Peninsula Community Health. Mobile IT Security Policy
Title: Mobile IT Security Policy
Procedural Document Type: Policy & Procedure
Reference: ITP14
CQC Outcome:
Version: V2.1
Approved by: Information Governance Sub Committee
Ratified by: Clinical Quality & Safety Committee
Date ratified: 5 August 2014
Freedom of Information: Not Applicable
Name of originator/author: IT Security Manager/IG Manager
Name of responsible team: IT Modernisation Team
Review Frequency: 3 Years
Review Date: August 2017
Target Audience: Staff, contractors.
Executive Signature (Hard Copy Only):
Registered in England and Wales No:
Registered office: Peninsula Community Health CIC, Sedgemoor Centre, Priory Road, St Austell PL25 5AS

Quality care, closer to you

Peninsula Community Health is a not for profit Community Interest Company responsible for providing NHS adult community health services in Cornwall and the Isles of Scilly.

Contents
- 1. Introduction
- Definitions
- Duties
- The Development and Management of Procedural Documents
- 5. Risk Management Strategy Implementation
- Implementation
- Training and Support
- Dissemination
- Storing the Procedural Document
- Equality Impact Assessment
- Process for Monitoring Effective Implementation
- 7. Associated Documentation
- Appendix

Please Note the Intention of this Document

This Policy is to prevent unauthorised disclosure, modification, removal or destruction of Peninsula Community Health (PCH) information assets, and disruption to business activities.

This policy must be read in conjunction with:
- the Information Security Policy
- the IT Security Policy
- the Acceptable Use Policy
- Confidentiality: NHS Code of Practice
- Records Management: NHS Code of Practice

This policy applies to staff members or contractors of PCH who have access to mobile computing facilities and herein referred to as mobile computing users. All mobile IT devices and facilities for use on information systems owned or operated by PCH are covered by this policy.

Review and Amendment Log

| Version No | Type of Change | Date | Description of change |
| 1.0 | Drafting | 06/03/2013 | n/a |
| 2.0 | Insertion | 08/03/2013 | Included Appendix 1 and section on use of devices outside of the UK. |
| 2.1 | Update | 01/04/2014 | Updated to reflect changes in Countywide Policy |

1. Introduction

Mobile computing is a term used to describe the use of a number of mobile IT devices and storage media to process and store information electronically. Typically this will include items such as:

Mobile devices
- laptop, notebook and tablet PCs
- smartphones, Blackberries and iPhones

Storage media
- smartphones, Blackberries and iPhones
- solid state memory devices (e.g. USB memory sticks, iPods and MP3 players)
- optical discs (DVD and CD-ROM)
- removable or external hard disc drives
- floppy discs
- tape

This list is not exhaustive.

Mobile computing allows for information to be available whilst working on the move, at home or in a remote location. This facility can greatly improve patient care services and also contributes to the improvement of working lives and organisational efficiency.

These benefits, however, present significant risks. Information is no longer retained within the security systems provided with the hospital, Practice or office; it is moving around the city, country and potentially even abroad.

Mobile IT devices taken outside the Cornwall NHS managed network are subject to special security risks: they may be misused, lost, damaged, accidentally destroyed or stolen and may be exposed to unauthorised access or tampering. Mobile IT devices taken abroad may also be at risk from confiscation by police or customs officials.

The loss of a mobile IT device will not only mean the loss of availability of the device and its data, but may also lead to the disclosure of patient or other sensitive information. This loss of confidentiality, and potential integrity, will be considered more serious than the loss of the physical asset.

Where large quantities of NHS information are held on a single laptop, or other storage device, risk assessments must consider the impacts of loss and potential disclosure of the data. Note that deleted files should be assumed to persist on the laptop's hard disk.

Information should only be stored on a mobile device temporarily, whilst working away from the office, and should be returned to the network drive (storage area) as soon as the work has been completed. If there is a need to work remotely for an extended period of time (i.e. several days), information must be regularly copied to your network drive to ensure that the information is included in the normal backup/restoration process. Failure to copy your information to a network storage area may result in the permanent loss of information due to the failure or loss/theft of the mobile device.

