NEWS Information Security Policy
Title: Information Handling Policy
Date: May 2018
- Inventory and ownership of information assets
- Security classification
- Access to information
- Disposal of information
- Removal of information
- Using personally owned devices
- Information on desks, screens and printers
- Exchanges of information
- Reporting losses
- References and further guidance
This Information Handling Policy is a sub-policy of the Information Security Policy (ISP1) and sets out the requirements relating to the handling of NEWS information assets. Information assets must be managed in order to protect against the consequences of breaches of confidentiality, loss of integrity, interruption to availability, and non-compliance with legislation which would otherwise occur.
For the purposes of this document, the term “personnel” will include staff, contractors and agents of NEWS together with any others who may have been granted permission to use NEWS information and communication technology facilities.
Inventory and ownership of information assets
An inventory of NEWS’s main information assets will be developed and maintained and the ownership of each asset clearly stated.
Each asset will have a nominated owner who will be assigned responsibility for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect the asset.
Security classification
Each information asset will be assigned a security classification by the asset owner which reflects the sensitivity of the asset according to the following classification scheme:
- Public – available to any member of the public without restriction.
- Open – available to any authenticated member of NEWS.
- Confidential – available only to specified personnel, with appropriate authorisation.
- Sensitive – available to only a very small number of members, with appropriate authorisation.
Any information which is classified as personal data (or higher) under the EU General Data Protection Regulation (or its successor legislation) will be classified as sensitive. Any information which is commercially sensitive, e.g. competence assessment templates, training materials, or operating procedures, will be classified as confidential by default.
Access to information
Members of NEWS will be granted access to the information they need in order to fulfil their roles within NEWS. Members who have been granted access must not pass on information to others unless the others have also been granted access through appropriate authorisation.
Disposal of information
Great care needs to be taken to ensure that information assets are disposed of securely.
Confidential paper waste must be destroyed before disposal through the use of shredders unless the disposal is undertaken under contract by an approved contractor.
Electronic information must be securely erased or otherwise rendered inaccessible prior to leaving the possession of NEWS, unless the disposal is undertaken under contract by an approved contractor.
In cases where a storage system (for example a computer disc) is required to be returned to a supplier it should be securely erased before being returned unless contractual arrangements are in place with the supplier which guarantee the secure handling of the returned equipment. If this is not possible, then the storage system should not be returned to the supplier and should remain in the possession of NEWS until it is disposed of securely.
Removal of information
NEWS data which has a classification of confidential or above should be stored using NEWS facilities or with third parties subject to a formal, written legal contract with NEWS, wherever possible. In cases where it is necessary to otherwise remove data from NEWS, appropriate security measures must be taken to protect the data from unauthorised disclosure or loss.
Sensitive information in electronic form must be strongly encrypted prior to removal. Particular care needs to be taken when information assets are in transit. NEWS-supplied mobile devices must always be fully encrypted.
Using personally owned devices
Any processing or storage of NEWS information using personally owned devices must be in compliance with NEWS Mobile and Remote Working Policy (ISP1.10).
Information on desks, screens and printers
Personnel who handle confidential paper documents should take appropriate measures to protect against unauthorised disclosure, particularly when they are away from their desks. Confidential documents should be locked away overnight, at weekends and at other unattended times.
Care should also be taken when printing confidential documents to prevent unauthorised disclosure.
Computer screens on which confidential or sensitive information is processed or viewed should be sited in such a way that they cannot be viewed by unauthorised persons and all computers should be locked while unattended.
Information owners must ensure that appropriate backup and system recovery measures are in place. Where backups are stored off site, appropriate security measures must be taken to protect against unauthorised disclosure or loss. Recovery procedures should be tested on a regular basis.
Information which is entrusted to the care of IT Services will meet these requirements.
Exchanges of information
Whenever significant amounts of personal data or other confidential information are exchanged with other organisations, appropriate information security measures must be established to ensure the integrity and confidentiality of the data transferred. Regular exchanges must be covered by a formal written agreement with the third party.
Information classified as sensitive may only be exchanged electronically with third parties if the information is strongly encrypted prior to exchange.
Unsolicited emails, faxes, telephone calls, instant messages or any other communication requesting information which is not classified as public should not be acted upon until and unless the authenticity and validity of the communication has been verified.
Personnel of NEWS must not disclose or copy any information classified as confidential or above unless they are authorised to do so.
Reporting losses
Personnel of NEWS have a duty to report the loss, suspected loss or unauthorised disclosure of any NEWS information asset to the IT Services team (firstname.lastname@example.org).
References and further guidance
Mobile and Remote Working Policy (ISP1.10):