
Policy Procedure
Information security policy

Policy number: 442
Old instruction number: MAN:F005:a1
Issue date: 24 August 2006
Reviewed as current: 11 July 2014
Owner: Head of Information & Communications Technology
Responsible work team: ICT Security

Contents
Key point summary
Introduction
Objective, position and scope of the information security policy
Policy compliance, measurement, dispensation and risk management
Policy statements
Responsibilities and accountabilities
Laws and regulations
Information security incident management
Access and authorisation
System design
Development environment
Production systems and networks
Third party access
Business continuity management
Information security education, training and awareness
Use of technology
Appendix 1 Glossary of terms
Document history

Review date: 11 July 2017
Last amended date: 16 October
442 Issue date: 1 of 24

Key point summary

Information and information systems are critical and vitally important LFEPA assets. Without reliable information LFEPA would be severely disadvantaged. This information security policy is designed to provide a framework for the protection of information and of the ICT resources used to hold and process information.

The Authority is committed to ensuring that information, including that relating to its clients, partners and staff, along with the ICT systems that process, store, display or transmit this information, is properly protected against malicious or accidental loss, damage or abuse.

This policy sets out the mandatory requirements that all employees, contractors (including third parties) and managers must follow to make sure the Authority's information assets are kept secure. It is essential that all staff familiarise themselves with this policy, along with Policy Number ICT Acceptable Use Policy, and understand the responsibilities relevant to their role within the organisation.

The information security policy has been approved and mandated by the Information Governance Group (the IGG) and will apply consistently across all parts of the Authority. The IGG owns the information security policy. All queries relating to policy implementation or compliance should be directed to the Head of ICT Security and Governance.

1 Introduction

1.1 This document defines the LFEPA information security policy. It provides an agreed framework for the management of the security of the Authority's information assets and technology environment.

Definition

1.2 The policy is based on ISO/IEC 27001, the British Standard for Information Security Management, and reflects industry best practice.

1.3 It aims to implement and enforce the LFEPA Information Security Strategy.

1.4 The scope of this document is currently limited to IT-based information security. Policies relating to controls for paper-based records are documented in the Records Management Strategy (policy number 605) and supporting policies.

1.4 The rules set out in this policy are not exhaustive and must not be treated as such. Staff are expected to use prudence and care when using computers.

1.5 The Authority reserves the right to amend this policy and the rules it contains. Staff will be informed of any changes made to the policy. It may also modify, restrict or prohibit the use of computers by individuals or by any or all groups or categories of employees, on such terms and conditions as it determines.

Purpose

1.6 The information security policy applies to all parts of the Authority and covers the information, information systems, networks and physical environment, as well as staff and manager responsibilities, third party access and access to LFEPA's information beyond the Authority's environment.

1.7 It defines the Authority's policy for the protection of its information assets, including hardware, software, information/data, information systems, networks, applications and cloud services.

1.8 This policy, with its supporting documents and processes, will ensure that:
- Confidentiality of information is appropriately maintained.
- Integrity of information can be relied upon.
- Availability of information is ensured where and when required.
- The reputation of LFEPA is maintained.
- All applicable laws, regulations and contractual obligations are met.
- Information security responsibilities are established.
- Individual users of LFEPA ICT resources, and third parties who process information relevant to our business, will be identifiable and accountable for their use of ICT resources (refer to paragraph 7.2 below).
- Access to LFEPA ICT resources and information is permitted based on the principle of the need to know (or where knowing could reap benefits that are positive for LFEPA).
- Access to LFEPA ICT applications, systems and services will be assigned to users on the basis of "least privilege": users will be granted the minimum access required to fulfil their job function.
- All access to information and ICT resources must be properly authorised.
- The requirements for information security compliance are defined, understood and fully implemented.

2 Objective, position and scope of the information security policy

Information security policy objectives

2.1 The objective of this policy is to ensure that the security applied to LFEPA information and information systems adequately safeguards and protects those assets, supports our control requirements and maintains our reputation.

2.2 The information security policy reflects the scope, objectives and approach defined in the Information Security Strategy. The IGG determines the Information Security Strategy and Policy.

Position of information security policy

2.3 The following diagram illustrates the position of the information security policy within the information security management system (ISMS).

[Diagram: Information Security Management System]

ISO/IEC Compliance

2.4 A fundamental aim of the LFEPA Information Security Strategy is to comply with the ISO/IEC standard for information security. This is an internationally recognised standard and represents best practice within the security industry. The aim of LFEPA is to comply with the standard and not necessarily to gain accreditation.

Scope of information security policy

2.5 The IGG has approved the policy for implementation across the Authority, and has delegated responsibility for the ownership and communication of the policy to the Head of ICT.

2.6 The Senior Information Risk Owner (the SIRO), working through the IGG, will monitor policy implementation, verify the level of compliance and ensure that heads of service respond promptly to any security incident or audit report that highlights a risk to the security of information or information systems, so that remedial action is taken.

2.7 The information security policy addresses the following areas:
- Responsibilities and accountabilities.
- Laws and regulations.
- Information security incident management.
- Access and authorisation.
- System design.
- Development environment.
- Production systems and networks.
- Third party access.
- Business continuity management.
- Education, training and awareness.
- Technology.

2.8 The policy has been derived from:
- LFEPA business requirements.
- Legal and regulatory requirements.
- ISO/IEC British Standard for Information Security Management.
- LFEPA ICT security documentation and practices.

