Information Security Classification and Handling

Home / Information Security Classification and Handling

Apr 29, 2019

0

Information Security Classification and Handling

Why do you need to know about this?

If you handle Network Information you will need to be aware of how to classify information so you can determine what level of protection should be applied. This is especially important where information is shared between Network Members or externally, as it helps to ensure a consistent approach is taken when the information is no longer under the direct control of the person that created it / owns it. By classifying information you can also ensure that information is not over-protected and identify which of the information security standards apply to you.

Information classifications applied are:

  • Public
  • Internal
  • Confidential
  • Secret / Client Classified**

**Information processed on behalf of a client using their information classification schemes shall be labelled and handled according to rules agreed with the individual client. This includes labelling of digital and hard copy information. Such rules may be provided in a Security Aspects Letter, Security Requirements document, contract clauses or prepared scheme such as the UK Government Classification Scheme. This is a very limited dataset within the Network’s operations so are not explicitly handled within the Information Security Classification and Handling Standard beyond recognising that it may exist and be subject to specific controls that must be followed.

The Information Security Classification and Handling Standard (see below) presents a matrix approach to identifying and mapping controls to information classification against an activity within the information lifecycle or key activities, e.g. creating or acquiring, storing, sharing and so on. Network Members should refer to this document to assist with data handling activities.

What do you need to do?

DO…

  • Read the Information Security Classification and Handling Standard Matrix (below)
  • Ensure you understand what type of Network Information falls in to each category
  • Start labelling information, where required, so that yourself and others are aware of how the information should be protected and handled
  • Ensure you know what is expected of you if CONFIDENTIAL or SECRET Network information is shared with you. If unclear, seek advice
  • Ensure that requests for information, such as Subject Access Requests or Freedom of Information Requests, are handled formally via the established Network processes.

DON’T…

  • Share CONFIDENTIAL or SECRET Network Information unless there is a genuine ‘need to know’.

For more information specifically about managing and protecting personal data, see the Network’s Data Protection Policy.

Information Security Classification and Handling Standard

Document Version: V1.0

Date Adopted:

Chair’s Signature:

Skip to toolbar