sos template - policy · web view4.2. data processing facilities must be protected by appropriate...

Government of Alberta Statement of Sensitivity (SoS) < Title of assessment/target assessed> < Date> < Branch> < Division>

Post on 12-Jul-2020



Government of Alberta

Statement of Sensitivity (SoS)

<Title of assessment/target assessed>

<Date>

<Branch> <Division> <Ministry>

<Sector>


Statement of Sensitivity: Self-Assessment - <Title of assessment / target assessed>

Statement of Sensitivity (SoS)
Template developed by the CISO
Version 3.5
June 12, 2018


Table of Contents

1. Introduction
2. Policy Requirements
3. Purpose
4. System Information
5. Business Purpose
6. Concept of Operation
7. System Technology
8. Value
9. Information Sensitivity
9.1 Confidentiality
9.2 Integrity
9.3 Availability
10. Interdependency and Information Sharing
11. STRA Required?
12. Other Comments
13. Endorsement
14. Appendix
14.1 Table 1: Sample Handling Procedures
14.2 Table 2: Sample Appropriate Access and Disclosure
14.3 Table 3: Magnitude of Impact
14.4 Table 4: Sample Consequences
14.5 Table 5: Comparison of Classification Schemes

Version History

Date | Author | Version | Description of Change


1. Introduction

As the Government of Alberta (GoA) seeks to maintain and improve service delivery to Albertans, it is important to ensure that GoA information and communications technology (ICT) solutions protect the integrity, accessibility and, when necessary, the privacy and confidentiality of information held or controlled by the GoA. The GoA must meet its fiduciary obligations as the custodian of information for and about Albertans.

2. Policy Requirements

The GoA Corporate Information Security Office (CISO) has developed a set of ten Information Security Management Directives (ISMDs) [1]. The ISMDs have stated that:

2.2. All Ministries must document, classify and maintain an inventory of their information assets and IT systems.

2.5. Information must be classified and managed in accordance with GoA Information Management standards.

4.2. Data Processing Facilities must be protected by appropriate access controls based on the security classification of the data stored within the facilities to ensure that only authorized personnel are allowed access.

6.1. Access to IT systems and services must be consistent with business needs and based on security requirements. Additional security requirements are determined by Security Threats and Risks Assessments and by the asset’s information security classification.

7.9. The use of cryptographic controls must be based on the risk of unauthorized access and the security classification of the information or system that is to be protected, and must follow approved GoA encryption standards.

1 GoA Directives - http://www.servicelink.gov.ab.ca/security/ISMDirectives.cfm


3. Purpose

The purpose of this document is to support the classification of GoA’s data, including Public and Protected data. During this initiative, stakeholders will be able to capture the Confidentiality, Integrity, Availability (CIA) and value properties of the information assets for a system [2]. This provides a vetting process for system deployment into a variety of environments as part of a Certification and Accreditation (C&A) process, and as a precursor to a system Security Threat and Risk Assessment (STRA).

The Statement of Sensitivity (SoS) also supports the following business linkages:

Acts as a Memorandum of Understanding (MOU) between the Ministry Information Security Office and the Business Unit/Service Owner;

Business Units must take ownership of their information assets and classification of those assets;

Advises and informs Business Units of their responsibilities in understanding their information asset values, and appropriately classifying them prior to conducting security risk assessments;

Initiates a common language and perspective within the Business Units of the security risks, and potential liability if the CIA of their information asset was compromised;

Can help to spot any over-classification as it is costly and it minimizes the potential uses of the information assets;

Can be used as an indication to proceed with other GoA risk-based processes and practices, such as a Security Threat & Risk Assessment (STRA) and/or Privacy Impact Assessment (PIA);

Can help with the identification of the existing and required safeguards to meet CIA requirements;

Can help establish the investigation of options, and priorities for the recovery of information assets. Recovery is essential for sensitive information, services and business functions.

The SoS is not intended to replace your Ministry's Business Impact Assessment (BIA).

The SoS is a living document and must be completed or updated: during the initiation phase of IT projects, and whenever it is needed.

When the information asset has not been assigned a classification rating;

When there is a change in the information being collected for a system;

When there is a change in the handling, use, and/or delivery of an information asset with an existing SoS; this includes revisiting the SoS between project phases.

