The Ministry of IT has classified cloud data into five types, namely Open, Public, Restricted, Sensitive, and Secret, linked to the nature of its usage, in the Cloud-First Policy. These five kinds are based on the data classification standards derived from appropriate data classification guidelines of the Government of Pakistan.
Under this policy, cost-efficient technology resources can be procured on a ‘pay as you use’ basis. The resources of a cloud data center are shared among many organizations, which is why fewer servers, storage, network equipment, and power & cooling equipment are utilized.
Cloud Service Providers will hold internationally recognized security certifications and will implement technical and administrative controls to protect data – both stored and in transit.
Explained below are the five different types of data under this policy.
Open Data
Open Data is publicly available data that is structured so that the data is fully discoverable and usable by end-users. The implementation of open data principles in the public sector makes the government open and accountable and increases citizen participation in government.
Public Service Entities classifying any data as Open Data must share the criteria with Cloud Office. This type of data needs baseline security and will be placed on the public cloud by registered cloud service providers.
Public Data
Public data is related to the public sector and is non-confidential and publicly available. It will also need baseline security arrangements and will be placed on a public cloud accredited by Cloud Service Provider.
Restricted Data
Data related to public sector businesses, operations, and services, which even if publicly available but when compromised, can undermine Pakistan’s reputation internationally. It will need intermediate security arrangements and will be placed on Government Cloud by an accredited Cloud Service Provider.
Sensitive/Confidential Data
- Information that is not intended to be published and will only be accessible by certain people with proper authorization, and which justifies moderate protective measures.
- Includes phone numbers, registration numbers (BVN, vehicle, etc.), passport numbers, etc.
- Information that contains at least one personally identifiable information (PII) like names (first and last), address, biometrics, etc.
- Data classified as ‘confidential’ and perhaps, certain categories of ‘secret data’ (such as obsolete or archived ‘secret’ information).
- Information that is only accessible through Intranet but available to broadly defined categories of authorized officials and public servants. Also, drafts of laws and regulations that are not yet in the public domain.
This data will need enhanced security arrangements and will also be placed on Government Cloud by an accredited Cloud Service Provider.
Secret Data
Secret information requires the highest level of protection from serious threats, which, if breached, can potentially threaten life or public security, and cause financial losses or serious damage to public interests. This may lead directly to:
- The widespread loss of life.
- A direct threat to the internal stability of Pakistan or its friendly nations.
- Raised international tension.
- Exceptionally grave damage to Pakistan’s relations with its friendly nations.
- Exceptionally grave damage to the continuing effectiveness of extremely valuable security or intelligence operations.
- Long-term damage to the economy.
- Major, long-term impairment to the ability to investigate or prosecute serious organized crime.
This type of data will need the highest security arrangements and will be placed on a private Cloud (in use by a single organization) or Government Cloud by an accredited Cloud Service Provider.
Cloud Office established in the Ministry of IT and Telecommunication will be responsible to set terms of reference (ToRs) of baseline, intermediate, enhanced, and highest security in line with domestic and international benchmarks.