P57 Information Transfer Policy

The Information Transfer Policy outlines Greenbank's procedures for securely transferring information, emphasizing compliance with the Data Protection Act and the importance of risk assessment. It details the necessary approvals and methods for transferring personal, confidential, and public information, including guidelines for electronic communication, physical delivery, and compliance monitoring. The policy is reviewed annually and aims to protect the organization from legal sanctions and maintain trust with stakeholders.

Information Transfer Policy

Document History

Author: Ian Grice
Ref and Version: Transfer Policy V3_IG230923
Reviewed by: Ian Grice
Reviewed Date: 23/09/2023
Approval: Board of Trustees
Approval Date: 02/10/2023
Next Review Date: 20/07/2024
Policy Number: P57
Publication: Intranet; Reception
Document Information: R:/Policies/Information Transfer Policy.pdf

1 Policy Statement
1.1 This control procedure defines Greenbank’s approach to information transfer, and
directly supports the following policy statement from the Information Security Policy:

Greenbank will ensure the correct and secure operations of information processing
systems.

This will include documented operating procedures; the use of formal change and
capacity management; controls against malware; defined use of logging;
vulnerability management.

2 Audience
2.1 This procedure is intended to be read and understood by all staff responsible for
ensuring the security of information and software when they are exchanged within
or outside the organisation.

3 Risk Assessment
3.1 With each information transfer there is a risk that the information may be lost,
misappropriated, or accidentally released. It is the responsibility of the sender to
assess all risks and to ensure that adequate controls, as required by this policy, are
in place before the transfer takes place.

3.2 It is incumbent on the sender to ensure that the request is from an authorised source
and they are legally entitled to have the information. If you are in doubt, then you
should check with your line manager.

3.3 Once you are sure that the transfer is legal and necessary, then you must decide
what kind of information you are dealing with. This will determine what level of
security is appropriate.

4 Types of Information
4.1 Personal information is information about a living, identifiable individual. If it
contains details of racial or ethnic origin, political opinions, religious beliefs, trade
union membership, physical or mental health, sexual life, commission of offences,
court appearances or sentences, it is further classified as sensitive personal
information.

4.2 Anything which relates to personal information must comply with the Data
Protection Act 1998. Basic requirements of the Act are listed in Appendix 1.

Before you make any information transfer you must:

• Obtain and document the approval of the Information Owner for the transfer.
• Ensure the transfer is legal.
• Ensure the transfer is necessary (is there a less intrusive way?).
• Remove or redact anything not essential for the recipient’s purpose.
• Ensure there is a documented procedure in place so that the recipient
  understands their responsibilities under the law, particularly what to do with
  the transfer file after they have extracted the information to their system.

4.3 Greenbank has a duty of confidentiality when handling confidential information. This
may include information that affects the business interests of a third party, or for
which the sender does not hold copyright, e.g. bank details, salary details, contract
details. Unauthorised release of confidential information can leave Greenbank open
to legal sanctions or litigation. It can also erode the trust of the public, partners and
stakeholders.

Before instigating a transfer of confidential information staff must:

• Obtain and document the approval of the Information Owner for the transfer.
• Ensure you are not breaching a Duty of Confidentiality.
• Ensure the transfer is necessary (is there a less intrusive way?).
• Remove or redact anything not essential for the recipient’s purpose.
• Ensure there is a documented procedure in place so that the recipient
  understands their responsibilities under the law, particularly what to do with
  the transfer file after they have extracted the information to their system.

4.4 Public information is any information that is freely available and presents minimal
risk to Greenbank in terms of content, quality or timeliness, e.g. promotional
brochures. There are no special security requirements for the transfer of public
information because its release represents no special risk. Public information will be
transferred by the most cost-effective method available.

However, before you transfer you must still seek the permission of the Department
that produced or owns the information before making any transfer, even if the
transfer seems harmless.

5 Requirements for Transferring Personal or Confidential Information
5.1 Having established what kind of information you possess, and prepared it for
transfer, the sender must determine the most appropriate method of transfer. This
section lists the main methods and sets out any restrictions and requirements for
secure transfer of personal or confidential information.

