Enterprise Information Security Procedures

GHL Network Services Ltd
Enterprise Information Security Procedures
Prepared by: Nigel Gardner
Date: 16/11/09

Contents

1. Openwork's Information Security Policy
2. GHL Network Services Ltd Enterprise Information Security Procedures
3. Physical Security - Business Premises
4. IT Security
5. Staff Recruitment and Leavers
6. Training
7. Third Party Vetting & Contracts
8. Email & Fax Procedures
   8.1 Email
   8.2 Fax
9. Caller Verification - Release of Client Information
10. Retention & Disposal of Client Information and IT Hardware
    Methods of destruction - Physical files
    Electronic files and documents
11. Reporting the loss or theft of information
12. Information Classification and Ownership
13. Monitoring

1. Openwork's Information Security Policy

Openwork's policy and procedures are intended to ensure that personal information is hard to steal or lose and that only authorised people have access to it. Openwork will ensure client information is treated as a precious resource. This means:
- We keep it secure
- We only share it when we need to
- We only allow fit and proper people to see it
- We use it skilfully

This policy is driven by the need to support statements we have made to our clients and to fulfil our obligations to our regulators:
- We've told the client, in the DP leaflet, "You can be sure we'll keep your personal information confidential and use it with care".
- The FSA has made the connection between the loss of personal information, identity theft and financial crime; they therefore require all FSA regulated firms to take appropriate care of client personal information, as made clear in the FSA papers:
  o Fact Sheet "Your responsibilities for customer data security" (April 2008)
  o "Data Security in Financial Services" (April 2008)
- The Data Protection Act requires you to keep information secure. Principle 7: "Appropriate measures shall be taken against unauthorised or unlawful processing or accidental loss of personal data".

2. GHL Network Services Ltd ("GHL") Information Security Procedures

This document draws all the Information Security Policy and Procedures into one place. The procedures define the minimum standards that must be achieved. Everyone in GHL will have received a copy of these procedures and confirmed that they have been received and the content understood. GHL will maintain a record of when they were seen.

3. Physical Security - Business Premises

Access to client information is controlled by:
- Locked building, room or cabinet as appropriate
- Clear Desk policy
- Screen savers which are password protected and automatically activated after 10 minutes (see IT Security Standards on the Portal: Home -> Financial Crime Prevention -> Information Security -> Procedure Templates and Guides -> IT Security Standards)
- Desktops and laptops that have whole disk encryption (see IT Security Standards on the Portal: Home -> Financial Crime Prevention -> Information Security -> Procedure Templates and Guides -> IT Security Standards)
- Locking business premises when unattended
- Access restrictions
- Computer security when out of the office, e.g. not left in the boot of a car

Clear Desk Policy

In accordance with Openwork's requirements, GHL operates a clear desk policy. This means keeping desks and other surfaces clear of any client information and of records of logon IDs and passwords.

4. IT Security

The security of computer hardware and the client information held on it is documented in the IT Security Standards on the Portal (Home -> Financial Crime Prevention -> Information Security -> Procedure Templates and Guides -> IT Security Standards). This covers high level requirements including:
- Encryption
- Anti-virus
- Passwords (changes & complexity)
- Maintenance of computer equipment logs (records of serial numbers, encryption keys etc.)
- Backups & safe storage
- Networks - wireless internet
- External storage (CD, data stick, smart phones and other portable media)
- Databases
- Access rights - limiting access to systems (such as Senro or Quay)
- Specialist IT consultancy

All PCs (laptops & desktops) must be encrypted to protect clients against the possibility of their details being lost or stolen. In addition, all USB data sticks used must similarly be encrypted using AES 256 bit hardware encryption.

5. Staff Recruitment and Leavers

Taking on staff

GHL will ensure that all staff have the honesty and integrity to handle client information. GHL has staff that are subject to vetting by Openwork and also staff with access to client information who are not. These are, for example, Category 2 PAs, Admin Plus, receptionists and admin staff, and GHL may also have temporary and contract staff (see also Third Party Vetting and Contracts).

