Security Incident Management Policy


January 2015

Document Version: 2.4
Document Status: Published
Owner Name: Martyn Ward
Owner Job Title: Head of ICT Business Delivery
Document ref.:
Approval Date: 27/01/2015
Review Date: 27/01/2016

Document Control and Information

ICT Business Delivery

Status: Published
Approval Date: 27/01/2015
Review Date: 27/01/2016
Document Owner's Name: Martyn Ward
Job Title: Head of ICT Business Delivery

Do not alter, copy, publish or distribute without the approval of the Document Owner.

This instruction applies to: This document applies to all Councillors, Committees, Departments, Partners, Employees of the Council both permanent and temporary, contractual third parties and agents of the Council who use Oxfordshire County Council ICT facilities and equipment, or have access to or custody of, sensitive or personal information held by the County Council.

For Action by: As above.
For Information: As above.

Revision History

Version Date Author / Reviewer Notes
/01/2015 IGG Approval
/01/2015 James Willoughby Further changes to content and layout following review by Information Services management
/01/2015 Maggie Donaldson Incorporating further changes after team discussion, including shorter title and incorporation into new layout
2.2 5/12/2014 Maggie Donaldson Further refinement after Karen Wilson reviewed, to ensure consistency of terminology

Distribution and/or Publication: All Customers; All ICT Staff
Location: OCC Intranet; ICT SharePoint site
Date:

Contents

1. Policy Statement
2. Purpose
3. Scope
4. Risks
5. Procedure for Incident Handling
6. Policy Compliance
7. Review and Revision
8. Definition
Appendix 1 Process Flow; Reporting an Information or Personal Data Security Event or Weakness
Appendix 2 Procedure for Incident Handling
Appendix 3 Examples of Information and Personal Data Security Incidents
Appendix 4 Report on an Information or Personal Data Security related incident
Appendix 5 Risk Impact Matrix
Appendix 6 Definitions

1. Policy Statement

The aim of this policy is to ensure that Oxfordshire County Council reacts appropriately to any actual or suspected security incidents relating to information systems and personal data.

2. Purpose

Council staff, contractors and Councillors will be required to have access to the Council's ICT systems, applications and equipment in the performance of their duties. For all users of the Council's ICT facilities, this policy describes the Council's requirements for security incident management.

3. Scope

This document applies to all Councillors, Committees, Departments, Partners, Employees of the Council both permanent and temporary, contractual third parties and agents of the Council who use Oxfordshire County Council ICT facilities and equipment, or have access to or custody of, sensitive or personal information held by the County Council.

Sensitive or personal data may be held by the County Council in electronic or paper format. It may also be communicated verbally. All media forms and methods of communication fall within the scope of this policy.

All users must understand and adopt use of this policy and are responsible for ensuring the safety and security of the Council's systems and the information that they use or manipulate. All users have a role to play and a contribution to make to the safe and secure use of technology and the information that it holds.

4. Risks

Oxfordshire County Council recognises that there are risks associated with users accessing and handling data and information in the conduct of official Council business. This policy aims to mitigate risk by:

- Reducing the impact of data and information security breaches by ensuring incidents are followed up correctly.
- Identifying areas for improvement to decrease the risk and impact of future incidents.
- Lessening the likelihood of data and information security incidents by raising staff awareness and understanding.

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers.

5. Procedure for Incident Handling

If any Security event is detected, all users must:

- Immediately report it to the ICT Service Desk on or internally 1000 so that it can be assessed and investigated.
- Note the symptoms and any error messages on screen.
- Disconnect the workstation from the network if an infection is suspected (with assistance from the ICT Service Desk).
- Not use any removable media (for example USB memory sticks) that may also have been infected.

If the Security event relates to paper or hard copy information, it must be reported to Senior Management within the Service Area and the Directorate Information Governance (IG) Lead for the impact to be assessed. Some examples of security events can be found in Section 8, below.

ICT Services needs to identify when a series of events or weaknesses have escalated to become an incident and so it is vital to gain as much information as possible from the business users to identify if an incident is occurring. For a flowchart of the process for incident handling, please see Appendix 1, and for full details, please refer to Appendix 2.

