The CC policy on security of information

Document Sample
The CC policy on security of information Powered By Docstoc
					Policy on Security of Information

           February 2010
Document control page

Version history

   Date       Version        Author                     Reason for change

  10/09/01      1.0           Claritas      First issue of document

  30/09/01      2.0            DSO          Second issue of document with changes
                                            from SWG and document review

  12/10/01      3.0            DSO          Third issue of the policy for the ADS,
                                            endorsed by the Secretary

  16/11/01      4.0            DSO          Fourth issue taking in amendments from
                                            GNC ready for general circulation

  27/10/06      4.1            DSO          Addition of annex on the handling of
                                            protectively marked papers

  15/09/07      4.2            DSO          Amended to take account of ‘PROTECT’

  11/01/08      4.3            DSO          Amended to take account of changes to use
                                            of RESTRICTED

  25/02/08      4.4            DSO          Amended to take account of Cabinet Office

11/06/2009      4.5            ITSO         Addition of Password Protecting Documents

10/02/2010      5.0            ITSO         Amended in line with SPF requirements

Amendments and comments

If you would like to give any feedback on the content or format of this Policy on Security of
Information, please email the Departmental Security Officer (DSO) so that your suggestions
can be considered for the next issue.

1.    Information is an asset which has value and consequently needs to be suitably pro-
      tected. Much of the information held by the CC has been obtained under statutory
      provisions which require that it shall not be disclosed without consent. The protection
      of information held by the CC is therefore critical to meeting our contractual and legal
      obligations, as well as to our credibility in the eyes of the public and the business

2.    Information security measures are necessary to protect information from a wide
      range of threats. Information security comprises the preservation of:

      (a) confidentiality: ensuring that information is accessible only to those authorised to
          have access;

      (b) integrity: safeguarding the accuracy and completeness of information and pro-
          cessing methods; and

      (c) availability: ensuring that authorised users have access to information and
          associated assets when required.

3.    This document defines the policy to be adopted for the protection of information
      security throughout the CC. The policy is set out in full in paragraph 5 below. Useful
      abbreviations are set out in Annex A.

Information classification scheme

4.    Anyone handling information generated by the CC must use the information classifi-
      cation scheme outlined below. A consistent approach to security classification helps
      to protect information and avoids the risk of information being compromised.

Information classification scheme

5.    The following information classification scheme set out by the Cabinet Office should
      be used throughout the CC.



UNCLASSIFIED             Information that:
                         • is available to the general public, such as information available on the
                           CC’s website; or
                         • would not cause any harm or infringe any law were it to be intentionally
                           or accidentally disclosed to the general public.

PROTECT                  Information or material that if compromised would be likely to:
Impact Level 1 and 2     • cause some embarrassment, some harm or inconvenience to the CC,
(IL1 & IL2)                third parties or individuals;
                         • cause substantial distress to individuals;
                         • breach proper undertakings to maintain the confidence of information
                           provided by third parties;
                         • breach statutory restrictions on the disclosure of information (except
                           the Data Protection Act which can be addressed with other impact
                           statements) ;
                         and, depending on the severity of the circumstances:
                         • cause financial loss or loss of earning potential to, or facilitate improper
                           gain or advantage for, individuals or companies;
                         • prejudice the investigation or facilitate the commission of crime; or
                         • disadvantage government in commercial or policy negotiations with

RESTRICTED               Information or material that if compromised would be likely to:
Impact Level 3 (IL3)     • cause substantial distress to individuals;
                         • cause financial loss or loss of earning potential to, or facilitate improper
                           gain or advantage for, individuals or companies;
                         • prejudice the investigation or facilitate the commission of crime;
                         • breach statutory restrictions on the disclosure of information (except
                           the Data Protection Act which can be addressed with other impact
                         • disadvantage government in commercial or policy negotiations with
                           others; or
                         • undermine the proper management of the public sector and its
                         Such information should not be disclosed to anyone who is not authorized
                         to see it and/or does not have a strict need to know.

