Information Technology and Governance Committee
ITGC15-P27

Paper Title: Enhancing Information Governance at Loughborough University
Author: Information Governance Sub-Committee

1. Specific Decision Required by Committee

ITGC is asked to note:
- The overall progress made in the three key strands of activity that have been identified as priority areas following work previously undertaken by the Sub-Committee.

And comment on:
- Progress made to date on specific draft policies (Appendix 1 and Appendix 2). These policies are not yet complete and further work is required to ensure that they meet the requirements of the revised framework previously approved by ITGC.

2. Relevance to University Strategy

Contributes to Para 4.1 of the strategic implementation plan: Ensure that our governance and infrastructure are:
- efficient
- able to support change effectively
- able to support collaborative initiatives
- valued by staff and students

Also contributes to risk management and effective legal compliance.

3. Executive Summary

This paper presents an update on recent work undertaken to improve the University's approach to Information Governance and security. An action plan has been developed to address gaps in policy, training and procedures in the area of information governance in order to reduce risk, provide reassurance to partners, individuals and Council that data is held and used appropriately and securely, and ensure that the institution is compliant with relevant legislation and good practice.

4. Essential Background Information

ITGC15-P19

5. Risks, Risk Mitigation and Governance/Accountability

This is a potential area of major risk for the institution. A recent incident involving personal data highlighted some of the issues. The CUC governance code expects the governing body to manage risk and ensure legal compliance across the institution's activities.

6. Implications for other activities

The implementation of the wider Information Governance action plan will require input from various key stakeholders from across the campus and commitment from the majority of staff. If approved, mandatory training will need to be incorporated into the staff probationary period and staff development portfolio.

7. Resource and Cost

£16k for initial training package for staff and research students over three years. Other resource implications may emerge as work proceeds.

8. Alternative Options considered

Do nothing: significant risk and potential that some research partners would refuse to work with us.

9. Other Groups/Individuals consulted

A wide range of professional staff representing all of the key services within the University have been involved in this work to date. Greater academic staff input will be sought in the next stages of the action plan.

10. Future Actions, Timescales & Frequency of Review by this Committee

Further information provided with the main body of the paper.

11. Success Criteria (KPIs)

No negative information related incidents, increased speed of handling of Data Protection and Freedom of Information requests. Straightforward responses to requirements of research funders and partners.

12. University Executive comment (required for Council papers only)
1. Background

Following initial work undertaken by the Information Governance Sub-Committee and IT and Governance Committee, an overarching policy for Information Governance was approved by Senate and Council in March. The following three strands of core activity have been identified as priority areas for action to enable the University to identify and address gaps in policy, training and procedures in the area of information governance.

(a) Plan and deliver effective staff communications and training.
(b) Develop and implement a comprehensive set of Information Governance and Security sub-policies.
(c) Conduct an initial University-wide Data Review, to be undertaken via self-assessment, by each of the Schools and Professional Services.

Work has commenced in each of these areas and progress is detailed below.

2. All-Staff and Research Student Training

Embedded within the high level Information Governance Policy is a commitment to delivering compulsory training to all staff and research students. Following a review of materials available, two online training packages were considered in detail and a proposed option was put to Operations Committee. Approval has now been given to purchase the module provided by LEO Learning Ltd at a total cost of around £16,000 for a three year licence covering 4,000 users.

Following successful procurement of the training module (currently in process), an IT development project will be undertaken to enable a) the module to be incorporated into the LEARN environment and b) completion data to be imported into iTrent to allow for accurate monitoring and reporting on engagement by staff. It is anticipated that this work will be completed to enable launch of the training in the autumn term.

The training module will be mandatory for all staff, and probationary sign-off for new staff will be subject to it being completed. Further work will now be undertaken with Human Resources and Staff Development to agree how this will be implemented. An effective communications strategy will also be agreed to ensure that staff are aware of the importance of completing the module and the context within which they are being required to undertake it. Arrangements are being discussed to incorporate the training into the Graduate School programme for research students.

3. Information Governance and Security Sub Policies

Following approval of the revised policy framework by ITGC (ITGC15-P19), further work has been undertaken on a number of the draft Sub Policies. The main focus of this work is to ensure that the policies are:

- Policies must have a clear audience and be accessible to that audience.
- Roles and responsibilities identified within policies should be explicit (as far as possible by naming job roles, and/or making reference to whether the School/Professional Service or IT Services are responsible).
- Policies should be as short as is consistent with being fit for purpose.
- New policies should incorporate/supersede all existing information related policies and ensure proper cross referencing/updating to other policies (e.g. HR policies) to avoid duplication and inconsistency and minimise the updating burden.
- In the less technical policies (i.e. the ones not specifically about IT), the wording must be inclusive and/or address all formats in which information might be held (e.g. electronic or hardcopy).
- Policies should address both corporate systems (managed by IT Services) and local systems throughout (mainly or wholly managed by Schools and Professional Services), as determined by the outcomes of the upcoming Data Review.

