
Working With Information Classifications


Lancaster University

Information Classifications

Ordinary
• Information that has no constraints on its publication
• Available to all, including external parties

Confidential
• Information of internal interest or being prepared for publication
• Recipients may forward to others within the control of the University, e.g. confidentiality agreement

Restricted
• Information which is for circulation to named recipients only

Personal Data
• Contains personal data. Protected by law; access should be by relevant staff only
• The information can be circulated to named recipients only

Examples
• Published Prospectus
• Information on website
• Job Description
• Documents being prepared for publication
• Unpublished research data (non-human)
• Committee papers
• Documents marked For the Attention Of…
• Student Contact Details
• Completed PDR form
• Completed Job Application

Information Transfer

Electronic Information

Sending externally

Ordinary
• ZendTo
• Email
• LU Box

Confidential
• Encrypt and send using ZendTo
• Email (encryption recommended)
• LU Box

Restricted
• Encrypt and send using ZendTo
• Emailing not recommended; if no other alternative, must encrypt
• LU Box

Personal Data
• Are the recipients registered as Data Processors? Are they allowed to have this information? The Compliance team can advise.
• Is it possible to remove information (e.g. a name) and send non personally identifiable information (e.g. ID number)?
• Encrypt and send using ZendTo
• Emailing not recommended; if no other alternative, must encrypt personal information before emailing
• LU Box (encrypt sensitive personal data before upload)

Sending internally

• Shared folders or SharePoint site with appropriate access permissions
• ZendTo
• Jabber File Transfer
• Emailing acceptable
• LU Box

• Shared folders or SharePoint site with appropriate access permissions
• ZendTo
• Jabber File Transfer
• Emailing not recommended; if no other alternative, must encrypt
• LU Box

• Shared folders or SharePoint site with appropriate access permissions
• Is it possible to remove information (e.g. a name) and send non personally identifiable information (e.g. ID number)?
• ZendTo (encrypt sensitive personal data)
• Jabber File Transfer (encrypt sensitive personal data)
• Emailing not recommended; if no other alternative:
  o Encryption required if it contains personal information of more than one person*
  o Encryption recommended if it is about an individual and sent internally*
• LU Box (encrypt sensitive personal data before upload)

Paper Based Information
• Mail / Internal Mail
• Recorded / Special / Courier delivery*
• Sealed envelope in internal mail (ideally hand deliver)

* Depending on the content of the information you are transferring, you need to apply a sensible/realistic level of protection (be pragmatic).

Information Storage

Information Classification: Ordinary; Confidential
Paper Based Information: Unlocked storage; Locked storage recommended
Electronic Information stored on (popular options – see the ‘Electronic File Storage Matrix’ for further information): Mobile/External Device; Personal or Departmental Filestore; LU Box; Other Cloud Storage
Acceptable; Encryption recommended; Acceptable; Acceptable; Acceptable

Restricted: Encryption required; Locked storage required

Personal Data: Encryption required (FIPS 140-2 compliant); Acceptable, with restricted access; sensitive personal data must be encrypted before upload; Must not be processed on ad hoc Cloud Services (unless the University has an agreement with them, e.g. Office365)

Disposal of Information

Information should be disposed of once its useful life has ended. The University has a Records Retention Policy which states how long certain information should be kept. The Data Protection Act states that personal information should not be kept any longer than is necessary. Please remember, your department may have additional record retention information to follow.

Information Classification; Paper Based Information; Hardware
Ordinary: Ordinary waste bin (ideally recycle waste bin); Ordinary disposal
Confidential; Restricted: Ordinary disposal; Confidential waste or shredder
Personal Data: Use a University approved computer disposal company that offers secure media disposal. If machine/device – contact ISS for disposal.

Further Information

• LancasterAnswers (www.lancaster.ac.uk/answers) provides further information and how-to guidance.
• Information Security online training: http://www.lancaster.ac.uk/iss/security/training
• Your department may have additional Information Security guidance to follow.
• The information in this document is based on Lancaster University policy:
  o Information Security Policy and Processes: https://gap.lancs.ac.uk/policy-info-guide/5-policies-procedures/Documents/SEC-2016-4-0191-Information-Security-Policy-REVISED-FEB-2016.docx
  o Policy on Categorising and Protecting University Information Assets: http://www.lancs.ac.uk/depts/recman/docs/SEC-2011-4-0009-Policy-on-Categorising-andProtecting-University-Information-Assets.docx
  o Records Retention: https://gap.lancs.ac.uk/Records%20Management/Pages/default.aspx and https://gap.lancs.ac.uk/Records%20Management/Downloads/Pages/default.aspx

Version: 5.0 October 2016