6.     The appropriate classification for most CC documents, including the majority of
       inquiry papers (for example, provisional findings, working papers and draft final
       reports where there is no implication for national security), is Protect, or IL1 and IL2.
       Restricted, or IL3, will only be appropriate in very limited number of cases. The
       decision as to whether a paper should be classified as RESTRICTED will rest with
       the Inquiry Director (ID).

Classifications higher than Restricted

7.    Should the CC be involved in an inquiry or appeal case that requires the handling of
      material classified higher than RESTRICTED, or IL4 or above, the CC will comply
      with HM Government’s classification scheme. The inquiry team will need to work
      closely with the DSO or Deputy DSO to ensure that the correct procedures are

Business Impact Levels

8.    Business Impact Levels are published in HMG infosec standard No.1 (IS1), Technical
      Risk Assessment, Part 1, Appendix A.

9.    There are seven Impact Levels defined, Impact Levels 0–6.

10.   For confidentiality, the Impact Levels relate directly to protective markings: Impact
      Levels 1 and 2—Protect; Impact Level 3—Restricted; Impact Level 4—Confidential;
      Impact Level 5—Secret; and Impact Level 6—Top Secret. However, there are no
      equivalent markings for Integrity (i.e. the information is correct and complete) or
      Availability (i.e. assurance that the systems responsible for delivering, storing and
      processing information are accessible when needed, by those who need them).


11.   Certain descriptors may be used in association with the classification markings to
      describe further the sensitivity of a document and the type of data it contains.

12.   The descriptors, however, do not change how a document is treated: this is
      determined by the documents classification.

13.   These are shown in Table 2.


          Descriptor                                        Description

PROTECT - COMMERCIAL         Material which relates to a commercial undertaking’s processes or

PROTECT - MARKET             Material which may reasonably be expected to affect a share price
SENSITIVE                    (e.g. material in Conclusions and Summary of a draft inquiry report).

PROTECT - PERSONAL           Material which should only be seen by the individual to whom it is
                             addressed (e.g. a letter on a pay award, or disciplinary action).

PROTECT - STAFF               Material exchanged between managers, where references are made
                              to named or identifiable individual(s) (e.g. a discussion on plans to
                              reallocate staffing roles). The CC includes in this descriptor members
                              and third-party contractors, their directors, partners and employees.

PROTECT - MANAGEMENT         Material which concerns policy and planning affecting the interests of
                             groups of employees, members or third-party contractors.

PROTECT -                    Material concerning actual or potential appointments that have not yet
APPOINTMENTS                 been announced.

PROTECT - CONTRACTS          Material concerning tenders under consideration and the terms of
                             tenders accepted.

        These descriptors can also be used with RESTRICTED.

Extra measures

14.     Occasionally it may be necessary to put in place extra security measures to protect
        or track a document, or to indicate to a third party how you wish the material to be
        treated. In these cases there are some extra measures listed below which may be

TABLE 3 [Title?]

      Extra measure                                       Description

CONTROLLED                To be used when the distribution of documents is to be so restricted that
DISTRIBUTION              a numbered record of the copies, the recipients and the eventual
                          disposal is made (e.g. for controlled distribution of particularly sensitive
                          data from the main parties).

NOT FOR DISCLOSURE        To be used if the information is to be confined solely to the recipient (e.g.
                          early drafts of staffing plans)

IN-CONFIDENCE             To be used if the document is being sent to an outside body who could
or                        not be expected to understand the main CC classification scheme. This
COMMERCIAL-IN-            should be used in addition to the classification marking.

        Additionally, inquiry teams need to take account of any documents received from the
        EU that are protectively marked. For ease of reference, material marked:

         • RESTREINT UE is equivalent to UK RESTRICTED;

         • CONFIDENTIEL UE is equivalent to UK CONFIDENTIAL;

         • SECRET UE is equivalent to UK SECRET; and

         • TRES SECRET UE/TOP SECRET EU is equivalent to UK TOP SECRET.

Personal data

15.      Government must be particularly careful to protect personal data whose release or
         loss could cause harm or distress to individuals. All data must be marked as at least
         ‘Protect – personal data’ while it is processed or stored within Government or its
         delivery partners.