2 A system can also mean: application, business solution, service, initiative, business case title, project


4. System Information

System Name:
Business Unit:
Business Unit Representative:
Project Lead:
Ministry Info Security Officer [3]:
Information Custodian [3]:
Information Controller [3]:
Days/Hours of Operation:

Project’s Phase:

Initiation / Planning / Executing / Controlling / Closing

Has a Business Case been approved?

Yes / No

Has a previous Privacy Impact Analysis (PIA) been performed on the system?

Yes / No
If “Yes”, please provide a link to previous PIA document.

Has a previous Statement of Sensitivity (SoS) been performed on the system?

Yes / No
If “Yes”, then when and by whom?

3 Refer to Directive 1 for definitions on Information Controllers & Information Custodians - http://www.servicelink.gov.ab.ca/security/docs/1-_Organization_of_Information_Security_Directive_20131021.pdf


Please provide a link to the previous SoS document.

5. Business Purpose

Please provide a description of the business purpose of the system:


6. Concept of Operation

A conceptual model can serve as a representation of the proposed system. Insert a diagram, model or a description here of how the system will function. Please include all interdependencies with other systems.


7. System Technology

What is the type of system? (check all that apply)

Commercial-Off-The-Shelf (COTS) [4]
COTS Modified
SaaS (Software as a Service)
Custom
Other

What is your technology platform? (check all that apply)

Windows
Web Application
Mobile
Cloud
Other:

What is the target audience or user community? (check all that apply)

Intranet: Inter-connected network within one organization for the sharing of information internally. Example: A system that only ministry users can access or within GoA.

Extranet: A network to access information that allows controlled access to an authorized set of customers. Example: a site to site VPN between the ministry and agency.

Internet/External: A global network; an interconnection of large and small networks around the world. Example: a system accessible to anyone on the internet.

Other:

Number of End-Users:
Identify an estimated total for users of the system. Please include both network connected and remote users.

<25
25 – 100
100 – 500
500 – 1000
> 1000

4 COTS products include software and hardware products that are ready-made and available for sale to the general public. COTS products are typically installed in existing systems and do not require customization.


8. Value

For each type of information asset associated with the system, please indicate the estimated value of each type of information asset using the following four-point scale: [5]

Low ($1 – $10,000)
Medium ($10,001 – $100,000)
High ($100,001 – $1,000,000)
Very High (Greater than $1,000,000)

Please consider the following when determining where each type of information asset falls on the scale:

Importance of the information to the GoA or the Ministry in meeting its objectives;

Cost of recreating the data should it be corrupted or destroyed;

Potential legal costs that could be incurred by the GoA or the Ministry should the data be compromised or disclosed;

Monetary value of the data to partners or clients;

Monetary or strategic value of the data to other parties, e.g. industrial spies, criminals, terrorists, etc.

Description of Information Asset | Value (Low to Very High)

Choose an item.

Choose an item.

Choose an item.

Total Estimated Value of Information Asset(s): Choose an item.

Note: Add or delete lines to the above table, as required

Additional Comments (if any):

5 An alternative is the RCMP’s Harmonized TRA Methodology: Asset Valuation Table: https://www.cse-cst.gc.ca/en/publication/tra-1


9. Information Sensitivity

The following section captures the Confidentiality, Integrity, Availability (CIA) properties of the information and associated information technology assets for a system. Each section includes the specific classification definitions. Apply each of these properties to all systems and data, and measure the impact and consequences. This analysis will assist in prioritizing risks and identifying areas for immediate improvement in addressing the vulnerabilities.

9.1 Confidentiality

Confidentiality:

System and data confidentiality refers to the protection of information from unauthorized, unanticipated, or unintentional disclosure. Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, legal action, or injury against the GoA or Albertans.

Please describe, as clearly as possible, the types of information that will be going into the system:

The GoA’s Data and Information Security Classification Standard [6] describes four levels or categories of security classifications that Ministries must apply to data and information. These categories, with descriptions and examples of the types of records that might be found in each category are outlined in the next table.

Please also check the items (Protected C/B/A or Public data) that apply to your information:

PROTECTED
Information or assets that are not related to the national interest, but if compromised, may cause injury to private or other non-national interests (individual, company, or province).

