Information Classification And Handling Policy

Purpose

The University of Hertfordshire holds an extensive variety of data that must be endangered against unofficial access, exposure, alteration, or other misappropriation. Efficient management of such properties is also essential to obey permissible and supervisory obligations such as applicable Data Protection regulation and to safeguard efficient treatment of Autonomy of Information requirements. Different types of data require dissimilar protection actions and consequently, applying cataloguing patterns of information properties is energetic to confirming operative information safety and management. Information cataloguing is applied to safeguard that data assets accept a suitable level of defence. The appropriate classification, management, and storing of data is the accountability of every University of Hertfordshire staff member. This policy is obligatory and spread on to all University of Hertfordshire staff, students, servicers, sub-contractors, intervention workers, and third gatherings that consume access to University of Hertfordshire information.

• The purpose of the Information Classification Policy composed with the associated technical pattern controls are envisioned to assistance staff and scholars’ control what data can be revealed to exterior parties, as well as the comparative sensitivity of data that must not be revealed external of the University of Hertfordshire deprived of appropriate authorisation.
• This policy also aims to help all associates of the University to safeguard that precise classification and management methods are functional to the day-to-day activities of University of Hertfordshire and accomplished consequently. Information assets of University of Hertfordshire must only be completed obtainable to altogether individuals that have an authentic need to admittance them.
• The truthfulness of data must be continued; data must be precise, comprehensive, appropriate and reliable with additional connected data and events.

• This policy instruction and guidance also covers data that is whichever stored or communal through any income counting those shaped preceding to the publication of this strategy. This information handling policy includes: electronic data, evidence on paper and data shared verbally or visually.
• Where the University of Hertfordshire holds data on behalf of additional administration with its individual classification scheme, an arrangement intends to be stretched as to that set of mechanical controls and management procedures shall apply.
• In addition to this it can be also stated that with the successful application of this information classification and handling policyUniversity of Hertfordshire ensure effective declaration of the roles and responsibilities of the personnel to support the security and management operations of information.

This is a plan that outlines the way to generate, collect as well as store data. The application of a data management plan safeguards the process of sharing and preserving information in a long-term agreement. Organizations are more interested in adopting data management plans with the aim to advance the information regulatory compliance is and its reviews for continuous improvements in data management.

This is one of the approaches that is applied in the field of information security management to identify and address privacy risks in compliance with GDPR requirements.

An information administrator stands for an individual who is responsible for maintaining and protecting the information generated and collected by the organization.

In the field of information security management, the CIA stands for information confidentiality, information integrity as well as information availability. Information confidentiality stands for an aspect that ensures the security of collected data to protect the sensitive information of users from unauthorized access. Information integrity stands for the management of data originality that restricts unauthorized professionals to manipulate the stored data. Information availability refers to an aspect that offers 24/7 availability of the data stored to ensure the data can be used whenever it is required (Yin et al., 2020).

This element stands for the core aspects of information that is structured and managed as a single entity and value for the information generated by the university.

An information asset owner stands for an individual that has the responsibility for managing the data liability and data protection against any threat and negligence. This is to mention that the information asset owner is the head of a specific department present in the data security management operation that takes care of information asset protection and security of the organizational data.

This is one of the important aspects that need to be considered while performing information classification and handling in university as the classification arrangement identifies data that is applied by the university. And in this policy, the information is classified or restricted considering their usability and disability.

Topic	Public	Internal	Confidential
Backup & Recovery	The backup and recovery files will not be available for the public and only the general information about the university will be accessible by the public.	The Backup & Recovery will be kept as internal factor by ensuring their security and integrity.	The confidential data present in the Backup & Recovery file will be managed and protected by the Information Administrator and Information Asset Owner.
Student Record	The Student Record files will not be available for the public and only the general information about the university students will be accessible by the public.	The Student Record will be kept as internal factor by ensuring their security and integrity.	The confidential data present in the Student Record file will be managed and protected by the Information Administrator and Information Asset Owner.
University Computer Server	The university computer server will be protected from public access.	The university computer server will be protected by considering it as an internal document to ensure effective handling of information and its security.	The data present in the University Computer Server will be handled by Information Asset Owner.
University Network	The university network server will be protected from public access.	The university computer network server will be protected by considering it as an internal document to ensure effective handling of information and its network security.	The data present in the University network Server will be handled by Information Asset Owner.
The university payment data	The university payment data will be protected from the unauthorised access.	The university payment data will be protected from the unauthorised access considering it as information asset.	The university payment data will be protected from the unauthorised access by protecting the user confidentiality.

• IT experts-will ensure the operational compliance with the policies applied.
• Information Governance and Security Steering Group-will take care of the approval processes and ensure effective classification of the data. They are also responsible for handling the data management policies.
• Information Asset Owners and Information Administrators-will be responsible for the management of policies and information collected and stored.
• Member of University of Hertfordshire-are responsible for the handling the information as per the data classification and compliance policy.

Following policies will be applied in the University of Hertfordshire: –

• The personal data will be identified using Data Protection Act 1998.
• The data classification will be performed under the GDPR act.
• Data Breach Response Policy will be used in case of any identification of the data threat.