As has been specified in previous papers, IGSC recognises the importance of consultation with relevant stakeholders to ensure that the policies remain workable in practice (e.g. a Research Data Management group is being convened to review specific draft policies within the context of the research activities undertaken by the University).

Work will continue on each policy and final drafts will be submitted to ITGC for further comment and approval, before formal approval is sought from Senate/Council in the autumn term.

ITGC is asked to review the initial drafts of the Information Sharing Policy (Appendix 1) and the Bring Your Own Device Policy (Appendix 2) and comment upon their future development in the context of the principles outlined above.

4. Data Review

A Data Review pro-forma, requesting details of information types held and the formats in which they are held, was circulated for completion by all Schools and Professional Services in May. To date we have received 14 returns.

The initial findings of the returns received thus far suggest that a significant amount of the data held by the University is stored securely in systems that are monitored and maintained by IT Services. However, it is also clear that in some cases data may be being stored in less secure environments, which do not have oversight by IT Services and may lack appropriate security arrangements.

Once all returns have been received, more detailed analysis of the data will be undertaken in order to identify further areas of good practice as well as those areas that might be identified as areas of concern. A report will be prepared and circulated to Schools and Services providing detailed analysis of the findings of the Review and planned follow up work to be undertaken as a result. Further updates will be provided to Senate and Council in the autumn term.
APPENDIX 1

Information Sharing Policy

NOTE: This draft remains at an early stage, and further work is required to ensure that the technical aspects of the policy are balanced by the relevant context and guidance. Most importantly, whilst ensuring compliance with legislation, the policy must also remain applicable to activity being undertaken by users within the University.

Policy Overview

The sharing of information is an integral part of many of the core processes that are undertaken on a daily basis by individuals within the University. In many cases, information is shared internally and this can be done via University maintained systems (shared workspaces, networked databases etc.). In other cases, there may be a requirement to share information externally with a third party (e.g. for reporting purposes). PROVIDE MORE DETAILED EXAMPLES/CONTEXT

In all cases, information sharing should only be undertaken in a manner that references the following:
- Data integrity/accuracy
- Securely protect against loss
- Complies with FOI/DP legislation where relevant

Provide examples of the above?

The University handles a large amount of data classified at different levels. This policy section looks to minimize the loss, unauthorized disclosure, modification or removal of sensitive information maintained by the University while trying to maintain the open nature of the organisation.

Policy Audience

This policy applies to all members of staff, research students and third parties (third parties will be covered by Information Sharing Agreements) who have access to and share Loughborough University information as part of their job role or studies.

Policy Introduction

This policy covers the sharing of information, which has been classified at different levels, and the mechanisms used to share such data. This policy covers the following sharing mechanisms:
- Networked storage systems (workspaces, databases);
- Removable Electronic media;
- Cloud Services.

Prior to being shared, it is important that the information is correctly classified. [FURTHER CONTEXT RE: HOW THE CLASSIFICATION OF INFORMATION SHOULD DETERMINE HOW IT IS SHARED RECOMMENDATIONS]

The following information classifications are covered under this section (cross reference to the Information Classification Policy and ensure that there is consistency across both policies):
- Highly sensitive (medical records etc);
- Sensitive (commercially sensitive, PPI);
- Restricted (research data, teaching and learning information).

Before classified information is copied, transported or shared, consent must be obtained from the data owner.

Networked storage systems

[GIVE EXAMPLES OF WHERE SHARING INFORMATION VIA THIS MEDIUM IS APPROPRIATE RECOMMENDED]

Networked storage systems refer to maintained spaces that [FILL]
- Shared workspaces
- Networked databases

Removable Electronic Media

[GIVE EXAMPLES OF WHERE SHARING INFORMATION VIA THIS MEDIUM IS APPROPRIATE/RECOMMENDED]

Electronic media refers to all types of computer storage which are not physically fixed inside a computer and includes the following:
- Memory cards (like those used in cameras), USB pen drives etc;
- Removable or external hard disk drives;
- Newer Solid State (SSD) drives;
- Mobile devices (iPod, iPhone, iPad, MP3 player);
- Optical disks i.e. DVD and CD;
- Floppy disks;
- Backup Tapes.

