Global Information Risk Management

Table of Contents
Global Information Risk Management ................................................................................................. 1
Logical Access Management (LAM) .................................................................................................... 2
Information Classification and Handling .............................................................................................. 4
Preventing Loss and Leakage of information ................................................................................... 14
Using other media ............................................................................................................................. 17
Records Management ....................................................................................................................... 18
How to Report Information Incidents/Risk Events ............................................................................. 25
Summary ........................................................................................................................................... 26
Assessment ....................................................................................................................................... 27

Page 1: Global Information Risk Management


Page 2
Welcome
This course provides you with knowledge about Information Risk Management (IRM).
It will take approximately 45 minutes to complete.
The course has a brief introduction and six chapters:

Logical Access Management (LAM)
Information Classification and Handling
Preventing loss and leakage of information
Using other media
Records Management
Information Incidents/Risk Events.

At the end of the course, there is an assessment with a pass mark of 80%.

Page 3
Consequences
Barclays creates and handles large volumes of information every day. Imagine for a moment the
consequences of misusing, inappropriately disclosing or losing that information. We can all recall
newspaper headlines about such incidents.

Internal Only

Example
In 2013, Richard Joseph was convicted of six counts of conspiracy to deal as an insider and was
sentenced to four years on each count, which will be served concurrently. Joseph, a former futures
trader, was provided with confidential and price-sensitive information by Ersin Mustafa, a print room
manager at JP Morgan Cazenove. The Mergers and Acquisitions information was placed on file-sharing sites and used to make spread bets on share price movements.
Source: https://www.fca.org.uk/news/insider-dealers-ordered-to-pay-32m-in-confiscation
Misuse, inappropriate disclosure, or loss of information can lead to reputational and financial damage
to Barclays. We all have a responsibility to ensure that the information we deal with on a day to day
basis is handled responsibly in accordance with Barclays' policies and procedures to minimise the risk
of it being compromised.

Page 4
Information Risk Management
Information is an essential business asset for Barclays and we are committed to protecting
information throughout its lifecycle in line with the following three factors:

The value of the information
The sensitivity of the information
The risks it could be exposed to.

We must also manage information and records in line with legal, regulatory and contractual
arrangements.

Page 5: Logical Access Management (LAM)


Page 6
Protecting and managing access
During your employment with Barclays, you are given permissions to systems and applications which
provide you with the ability to access information to enable you to do your job.
Your user account is unique to you, and you are held accountable for all activity carried out by it. It is
protected by a username and password that only you should know, and your level of access is
granted based on the principle of least privilege, i.e. the minimum access that you require to get the
job done.
Once approved and granted, your access will be reviewed periodically to ensure that it is still
appropriate for your role.
Here are some things that you can do to help ensure your access to information remains
appropriate:

If you have access that you do not need to do your job, you should discuss it with your line
manager so that the appropriate steps can be taken to address any adjustments that are
needed
If you are a line manager, you are responsible for ensuring that system and application
access is adjusted or removed when someone changes roles or leaves your team/business. It
is important that you raise the relevant requests promptly to ensure that they can be
processed in a timely manner, and ensure any equipment provided to the person is
surrendered to you upon exit
As a line manager you must record all known leavers in the HR system (MyHR Portal) at the
earliest opportunity and no later than the leaver's last day in the office, to ensure the
termination of the individual's access rights for Barclays systems and buildings. Where MyHR
Portal is not deployed or its functionality is not operating, line managers should adhere to local
arrangements or notify HR no later than the last day in the office to ensure removal of all access
rights from Barclays systems
If you are a line manager, application owner or other delegated authorised approver, you will
be required periodically to recertify colleagues' access. Consideration must be given to
combinations of access permissions within a system and between systems to ensure
segregation of duty requirements are met.
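Two of the line-manager duties above, removing a leaver's access by their last day and checking for conflicting combinations of permissions within and between systems at recertification, can be reconciled automatically from an HR leaver extract and each application's account export. The script below is an added example written for this page, not a Barclays tool: the leaver extract, the per-system account lists, the entitlement names and the segregation-of-duty rules are constructed sample data with assumed field names, and in practice they would be fed from the HR system and each application's access report.

```python
"""Leaver reconciliation and segregation-of-duties (SoD) check for an access
recertification. Added example, not Barclays code: all data below is
constructed, and the field and entitlement names are assumptions."""
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed HR leaver extract: employee id -> last day in the office.
HR_LEAVERS: Dict[str, date] = {
    "E1001": date(2024, 3, 29),
    "E1002": date(2024, 4, 5),
}

# Constructed account exports, one list per system:
# (employee id, account status, entitlements held).
SYSTEM_ACCOUNTS: Dict[str, List[Tuple[str, str, Set[str]]]] = {
    "payments": [
        ("E1001", "active", {"payment.create"}),
        ("E1003", "active", {"payment.create", "payment.approve"}),
        ("E1004", "active", {"payment.create"}),
    ],
    "hr": [
        ("E1002", "disabled", {"employee.read"}),
        ("E1004", "active", {"payroll.edit"}),
    ],
    "building_access": [
        ("E1001", "active", {"site.london"}),
    ],
}

# Toxic combinations that must not sit with one person, whether the
# entitlements live in one system or across several (assumed SoD rules).
SOD_RULES: List[Tuple[Set[str], str]] = [
    ({"payment.create", "payment.approve"}, "create and approve own payments"),
    ({"payment.create", "payroll.edit"}, "raise payments and edit payroll"),
]


def stale_leaver_accounts(today_iso: str) -> List[Tuple[str, str]]:
    """Return (system, employee id) for every account that is still active
    after the leaver's last day. Accounts disabled in time, and leavers whose
    last day has not yet passed, are not reported."""
    today = date.fromisoformat(today_iso)
    findings = []
    for system, accounts in SYSTEM_ACCOUNTS.items():
        for emp, status, _ in accounts:
            last_day = HR_LEAVERS.get(emp)
            if last_day is not None and status == "active" and today > last_day:
                findings.append((system, emp))
    return sorted(findings)


def entitlements_per_person() -> Dict[str, Set[str]]:
    """Flatten active entitlements across all systems per employee, so that
    combinations spanning systems are visible to the reviewer."""
    merged: Dict[str, Set[str]] = {}
    for accounts in SYSTEM_ACCOUNTS.values():
        for emp, status, ents in accounts:
            if status == "active":
                merged.setdefault(emp, set()).update(ents)
    return merged


def sod_conflicts() -> List[Tuple[str, str]]:
    """Return (employee id, rule description) for each violated combination."""
    conflicts = []
    for emp, ents in entitlements_per_person().items():
        for combo, description in SOD_RULES:
            if combo <= ents:  # every entitlement of the toxic pair is held
                conflicts.append((emp, description))
    return sorted(conflicts)


if __name__ == "__main__":
    for system, emp in stale_leaver_accounts("2024-04-08"):
        print(f"STALE  {emp} still active in {system} after last day")
    for emp, rule in sod_conflicts():
        print(f"SOD    {emp}: {rule}")
```

Run against the sample data, the leaver E1001 shows up as still active in two systems on 8 April, E1002 does not because the account was disabled, and E1004 is flagged even though no single system export would show a conflict: the toxic pair is split between the payments and HR systems, which is why the entitlements are merged per person before the rules are applied.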

Page 7
Password security
Your password protects you from others abusing your access.
Choose a password that is easy to remember but difficult to guess. Make your password of sufficient
length using upper and lower case letters as well as numbers and special characters (such as @ and
$).
Change your password frequently and not just when the system prompts you.
If you think that your password has been compromised, change it, report your concerns
immediately to the IT Helpdesk and report the incident (see the How to Report Information
Incidents/Risk Events section in this training).

1. Make it strong
2. Keep it secret
3. Don't share it
4. Don't write it down
5. Don't let people see you type it

For additional guidance, see the IRM LAM Standard.


[web address: http://teams.barclays.intranet/sites/groupirm/SitePages/Governance,%20Risk%20and%20Control.aspx]

Page 8
Shared folders and directories
Where you own folders and directories e.g. shared drives, shared mailboxes, SharePoint sites and
email public folders, you are responsible for reviewing the access permissions. You should ensure
that access permissions to these repositories are restricted to only those users authorised to see it.

Regularly review the access permissions - at least annually, or immediately when employees
leave or move positions
Ensure information is only accessible to those authorised to see it
If you have access to folders or directories that you do not need, you should advise the
owner/your line manager so that appropriate action can be taken
If you notice Secret or Confidential information in a shared repository that you would expect to
be restricted, you must advise the folder owner/your line manager immediately.


Page 9
End User Developed Applications (EUDA)
End User Developed Applications (EUDA) are tools or applications built using standard desktop
software (e.g. Microsoft Excel or Access) that are developed and managed outside the Technology
function, and automate or facilitate a business process on an on-going basis.
EUDAs usually contain complex formulas where the output is used for management decision-making
or financial reporting, and are considered business critical. Applications or tools may also be
considered EUDAs if they have an impact on Barclays' reputation.
Failure to identify and control EUDAs could result in financial loss or misstatement, reputational
impact, regulatory impact, legal challenges or disruption of business operations.
Colleagues using or developing EUDAs must ensure that they work within the defined controls as
stated in the Barclays EUDA Risk Management Policy.
For additional guidance see the Barclays EUDA Risk Management Policy.
[web address: http://teams.barclays.intranet/sites/groupirm/SitePages/Governance,%20Risk%20and%20Control.aspx]

Page 10: Information Classification and Handling


Page 11
What is an Information Asset?
An Information Asset is any information that has value to Barclays. It can be created or received in
any media format and processed, used or stored by us.
This includes, for example:

An application form
A customer profile
A transaction
A printed document
A report
Source Code
Network diagrams
IT configuration details.

Information Classification
Information Classification is the process of identifying, classifying, and labelling Information Assets
based on their value to Barclays, their sensitivity and associated risks.
There are four Classifications; Unrestricted, Internal Only, Confidential and Secret. You must apply
and use only these four defined Classifications to comply with the Barclays IRM Policy.
There are exceptional circumstances where alternative labelling is applied, for example, Strictly
Private and Confidential, and these must only be used by relevant colleagues. You must escalate the
use of these through your Business Unit/local IRM team or IRM/RM Champion/Coordinator for
approval, prior to implementing any alternative labelling.


Page 12
Labelling information
Information classified as Internal Only, Confidential and Secret needs to be labelled where it is
feasible and appropriate to do so.
This is to inform those that handle the information what the Classification is and how they need to
treat that information.
Documents
Documents should be labelled and you should be familiar with how to do this as part of your role. For
example, this will often be achieved by adding the appropriate Classification label, such as
'Confidential', in the footer of the page.
Information and data accessed through a customer application
This information and data might not be labelled in some cases, as it may not be feasible to do so.
However, the permissions and levels of access to these applications must be restricted to those
individuals that require it to do their job and by following the correct processes and procedures.
Emails
When you distribute information by email, you should ensure that the Classification label applied is
easily visible and replicates the Classification of the information within and/or documents attached.
The Classification can be applied in the Subject Line, as a heading or included in your email
signature.

Page 13
Information Asset Lifecycle
The Information Asset Lifecycle defines the various stages Information Assets pass through during
their existence:


Page 14
Information Owners
Information must be allocated an owner. Ownership will lie with the person/leader of the team who
created the information or the person who owns the process by which the information was created,
introduced or stored.
The owner of an Information Asset is responsible for classifying that information and ensuring that it is
handled correctly. Information Owners must:

Assign an appropriate Classification to each of their information assets, in accordance with
the IRM Policy. New information assets must be classified when they are created or
introduced.
Review the Classification of their Information Assets at least once every 12 months, and each
time the circumstances of the asset change significantly (for example, if the asset falls within
the scope of a new regulatory requirement).

Page 15
Classification categories


Image description: A pyramid with four sections, each labelled with an information classification. The
point of the pyramid is labelled Secret, the larger section underneath is Confidential, below that is
Internal only and below that is Unrestricted.
Where you create and/or own a piece of information, you must apply the correct Classification to
ensure that it is dealt with correctly by others authorised to see it. Classification is the process of
identifying, classifying and labelling information to ensure that it is handled, distributed, stored and
disposed of in accordance with its criticality and sensitivity.
Failure to classify and handle information correctly could lead to potential data leakage or loss and
ultimately regulatory fines, reputational and financial damage as well as disciplinary proceedings or
contract termination.
A PDF of how to classify and label information is also available to download and print here.
The contents are also available in this section of this workbook.
Secret
This Classification applies to Information Assets for which unauthorised disclosure (internally
or externally) may cause serious financial or reputational damage, significant loss of
competitive advantage, or regulatory sanction or legal action.
Some Information Assets may only be 'Secret' for a short period of time. Annual results, for example,
will be classified as 'Secret' prior to board approval and will then become 'Unrestricted' once published
in the public domain.
Specific labelling requirements:

Hard copy assets must carry a visible Classification label on every page
Envelopes containing Hard copy assets must carry a visible Classification label on the
front and be sealed with a tamper-evident seal. They must be placed inside an unlabelled
secondary envelope prior to distribution
Electronic assets must carry an obvious Classification label; multi-page documents must
carry a visible Classification label on every page.

Confidential
This Classification applies to Information Assets which are exclusive to Barclays or related to
a sensitive business process and to which access by all employees is not necessary or
appropriate.
Access to these Information Assets is only required by those with a 'need to know' to fulfil their
responsibilities. This information may have a negative impact if it were disclosed to unauthorised
personnel either internally or externally. Customer Information Assets must always be classified as at
least 'Confidential'. Never share customer information with anyone, including the customer, unless
you are authorised to do so and where it is a responsibility of your role.
Specific labelling requirements:

Hard copy assets must be given a visible Classification label; at a minimum the label must
be on the title page and should preferably be included in the footer of each page
Envelopes containing Hard copy assets must carry a visible Classification label on the
front
Electronic assets must carry an obvious Classification label; multi-page documents must
carry a visible Classification label on every page.

Internal only
This Classification applies to Information Assets related to Barclays' internal operations, non-confidential information, internal communications, and general communications that are
appropriate for distribution throughout the organisation.
This information would not typically have any significant impact or consequences for Barclays, its
customers, or its business partners if disclosed to unauthorised persons, but could provide knowledge
of Barclays' internal operations that may not be appropriate for non-employees.
'Internal Only' information may only be sent outside the organisation where appropriate (e.g. to third
parties where work has been outsourced) if authorisation from the Information Asset owner has been
acquired.
Specific labelling requirements:

Hard copy assets must be given a visible Classification label when circulated; at a minimum
the label must be on the title page and should preferably be included in the footer of each
page
Electronic assets must carry an obvious Classification label.

Unrestricted
This Classification applies to Information Assets that are already available or have been
authorised for public disclosure. Such information does not have a negative impact or consequences for
Barclays, its customers or its business partners.
Unrestricted information does not require any label to be applied to Hard copy or Electronic assets.

Page 16
Classification Conundrum
You have been asked to classify the following Information Assets by your line manager.
State which classification each of the documents below should have and then check the feedback on
the next page to see how many you classified correctly.
Documents (classify each as Secret, Confidential, Internal Only or Unrestricted):

An advertisement for a job at Barclays
Barclays staff names and directories
Barclays policy documents
Legal contracts
An unpublished Barclays profit forecast
Monthly Business Reviews prepared for Barclays EXCO
Publications available on the Barclays website
Performance appraisals

PDF: Classifying information How to guide
This table explains the definition, examples and labelling requirements for each Classification.

Secret
Definition: Information for which unauthorised disclosure (internally or externally) may cause
serious financial or reputational damage, significant loss of competitive advantage, or
regulatory sanction or legal action. Note: some information may only be considered Secret for
a short period of time.
Examples: Profit forecasts or annual results (prior to public release); information on potential
mergers or acquisitions; market- or price-sensitive disposals or restructuring documentation.
Labelling: Hard copies must be given a visible Classification label on each page. Secret
information must not be sent in single envelopes; an envelope labelled as Secret must be sent
within another envelope that is not labelled. Electronic information must have an obvious
Classification label, including labels within each page of multi-page documents.

Confidential
Definition: Intended for a limited distribution on a need to know basis, where the impact of
unauthorised disclosure (internally or externally) could be significant, including financial or
reputational risk.
Examples: Customer/client information; new product plans; client contracts; audit findings and
reports; legal contracts; performance appraisals; staff remuneration and personal information.
Labelling: Hard copies must have a visible Classification label on the title page as a minimum,
and preferably in the footer of each page. Envelopes containing Confidential information must
have a visible Classification label on the front. Electronic information must have an obvious
Classification label, including labels within each page of multi-page documents.

Internal Only
Definition: Intended for distribution within Barclays whether to just one, some, or all
colleagues. We would not want or need to publicise the information but the impact of
unauthorised disclosure (internally or externally) could be a financial or reputational risk if it
became public.
Examples: Policies and standards; process documents; internal announcements; staff
handbook; newsletters; internal communications that do not contain Confidential information.
Labelling: Hard copies must be given a visible Classification label on the title page as a
minimum, and preferably in the footer of each page. Electronic information must have an
obvious Classification label.

Unrestricted
Definition: Intended for the public, or zero impact if the information is made public.
Examples: Marketing materials; job advertisements; public announcements; publicly-accessible
websites.
Labelling: n/a

Answers
Secret
An unpublished Barclays profit forecast
Monthly Business Reviews prepared for Barclays EXCO
Confidential
Legal contracts
Performance appraisals
Internal Only
Barclays staff names and directories
Barclays policy documents
Unrestricted
An advertisement for a job at Barclays
Publications available on the Barclays website

Page 17
Can you assist Andrew?
Andrew has drafted a new policy for employees that is in the process of being reviewed and signed
off by a small group of senior colleagues within the Bank. Due to the content of the material, he
classified the draft as 'Confidential'.
The content has now been finalised and signed off and Andrew is preparing the material for
distribution to all employees within the Bank.
Andrew asks you how he should classify the final version. What is your advice?
Choose one option and then check the feedback on the next page to see the answer.
Secret
Confidential
Internal Only
Unrestricted


Feedback
The correct advice is that it should be classified as Internal Only.
Information Assets may change over time and, as a result, the Classification of an Information Asset
may change. You must be alert to this and remember to ensure that the Classification is changed
accordingly so that the Information Asset is neither under nor over protected.

Page 18
Handling information
Regardless of the Classification of the information you handle as part of your job, you have been
provided with the tools e.g. systems, secure email options (where available), to communicate and
store it. It is important that you use only these tools and follow any security procedures.
If you are responsible for new applications or systems (build, development etc.) being deployed into
Barclays, please engage with your Business Unit/local IRM team or IRM/RM Champion/Coordinator
during each phase of development to ensure that Information Risks have been addressed prior to go-live.
We will look at the handling requirements next.

Page 19
Sharing and distributing information
All Information Assets must only be shared and distributed using Barclays approved systems and
applications e.g. Outlook, shared drives.
Information Assets must only be provided to people employed by or under an appropriate contractual
obligation to Barclays and specifically authorised to receive them.
Additional specific controls for Secret and Confidential Information Assets:
Secret

Secure printing tools must be used when printing documents
Must not be faxed
Electronic information must be encrypted using an approved cryptographic protection
mechanism when in transit outside the Barclays internal network.

Confidential

Printing must be retrieved immediately from the printer. If this is not possible, secure printing
tools must be used
Must not be faxed unless the sender has confirmed that the recipients are ready to receive
the information
Electronic information must be encrypted using an approved cryptographic protection
mechanism when in transit outside the Barclays internal network.


Page 20
Storing Information
You must only use Barclays approved systems and applications to store Information Assets e.g.
Shared drives.
Hard copy and Electronic assets must be stored where only authorised people can access them.
Additional Secret and Confidential controls
In addition to the above, Electronic Secret and Confidential Information Assets must be protected
through encryption or appropriate compensating controls if there is a significant risk that unauthorised
people may be able to access them.

Page 21
Disposing of information
All Hard copy Information Assets must be disposed of using Confidential waste facilities e.g.
confidential waste bins/services and shredders.
Copies of Electronic assets must also be deleted from system recycle bins or similar facilities in a
timely manner (refer to the Records Management Disposal requirements).
Additional Secret control
Media on which Secret Electronic assets/information have been stored must be securely wiped prior
to, or during, disposal, to ensure the information cannot be reconstructed. For secure destruction
contact your local IT or local facilities management.
A PDF of how to handle information is also available to download and print.
The contents are available below.

PDF: Handling information How to guide
Know how to handle information

Share
Unrestricted: Can be shared with anyone, including the general public.
Internal Only: Only share with Barclays colleagues (all colleagues).
Confidential: Only share with colleagues that have a genuine business need to see the
information.
Secret: Only share with named individuals you are sure have been specifically authorised to
view the information (i.e. on an insiders list, or who have signed a Non-Disclosure Agreement).
If someone offers to share Secret information with you that you are not authorised to see,
refuse.

Distribute
Unrestricted: There are no additional requirements around storage/distribution or disposal.
Internal Only: Barclays supplied systems.
Confidential: Barclays supplied systems; labelled envelope. Use secure printing whenever
possible and make sure that no one without authorisation to view the information can do so as
a result of your actions.
Secret: Barclays supplied systems; double envelope (internal envelope labelled Secret, external
envelope blank). Envelopes containing Secret information must carry a visible Classification
label on the front and be sealed with a tamper-evident seal. They must be placed inside an
unlabelled secondary envelope prior to distribution. Documents must be printed using secure
printing tools.

Store
Unrestricted: No additional requirements.
Internal Only: Barclays supplied systems.
Confidential: Barclays supplied systems; locked drawers/cabinets for hard copy; encrypted
portable and removable media; encrypted electronic external communications. Never store
Confidential information on laptops, removable media etc. unless you are sure they are
encrypted.
Secret: As for Confidential. Never store Secret information on laptops, removable media etc.
unless you are sure they are encrypted.

Destroy
Unrestricted: No additional requirements.
Internal Only, Confidential and Secret: Always use Confidential waste bins. Hard copy:
Confidential waste. Electronic copy: delete from the Recycle bin.

Page 22: Preventing Loss and Leakage of information


Page 23
Overview
Information can be leaked accidentally as well as intentionally, and whilst Barclays has a number of
controls to prevent data loss, the most effective control is for you to be aware of the value of the
information you handle and treat it appropriately.
Be aware of your environment, position computer/laptop screens and documents to ensure others
unauthorised to see the information displayed cannot see it.
Information can be shared with authorised third parties but only as a result of a specific business
need. Do not share any information with a third party unless you have been specifically authorised to
do so as part of your role.
Useful guidance:

Use secure printing where possible
Never leave documents unattended on the fax, printer, or copier
Use confidential/secure waste bins or shredding for disposing of Internal Only, Confidential
and Secret information on Bank premises
Log off or lock your computer when leaving it unattended
Keep your desk clear - ensure information is not on display, especially when you leave at the
end of the day; keep all information, laptops and other devices safely locked away
Make sure you exercise due diligence when responding to requests for information.


Page 24
Working remotely and in dynamic workspaces
You must always ensure that you have the appropriate approval for working away from the office and
you must always comply with the Group Acceptable Use Dos and Donts Procedures, which can be
found on the IRM Group Risk intranet here.
[web address: http://teams.barclays.intranet/sites/groupirm/SitePages/Governance,%20Risk%20and%20Control.aspx]
Only work remotely if you are able to use Barclays approved remote access technology and ensure
that any portable storage media are encrypted.
Be aware of the risks of taking equipment and documents to public places and ensure you take
everything with you before you leave.
Further guidance:

It is important to be conscious of your environment (e.g. in coffee shops and when travelling)
and who might be able to see your documents (including family and friends), your screen, you
entering your password or even overhear your conversations
Do not leave your laptop, phone, or documents unattended or on display; keep them secure
at all times including whilst travelling and carry them as hand luggage if flying
Always keep your remote access token, passcode and laptop separate from one another
Only take paper copies of documents off Bank premises where this is necessary, limit the
information being transported to what is required, and return this to a Bank site as soon as
possible
Documents should not be stored at home and should be brought back to the office for secure
disposal.

Page 25
Portable devices
As technology evolves, we are utilising a wider variety of mobile electronic devices for business use,
such as laptops, smartphones and tablets.
The loss or theft of these portable devices could lead to the unauthorised disclosure of information.
You are responsible for protecting devices under your control from loss or theft and for using them in
accordance with the Group Acceptable Use Dos and Donts Procedures, which can be found on the
IRM Group Risk intranet.
[web address: http://teams.barclays.intranet/sites/groupirm/SitePages/Governance,%20Risk%20and%20Control.aspx]
Contact your IT Help Desk as soon as you become aware that a portable device has been lost or
stolen.
Can you guess how many laptops go missing from UK businesses every year?
A recent report by Sony VAIO estimated that a million laptops go missing each year, with one in four
UK businesses reporting that laptops had been lost or stolen in the previous 12 months.


Page 26
Emails
Do not send Internal Only, Confidential, or Secret information to your own or any personal email
address such as Hotmail, Gmail, etc. The only exception to this is where this is formally approved as
part of a recognised business process and the information is encrypted.
Email traffic is monitored, investigated and escalated in line with applicable laws and business rules.
It is your responsibility to ensure that you only email information to individuals that are authorised to
see it using the appropriate level of security.
Outlook
Do not attach Secret or Confidential documents to your Outlook calendar invitations, as anyone who
has access to your calendar can view these.
Guidance on checking recipients' names:
With over 140,000 employees in Barclays, some people may share the same name, therefore ensure
that when selecting the recipient of your email you choose the correct person.
Make sure when using Distribution Lists in Outlook that you select the correct one and ensure they
are kept up to date.
If you don't take care with your outgoing email, regardless of how good your intentions, you could be
exposing the organisation and yourself to the risk of data loss and its consequences.
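The labelling rule for emails on Page 12 (the label in the subject line must reflect the Classification of the content and attachments) and the rules on this page (no Internal Only, Confidential or Secret information to personal webmail; check who you are sending to) can be expressed as an outbound-mail check of the kind a mail gateway or DLP rule would run. The code below is an added example, not Barclays' own email or DLP tooling: the label syntax, the internal-domain and webmail-domain lists, the encryption flag standing in for the Page 19 requirement that Confidential and Secret information be encrypted in transit outside the network, and the sample messages are all assumptions or constructed data.

```python
"""Outbound email classification check. Added example, not Barclays tooling:
the label syntax, domain lists and sample messages below are assumptions."""
import re
from typing import Dict, List

# Ordered from least to most sensitive; the list index is the rank.
LEVELS = ["Unrestricted", "Internal Only", "Confidential", "Secret"]
RANK = {name.lower(): i for i, name in enumerate(LEVELS)}

# Assumed lists: the organisation's own mail domains and consumer webmail.
INTERNAL_DOMAINS = {"barclays.com", "barclays.co.uk"}
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}

LABEL_RE = re.compile(r"\b(unrestricted|internal only|confidential|secret)\b", re.I)


def label_of(text: str) -> int:
    """Rank of the highest classification label found in a subject line or a
    document's label text; unlabelled text is treated as Unrestricted (0)."""
    found = [RANK[m.lower()] for m in LABEL_RE.findall(text)]
    return max(found) if found else 0


def check_outbound(subject: str, attachments: Dict[str, str],
                   recipients: List[str], encrypted: bool) -> List[str]:
    """Return policy findings for one message. `attachments` maps a filename
    to the label text carried in that document (e.g. its footer)."""
    findings = []
    subject_rank = label_of(subject)
    # The message is as sensitive as its most sensitive part.
    content_rank = max([subject_rank] + [label_of(t) for t in attachments.values()])
    if subject_rank < content_rank:
        findings.append(
            f"subject label '{LEVELS[subject_rank]}' is below attached "
            f"content '{LEVELS[content_rank]}'")
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in INTERNAL_DOMAINS:
            continue
        if domain in PERSONAL_WEBMAIL and content_rank >= RANK["internal only"]:
            # Flagged regardless of encryption: the approval that would make
            # this an allowed exception cannot be inferred from the message.
            findings.append(
                f"{rcpt}: {LEVELS[content_rank]} information to personal webmail")
        elif content_rank >= RANK["confidential"] and not encrypted:
            findings.append(
                f"{rcpt}: {LEVELS[content_rank]} information leaving the "
                f"network unencrypted")
    return findings


if __name__ == "__main__":
    # Constructed sample message: unlabelled subject, Secret attachment,
    # one internal and one personal-webmail recipient.
    for finding in check_outbound(
            "Q3 numbers",
            {"forecast.docx": "Classification: Secret"},
            ["alice@barclays.com", "bob@gmail.com"],
            encrypted=False):
        print("BLOCK:", finding)
```

The check treats an unlabelled subject as Unrestricted rather than ignoring it, so a Secret attachment behind a neutral subject line is reported as a mislabel as well as a leakage risk; that is deliberate, because the subject label is what tells the recipient how to treat the message before they open anything.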

Page 27
Conference calls
Conference calls are not always considered a medium for data leakage; however,
uninvited/unauthorised individuals can access the call if they have the conference code and may gain
knowledge of sensitive information.
Audio accounts are only issued to individuals and not teams; this ensures a named individual is
responsible for the service. An individual can have multiple audio conferencing accounts, which they
may share with others, however, that individual remains the owner.
Guidance on conference calls:
If you are the owner of an audio account and/or lead conference calls using the leader code ensure
that you:

Do not include your leader code in meeting invitations, only provide the conference code
Know who is on the call i.e. only the individuals invited/authorised to attend the call
If you have reason to believe that someone has joined a call where sensitive information will
be discussed e.g. they have not provided their name, then close the call and re-schedule the
call with new conference codes
Review the distribution list of the meeting invitation prior to sending a new conference code
Regularly review meeting distribution lists to ensure the participant list is up to date

Internal Only

17

Page 28: Using other media


Page 29
External media
As well as ensuring that you apply the controls for handling and protecting information used and held
within Barclays systems and applications, you must also apply the relevant controls when using
external media.
If you connect to the Barclays Wireless Network using a personal device you must adhere to certain
principles when undertaking any form of electronic communication whether through email, instant
messaging, social media, text messaging, voice, video or similar form.
Principles:
Business communication must only take place using Barclays supplied secure applications (e.g. Good
For Enterprise) so that the communications are supervised and archived as they are subject to
regulatory requirements.
Any communications made outside of Barclays supplied secure applications must only be personal
and not business-related e.g. using Personal Email, Facebook, Twitter, Messaging, FaceTime or
similar applications.

Page 30
Social Media
Just as with traditional media, we have an opportunity - and a responsibility - to effectively manage
Barclays' reputation online. Any content posted on social media, including using social media as a
tool as part of a business process must be compliant with relevant policies, regulations and with any
guidelines that apply.
The Barclays Social Media Knowledge Hub outlines the processes to follow when setting up a new
social media presence and provides guidelines for Personal and Professional use.
[web address: http://groupspaces.intranet.barclays.co.uk/sites/smedia/default.aspx]
If you are in any doubt seek clarification from your line manager, your Business Unit Social Media
team and/or your Business Unit Media Relations team.
Remember that content you post which negatively impacts Barclays, our customers or third parties
with whom we do business, may result in disciplinary action, regardless of whether the content was
posted in a personal or professional capacity.

Page 31
The Internet, chat and web forums
The Internet contains a wealth of information, however, don't be lured into visiting inappropriate
websites. Most sites hold some information about their visitors and therefore may detect and record
information about you.
Barclays uses monitoring software that tracks employee Internet usage.


Regulatory agencies consider interactive communications, such as online chat and web forums, to be
electronic communications, and therefore require controls over this content.
Do not discuss business-related content via such communication systems. Where you use them in a
personal capacity, remember, if you identify yourself as a Barclays employee you must not suggest
that your personal views are also the views of the firm.

Page 32
Social Engineering
Social Engineering is where someone external to Barclays tries to manipulate an employee into
providing information or unauthorised access to systems.
Never provide information (including client or employee names, titles, coverage areas, telephone
numbers, reporting lines and email addresses) over the telephone or by email unless you are sure of
the enquirer's identity and the validity of their request.
This information can be used to perpetrate fraud or be used to gain competitive advantage.
Acceptable Use Dos and Don'ts
For additional guidance and support see the Acceptable Use Dos and Don'ts Procedures on the
IRM Group Risk intranet.
[web address: http://teams.barclays.intranet/sites/groupirm/SitePages/Governance,%20Risk%20and%20Control.aspx]

Page 33: Records Management


Page 34
What do we mean by a Record?
Simply put, a 'Record' is information kept in permanent form about facts, events, transactions or
opinions, which is generated by or on behalf of Barclays, including Third Parties, in carrying out its
activities.
The way in which records are managed must be consistent with the Barclays Group Information Risk
Management Policy. Failure to adhere to Policy can lead to reputational risks for Barclays with
possible fines or sanctions against the firm or accountable individuals.
Records are commonly created in many formats including:
Hard copies e.g. paper documents, files and microfiche
Electronic data e.g. databases and desktop documents
Electronic communications e.g. emails and internet pages.
No matter what the format, the Barclays Records Management requirements apply equally to all.


Page 35
Classes of Records
Barclays has two classes of Records:
Relevant Records are Records which must be created, retained, and managed to comply with specific
legal, regulatory, or business requirements.
Relevant Records
Examples include:
Barclays' policies and procedures
Invoices, financial statements
Transactions, orders, trade tickets
Customer product applications
Employee contracts
Legal case files.

Non-Relevant Records are Records which are created, retained and managed for information value or
for convenience purposes and do not meet the definition of a Relevant Record.
Non-Relevant Records
Examples include:
Personal paper notes
Convenience copies
Emails of no lasting value
Blank forms.


Page 36
Records Management

Image description: Diagram which shows a ring divided into four segments, surrounding a circle also
divided into four segments. The ring contains labels for the stages of Records Management, and the
segments within the circle give a little more information on what each of the labels means.

Records Management is the way we identify, retain, retrieve and dispose of/destroy information in the
form of 'Records'.
We will now explore these four stages of Records Management.
Identification: Know what you need to keep
Retention: Know how to keep records and how long to keep them
Retrieval: Know how to find/search what you have when you need it
Disposal: Know when your records should be destroyed


Page 37
Stage 1 - Identification
Each team must have their Relevant Records identified and indexed on a Business List of
Records (BLoR), which must be reviewed by the 'owner' at least annually and approved by a member
of management after each review.
A BLoR will help you to:

Know what Relevant Records your business area holds and where they can be found
Know which category (bucket) each Relevant Record belongs to
Know the Classification of your Relevant Records
Know which Country Records Retention Schedule relates to your Relevant Records
Know how long your Relevant Records should be retained

Duplicates/copies of Relevant Records do not need to be recorded on your BLoR. However, if the
duplicate/copy is used to create a new Relevant Record, the new Record should be recorded on the
BLoR.
Your Records Management (RM)/Information Risk Management (IRM) Champion/Coordinator can
confirm where your BLoR is stored as well as help you to ensure that your team's records are listed.

Page 38
Stage 2 - Retention
Records are retained to ensure compliance with regulation, legal and business requirements,
guaranteeing they are available for future use.
It is important to remember that there are legislative reasons and business rules for keeping records
that are explicit, specific and define what we keep and why.
Each country in which Barclays operates has its own Country Records Retention Schedule.
A Country Records Retention Schedule is a summary of record-keeping requirements which Barclays
must comply with in that specific country, and is based on the underlying law and regulations. These
should be used to determine the Retention Period for Relevant Records. The most up to date Country
Records Retention Schedules must always be used. To access the Country Records Retention
Schedules go to the IRM Group Risk intranet.
[web address: http://teams.barclays.intranet/sites/groupirm/Country%20Records%20Retention%20Schedules/Forms/AllItems.aspx]


Page 39
Failure to retain records
Failure to retain and produce records in accordance with the relevant Country Records Retention
Schedule can result in severe reputational damage or direct financial impact to Barclays, for example
as a result of:
1. Censure by local regulators
2. Financial penalties imposed by regulators or courts
3. Inability to evidence Barclays liabilities and defend or prosecute legal cases
4. Inability to satisfy regulatory enquiries.

Page 40
Managing authenticity and integrity
When considering how records are retained and stored it is important to maintain controls to ensure
that they are:
Accessible
Usable
Readable
for the entire Retention Period.

Controls that safeguard the authenticity, integrity and evidential weight of a record must be applied to
ensure the records are a true reflection of the facts. In some countries there are regulations which
require the preservation of records using specific types of media to ensure they are unalterable
throughout their retention. For example US regulators require certain Broker Dealer Records to be
retained on WORM (Write Once Read Many) compliant electronic media. This will ensure that these
records cannot be altered or manipulated and satisfy the need for them to be Accessible, Usable, and
Readable.
Usability - can be located, retrieved and provided when required i.e. is recorded on the BLoR,
properly indexed and can be retrieved from storage quickly and easily throughout the duration of the
Retention Period.
Authenticity - must reflect true facts, evidence that it has been created or sent by the person
declared as having created or sent it and has been created or sent at the time declared i.e. is a
statement of fact and can be proven to be so through audit trails and metadata attaching to the
records.
Integrity - refers to a record being complete, unaltered and incapable of being amended e.g. ensuring
records are maintained in a format and location which supports appropriate description (metadata),
version control and restricts unauthorised access.
A Relevant Record may be required as proof, for example, as evidence in court. In order for the court
to trust that the evidence is reliable and for it to be admissible as evidence in court, we must
demonstrate that controls have been maintained.
The controls must demonstrate that the records have been protected against unauthorised
addition, deletion, alteration and concealment.
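The controls just described (a fingerprint of each record's content, metadata recording who created it and when, and an audit trail that exposes unauthorised addition, deletion, alteration or concealment) can be made concrete in code. The following is an added example written for this page; it is not Barclays' or any vendor's implementation, and the record identifiers, sample trade records, timestamps and class names are constructed for the illustration. The `store` dictionary stands in for the write-once media the text mentions, and the hash-chained ledger is the audit trail whose findings a reviewer would use to show a record is what it claims to be.

```python
"""Tamper-evident ledger over a record store (added illustration, not Barclays code).

Each ledger entry carries the SHA-256 of the record's bytes, its metadata, and the
hash of the previous entry, so changing, removing or inserting anything leaves a trace.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class LedgerEntry:
    seq: int
    record_id: str
    content_hash: str          # fingerprint of the record's bytes
    metadata: Dict[str, str]   # creator, creation time, classification
    prev_hash: str             # entry_hash of the previous entry (chain link)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so the hash does not depend on key ordering.
        payload = json.dumps(
            {"seq": self.seq, "record_id": self.record_id,
             "content_hash": self.content_hash, "metadata": self.metadata,
             "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":")).encode()
        return sha256_hex(payload)


class RecordsLedger:
    """Append-only index over a record store; records are never overwritten."""

    def __init__(self) -> None:
        self.entries: List[LedgerEntry] = []
        self.store: Dict[str, bytes] = {}

    def add_record(self, record_id: str, content: bytes, created_by: str,
                   created_at: str, classification: str) -> LedgerEntry:
        if record_id in self.store:
            raise ValueError(f"record {record_id} already exists")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = LedgerEntry(
            seq=len(self.entries), record_id=record_id,
            content_hash=sha256_hex(content),
            metadata={"created_by": created_by, "created_at": created_at,
                      "classification": classification},
            prev_hash=prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        self.store[record_id] = content
        return entry

    def verify(self) -> List[str]:
        """Return findings; an empty list means ledger and store agree."""
        findings: List[str] = []
        expected_prev = GENESIS
        seen = set()
        for i, e in enumerate(self.entries):
            if e.seq != i:
                findings.append(f"entry {i}: sequence gap (entry removed or inserted)")
            if e.prev_hash != expected_prev:
                findings.append(f"entry {i}: chain link broken")
            if e.entry_hash != e.compute_hash():
                findings.append(f"entry {i}: ledger entry altered (metadata or hash changed)")
            content = self.store.get(e.record_id)
            if content is None:
                findings.append(f"{e.record_id}: missing from store (deletion or concealment)")
            elif sha256_hex(content) != e.content_hash:
                findings.append(f"{e.record_id}: content altered")
            seen.add(e.record_id)
            expected_prev = e.entry_hash
        for rid in sorted(set(self.store) - seen):
            findings.append(f"{rid}: in store but not in ledger (unauthorised addition)")
        return findings


def demo() -> Dict[str, List[str]]:
    """Constructed sample records and three tampering scenarios, each reverted afterwards."""
    ledger = RecordsLedger()
    ledger.add_record("TRADE-0001", b"BUY 100 XYZ @ 10.00", "a.trader", "2014-03-01T09:15:00Z", "Confidential")
    ledger.add_record("TRADE-0002", b"SELL 50 XYZ @ 10.20", "a.trader", "2014-03-01T09:20:00Z", "Confidential")
    results = {"clean": ledger.verify()}
    # Scenario 1: a record's content is changed in place.
    ledger.store["TRADE-0001"] = b"BUY 100 XYZ @ 11.00"
    results["altered"] = ledger.verify()
    ledger.store["TRADE-0001"] = b"BUY 100 XYZ @ 10.00"
    # Scenario 2: a record is removed from the store.
    removed = ledger.store.pop("TRADE-0002")
    results["deleted"] = ledger.verify()
    ledger.store["TRADE-0002"] = removed
    # Scenario 3: the creation time in the ledger is backdated.
    original = ledger.entries[1].metadata["created_at"]
    ledger.entries[1].metadata["created_at"] = "2014-02-28T09:20:00Z"
    results["backdated"] = ledger.verify()
    ledger.entries[1].metadata["created_at"] = original
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, findings or ["no findings"])
```

The chain link is what distinguishes this from a plain list of checksums: removing or inserting an entry breaks `prev_hash` for everything after it, so a gap in the trail is itself evidence. A real deployment would keep the ledger on media the record owners cannot rewrite (the WORM requirement above), otherwise an attacker with write access could recompute the chain.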


Page 41
Managing retention
It is essential to manage record retention in line with Barclays Policy at all times.
There may be circumstances where the usual procedures are suspended, most likely as a result of a
Disposal Hold instructed by our Legal Department.
You must comply immediately and completely with any instruction to suspend the usual record
retention process.
A Disposal Hold can apply to both Relevant and Non-Relevant Records.
You should also be aware that Non-Relevant Records are also discoverable and may end up as court
evidence; therefore it is important that they are kept to a minimum and are destroyed regularly, in line
with policy.

Page 42
Disposal Holds
A 'Disposal Hold' is a notice issued by the Barclays Legal team for one or a number of
Business Units, or Group wide, to temporarily suspend the destruction of specific records, or
series of records.
The Disposal Hold is mandatory and is issued to ensure that documents relevant to a known or
anticipated legal action or regulatory investigation are preserved and retained. You must not destroy
any records that are identified as subject to a hold.
When advised of a Disposal Hold notice, all records covered by the Disposal Hold must be identified,
located, and withheld from destruction in accordance with the requirements of the Disposal Hold
notice.
Upon receipt of legal authorisation to lift a Disposal Hold, business as usual retention periods must be
reapplied within 6 months, so long as no other Disposal Hold applies.

Page 43
Good storage management
The key elements of good storage management are summarised below.
Secure storage
You must always ensure that records are stored securely. Physical and Electronic Records should be
indexed appropriately for ease of retrieval, and should at all times be stored and handled so that they
are accessible only to authorised individuals.
Filing
You should file records in a logical structure that enables you to easily find the record you are looking
for.


Access
If you do not need regular access to your record, consider sending Physical Relevant Records to an
appropriate storage provider.
Think about the purpose of the Relevant Record and why you need to keep it. Believe it or not cups
have been found in storage boxes - these are not Relevant Records!
Cost
Physical storage is a cost to Barclays so make sure you utilise this effectively.

Page 44
Stage 3 - Retrieval
Relevant Records are listed on the BLoR. We must be able to retrieve them when needed. This may
be in response to business as usual queries or legal/regulatory challenges.
You should store a record in a manner that means if we must retrieve it, we can do so.
You should make sure records are retrievable within applicable timescales. Please note that some
Business Units may have retrieval requirements that are shorter than those listed below:
Electronic Relevant Records - within a period required by any applicable legislative or statutory
requirements or within 5 working days, whichever is shorter
Physical and archived Electronic Relevant Records - within a period required by any applicable
legislative or statutory requirements or within 15 working days, whichever is shorter
Ensure Physical Records are returned to storage when no longer required.

Page 45
Stage 4 - Disposal
Records that reach the end of their Retention Period should be destroyed.
Non-Relevant Records must be reviewed for disposal at least every 12 months, except where a
Disposal Hold notice applies.
Relevant Records must be destroyed within 6 months of the retention expiry date, except where a
Disposal Hold notice applies.

Page 46
There are many reasons not to retain records beyond their required Retention Period, including
compliance with the Data Protection Act, Data Privacy legislation, business rules and not least simply
avoiding incurring unnecessary cost.
When your record is ready for deletion or destruction, it is important that this is done securely
so that information does not get into the wrong hands.


Corporate Banking and Investment Banking colleagues ONLY must obtain formal approval to destroy
records in accordance with their business Records Management Policy - please contact your RM/IRM
Champion/Coordinator for details.
Take care when deleting or destroying Non-Relevant Records to ensure that you do not inadvertently
dispose of records that must be retained.
Scheduled destruction of records that are no longer required for legal or operational reasons is an
essential component of good Records Management.
As an alternative to destruction, certain Relevant Records may be transferred to Barclays Group
Archive for permanent preservation. Where applicable/available in your country please refer to the
Group Archives Policy for guidance.

Page 47
The benefits of good Records Management
Managing our records benefits our customers, colleagues and Barclays. It is our aim to make sure our
customers view us as professional and trust us to protect their information.
As a company we benefit from reduced risk of regulatory fines, lower risk of reputational damage,
reduced storage costs and you'll benefit from higher productivity as you no longer have to waste time
searching for documents.

Page 48: How to Report Information Incidents/Risk Events


Page 49
What is an Information Incident/Risk Event?
An Information Incident/Risk Event is an event that results in a threat or risk to Barclays.
This may include the loss of information, an employee not adhering to the Bank's policies or
standards, attacks on the Bank's IT systems and networks, theft of bank information or equipment,
physical damage to buildings, or threats to employees.
Types of Information Incidents/Risk Events:

Misuse of information - e.g. a former colleague taking customer records with them on leaving
the Bank in order to contact them in a new role
Unauthorised disclosure or loss of information - e.g. an unencrypted laptop being lost or
stolen
The loss of an employee's briefcase will be regarded as an incident if it contained, for
example, documents with customer account details. If it only contained publicly available
information and personal belongings, it will not result in a threat to the Bank and it is not
considered an incident
Any incident relating to information, whether printed or electronic. This includes insecure
disposal or transfer of information, loss or theft of information, unauthorised disclosure or
leakage of information and unauthorised access to information
Unauthorised destruction of records; missing records or the inability to retrieve records
Disclosure of information to recipients who have no legal right to receive it, or where it is
transmitted without adequate security controls in place (e.g. encryption).


Page 50
Reporting an Information Incident/Risk Event
Any Information Risk Event should be reported as soon as possible, following the Operational Risk
Event process.
An Information Incident/Risk Event should be raised regardless of whether or not there has been a
financial loss and even where a near miss has occurred.
If you're not sure, report it and let the relevant incident team decide on the appropriate action. It is
important to ensure that you receive confirmation that your Information Incident/Risk Event has been
recorded.
When reporting an Information Incident/Risk Event, you must provide as much information as
possible, including but not limited to:
Who saw the Incident/Risk Event or who was involved?
What happened?
When did the Incident/Risk Event occur?
Where did the Incident/Risk Event occur?
What caused the Incident/Risk Event?
What initial actions were taken, if any?

Page 51
Support
Our customers trust us with their information. It is everyone's responsibility to respect that trust and
ensure that their information is appropriately protected at all times.
As the 2nd Line of Defence, IRM Group Risk set the Policy requirements of managing Information
Risk across Barclays.
The Business Unit IRM teams are the 1st Line of Defence, and you should contact them in the first
instance with any questions or concerns.
[web address: http://teams.barclays.intranet/sites/group-irm/SitePages/Raising%20issues%20and%20concerns.aspx]
Your RM/IRM Champion/Coordinator is there to support you with managing your information and
records effectively.

Page 52: Summary


Having completed this training you should now know:
What IRM is and why it is important to Barclays
How to manage your access to applications and systems to protect information
Your responsibilities and how to classify, label and handle information that you create and
deal with
How to protect information to prevent loss and leakage of information
Your responsibilities and how to manage Relevant and Non-Relevant Records
How to report an Information Incident/Risk Event.

In order to complete this training you now need to achieve 80% in the assessment.


Assessment
Section 1: Information Risk Management

Information Risk Management


Question 1
Barclays is committed to protecting information throughout its lifecycle in line with
which of the following?
A. The value of the information
B. The sensitivity of the information
C. The risks it could be exposed to

Information Risk Management


Question 2
You must manage information and records in line with which of the following?
A. Laws
B. Regulation
C. Contractual arrangements

Classification categories
Question 3
Failure to classify and handle information correctly could lead to which of the
following?
A. Regulatory fines
B. Reputational damage
C. Disciplinary proceedings
D. Contract termination

Section 2: Logical Access Management

Protecting and managing access


Question 4 - Mandatory
Who is accountable for all activity carried out by your user account?
A. You
B. Your line manager
C. Your IRM team


Protecting and managing access


Question 5
Who is responsible for ensuring that system and application access is adjusted or
removed when someone changes roles or leaves a team/business?
A. You
B. Line managers
C. IRM teams

Protecting and managing access


Question 6
If you have access to information through systems, applications or
directories/repositories that you do not need to do your job, you should discuss it
with your line manager so that appropriate adjustments can be made.
A. True
B. False

Password security
Question 7 - Mandatory
Which of the following will help to keep your password secret?
A. Make it strong
B. Don't share it
C. Don't write it down
D. Don't let people see you type it

Shared folders and directories


Question 8
What must owners of shared folders and directories e.g. shared drives, shared
mailboxes, SharePoint sites and email public folders ensure regarding access
permissions?
A. Access permissions are granted to any colleagues that are a Vice
President or above
B. Access permissions to these repositories must be restricted to users
authorised to see it
C. Access permissions must be regularly reviewed at least annually or
immediately when employees leave or move positions


Logical Access Management


Question 9
Which of the following will help to prevent unauthorised access of information and
records?
A. Reviewing access permissions to shared folder and directories that you
own e.g. shared drives, shared mailboxes and email public folders
B. Updating access permissions to applications and systems to ensure
appropriateness and to remove movers and leavers
C. Lending your username and password to a colleague to access a system
or application

Section 3: Information Classification and Handling

What is an Information Asset?


Question 10
Which of the following could be an Information Asset?
A. A customer transaction
B. IT configuration details
C. Performance plans
D. Minutes from a supplier contract review meeting

Information Owners
Question 11
The owner of an Information Asset is responsible for which of the following:
A. Assigning an appropriate Classification to each of their Information Assets,
in accordance with the IRM Policy
B. Reviewing the Classification of their Information Assets at least once every
12 months
C. Reviewing the Classification Information Assets each time the
circumstances of the asset change significantly.

What is an Information Asset?


Question 12
What are the four Classifications defined in the Barclays IRM Policy that you must
apply and use?
A. Restricted, Internal, Confidential and Secret
B. Unrestricted, Internal, Company Confidential and Secret
C. Unrestricted, Internal Only, Confidential and Secret
D. Internal Only, Restricted, Company Confidential and Top Secret

Labelling information
Question 13 - Mandatory
Which of the following Classifications must be labelled where it is feasible and
appropriate to do so?
A. Unrestricted
B. Internal Only
C. Confidential
D. Secret

Section 4: Classifying and Labelling Information

Classification categories
Question 14
You have written a colleague newsletter; which Classification must be applied and
how must 'Hard copies' be labelled at minimum?
A. Internal Only - Hard copies must be given a visible Classification label on
the title page at minimum, and preferably in the footer of each page
B. Internal Only - Hard copies must be given a visible Classification label on
each page
C. Confidential - Hard copies must have a visible Classification label on the
title page at minimum, and preferably in the footer of each page
D. Confidential - Hard copies must be given a visible Classification label on
each page

Classification categories
Question 15 - Mandatory
What Classification must be applied to Customer Information Assets and how must
'Electronic assets' be labelled?
A. Confidential - Electronic assets must have an obvious Classification label
B. Confidential - Electronic assets, where appropriate and feasible, must
have an obvious Classification label, including labels within each page of
multi-page documents
C. Secret - Electronic assets must have an obvious Classification label
D. Secret - Electronic assets must have an obvious Classification label,
including labels within each page of multi-page documents


Classification categories
Question 16
What Classification must be applied to information regarding Barclays profit
forecasts and how must 'Envelopes containing Hard copy assets' be labelled?
A. Confidential - Envelopes must carry a visible Classification label on the
front
B. Confidential - Envelopes must carry a visible Classification label on the
front, sealed with a tamper-evident seal and placed inside an unlabelled
secondary envelope
C. Secret - Envelopes must carry a visible Classification label on the front
D. Secret - Envelopes must carry a visible Classification label on the front,
sealed with a tamper-evident seal and placed inside an unlabelled
secondary envelope

Section 5: Information Handling

Sharing and distributing information


Question 17
Which of the following are correct when Sharing and Distributing information
classified and labelled as 'Secret'?
A. To be shared only with individuals that have been specifically authorised to
see it, using Barclays approved systems and applications
B. Secure printing tools must be used when printing documents
C. Must not be faxed
D. External electronic communications must be encrypted

Sharing and distributing information


Question 18
Which of the following are correct when Sharing and Distributing information
classified and labelled as 'Confidential'?
A. To be shared only with individuals that have been specifically authorised to
see it, using Barclays approved systems and applications
B. Printed documents must be received immediately from the printer or
secure printing tools must be used
C. Must not be faxed unless the sender has confirmed that the recipients are
ready to receive the information
D. External electronic communications must be encrypted


Storing information
Question 19
Which of the following are correct when Storing information classified as
'Confidential' and 'Secret'?
A. Barclays approved systems and applications must be used
B. Hard copy assets must be stored where only authorised people can access
them
C. Electronic assets must be stored where only authorised people can access
them
D. Electronic assets must be protected through encryption or appropriate
compensating controls

Disposing of information
Question 20
Which of the following are correct when Disposing of information classified as
'Internal Only', 'Confidential' and 'Secret'?
A. Hard copies - confidential waste bins/services or shredders
B. Hard copies - normal rubbish bins
C. Electronic copies - not required
D. Electronic copies - delete from the system recycle bin

Section 6: Preventing Data Loss and Leakage of Information

Overview
Question 21
When colleagues leave the office at the end of the day, they notice some
'Confidential' information left on the printer by another colleague. What should they
do?
A. Throw them away in the rubbish bin
B. Nothing as the papers don't belong to them
C. Dispose of them in the confidential waste bin or secure service
D. Leave the printouts on the colleague's desk

Working remotely and in dynamic workspaces


Question 22 - Mandatory
Which of the following must you comply with when working remotely?
A. Only work remotely if you are able to use Barclays approved remote
access technology, keep your remote access token, passcode and laptop
separate from each other, and ensure portable storage media are
encrypted
B. Be conscious of the environment and who might see your documents,
screen, password or overhear your conversations
C. Do not leave equipment and documentation unattended and always check
that you have everything before you leave
D. Group Acceptable Use Dos and Don'ts Procedures

Working remotely and in dynamic workspaces


Question 23
Which of the following will help to prevent loss and leakage of information?
A. Emailing 'Internal Only', 'Confidential' or 'Secret' information to your own or
any personal email address
B. Being aware of your environment and keeping your desk clear
C. Using secure printing where possible and not leaving documents
unattended on the fax, printer or copier
D. Using confidential waste bins or secure services for disposing of 'Internal
Only' 'Confidential' and 'Secret' information on Bank premises

Emails
Question 24 - Mandatory
You have some work to do over the weekend and don't want to have to carry your
Barclays laptop home. You email the 'Confidential' documents to your personal
email account to use your personal computer. Is this acceptable?
A. Yes, I'm using my personal time for company business so I am permitted to
send the documents to my personal email account and to use my own
equipment
B. No, 'Confidential' documentation must not be sent to personal email
accounts and personal equipment can only be used with Barclays
approved remote access technology


Section 7: Using Other Media

External media
Question 25
What are the two principles that you must adhere to when connecting to the
Barclays Wireless Network using a personal device?
A. Business communications can take place using any application provided
by the device
B. Business communications must only take place using Barclays supplied
secure applications
C. Any communication made outside of Barclays supplied secure applications
must only be personal and not business related
D. Any communication made outside of Barclays supplied secure applications
can be personal or business related

Section 8: Records Management

What do we mean by a Record?


Question 26
There are many different records that you will see and use in your day to day role.
Which one of the following best describes what we mean by a 'Record'?
A. Information relating to customers stored on paper only
B. Information that is created and held by Barclays
C. Information relating to Barclays internal procedures only
D. Information that is received or created and held by Barclays that needs to
be kept for an amount of time

What do we mean by a Record?


Question 27 - Mandatory
Which one of the following would you apply the Records Management
requirements to?
A. Paper records and electronic desktop files only
B. Paper, electronic desktop files and IT databases, electronic
communications e.g. email, instant messaging and social media, and
CCTV
C. Paper, electronic desktop files and IT databases with customer information
only
D. Electronic desktop files only


Classes of Records
Question 28
Which of the following are 'Relevant Records'?
A. Customer product applications
B. Blank forms
C. Personal Development Plans
D. Legal case files

Section 9: Identifying, Retaining, Retrieving and Disposing of Records

Stage 1 - Identification
Question 29
Which of the following best describes the Business List of Records (BLoR)?
A. It is a list of a team's Relevant Records
B. It details the Retention Period for the Relevant Records
C. It provides a list of tasks and activities completed by a team
D. It details the category (bucket) of the Relevant Records

Stage 2 - Retention
Question 30 - Mandatory
Which of the following defines what records we must Retain?
A. Regulation and legislation
B. Customers and suppliers
C. Business rules
D. Country Records Retention Schedules

Failure to retain records


Question 31
Failure to retain and produce records in accordance with the relevant Country
Records Retention Schedule can result in severe reputational damage or direct
financial impact to Barclays.
A. True
B. False


Managing authenticity and integrity


Question 32
Where a Relevant Record is required as court evidence, it must be reliable and
admissible. Which of the following must you apply to safeguard the evidential
weight of Relevant Records?
A. Usability: can be located, retrieved and provided when required
B. Authenticity: must reflect true facts
C. Formatted within the Barclays brand guidelines
D. Integrity: complete, unaltered and incapable of being amended

Stage 3 Retrieval
Question 33 Mandatory
What are the correct Retrieval timescales for Electronic Relevant Records, and
Physical and archived Electronic Relevant Records?
A. Electronic Relevant Records within a period required by any applicable
legislative or statutory requirements or within 5 working days, whichever is
shorter
B. Physical and archived Electronic Relevant Records within a period
required by any applicable legislative or statutory requirements or within 15
working days, whichever is shorter
C. Electronic Relevant Records within a period required by any applicable
legislative or statutory requirements or within 15 working days, whichever
is shorter
D. Physical and archived Electronic Relevant Records within a period
required by any applicable legislative or statutory requirements or within 5
working days, whichever is shorter

Stage 4 Disposal
Question 34
Select the correct answer to complete this requirement: Relevant Records must be
destroyed within
A. 1 month of the retention expiry date
B. 4 months of the retention expiry date, except where a Disposal Hold notice
applies
C. 6 months of the retention expiry date, except where a Disposal Hold notice
applies
D. 12 months of the retention expiry date


Stage 4 Disposal
Question 35
Select the correct answer to complete this requirement: Non-Relevant Records
must be reviewed for disposal
A. At least every 12 months, except where a Disposal Hold notice applies
B. At least every 6 months, except where a Disposal Hold notice applies
C. At least every 12 months
D. At least every 6 months

Disposal Hold
Question 36 Mandatory
Which of the following are correct with regards to a 'Disposal Hold' notice?
A. They are issued by a Barclays Legal team for one or a number of Business
Units, or Group wide, to temporarily suspend the destruction of specific
records, or series of records
B. They are mandatory
C. They are issued to ensure that documents relevant to a known or
anticipated legal action or regulatory investigation are preserved and
retained
D. Records identified under a hold must not be destroyed

Section 10: Reporting Information Incidents/Risk Events

What is an Information Incident/Risk Event?


Question 37
Which of the following are correct in terms of Information Incidents/Risk Events and
reporting them?
A. An Information Incident/Risk Event is an event that results in a threat or
risk to Barclays
B. An Information Incident/Risk Event should only be reported where there is
a financial loss
C. An Information Incident/Risk Event should be reported regardless of
whether or not there has been a financial loss and even where a near miss
has occurred
D. Any Information Incident/Risk Event must be reported as soon as possible


What is an Information Incident/Risk Event?


Question 38
Which of the following are examples of Information Incidents/Risk Events that
should be reported regardless of whether or not there has been a financial loss or
where a near miss has occurred?
A. Information shared with a third party that has not been authorised for them
to receive
B. Printed 'Secret' information left on a printer
C. 'Confidential' information being disposed of in a normal rubbish bin
D. Lost or stolen laptop

Score:

END OF COURSE
