Information Security Assignment: Information Classification & Handling Policy for University of Hertfordshire

Question

Task:
Information Security Assignment Task:
Imagine that you are employed by the University of Hertfordshire. Your task is to research and draft an Information Classification and Handling Policy along the lines of the ISO27000 family for the university. In particular you may wish to refer to ‘ISO 27001 A.8.2 Information Classification’ to ensure that information receives an appropriate level of protection in accordance with its importance to the organisation. You are advised to include an appropriate classification scheme and a clear set of policy statements with controls and examples of how the information should be handled.

You should also research the General Data Protection Regulation (GDPR) and any other relevant legislation and incorporate this into your policy.

You should take into consideration any confidentiality, integrity, and availability (CIA) issues of the information assets for the university and assess all relevant risks. Any work as part of your research on security policies, consideration of issues and risk assessment MUST be provided as an appendix. (Hint: do the research and risk assessment first as this will inform your policy) Please note that you will NOT be producing a typical academic report, but a policy document. As a general guideline your policy should not be more than three (3) pages long and approximately 1500 words excluding references and appendices. You will need to be concise and precise.

You are expected to use appropriate peer reviewed sources for developing your arguments and use Harvard style referencing.

This is an individual assessment and it is essential that you develop your own policy based on your consideration and analysis of the issues that lead to the statements in your policy. Supporting information should be included in the appendix.

Answer

Introduction
The policy discussed in this information security assignmentaims to strengthen the practices of the University of Hertfordshire concerning appropriate security of information. The policy statements have also identified various ways of classifying and handling the information effectively. Required research on required policies, issues, and risks has been done to formulate the policy. The discussions have focused on analysing the security policy framework, information security issues and developing recommended control actions for the University of Hertfordshire.

Description of the Policy
The policy
Information protection through effective classification and control Incorporation of Legislations and Regulations
The above-mentioned policy has been developed by considering the legislative guidelines under ISO27000. The important legislations considered for the development of the measures in the policy include - ISO/IEC 27001:2013, ISO/IEC 27002:2013, and UK GDPR guidelines.

Purpose
The primary purpose of the policy under ISO/IEC 27001:2013 have been used for the formulation of the measures. As per the guidelines in Annex A.8.2, it is feasible to rely on a simple information classification system instead of developing multiple layers (ISMS, 2021)(Refer to appendix). Three layers or levels will be used for classifying the wide range of information retained by the University. The three levels will be - confidential, restricted, and public. Information categorized as confidential is to be accessed only by the staff of the University. Special categories concerning personal information (racial origin, religious beliefs, mental or physical health condition, etc.), staff bank details, University central data, HR system data, passwords, salary details, and so on are various categories of information that must be classified as confidential (LSE, 2021).

Scope and application
The policy will be used to establish appropriate information security management practices for the University. User permission is needed to be established and must rely on the two principles outlined by clause 9 of the standard (ISO/IEC 27002, 2013)(Refer to appendix).

All departments of the University will have a clear idea about which information they can access.
The policy will ensure that violation of the principles must be made punishable through effective fines and penalties.
Each department will have unique access credentials (ID and password) which should not be shared with other department staff or the public. Only the University administration will have access to all department-related information.

Following clause 11 there is a necessity to establish security perimeters across the University premises (ISO/IEC 27002, 2013). A specific site needs to be selected where information processing facilities will be installed. In this area, any unauthorized access must be prevented by utilizing appropriate applications - digitized locks, bars, password-protected access, biometric identification,etc. There must be a presence of manned reception to prevent anyone (student and public from entering the security perimeter). Clause 13 is also an important area to be taken into account at the time of ensuring information security management. Procedures are needed to detect and prevent the transfer of malware along with crucial information so that they do not affect the entire information processing and storing facility.

Responsibilities
Personal data (name, contact, location details, email, etc.), information associated with the specific license, draft reports, and papers are to be regarded as restricted information. Information about different courses, company policies, pay scales, annual accounts, etc. is to be listed under public information.

After classification, correct labelling of information and handling of assets is required. Appropriate labels need to be used during communication (sending emails, sharing and storing records, etc.). Employees must have clear knowledge about the list of labels to be used for communicating information (ISO/IEC 27001, 2013). For handling of assets an appropriate record of the authorized recipients needs to be maintained.

Special attention is needed in case of sensitive data outlined by the GDPR (Refer to appendix). Information falling under the confidential classification must be protected through effective measures. CIA (confidentiality, integrity, and availability) elements need to be considered for supporting the protection of confidential data. Periodic reviewing of the information management facilities is necessary for the identification of gaps and further improvement of the measures. Following the guidelines, regular testing of the University security measures needs to be carried out. Approaches including advanced lock systems and improvement of the existing measures are needed to prevent the violation of the GDPR guidelines (GOV.UK, 2021). The data owners must maintain transparency with the stakeholders regarding the usage of personal data. For example, staff must know how the University administration is using their information and whether correct data is retained by the employer or not. A similar approach is needed to be maintained for investors, students, suppliers, and other partner companies. The information records maintained by the administration must be updated from time to time.