All mobile devices used for processing/storing NHS information must be encrypted. This was mandated in 2008 by David Nicholson, NHS Chief Executive, and is a required standard from HSCIC, via the Information Governance Toolkit.

2. Definitions

CITS: Cornwall IT Services, Royal Cornwall Hospitals Trust. CITS provide comprehensive Information and Communications support for the Cornwall Health Community and also varying levels of support to the wider Cornwall Health bodies (e.g. GP Practices, etc.). CITS Service Desk can be contacted by calling Extension 1717 ( ) or non-urgent requests can be sent via email to CITS.ServiceDesk@cornwall.nhs.uk.

Cornwall Health Community (CHC): all organisations with a connection to the Cornwall COIN (including Kernow Clinical Commissioning Group (KCCG), Royal Cornwall Hospitals Trust (RCHT), Cornwall Partnership NHS Foundation Trust (CFT), Peninsula Community Health (PCH), GPs and other partner organisations).

Cornwall COIN: a CITS managed N3 community of interest network (COIN). This wide area network links all the computers across all Cornwall Health Community sites with the national N3 network.

Encryption: The means of automating the protection of IT systems, information and data by making them unreadable without an electronic code from outside influences, e.g. computer viruses, unauthorised access to Cornwall Health Community hardware and software.

HSCIC: Health and Social Care Information Centre.

IT: Information Technology is the application of computers and telecommunications equipment to store, retrieve, transmit and manipulate data.

Memory Sticks: a portable (pocket sized) storage device used to transfer information between computers via the Universal Serial Bus (USB) port.

Mobile Computer User: a person who uses technology to work whilst not at their normal workplace. This is not normally whilst on the move, but will be applicable for people who have multiple places of work, whilst at home or even in a hotel.

Mobile IT Device: These IT devices were designed to be able to provide PC functionality to support working whilst on the move or provide portable PC functionality which can be taken to different locations, e.g. laptops, tablets, Notebooks, PDAs, smart phones, etc.

N3: The National NHS Network is a UK wide network connecting NHS organisations together (a private WAN).

Network: Connects IT equipment together to enable the transfer of information. Networks fall into one of these categories:
- LAN: Local Area Network, joining computers and IT equipment in close proximity such as an office or building using wires.
- WLAN: Wireless Local Area Network, the same as a LAN but using wireless technology (electronic signals/radio transmissions).
- WAN: Wide Area Network, joining computers or other LANs across a large geographical area.

PC: Personal Computer, a generic term used to describe most computers designed for use by one person at a time.

PID: Personal Identifiable Data/Information is information about a person which would enable that person's identity to be established by one means or another. This might be detail that would make it easy for someone to identify a person, such as an unusual surname or isolated Postcode, or bits of different information which if taken together could allow the person to be identified. Person identifiable data includes one or more of the following:
- Name
- Postcode
- NHS Number or other identifiable number
- Date of Birth
- Clinical Diagnosis, where this is unusual or rare

Recovery: Restoration of a system to its desired state following a failure in the operation of the system.

Remote Access: The ability to access information stored on the Cornwall NHS Network from a device not directly connected to it. This could be to support mobile working whilst not on Cornwall Health Community premises, home working or access by a third party organisation for the maintenance and support of a system/application. Remote access is via a number of approved, secure channels, but the preferred option is via Microsoft's Unified Access Gateway (UAG) which requires username, password and either a generated key from a Vasco token or a smartcard.

Server: A computer on a network that runs one or more applications/services (as a host) that can be accessed by other authorised users. This could be a database, file share, mail/printing services, etc.

UPS: Uninterruptible Power Supply, a power supply that typically includes a battery to maintain power in the event of power outage.
These can provide power for varying periods of time, but are primarily used within Cornwall COIN to provide protection from damage to servers from fluctuating power input and from short term power loss and resumption of power. The UPS is not for the purposes of business continuity as it will not provide power for a building.

User: Any person that accesses the Cornwall COIN. This includes, but is not limited to, Non Executive Directors, GPs, organisation employees, consultants, contractors, researchers, trainees, students and temporary staff.

