1 Information Transfer Policy Student Name Institution Affiliation Instructor Date 2 ISO 27001 Annex: A.13.2 Information Transfer Policy Synopsis Within the University of Hertfordshire, tons of information is conveyed to other public bodies, third-party service providers, other departments, and individuals, not to mention commercial organizations. It is achieved by applying an assortment of media and methods in whichever way the receiver prefers, whether on paper or electronic paper. In transferring data, there is a heightened hazard of losing the information accidentally, or the information may be misappropriated. It is the duty of The Council compelled to be careful when handling any form of communication. Information transfer at the University of Hertfordshire must be executed in a way that protects the data and maintains the expectations of the organization's users for data protection and confidentiality. Scope and aim of the report University of Hertfordshire stockpiles an enormous amount of data in paper and electronic forms. The information transfer policy provides guidelines on how to safeguard such information and also describes how confidential and sensitive information should be handled inside and outside of the school. The information transfer dogma applies to all parties who handle data transfer which includes staff members, workers, contractors apprentices, placement students documented in the university ICT Policy (Abhayaratna, et al., 2021). Storage and handling of data is determined by the Data Protection Act of the UK. . With regards to the aim of this report, data is both raw, unformatted data stored in backup drives and is also textual information, for instance, reports, spreadsheets, word documents, PDFs, and many more is transferred. 3 The information Transfer Policy cuts across all employees of the University of Hertfordshire, as well as any other third party who can handle the campus' information. Exclusions The policy fails to protect information passed over the Hertfordshire internal network since it has automated security controls. Similarly, since such platforms have independently implemented security prerequisites, it does not encompass copyrighted secure transfers using structures such as the BACS funding transferal. The Policy Statement The University of Hertfordshire identifies its roles in proper information handling that is achieved through legal means, in line with home policy requisites, and Information transfer policies and procedures (ISO: A.13.2.1) (CAF: B3.b). The sender is responsible for risk analysis of their intentions and working to ensure that all the risks are recognized and covered to make the transfer process seamless (Abhayaratna, et al., 2021). The primary safety requirements and security protocols are identified hereafter. Policy compliance is strictly carried out by an IT Auditor who will evaluate the systems. If an operator is seized with unquestionable evidence of violating the policy, as mentioned earlier, they are prone to facing the Council's disciplinary procedure (Concu, et al., 2020). If it is worse and they are found to have broken the law, there is a possibility of prosecution. Before a user starts working with this policy, they should take their time and read the terms and conditions and seek advice from their attorney or the Data Protection Officer. The policy's objective is to uphold the well-being of information distributed to whichever exterior body is inside the institute. 4 A.21.3.2 Information Transfer Policy Control: To safeguard the individuals transmitting information through every form of communication, procedures, official transfer policies, and authorities have to be established. Implementation management: Different entries shall be tackled, especially in the controls and procedures needed when passing information from one facility to the other. Systems created to prevent misrouting, altering, coping, destruction, and interception of transferred files Measures to identify and shield against malware from electronic forms of communication such as email, WhatsApp, etc. (Concu, et al., 2020). Other measures to safeguard information communicated electronically, especially information that involves the use of an attachment. The rules and guidelines determine the proper practice of communication facilities (turn to 8.2.4) (Bossman,et al., 2022). The ethical imperative of any user and external parties is not to misappropriate the channel seen by unauthorized purchases, the transmission of chain letters, impersonation, harassment, defamation, etc. For instance, the application of encryption systems safeguards privacy, authenticity, and information integrity following (clause 15) (Cook, & Overpeck, 2019). We are disposing and retaining policies to comply with the state and legislative requirements for the University, which cover the messages sent and the systems to be used. 5 Controls and constraints concerned with appropriate