Information Classification and. Handling Policy



Similar documents
Message Classification user guide

How To Protect Decd Information From Harm

INFORMATION SECURITY POLICY

DATA PROTECTION CORPORATE POLICY

Records Management Policy & Guidance

Information Security Policy. Appendix B. Secure Transfer of Information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Somerset County Council - Data Protection Policy - Final

Data Protection Policy

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

How To Protect School Data From Harm

Information Security Incident Management Policy and Procedure

PS177 Remote Working Policy

Privacy and Electronic Communications Regulations

University of Aberdeen Information Security Policy

Information Security Incident Protocol

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Document and Record Control Procedures

Information Security Incident Management Policy

Information Security Incident Management Policy and Procedure. CONTROL SHEET FOR Information Security Incident Management Policy

INFORMATION SECURITY INCIDENT REPORTING POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Council Policy. Records & Information Management

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy

Security Incident Management Policy

So the security measures you put in place should seek to ensure that:

RECORDS MANAGEMENT POLICY

Records and Document Management

Corporate Information Security Policy

Legal and statutory obligations, in particular under the Data Protection Act, will be followed, whatever the protective marking used.

Information Security Management System (ISMS) Policy

Information Governance Framework. June 2015

Caedmon College Whitby

Scotland s Commissioner for Children and Young People Records Management Policy

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

Human Resources Policy documents. Data Protection Policy

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

Corporate Affairs Overview and Scrutiny Committee

Data Protection Policy

Human Resources and Data Protection

Virginia Commonwealth University School of Medicine Information Security Standard

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

INFORMATION SECURITY POLICY

RECORDS MANAGEMENT POLICY

WEST LOTHIAN COUNCIL RECORDS MANAGEMENT POLICY. Data Label: Public

INFORMATION SECURITY MANAGEMENT POLICY

OFFICIAL. NCC Records Management and Disposal Policy

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

Information Security Policy

Highland Council Information Security Policy

Merthyr Tydfil County Borough Council. Data Protection Policy

COUNCIL POLICY R180 RECORDS MANAGEMENT

Harper Adams University College. Information Security Policy

DATA PROTECTION AND DATA STORAGE POLICY

Data Protection in Ireland

Norwich University Information Assurance Security Policy. Final Version 10.0 for Implementation

Document Control. Version Control. Sunbeam House Services Policy Document. Data Breach Management Policy. Effective Date: 01 October 2014

Information Governance

Guidance on the Use of Portable Storage Devices 1

Privacy Policy. Federal Insurance Company, Singapore Branch Singapore Personal Data Protection Privacy Policy. 1. Introduction

EA-ISP-001 Information Security Policy

Clause 1. Definitions and Interpretation

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

Lord Chancellor s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 2.0.1

Data Protection Breach Management Policy

University of Liverpool

INFORMATION TECHNOLOGY SECURITY STANDARDS

Corporate Information Security Management Policy

Outsourcing and third party access

This procedure is associated with BCIT policy 6700, Freedom of Information and Protection of Privacy.

Dublin City University

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

IT ACCESS CONTROL POLICY

Policy Document. Communications and Operation Management Policy

Office 365 Data Processing Agreement with Model Clauses

The CPS incorporates RCPO. CPS Data Protection Policy

LORD CHANCELLOR S CODE OF PRACTICE ON THE MANAGEMENT OF RECORDS UNDER

Records Management. 1. Introduction. 2. Strategic Plan Desired Outcomes

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Personal Data Protection Policy

Acceptable Use Guidelines

SECURITY POLICY REMOTE WORKING

Information Security Policy for Associates and Contractors

LSE PCI-DSS Cardholder Data Environments Information Security Policy

DURHAM COUNTY COUNCIL CORPORATE RECORDS MANAGEMENT POLICY

Rotherham CCG Network Security Policy V2.0

Data Transfer Policy. Data Transfer Policy London Borough of Barnet

Information Security Policy. Chapter 10. Information Security Incident Management Policy

Coffey International Limited Privacy Policy. July 2014

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

Corporate Records Management Policy

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures

Derbyshire Constabulary GUIDANCE ON THE SAFE USE OF THE INTERNET AND SOCIAL MEDIA BY POLICE OFFICERS AND POLICE STAFF POLICY REFERENCE 09/268

Information Governance and Assurance Framework Version 1.0

BARNSLEY CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLICY

Council, 14 May Information Governance Report. Introduction

Transcription:

Information Security Document Information Classification and 1

Version History Version Date Detail Author 1.0 27/06/2013 Approved by Information Governance Jo White Group 2.0 31/07/2013 Approved by Information Governance Jo White Group 3.0 13/10/2014 Reviewed by Information Governance Jo White Group 4.0 11/05/2015 Reviewed by Information Governance Jo White Group. Classification for removable media added. 5.0 16/11/2015 Reviewed by Information Governance Group. Jo White This document has been prepared using the following ISO27001:2013 standard controls as reference: ISO Control Description A.8.2.1 Classification guidelines A.8.2.2 Information labelling and handling A.18.1.3 Protection of Organisational Records 2

