Author: Elena Menendez-Alonso (Data Architect) & Paul Ferrier (Enterprise Security Architect)
Date: 11/01/2016    Security Level: PUBLIC    Status: Published    Version: 1.1
Reference: EIM-POL-001    Document Link: EIM-POL-001 – Information Security Classification Policy v1.1
Review Date: 08/2016
Plymouth University
EIM-POL-001 - Information Security Classification Policy
Page 2 of 14
Document Control

Version | Contributors | Details | Date | Approved by | Position | Date
0.1 | EMA | Initial draft | 19/03/2014 | - | - | -
0.2 | EMA, TAG | TAG and EA review: Added information lifecycle and data storage options. Various other minor corrections. | 07/04/2014 | - | - | -
0.3 | EMA, TAG | Additional TAG/EA review. Minor corrections | 09/04/2014 | - | - | -
0.4 | EMA, PF | New level 1 and 2 classification labels: standard (previously ‘internal’) and restricted (previously ‘confidential’) | 12/08/2014 | - | - | -
0.5 | EMA | Content moved to standard document template. Renamed ‘Information Classification Policy’ and standardised terminology (data/information). Other minor corrections | 09/01/2015 | - | - | -
0.6 | TAG, EMA | TAG review. Created separate table for technical requirements | 14/01/2015 | - | - | -
0.7 | PW, EMA | Added technical limitations para and mapping to government classifications. | 22/01/2015 | | |
0.8 | PF, CD, EMA, AH, JG | Updated to include a fourth category (“Confidential”) of classification | 16/07/2015 | | |
0.9 | PF, CD | Final tweaks before Data Quality review | 31/07/2015 | | |
0.91 | PF | Updated following comments from Dean of Science and Environment | 17/08/2015 | | |
0.92 | PF, EW | Alteration following comments from DPO and Digital Curator | 25/09/2015 | | |
0.95 | PF, GR, JL, CD, EMA, JG, MC | Alteration following EU Safe Harbor European Court Ruling and Office 365 project comments | 14/10/2015 | | |
0.97 | PF, EMA | Alteration following DQC feedback | 09/12/2015 | DQC | |
1.0 | PF, EMA | Published version | 05/01/2016 | | |
1.1 | PF, EMA | Removed OneDrive for Business restriction in “storage” section | 11/01/2016 | UEG | | 13/01/2016
1. Introduction

1.1 Purpose: The Information Security Classification Policy sets a framework for classifying and handling Plymouth University (PU) information based on its level of sensitivity, and its value to the University.

1.2 Audience: This policy applies to all members of the University and its partner organisations that have responsibility for any aspect of information creation, collection, dissemination, maintenance, disposal or consumption. Failure to comply with this policy may result in action under the University’s Human Resources policies.

1.3 Scope: This policy applies to all University information and to any activity resulting in the creation, collection, dissemination, maintenance, disposal or consumption of such information through its lifecycle.

1.4 Limitations: It is recognised that, at the time of writing, some of the technical requirements specified in the policy cannot be met (e.g., those around encryption and back-up of 'restricted' data). Nonetheless, the requirements should be adhered to as closely as possible. The policy will inform decision making whenever systems and processes are reviewed or replaced.

Exceptions to this policy should only be made when there are significant reasons that prevent it from being adhered to. They must be recorded by the Enterprise Architect or delegate, through the Enterprise Architecture Waiver Procedure, must only be for a defined period of time, and may be reviewed once expired by the Enterprise Architect or delegate.
2. Definitions

Audit: An independent examination of practice to determine its compliance with a set of requirements. An audit may be carried out by internal or external groups.
Availability: Preserving timely and reliable access to information.
Confidentiality: Protecting personal and proprietary information from unauthorised disclosure.
Data and Information: ‘Data’ are facts and statistics collected together for reference or analysis [1]. When data is processed, organised, structured or presented in a way that gives it context and therefore makes it more useful, it is called ‘information’. In the context of this document and the University’s Information Governance framework, the terms ‘data’ and ‘information’ can be used interchangeably.
EU Safe Harbor: Was a streamlined process that US companies used to comply with EU Directive 94/46/EC on the protection of personal data. This is no longer valid as of 07/10/2015.
Information Asset: Information which is valuable to the University and is managed with the expectation that it will provide future benefit.

