Security Incident Policy


Organisation: Somerset County Council
Title: Security Incident Policy
Author: Peter Grogan
Owner: Information Governance Manager
Protective Marking: Unclassified

POLICY ON A PAGE

Somerset County Council will ensure all users of Council are aware of the process of reporting a security incident or data breach and the importance of reporting these incidents as quickly as possible. This policy provides information on the process, the rules and guidance that must be followed, the standards to be maintained, the risk to users, clients and the Council and the potential consequences of not reporting these incidents.

This document will be distributed to: All Elected Members, Somerset County Council Staff, 3rd Party Contractors and Volunteers

Key Messages

- All staff should report any incidents or suspected incidents immediately by informing the ICT Helpdesk, and the SCC Information Governance Team.
- All incidents that result in the unauthorised disclosure of personal or sensitive data must be reported to the Information Governance Manager who may inform the Information Commissioner's Office (ICO).
- All incidents that result in a potential breach to the network must be reported to the ICT Helpdesk; as a result the ICT Security Manager may inform Gov-Cert and SWWARP.
- All incidents will be taken through the following process: Detection, Assessment, Communication, Escalation, Resolution, Follow up and Lessons learned.
- If you wish, SCC can maintain your anonymity when reporting an incident.
- If you are unsure of anything in this policy you should ask for advice from the Information Governance Team.

This policy on a page is a summary of the detailed policy document. Please ensure you read, understand and comply with the full policy.

Draft v.10 Page 1 of 14

Revision History

| Revision Date | Editor | Previous Version | Description of Revision |
|---|---|---|---|
| | Peter Grogan | | Initial Draft |
| | Peter Grogan | v.01 | Comments from D.Littlewood |
| | Peter Grogan | v.02 | Comments from D.Littlewood |
| | Peter Grogan | v.03 | Additions P.Grogan |
| | Peter Grogan | v.04 | Additions P.Grogan |
| | Peter Grogan | v.05 | Additions P.Grogan |
| | Peter Grogan | v.06 | Revised Flow chart & Reformatting |
| | Peter Grogan | v.07 | New Title & Reformatting |
| | Peter Grogan | v.08 | Reformatting |
| | Peter Grogan | v.09 | HR Update & Union Approver |

Document Approvals

This document requires the following approvals:

| Approval | Name | Date |
|---|---|---|
| Information Governance Manager | Peter Grogan | |
| Caldicott Guardians | Clare Steel / John Kirby | |
| Information Governance Board | Donna Fitzgerald | |
| Unions / JCC | Carrie-Anne Hiscock | |
| SCC HR | Richard Crouch | |
| Elected Members | David Huxtable | |

Document Distribution

This document will be distributed to: All Elected Members, Somerset County Council Staff, 3rd Party Contractors and Volunteers.

FULL POLICY DOCUMENT

1. Policy Statement

Somerset County Council will ensure that it reacts appropriately to any actual or suspected incidents relating to information systems and information within the custody of the Council.

2. Purpose

The aim of this policy is to ensure that Somerset County Council reacts appropriately to any actual or suspected security incidents relating to information systems and data.

Somerset County Council has a responsibility to monitor all incidents that occur within the organisation that may breach security and/or confidentiality of information. All incidents need to be identified, reported, investigated and monitored.

The policy has been implemented so that Somerset County Council can learn from reported incidents. It is not the intention to apply or apportion any blame to members of staff, and it is only by adopting this approach that Somerset County Council can ensure that incidents of a particular nature do not keep re-occurring.

3. Scope

This document applies to all Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council who use Somerset County Council IT facilities and equipment, or have access to, or custody of, customer information or Somerset County Council information.

All users must understand and adopt use of this policy and are responsible for ensuring the safety and security of the Council's systems and the information that they use or manipulate. All users have a role to play and a contribution to make to the safe and secure use of technology and the information that it holds.

