Information Classification and Handling Policy for University of Hertfordshire

Imagine that you are employed by the University of Hertfordshire. Your task is to research and draft an Information Classification and Handling Policy along the lines of the IS027000 family for the university. In particular you may wish to refer to 'ISO 27001 A.8.2 Information Classification' to ensure that information receives an appropriate level of protection in accordance with its importance to the organisation.

You are advised to include an appropriate classification scheme and a clear set of policy statements with controls and examples of how the information should be handled.

You should also research the General Data Protection Regulation (GDPR) and any other relevant legislation and incorporate this into your policy.

You should take into consideration any confidentiality, integrity, and availability (CIA) issues of the information assets for the university and assess all relevant risks. Any work as part of your research on security policies, consideration of issues and risk assessment Must be provided as an appendix.

(Hint: do the research and risk assessment first as this will inform your policy)

Please note that you will Not be producing a typical academic report, but a policy document.

As a general guideline your policy should not be more than three (3) pages long and approximately 1500 words excluding references and appendices. You will need to be concise and precise.

You are expected to use appropriate peer reviewed sources for developing your arguments and use Harvard style referencing.

This is an individual assessment and it is essential that you develop your own policy based on your consideration and analysis of the issues that lead to the statements in your policy. Supporting information should be included in the appendix.

You are strongly encouraged to make use of Turnitin prior to submitting your policy and avoid the direct use of publicly available policies.

• Cover Page

o Module code

o Module title

o ID number (the submission MUST be anonymous)

o Month and year, e.g. December 2020

• Policy

• References

• Appendices

• The same font should be used throughout. We would prefer you to use 12-point Times, though any reasonable alternative (such as Arial) will be accepted.

• Lines should be single-spaced, with between 1/2 a line and a whole line of extra space after each paragraph.

• Margins: at least 20mm left and right; 25mm top and bottom.

You are required to submit the final report as one document via StudyNet in a .doc or .docx format using your student number as the filename.

This Assignment assesses the following module Learning Outcomes (from Definitive Module Document):

1. A systematic application of the tools, methods and procedures (theoretical and methodological) used within the cyber security arena under the context of a risk and threat assessment.

2. Critically demonstrate self-direction and creativity in managing the security of an information environment at the strategic, tactical and operational levels, effectively developing information security policies.

3. Use initiative to autonomously conduct and manage a risk assessment of a complex and unpredictable environment;

4. Demonstrating a systematic approach of creatively applying security standards to unfamiliar contexts for solving problems.