LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY

Information Security Policy

1.0 Introduction

1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed to efficient and effective information security management in ensuring that all the information and information systems on which the University depends are adequately protected.

1.2 Information can be stored on computers, printed out, written down, transmitted across networks and spoken in conversations. Our University's information and the IT systems and networks that they support are important institutional assets.

1.3 All organisations are facing increased security threats from a number of sources. Systems and networks may be the target of serious threats including computer based fraud, computer viruses and computer hackers which are becoming more widespread, more ambitious and increasingly sophisticated. At the same time our increasing dependence on IT services and systems makes us more vulnerable to these threats and the growth of networking, in all its forms, presents new opportunities for unauthorised access to information and reduces the scope for central control of IT facilities.

2.0 Legal and regulatory framework

2.1 The University has a statutory duty to ensure that the information it holds complies with the law and the regulations to which it is accountable.

2.2 The Model Financial Memorandum between HEFCE and higher education institutions (July 2010/19) requires our University to have effective arrangements for the management and quality assurance of data submitted to HEFCE, HESA and other funding bodies. This includes student, staff, financial and estates data.

2.3 The loss or unauthorised disclosure of information has the potential to damage our reputation and cause financial loss. The Information Commissioner's Office (ICO) has the power to fine organisations up to £500,000 for breaches of the Data Protection Act.

2.4 The Freedom of Information Act 2000 also provides a general right of public access to all types of recorded information held by public authorities in order to promote a culture of openness and transparency.

Footnote 1: University and Colleges Information Systems Association (UCISA), Information Security Toolkit, Edition 3.0, page 12.

2.5 In addition we are also subject to the terms of the contractual obligations we enter into and are required to abide by all UK and EU legislation relating to the management of information, including but not limited to the following statutes:

- Computer Misuse Act 1990
- Copyright Designs and Patents Act 1988
- Data Protection Act 1988
- Human Rights Act 1998
- Freedom of Information Act 2000
- Regulation of Investigatory Powers Act

3.0 Policy Aims and approach

3.1 This Policy sets out the framework through which the information we manage shall be appropriately secured to protect against the consequences of breaches of confidentiality, failures of integrity, or interruptions to the availability of that information.

3.2 The University is committed to protecting the security of its information and information systems and our approach shall reflect the relevant University values which guide the way we do things in delivering the following commitments:

Professional

(a) Ensuring we have the right policies, procedures, training, support and guidance in place for our staff, students and partners who create, access, use and distribute our information.

(b) Managing information in the most efficient and effective ways which deliver value for money.

Purposeful

(c) Ensuring that information is always available to those who need it and there is no disruption to the business of the University.

(d) Maintaining the integrity of our information so that it is accurate, up to date and fit for purpose.

(e) Safeguarding the reputation of the University.

Respectful

(f) Taking account of the wider professional, regulatory and statutory context in which the University operates.

(g) Being appropriately accountable, open and transparent as a recipient of public funding in a way that meets our legal requirements, including those applicable to personal data under the Data Protection Act.

(h) Ensuring that confidentiality is not breached and information is accessed only by those authorised to do so.

Enterprising

(i) Protecting and exploiting our information resources wisely as appropriate depending on the nature of the information concerned and the different stages of its lifecycle.

3.3 This approach to information security management is a key part of our risk management framework in both mitigating threats and exploiting opportunities in the achievement of our strategic objectives.

3.4 To determine the appropriate levels of security measures applied to information systems, a process of risk assessment shall be carried out for each system to identify the probability and impact of security failures.

4.0 Policy Structure

4.1 The Information Security Policy sets out the wider framework of policies and procedures that will deliver our commitment to this important agenda, which is essential to the whole University in its teaching, research, enterprise and administrative functions.

4.2 The structure and content of this policy framework is based on the approach set out in the Universities and Colleges Information Systems Association (UCISA) Toolkit. The toolkit is based on British Standard BS 7799 which is a code of practice and comprehensive guide to good information security practice.

