EIM-POL-001 - Information Security Classification Policy v1.1 · 2016-01-26 · EIM-POL-001 -...

Author: ElenaMenendez-Alonso(DataArchitect)&PaulFerrier(EnterpriseSecurityArchitect)

Date: 11/01/2016 SecurityLevel:Status:Version:

PUBLICPublished1.1

Reference: EIM-POL-001DocumentLink: EIM-POL-001 – Information Security Classification Policy v1.1

ReviewDate: 08/2016

PlymouthUniversity

EIM-POL-001-InformationSecurityClassificationPolicy


Page2of14

DocumentControlVersion Contributors Details Date Approvedby Position Date

0.1 EMA Initialdraft 19/03/2014 - - -

0.2 EMA,TAG TAGandEAreview:Addedinformationlifecycleanddatastorageoptions.Variousotherminorcorrections.

07/04/2014 - - -

0.3 EMA,TAG AdditionalTAG/EAreview.Minorcorrections

09/04/2014 - - -

0.4 EMA,PF Newlevel1and2classificationlabels:standard(previously‘internal’)andrestricted(previously‘confidential’)

12/08/2014 - - -

0.5 EMA Contentmovedtostandarddocumenttemplate.Renamed‘InformationClassificationPolicy’andstandardisedterminology(data/information).Otherminorcorrections

09/01/2015 - - -

0.6 TAG,EMA TAGreviewCreatedseparatetablefortechnicalrequirements

14/01/2015 - - -

0.7 PW,EMA Addedtechnicallimitationsparaandmappingtogovernmentclassifications.

22/01/2015

0.8 PF,CD,EMA,AH,JG

Updatedtoincludeafourthcategory(“Confidential”)ofclassification

16/07/2015

0.9 PF,CD FinaltweaksbeforeDataQualityreview

31/07/2015

0.91 PF UpdatedfollowingcommentsfromDeanofScienceandEnvironment

17/08/2015

0.92 PF,EW AlterationfollowingcommentsfromDPOandDigitalCurator

25/09/2015

0.95 PF,GR,JL,CD,EMA,JG,MC

AlterationfollowingEUSafeHarborEuropeanCourtRulingandOffice365projectcomments

14/10/2015

0.97 PF,EMA AlterationfollowingDQCfeedback

09/12/2015 DQC

1.0 PF,EMA Publishedversion 05/01/2016

1.1 PF,EMA RemovedOneDriveforBusinessrestrictionin“storage”section

11/01/2016 UEG 13/01/2016


Page3of14

1. Introduction1.1 Purpose:

TheInformationSecurityClassificationPolicysetsaframeworkforclassifyingandhandlingPlymouthUniversity(PU)informationbasedonitslevelofsensitivity,anditsvaluetotheUniversity.

1.2 Audience:ThispolicyappliestoallmembersoftheUniversityanditspartnerorganisationsthathaveresponsibilityforanyaspectofinformationcreation,collection,dissemination,maintenance,disposalorconsumption.FailuretocomplywiththispolicymayresultinactionundertheUniversity’sHumanResourcespolicies.

1.3 Scope:ThispolicyappliestoallUniversityinformationandtoanyactivityresultingonthecreation,collection,dissemination,maintenance,disposalorconsumptionofsuchinformationthroughitslifecycle.

1.4 Limitations:

Itisrecognisedthat,atthetimeofwriting,someofthetechnicalrequirementsspecifiedinthepolicycannotbemet(e.g.,thosearoundencryptionandback-upof'restricted'data).Nonetheless,therequirementsshouldbeadheredtoascloselyaspossible.Thepolicywillinformdecisionmakingwheneversystemsandprocessesarereviewedorreplaced.

ExceptionstothispolicyshouldonlybemadewhentherearesignificantreasonsthatpreventitfrombeingadheredtoandtheymustberecordedbytheEnterpriseArchitectordelegate,throughtheEnterpriseArchitectureWaiverProcedure,mustonlybeforadefinedperiodoftimeandmaybereviewedonceexpiredbytheEnterpriseArchitectordelegate.

2. DefinitionsAudit Anindependentexaminationofpracticetodetermineitscompliancewithasetof

requirements.Anauditmaybecarriedoutbyinternalorexternalgroups.

