Frequently Asked Questions (FAQ)
The Chief Data Office has developed an FAQ section to help agencies, boards and commissions better understand how to comply with the
Information Asset Classification Policy.
The Chief Data Office does not assign classification levels to specific items; our guidance is only a preliminary estimate. For accurate classification, if your agency holds custody of the data, it must assess and determine the classification level. If not, confirmation should be sought from the custodial entity regarding the appropriate classification of any assets.
Data Governance
Please reference the Secretary of State (SOS) Retention Policy for more information. While retention does not fall directly under this policy, sensitivity labeling can assist with developing retention schedules for inventoried information assets (https://sos.oregon.gov/archives/Pages/records_retention_schedule.aspx).
Please reference the Secretary of State (SOS) Administrative Rules for disposing of electronic records (https://oregon.public.law/rules/oar_166-017-0090). If you have additional questions, please consult with SOS or CSS.
For questions related to ORMS, please contact the ORMS team (https://sos.oregon.gov/Pages/contactus.aspx#archivesCU). The use and standards surrounding ORMS are handled at the agency level, and your agency will likely have resources related to the use of ORMS already in place.
Security & Protection
The new Statewide IT Control Standards (replaces 2019 the Cyber Security Standards) can be found on the CSS page (https://security.oregon.gov) within our Guidance for State Agencies page, and addresses some of the focus areas for information protection at level 3 or above. Level-3 data maps to the State’s Moderate Controls. Additionally, many of the data areas within level 3 and level 4 may include Protected Critical Infrastructure Information (PCII), Personally Identifiable Information (PII), Federal Tax Information (FTI), and Health Insurance Portability and Accountability Act (HIPAA) data, to name a few. These areas contain data handling requirements that have already been established, and if conflict is discovered between Oregon policy and federal requirements, the more restrictive of the two shall be followed.
The current policy outlines the requirement, stating that Level-4 data is “intended for use by named individual(s) only” and is “exempt from public disclosure”. This implies an extra level of scrutiny with granting access, and public release is not an option. General access to these data assets by staff should be prohibited, and only be granted to those who have a specific need in order to perform a specific job function. Comparable frameworks involve the Statewide Standards “Moderate +” controls, as well as NIST SP800-53 High controls.
Information Classification is foundational so that the appropriate controls in handling labeled data are implemented, and mesh with technology and architecture security by protecting the underlying systems of the data being classified. While sensitivity labeling expands beyond technology to also include safety of Oregonians, information including Critical Infrastructure, network and system configurations and designs, internal audit reports, and vulnerability data in the hands of nation-state or malicious actors could cause grave damage to vital systems and services throughout the state.
Training & Resources
That information is contained within this statute (https://oregon.public.law/statutes/ors_192.355).
Yes, you can find more information on exemptions from the Department of Justice (https://justice.oregon.gov/PublicRecordsExemptions/).
Compliance & Legal
Per Policy #107-004-050 (https://www.oregon.gov/das/Policies/107-004-050.pdf), it is not acceptable to remove the “Level 3” or “Level 4” label. The footer can be manipulated but should not be removed. Please find information related to M365 Sensitivity Labels in the M365 Hub (https://stateoforegon.sharepoint.com/SitePages/Sensitivity-Label.aspx). For further information, please contact the M365 team at info.m365@oregon.gov.
This should be a decision made at the agency level, likely by legal counsel. While the information asset will have a sensitivity label (and thus a classification level) assigned to it, a discussion should be had with legal counsel prior to testifying to that effect.
Agencies are expected to resource and support their own internal efforts around data classification, ideally using the lead data steward and other resources required by the State Data Governance Policy. At this time there are no plans to develop tracking or reporting processes for training or compliance.
Technical
Ensure to label properly and have Level 4 data be auditable. If Level 4 data was shared in Teams Group chat, it would be stored in SharePoint. In addition, Level 4 data can be shared internally thus it could be possible there could be Level 4 data in SharePoint. Please find information related to M365 Sensitivity Labels in the M365 Hub (https://stateoforegon.sharepoint.com/SitePages/Sensitivity-Label.aspx). For further information, please contact the M365 team at info.m365@oregon.gov.
