
The university is an environment that accumulates both information and processes from its facilities and from the people within it. It is an open space with a large amount of movement: people bring information in and take it out, and those people may be internal to the university or external to it.

In essence, classification allows the organisation to determine the importance of assets relative to each other and to allocate appropriate resources when designing controls. It also reveals underlying dynamics that are hard to recognise without the process of information classification.

As the classification of information is separated into three tiers, it is logical to start from the far ends of the spectrum and work towards the centre. Tier 1: Public Information includes the likes of academic papers, course introduction details and campus news. The key attribute for classifying information into this tier is that the information exists for the sake of circulation (Talbot & Jakeman 2009, p. 89). Impact on the university can be used as a second metric for classifying assets of this tier. As information in this tier is meant for circulation, confidentiality is hardly an issue, but integrity and availability still matter: unauthorised alteration or destruction can cause minor impacts such as confusion and a slight delay in plans (Talbot & Jakeman 2009, p. 93). The low asset value of this tier comes from a low compromise cost and a relatively low re-creation cost (ISO/IEC 27005:2018, p. 32), and this should be considered when designing controls.

Tier 3: Restricted Information contains the assets critical to the university, which may be personal details protected by law, processes that give a competitive edge (ISO/IEC 27005:2018, p. 28), detailed plans for partnerships or operations, and so on. The impacts the university can suffer if a compromise occurs include legal consequences, significant reputational or monetary loss (Talbot & Jakeman 2009, p. 94), loss of competitive edge in the industry and the university being unable to carry out its mission (ISO/IEC 27005:2018, pp. 28-29). For these reasons the asset value of this tier is high, being a combination of original cost and compromise cost (ISO/IEC 27005:2018, p. 32), so the exposure of this tier should be kept as low as possible. The classification places this tier at the centre of control design, as failure to do so may result in damages that overshadow everything else. It is also important to note that information with a low original cost, and without the compromise impact needed to meet the criteria of tier 3 on its own, can still be classified into this tier if other tier 3 information depends on it (ISO/IEC 27005:2018, pp. 34-35).

Sitting between the two ends, Tier 2: Internal Information comprises assets like academic progress reports, non-sensitive meeting reports, enrolment records and the like (Talbot & Jakeman 2009, pp. 93-94). Compromise of these assets may lead to moderate monetary or reputational damage and to delays of plans that cannot be resolved quickly. Tier 2 information needs to circulate in a controlled manner to achieve its business goal (Talbot & Jakeman 2009, p. 88), and it carries the same dependency dynamic as tier 3 information: an asset that tier 2 information depends on must be classified at least as tier 2.
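The dependency dynamic described for tiers 2 and 3 above, where a cheap supporting asset inherits the classification of whatever depends on it, can be made mechanical. The following is an added worked example and is not part of the original assignment or of either cited source; the asset names, base tiers and dependency edges are constructed for illustration, and the only rule applied is the one the text states, carried through transitively so that a chain of dependencies lifts every asset along it.

```python
from dataclasses import dataclass, field

# Tiers as described in the text; a higher number means more sensitive.
PUBLIC, INTERNAL, RESTRICTED = 1, 2, 3
TIER_NAMES = {PUBLIC: "Tier 1: Public",
              INTERNAL: "Tier 2: Internal",
              RESTRICTED: "Tier 3: Restricted"}


@dataclass
class Asset:
    name: str
    base_tier: int                                   # tier from the asset's own impact/value assessment
    depends_on: list = field(default_factory=list)   # names of assets this one relies on


def effective_tiers(assets):
    """Return {name: tier} after propagating classification down dependency edges.

    Rule from the text: if a tier 3 (or tier 2) asset depends on a lower-valued
    asset, the supporting asset is classified at the higher tier as well. It is
    applied transitively, so plan -> directory -> DNS zone lifts the DNS zone.
    """
    by_name = {a.name: a for a in assets}
    # Reverse the graph: supporting asset -> assets that depend on it.
    dependents = {name: [] for name in by_name}
    for a in assets:
        for dep in a.depends_on:
            if dep not in by_name:
                raise KeyError(f"{a.name!r} depends on unknown asset {dep!r}")
            dependents[dep].append(a.name)

    tiers = {a.name: a.base_tier for a in assets}
    # Iterate to a fixed point. Tiers only ever increase and are bounded by
    # RESTRICTED, so this terminates even if the dependency graph has cycles.
    changed = True
    while changed:
        changed = False
        for name in by_name:
            for dependent in dependents[name]:
                if tiers[dependent] > tiers[name]:
                    tiers[name] = tiers[dependent]
                    changed = True
    return tiers


def uplifted(assets):
    """Sorted names of assets whose effective tier exceeds their own assessment.

    These are the dependencies the text says are hard to recognise without
    classification: assets that are cheap to re-create but must now be
    protected as internal or restricted because something valuable relies on them.
    """
    tiers = effective_tiers(assets)
    return sorted(a.name for a in assets if tiers[a.name] > a.base_tier)


def sample_assets():
    # Constructed inventory for illustration, not real university data.
    return [
        Asset("partnership_plan", RESTRICTED, ["ldap_directory", "shared_calendar"]),
        Asset("ldap_directory", INTERNAL, ["dns_zone"]),   # cheap to rebuild, but the plan relies on it
        Asset("shared_calendar", PUBLIC),
        Asset("dns_zone", PUBLIC),                         # two hops away from the restricted plan
        Asset("campus_news", PUBLIC, ["dns_zone"]),        # a public consumer does not lower dns_zone
        Asset("enrolment_records", INTERNAL, ["student_db"]),
        Asset("student_db", INTERNAL),
    ]


if __name__ == "__main__":
    inventory = sample_assets()
    for name, tier in effective_tiers(inventory).items():
        print(f"{name:20} {TIER_NAMES[tier]}")
    print("uplifted by dependency:", uplifted(inventory))
```

Running the example shows the DNS zone, which on its own would be public, ending up restricted because the partnership plan depends on the directory, which depends on the zone. Propagation only flows towards supporting assets: the public campus news site also depends on the DNS zone but neither lowers the zone's tier nor is itself lifted by it.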

The details listed for each tier of classification help to determine the controls necessary, which may be unique to each level. They provide clear objectives that can be achieved through a systematic procedure during the control design phase, and they also highlight dynamics such as asset value dependency that are hard to recognise without asset classification.

References

ISO/IEC 27005:2018, Information technology - Security techniques - Information security risk management, International Organization for Standardization.
Talbot, J & Jakeman, M 2009, Security risk management body of knowledge, Wiley Publishing, Hoboken.