Availability Preservingtimelyandreliableaccesstoinformation

Confidentiality Protectingpersonalandproprietaryinformationfromunauthoriseddisclosure

DataandInformation

‘Data’arefactsandstatisticscollectedtogetherforreferenceoranalysis1.Whendataisprocessed,organised,structuredorpresentedinawaythatgivesitcontextandthereforemakesitmoreuseful,itiscalled‘information’.InthecontextofthisdocumentandtheUniversity’sInformationGovernanceframework,theterms‘data’and‘information’canbeusedinterchangeably.

EUSafeHarbor WasastreamlinedprocessthatUScompaniesusetocomplywithEUDirective94/46/EContheprotectionofpersonaldata.Thisisnolongervalidasof07/10/2015.

InformationAsset

InformationwhichisvaluabletotheUniversityandismanagedwiththeexpectationthatitwillprovidefuturebenefit.

1OxfordDictionariesonline,2014:http://www.oxforddictionaries.com/definition/english/data.Accessed:2014-11-20.


Page4of14

InformationAssetOwner

IndividualsorgroupofpeoplewhohavebeenofficiallydesignatedasaccountableforspecificinformationassetsandforensuringthatprocedureshavebeenputinplacetomaintainandimprovestandardsofdataqualityandtoensurethattheInformationismanagedsecurelyandincompliancewithUniversityregulationsandstatutoryobligations.

Integrity Preservingtheauthenticity,accuracyandcompletenessofinformationagainstunauthorisedmodificationordestruction

LifecycleManagement Theprocessofmanaginginformationthroughitslifecycle(seeFigure1)

PrivateCloud Thecloudinfrastructureisprovisionedforexclusiveusebyasingleorganisationcomprisingmultipleconsumers(e.g.,businessunits);itdeliverstheagility,scalabilityandefficiencyofthepubliccloud,butinadditionprovidesgreaterlevelsofcontrolandsecurity.Itmaybeowned,managed,andoperatedbytheorganisation,athirdparty,orsomecombinationofthem,anditmayexistonoroffpremise.2

PublicCloud Thecloudinfrastructureisprovisionedforopenusebythegeneralpublic.Itmaybeowned,managed,andoperatedbyabusiness,academic,orgovernmentorganisation,orsomecombinationofthem.Itexistsonthepremisesofthecloudprovider.2

SensitiveInformation

Informationthatisprivate,personal,orproprietaryandmustbeprotectedfromunauthorisedaccess

Figure 1. Information lifecycle

Filestorageandsharing Contentismainlystatic,thoughitmaymovequicklytothenextstagetosupportcollaboration.

2DefinitiontakenfromNISTSpecialPublication800-145(TheNISTDefinitionofCloudComputing,September2011)http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf


Page5of14

Collaboration Thisistheworkinprogress,thedraftcontent;oncereadytopresentthisiswheretheapprovalprocessresides.

Informationpublishing Thisisthefinalversionofthecontent.Itisofficialandpublishedfortherelevantaudiencetoconsume.Itisanticipatedasmuchinformationismadepublicallyavailableaspossible.

3. Assigningclassificationlevels3.1 TheclassificationofinformationisbasedonitslevelofsensitivityandtheimpacttotheUniversity

(e.g.:impacttoorganisationaloperations,organisationalassets,orindividuals)iftheconfidentiality,integrityoravailabilityoftheinformationiscompromised.

3.2 Table1outlinestherelationshipbetweenthelevelofdamage,thesecurityimpactandtheinformationsecurityclassificationlevel.

Table 1. Relationship between the level of damage, security impact and information classification level

Damagelevel Securityimpact Informationclassification

Minimal Low Public–Level4

Moderate Moderate Standard–Level3

Serious High Confidential-Level2

Severetocatastrophic Extreme Restricted–Level1

of14

4. Informationsecurityclassificationlevels

4.1 Table2liststheinformationsecurityclassificationlevelsacrossvariousstagesofthelifecycle.Table 2. Information security classification levels

Public–Level4 Standard–Level3 Confidential–Level2 Restricted–Level1

Securityimpact Negligibletolow Moderate High Extreme

Description InformationshouldbeclassifiedasPublicwhentheunauthoriseddisclosure,alterationordestructionofthatinformationwouldresultinlittleornorisktotheUniversityanditsaffiliates(inconvenientbutnotdebilitating).TheUniversityhasadoptedandabidesbythemodelpublicationschemeissuedbytheInformationCommissioner’sOffice.ThismeansthattheUniversitycommitstomakingasignificantamountofitsinformationpublicallyavailable3.