use of communication amenities, for example, electronic mail computerized dispatching to external third parties (Cook, & Overpeck, 2019). Operatives are advised not to give out information such as passwords and take significant measures to protect against unauthorized access. Employees are advised not to leave behind vital information on platforms such as answering machines since others can easily access, replay, store, and take them due to carelessness (Yue, et al., 2020) (Xia,et al., 2022). Highlight the problems associated with using fax machines and, more specifically, from unauthorized access and retrieval of data stored in such devices. Address the unintended computerized programming to send messages and information to different people. The policy against sending data to the wrong unintended audience. A.21.2.3 Agreements on Information Transfer Control: Settlements should deal with the protected sharing of information interdepartmental or outside to third parties. Execution guidelines- The information transfer agreements as per 9ISO: A.13.2.2 includes the following elements: 1. Control of notification responsibilities, dispatch, transmission as well, as receipt control 2. Policy against non-repudiation and ensuring traceability of information (Schumacher, 2022). 3. Required packaging as well as broadcasting procedural specifications 4. Escrowed deals 6 5. A criterion of courier recognition 6. In case of data loss, liabilities, responsibilities, and security incidents. 7. Proper labeling systems ensure priorities are identified and sensitive information is protected against unauthorized access. 8. Exclusive mechanisms to cover things, especially cryptography and encryption, are needed for special services. 9. Limiting the levels of control and access. To safeguard data and physical resources that are in transit according to (cap 9.1.2) (Peregrino, et al., 2022), protocols, procedures, policies, and guidelines should be established and implemented, maintained, and appropriate follow-up should be conducted regularly to see the reliability of the systems. The information presented in any agreement should be listed in order of data sensitivity. There are unique methods of signing agreements that are either manual or electronic. To protect confidential data, the University of Hertfordshire's particular type of agreement shall be consistent in all systems used to transfer information in line with Agreement on information transfers 9ISO: A.13.2.2 (Varjú, 2022). Risk assessment Whenever a sender passes information and transfers data, there is countless risk, as seen in the case where data may be lost, accidentally released, or misappropriated. Therefore, it is mandatory for the sender to be liable for any damage caused and to ensure that adequate levels of control are applied in line with the policy guidelines (Lee, & Ma, 2020). The following section provides different procedures and rules to be put in place before transmitting any data. It provides an assessment of appropriate security to the network. Whenever an employee is in 7 doubt, they must contact the Data Protection Officer and review the guidelines (Siarova, & van der Graaf, 2022). Is the transmission legal and necessary? There is a lot of harm in supposing that since a person requests access to data, they are personally entitled to have authorized access and legally permitted. If an employee working for the University of Hertfordshire has any doubt, then they should consult the data manager. It is only when the employee is guaranteed that the transfer is necessary and legal is when they will determine which type of data they are allowed to disseminate (LaCroix, 2020). This is crucial because it defines what security is appropriate for the context. Additionally, the organization risks reputational damage when sending confidential or personal information without implementing proper checks and balances (Scagliarini, et al., 2020). As mentioned above, the employee responsible for the action is liable for disciplinary action. Is it dealing with Personal information? Personal information concerns a private person and it encompasses aspects of religious beliefs, sexual life, court appearances, sentences, physical or mental health, ethnic or racial origins, the commission of offenses, and any other sensitive information about an individual. It is considered to be personal information. Any activity done to personal information should be in line with the Data Protection Act of 1998 (Ling, et al., 2019). Some of the indispensable requirements of the Act are listed in Appendix 1. If an employee is in doubt, they must contact the data protection officer. Before initiating any form of information transfer, the employee must: Confirm that the communications department permits the transfers. They have to obtain and file the authorization of the information owner before the transfer. 