Data Classification Policy

Overview:

The Data Classification Policy establishes a unified framework for classifying data into four levels based on the impact of unauthorized disclosure or unauthorized access to the data or its contents. This policy helps achieve a balance between the benefits and risks associated with data sharing among entities in both the public and private sectors. It also organizes the process of publishing open data, making public information accessible, and sharing protected data, including personal data. This contributes to increasing transparency, promoting integrity, and eliminating unnecessary confidentiality regarding university activities by regulating the practice of accessing or obtaining public information.

Objectives:

This policy aims to define and establish the requirements related to data classification at Majmaah University through the optimal implementation of legislative requirements outlined in the document titled “Data Management, Governance, and Personal Data Protection Controls – Version 1.5, January 2021”, and the document titled “National Data Governance Policies – Second Edition, 26/05/2021”, both issued by the National Data Management Office.

Purpose of Data Classification Policy:

  • To unify the controls and mechanisms for data classification.

  • To classify data in accordance with its nature and sensitivity.

  • To reduce the risks caused by misuse or unauthorized access to data.

  • To implement security controls to ensure the protection of confidential and restricted data.

Principles of Data Classification:

  • Principle 1: Data Should Be Presumed Accessible by Default

    By default, data should be made available (in the developmental domain) unless its nature or sensitivity requires elevating its current classification to a higher level.

  • Principle 2: Necessity and Proportionality

    Data is classified based on its level of confidentiality into four levels: Top Secret, Secret, Restricted, and Public. The appropriate level of confidentiality is determined according to the data’s value, sensitivity, and required level of secrecy.

Data Classification Levels:

Data is classified based on its nature, value, and sensitivity into four levels:

  • Top Secret

  • Secret

  • Restricted

  • Public

Data Classification Controls:

  • The necessary security controls must be identified and applied to protect data according to its classification to ensure its secure processing, storage, and sharing.

  • Any unclassified data must be assigned the classification "Restricted", and appropriate security controls must be applied accordingly.

  • All university departments must develop a plan to classify previously unclassified data, including data created prior to the adoption of this policy.

  • University departments are required to review classified data to ensure compliance with this policy, and the classification plan must be approved by the entity's primary responsible authority.

  • All classified data must be protected by applying the necessary security controls as issued by the National Cybersecurity Authority.