Review of Education and Training on Law Enforcement Data Security in Victoria Police. March 2008 Commissioner for Law Enforcement Data Security

Size: px
Start display at page:

Download "Review of Education and Training on Law Enforcement Data Security in Victoria Police. March 2008 Commissioner for Law Enforcement Data Security"

Transcription

1 Review of Education and Training on Law Enforcement Data Security in Victoria Police March 2008 Commissioner for Law Enforcement Data Security

2 Acknowledgement This report was prepared for the Commissioner by Ros Carter, Senior Policy Advisor, Office of the Commissioner for Law Enforcement Data Security, in consultation with relevant areas and employees of Victoria Police. The cooperation of those members of Victoria Police who provided input to the review is gratefully acknowledged, as is the contribution made by Mr Gary Sauvarin, Senior Project Officer Information Security, Office of the Commissioner for Law Enforcement Data Security. Published by: The Commissioner for Law Enforcement Data Security PO Box 281 World Trade Centre Melbourne Victoria 8005 May 2008 Copyright State of Victoria, 2008

3 Table of Contents Executive Summary 5 1 Introduction Objective of Review Scope of Review Review Methodology 13 2 Information Security Awareness Training in Victoria Police Induction Training CLEDS Expectations Education Department School of Local Policing Induction Training for Victoria Police public 16 servant employees, consultants and contractors Training in the use of LEAP Observations and Analysis Discussion and Conclusions Assessment of Achievement against Standard Recommendations Ongoing Training on Information Security Awareness CLEDS Expectations Education Department: Victoria Police Academy Education Department: Training Consultancy Unit Airlie Leadership Development Centre Business Information Technology Services Ethical Standards Department Regional Training Officers Observations and Analysis Discussion and Conclusions Assessment of Achievement against Standard Recommendations 33 3 Victoria Police Agreements with Approved Third Party Organisations CLEDS Expectations Methodology Observations and Analysis Discussion and Conclusions 34

4 3.5 Assessment of Achievement against Standard Recommendations 37 4 Summary and Recommendations 38 Appendix A: Information Security Awareness Training provided 43 to Victoria Police Sworn Members and Public Servant Employees Appendix B: Survey of recently graduated Victoria Police Sworn 56 members: Key Findings Appendix C: Survey of Regional Training Officers 58 Appendix D: List of Victoria Police staff consulted for the Review 63 Appendix E: Review of MOU/Agreements between Victoria Police 64 and Approved Third Parties Appendix F: Response to the Report by the Chief Commissioner of Police 68

5 Executive Summary Background The Review Under the Commissioner for Law Enforcement Data Security Act 2005, the Commissioner is required to undertake monitoring activities, including audits, to monitor compliance by Victoria Police with standards and protocols established under the Act. A review has been conducted of the extent to which Victoria Police is meeting the requirements set in Standard 7 and protocol 7.1 of the Standards for Victoria Police Law Enforcement Data Security. The Review documents the information security awareness education and training provided to Victoria Police staff (sworn members and public servant employees) and the training requirements Victoria Police places on external agencies and organisations (Approved Third Parties) who have access to law enforcement data. An assessment rating of Compliant (where Standard requirements are implemented and operating), Partially Compliant (where not all requirements are implemented) or Non Compliant (where there is no evidence of action being taken to review and implement Standard requirements) is assigned as a result of the review. The review separately considered the delivery of induction and ongoing training to Victoria Police employees and the training requirements documented in Agreements with Approved Third Parties. A draft version of the report was provided to the Chief Commissioner of Police for information, factual review and consideration of the CLEDS recommendations. The Victoria Police response is provided at Appendix F. Results of Review Induction Training Induction training delivered to recruits and probationary constables, which includes information security awareness, is generally of a high quality, covers the required areas, is well retained by recruits, is well documented and regularly updated. A number of recommendations have been made for actions that would further improve the quality of the training delivered to recruits. First, the delivery of information security training must deal with all Victoria Police electronic systems and cover a broader range of law enforcement data, including information relating to the use of mobile and home computing devices such as radios, laptop computers and memory sticks. Second, a greater focus on examining recruits and probationary constables on their knowledge of information security is required, as is formal evaluation of the programs delivered. Third, greater clarity in what constitutes a breach of LEAP security is required, as is the need for a greater emphasis on the principle of privacy and respect for the personal data of others. That there is no standard induction package for public servant employees is a major cause for concern. However, a recently proposed plan for the Human Resources Department to develop an induction package for this group, in conjunction with the Airlie Leadership Development Centre, is a welcome development. 5

6 Finally there is a need for the coordination of LEAP training across Victoria Police, including the development of procedures to ensure access to the system is only provided to those who have completed appropriate training in its use. Ongoing Training Ongoing information security awareness training is delivered to employees in varying amounts and levels of sophistication in most areas of Victoria Police. While the training delivered with a number of the elements of Standard 7 and protocol 7.1, in some areas it appears not to be given a high priority. Particular issues that affect compliance are discussed below: that the Airlie Leadership Development Centre (ALDC) did not cover information security awareness in its programs at the time of the review, was a major concern given the stated role of the ALDC to significantly influence the cultural growth of Victoria Police through leadership development. ALDC has a responsibility to provide information security awareness training to senior staff and managers within Victoria Police who are responsible for driving the necessary cultural change regarding security of law enforcement data. the information security awareness training delivered is often a reinforcement of the basic skills and knowledge delivered in induction training. There is a need for an increasing level of complexity in the subject matter delivered as new technologies are introduced, staff move to more senior positions or are required to handle new and possibly more complex information security risks. there is a need to test participant knowledge of information security requirements and to conduct formal evaluations of courses delivered. there is a lack of coordination of the information security awareness material in courses across areas or Departments in the development and delivery of Leadership courses, particularly between the Education Department and the Airlie Leadership Development Centre. This contributes to a fragmented and piecemeal approach to the Victoria Police information security awareness effort. greater attention needs to be given to the requirement to provide sworn members with information security awareness training appropriate to the additional management responsibilities upon promotion to the rank of Sergeant and Inspector. the Sleepless Frights Information Security Awareness training package delivered by the Regional Training Officers appears to provide the most detailed information security training. However, its delivery is generally not formally evaluated and is skewed towards training sworn members. Numbers trained in some regions are also low. Use of the online version of the package is low and increased promotion of the package and of the online information security awareness posters and brochures produced by BITS is recommended. 6

