This bulletin explains how you can help by applying the University’s information classification and handling rules to your work.
We live in an era where academia is under an increasing threat of cyber attack because our information is of value to others, be they criminal gangs or hostile nation-states.
The reputational damage of a successful attack could be immense. It may also have legal, regulatory and financial consequences, which could have a significant impact on research projects. It is therefore important for all of us working in research to play our part in securing information and this has to be balanced against the needs of collaborative working and data sharing.
The Information Security Team
The Information Security Team works hard to ensure appropriate security controls are in place around the systems you use and to and raise awareness of security threats to students and staff. We carry out security risk assessments on systems and infrastructure and assess many third-party services on behalf of researchers and our involvement should be considered at the planning stage of every research project.
In addition, every one involved in research has a personal role to play. Security metrics show that the greatest proportion of security incidents occur due to user error in handling information, leading to loss or unauthorised disclosure. This can happen through email, file-sharing or the use of removable media.
What you can do
To help you play your part, an information classification and handling scheme has been developed by the Information Security Team. This provides you with practical guidance on classifying and protecting information.
What is Information Classification?
The University’s scheme classifies information according to three levels of confidentiality:
Public – information intended for public release with no harm caused by anybody having access to this information.
Internal – information that is not sensitive but could cause some harm, such as reputational damage to the University or research sponsor if it fell into the wrong hands. Internal information should only be seen within the University and by authorised third parties.
Confidential – sensitive information that could cause serious harm if it fell into the wrong hands. Access should be restricted to those with a need to know.
The information owner, which maybe you or the person who is responsible for the information, should decide what level classification to use. If ownership is unclear, it should be referred upwards, to your head of Department if necessary. Consult your local information governance lead or the Information Compliance if you are unsure how to classify personal data.
So the first step in securing information is to decide how sensitive or valuable it is and give it a corresponding classification. The decision should be based on:
• Its intrinsic value - how valuable would it be to others, notably competitors, criminal groups looking to sell it on and hostile nation-states?
• Its criticality to research - what would the impact be if compromised?
• Its sensitivity - what would the effect be of unauthorised disclosure on the University, researchers and research subjects?
Some information should be labelled to ensure it is given an appropriate level of protection. However, most information will be classified as ‘internal’ and does not need to be marked. All unlabelled information is treated as ‘internal’.
Confidential information should always be labelled ‘CONFIDENTIAL’ in the header or footer in the subject line of emails. Information approved for public disclosure should always be marked ‘PUBLIC’ to distinguish it from internal information.
There will be times when information might be difficult to assign classify. The decision should be based on the risk of harm and if in doubt, you should assume the higher level. It can be helpful to add a descriptor, such as INTERNAL - SENSITIVE PERSONAL to some information.
Some organisations have many classification levels and insist on all information being marked. The University’s simplified approach is to make the job as easy as possible.
How do we protect information?
We have produced information handling guidelines based on best practices, to protect information that has been classified according to the scheme. The handling guidelines are different for each confidentiality category, and for common methods and media of information handling, transmission and storage.
The guidelines are not exhaustive and do not replace the need for common sense. Ultimately the information classification scheme is intended to encourage people to think about confidentiality and to handle information accordingly.
If you would like more advice or guidance on how to use the information classification and handling scheme, or how we can help assess the security of your research, please refer to the Information Security website or contact the Information Security Governance, Risk and Compliance Team via firstname.lastname@example.org.
You can also find broader advice and guidance for protecting critical research projects on the CPNI web site.