[1] Oxford Dictionaries online, 2014: http://www.oxforddictionaries.com/definition/english/data. Accessed: 2014-11-20.
Information Asset Owner: Individuals or group of people who have been officially designated as accountable for specific information assets and for ensuring that procedures have been put in place to maintain and improve standards of data quality and to ensure that the information is managed securely and in compliance with University regulations and statutory obligations.
Integrity: Preserving the authenticity, accuracy and completeness of information against unauthorised modification or destruction.
Lifecycle Management: The process of managing information through its lifecycle (see Figure 1).
Private Cloud: The cloud infrastructure is provisioned for exclusive use by a single organisation comprising multiple consumers (e.g., business units); it delivers the agility, scalability and efficiency of the public cloud, but in addition provides greater levels of control and security. It may be owned, managed, and operated by the organisation, a third party, or some combination of them, and it may exist on or off premise. [2]
Public Cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organisation, or some combination of them. It exists on the premises of the cloud provider. [2]
Sensitive Information: Information that is private, personal, or proprietary and must be protected from unauthorised access.

Figure 1. Information lifecycle
• File storage and sharing: Content is mainly static, though it may move quickly to the next stage to support collaboration.

[2] Definition taken from NIST Special Publication 800-145 (The NIST Definition of Cloud Computing, September 2011) http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
• Collaboration: This is the work in progress, the draft content; once ready to present, this is where the approval process resides.
• Information publishing: This is the final version of the content. It is official and published for the relevant audience to consume. It is anticipated that as much information as possible is made publicly available.

3. Assigning classification levels

3.1 The classification of information is based on its level of sensitivity and the impact to the University (e.g. impact to organisational operations, organisational assets, or individuals) if the confidentiality, integrity or availability of the information is compromised.

3.2 Table 1 outlines the relationship between the level of damage, the security impact and the information security classification level.

Table 1. Relationship between the level of damage, security impact and information classification level

Damage level | Security impact | Information classification
Minimal | Low | Public – Level 4
Moderate | Moderate | Standard – Level 3
Serious | High | Confidential – Level 2
Severe to catastrophic | Extreme | Restricted – Level 1
4. Information security classification levels

4.1 Table 2 lists the information security classification levels across various stages of the lifecycle.

Table 2. Information security classification levels

Security impact
• Public – Level 4: Negligible to low
• Standard – Level 3: Moderate
• Confidential – Level 2: High
• Restricted – Level 1: Extreme

Description
• Public – Level 4: Information should be classified as Public when the unauthorised disclosure, alteration or destruction of that information would result in little or no risk to the University and its affiliates (inconvenient but not debilitating). The University has adopted and abides by the model publication scheme issued by the Information Commissioner’s Office. This means that the University commits to making a significant amount of its information publicly available [3].
• Standard – Level 3: Information should be classified as Standard when the unauthorised disclosure, alteration or destruction of that information could result in a moderate level of risk to the University or its affiliates. A reasonable level of security controls should be applied to Standard information.
• Confidential – Level 2: Information should be classified as Confidential when unauthorised disclosure, alteration or destruction could result in either personal (or sensitive personal) [4] or internal service configuration data being divulged; this equates to the University being at risk from Information Commissioner’s Office sanctions and should be considered as a high risk. A significant level of security controls should be applied to Confidential information.
• Restricted – Level 1: Information should be classified as Restricted when the unauthorised disclosure, alteration or destruction of that information could cause an extreme level of risk to the University or its affiliates. The highest level of security controls should be applied.

Examples (may include, but not limited to)
• Public – Level 4: Programme and course information; press releases; research publications and research datasets cleared for publication; approved University operating policies, e.g. Teaching & Learning, University Services and governance information.
• Standard – Level 3: Internal documents; collaborative documents of a non-confidential nature; building plans and information about the University’s infrastructure.
• Confidential – Level 2: Payroll; student grades; home address; disability information; emergency contact details; notes relating to disciplinary processes; research data containing personal information or information which is of a high value.
• Restricted – Level 1: Commercially sensitive business operations and strategies; medical (including tissue) or clinical trial research data; any other research data stipulated through the research contract or agreement to be handled with utmost care; account passwords that can be used to access confidential information.