The use of electronic media is not prohibited and is an essential part of everyday business within some parts of the University.

All users of electronic media must ensure:
- That anti-virus software is present and up to date on machines which data is taken from and machines which data is transferred to;
- Only information which has been classified as not classified and/or published is transported on standard devices.

Users wishing to transport and/or share classified information using electronic media MUST ensure:
- When electronic media is used to transport classified information, the data on the device is encrypted to the highest recommended encryption standard (AES-256) IT Services Recommended devices;
- Research grants may require a certified level of encryption to a standard such as FIPS. If this is stipulated by the research contract, please contact IT Services for further assistance;
- Mobile devices and/or electronic storage devices containing classified information should not be sent off site without prior agreements. IT Services should be consulted to ensure the level of security is appropriate for the type of data being transferred;
- Electronic media used to store classified information shall only be used by authorised individuals and where there is a clear business need;
- Data stored on the electronic media is the responsibility of the individual who operates the device.
- That should the encryption password be forgotten, the information held on the electronic media will be rendered unreadable. Therefore electronic media should not be used to store information which is not securely backed-up in a central location.
- That the electronic media is physically protected against loss, damage, abuse or misuse when in use, storage and transit.
- That electronic media which may have become damaged is handed back to local IT Support or IT Services to guarantee it is disposed of securely to avoid any data leakage.
- That when the business purpose has been satisfied, the content of the media used is securely removed through a destruction method that makes the recovery of data impossible.
- Where electronic media containing classified information needs to be posted to third parties, services that provide tracking and auditing should be favored. The decryption password should not be in the same package as the media in question. Passwords should be provided to third parties either in person or via a telephone call.

Cloud Services

The use of cloud-based storage makes collaboration and sharing of information very easy and convenient [PROVIDE EXAMPLES]. The University does not prohibit the use of cloud services. [NEED TO GIVE EXAMPLES OF WHERE SUCH USE WOULD BE RECOMMENDED]

This policy refers to but is not limited to the following cloud-based storage:
- Dropbox;
- Google Drive;
- Microsoft OneDrive.

Where possible classified information should not be stored or shared via cloud-based storage services. Cloud-based storage should only be used with the approval of the data owner. IT Services should also be consulted to evaluate the sensitivity of the information and to investigate alternate options.

Where cloud-based storage is the only viable option, users of such services MUST ensure:
- All classified information is encrypted prior to being stored, transmitted or shared;
- No encryption passwords are stored within the same storage provider;
- Decryption of encrypted information must never take place within the cloud environment;
- For research data, research grant contracts should be consulted, as many organisations prohibit the use of cloud-based storage for the research data;
- When sharing classified information, passwords should not be shared via unsecure means such as ;
- The encrypted version of the information is not the sole source and that secure back-ups are stored on a central location;
- Classified information stored on cloud-based storage is the responsibility of the individual [LINK TO ROLES AND RESPONSIBILITIES RESPONSIBILITY OF MANAGER TO ENSURE THAT ADEQUATE TRAINING/GUIDANCE IS PROVIDED].
- Once the classified information is no longer required, that it be removed from cloud-based storage.

Document Control

Version | Author | Date | Version Detail
V0.1 | Niraj Kacha | 22nd May 2015 | First draft

Review/Approval History

Organisation | Action | Date
APPENDIX 2

Bring Your Own Device

NOTE: This draft remains at an early stage, and further work is required to ensure that the technical aspects of the policy are balanced by the relevant context and guidance. Most importantly, whilst ensuring compliance with legislation, the policy must also remain applicable to activity being undertaken by users within the University.

Policy Overview

The University recognises the benefits brought by the use of personal devices in work and welcomes it. [EXAMPLES OF BENEFITS AND SCENARIOS]

The purpose of this section is to reduce the risk in using BYOD (Bring Your Own Device). Such risks may come from devices being lost or stolen, exploited or used in such a way to take advantage of the user or the University [EXAMPLES OF HOW DEVICES MIGHT BE COMPROMISED].

Policy Audience

This policy applies to all members of staff, students and external contractors using personally owned devices to store, access, carry, transmit, receive or use Loughborough University information systems. This section covers, but is not limited to, the following types of devices:
- Laptops;
- Notebooks;
- Tablet computers;
- Smart phones;
- Smart watches.

