12 July 2020
myroyalmail is updated daily
Think Secure welcomes you to the start of the Information Lifecycle

 Think Secure

How to create information securely:

  • Start with a protective mark
  • Classification is key
  • Ask yourself what measures are needed to protect your information.

We all have a responsibility to understand the value of the information we create and ensure it is handled securely throughout its lifecycle.

What kind of information does this include?

Any kind! The Information Lifecycle begins when any piece of information is created. This can take many forms, for example; a paper document, an email, a report on your computer, a diagram on a whiteboard, or even a conversation.

So where to start?

Follow these top tips when you create information:

1. Start with a protective mark! Correctly classify your information using the Royal Mail Group (RMG) Information Security Classifications (Public, Internal, Confidential or Strictly Confidential). This protective mark will point out how sensitive the content is and how you and others should handle it, making sure that the right safeguards are in place as the piece of information starts its journey.

2. Information about your information, known as ‘metadata’ is equally important. Classify your information by ensuring it includes details of the document owner, last modified, creation date, edited page numbers, headers, footers (this is where the information security classification goes) and version control. When information is well managed, it helps to prevent data getting lost or even worse, ending up in the wrong hands.

3. Think Secure and Be Secure whenever you are creating new information. Consciously ask yourself; what is the security classification (the protective mark) and what, if any security measures should be in place to protect it.

See our How To Create Information Securely guide for more information, and here are some useful digests to support you when you create information:

Information Security Classification Policy
How to use a Locked Print User Guide
How to Classify Information 
Applying Retention Periods to Records  

Let’s remind ourselves of some important things to consider when correctly classifying information:

If it’s CONFIDENTIAL restrict access so that only the right people can see it and if sharing with others, ensure it is protected on the move using a password or Mimecast (see Share for more information)

If STRICTLY CONFIDENTIAL, access must be restricted to only those who are authorised and have a genuine need to know. Ensure it is protected on the move and at rest by using our security tools and keep it safeguarded out of reach (see Share and Store for more information).

To guide you through our classification, always consider the sensitivity and the volume of records.

For example with volume: The financial and reputational impact of a report with 10 individuals’ names, addresses and employee IDs being lost or stolen, compared to that of a full business unit, or entire organisation is quite different, because the volume of possible colleagues impacted. 

When considering sensitivity: is the content particularly sensitive so that if it were left on the train, sent to the wrong person or stolen and put on the web, it could cause damage to Royal Mail? For example: a business report, a commercially sensitive project update or some personal data like an absence sheet should be classified CONFIDENTIAL.

Is the content particularly sensitive? For example:  A strategic board paper, a collection of payslips, or an acquisition report must be classified as STRICTLY CONFIDENTIAL.

Consider the case where something containing strictly confidential information is lost or stolen and there are thousands of volumes of records. Imagine the impact this could have on you, your colleagues, or our customers if we had not taken the necessary steps to safeguard the information.

So now you know WHEN you need to classify. Here is WHERE you put the classification (i.e. the protective mark):

Documents: e.g. Word, pdfs, PowerPoints, etc. – add the protective mark in the footer on the bottom left of the document.

Emails: Here you have several choices - the subject header, the body of the email or even in your signature using the format below. This not only clearly marks the type of information contained in the email, it also protects it should it be sent outside of the Royal Mail network (see Share for more information).

‘Please treat the contents of this email as [confidential] or

‘Please treat the contents of this email as [strictly confidential]’

Remember to use these questions to help you and ‘Think Secure’ when creating information. Considering security at the start of the journey will set the controls and protect valuable information at the different stages of its lifecycle, as it is shared, stored and accessed.

Click here to see more of our how to guides and Think Secure documents.