Where any member of staff wishes to raise concerns regarding poor practice around information systems or personal data, they must approach their line manager, Directorate IG Lead or the ICT Information Services Manager.

Where any incident is of sufficient severity to notify the Information Commissioner's Office (ICO), this should be informed by the Risk Matrix set out in Appendix 5. The decision to notify the ICO must be made by the Deputy Head of Law and Culture acting on advice from Head of ICT Services and the Council's Data Controller.

6. Policy Compliance

If any user is found to have breached or disregarded this policy, they may be subject to Oxfordshire County Council's disciplinary procedure. If a criminal offence is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s).

If you do not understand the implications of this policy or how it may apply to you, seek advice from your line manager or your Directorate IG Lead.

7. Review and Revision

This policy, and all related appendices, will be reviewed as it is deemed appropriate, but no less frequently than every 12 months. Policy review will be undertaken by the Head of ICT Business Delivery.

8. Definition

This policy needs to be applied to Information and Personal Data Security Incidents where information systems or data are suspected to be, or are actually affected by an adverse event. An adverse event is one that has caused or has the potential to cause damage to an organisation's assets, reputation and / or personnel.

An Information or Personal Data Security Incident could include, but is not restricted to, the following:

- The loss or theft of data or information or equipment in which sensitive or critical information is stored.
- The transfer of data or information to those who are not entitled to receive that information.
- Attempts (either failed or successful) to gain unauthorised access to data or information storage or a computer system.
- Changes to data or information or system hardware, firmware, or software characteristics without the Council's knowledge, instruction, or consent.
- Unwanted disruption or denial of service to a system.
- The unauthorised use of a system for the processing or storage of data by any person.
- The unauthorised downloading of software or firmware using council equipment or networks.

Examples of some of the more common forms of Information and Personal Data Security Incidents have been provided in Appendix 3.

Appendix 1 Process Flow; Reporting an Information or Personal Data Security Event or Weakness

[Flowchart. Swimlanes: Service Area; ICT Services; Information Management Team and IG Lead; IG & Compliance Manager / OCC IG Lead. Box and decision labels:]

- Information Security related incident occurs
- Call logged with ICT Service Desk
- Incident involves sensitive or critical information? (Yes / No)
- Follow ICT Incident Management Process
- Assess impact - see Appendix 4 and advise relevant ICT staff
- Call passed to Information Management Team
- Pass incident to appropriate IG Lead(s) for investigation
- 2 working days: Initial report by IG Lead on incident to IM Team
- Initial assessment of need to report to SIRO, Chief Exec, DoH* and ICO as applicable
- Action taken as applicable to findings of incident investigation
- Call updated and closed
- 5 working days: Final report to IM Team
- Actions required agreed with OCC IG Lead / SIRO and passed to appropriate Manager
- Final decision on need to report to SIRO, Chief Exec, DoH* and ICO
- Incident discussed at next IG Group meeting

Appendix 2 Procedure for Incident Handling

Reporting Procedures for all Employees

Please see Appendix 1 for a flow diagram illustrating the process to be followed when reporting information or personal data security events or weaknesses. To prevent further damage or risk to the Council, all users must:

- Immediately report it to the ICT Service Desk on or internally
- Note the symptoms and any error messages on screen.
- Disconnect the workstation from the network if an infection is suspected (with assistance from the ICT Service Desk).
- Not use any removable media (for example USB memory sticks) that may also have been infected.

If the Security event relates to paper or hard copy information (e.g. personal information files stolen from a filing cabinet), this must be reported to Senior Management within the Service Area and the Directorate IG Lead for the impact to be assessed.

The ICT Service Desk will require further information depending on the nature of the incident, including:

- Contact name and number of person reporting the incident (unless anonymity is requested).
- The type of data, information or equipment involved.
- Whether the loss of the data puts any person or other data at risk.
- Location of the incident.
- Inventory numbers of any equipment affected.
- Date and time the security incident occurred.
- Location of data or equipment affected.
- Type and circumstances of the incident.