4. Definition

This policy needs to be applied as soon as information systems or data are suspected to be, or are actually affected by an adverse event which is likely to lead to a security incident.
The definition of an information management security incident ("Information Security Incident" in the remainder of this policy and procedure) is an adverse event that has caused or has the potential to cause damage to an organisation's assets, reputation and / or personnel. Incident management is concerned with intrusion, compromise and misuse of information and information resources, and the continuity of critical information systems and processes.

Any employee who detects or suspects an information security incident has a personal responsibility to report it in accordance with this policy. The prime purpose of this policy is not to apportion blame but to contain problems and learn valuable lessons for improvement.

Types of Incident

The following are the main categories of incident:

- CRITICAL: Incidents must be reported immediately
- SIGNIFICANT: Incidents must be reported within 4 hours
- MINOR: Incidents must be reported within 1 day

These categories cover a range of incidents and breaches that are actions of either a physical or non-physical nature. For example, this can include:

- Site Breach - This could include unauthorised access to the site, with the intent to cause criminal damage.
- Network Breach - This could include network violation and/or breach of firewalls etc.
- Security Hardware Incident - This could include a failure with any site security hardware including cameras, gates, doors, failure of firewall etc.
- Building Incident - This could include a problem within the offices, such as fire or flood.
- Area Breach within the building - This could include person or persons intentionally gaining access to areas within the building they are not authorised to be in.

5. Risks

Somerset County Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business. This policy aims to mitigate the following risks:

- To reduce the impact of security breaches by ensuring incidents are followed up correctly.
- To help identify areas for improvement to decrease the risk and impact of future incidents.
- To ensure impact is reduced to other organisations associated with WARP.
- To ensure impact is reduced for Somerset County Council in respect of the Information Commissioner's Office.

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and fines and an inability to provide necessary services to our customers.

6. Applying the Policy

6.1 Procedure for Incident Handling

Events and weaknesses need to be reported at the earliest possible stage as they need to be assessed by both the Information Governance (IG) Team and the ICT Security Team. The technical advice from the ICT Advisor will enable the IG Team to identify when a series of events or weaknesses have escalated to become an incident.
It is vital for the IG Team to gain as much information as possible from the users to identify if an incident is occurring.

Information Governance and ICT Security team will validate the impact of the incident ensuring:

- the incident is with the appropriate technical/operational team/s using internal or external teams at the appropriate level
- the incident progresses in a timely manner through the identification, incident routing, isolation and resolution phases
- management escalation where deemed applicable for invoking the Management Escalation of High Severity Incident process
- communication to appropriate management
- escalation of incident where applicable

Dependent on the severity and identified impact of the incident, timely updates shall be provided to the Information Governance Manager until the incident is resolved, either temporarily or permanently.

The Incident Owner will decide whether to engage with other appropriate personnel as part of the technical or management escalation process to gain further advice and/or guidance and/or for communication.

The Incident Management Process is managed using the following stages and is depicted in diagrammatic form in Appendix 1.

Stage 1 Incident Detection

Three types of information sources feed information regarding the incident:

- The Service Desk receives notification from the end-user community.
- Operational Personnel detect incidents in the infrastructure which could provide service disruption which could be experienced by the end user.
- Management Systems monitor and detect incidents, automatically triggering alerts based on system thresholds and failures.

Stage 2 Incident Assessment

The aim of this stage is to quickly and accurately determine whether the incident is a serious incident.

- Initial Problem Input Data - The details are entered into the Service Desk system and an appropriate Impact classification is applied (see Appendix 1).
- Incident Assessment - The incident is assessed and the appropriate category is confirmed by the selected Incident Owner.
- Serious Incident - If the incident is classified as Critical, assessment should be confirmed within 60 mins of incident initiation.

Stage 3 Communication and Escalation

The communication and escalation processes aim to ensure that all parties are kept informed of the incident status.

- Management Escalation - The relevant Service Managers must be notified of the incident and kept up to date with progress to allow them to manage their customers.
- Security Management Escalation - Where it is deemed that this is a High security related incident, the Senior Information Risk Officer and the Support Services Group Manager must be notified and kept up to date with progress.