Policy Introduction

This policy covers the use of non-university (personally) owned electronic devices to access corporate systems and store University information, alongside their own data.

If you wish to BYOD to access University systems, data and information you may do so, provided that you follow the provisions of this policy. [GIVE EXAMPLES OF WHEN DEVICES MIGHT BE USED]

It is the University's intention to place as few technical and policy restrictions as possible on BYOD subject to the University meeting its legal and duty of care obligations. [RE-WORD AND ADD CONTEXT]

Responsibilities of BYOD Users

The University takes Information and Systems Security very seriously and invests significant resources to protect data and information in its care.

Individuals who make use of BYOD must take responsibility for their own devices and how they use them [ROLES AND RESPONSIBILITIES SENIOR MANAGEMENT SHOULD ENSURE THAT USE OF BYOD IS APPROPRIATE AND THAT USERS ARE AWARE OF POLICY]. They must:
- Familiarise themselves with their device and its security features so they can ensure the safety of University information (as well as their own);
- Invoke the relevant security features;
- Maintain the device themselves ensuring it is regularly patched and upgraded.

Individuals using BYOD must take all responsible steps to:
- Prevent the theft and loss of data;
- Keep information confidential where appropriate;
- Maintain the integrity of data and information;
- Take responsibility for any software that is downloaded onto the device.

Individuals using BYOD must:
- Set up passwords, passcodes, passkeys or biometric equivalents. These must be of sufficient length and complexity for the particular type of device;
- Set up location tracking services and remote wipe facilities where available and implement a remote wipe if the device is lost or stolen;
- Encrypt devices where possible;
- Not hold any information that is sensitive, personal, confidential or of commercial value on personally owned devices. Where access to such data is required, staff should make use of the VPN service;
- Ensure relevant information is copied back to central University information systems, managing any potential data integrity issues with existing information;
- Be aware of any Data Protection issues to ensure personal data is handled correctly;
- Report any security breach immediately to IT Servicedesk in accordance with the Information Security Policy;
- Ensure that no University information is left on any personal device indefinitely. Particular care must be taken if a device is disposed of/sold/transferred to a third party.

Monitoring and access

The University will not monitor the content of your personal devices; however, the University has the right to monitor and log data traffic transferred between your device and University systems, both over internal networks and entering the University via the Internet.

The University also reserves the right to:
- Prevent access to a particular device from either wired or wireless networks or both;
- Prevent access to a particular system;
- Disable user accounts if deemed to have been compromised;
- Take all necessary and appropriate steps to retrieve information owned by the University.

From time to time, the University may require that you install or update University-approved device management software on your own device.

Public Cloud Services

Cloud-based storage facilities, such as Dropbox or Google Drive, allow individuals to access and share files. Any information owned by the University that is confidential, sensitive, personal or of commercial value must not be stored on public cloud-based storage facilities.

Private secure storage

From time to time, staff will be required to store information on private secure storage owned by partner organisations, e.g. when collaborating with another University or industry partner. Individuals using such facilities are responsible for ensuring that they meet a suitable level of security to comply with all legal and commercial needs of the University and that all Data Protection Legislation is complied with prior to using the facility.

Social Networking Sites

No information of a confidential, sensitive, personal or commercially valuable nature belonging to the University should ever be posted on to a social networking site.

Loss, Theft or Damage of Device

If a device is lost or stolen that holds confidential, sensitive or commercially valuable information belonging to the University, this should be reported to the IT Servicedesk, regardless of who owns the device. Staff should also make appropriate enquiries in attempts to locate the device and report to the appropriate authorities.

The University takes no responsibility for supporting, maintaining, repairing, insuring or otherwise funding employee-owned devices, or for any loss or damage resulting from support and advice provided.

Data Protection and BYOD

The University must process personal data, i.e. data about identifiable living individuals, in accordance with the Data Protection Act (1998). Sensitive personal data is information that relates to race/ethnic origin, political opinions, religious beliefs, trade union membership, health (mental or physical) or details of criminal offences. This category of information should be handled with a higher degree of protection at all times.

The University recognises that there are inherent risks with using personal devices to hold personal data. Therefore, staff must follow the guidance provided in this section when considering using BYOD to process personal data.

A breach of the Data Protection Act can lead to the University being fined up to £500,000. Any member of staff found to have deliberately breached the act may be subject to disciplinary measures, having access to the University's facilities withdrawn or even criminal prosecution.