Actions for Directorate IG Leads

Where the incident is a security weakness (e.g. a software malfunction) the Directorate IG Lead must:

- Take immediate steps to determine if there are risks to anyone else, for instance a service user or member of staff whose personal information may have been lost or mislaid.
- Ensure that the manager responsible for the information and/or persons involved in the breach have been made aware of the incident.
- Have regard to the Risk Impact Matrix in Appendix 5 when assessing the seriousness of the incident.

- Work with the manager and team as applicable to determine exactly what happened to trigger the incident, why it happened and how a similar incident can be avoided in future.
- Within 2 working days - Produce an initial report on the nature, seriousness of and reason for the incident; it must be sent to the ICT Service Desk quoting the incident reference number.
- Within 5 working days - Produce a final report using the form at Appendix 4; it must be sent to the ICT Service Desk quoting the incident reference number.

Actions for ICT Support Staff

All users must report an information or personal security event to the ICT Service Desk immediately they become aware of it. The ICT Service Desk must:

- Inform the ICT Duty Manager and / or ICT Senior Manager as quickly as possible.
- Follow the incident response and escalation procedure as described in the ICT Services Information Security Incident Handling Process.

Where an incident becomes service affecting it must be reported to the ICT Information Services Manager and/or the Information Governance and Compliance Manager.

Management of Information and Personal Data Security Incidents and Improvements

To ensure a consistent approach across the Council all Security Incidents will be handled in accordance with the procedures in this document.

The Head of ICT Business Delivery is responsible for managing and coordinating the response to personal data security breaches. Lead officers in the directorates and other managers and staff are required to cooperate and prioritise any request for assistance from ICT Services in the discharge of this responsibility.

The incident response procedure is a seamless continuation of the event reporting process; it includes contingency plans to advise the Council on continuing operation during the incident. Reported breaches must be contained, assessed, notified, and a full response evaluated.

Collection of Evidence

If an incident requires information to be collected for an investigation, strict rules must be adhered to. The collection of evidence for a potential investigation must be approached with care. Internal Audit must be contacted immediately for guidance and strict processes must be followed for the collection of forensic evidence. Where evidence collection involves a member of staff's account, HR approval must be sought.

If in doubt about a situation, for example concerning computer misuse, contact your line manager or another manager within your Service, or the ICT Service Desk, for advice.

Responsibilities and Procedures

The ICT Service Desk Duty Manager working in conjunction with an ICT Senior Manager must decide when events are classified as an incident and determine the most appropriate response.

The incident management process includes details of:

- Identification of the incident, analysis to ascertain its cause and vulnerabilities it exploited.
- Limiting or restricting further impact of the incident.
- Tactics for containing the incident.
- Corrective action to repair and prevent reoccurrence.
- Communication across the Council to those affected.

The process also refers to the collection of any evidence that might be required for analysis as forensic evidence. The specialist procedure for preserving evidence must be carefully followed.

The actions required to recover from the security incident must be under formal control. Only identified and authorised staff should have access to the affected systems during the incident and all of the remedial actions should be documented in as much detail as possible.

The officer responsible for an incident should risk assess the incident based on the Risk Impact Matrix (please refer to Appendix 5). If the impact is deemed to be high or medium this should be reported immediately to the Head of ICT Business Delivery.

Learning from Information and Personal Data Security Incidents

Post Incident Reviews are conducted; these enable the Council to learn and to improve its procedures. To do this these details must be retained:

- Types of incidents.
- Volumes of incidents and malfunctions.

- Costs incurred during the incidents.

Any changes to the process made as a result of any Post Incident Review are formally noted. The information is collated and reviewed by ICT Services Management on a regular basis and any patterns or trends identified. Where appropriate the Deputy Head of Law and Culture will share the information with the Warning, Advice and Reporting Point (WARP) to aid the alert process for the region.