Staff not vetted by Openwork, with access to client information:
- GHL is responsible for the vetting of all staff with access to client information
- A record of the information obtained is kept on the staff member's personnel file to show why GHL was satisfied that the person was fit and proper
- For evidence of identification GHL will complete a proof of identity template form (similar to the client CVI form) on the Portal (Financial Crime Prevention -> Information Security -> Related Documents). The authenticity of this identification should be tested as far as is reasonably possible with recourse to publicly available information sources
- References from previous employers are obtained covering the last 12 months where appropriate
- References provided by the staff member are not appropriate to accept
- If a credit check is to be undertaken the staff member must give permission
- Where GHL decides to carry out a Criminal Records Bureau check it must obtain permission before doing so

Staff with no access to client information:
- Where staff members do not have access to client information, it is not necessary to carry out a fit and proper check; however, evidence will be retained of why the staff member does not require the vetting

Changes in Role and Responsibilities

GHL must be alert to the risk that a change of role or multi-tasking may allow a non-vetted staff member to handle client information. If this happens, the vetting procedure above must be applied and the information collected recorded on the personnel file.

Leavers

When any staff leave, precautions are taken to ensure they no longer have access to client information. Where appropriate the following will take place:
- Return of keys / swipe cards
- Cancellation of personal computer passwords and user accounts
- Return of all portable IT equipment and software provided by GHL
- Providers' microsites will be notified for cancellation of logon rights
- Where leavers have their own machines, Openwork software and client data belonging to GHL will be removed (e.g. OTPm and ETi software and databases)
- Regulated Support will be notified of any staff member that leaves in order to remove Portal access
- Change of other users' passwords if there is a possibility they are known to the leaver

6. Training

It is important that everyone, the Practice Principals, the Advisers and the administrators, understands the importance and relevance of information security and how to keep client information secure. Openwork has training modules, available through the Portal, on Financial Crime (FC) and Data Protection (DP). All Advisers and Enterprise staff must complete the FC and DP modules before they start handling client information:
- Advisers - the training modules are available through Insight and are part of the annual refresher cycle (and induction training)
- Enterprise staff with Portal access - the training modules are available on the FC and DP pages (Home -> Quality -> Financial Crime, and Home -> Quality -> Data Protection)
- Enterprise staff without Portal access - print off the training modules from the FC and DP pages and log the completion of the training on their personnel file

Manual records will be kept of the date of the training in order that refresher training can be undertaken once a year.

7. Third Party Vetting & Contracts

GHL may involve third parties in a number of aspects of its activities which may allow access to, or the opportunity to access, client information. These are (but may not be limited to):
- Maintenance of premises (including landlords)
- Physical security of premises
- Cleaning
- Secure disposal of waste, including waste containing client information
- Delivery of urgent documents
- Remote back-up of computer records
- IT support
- File archiving
- Appointment making

Vetting of Third Parties

A reasonable risk based approach is taken when carrying out due diligence checks on third parties. The arrangements may not be as formal as a contract, as they may be with an individual on a personal arrangement (e.g. a cleaner).
- Evidence of identity will be obtained from each company or individual providing a service. This may be a certificate of incorporation or evidence of the company's existence taken from Companies House. GHL takes account of Openwork's CVI Procedures.
- For individuals doing some work for GHL, evidence of identification is required. GHL will complete a proof of identity template form (similar to the client CVI form) on the Portal (Financial Crime Prevention -> Information Security -> Related Documents). The authenticity of this identification should be tested as far as is reasonably possible with recourse to publicly available information sources.
- Where a contract exists between GHL and a third party, this will contain specific clauses detailing the third party's obligations in respect of information security where appropriate.
- Copies of the third party's recruitment and information security procedures should be reviewed. These should be equivalent to those in place at GHL.
- Evidence of the checks carried out and the procedures reviewed, evidence of the assessment carried out and a copy of the contract should be retained on a file specific to each third party supplier.

8. Email & Fax Procedures

8.1 Email

Email is not a confidential means of communication. GHL recognises that email messages can be very easily read by those for whom they were not intended, and recognises particularly that emails can be:
- intercepted by third parties (legally or otherwise)
- wrongly addressed
- forwarded accidentally
- forwarded by initial recipients to third parties against our wishes
- viewed accidentally on recipients' computer screens

Personal information is not communicated by email unless the express permission of the subject has been obtained and can be evidenced, or unless adequate protection (password or encryption) has been employed. See Portal Home -> IT Support -> IT How To Guides -> IT Security and Email Guidelines.