Stage 4 Incident Resolution

The Incident Resolution phase covers all the various technical investigations that will be required in order to bring the incident into resolution. This may require various personnel from various technical and non-technical business areas to provide effective resolution; it is expected that resources are made available as required.

Stage 5 Incident Post Resolution

The post resolution process is initiated once the incident has been resolved.

- Critical Incident Review - The Senior Information Risk Owner (SIRO) chairs a Serious Incident Review within 3 working days of incident resolution. This is attended by all key support staff involved in the incident.
- Critical Incident Report taken from the Service Desk system - The output of the Serious Incident Review is the Serious Incident Report. This summarises the events of the incident, the impact, actions taken to resolve the incident and further actions being taken to mitigate the risk of future occurrence/impact. The completed Government Emergency Response Team (Gov Cert) Incident Report is emailed to
- Non Critical Incidents - The SIRO chairs an Information Governance Meeting (IGB) quarterly and a report of this incident is included.

Stage 6 - Recording of Incidents and Follow Up

ICT will log all incidents on the Service Desk system to enable a central register to be maintained of all incidents occurring and affecting the organisation.

If there is no reduction in the volume of each type of incident, the Information Governance Board will be alerted by the Information Governance Manager and appropriate action taken.

Appendix 1 Governance Arrangements

Policy Compliance

If any user is found to have breached this policy, they will be subject to Somerset County Council's disciplinary procedure. Where it is considered that a criminal offence has potentially been committed, the Council will consider the need to refer the matter to the police.

If you do not understand the implications of this policy or how it may apply to you, seek advice from the Information Governance Team.

Policy Governance

The following table identifies who within Somerset County Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

- Responsible: the person(s) responsible for developing and implementing the policy.
- Accountable: the person who has ultimate accountability and authority for the policy.
- Consulted: the person(s) or groups to be consulted prior to final policy implementation.
- Informed: the person(s) or groups to be informed after policy implementation or amendment.

| Role | Assigned to |
|---|---|
| Responsible | Information Governance Manager |
| Accountable | SIRO - Head of Client Services |
| Consulted | Senior Management Team, HR, Unions |
| Informed | All, Members, staff, contractors, volunteers and 3rd parties. |

Review and Revision

This policy, and all related appendices, will be reviewed as it is deemed appropriate, but no less frequently than every 12 months. Policy review will be undertaken by the Information Governance Manager.

References

The following Somerset County Council policy documents are directly relevant to this policy:

- Corporate Information Security Policy
- Data Protection Policy
- Information Transparency Policy
- Acceptable Use Policy
- Legal Responsibility Policy

Appendix 1 Reporting and escalation Process

Appendix 2 Examples of Information Security Incidents

Examples of the most common Information Security Incidents are listed below. It should be noted that this list is not exhaustive.

Malicious

- Giving information to someone who should not have access to it - verbally, in writing or electronically.
- Computer infected by a virus or other malware.
- Sending a sensitive email to 'all staff'.
- Receiving unsolicited mail of an offensive nature.
- Receiving unsolicited mail which requires you to enter personal data.
- Finding data that has been changed by an unauthorised person.
- Receiving and forwarding chain letters including virus warnings, scam warnings and other emails which encourage the recipient to forward onto others.
- Unknown people asking for information which could gain them access to council data (e.g. a password or details of a third party).

Misuse

- Use of unapproved or unlicensed software on Somerset County Council equipment.
- Accessing a computer database using someone else's authorisation (e.g. someone else's user id and password).
- Writing down your password and leaving it on display / somewhere easy to find.
- Printing or copying confidential information and not storing it correctly or confidentially.

Theft / Loss

- Theft / loss of a hard copy file.
- Theft / loss of any Somerset County Council computer equipment or media.

Appendix 3 - Procedure for Incident Handling

1. Reporting Information Security Events or Weaknesses

The following sections detail how users and ICT Support Staff must report information security events or weaknesses. Appendix 1 provides a process flow diagram illustrating the process to be followed when reporting information security events or weaknesses.