3. Duties

IT Security Manager - Operational (Cornwall shared service)

The IT Security Manager - Operational is responsible for:
- Ensuring that the organisation has appropriate data encryption capabilities in order to protect data that is processed on mobile IT devices. Data encryption capabilities may include built-in encryption within the hardware itself or the application used for processing where this contains relevant encryption capabilities or through the use of an additional security product with this encryption functionality.
- Ensuring that the data encryption functionality and procedures used have been implemented correctly, are of appropriate strength and fit for purpose.

Cornwall IT Services

Cornwall IT Services are responsible for:
- Maintaining a safe and secure computing environment. More specifically, they are responsible for ensuring that mobile computing users are fully aware of any IT security policy relating to the use of mobile devices or removable media.
- Advising staff how best to operate remotely and ensuring compliance through monitoring.

Information Governance Sub Committee

The Information Governance Sub Committee is responsible for:
- Reviewing and ratifying the Policy.
- Receiving reports of any risks or incidents associated with mobile working.

Line Managers

Line managers are responsible for:
- Ensuring that mobile devices (such as laptops) are required and justified for staff and/or contractors and that alternative (more secure) methods of working, such as a desktop, have been fully considered and a risk assessment undertaken.
- Ensuring that all mobile computing users are fully aware of the IT Security Policies relating to the use of mobile IT devices.
- In collaboration with the IT Security Manager, the day to day management and oversight of mobile IT devices and storage media used within their work areas to ensure this policy is adhered to.
- Ensuring that where data encryption is used, a full auditable record is maintained of the media devices and data involved and its intended purposes including dates of encrypted file creation, transmission and destruction.
- A documented risk assessment in accordance with NHS Information Governance guidance and organisational policy is carried out to help determine if that data should be encrypted.
- Ensure that any PCH mobile IT device is returned when a staff member or contractor leaves or no longer requires the use of it.

Role of Mobile Computing Users

The mobile computing user must accept responsibility for the proper use and security of any mobile IT device in their care. Any misuse of mobile IT devices may be investigated and may lead to disciplinary action being taken, and possibly criminal prosecution.

Mobile IT devices supplied by Cornwall IT Services remain the property of PCH. When purchasing mobile IT devices through Cornwall IT Services it is recommended that the budget holder also purchases adequate support and insurance against damage and theft.

In advance of any sharing of removable media/storage (such as memory sticks, DVDs etc.) the mobile computing user should ensure that:
- information has either been stored to an encrypted device or has been encrypted at the time of storage (e.g. when storing information to a DVD or CD)
- any intended recipient has the correct technical capability to decrypt the data on receipt and that the intended recipient has the necessary authority to view, modify and store the data as necessary in line with the Records Management: NHS Code of Practice
- the pass-phrase or decryption key used for encryption/decryption for files stored to media devices such as DVDs is sufficiently long and complex to prevent access to the encrypted information by unauthorised persons
- removable media is only used as a temporary storage medium, particularly for sensitive or Personal Identifiable Data (PID), and any data stored on removable media is deleted at the earliest opportunity
- any data copied to non-PCH owned computers from removable media is permanently deleted at the earliest opportunity (normal deletion will move the data to the recycle bin)
- the loss (including temporary misplacement) or misuse of removable media holding PCH data is reported immediately to the Cornwall IT Services Service Desk in accordance with the Procedure for Reporting IM&T Security Incidents, including details of any data stored on it
- any faults on or failures of removable media are reported to Cornwall IT Services at the earliest opportunity.

Mobile computing users must:
- apply data encryption procedures in accordance with NHS Information Governance guidelines and in accordance with procedures provided by the IT Security Manager
- never send or store the decryption pass-phrase or key with encrypted removable media
- be made aware of the IT Security Policy, legislation covering IT security, their accountability, and any disciplinary procedures which may be invoked in the event of a breach of IT security.

