1 Introduction
All our information, across the University, needs to be given an appropriate level of protection. This level depends on the risk associated with improper use of that information: the greater the impact of a compromise, the higher the level of classification required.
1.1 Purpose of Policy
To ensure that all information held by the University of Bath, including that of our stakeholders and partners, is appropriately protected.
This document is designed to promote an understanding of the need for protection, the classifications used, the purpose of labelling, and usage of appropriate handling controls for each class of information.
1.2 Scope
All information held on behalf of the University, its partners and stakeholders is subject to classification. All employees of the University of Bath, contractors, and partners with access to our data are subject to this Policy.
There are three aspects of information security covered by this policy:
- Classification
- Labelling
- Handling
These are described below.
2 Classification
All information held is required to be classified: this is usually the responsibility of the operational function that needs it, processes it, and handles it. This ‘information owner’ is responsible for choosing what level of classification is assigned to their information.
Where multiple functions require access to information, it may be appropriate to agree classifications based on wider processing and access requirements.
2.1 Types of Classification
To ensure we are aware of the level of protection required, and how to handle information appropriately, all University of Bath information is assigned to one of three classifications. The classification is based on the degree of harm that would arise to the University, its partners and stakeholders, should the information be inadvertently disclosed.
- Public: disclosure causes no harm to the University. This information may be shared without additional safeguards.
- Internal: disclosure may cause some short-term harm to the University. This information may not be shared outside the University without appropriate additional safeguards.
- Confidential: disclosure may cause significant or long-term harm to the University. This information may not be shared beyond a restricted (documented/agreed) circulation.
2.2 Responsibility for Classification
For the purposes of this policy, responsibility for classification rests with the creator of the relevant documentation, acting as its information owner. Where relevant, the classification should be decided in consultation with the department from which it originates and those who will need to use the information.
Guidelines are provided by the Information Security Team to help University functions determine which classification is appropriate.
3 Labelling of Information
Once classified, the information (and any associated documentation) must be labelled, and then handled as described below. Labelling is essential to help the University’s Information Security team keep track of University information, and to ensure that it is handled (and therefore protected) correctly – whether stored, viewed, modified, or shared.
All new documentation should be labelled with its classification: when using Microsoft Office, creators of University documentation will be prompted by our automatic labelling feature to add a classification label to the document before saving. Existing documents may also be updated with labels when saving.
For documents created outside Microsoft Office, it may be necessary to manually insert classification labels into footers, or to use physical labels, watermarking, or rubber stamps.
Public information does not require a label: all documents that have no label are therefore to be treated as ‘Public’. Note that this default means an Internal or Confidential document that is left unlabelled will be handled as Public, so creators must apply the label before the document is stored or shared.
Labelling allows the Information Security Team to track what is happening to information that we have classified. By tracking the way a labelled document is used, we can add controls that help us become aware of Internal or Confidential documents that are disclosed, whether accidentally or deliberately.
4 Handling and Transfer of Information
Once labelled, information should be handled and transferred appropriately to ensure it remains suitably protected by safeguards. As noted above, information which is classified as ‘Public’ does not require any additional safeguards when handling.
The controls associated with handling both internal and confidential information need to ensure that appropriate levels of confidentiality, integrity, and availability are preserved.
For Internal and Confidential information, individuals are responsible for familiarising themselves with the guidelines on information security and on how to handle and share it.
Appropriate handling and disclosure agreements should be in place when transferring non-public information (whether University, partner or stakeholder) outside the University to ensure the security of our information is maintained by any external interested party.
Agreements as to transfer and handling should reflect the requirements of our partners and stakeholders.
Protection of our information while being shared or in transit should follow the guidelines for each classification. These may include sending files with password protection, recipient authentication, and encryption.
When exchanging information verbally, avoid confidential conversations in public places or over insecure communication channels, and ensure that any messages left (for example voicemail) do not contain confidential information. Ensure that appropriate sound-proofing or closed doors are in place, and begin sensitive conversations with a statement of the classification so that those present know how the information must be handled.
The University uses electronic transfer procedures to assist with secure information transfer. In addition to controls which detect and protect against malware, attachments may be scanned to ensure classification-appropriate controls are in place.
When using physical transfer, guidelines require suitable protection e.g. the use of opaque envelopes, approved couriers, tamper evident or tamper-resistant containers, verification of couriers, recording authorised recipients, recording any transit custodians, and receipt at destination.
Depending on circumstances, certain types of information may need to be handled with more security because of context, before reverting to the handling normally appropriate to its classification. In such cases, classification should remain at the appropriate lower level, while handling follows the higher level until such time as it is not required - as may happen in the case of embargoed public announcements, strategic decisions, examination results, etc. The guidelines suggest marking such documents (with stamps or watermarks), documenting the key dates: “Handle as Confidential before DDMMYYYY” or similar.
5 Additional Information
There is no requirement to alter the University classification scheme to accommodate a third-party scheme. When sharing information between organisations whose classification schemes differ, information owners should ensure that both sides understand how the information needs to be protected, handled and transferred.
This is particularly relevant to Confidential information, and it may be necessary to agree additional steps to protect information which others may classify as Secret, Highly Restricted, or similar. Differences in classification names are best resolved by examining handling requirements for both parties.
While labelling of classified information is a key requirement for information sharing, it may also be appropriate to identify which organisational process created the information, and even the date and time of creation.
Where the classification, labelling or handling requirements are not clear, or present technical difficulties, the Information Security Team will advise.
The University Information Transfer Policy and Acceptable Use Guidelines provide more details.
6 Roles and Responsibilities
Appropriate classification, labelling and handling remain the responsibility of everyone covered by this policy: University employees, and the contractors and partners with access to our data.
This policy is the responsibility of the Information Security Team, who will review our classification scheme as part of our regular information security policy reviews.