2.9 The following controls will be implemented:
- Specific policies will be developed to address particular issues relating to legal, regulatory or technology requirements that have an impact on information security within the Authority.
- A formal process of risk management will be employed to ensure that information assets are protected in a manner appropriate to their sensitivity, value and criticality.
- A business continuity management process will protect the availability of LFEPA business critical activity.
- Staff will be provided with information security education and awareness training, and supporting awareness material, to allow them to effectively protect and manage LFEPA information assets.
- An information security incident reporting procedure will enable all staff to report security incidents, software malfunctions, viruses, faults, weaknesses or threats observed or suspected that pose a risk to systems or services.
- A security incident management process will ensure preparedness for incidents, a timely and effective response to and recovery from incidents, and learning from incidents to implement security improvements.

- Information security policy and supporting documentation (procedures and principles) exist to ensure that, in conjunction with the process of risk management, appropriate controls are implemented to enable information assets and information systems to be adequately protected.
- Policy number ICT Acceptable use policy will provide information on the acceptable use of the Authority's ICT resources.

3 Policy compliance, measurement, dispensation and risk management

Responsibility for compliance

3.1 LFEPA heads of service are responsible for ensuring the implementation of, and compliance with, the information security policy. In order to achieve compliance, heads of service must ensure that the appropriate knowledge, skills, resources and expertise are available to enable staff to meet the security requirements of the Authority.

3.2 Compliance with the information security policy is an ongoing process incorporating:
- Implementation.
- Dispensation.
- Measuring compliance.
- Reporting.

Implementation

3.3 Implementation is ongoing, with compliance with the information security policy being mandatory for all staff, contractors, third parties, suppliers and ICT resources.

3.4 It is acknowledged that there may be occasions when a department is identified as being non-compliant with a particular policy. In this case the head of department must request a temporary dispensation, which will be granted on a risk and time limited basis.

Dispensation

3.5 Dispensations are temporary and must be viewed in terms of impact, risk and duration. The IGG may only approve them if they are considered acceptable and appropriate. Dispensations will be reviewed as part of the ongoing compliance measurement process.

Measuring compliance

3.6 Each head of department is responsible for ensuring that compliance with the information security policy is regularly evidenced, reviewed and documented.

3.7 The level of policy compliance across the Authority will be monitored on an ongoing basis and, where appropriate, verified by the Head of Strategy and Performance.

3.8 The Head of Strategy and Performance will work with other heads of service to collate evidence for the production of the statements of assurance and the annual governance statement.

3.9 The Head of Strategy and Performance, in conjunction with the Director of Finance and Contractual Services (internal audit), will also audit compliance on a periodic basis.

Any non-compliance with policy highlighted by compliance reviews, dispensations, audit findings or security incidents will be reviewed, and may be challenged, by the Head of Strategy and Performance and escalated to the SIRO.

Obtaining dispensation approval

3.11 All policy dispensation requests must be justified, documented and approved by the Head of ICT Security and Governance or an appropriate head of department before submission to the IGG for approval.

The IGG will review each dispensation request on its merits and grant a temporary dispensation if it is considered that:
- The risk is at an acceptable level.
- The request is supported by an appropriate level of mitigating controls.
- The request is to support a business critical system or service.
- An action plan of corrective action to ensure compliance has been identified.

Non-compliance with the information security policy will be assessed by the SIRO to ensure that the risks to LFEPA information and ICT resources are known, understood and formally accepted.

The Head of Strategy and Performance will maintain a record of LFEPA information security risks.

Reporting

3.15 On an annual basis each head of department is required to report on the level of compliance with the information security policy.

The Head of Strategy and Performance will provide a consolidated report to the IGG on the level of compliance across the Authority, by policy and by department.

This report will provide management information on the overall level of policy compliance across the Authority and will be the basis of a programme of corrective action aimed at addressing areas of non-compliance or weakness.

Risk management

3.18 The Head of ICT Security and Governance will carry out security risk assessment(s) in relation to the business processes covered by this policy, as is deemed necessary. These risk assessments will cover all information systems, applications and networks that are used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches of confidentiality, integrity and availability.

Type of risk assessment

3.19 Formal risk assessments will be conducted using an appropriate risk assessment methodology for business critical applications, systems and networks.

Policy statements

4 Responsibilities and accountabilities

Information security roles

4.1 The following table illustrates the generic information security roles typically found within an organisation and shows the corresponding LFEPA roles.

Generic role: Senior Manager
Definition of role: Executive manager ultimately responsible for the organisation's information security and the protection of its assets. Approves information security strategy and policy.
LFEPA role: The SIRO (as Chair of the IGG).

Generic role: Security Professional
Definition of role: Professionally qualified Information Security Manager. Functionally responsible for security management and implementation of information security strategy and policy.
LFEPA role: ICT Security Manager.

Generic role: Governance Manager
Definition of role: Monitors and reviews effectiveness of security strategy and policy, ensuring continuous improvement.
LFEPA role: Head of ICT Security and Governance.

Generic role: Data Owner
Definition of role: Member of senior management who is ultimately responsible for the protection and use of the data. The person who creates data or allows access to it. The data owner usually delegates the responsibility for the day to day maintenance of the data (e.g. data processing) to the Data Custodian.
LFEPA role: Application Sponsor.

Generic role: Data Custodian
Definition of role: Manages access to the data and carries out the Data Owner's wishes with regard to access. Maintains data in ways that preserve and protect its confidentiality, integrity and availability. Responsible for data processing.
LFEPA role: Head of ICT; Head of ICT Security and Governance (IT Data).