When to Notify Individuals, Other organisations and the Information Commissioner

Informing people and organisations about data security breaches must serve a clear purpose to inform and protect. Informing people about a breach is not an end in itself. The following guidance should be followed:

Step / Description

1. Are there any legal, contractual or service requirements that apply? At present, there is no law expressly requiring that a breach should be notified but the individual circumstances need to be considered.
2. Can notification help meet security obligations with regard to the 7th Data Protection principle?
3. Can notification help the individual, i.e. to protect them now or at some point in the future?
4. If a large number of people are affected and/or there are likely to be serious consequences, then the Information Commissioner should be informed.
5. Notifications should be appropriate to the group concerned.
6. Be wary of the dangers of over notifying as too wide a notification may cause disproportionate enquiries and work.

Who to Notify and How to Notify

How to notify will depend on the nature of the breach but it is important to give proper consideration to who to notify, what they will be told and how the message will be communicated. The following guidance from the Information Commissioner should be followed:

- Notify the appropriate regulatory body. In some Services, there may be a need to notify a specific regulator. Directorate Information Governance Leads should be aware of this.

- Consider the security and the urgency of the situation when deciding on the medium for notification.
- Any notification should include at least a description of how the breach occurred and what data was involved. Details of the response made to contain and address risks should be given.
- When notifying individuals, advice should include steps the individual could take to protect themselves and any further assistance that can be provided.
- Provide contact details.

Notifying the Information Commissioner's Office (ICO)

From data protection and electronic communications to freedom of information and environmental regulations - the ICO is the UK's independent public body set up to protect personal information and promote public access to official information. Full guidance is available on the ICO website and this should be consulted for the latest updates:

If a large number of people are affected by a breach of personal data security, or there are likely to be very serious consequences for individuals, the Council is required to contact the ICO.

When notifying the Information Commissioner, the following must be included:

- Details of the security measures in place at the time the breach occurred.
- Details of any information provided to the media.

Any decision to notify the Information Commissioner should be informed by the Risk Matrix set out in Appendix 5. The decision to notify the Information Commissioner must be made by the Deputy Head of Law and Culture acting on advice from Head of ICT Services and the Council's Data Controller.

Notifying the Department of Health

Since June 2013 any public body with adult social care responsibility must notify certain serious breaches to the Department of Health. More information can be found at the Health and Social Care Information Centre website.

Roles and Responsibilities - Within ICT Services

- Principal Support Analysts take control of any data security breach reported via the ICT Service Desk.
- ICT Senior Management Team takes charge of the containment, assessment and communication of any breach.
- Head of ICT Business Delivery is responsible for the Council's response to any reported data security breach.
- Head of ICT Business Delivery is responsible for compiling a quarterly report on all Data security breaches and outcomes.

Roles and Responsibilities - Outside ICT Services

- All users must follow instructions and must report any actual or suspected data security breach to the ICT service desk.
- Line managers must apply procedures and ensure systems are in place to support their staff who need to report a Data Security Breach and help them to obtain answers to any questions they may have.
- Directorate Information Governance (IG) Leads must act as the liaison, information and communication point for all data security breaches within their Directorate.
- Assistant Head of Law and Governance must decide on whether the Information Commissioner should be informed about any Data Security breach and acts as Data Controller for the County Council and provides advice on contractual obligations for data security.
- Head of Internal Audit must provide a representative to participate in formal reviews of Data Security Breaches.
- Head of HR provides staff support in the event that their personal information has been disclosed.

Appendix 3 Examples of Information and Personal Data Security Incidents

Examples of the most common Information and Personal Data Security Incidents are listed below. It should be noted that this list is not exhaustive.

- Giving data or information to someone who should not have access to it - verbally, in writing or electronically.
- Computer infected by a Virus or other malware.
- Sending a sensitive email to unintended recipients by mistake.
- Receiving unsolicited mail of an offensive nature.
- Receiving unsolicited mail which requires you to enter personal data.
- Receiving and forwarding chain letters including virus warnings, scam warnings and other emails which encourage the recipient to forward onto others.
- Unknown people asking for information which could gain them access to council data (e.g. a password or details of a third party).
- Blagging offences where data is obtained by deceit.
- Use of unapproved or unlicensed software on Oxfordshire County Council equipment.
- Printing or copying confidential information or personal data and not storing it correctly or confidentially.
- Theft / loss of a hard copy file.
- Theft / loss of any Oxfordshire County Council computer equipment.
- Theft / loss of personal data.
- Access violations e.g. password sharing or writing a password down where someone else may find and use it.
- Non-compliance with policies.
- Systems being hacked or manipulated; including:
  o Finding data that has been changed by an unauthorised person.
  o Uncontrolled system changes.
- Inadequate firewall or antivirus protection.
- System malfunctions or overloads.
- Malfunctions of software applications.
- Human errors.