4. Standards and Practice

Off-Site Usage

It is recognised that the provision of a mobile IT device allows the device to be used both within the Cornwall NHS managed network and away from the normal office environment in locations such as:
- the staff member's home
- a suitably equipped hotel room whilst away on PCH business
- within range of a wireless internet connection (such as a "hotspot")

This list is not exhaustive and the connection to a third-party network (any network other than the Cornwall NHS network, e.g. another corporate network or to a wireless internet connection whilst working within different offices or in a hotel) may require the use of additional hardware and/or software.

If there is any doubt as to the suitability of a particular environment, advice should be sought from the Cornwall IT Services Service Desk. In particular, mobile computing users should ensure that:
- the password used to access any third-party network or the Trust network is not saved electronically
- any password used is entered manually on each login attempt
- the login name and password for a third-party network is different to that which is used to access the Cornwall NHS managed network
- the environment in which the mobile IT device is to be used is suitable, appropriate and has the necessary technical capability to allow the safe use of the device.

Advice should also be sought with regard to the remote working environment and, in particular, the following:

Health and safety issues: health and safety issues are beyond the scope of this document and mobile computing users are responsible for ensuring that the working environment and equipment is used in a way that will not cause harm to the individual or the device.
Advice can be sought from a Health and Safety representative or your line manager.

Physical security issues: mobile computing users should ensure that their monitor cannot be overlooked by unauthorised persons and that information is not stored in a way that can be accessed by unauthorised persons (such as at home on a family PC).

It is essential that sensitive and highly confidential information and PID is only stored on a mobile IT device with the permission of the data system owner and after notifying the Information Governance Manager, and is safely removed from the device at the earliest opportunity.

Connecting and Using a Mobile Device

Potential mobile computing users must confirm acceptance and understanding of this policy prior to use.

Cornwall IT Services will maintain a list of generic authorised mobile IT devices. Prior to use the device will be checked against this list and approved as necessary.

Once approved the mobile IT device will be configured in accordance with the IT Security Policy and good practice guidelines ensuring that where relevant:
- the mobile IT device is capable of accessing the Internet
- staff and contractors are provided with the relevant user name and password to ensure they are able to log on to and access a mobile IT device whilst away from their normal office environment
- any additional hardware and software dictated by the nature of the connection and the access required is purchased, installed and configured correctly.

In the unlikely event that the proposed mobile IT device is not approved, the IT Security Manager will contact the staff member in order to communicate the reasons for rejection.

Application Access Control

Full access to applications stored on a mobile IT device is permitted whilst the mobile IT device user is away from the normal office environment, but it should be borne in mind that the IT Security Policy strictly forbids the downloading, installation or use of unauthorised software onto such devices whether used in a remote environment or not. The use of freeware or shareware that does not benefit from independent security evaluation or that is not approved by the IT Security Manager is not permitted.

Access to applications and systems that contain sensitive information or PID is only permissible on authorised mobile IT devices and should only be accessed by authorised mobile computing users.

Remote access users will only gain access to the Cornwall Trust Network via an authorised encrypted channel (such as iChain/UAG) and a recognised strong authentication token, usually a key fob token.
If a token is lost or stolen it must be reported immediately to the Cornwall IT Services Service Desk in accordance with the Procedure for Reporting IM&T Security Incidents.

File Transfer, Storage and Backups

Before any PCH owned data can be copied and transported on any mobile IT device, permission should be granted by the line manager responsible for the work area or the Information Asset Owner. Before the transfer of PID, permission should also be granted by the Caldicott Guardian or Information Governance Manager.

Sensitive information or PID must not be stored on any unauthorised mobile IT device.

Data intended for storage on a mobile IT device must be considered for its potential impacts if lost, stolen or otherwise compromised. If large amounts of PID are to be
stored on a mobile IT device then a formal risk assessment is required and authorisation from the Head of Information Governance.

Mobile computing users should be trained in the use of encryption tools or application facilities provided, and for the handling of encrypted mobile IT devices.

Mobile computing users are not permitted to download offensive material to any authorised mobile IT device.

All files intended for storage on an authorised mobile IT device will be checked for viruses and malicious content in accordance with current policy, procedures, antivirus configuration and best practice recommendations.

File storage must only be carried out in accordance with the laws that protect copyright, designs and patents and in line with the Records Management: NHS Code of Practice.