InformationshouldbeclassifiedasStandardwhentheunauthoriseddisclosure,alterationordestructionofthatinformationcouldresultinamoderatelevelofrisktotheUniversityoritsaffiliates.AreasonablelevelofsecuritycontrolsshouldbeappliedtoStandardinformation.

InformationshouldbeclassifiedasConfidentialwhenunauthoriseddisclosure,alterationordestructioncouldresultineitherpersonal(orsensitivepersonal)4orinternalserviceconfigurationdatabeingdivulged;thisequatestotheUniversitybeingatriskfromInformationCommissioner’sOfficesanctionsandshouldbeconsideredasahighrisk.AsignificantlevelofsecuritycontrolsshouldbeappliedtoConfidentialinformation.

InformationshouldbeclassifiedasRestrictedwhentheunauthoriseddisclosure,alterationordestructionofthatinformationcouldcauseanextremelevelofrisktotheUniversityoritsaffiliates.Thehighestlevelofsecuritycontrolsshouldbeapplied.

Examples

Mayinclude,butnotlimited

to

ProgrammeandcourseinformationPressreleasesResearchpublicationsandresearchdatasetsclearedforpublicationApprovedUniversityoperatingpolicies,e.g.Teaching&Learning,UniversityServicesandgovernanceinformation

InternaldocumentsCollaborativedocumentsofanon-confidentialnatureBuildingplansandinformationabouttheUniversity’sinfrastructure

PayrollStudentgradesHomeaddressDisabilityinformationEmergencycontactdetailsNotesrelatingtodisciplinaryprocessesResearchdatacontainingpersonalinformationorinformationwhichisofahighvalue

CommerciallysensitivebusinessoperationsandstrategiesMedical(includingtissue)orClinicaltrialresearchdataAnyotherresearchdatastipulatedthroughtheresearchcontractoragreementtobehandledwithutmostcareAccountpasswordsthatcanbeusedtoaccessconfidentialinformation

3Forfurtherdetails,pleaseseehttp://www.plymouth.ac.uk/your-university/governance/information-governance/publication-scheme4Personaldetailsincludeanythingthatcanprovidereasonabledeductionaboutwhothedatabelongsto–i.e.forenameandsurnameorpostcode(specificallyinremotelocations)

of14


Accesscontrol

Viewing:

Accesscontrolsmustbeobservedfromcreationtodestruction.Viewing:

Accesscontrolsmustbeenforcedfromcreationtodestruction.Viewing:

Tightaccesscontrolsmustbeenforcedfromcreationtodestruction.Viewing:

Unrestricted. LimitedtomembersoftheUniversity,partnerorganisationsandindividuals.Notintendedforthegeneralpublic.Informationmayhavelimitedaccessforaspecificsubsetofmembers.Accesstoinformationmustberequestedfrom,andauthorisedby,theInformationAssetOwner(ortheirdelegate)whoisresponsiblefortheasset.Accessmaybeauthorisedtogroupsofpersonsbytheirjobclassificationorresponsibilities(rolebasedaccess),andmayalsobeconstrainedbyone’sdepartment.

LimitedtomembersoftheUniversity,partnerorganisations(wherecoveredbydatasharingagreements)andindividuals,asauthorisedbyInformationAssetOwners(ortheirdelegate).Cannotbedisclosedtothegeneralpublic.Informationshouldhavelimitedaccessforaspecificsubsetofmembers.Accessshouldbeauthorisedtogroupsofpersonsbytheirjobclassificationorresponsibilities(rolebasedaccess),andshouldalsobeconstrainedbyone’sdepartment.

AccessmustbeindividuallyrequestedandwillbegrantedbytheInformationAssetOwnerresponsiblefortheasset(ortheirdelegate),onlytothosepersonsaffiliatedwiththeUniversitywhorequiresuchaccessinordertoperformtheirjob(‘need-to-know’).Mustnotbedisclosedtothegeneralpublic.Wherefeasibleaccessshouldbeauthorisedtoindividualpersons,asopposedtogroups,ifthisisnotfeasiblethensmallgroupswithappropriatebusinessneedshouldbepermitted.

Printingandcopying: Printingandcopying: Printingandcopying: Printingandcopying:

Unrestricted. Limited.Printingandcopyingwillbepermitted,unlessstatedotherwise.

Limited.Printingandcopyingmaybepermitted,unlessstatedotherwise.