Appendix 4 Report on an Information or Personal Data Security related incident

Date & time of Incident:
Service area:
ICT Service Desk Call No:
Was personal data involved:
Assessed Impact Level (see Security Incident Management Procedure Appendix 5 for guidance):
Description of incident:
Findings of investigation into incident:

Assessment of reason for incident (please highlight):

- Human error
- Lack of training
- Theft of equipment / data
- Process / practice issue
- Technical failing
- Loss of equipment or data
- Misuse of equipment / data

Actions taken to mitigate incident and prevent similar future incidents:
If personal data involved, were the data subjects told of the incident:
Name:
Service Area/Directorate:
Date:

PLEASE RETURN TO ICT VIA THE SERVICE DESK, QUOTING THE CALL REFERENCE AT THE TOP OF THE FORM

Appendix 5 Risk Impact Matrix

To decide on the potential or actual impact of an information security incident, the impact matrix below should be used.

Type of Impact:

- Reputational Media and Member Damages
- Reputational Loss within Government and / or Failure to Meet Statutory / Regulatory Obligations
- Contractual Loss
- Failure to meet Legal Obligations
- Financial Loss / Commercial Confidentiality Loss
- Disruption to Activities

Low / Medium

None None None None None None None
Contained internally within the council
Unfavourable council member response
Unfavourable local media interest
Unfavourable council member response
Internal investigation or disciplinary involving one individual
Government authorised investigation by nationally recognised body or disciplinary involving 2 to 9 people
Minor contractual problems / minimal SLA failures
Significant client dissatisfaction. Major SLA failures. Failure to attract new business
Civil lawsuit / small fine - less than 10K
Less than 100K Damages and fine
Less than 100, , ,000
Minor disruption to service activities that can be recovered
Disruption to service that can be recovered with an intermediate level of difficulty. One back up not backing up for 2 or more days

Personal Privacy Infringement

Personal details revealed or compromised within department
Personal details revealed or compromised internally within authority. Harm mental or physical to one members of staff or public

High

Sustained local media coverage, extending to national media coverage in the short term
Government intervention leading to significant business change. Internal disciplinary involving 10 or more people
Failure to retain contract(s) at the point of renewal
Greater than 100K damages and fine
500,000-1,000,000
Major disruption to service which is very difficult to recover from. Two or more systems not being backed up for two or more days
Severe embarrassment to individual(s). Loss or theft of personal data relating to an individual employee or citizen

Sustained unfavourable national media coverage
Service or product outsourced through Government intervention
Client contract(s) cancelled
Over 1M damages and / or fine. Custodial sentence(s) imposed
More than 1,000,000
Catastrophic disruption - service activities can no longer be continued
Detrimental effect on personal & professional life OR large scale compromise affecting many people. Harm mental or physical to two or more members of staff or public

Appendix 6 Definitions

Term / Definition

Data: Data are raw facts. This would include for example Dates of Birth, phone numbers, addresses, etc. Data is always correct although it can be erroneously recorded and can also change over time. Please note that a different definition applies to Personal Data and Sensitive Personal Data as defined under the Data Protection Act. Please see the definitions below.

Information: Information is the organisation and/or capture of data and/or knowledge in a meaningful manner. This would include, for example, a written report, an email, a spreadsheet etc. Information can be wrong. Information captures data at a single point and as data can be erroneously recorded or can change over time, information is not always an accurate reflection of data.

Information Asset: Information Asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

Information Governance: Information Governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.