Mobile computing users should ensure that information stored on a mobile IT device is backed up to ensure that the data can be recovered for business continuity. Staff and contractors must also take account of the limitations, including those contained within the manufacturer's specification or guarantee, of certain mobile IT devices for the short or long-term storage of data archives or backups. All files and information saved on the Cornwall NHS network will automatically be backed up overnight.

Failure to comply with policy may endanger the information services of the organisation and may result in disciplinary or criminal action.

Off-Site Storage of the Mobile IT Device

Any mobile IT device should be stored safely and securely whilst not in use.
Staff and contractors should be reminded to:
- never leave a mobile IT device unattended in a public place
- never leave a mobile IT device unattended in a non-secure area of your work environment as it could be used or stolen by other individuals
- avoid leaving the mobile IT device within sight of ground floor windows or within easy access of external doors
- store authentication tokens separately from the mobile IT device
- return to the office environment and securely store any mobile IT device if you are not intending to use the device for any period of time (e.g. on holiday)
- report the loss or theft of any authorised mobile IT device or the loss or theft of any authentication token to the Cornwall IT Services Service Desk, including details of any sensitive data or PID stored on the mobile IT device, in accordance with the Procedure for Reporting IM&T Security Incidents.

Access for Others

Authorised mobile IT devices are only for use by authorised mobile computing users to carry out approved duties on behalf of PCH and are subject to the Information and Technology Systems Acceptable Use Policy.

Usernames and passwords are for the authorised mobile computing user's individual use. Mobile computing users will not share their username or password with anyone.
Usernames and passwords provide audit trails for monitoring purposes and sharing of passwords may lead to disciplinary action.

Use of Mobile IT Device outside of the UK

Mobile IT devices taken outside the Cornwall NHS managed network are subject to special security risks: they may be misused, lost, damaged, accidentally destroyed or stolen and may be exposed to unauthorised access or tampering. Mobile IT devices taken abroad may also be at risk from confiscation by police or customs officials.

The use of PCH Mobile IT equipment outside of the UK is prohibited unless special permission has been granted. Requests should be made using the "Application for approval to use mobile IT equipment, outside of the UK" form (see Appendix 1).

IT Security Requirements

PCH has limited or no control over the IT security environment of any network/internet connections made whilst away from the normal office environment. Therefore, before an authorised mobile IT device is connected to a third party network, suitable security precautions should be implemented (such as installation/enabling of a firewall or other suitable IT security software).

The mobile computing user must ensure that the proposed working environment is suitable and secure when working away from the office with regard to the use of mobile IT devices and storage media.

Where practical and technically possible, it is recommended that any authorised mobile IT device is protected by a suitable web content filter before any off-site connection is made. The web content filter client should be configured to restrict the categories of websites that are accessible in line with the office based environment.

Mobile computing users using mobile IT devices supplied by Cornwall IT Services are not permitted to alter the configuration of the device, or any software application installed, unless express permission has been obtained from the IT Security Manager.
Software updates and patches for mobile IT devices must be installed on a regular basis.

Auditing

Cornwall IT Services may monitor or audit all activity on any authorised mobile IT device. This includes, but is not limited to, internet and email access. The audit tools may report usage which logs user name and password, material accessed, date and time stamped and the duration of access.

Mobile IT device users should be aware of their responsibilities with regard to the Data Protection Act 1998, the Freedom of Information Act 2000 and the Environmental Information Regulations. Any questions as to whether documents stored on the mobile IT device should be declared under any of the above mentioned acts should be directed to their line manager.

5. Risk Management Strategy Implementation

5.1 Dissemination & Implementation

The Mobile IT Security Policy will be stored electronically on the Trust's Document Library. Mobile computing users will be informed of their responsibilities, monitoring and enforcement for mobile IT device use at the following intervals:
- deployment: a copy of this policy will be made available to the mobile computing user upon initial deployment of the mobile IT device;
- ongoing: mobile computing users will be notified periodically of their responsibilities via splash screens displayed when the user accesses the Internet or when they access GroupWise Webmail.

