class 4: National systems, such as Ladok

Contact

Questions regarding information security

E-mail infosak@umu.se 

Questions regarding IT-security 

Contact Servicedesk 

Legal Affairs Office
3/5/2024