4.4 This overarching Policy is underpinned by other policy commitments and procedures which can be grouped under three main headings, namely:

- Business continuity (section A)
- Governance, risk and compliance (section B)
- IT Security (section C)

which seek to clarify management actions as well as the individual and collective responsibilities of staff, students and partners to enable them to use information securely and in appropriate and informed ways in carrying out all their activities across the University.

4.5 This subsidiary information, policy and guidance shall be considered part of this Policy and shall have equal standing.

4.6 This Information Security Policy forms part of the University's wider policy and procedural framework, including its General Regulations for students and the contractual terms and conditions of staff. It is applicable to and will be communicated to staff, students and other relevant parties.

4.8 This policy shall be reviewed and updated regularly to ensure that it remains appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.

5.0 Scope of the Policy

5.1 The Information Security Policy applies to:

(a) all those with access to University information systems, including staff, students, visitors and contractors

(b) any systems attached to the University computer or telephone networks and any systems supplied by the University

(c) all information (data) processed by the University pursuant to its operational activities, regardless of whether it is processed electronically or in paper (hard copy) form, any communications sent to or from the University and any University information (data) held on systems external to the University's network

(d) all external parties that provide services to the University in respect of information processing facilities and business activities

(e) principal information assets including the physical locations from which the University operates.

6.0 Responsibilities for Information Security Policy

6.1 This policy forms part of the University's risk management framework which is overseen by the Board of Governors through its Audit Committee and reviewed on a regular basis.

6.2 The Board of Governors has ultimate responsibility for information security within the University. More specifically, it is legally responsible for ensuring that the University complies with relevant external requirements, including legislation.

6.3 The Information Governance Steering Group has responsibility for overseeing the approach, development and review of the information security policy framework across the University and reports to the Secretary and Registrar and Corporate Management Team as necessary.

6.4 The Information Governance Steering Group is chaired by a senior manager, nominated by the Secretary and Registrar, and comprises managers from across the institution as information governance champions.

6.5 One of the objectives of the Information Governance Steering Group shall be to ensure that there is clear direction and visible management support, appropriate commitment and adequate resourcing for information security initiatives.

6.6 A Data Protection Steering Group is responsible for co-ordinating the implementation, review and development of the University's Data Protection Policy and in particular issues arising from any reported breaches of data security. This Group reports to the Information Governance Steering Group as a standing item of business at each of its meetings.

6.7 The responsibility for ensuring the protection of information systems and ensuring that specific security processes are carried out shall lie with the Dean of each Faculty and Director of each Service managing that information system.

6.8 However, achieving our policy commitments largely depends on staff, students and partners working within the University's policies, regulations and best practice guidelines.

7.0 Reporting breaches of information security

7.1 If any staff, students or partners become aware of an information security incident they should report it to their Dean or Director of Service in the first instance who shall then report it to the Secretary and Registrar for monitoring purposes.

7.2 The Secretary and Registrar will consider the nature of the incident and actions required by the University which may include reporting it to the Information Commissioner and/or the Police or taking legal advice as necessary.

7.3 Financial Services should also be notified of any incidents where there may be insurance implications to the University.

7.4 The University will establish and maintain appropriate contacts with other organisations, law enforcement authorities, regulatory bodies, and network and telecommunications operators in respect of its information security.

7.5 Should a member of staff, student or partner feel it necessary and appropriate, the University also has a Whistleblowing (Public Interest Disclosure) Complaints Policy.

7.6 The Board of Governors has designated the Secretary and Registrar, as Clerk to the Board of Governors, as the Designated Officer to whom a whistleblowing complaint should normally be made in the first instance.

7.7 However, if the complainant prefers, or if the complaint is about or implicates the Designated Officer, then it should be made to the Vice-Chancellor, Chair of the Board of Governors or Chair of Audit Committee.

7.8 The implementation of the information security policy shall be reviewed independently of those charged with its implementation, predominantly through the University's programme of internal audit reviews and will be reported to the Board of Governors through its Audit Committee.