Generic role: User
Definition of role: Individual who uses data for work related tasks.
LFEPA role: IT End User (IT Data).

Generic role: Manager
Definition of role: Departmental manager required to implement and comply with the Information Security Policy.
LFEPA role: Heads of Service / Departmental Managers.

Generic role: Compliance / Data Controller Manager
Definition of role: Functionally responsible for compliance with legal and regulatory requirements relating to information, e.g. Data Protection Act, Freedom of Information Act.
LFEPA role: Head of Strategy and Performance (who is also Strategic Information Risk Owner (SIRO)).

Generic role: Risk Manager
Definition of role: Functionally responsible for the management of all Information Security risks. Monitors and reports the level of compliance with the Information Security Policy; maintains the Risk Log.
LFEPA role: Head of Strategy and Performance.

Generic role: Auditor
Definition of role: Examines security practices and mechanisms within the organisation.
LFEPA role: Director of Finance and Contractual Services (Internal Audit) & External Auditor.

The SIRO (as Chair of the IGG)

4.2 The SIRO (as Chair of the IGG) is responsible for:
- The effective implementation of an Authority-wide framework for managing information security.
- Ownership, development, maintenance and communication of the information security policy.
- Monitoring the level of compliance with the information security policy.
- Reviewing and challenging any non-compliance with the information security policy highlighted by compliance reports, dispensations, audit findings or the incident management processes.
- The escalation of any significant risk or non-compliance to the Corporate Management Board.
- The development of Authority-wide information security strategy and architecture in line with LFEPA business requirements.
- Providing an interface between LFEPA and external regulatory and industry bodies in relation to all aspects of information security.
- In conjunction with the Head of Strategy and Performance and the Head of ICT, ensuring that Business Contingency Plans (BCP) and IT Disaster Recovery (IT DR) plans respectively are developed, implemented and tested to protect all critical information, information systems and functions of LFEPA.

4.3 Functional leadership provided by the SIRO is required to ensure the effective implementation of a consistent framework for the management of information security across the Authority.

ICT security manager

4.4 The ICT security manager is responsible for:
- Assisting the Head of ICT Security and Governance in the functional management of information security.
- The project management of the ISO/IEC compliance project.
- Building and maintaining the LFEPA information security management system.
- Implementation of the LFEPA information security policy.
- Creating and maintaining policy.
- Providing support, advice and guidance to facilitate the implementation of the information security policy; this will include:
  - Policy compliance.
  - Security alerts and incident investigation.
  - Information security education, awareness and training.
  - Security of external service provision.
  - Information security input into the IT business continuity plan and IT disaster recovery plan.
- Participating in and reporting to the Head of ICT Security and Governance on matters relating to information security.
- Representing LFEPA on matters relating to information security.
- Ensuring that risks to information systems are reduced to an acceptable level by applying security countermeasures identified following an assessment of the risk.
- Ensuring that access to the organisation's assets is limited to those who have the necessary authority and clearance.

4.5 To ensure the effective functional management of the information security management system across the Authority.

Application sponsor

4.6 The application sponsor is responsible for:
- The protection and use of the data.
- Safeguarding the confidentiality, integrity and availability of the data.
- Ensuring that due care is taken to protect the data from any negligent acts that result in the corruption or disclosure of the data.
- Creating data and allowing access to it.
- Deciding the security classification of the data.
- Managing a particular individual or end-to-end system, network and/or service.
- Referring business requirements for Internet-based applications and services (Software as a Service (SaaS)) to the Head of ICT Business Engagement.

4.7 To ensure senior management accountability for the protection of LFEPA data, each application should have an application sponsor.

4.8 The application sponsor may delegate the responsibility for day-to-day maintenance of the IT data to the Head of ICT Security and Governance or to the Head of Information Management and Performance.

Head of ICT

4.9 The Head of ICT is responsible for:
- The IT business continuity plan and IT disaster recovery plan.
- Participating in and reporting to the IGG on matters relating to information assurance.
- Representing LFEPA on matters relating to information security.

Required to ensure that the IT Business Continuity Plan and Disaster Recovery Plan are implemented appropriately. The Head of ICT must ensure that heads of service and users understand why business continuity and disaster recovery are needed, and their individual responsibilities.

Head of ICT security and governance

4.11 The Head of ICT Security and Governance is responsible for:
- Building and maintaining the Information Security Management System.
- Providing support, advice and guidance to facilitate the implementation of the information security policy; this will include:
  - Policy compliance.
  - Security alerts and incident investigation.
  - Information security education, awareness and training.
  - Information systems accreditation.
  - Security of external service provision.
- Participating in and reporting to the IGG on matters relating to information security.

- Creating, maintaining, giving guidance on and overseeing the implementation of information security.
- Representing LFEPA on matters relating to information security.
- Ensuring that risks to information systems are reduced to an acceptable level by applying security countermeasures identified following an assessment of the risk.
- Ensuring that access to the organisation's assets is limited to those who have the necessary authority and clearance.
- Approving system security policies for the infrastructure and common services.
- Approving tested systems and agreeing rollout plans.

Required to ensure that the Information Security Management System is implemented appropriately. The Head of ICT Security and Governance must monitor and review the effectiveness of information security, maintaining a process of continuous improvement. The Head of ICT Security and Governance must ensure that heads of service and users understand why information security is needed, and their individual responsibilities.