16.      Personal data is defined by Government as:

A. Any information that links one or more identifiable living person with information
about them whose release would put them at significant risk of harm or distress.

1. One or more of the pieces of            combined   2. Information about that individual whose
information which can be used              with       release is likely to cause harm or distress
along with public domain
information to identify an

Name/addresses (home or business                      Sensitive personal data as defined by section
or both)/postcode/email/telephone                     2 of the Data Protection Act, including records
numbers/driving licence number/date                   relating to the criminal justice system, and
of birth                                              group membership
[Note that driving licence number is                  DNA or fingerprints/bank, financial or credit
included in this list because it yields               card details/National Insurance number/tax,
directly date of birth and first part of              benefit or pension records/health records/
surname]                                              employment record/school attendance or
                                                      records/material relating to social services
                                                      including child protection and housing

         These are not exhaustive lists. Departments should determine whether other
         information they hold should be included in either category.

B. Any source of information about 1000 or more identifiable individuals, other than
information sourced from the public domain.

         This could be a database with 1,000 or more entries containing facts mentioned in
         box 1, or an electronic folder or drive containing 1,000 or more records about
         individuals. Again, this is a minimum standard. Information on smaller numbers of
         individuals may warrant protection because of the nature of the individuals, nature or
         source of the information, or extent of information.

         The CC’s staff records are significantly below the data levels mentioned above;
         however, the CC makes it explicit to all staff—and particularly those in HR—that
         personal data belongs to the individual to whom it refers and that we take seriously
         any failure to follow established guidelines on how to secure sensitive or personal

GSi compliance

17.   The GSi allows the CC to carry out its own risk assessment of what can and cannot
      be emailed over the internet. The CC has taken the view that protected papers can
      be emailed over the internet. Restricted papers can only be sent by email if

18.   The CC’s marking system uses the ‘Protect’ and ‘Restricted’ descriptors and these
      terms are commonly in use around HMG to imply ‘not in the public domain’.

Guidance for inquiry teams

Protective markings on inquiry papers


19.   This section sets out the revised procedure for protective marking of inquiry papers.
      Full details of the CC policy on the CC’s Information Classification Scheme can be
      found in paragraphs 9 to 18 above. It sets out some detail on how Protect and
      Restricted inquiry papers should be identified and marked up and then how these
      need to be treated differently in terms of handling, distribution and filing.

Marking of inquiry papers

20.   Markings should reflect the security classification of the data and the nature of the
      data contained in the document. Whilst descriptors are optional, we expect inquiry
      staff to mark papers as best suits the contents of the documents. Many of these are
      likely to be commercial or market sensitive in nature.

21.   Markings fall into the following categories:

      • No marking (U - unclassified)

         There is no need to mark up an inquiry paper as protected if it contains data which
         is already in the public domain. Any papers containing data already in the public
         domain can be marked as U, but CC practice is normally to leave documents un-

      • Protect

         It assumes a standard level of confidentiality or sensitivity and documents need to
         be handled sensitively and with care.

      • Protect - Commercial (P-C)

         It assumes a standard level of confidentiality or sensitivity and documents need to
         be handled sensitively and with care taking into account the commercial nature of
         the nature of the information contained in the document.

      • Protect - Market sensitive (P-MS)

         It assumes a standard level of confidentiality or sensitivity and documents need to
         be handled sensitively and with care taking into account the market sensitive
         nature of the information contained in the document.

      • Restricted

         This marking is given to papers which contain data which is extremely sensitive.
         They contain data that, if it fell into the wrong hands, could cause exceptional

      • Restricted - Market Sensitive (R-MS) and Restricted Commercial (R-C)

         These markings are given to papers which contain data which is extremely market
         sensitive to either the CC or the parties.

Restricted documents

22.   Restricted classifications are likely to be appropriate in a limited number of circum-
      stances. Documents classified as Restricted are those that are extremely sensitive
      and whose disclosure could cause exceptional ‘harm’ to any party (whether a finan-
      cial loss or non-financial).