[3] For further details, please see http://www.plymouth.ac.uk/your-university/governance/information-governance/publication-scheme
[4] Personal details include anything that can provide reasonable deduction about who the data belongs to – i.e. forename and surname or postcode (specifically in remote locations)
Access control

Viewing:
• Public – Level 4: Unrestricted.
• Standard – Level 3: Access controls must be observed from creation to destruction. Limited to members of the University, partner organisations and individuals. Not intended for the general public. Information may have limited access for a specific subset of members. Access to information must be requested from, and authorised by, the Information Asset Owner (or their delegate) who is responsible for the asset. Access may be authorised to groups of persons by their job classification or responsibilities (role based access), and may also be constrained by one’s department.
• Confidential – Level 2: Access controls must be enforced from creation to destruction. Limited to members of the University, partner organisations (where covered by data sharing agreements) and individuals, as authorised by Information Asset Owners (or their delegate). Cannot be disclosed to the general public. Information should have limited access for a specific subset of members. Access should be authorised to groups of persons by their job classification or responsibilities (role based access), and should also be constrained by one’s department.
• Restricted – Level 1: Tight access controls must be enforced from creation to destruction. Access must be individually requested and will be granted by the Information Asset Owner responsible for the asset (or their delegate), only to those persons affiliated with the University who require such access in order to perform their job (‘need-to-know’). Must not be disclosed to the general public. Where feasible, access should be authorised to individual persons, as opposed to groups; if this is not feasible then small groups with appropriate business need should be permitted.

Printing and copying:
• Public – Level 4: Unrestricted.
• Standard – Level 3: Limited. Printing and copying will be permitted, unless stated otherwise.
• Confidential – Level 2: Limited. Printing and copying may be permitted, unless stated otherwise.
• Restricted – Level 1: Highly limited. Authorisation by the Information Asset Owner (or their delegate) required, and available only to individuals who require access in order to perform their duties.

Modification:
• Public – Level 4: Unrestricted, although moderation is advised.
• Standard – Level 3: Limited. Authorisation for modification by the Information Asset Owner (or their delegate) required.
• Confidential – Level 2: Limited. Authorisation for modification by the Information Asset Owner (or their delegate) required.
• Restricted – Level 1: Highly limited. Modification should only be performed by the Information Asset Owner (or their delegate).
Storage

Electronic:
• Public – Level 4: No restrictions. Can be stored in any public cloud, including personal and corporate accounts (for example, DropBox, Google Drive or OneDrive).
• Standard – Level 3: Working copies of documents can reside on an individual’s workstation or a mobile device (e.g. a laptop computer). Device encryption is suggested. Cannot be stored in any personal public cloud account. Can be stored in the University’s public cloud (i.e. Plymouth University Office 365 environment), including OneDrive for Business. Can be shared with partners without the requirement for a non disclosure agreement.
• Confidential – Level 2: Working copies of documents can reside on an individual’s workstation or a mobile device (e.g. a laptop computer). The device should be encrypted using whole-disk encryption. Final or approved copies of documents must be stored within a Document Management System or a shared storage area with appropriate permissions added to prevent unauthorised access. Cannot be stored in any personal public cloud account. Can be stored in the University’s public cloud (i.e. Plymouth University Office 365 environment), with restrictions on who can access the materials. Cannot be shared publicly. Can be shared with partners with a Non Disclosure Agreement being in place between the two parties. Sharing permissions must be controlled by the Information Asset Owner.
• Restricted – Level 1: Working copies of documents can reside on an individual’s workstation or a mobile device (e.g. a laptop computer). The device should be encrypted using whole-disk encryption. Final or approved copies of documents must be stored within a Document Management System or a shared storage area with appropriate permissions added to prevent unauthorised access. Cannot be stored in any personal public cloud account. Can be stored in the University’s public cloud (i.e. Plymouth University Office 365 environment), where not contravening any license or contractual arrangements, with restrictions on who can access the materials. Cannot be shared publicly. Can be shared with strategic partners, but a Non Disclosure Agreement must be in place between all of the relevant parties. Sharing permissions must be controlled by the Information Asset Owner.