6 - Refer to Appendix: Table 5: Comparison of Classification Schemes; - Data and Information Security Classification Standard: https://imtdocs.internal.alberta.ca/standards/information-security-classification-.aspx


Protected “C”
Applies to information assets that, if compromised, could cause extremely grave injury to an individual, organization or government. Examples: police informant documents, criminal records, criminal investigations. Restricted information is available only to named individuals or specified positions. ‘Protected C’ information and data SHOULD NOT be stored in, or processed by Cloud services. See the GoA cloud standard, Data Security in the Cloud [7] for more information.

Sensitive Cabinet documents
Information that can cause loss of life
Information that can cause extremely significant financial losses
Information regarding undercover operatives/agents, covert law enforcement operations, surveillance reports, witness protection, or human sources
Criminal investigations
Trade secrets on which the survival of a corporation depends
Other:

Protected “B”
Applies to information assets that, if compromised, could cause serious injury to an individual, organization or government. Examples: personnel evaluations and investigations, provincial grade 12 exams, industrial trade secrets, financial records, solicitor-client confidence, 3rd party business information submitted in confidence. Protected “B” information is available only to a specific function, group or role.

7 Data Security in the Cloud: https://imtdocs.internal.alberta.ca/standards/data-security-in-the-cloud.aspx


Personal case files such as benefits, program files, or personnel files
Industrial trade secrets
Registration information
Medical, psychiatric, or psychological descriptions
Complaints against government employees or policing agency members
A large quantity of personal information
Code of conduct investigations
Criminal records check and fingerprints
Contingency planning involving corrections, emergency response teams, and tactical operations
Grade 12 Provincial Examinations
Policy advice
3rd party business information submitted in confidence
Personal recommendations or evaluations, character references, performance evaluations, etc.
An individual’s finances, such as income, assets, liabilities, net worth, bank balances, financial history or activities, bankruptcies, creditworthiness, etc.
Results of blood or DNA samples
Crime stoppers tips provided to policing agencies
Information pertaining to the protection or threats against VIPs
Other:

Protected “A”
Applies to information assets that, if compromised, could cause injury to an individual, organization or government. Examples: home addresses, dates of birth, SIN numbers, other personal information (low-sensitivity, could cause injury). Protected “A” information is available to employees and authorized non-employees (contractors, sub-contractors and agents) possessing a need to know for business-related purposes.

Policy interpretation
Draft request for proposals
Business information
Applications
Planning documents
Information/content posted on the intranet
General e-mail inquiries
Personal information such as name, home address, home telephone, date of birth, gender, fingerprint, linguistic profile, criminal record, SIN, etc.
General investigation information such as break and enter, possession of drugs, general complaints, etc.
General Human Resources (HR) information
Other:


PUBLIC
Applies to information assets that will not result in injury to individuals, governments or to private sector institutions; and financial loss will be insignificant.

Communications to claims clerks
Ordinary staff meeting agendas and minutes
Business contact information
Public survey results
Information readily available to the public such as public health information, information for public awareness, job postings, media communications, etc…
Research and background papers (with no copyright restrictions)
Other:

Note: Information that has been received from another jurisdiction MUST:
a) maintain the classification level assigned by the originating jurisdiction; and
b) be handled according to the rules and procedures established by that jurisdiction.

Final Classification Level: (Check 1 only)
Public / Protected A / Protected B / Protected C

Impact:
Please describe the consequence [8], including the magnitude of impact [8], if the information in the system were compromised. Examples: financial, contractual, regulatory, or embarrassment to GoA Ministries.

8 Please refer to Appendix: Table 3 and Table 4.


Privacy:
If the information in the system falls under the Health Information Act (HIA), it is a legal requirement to complete a Privacy Impact Assessment (PIA) [9]. If a PIA has been completed for the system, please identify the OIPC [10] file number.