Processes to handle the identified issues and risks
Based on the identification of the issues and information risks appropriate measures are necessary to support better handling of information (Refer to appendix). There is a need for a security team or officer, who will be responsible for looking after the usage, access, storing, and other activities concerning information risk management. All infrastructure must be installed in secured areas of the University campus. Employees are required to be reminded about the policies and procedures. Lack of awareness and inability to keep the policies in mind will result in the occurrence of issues related to the CIA. Proper configuration is necessary for increasing the level of security and reliability of the systems used across the University campus (Ulven and Wangen, 2021). In the case of software utilization, limitations should be there for reducing the possibility of license violations. To comply with the availability component of the CIA it is essential to focus on the maintenance of the backup systems (ICO, 2021). The backup systems are required to be reviewed and tested periodically (monthly or quarterly) to ensure that information can be recovered at any point in time. Poor review of the backup systems will lead to loss of crucial data or re-configuration of the data because of any malware. Proper risk analysis is to be done to support early identification of the probable risks and threats existing to the information retained by the University (Dehdashti et al. 2020). The managers responsible for looking after the digital files must attend on-job training. This complies with clause 13 of ISO/IEC 27002:2013 which mandates provision of training to necessary staff. Training programs, workshops, seminars, and other appropriate formats of awareness sessions should be formulated by the management or the administration to increase the level of knowledge and competencies of the staff.

Regarding the training sessions, awareness about policies must be incorporated as a mandatory lecture. Staff must know which information they can access and which category of information they must not share with third-party entities. Along with the staff, managers, and the security team or officer need to maintain updated knowledge about the advances taking place in the field of security management (Li, 2021). A specific period for the retention of crucial information by the University needs to be determined. In addition to this, the University management also needs to come up with ways of dealing away with the information. In the case of student data, information needs to be retained even after the student completes their course for different reasons. In such cases, it is crucial to decide suitable storage and measures so that the personal information does not get mishandled or misplaced. Research data obtained by students during their projects and assignments often include the personal data of research participants. A time period of a maximum of three years will be allowed for the students to retain the data after the submission of their assignments. The students following the GDPR must abide by University-based solutions (deleting information stored on the University cloud and removing any data from personal systems) for destroying the information.

In the context of communication, restrictions are to be followed. Activities like automatic forwarding of electronic mails to arbitrary or external addresses need to be supervised. The content should be checked and validated before confirming the sending of the message or mail. Responsible individuals must have complete knowledge of the systems and processes they are using while transferring information and communicating with others. Lack of information can have a negative influence on the security of the information retained. Appropriate information transfer agreements should contain clear responsibilities of the management, acceptance criteria concerning information access, standards for courier identification, responsibilities in case of accidental data loss, and important clauses mentioned in ISO/IEC 27002:2013. All technological components to be used by the University need to be configured and the directions mentioned above need to be implemented without any failure.

Conclusion
The specific policy document is meant for improving information classification and handling of the same. Standards and regulations including ISO/IEC 27001:2013, ISO/IEC 27002:2013 and UK GDPR guidelines have been followed for the development of the statements along with control actions. Increased advances in the field of technology have made information retention and management difficult for the University. Various threats and risks exist concerning the information security system managed by the educational institution. The above actions and measures have been established in the form of policies based on identified risks and issues.

References
Dehdashti, A., Fatemi, F., Janati, M., Asadi, F., and Kangarloo, M.B., 2020. Data of risk analysis management in university campuses. BMC research notes, 13(1), pp.1-3. GOV.UK, 2021. Data protection. [online] GOV.UK. Available at: [Accessed 2 November 2021].

ICO, 2021. Security. [online] Ico.org.uk. Available at: [Accessed 2 November 2021].

ISMS, 2021. ISO 27001 Annex A.8 - Asset Management. [online] ISMS.online. Available at: [Accessed 2 November 2021]. ISO/IEC 27001, 2013. Information technology - Security techniques - Information security management systems - Requirements. [online] Trofisecurity.com. Available at: [Accessed 2 November 2021].

ISO/IEC 27002, 2013. Information technology — Security techniques — Code of practice for information security controls. [online] Trofisecurity.com. Available at: [Accessed 2 November 2021].

Li, S., 2021, February. Analysis of factors affecting the security and countermeasures of digital archives information in colleges and universities based on the Analysis of Big Data. Information security assignment In Journal of Physics: Conference Series (Vol. 1744, No. 3, p. 032219). IOP Publishing. LSE, 2021. Information Classification Standard. [online] Info.lse.ac.uk. Available at: [Accessed 2 November 2021].

Ulven, J.B. and Wangen, G., 2021. A Systematic Review of Cybersecurity Risks in Higher Education. Future Internet, 13(2), p.39.

Appendix
Security Policies
ISO/IEC 27001:2013
Annex A.8.2 under ISO/IEC 27001:2013 points out that too simple and too complex information classification reflects over or under-engineered controls. It is important to come up with a feasible classification to support effective information protection. ISO/IEC 27002:2013

Clause 9 - an access control policy is mandatory to be established, documented, and tested to ensure effective protection of information security.
Clause 11 - Security perimeters must be there to prevent damage and unauthorized physical access to sensitive and critical information.
Clause 13 - Networks must be controlled and managed through the establishment of efficient communication securities to protect information.

GDPR Regulation
There must be fairness and transparency in retaining and utilizing personal information by government, businesses, and other organizations.

Information Risks and CIA issues
• Lack of awareness of digital file management professionals
• Existence of malware
• Cyberattacks
• Poor competency of the security team
• Lack of reviewing of backup systems resulting in non-availability of crucial information
• Poor transparency concerning information usage