Info Classification + Handling

A key output of the Information Security Framework programme is the Cardiff University Information Handling Procedures. These procedures provide a clear framework for how to handle and protect information and where it’s okay to store different types of information. A PDF version of the procedures and associated policy can also be downloaded here: ISFInfoClassfnHndlngPolicyv3.3 or here in Welsh: ISFInfoClassfnHndlngPolicyv3.3Welsh
 
Modular versions of the handling procedures can be accessed via the links below the Information Classification table.

Information Classification:

Classified C1 (Highly Confidential):

Headline: Has the potential to cause serious damage or distress to individuals or serious damage to the University’s interests (including its relationships with other partners) if disclosed inappropriately.

Description: Refer to Impact levels of ‘high’ or ‘major’ on the Risk Measurement Criteria.

  • Data contains highly sensitive private information about living individuals and it is possible to identify those individuals e.g. Medical records, serious disciplinary matters.
  • Non-public data relates to business activity and has potential to seriously affect commercial interests and/or the University’s corporate reputation e.g. REF strategy.
  • Non-public information that facilitates the protection of individuals’ personal safety or the protection of critical functions and key assets e.g. access codes for higher risk areas, University network passwords.

Key security requirement: Confidentiality and integrity.

Type of protection required: This information requires significant security measures, strictly controlled and limited access and protection from corruption.

Back up requirements will need to be considered in relation to the importance of the information: is it the master copy of a vital record, how difficult would it be to recreate and how much resource would it require to recreate it?

Classified C2 (Confidential):

Headline: Has the potential to cause a negative impact on individuals’ or the University’s interests (but not falling into C1).

Description: Refer to Impact levels ‘Minor’ or ‘Moderate’ on the Risk Measurement Criteria.

  • Data contains private information about living individuals and it is possible to identify those individuals e.g. individual’s salaries, student assessment marks.
  • Non-public data relates to business activity and has potential to affect financial interests and/or elements of the University’s reputation e.g. tender bids prior to award of contract, exam questions prior to use.
  • Non-public information that facilitates the protection of the University’s assets in general e.g. access codes for lower risk areas.

Key security requirement: Confidentiality and integrity.

Type of protection required: This information requires security measures, controlled and limited access and protection from corruption.

Back up requirements will need to be considered in relation to the importance of the information: is it the master copy of a vital record, how difficult would it be to recreate and how much resource would it require to recreate it?

NC (Non-Classified):

Headline: Information not falling into either of the Classified categories.

Description: e.g. Current courses, Key Information Sets, Annual Report and Financial Statements, Freedom of Information disclosures.

Key security requirement: Availability.

Type of protection required: This information should be accessible to the University whilst it is required for business purposes.

Back up requirements will need to be considered in relation to the importance of the information: is it the master copy of a vital record, how difficult would it be to recreate and how much resource would it require to recreate it?

Handling Procedures For:

General advice:

  • Always aim to keep Classified Information (C1 and C2) within the University’s secure environment.
  • Where this is not possible consider whether the information can be redacted or anonymised to remove confidential or highly confidential information, thereby converting it to Non-Classified Information (NC).
  • Report any potential loss or unauthorised disclosure of Classified Information to the IT Service Desk on 74487
  • Seek advice on secure disposal of equipment containing Classified Information via the IT Service Desk on 74487
  • Use the Confidential Waste Service for disposal of paper and small electronic media Handling@cardiff.ac.uk