Highlylimited.AuthorisationbyInformationAssetOwner(ortheirdelegate)requiredandavailableonlytoindividualswhichrequireaccessinordertoperformtheirduties.

Modification: Modification: Modification: Modification:

Unrestricted,althoughmoderationisadvised.

Limited.AuthorisationformodificationbyInformationAssetOwner(ortheirdelegate)required.

Limited.AuthorisationformodificationbyInformationAssetOwner(ortheirdelegate)required.

Highlylimited.ModificationshouldonlybeperformedbyInformationAssetOwner(ortheirdelegate).

of14


Storage Electronic: Electronic: Electronic: Electronic:

Norestrictions. Workingcopiesofdocumentscanresideonanindividual’sworkstationoramobiledevice(e.g.alaptopcomputer).Deviceencryptionissuggested.

Workingcopiesofdocumentscanresideonanindividual’sworkstationoramobiledevice(e.g.alaptopcomputer).Thedeviceshouldbeencryptedusingwhole-diskencryption.FinalorapprovedcopiesofdocumentsmustbestoredwithinaDocumentManagementSystemorasharedstorageareawithappropriatepermissionsaddedtopreventunauthorisedaccess.

Canbestoredinanypubliccloud,includingpersonalandcorporateaccounts(forexample,DropBox,GoogleDriveorOneDrive).

Cannotbestoredinanypersonalpubliccloudaccount.

CanbestoredintheUniversity’spubliccloud(i.e.PlymouthUniversityOffice365environment),includingOneDriveforBusiness.Canbesharedwithpartnerswithouttherequirementforanondisclosureagreement.

CanbestoredintheUniversity’spubliccloud(i.e.PlymouthUniversityOffice365environment),withrestrictionsonwhocanaccessthematerials.Cannotbesharedpublically.CanbesharedwithpartnerswithaNonDisclosureAgreementbeinginplacebetweenthetwoparties.SharingpermissionsmustbecontrolledbytheInformationAssetOwner.

CanbestoredintheUniversity’spubliccloud(i.e.PlymouthUniversityOffice365environment);wherenotcontraveninganylicenseorcontractualarrangements,withrestrictionsonwhocanaccessthematerials.Cannotbesharedpublically.CanbesharedwithstrategicpartnersbutaNonDisclosureAgreementmustbeinplacebetweenalloftherelevantparties.SharingpermissionsmustbecontrolledbytheInformationAssetOwner.

Paper/hardcopy: Paper/hardcopy: Paper/hardcopy: Paper/hardcopy:

Norestrictions. Norestrictions. Donotleaveunattendedwhereothersmayseeit;storeinasecurelocation

Donotleaveunattendedwhereothersmayseeit;storeinasecurelocation

of14


Transmissionand

collaboration

Norestrictions. DocumentorFileencryptionsuggested.Anydistributeddocuments(electronicorpaper)shouldinclude‘STANDARD’inthedocumentheader,alignedtotherightofthepage.Hardprintedcopycanbetransmittedthroughthenormalmailchannels.

DocumentorFileencryptionrequiredforelectronictransmission(forexample,viaemailorsecurefiletransferprotocols).Anydistributeddocuments(electronicorpaper)mustbewatermarkedas‘CONFIDENTIAL’andtheintendedrecipientsclearlyindicated;ifwatermarkingisnotpossible‘CONFIDENTIAL’mustbeincludedinthedocumentheader,alignedtotherightofthepage.Printedcopiestobedeliveredinsealedenvelopesmarked‘Personal’or’Confidential’.

DocumentorFileencryptionrequiredforelectronictransmission(forexample,viaemailorsecurefiletransferprotocols).Anydistributeddocuments(electronicorpaper)mustbewatermarkedas‘RESTRICTED’andtheintendedrecipientsclearlyindicated;ifwatermarkingisnotpossible‘RESTRICTED’mustbeincludedinthedocumentheader,alignedtotherightofthepage.Printedcopiestobedeliveredinsealedenvelopesmarked‘Personal’or‘Restricted’.

Forcollaborationwithexternalpartiesanon-disclosureagreement(NDA)isrequired.ASecurityRiskAssessment5shouldbeperformedandapprovedpriortofirstuse,orafteranysignificantchangetotheexistingservice.

