IMST 03: Handling Information Standard
Purpose
The purpose of this standard is to set out requirements for:
- Handling both hardcopy and digital information
- Clear desk and secure working
The aim of this standard is to set out the requirements covering the above areas that support the security of information assets at the University. Adherence to this standard is achieved by following the practices it contains.
The University handles various types of information, including sensitive data such as personal data, or other information to which access should be limited to those who need to know for their work. Proper arrangements are essential for working with, storing, transferring and securely disposing of information (this list is not exhaustive). Following the practices set out in this standard helps mitigate potential data breaches and provides assurance to those with a relationship with the University that information is securely managed throughout its lifecycle.
The parent policy for this Standard will be IMP 01: Information Management Framework Policy when this new policy is published in early 2025. This standard supports the principles of that policy.
Scope
All the University’s information, in both hardcopy and digital format, is considered within the scope of this standard. This includes all information held for the purposes of the University’s operations including, but not limited to; the provision of teaching and education, research, student and staff support, internal and external reporting, and publications and information related to the operation of the University. It applies to information created by members of the University and to information received from third parties (unless otherwise approved by IDG). Definitions, as applied to the University of Warwick Information Management activities, can be found in the Information Management Glossary of Terms.
Responsibilities
It is expected that anyone working within the University is responsible for ensuring that any information they create, use, and retain is managed according to the good practice stated in this standard. Specific responsibilities associated with the standard are:
Role | Function |
---|---|
Designate of Head of Department (e.g. academic lead on research, individuals with delegated authority for information, system administrators) | Responsible - for overseeing the use of the standard, within areas of responsibility |
Head of Department | Accountable - for use of the standard within departments |
Information Risk and Compliance Team (with escalation to CISO and CITO required) | Consult - to discuss organisational level use of the standard |
IDG Digital Business Partners | Inform - must be informed of the content of the standard to communicate it to their departments |
Classification
Information must be classified, based on its sensitivity, according to IMST 01: Information Classification Standard. How information is handled, whether hardcopy or digital, is then determined by that classification and the associated risks.
Procedure
1. General guidance
How information can and will be handled depends on the assigned classification level and the associated risk. The greater the potential risk to the University, the more limitations there are on how that information must be handled. This includes the creation, access, dissemination, sharing, printing and storage of that information.
Access to information must be on a least-privilege basis: information must only be shared with those who have a legitimate need to access it.
Where there is a need to retain paper records, these must be managed by the relevant Head of Department or their designate. Access limitations for paper records apply primarily to Internal, Confidential and Highly Confidential information. Access is normally limited by controlling access to central or managed storage areas, including filing cabinets, storerooms or off-site storage facilities.
It is strongly recommended that information is only printed if there is a genuine need to do so. This not only reduces the risk of security incidents and breaches, but also helps us achieve our sustainability goals.
Practices for clear desks and working securely at workstations
The principles of clear desk and secure working with information at workstations must always be followed. These requirements support the principles of the Information Management Framework Policy and maintain the Confidentiality, Integrity and Availability of information assets.
- Screens must be locked whenever the workstation is out of sight of the individual.
- Those who regularly work with ‘Internal’ or ‘Confidential’ information must ensure, where possible, that monitors are positioned to minimise the visibility of any sensitive information to non-authorised people.
- When working with ‘Highly Confidential’ information, monitors must be positioned to minimise visibility to non-authorised people or privacy screens must be used.
- To support the limited-visibility requirement, Departmental Heads/Line Managers must consider the layout of offices, offering more discreet/less visible working spaces for those staff who regularly handle ‘Confidential’ or ‘Highly Confidential’ data.
- Papers containing ‘Confidential’ or ‘Highly Confidential’ data must be locked away when staff are away from the desk or workstation, and always at the end of the day.
- Laptops, tablets and other University devices must be adequately secured from theft. Passwords must be managed in line with the IMST 02: Password Management Standard (currently in development).