Document History

Policy Owner: Secretary & Registrar
Author: Deputy Secretary
Date created: 31 January 2014
Next Review Date: January 2016
Approved by: Information Governance Steering Group, 6 March 2014; Secretary & Registrar, 14 March 2014

Version control

Date: 31/1/14
Version: 01
Author: Caroline Thomas
Comments/amendments: Policy created.

LEEDS BECKETT UNIVERSITY

SECTION A
Business Continuity Planning & Information Security

Policy Statement

1. The Corporate Management Team shall assess business continuity requirements and identify appropriate areas for further action through its periodic review of the University's business continuity arrangements.

2. A formal risk assessment exercise will be conducted to classify all information systems according to their level of criticality to the University and to determine where business continuity planning is needed.

3. A business continuity plan will be developed for each information system or activity. The nature of the plan and the actions it contains will be commensurate with the criticality of the information system or activity to which it relates.

4. All business continuity plans will be periodically tested. The frequency of testing will be as defined for the appropriate criticality level and will include tests to verify whether management and staff are able to put the plan into operation.

5. All relevant staff will receive appropriate training to be able to carry out their roles with respect to business continuity plans.

6. Each business continuity plan will be reviewed, and if necessary updated. The frequency of reviews will be as defined for the appropriate criticality level.

Related policies:

- Risk Management Policy
- Crisis Management Plan (including Crisis Response and Business Recovery Plans)

LEEDS BECKETT UNIVERSITY

SECTION B
Governance, Risk & Compliance & Information Security

Policy Statement

1. The Terms and Conditions of Employment set out all employees' responsibilities with respect to their use of computer based information systems and data. Line managers must provide specific guidance on legal compliance to any member of staff whose duties require it.

2. The General Regulations set out all students' responsibilities with respect to their use of computer based information systems and data.

3. All members of the University will comply with the Information Security Policy and, where appropriate, their compliance will be monitored.

4. Before any new systems are introduced, a risk assessment process will be carried out which will include an assessment of the legal obligations that may arise from the use of the system. These legal obligations will be documented and a named system controller, with responsibility for updating that information, will be identified.

5. Guidance documents will be made available to all computer users covering the key aspects of the law of copyright, in so far as they relate to the use of information systems. Guidance is also available on the key aspects of computer misuse legislation.

6. The institution's policies forbid the use of information systems to send or publish derogatory remarks about people or organisations.

7. The University's data retention policy defines the appropriate length of time for different types of information to be held. Data will not be destroyed prior to the expiry of the relevant retention period and will not be retained beyond that period. During the retention period appropriate technical systems will be maintained to ensure that the data can be accessed.

8. The University will only process personal data in accordance with the requirements of the data protection legislation. Personal or confidential information will only be disclosed or shared where an employee has been authorised to do so.

9. Where it is necessary to collect evidence from the information systems, it shall be collected and presented to conform to the relevant rules of evidence. Expert guidance will normally be sought.

10. All of the organisation's information systems will be operated and administered in accordance with documented procedures.

Third Party Access Policy & Information Security

11. All third parties who are given access to the University's information systems, whether suppliers, customers or otherwise, must agree to follow the University's information security policies. A summary of the information security policies and the third party's role in ensuring compliance will be provided to any such third party, prior to their being granted access.

12. The University will assess the risk to its information and, where deemed appropriate because of the confidentiality, sensitivity or value of the information being disclosed or made accessible, the University will require external suppliers of services to sign a confidentiality agreement to protect its information assets.

13. Those responsible for agreeing maintenance and support contracts will ensure that the contracts being signed are in accord with the content and spirit of the University's information security policies.

14. All contracts with external suppliers for the supply of services to the University must be monitored and reviewed to ensure that information security requirements are being satisfied. Contracts must include appropriate provisions to ensure the continued security of information and systems in the event that a contract is terminated or transferred to another supplier.

15. Any facilities management, outsourcing or similar company with which this University may do business must be able to demonstrate compliance with the University's information security policies and enter into binding service level agreements that specify the performance to be delivered and the remedies available in case of non-compliance.

