On $8$ August $2023,$ the names of police officers and staff in Northern Ireland, where they were based and their roles were published on the internet. The data was made public, in error, by police as they responded to a routine freedom of information $($FOI$)$ request. Links to an external site.

Data leakage prevention can be supported by standard security controls. Your task is to research and draft a Secure Access and Document Management Policy along the lines of the ISO$27000$ family for the Police Service of Northern Ireland $($PSNI$).$ You are advised to create a clear set of policy statements with controls and examples. You may wish to refer to $$ISO $27002$ Links to an external site. $5\mathrm{.}1$ Policies for Information Security, $5\mathrm{.}12$ Classification Information and $5\mathrm{.}15$ Access control and $8\mathrm{.}12$ Data leakage prevention to ensure that the policy aligns requirements for ISO compliance.

You should take into consideration any confidentiality, integrity, and availability $($CIA$)$ issues of the information assets for the PSNI and assess all relevant risks, taking into account the PSNI$$s overall organisational strategy and objectives. This can be facilitated or supported through an information security specific risk assessment. This should result in the determination of the controls necessary to ensure that the residual risk to the organisation meets its risk acceptance criteria.

You should also research the General Data Protection Regulation $($GDPR$)$ and any other relevant legal, statutory, regulatory and contractual requirements that PSNI and its interested parties $($government$,$ public, media, partners, service providers, etc.$)$ have to comply with and their sociocultural environment;

Brief relevant description of the PSNI will help to set a personalised case study scenario of the assessment. You may also research publicly available information on the principles, objectives and organisational requirements of PSNI and make assumptions for the "life cycle of information" it may have to support its operations. You may also have to identify information classification Where relevant you may make assumptions$/$fictitious data $($but indicate it$).$