5.2 Training and Support

The Cornwall IT Services Service Desk should be contacted for support or to report an incident on ( ) 1717 or via cits.servicedesk@cornwall.nhs.uk. Support is available 8am to midnight, 7 days a week.

Whilst every endeavour will be made by Cornwall IT Services to assist a mobile computing user whilst working away from their normal office environment, it must be stressed that support for an authorised mobile IT device may be limited to basic troubleshooting procedures via telephone support. Any work requiring a site visit may only be carried out at a recognised work premises.

5.3 Monitoring Compliance and Effectiveness

The IT Security and Registration Authority Manager is responsible for the monitoring of this policy and its supporting documentation. Monitoring will be conducted via regular audits and staff briefing/training sessions delivered locally to ensure that Cornwall IT Services personnel are kept up to date on the latest procedures and processes.

Element to be monitored: All mobile IT use is subject to monitoring to mitigate against data loss/unauthorised disclosure.
Lead: IT Security Manager - Operational
Tool: Monitoring will be conducted via regular audits and staff briefing/training sessions delivered locally to ensure that Cornwall IT Services personnel are kept up to date on the latest procedures and processes.
Frequency: A mixture of real time monitoring/event reporting and review of historic logs.
Reporting arrangements: Incidents or breaches of this policy are reported to the Information Governance Manager, which may also be reported to the Information Governance Sub Committee or SIRO depending on their seriousness.
Acting on recommendations and Lead(s): Recommendations will be made by the Clinical Informatics Development Plan Board, IGSC, IT Security Management Team and National best practice. Implementation action plans will be agreed by PCH IGSC, Clinical Informatics Development Plan Board and update reports will be provided as appropriate.
Change in practice and lessons to be shared: Any lessons learnt during the reviews and audits will inform and update the Acceptable Use Policy which will be presented to the appropriate IGSC for consultation and ratification.

5.4 Updating and Review

This Policy will be reviewed no later than every three years. Revisions can be made ahead of the review date when the procedural document requires updating. Where the revisions are significant and the overall policy is changed, the IT Security Management Team will re-submit the Policy to the organisation's IGC/IGSC for consultation, ratification and dissemination. Where the revisions are minor, e.g. amended job titles or changes in the organisational structure, approval can be sought from the Executive Director responsible for signatory approval, and can be re-published accordingly without having gone through the full consultation and ratification process. Any revision activity is to be recorded in the version control table as part of the document control process.

5.5 Equality Impact Assessment

This Policy complies with the PCH Equality and Diversity Policy and will be reviewed by the organisation's Information Governance Sub Committee to ensure compliance with the local Equality and Diversity Policies.

The organisation is committed to a Policy of Equal Opportunities in employment.
The aim of this policy is to ensure that no job applicant or employee receives less favourable treatment because of their race, colour, nationality, ethnic or national origin, or on the grounds of their age, gender, gender reassignment, marital status, domestic circumstances, disability, HIV status, sexual orientation, religion, belief, political affiliation or trade union membership, social or employment status or is disadvantaged by conditions or requirements which are not justified by the job to be done. This policy concerns all aspects of employment for existing staff and potential employees.

6. Associated Documentation

This document references the following supporting documents which should be referred to in conjunction with the document being developed.

Links to key external standards / Related Documents:
- Records Management: NHS Code of Practice
- Confidentiality: NHS Code of Practice
- The Data Protection Act 1998
- HMG Security Policy
- HSCIC IG Toolkit
- The Health and Safety at Work Act 1974
- Companies Act 1985
- Copyright, Designs and Patents Act 1988
- Computer Misuse Act 1990
- Human Rights Act 1998
- Regulation and Investigatory Powers Act 2000
- Freedom of Information Act 2000
- Health and Social Care Act 2000
- Electronic Communications Act 2000
- Private Security Industry Act 2001
- Copyright and Related Rights Regulations 2003
- Police and Justice Act 2006
- Fraud Act 2006
- The IT Security Policy
- Acceptable Use Policy
- Policy for the safe disposal of IM&T equipment and electronic media
- Malicious Software Policy
- Policy
- Policy for managing health records
- Policy for Recordings and Photography
- Disciplinary Policy
- Equality and Diversity policies
- Fraud and Corruption Policy/Counter Fraud and Corruption Policy

7. Appendix 1

Application for approval to use mobile IT equipment, outside of the UK.