7 The following proposed training programs, when fully implemented, should help Victoria Police to improve and increase the information security content of courses delivered and provide the training to a greater number of sworn members and public servant employees as they move towards promotion to higher ranks or more senior positions within the organisation: the Transition to Middle Management Program due to be launched by the ALDC in May 2008; the Transitional Training and Development Strategy for Sworn members who have been identified as suitable for promotion to sergeant and senior sergeant (Education Department); and new training for the LINK system (BITS). Other initiatives (planned or in progress) will help to resolve the current fragmented approach to information security awareness training. These include: a training needs analysis in progress of the courses delivered or overseen by the Education Department s School of Leadership and Management Development (Promotional Programs); a proposed project to review the curriculum and structure of all programs delivered by the Education Department to ensure internal consistency and appropriate progression from Recruit through to Post Foundational studies; and a proposed project that will examine the alignment of all areas within Victoria Police that develop or deliver education and training, including the Airlie Leadership Development Centre and the Education Department. Victoria Police Agreements with Approved Third Party Organisations 50% of Agreements between Victoria Police and Approved Third Parties (ATPs) did not meet the requirements of Standard 7 and Protocol 7.1. This is a cause for considerable concern. In half of these cases Agreements do not require users of Victoria Police law enforcement data to be provided with either induction or ongoing training in information awareness and in the remaining cases there is no Agreement at all. Of the remaining Agreements, only one is considered to be compliant. However, even in this case there is a lack of detail specified, with only a broad reference made to the requirement to comply with the directions of the Commissioner for Law Enforcement Data Security. The remaining Agreements (35%) partially comply in that they require information security awareness training to be undertaken prior to the user gaining access to the production law enforcement data bases but do not require ongoing training. Appendix E provides detail of Agreement status. It is understood that a recently revised model Memorandum of Understanding for Victoria Police to negotiate with Approved Third Parties in relation to LEAP addresses the requirement for all ATP users of the Victoria Police law enforcement data systems to undergo induction and ongoing training in law enforcement data security. However, the Agreements in relation to access to Interpose, ROCSID and TIS are not included in this revision. 7

8 Compliance with Standard 7 The table below provides an assessment of the extent to which Victoria Police with Standard 7 and Protocol 7.1. It should be noted that the ratings provided represent an assessment summarising the extent of compliance across all Victoria Police Departments. An assessment of Complies under the Induction and Ongoing training columns refers to the fact that where the training is delivered it is compliant. There are instances in both these areas where training is not delivered at all or where it is judged not to fully comply with the standard or protocol. This is reflected in the overall rating of Partial Compliance. Summary of Victoria Police Compliance with Standard 7 and Protocol 7.1 Level of Compliance Standard/Protocol Induction Training Ongoing Training ATP Agreements Standard 7 All Victoria police Employees, Contractors and Consultants must receive appropriate induction and ongoing information security awareness training as relevant for their job functions. Partially Partially Not applicable Standard 7 Victoria Police must ensure that Agreements with Approved Third Parties include the requirement for all law enforcement data users to receive appropriate induction and ongoing information security awareness training as relevant for their job functions. Protocol 7.1 The training addresses general responsibilities and basic information security procedures affecting all persons who use, or provide services in support of, law enforcement data. Not applicable Not applicable Partially Complies Complies Partially Protocol 7.1 The training provides awareness of the Victoria Police Information Security Policy for all existing and new users of Victoria police law enforcement data Complies Partially Partially Protocol 7.1 The training provides individual staff with documentation of, and training in, key operating procedures for security-related tasks relevant to their position and/or responsibilities. Complies Complies Partially Protocol 7.1 The training provides awareness of the Victoria Police auditing capability and its aims to proactively detect the misuse of law enforcement data. Complies Partially Partially Protocol 7.1 The training includes identification, reporting and response procedures for information security incidents. Complies Complies Partially 8

9 Level of Compliance Standard/Protocol Induction Training Ongoing Training ATP Agreements Protocol 7.1 The training is updated as the Victoria Police information security policies, standards, guidelines, procedures and system security plans are revised. Complies Partially Partially Protocol 7.1 Victoria Police sworn members must be provided with information security awareness training upon promotion to the rank of Sergeant and Inspector. Not applicable Partially Not applicable Evidence of Compliance: Information security awareness induction training is documented in course materials such as training manuals and/or training session plans and notes. Complies Partially Not applicable Recommendations Induction Training To achieve full compliance with CLEDS Standard 7 and Protocol 7.1, Victoria Police needs to strengthen the law enforcement data security awareness induction training provided to Victoria Police sworn members and introduce such training to all public servant employees, contractors and consultants. The following specific actions are recommended to achieve compliance. 1. Develop and implement a standard induction package for mandatory use across Victoria Police for public servant employees, consultants and contractors that covers information security. The induction package could include the requirement for inductees to complete the Sleepless Frights Information Security Awareness training package either delivered in a face-to-face session or to be completed online. 2. Amend the School of Local Policing current course content and delivery methods to ensure that: a. training in information security awareness includes security principles and practices for all Victoria Police electronic systems, not just LEAP, and that the focus of the training covers all relevant situations including for example, the use of mobile and home computing devices. Such training could incorporate the Sleepless Frights Information Security Awareness training package either face-to-face or to be completed online; b. recruits are fully aware of and clear about what constitutes a breach of law enforcement data; c. efforts are made to ensure that recruits are confident to use Victoria Police electronic systems, within the necessary constraints; and d. greater emphasis is given to the need to respect the privacy of personal data on the LEAP system. 9

10 Ongoing Training 3. Conduct formal evaluations of training sessions on information security awareness provided during recruit and probationary constable training and use the findings to modify and strengthen future training. 4. Include questions that test the information security knowledge of participants in examinations conducted during recruit and probationary constable training. 5. Develop a coordinated approach to the delivery of training in the use of LEAP and other Victoria Police law enforcement information systems, to ensure all employees, consultants and contractors receive appropriate training prior to gaining access to the information system production database. 6. The LEAP Management Unit must provide access to LEAP only to those who can demonstrate that they have undertaken training. Victoria Police needs to implement the following in order to strengthen the delivery of ongoing law enforcement data security awareness training provided to Victoria Police sworn members and public servant employees, contractors and consultants: 7. Develop and implement an integrated strategy for the delivery of ongoing training in information security awareness for all sworn members, public servant employees, contractors and consultants. 8. Deliver ongoing training in information security awareness that is progressively more complex following induction training. Such training is particularly relevant when new technologies are introduced, information security risks change or when a member undertakes a new role with a greater level of responsibility for the security of law enforcement data. 9. Incorporate training in information security awareness into all current professional development training programs as relevant. 10. The Airlie Leadership Development Centre develop a strategy for the inclusion of management and leadership responsibilities for information security awareness and the cultural change issues involved into its core programs where appropriate. 11. Raise awareness of how to access and the importance of accessing the Sleepless Frights Information Security Awareness training package across all areas of Victoria Police (both the online and hard copy versions) and ensure managers are aware of the posters and brochures available from BITS. 12. Deliver train-the-trainer sessions in the delivery of the Sleepless Frights Information Security Awareness package to all training units within Victoria Police. 13. Conduct formal evaluations of all information security awareness training delivered, on a regular basis. 14. Ensure that the reviews of Education Department curriculum content and structure and of the alignment of education and training courses across Victoria Police, include consideration of the information security training needs of the course participants consistent with the Standards for law enforcement data security. 15. Increase the amount and complexity of the information security awareness content of courses delivered by the School of Leadership and Management Development (Promotional Programs) at the Victoria Police Academy, so that members promoted 10