All future information assets that are created within the M365 environment will be required to have sensitivity labels applied. M365 will prompt this upon the creation of any new document, whether online or in network drives/ORMS. The policy does not require agencies to update older information assets (i.e. you do not need to go back through and label all existing documents from before the sensitivity labeling change). For further information, please contact the M365 team at info.m365@oregon.gov.
Yes this can be enabled manually via PowerShell. Please open an Ivanti Service Manager System (https://oregondcsesm-amc.ivanticloud.com/) ticket with M365 or reach out to the M365 team at info.m365@oregon.gov for guidance and consultation if this feature is desirable to your agency.
Please consult the M365 hub site for additional information (https://stateoforegon.sharepoint.com/SitePages/Sensitivity-Label.aspx).
*requires M365 account
Currently the M365 team is reviewing options for this level of functionality. For further information on the M365 Roadmap, please visit the M365 Hub (https://stateoforegon.sharepoint.com/SitePages/M365-Roadmap.aspx).
Classification Assessment
This is largely context-dependent, and will be determined by your agency using the best information available at the time. There is no hard-and-fast rule for 2 vs. 3 as it pertains to personal information, so please consult with your agency data governance structure if you have questions.
Not exactly- the Information Asset Classification Policy specifies that the classification of the system these information assets are stored in is the determining factor. If usernames and passwords are the only sensitive information within the system they are stored in, then the system would be considered level 2. This is in line with the CSS security standards, which are addressing the system rather than the individual data field classifications.
This will likely be level 2 while in draft format, and level 1 once published. Make sure to consult with your vendor to ensure they do not have additional sensitivity or privacy concerns, but barring that, any document planned for public distribution should be considered level 2 during draft and level 1 after publishing.
This will likely be level 2 while in draft format, and level 1 once published. Make sure to consult with your vendor to ensure they do not have additional sensitivity or privacy concerns, but barring that, any document planned for public distribution should be considered level 2 during draft and level 1 after publishing.
This would be considered a draft document (as it has not been approved until signed), so it would be level 2 until its publication. The presence of data should not have any bearing on the classification of the plan as an information asset.
So long as the contract has been executed, it will be available on OregonBuys, and thus be level 1 (publicly available without restriction). There may be rare cases where a vendor would request a redaction of proprietary information or trade secrets, but those would be an exception, and would be classified at level 2.
A contract still in the negotiation period would be privileged information, and would likely be a level 3 information asset. Typically this is due to risk present in an in-progress negotiation as well as the potential for privileged (read: confidential) comments from legal. There are cases where this could be level 2, but in most cases we would expect it to be level 3.
First, a point of clarification- the document format does not have an impact on the information asset classification level; the classification level is based on the information the document contains, regardless of format. The information itself would likely be level 2- not publicly available, but available to be requested and distributed at the agency's discretion. The key here is that personal information being published is not in and of itself a privacy issue, but when numerous pieces of information are able to be pieced together to learn specific information about (supposedly) de-identified individuals, it becomes an issue. This would ultimately be decided by a determination of risk made by the agency.
This information would likely be at least level 3, but could be level 4 depending on the individual or their circumstances. This is part of a broader conversation ongoing within DAS HR, as they are the custodians of this data. Please contact them with any additional questions.
This is ultimately a question for Oregon State Police, as they are the custodians of the data for their employees and officers. At a minimum this would be level 3, as this would certainly be protected information with limited distribution and higher standards of care.
This is ultimately up to the agency that is the custodian of this data, and does not have a consistent 'answer' within the policy. It would be a minimum of level 3, most likely, but all decisions related to this information would be at the agency level. Quote what level 4 is in the policy.
The data in business intelligence dashboards carry the same classification as the source datasets, unless the owner has aggregated, transformed or otherwise neutralized all sensitive data that might justify a higher classification. It is the responsibility of agencies to manage their own privacy and data classification so they would be responsible for governing their own dashboard and BI tool use.