1 Introduction Derbyshire County Council is committed to the secure management of its information and the identification of assets that require protection. For the purpose of this policy an asset is defined as functions, equipment and information that are deemed to have value to the organisation. 2 Purpose The purpose of this policy is to establish the key principles of appropriate information classification and handling which applies to information both in electronic and physical forms. 3 Scope The scope of this policy extends to all information and documents produced by the Council which have been deemed to have a security classification applied to them. Leaflets, information packs and blank application forms are excluded. The information covered in this policy includes, but is not limited to, information that is either stored or shared via any means. This includes electronic information, information on paper and information shared orally or visually (e.g. telephone conversations or video conferencing). 4 Policy Statement All council information has a value to the organisation, however not all of the information has an equal value or requires the same level of protection. Being able to identify the value of information assets is key to understanding the level of security that they require. Once the appropriate level of security is identified the appropriate control can be implemented to prevent loss, damage or compromise of the asset, disruption of business activities, and prevention of the compromise or theft of information and information processing facilities. Incorrect classification of assets may result in inadequate or incorrect controls being implemented to protect them. 4.1 Information Classification All information assets will be classified into one of three categories. The information asset must be appropriately labelled to ensure that its classification is readily identifiable. Classification Description Restrictions Examples Restricted Information whose unauthorised disclosure (even within the organisation) would cause serious damage in terms of financial loss, legal action or loss of reputation Access is restricted to personnel with specific roles and clearance or with statutory rights of access Adoption records. Child Protection records. Disciplinary records. Social Care files with local restrictions eg family members. Court Proceedings. Public Health 3

Controlled Public Information generally available to anyone within areas of DCC and which contains business value to the organisation or which requires protection due to personal data Information that can be made available in the public domain and which would not cause damage or harm if released Access is restricted to staff within the organisation in connection with their employment 4 data containing PCD. Audit Reports. Personal occupational health referrals and reports. Applications under RIPA and reports of the Commissioner. Certain Council exempt papers Business Continuity Plans. Social Care information not in Restricted. IT Procedures relating to the Data Centres, Network, Backups etc. Personnel files. My Plans Contracts. Council exempt papers unless with a restricted section. Commercially sensitive files. Draft service plans. Restructuring documentation. None Office opening times. Business numbers. Press releases. Policies & Procedures. Forms. Minutes other than exempt. Statistics & Performance Indicators. General recruitment

information and terms of conditions of employment. Trading Standards Judgements. Where information is grouped together, the highest classification shall be applied to all information in the group. All information must be categorised using either PUBLIC, CONTROLLED or RESTRICTED and must be appropriately labelled. Any information that is not specifically marked as being RESTRICTED or CONTROLLED will be deemed to be PUBLIC. Therefore, the officer responsible for processing or handling a document, particularly if consideration is being given as to whether a document should be disclosed, MUST consider the content of the document in determining how that document should be processed and not rely on its classification under this policy. The labelling of a document as controlled, restricted or public does not override the Council s duties under the Data Protection Act or the Freedom of Information Act 2000. Once a document ceases to be active and is transferred to the Derbyshire Record Office for permanent preservation its classification status will be reviewed by departmental staff prior to transfer. Where an individual document is being created that has not been tagged with classification metadata by EDRM or by having its classification pre-populated from a template, the document author must add the classification status to the document, preferably to the header of the document. The classification status of a document may change over time (i.e. a document may have a Restricted classification early in its lifecycle, but this may be downgraded to a Controlled classification as time progresses). Regular reviews of classifications are vital. 4.2 Information Handling The following table provides electronic information handling guidance for classifications described in section 4.1. All hardcopy information needs to be stored and handled as specified in the Information Classification and Handling Procedures. Removable media such as CDs or DVDs, USB data sticks etc. used to store Council information must always be classified as RESTRICTED and do not require individual labelling or marking. Action Public Controlled Restricted View/process on internal network within organisation s premises 5

View/process on internal network away from organisation s premises View/process away from internal network X X View/process across encrypted remote access View/process across unencrypted remote access X X 4.3 Information Transmission The following table provides guidelines on methods of information transmission for classifications as described in 4.1. Transmission Method Public Controlled Restricted By internal mail within the same building By internal mail between buildings By standard post to UK/EU Destinations* By recorded/special delivery to UK/EU destinations By courier to UK/EU destinations By facsimile to UK/EU destinations By encrypted email internal to the organisation** By unencrypted email external to Derbyshire County Council to UK/EU destinations By encrypted email external to Derbyshire County Council to UK/EU destinations X X 6

Across secure transmission link i.e. VPN By encrypted media (e.g. encrypted data sticks) Telephone & Video Conferences provided the caller has been identified and is entitled to receive the information and the call is not in a public area. provided the caller has been identified and is entitled to receive the information and the call is not in a public area. Text/Multimedia/Instant Messaging X X * consideration should be given to whether special or recorded delivery is required. ** Derbyshire County Council email is encrypted in transit only. Delegates to mailboxes must be deemed to have the same access rights to the information held in the email as the mailbox owner. The mailbox owner is responsible for reviewing who has delegate access to their mailbox. All Derbyshire County Council emails will be classed as CONTROLLED. The status may be changed to PUBLIC or RESTRICTED by the user. Whenever data classified higher than Public is to be transmitted to a destination outside of the European Union (EU), advice must be sought from the Transformation Service. 5 Breaches Of Policy Breaches of this policy and/or security incidents can be defined as events which may have/have resulted in, loss or damage to Council assets, or an event which is in breach of the Council s security procedures and policies. All Council employees, elected members, partner agencies, contractors and vendors have a responsibility to report security incidents and breaches of this policy as quickly as possible through the Council s Incident Reporting Procedure. This obligation also extends to any external organisation contracted to support or access the Information Systems of the Council. In the case of third party vendors, consultants or contractors non-compliance will result in the immediate removal of access to the system. If damage or compromise of the Council s ICT systems or network result from the non-compliance, the Council may consider legal action against the third party. The Council will take appropriate measures to remedy any breach of the policy through the relevant frameworks in place. In the case of an employee, the matter may be dealt with under the Council s disciplinary process. This document forms part of the Council's ISMS Policy and as such, must be fully complied with. 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information