Human Resource Policy & Information Security

16. All employees must comply with the information security policies of the University.

17. Any information security incidents resulting from non-compliance should result in appropriate disciplinary action.

18. If, after investigation, a user is found to have violated the University's information security policy and/or procedures, they may be disciplined in line with the University's formal disciplinary process.

19. The Terms and Conditions of Employment of the University include requirements to comply with information security policies.

20. All employees are required to sign a formal undertaking concerning the need to protect the confidentiality of information, both during and after their employment with the University.

21. Non-disclosure agreements must be used in all situations where the confidentiality, sensitivity or value of the information being disclosed is important.

22. New employees' references must be verified appropriately, and the employees must undertake to abide by the University's information security policies.

23. All external suppliers who are contracted to supply services to the University must agree to follow the information security policies of the University.

24. All staff are to be provided with information security awareness tools to enhance awareness and educate them regarding the range of threats, the appropriate safeguards, and the need for reporting suspected problems.

25. An appropriate summary of the information security policies must be formally delivered to, and accepted by, all temporary staff, prior to their starting any work for the University.

26. The University is committed to providing training to all users of new systems to ensure that their use is both efficient and does not compromise information security.

27. Periodic training for those predominantly responsible for information security on a day-to-day basis is to be prioritised to educate and train in the latest threats and information security techniques.

28. All new staff are to receive mandatory information security awareness training, including Data Protection training, as part of induction.

29. Where staff change jobs, their information security needs must be reassessed and any new training provided as a priority.

30. Training in information security threats and safeguards for technical staff is mandatory, with the extent of technical training to reflect the job holder's individual responsibility for configuring and maintaining information security safeguards.

31. Where IT staff change jobs, their information security needs must be reassessed and any new training provided as a priority.

32. Upon notification of staff resignations, the Human Resources team must consider in consultation with the appropriate Faculty or Service whether the member of staff's continued system access rights constitute an unacceptable risk to the University and, if so, revoke all access rights.

33. Departing staff are to be treated sensitively, particularly with regard to the termination of their access privileges.

34. Departing staff must return all information assets and equipment belonging to the University, unless agreed otherwise with the designated owner responsible for the information asset.

Related policies:

- Terms and Conditions of Employment
- Data Protection Policy
- Data Retention Policy
- Information Handling Policy
- Information Asset Register
- Intellectual Property Policy (subject to approval)
- Data Quality Policy
- Accuracy of Published Information Procedures
- General Regulations
- Social Media Policy (in development)
- Research Ethics Policy and Procedures
- Code of Good Practice and Regulations relating to Misconduct in Academic Research
- Student Code of Discipline
- Policy, Regulations, and Procedures Relating to Professional Suitability or Professional Misconduct
- Whistleblowing (Public Interest Disclosure) Complaints Procedure
- Regulations for the Use of Institutional IT, Library and Media Facilities
- Policy and Procedures on the Appropriate Use of University Electronic Information and Communications Facilities and Services
- Code of Practice on the Freedom of Speech and Expression

LEEDS BECKETT UNIVERSITY

SECTION C
IT Security Policy

Policy Statement

Measures will be taken by the University to implement information technology and security policies including:

1. Ensuring that all individuals who use information technology systems, or otherwise handle information, understand the policies that are relevant to them and any consequences for non-compliance.

2. Using physical security measures when deemed necessary.

3. Applying technology where considered appropriate and feasible, for example to control and log access to systems, data and functionality.

4. Using various lawful forms of monitoring activities, data and network traffic to detect policy infringements.

5. Taking into account relevant information security policy requirements when planning and undertaking activities involving IT-based information technology systems.

6. Formal or informal risk assessment, to identify the probability and impact that various hazards could have on information technology systems.

7. Monitoring effectiveness of its information security policy implementation. This may involve review independent from those charged with its implementation.

8. The Director of IMTS is responsible for the implementation and management of Information Technology Security Policies at the University.