Email is not relied on for record-keeping purposes. Where long term accessibility is an issue, records are transferred to a more lasting medium or other electronic environment.

Your GHL Network Services email address must be used for all business communications, and personal data relating to clients must be encrypted. Further details of the email procedures are documented in the Openwork IT Security and Email Guidelines (see Portal Home -> IT Support -> IT How To Guides -> IT Security and Email Guidelines).

8.2 Fax

Fax services are not reliable and are replaced with secure email wherever possible, as documents may be intercepted or misdirected due to operator or technical error. Personal medical details are not faxed. When sending a fax, it is good practice to check the recipient's number before sending. The person sending the fax will phone ahead to warn the recipient of the transmission of personal information.

9. Caller Verification - Release of Client Information

Before personal client information is released, the identity of the caller will be verified using the table below. The table is set out by who is calling and who is answering; the numbered notes follow it.

Client calling, Adviser / Administrator answering:
- If the callers have a well established relationship (note 1): voice recognition
- Compulsory information (note 2): caller full name, caller address, caller date of birth
- Two items of optional information required (note 3): plan number, NI number, product held, provider/lender, maiden name, partner's name, partner's date of birth
- ID checks fail (note 4): the call may be returned, but only to a number that was previously known to belong to the caller

Openwork Support Centre calling, Adviser / Administrator answering:
- If the callers have a well established relationship (note 1): voice recognition
- Compulsory information (note 2): caller full name, caller job role, caller phone number
- Two items of optional information required (note 3): full plan numbers, Case ID. If the Adviser / Administrator is concerned, offer them the opportunity to call back via the switchboard number from the Portal
- ID checks fail (note 4): if the Adviser / Administrator does not wish to proceed, end the call politely and write to them

Adviser / Administrator calling, Client answering:
- If the callers have a well established relationship (note 1): voice recognition
- Compulsory information (note 2): caller to inform the client who they are and who they represent
- Optional information (note 3): if the client is concerned, offer the client the opportunity to check the caller's identity via the published phone number / switchboard of the firm
- ID checks fail (note 4): if the client does not wish to proceed, end the call politely and write to them

Notes
1. Voice recognition alone is an acceptable verification, but only if the caller is known well enough. If the caller can be confidently verified from their voice, then the compulsory or optional information is not needed. Relying solely on voice recognition must be done with extreme caution and should be backed up by conversational identification checks. The FSA has cast doubt on the ability of an adviser or other person to recognise the voice of all their clients. The reliance on voice recognition must be proportionate to the number of clients you have and how often you speak to them.
2. If the caller cannot quickly confirm the details, i.e. without stuttering or unreasonable delay, then the call will be ended without releasing the requested information.
3. These lists are not exhaustive and are provided to indicate the nature of information that may be considered suitable.
4. If the ID checks fail, the call may still be returned, but only to a number that was known to belong to the caller prior to the call, e.g. a previously noted home number, a SWIFT recorded phone number or via the appropriate switchboard. If this approach is used, the verification checks will still be made, but different optional information will be used to identify the person being spoken to.

10. Retention & Disposal of Client Information and IT Hardware

Personal information will only be collected and kept if there is a regulatory requirement or a good business reason to do so. Keeping information for longer than is necessary increases the risk of information loss. GHL follows Openwork's guidance on the retention period for client information as set out in the Compliance Manual and the Data Protection pages (see Portal Home -> Quality -> Data Protection).

Methods of destruction - Physical files

These are treated as confidential waste and disposed of securely.

Electronic files and documents

Electronic material and computer memories (hard drives, magnetic tapes, CDs, DVDs etc.) are erased prior to (or as part of) the disposal procedure. This is done by:
- Physical destruction of the hard drive or other storage medium, or
- Specialist software used to ensure computer disks are completely erased before they are disposed of

Records of the date and method of destruction, including which software was used, are retained in GHL's Computer Equipment Log.

