Information Security Framework
Information Classification and Handling Procedure

1. Why is this important?

The University uses large volumes and a great diversity of information to support its activities and to achieve its strategic aims. Information that the University manages shall be appropriately secured to protect against the consequences of breaches of confidentiality, failures of integrity, interruption to availability and failure to comply with legal requirements.

In order to protect information consistently, it is necessary to define a University-wide scheme for classifying (describing) information and for how it should be handled according to its requirements for confidentiality, integrity and availability. We should classify information so that everyone with access to it knows how best to protect it. Everyone should use the University Information Classification and Handling Procedure.

2. What is the Information Classification and Handling Procedure?

The procedure describes how information and systems should be classified and marked according to their confidentiality, criticality or value. Decisions about the appropriate protection and use of the information in each classification are based on the consequences of the loss or disclosure of that information. The procedure relates to all types and formats of information; it applies in particular to staff but also covers students and third parties wherever appropriate.

The procedure is a mandatory part of the University Information Security Framework and is overseen by the Institutional Governance Team. The University recognises that there may be legitimate circumstances where it is not possible to adhere to this procedure. In these cases you must seek advice from the Institutional Governance Team (www.warwick.ac.uk/gov/informationsecurity).

3. What do I need to do?
You should assess the sensitivity of the information you create and receive using the table in Annex A, and take proportionate measures to ensure that information is used securely; the key controls for protecting information are set out in Annexes B and C.

Where information classified as Protected, Restricted or Reserved is shared with others for a valid University business reason, everyone should ensure that the recipient is aware of the information's classification and of their obligation to protect it. Access to information in these classifications by a third party requires a data sharing or confidentiality agreement to be in place, signed on behalf of the University and the other party. The Legal Services team can help you with this (www.warwick.ac.uk/legalservices).

Information Classification and Handling Procedure v1.2.1 Approved

4. What should I do if something goes wrong?

The University is expected to inform the Information Commissioner's Office of any significant information security breach relating to personal data, as per the Data Protection Act 1998, and has an obligation to report any significant breach pertaining to other types of 'sensitive' information to the data owner and other relevant parties. The University recognises that failure to adhere to its legislative, regulatory and contractual obligations may result in significant financial and legal penalties and reputational damage.¹

It is therefore vital that everyone reports any observed or suspected security incident where a breach of the University's security policies has occurred, and any security weaknesses in, or threats to, systems or services. You should immediately report any actual or suspected information security breach by emailing Informationsecurity@warwick.ac.uk and informing your line manager/Head of Department.

Document History

13 May 2013, J. Findlay: Created document with comments from Dr Duncan Hine (WMG, Cyber Security specialist), Verification Group members and Head of Service Development (ITS), Senior Assistant Registrar (Governance, Risk and Continuity) and Head of Institutional Governance Services (v1)
31 Jul 2013, J. Findlay: Revised classification labels and examples (v1.1)
2 Sep 2013, J. Findlay: Labels finalised as Public/Protected/Restricted/Reserved. Approved for release by Head of Institutional Governance Services (v1.2)
16 Apr 2014, J. Findlay: Minor - ID number reclassified as Protected from Restricted due to use of ID number as usercode from March 2014. Inclusion of One Drive for Business in Annex B. Approved for release by Head of Institutional Governance Services (v1.2.1)

The official version of this document will be maintained online. Before referring to any printed copies please ensure they are up to date.

Next Review: Summer 2014

¹ The Information Commissioner's Office can issue a monetary penalty of up to £500,000 if it were determined that the University did not take reasonable steps to secure personal information or acted in such a way as to knowingly put information security at risk.
Annex A – Classifying Information

Classifications: Public / Protected / Restricted / Reserved

Risk
  Public: None - confidentiality is of no particular significance to this information
  Protected: Low - inappropriate disclosure would have minimal significance
  Restricted: Medium - inappropriate disclosure could adversely affect the University's reputation or operations, cause substantial distress to individuals or breach statutory restrictions on disclosure of information; likely financial or legal penalties
  Reserved: High - inappropriate disclosure could cause significant damage to the University's reputation or operations, cause great distress to individuals, pose a danger to personal safety or to life, or impede the investigation or facilitate the commission of serious crime; substantial financial or legal penalties

Access
  Public: May be viewed by anyone, anywhere in the world
  Protected: Available to all University of Warwick members (e.g. secured behind a login screen)
  Restricted: Available only to specified authorised University of Warwick members (e.g. secured behind a login screen, requires authorisation to gain access)
  Reserved: Access is controlled and restricted to a small number of authorised University of Warwick members (e.g. secured behind a login screen, requires authorisation to gain access)

Personal Information – examples (non-exhaustive), as defined by the Data Protection Act 1998, spanning the four classifications:
  Anonymised² information
  Student names and email addresses
  Individual's home addresses, contact details and passport or NI number
  Financial information relating to individuals, e.g. banking information, salary details, indebtedness (student fees)
  Staff work contact details (incl. job titles)
  Individual's name, home addresses, contact details and age
  Staff details shared publicly by the University
  Information on individuals made public with their consent, including on social media sites or departmental websites
  Academic staff qualifications and publication details
  List of student or staff names and ID number
  Individual's image (incl. CCTV footage)
  Student registration and attendance details
  Exam scripts/marks/comments on a student's performance
  Prospective students' contact details
  Information on an individual's racial or ethnic origin, political opinions, religious or other beliefs, physical or mental health or criminal record
  Student academic progression details, including details of disciplinary proceedings
  Provisional degree classification prior to formal approval and any publication
  Staff appointment, promotion or details of personal affairs (see University Data Protection Policy)
  References for staff or students³
  UCAS forms³
  Dates of birth (DoB)
  Individual's name plus DoB or national insurance (NI) number⁴
  Individual's name plus DoB or NI number, passport details, home address and telephone number⁴
  Hundreds of individuals' names plus date of birth or NI number