Paper/hard copy:
• Public – Level 4: No restrictions.
• Standard – Level 3: No restrictions.
• Confidential – Level 2: Do not leave unattended where others may see it; store in a secure location.
• Restricted – Level 1: Do not leave unattended where others may see it; store in a secure location.
Transmission and collaboration
• Public – Level 4: No restrictions.
• Standard – Level 3: Document or file encryption suggested. Any distributed documents (electronic or paper) should include ‘STANDARD’ in the document header, aligned to the right of the page. Hard printed copy can be transmitted through the normal mail channels.
• Confidential – Level 2: Document or file encryption required for electronic transmission (for example, via email or secure file transfer protocols). Any distributed documents (electronic or paper) must be watermarked as ‘CONFIDENTIAL’ and the intended recipients clearly indicated; if watermarking is not possible, ‘CONFIDENTIAL’ must be included in the document header, aligned to the right of the page. Printed copies to be delivered in sealed envelopes marked ‘Personal’ or ‘Confidential’. For collaboration with external parties a non-disclosure agreement (NDA) is required. A Security Risk Assessment [5] should be performed and approved prior to first use, or after any significant change to the existing service.
• Restricted – Level 1: Document or file encryption required for electronic transmission (for example, via email or secure file transfer protocols). Any distributed documents (electronic or paper) must be watermarked as ‘RESTRICTED’ and the intended recipients clearly indicated; if watermarking is not possible, ‘RESTRICTED’ must be included in the document header, aligned to the right of the page. Printed copies to be delivered in sealed envelopes marked ‘Personal’ or ‘Restricted’. For collaboration with external parties a non-disclosure agreement (NDA) is required. A Security Risk Assessment [5] should be performed and approved prior to first use, or after any significant change to the existing service.

Retention (all levels)
All information must be retained for the legally or contractually required minimum and maximum periods of time [6]. This will vary depending on the type of information under consideration. If you are unsure of the retention period, refer to the University’s Records Retention Schedule.

[5] Please refer to Section 6 - Security Risk Assessment, Exemption process and Authorisation
[6] Data Protection Act – Principle 5 – Retaining Personal Data and Principle 4 – Data Accuracy may apply directly here
Disposal

Electronic:
• Public – Level 4: No special requirements other than compliance with the Retention Schedule (see above).
• Standard – Level 3: No special requirements other than compliance with the Retention Schedule (see above).
• Confidential – Level 2: Must comply with the Retention Schedule (see above). On decommissioning of equipment used to store the information, the storage must be securely wiped to CESG Enhanced standard [7], or physically destroyed. An accompanying certificate of destruction must be obtained by the person facilitating the destruction; the certificate must be stored securely by the Enterprise Security Architect.
• Restricted – Level 1: Must comply with the Retention Schedule (see above). On decommissioning of equipment used to store the information, the storage must be securely wiped to CESG Enhanced standard [7], or physically destroyed. An accompanying certificate of destruction must be obtained by the person facilitating the destruction; the certificate must be stored securely by the Enterprise Security Architect.

Paper/hard copy:
• Public – Level 4: Printed copies can be recycled in the green bags provided around the campus.
• Standard – Level 3: Printed copies can be recycled in the green bags provided around the campus.
• Confidential – Level 2: Printed copies should be cross-cut shredded to DIN 66399 [8] P-3 standard and disposed of in confidential waste (blue) bags.
• Restricted – Level 1: Printed copies must be cross-cut shredded to DIN 66399 [8] P-4 or P-5 standard and then disposed of in confidential waste (blue) bags.

Training
• Public – Level 4 and Standard – Level 3: General data protection and information security awareness training mandatory. Refresher training carried out yearly.
• Confidential – Level 2: Applicable policy and regulation training required.
• Restricted – Level 1: Applicable policy and regulation training required.

User devices
• Public – Level 4: Password protection suggested; locked when not in use.
• Standard – Level 3: Password protection required, locked when not in use. Encryption suggested.
• Confidential – Level 2: Password protection required, locked when not in use. Encryption required.
• Restricted – Level 1: Password protection required, locked when not in use. Encryption required.

[7] CESG Enhanced standard - UK Communications Electronics Security Group (CESG) Enhanced standards
[8] DIN 66399 is the European Security Standard for the Shredding or Destruction of all types of Data Media, as of September 2012
4.2 Table 3 outlines technical requirements associated with the information classification levels.

Table 3. Information classification levels – technical requirements

Storage (technical) [9]
• Public – Level 4: Storage on a secure server recommended. Storage in a secure Data Centre recommended. Encryption not required.
• Standard – Level 3: Storage on a secure server required. Storage in a secure Data Centre required. Encryption optional.
• Confidential – Level 2: Storage on a secure server required. Storage in a secure Data Centre required. Encryption required.
• Restricted – Level 1: Storage on a secure server required. Storage in a secure Data Centre required. Encryption required.

