Appendix 8.2 Minimum descriptive metadata for managing and preserving security classified records

  • 1 Security classification
  • 2 Classification authority
  • 3 Eligible date for downgrading and declassification
  • 4 Reclassification/declassification date
  • 5 Reclassification/declassification authority
  • 6 Eligible date for public disclosure
  • 7 Public disclosure date
  • 8 Public disclosure authority
  • 9 Withheld date (if applicable)
  • 10 Reasons for withholding (if applicable)
  • 11 Audit trail of persons who accessed the information/document
  • 12 Version history
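The twelve fields above are only a list; what makes them useful in practice is that some of them depend on each other (a withheld date without a recorded reason, or a disclosure date earlier than the declassification it follows, is a recordkeeping defect). The following Python is an added illustration, not part of the appendix: it models the twelve fields and checks the pairings and orderings a custodian would want enforced. The field names, the pairing and ordering rules, the append-only audit-trail shape and the sample records are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Added example (not part of the appendix): an in-memory model of the twelve
# metadata fields in Appendix 8.2 plus a consistency check. Field names, the
# pairing/ordering rules and the audit-trail shape are assumptions for
# illustration, not requirements stated by the appendix.


@dataclass(frozen=True)
class AccessEvent:
    """One entry in the audit trail (field 11): who touched the record and when."""
    who: str
    when: date
    action: str  # e.g. "view", "print", "copy"


@dataclass
class SCRMetadata:
    security_classification: str                       # 1
    classification_authority: str                      # 2
    eligible_downgrade_date: Optional[date] = None     # 3
    reclassification_date: Optional[date] = None       # 4
    reclassification_authority: Optional[str] = None   # 5
    eligible_disclosure_date: Optional[date] = None    # 6
    public_disclosure_date: Optional[date] = None      # 7
    public_disclosure_authority: Optional[str] = None  # 8
    withheld_date: Optional[date] = None               # 9
    reasons_for_withholding: Optional[str] = None      # 10
    audit_trail: List[AccessEvent] = field(default_factory=list)  # 11
    version_history: List[str] = field(default_factory=list)      # 12

    def record_access(self, who: str, when: date, action: str) -> None:
        """Append-only: callers get no API to edit or drop earlier entries."""
        self.audit_trail.append(AccessEvent(who, when, action))


def validate(m: SCRMetadata) -> List[str]:
    """Return the list of consistency problems found; an empty list means OK."""
    problems: List[str] = []
    if not m.security_classification:
        problems.append("field 1: security classification missing")
    if not m.classification_authority:
        problems.append("field 2: classification authority missing")
    # Assumed rule: any recorded decision must name the authority that made it.
    if m.reclassification_date and not m.reclassification_authority:
        problems.append("field 5: reclassification recorded without an authority")
    if m.public_disclosure_date and not m.public_disclosure_authority:
        problems.append("field 8: public disclosure recorded without an authority")
    # Fields 9 and 10 are marked "if applicable" together: set both or neither.
    if (m.withheld_date is None) != (m.reasons_for_withholding is None):
        problems.append("fields 9/10: withheld date and reasons must be recorded together")
    # Assumed ordering: disclosure cannot precede eligibility or declassification.
    if m.public_disclosure_date:
        if m.eligible_disclosure_date and m.public_disclosure_date < m.eligible_disclosure_date:
            problems.append("field 7: disclosed before the eligible disclosure date")
        if m.reclassification_date and m.public_disclosure_date < m.reclassification_date:
            problems.append("field 7: disclosed before the declassification date")
    # Audit trail sanity: entries must be in chronological order.
    whens = [e.when for e in m.audit_trail]
    if whens != sorted(whens):
        problems.append("field 11: audit trail is not in chronological order")
    return problems


def example_valid() -> SCRMetadata:
    """Constructed sample: a record declassified and later released."""
    m = SCRMetadata("CONFIDENTIAL", "Head of Unit A",
                    eligible_downgrade_date=date(2020, 1, 1),
                    reclassification_date=date(2020, 3, 15),
                    reclassification_authority="Declassification Committee",
                    eligible_disclosure_date=date(2020, 3, 15),
                    public_disclosure_date=date(2021, 6, 1),
                    public_disclosure_authority="Archives Unit")
    m.record_access("a.nonym", date(2019, 5, 2), "view")
    m.record_access("b.nonym", date(2020, 3, 15), "print")
    m.version_history.append("v1 2019-04-30 created")
    return m


def example_invalid() -> SCRMetadata:
    """Constructed sample with two defects: withheld without reason, disclosed early."""
    return SCRMetadata("SECRET", "Head of Unit B",
                       reclassification_date=date(2022, 1, 1),
                       reclassification_authority="Declassification Committee",
                       public_disclosure_date=date(2021, 12, 1),
                       public_disclosure_authority="Archives Unit",
                       withheld_date=date(2021, 1, 1))


if __name__ == "__main__":
    for rec in (example_valid(), example_invalid()):
        print(validate(rec) or "OK")
```

Running the module prints `OK` for the first sample and the two problems for the second. The audit trail deliberately exposes only an append operation; if the underlying store allows entries to be edited or deleted, field 11 no longer serves its purpose as evidence of who accessed the record.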

Appendix 8.3 Categories of roles and responsibilities for managing security classified records

Each of the roles outlined below is a general descriptive designation (e.g., information security coordinator) based on its function, not necessarily a real position title; titles will vary across organizations. Within an organization, more than one person may fulfil a role, or fulfil specific aspects of a role.

Senior management

  • Is responsible for the protection of SCRs within the organization, including SCRs gathered or generated by the organization and, in the case of international organizations, those received from member parties;
  • Appoints the organization's information security coordinator(s) (ISCs);
  • Approves the organization's procedures and information security classification levels;
  • Acts as the final authority on the application of information security classification levels within its area of functional responsibility, in consultation with the ISC(s), in cases of disagreement or uncertainty among staff;
  • Coordinates regulatory compliance in the management of SCRs;
  • Approves, on a case-by-case basis, any exceptions to this procedure.

Information security coordinator(s) (ISCs)

ISCs are responsible for all institution-wide information security issues and provide guidance regarding information asset classification and protection. Specific duties of ISCs include, but are not limited to:

  • Ensure that effective controls for the protection of classified information assets are implemented, both technically and administratively;
  • Support qualified staff and originators (where possible) in determining the classification level of an information asset;
  • Maintain the organization's information security policy;
  • Provide assistance for the protection of classified information assets.

Information asset originators

  • Classification decisions should be made by staff with knowledge of both the contents of the information asset and the classification criteria. In most cases this will be the originator of the information asset.
  • The originator is the staff member who creates an information asset (such as a document). This staff member is thus the first person within the institution to encounter the information asset and to determine its proper classification. For example, a staff member drafting a document should determine its classification level based on its content and the classification criteria.
  • In case of uncertainty about the classification level, the responsible supervisor in the hierarchy should be consulted.

Initial classifiers

  • Most of the time the initial classifier is the information asset originator. However, where the organization receives the information asset and is therefore not the originator, the receiver within the institution is the initial classifier and must make the classification determination based on the institution's classification definitions.
  • The initial classifier could be a staff member receiving information directly from a member party, or could be the archives and records management unit as the initial recipient of official information received.

Information asset stewards

  • The institution is the owner of all information assets created by its staff. The organization is responsible for ensuring an asset's confidentiality, authenticity, reliability, integrity, and availability.
  • The information asset steward (hereinafter referred to as the steward) is responsible for the classification and proper handling of the information assets.
  • The originator of the SCR may in some cases also be the designated steward. However, in most cases, stewardship is vested in the supervisor of the administrative unit in which the information asset originates.

Authorized derivative classifiers

  • In the case of a question or difference of opinion regarding the security classification of an information asset, the authorized derivative classifier is a staff member who is authorized and certified to determine the security classification of the asset, over and above the decisions of the initial classifier and the information asset steward.
  • The authorized derivative classifier bases their information security classification assessments on defined organizational guidance and policies.

Declassification and reclassification authorities

  • Declassification and reclassification authorities issue authorized declassification and/or reclassification decisions resulting from the proper enactment of the organization's declassification/reclassification policies and procedures.
  • In many cases several parties will be involved in declassification/reclassification decisions and procedures, such as designated staff members, committee members, and/or member state parties.
  • Declassification and reclassification authorities are distinct from these other parties in that they are authorized to issue the final declassification decision on behalf of the organization. In some cases they may be a committee of representatives rather than a single person or staff member, or a combination of a committee and one or several designated staff members.
  • In many organizations, the original classifier may also act as a declassification and reclassification authority.

Users of information assets

  • Users of information assets must protect the information asset in accordance with the requirements set out in organizational policies governing SCRs. This includes the security requirements for handling, storing, and marking, for protection from unauthorized or incidental viewing, and for reporting security incidents to the ISC.
  • Before sharing SCRs with another staff member, the user is responsible for ensuring that the recipient is authorized to receive such information and is aware of the protection requirements.
  • It is also the responsibility of users of SCRs to bring to the attention of their supervisors, and the ISC, situations where information is not being adequately protected or where the current procedures do not provide sufficient or consistent guidance.
  • Each user is encouraged to raise concerns about the appropriateness of a classification if he or she believes the SCR is not correctly classified.

Records custodians

  • The records custodian is a staff member or an organizational unit that has been assigned responsibility for the safekeeping of records, such as recordkeeping and information management staff/units, and information technology staff who have technical responsibility for supporting the systems in which SCRs are managed. All records custodians are responsible for complying with the relevant records policies.
  • Custody may be assigned on a temporary or permanent basis. The custodian must ensure that the record is protected in accordance with the requirements set in the relevant policies governing the management of SCRs.