² For these purposes anonymised information is information which cannot identify an individual either in isolation or when combined with other information (Section 1(1) of the DPA 1998). Anonymised data may also carry other handling requirements – please see below.
³ Content dependent, e.g. information relating to health, criminal record or disciplinary matters would make the reference or form Reserved.
⁴ Adding additional combinations of data can change the overall classification (sensitivity) of the information. Increasing the volume can also increase the classification level.
Non-Personal Information – examples (non-exhaustive), spanning the four classifications:
  Research proposals prior to award
  Information relating to supply or procurement of goods/services prior to approved publication
  Anything subject to disclosure under the Freedom of Information Act
  HR policies and guidance
  'Trade' secrets and intellectual property intended for commercialisation
  Department and course details
  Marketing or press information
  Factual and general organisational information for public dissemination, incl. annual reports or accounts
  Research data which is security-sensitive or has been similarly classified by an external body (e.g. Government, or a commercial partner with a confidentiality agreement)
  Legal advice or other information relating to legal action against or by the University

⁵ Content dependent, e.g. information relating to industry collaborators or world-leading new ideas may lead to this being Restricted.

Annex B – Handling Electronic Information

Creation
  Public: N/A
  Protected: N/A
  Restricted: Visibly marked 'CONFIDENTIAL'
  Reserved: Visibly marked 'STRICTLY CONFIDENTIAL'; to be created (and stored) only in a secure environment, with copies limited and recorded

Can email
  Public: Yes
  Protected: Yes
  Restricted: Only to @warwick addresses or other internal domains, e.g. wbs.ac.uk or jobs.ac.uk (take care to check the address of the recipient(s))
  Reserved: Only as an encrypted/password-protected⁸ attachment (take care to check the address of the recipient(s))

Need to password-protect file in transit
  Public: N/A
  Protected: N/A
  Restricted: Password to meet University standard
  Reserved: Password to meet University standard; consider using PGP⁶ encryption

Can access remotely
  Public: Using myfiles or VPN⁷
  Protected: Using myfiles or VPN⁷
  Restricted: Using myfiles or VPN⁷
  Reserved: Using myfiles or VPN⁷

Can share via Teambuilder/Files.Warwick (www.warwick.ac.uk/its)
  Public: Yes
  Protected: Yes
  Restricted: Consider encrypting/password-protecting files for extra security⁸
  Reserved: Only as an encrypted/password-protected⁸ attachment (take care to check the address of the recipient(s))

Can share via One Drive for Business
  Public: Yes
  Protected: Yes
  Restricted: Yes
  Reserved: Only to @warwick addresses or other internal domains, e.g. wbs.ac.uk or jobs.ac.uk (take care to check the address of the recipient(s))

Can keep on University laptops or other portable media
  Public: Yes
  Protected: Only on a temporary basis, taking care to avoid loss or theft
  Restricted: Only on a temporary basis and if encrypted/password-protected, taking care to avoid loss or theft
  Reserved: Only on a temporary basis and if encrypted/password-protected, taking care to avoid loss or theft

Can keep on personally owned devices
  Public: Yes
  Protected: No
  Restricted: No
  Reserved: No

Store on University servers
  Public: Preferably in backed-up personal or shared network spaces
  Protected: Only in backed-up personal or shared network spaces with access restricted to those with a valid right to access the information (by adding a password to the document, encrypting it or applying permissions to a folder)
  Restricted: Only in backed-up personal or shared network spaces with access restricted to those with a valid right to access the information (by adding a password to the document, encrypting it or applying permissions to a folder)
  Reserved: Only in backed-up personal or shared network spaces with access restricted to those with a valid right to access the information (by adding a password to the document, encrypting it or applying permissions to a folder)

⁶ Available via the IT Services Helpdesk (ext 73737 or http://www2.warwick.ac.uk/services/its/)
⁷ http://www2.warwick.ac.uk/services/its/servicessupport/networkservices/vpn/
⁸ Passwords to be communicated via a mechanism separate from the one used to share the link to the files with colleagues.

Annex C – Handling Paper or Other Media

Creation
  Public: N/A
  Protected: N/A
  Restricted: Visibly marked 'CONFIDENTIAL'
  Reserved: Visibly marked 'STRICTLY CONFIDENTIAL'; to be created (and stored) only in a secure environment, with copies limited, numbered and recorded; copies delivered by hand

Storage in University
  Public: N/A
  Protected: Locked filing cabinet or equivalent
  Restricted: Locked filing cabinet or equivalent in an office which is locked or attended at all times
  Reserved: Locked filing cabinet or equivalent in an office which is locked or attended at all times

Can take off or around site
  Public: Yes
  Protected: For the shortest time possible; documents to be kept securely and with the person
  Restricted: For the shortest time possible; documents to be kept securely and with the person
  Reserved: Only exceptionally and with authorisation from line manager; documents to be kept securely and with the person

Can fax
  Public: Ensure fax number is correct and entered correctly
  Protected: Ensure fax number is correct and entered correctly
  Restricted: Ensure fax number is correct and entered correctly
  Reserved: No (unless to a 'safe haven machine')

Can post
  Public: Yes
  Protected: Yes
  Restricted: Double envelope with inner envelope marked as stated above; hand delivered, recorded or courier delivery
  Reserved: Double envelope with inner envelope marked as stated above; hand delivered, recorded or courier delivery

Disposal
  Public: Recycling
  Protected: Recycling (shredding if available)
  Restricted: Shredding, confidential waste
  Reserved: Shredding, confidential waste