Retention Allinformationmustberetainedforthelegallyorcontractuallyrequiredminimumandmaximumperiodsoftime6.Thiswillvarydependingonthetypeofinformationunderconsideration.Itisveryimportantthatifyouunsureoftheretentionperiod,pleaserefertotheUniversity’sRecordsRetentionSchedule.

5PleaserefertoSection6-SecurityRiskAssessment,ExemptionprocessandAuthorisation6DataProtectionAct–Principe5–RetainingPersonalDataandPrinciple4–DataAccuracymayapplydirectlyhere

of14


Disposal Electronic Electronic Electronic Electronic

NospecialrequirementsotherthancompliancewithRetentionSchedule(seeabove).

NospecialrequirementsotherthancompliancewithRetentionSchedule(seeabove).

MustcomplywithRetentionSchedule(seeabove).Ondecommissioningofequipmentusedtostoretheinformation,thestoragemustbesecurelywipedtoCESGEnhancedstandard7,orphysicallydestroyed.Anaccompanyingcertificateofdestructionisrequiredtobeobtainbythepersonfacilitatingthedestruction;thecertificatemustbestoredsecurelybytheEnterpriseSecurityArchitect.

MustcomplywithRetentionSchedule(seeabove).Ondecommissioningofequipmentusedtostoretheinformation,thestoragemustbesecurelywipedtoCESGEnhancedstandard7,orphysicallydestroyed.Anaccompanyingcertificateofdestructionisrequiredtobeobtainbythepersonfacilitatingthedestruction;thecertificatemustbestoredsecurelybytheEnterpriseSecurityArchitect.

Paper/hardcopy Paper/hardcopy Paper/hardcopy Paper/hardcopy

Printedcopiescanberecycledinthegreenbagsprovidedaroundthecampus.

Printedcopiescanberecycledinthegreenbagsprovidedaroundthecampus.

Printedcopiesshouldbecross-cutshredtoDIN663998P-3standardanddisposedofinconfidentialwaste(blue)bags.

Printedcopiesmustbecross-cutshredtoDIN663998P-4orP-5standardandthendisposedofinconfidentialwaste(blue)bags.

Training Generaldataprotectionandinformationsecurityawarenesstrainingmandatory.

Refreshertrainingcarriedoutyearly.

Applicablepolicyandregulationtrainingrequired.

Applicablepolicyandregulationtrainingrequired.

Userdevices Passwordprotectionsuggested;lockedwhennotinuse.

Passwordprotectionrequired,lockedwhennotinuse.Encryptionsuggested.

Passwordprotectionrequired,lockedwhennotinuse.Encryptionrequired.

Passwordprotectedrequired,lockedwhennotinuseEncryptionrequired.

7CESGEnhancedstandard-UKCommunicationsElectronicsSecurityGroup(CESG)Enhancedstandards8DIN66399istheEuropeanSecurityStandardfortheShreddingorDestructionofalltypesofDataMedia,asofSeptember2012

of14

4.2 Table3outlinestechnicalrequirementsassociatedwiththeinformationclassificationlevels.

Table 3. Information classification levels – technical requirements


Storage(technical)9

Storageonasecureserverrecommended.StorageinasecureDataCentrerecommended.Encryptionnotrequired.

Storageonasecureserverrequired.StorageinasecureDataCentrerequired.Encryptionoptional.

Storageonasecureserverrequired.StorageinsecureDataCentrerequired.Encryptionrequired.

Storageonasecureserverrequired.StorageinsecureDataCentrerequired.Encryptionrequired.

Backupanddisasterrecovery

Backupssuggestedwhereappropriate.

Backupsrequiredwhereappropriate. Encryptedbackupsrequiredwhereappropriate,withPUholdingtheencryptionkeys.Off-sitestorageinasecure10locationrequired.

Encryptedbackupsrequired,withPUholdingtheencryptionkeys.Off-sitestorageinasecure10locationrequired.

Backupfrequencycommensuratewithrequirementstorestoreserviceinservicelevelagreement.

Networksecurity

Mayresideonanopenpublicnetwork. Shouldnotresideonanopenpublicnetwork.

Mustnotresideonanopenpublicnetwork.

Mustnotresideonanopenpublicnetwork.

Protectionwithanetworkfirewallrequired,withtherulesetreviewedatleastquarterly,orafteranysignificantbusinesschangeorincident.

Additionalnetworksecuritymeasures(forexampleintrusionpreventionorintrusiondetection)availablebasedonsystemorservicerequirements.