11 to the rank of Sergeant and Inspector understand the additional management responsibilities of the rank and are fully capable of dealing with complex situations and incidents that may arise regarding the security of law enforcement data. Agreements with Approved Third Party Organisations 16. That Agreements be negotiated with Queensland, South Australian and Western Australian Police, the Liquor Licensing Commission and VicRoads which include reference to the requirement to comply with Standard 7 and Protocol That Agreements between Victoria Police and the Australian Crime Commission, the Australian Customs Service, the Federal Police, NSW Police, Emergency Services Telecommunications Authority, Melbourne Custody Centre, the Office of Police Integrity, Sheriff s Office Victoria, the Traffic Camera Office, VicRoads, the Transport Accident Commission and the Victorian Workcover Authority that do not currently fully comply with Standard 7 and Protocol 7.1, are amended to achieve compliance. 18. That Victoria Police require the Department of Justice to ensure that the Agreements between Corrections Victoria and Port Phillip Prison and the Fulham Correctional Centre are amended to ensure the Department of Justice can comply with Standard 7 and Protocol That CMRD conduct an audit of Agreements between Victoria Police and Approved Third Party organisations after a period of twelve months from this Review to determine whether all Agreements have become compliant with Standard 7 and protocol

12 1 Introduction Among the key functions of the Commissioner for Law Enforcement Data Security (CLEDS), outlined in the Commissioner for Law Enforcement Data Security Act 2005 (the Act), is the conduct of monitoring activities, including audits, to monitor Victoria Police compliance with the standards and protocols established by the Commissioner and to refer the findings of these activities to an appropriate person or body for further action. Standards and Protocols for access to, and release of, law enforcement data were promulgated by the Commissioner in February These Standards and Protocols were incorporated into the Standards for Victoria Police Law Enforcement Data Security in July Standard 7 of these Standards states that: All Victoria Police Employees, Contractors and Consultants must receive appropriate induction and ongoing information security awareness training as relevant for their job functions. Victoria Police must ensure that Agreements with Approved Third Parties include the requirement for all law enforcement data users to receive appropriate induction and ongoing information security awareness training as relevant for their job functions. Protocol 7.1 states: Victoria Police must ensure that information security awareness training is provided for all Victoria Police employees who use or provide services in support of law enforcement data. Victoria Police must require that any Approved Third Parties provide all training necessary to safeguard the security of law enforcement data that is accessed, managed, developed or implemented by them to all relevant staff. The Information Security Awareness Training must: a. provide awareness of the Victoria Police Information Security Policy for all existing and new users of Victoria Police law enforcement data; b. address general responsibilities and basic information security procedures affecting all persons who use, or provide services in support of, law enforcement data; c. provide individual staff with documentation of, and training in, key operating procedures for security-related tasks relevant to their position and/or responsibilities; d. provide awareness of the Victoria Police auditing capability and its aims to proactively detect the misuse of law enforcement data; e. include identification, reporting and response procedures for information security incidents; and f. be updated as the Victoria Police Information Security policies, standards, guidelines, procedures and System Security Plans are revised. Victoria Police sworn members must be provided with information security awareness training as part of their recruit training and upon promotion to the rank of Sergeant and Inspector. 12

13 1.1 Objective of Review To conduct a review of: the information security awareness education and training provided to Victoria Police staff (Sworn members and public servant employees); and the training requirements placed on external agencies and organisations who have access to law enforcement data, by Victoria Police, in order to determine the extent to which Victoria Police is currently meeting the requirements set in Standard 7 and protocol 7.1 in the Standards for Victoria Police Law Enforcement Data Security Scope of Review The review examined the extent to which the following meet the CLEDS standards: information security awareness education and training provided to Victoria Police sworn members and public servant employees at recruitment and during ongoing employment; and information security awareness training requirements documented in Agreements between Victoria Police and external agencies and organisations who have access to law enforcement data. Education and training services are delivered to sworn Victoria Police members and public servant employees by a number of Departments or areas within Victoria Police. The areas holding major responsibility for training and education services, which were therefore the focus of this review are the: Education Department; Airlie Leadership Development Centre (ALDC); Business Information Technology Services (BITS); Ethical Standards Department; and Regional Training Officers. 1.3 Review Methodology Notification of the Review The Chief Commissioner of Police was informed in writing of the intention for the review to be conducted on 13 September Meetings and interviews Meetings or interviews were held with relevant education and training staff to discuss their role in, or contribution to, the provision of information security awareness training or knowledge in Victoria Police. Areas included Education Department staff located at the Victoria Police Academy and the Victoria Police Centre, the Airlie Leadership Development Centre, Business Information Technology Services, the Ethical Standards Department and the LEAP Management Unit. A full list of people consulted for the Review is provided at Appendix D. 13

14 1.3.3 Observation of a Recruit LEAP Training day at the School of Local Policing at the Victoria Police Academy Two CLEDS staff members observed a one day LEAP training session delivered at the School of Local Policing during Week 6 of Recruit Phase One training, to evaluate the delivery of information security awareness training to Recruits during this training Survey of recently graduated recruits to Victoria Police A survey was sent by and post to 786 Victoria Police sworn members who completed recruit training between 12 and 36 months from the date of the Review, to seek their feedback on the information security awareness training provided to them, including: when the training was provided; how it was provided; the content of what was provided; retention of material; the impact of the training on their behaviour regarding the use and handling of law enforcement data; and ideas they may have for improvements to the training provided Survey of Regional Training Officers (RTO) A survey was sent to all current RTOs to obtain information about the amount and type of training in information security awareness they have provided to Victoria Police Sworn members and public servant employees in their Divisions/Regions over the past 18 months. Details were also requested of any feedback received through evaluation of the training conducted Review of Agreements between Victoria Police and Approved Third Parties 1 A review was undertaken to determine whether existing Agreements between Victoria Police and Approved Third Parties included the requirement for these parties to deliver education and training in law enforcement data security to staff who have access to Victoria Police law enforcement data Consultation on the Final Report The Chief Commissioner of Police was provided with a draft version of the report for information, factual review and consideration of the CLEDS recommendations. The Victoria Police response is provided at Appendix F. 1 An Approved Third Party is an organisation or individual external to Victoria Police that has been granted direct access to Victoria Police law enforcement data repositories. 14

15 2 Information Security Awareness Training in Victoria Police A summary of information security awareness training currently delivered by those areas within Victoria Police with a major training responsibility is given in this section. Reference is also made to information security awareness training proposed for the future. Appendix A provides a more detailed account of the information security awareness training provided. Section 2.0 should therefore be read with reference to Appendix A. 2.1 Induction Training CLEDS Expectations Standard 7 of the Victoria Police Standards for Law Enforcement Data Security requires that all Victoria Police employees, contractors and consultants receive appropriate induction information security awareness training as relevant for their job functions. It is expected that: 1. Information security awareness training is provided to Victoria Police Sworn members during their Recruit and Probationary Constable Training Phases. 2. Information security awareness training is provided to public servant employees of Victoria Police at commencement of their employment. 3. The training: a. addresses general responsibilities and basic information security procedures affecting all persons who use, or provide services in support of, law enforcement data; b. provides individual staff with documentation of, and training in, key operating procedures for security-related tasks relevant to their position and/or responsibilities; c. provides awareness of the Victoria Police auditing capability and its aims to proactively detect the misuse of law enforcement data; d. includes identification, reporting and response procedures for information security incidents; and e. is updated as the Victoria Police information security policies, standards, guidelines, procedures and system security plans are revised. 4. Information security awareness induction training is documented in course materials such as training manuals and/or training session plans and notes Education Department School of Local Policing: Recruit and Probationary Constable Training Information security awareness is initially raised with Victoria Police recruits during their third week of recruit training through discussions about the use of and the internet. Recruits are directed to, or provided with copies of relevant sections of the Victoria Police Manual for further information. Training in the use of the Law Enforcement Assistance Program (LEAP) is delivered in week 6 and revised in weeks 14 and