1.1 Reporting Information Security Events for all Employees

Security events, for example a virus infection, could quickly spread and cause data loss across the organisation. All users must understand, and be able to identify that any unexpected or unusual behaviour on the workstation could potentially be a software malfunction. If an event is detected users must:

- Note the symptoms and any error messages on screen.
- Disconnect the workstation from the network if an infection is suspected (with assistance from ICT Support Staff).
- Not use any removable media (for example USB memory sticks) that may also have been infected.

All suspected security events should be reported immediately to the ICT Helpdesk on and SCC Information Governance on

If the Information Security event is in relation to paper or hard copy information, for example personal information files that may have been stolen from a filing cabinet, this must be reported to Senior Management, the Information Governance Team and the relevant Caldicott Guardian for the impact to be assessed.

The ICT Helpdesk will require you to supply further information, the nature of which will depend upon the nature of the incident. However, the following information must be supplied:

- Contact name and number of person reporting the incident.
- The type of data, information or equipment involved.
- Whether the loss of the data puts any person or other data at risk.
- Location of the incident.
- Inventory numbers of any equipment affected.
- Date and time the security incident occurred.
- Location of data or equipment affected.
- Type and circumstances of the incident (loss / theft).
1.2 Reporting Information Security Weaknesses for all Employees

Security weaknesses, for example a software malfunction, must be reported through the same process as security events. Users must not attempt to prove a security weakness as such an action may be considered to be misuse.

Weaknesses reported to application and service providers by employees must also be reported internally to ICT Helpdesk and the Information Governance Team. The service provider's response must be monitored and the effectiveness of its action to repair the weakness must be recorded by Somerset County Council.

1.3 Reporting Information Security Events for ICT Support Staff

Information security events and weaknesses must be reported to a nominated central point of contact within ICT (Security team) as quickly as possible and the incident response and escalation procedure must be followed.

Security events can include:

- Uncontrolled system changes.
- Access violations e.g. password sharing.
- Breaches of physical security.
- Non-compliance with policies.
- Systems being hacked or manipulated.

Security weaknesses can include:

- Inadequate firewall or antivirus protection.
- System malfunctions or overloads.
- Malfunctions of software applications.
- Human errors.

The reporting procedure must be quick and have redundancy built in. All events must involve both the Information Governance Team and also the nominated person within ICT who must both be required to take appropriate action. The reporting procedure must set out the steps that are to be taken and the time frames that must be met.

An escalation procedure must be incorporated into the response process so that users and support staff are aware who else to report the event to if there is not an appropriate response within a defined period.

Incidents must be reported to the Business Development teams in relevant Directorates should the incident directly affect the Service.

2. Management of Information Security Incidents and Improvements

A consistent approach to dealing with all security events must be maintained across the Council. The events must be analysed and the Information Governance Team must be consulted to establish when security events become escalated to an incident. The incident response procedure must be a seamless continuation of the event reporting process and must include contingency plans to advise the Council on continuing operation during the incident.

All high and medium incidents should be reported to the Head of Client Services. All low incidents should be reported to the Information Governance Manager.
To decide what level of impact an incident has, users should refer to the Risk Impact Matrix in Appendix 4.

2.1 Collection of Evidence

If an incident may require information to be collected for an investigation, strict rules must be adhered to. The collection of evidence for a potential investigation must be approached with care. Internal Audit (SWAudit Partnership) must be contacted immediately for guidance and strict processes must be followed for the collection of forensic evidence. If in doubt about a situation, for example, concerning computer misuse, contact the Security Manager in ICT for advice.

2.2 Responsibilities and Procedures

Management responsibilities and appropriate procedures must be established to ensure an effective response against security events. The Information Governance Team must decide when events are classified as an incident and determine the most appropriate response.

An incident management process must be created and include details of:

- Identification of the incident, analysis to ascertain its cause and vulnerabilities it exploited.
- Limiting or restricting further impact of the incident.
- Tactics for containing the incident.
- Corrective action to repair and prevent reoccurrence.
- Communication across the Council to those affected.

The process must also include a section referring to the collection of any evidence that might be required for analysis as forensic evidence. The specialist procedure for preserving evidence must be carefully followed.