2. Handling digital information
Handling electronic information must follow the requirements set out below. The Risk Levels for each of the classifications are set out in IMST 01: Information Classification Standard. Where OneDrive, SharePoint or Teams is mentioned in the table below, this refers to the University of Warwick’s instance of these applications, rather than personal or non-University of Warwick instances.
Handling consideration | Public | Internal | Confidential | Highly confidential |
---|---|---|---|---|
Risk level | None | Low | High | Critical |
Creating | (All classifications) As stated in the Information Classification Standard, when information is created or updated an information classification should be applied according to its sensitivity. Consideration should be given to how the content is arranged when creating the information. For example, in some instances more sensitive information might be separated into a separate document (e.g. an appendix) where possible, so that the main body can be distributed widely with fewer restrictions. Digital documents classified as ‘Confidential’ or ‘Highly Confidential’ should carry a header or watermark similar to ‘Information classification – Confidential’. | | | |
Emailing | Yes | Yes. Exercise extra caution and diligence: it is good practice to reference the classification in the subject line and/or text of email communications. | No. Put the information in SharePoint with access permissions granted only to those who need to use it. | No. Put the information in SharePoint with access permissions granted only to those who need to use it. Passwords may be applied to documents in line with the password standard to afford additional protection; however, caution must be taken in doing so, as applying passwords to documents risks loss of access to them in the long term (e.g. if colleagues move on). |
Printing | Yes. Only when necessary, i.e. an online/electronic file is not available. | Yes. Only when necessary, i.e. an online/electronic file is not available. Any printout should be marked as if it were newly created, with the classification clearly marked at the top of each page; copies should be limited and shredded on disposal. If information is printed for a particular purpose, it should be disposed of in confidential waste once that purpose has concluded. Copies of printouts should not be stored in the long term. | Printing is actively discouraged. Documents must be securely disposed of in a confidential waste bin, or by cross-cut shredder, as soon as the business requirement for their use has ended. For other information, e.g. meeting papers and client information, printing rules should be agreed with the meeting chair or the client. | Only via the IDG exception process. |
Sharing and attachments (the default should be to share documents via a OneDrive, SharePoint or Teams link rather than as an attached document) | No restrictions | Sharing should be related to a legitimate business need to circulate the information beyond the individual or team that initially received it. Attachments must be the exception rather than the normal distribution method; links via OneDrive, SharePoint or Teams, or another sharing method approved by IDG, must be used. | Put the information in a Restricted file and share via SharePoint, Teams or another sharing method approved by IDG. | Put the information in a Restricted file and share via SharePoint, Teams or another sharing method approved by IDG. Passwords may be applied to documents in line with the password standard to afford additional protection; however, caution must be taken in doing so, as applying passwords to documents risks loss of access to them in the long term (e.g. if colleagues move on). |
Travelling outside of the UK | No restrictions. Adhere to the Red/Amber/Green risk categories for the destination on the Travel Hub. | Access in line with the provisions of IS10: Mobile & Remote Working Policy. Adhere to the Red/Amber/Green risk categories for the destination on the Travel Hub. | To be defined in a Working Abroad Information Security Policy. Adhere to the Red/Amber/Green risk categories for the destination on the Travel Hub. | To be defined in a Working Abroad Information Security Policy. Adhere to the Red/Amber/Green risk categories for the destination on the Travel Hub. |
Store on local device storage (e.g. hard drive) | Yes | (Internal, Confidential and Highly Confidential) Some equipment used for research purposes relies on the use of local storage, and some research setups render networked storage unusable. In these circumstances these classifications of data can be stored locally on a device, provided efforts are made to mitigate the additional risks this incurs. In all other circumstances storage locally on a device is prohibited. | | |
Store on personally owned devices and cloud storage not managed by the University | Yes | No | No | No |