More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

Information Incident Management and Reporting Procedures

Information Incident Management and Reporting Procedures ` Information Incident Management and Reporting Procedures Compliance with all CCG policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may

More information

Information Incident Management and Reporting Procedures

Information Incident Management and Reporting Procedures Information Incident Management and Reporting Procedures Compliance with all policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may result

More information

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY Information Security Policy INFORMATION SECURITY POLICY Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT

DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT GD21 2 DATA PROTECTION (JERSEY) LAW 2005: GUIDANCE ON DATA SECURITY BREACH MANAGEMENT Introduction Organisations which process

More information

Corporate Information Security Management Policy

Corporate Information Security Management Policy Corporate Information Security Management Policy Signed: Chief Executive. 1. Definition of Information Security 1.1. Information security means safeguarding information from unauthorised access or modification

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY ISO 27002 5.1 Author: Owner: Organisation: Chris Stone Ruskwig TruePersona Ltd Document No: SP- 5.1 Version No: 1.0 Date: 10 th January 2010 Copyright

More information

Schedule 13 Security Incident and Data Breach Policy. January 2015 v2.1

Schedule 13 Security Incident and Data Breach Policy. January 2015 v2.1 Schedule 13 Security Incident and Data Breach Policy January 2015 v2.1 Document History Purpose Document Purpose Document developed by Document Location To provide a corporate policy for the management

More information

Harper Adams University College. Information Security Policy

Harper Adams University College. Information Security Policy Harper Adams University College Information Security Policy Introduction The University College recognises that information and information systems are valuable assets which play a major role in supporting

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level

More information

INFORMATION SECURITY INCIDENT REPORTING POLICY

INFORMATION SECURITY INCIDENT REPORTING POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

More information

Data Security Breach Management Procedure

Data Security Breach Management Procedure Academic Services Data Security Breach Management Procedure Document Reference: Data Breach Procedure 1.1 Document Type: Document Status: Document Owner: Review Period: Procedure v1.0 Approved by ISSG

More information

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures SECURITY INCIDENT REPORTING AND MANAGEMENT Standard Operating Procedures Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme.

More information

The Ministry of Information & Communication Technology MICT

The Ministry of Information & Communication Technology MICT The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.

More information

Software Policy. Software Policy. Policy and Guidance. June 2013

Software Policy. Software Policy. Policy and Guidance. June 2013 Software Policy Policy and Guidance June 2013 Project Name Software Policy Product Title Policy and Guidance Version Number 1.2Final Page 1 of 8 Document Control Organisation Title Author Filename Owner

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

PRIVACY BREACH MANAGEMENT POLICY

PRIVACY BREACH MANAGEMENT POLICY PRIVACY BREACH MANAGEMENT POLICY DM Approval: Effective Date: October 1, 2014 GENERAL INFORMATION Under the Access to Information and Protection of Privacy Act (ATIPP Act) public bodies such as the Department

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups

More information

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical

More information

43: DATA SECURITY POLICY

43: DATA SECURITY POLICY 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

Data Protection Policy. Information Security Review Group. Version Date Author Notes on Revisions

Data Protection Policy. Information Security Review Group. Version Date Author Notes on Revisions Document Control Table Document Title: Author(s) (name, job title and Division): Version Number: Document Status: Date Approved: Approved By: Effective Date: Date of Next Review: Superseded Version: Data

More information

NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities

NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities Information Governance Untoward Incident Reporting and Management Advice for Local Authorities March 2013 Contents Page 1. The Role of the NIGB.....3 2. Introduction...4 3. Background Information...6 4.

