S 2.217 Careful classification and handling of information, applications and systems
Initiation responsibility: IT Security Officer, Head of IT, Top Management
Implementation responsibility: Head of IT, IT Security Officer
As a general rule, employees should handle all information with care. In many areas, however, there will also be data that requires a higher level of protection or is subject to special restrictions, for example personal, financial, confidential or copyright-protected data. Which restrictions apply to the handling of such data depends on the category it has been assigned to. For this reason, it is important to inform all employees of the restrictions that apply to each category (see also S 3.2 Commitment of staff members to compliance with relevant laws, regulations, and provisions).
The protection requirements of data naturally carry over to every medium on which the data is stored or processed and to every channel over which it is transmitted. Data with special protection requirements can occur in a wide variety of areas, for example in faxes or e-mails. There should therefore be rules for all such areas specifying, for example, who is allowed to read, edit or transmit the data (see S 2.42 Determination of potential communications partners, for example). This also includes regular checks of the data for correctness and completeness (see also S 4.64 Verification of data before transmission / elimination of residual information).
Much information and many applications are copyrighted or subject to distribution restrictions ("for internal use only"). All employees must be informed that they are not allowed to copy any documents, files or software without first considering possible copyrights or licence agreements.
Special attention must be paid to all information that is essential for the organisation's ability to perform its tasks. This includes all business-critical data, for example any data whose loss would leave the organisation unable to operate, would adversely affect business relationships with partner companies, or would give third parties (e.g. competing companies) who obtain it a financial advantage. Every government agency and every company should maintain an overview of all data categorised as business-critical. In addition to the general duty of care, special rules and regulations may apply to the storage, processing, disclosure and destruction of this data. Business-critical information must be protected against loss, manipulation and falsification. Data that has been placed in long-term storage or archived must be checked regularly to ensure that it can still be read and that the storage media and file formats remain usable. Information that is no longer needed must be deleted reliably (see also S 1.15 Deleting and destroying data).
Review questions:
- Are the employees regularly informed of the need to handle information with care?
- Has all information been categorised according to its protection requirements?