5.2 Electronic Mail

Information must be enclosed in an attachment and encrypted using a product
approved by the Information Security Team. The minimum standard for encryption is
AES (256-bit). WinZip 11.1 and above offers this.
• Passwords must comply with the organisation standard: at least 7 characters
  with a mix of alphabetic and numeric characters. Further details can be found
  in the Password Management Policy.
• Any password to open the attached file must be transferred to the recipient
  using a different method from email, e.g. by telephone to an agreed telephone
  number.
• Email messages must contain clear instructions on the recipient’s
  responsibilities and on what to do if they are not the correct recipient.
• Check with the recipient that their system will not filter out or quarantine
  the transferred file.
• The sender must check at an appropriate time that the transfer has been
  successful and report any issues to their line manager.

5.3 Electronic Data Transfer (FTP, Secure FTP, BACS)

Standard FTP without encryption is inherently insecure and should not be used for
transmitting personal or confidential information.
• SFTP file transfers are acceptable, but such transfers must be set up and
  administered by the Technical Support Team.
• External secure transmission systems such as BACS or DCSF’s COLLECT system
  are designed to be secure provided they are implemented, configured, and used
  correctly. However, it is the responsibility of the sender to ensure that the
  use of such systems is appropriate. If in doubt, advice should be sought from
  the Information Asset Manager.

5.4 Electronic Memory (CD, DVD, USB drive, Memory Card)

Information must be enclosed in a file and encrypted using a product approved by
the Information Security Team, set at an appropriate strength. The minimum strength
for encryption is AES (256-bit). WinZip 11.1 and above offers this.
• Passwords must comply with the organisation standard: at least 7 characters
  with a mix of alphabetic and numeric characters. Further details can be found
  in the Password Management Policy.
• Any password to open the encrypted file must be transferred to the recipient
  using a different method from the one used to deliver the media, e.g. by
  telephone to an agreed telephone number.
• An accompanying message should contain clear instructions regarding the
  recipient’s responsibilities, and instructions on what to do if they are not
  the correct recipient.
• Neither the accompanying message nor the filename may reveal the contents of
  the encrypted file.
• The sender must check at an appropriate time that the transfer has been
  successful and report any issues to their line manager.

5.5 Fax Transmission

Fax is inherently insecure and is not recommended for the transfer of sensitive
information. However, it is acknowledged that certain circumstances demand it.
• The sender must check that the fax number is correct and that the receiver
  is awaiting the transmission.
• For highly sensitive information the number must be double-checked by a
  colleague before transmission, and telephone contact must be maintained
  throughout the transmission.
• Both sender and receiver must have an agreed process to avoid their copy
  being left on the fax machine, and a clear requirement to securely destroy
  the message when it is no longer required.
• The message should contain clear instructions on the recipient’s
  responsibilities and on what to do if they are not the correct recipient.
• The sender must check at an appropriate time that the transfer has been
  successful and report any issues to their line manager.

5.6 Delivery by Post or by Hand

It is essential that the file, whether electronic or paper, is kept secure in
transit, tracked while in transit, and delivered to the correct individual.

• An appropriate delivery mechanism must be used.
• The package must be securely and appropriately packed, clearly labelled, and
  have a seal which must be broken to open the package.
• The package must have a return address and contact details.
• The label must not indicate the nature or value of the contents.
• The package must be received and signed for by the addressee.
• The sender must check at an appropriate time that the transfer has been
  successful and report any issues to their line manager.

5.7 Telephone or Mobile Phone

As phone calls may be monitored, overheard or intercepted, either deliberately or
accidentally, care must be taken as follows:
• Transferred information must be kept to a minimum.
• Personal or confidential information must not be transferred over the
  telephone unless the identity and authorisation of the receiver have been
  deliberately confirmed.

5.8 Internet Based Collaborative Sites

• Must not be used to transfer personal or confidential information.

5.9 Text Messaging (SMS), Instant Messaging (IM)

• Must not be used to transfer personal or confidential information.

6 Compliance
6.1 Compliance with the controls in this policy will be monitored by the Information
Security Team and reported to the Information Governance Board.

7 Related Documents
7.1 This control procedure needs to be understood in the context of other policies and
procedures constituting Greenbank’s Information Security Management System.

8 Review
8.1 A review of this policy will be undertaken by the Information Security Team annually
or more frequently as required and will be approved by the Information Governance
Board.

Author: Ian Grice Document version: V3_IG230923

Agreed by Greenbank Board of Trustees

Dr Alan Irving, Chairman