Furthermore, if the initiative collects, uses, or discloses personal information as defined in section 1(n) of the FOIP Act, a PIA is required. In addition, a Personal Information Bank (PIB) may need to be identified for “any collection of personal information that is organized or retrievable by the name of an individual or by an identifying number, symbol or other particular assigned to an individual.” (Section 87.1(5))

Please contact your Ministry FOIP department for assistance. Visit the following links for more information:
PIA Questionnaire: http://www.servicealberta.gov.ab.ca/foip/documents/2016_PIA-AB_Provincial.doc
Guide to Identify PIB: http://www.servicealberta.gov.ab.ca/foip/documents/pibguide.pdf
PIB Directories: https://www.alberta.ca/personal-information-banks.aspx

If a PIA is required, then an STRA should be created as well. Please provide comments below:

9 Privacy Impact Assessment (PIA): https://www.oipc.ab.ca/action-items/privacy-impact-assessments.aspx

10 Office of the Information and Privacy Commissioner (OIPC): https://www.oipc.ab.ca


9.2 Integrity

Integrity:

System and data integrity refers to the requirement that information be protected from improper modification. Integrity is lost if unauthorized changes are made to the data or IT system by either intentional or accidental acts. If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions.

Please describe the magnitude of impact to the user if there is unauthorized input, falsification, concealment, alteration, or destruction of information:

Low - Integrity is of minor importance to the user.
Medium - Integrity is of concern to the user and will result in a reduction in capability and/or credibility.
High - Integrity is of very serious concern to the user and will result in a serious reduction of capability and/or credibility.
Very High - Integrity is of critical concern to the user and will result in a critical reduction of capability and/or credibility.

Impact:
Please describe the consequence [8], including the magnitude of impact [8], if there were unauthorized input, alteration or destruction of the information in the system. Examples: financial, contractual, regulatory, or embarrassment to GoA Ministries.


9.3 Availability

Availability:

If a key IT system is unavailable to its end users, the organization’s mission may be affected. Loss of system functionality and operational effectiveness, for example, may result in loss of productive time or reputation; thus impeding the end users’ performance of their functions in supporting the organization’s mission.

To avoid duplication of effort and to ensure application information remains consistent, please obtain the data for this section from the GoA Application Catalogue. Your Application Catalogue representative can be found here: http://www.servicelink.gov.ab.ca/688.html#Subgroup If this information is missing or is not what you expected, please contact your Ministry IT Disaster Recovery Coordinator or Business Continuity Officer for assistance.

Please choose one of the following restoration timelines that best relates to the system. This numeric-based rating system will help prioritize recovery of multiple critical systems in a mass outage scenario [11].

Recovery Time Objective (RTO) - The allowable duration of time within which the application must be restored after a disaster.

No Downtime - Example of what may be required – Hot/Hot; mirrored site in 2nd location; highly available.

0 to 24 hours - Example of what may be required – Hot/Warm; duplicate production is setup and pre-configured.

24 to 72 hours - Example of what may be required – Hot/Cold; a recovery site allocated; hardware not configured.

72 hours to 2 weeks - Example of what may be required – Hot/Cold; a recovery site allocated; hardware not allocated.

More than 2 weeks - Example of what may be required – Hot/Cold; a recovery site allocated; hardware not allocated; significant downtime; lowest priority.

Recovery Point Objective (RPO) - The allowable period of time for which the application's data can be lost.

No Data Loss - Little to no interruption or data loss

11 Impact Assessment Tool: http://www.servicelink.gov.ab.ca/security/IT_DR_Documents_and_Tools.cfm


Up to 1 hour - Minimal data loss

1 to 4 hours - Some data loss

4 to 24 hours - Moderate data loss

More than 24 hours - Significant data loss

Note: In instances where specific information technology pieces support more than one classification of essential services they should be restored using the priority of the highest classification level.

For a more detailed impact assessment, refer to the Impact Assessment Tool [11] link below.

Impact:
Please describe the consequence [8], including the magnitude of impact [8], if the information in the system was unavailable for longer than the indicated acceptable limit, i.e. 72 hrs.

Does this system support Critical Service(s) [12]? Yes / No
If “Yes”, identify the Critical Service(s) that the system supports:

If “Yes”, identify the alternate means of delivering the Critical Service(s):

12 Refer to BCI Glossary: http://www.servicelink.gov.ab.ca/security/IT_DR_Documents_and_Tools.cfm


10. Interdependency and Information Sharing

Due to interdependencies, the loss or degradation of one service and its associated assets may affect other services or assets. In the space below, please describe any interdependencies between this system and any other services or assets. Use a diagram if necessary:

From a privacy perspective, it is important to identify if the system involves other party stakeholders such as companies in the private sector, non-governmental organizations, other ministries, or governments.

