The objective of this procedure is to identify the types of information at XXX and how they are classified and labeled, so that all personnel follow a common framework and share a common understanding of information security. The purpose of this procedure is to establish a framework for classifying data based on its level of sensitivity, value and criticality to XXX, as required by the information security policy. Classification of data will aid in determining the baseline security controls for the protection of that data.
2.0 Scope:
This procedure applies to all business processes, their information and their information systems.
- IT dept.
- Process Owners/HOD
4.0 Procedure:
The following procedures cover how to label, store, dispose of, communicate, physically transfer or copy different types of information, depending on its classification and media (e.g. paper, electronic transmission (email) or electronic
The distribution of data should be kept to a minimum. However, when data must be distributed, it must be validated and appropriately marked:
- To the authorized recipient (a formal record shall be maintained and reviewed at appropriate intervals by the authorized recipients of data); and
- Commensurate with its classification. The classification of data is split into three categories, as defined in the Information Classification and Handling Policy.
All information assets must be classified into one of three categories. The information asset must be appropriately labelled to ensure that its classification is readily identifiable.
Where information is grouped together, the highest classification shall be applied to all information in the group.
The agreed classification categories are:

| Level | Category | Description |
|---|---|---|
| 1 | Confidential | Information is restricted to management-approved internal access and protected from external access. Unauthorized access could affect XXX’s operational effectiveness, cause a significant financial loss, provide a significant gain to a competitor, cause a major drop in customer confidence, or breach a customer confidentiality clause. Information integrity is vital. |
| 2A | Controlled (Internal – Department) | Information collected and used by a department of XXX to conduct its processes and fulfil customer / client requirements. Access to this information is tightly restricted within the department. The highest possible levels of integrity, confidentiality and restricted availability are vital. |
| 2B | Controlled (Internal – XXX) | Information that can be shared with other departments within XXX without any implications for XXX. This information is not to be shared outside XXX without authorization. Integrity within XXX is important. |
| 3 | Public | Information that is not confidential and can be made public without any implications for XXX. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital. |
Document authors must ensure that classification markings are applied manually to all documents using the appropriate classification: ‘PUBLIC’, ‘INTERNAL’ or ‘CONFIDENTIAL’.
All data must be clearly marked with the appropriate classification, as a minimum in the document header, prior to printing. If the material is already printed or has not been word-processed, the marking ‘PUBLIC’, ‘INTERNAL’ or ‘CONFIDENTIAL’, as appropriate, must be written at the top of every page as a minimum. Multi-page documents must be stapled together.
Any information that is not specifically marked as ‘INTERNAL’ or ‘CONTROLLED’ will be deemed to be ‘PUBLIC’. Therefore, the person responsible for processing or handling a document, particularly when considering whether a document should be disclosed, MUST consider the content of the document in determining how it should be processed, and not rely solely on its classification under this policy. Labeling a document as Internal, Confidential or Public does not override XXX’s duties under the Data Protection Act or Information Act.
Removable media such as CDs, DVDs and USB data sticks used to store XXX information must always be classified as ‘CONFIDENTIAL’ and do not require individual labeling or marking.
Information should be stored in accordance with contractual or legislative requirements and in a manner commensurate with its classification, as follows:
- PUBLIC data: Does not require any access restrictions or specific safe storage.
- INTERNAL data: If information is removed from XXX premises for use by an employee at home, it must not be left unsecured in the employee’s vehicle or left in public places. Wherever possible, information and data at an employee’s home must be stored in a lockable area that cannot be accessed by any unauthorized person, including family members.
- CONFIDENTIAL data: This is sensitive information to which access must be restricted; it must be securely locked away at the end of each working day or when no longer needed. This applies regardless of the format in which the information is held, e.g. paper, disk, files, tapes, faxes or post.
When stored in an electronic format, data must be protected by the use of both technical and physical access controls.
The following controls must be in place:
CONFIDENTIAL Data stored on servers:
- Servers must be located within secure rooms at XXX premises and access must be restricted to authorized personnel only.
- Logical access controls must be used with authorized user ID and strong passwords.
- Data stored in defined areas of the network must only be available to authorized users with a need-to-know.
- Encryption must be employed wherever possible.
CONFIDENTIAL Data processed on laptops:
- Laptop hard drives must have full disk encryption applied.
- Only authorised users with XXX network domain credentials are authorised to use laptops.
- Authorised users viewing restricted data on a computer screen must observe the XXX guidance, paying particular attention to preventing ‘shoulder surfing’ or casual viewing by unauthorised people.
- Data must be moved from the laptop to a secure area on the XXX network as soon as possible.
CONFIDENTIAL Data held in hard copy:
- Within XXX buildings, it must be locked away in secure storage.
- Within employees’ homes, it must be stored, wherever possible, in a lockable area that cannot be accessed by any unauthorised person, including family members.
- At premises other than XXX locations, if used for reference by third parties, it must remain within the XXX employee’s line of sight/possession and be made available only to those with a need-to-know.
- In transit, it must not be left unsecured in employees’ vehicles or left in public places.
- Data held on portable (removable) media, such as (but not limited to) CD, DVD, USB and tape (including backup media), must have protection and encryption measures in place to guard against loss, theft, unauthorised access and unauthorised disclosure.
- When stored in any other form, it must be kept only in a locked drawer or room, or in an area where access control measures exist to provide adequate protection and prevent unauthorised access by members of the public, visitors, or other persons without a need-to-know.
- When discussing Confidential information verbally in public places or on public transport (including mobile phone conversations), care must be taken so that the conversation is not overheard. These rules also apply to verbal messages left on answering machines or voicemail, and to information sent or received by email, fax, text, multimedia messages sent by mobile phone, or other messaging services.
DISPOSAL OF INFORMATION
Information which is no longer required must be disposed of safely and securely, in accordance with its protective marking. Care must be taken when sensitive information is disposed of, for the following reasons:
- It may cause damage to the Council’s reputation if the information fell into the wrong hands;
- It would be a breach of the Data Protection Act.
- It could result in costly litigation and financial loss to XXX.
- It could cause irreparable damage to individuals and families.
The disposal methods that prevent the above scenarios from occurring include the following:
- All information other than PUBLIC must be securely shredded.
- Any media (tapes, USB memory sticks etc.) must be securely destroyed through XXX’s disposal procedure.
Records must be maintained of all media disposals and must be made readily available.
Employees should be aware that they must not copy, by any means, information marked ‘INTERNAL’ or ‘CONFIDENTIAL’ unless they are authorized to do so under the ‘need-to-know’ principle.
This procedure applies to all information and documents produced by XXX to which a security classification has been applied. The information covered by this procedure includes, but is not limited to, information that is stored or shared by any means. This includes electronic information, information on paper, and information shared orally or visually (e.g. telephone conversations or video conferencing).
All XXX information has value to the organisation; however, not all information has equal value or requires the same level of protection. Being able to identify the value of information assets is key to understanding the level of security they require. Once the appropriate level of security is identified, the appropriate controls can be implemented to prevent loss, damage or compromise of the asset, disruption of business activities, and the compromise or theft of information and information processing facilities. Incorrect classification of assets may result in inadequate or incorrect controls being implemented to protect them.
If you need assistance or have any doubts or questions, contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish your contributions. Your comments and suggestions are also welcome.