The actions required to recover from the security incident must be under formal control. Only identified and authorised staff should have access to the affected systems during the incident and all of the remedial actions should be documented in as much detail as possible.

The officer responsible for an incident should risk assess the incident based on the Risk Impact Matrix (please refer to Appendix 4). If the impact is deemed to be high or medium this should be reported immediately to the Head of Client Services.

2.3 Learning from Information Security Incidents

To learn from incidents and improve the response process, incidents must be recorded and a Post Incident Review conducted. The following details must be retained:

- Types of incidents.
- Volumes of incidents and malfunctions.
- Costs incurred during the incidents.

The information must be collated and reviewed on a regular basis by ICT services and any patterns or trends identified. Any changes to the process made as a result of the Post Incident Review must be formally noted.
The information, where appropriate, should be shared with the Warning, Advice and Reporting Point (WARP) to aid the alert process for the region.

Appendix 4 - Risk Impact Matrix

1. Risk Impact Matrix

| Type of Impact | Reputational Media and Member Damages | Reputational Loss within Government and / or Failure to Meet Statutory / Regulatory Obligations | Contractual Loss | Failure to meet Legal Obligations | Financial Loss / Commercial Confidentiality Loss | Disruption to Activities | Personal Privacy Infringement |
|---|---|---|---|---|---|---|---|
| Low | Contained internally within the council | Internal investigation or disciplinary involving one individual | Minor contractual problems / minimal SLA failures | Small fine - less than 1K | Less than 1,000 | Minor disruption to service activities that can be recovered | Small numbers of personal details revealed or compromised within department |
| Medium | Unfavorable local media interest. Unfavorable council member response | Government authorised investigation by nationally recognised body or disciplinary involving 2 to 9 people | Significant client dissatisfaction. Major SLA failures. Failure to attract new business | Less than 50K Damages and fine | 1,000-50,000 | Disruption to service that can be recovered with an intermediate level of difficulty. One back up not backing up for 2 or more days | Small numbers of personal details revealed or compromised external to the authority |
| | Sustained local media coverage, extending to national media coverage in the short term | Government intervention leading to significant business change. Internal disciplinary involving 10 or more people | Failure to retain contract(s) at the point of renewal | Greater than 50K damages and potential fine from ICO | 50,000-1,000,000 | Major disruption to service which is very difficult to recover from. Two or more systems not being backed up for two or more days | Large numbers of personal details revealed or compromised external to the authority. Harm mental or physical to one member of staff or public. |
| High | Sustained unfavorable national media coverage | Service or product outsourced through Government intervention | Client contract(s) cancelled | Over 1M damages and / or fine. Custodial sentence(s) imposed | More than 1,000,000 | Catastrophic disruption - service activities can no longer be continued | Detrimental effect on personal & professional life OR large scale compromise affecting many people. Harm mental or physical to two or more members of staff or public |

Appendix 5 - Security Incident and Time Frames

CRITICAL - Report Immediately

- User Account compromised
- Changes to System Hardware, Firmware or Software without the System Owner's Authorisation
- Corruption of data/information
- Physical Damage to systems
- Denial of Service attack
- Fraud
- Intrusion/Hack
- Protectively marked material/equipment found
- Major damage to building
- Network compromise
- Property destruction relating to an incident more than 50,000
- Unauthorised System downtime
- Theft Data
- Theft Physical
- Unauthorised physical access to building
- Unauthorised disclosure or misuse of data/information
- Illegal Software download/sale
- Web site defacement
- Social Engineering misuse
- Sending an email containing sensitive information to 'all staff' by mistake.
- Malicious Code Virus/Worms

