Table of Contents
Global Information Risk Management ................................................................................................. 1
Logical Access Management (LAM) .................................................................................................... 2
Information Classification and Handling .............................................................................................. 4
Preventing Loss and Leakage of information ................................................................................... 14
Using other media ............................................................................................................................. 17
Records Management ....................................................................................................................... 18
How to Report Information Incidents/Risk Events ............................................................................. 25
Summary ........................................................................................................................................... 26
Assessment ....................................................................................................................................... 27
At the end of the course, there is an assessment with a pass mark of 80%.
Page 3
Consequences
Barclays creates and handles large volumes of information every day. Imagine for a moment the
consequences of misusing, inappropriately disclosing or losing that information. We can all recall
newspaper headlines about such incidents.
Internal Only
Example
In 2013, Richard Joseph was convicted of six counts of conspiracy to deal as an insider and was
sentenced to four years on each count, which will be served concurrently. Joseph, a former futures
trader, was provided with confidential and price-sensitive information by Ersin Mustafa, a print room
manager at JP Morgan Cazenove. The Mergers and Acquisitions information was placed on file-sharing sites and used to make spread bets on share price movements.
Source: https://www.fca.org.uk/news/insider-dealers-ordered-to-pay-32m-in-confiscation
Misuse, inappropriate disclosure, or loss of information can lead to reputational and financial damage
to Barclays. We all have a responsibility to ensure that the information we deal with on a day to day
basis is handled responsibly in accordance with Barclays' policies and procedures to minimise the risk
of it being compromised.
Page 4
Information Risk Management
Information is an essential business asset for Barclays and we are committed to protecting
information throughout its lifecycle in line with the following three factors:
We must also manage information and records in line with legal, regulatory and contractual
arrangements.
If you have access that you do not need to do your job, you should discuss it with your line
manager so that the appropriate steps can be taken to address any adjustments that are
needed
If you are a line manager, you are responsible for ensuring that system and application
access is adjusted or removed when someone changes roles or leaves your team/business. It
is important that you raise the relevant requests promptly to ensure that they can be
processed in a timely manner and ensure any equipment provided to the person is
surrendered to you upon exit
As a line manager you must record all known leavers in the HR system (MyHR Portal) at the
earliest opportunity and no later than the leaver's last day in the office, to ensure the
termination of the individual's access rights for Barclays systems and buildings. Where MyHR
Portal is not deployed or its functionality is not operating, line managers should adhere to local
arrangements or notify HR no later than the last day in the office to ensure removal of all access
rights from Barclays systems
If you are a line manager, application owner or other delegated authorised approver, you will
be required periodically to recertify colleagues' access. Consideration must be given to
combinations of access permissions within a system and between systems to ensure
segregation of duty requirements are met.
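The leaver and recertification steps above lend themselves to a mechanical first pass before a line manager or application owner signs anything off. The script below is an added example, not a Barclays tool: it takes a constructed entitlement export, a constructed list of leavers from HR, and a hypothetical set of segregation-of-duty rules, and produces the per-user view an approver would recertify, flagging leavers who still hold access and toxic role combinations both within one system and across systems.

```python
"""Access recertification helper (added example, not a Barclays tool).

All inputs are constructed for illustration:
  ENTITLEMENTS - one row per (user, system, role), as an access export might give.
  LEAVERS      - users HR has recorded as having left, with their last day in the office.
  SOD_RULES    - hypothetical segregation-of-duty rules: a user must not hold every
                 (system, role) pair in any one rule at the same time; rules may span systems.
"""
from collections import defaultdict
from datetime import date

ENTITLEMENTS = [
    ("alice", "payments", "payment_initiator"),
    ("alice", "payments", "payment_approver"),   # same system as her initiator role
    ("bob",   "payments", "payment_initiator"),
    ("bob",   "ledger",   "journal_approver"),   # conflict spans two systems
    ("carol", "hr",       "read_only"),          # carol has left but still has access
    ("dave",  "ledger",   "journal_poster"),
]

LEAVERS = {"carol": date(2024, 3, 29)}

SOD_RULES = [
    frozenset({("payments", "payment_initiator"), ("payments", "payment_approver")}),
    frozenset({("payments", "payment_initiator"), ("ledger", "journal_approver")}),
]


def entitlements_by_user(rows):
    """Group the flat export into {user: {(system, role), ...}}."""
    by_user = defaultdict(set)
    for user, system, role in rows:
        by_user[user].add((system, role))
    return dict(by_user)


def sod_violations(rows, rules):
    """Return (user, rule) pairs where one user holds every pair in a rule."""
    by_user = entitlements_by_user(rows)
    found = []
    for user in sorted(by_user):
        for rule in rules:
            if rule <= by_user[user]:          # subset test: the whole toxic combination is held
                found.append((user, tuple(sorted(rule))))
    return found


def leaver_access(rows, leavers, today):
    """Users whose recorded last day has passed but who still appear in the export."""
    by_user = entitlements_by_user(rows)
    return sorted(u for u, last_day in leavers.items() if u in by_user and today > last_day)


def recertification_report(rows, rules, leavers, today):
    """Per-user access plus the flags an approver must resolve before certifying."""
    by_user = entitlements_by_user(rows)
    violators = {u for u, _ in sod_violations(rows, rules)}
    stale = set(leaver_access(rows, leavers, today))
    report = {}
    for user in sorted(by_user):
        flags = []
        if user in violators:
            flags.append("segregation-of-duty conflict")
        if user in stale:
            flags.append("leaver still has access")
        report[user] = {"access": sorted(by_user[user]), "flags": flags}
    return report


if __name__ == "__main__":
    for user, entry in recertification_report(ENTITLEMENTS, SOD_RULES, LEAVERS, date(2024, 4, 1)).items():
        print(user, entry["access"], entry["flags"])
```

The subset test is what lets one rule express a cross-system conflict: a rule is just a set of (system, role) pairs, so "initiates payments in one system and approves journals in another" is checked exactly like "initiates and approves in the same system". Leaver detection compares the review date with the recorded last day, so running the report on the last day itself raises nothing and the day after raises the stale account.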
Page 7
Password security
Your password protects you from others abusing your access.
Choose a password that is easy to remember but difficult to guess. Make your password of sufficient
length using upper and lower case letters as well as numbers and special characters (such as @ and
$).
Change your password frequently and not just when the system prompts you.
If you think that your password has been compromised, change it immediately, report your concerns
to the IT Helpdesk and report the incident (see the How to Report Information Incidents/Risk Events
section in this training).
1. Make it strong
2. Keep it secret
3. Don't share it
4. Don't write it down
5. Don't let people see you type it
Page 8
Shared folders and directories
Where you own folders and directories e.g. shared drives, shared mailboxes, SharePoint sites and
email public folders, you are responsible for reviewing the access permissions. You should ensure
that access permissions to these repositories are restricted to only those users authorised to see it.
Regularly review the access permissions - at least annually, or immediately when employees
leave or move positions
Ensure information is only accessible to those authorised to see it
If you have access to folders or directories that you do not need, you should advise the
owner/your line manager so that appropriate action can be taken
If you notice Secret or Confidential information in a shared repository that you would expect to
be restricted, you must advise the folder owner/your line manager immediately.
Page 9
End User Developed Applications (EUDA)
End User Developed Applications (EUDA) are tools or applications built using standard desktop
software (e.g. Microsoft Excel or Access) that are developed and managed outside the Technology
function, and automate or facilitate a business process on an on-going basis.
EUDAs usually contain complex formulas where the output is used for management decision-making
or financial reporting, and are considered business critical. Applications or tools may also be
considered EUDAs if they have an impact on Barclays reputation.
Failure to identify and control EUDAs could result in financial loss or misstatement, reputational
impact, regulatory impact, legal challenges or disruption of business operations.
Colleagues using or developing EUDAs must ensure that they work within the defined controls as
stated in the Barclays EUDA Risk Management Policy.
For additional guidance see the Barclays EUDA Risk Management Policy.
[web address: http://teams.barclays.intranet/sites/groupirm/SitePages/Governance,%20Risk%20and%20Control.aspx]
Examples of Information Assets include:
An application form
A customer profile
A transaction
A printed document
A report
Source Code
Network diagrams
IT configuration details.
Information Classification
Information Classification is the process of identifying, classifying, and labelling Information Assets
based on their value to Barclays, their sensitivity and associated risks.
There are four Classifications: Unrestricted, Internal Only, Confidential and Secret. You must apply
and use only these four defined Classifications to comply with the Barclays IRM Policy.
There are exceptional circumstances where alternative labelling is applied, for example, Strictly
Private and Confidential, and these must only be used by relevant colleagues. You must escalate the
use of these through your Business Unit/local IRM team or IRM/RM Champion/Coordinator for
approval, prior to implementing any alternative labelling.
Page 12
Labelling information
Information classified as Internal Only, Confidential and Secret needs to be labelled where it is
feasible and appropriate to do so.
This is to inform those that handle the information what the Classification is and how they need to
treat that information.
Documents
Documents should be labelled and you should be familiar with how to do this as part of your role. For
example, this will often be achieved by adding the appropriate Classification label, such as
'Confidential', in the footer of the page.
Information and data accessed through a customer application
This information and data might not be labelled in some cases, as it may not be feasible to do so.
However, the permissions and levels of access to these applications must be restricted to those
individuals that require it to do their job and by following the correct processes and procedures.
Emails
When you distribute information by email, you should ensure that the Classification label applied is
easily visible and replicates the Classification of the information within and/or documents attached.
The Classification can be applied in the Subject Line, as a heading or included in your email
signature.
Page 13
Information Asset Lifecycle
The Information Asset Lifecycle defines the various stages Information Assets pass through during
their existence:
Page 14
Information Owners
Information must be allocated an owner. Ownership will lie with the person/leader of the team who
created the information or the person who owns the process by which the information was created,
introduced or stored.
The owner of an Information Asset is responsible for classifying that information and ensuring that it is
handled correctly. Information Owners must:
Page 15
Classification categories
Image description: A pyramid with four sections, each labelled with an information classification. The
point of the pyramid is labelled Secret, the larger section underneath is Confidential, below that is
Internal only and below that is Unrestricted.
Where you create and/or own a piece of information, you must apply the correct Classification to
ensure that it is dealt with correctly by others authorised to see it. Classification is the process of
identifying, classifying and labelling information to ensure that it is handled, distributed, stored and
disposed of in accordance with its criticality and sensitivity.
Failure to classify and handle information correctly could lead to potential data leakage or loss and
ultimately regulatory fines, reputational and financial damage as well as disciplinary proceedings or
contract termination.
A PDF of how to classify and label information is also available to download and print here.
The contents are also available in this section of this workbook.
Secret
This Classification applies to Information Assets for which unauthorised disclosure (internally
or externally) may cause serious financial or reputational damage, significant loss of
competitive advantage, or regulatory sanction or legal action.
Some Information Assets may only be 'Secret' for a short period of time. Annual results, for example,
will be classified as 'Secret' prior to board approval and will then become 'Unrestricted' once published
in the public domain.
Specific labelling requirements:
Hard copy assets must carry a visible Classification label on every page
Envelopes containing Hard copy assets must carry a visible Classification label on the
front and be sealed with a tamper-evident seal. They must be placed inside an unlabelled
secondary envelope prior to distribution
Electronic assets must carry an obvious Classification label; multi-page documents must
carry a visible Classification label on every page.
Confidential
This Classification applies to Information Assets which are exclusive to Barclays or related to
a sensitive business process and to which access by all employees is not necessary or
appropriate.
Access to these Information Assets is only required by those with a 'need to know' to fulfil their
responsibilities. This information may have a negative impact if it were disclosed to unauthorised
personnel either internally or externally. Customer Information Assets must always be classified as at
least 'Confidential'. Never share customer information with anyone, including the customer, unless
you are authorised to do so and where it is a responsibility of your role.
Specific labelling requirements:
Hard copy assets must be given a visible Classification label; at a minimum the label must
be on the title page and should preferably be included in the footer of each page
Envelopes containing Hard copy assets must carry a visible Classification label on the
front
Electronic assets must carry an obvious Classification label; multi-page documents must
carry a visible Classification label on every page.
Internal Only
This Classification applies to Information Assets related to Barclays' internal operations, non-confidential
information, internal communications, and general communications that are appropriate for distribution
throughout the organisation.
This information would not typically have any significant impact or consequences for Barclays, its
customers, or its business partners if disclosed to unauthorised persons, but could provide knowledge
of Barclays' internal operations that may not be appropriate for non-employees.
'Internal Only' information may only be sent outside the organisation where appropriate (e.g. to third
parties where work has been outsourced) if authorisation from the Information Asset owner has been
acquired.
Specific labelling requirements:
Hard copy assets must be given a visible Classification label when circulated; at a minimum
the label must be on the title page and should preferably be included in the footer of each
page
Electronic assets must carry an obvious Classification label.
Unrestricted
This Classification applies to Information Assets that are already publicly available or have been
authorised for public disclosure. Their disclosure has no negative impact or consequences for
Barclays, its customers or its business partners.
Unrestricted information does not require any label to be applied to Hard copy or Electronic assets.
Page 16
Classification Conundrum
You have been asked to classify the following Information Assets by your line manager.
State which classification each of the documents below should have and then check the feedback on
the next page to see how many you classified correctly.
PDF: Classifying information - How to guide. This table explains the examples and labelling requirements for each Classification.

Classification: Secret
Examples: Profit forecasts or annual results (prior to public release); Information on potential mergers or acquisitions; Market- or price-sensitive disposals or restructuring documentation
Labelling: Classification label, including labels within each page of multi-page documents.

Classification: Confidential
Examples: Customer/client information; New product plans; Client contracts; Audit findings and reports; Legal contracts; Performance appraisals; Staff remuneration and personal information
Labelling: Envelopes containing Confidential information must have a visible Classification label on the front. Electronic information must have an obvious Classification label, including labels within each page of multi-page documents.

Classification: Internal Only
Examples: Policies and standards; Process documents; Internal announcements; Staff handbook; Newsletters; Internal communications that do not contain Confidential information

Classification: Unrestricted
Examples: Marketing materials; Job advertisements; Public announcements; Publicly-accessible websites
Labelling: n/a
Answers
Secret:
Confidential: Legal contracts; Performance appraisals
Internal Only:
Unrestricted:
Page 17
Can you assist Andrew?
Andrew has drafted a new policy for employees that is in the process of being reviewed and signed
off by a small group of senior colleagues within the Bank. Due to the content of the material, he
classified the draft as 'Confidential'.
The content has now been finalised and signed off and Andrew is preparing the material for
distribution to all employees within the Bank.
Andrew asks you how he should classify the final version. What is your advice?
Choose one option and then check the feedback on the next page to see the answer.
Secret
Confidential
Internal Only
Unrestricted
Feedback
The correct advice is that it should be classified as Internal Only.
Information Assets may change over time and, as a result, the Classification of an Information Asset
may change. You must be alert to this and remember to ensure that the Classification is changed
accordingly so that the Information Asset is neither under nor over protected.
Page 18
Handling information
Regardless of the Classification of the information you handle as part of your job, you have been
provided with the tools e.g. systems, secure email options (where available), to communicate and
store it. It is important that you use only these tools and follow any security procedures.
If you are responsible for new applications or systems (build, development etc.) being deployed into
Barclays, please engage with your Business Unit/local IRM team or IRM/RM Champion/Coordinator
during each phase of development to ensure that Information Risks have been addressed prior to go-live.
We will look at the handling requirements next.
Page 19
Sharing and distributing information
All Information Assets must only be shared and distributed using Barclays approved systems and
applications e.g. Outlook, shared drives.
Information Assets must only be provided to people employed by or under an appropriate contractual
obligation to Barclays and specifically authorised to receive them.
Additional specific controls for Secret and Confidential Information Assets:
Printing must be retrieved immediately from the printer. If this is not possible, secure printing
tools must be used
Must not be faxed unless the sender has confirmed that the recipients are ready to receive
the information
Electronic information must be encrypted using an approved cryptographic protection
mechanism when in transit outside the Barclays internal network.
Page 20
Storing Information
You must only use Barclays approved systems and applications to store Information Assets e.g.
Shared drives.
Hard copy and Electronic assets must be stored where only authorised people can access them.
Additional Secret and Confidential controls
In addition to the above, Electronic Secret and Confidential Information Assets must be protected
through encryption or appropriate compensating controls if there is a significant risk that unauthorised
people may be able to access them.
Page 21
Disposing of information
All Hard copy Information Assets must be disposed of using Confidential waste facilities e.g.
confidential waste bins/services and shredders.
Copies of Electronic assets must also be deleted from system recycle bins or similar facilities in a
timely manner (refer to the Records Management Disposal requirements).
Additional Secret control
Media on which Secret Electronic assets/information have been stored must be securely wiped prior
to, or during, disposal, to ensure the information cannot be reconstructed. For secure destruction
contact your local IT or local facilities management.
A PDF of how to handle information is also available to download and print.
The contents are available below.
Know how to handle information

Unrestricted
There are no additional requirements around storage/distribution or disposal.

Internal Only
Share: only with Barclays colleagues (all colleagues).
Distribute: Barclays supplied systems.
Store: Barclays supplied systems.
Destroy: hard copy - always use Confidential waste bins; electronic copy - delete from the Recycle bin.

Confidential
Share: only with colleagues that have a genuine business need to see the information. Use secure
printing whenever possible and make sure that no one without authorisation to view the information
can do so as a result of your actions.
Distribute: Barclays supplied systems; labelled envelope; encrypted electronic external communications.
Store: locked drawers/cabinets; encrypted portable and removable media. Never store Confidential
information on laptops, removable media etc. unless you are sure they are encrypted.
Destroy: hard copy - always use Confidential waste bins; electronic copy - delete from the Recycle bin.

Secret
Share: only with named individuals. Documents must be printed using secure printing tools. If someone
offers to share Secret information with you that you are not authorised to see, refuse.
Distribute: Barclays supplied systems; double envelope (internal Secret, external blank): envelopes
containing Secret information must carry a visible Classification label on the front and be sealed
with a tamper-evident seal, and must be placed inside an unlabelled secondary envelope prior to
distribution; encrypted electronic external communications.
Store: locked drawers/cabinets; encrypted portable and removable media. Never store Secret
information on laptops, removable media etc. unless you are sure they are encrypted.
Destroy: hard copy - always use Confidential waste bins; electronic copy - delete from the Recycle bin.
Page 24
Working remotely and in dynamic workspaces
You must always ensure that you have the appropriate approval for working away from the office and
you must always comply with the Group Acceptable Use Dos and Don'ts Procedures, which can be
found on the IRM Group Risk intranet here.
[web address: http://teams.barclays.intranet/sites/groupirm/SitePages/Governance,%20Risk%20and%20Control.aspx]
Only work remotely if you are able to use Barclays approved remote access technology and ensure
that any portable storage media are encrypted.
Be aware of the risks of taking equipment and documents to public places and ensure you take
everything with you before you leave.
Further guidance:
It is important to be conscious of your environment (e.g. in coffee shops and when travelling)
and who might be able to see your documents (including family and friends), your screen, you
entering your password or even overhear your conversations
Do not leave your laptop, phone, or documents unattended or on display; keep them secure
at all times including whilst travelling and carry them as hand luggage if flying
Always keep your remote access token, passcode and laptop separate from one another
Only take paper copies of documents off Bank premises where this is necessary, limit the
information being transported to what is required, and return this to a Bank site as soon as
possible
Documents should not be stored at home and should be brought back to the office for secure
disposal.
Page 25
Portable devices
As technology evolves, we are utilising a wider variety of mobile electronic devices for business use,
such as laptops, smartphones and tablets.
The loss or theft of these portable devices could lead to the unauthorised disclosure of information.
You are responsible for protecting devices under your control from loss or theft and for using them in
accordance with the Group Acceptable Use Dos and Don'ts Procedures, which can be found on the
IRM Group Risk intranet.
[web address: http://teams.barclays.intranet/sites/groupirm/SitePages/Governance,%20Risk%20and%20Control.aspx]
Contact your IT Help Desk as soon as you become aware that a portable device has been lost or
stolen.
Can you guess how many laptops go missing from UK businesses every year?
A recent report by Sony VAIO estimated that a million laptops go missing each year, with one in four
UK businesses reporting that laptops had been lost or stolen in the previous 12 months.
Page 26
Emails
Do not send Internal Only, Confidential, or Secret information to your own or any personal email
address such as Hotmail, Gmail, etc. The only exception to this is where this is formally approved as
part of a recognised business process and the information is encrypted.
Email traffic is monitored, investigated and escalated in line with applicable laws and business rules.
It is your responsibility to ensure that you only email information to individuals that are authorised to
see it using the appropriate level of security.
Outlook
Do not attach Secret or Confidential documents to your Outlook calendar invitations, as anyone who
has access to your calendar can view these.
Guidance on checking recipients' names:
With over 140,000 employees in Barclays, some people may share the same name, therefore ensure
that when selecting the recipient of your email you choose the correct person.
Make sure when using Distribution Lists in Outlook that you select the correct one and ensure they
are kept up to date.
If you don't take care with your outgoing email, regardless of how good your intentions, you could be
exposing the organisation and yourself to the risk of data loss and its consequences.
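The email rules on this page (the label in the subject line must match the classification of the attachments, nothing above Unrestricted goes to a personal address unless a recognised business process approves it and the content is encrypted, Confidential and Secret content must be encrypted in transit outside the network, and no Confidential or Secret attachment on a calendar invitation) can be checked mechanically on outgoing mail. The script below is an added example, not Barclays' mail filtering: it runs those rules over a few constructed messages. The personal-mail domain list, the placeholder corporate domain and the message fields (`encrypted`, `approved_process`, `calendar_invite`) are assumptions made for the example.

```python
"""Outbound-email classification check (added example, not Barclays' DLP).

A message is a dict with a subject, recipients, optional attachments (whose text
carries the footer label this page describes) and flags for encryption, an approved
business process and whether it is a calendar invitation. All inputs below are
constructed; the domain lists are assumptions for the example.
"""
import re

LEVELS = ["Unrestricted", "Internal Only", "Confidential", "Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}
CANON = {name.lower(): name for name in LEVELS}
PERSONAL_DOMAINS = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com"}  # assumed list
CORPORATE_DOMAIN = "example-bank.test"                                        # placeholder

LABEL_RE = re.compile(r"\b(Secret|Confidential|Internal Only|Unrestricted)\b", re.IGNORECASE)


def label_of(text):
    """Highest classification label found in the text; Unrestricted if none is present."""
    best = "Unrestricted"
    for match in LABEL_RE.finditer(text):
        name = CANON[match.group(1).lower()]
        if RANK[name] > RANK[best]:
            best = name
    return best


def check_message(msg):
    """Return a list of findings for one outbound message; an empty list means it may be sent."""
    findings = []
    subject_label = label_of(msg["subject"])
    attach_labels = [label_of(a["text"]) for a in msg.get("attachments", [])]
    # The message is as sensitive as its most sensitive part, whatever the subject says.
    effective = max([subject_label, *attach_labels], key=lambda name: RANK[name])

    if RANK[subject_label] < RANK[effective]:
        findings.append(f"subject labelled {subject_label} but content is {effective}")

    if effective != "Unrestricted":
        for rcpt in msg["recipients"]:
            domain = rcpt.rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_DOMAINS:
                if not (msg.get("approved_process") and msg.get("encrypted")):
                    findings.append(f"{effective} content to personal address {rcpt}")
            elif domain != CORPORATE_DOMAIN:
                if RANK[effective] >= RANK["Confidential"] and not msg.get("encrypted"):
                    findings.append(f"{effective} content leaving the network unencrypted to {rcpt}")
                if effective == "Internal Only" and not msg.get("owner_authorised"):
                    findings.append(f"Internal Only content to {rcpt} without owner authorisation")

    if msg.get("calendar_invite") and any(RANK[l] >= RANK["Confidential"] for l in attach_labels):
        findings.append("Confidential/Secret attachment on a calendar invitation")
    return findings


# Constructed sample traffic.
MESSAGES = [
    {"subject": "Internal Only: Q3 planning deck", "recipients": ["j.smith@example-bank.test"],
     "attachments": [{"name": "deck.pptx", "text": "Q3 plan ... footer: Confidential"}]},
    {"subject": "Secret: board pack", "recipients": ["me@gmail.com"], "encrypted": False},
    {"subject": "Confidential: statement", "recipients": ["client@partner.test"], "encrypted": True,
     "attachments": [{"name": "statement.pdf", "text": "Confidential"}]},
    {"subject": "Team lunch", "recipients": ["all@example-bank.test"]},
    {"subject": "Invite: pricing review", "recipients": ["x@example-bank.test"], "calendar_invite": True,
     "attachments": [{"name": "pricing.xlsx", "text": "Secret"}]},
]

if __name__ == "__main__":
    for msg in MESSAGES:
        print(msg["subject"], "->", check_message(msg) or "ok")
```

The check derives the effective classification from the most sensitive part of the message rather than trusting the subject line, which is the point of the labelling rule: a subject marked Internal Only with a Confidential attachment is under-labelled and is reported as such before the recipient rules are applied.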
Page 27
Conference calls
Conference calls are not always considered a medium for data leakage; however,
uninvited/unauthorised individuals can access the call if they have the conference code and may gain
knowledge of sensitive information.
Audio accounts are only issued to individuals and not teams; this ensures a named individual is
responsible for the service. An individual can have multiple audio conferencing accounts, which they
may share with others, however, that individual remains the owner.
Guidance on conference calls:
If you are the owner of an audio account and/or lead conference calls using the leader code ensure
that you:
Do not include your leader code in meeting invitations, only provide the conference code
Know who is on the call i.e. only the individuals invited/authorised to attend the call
If you have reason to believe that someone has joined a call where sensitive information will
be discussed e.g. they have not provided their name, then close the call and re-schedule the
call with new conference codes
Review the distribution list of the meeting invitation prior to sending a new conference code
Regularly review meeting distribution lists to ensure the participant list is up to date
Page 30
Social Media
Just as with traditional media, we have an opportunity - and a responsibility - to effectively manage
Barclays' reputation online. Any content posted on social media, including using social media as a
tool as part of a business process must be compliant with relevant policies, regulations and with any
guidelines that apply.
The Barclays Social Media Knowledge Hub outlines the processes to follow when setting up a new
social media presence and provides guidelines for Personal and Professional use.
[web address: http://groupspaces.intranet.barclays.co.uk/sites/smedia/default.aspx]
If you are in any doubt seek clarification from your line manager, your Business Unit Social Media
team and/or your Business Unit Media Relations team.
Remember that content you post which negatively impacts Barclays, our customers or third parties
with whom we do business, may result in disciplinary action, regardless of whether the content was
posted in a personal or professional capacity.
Page 31
The Internet, chat and web forums
The Internet contains a wealth of information, however, don't be lured into visiting inappropriate
websites. Most sites hold some information about their visitors and therefore may detect and record
information about you.
Barclays uses monitoring software that tracks employee Internet usage.
Regulatory agencies consider interactive communications, such as online chat and interactive web
forums, to be electronic communications, and therefore require controls in relation to this content.
Do not discuss business-related content via such communication systems. Where you use them in a
personal capacity, remember, if you identify yourself as a Barclays employee you must not suggest
that your personal views are also the views of the firm.
Page 32
Social Engineering
Social Engineering is where someone external to Barclays tries to manipulate an employee into
providing information or unauthorised access to systems.
Never provide information (including client or employee names, titles, coverage areas, telephone
numbers, reporting lines and email addresses) over the telephone or by email unless you are sure of
the enquirer's identity and the validity of their request.
This information can be used to perpetrate fraud or be used to gain competitive advantage.
Acceptable Use Dos and Don'ts
For additional guidance and support see the Acceptable Use Dos and Don'ts Procedures on the
IRM Group Risk intranet.
[web address: http://teams.barclays.intranet/sites/groupirm/SitePages/Governance,%20Risk%20and%20Control.aspx]
No matter what the format, the Barclays Records Management requirements apply equally to all.
Page 35
Classes of Records
Barclays has two classes of Records:
Relevant Records
Relevant Records are Records which must be created, retained, and managed to comply with specific
legal, regulatory, or business requirements.
Examples include:
Non-Relevant Records
Non-Relevant Records are Records which are created, retained and managed for information value or
for convenience purposes and do not meet the definition of a Relevant Record.
Examples include:
Page 36
Records Management
Image description: Diagram which shows a ring divided into four segments, surrounding a circle also
divided into four segments. The ring contains labels for the stages of Records Management, and the
segments within the ring give a bit more information on what each of the labels means.
Records Management is the way we identify, retain, retrieve and dispose of/destroy information in the
form of 'Records'.
We will now explore these four stages of Records Management.
Page 37
Stage 1 - Identification
Each team must have their Relevant Records identified and indexed on a Business List of
Records (BLoR), which must be reviewed by the 'owner' at least annually and approved by a member
of management after each review.
A BLoR will help you to:
Know what Relevant Records your business area holds and where they can be found
Know which category (bucket) each Relevant Record belongs to
Know the Classification of your Relevant Records
Know which Country Records Retention Schedule relates to your Relevant Records
Know how long your Relevant Records should be retained
Duplicates/copies of Relevant Records do not need to be recorded on your BLoR. However, if the
duplicate/copy is used to create a new Relevant Record, the new Record should be recorded on the
BLoR.
Your Records Management (RM)/Information Risk Management (IRM) Champion/Coordinator can
confirm where your BLoR is stored as well as help you to ensure that your team's records are listed.
Page 38
Stage 2 - Retention
Records are retained to ensure compliance with regulation, legal and business requirements,
guaranteeing they are available for future use.
It is important to remember that there are legislative reasons and business rules for keeping records
that are explicit, specific and define what we keep and why.
Each country in which Barclays operates has its own Country Records Retention Schedule.
A Country Records Retention Schedule is a summary of record-keeping requirements which Barclays
must comply with in that specific country, and is based on the underlying law and regulations. These
should be used to determine the Retention Period for Relevant Records. The most up to date Country
Records Retention Schedules must always be used. To access the Country Records Retention
Schedules go to the IRM Group Risk intranet.
[web address: http://teams.barclays.intranet/sites/groupirm/Country%20Records%20Retention%20Schedules/Forms/AllItems.aspx]
Page 39
Failure to retain records
Failure to retain and produce records in accordance with the relevant Country Records Retention
Schedule can result in severe reputational damage or direct financial impact to Barclays. For example
as a result of:
Page 40
Managing authenticity and integrity
When considering how records are retained and stored it is important to maintain controls to ensure
that they are:
Accessible
Usable
Readable
Page 41
Managing retention
It is essential to manage record retention in line with Barclays Policy at all times.
There may be circumstances where the usual procedures are suspended, most likely as a result of a
Disposal Hold instructed by our Legal Department.
You must comply immediately and completely with any instruction to suspend the usual record
retention process.
A Disposal Hold can apply to both Relevant and Non-Relevant Records.
You should also be aware that Non-Relevant Records are discoverable and may end up as court
evidence; it is therefore important that they are kept to a minimum and destroyed regularly, in line
with policy.
Disposal Holds
A 'Disposal Hold' is a notice issued by the Barclays Legal team for one or a number of
Business Units, or Group wide, to temporarily suspend the destruction of specific records, or
series of records.
The Disposal Hold is mandatory and is issued to ensure that documents relevant to a known or
anticipated legal action or regulatory investigation are preserved and retained. You must not destroy
any records that are identified as subject to a hold.
When advised of a Disposal Hold notice, all records covered by the Disposal Hold must be identified,
located, and withheld from destruction in accordance with the requirements of the Disposal Hold
notice.
Upon receipt of legal authorisation to lift a Disposal Hold, business as usual retention periods must be
reapplied within 6 months, so long as no other Disposal Hold applies.
Good storage management
The key elements of good storage management are summarised below.
Secure storage
You must always ensure that records are stored securely. Physical and Electronic Records should be
indexed appropriately for ease of retrieval, and should at all times be stored and handled so that they
are accessible only to authorised individuals.
Filing
You should file records in a logical structure that enables you to easily find the record you are looking
for.
Access
If you do not need regular access to your record, consider sending Physical Relevant Records to an
appropriate storage provider.
Think about the purpose of the Relevant Record and why you need to keep it. Believe it or not, cups
have been found in storage boxes - these are not Relevant Records!
Cost
Physical storage is a cost to Barclays, so make sure you use it effectively.
Stage 3 - Retrieval
Relevant Records are listed on the BLoR. We must be able to retrieve them when needed. This may
be in response to business as usual queries or legal/regulatory challenges.
You should store a record in a manner that means if we must retrieve it, we can do so.
You should make sure records are retrievable within applicable timescales. Please note that some
Business Units may have retrieval requirements that are shorter than those listed below:
Electronic Relevant Records
Stage 4 - Disposal
Records that reach the end of their Retention Period should be destroyed.
Non-Relevant Records must be reviewed for disposal at least every 12 months, except where a
Disposal Hold notice applies.
Relevant Records must be destroyed within 6 months of the retention expiry date, except where a
Disposal Hold notice applies.
There are many reasons not to retain records beyond their required Retention Period, including
compliance with the Data Protection Act, Data Privacy legislation, business rules and not least simply
avoiding incurring unnecessary cost.
When your record is ready for deletion or destruction, it is important that this is done securely
so that information does not get into the wrong hands.
Corporate Banking and Investment Banking colleagues ONLY must obtain formal approval to destroy
records in accordance with their business Records Management Policy - please contact your RM/IRM
Champion/Coordinator for details.
Take care when deleting or destroying Non-Relevant Records to ensure that you do not inadvertently
dispose of records that must be retained.
Scheduled destruction of records that are no longer required for legal or operational reasons is an
essential component of good Records Management.
As an alternative to destruction, certain Relevant Records may be transferred to Barclays Group
Archive for permanent preservation. Where applicable/available in your country please refer to the
Group Archives Policy for guidance.
The benefits of good Records Management
Managing our records benefits our customers, colleagues and Barclays. It is our aim to make sure our
customers view us as professional and trust us to protect their information.
As a company we benefit from a reduced risk of regulatory fines, a lower risk of reputational damage
and reduced storage costs, and you benefit from higher productivity because you no longer waste time
searching for documents.
Misuse of information - e.g. a former colleague taking customer records with them on leaving
the Bank in order to contact them in a new role
Unauthorised disclosure or loss of information - e.g. an unencrypted laptop being lost or
stolen
The loss of an employee's briefcase will be regarded as an incident if it contained, for
example, documents with customer account details. If it only contained publicly available
information and personal belongings, it will not result in a threat to the Bank and it is not
considered an incident
Any incident relating to information, whether printed or electronic. This includes insecure
disposal or transfer of information, loss or theft of information, unauthorised disclosure or
leakage of information and unauthorised access to information
Unauthorised destruction of records; missing records or the inability to retrieve records
Disclosure of information to recipients who have no legal right to receive it, or where it is
transmitted without adequate security controls in place (e.g. encryption).
Reporting an Information Incident/Risk Event
Any Information Risk Event should be reported as soon as possible, following the Operational Risk
Event process.
An Information Incident/Risk Event should be raised regardless of whether or not there has been a
financial loss and even where a near miss has occurred.
If you're not sure, report it and let the relevant incident team decide on the appropriate action. It is
important to ensure that you receive confirmation that your Information Incident/Risk Event has been
recorded.
When reporting an Information Incident/Risk Event, you must provide as much information as
possible, including but not limited to:
Support
Our customers trust us with their information. It is everyone's responsibility to respect that trust and
ensure that their information is appropriately protected at all times.
As the 2nd Line of Defence, IRM Group Risk sets the Policy requirements for managing Information
Risk across Barclays.
The Business Unit IRM teams are the 1st Line of Defence, and you should contact them in the first
instance with any questions or concerns.
[web address: http://teams.barclays.intranet/sites/groupirm/SitePages/Raising%20issues%20and%20concerns.aspx]
Your RM/IRM Champion/Coordinator is there to support you with managing your information and
records effectively.
In order to complete this training you now need to achieve 80% in the assessment.
Assessment
Section 1: Information Risk Management
Classification categories
Question 3
Failure to classify and handle information correctly could lead to which of the
following?
A. Regulatory fines
B. Reputational damage
C. Disciplinary proceedings
D. Contract termination
Password security
Question 7 - Mandatory
Which of the following will help to keep your password secret?
A. Make it strong
B. Don't share it
C. Don't write it down
D. Don't let people see you type it
A customer transaction
IT configuration details
Performance plans
Minutes from a supplier contract review meeting
Information Owners
Question 11
The owner of an Information Asset is responsible for which of the following:
A. Assigning an appropriate Classification to each of their Information Assets,
in accordance with the IRM Policy
B. Reviewing the Classification of their Information Assets at least once every
12 months
C. Reviewing the Classification Information Assets each time the
circumstances of the asset change significantly.
Labelling information
Question 13 - Mandatory
Which of the following Classifications must be labelled where it is feasible and
appropriate to do so?
A. Unrestricted
B. Internal Only
C. Confidential
D. Secret
Classification categories
Question 14
You have written a colleague newsletter; which Classification must be applied and
how must 'Hard copies' be labelled at minimum?
A. Internal Only - Hard copies must be given a visible Classification label on
the title page at minimum, and preferably in the footer of each page
B. Internal Only - Hard copies must be given a visible Classification label on
each page
C. Confidential - Hard copies must have a visible Classification label on the
title page at minimum, and preferably in the footer of each page
D. Confidential - Hard copies must be given a visible Classification label on
each page
Classification categories
Question 15 Mandatory
What Classification must be applied to Customer Information Assets and how must
'Electronic assets' be labelled?
A. Confidential - Electronic assets must have an obvious Classification label
B. Confidential - Electronic assets, where appropriate and feasible, must
have an obvious Classification label, including labels within each page of
multi-page documents
C. Secret - Electronic assets must have an obvious Classification label
D. Secret - Electronic assets must have an obvious Classification label,
including labels within each page of multi-page documents
Classification categories
Question 16
What Classification must be applied to information regarding Barclays profit
forecasts and how must 'Envelopes containing Hard copy assets' be labelled?
A. Confidential - Envelopes must carry a visible Classification label on the
front
B. Confidential - Envelopes must carry a visible Classification label on the
front, be sealed with a tamper-evident seal and be placed inside an unlabelled
secondary envelope
C. Secret - Envelopes must carry a visible Classification label on the front
D. Secret - Envelopes must carry a visible Classification label on the front,
be sealed with a tamper-evident seal and be placed inside an unlabelled
secondary envelope
Storing information
Question 19
Which of the following are correct when Storing information classified as
'Confidential' and 'Secret'?
A. Barclays approved systems and applications must be used
B. Hard copy assets must be stored where only authorised people can access
them
C. Electronic assets must be stored where only authorised people can access
them
D. Electronic assets must be protected through encryption or appropriate
compensating controls
Disposing of information
Question 20
Which of the following are correct when Disposing of information classified as
'Internal Only', 'Confidential' and 'Secret'?
A.
B.
C.
D.
Overview
Question 21
When colleagues leave the office at the end of the day, they notice some
'Confidential' information left on the printer by another colleague. What should they
do?
A.
B.
C.
D.
Emails
Question 24 Mandatory
You have some work to do over the weekend and don't want to have to carry your
Barclays laptop home. You email the 'Confidential' documents to your personal
email account so that you can use your personal computer. Is this acceptable?
A. Yes, I'm using my personal time for company business so I am permitted to
send the documents to my personal email account and to use my own
equipment
B. No, 'Confidential' documentation must not be sent to personal email
accounts and personal equipment can only be used with Barclays
approved remote access technology
External media
Question 25
What are the two principles that you must adhere to when connecting to the
Barclays Wireless Network using a personal device?
A. Business communications can take place using any application provided
by the device
B. Business communications must only take place using Barclays supplied
secure applications
C. Any communication made outside of Barclays supplied secure applications
must only be personal and not business related
D. Any communication made outside of Barclays supplied secure applications
can be personal or business related
Classes of Records
Question 28
Which of the following are 'Relevant Records'?
A.
B.
C.
D.
Stage 1 Identification
Question 29
Which of the following best describes the Business List of Records (BLoR)?
A.
B.
C.
D.
Stage 2 Retention
Question 30 Mandatory
Which of the following defines what records we must Retain?
A.
B.
C.
D.
Stage 3 Retrieval
Question 33 Mandatory
What are the correct Retrieval timescales for Electronic Relevant Records, and
Physical and archived Electronic Relevant Records?
A. Electronic Relevant Records within a period required by any applicable
legislative or statutory requirements or within 5 working days, whichever is
shorter
B. Physical and archived Electronic Relevant Records within a period
required by any applicable legislative or statutory requirements or within 15
working days, whichever is shorter
C. Electronic Relevant Records within a period required by any applicable
legislative or statutory requirements or within 15 working days, whichever
is shorter
D. Physical and archived Electronic Relevant Records within a period
required by any applicable legislative or statutory requirements or within 5
working days, whichever is shorter
Stage 4 Disposal
Question 34
Select the correct answer to complete this requirement: Relevant Records must be
destroyed within
A. 1 month of the retention expiry date
B. 4 months of the retention expiry date, except where a Disposal Hold notice
applies
C. 6 months of the retention expiry date, except where a Disposal Hold notice
applies
D. 12 months of the retention expiry date
Stage 4 Disposal
Question 35
Select the correct answer to complete this requirement: Non-Relevant Records
must be reviewed for disposal
A.
B.
C.
D.
Disposal Hold
Question 36 Mandatory
Which of the following are correct with regards to a 'Disposal Hold' notice?
A. They are issued by a Barclays Legal team for one or a number of Business
Units, or Group wide, to temporarily suspend the destruction of specific
records, or series of records
B. They are mandatory
C. They are issued to ensure that documents relevant to a known or
anticipated legal action or regulatory investigation are preserved and
retained
D. Records identified under a hold must not be destroyed
END OF COURSE