INTERNAL AUDIT FINAL REPORT
CNES FINANCE AND CORPORATE RESOURCES DEPARTMENT
CLOUD IT SYSTEMS AND THE CRM SYSTEM

OFFICIAL


AUTHOR
David Beaton
Internal Audit
Finance Service
Highland Council

DISTRIBUTION
Director of Finance and Corporate Resources
Customer Service Manager (for info)
IT Manager (for info)

DRAFT DATE: 29/09/15
FINAL DATE: 28/10/15
REF: WE23/002

Contents

1. INTRODUCTION
2. REVIEW OBJECTIVES
3. SCOPE, METHOD & COVERAGE
4. MAIN FINDINGS
5. CONCLUSION
6. AUDIT OPINION
7. ACTION PLAN

1. INTRODUCTION

The purpose of this report is to record the findings of a recently completed computer audit review of the controls surrounding Comhairle IT systems hosted in the cloud and the Customer Relationship Management (CRM) System.

The CNES has four systems which are externally hosted, namely:

1) The Capita Payments System
2) The SEEMiS Education Management Information System
3) The Interplan Performance Management System
4) The Northgate Social Fund

The provision, licensing, operation and support are controlled by supplier license and support contracts for each system. The Information Commissioner's Office (ICO) Guidance on the Use of Cloud Computing and the government's Communications-Electronics Security Group (CESG) guidance entitled Summary of Cloud Security Principles provide guidance on the assurances a customer should obtain with regard to placing their data in the cloud.

The CRM System supports the CNES Customer Service Strategy of handling all customer interactions related to enquiries, service requests, payments, appointments and bookings through a single customer service function. It went live on 29 October 2009 and since its implementation it has helped to provide a consistent, corporate approach to customer service delivery by providing a single customer service function. Using the CRM system means all interactions with customers are now recorded in one system, which makes it much easier for staff to track the progress of any ongoing queries. What is more, it has enabled the Comhairle to provide a cost effective 24/7 internet service.

2. REVIEW OBJECTIVES

The objectives of the review were to ensure that:

(i) IT Systems operating within the cloud are in accordance with expected cloud good practice (see 4.1).
(ii) Customer Relationship Management (CRM) System has the expected application controls in place (see 4.2).

3. SCOPE, METHOD & COVERAGE

The review checked that the Comhairle IT Systems hosted in the cloud:

1) Have all been clearly identified
2) Have all been subject to an internal cloud governance process including a risk assessment
3) Are ISO 27001, or equivalent, certified
4) Are operated by suppliers who have secure physical infrastructure and facilities in place
5) Are operated by suppliers who have adequate HR, data protection and audit arrangements
6) Are supported by adequate service level agreements
7) Have a documented exit process.

In addition the review checked that the CRM System:

1) Has strong user access controls
2) Contains complete and accurate data
3) Has adequate data processing arrangements in place, e.g. for any interfaces
4) Provides sufficient data quality and management reports which are properly verified and distributed
5) Has its electronic audit trails properly configured and monitored
6) Has a signed license and support agreement containing appropriate contract clauses
7) Operates efficiently.

4. MAIN FINDINGS

The main findings of the review, referenced to the above review objectives, are as follows.

4.1 Systems Hosted in the Cloud

This objective was partially achieved.

Comhairle IT Systems hosted in the cloud are expected to follow good practice. Examples of good practice are set out by the Information Commissioner's Office Guidance on the Use of Cloud Computing and the government's Communications-Electronics Security Group (CESG) guidance entitled Summary of Cloud Security Principles. These guidance documents discuss subjects an organisation should consider when placing its data in the cloud. They include ensuring CNES cloud systems:

1) Have all been clearly identified
2) Have all been subject to an internal cloud governance process including a risk assessment
3) Are ISO 27001, or equivalent, certified
4) Are operated by suppliers who have secure physical infrastructure and facilities in place
5) Are operated by suppliers who have adequate HR, data protection and audit arrangements
6) Are supported by adequate service level agreements
7) Have a documented exit process.

With reference to the above, the findings were as follows.

The CNES identified four systems during the review which are externally hosted in the cloud, namely:

(i) The Capita Payments System
(ii) The SEEMiS Education Management Information System
(iii) The Interplan Performance Management System
(iv) The Northgate Social Fund

A member of the Procurement Section reported that CNES contracts are issued with standard terms and conditions. Some suppliers simply accept them whereas others respond with changes. These standard terms and conditions refer to:

- Confidentiality and security of information
- Data protection
- Audit
- Governing law and jurisdiction
- Termination and exit

However, there is not a specific CNES cloud checklist or risk assessment to ensure that all security aspects of cloud systems have been properly considered and are in place.

A check of the various supplier agreements provided for review with regard to numbers 3) to 7) of the above guidance produced the following results:

Capita Payments System

The Capita Agreement and Addendum:

- Did not mention ISO accreditation, but Capita is known to hold ISO accreditation
- Refer to a service level agreement
- Contains confidentiality and data protection clauses
- Is in accordance with the laws of Scotland
- Contains a termination clause.

SEEMiS Integrated Education Management System

The Memorandum of Understanding:

- Did not mention ISO 27001, but it is known the supplier is working towards ISO although it is not yet accredited
- Did not mention a service level agreement, but it is known the supplier is currently producing a service level agreement
- Is in accordance with the laws of Scotland
- Contains a confidentiality clause.

The Interplan Performance Management System

The Comhairle's contract for payment of the Interplan CAM Management Solutions proposal:

- Did not mention a requirement of ISO accreditation, however it was reported that the system does not contain confidential data
- Is in accordance with the laws of Scotland
- Contains a termination clause

Northgate Social Fund

The Northgate Social Fund as a Service document:

- States the supplier is accredited to ISO
- Contains confidentiality and data protection clauses
- Contains a documented service level and support clause
- Is in accordance with the laws of England
- Contains a documented termination clause

Hence the above agreements have some, but not all, of the expected controls/assurances in place. This has to be expected as different cloud providers and cloud services have reached different stages in the development and maturity of their services.

4.2 Customer Relationship Management System

This objective was mainly achieved.

Access Control

The expected access controls are that:

1) There is an approved and documented access control policy and a formal user registration system which provides evidence that all users of the system have been properly approved.
2) Unique usernames are used to ensure staff can be held accountable for their actions and protected from unnecessary investigation in the event of misuse.
3) Strong passwords are forced to be sufficiently complex and long such that they are not easily guessed and can resist brute force hacking attacks.
4) System administration activities are properly documented to ensure that they can be carried out by more than one member of staff.

The actual controls are that:

1) A set of user access groups have been set up and the system administrator sets up users following an email or phone request for access. However there is no documented access control policy for the system administrator to follow. An email/phone authorisation from the system owner is also required. Given the use of phone authorisations and that the authorisation emails are not always retained, there is not a complete set of documentary evidence to prove that all the requests for access have been properly authorised.
2) Customer services staff members have been allocated unique usernames to access the CRM System. However they share generic usernames to access Street Lighting System and the IDOX System.
3) Passwords are in place, but they are only forced to be a minimum of 4 characters and there is no enforcement of mixed characters, e.g. upper and lower case. This means that users can create weak passwords.
4) System administration and support is carried out by one key member of staff who has an in-depth knowledge of the system. However although the supplier manuals document some of the system administration processes, not all the in-house system administration procedures are documented, e.g. how user access should be properly authorised and how evidence of authorisation should be retained for the lifetime of the system.

The risks associated with the above findings are:

1) Increased chance of errors in setting up user access given there is no clearly documented policy
2) In the event of a user misusing his/her access privileges it is more difficult to hold the user accountable for his/her actions, and other staff who share the generic username could be subjected to an unnecessary and upsetting investigation
3) Passwords are easy to guess, meaning it is easier to hack a user's ID
4) The CNES is overly reliant on the knowledge of a single member of key staff

Data Input

The expected control with regard to data input is that it is complete, accurate and up to date.

The sample data examined was on the whole satisfactory. However, two concerns were identified:

1) The client case history search, in every example checked, shows under the interactions tab that the client is not verified even although the Customer Services Team Leader stated the client is always verified in the case of council tax queries. Therefore the system is not recording correctly what is actually happening.
2) There is a section for recording notes relating to conversations with customers or members of staff. One example of these notes recorded details of a dispute between staff, which is not in accordance with the guidance issued by the Customer Services Manager. As the data for the notes field can be very varied it can be difficult for staff to enter the correct balance of information, therefore it should be monitored by management.

Interface and Integration Processing

The expected control with regard to interface processing is that control totals are used to verify that the number of records extracted from one system equates to the number of records loaded into the receiving system.

The CRM System receives data from the Corporate Address Gazetteer (CAG) on a monthly basis via a partially automated interface. The data is extracted manually from CAG by a member of staff and loaded automatically via Windows Scheduler into the CRM System. A member of the IT Unit checks that no error message appears in the Windows Scheduler after the load program has run. Therefore the controls are largely as expected. However there is no check within the CRM System to verify the data has loaded correctly.

The CRM System is also integrated with the Council Tax System such that some customer services staff members who are CRM System users can log directly into the Council Tax System without entering a separate username and password. Although their access within the Council Tax System is limited to setting up or stopping direct debits, this situation means that user access control for the Council Tax System being correct depends directly on user access control for the CRM System being correct. The Council Tax System Access Control Policy should take this type of access into account, and the Access Control section above shows that the CRM System access controls require improvement.

Reports

With regard to CRM System reporting, it was expected that data quality reports would exist to provide assurance that the data entered into the system was complete and correct. In addition it was expected management reports would exist to report both trends and performance in order to assist the Customer Services Manager and other senior staff with efficient and effective decision making.

Only one report was provided for review, which shows types of interaction and the number of each type of interaction. It was reported that the CRM System reporting module has not been purchased and there is an intention to develop reports using Jaspersoft reporting software, which can take data from one or more data sources and provide easy to read and interactive reports.
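The control-total check that the Interface and Integration Processing finding above describes, shown as an added example (it is not part of the audit report and is not the Comhairle's or the supplier's code): it compares a record count, a hash total and a content digest between the extract and what was actually loaded. The CSV columns, the `crm_address` table, the in-memory SQLite database standing in for the CRM System and the sample rows are all assumptions constructed for illustration.

```python
"""Control-total reconciliation for a batch interface load (added example)."""
import csv
import hashlib
import io
import sqlite3
from dataclasses import dataclass

# Constructed sample extract. Column names and values are assumptions, not the
# real gazetteer format. The third record has no postcode.
SAMPLE_EXTRACT = (
    "uprn,address,postcode\n"
    "130000001,1 Example Road,HS1 0AA\n"
    "130000002,2 Example Road,HS1 0AB\n"
    "130000003,3 Example Road,\n"
    "130000004,4 Example Road,HS1 0AD\n"
)


@dataclass(frozen=True)
class ControlTotals:
    record_count: int    # number of records
    hash_total: int      # sum of the key field; only meaningful for comparison
    content_digest: str  # SHA-256 over the sorted, normalised records


def compute_totals(rows):
    """Compute control totals over (uprn, address, postcode) tuples."""
    normalised = sorted(
        tuple(("" if field is None else str(field)).strip() for field in row)
        for row in rows
    )
    digest = hashlib.sha256()
    for row in normalised:
        digest.update("\x1f".join(row).encode("utf-8") + b"\n")
    return ControlTotals(
        record_count=len(normalised),
        hash_total=sum(int(row[0]) for row in normalised),
        content_digest=digest.hexdigest(),
    )


def read_extract(text):
    """Parse the extract file into (uprn, address, postcode) tuples."""
    reader = csv.DictReader(io.StringIO(text))
    return [(r["uprn"], r["address"], r["postcode"]) for r in reader]


def lenient_load(conn, rows):
    """Hypothetical loader: skips rejected rows and still finishes cleanly."""
    conn.execute(
        "CREATE TABLE crm_address ("
        "uprn INTEGER PRIMARY KEY, address TEXT NOT NULL, postcode TEXT NOT NULL)"
    )
    for uprn, address, postcode in rows:
        try:
            conn.execute(
                "INSERT INTO crm_address VALUES (?, ?, ?)",
                (int(uprn), address, postcode or None),
            )
        except sqlite3.IntegrityError:
            continue  # swallowed: the job scheduler never sees this failure
    conn.commit()
    return 0  # exit status a job scheduler would record


def reconcile(source, target):
    """Return a list of discrepancies; an empty list means the load reconciles."""
    issues = []
    if source.record_count != target.record_count:
        issues.append(
            f"record count: extracted {source.record_count}, "
            f"loaded {target.record_count}"
        )
    if source.hash_total != target.hash_total:
        issues.append(
            f"hash total: extracted {source.hash_total}, loaded {target.hash_total}"
        )
    if not issues and source.content_digest != target.content_digest:
        issues.append("content digest differs although count and hash total match")
    return issues


def run_monthly_load(extract_text):
    """Load the extract, then reconcile source totals against the target table."""
    rows = read_extract(extract_text)
    conn = sqlite3.connect(":memory:")
    status = lenient_load(conn, rows)
    loaded = conn.execute("SELECT uprn, address, postcode FROM crm_address").fetchall()
    conn.close()
    return status, reconcile(compute_totals(rows), compute_totals(loaded))


if __name__ == "__main__":
    status, issues = run_monthly_load(SAMPLE_EXTRACT)
    print("loader exit status:", status)
    for issue in issues or ["load reconciles"]:
        print("RECONCILIATION:", issue)
```

The loader returns a clean exit status even though one record was dropped, which is the case a scheduler-only check cannot see; the reconciliation reports it from the totals alone.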

4.2.5 Audit Trail

User activities should be clearly identifiable in the audit trail and the CRM System does have an electronic audit trail which normally identifies the activities a user has carried out. However, the user flguest sometimes appears on the audit trail for starting and closing customer cases and staff do not know who this user is. They think it may be a system user, but this needs to be clarified with the system supplier.

License and Support Agreement

The expected CRM System license and support agreement is that it should comply with the CNES standard contract terms and conditions. However it is accepted that this may not always be possible and exceptions may have to be agreed.

The CRM supplier's Master Software License, Service and Support Agreement was found to be broadly as expected. However it is governed by and construed in accordance with the laws of England and Wales as opposed to Scotland. This means that the supplier did not accept the CNES standard contract terms and conditions. In addition it means that it will be more costly to go to court in the event of a serious dispute arising. One CNES lawyer is qualified in both Scottish and English law, but there would be higher travel expenses involved if a CNES lawyer had to go to an English court.

Efficiency

With regard to efficiency, it is expected that full use is made of the system and the intended benefits identified in the business case to purchase the system will be realised.

The Comhairle has made a significant investment in the CRM system. A Customer Service Project report that went to the ICT, Procurement and Asset Management Sub-Committee on 3 December 2007 stated the estimated cost of implementing the Lagan solution amounted to 450K. This 450K cost included 47K of annual support costs over 2 years. Since then another 5 years of annual support costs have been paid at a cost of approximately 22K per year. Hence the CNES has spent approximately 560K implementing and operating the CRM system. The system implementation did receive 170K contribution from the Modernising Government Fund.

As well as the significant non-cashable improvements made by the system which were identified in the introduction above, a CRM Progress Report to the Policy and Resources Committee dated 13 October 2011 stated it had assisted in making cashable savings of 215K. Hence many of the intended benefits of the system are being realised. In addition the IT Manager has stated he is considering making use of the CRM System to carry out the IT Helpdesk function, which could add further value to the investment.

Part of the vision recorded in the 2008 Customer Service Strategy was that the Comhairle would have the ability to measure the effectiveness of service delivery given that all customer interactions were being recorded in one place. However the successful results of these interactions are not being recorded in the system, i.e. if a pothole is reported, this information is passed on to the relevant staff and the outcome of the pothole actually being fixed is not then recorded within the CRM System. Therefore, although the CRM System has successfully pulled together all customer interactions, it cannot currently be used to report their successful resolution. Instead performance is monitored by the use of a sample of customer satisfaction reports and staff knowledge of how the system is operating.

The Comhairle should consider increasing the use of the system so that it can obtain a complete set of performance information.

5. CONCLUSION

The Comhairle has placed four sets of data within the cloud and has signed up to a different agreement with each one. These agreements contain some of the expected cloud controls, but not all. When placing its data within the cloud, the Comhairle needs to be sure that it has carried out, and retained evidence of, the expected checks. If the supplier's cloud service does not meet a cloud service expectation, then the Comhairle should be aware of this and seek to mitigate the risk.

With regard to the CRM System many of the expected controls were found to be in place. Users must be set up by a system administrator and they are allocated access levels appropriate to their post. Customer interactions are recorded and processed. An electronic audit trail monitors user activity. However a number of improvements are required.

With regard to efficiency, the implementation of the CRM System has assisted in making a significant improvement to the customer services function and many of the benefits have already been realised.

There are eight recommendations in this report, all classified as medium priority. All of the recommendations are due to be implemented by the end of July.

6. AUDIT OPINION

The opinion is based upon, and limited to, the work performed in respect of the subject under review. Internal Audit cannot provide total assurance that control weaknesses or irregularities do not exist. It is the opinion that Reasonable Assurance can be given in that whilst the system is broadly reliable, areas of weakness have been identified which put some of the system objectives at risk, and/or there is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

The levels of assurance and their definitions can be found at Appendix 1.

7. ACTION PLAN

The Action Plan contains 8 recommendations as follows:

- High: Major issues that managers need to address as a matter of urgency. Number: 0
- Medium: Important issues that managers should address and will benefit the Organisation if implemented. Number: 8
- Low: Minor issues that are not critical but managers should address. Number: 0
- Total recommendations: 8

Cloud Hosted CNES Systems (Grade: Medium)

Finding: There is not a specific CNES cloud checklist based on either the ICO or CESG guidance in place to ensure that all security aspects of cloud systems have been properly considered and are either in place, or are known not to be.

Recommendation 1): The IT Unit should produce a checklist, based on the ICO and CESG guidance, to ensure that all security aspects of systems to be hosted in the cloud are considered and evaluated.
Management agreed action: Agreed. A checklist for cloud suppliers will be produced in accordance with CESG guidelines.
Responsible officer: IT Manager
Target date: 31/07/16

Recommendation 2): This checklist should be used by existing CNES cloud system owners and IT Unit staff to ensure they are fully aware of the current security arrangements. If they find any deficiencies they should seek to have them addressed. For example if a supplier stores CNES personal data and is not ISO 27001, CNES staff should try to address this risk, e.g. by raising this fact at the relevant supplier user group.
Management agreed action: Agreed. The status of our cloud suppliers and their ISO certifications will be checked and we will bring to their attention any risks we encounter.
Responsible officer: IT Manager
Target date: 31/07/16

CRM - Access Control (Grade: Medium)

Finding 1): There is no access control policy and there is not a complete set of documentary evidence to prove that all the requests for access have been properly authorised.
Recommendation 1): An access control policy should be produced and documentary evidence of all further user access requests retained. An annual review of user access settings should be carried out and evidence that existing user access levels have been verified as correct should be retained.
Management agreed action: Agreed. User Access Control Form has been set up and requires a signature from Authorising Manager.
Responsible officer: Business Analyst
Target date: Complete

Finding 2): Generic usernames are shared by customer services staff to access Street Lighting System and the IDOX System.
Recommendation 2): Unique usernames should be used where possible to protect staff from investigation in the event of computer misuse.
Management agreed action: Limited licences for the uniform and IDOX systems currently prevent unique usernames for each officer accessing these systems. Raised with System Administrators of these systems.
Responsible officer: Business Analyst
Target date: Complete

Finding 3): Forced password complexity is weak.
Recommendation 3): The supplier should be asked whether forced password complexity can be brought up to the current expected practice.
Management agreed action: Agreed. Password complexity changed to 7 characters, 3 of which must be either upper, lower case or numbers.
Responsible officer: Business Analyst
Target date: Complete

Finding 4): System administration procedures are not all documented, meaning there is an over reliance on one key member of staff.
Recommendation 4): All system administration procedures should be documented.
Management agreed action: Agreed. Cross training and documenting procedures to be addressed.
Responsible officer: IT Manager / Business Analyst
Target date: 31/07/16

CRM - Data Input (Grade: Medium)

Finding 1): In every example checked the client case history search shows under the interactions tab that the client is not verified even although the Customer Services Team Leader stated the client is always verified in the case of council tax queries. Therefore the system is not recording correctly what is actually happening.
Recommendation 1): The record of client not being verified should be queried with the supplier. The aim should be to get the system to record what is actually taking place with regard to client verification.
Management agreed action: Agreed. Verified check box on a case form needs to be marked as confirmation that the client has been verified; all staff have been informed of this.
Responsible officer: Customer Services Manager
Target date: Complete

Finding 2): There is a section for recording notes relating to conversations with customers or members of staff. One example of these notes recorded details of a dispute between staff, which is not in accordance with the guidance issued by the Customer Services Manager. As the data for the notes field can be very varied it can be difficult for staff to enter the correct balance of information, therefore it should be monitored by management.
Recommendation 2): Staff should be reminded of the guidance when entering notes. In addition a report of notes should be produced so that it can be reviewed easily and quickly by management to check it is correct.
Management agreed action: Agreed. Customer Service Manager receives an email of all cases so is able to monitor notes; reminder will be issued to all staff to follow guidance previously issued when entering notes.
Responsible officer: Customer Services Manager
Target date: 31/10/

CRM - Interface Processing (Grade: Medium)

Finding 1): The CRM System receives data from the Corporate Address Gazetteer (CAG) on a monthly basis via a partially automated interface. The data is extracted manually from CAG by a member of staff and loaded automatically via Windows Scheduler into the CRM System. A member of the IT Unit checks that no error message appears in the Windows Scheduler after the load program has run. However there is no check within the CRM System to verify the data has loaded correctly.
Recommendation 1): The system administrator should check with the supplier whether there is a facility within the CRM system to verify whether a data load has been carried out successfully.
Management agreed action: The process is currently run automatically on the first Friday of each month and there is no success/fail feedback from this automatic process. To remedy this situation the following change to the Gazetteer upload process has been implemented. All console output from the Lagan upload application is captured and emailed to the Gazetteer and CRM Administrators. If for any reason this process fails then it will be clearly visible in this email. If for any reason there isn't a DFT Gazetteer extract in place for the Gazetteer sync/upload then the admins will be notified so that a DFT extract can be manually extracted and processed.
Responsible officer: Business Support Team
Target date: Complete

Finding 2): The CRM System is also integrated with the Council Tax System such that some customer services staff members who are CRM System users can log directly into the Council Tax System without entering a separate username and password. This means that user access control for the Council Tax System being correct depends directly on user access control for the CRM System being correct and the Council Tax System Access Control Policy should take this type of access into account.
Recommendation 2): The Council Tax Access Control Policy should include consideration of access control via the CRM System.
Management agreed action: Review with Council Tax System Administrator
Responsible officer: Business Analyst
Target date: 30/11/15

CRM - Reports (Grade: Medium)

Finding: Only one report was provided for review, which shows types of interaction and the number of each type of interaction. It was reported that the CRM System reporting module has not been purchased and there is an intention to develop reports using Jaspersoft reporting software, which can take data from one or more data sources and provide easy to read and interactive reports.
Recommendation: A complete list of the required management and data quality reports should be identified and the corresponding Jaspersoft reports should be developed to provide this information and assurance.
Management agreed action: Agreed. The executive report that has been produced covers the high level reporting needs currently. Additional reports will be developed using a centralised reporting service, namely Jaspersoft.
Responsible officer: Business Support Team
Target date: 31/07/

CRM - Audit Trail (Grade: Medium)

Finding: User activities should be clearly identifiable in the audit trail. However, the user flguest sometimes appears on the audit trail for starting and closing customer cases and staff do not know who this user is. They think it may be a system user, but this needs to be clarified with the system supplier.
Recommendation: The system administrator should contact the supplier to obtain an explanation as to why flguest appears on the audit trail.
Management agreed action: Agreed. Flguest appears because all the council tax cases have been submitted using webservices. The user that the webservices has been authenticated against to create the case is flguest, which is why it appears in the audit trail.
Responsible officer: Business Analyst
Target date: Complete

CRM License Agreement (Grade: Medium)

Finding: The CRM supplier's Master Software License, Service and Support Agreement is governed by and construed in accordance with the laws of England and Wales as opposed to Scotland. This means that it will be more costly to go to court in the event of a serious dispute.
Recommendation: If it has not already been done, the supplier should be asked whether this Agreement can be amended to be in accordance with the laws of Scotland.
Management agreed action: Agreed. Will be discussed in annual review.
Responsible officer: Customer Services Manager
Target date: 31/03/16

CRM - Efficiency (Grade: Medium)

Finding: The CRM System has made significant improvements and savings with regard to CNES customer services. Part of the vision recorded in the 2008 Customer Service Strategy was that the Comhairle would have the ability to measure the effectiveness of service delivery given that all interactions were being recorded in one place. However the successful results of these interactions are not being recorded in the system.
Recommendation: The CNES should consider recording the successful outcomes of customer interactions within the CRM system. This would enable it then to report on performance and provide a complete and documented assurance to both the CNES management and the public that the complete customer services function was operating successfully.
Management agreed action: Will raise with departmental representatives and Customer Service Steering Group. Departments currently report KPIs separately and use corporate satisfaction surveys.
Responsible officer: Customer Services Manager
Target date: 31/07/16

Appendix 1

Internal Audit Opinion

Full Assurance: There is a sound system of control designed to achieve the system objectives and the controls are being consistently applied.

Substantial Assurance: While there is generally a sound system, there are areas of weakness which put some of the system objectives at risk, and/or there is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

Reasonable Assurance: Whilst the system is broadly reliable, areas of weakness have been identified which put some of the system objectives at risk, and/or there is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

Limited Assurance: Weaknesses in the system of controls are such as to put the system objectives at risk, and/or the level of non-compliance puts the system objectives at risk.

No Assurance: Control is generally weak, leaving the system open to significant error or abuse, and/or significant non-compliance with basic controls leaves the system open to error or abuse.


More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Procurement Policy Note Use of Cyber Essentials Scheme certification

Procurement Policy Note Use of Cyber Essentials Scheme certification Procurement Policy Note Use of Cyber Essentials Scheme certification Action Note 09/14 25 September 2014 Issue 1. Government is taking steps to further reduce the levels of cyber security risk in its supply

More information

SOUTH NORTHAMPTONSHIRE COUNCIL 10/11 REMOTE WORKING FINAL REPORT MARCH 2011

SOUTH NORTHAMPTONSHIRE COUNCIL 10/11 REMOTE WORKING FINAL REPORT MARCH 2011 SOUTH NORTHAMPTONSHIRE COUNCIL 10/11 REMOTE WORKING FINAL REPORT MARCH 2011 This report and the work connected therewith are subject to the Terms and Conditions of the contract dated 18/06/07 between South

More information

Spillemyndigheden s change management programme. Version 1.3.0 of 1 July 2012

Spillemyndigheden s change management programme. Version 1.3.0 of 1 July 2012 Version 1.3.0 of 1 July 2012 Contents 1 Introduction... 3 1.1 Authority... 3 1.2 Objective... 3 1.3 Target audience... 3 1.4 Version... 3 1.5 Enquiries... 3 2. Framework for managing system changes...

More information

Federal Communications Commission Office of Inspector General. FY 2003 Follow-up on the Audit of Web Presence Security

Federal Communications Commission Office of Inspector General. FY 2003 Follow-up on the Audit of Web Presence Security Federal Communications Commission Office of Inspector General FY 2003 Follow-up on the Audit of Web Presence Security Audit Report No. 03-AUD-09-21 October 20, 2004 TABLE OF CONTENTS Page EXECUTIVE SUMMARY

More information

Information Governance Standards in Relation to Third Party Suppliers and Contractors

Information Governance Standards in Relation to Third Party Suppliers and Contractors Information Governance Standards in Relation to Third Party Suppliers and Contractors Document Summary Ensure staff members are aware of the standards that should be in place when considering engaging

More information


More information

The No.1 most configurable software to manage your Governance, Risk and Compliance

The No.1 most configurable software to manage your Governance, Risk and Compliance The No.1 most configurable software to manage your Governance, Risk and Compliance Configurable Reliable Secure Web-enabled technology Used by 30% of FTSE 100 companies Hosted by Rackspace Validated by

More information