SIGNIFICANT - Report Within 4 hours

- Use of unapproved or unlicensed software
- Misuse of computer equipment e.g. connecting unauthorised devices to the Council network
- Pornography
- Property destruction relating to an incident less than 50,000
- Sharing of account details
- Unauthorised access and/or use of a system using another user's user-id/password
- Violation of Special Access Requirements to a computer or computing facility
- Writing down your password and leaving it on display
- Receiving unsolicited mail which requires you to enter personal data
- Receiving unsolicited mail of an offensive nature, e.g. containing pornographic, obscene, racist, sexist, grossly offensive or violent material.
- Software vulnerability
- Minor damage to building
- Suspected sharing of account details
- Unsuccessful ICT Penetration Scans/Probes
- Sending inappropriate emails

MINOR - Report Within 1 DAY


More information

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom

More information

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful

More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

Schedule 13 Security Incident and Data Breach Policy. January 2015 v2.1

Schedule 13 Security Incident and Data Breach Policy. January 2015 v2.1 Schedule 13 Security Incident and Data Breach Policy January 2015 v2.1 Document History Purpose Document Purpose Document developed by Document Location To provide a corporate policy for the management

More information

Data Protection Breach Management Policy

Data Protection Breach Management Policy Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/

More information

INFORMATION SECURITY INCIDENT REPORTING POLICY

INFORMATION SECURITY INCIDENT REPORTING POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT

DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT GD21 2 DATA PROTECTION (JERSEY) LAW 2005: GUIDANCE ON DATA SECURITY BREACH MANAGEMENT Introduction Organisations which process

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Incident Response Plan for PCI-DSS Compliance

Incident Response Plan for PCI-DSS Compliance Incident Response Plan for PCI-DSS Compliance City of Monroe, Georgia Information Technology Division Finance Department I. Policy The City of Monroe Information Technology Administrator is responsible

More information

Data Protection Breach Reporting Procedure

Data Protection Breach Reporting Procedure Central Bedfordshire Council www.centralbedfordshire.gov.uk Data Protection Breach Reporting Procedure October 2015 Security Classification: Not Protected 1 Approval History Version No Approved by Approval

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Data Security Breach Management Procedure

Data Security Breach Management Procedure Academic Services Data Security Breach Management Procedure Document Reference: Data Breach Procedure 1.1 Document Type: Document Status: Document Owner: Review Period: Procedure v1.0 Approved by ISSG

More information

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level

More information

Policy Document. IT Infrastructure Security Policy

Policy Document. IT Infrastructure Security Policy Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

ABERDARE COMMUNITY SCHOOL

ABERDARE COMMUNITY SCHOOL ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY ISO 27002 5.1 Author: Owner: Organisation: Chris Stone Ruskwig TruePersona Ltd Document No: SP- 5.1 Version No: 1.0 Date: 10 th January 2010 Copyright

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities

NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities Information Governance Untoward Incident Reporting and Management Advice for Local Authorities March 2013 Contents Page 1. The Role of the NIGB.....3 2. Introduction...4 3. Background Information...6 4.

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Information Incident Management and Reporting Procedures

Information Incident Management and Reporting Procedures ` Information Incident Management and Reporting Procedures Compliance with all CCG policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may

More information

Working Practices for Protecting Electronic Information

Working Practices for Protecting Electronic Information Information Security Framework Working Practices for Protecting Electronic Information 1. Purpose The following pages provide more information about the minimum working practices which seek to ensure that

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

SLMS Incident Reporting Procedure

SLMS Incident Reporting Procedure LONDON S GLOBAL UNIVERSITY SLMS Incident Reporting Procedure 1 Document Information Document Name SLMS-IG15 SLMS Incident Reporting Procedure Author Shane Murphy Issue Date 12/06/15 Approved By Chair of

More information

Incident Reporting Guidelines for Constituents (Public)

Incident Reporting Guidelines for Constituents (Public) Incident Reporting Guidelines for Constituents (Public) Version 3.0-2016.01.19 (Final) Procedure (PRO 301) Department: GOVCERT.LU Classification: PUBLIC Contents 1 Introduction 3 1.1 Overview.................................................