23.   If necessary, the Inquiry Director will assess the risk associated with a paper being
      classified as Protect rather than Restricted and determine whether a paper should be
      classified as Restricted. The CC’s risk register contains details on how the CC is
      placed at risk by this category of papers.

24.   The three main types of harm that might arise if sensitive data gets into the wrong
      hands are:

      • Commercial secrets of the parties. This data falls either into their competitors’
        hands or into the public domain (press report). The parties could suffer a loss,
        share prices could be affected and the CC could be sued by the parties as well as
        suffer reputational damage.

      • The CC’s likely decisions. These are leaked prior to becoming public knowledge.
        This could affect share prices. The CC’s internal procedures are called into

      • Personal gain where an individual may be able to obtain a financial benefit from
        use of certain information available to an inquiry (ie the individual deals in shares
        to take advantage of the data). Whilst the individual’s gain may not, on the
        surface, be visible, where one person gains, another must lose.

Protect documents

25.   Most inquiries will have no documents with a security classification higher than

26.   In particular, the following documents are all likely to be classified no more highly
      than Protect:

      • most draft and final versions of working papers;

      • the draft or unexcised versions of provisional findings in respect of unquoted and
        quoted companies;

      • the unexcised/confidential versions of main and third-party submissions; and

      • other submissions containing sensitive data.

Personal data and inquiries

27.   Extra care needs to be taken where we are working with personal data. Inquiry teams
      are advised to contact the CC’s ITSO if they are required to handle personal data as
      part of their inquiry.

General procedure for marking up inquiry papers

CC-originated papers

28.   Papers can be originated by any staff member on the inquiry team including the
      members. However, the papers must all go through the Inquiry Coordinator (IC) as
      part of overall administrative controls. Overall the Inquiry Manager (IM) is responsible
      for papers on their respective inquiry.

29.   The originator will mark up the paper based on its content; papers will normally be
      classified as Unclassified or Protect. If the originator believes a paper should be
      classified as Restricted, the originator must advise the IM. In these cases the IM
      must consult with the ID.

30.   The IM is responsible for the confirming that each paper is correctly classified (with
      the exception of restricted documents). They will assess the originator’s recom-
      mended marking, change it as needs be and make it official. If this has been
      delegated to an IC and they are unsure, they should consult with the IM, who is
      responsible for the decision.

31.   The official marking is finalised and the paper ready for distribution (see next

Third-party-originated papers

32.   The third party will send its paper to the CC via whatever method it chooses, at its
      own risk (although electronic communication is preferred if the parties are willing to
      carry the risk). These papers should go to the IC for forward distribution to inquiry
      staff. When the IC receives them they will classify each document. If they are unsure
      they should consult with the IM who is responsible for the decision. If the IM believes
      a document should be classified as Restricted they will need to consult with the ID
      who will decide whether a paper should be classified as Restricted.

33.   Papers which are received but not distributed should still be classified. With elec-
      tronic filing the classification marking should be incorporated into the title the
      document is saved with or saved into a folder indicating the protective marking.

34.   If the third party paper goes direct to another member of the team, then they should
      take a view on the confidentiality of the material and mark it out as appropriate. The
      IM is responsible for confirming that each paper is correctly classified. They will
      assess the team member’s recommended marking, change it as needs be and make
      it official. If this has been delegated to an IC and they are unsure, they should consult
      with the IM, who is responsible for the decision. If the IC or IM believes a document
      should be classified as Restricted, they will need to consult with the ID.

Treatment and distribution of papers according to markings. Do’s and don’ts

                                     If:                                      If:
 Communication           Protect—including market               Restricted—including market
    route              sensitive and commercial (IL1         sensitive and commercial including
                                  and IL2)                  market sensitive and commercial (IL3)

Email to CC staff/    OK to use                             OK to use
members using CC
email address
Email to an email     OK to use                             OK to use
address within the

Email to members      ok not use                            Do not use
at their personal
email address
Email to parties to   OK to use.                            Do not use unless encrypted. Use
work-based email      If parties want to set up encrypted   protected disc or courier (disc or hard
accounts              facilities for the duration of an     copy).
                      inquiry we can do this if necessary   The exception to this is if parties give
                      —but this is not the preferred        their express permission in writing (by
                      option                                email, fax or letter).
Email to an email     OK to use                             Do not use. Use protected disc or courier
address outside the                                         (disc or hard copy).
GSi                                                         The exception to this is if parties and
                                                            recipients give their express permission
                                                            in writing (by email, fax or letter).