16 The Ethical Standards Department (ESD) of Victoria Police delivers three sessions during Recruit Phase. The second and third of these sessions include the (mis)use of law enforcement data, including the inappropriate use of the internet and browsing facilities, confidential information and access and release of such information. During Probationary Constable training ESD provides another session which includes an overview of ESD and a facilitated discussion based on scenarios including LEAP and information security matters. Training in the use of the Traffic Incident System (TIS) is delivered during recruit training by the TIS Training Unit. The focus of the session is on the use of TIS. Information security is briefly included with reference made to the warning message on the Victoria Police network logon page, reminding users about issues of inappropriate disclosure and the principle that law enforcement data is for business use only Information Security Awareness Induction Training for Victoria Police Public Servants, Consultants and Contractors A number of Departments within Victoria Police have developed their own internal induction processes and manuals. 2 There is, however, no standard induction training process or program for delivery across Victoria Police. In October 2007 the Victoria Police Human Resources Department (HRD) submitted a proposal to the Human Resources Board of Management for the development of a standard Victoria Police Induction Manual. The proposal did not specify the proposed content of the manual nor any information security awareness content. This was to be included in a scoping paper to be developed following approval. Following the announcement in February 2008 by the Airlie Leadership Development Centre of a half day high level orientation for new Victoria Police public service employees, which is intended to complement local workplace induction packages, the HRD is preparing an updated orientation program project brief which will focus on partnering with ALDC on both the induction package and orientation sessions. The brief will be resubmitted to the HRD Board for approval. It has been acknowledged by HRD staff responsible for this project that information security awareness must be included in the package and training Training in the use of LEAP The Education Department s Training Consultancy Unit (TCU) delivers training in the use of the Law Enforcement Assistance Program (LEAP) to a small number of mainly public servant employees who require access to LEAP and who request such training. Thirty-one public servant employees and 3 sworn members attended the LEAP training course delivered by TCU between January and October However, there is no system to ensure that all new LEAP users have received the training. The training is based on the manual Introduction to LEAP developed by the LEAP Management Unit. Information security is raised in the manual and reinforced verbally during the course in relation to issues, including password confidentiality, good practice regarding password selection, requirement to change password regularly, LEAP audit, the need to log off computer when unattended, document security and issues of access and release. 2 See Appendix A Section for a description of BITS Induction Training. 16

17 2.1.5 Observations and Analysis Observation of Recruit LEAP training session As well as providing recruits with training on how to use LEAP, the session included some practical information and discussion about information security including: what is and is not appropriate use of LEAP; operational security issues including password security, locking computers while the user is absent, never writing daily codes on station whiteboards and printer security; that all access to LEAP is logged and is subject to random audits; that LEAP is the best work tool a member has but that it must only be used for genuine operational police work; that they should not be afraid to use LEAP; if they use it properly, there will be no problem. If they are unsure about use for a specific purpose, they should ask a superior; processes to be followed to report and respond to suspected incidents of misuse of the system; the concept of conflict of interest; and the requirement to always complete the Reason for Access field. When presenting recruits with an Accessing of Information Statement of Responsibility and Acknowledgement form for their signature for access to the LEAP production database the Senior Sergeant in Charge explained that: it was a privilege for them to have access to the personal data of others, a privilege that other citizens do not have and that recruits should behave accordingly; and LEAP security breaches are considered serious breaches of police ethics and that disciplinary measures reflect the seriousness of such breaches. Reference was made to the office and the role of the Commissioner for Law Enforcement Data Security, including the requirement for Victoria Police Sworn members and public servant employees to adhere to the Standards and Protocols for access to, and release of, law enforcement data Survey of recently graduated Sworn members: Key Findings The survey was sent by and post to 786 Victoria Police sworn members who completed recruit training between 12 and 36 months from the date of the Review. 165 of 786 surveys (21%) were returned and included in the analysis below. Further detail of the survey results is found in Appendix B. a. Training delivery 88% of respondents indicated that the information on law enforcement data security was provided in a way that was easily understood. 84% of respondents indicated that the training was of sufficient depth and detail and was clear. 3 The Standards and protocols for access to, and release of, law enforcement data were incorporated into the Standards for Victoria Police law enforcement data security, promulgated by CLEDS in July

18 26 respondents (16%) indicated that the training was not sufficient. Reasons given included that there were not enough sessions; that more practical sessions would have been useful; the issue of what constitutes a breach of LEAP security was not clearly defined. Seven respondents (4%) reported a fear of using LEAP, in some instances stating that the issue of misuse had been overemphasised, leading to such fear. b. Implementation of training learnings 36% of respondents indicated that information security training provided during Recruit training had been very helpful in their subsequent role as a Sworn member; 55% said it had been helpful sometimes and 6% said it was not helpful at all, commenting that it was too vague and ambitious ; need to get a better idea of what misuse is ; too much emphasis on security has members not wanting to use LEAP as much. 87% said it had not been difficult at all since graduation to adhere to the principles of information security training taught during Recruit training; 9% said it has been a little difficult and 2% said it was fairly difficult. The only comment made by those who said it was fairly difficult was that there is pressure from other members and more senior officers to not log off each time the respondent left the shared computer and that the user was encouraged to trust others with the user s personal password. 90% of respondents found the practices in relation to information security provided during Recruit training to be consistent with actual practices once in the workforce. c. Training Impact The following two questions were asked to determine the impact the training had on recruits in their subsequent role as a Victoria Police Sworn member. Question 1: Why do you think Information Security is important in your role as a sworn member of Victoria Police? Responses: 135 (82%) of the 165 respondents provided one or more responses to this question. 59% of those who responded provided reasons relating to privacy laws and the need to observe confidentiality surrounding personal or sensitive data. 18% of responses related to the need to maintain community trust and confidence in Victoria Police. Other responses included the importance of using the data for business needs only (10%); that breaching data security may endanger police or the public (9%) or jeopardise Police investigations (5%). 5% responded that it was important in order to retain their employment in Victoria Police or to avoid disciplinary action. 18% of survey respondents did not provide a response to this question. Question 2: What do you remember as the most important lesson/s about information security? Responses: 141 (85%) survey respondents provided one or more answers to this question. 18