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Information Incident Management and Reporting Procedures

Information Incident Management and Reporting Procedures Information Incident Management and Reporting Procedures Compliance with all policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may result

More information

IT ACCESS CONTROL POLICY

IT ACCESS CONTROL POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Monitoring and Logging Policy. Document Status. Security Classification. Level 1 - PUBLIC. Version 1.0. Approval. Review By June 2012

Monitoring and Logging Policy. Document Status. Security Classification. Level 1 - PUBLIC. Version 1.0. Approval. Review By June 2012 Monitoring and Logging Policy Document Status Security Classification Version 1.0 Level 1 - PUBLIC Status DRAFT Approval Life 3 Years Review By June 2012 Owner Secure Research Database Analyst Change History

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY Information Security Policy INFORMATION SECURITY POLICY Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies

More information

Data Security Breach Incident Management Policy

Data Security Breach Incident Management Policy Data Security Breach Incident Management Policy Contents 1. Background... 1 2. Aim... 1 3. Definition... 2 4. Scope... 2 5. Responsibilities... 2 6. Data Classification... 2 7. Data Security Breach Reporting...

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

DATA BREACH COVERAGE

DATA BREACH COVERAGE THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ THIS CAREFULLY. DATA BREACH COVERAGE SCHEDULE OF COVERAGE LIMITS Coverage Limits of Insurance Data Breach Coverage $50,000 Legal Expense Coverage $5,000

More information

Incident reporting procedure

Incident reporting procedure Incident reporting procedure Responsible Officer Author Date effective from Aug 2009 Date last amended Aug 2009 Review date July 2012 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Acceptable Use of Information Systems Standard. Guidance for all staff

Acceptable Use of Information Systems Standard. Guidance for all staff Acceptable Use of Information Systems Standard Guidance for all staff 2 Equipment security and passwords You are responsible for the security of the equipment allocated to, or used by you, and must not

More information

Information Security Incident Management Guidelines. e-governance

Information Security Incident Management Guidelines. e-governance Information Security Incident Management Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

Document Control. Version Control. Sunbeam House Services Policy Document. Data Breach Management Policy. Effective Date: 01 October 2014

Document Control. Version Control. Sunbeam House Services Policy Document. Data Breach Management Policy. Effective Date: 01 October 2014 Document Control Policy Title Data Breach Management Policy Policy Number 086 Owner Information & Communication Technology Manager Contributors Information & Communication Technology Team Version 1.0 Date

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

43: DATA SECURITY POLICY

43: DATA SECURITY POLICY 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical

More information

The Wellcome Trust Sanger Institute IT Acceptable Use Policy (AUP) Version 1.8

The Wellcome Trust Sanger Institute IT Acceptable Use Policy (AUP) Version 1.8 The Wellcome Trust Sanger Institute IT Acceptable Use Policy (AUP) Version 1.8 Introduction The IT systems must be used in a reasonable manner and in such a way that does not affect their efficient operation,

More information

Software Policy. Software Policy. Policy and Guidance. June 2013

Software Policy. Software Policy. Policy and Guidance. June 2013 Software Policy Policy and Guidance June 2013 Project Name Software Policy Product Title Policy and Guidance Version Number 1.2Final Page 1 of 8 Document Control Organisation Title Author Filename Owner

More information

Physical Security Policy

Physical Security Policy Physical Security Policy Author: Policy & Strategy Team Version: 0.8 Date: January 2008 Version 0.8 Page 1 of 7 Document Control Information Document ID Document title Sefton Council Physical Security

More information

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE GENERAL STATEMENT TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE 1.1 The Council recognises the increasing importance of the Internet and email, offering opportunities for improving

More information

Summary Electronic Information Security Policy

Summary Electronic Information Security Policy University of Chichester Summary Electronic Information Security Policy 2015 Summary Electronic Information Security Policy Date of Issue 24 December 2015 Policy Owner Head of ICT, Strategy and Architecture

More information

Information Technology Services Information Security Incident Response Plan

Information Technology Services Information Security Incident Response Plan Information Technology Services Information Security Incident Response Plan Authors: Peter Hamilton Security Manager Craig Collis Head of Risk, Quality and Continuity Date:1/04/2014 Version:1.3 Status:Final

More information

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by: Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