IT end user

4.13 Staff who are users of LFEPA ICT resources and information are responsible for:
- The security of LFEPA ICT resources and information.
- Operating only within the scope of their job function.
- Only accessing the systems they are authorised to use.
- Safeguarding the hardware, software and information in their care.
- Preventing the introduction of malicious software on the organisation's information systems.
- Reporting any suspected breach of the information security policy.
- Ensuring that they are aware of their information security responsibilities relevant to their job function.

Achieving a consistent standard of information security across the Authority requires that all users of LFEPA ICT resources and information have their information security roles and responsibilities clearly defined, so that they are fully aware of, and accountable for, them.

Heads of service

4.15 In addition to their individual security responsibilities, heads of service are responsible for:
- Ensuring that the security of the organisation's assets, information, hardware and software used by staff and, where appropriate, by third parties is consistent with legal and management requirements and obligations.
- Implementing the information security policy within their area of responsibility.
- Ensuring that their staff are aware of their information security responsibilities.
- Developing a security risk aware culture within LFEPA.
- Ensuring that all ICT systems and services have a nominated application sponsor.
- Ensuring that a risk assessment is performed for all new ICT systems and services, and for major changes to existing ICT systems and services, to ensure that they comply with the information security policy.
- Informing the Head of ICT Security and Governance of all new developments to ensure the correct implementation and use of information security mechanisms and procedures.
- Ensuring that their staff have the appropriate skills, expertise and training to enable them to perform their security responsibilities.

- Reporting any security incident or breach of the information security policy that presents a risk to the security of information or systems to the Head of ICT Security and Governance.

Rationale and Scope

4.16 Achieving a consistent standard of information security across LFEPA requires clear direction and support from senior management.

Head of Strategy and Performance

4.17 The Head of Strategy and Performance is responsible for:
- Ensuring that appropriate Data Protection Act notifications are maintained.
- Dealing with enquiries in relation to the Data Protection Act, including subject access requests.
- Advising users of information systems, applications and networks on their responsibilities under the Data Protection Act, including subject access.
- Advising the IGG on breaches of the Act and the recommended actions.
- Monitoring and checking compliance with the Data Protection Act.
- Liaising with external organisations on Data Protection Act matters.
- Promoting awareness and providing guidance and advice on the Data Protection Act as it applies within the Authority.

Required to ensure that LFEPA is compliant with the terms and conditions of the Data Protection Act. The Head of Strategy and Performance must ensure that heads of service and users understand their responsibilities under the Data Protection Act.

The Head of Strategy and Performance is also the Authority's Senior Information Risk Owner (SIRO) and is responsible for:
- Ensuring that all information security related risks are effectively managed.
- Monitoring and reporting the level of compliance with the information security policy.
- Advising the IGG on areas of non-compliance, and remedial action plans.
- Maintaining the LFEPA risk log.

Required to ensure that LFEPA is compliant with the information security policy. The Head of Strategy and Performance must ensure that all information security risks are known, documented and effectively managed.

Director of Finance and Contractual Services (Internal Audit and External Auditor)

4.21 The audit function is responsible for:
- Undertaking a programme of audits designed to verify LFEPA's compliance with:
  - Legal and regulatory controls.
  - Information security policy.
  - Best practice guidelines (ISO/IEC 27001, ITIL).
- Reporting findings and recommendations to senior management.

Provides an independent verification of the effectiveness of the ISMS.

Ownership and accountability

4.23 All LFEPA IT services (including operating systems, networks and business applications) shall have a nominated application sponsor.

The application sponsor is accountable for ensuring that ICT systems and services comply with the information security policy.

Where appropriate, the application sponsor may delegate the responsibility for compliance with the information security policy to the Head of ICT Security and Governance, who will ensure that:
- The confidentiality, integrity and availability of the information processed, stored, displayed or transmitted is maintained commensurate with its sensitivity and criticality, as established via the risk assessment process.
- ICT service providers (both internal and external) are aware of the business specific security and control requirements, and that these are agreed and formally signed off by the Head of ICT Governance.
- ICT systems and services meet the requirements of the business, as defined within an appropriately documented set of requirements and/or service agreements.
- The security measures and controls surrounding a business system and its associated information are suitable and effective.
- Accountability for any associated security risk is accepted and signed off.
- A documented agreement exists in order to control and manage the activities of internal or external service providers in accordance with the information security policy.

Business requirements for internet-based applications and services (Software as a Service (SaaS)) must be referred by the application sponsor to the Head of ICT Business Engagement in the first instance. Potential SaaS solutions will be subject to a detailed security and governance review prior to product evaluations taking place.

Rationale and Scope

4.27 Establishing ownership and accountability for all LFEPA ICT resources and information ensures that they are safeguarded by individuals responsible for their continued protection.

5 Laws and regulations

Legal and regulatory compliance

5.1 All information systems used to process, store, display or transmit LFEPA information shall always operate in accordance with applicable laws and regulations.

5.2 The IGG will ensure the development and review of specific information security policies to address issues that may have a legal or regulatory impact on the Authority.

5.3 The Head of Legal and Democratic Services will formally review and approve all such policies.

5.4 To avoid breaches of external obligations and of staff rights, resulting in legal or financial penalties and loss of reputation, LFEPA must design, operate and use its information systems in line with all relevant legal and regulatory requirements.