19 29% of those who provided a response stated that the most important lesson was that law enforcement data was to be used for business need only, and was not for their personal use. 26% referred to the consequences of misuse or breaching law enforcement data. 17% recalled the message not to misuse the system or give out data inappropriately. Other responses included the need to adhere to the Privacy Laws (7%); the need to document the Reason for Access (6%); and the need to maintain ethical behaviour in relation to the use of law enforcement data systems (5%). 15% of the 165 survey respondents did not provide a response to this question. d. Ideas for improvement to information security training Suggestions made to improve induction training were: the need for more expansive and detailed information and for more sessions on information security and LEAP generally, with more time to practice LEAP navigation; clearer guidelines on what constitutes a security breach with discussion of more real life examples; and that there was too much emphasis on the consequences of misuse. Others commented that recruits are made well aware of information security during their training Other Observations of Recruit and Probationary Constable Training Other observations and findings by the Reviewer are: testing of recruit s knowledge of information security awareness is not included in examinations held during Recruit or Probationary Constable training; no formal evaluation is conducted of Recruit training generally or on information security awareness training specifically. An informal process exists whereby School of Local Policing Reference Groups consisting of operational members may raise issues about the performance of new recruits in the workplace, that may be addressed by strengthening or changing the training content or practices; the course content for Recruit training including information security is continuously updated based on the implementation of new policies, systems and practices and on feedback provided by the School of Local Policing Reference Groups; the content of the ESD training sessions is updated as required. For example, when new issues are raised by participants during training sessions or based on specific complaints made to ESD regarding the behaviour of Victoria Police members when on duty; evaluation of the Probationary Constable Training course is conducted via the collection of course feedback/evaluation sheets at the end of each week of training. While the evaluation does not seek feedback specifically about the sessions delivered by ESD during this Phase, 96% of respondents were satisfied or very satisfied with the quality of external presenters. The question does not seek feedback on the quality of the session content. A small number of participants in each course provided some written comments on the ESD sessions but were too few to be considered a representative sample; 19

20 participants in the ESD Ethics training session regularly raised their fear of using the LEAP system; and the Information Security Awareness Sleepless Frights training package 4 is currently not used at the Police Academy for Recruit training Training in the use of LEAP The LEAP training manual, used by the Training Consultancy Unit in the provision of LEAP training, states that on completion of the training participants will be familiar with their information security responsibilities. However, there is no formal testing of participant s knowledge following the training upon which to base a judgement of whether this has been accomplished. There is no central coordination across Victoria Police of training in the use of the LEAP system. The 34 members to whom TCU provided LEAP training between January and October 2007 represents only 21% of the 161 new LEAP accounts established by the LEAP Management Unit over the same period for Victoria Police public service employees, contractors and consultants. 5 The LEAP Management Unit indicated that LEAP training is provided for new employees requiring LEAP access on an informal basis by a number of areas within Victoria Police. There is no central list of these areas and the training is usually provided informally by staff members who had previously been trained in the use of LEAP. Victoria Police staff responsible for the development of training for users of the LINK system, which is being developed to replace LEAP, indicate that while details are not final, the training will be role-based and will aim to address cultural change through information security awareness training Discussion and Conclusions Based on the observation of the recruit LEAP training day, the findings of the survey of recently graduated sworn members, review of the recruit training manual and interviews and discussions with key staff, information security awareness training delivered during Recruit and Probationary Constable training is generally well covered and of a high quality. Information security training is understood by recruits and well retained. A number of matters were noted however, that reduce the completeness and quality of the Victoria Police information security training effort. These include: a. The absence of a standard Victoria Police induction program for public servant employees is a major gap in ensuring information security awareness of all employees. The proposed development of a full orientation package developed collaboratively by the Human Resources Department and the Airlie Leadership Development Centre is a welcome step forward. b. Information security awareness training is delivered to recruits and probationary constables either as part of a session on the use of internal and external systems and the internet, or as part the LEAP training sessions. There is a need to broaden the focus of this training by teaching information security principles and practices for all Victoria Police electronic systems and data, not just LEAP. The training also needs to 4 See Appendix A for a description of the Sleepless Frights Information Security Awareness training package. 5 These figures do not include new LEAP accounts created for new Sworn members as they graduate from the Victoria Police Academy. 20

Independent Auditors Report to the Commissioner for Law Enforcement Data Security -

Independent Auditors Report to the Commissioner for Law Enforcement Data Security - Commissioner for Law Enforcement Data Security Audit of Victoria Police Compliance with CLEDS standards on Access Control and Release June 2008 Reference: Version: FY07/08 Final Date of review: April -

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Information Governance Strategic

More information

HIGH LEVEL COMPLIANCE REVIEW SECURITY CLASSIFIED LAW ENFORCEMENT DATA

HIGH LEVEL COMPLIANCE REVIEW SECURITY CLASSIFIED LAW ENFORCEMENT DATA HIGH LEVEL COMPLIANCE REVIEW SECURITY CLASSIFIED LAW ENFORCEMENT DATA Standards for Victoria Police Law Enforcement Data Security (Standards 27, 28, 29 & 30) November 2008 Commissioner for Law Enforcement

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

DATA PROTECTION AND DATA STORAGE POLICY

DATA PROTECTION AND DATA STORAGE POLICY DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether

More information

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection Crime Statistics Data Security Standards Office of the Commissioner for Privacy and Data Protection 2015 Document details Security Classification Dissemination Limiting Marker Dissemination Instructions

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information: Information and Privacy Commissioner of Ontario Report of the Information & Privacy Commissioner/Ontario Review of the Canadian Institute for Health Information: A Prescribed Entity under the Personal

More information

LGRF. Procurement Probity Plan. July 2012

LGRF. Procurement Probity Plan. July 2012 LGRF July 2012 When to develop a : A probity plan is best used for any procurement of medium complexity and size and above. A probity plan can be implemented without use of a probity advisor/auditor. Description

More information

Berwick Academy Policy on E Safety

Berwick Academy Policy on E Safety Berwick Academy Policy on E Safety Overview The purpose of this document is to describe the rules and guidance associated with E Safety and the procedures to be followed in the event of an E Safety incident

More information

Government Owned Corporations. Corporate Governance Guidelines for Government Owned Corporations

Government Owned Corporations. Corporate Governance Guidelines for Government Owned Corporations Government Owned Corporations Corporate Governance Guidelines for Government Owned Corporations Version 2.0 The State of Queensland (Queensland Treasury) The Queensland Government supports and encourages

More information

Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES. First Edition July 2005. Hong Kong

Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES. First Edition July 2005. Hong Kong Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES First Edition July 2005 Hong Kong Contents Glossary...2 Introduction to Standards...4 Interpretation Section...6

More information

16 Electronic health information management systems

16 Electronic health information management systems 16 Electronic health information management systems Section 16: Electronic information management systems The continued expansion and growth in global technologies is aiding the development of many new

More information

CIHI Submission: 2011 Prescribed Entity Review

CIHI Submission: 2011 Prescribed Entity Review pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health

More information

HIGH LEVEL COMPLIANCE REVIEW ELECTRONIC DATA STORAGE DEVICES

HIGH LEVEL COMPLIANCE REVIEW ELECTRONIC DATA STORAGE DEVICES HIGH LEVEL COMPLIANCE REVIEW ELECTRONIC DATA STORAGE DEVICES Standards for Victoria Police Law Enforcement Data Security (Standard 22) November 2008 Commissioner for Law Enforcement Data Security Acknowledgement

More information

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY OBJECTIVE To provide users with guidelines for the use of information technology resources provided by Council. SCOPE This policy

More information

Customer Feedback Management Policy

Customer Feedback Management Policy Customer Feedback Management Policy Version 2.0 Table of Contents 1 Document Control... 3 1.1 Document Information... 3 1.2 Document History... 3 1.3 Scheduled amendments... 3 1.4 Document Approvals...