Suitable storage | | | | |
Removable media (e.g. USB) (cloud storage such as OneDrive, SharePoint or Teams is the default storage location, and removable media must only be used when this is not an option) | Removable media must be encrypted and stored in a locked cupboard. | Removable media must be encrypted and stored in a locked cupboard, in a lockable room or a room with access controls in place. | Removable media must be encrypted and stored in a locked cupboard, in a lockable room or a room with access controls in place. | Not permitted. Would need to be applied for through the IDG Exception Process. |
3. Paper and other physical records
Handling consideration | Public | Internal | Confidential | Highly confidential |
---|---|---|---|---|
Risk Level | None | Low | High | Critical |
Creating | N/A | Discouraged unless there is a business need. Visibly marked ‘Internal’. | Discouraged unless there is a business need. Visibly marked ‘Confidential’. | Only via the IDG exception process. |
Travelling | Yes | For the shortest time possible; documents must be kept securely and with the person at all times. | No. If there is a business requirement, a request should be made via the Research Ethics Committee or the IDG Exceptions Process. | No. If there is a business requirement, a request should be made via the IDG Exceptions Process. |
Posting | Yes | Yes. If an internal addressee is unavailable, documents should be placed in a secure pre-designated location for storing post (such as a locked post box or reception), given to the PA of the addressee, given to a manager of the addressee, or given to a named individual designated by the addressee. | Secure electronic means must be used as the first option. Where digitisation is not an option, paper may be sent with the approval of the Head of Department or their nominated deputy: double envelope with the inner envelope marked ‘CONFIDENTIAL’, hand delivered or sent by a track-and-trace or courier service. All assets should be delivered next day or within 24 hours. | Secure electronic means must be used as the first option. Where digitisation is not an option, paper may be sent with the approval of the Head of Department or their nominated deputy: double envelope with the inner envelope marked ‘HIGHLY CONFIDENTIAL’, hand delivered or sent by a track-and-trace or courier service. All assets should be delivered next day or within 24 hours. The sender must confirm safe receipt of the asset with the receiver within 24 hours. |
Disposing | Non-confidential recycling bin. | Confidential waste bin/cross cut shredder. | Confidential waste bin/cross cut shredder. | Confidential waste bin/cross cut shredder. |
Suitable storage | As appropriate to enable the future use and disposal of the information at the appropriate time. | In a locked cupboard. | In a locked cupboard, and in a lockable room or room with access controls in place. | In a locked cupboard, and in a lockable room or room with access controls in place. |
Exceptions
Exception requests under this standard are processed through the IDG Exceptions process with the delegated authority of the CITO.
Activities that have received prior approval by the Research Governance and Ethics Committee are not required to go through the exceptions process.
This standard may have an impact on users of assistive technology or assistive software due to their circumstances. These individual cases will be considered on a case-by-case basis.
Review
The aim is that this standard will be refined and improved through active use and regular review. If you have any comments, suggested amendments or issues with this standard please contact the Service Desk.
References
- HM Government Security Classifications
- ISO/IEC 27001:2022 and ISO/IEC 27002:2022 (8.2 Information Classification)
- Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000
- UK Data Protection Act 2018
- Gartner - ID G00764590 - How to Succeed With Data Classification Using Modern Approaches
- National Institute of Standards and Technology (NIST) - Cyber Security Framework 2.0 (Function - Identify - ID.M-05 and ID.AM-07)
Version control/document history
Version | Date created | Date published | Next review | Notes and review outcome |
---|---|---|---|---|
0.1 | 11/02/2021 | N/A | N/A | First draft based on early draft of IS04: Information Handling Policy and Government Security Classification Standard. |
0.2 | 11/05/2021 | N/A | N/A | Amalgamation of versions (following review by CTU & DSG) and inclusion of updated ED&I statement and feedback process. |
1.0 | 19/05/2021 | N/A | N/A | First version following final SIM Team review. |
1.0 | 28/05/2021 | N/A | N/A | First published on IDG/SIM website. |
2.0 | 05/06/2024 | 11/12/2024 | | Revised from a SOP into a standard, which incorporated the previous IS03: Clear Desk Safe Working Policy and replaced IS04: Information Handling Policy and IMSOP 02: Handling Information Paper and Digital. |