5.5 The specific legislative requirements that LFEPA has identified as relevant are listed below:

Act
- Data Protection Act 1998
- Copyright, Designs and Patents Act
- Computer Misuse Act 1990
- Police and Criminal Evidence Act 1984
- Terrorism Act 2000
- Communications Act 2003
- Malicious Communications Act 1988
- Human Rights Act 1998
- Freedom of Information Act 2000
- Regulation of Investigatory Powers Act 2000
- Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

6 Information security incident management

Preparing for information security incidents

6.1 The Head of ICT Security and Governance will ensure that policies and procedures are in place in preparedness for information security incidents, in order to minimise adverse impact on LFEPA's business operations.

6.2 A structured approach exists to detect, report and assess information security incidents.

6.3 In the event of a security incident occurring, tested recovery procedures are in place that will facilitate prompt recovery, in conjunction with business continuity processes where appropriate.

Responding to information security incidents

6.4 Operating procedures exist to assist specialist staff in responding to an incident and in recovery activities.

6.5 Staff involved in the investigation of security incidents, recovery procedures and the collection of evidence are appropriately trained.

6.6 Evidence gathered in responding to an incident is reliable and legally admissible.

6.7 Crisis activities are instigated for incidents that cannot be quickly contained or controlled.

Post-incident

6.8 The costs arising from an incident are reported, including the cost of both responding to the incident and the damage caused by its impacts.

6.9 Lessons are learnt and improvements implemented where appropriate, cost-effective and proportionate, with the aim of preventing recurrence.

6.10 Information security incidents are detected, reported and responded to effectively.

Adverse impacts arising from information security incidents are minimised and future recurrences are prevented.

7 Access and authorisation

Logical access

7.1 The Head of ICT Security and Governance, in conjunction with the application sponsor, will manage all access or connection to information systems and resources used to process, store, display or transmit LFEPA information.

7.2 Access shall be:
- Granted only where there is a clearly established business need.
- Formally authorised via an approved authentication process (i.e. positively recognised).
- Accountable to an individual. A dispensation may be granted to waive this requirement for accountability only in exceptional circumstances, where operational circumstances are formally assessed to override the risk of loss of accountability.
- Recorded via an appropriate audit trail.
- Restricted to functionality and data appropriate to an individual's job function (i.e. access based on the principle of "least privilege").
- Permitted based on the principle of the need to know (or where knowing could reap benefits that are positive for LFEPA).
- Administered in a controlled manner.
- Revoked promptly when no longer required.

The level and stringency of the security facilities used to achieve this shall be determined by risk assessment.

Note: It is a criminal offence to gain unauthorised access to a computer system. See Policy Number 485 ICT acceptable use policy for further guidance. A copy of the Computer Misuse Act can be found at:

To maintain the security of information system resources by reducing the risk of unauthorised access and enabling unauthorised access and/or activity to be quickly and easily identified.

Physical access to ICT resources

7.4 The Head of ICT Security and Governance, in conjunction with the heads of service, will ensure that all ICT resources used to process, store, display or transmit LFEPA information are physically protected by suitable mechanisms or methods in order to minimise the risk of malicious damage, tampering and unauthorised use. The Head of Technical and Service Support has responsibility for building security.

7.5 The level and stringency of the security facilities used to achieve this shall be determined by risk assessment.

7.6 Unauthorised physical access to ICT resources may compromise or bypass other security mechanisms and controls. Therefore, control over physical access is crucial to the confidentiality, integrity and availability of ICT resources.

8 System design

8.1 The application sponsor, with the Head of ICT Security and Governance, will ensure that systems have been appropriately designed to incorporate the controls necessary to meet LFEPA information security requirements. The level and stringency of these controls must be commensurate with the sensitivity, criticality or value of the business process and associated data.

8.2 Systems which are unable to meet LFEPA information security requirements shall not be approved for use and will therefore be required to either:
- Be redesigned and amended so that they comply with the requirements of the information security policy; or
- Meet the conditions of the dispensation process outlined in section 3 (policy compliance, measurement, dispensation and risk management).

8.3 The correct functioning of information systems and the accuracy of data are critical to LFEPA.

8.4 Information systems must incorporate the controls necessary to meet the information security requirements of the Authority. To facilitate this, the following areas of control must be formally considered during system design:
- Access and authorisation.
- Input and output processing controls.
- Technical security architecture.
- Monitoring and audit logging.
- Contingency.
- Production of appropriate documentation, e.g. security profile, operational procedures, security standards.
- Connectivity controls.
- Current and emerging security standards and legal, regulatory and contractual requirements.

8.5 When designing a new system or enhancing an existing one, the application sponsor must assess the impact that this development or enhancement will have on the overall business process, system design and interfaces.

8.6 The Head of ICT Security and Governance may require checks on, or an audit of, actual implementations based on the information security policy.

9 Development environment

9.1 The Head of ICT Security and Governance will manage and control the ICT technical environment in which systems are developed, established, tested, enhanced or maintained, to ensure that products incorporate appropriate security controls and function as required by the application sponsor.

9.2 The level and stringency of these controls must be commensurate with the sensitivity, criticality or value of the relevant business process and associated data which the system supports.

9.3 Development environments and associated processes, whether in-house or managed by a third party, should incorporate appropriate controls to ensure the security of the systems throughout their development lifecycle.

9.4 Failure to manage systems development environments properly could result in the accidental or deliberate implementation of incorrect, inaccurate, malicious or otherwise unauthorised software into a production environment.