9. It is the responsibility of the University to sufficiently resource and direct implementation of these policies.

10. Individuals must understand and agree to abide by University IT policies and Regulations before being authorised for access to any information technology systems for which the University has responsibility.

Related policies:

Information Handling Policy
The Information Handling Policy sets out Leeds Beckett University's definition of, commitment to, and requirements for Information Handling. It sets out the need to define classes of information handled by the organisation and the requirements for the storage, transmission, processing and disposal of each.

Cryptography Policy
The purpose of the Cryptography Policy is to set out when and how encryption should (or should not) be used. It includes protection of personal, confidential and commercially sensitive information and communications.

System Planning and Management Policy
The purpose of the System Planning and Management Policy is to define how Leeds Beckett University information technology systems are specified, designed and managed. It includes processes for identifying requirements and risks, and designing appropriately configured systems to meet them.

Use of Computers Policy
The purpose of the Use of Computers Policy is to define the acceptable actions of any individual who interacts with Leeds Beckett University's information technology systems.

User Management Policy
The User Management Policy governs the creation, management and deletion of user accounts. It also sets out the principles for the granting and revocation of privileges associated with user accounts.

Computer Protection Policy
The Computer Protection Policy defines how university-controlled end-point devices (servers and user devices) are protected from security vulnerabilities. It includes appropriate technical and procedural controls to reduce risk and meet the requirements of other university IT Security Policies.

Computer Password Policy
The Computer Password Policy defines how the University utilises and manages passwords to ensure the security of devices and systems. It includes the appropriate technical and procedural controls to reduce risk and meet the requirements of other related IT security policies.

Network Management Policy
The purpose of the Network Management Policy is to define how the Leeds Beckett University networks are designed and how systems are connected to them. It includes appropriate technical and procedural controls to reduce risk and meet the requirements of the Information Handling Policy.

Software Management Policy
The Software Management Policy sets out how the software which runs on Leeds Beckett University's information technology systems is managed. It includes controls on the installation, maintenance and use of software, with appropriate procedures for upgrades to minimise the risk to information and information technology systems.

Mobile Computing Policy
The purpose of the Mobile Computing Policy is to maintain the security of Leeds Beckett University's information assets when they are used from mobile devices (such as PDAs, mobile phones, laptops, tablets). These devices need not be owned by Leeds Beckett University but are being used to access its information technology systems.

Bring Your Own Device Policy
The purpose of the BYOD Policy is to maintain the security of Leeds Beckett University's information assets when they are being accessed from devices personally owned by users (such as PDAs, mobile phones, laptops, tablets).

Wireless Communications Policy
The Wireless Communications Policy establishes standards that must be met when wireless communications equipment is connected to Leeds Beckett University's networks. Only wireless systems that meet the criteria of this policy are approved for connectivity to Leeds Beckett University's networks.


More information

University of Sunderland Business Assurance Over-arching Information Governance Policy

University of Sunderland Business Assurance Over-arching Information Governance Policy University of Sunderland Business Assurance Over-arching Information Governance Policy Document Classification: Public Policy Reference Central Register IG001 Policy Reference Faculty / Service IG 001

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY ISO 27002 5.1 Author: Owner: Organisation: Chris Stone Ruskwig TruePersona Ltd Document No: SP- 5.1 Version No: 1.0 Date: 10 th January 2010 Copyright

More information

information systems security policy...

information systems security policy... sales assessment.com information systems security policy... Approved: 2nd February 2010 Last updated: 2nd February 2010 sales assessment.com 2 index... 1. Policy Statement 2. IT Governance 3. IT Management

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

University of Sunderland Business Assurance. Over-arching Information Governance Policy. Document Classification: Public

University of Sunderland Business Assurance. Over-arching Information Governance Policy. Document Classification: Public University of Sunderland Business Assurance Over-arching Information Governance Policy Document Classification: Public Policy Reference Central Register IG001 Policy Reference Faculty / Service IG 001

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Information Governance Framework