11. Reporting the loss or theft of information

Loss or theft of information could include:
- Laptop being lost or stolen
- Missing memory stick
- Paper records missing or stolen
- Back-up disks lost or stolen
- Misdirected fax or email
- Physical damage (by, for example, fire, flood etc.)

Action for Advisers and administrators

Immediately report discovery or suspicion to the GHL Data Protection Officer (DPO) and the Openwork DPO, providing as much detail as possible as to the circumstances and the nature of the information at risk.

Action for GHL's Data Protection Officer

Inform the Openwork DPO immediately (see Portal Home -> Quality -> Data Protection -> Loss or theft of data).

Openwork Support

Openwork will support GHL to ensure appropriate action is taken to mitigate the risks of Clients, Advisers, Enterprises, Openwork and its partner businesses falling victim to financial crime. GHL and Openwork will work together to:
- Inform the Police if theft or criminal activity is suspected and obtain a crime report number
- Review the circumstances leading to the information loss to assess whether new procedures or controls are required, or whether existing ones need updating
- Contact clients and providers (where necessary) to ensure they'll be able to take steps to prevent loss (they may both seek compensation if loss can be demonstrated as arising from the compromised information)

12. Information Classification and Ownership

This table lists the information classifications for Openwork. When determining how information is to be treated, these criteria are referred to.

UNCLASSIFIED / INTERNAL USE (Low Risk, Low to Medium Value)

UNCLASSIFIED information can be disclosed to anyone. It is known to the market and would not violate an individual's right to privacy. Knowledge of this information does not expose the Enterprise or Openwork to financial loss or embarrassment, or jeopardise the security of our assets.

INTERNAL USE ONLY information, due to its technical or business sensitivity, is limited to the Enterprise or Openwork staff, or personnel covered by a non-disclosure agreement. If there is unauthorised disclosure, there would be minimal impact to the Enterprise, Openwork, its clients, or staff.

Examples - Unclassified:
- Marketing information
- Published annual and interim reports
- Business cards
- Interviews with news media
- Issued press releases
- Internet (unless otherwise marked)

Examples - Internal Use Only:
- Routine administrative & office information
- Policies and procedures
- System requirements
- Telephone directory

CONFIDENTIAL / HIGHLY CONFIDENTIAL (High Risk, High / Critical Value)

CONFIDENTIAL information is defined as information whose unauthorised disclosure, compromise, or destruction would have an adverse impact on the Enterprise, Openwork, its clients, or staff. Financial loss, damage to reputation, loss of business, and potential legal action could occur. It is intended solely for use within the Enterprise or Openwork and is limited to those with a business need-to-know.

HIGHLY CONFIDENTIAL information (the highest level of classification) is information that is share price sensitive or whose unauthorised disclosure, compromise, or destruction would result in severe damage, provide a significant advantage to a competitor, or cause penalties or great embarrassment to the Enterprise, Openwork, its clients or staff. It is intended solely for restricted use within the Enterprise or Openwork and is limited to those explicitly identified in advance as requiring access to the information.

Examples - Confidential:
- Business plans
- Budget information
- System configurations
- Proprietary software

Examples - Highly Confidential:
- Credit card / bank account details
- Client databases
- Client personal or policy information
- Sensitive personal information (which includes data on racial or ethnic origin; political, religious or philosophical opinions, beliefs or activities; trade union membership and related activities and opinions; health, private life or sex life; social welfare measures; administrative and criminal prosecution and sanctions)

13. Monitoring

GHL will conduct an annual Data Security Controls Assessment (DSCA) (see Portal Home -> Quality -> Information Security -> DSCA). GHL will make an Annual Declaration that the assessment has been done.