8 Make sure that the transmission is legal and follows provisions listed under the Data Protection Act. Have to ensure that the transmission is required and if there is a less intrusive way of sending information. Blackout and remove all the ideologies regarded as non-essential for the recipient. Is it confidential information? Additionally, they have to determine if the information is confidential and one which the council has labeled as private. It may encompass data that affects the interest of the University of Hertfordshire or the interests of the third party. In other forms of communication, the sender does not hold the copyright of the information. Thus it can leave private details at risk, including salary details, agreements, contracts, and bank details (Shugurov, 2018). In the unauthorized dispatch of personal data, the person responsible for the action is liable for legal sanction and litigation (Katsinas, et al., 2019). At the same time, dispatching confidential information can break the trust of the public and the partners of the business. Thus, before initiating any transfer, a person has to ensure that the transfer is approved by obtaining a copy of the approval of the transfer. Data transfer considerations After complete data preparations have been established, one should countercheck on appropriate ways of channeling the information to the correct recipient. This report section outlines the proper channels, principles, and restrictions to maintain data privacy. Legal authorization should be obtained from the client by the sender. The following tracks are available; Electronic Mail 9 Whenever any information is sent via email, it must be approved by the appropriate council. After that, the data is locked in encryption, such as AEC (262-bit).WINZIP (Hwang, & Song, 2019). The passwords must be a mixture of numbers and signs and agreed upon by the organization. All emails transferred should have the required specific data to o ensure specificity of reaching the correct client without any messages leaking and must guide on what to do if they land with untargeted recipients. The system should ensure accessible communication with recipients on whether the message channeling was successful. Fax transmission This is not applied in many circumstances except on demand due to poor information security. It requires a ton of work to check fax and telephone numbers to ensure the correct client gets the required information. The information must be terminated once the right client gets information, and clear responsibility should be stated on the way forward if landing on an inappropriate recipient (Kolisnyk, 2021). Time must be recorded on the time the target client attains the message, and if there are any issues, inform the manager. Text messaging (SMS), Instant Messaging (IM) This is a fast data transmission mode, but the information should be private as it may land to inappropriate recipients. Proper checking of clients' contacts is encouraged, as any inaccuracy May lead to sharing confidential information with a stranger. Therefore, it must contain guidelines on how to respond to whether the client got the data, and if it lands on the unintended client, policies should be made on retrieving it. Telephone/Mobile Phone The information in calls may be shared or overheard accidentally, but the information channeling should be minimum. Formal confirmation of the recipient should be considered before sharing 10 any information in a phone call to ensure confidentiality. Private and personal information should not be channeled in the phone conversation except when the client allows it legally and gives a cozener identified appropriately in collaborative internet sites that are restricted from personal information sharing. Electronic memory The data must be stored in products agreeable to the company setting; the preferential encryption in many organizations is the AES (256bit) WINZIP 11.1 with an appropriate password for the various numbers and letters (Adam, 2020). The passwords should be transmitted in another form rather than email to reach the recipient without any leakages in the file information. The information should remain untouched until it comes to appropriate recipients, with measures kept on what to do if the content lands on any other person. Delivery by post or hand Paperwork or files must be secured on transmission and effectively tracked until reaching the target individual. The paperwork should be securely packaged and sealed with appropriate labeling without any breaks in the seal (Zhang, & Yu, 2021). The package should have the recipient's name, address, and place to sign after the delivery with the correct time indicated and should contain the return address and the contacts to ensure the right client gets the required information. 