If you handle Network Information you will need to be aware of how to classify information so you can determine what level of protection should be applied. This is especially important where information is shared between Network Members or externally, as it helps to ensure a consistent approach is taken when the information is no longer under the direct control of the person that created it / owns it. By classifying information you can also ensure that information is not over-protected and identify which of the information security standards apply to you.
Information classifications applied are:
**Information processed on behalf of a client using their information classification schemes shall be labelled and handled according to rules agreed with the individual client. This includes labelling of digital and hard copy information. Such rules may be provided in a Security Aspects Letter, Security Requirements document, contract clauses or prepared scheme such as the UK Government Classification Scheme. This is a very limited dataset within the Network’s operations so are not explicitly handled within the Information Security Classification and Handling Standard beyond recognising that it may exist and be subject to specific controls that must be followed.
The Information Security Classification and Handling Standard (see below) presents a matrix approach to identifying and mapping controls to information classification against an activity within the information lifecycle or key activities, e.g. creating or acquiring, storing, sharing and so on. Network Members should refer to this document to assist with data handling activities.
For more information specifically about managing and protecting personal data, see the Network’s Data Protection Policy.
Document Version: V1.0