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

www.neelb.org.uk Web Site Download Carol Johnston

www.neelb.org.uk Web Site Download Carol Johnston What I need to know about data protection and information security when purchasing a service that requires access to my information by a third party. www.neelb.org.uk Web Site Download Carol Johnston Corporate

More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Paperless World Limited

Paperless World Limited Paperless World Limited Security Policy Statement Contents Section 1: Paperless World Limited Security Policy Statement... 2 Section 2: The Data Protection Act 1998... 2 Section 3: Definitions... 2 Personal

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Highland Council Information Security Policy

Highland Council Information Security Policy Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Rev Date Purpose of Issue/ Description of Change Equality Impact Assessment Completed 1. June 2011 Initial Issue 2. 29 th March 2012 Second Version 3. 15 th April 2013 Third

More information

Why do we need to protect our information? What happens if we don t?

Why do we need to protect our information? What happens if we don t? Warwickshire County Council Why do we need to protect our information? What happens if we don t? Who should read this? What does it cover? Linked articles All WCC employees especially mobile and home workers

More information

Data Protection and Data security Policy

Data Protection and Data security Policy Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us

More information

Introduction to the NHS Information Governance Requirements

Introduction to the NHS Information Governance Requirements Introduction to the NHS Information Governance Requirements 2 Version April 2014 Information Governance ensures necessary safeguards for, and appropriate use of, patient and personal information. The widely

More information

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Information and Resources for Small Medical Offices Introduction The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario s health-specific

More information

43: DATA SECURITY POLICY

43: DATA SECURITY POLICY 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...

More information

Information Security Policy London Borough of Barnet

Information Security Policy London Borough of Barnet Information Security Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Document Description Information Security Policy Policy which sets out the council s approach to information

More information

SERVER, DESKTOP AND PORTABLE SECURITY. September 2014. Version 3.0

SERVER, DESKTOP AND PORTABLE SECURITY. September 2014. Version 3.0 SERVER, DESKTOP AND PORTABLE SECURITY September 2014 Version 3.0 Western Health and Social Care Trust Page 1 of 6 Server, Desktop and Portable Policy Title SERVER, DESKTOP AND PORTABLE SECURITY POLICY

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Authorised Acceptable Use Policy 2015-2016. Groby Community College Achieving Excellence Together

Authorised Acceptable Use Policy 2015-2016. Groby Community College Achieving Excellence Together Groby Community College Achieving Excellence Together Authorised Acceptable Use Policy 2015-2016 Reviewed: Lee Shellard, ICT Manager: May 2015 Agreed: Leadership & Management Committee: May 2015 Next review:

More information

Life Cycle of Records

Life Cycle of Records Discard Create Inactive Life Cycle of Records Current Retain Use Semi-current Records Management Policy April 2014 Document title Records Management Policy April 2014 Document author and department Responsible

More information

Data Security Policy. 1. Document Status. Version 1.0. Approval. Review By June 2011. Secure Research Database Analyst. Change History. 1 Version 1.

Data Security Policy. 1. Document Status. Version 1.0. Approval. Review By June 2011. Secure Research Database Analyst. Change History. 1 Version 1. Data Security Policy 1. Document Status Security Classification Level 4 - PUBLIC Version 1.0 Status DRAFT Approval Life 3 Years Review By June 2011 Owner Secure Research Database Analyst Change History

More information

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

DSHS CA Security For Providers

DSHS CA Security For Providers DSHS CA Security For Providers Pablo F Matute DSHS Children's Information Security Officer 7/21/2015 1 Data Categories: An Overview All DSHS-owned data falls into one of four categories: Category 1 - Public

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval

More information

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology

More information

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy DOCUMENT INFORMATION Author: Vince Weldon Associate Director of IM&T Approval: Executive This document replaces: IM&T Policy No. 1 Anti Virus Version

More information

Senior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES

Senior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES Senior School 1 PURPOSE The policy defines and describes the acceptable use of ICT (Information and Communications Technology) and mobile phones for school-based employees. Its purpose is to minimise the

More information

Information Governance

Information Governance Information Governance Information for Patients Information Governance (IG) Contents: Identifying the IG Lead for the Practice. This identifies the main people responsible for Information Governance Policy.