11 References Abhayaratna, T., Carter, A., & Johnson, S. (2021). The ATO Longitudinal Information Files (ALife): Individuals-a new dataset for public policy research. Adam, A. M. (2020). Susceptibility of stock market returns to international economic policy: evidence from effective transfer entropy of Africa with the implication for open innovation. Journal of Open Innovation: Technology, Market, and Complexity, 6(3), 71. Bossman, A., Umar, Z., Agyei, S. K., & Junior, P. O. (2022). A new ICEEMDAN-based transfer entropy quantifying information flow between real estate and policy uncertainty. Research in Economics, 76(3), 189-205. Concu, G. B., Atzeni, G., Meleddu, M., & Vannini, M. (2020). Policy design for climate change mitigation and adaptation in sheep farming: Insights from a study of the knowledge transfer chain. Environmental Science & Policy, 107, 99-113. Cook, B. R., & Overpeck, J. T. (2019). Relationship‐building between climate scientists and publics as an alternative to information transfer. Wiley Interdisciplinary Reviews: Climate Change, 10(2), e570. Hwang, S., & Song, H. (2019). Policy transfer and role of policy entrepreneur in international aid: exploring international development cases of Korea and Vietnam. Policy Studies, 40(1), 1-20. Kolisnyk, M. (2021). Vulnerability analysis and method of selection of communication protocols for information transfer in Internet of Things systems. Radioelectronic and computer systems, (1), 133-149. 12 Katsinas, S., Bray, N., Hagedorn, L., Dotherow, S., & Malley, M. (2019). From vertical to dynamic transfer: Recognizing continuous swirl in American higher education. Change: The Magazine of Higher Learning, 51(3), 44-51. LaCroix, T. (2020). Communicative bottlenecks lead to maximal information transfer. Journal of Experimental & Theoretical Artificial Intelligence, 32(6), 997-1014. Ling, H., Mclvor, G. E., Westley, J., Van der Vaart, K., Yin, J., Vaughan, R. T., ... & Ouellette, N. T. (2019). Collective turns in jackdaw flocks: kinematics and information transfer. Journal of the Royal Society Interface, 16(159), 20190450. Lee, C., & Ma, L. (2020). The role of policy labs in policy experiment and knowledge transfer: A comparison across the UK, Denmark, and Singapore. Journal of Comparative Policy Analysis: Research and Practice, 22(4), 281-297. Peregrino, P. F. M., Bonetti, T. C. D. S., Gomes, A. P., Martin, H. D., Soares Júnior, J. M., Baracat, E. C., & Monteleone, P. A. A. (2022). One Plus One is Better than Two: An Approach Towards a Single Blastocyst Transfer Policy for All IVF Patients. Revista Brasileira de Ginecologia e Obstetrícia, 44, 578-585. Shugurov, M. V. (2018). Promising policy efforts on development and transfer of environmentally sound technologies. Environmental Policy and Law, 48(6), 403-410. Scagliarini, T., Faes, L., Marinazzo, D., Stramaglia, S., & Mantegna, R. N. (2020). Synergistic information transfer in the global system of financial markets. Entropy, 22(9), 1000. 13 Siarova, H., & van der Graaf, L. (2022). Multi-stakeholder approach for better integration of refugee students: Stakeholder engagement in the practice-research-policy transfer in refugee education policy. Schumacher, C. (2022). Effectiveness of hospital transfer payments under a prospective payment system: An analysis of a policy change in New Zealand. Health Economics. Varjú, V. (2022). The policy transfer of environmental policy integration: path dependency, route flexibility, or the Hungarian way?. Policy Studies, 43(5), 943-961. Yue, P., Fan, Y., Batten, J. A., & Zhou, W. X. (2020). Information transfer between stock market sectors: A comparison between the USA and China. Entropy, 22(2), 194. Xia, L., Yang, D., Zhang, J., Yang, H., & Chen, J. (2022). Enhanced Semantic Information Transfer of Multi-Domain Samples: An Adversarial Edge Detection Method Using Few High-Resolution Remote Sensing Images. Sensors, 22(15), 5678. Zhang, Y., & Yu, X. (2021). Policy transfer: the case of European Union–China cooperation in public administration reform. International Review of Administrative Sciences, 87(1), 320. 14 Appendix 1 The Data Protection Act of 1998 The guidelines of information protection are covered by The Data Protection Act of 1998, which states that people who may be processing personal data have to be in line with Eight codes of appropriate practice. The law covers the guidelines. The following is required when dealing with confidential data: It will be dealt with lawfully and somewhat and, more particularly, shall not be processed without proper administrative approval. Data shall be obtained for specific lawful purposes and shall not be altered or handled in any manner deemed incompatible. Shall be relevant, adequate, and not excessive concerning the purpose for which it is intended. Shall be accurate and reliable and to be kept up to date Shall not be stored for a period longer than necessary and should be in line with the rights of the subject listed in the ACT. Shall be stored securely with the expected degree of security. Shall not be sent or transferred in a state outside of the UK except when adequate levels of data protection are guaranteed.