Systemsecurity Mustfollowgeneralbestpracticesforsystemmanagementandsecurity.Host-basedsoftwarefirewallsuggested.

MustfollowUniversity-specificandOS-specificbestpracticesforsystemmanagementandsecurity.Additionalsystemsecuritymeasures(forexamplesoftwarefirewall,fileintegritymonitoring)availablebasedonsystemorservicerequirements.

Virtualenvironments

Maybehostedinavirtualserverenvironment.Allothersecuritycontrolsapplytoboththehostandtheguestvirtualmachines.

Datashouldbelogicallyseparated(ataminimum)fromotherclassificationsofinformation.

Datamustbelogicallyseparated(ataminimum)fromotherclassificationsofinformation.

9SeealsoEA-POL-014–EnterpriseArchitecturePolicy–Hosting10Pleaserefertosection5-Locationrestrictionsforstorageandtransmission.

of14


Remoteaccess Norestrictions. AccessrestrictedtolocalnetworkorPlymouthUniversity’swirelessserviceforonpremiseresources.

AccessrestrictedtolocalnetworkorPlymouthUniversity’swirelessserviceusingasecureVPNserviceforonpremiseresources.

AccessrestrictedtolocalnetworkorPlymouthUniversity’swirelessserviceusingasecureVPNserviceforonpremiseresources.Two-factorauthenticationrecommended.

AccesstocloudresourcesrestrictedtoauthorisedpartiesusingsecureprotocolsovertheInternet.Remoteaccessfor3rdpartiesrestrictedtotemporaryauthenticatedviasecureprotocolsovertheInternet.

Unsupervised3rdpartyremoteaccessisnotallowed.RemoteaccessforUniversitypersonnelmaybelimitedbasedonanycontractualobligationssurroundingresearchdata.

Auditing Notrequired. Logins,successfulandfailedattempts. Logins,successfulandfailedattempts,access,modificationsandpermissionchanges.

Logins,successfulandfailedattempts,access,modificationsandpermissionchanges.

of14

5. Locationrestrictionsforstorageandtransmission

5.1 Inlinewithdataprotectionlegislation,personalinformationshouldnotbetransferredtocountriesorterritoriesoutsidetheEuropeanEconomicArea(EEA).TheICOprovidesadvicetohelporganisationsdecidewhethertheirstoragesolutionsmeetdataprotectionrequirements11.

5.2 Table4showshowclassificationlevelsaffectthechoiceofstoragelocation.

Table 4. Storage options

Public(L4) Standard(L3) Confidential(L2) Restricted(L1)

On-site

Off-site(UKonly) Off-site

(EEAonly) 12Off-site

(Non-EEA) 12 12

Key: Suitable Additionalchecksrequired Networkpasswordprotected Encrypted12

6. SecurityRiskAssessment,ExemptionprocessandAuthorisation

6.1 Whereprojects,elementsofserviceorresearchrequirementsarenotabletoaccommodatethedataclassificationlevelsstatedpreviously,asecurityriskassessmentmustbeperformedbytheEnterpriseSecurityArchitectordelegate.

6.2 Theriskassessmentrankingsareprovidedbelow:

RiskRating Low Medium High

SignOff EnterpriseSecurityArchitect

Strategy&ArchitectureManager

ITDirectororChiefInformationOfficer

6.3 ThesecurityriskassessmentwillfeedintotheEnterpriseArchitectureWaiverProcess,highlightinghowanyidentifiedrisksaretobeaccepted,reducedortransferred,butnotavoidedforadesignatedperiodoftime.

7. Relateddocumentsandfurtherinformation• InformationGovernanceRoles&Responsibilities• EIM-POL-002-DataQualityPolicy

11http://ico.org.uk/for_organisations/data_protection/the_guide/principle_812MeetsPUencryptionkeymanagementrequirements

of14

• EIM-POL-003-RecordRetentionPolicy[underdevelopment]• EA-POL-014–EnterpriseArchitecturePolicy–Hosting• EA-POL-015–EnterpriseArchitecturePolicy–Encryption• PlymouthUniversity–InformationGovernance:www.plymouth.ac.uk/your-

university/governance/information-governance

EIM-POL-001 - Information Security Classification Policy v1.1 · 2016-01-26 · EIM-POL-001 -...

Documents

Transcript of EIM-POL-001 - Information Security Classification Policy v1.1 · 2016-01-26 · EIM-POL-001 -...