More information

Data Protection Breach Reporting Procedure

Data Protection Breach Reporting Procedure Central Bedfordshire Council www.centralbedfordshire.gov.uk Data Protection Breach Reporting Procedure October 2015 Security Classification: Not Protected 1 Approval History Version No Approved by Approval

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

AUDIT COMMITTEE 10 DECEMBER 2014

AUDIT COMMITTEE 10 DECEMBER 2014 AUDIT COMMITTEE 10 DECEMBER 2014 AGENDA ITEM 8 Subject Report by MANAGEMENT OF INFORMATION RISKS DIRECTOR OF CORPORATE SERVICES Enquiries contact: Tony Preston, Ext 6541, email tony.preston@chelmsford.gov.uk

More information

Document Control. Version Control. Sunbeam House Services Policy Document. Data Breach Management Policy. Effective Date: 01 October 2014

Document Control. Version Control. Sunbeam House Services Policy Document. Data Breach Management Policy. Effective Date: 01 October 2014 Document Control Policy Title Data Breach Management Policy Policy Number 086 Owner Information & Communication Technology Manager Contributors Information & Communication Technology Team Version 1.0 Date

More information

Data Breach Management Policy and Procedures for Education and Training Boards

Data Breach Management Policy and Procedures for Education and Training Boards Data Breach Management Policy and Procedures for Education and Training Boards POLICY on DATA BREACHES in SCHOOLS/COLLEGES and OTHER EDUCATION and ADMINISTRATIVE CENTRES UNDER the REMIT of TIPPERARY EDUCATION

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Council, 14 May 2015. Information Governance Report. Introduction

Council, 14 May 2015. Information Governance Report. Introduction Council, 14 May 2015 Information Governance Report Introduction 1.1 The Information Governance function within the Secretariat Department is responsible for the HCPC s ongoing compliance with the Freedom

More information

IT ACCESS CONTROL POLICY

IT ACCESS CONTROL POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Working Practices for Protecting Electronic Information

Working Practices for Protecting Electronic Information Information Security Framework Working Practices for Protecting Electronic Information 1. Purpose The following pages provide more information about the minimum working practices which seek to ensure that

More information

Information Security Code of Conduct

Information Security Code of Conduct Information Security Code of Conduct IT s up to us >Passwords > Anti-Virus > Security Locks >Email & Internet >Software >Aon Information >Data Protection >ID Badges > Contents Aon Information Security

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

USE OF PERSONAL MOBILE DEVICES POLICY

USE OF PERSONAL MOBILE DEVICES POLICY Policies and Procedures USE OF PERSONAL MOBILE DEVICES POLICY Date Approved by Information Strategy Group Version Issue Date Review Date Executive Lead Information Asset Owner Author 15.04.2014 1.0 01/08/2014

More information

Internet, E-mail and SMS Texting Usage Policy Group Policy

Internet, E-mail and SMS Texting Usage Policy Group Policy Internet, E-mail and SMS Texting Usage Policy Group Policy Scope: This Orbit Housing Group Limited ( Group ) policy provides a set of guidelines for all users within the Group on the proper usage of the

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

Corporate Policy and Strategy Committee

Corporate Policy and Strategy Committee Corporate Policy and Strategy Committee 10am, Tuesday, 30 September 2014 Information Governance Policies Item number Report number Executive/routine Wards All Executive summary Information is a key asset

More information

Applying the legislation

Applying the legislation Applying the legislation GUIDELINE Information Privacy Act 2009 Privacy breach management and notification A privacy breach occurs when there is a failure to comply with one or more of the privacy principles

More information

Network Password Management Policy & Procedures

Network Password Management Policy & Procedures Network Password Management Policy & Procedures Document Ref ISO 27001 Section 11 Issue No Version 1.3 Document Control Information Issue Date April 2009, June 2010, September 2011 Status Approved By FINAL

More information

ICT POLICY AND PROCEDURE

ICT POLICY AND PROCEDURE ICT POLICY AND PROCEDURE POLICY STATEMENT St Michael s College regards the integrity of its computer resources, including hardware, databases and software, as central to the needs and success of our day-to-day

More information

Information Security Policy. Appendix B. Secure Transfer of Information

Information Security Policy. Appendix B. Secure Transfer of Information Information Security Policy Appendix B Secure Transfer of Information Author: Data Protection and Information Security Officer. Version: 0.7 Date: March 2008 Document Control Information Document ID Document

More information

Coláiste Pobail Bheanntraí

Coláiste Pobail Bheanntraí Coláiste Pobail Bheanntraí Seskin Bantry, Co. Cork. Principal: Dr. Kevin Healy B.A, H.D.E, M.Ed, Ed.D Deputy Principal: Mr. Denis O Sullivan, BSc. (Ed.), H.D.E Phone: 027 56434 Fax: 027 56439 E-mail: admin@colaistepobailbheanntrai.com