Information Governance Framework Information Governance Framework March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aim 2 3 Purpose, Values and Principles 2 4 Scope 3 5 Roles and Responsibilities 3 6 Review 5 Appendix 1 - Information

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services Issue 1.0 (Effective 27 June 2012) This document contains a copy of the STFC policy statements outlining

More information

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Information Governance Strategic

More information

Mike Casey Director of IT

Mike Casey Director of IT Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

43: DATA SECURITY POLICY

43: DATA SECURITY POLICY 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Standard Operating Procedure. Authority to access and monitor University IT Account holder communications and data

Standard Operating Procedure. Authority to access and monitor University IT Account holder communications and data Standard Operating Procedure Title: Authority to access and monitor University IT Account holder communications and data Version: 2.0 Effective Date March 2016 Summary Describes the approval process and

More information

Highland Council Information Security Policy

Highland Council Information Security Policy Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...

More information

EA-ISP-001 Information Security Policy

EA-ISP-001 Information Security Policy Technology & Information Services EA-ISP-001 Information Security Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 13/03/2015 Document Security Level: PUBLIC Document Version: 2.41 Document Ref:

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy THCCGCG9 Version: 01 The information governance strategy outlines the CCG governance aims and the key objectives of its governance policies. The Chief officer has the overarching

More information

Network Security Policy

Network Security Policy IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service

More information

Audit and Risk Management Committee. IT Security Update

Audit and Risk Management Committee. IT Security Update Audit and Risk Management Committee 26 th February 2015 IT Security Update Description of paper 1. The purpose of this paper is to update the Committee on current security issues and what steps are being

More information

Regulation 8.3.R2 COMPUTING AND NETWORK FACILITIES RULES. 1. Definitions. In this regulation unless a contrary intention appears.

Regulation 8.3.R2 COMPUTING AND NETWORK FACILITIES RULES. 1. Definitions. In this regulation unless a contrary intention appears. Regulation 8.3.R2 COMPUTING AND NETWORK FACILITIES RULES 1. Definitions In this regulation unless a contrary intention appears Authority means (i) in relation to the central facilities and computing and

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

Information Security: Business Assurance Guidelines

Information Security: Business Assurance Guidelines Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Issued by: Senior Information Risk Owner Policy Classification: Policy No: POLIG001 Information Governance Issue No: 1 Date Issued: 18/11/2013 Page No: 1 of 16 Review Date:

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5 Information Security Policy Type: Administrative Responsible Office: Office of Technology Services Initial Policy Approved: 09/30/2009 Current Revision Approved: 08/10/2015 Policy Statement and Purpose

More information

Guidelines. London School of Economics & Political Science. Remote Access and Mobile Working Guidelines. Information Management and Technology

Guidelines. London School of Economics & Political Science. Remote Access and Mobile Working Guidelines. Information Management and Technology London School of Economics & Political Science Information Management and Technology Guidelines Remote Access and Mobile Working Guidelines Jethro Perkins Information Security Manager Summary This document

More information

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

CIHI Submission: 2011 Prescribed Entity Review

CIHI Submission: 2011 Prescribed Entity Review pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

I S O I E C 2 7 0 0 2 2 0 1 3 I N F O R M A T I O N S E C U R I T Y A U D I T T O O L

I S O I E C 2 7 0 0 2 2 0 1 3 I N F O R M A T I O N S E C U R I T Y A U D I T T O O L 15.1 ESTABLISH SECURITY AGREEMENTS WITH SUPPLIERS 15.1.1 EXPECT SUPPLIERS TO COMPLY WITH RISK MITIGATION AGREEMENTS Do you clarify the information security risks that exist whenever your suppliers have

More information

Data Security Breach Incident Management Policy

Data Security Breach Incident Management Policy Data Security Breach Incident Management Policy Contents 1. Background... 1 2. Aim... 1 3. Definition... 2 4. Scope... 2 5. Responsibilities... 2 6. Data Classification... 2 7. Data Security Breach Reporting...

