It should comprise
- Creation -
- Classification - sensitivity, ownership and custody; includes labelling
- Transmission - respond to risk of inadvertent transmission (e.g. logical and physical access control, clear desk, clear screen, storage encryption policies), deliberate attempts to access or steal documents, and confidentiality of documents sent to 3rd parties*
- Retention & - should take into account commercial value and regulatory requirements. May be a minimum/maximum rule
- Destruction - should require heightened control where the risks associated with failure to destroy are high. Ideas include destruction certificates, outsourcing, management oversight, formal destruction process.
- Management responsibilities and procedures for controlling and notifying transmission, despatch and receipt.
- Minimum standards for packaging and transmission.
- Responsibilities and liabilities in the event of loss of data.
- Use of an agreed labelling system for sensitive or critical information, ensuring that the labels are immediately understood and that the information is appropriately protected.
- Information ownership and responsibilities for data protection.
- Technical standards for recording and reading information.
- Any special controls that may be required to protect information in transit, such as passwords.
- Splitting the consignment into more than one delivery and/or despatching