Hard copy—leave       OK                                    Generally OK, but some judgement
unattended at desk                                          required according to sensitivity. Put
in office hours                                             away if there is a risk.
Hard copy—leave       No                                    No. Lock securely away overnight
out overnight, on
desk or wherever.
Outside of 9am to
Hard copy—leave       No                                    No. Ensure securely sealed in envelopes
in pigeon holes for                                         or, better still, hand deliver to the
receivers, not                                              recipient.
sealed in
Hard copy—distri-     The majority of documents should      Use courier only, not post. Confirm
bution to members     be emailed to members. Large          verbally with member to ensure receipt.
                      documents only can be posted to
                      members or collected from the CC
                      on the day of the Group meeting
                      on request. Couriers should only
                      be used if absolutely essential

Fax—to members        OK to use                             No
Fax—to parties        OK to use                             Do not use unless the party agrees (in
                                                            email, by fax or in writing) to accept the
                                                            risk and responsibility. Ensure the
                                                            recipient is at the fax machine to collect

                                                            at the time of submission.

Disposal of papers     Confidential disposal only, using    Only use the ‘blue sacks’ for secure
                       shredding or the blue sacks          external shredding.
Read in a public       Only where there is no opportunity   Under no circumstances to be read in a
place including        for others to read the documents     public place.
trains etc

Rules for sending documents to members

35.       We can email Protect documents to nominated non-CC email accounts to give
          members maximum choice and flexibility around how they manage their inquiry-
          related work. We still, however, need to ensure that others cannot read emails and
          documents that we send to members, whether by accessing the member’s email
          account or accessing cached documents.

36.       Members will therefore need to agree to a minimum number of conditions before we
          can email inquiry and other CC documents outside the CC network:

          • Other users, such as family members who share the PC/laptop, must not have
            access to the email account. This can easily be ensured by the member agreeing
            to enter their password when they log on, rather than have the PC remember it.

          • The PC must have up-to-date virus scanning and security software to be agreed
            with the IT team.

          • The email provider must be approved by the CC: Microsoft’s Hotmail will be OK
            but some other web-based accounts may be too vulnerable.

          • Approval will be done on a case by case basis.

          • Email accounts may not be accessed from internet cafes and other public PCs
            including PCs in hotels, the IOD etc, to stop third parties accessing cached files
            (please note: CC laptops and personal laptops can be used in hotels).

37.       Please note members will need to retain their CC laptops, and use them for
          accessing Restricted documents, claiming expenses, and to access EDRM, the
          Intranet and the Members Extranet site.

38.       In summary, the rules for members are as follows:

      •   Paper(s) less than 30 pages should be:

          o   If marked ‘Protect’ or ‘Restricted’, e-mailed to Members’ CC email addresses, as
              hyperlinks, under the cover of a note; or e-mailed to Members’ non-CC email
              addresses, as attachments; or

          o   If marked ‘Restricted’, e-mailed to Members’ CC email addresses only

      •   Paper(s) more than 30 pages only should be:

          o   at the Members request and marked ‘Protect’, posted via First Class service (not
              Standard or Recorded delivery) unless urgent in which case Couriers can be
              used; or

      o   If marked ‘Restricted’, emailed to Members CC email address; or couriered using
          the CC’s official courier company, not by post.

Rules for sending documents to staff:

39.   Staff are still required to use the CC network and laptops and are not expected to
      email document to, for example, their home PCs or laptops.

Rules for sending documents outside the CC

40.   We can email PROTECT documents to nominated non-CC email accounts including
      main and third parties; however we still need to ensure that others cannot read our
      emails and documents.

