7. Information Handling
All units should clearly identify their information assets, and an inventory of all major assets should be maintained. Assets of the University include information, software, physical assets, services, people and intangibles (e.g. reputation). Ownership of all information assets should be defined and clearly stated. Information assets should be classified in terms of their sensitivity and criticality to the unit/University. Guidance for the classification of information will be issued under the authority of the PRAC ICT sub-committee. Where appropriate, information assets should be labelled and handled in accordance with their classification. Rules for the acceptable use of information assets should be identified, documented and implemented.
To determine the appropriate level of security control that should be applied to information assets, a process of risk assessment should be carried out in order to define the security requirements and identify the probability and impact of security breaches. Owners of information assets are responsible for undertaking risk assessments and issuing appropriate guidelines to all relevant users.
Information owners should ensure that appropriate backup and system recovery procedures are in place. Backup copies of all important information assets should be taken, and their restoration tested, regularly in accordance with an appropriate backup policy.
Procedures should exist for the secure and safe disposal of media when it is no longer required. When permanently disposing of equipment containing storage media, all confidential/sensitive data and licensed software must be irretrievably deleted, using procedures authorised by the PRAC ICT sub-committee, before the equipment is moved off-site.
Removal off-site of the University's information assets should be properly authorised by the information owner. Prior to the authorisation, a risk assessment based on the criticality of the information asset should be carried out. Procedures for the handling and storage of such information should be established to protect it from unauthorised disclosure or misuse. Procedures should be in place to ensure that media containing information is protected against unauthorised access, misuse or corruption during transportation beyond the unit's/University's physical boundaries. Where appropriate, data in transit should be encrypted.
Controls should be implemented to ensure that electronic messaging is suitably protected. Email should be appropriately protected from unauthorised access and should only be used to send information and attachments that are not considered to be confidential or sensitive in accordance with the classification of that information. Where appropriate, encryption may be considered in order to send confidential or sensitive information to trusted recipients, though this should be authorised by the information owner. Any information received by email should be treated with care owing to the inherent security risks: the sender address can be forged, the content may have been read or altered in transit, and attachments may carry malicious software.
A policy on the use of cryptographic controls for the protection of information should be developed and implemented. Recommendations and guidance for levels of cryptographic control appropriate to various classes of data will be issued under the authority of the PRAC ICT sub-committee, and will be revised and updated as necessary to ensure the adoption of best practice and compliance with legal requirements. [See University of Oxford Classification Scheme]
Confidential or sensitive information should only be taken away from the University in an encrypted form unless its confidentiality can otherwise be assured. Where appropriate according to its classification, information being transferred on portable media, or across networks, should be protected by the use of encryption techniques. Appropriate encryption should be used on all remote access connections to the University's network and resources.
Where units implement their own solutions involving cryptographic controls, advice should be sought on policy and key management (including key generation, storage, rotation and revocation), to ensure that data are appropriately secured and that all legal and regulatory requirements have been considered.
A risk assessment should be carried out as part of the business case for any new ICT system that may be used to provide shared services, or to hold critical or sensitive data. The risk assessment should be repeated periodically on any existing systems.
- Classification of Information
- Asset Management
- Risk Assessment
- Media Handling
- Exchange of Information
- Guidelines for the use of Cryptographic Controls
- System Planning and Acceptance