I have just started to consolidate several best practices and operational procedures for handling confidential information. I am using the results of this effort to set a confidential information handling policy. It seems that the policy itself may turn out to be very simple:

  1. Confidential information may only be collected, stored and processed if a need to do so exists, and if that need cannot be satisfied in any other way.
  2. Confidential information must be destroyed when it is no longer needed.
  3. Confidential information must be handled with due care.
  4. When loss of or unauthorized access to information has been detected, or if it is suspected, the Information Security Officer must be notified and an information security incident will be declared.

Is there anything I need to address at the policy-level? Obviously, at the level of the supporting standard, the requirements for due care must be established in more detail, but this seems to mostly cover it.