Harper Adams University College. Information Security Policy

Harper Adams University College. Information Security Policy Harper Adams University College Information Security Policy Introduction The University College recognises that information and information systems are valuable assets which play a major role in supporting

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

ICT POLICY AND PROCEDURE

ICT POLICY AND PROCEDURE ICT POLICY AND PROCEDURE POLICY STATEMENT St Michael s College regards the integrity of its computer resources, including hardware, databases and software, as central to the needs and success of our day-to-day

More information

Infrastructure Security Policy

Infrastructure Security Policy Bolsover District Council North East Derbyshire District Council & Rykneld Homes Ltd ICT Infrastructure Security Policy September 2013 Version 1.0 Page 1 of 11 CONTROL SHEET FOR ICT Infrastrutcure Security

More information

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) PURPOSE: The purpose of this procedure is to establish the roles, responsibilities, and communication procedures for the Computer Security Incident

More information

Authorised Acceptable Use Policy 2015-2016. Groby Community College Achieving Excellence Together

Authorised Acceptable Use Policy 2015-2016. Groby Community College Achieving Excellence Together Groby Community College Achieving Excellence Together Authorised Acceptable Use Policy 2015-2016 Reviewed: Lee Shellard, ICT Manager: May 2015 Agreed: Leadership & Management Committee: May 2015 Next review:

More information

Information Technology and Communications Policy

Information Technology and Communications Policy Information Technology and Communications Policy No: FIN-IT-POL-001 Version: 03 Issue Date: 10.06.13 Review Date: 10.06.16 Author: Robert Cooper Monitor Changes Approved by: Board of Governors Version

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

Recommendations. That the Cabinet approve the withdrawal of the existing policy and its replacement with the revised document.

Recommendations. That the Cabinet approve the withdrawal of the existing policy and its replacement with the revised document. Report to: Cabinet Date: 14 th October 2004. Report: of Head of Corporate Personnel Services Report Title: USE of INTERNET POLICY Summary of Report. The use of the Internet is growing rapidly. Over the

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Information Security and Governance Policy

Information Security and Governance Policy Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information

More information

Information security incident reporting procedure

Information security incident reporting procedure Information security incident reporting procedure Responsible Officer Author Date effective from 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended

More information

Data Breach Management Policy and Procedures for Education and Training Boards

Data Breach Management Policy and Procedures for Education and Training Boards Data Breach Management Policy and Procedures for Education and Training Boards POLICY on DATA BREACHES in SCHOOLS/COLLEGES and OTHER EDUCATION and ADMINISTRATIVE CENTRES UNDER the REMIT of TIPPERARY EDUCATION

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

INFORMATION SECURITY MANAGEMENT POLICY

INFORMATION SECURITY MANAGEMENT POLICY INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June

More information

INTERNET, EMAIL AND COMPUTER USE POLICY.

INTERNET, EMAIL AND COMPUTER USE POLICY. INTERNET, EMAIL AND COMPUTER USE POLICY. CONSIDERATIONS Code of Conduct Discipline and termination policy Privacy Policy Sexual Harassment policy Workplace Health & Safety Policy LEGISLATION Copyright

More information

RULES FOR THE USE OF INFORMATION TECHNOLOGY SERVICES (ITS)

RULES FOR THE USE OF INFORMATION TECHNOLOGY SERVICES (ITS) RULES FOR THE USE OF INFORMATION TECHNOLOGY SERVICES (ITS) Policy Owner: ITS Manager Drafted/Amended: March 2013 Approved by: Academic Resources Committee Ratified by: Academic Board Next Review Date:

More information

AUDIT COMMITTEE 10 DECEMBER 2014

AUDIT COMMITTEE 10 DECEMBER 2014 AUDIT COMMITTEE 10 DECEMBER 2014 AGENDA ITEM 8 Subject Report by MANAGEMENT OF INFORMATION RISKS DIRECTOR OF CORPORATE SERVICES Enquiries contact: Tony Preston, Ext 6541, email tony.preston@chelmsford.gov.uk

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information