More information

PRIVATE HEALTH INSURANCE INTERMEDIARIES PRACTICE CODES JUNE 2015 VERSION 2

PRIVATE HEALTH INSURANCE INTERMEDIARIES PRACTICE CODES JUNE 2015 VERSION 2 PRIVATE HEALTH INSURANCE INTERMEDIARIES PRACTICE CODES JUNE 2015 VERSION 2 CONTENTS PART A - Pages 3-4 INTRODUCTION 1. ACCEPTANCE OF CODES 2. CODE COMPLIANCE 2.1 CODE COMPLIANCE COMMITTEE 3. REVIEW AND

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Director of Human Resources

Director of Human Resources POSITION DESCRIPTON POSITION: Director of Human Resources STATUS: Contract 5 Years, commencing January 2014 TIME: LOCATION: VISION / CONTEXT: Part-time (0.8FTE averaged over the full year). Either full-time

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

2014 Whistleblower Policy. Calibre Group Limited ABN 44 100 255 623. Version 1.5

2014 Whistleblower Policy. Calibre Group Limited ABN 44 100 255 623. Version 1.5 Version 1.5 Calibre Group Limited ABN 44 100 255 623 REVISION DATE AUTHOR APPROVED BY SIGNATURE 0 07-08-2014 M Silbert Chief Legal Counsel RELATED DOCUMENTS CHG-POL-CPL-05 Calibre Group Code of Conduct

More information

PS 172 Protective Monitoring Policy

PS 172 Protective Monitoring Policy PS 172 Protective Monitoring Policy January 2014 Version 2.0 Statement of legislative compliance This document has been drafted to comply with the general and specific duties in the Equality Act 2010;

More information

A guide to building workplace integrity. Indicators and practice

A guide to building workplace integrity. Indicators and practice A guide to building workplace integrity Indicators and practice The Prevention and Education Unit of the Office of Police Integrity has produced this publication. Other types of publications available

More information

We then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective.

We then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective. Good Practice Audit outcomes analysis Police Forces April 2013 to April 2014 This report is based on the final audit reports the ICO completed in the Criminal Justice sector, specifically of Police forces,

More information

SAFETY and HEALTH MANAGEMENT STANDARDS

SAFETY and HEALTH MANAGEMENT STANDARDS SAFETY and HEALTH STANDARDS The Verve Energy Occupational Safety and Health Management Standards have been designed to: Meet the Recognised Industry Practices & Standards and AS/NZS 4801 Table of Contents

More information

Standard 1. Governance for Safety and Quality in Health Service Organisations. Safety and Quality Improvement Guide

Standard 1. Governance for Safety and Quality in Health Service Organisations. Safety and Quality Improvement Guide Standard 1 Governance for Safety and Quality in Health Service Organisations Safety and Quality Improvement Guide 1 1 1October 1 2012 ISBN: Print: 978-1-921983-27-6 Electronic: 978-1-921983-28-3 Suggested

More information

Audit and Performance Committee Report

Audit and Performance Committee Report Audit and Performance Committee Report Date: 3 February 2016 Classification: Title: Wards Affected: Financial Summary: Report of: Author: General Release Maintaining High Ethical Standards at the City

More information

Guide to the National Safety and Quality Health Service Standards for health service organisation boards

Guide to the National Safety and Quality Health Service Standards for health service organisation boards Guide to the National Safety and Quality Health Service Standards for health service organisation boards April 2015 ISBN Print: 978-1-925224-10-8 Electronic: 978-1-925224-11-5 Suggested citation: Australian

More information

Policy Number: 054 Work Health and Safety July 2015

Policy Number: 054 Work Health and Safety July 2015 Policy Number: 054 Work Health and Safety July 2015 TRIM Ref: TD14/318 Policy Details 1. Owner Manager, Business Operations 2. Compliance is required by Staff, contractors and volunteers 3. Approved by

More information

Victorian Training Guarantee Compliance Framework

Victorian Training Guarantee Compliance Framework Victorian Training Guarantee Compliance Framework Published by the Communications Division for Higher Education and Skills Group Department of Education and Early Childhood Development Melbourne October

More information

Internal Audit Charter. June 2016

Internal Audit Charter. June 2016 Internal Audit Charter June 2016 1 Introduction 1.1 The Internal Audit Charter is a formal document that defines Internal Audit s purpose, authority and responsibility. The charter establishes Internal

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

CareNZ Job Description GENERAL MANAGER HUMAN RESOURCES

CareNZ Job Description GENERAL MANAGER HUMAN RESOURCES CareNZ Job Description GENERAL MANAGER HUMAN RESOURCES Responsible to: Responsible for: Chief Executive HR and Payroll Administrator HR Interns and Volunteers Dimensions Location of work Other information

More information

HIPAA Privacy Rule Policies

HIPAA Privacy Rule Policies DRAFT - Policies and Procedures PRIVACY OFFICE ASSIGNMENT AND RESPONSIBILITIES APPROVED BY: SUPERCEDES POLICY: Policy #1 ADOPTED: REVISED: REVIEWED: Purpose This policy is designed to assure the establishment

More information

Lawlink NSW: Guide to the Workplace Video Surveillance Act

Lawlink NSW: Guide to the Workplace Video Surveillance Act Guide to the Workplace Video Surveillance Act A Guide to the Workplace Video Surveillance Act 1998 (NSW) Privacy NSW February 2002 CONTENTS The Workplace Video Surveillance Act 1998 Coverage of the Act

More information

1.1 Terms of Reference Y P N Comments/Areas for Improvement

1.1 Terms of Reference Y P N Comments/Areas for Improvement 1 Scope of Internal Audit 1.1 Terms of Reference Y P N Comments/Areas for Improvement 1.1.1 Do Terms of Reference: a) Establish the responsibilities and objectives of IA? b) Establish the organisational

More information

Remote Access Policy

Remote Access Policy BASINGSTOKE AND NORTH HAMPSHIRE NHS FOUNDATION TRUST Remote Access Policy Summary This is a new document which sets out the policy for remote access to the Trust s network and systems. Remote access is

More information

We are the regulator: Our job is to check whether hospitals, care homes and care services are meeting essential standards.

We are the regulator: Our job is to check whether hospitals, care homes and care services are meeting essential standards. Inspection Report We are the regulator: Our job is to check whether hospitals, care homes and care services are meeting essential standards. Bury DCA United Response, City View Business Centre, 9 Long

More information

Information for applicants. Working life. Benefits and conditions. 1. Flexibility. 2. Equal employment opportunity (EEO) employer

Information for applicants. Working life. Benefits and conditions. 1. Flexibility. 2. Equal employment opportunity (EEO) employer Information for applicants This guide is provided to assist you in applying for a job with the Department of National Parks, Sport and Racing and to provide you with information on our benefits and conditions.

