Why is this important?
The University uses large volumes and diversity of information to support its activities and to achieve its strategic aims. Information that the University manages shall be appropriately secured to protect against consequences of breaches of confidentiality, failures of integrity, interruption to availability and failure to comply with legal requirements.
In order to protect information consistently, it is necessary to define a University-wide scheme for classifying (describing) information and how it should be handled according to its requirements for confidentiality, integrity and availability.
We should classify information so that it is clear to everyone with access to know how best to protect it. Everyone should use the University Information Classification and Handling Procedure.
What is the Information Classification and Handling Procedure?
The procedure describes how information and systems should be classified and marked, according to their confidentiality, criticality or value. Decisions around the appropriate protection and use of the information in each classification are based on the consequences of the loss or disclosure of the information.
The procedure relates to all types of information and formats and applies in particular to staff but also covers students and third parties wherever appropriate.
The procedure is a mandatory part of the University Information Security Framework and is overseen by the Institutional Resilience Team. The University recognises that there may be legitimate circumstances where it is not possible to adhere to this procedure. In these cases, you must seek advice from the Institutional Resilience Team (informationsecurity at warwick dot ac dot uk).
What do I need to do?
You should assess the sensitivity of the information you create and receive using the table in Annex A or online; and take proportionate measures to ensure that information is used securely – the key controls for protecting information are available in Annexes B and C.
- Annex B - Handling Electronic Information or as PDF
- Annex C - Handling Paper or other media or as PDF
Where information classified as Protected, Restricted or Reserved is shared with others for a valid University business reason, everyone should ensure that the recipient is aware of the information’s classification and their obligation to protect it. Access to information in these classifications by a third party requires a data sharing or confidentiality agreement in place, signed on behalf of the University and the other party. The Legal Services team can help you with this (www.warwick.ac.uk/legalservices).
What should I do if something goes wrong?
The University is expected to inform the Information Commissioner’s Office of any significant information security breach relating to personal data as per the Data Protection Act 1998 and has an obligation to report any significant breaches pertaining to other types of ‘sensitive’ information to the data owner and other relevant parties. The University recognises that failure to adhere to its legislative, regulatory and contractual obligations may result in significant financial and legal penalties and reputational damage.
It is therefore vital that everyone reports any observed or suspected security incidents where a breach of the University’s security policies has occurred, any security weaknesses in, or threats to, systems or services.
You should immediately report any actual or suspected information security breaches by emailing informationsecurity at warwick dot ac dot uk and informing your line manager/Head of Department