Section 1 - Request Details
Name:
Tel No:
Job title:
Email address:
Device Make/Model:
Asset / CITS Reference No:
Date Leaving the UK: / /
Date Returning: / /
Countries being visited:
Reason for request:
Type of Person Identifiable Data (PID):
Is this data sensitive e.g. health or corporate?
How will the data be used?
Will the data be anonymised?
Signature:
Date: / /

Upon completion please forward to the next section signatory. All sections of this form must be signed and dated for authorisation to be granted. Following CITS signoff this form should be returned to the IG Manager.
Section 2 - Information Asset Owner (IAO)

Carry out a risk assessment based on the information provided in section 1 and attach completed paperwork to this form. Consider the following:

- The extent to which the Country has adopted data protection standards within its laws
- Ways to ensure standards are achieved in practice
- Is there an effective procedure in place to ensure that individuals can enforce their rights, or claim compensation?

IAO Name:
Tel No:
Assessment Attached: YES / NO
Reference Number:
Signature:
Date: / /

Section 3 - Information Governance Manager

Name:
Tel No:
Recommendations:
Signature:
Date: / /

Section 4 - Senior Information Risk Owner (SIRO)

Name:
Tel No:
Recommendations:
Signature:
Date: / /

Section 5 - Cornwall Information Technology Service (CITS)

Actions Carried Out:
Name:
Tel No:
Signature:
Date: / /
8. Appendix 2. Initial Equality Impact Assessment Form

Name of the strategy / policy / proposal / service function to be assessed (hereafter referred to as policy): Mobile IT Security Policy
Directorate and service area: Cornwall IT Services
Is this a new or existing Policy? Existing
Name of individual completing assessment: Andrew Mann
Telephone:

1. Policy Aim* Who is the strategy / policy / proposal / service function aimed at?
This Policy is to protect against the unauthorised disclosure of patient or organisationally sensitive information for individuals who are working away from the normal security controls applied at main places of work. These individuals are referred to as mobile workers, although it does include temporary home working, as these controls are to protect the information whilst in transit.

2. Policy Objectives*
To define the equipment, standards and behaviour to protect information whilst working in a more flexible environment.

3. Policy intended Outcomes*
To protect patient and organisationally sensitive information from unauthorised disclosure.

4. *How will you measure the outcome?
Incident monitoring and external penetration testing.

5. Who is intended to benefit from the policy?
Patients, the organisation and users of the Cornwall Health Community ICT infrastructure and devices.

6a) Is consultation required with the workforce, equality groups, local interest groups etc. around this policy?
No

b) If yes, have these *groups been consulted?
n/a

c) Please list any groups who have been consulted about this procedure.
Cornwall Health Community Information Governance Sub Committee.

7. The Impact
Please complete the following table. Are there concerns that the policy could have differential impact on:

Equality Strands (columns: Yes / No / Rationale for Assessment / Existing Evidence):

- Age
- Sex (male, female, transgender / gender reassignment)
- Race / Ethnic communities / groups
- Disability - Learning disability, physical disability, sensory impairment and mental health problems
- Religion / other beliefs
- Marriage and civil partnership
- Pregnancy and maternity
- Sexual Orientation, Bisexual, Gay, heterosexual, Lesbian

Mobile working enables access to information regardless of physical location. This reduces the need for travelling to specific locations and therefore is of benefit to those with mobility requirements.

You will need to continue to a full Equality Impact Assessment if the following have been highlighted:

- You have ticked Yes in any column above and
- No consultation or evidence of there being consultation - this excludes any policies which have been identified as not requiring consultation. or
- Major service redesign or development

8. Please indicate if a full equality analysis is recommended. Yes No

9. If you are not recommending a Full Impact assessment please explain why.

Signature of policy developer / lead manager / director
Date of completion and submission
Names and signatures of members carrying out the Screening Assessment