Is there information sharing with the following? (Check all that apply)

Other ministry business areas
Other ministries
Private sector companies
Non-governmental organizations
Government of Canada
Other governments

Other:

Please describe the information sharing arrangement [13], if any exist, or legislation that applies to any sharing arrangement. This includes identifying the information classification used to originally classify the information as well as handling procedures for that information. Use a diagram if necessary.

13 Guide for Developing Personal Information Sharing Agreements: http://www.servicealberta.ca/foip/documents/PerInfoSharingAgreements.pdf


11. STRA Required?

Please answer the following questions to help determine whether a Security Threats and Risks Assessment (STRA) is required. If ANY of the questions are answered “YES”, then an STRA is required.

YES / NO

Assets estimated total value is rated Very High? (see pg.8)
Data classified as Protected A, B, or C is identified? (see pg.9-11)
A Privacy Impact Assessment is required? (see pg.12)
Data Integrity is rated Very High? (see pg.13)
The system is classified as a Critical Service? (see pg.14-15)

Please Note: The above is a general guideline. As a general rule of thumb, information technology systems are subjected to a Security Threat and Risk Assessment when new services are introduced, or existing services are significantly changed. Some projects may have special circumstances or requirements that may deviate from the above; always contact your MISO to determine whether or not an STRA is required if in doubt.

12. Other Comments

Please use this space to provide any final comments on the sensitivity of the information or IT assets associated with the system.


13. Endorsement Information Controller SignatureThe Information Controller or delegate (Service/Risk Owner) has reviewed the assessment and validated the accuracy of the information in terms of the correct confidentiality, integrity, and availability sensitivity for the system and information assets.I have reviewed this SoS and concluded that:

1. If the system processes information covered under the Health Information Act and/or has personal information as defined in section 1(n) of the FOIP Act, a Privacy Impact Assessment (PIA) needs to be created before production implementation.

2. If the system processes PROTECTED information or requires a PIA, an STRA will need to be conducted before the system goes live.

3. The system processes PROTECTED data and will need safeguards appropriate for the level of information classification.

4. The system has identified integrity requirements.

5. The system has identified RTO and RPO availability requirements.

Digital Signature [14] _________________________________

MISO Signature

The MISO has reviewed the risks and recommendations, and confirms that due diligence was used in the completion of this assessment. If required, the MISO will consult with the Information Management department. Please note, the MISO does not sign off risks or accuracy of this assessment.

Digital Signature [14] _________________________________

Once this SoS is signed, the Ministry Information Security Officer (MISO) will perform the following:

Store this signed SoS in the SoS repository within the risk management system (aka IT STARR [15] SharePoint site);

Follow up with a PIA and/or STRA if required.

[14] How to Add Digital Signature Boxes: http://www.servicelink.gov.ab.ca/security/docs/Add_Digital_Signatures_Boxes.pdf

14. Appendix

14.1 Table 1: Sample Handling Procedures

Classification: Public
  Storage Procedures: No special storage requirements; regular back-ups to ensure availability and integrity
  Transmission Procedures: No special procedures

Classification: Protected “A”
  Storage Procedures: All media under physical and/or logical access control of protected zone (e.g. group authorized access)
  Transmission Procedures: If electronic message contains personal information, it must be transmitted in such a way to prevent interception, modification, or unauthorized receipt en route or at the destination (e.g., password protected file; encryption; personal information sent in separate e-mail)

Classification: Protected “B”
  Storage Procedures: All media under physical and/or logical access control of confidential zone (e.g., authorized access and authenticated access)
  Transmission Procedures: Message sent in such a way to prevent interception, modification, or unauthorized receipt en route or at destination; recipient confirmation required; audit of access points (suggested)

Classification: Protected “C”
  Storage Procedures: All media under physical and/or logical access control of restricted zone (e.g., single or double authentication, encrypted data, audit and monitoring)
  Transmission Procedures: Message sent in such a way to prevent interception, modification or unauthorized receipt en route or at destination (e.g., encryption used to send/authenticate message); complete audit trail of each access point