Document Control

Version | Author | Date | Version Detail
V0.1 | Niraj Kacha | 22nd May 2015 | First draft

Review/Approval History

Organisation | Action | Date
More informationData Security Policy. 1. Document Status. Version 1.0. Approval. Review By June 2011. Secure Research Database Analyst. Change History. 1 Version 1.
Data Security Policy 1. Document Status Security Classification Level 4 - PUBLIC Version 1.0 Status DRAFT Approval Life 3 Years Review By June 2011 Owner Secure Research Database Analyst Change History
More informationHIPAA Security COMPLIANCE Checklist For Employers
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
More informationPortable Devices and Removable Media Acceptable Use Policy v1.0
Portable Devices and Removable Media Acceptable Use Policy v1.0 Organisation Title Creator Oxford Brookes University Portable Devices and Removable Media Acceptable Use Policy Information Security Working
More informationWhy do we need to protect our information? What happens if we don t?
Warwickshire County Council Why do we need to protect our information? What happens if we don t? Who should read this? What does it cover? Linked articles All WCC employees especially mobile and home workers
More informationSmall businesses: What you need to know about cyber security
Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...
More informationSUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices
SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices 8-27-2015 4-007.1 Supersedes 4-007 Page Of 1 5 Responsible Authority Vice Provost for Information
More informationData Transfer Policy. Data Transfer Policy London Borough of Barnet
Data Transfer Policy Data Transfer Policy London Borough of Barnet Document Control POLICY NAME Data Transfer Policy Document Description Policy surrounding data transfers (electronic and paper based).
More informationUniversity of Sunderland Business Assurance Over-arching Information Governance Policy
University of Sunderland Business Assurance Over-arching Information Governance Policy Document Classification: Public Policy Reference Central Register IG001 Policy Reference Faculty / Service IG 001
More informationHow To Protect School Data From Harm
43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:
More informationRemote Access and Network Security Statement For Apple
Remote Access and Mobile Working Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Remote Access and
More informationCOVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name
COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name Introduction Removable Media and Mobile Device Policy Removable media and mobile devices are increasingly used to enable information access
More informationUSE OF PERSONAL MOBILE DEVICES POLICY
Policies and Procedures USE OF PERSONAL MOBILE DEVICES POLICY Date Approved by Information Strategy Group Version Issue Date Review Date Executive Lead Information Asset Owner Author 15.04.2014 1.0 01/08/2014
More informationICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation
ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationBARNSLEY CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLICY
Putting Barnsley People First BARNSLE CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLIC Version: 2.0 Approved By: Governing Body Date Approved: Feb 2014 (initial approval), March
More information1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...
Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless
More informationCorporate Information Security Policy
Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives
More informationData and Information Security Policy
St. Giles School Inspire and achieve through creativity School Policy for: Date: February 2014 Data and Information Security Policy Legislation: Policy lead(s) The Data Protection Act 1998 (with consideration
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationData Protection Policy June 2014
Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:
More informationUniversity of Liverpool
University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October
More informationECSA EuroCloud Star Audit Data Privacy Audit Guide
ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationMobile Devices Policy
Mobile Devices Policy Item Policy description Division Director Contact Description Guidelines to ensure that mobile devices are deployed and used in a secure and appropriate manner. IT Services and Records
More informationREMOTE WORKING POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More informationDocument Type Doc ID Status Version Page/Pages. Policy LDMS_001_00161706 Effective 2.0 1 of 7 Title: Corporate Information Technology Usage Policy
Policy LDMS_001_00161706 Effective 2.0 1 of 7 AstraZeneca Owner Smoley, David Authors Buckwalter, Peter (MedImmune) Approvals Approval Reason Approver Date Reviewer Approval Buckwalter, Peter (MedImmune)
More informationUniversity of Limerick Data Protection Compliance Regulations June 2015
University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick
More informationCYBERSAFETY USE AGREEMENT for Cambridge High School Students
CYBERSAFETY USE AGREEMENT for Cambridge High School Students Cambridge High School This document is comprised of this cover page and three sections: Section A: Introduction Section B: Cybersafety Rules
More informationINITIAL APPROVAL DATE INITIAL EFFECTIVE DATE
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
More information1. (a) Full name of proposer including trading names if any (if not a limited company include full names of partners) Date established
Network Security ProPosal Form Important Please answer all questions from each section and complete in block capitals. Tick the appropriate boxes where necessary and supply any further information requested.
More informationSo the security measures you put in place should seek to ensure that:
Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.
More informationInformation Security Policy
Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is
More informationInformation Security Policy London Borough of Barnet
Information Security Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Document Description Information Security Policy Policy which sets out the council s approach to information
More informationOperational Risk Publication Date: May 2015. 1. Operational Risk... 3
OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...
More informationInformation Security Programme
Information Security Programme Information Security Policy This document is issued in the strictest business confidence. It should be read in conjunction with a number of other supporting and complementary
More informationConsumer Device Policy (Smartphones / Tablets) BYOD (Bring Your Own Device)
Consumer Device Policy (Smartphones / Tablets) BYOD (Bring Your Own Device) Policy Number: 422 Supersedes: - Standards For Healthcare Services No/s 1, 5, 19 New Version Date Of Reviewer Completed Date
More informationHow To Understand The Bring Your Own Device To School Policy At A School
The Thomas Hardye School Bring Your Own Device to School (BYOD) Policy for Students Adopted by Personnel & Resources Committee 1 st September 2014 Review date: 31 st August 2015 Signed by Chair:. CONTENTS
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More informationCloud Software Services for Schools
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online
More informationMapping the Technical Dependencies of Information Assets
Mapping the Technical Dependencies of Information Assets This guidance relates to: Stage 1: Plan for action Stage 2: Define your digital continuity requirements Stage 3: Assess and manage risks to digital
More informationStandard Operating Procedure. Secure Use of Memory Sticks
Standard Operating Procedure Secure Use of Memory Sticks DOCUMENT CONTROL: Version: 2.1 (Amendment) Ratified by: Finance, Infrastructure and Business Development Date ratified: 20 February 2014 Name of
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial
More informationTitle: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION
Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for
More informationInformation Security Policies. Version 6.1
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
More informationSomerset County Council - Data Protection Policy - Final
Organisation Title Author Owner Protective Marking Somerset County Council Data Protection Policy - Final Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council
More informationInformation Governance Strategy
Information Governance Strategy THCCGCG9 Version: 01 The information governance strategy outlines the CCG governance aims and the key objectives of its governance policies. The Chief officer has the overarching
More informationData Encryption Policy
Data Encryption Policy Please be aware that this printed version of the Policy may NOT be the latest version. Staff are reminded that they should always refer to the Intranet for the latest version. Purpose
More informationAngard Acceptable Use Policy
Angard Acceptable Use Policy Angard Staffing employees who are placed on assignments with Royal Mail will have access to a range of IT systems and mobile devices such as laptops and personal digital assistants
More informationTameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:
Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether
More informationUSB Data Stick Procedure
SH IG 41 INFORMATION SECURITY SUITE OF POLICIES Procedure for the Management of Personal Data Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review : This procedure
More informationScottish Rowing Data Protection Policy
Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this
More informationData Protection Policy
Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review
More informationCCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY
CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationRemote Access and Home Working Policy London Borough of Barnet
Remote Access and Home Working Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Remote Access and Home Working Policy Document Description This policy applies to home and
More information2.0 RECOMMENDATIONS Members of the Committee are asked to note the information contained within this report.
REPORT TO: SCRUTINY COMMITTEE 25 JUNE 2013 REPORT ON: REPORT BY: INTERNAL AUDIT REPORTS CHIEF INTERNAL AUDITOR REPORT NO: 280-2013 1.0 PURPOSE OF REPORT To submit to Members of the Scrutiny Committee a
More informationStorage, backup, transfer, encryption of data
Storage, backup, transfer, encryption of data Veerle Van den Eynden UK Data Archive Looking after your research data: practical data management for research projects 5 May 2015 Overview Looking after research
More informationThird Party Security Requirements Policy
Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,
More informationResearch Governance Standard Operating Procedure
Research Governance Standard Operating Procedure The Management and Use of Research Participant Data for Secondary Research Purposes SOP Reference: Version Number: 01 Date: 28/02/2014 Effective Date: Review
More informationPAPER RECORDS SECURE HANDLING AND TRANSIT POLICY
PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY CORPORATE POLICY Document Control Title Paper Records Secure Handling and Transit Policy Author Information Governance Manager ** Owner SIRO/CIARG Subject
More informationResearch Information Security Guideline
Research Information Security Guideline Introduction This document provides general information security guidelines when working with research data. The items in this guideline are divided into two different
More informationIxion Group Policy & Procedure. Remote Working
Ixion Group Policy & Procedure Remote Working Policy Statement The Ixion Group (Ixion) provide laptops and other mobile technology to employees who have a business requirement to work away from Ixion premises
More information