More information

INVESTIGATION OFFICER POSITION DESCRIPTION

INVESTIGATION OFFICER POSITION DESCRIPTION DEPARTMENT/UNIT Department: Technical Operations INVESTIGATION OFFICER POSITION DESCRIPTION Unit: Development Position Number: 225001 REMUNERATION Classification: Band 5 of Golden Plains Shire Council

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

JOB AND PERSON SPECIFICATION

JOB AND PERSON SPECIFICATION JOB AND PERSON SPECIFICATION Title Position: Clinical Nurse Agency: Country Health SA Supervisor Classification Code: RN3 Division: Aboriginal Health Type of Appointment: Branch: Ceduna Koonibba Aboriginal

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

Compliance and Enforcement Policy. November 2013

Compliance and Enforcement Policy. November 2013 Compliance and Enforcement Policy November 2013 Contents 1. Context... 3 2. VBA compliance and enforcement public value... 3 2.1 Purpose...3 2.2 Outcome...3 2.3 Authority...3 2.4 Capability...3 2.4.1 Building...

More information

FACS Community Complaints Guidelines for Ageing and Disability Direct Services

FACS Community Complaints Guidelines for Ageing and Disability Direct Services FACS Community Complaints Guidelines for Ageing and Disability Direct Services Summary: This is designed to guide FACS staff when handling community complaints and is an extension of the FACS Community

More information

VIDEO SURVEILLANCE GUIDELINES

VIDEO SURVEILLANCE GUIDELINES VIDEO SURVEILLANCE GUIDELINES Introduction Surveillance of public spaces has increased rapidly over recent years. This growth is largely attributed to the significant advances in surveillance technology

More information

APES 320 Quality Control for Firms

APES 320 Quality Control for Firms APES 320 Quality Control for Firms APES 320 Quality Control for Firms is based on International Standard on Quality Control (ISQC 1) (as published in the Handbook of International Auditing, Assurance,

More information

Essex County Council Policy for Information Management and Security

Essex County Council Policy for Information Management and Security Essex County Council Policy for Information Management and Security Title Author/Owner Status Essex County Council Policy for Information Management and Security Information Management IS Final Version

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy Summary This policy outlines the organisation s approach to the management of Information Governance and information handling. It explains the accountability and reporting

More information

Case Recording Practice Adults Services

Case Recording Practice Adults Services Case Recording Practice Adults Services Guidance on case recording practice and on document management Version: 3.3 Effective from: 1 st October 2014 Next review date: 1 st Nov 2015 Signed off by: Jenny

More information

POSTAL REGULATORY COMMISSION

POSTAL REGULATORY COMMISSION POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1

More information

Human Services Quality Framework. User Guide

Human Services Quality Framework. User Guide Human Services Quality Framework User Guide Purpose The purpose of the user guide is to assist in interpreting and applying the Human Services Quality Standards and associated indicators across all service

More information

Protective security governance guidelines

Protective security governance guidelines Protective security governance guidelines Security awareness training Version 1.0 Approved September 2010 Contents Introduction... 1 Who gets of security awareness training/briefings?... 2 Security awareness

More information

PRIVACY BREACH POLICY

PRIVACY BREACH POLICY Approved By Last Reviewed Responsible Role Responsible Department Executive Management Team March 20, 2014 (next review to be done within two years) Chief Privacy Officer Quality & Customer Service SECTION

More information

RTO Delegations Guidelines

RTO Delegations Guidelines RTO Delegations Guidelines ISBN 0 7594 0389 9 Victorian Qualifications Authority 2004 Published by the Victorian Qualifications Authority This publication is copyright. Apart from any use permitted under

More information

Security Awareness and Training

Security Awareness and Training T h e A u d i t o r - G e n e r a l Audit Report No.25 2009 10 Performance Audit A u s t r a l i a n N a t i o n a l A u d i t O f f i c e Commonwealth of Australia 2010 ISSN 1036 7632 ISBN 0 642 81115

More information

Procurement Capability Standards

Procurement Capability Standards IPAA PROFESSIONAL CAPABILITIES PROJECT Procurement Capability Standards Definition Professional Role Procurement is the process of acquiring goods and/or services. It can include: identifying a procurement

More information

JOB DESCRIPTION. Information Governance Manager

JOB DESCRIPTION. Information Governance Manager JOB DESCRIPTION POST TITLE: Information Governance Manager DIRECTORATE: ACCOUNTABLE TO: BAND: LOCATION: CSS Head of Information Governance 8a CSS Job Purpose The Information Governance Manager will ensure

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

In the latter half of 2011, AIB assisted ACIF to develop a Work Health and Safety (WHS policy), and this is listed in Appendix 1.

In the latter half of 2011, AIB assisted ACIF to develop a Work Health and Safety (WHS policy), and this is listed in Appendix 1. Australian Institute of Building Submission to the Draft Australian Work Health and Safety Strategy 2012 2022: Healthy, Safe and Productive Working Lives Introduction The Australian Institute of Building

More information

Queensland Taxi Security Camera Program Changes

Queensland Taxi Security Camera Program Changes Queensland Taxi Security Camera Program Changes Frequently Asked Questions GENERAL INFORMATION 1. What is the taxi security camera program? It is a program administered by the Department of Transport and

More information

Information Management Advice 50 Developing a Records Management policy

Information Management Advice 50 Developing a Records Management policy Information Management Advice 50 Developing a Records Management policy Introduction This advice explains how to develop and implement a Records Management policy. Policy is central to the development

More information

Case study 1. Security operations. Step 1: Identify core skills required for work. Step 2: Identify learner s core skill levels

Case study 1. Security operations. Step 1: Identify core skills required for work. Step 2: Identify learner s core skill levels Model for LLN skills analysis Case study 1 Joe Smith (fictitious character) is about to commence training as a security guard in the CPP20207 Certificate II in Security Operations qualification. He is

More information

Position Description

Position Description Position Description Position Title Human Resources Officer Position No 5023 Directorate Department Unit Appointment Type Chief Executive Officer Organisational Development Human Resources Permanent Full

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

More information

Chief Information Officer

Chief Information Officer Security manager Job description Job title Security manager Location Wellington Group Organisation Development Business unit / team IT Solutions Grade and salary range Pay Group 1, Pay Band 6 Reports to

More information

Client complaint management policy

Client complaint management policy Client complaint management policy 1. Policy purpose This policy implements section 219A of the Public Service Act 2008 in the Department of Justice and Attorney-General (DJAG). Under this section, Queensland

More information

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé NHS HDL (2006)41 abcdefghijklm = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé Dear Colleague NHSSCOTLAND INFORMATION SECURITY POLICY Summary 1. NHSScotland IT Security Policy was

More information

Procedure for Managing a Privacy Breach

Procedure for Managing a Privacy Breach Procedure for Managing a Privacy Breach (From the Privacy Policy and Procedures available at: http://www.mun.ca/policy/site/view/index.php?privacy ) A privacy breach occurs when there is unauthorized access

More information

POSITION DESCRIPTION, PERFORMANCE MEASURES AND TARGETS

POSITION DESCRIPTION, PERFORMANCE MEASURES AND TARGETS POSITION DESCRIPTION, PERFORMANCE MEASURES AND TARGETS Attachment 1 Position Title: Programs & Client Relations Manager Responsible to: Chief Executive Officer Responsibility: Programs Management and Client