More information

Information Security Management System (ISMS) Policy

Information Security Management System (ISMS) Policy Information Security Management System (ISMS) Policy April 2015 Version 1.0 Version History Version Date Detail Author 0.1 18/02/2015 First draft Andy Turton 0.2 20/02/2015 Updated following feedback from

More information

University of Birmingham. Closed Circuit Television (CCTV) Code of Practice

University of Birmingham. Closed Circuit Television (CCTV) Code of Practice University of Birmingham Closed Circuit Television (CCTV) Code of Practice University of Birmingham uses closed circuit television (CCTV) images to provide a safe and secure environment for students, staff

More information

Data Protection Breach Management Policy

Data Protection Breach Management Policy Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/

More information

Information Security Incident Management Policy September 2013

Information Security Incident Management Policy September 2013 Information Security Incident Management Policy September 2013 Approving authority: University Executive Consultation via: Secretary's Board REALISM Project Board Approval date: September 2013 Effective

More information

Data Protection Policy. Information Security Review Group. Version Date Author Notes on Revisions

Data Protection Policy. Information Security Review Group. Version Date Author Notes on Revisions Document Control Table Document Title: Author(s) (name, job title and Division): Version Number: Document Status: Date Approved: Approved By: Effective Date: Date of Next Review: Superseded Version: Data

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...

More information

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security Contents Why you need to know about cyber security... 3 Understanding the risks to your business... 4 How you can manage the risks... 5 Planning

More information

Management Standards for Information Security Measures for the Central Government Computer Systems

Management Standards for Information Security Measures for the Central Government Computer Systems Management Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...

More information

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé NHS HDL (2006)41 abcdefghijklm = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé Dear Colleague NHSSCOTLAND INFORMATION SECURITY POLICY Summary 1. NHSScotland IT Security Policy was

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

Corporate Policy and Strategy Committee

Corporate Policy and Strategy Committee Corporate Policy and Strategy Committee 10am, Tuesday, 30 September 2014 Information Governance Policies Item number Report number Executive/routine Wards All Executive summary Information is a key asset

More information

Information governance strategy 2014-16

Information governance strategy 2014-16 Information Commissioner s Office Information governance strategy 2014-16 Page 1 of 16 Contents 1.0 Executive summary 2.0 Introduction 3.0 ICO s corporate plan 2014-17 4.0 Regulatory environment 5.0 Scope

More information

Information Governance Framework. June 2015

Information Governance Framework. June 2015 Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

More information

Information Security Policy

Information Security Policy Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. PRIVACY POLICY 1. Introduction Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. We will only collect information that

More information

Information Technology Services

Information Technology Services Responsible Officer Approved by Chief Information Officer Council Approved and commenced August, 2014 Review by August, 2017 Relevant Legislation, Ordinance, Rule and/or Governance Level Principle ICT

More information

Conditions of Use. Communications and IT Facilities

Conditions of Use. Communications and IT Facilities Conditions of Use of Communications and IT Facilities For the purposes of these conditions of use, the IT Facilities are [any of the University s IT facilities, including email, the internet and other

More information

THE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31

THE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31 THE MORAY COUNCIL Guidance on data security breach management Information Assurance Group DRAFT Based on the ICO Guidance on data security breach management under the Data Protection Act 1 Document Control

More information

Corporate Information Security Management Policy

Corporate Information Security Management Policy Corporate Information Security Management Policy Signed: Chief Executive. 1. Definition of Information Security 1.1. Information security means safeguarding information from unauthorised access or modification

More information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable

More information

Monitoring and Logging Policy. Document Status. Security Classification. Level 1 - PUBLIC. Version 1.0. Approval. Review By June 2012

Monitoring and Logging Policy. Document Status. Security Classification. Level 1 - PUBLIC. Version 1.0. Approval. Review By June 2012 Monitoring and Logging Policy Document Status Security Classification Version 1.0 Level 1 - PUBLIC Status DRAFT Approval Life 3 Years Review By June 2012 Owner Secure Research Database Analyst Change History

More information