9.5 This policy applies to the use of all development tools, methodologies and techniques, as well as the manual procedures surrounding the preparation of all new systems or changes for production implementation. The following areas of control must be formally considered to ensure the security of the development environment:
- Access and authorisation.
- Separation of production, test and development environments.
- Segregation of duties.
- Testing controls.
- Depersonalisation of live data used in test environments.
- Version controls.
- Monitoring and audit.
- Contingency.
- Connectivity controls.
- Specific development methodologies.

10 Production systems and networks

10.1 The Head of ICT Security and Governance will ensure that the security of production systems, networks and associated data is maintained and that:
- All production systems and networks comply with appropriate, documented security and control acceptance criteria for the production environment in which they function, which shall be based on approved risk management recommendations.
- Adequate operating procedures, which detail how the system and network environments are managed, are documented and maintained.
- Change management and version control procedures are implemented to maintain the integrity of the production systems and networks environment.
- A physical and/or logical segregation between production and non-production systems (e.g. test) is established.
- An appropriate segregation of duties exists to reduce the risk of accidental or deliberate system misuse.
- An effective and timely response procedure for the management of incidents exists, in line with the other risk type policies on incident management.
- Capacity planning and IT continuity facilities and processes, ensuring the ongoing, optimum level of system or network performance, are documented and maintained.
- All connections between the LFEPA network and externally owned or managed ICT resources are documented and formally agreed by the application sponsor.
- Appropriate administration and monitoring processes to provide assurance as to the security of the operational environment are documented and maintained.
- Appropriate environmental controls exist to support the requirements of the ICT resources.

10.2 This policy ensures the correct and secure operation of production ICT resources that process, store, display or transmit LFEPA related information.

10.3 The correct functioning of systems, together with the confidentiality and accuracy of data, are fundamental to LFEPA.

10.4 The scope of this policy includes the use of individual or shared services such as spreadsheets, documents, databases, application systems and networks used to store, process, display or transmit LFEPA information.

11 Third party access

11.1 When the management, operation or supply of LFEPA information, IT functions, systems, services or development services are to be undertaken by a third party, in order to manage the associated risks the Head of ICT Security and Governance, with the Head of Procurement, must ensure that:
- Security measures are consistent with the information security policy, are agreed with the third party and are incorporated into the contract.
- Third party access to LFEPA's network is approved by the system owner and the third party enters into an agreement that sets out LFEPA's security standards, including compliance with the ICT acceptable use policy.
- LFEPA information and assets are protected via an appropriate contract, which should include a non-disclosure agreement (subject to the requirements of the Freedom of Information Act).
- Appropriate business continuity plans are developed, tested and approved.
- Security compliance processes are established.
- Due diligence checks are performed to ensure compliance with the information security policy.
- The right to audit compliance against agreed security targets is agreed contractually.
- Penetration testing against agreed security targets is conducted where appropriate.
- Responsibilities and procedures for reporting and handling security incidents are established between LFEPA and the third party.
- Third party user access is revoked promptly when no longer required.

11.2 Internet-based software and services must be rigorously evaluated for compliance with LFEPA's security standards, commensurate with the risks presented.

11.3 Where LFEPA enters into shared service arrangements requiring access by the shared services partner to LFEPA's network, the policies applicable to third party access shall apply.

11.4 Third party/outsourcing proposals that are unable to meet the appropriate LFEPA security requirements shall not be approved.

11.5 This policy highlights the specific information security requirements related to third party access, including the outsourcing of ICT systems, services and software that process, store, display or transmit LFEPA information, and defines those areas where security controls are necessary in order to manage the associated risks.

11.6 Third party access includes:
- The concept of facilities management, where the organisation's facilities are operated by a third party but the information and/or assets continue to be owned by LFEPA.
- Third party development work.
- Operational management of outsourced facilities.
- Maintenance and support services.
- Software as a Service: internet-based applications.
- Cloud computing: internet-based file storage and file sharing services.

11.7 A risk assessment must be used to ascertain the level of risk associated with outsourcing a system or service, and to ensure that the appropriate level of security controls is implemented to safeguard the LFEPA information / information system.

11.8 Based upon the outcome of the risk assessment, the approval to outsource must then be obtained from the head of department, in conjunction with the Head of ICT Security and Governance and the Head of Procurement.

12 Business continuity management

Business continuity management

12.1 The Head of Strategy and Performance must ensure that there is an effective enterprise-wide business continuity plan (BCP) in place for the Authority.

12.2 This will incorporate an ICT Business Continuity Plan (ICT BCP) and an ICT Disaster Recovery (ICT DR) Plan (for which the Head of ICT has responsibility).

12.3 The plans should ensure:
- That the strategy for business continuity and IT disaster recovery is clearly documented and understood.
- The continuity of critical business functions, and rapid recovery to reduce the overall disruption caused by a disaster or other disruption.
- That ICT DR provides procedures for emergency response, extended backup operations and post-disaster recovery.
- That a process of risk management is used to produce a formal business impact analysis.
- That a programme of BCP and ICT DR education, training and awareness is implemented to communicate its requirements and procedures to staff.
- That BCP and ICT DR plans are tested and updated on a regular basis, with a minimum requirement being an annual test.

Rationale and Scope

12.4 Recovery plans are required to ensure that LFEPA can comply with its statutory responsibility.

12.5 BCP and ICT DR plans protect critical applications, systems, networks and departments from loss and unavailability caused by threats.