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

REMOTE WORKING POLICY

REMOTE WORKING POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

Administrative Procedures Memorandum A1452

Administrative Procedures Memorandum A1452 Page 1 of 11 Date of Issue February 2, 2010 Original Date of Issue Subject References February 2, 2010 PRIVACY BREACH PROTOCOL Policy 2197 Management of Personal Information APM 1450 Management of Personal

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

Policy Document. IT Infrastructure Security Policy

Policy Document. IT Infrastructure Security Policy Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT

More information

ABERDARE COMMUNITY SCHOOL

ABERDARE COMMUNITY SCHOOL ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been

More information

Data Protection Breach Management Policy

Data Protection Breach Management Policy Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/

More information

Data Protection Policy. Leeds City Council. Information Governance team, Intelligence & Performance - 1 -

Data Protection Policy. Leeds City Council. Information Governance team, Intelligence & Performance - 1 - Leeds City Council Data Protection Policy - 1 - Document Control Organisation Leeds City Council Title Data Protection Policy Author Mark Turnbull, Legal Services Filename DPA policyvr1.doc Owner Assistant

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy DOCUMENT INFORMATION Author: Vince Weldon Associate Director of IM&T Approval: Executive This document replaces: IM&T Policy No. 1 Anti Virus Version

More information

The Bishop s Stortford High School Internet Use and Data Security Policy

The Bishop s Stortford High School Internet Use and Data Security Policy Internet Acceptance Use and Data Security Policy Last Updated: 08/10/2012 Date of Next Review: 08/10/2015 Approved by GB: 10/10/2012 Responsible Committee: Student Welfare and Development Internet Acceptable

More information

Merthyr Tydfil County Borough Council. Information Security Policy

Merthyr Tydfil County Borough Council. Information Security Policy Merthyr Tydfil County Borough Council Information Security Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Aberdeen City Council IT Security (Network and perimeter)

Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

INFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes

INFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes INFORMATION SECURITY POLICY Ratified by RCA Senate, February 2007 Contents Introduction 2 Policy Statement 3 Information Security at RCA 5 Annexes A. Applicable legislation and interpretation 8 B. Most

More information

Cork ETB Data Breach Management Policy and Procedures

Cork ETB Data Breach Management Policy and Procedures Cork ETB Data Breach Management Policy and Procedures POLICY ON THE MANAGEMENT OF DATA BREACHES IN SCHOOLS/COLLEGES AND OTHER EDUCATION AND ADMINISTRATIVE CENTRES UNDER THE REMIT OF CORK EDUCATION AND

More information

Information Incident Management. and Reporting Policy

Information Incident Management. and Reporting Policy Information Incident Management and Reporting Policy Policy ID IG10 Version: 1 Date ratified by Governing Body 21/3/2014 Author South CSU Date issued: 21/3/2014 Last review date: N/A Next review date:

More information

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE GENERAL STATEMENT TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE 1.1 The Council recognises the increasing importance of the Internet and email, offering opportunities for improving

More information

Protection of Privacy

Protection of Privacy Protection of Privacy Privacy Breach Protocol March 2015 TABLE OF CONTENTS 1. Introduction... 3 2. Privacy Breach Defined... 3 3. Responding to a Privacy Breach... 3 Step 1: Contain the Breach... 3 Step

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Version: 2.0. Effective From: 28/11/2014

Version: 2.0. Effective From: 28/11/2014 Policy No: OP58 Version: 2.0 Name of Policy: Anti Virus Policy Effective From: 28/11/2014 Date Ratified 17/09/2014 Ratified Health Informatics Assurance Committee Review Date 01/09/2016 Sponsor Director

More information

Angard Acceptable Use Policy

Angard Acceptable Use Policy Angard Acceptable Use Policy Angard Staffing employees who are placed on assignments with Royal Mail will have access to a range of IT systems and mobile devices such as laptops and personal digital assistants

More information