IT Baseline Protection Manual S 2.217 Careful classification and handling of information, applications and systems

S 2.217 Careful classification and handling of information, applications and systems

Initiation responsibility: Agency/company management, Head of IT Section, IT Security Management

Implementation responsibility: Head of IT Section, IT Security Management

It goes without saying that, as a matter of principle, staff should handle all information carefully. In many areas, however, there will also be data with a higher protection requirement or subject to special restrictions, e.g. personnel-related, financial, confidential or copyright-protected data. Different handling restrictions apply to data in these categories, depending on the nature of the data concerned. It is therefore important to make all staff aware of the restrictions applicable to this data (see also S 3.2 Commitment of staff members to compliance with relevant laws, regulations and provisions).

The protection requirement of data naturally extends to every medium on which it is stored or processed. Data with special protection requirements can arise in very different contexts, e.g. in faxes or e-mails. Every such area should have procedures specifying, for example, who may read, process or pass on such data (see S 2.42 Determination of potential communications partners, for example). It is also important to check the data regularly for correctness and completeness (see also S 4.64 Verification of data before transmission / elimination of residual information).

Much information, and many IT applications as well, is subject to copyright notices or to restrictions on disclosure ("For internal use only"). All staff must be advised that no documents, files or software may be copied without regard to any copyright notices or licence conditions that apply to them.

Special attention is required for all information which forms the basis for task performance. This includes all business-relevant data, for example data whose loss would render the organisation incapable of pursuing its business objectives, whose loss could damage financial relationships with partner companies, or knowledge of which could confer a financial advantage on a third party (e.g. a competitor). Every agency or company should keep a schedule of which data is business-critical (on this point see also Section 2.2 "Assessment of protection requirements"). In addition to the general duties of care, special regulations and procedures may apply to the storage, processing, disclosure and destruction of this data. Business-critical information must be protected from loss, tampering and corruption. Data stored or archived over the longer term must be tested at regular intervals to ensure that it is still readable. Information that is no longer required must be reliably destroyed (see also S 2.167 Secure deletion of data media).

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik
Last update: July 2001