12.6 Threats can be natural, human error or technical.

12.7 The recovery planning process should include the following steps:
- Project initiation.
- Business impact assessment.
- Develop recovery strategy.
- Develop a recovery plan (BCP and ICT DR).
- Implement, test and maintain the BCP and ICT DR.

13 Information security education, training and awareness

Education, training and awareness

13.1 The Head of ICT Security and Governance will maintain an information security education, training and awareness programme.

13.2 The programme will deliver the most appropriate and cost-effective methods for delivering the necessary awareness and training to all levels of staff.

13.3 Heads of service are responsible for ensuring that their staff receive information security training to an appropriate level for their job role, and for making sure that all staff are aware of their responsibilities for information security and the actions that they need to undertake in order to discharge those responsibilities.

13.4 Each member of staff should understand the importance of information security to LFEPA and be made aware of their responsibilities and of the consequences of non-compliance with the information security policy. See Policy number 485 ICT acceptable use policy for further guidance on the consequences.

13.5 All staff have a responsibility to ensure the security of LFEPA ICT and information assets (hardware, software and data).

13.6 The information security education, training and awareness programme communicates responsibilities and liabilities and provides guidance on acceptable behaviours and best practice, as well as the possible outcomes of non-compliance. The training will include, but will not be limited to:
- Information security management.
- Legal and regulatory requirements.
- Business continuity management.
- Incident management.

13.7 Security training happens periodically and continually.

14 Use of technology

Technology

14.1 Technology solutions used to process, store, display or transmit LFEPA information, whether internally or externally sourced, must be appropriately controlled, and users of those systems must understand what is acceptable and proper behaviour.

14.2 The Head of ICT Security and Governance will ensure the development and review of specific policies governing the use of technology, in order to provide continued protection of ICT resources and data against threats associated with the changing use of current technologies and the emergence of new technologies.

14.3 In particular these policies will cover:
- General computer use.
- Protecting personal data and other sensitive data, including the use of security classifications in documents (refer to policy number 619 LFB Security Classifications System).
- Use of electronic communication, including email.
- Use of the Internet.
- Acceptable standards of behaviour when using ICT equipment and systems.
- Use of social media, both externally and internally.
- Policies relating to personally owned equipment.
- Use of mobile devices and supporting security controls to protect LFB data.
- Remote working.

- Use of encryption to protect sensitive information when stored or in transit, or to authenticate users, devices or other system resources.

14.4 The details of the LFEPA acceptable use policies are outlined in the ICT acceptable use policy.

14.5 The IGG will formally review and approve all such policies.

14.6 The use of technology to address LFEPA business initiatives is constantly evolving and changing, and it is not always possible to predict what security requirements will emerge from future technology developments. It is therefore essential that our policies evolve to reflect and address the latest technological developments, in order to manage the risks inherent in a changing ICT environment.

14.7 The use of technology policy exists to ensure that LFEPA information remains adequately protected as industry developments change the way in which ICT resources process information.

Appendix 1 Glossary of terms

Acceptable use: Describes the ways in which ICT resources can and cannot be used.

Dispensation: A temporary exemption from compliance with the information security policy, granted by the IGG.

Cloud computing: Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on demand.

Compliance: The security controls meet the requirements defined in the information security policy.

Formally consider: To consider formally embraces the use of risk assessment techniques to ascertain the appropriate level of security control to be applied.

ICT resources: All technical ICT components that store, process, display or transmit LFEPA information. This includes networks, servers, workstations, software, monitors, backup media, telephony, faxes, video conferencing, printers, etc.

Least privilege: A process has the minimum level of privilege required to perform its functions.

Need to know: A principle by which information is only provided to those with a legitimate need for that information.

Non compliance: Failure to adhere to the minimum security controls defined in the Information Security Policy.

Policy: The mandatory rules as defined by the IGG that govern the management of LFEPA information and information systems. The LFEPA information security policy defines the minimum security controls that must be adhered to.

Practices: Practices support adherence to the policies by providing a detailed framework of security and control techniques and guidance that should be used to help the business and project management to design appropriate security and control facilities.

Procedures: These provide prescriptive guidelines for specific system, service and component implementations. They will be used by ICT operational and support areas and end users to support and operate the implemented controls.

Risk assessment: A formal method of identifying and assessing the possible damage that could be caused, in order to justify security safeguards. The cost of the safeguards should not be greater than the value of the asset it is protecting.


Information Governance Framework Information Governance Framework March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aim 2 3 Purpose, Values and Principles 2 4 Scope 3 5 Roles and Responsibilities 3 6 Review 5 Appendix 1 - Information

More information

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Lancashire County Council Information Governance Framework

Lancashire County Council Information Governance Framework Appendix 'A' Lancashire County Council Information Governance Framework Introduction Information Governance provides a framework for bringing together all of the requirements, standards and best practice

More information

Information Security and Governance Policy

Information Security and Governance Policy Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

INFORMATION SECURITY MANAGEMENT POLICY

INFORMATION SECURITY MANAGEMENT POLICY INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June

More information

How To Ensure Information Security In Nhs.Org.Uk

How To Ensure Information Security In Nhs.Org.Uk Proforma: Information Policy Security & Corporate Policy Procedures Status: Approved Next Review Date: April 2017 Page 1 of 17 Issue Date: June 2014 Prepared by: Information Governance Senior Manager Status:

More information

Working Practices for Protecting Electronic Information

Working Practices for Protecting Electronic Information Information Security Framework Working Practices for Protecting Electronic Information 1. Purpose The following pages provide more information about the minimum working practices which seek to ensure that

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

Information Security: Business Assurance Guidelines

Information Security: Business Assurance Guidelines Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies

More information

Aberdeen City Council IT Security (Network and perimeter)

Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

How To Protect School Data From Harm

How To Protect School Data From Harm 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 CONTENTS Page 1. Introduction 3-4 2. The Commission s Policy 5 3. Outsourcing

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK This Guideline does not purport to be a definitive guide, but is instead a non-exhaustive

More information

University of Liverpool

University of Liverpool University of Liverpool IT Asset Disposal Policy Reference Number Title CSD 015 IT Asset Disposal Policy Version Number v1.2 Document Status Document Classification Active Open Effective Date 22 May 2014

More information

Security Incident Management Policy

Security Incident Management Policy Security Incident Management Policy January 2015 Document Version 2.4 Document Status Owner Name Owner Job Title Published Martyn Ward Head of ICT Business Delivery Document ref. Approval Date 27/01/2015

More information

Access Control Policy

Access Control Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you

More information

Information Security Incident Management Policy and Procedure

Information Security Incident Management Policy and Procedure Information Security Incident Management Policy and Procedure Version Final 1.0 Document Control Organisation Title Author Filename Owner Subject Protective Marking North Dorset District Council IT Infrastructure

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Policy approved by: Audit and Governance Committee Date: 4 th December 2014 Next Review Date: December 2016 Version: 1 Information Security Policy Page 1 of 17 Review and Amendment

More information

Corporate Policy and Strategy Committee

Corporate Policy and Strategy Committee Corporate Policy and Strategy Committee 10am, Tuesday, 30 September 2014 Information Governance Policies Item number Report number Executive/routine Wards All Executive summary Information is a key asset

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information

INFORMATION SECURITY PROCEDURES

INFORMATION SECURITY PROCEDURES INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures

More information

BARRAMUNDI L IMITED RISK MANAGEMENT POLICY

BARRAMUNDI L IMITED RISK MANAGEMENT POLICY BARRAMUNDI L IMITED RISK MANAGEMENT POLICY Last updated: 25 August 2014 THE OBJECTIVES OF RISK MANAGEMENT Risk management is the systematic process of managing an organisation's risk exposures to achieve

More information

NOT PROTECTIVELY MARKED. Suffolk County Council DATA QUALITY POLICY

NOT PROTECTIVELY MARKED. Suffolk County Council DATA QUALITY POLICY Suffolk County Council DATA QUALITY POLICY This policy is sponsored by the Director of Resource Management on behalf of the Chief Executive of Suffolk County Council. Responsibility for maintaining, reviewing

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Version: 0.2 Committee Approved by: Audit Committee Date Approved: 15 th January 2014 Author: Responsible Directorate Information Governance & Security Officer, The Health Informatics

More information

Scotland s Commissioner for Children and Young People Records Management Policy

Scotland s Commissioner for Children and Young People Records Management Policy Scotland s Commissioner for Children and Young People Records Management Policy 1 RECORDS MANAGEMENT POLICY OVERVIEW 2 Policy Statement 2 Scope 2 Relevant Legislation and Regulations 2 Policy Objectives

More information

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE.

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE. Title: Information Governance Policy Date Approved: Approved by: Date of review: Policy Ref: Issue: January 2015 Information Governance Group Division/Department: January 2016 Policy Category: ISP-04 5

More information

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) (NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) 1. Approval and Authorisation Completion of the following signature blocks signifies

More information

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES Final Report Prepared by Dr Janet Tweedie & Dr Julie West June 2010 Produced for AGIMO by

More information

Management Standards for Information Security Measures for the Central Government Computer Systems

Management Standards for Information Security Measures for the Central Government Computer Systems Management Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

More information

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013 Information Governance Policy Version 1.0 June 2013 Copyright Notification Copyright London Borough of Islington 2012 This document is distributed under the Creative Commons Attribution 2.5 license. This

More information

Information Security Policy

Information Security Policy Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Review Policy Reference Number Title CSD-014 Information Security Review Policy Version Number 1.2 Document Status Document Classification Active Open Effective

More information

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Information Governance Strategic

More information

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES... Part A OVERVIEW...1 1. Introduction...1 2. Applicability...2 3. Legal Provision...2 Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...3 4. Guiding Principles...3 Part C IMPLEMENTATION...13 5. Implementation

More information

University of Liverpool

University of Liverpool University of Liverpool Card Payment Policy Reference Number Title Version Number 1.0 Document Status Document Classification FIN-001 Card Payment Policy Active Public Effective Date 03 June 2014 Review

More information

Monitoring and Logging Policy. Document Status. Security Classification. Level 1 - PUBLIC. Version 1.0. Approval. Review By June 2012

Monitoring and Logging Policy. Document Status. Security Classification. Level 1 - PUBLIC. Version 1.0. Approval. Review By June 2012 Monitoring and Logging Policy Document Status Security Classification Version 1.0 Level 1 - PUBLIC Status DRAFT Approval Life 3 Years Review By June 2012 Owner Secure Research Database Analyst Change History

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé NHS HDL (2006)41 abcdefghijklm = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé Dear Colleague NHSSCOTLAND INFORMATION SECURITY POLICY Summary 1. NHSScotland IT Security Policy was

More information