14.2 Table 2: Sample Appropriate Access and Disclosure

Classification: Public
  Access Restrictions: Open to the public and all employees, contractors, sub-contractors and agents
  Audit/Activity Files: None

Classification: Protected “A”
  Access Restrictions: Authorized access (employees, contractors, sub-contractors and agents) on a “need-to-know” basis for business related purposes
  Audit/Activity Files: Periodic audits to show protection is, in fact, occurring

Classification: Protected “B”
  Access Restrictions: Limited to individuals in a specific function, group or role; pre-clearance based on position or contractor, sub-contractor or agent relationship
  Audit/Activity Files: Log of access/actions; periodic audits of adequate protection

Classification: Protected “C”
  Access Restrictions: Limited to named individuals (positions)
  Audit/Activity Files: All access or actions will be logged and subject to non-repudiation processes as appropriate

[15] Risk Management System (aka IT STARR): https://sharedservices.gov.ab.ca/CISO/SRR/


14.3 Table 3: Magnitude of Impact

Impact: Very Low
  May Result In: Insignificant: The event will have almost no impact if realized.

Impact: Low
  May Result In: Minor: An event that can be absorbed.
  Negligible to minor disruption: short periodic delays to services. E.g.: The loss of some tangible assets or resources or may affect mission, reputation, or interest.
  Will generally result in such things as limited loss of public confidence, limited financial loss, limited damage to partnerships and relationships and limited disruption of internal government operations, leading to delays and loss of information.

Impact: Medium
  May Result In: Moderate: Significant event that can be managed under normal circumstances.
  Moderate disruption: loss of service for several days. E.g.: Costly loss of tangible assets or resources, may violate, harm or impede mission, reputation, or interest, or may result in human injury.
  Will result in such things as injury or illness to individuals, inability to conduct criminal investigations or other impediments to effective law enforcement, serious loss of public confidence, compromise of particularly sensitive personal information, significant financial loss or disruption to the economy, serious harm to relations.

Impact: High
  May Result In: Major: Major event that with proper management can be endured.
  Major disruption: isolation from key inputs or outputs for days or weeks. E.g.: Costly loss of major tangible assets or resources, may significantly violate, harm or impede a mission, reputation or interest, or may result in human death or serious injury.

Impact: Critical
  May Result In: Catastrophic: A disaster with the potential to lead to long term damage or permanent outage.
  Will result in such things as loss of life, breakdown of civil order, loss of territorial sovereignty, irreparable loss of public confidence in the government, extremely large financial losses or severe disruption to the economy, disclosure of intelligence sources or methods of gathering intelligence, serious long term damage to relations and loss of the capability of the government to achieve its core services.


14.4 Table 4: Sample Consequences

Classification: Public
  Sample Consequences:
  Little or no impact
  Minimal inconvenience if not available
  If lost, changed or denied would not result in injury to an individual or government (that is, no legal effect)

Classification: Protected “A”
  Sample Consequences:
  Unfair competitive advantage
  Disruption to business if not available
  Low degree of risk if corrupted or modified

Classification: Protected “B”
  Sample Consequences:
  Loss of reputation or competitive advantage
  Loss of confidence in the government program
  Loss of personal or individual privacy
  Loss of trade secrets or intellectual property
  Loss of opportunity (e.g., insurance, health coverage)
  Financial loss
  High degree of risk if corrupted or modified

Classification: Protected “C”
  Sample Consequences:
  Loss of life
  Extreme or serious injury
  Loss of public safety
  Significant financial loss
  Compromise of the legal system
  Compromise of Cabinet deliberations
  Destruction of partnerships and relationships
  Significant damage
  Sabotage/terrorism
  Extreme risk if corrupted

14.5 Table 5: Comparison of Classification Schemes

Old Classification System | New Classification System
Unrestricted | Unclassified / Public
Protected | Protected “A”
Confidential | Protected “B”
Restricted | Protected “C”

For more information on GoA’s Data and Information Security Classification Standard: https://imtdocs.internal.alberta.ca/standards/information-security-classification-.aspx

For more information on GoA’s Data Security in the Cloud: https://imtdocs.internal.alberta.ca/standards/data-security-in-the-cloud.aspx
