Safeguarding RoS Information

Published: 03 July 2017
Freedom of information class: How we manage our resources

Read our guide on safeguarding RoS information

Introduction

All RoS staff have a duty of care to apply appropriate protection to information processed and held in RoS, so as to avoid unauthorised access and loss.

It is important that you know how to apply our security rules, so please familiarise yourself with this guide.

The procedures in this guide will enable you to undertake your responsibility for keeping RoS information and assets safe. This guide provides practical instructions about handling information and summarises the standards in operation in RoS.

Refer to this guide regularly to help you:

  • Understand your security responsibilities.
  • Decide the right level of protection for information.
  • Choose a safe method to transfer information.
  • Select a safe method to dispose of information.
  • Report incidents.

Information security is not the responsibility of someone else – everyone working in RoS has a part to play.

Ensure your office security pass is worn and visible when in RoS premises

RoS information security golden rules

In the office

  • Follow the RoS clear desk and screen policy.
  • Lock your computer screen when leaving your desk.
  • Choose your password carefully and never disclose it to others.
  • Always wear your office security pass when in RoS premises.
  • Avoid leaving portable equipment (such as laptops, mobile phones) unattended unless physically secured.
  • Take the appropriate level of care with the information as specified by its sensitivity and value.
  • Take appropriate care of deeds and other documents belonging to other parties submitted to RoS; treat them in confidence and do not copy or disclose them without the prior written approval of RoS.
  • Take care not to open email attachments and embedded links in emails from unknown, suspicious, or untrustworthy sources.

At the end of the day

  • Comply with the RoS log out and power off procedures of your equipment.
  • Clear your desk in line with the RoS clear desk and screen policy.
  • Check the desks of nearby colleagues who have left for the day or have not been in the office, to ensure that no sensitive material is lying unsecured on their work desks.

Out of the office

  • Never take sensitive or valuable information out of the office without permission.
  • Keep your laptop, tablet, Blackberry, mobile phone and any RoS documentation secure at all times.
  • Remove your office security pass and keep it safe when you leave the office.
  • Do not discuss sensitive material in public places if you could be overheard.
  • Do not work on sensitive material in public places if your work could be overseen.

RoS information

What we mean by information

By ‘information’, we mean knowledge of specific events or situations that has been gathered or received by communication; intelligence or news. Information in RoS care includes deeds and other documents belonging to other parties which are submitted to RoS. Information might be held or moved in a number of different ways, such as:

  • on paper
  • on a CD or DVD or USB flash drive
  • on a RoS computer system, hard disk, back-up tape
  • by e-mail
  • by fax
  • by spoken word, in person, over the telephone or by video conference

What we mean by sensitive information

By ‘sensitive information’, we mean information to which access must only be granted on the basis of a genuine ‘need to know’. Information such as:

  • Sensitive personal data as defined by the Data Protection Act (see Annex A)
  • Senior management papers
  • Commercial tenders / contractual negotiations
  • Security documentation (firewall configurations etc.)

Under the new Government Security Classification System, which came into force on 2 April 2014, the majority of this sensitive information will no longer display a classification marking. This does not mean it should be treated with any less care than before.

Information asset owners

Each RoS business directorate has an Information Asset Owner (IAO), whose role is to understand what information is held in their business areas, what is added and what is removed, how information is moved, and who has access and why.

The IAOs act as agents of the Senior Information Risk Owner (SIRO) on information security matters.

Each IAO maintains an Information Asset Register which details all the types of material their directorate handles and the sensitivity level of the material.

The IAOs are supported by Area Information Managers (AIMs).

Area information managers

AIMs provide day-to-day information management support locally to staff in their business areas. An up-to-date list of AIMs is maintained on the RoS Intranet.

Don’t open email attachments or embedded links unless you know who they are from and you trust them.

Your responsibility for looking after information

Although RoS has many technical and procedural solutions in place to minimise the occurrences of information security incidents, the security of information depends primarily upon staff, since it is staff who use and maintain RoS information. It is therefore important that all staff understand they have a part to play in ensuring that information handled and processed by RoS is kept safe and secure.

Everyone in RoS has to comply with the relevant legislation, regulation and internal procedures, rules and instructions which protect information held by RoS, including the:

  • RoS Information Policy
  • Civil Service Code and Management Code
  • RoS ICT Code of Conduct
  • Freedom of Information (Scotland) Act 2002
  • Official Secrets Act 1989
  • Government Security Classification System
  • Data Protection Act 1998
  • Public Records (Scotland) Act 2011

Take appropriate care of deeds and other documents belonging to other parties submitted to RoS; treat them in confidence and do not copy or disclose them without the prior written approval of RoS.

Handling and classifying information

Government security classification system

RoS uses the UK Government’s Security Classification System which consists of three classifications.

  • official
  • secret
  • top secret

The system establishes a consistent approach across Government for handling and protecting information.

Classification of material processed in RoS

RoS currently operates exclusively at the official level. Some staff may occasionally handle and process information with the official-sensitive caveat, but this will be a rare occurrence.

In the highly unlikely event that you come across information with a Government classification of secret or top secret then the Security and Information Assurance (SIA) team should be immediately advised.

Non Government material

Where private sector material is received into RoS with no classification marking it will be handled and protected in line with official level.

Where private sector material is received into RoS with classification markings such as ‘Commercial In Confidence’ and ‘Private in Confidence’, this material should be protected and handled, as a minimum, to the same level as we protect our own sensitive material.

Handling sensitive information

Prior to the new Government Security Classification system coming into force, RoS marked sensitive information with the protect classification marking. The vast majority of this sensitive information does not meet the criteria for official-sensitive as defined by the Government Security Classification system and is now classified as official. As there is no requirement to apply a marking for official, then staff need to be vigilant in recognising our sensitive assets and ensuring that they are protected and handled in line with the guidance contained herein and Data Protection principles.

The official-sensitive handling caveat should only be used by exception in limited circumstances where there is a clear and justifiable requirement to reinforce the ‘need to know’ as compromise or loss could have damaging consequences for an individual (or group of individuals), an organisation or for HMG more generally.

The caveat should be conspicuously marked as detailed in Annex B. A descriptor can be applied with official-sensitive as detailed in Annex B.

Disclosure

Every effort should be made to consult the originating organisation / third party before a sensitive asset is considered for disclosure, including release under Freedom of Information.

Filing and storage of sensitive information

Paper documentation should be locked within secure storage when not in use or unattended. Electronic information should be stored in ‘Approved’ folders with a ‘need to know’ (e.g. limited access).

Note: When material is added to a file/folder, either paper or electronic, that file/folder must immediately attract the same marking of the highest classified document/data within that file – for example if an official-sensitive letter is added to a file including routine official information the cover must be marked as official-sensitive.

Report immediately to your manager any loss of information or suspected loss of information.

Carriage of sensitive assets outside RoS

Sensitive assets are at risk during transit from accidental or deliberate compromise. To protect such assets when in transit the means of carriage must be reliable, the packaging robust, and the attractiveness, identity and source of the assets concealed under plain cover.

Destruction of information

Dispose of RoS hard copy information in the waste bins designated for secure paper waste. Where the hard copy information is of a sensitive nature, dispose of it in person using a RoS shredder.

Portable media such as CDs, DVDs, USB flash drives etc. should be passed for secure destruction to the IT Service Desk.

When should a privacy impact assessment be completed?

A Privacy Impact Assessment is a process which helps assess privacy risks to individuals in the collection, use and disclosure of information. A template for conducting Privacy Impact Assessments is available on the RoS intranet.

A Privacy Impact Assessment must be conducted before personal information relating to identifiable individuals is shared with non RoS parties.

Handling instructions

If the information is sensitive and / or valuable and you intend to share it with others, ask yourself whether the people you are sharing it with will recognise and understand the RoS handling, protection and disposal arrangements for this type of information. If not, you should include appropriate handling instructions. For example:
“Note this document contains sensitive material and must not be copied or shared with others without the explicit consent of the author. As soon as the document is no longer required it should be destroyed using a secure method.”

Sensitive hard copy documentation should be locked within secure storage when not in use or unattended.

Aggregation and Accumulation

Where a significant quantity of information is to be moved together (over 1000 records), on a CD, DVD, USB flash drive, in a container etc., the protective measures used to cover the collection as a whole may need to be higher than for any of the individual items. This reflects the impact should the whole collection be lost or otherwise be compromised.

Decisions about the appropriate protective measures for bulk transfers of information should be taken by IAOs.

Before bulk data transfer is established with another organisation / third party the following must be considered.

  • That there is a valid business requirement to perform bulk data transfers.
  • That RoS understands the nature of bulk data transfers and can ensure that all transfers are legal, appropriate and acceptable.
  • That the recipient, where appropriate, is contractually aware of the use that they can make of the data RoS provides to them.
  • That the minimum amount of data is transferred to meet the business requirement and not the entire data set simply because this is the easiest or cheapest option.
  • Any bulk transfer process should be recorded in a local transfer log, an appropriate risk assessment carried out and an Incident Management plan completed to be activated in the event of a process failure resulting in the loss of confidentiality, integrity or availability of the data in transit.

Ensure access to sensitive material is granted on a genuine ‘need to know’ basis.

Decision tree for sending / sharing information

1. Do you know what we mean by information?
   NO → See ‘What we mean by information’ above.
   YES → continue.

2. Does the information need to be sent at all?
   NO → Don’t send it.
   YES → continue.

3. Are you sure you have the authority, including the legal power, to release the information to the intended recipient?
   NO → Don’t release it. If unsure, refer to your manager or Area Information Manager.
   YES → continue.

4. Are you certain you are only sending what you absolutely need to send and no more?
   NO → Think again about what you are trying to send.
   YES → continue.

5. Is the information sensitive?
   NO → No special handling necessary; it can be sent by any reliable means.
   YES → continue.

6. Do you understand what options you have for sending sensitive information?
   NO → Read the following pages appropriate to the sensitivity level of your information.
   YES → continue.

7. Is there anything you remain unsure about?
   YES → Refer to your manager or Area Information Manager.
   NO → You can now send the information, but you must follow the transfer instructions on the following pages applicable to the level of sensitivity of your information.

Transferring routine official information

(Official information which is not of a sensitive nature)

Internal carriage within RoS

  • Can be delivered to unattended persons’ desks, mail room pigeon holes or left in correspondence ‘in trays’.
  • Bulk material over 1000 records should be hand delivered and not left unattended on persons’ desks, mail room pigeon holes or in correspondence ‘in trays’.
  • Bulk material should be placed inside RoS secure container bags, where feasible, when transmitted between RoS premises.

Postal service (external transfer)

  • A return address should be applied to the cover to ensure that information is returned back to RoS in the event of non delivery.
  • Any reputable postal service can be used. There is no requirement to use a registered or a track and trace service.
  • Where a single delivery, to a UK or overseas address, contains over 1000 records, a registered Royal Mail service or a reputable commercial courier’s track and trace service should be considered. In addition, if the material is in electronic format (DVD, CD, USB flash drive etc.), encryption should be considered.

Email within RoS (internal email)

  • No specific handling or protective measures required.

Email to non RoS email addresses (external email)

  • No specific handling or protective measures required.
  • Management approval must be obtained for email transmissions containing bulk information.

Telephony / Facsimile - Internal and External

  • No specific handling or protective measures required.

Do not provide non RoS parties with bulk information unless you have the authority of your Information Asset Owner.

Transferring sensitive information

(Sensitive information that falls under the OFFICIAL category but is not marked with the OFFICIAL-SENSITIVE classification marking)

Handling instructions

  • If recipient is unaware of RoS protective handling and disposal arrangements for this type of material then handling and disposal guidance should be included.

Internal carriage within RoS

  • The material must be hand delivered and not left unattended on persons’ desks, mail room pigeon holes or in correspondence ‘in trays’.
  • The information should be placed inside RoS secure container bags when transmitted between RoS premises.

Postal service to UK or Overseas Address

  • A return address should be applied to the cover to ensure that information is returned back to RoS in the event of non delivery.
  • Consider using registered Royal Mail service or reputable commercial courier’s track and trace service.
  • Where a single delivery contains over 1000 records, management approval must be obtained. A registered Royal Mail service or a reputable commercial courier’s track and trace service must be used. In addition, if the material is in electronic format (DVD, USB flash drive etc.), encryption should be used.

Email within RoS (internal email)

  • Only send to recipients on a “need to know” basis.

Email to non RoS email addresses (external email)

  • Consider using a secure mechanism (such as email encryption). The SIA team can offer advice on this.
  • Where a recipient has a PSN or GSI email address, RoS has the facility to email this material over the Government secure private network. The SIA team can advise on this.
  • Where a single delivery contains over 1000 records, management approval must be obtained. Encrypted email or transfer over the Government secure private network must be used.

Telephony / Facsimile - Internal and External

  • Phone the recipient to advise that a fax is being sent and confirm that a trusted person is waiting at the fax machine the document is being sent to.
  • Detail of sensitive material should be kept to a minimum when leaving messages on answer phone or voice mail systems, as the recipient may not have set up their system securely and messages could be accessed by others.

Ensure that sensitive material is securely destroyed.

Transferring information marked official-sensitive

Handling instructions

  • If recipient is unaware of RoS protective handling and disposal arrangements for this type of material then handling and disposal guidance should be included.

Internal carriage within RoS

  • A classification must be clearly applied to the closed container / envelope.
  • The material must be hand delivered and not left unattended on persons’ desks, mail room pigeon holes or in correspondence ‘in trays’.
  • The information should be placed inside RoS secure container bags when transferred between RoS premises.

Postal service to UK or Overseas Address

  • Single closed cover / envelope with no classification marking applied to the outside cover. Consider using double envelopes, with the classification applied to the inner envelope, if you think it may be opened by a central mail room.
  • A return address should be applied to the cover to ensure that information is returned back to RoS in the event of non delivery.
  • Must use registered Royal Mail service or reputable commercial courier’s track and trace service.
  • Where a single delivery contains over 1000 records, IAO approval must be obtained. A registered Royal Mail service or a reputable commercial courier’s track and trace service must be used. In addition, if the material is in electronic format (DVD, USB flash drive etc.), encryption must be used.

Email within RoS (internal email)

  • Reference to the classification must be included in the subject line and at the start of the text of the email communication. A descriptor may also be included.
  • Only send to recipients on a “need to know” basis.

Email to non RoS email addresses (external email)

  • Reference to the classification must be included in the subject line and at the start of the text of the email communication. A descriptor may also be included.
  • A secure mechanism such as email encryption must be used. Where a recipient has a PSN or GSI email address consider emailing over the Government secure private network, the SIA team can advise on these.
  • Where a single delivery contains over 1000 records, IAO approval must be obtained. Encrypted email or transfer over the Government secure private network must be used.

Telephony / Facsimile - Internal and External

  • Reference to the classification must be clearly and conspicuously applied.
  • Phone the recipient to advise that a fax is being sent and confirm that a trusted person is waiting at the fax machine for delivery.
  • Detail of sensitive material should be kept to a minimum when leaving messages on answer phone or voice mail systems, as the recipient may not have set up their system securely and messages could be accessed by others.

Do not leave sensitive material unattended unless secured.

What to do if you lose equipment or information

Laptop, tablet or Blackberry phone is stolen or lost

In office

  • Report the loss / theft immediately to the IT Service Desk.
  • Report the loss to your manager.

Out of office

  • Report the loss / theft to the Police as quickly as possible.
  • Report the loss / theft to your manager.
  • Report the loss to the IT Service Desk as soon as the service desk is available.

CDs, DVDs or USB flash drives are stolen or lost

Report the loss / theft of storage media immediately to your manager and the SIA team.

Reporting information security incidents

All information security incidents should be immediately reported to the SIA team in line with the Information Security Incident Notification Procedures.

Ask yourself whether the recipient will know how to protect the information and securely dispose of it in line with its sensitivity and value. If not, you should include handling instructions.

Where to get more help

Your manager or AIM should be your first point of contact to provide you with help and advice on information security matters.

For further help or advice on:

  • Information losses or compromise
  • Classification Marking
  • Information threats and risk assessments
  • Disclosure of information
  • Sharing information with non RoS parties
  • Secure transmission of information
  • Secure destruction of information
  • Information security incident reporting
  • Encryption of information
  • Electronic access control to information

Contact the SIA team by email – it.security@ros.gov.uk

The following related documentation provides specific guidance on how the Government Security Classification System applies to RoS

Ensure that a Privacy Impact Assessment has been conducted before you share personal information, relating to individuals, with non RoS parties

Annex A – Sensitive personal data as defined by DPA

Sensitive personal data as defined by the Data Protection Act means personal data consisting of information as to:
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

You are personally responsible for protecting the information and other assets in your care, including deeds and other documents belonging to other parties submitted to RoS, and for ensuring that you follow the guidance in this booklet.

Annex B - Applying a security classification

Security classifications should be applied in the following manner for official-sensitive information.

To a document:

The security classification should be clearly given at the top and bottom of every page. It should be positioned in the centre of the page and should be in bold capitals so that it is conspicuous.

When producing a security classified document, page numbers should be appended in the following format “page n of n” (e.g. page 3 of 7).

To an email:

In an email the security classification should be added in bold by the sender to the start of the email subject header line and also the top of the body of the email message. This will ensure that all recipients, regardless of what email application they use, will see the sensitivity setting.

To a hard copy folder:

Each hard copy folder must show the correct security classification for the highest grade of security classified material contained within it.

Security classifications for file covers are to be written in CAPITALS on the centre of the file cover, top and bottom, front and back. The security classification should be in a contrasting colour to that of the file cover.

Descriptors

A descriptor can be applied with official-sensitive to identify certain categories of sensitive information and indicate the need for common sense precautions to limit access. It should be used in the format: official-sensitive [descriptor]

The Cabinet Office maintains the following list of core descriptors to ensure a consistent approach is adopted across all departments:

Commercial: Commercial or market-sensitive information, including that subject to statutory or regulatory obligations, that may be damaging to Government or to a commercial partner if improperly accessed.

Locsen: Sensitive information that locally engaged staff overseas cannot access.

Personal: Particularly sensitive information relating to an identifiable individual, where inappropriate access could have damaging consequences.

For example, where relating to investigations, vulnerable individuals, or the personal / medical records of people in sensitive posts (e.g. military personnel).
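An added example (not RoS’s own tooling) of how the Annex B marking rules and the email transfer rules for sensitive and official-sensitive material could be checked automatically before an outbound message leaves. It parses the official-sensitive marking and descriptor from the subject line and the start of the body, then derives the required controls (encryption or the Government secure network for external recipients, management or IAO approval for transfers of over 1000 records) from the message’s sensitivity, recipients and record count. The message fields, the internal domain list, the PSN/GSI domain suffixes and the sample addresses are assumptions made for this example.

```python
import re
from dataclasses import dataclass

MARKING = "OFFICIAL-SENSITIVE"
CORE_DESCRIPTORS = {"COMMERCIAL", "LOCSEN", "PERSONAL"}   # Annex B core descriptors
BULK_THRESHOLD = 1000                                     # "over 1000 records"
# Annex B: the marking sits at the very start of the subject line and of the body,
# optionally followed by a descriptor in the form "official-sensitive [descriptor]".
MARKING_RE = re.compile(r"^\s*OFFICIAL-SENSITIVE(?:\s*\[([A-Za-z]+)\])?", re.I)


@dataclass
class OutboundEmail:                # constructed message shape for this example
    subject: str
    body: str
    recipients: list
    sensitive: bool = False         # unmarked but sensitive, per the sender's judgement
    record_count: int = 0
    encrypted: bool = False
    approved_by: str = ""           # "", "manager" or "iao"


def parse_marking(text):
    """Return (marked, descriptor) for the start of a subject line or body."""
    m = MARKING_RE.match(text)
    if not m:
        return False, None
    return True, (m.group(1).upper() if m.group(1) else None)


def classify(msg):
    """official-sensitive if marked anywhere it should be, else sensitive/routine."""
    if parse_marking(msg.subject)[0] or parse_marking(msg.body)[0]:
        return "official-sensitive"
    return "sensitive" if msg.sensitive else "routine"


def check_outbound(msg, internal_domains, psn_gsi_suffixes):
    """Return a list of (severity, finding) against the RoS transfer rules."""
    findings = []
    level = classify(msg)
    domains = [r.split("@")[-1].lower() for r in msg.recipients]
    external = any(d not in internal_domains for d in domains)
    all_psn = all(d.endswith(tuple(psn_gsi_suffixes)) for d in domains)
    bulk = msg.record_count > BULK_THRESHOLD

    if level == "official-sensitive":
        marked_subj, d_subj = parse_marking(msg.subject)
        marked_body, d_body = parse_marking(msg.body)
        if not (marked_subj and marked_body):   # Annex B: subject line AND start of body
            findings.append(("must", "marking required in subject line and at start of body"))
        for d in (d_subj, d_body):
            if d and d not in CORE_DESCRIPTORS:
                findings.append(("check", f"descriptor '{d}' is not a Cabinet Office core descriptor"))
    if not external:
        return findings   # internal email: need-to-know only, not machine-checkable here

    secured = msg.encrypted or all_psn
    if not secured:
        if level == "official-sensitive" or (bulk and level == "sensitive"):
            findings.append(("must", "must be encrypted or sent over the Government secure network (PSN/GSI)"))
        elif level == "sensitive":
            findings.append(("consider", "consider email encryption or PSN/GSI for sensitive material"))
    if bulk:
        need = "iao" if level == "official-sensitive" else "manager"
        ok = msg.approved_by == "iao" or (need == "manager" and msg.approved_by == "manager")
        if not ok:
            findings.append(("must", f"bulk transfer (over {BULK_THRESHOLD} records) needs {need} approval"))
    return findings
```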

Always lock your computer screen when away from your desk.