The Information Classification and Handling Policy will be reviewed, evaluated and updated yearly or additional frequently if required with the aim to ensure that any changes to the University of Hertfordshire structure and organizational practices are appropriately replicated in the policy. In addition to this it is also need to mentioned that the Information Classification and Handling Policy will be reviewed, evaluated and updated to identify the existing gap and response to it quickly. The Information Governance and Security Steering Group and Information Asset Owners and Information Administrators with perform the evaluation. The findings will be reported to the executive head of the University of Hertfordshire.

In the following table the risks associated with the information handling and management are listed. The risk register will also contain of the demonstration of likelihood, consequences, risk rating as well as responsible practitioner.

ID	Risk	Consequences	Likelihood	Score	Mitigation	Responsible Professional
1.	Data Breach	Loss is confidentiality	Certain	Medium	Implementation of firewall.	IT expert
2.	Poor alignment with the security policy.	Loss of reputation	Rare	Major	Better need analysis and its alignment.	IT expert
3.	Lack of expertise to support the information handling	Information handling inefficiency	Certain	Medium	Hire skilled expertise.	Information Governance and Security Steering Group
4.	Inappropriate data classification	Information handling inefficiency	Rare	Major	Application of recommended data classification policy and instruction.	Information Asset Owners and Information Administrators

In the following table the risk register, risk rating and its associated definition are mentioned: –

Likelihood	Consequence
Insignificant	Minor	Moderate	Major	Severe
Almost Certain	Medium	High	Extreme	Extreme	Extreme
Likely	Medium	Medium	High	Extreme	Extreme
Possible	Low	Medium	Medium	High	Extreme
Unlikely	Low	Low	Medium	Medium	High
Rare	Low	Low	Low	Medium	Medium

Descriptor	Level	Definition
Insignificant	1	No mutilation
Minor	2	Impairment requiring first aid
Moderate	3	Impairment needs higher attention
Major	4	Impairment needs immediate attention
Severe	5	Loss

Descriptor	Level	Definition
Rare	1	May occur uncommonly.
Unlikely	2	May occur uncommonly or more that rate cases.
Possible	3	May occur numerous times.
Likely	4	May occur quite a lot of times.
Almost Certain	5	Prone to occur commonly.

Descriptor	Definition
Extreme:	Advise the department directly.  Corrective activities would be taken proximately.
High:	Advise the project manager proximately. Counteractive movements would be occupied within 48 hours of announcement.
Medium:	Inform the project manager.  Counteractive movements would be occupied within 7 days.
Low	Counteractive movements would be occupied in approximately times to treat the danger.

Policy:

Following policies will be applied in the University of Hertfordshire: –

• The personal data will be identified using Data Protection Act 1998. This is one of the effective data protection policies that offers an individual the right to access to information associated with themselves that is held by an association alongside setting out the process of how the information should we collected, secured, and processed. Furthermore, it is identified that the Data Protection Act stands for the key policy to protect personal data which is applicable in computerized data as well as pen-paper data in order to offer an individual the right to know the usage of information and organization is collecting from them to ensure that their data is secured and stored as per the regulatory compliance. Application of this data security policy will ensure the enhancement in data analysis automation; it will also increase the credibility and trust in the data management offering a better understanding of the data that are being stored and collected by eventually improving the data management.  Furthermore, it can be stated that protection and enhancement in data quality alongside maintaining privacy in the playing field is one of the important aspects that has been addressed by this data security policy.
• The data classification will be performed under the GDPR act. The general data protection regulation GDPR is one of the data protection acts applied by the consumer and personal data user across the European Union nation with the aim to ensure that every organization is collecting the consent of subject for data processing from the owner of the data, the organization is empowered to notify the author about the data breach as well as safe handling the data transformation across the border (Chico 2018). From this aspect, it can be stated that using this data security policy in the university information handling will help in easy business process automation as well as appropriate compliance with the company and security policy (Zaeem & Barber 2020). Thus, it is instructed in the policy that all the data classifications will be performed under the general data protection regulation act with the aim to ensure that there are no such violations to user data that are sensitive and not sensitive.
• Data Breach Response Policy will be used in case of any identification of the data threat. This is one of the important aspects of data security that needs to be addressed by the university as informing the owners of the data about the data breaches is one of the essential aspects which will help the organization to maintain its transparency and professionalism (Loideain & Adams 2020). However only informing the user of data is not enough to protect its confidentiality, thus it is recommended to opt for a data breach response policy that will help the university to adopt quick responses against the data breaches to limit its impact and reduce data losses.

Reference:

Zaeem, R. N., & Barber, K. S. (2020). The effect of the GDPR on privacy policies: Recent progress and future promise. ACM Transactions on Management Information Systems (TMIS), 12(1), 1-20.

Chico, V. (2018). The impact of the general data protection regulation on health research. British medical bulletin, 128(1), 109-118.

Loideain, N. N., & Adams, R. (2020). From Alexa to Siri and the GDPR: the gendering of virtual personal assistants and the role of data protection impact assessments. Computer Law & Security Review, 36, 105366.

Yin, L., Fang, B., Guo, Y., Sun, Z., & Tian, Z. (2020). Hierarchically defining Internet of Things security: From CIA to CACA. International Journal of Distributed Sensor Networks, 16(1), 1550147719899374.