Backup and disaster recovery
• Public – Level 4: Backups suggested where appropriate.
• Standard – Level 3: Backups required where appropriate.
• Confidential – Level 2: Encrypted backups required where appropriate, with PU holding the encryption keys. Off-site storage in a secure [10] location required.
• Restricted – Level 1: Encrypted backups required, with PU holding the encryption keys. Off-site storage in a secure [10] location required.
Backup frequency commensurate with the requirements to restore service in the service level agreement.

Network security
• Public – Level 4: May reside on an open public network.
• Standard – Level 3: Should not reside on an open public network.
• Confidential – Level 2: Must not reside on an open public network.
• Restricted – Level 1: Must not reside on an open public network.
Protection with a network firewall required, with the ruleset reviewed at least quarterly, or after any significant business change or incident. Additional network security measures (for example intrusion prevention or intrusion detection) available based on system or service requirements.

System security
• Public – Level 4 and Standard – Level 3: Must follow general best practices for system management and security. Host-based software firewall suggested.
• Confidential – Level 2 and Restricted – Level 1: Must follow University-specific and OS-specific best practices for system management and security. Additional system security measures (for example software firewall, file integrity monitoring) available based on system or service requirements.

Virtual environments
May be hosted in a virtual server environment. All other security controls apply to both the host and the guest virtual machines.
• Standard – Level 3: Data should be logically separated (at a minimum) from other classifications of information.
• Confidential – Level 2 and Restricted – Level 1: Data must be logically separated (at a minimum) from other classifications of information.

[9] See also EA-POL-014 – Enterprise Architecture Policy – Hosting
[10] Please refer to section 5 - Location restrictions for storage and transmission.
Remote access
• Public – Level 4: No restrictions.
• Standard – Level 3: Access restricted to the local network or Plymouth University’s wireless service for on premise resources.
• Confidential – Level 2: Access restricted to the local network or Plymouth University’s wireless service using a secure VPN service for on premise resources.
• Restricted – Level 1: Access restricted to the local network or Plymouth University’s wireless service using a secure VPN service for on premise resources. Two-factor authentication recommended.
Access to cloud resources restricted to authorised parties using secure protocols over the Internet. Remote access for 3rd parties restricted to temporary, authenticated access via secure protocols over the Internet. Unsupervised 3rd party remote access is not allowed. Remote access for University personnel may be limited based on any contractual obligations surrounding research data.

Auditing
• Public – Level 4: Not required.
• Standard – Level 3: Logins, successful and failed attempts.
• Confidential – Level 2: Logins, successful and failed attempts, access, modifications and permission changes.
• Restricted – Level 1: Logins, successful and failed attempts, access, modifications and permission changes.
5. Location restrictions for storage and transmission

5.1 In line with data protection legislation, personal information should not be transferred to countries or territories outside the European Economic Area (EEA). The ICO provides advice to help organisations decide whether their storage solutions meet data protection requirements [11].

5.2 Table 4 shows how classification levels affect the choice of storage location.

Table 4. Storage options
Columns: Public (L4) | Standard (L3) | Confidential (L2) | Restricted (L1)
Rows: On-site; Off-site (UK only); Off-site (EEA only); Off-site (Non-EEA)
Key: Suitable; Additional checks required; Network password protected; Encrypted [12]
(The symbols marking the individual cells of this table were not preserved in the text version; only the headings and key are reproduced.)

[11] http://ico.org.uk/for_organisations/data_protection/the_guide/principle_8
[12] Meets PU encryption key management requirements

6. Security Risk Assessment, Exemption process and Authorisation

6.1 Where projects, elements of service or research requirements are not able to accommodate the data classification levels stated previously, a security risk assessment must be performed by the Enterprise Security Architect or delegate.

6.2 The risk assessment rankings are provided below:

Risk Rating | Sign Off
Low | Enterprise Security Architect
Medium | Strategy & Architecture Manager
High | IT Director or Chief Information Officer

6.3 The security risk assessment will feed into the Enterprise Architecture Waiver Process, highlighting how any identified risks are to be accepted, reduced or transferred, but not avoided, for a designated period of time.

7. Related documents and further information
• Information Governance Roles & Responsibilities
• EIM-POL-002 - Data Quality Policy
• EIM-POL-003 - Record Retention Policy [under development]
• EA-POL-014 – Enterprise Architecture Policy – Hosting
• EA-POL-015 – Enterprise Architecture Policy – Encryption
• Plymouth University – Information Governance: www.plymouth.ac.uk/your-university/governance/information-governance