41.   Inquiry staff should endeavour to ensure that emails are sent to work based email
      accounts. If an inquiry team member is unsure about the status of an email address
      they should consult with the IT security team.

Distribution methods for Restricted papers and Personal Data


42.   Email including information classified as restricted must be encrypted before they are
      sent to a non GSI email address. Having third parties adhere to specific technical
      requirements can often be time consuming and in some instances not possible.
      When email encryption cannot be utilised, protected disc is the next best method..

Protected disc

43.   When email encryption cannot be utilised, restricted and personal, should be burnt to
      CD/DVD and password encrypted. The third party should collect the disc in person
      from Victoria House, otherwise arrange for the disc to be couriered to the recipient.
      When the third party have confirmed receipt of the protected disc, the password to
      decrypt the contents of the disc will be issued over the phone or email


44.   When sending hard copy papers or discs via courier, use the CC’s official courier
      company and phone through to the recipient to establish that they will be available to
      take receipt of the package when the courier arrives. Ensure the courier returns the
      package to the CC if not delivered in a secure manner, rather than leaving the
      package unattended at the destination. It is acceptable for the Courier to ‘post’ the
      package through the letter if the recipient is out .

Faxing papers

45.   Only do this if you are sure that the recipient is at the receiving fax machine when
      you send it and therefore cannot be intercepted. Generally not recommended as a
      means of communication. If you do need to use it ask the recipient to send you a test
      page from the fax machine to prove that they are at the number and are able to take
      responsibility for the fax.

Password Protecting Documents

46.    Password protecting Competition Commission documents is discouraged as
       passwords can be forgotten or become revealed to unauthorised persons. Controlling
       access to information on a need to know basis is managed through Wisdom EDRM.

      If you have a specific requirement to password protect a document, please liaise with
      the IT Service desk for advice. Should the need arise for document password
      protection, the password should be written down, and placed in a sealed envelope with
      details of the document/ inquiry that it relates to. This should then be stored in the CC’s
      security safe on the second floor where access will be granted on a need to know

Annex A: Abbreviations

GSi       Government Secure Intranet

P-C       Protect-Commercial

R-C-MS    Restricted-Commercial-Market Sensitive

IC        Inquiry Coordinator

IM        Inquiry Manager

ID        Inquiry Director

DSO       Departmental Security Officer

ITSO      IT Security Officer

SPF       Security Policy Framework

Annex B: Regulatory and legal requirements

The following sections of legislation are of particular relevance for CC policy on security of

(a)   Part 9 of the Enterprise Act 2002: this applies to information obtained in the course of
      merger and market investigations. It contains:

         •   a general prohibition on disclosure of specified information;

         •   the exceptions to the prohibition;

         •   the considerations which the CC must have regard to before disclosing any
             specified information;

         •   a criminal offence of improperly disclosing or using specified information.

(b)   The provisions on non-disclosure of information in the various regulatory statutes
      which apply to price control and other regulatory references:

         •   The Airport Act 1986, section 74

         •   The Airports (Northern Ireland) Order 1994, Article 49

         •   The Communications Act 2003, Article 393

         •   The Electricity (Northern Ireland) Order 1992, Article 61

         •   The Energy Act 2004

         •   The Financial Services and Markets Act 2000, section 348

         •   The Gas (Northern Ireland) Order 1996, Article 44

         •   The Postal Services Act 2000, Schedule 7

         •   The Railways Act 1993, section 145

         •   The Regulation and Investigatory Powers Act 2000

         •   The Telecommunications Act 1984, section 101

         •   The Transport Act 2000, Schedule 9

         •   The Utilities Act 2000, section 105

         •   The Water Industry Act 1991, section 206

         •   The Water Services etc (Scotland) Act 2005 (Consequential Provisions and
             Modifications) Order 2005

(c)   Other legislation imposing general non-disclosure or use of information obligations

         •   The Computer Misuse Act 1990

         •   The Copyright, Designs and Patents Act 1988

•   The Data Protection Act 1998

•   The Human Rights Act 1998

•   The Official Secrets Act 1989, section 5