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Reporting of Suspected or Actual Child Abuse and Neglect

Reporting of Suspected or Actual Child Abuse and Neglect Reporting of Suspected or Actual Child Abuse and Neglect Protocol between the Ministry of Education, the New Zealand School Trustees Association and Child, Youth and Family 2009 Introduction The Ministry

More information

Information Governance Framework. June 2015

Information Governance Framework. June 2015 Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

More information

Exit Questionnaire and Exit Interview Procedure

Exit Questionnaire and Exit Interview Procedure Exit Questionnaire and Exit Interview Procedure Procedure Reference Number: 2009.51 Approved: Name Date Author: Susan Poole 12/02/13 HR Advisor, Policy and Development Produced: 12/02/13 Review due: 3

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY MILNBANK HOUSING ASSOCIATION DATA PROTECTION POLICY LS/NOV.2011/REF.P14 1) INTRODUCTION Milnbank Housing Association recognises that the Data Protection Act 1998 is an important piece of legislation to

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

TABLE OF CONTENTS. University of Northern Colorado

TABLE OF CONTENTS. University of Northern Colorado TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

The organisation responsibilities of this position are outlined in the General Conditions of Employment (attached to this position description).

The organisation responsibilities of this position are outlined in the General Conditions of Employment (attached to this position description). HOLIDAY PARKS TRAINEE POSITION DESCRIPTION POSITION NO: 20141170 DIRECTORATE: BRANCH: UNIT: STATUS: CLASSIFICATION: OCCUPANT: LOCATION: City Growth Tourism Services Holiday Parks Temporary Full Time Trainee

More information

Performance Management Policy

Performance Management Policy FAPS Policies: Performance Management Policy Performance Management Policy National Quality Standard for Early Childhood Education and Care and School Age Care Quality Area 4 Staffing Arrangements Standard

More information

Guideline. Records Management Strategy. Public Record Office Victoria PROS 10/10 Strategic Management. Version Number: 1.0. Issue Date: 19/07/2010

Guideline. Records Management Strategy. Public Record Office Victoria PROS 10/10 Strategic Management. Version Number: 1.0. Issue Date: 19/07/2010 Public Record Office Victoria PROS 10/10 Strategic Management Guideline 5 Records Management Strategy Version Number: 1.0 Issue Date: 19/07/2010 Expiry Date: 19/07/2015 State of Victoria 2010 Version 1.0

More information

Complaints Management Policy

Complaints Management Policy Complaints Management Policy Effective date This policy will take effect from 15 March 2012. This document has an information security classification of PUBLIC. The State of Queensland (Department of Transport

More information

Contents. Before you begin. How to work through this learner guide Assessment. Introduction: Developing and managing performance management processes

Contents. Before you begin. How to work through this learner guide Assessment. Introduction: Developing and managing performance management processes Contents Contents Before you begin How to work through this learner guide Assessment Introduction: Developing and managing performance management processes v v vi 1 Chapter 1: Developing integrated performance

More information

MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY

MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY MOORLAND SURGICAL SUPPLIES LTD INFORMATION GOVERNANCE POLICY Moorland is committed to ensuring that, as far as it is reasonably practicable, the way we provide services to the public and the way we treat

More information

COURSE INFORMATION BSB61015 Advanced Diploma of Leadership and Management

COURSE INFORMATION BSB61015 Advanced Diploma of Leadership and Management COURSE INFORMATION BSB61015 Advanced Diploma of Leadership and Management What is the Australian Qualifications Framework? The Australian Qualifications Framework (AQF) establishes the quality of Australian

More information

WEST MIDLANDS POLICE Force Policy Document

WEST MIDLANDS POLICE Force Policy Document WEST MIDLANDS POLICE Force Policy Document POLICY TITLE: POLICY REFERENCE NO: POLICE STAFF DISCIPLINARY PROCEDURE HR/06 Executive Summary The Force expects certain standards of conduct to be maintained

More information

POSITION DESCRIPTION

POSITION DESCRIPTION POSITION DESCRIPTION POSITION TITLE REPORTS TO AWARD/AGREEMENT/CONTRACT POSITION TYPE HOURS PER WEEK Nurse Unit Manager Business Director of Ambulatory and Continuing Care Professional Executive Director

More information

BMS/2.05 Whistleblowing (Raising Concerns at Work)

BMS/2.05 Whistleblowing (Raising Concerns at Work) BMS/2.05 Whistleblowing (Raising Concerns at Work) Document Author: Helen Inch Head of HR and Communications Document Owner: Helen Inch Head of HR and Communications Paper Copy Number 1 2 3 4 5 6 7 8 9

More information

Audit Report. University Medical Center HIPAA Compliance. June 2013. Angela M. Darragh, CPA, CISA, CFE Audit Director AUDIT DEPARTMENT

Audit Report. University Medical Center HIPAA Compliance. June 2013. Angela M. Darragh, CPA, CISA, CFE Audit Director AUDIT DEPARTMENT Audit Report AUDIT DEPARTMENT University Medical Center HIPAA Compliance June 2013 Angela M. Darragh, CPA, CISA, CFE Audit Director AUDIT COMMITTEE: Commissioner Steve Sisolak Commissioner Chris Giunchigliani

More information

PERFORMANCE AND DEVELOPMENT FRAMEWORK FOR PRINCIPALS, EXECUTIVES AND TEACHERS IN NSW PUBLIC SCHOOLS

PERFORMANCE AND DEVELOPMENT FRAMEWORK FOR PRINCIPALS, EXECUTIVES AND TEACHERS IN NSW PUBLIC SCHOOLS PERFORMANCE AND DEVELOPMENT FRAMEWORK FOR PRINCIPALS, EXECUTIVES AND TEACHERS IN NSW PUBLIC SCHOOLS Introduction and Context The NSW Department of Education and Communities is committed to attracting,

More information

Forms and Templates. Recognition of Prior Learning Initiative CHC50113

Forms and Templates. Recognition of Prior Learning Initiative CHC50113 Recognition of Prior Learning Initiative Forms and Templates RPL Assessment Toolkit for CHC50113 Diploma of Early Childhood Education and Care CHC50113 DIPLOMA Effective July 2013 Commonwealth of Australia

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

Roles and Responsibilities The following section outlines the e-safety roles and responsibilities of individuals and groups within Heath Farm School:

Roles and Responsibilities The following section outlines the e-safety roles and responsibilities of individuals and groups within Heath Farm School: Introduction This e-safety policy was approved by the School Senior Leadership Team: January2015 The implementation of this e-safety policy will be monitored by the: E-Safety Coordinator, Senior Leadership

More information

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework Putting Barnsley People First Barnsley Clinical Commissioning Group Information Governance Policy and Management Framework Version: 1.1 Approved By: Governing Body Date Approved: 16 January 2014 Name of

More information

Senior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES

Senior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES Senior School 1 PURPOSE The policy defines and describes the acceptable use of ICT (Information and Communications Technology) and mobile phones for school-based employees. Its purpose is to minimise the

More information