More information

Authorized. User Agreement

Authorized. User Agreement Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

A common sense guide to the Data Protection Act 1998 for volunteers

A common sense guide to the Data Protection Act 1998 for volunteers A common sense guide to the Data Protection Act 1998 for volunteers Why is it necessary? The Data Protection Act 1998 is a law introduced to control the way information held about individuals is handled

More information

BERKELEY COLLEGE DATA SECURITY POLICY

BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data

More information

John Leggott College. Data Protection Policy. Introduction

John Leggott College. Data Protection Policy. Introduction John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and

More information

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom

More information

Angard Acceptable Use Policy

Angard Acceptable Use Policy Angard Acceptable Use Policy Angard Staffing employees who are placed on assignments with Royal Mail will have access to a range of IT systems and mobile devices such as laptops and personal digital assistants

More information

Follow the trainer s instructions and explanations to complete the planned tasks.

Follow the trainer s instructions and explanations to complete the planned tasks. CERT Exercises Toolset 171 20. Exercise: CERT participation in incident handling related to Article 4 obligations 20.1 What will you learn? During this exercise you will learn about the rules, procedures

More information

A Guide to Information Technology Security in Trinity College Dublin

A Guide to Information Technology Security in Trinity College Dublin A Guide to Information Technology Security in Trinity College Dublin Produced by The IT Security Officer & Training and Publications 2003 Web Address: www.tcd.ie/itsecurity Email: ITSecurity@tcd.ie 1 2

More information

Secure Storage, Communication & Transportation of Personal Information Policy Disclaimer:

Secure Storage, Communication & Transportation of Personal Information Policy Disclaimer: Secure Storage, Communication & Transportation of Personal Information Policy Version No: 3.0 Prepared By: Information Governance, IT Security & Health Records Effective From: 20/12/2010 Review Date: 20/12/2011

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy

School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy Page 1 of 10 Contents 1 Preamble...3 2 Purpose...3 3 Scope...3 4 Roles and responsibilities...3

More information

BARNSLEY CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLICY

BARNSLEY CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLICY Putting Barnsley People First BARNSLE CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLIC Version: 2.0 Approved By: Governing Body Date Approved: Feb 2014 (initial approval), March

More information

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes

More information

PHI- Protected Health Information

PHI- Protected Health Information HIPAA Policy 2014 The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients health information and grants certain rights to patients. Clarkson

More information

Data Compliance. And. Your Obligations

Data Compliance. And. Your Obligations Information Booklet Data Compliance And Your Obligations What is Data Protection? It is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

IT Data Security Policy

IT Data Security Policy IT Data Security Policy Contents 1. Purpose...2 2. Scope...2 3. Policy...2 Access to the University computer network... 3 Security of computer network... 3 Data backup... 3 Secure destruction of data...

More information

HIPAA and Health Information Privacy and Security

HIPAA and Health Information Privacy and Security HIPAA and Health Information Privacy and Security Revised 7/2014 What Is HIPAA? H Health I Insurance P Portability & A Accountability A - Act HIPAA Privacy and Security Rules were passed to protect patient

More information

Tenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014

Tenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014 Tenth Judicial Circuit of Florida Information Systems Acceptable Use s Polk, Hardee and Highlands Counties as of January 2014 The following guidelines define the acceptable use of information technology

More information

Cellular/Smart Phone Use Procedure

Cellular/Smart Phone Use Procedure Number 1. Purpose This procedure is performed as a means of ensuring the safe and efficient use of cell/smart phones throughout West Coast District Health Board (WCDHB) facilities. 2. Application This

More information

Information Technology Services Guidelines

Information Technology Services Guidelines Page 1 of 10 Table of Contents 1 Purpose... 2 2 Entities Affected by These Guidelines... 2 3 Definitions... 3 4 Guidelines... 5 4.1 Electronic Sanitization and Destruction... 5 4.2 When is Sanitization

More information

University of Limerick Data Protection Compliance Regulations June 2015

University of Limerick Data Protection Compliance Regulations June 2015 University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational

More information

Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk

Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk 1 THE DATA PROTECTION ACT 1998 2 Requirements of the Act Roles & Responsibilities Best Practice 3 The

More information

Online Banking Customer Awareness and Education Program

Online Banking Customer Awareness and Education Program Online Banking Customer Awareness and Education Program Electronic Fund Transfers: Your Rights and Responsibilities (Regulation E Disclosure) Indicated below are types of Electronic Fund Transfers we are

More information