
London School of Economics & Political Science
IMT

Version: Release 1.0
Date: 09/12/16
Library reference: ISM-PY-142
Policy: Confidential Information Transfer
Jethro Perkins, Information Security Manager

For the latest version of this policy and information about it, see lse.ac.uk/policies and search by title.

Policy –Confidential Information Transfer Version Release 1.0

IMT reference: ISM – PY-119 Page 2 of 7

1 Introduction

1.1 Overview

Information transfer refers to the method of sending and receiving data, either internally or with third parties. Confidential and business-critical data needs to be protected during transfer across all types of communication facility. Breaches of confidential data during transfer could lead to:

• Reputational damage
• Withdrawal of contractual rights to access third-party research data
• A fine of up to £500,000 from the Information Commissioner's Office for breaking the Data Protection Act
• A fine of up to 4% of annual worldwide turnover (or €20 million, whichever is higher) for breaking the EU General Data Protection Regulation, which applies wherever the personal data of individuals in the EU is processed

This policy formalises LSE's approach to confidential information transfer.

1.2 Scope

• All data classified as Confidential under LSE's Information Classification Standard
• Data classified under the Data Protection Act (1998) and the EU General Data Protection Regulation (2016) as sensitive personal data
• Research data received from third parties that does or may contain confidential data
• Research data generated by LSE that may be passed on to third parties

1.3 Out of Scope

• Information transfers into the organisation from third parties that are conducted on specific terms contractually required by the third party and/or with a requirement to use a third party's technology
  o e.g. the transfer of Hospital Episode Statistics from NHS Digital, covered by a Data Sharing Agreement wherein the form of the transfer is explicitly mandated
  o Once the information is within LSE-owned or LSE-used systems, any further information transfer falls within the scope of this policy
• Transfers contained within single machines or "secure bubbles", e.g. securely segregated and access-controlled environments containing multiple machines.


2 Policy

2.1 General principles

1. Confidential information must be protected from interception, copying, modification, mis-routing and destruction.
2. This will be achieved:
   a. by encryption of the information itself,
   b. by using encrypted transport facilities or secure file exchange facilities,
   c. or by a combination of these methods.

2.2 Files

1. Files sent individually or in an archive must be encrypted with AES-256 (e.g. using 7-Zip), using a key (password) that meets the LSE password policy at minimum.
2. Once the file/archive is encrypted to that standard, it may be sent across an open network, e.g. by email or FTP, or placed in Dropbox, OneDrive or any other insecure cloud storage medium.
3. The file password must be sent via a different medium from the file itself, e.g. by SMS or over the phone, or by email if the file was placed in Dropbox.
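The three steps above as a worked example. This script is an editorial addition, not part of the LSE policy or any LSE tooling; it assumes the 7-Zip/p7zip command-line binary `7z` is on PATH, and it generates a 32-character random passphrase as a stand-in for the LSE password policy minimum, which this page does not reproduce. The two checks at the end catch the mistakes most often seen in practice: an archive whose file names are readable without the password, and a .zip container that silently fell back to legacy ZipCrypto.

```shell
#!/bin/sh
# Added example (not from the LSE policy): encrypt a file for transfer over an open network.
# Assumptions: `7z` (7-Zip / p7zip CLI) is on PATH; a 32-character random passphrase is
# taken to satisfy the password policy minimum, which this example does not know.
set -eu

# 32 characters from a 64-symbol alphabet is 192 bits of entropy, well beyond any
# dictionary or brute-force attack on the archive.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9_-' < /dev/urandom | head -c 32
}

# Create the archive. The flags matter:
#   -t7z     7z container: its only cipher is AES-256, so "7z with a password" is AES-256.
#            A .zip container defaults to legacy ZipCrypto unless -mem=AES256 is added.
#   -mhe=on  encrypt the headers too; without it anyone holding the archive can list the
#            file names and sizes without the password.
#   -p       passphrase. It is visible in the process list while 7z runs; on shared hosts
#            omit the value and let 7z prompt for it instead.
encrypt_archive() {
    archive=$1; password=$2; shift 2
    7z a -t7z -mhe=on -p"$password" "$archive" "$@" > /dev/null
}

# Check 1: the archive opens with the right passphrase (integrity test of every member).
archive_opens() {
    7z t -p"$2" "$1" > /dev/null 2>&1 < /dev/null
}

# Check 2: listing is refused without the passphrase, i.e. the headers really are
# encrypted. A wrong passphrase is given explicitly so 7z never blocks on a prompt.
names_hidden() {
    ! 7z l -pdefinitely-not-the-passphrase "$1" > /dev/null 2>&1 < /dev/null
}

# Demo: package a constructed sample file and verify both properties.
demo() {
    command -v 7z > /dev/null 2>&1 || { echo "7z is not installed" >&2; return 1; }
    workdir=$(mktemp -d)
    printf 'participant_id,diagnosis\n1001,example\n' > "$workdir/study.csv"  # constructed sample
    pw=$(gen_password)
    encrypt_archive "$workdir/study.7z" "$pw" "$workdir/study.csv"
    if archive_opens "$workdir/study.7z" "$pw" && names_hidden "$workdir/study.7z"; then
        echo "archive OK: AES-256, headers encrypted; send the passphrase by SMS or phone"
    else
        echo "archive FAILED checks" >&2; rm -rf "$workdir"; return 1
    fi
    rm -rf "$workdir"
}

if command -v 7z > /dev/null 2>&1; then demo; else echo "skipping demo: 7z not on PATH" >&2; fi
```

The archive may then travel by email, FTP or a cloud share; the passphrase goes by a separate channel, never in the same message as the archive or the link to it.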

2.3 Encrypted/controlled transfer facilities and secure file exchange facilities

Confidential files and folders might alternatively, and where contractually acceptable, be made accessible for ingestion into a secure system via encrypted and controlled transfer facilities. These include:

1. A secure FTP server (using SFTP or FTPS) that requires explicit username and password access and that sends all information over an encrypted transport protocol (SSH in the case of SFTP; TLS 1.2 or later in the case of FTPS).
   a. Depending on the access controls of the storage area on the server, encryption of the file/archive might still be required.
   b. In all circumstances where the access control is not known, file/archive encryption must still be used.

2. Any other secure file transfer system provided by LSE's Information Management and Technology Division, requiring explicit authorisation and authentication before a file is sent or registered for pick-up.

3. LSE-provided SharePoint or OneDrive, where Information Rights Management options (such as encryption at rest, or blocking download, printing or screenshotting rights) are deployed, and access for third parties is provided via the External Collaborator Access Framework.

2.4 Malware detection and prevention

All LSE-provided file transfer mechanisms will run malware-detection programs:

1. On servers and systems provided for file transfer
2. As incorporated in Cloud services we consume from Microsoft
3. As incorporated in any other Cloud services we choose to consume

2.5 Transfer File Retention


1. Data placed on specialised file transfer systems (e.g. SFTP servers) will be deleted after a period of 72 hours, unless
   a. specific business reasons,
   b. licence agreements or
   c. contracts
   require otherwise.

2.6 Physical Information Transfer

1. Information that is to be transferred via portable media (compact disc, DVD, USB flash drive, external hard drive etc.) must either be
   a. stored on the transportation media in encrypted form (e.g. using file/archive encryption), or
   b. placed on media that is itself encrypted (e.g. using BitLocker or VeraCrypt).
2. Any media containing confidential data that is sent through postal systems or couriers must be sent by recorded delivery. Details of LSE's courier facilities can be found here: http://www.lse.ac.uk/intranet/LSEServices/postRoom/couriers.aspx

2.7 Physical Media Storage

1. If there are third-party requirements for the original physical media to be retained, it must be kept in secure locked storage.
2. Otherwise, physical media must be either destroyed (e.g. compact discs, DVDs) or wiped (external hard drives, USB flash storage) using a secure eraser program (e.g. 'Eraser') to the US DoD standard (7 passes). Note that overwrite passes only reach the blocks a flash drive or SSD chooses to expose, so for flash-based media the device's own secure-erase function or physical destruction is the reliable option.

2.8 Phones

1. Do not leave messages containing confidential information on answering machines or call recording services; these may be
   a. replayed by unauthorised persons,
   b. stored on communal systems, or
   c. stored incorrectly as a result of misdialling.

2.9 Fax machines

1. Unless explicitly and contractually required to do so, avoid transmitting any confidential data over fax machines.
2. Fax machines pose a number of high risks to the confidentiality, integrity and availability of confidential data, namely:
   a. unauthorised access to built-in message stores to retrieve messages;
   b. deliberate or accidental programming of machines to send messages to specific numbers;
   c. sending documents and messages to the wrong number, either by misdialling or by using the wrong stored number.

2.10 Internal information transfers

1. IMT operates a zero-trust network model, where internal communications cannot be assumed secure.
2. Therefore any internal system-to-system communication that includes or may include Confidential information must be encrypted to modern strong encryption standards.
3. Intra-system communication and system-to-system communication within logically-segregated "secure bubbles" does not have to be encrypted; appropriate security is applied at the boundaries.

2.11 Encryption standards for server-side transport.


1. LSE uses the 'modern' list of ciphers contained in the Mozilla Foundation's server-side TLS documentation: https://wiki.mozilla.org/Security/Server_Side_TLS
2. All use of server-side information transfer facilities must meet at least the 'modern' cipher list.
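A way to check a server's configured cipher string against the bar set in 2.11, added here as an editorial example rather than anything from the LSE policy or from Mozilla. The exact suite list on the Mozilla page has changed since 2016 (the current 'modern' profile admits TLS 1.3 suites only), so the check encodes the two properties every suite on that profile has had in common, forward-secret ECDHE key exchange and an AEAD cipher, instead of a fixed list of names. It assumes the `openssl` command-line tool is on PATH; the two cipher strings are constructed samples.

```shell
#!/bin/sh
# Added example (not from the LSE policy): audit an OpenSSL cipher string, as written into
# a server configuration, for suites that lack forward secrecy (non-ECDHE key exchange) or
# an AEAD cipher. TLS 1.3 suites have both by construction and are accepted as-is.
# Assumes the `openssl` CLI is on PATH.
set -eu

# Print the suites in cipher string $1 that fail the test, one per line; prints nothing
# when the string is clean. `openssl ciphers -v` emits one suite per line as
#   NAME  PROTOCOL  Kx=...  Au=...  Enc=...  Mac=...
non_modern_suites() {
    openssl ciphers -v "$1" | awk '
        $2 == "TLSv1.3"                     { next }   # TLS 1.3: always (EC)DHE + AEAD
        $3 == "Kx=ECDH" && $6 == "Mac=AEAD" { next }   # TLS 1.2 suites that meet the bar
        { print $1 }'
}

# Exit 0 when every suite the string admits meets the bar.
is_modern() {
    [ -z "$(non_modern_suites "$1")" ]
}

# Constructed samples. LEGACY is the shape still found in older configs: it admits RSA key
# exchange (no forward secrecy) and CBC suites (no AEAD). MODERN admits only ECDHE + AEAD.
# Note that the TLS 1.2 cipher string does not govern TLS 1.3 suites, which OpenSSL
# configures separately (-ciphersuites); those are all AEAD anyway.
LEGACY='HIGH:!aNULL:!MD5'
MODERN='ECDHE+AESGCM:ECDHE+CHACHA20'

# Review report for both strings: rejected strings are followed by the offending suites.
report() {
    for s in "$LEGACY" "$MODERN"; do
        if is_modern "$s"; then
            echo "OK      $s"
        else
            echo "REJECT  $s"
            non_modern_suites "$s" | sed 's/^/          /'
        fi
    done
}

report
```

Run it against the cipher string copied out of the server's TLS configuration; anything it prints under REJECT is a suite the server would still negotiate with a client that offers nothing better, and should be removed before the facility is used for Confidential data.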

2.12 Chain of custody

A clear chain of custody must be recorded for all confidential information transfers to or from third parties.

2.13 Review and Development

This policy, and its subsidiaries, shall be reviewed by the Information Security Advisory Board (ISAB) and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.

Additional regulations may be created to cover specific areas.

ISAB comprises representatives from all relevant parts of the organisation. It shall oversee the creation of information security and subsidiary policies.

The Information Security Manager will determine the appropriate levels of security measures applied to all new information systems.

2.14 ISO27001 Controls

A.13.2.1 Information transfer policies and procedures.


3 Responsibilities

Data Owners and Custodians

• Ensure all Confidential information is correctly identified.
• Ensure all Confidential information is transferred according to this policy, the applicable laws and contractual agreements.
• Ensure data is deleted according to the requirements of the policy.
• Ensure there are documented chains of custody for confidential information transfers with third parties.

Department of Information Management and Technology:

• Providing encryption methods and programs
• Ensuring appropriate encrypted transport between internal systems, and between internal systems and Cloud systems
• Maintaining the External Collaborator Access Framework
• Providing access to appropriate information security functionality within Office365
• Maintaining deletion schedules on centrally-provided information transfer systems

Research Lab

• Responsible for providing secure transfer methods for RLAB users, in accordance with this policy.

Information Security Advisory Board

• Responsible for advising on and recommending information security policies to the Information Technology Committee, assessing information security risks, and identifying and implementing controls for those risks.

Information Technology Committee

• Responsible for approving information security policies.


Document control

Distribution list
Name                                  Title   Department
Information Security Advisory Board
Information Technology Committee

External document references
Title                                  Version   Date       Author
Information Security Policy            3.12      06/10/16   Jethro Perkins
Information Classification Standard    3.0       15/03/13   Jethro Perkins
Cryptography standards                 1         16/03/16   Jethro Perkins
Server-side Encryption Guidelines      1         29/05/16   Jethro Perkins

Version history
Date       Version   Comments
02/12/16   0.1       Initial version
           0.2       Incorporating observations from the ISO27001 Project Board concerning the ingestion of data from third parties, and effective boundaries within secure systems or networks that render encryption unnecessary. Approved by Information Technology Committee on 05/12/16.
09/12/16   1.0       Moved to release version.

Review control
Reviewer                 Section   Comments                                                                               Actions agreed
ISO27001 Project Board   1         Third-party data, once ingested, would no longer fall out of scope                     Policy updated
ISO27001 Project Board   1, 2.10   Confidential data within secure areas would no longer need to be encrypted in transit   Policy updated
