IM&T Infrastructure Security Policy


Board library reference: P070
Document author: Information Security and Technical Assurance Manager
Assured by: Finance and Planning Committee
Review cycle: 3 Years
Expiry date: 15/04/2019
Version No: 4.0

This document is version controlled. The master copy is on Ourspace. Once printed, this document could become out of date. Check Ourspace for the latest version.

Contents

1. Introduction
2. Policy Statement
3. Purpose
4. Scope
5. Content
5.1 Risk Assessment
5.2 Physical & Environmental Security
5.3 Access Control to Secure IM&T Infrastructure Areas
5.4 Access Control to the Network
5.5 Third Party Access Control to the IM&T Infrastructure
5.6 External Network Connections
5.7 Maintenance Contracts
5.8 Data and Software Exchange
5.9 Fault Logging
Data Backup and Restoration
All backup systems will be stored securely off-site
User Responsibilities, Awareness & Training
Accreditation of IM&T infrastructure Systems
Technical Security Measures
5.15 Secure Disposal or Re-use of Equipment
System Change Control
Reporting IM&T Security Incidents & Weaknesses
System Configuration Management
Business Continuity & Disaster Recovery Plans
6. Roles and Responsibilities
6.1 The Chief Executive
6.2 The Senior Information Risk Owner (SIRO)
6.3 Executive Directors and Strategic Business Unit Directors
6.4 Information Governance Group
6.5 Head of IM&T (HoIM&T)
6.6 Information Security and Technical Assurance Manager (ISTAM)
6.7 All Users of AWP IM&T Systems
6.8 Line Manager's Responsibilities
7. Standards
8. Training
9. Monitoring or Audit
10. Associated and Related Procedural Documents
11. References

1. Introduction

Avon and Wiltshire Mental Health Partnership NHS Trust (AWP) is bound by the provisions of a considerable number of items of legislation and regulation affecting the stewardship of data and information. Information Governance (IG) ensures the Trust's compliance with applicable legislation, the regulatory framework, Common Law, and mandated Best Practice. In short, IG exists to ensure the Integrity, Availability, Confidentiality and Accountability of the Trust's operational, patient, staff and management information.

The AWP Overarching Information Governance Policy defines the Trust's mandated base-line strategy for compliance and effective management in each of the following six areas of Information Governance:

- Information Governance Management
- Confidentiality & Data Protection Assurance
- Clinical Information Assurance
- Information Security Assurance
- Secondary Use Assurance
- Corporate Information Assurance

Collectively the information governance policies constitute the top level documentation of the Trust's Information Governance Management System (IGMS). Compliance with all Policies, Procedures and Guidelines contained in the IGMS is mandatory for all persons and organisations operating under the auspices of, or delivering a service to, the Trust, whether they are staff, students, volunteers, contractors or partner organisations.

Staff should be aware that IGMS Policies are intended to protect the Trust and staff from adverse outcomes in terms of compliance with the law. Where IGMS policies are breached by staff it may be necessary for managers to consider retraining staff, or following the Trust's Disciplinary Procedures. Staff should also note that legal penalties could be imposed upon the Trust or its employees for non-compliance with relevant legislation and NHS guidance, and in serious cases individuals may not be immune from prosecution or civil legal action by virtue of their employment within the Trust.

2. Policy Statement

The AWP information IM&T infrastructure will be available when needed, can be accessed only by legitimate users and will contain complete and accurate information. The IM&T infrastructure must also be able to withstand or recover from threats to its availability, integrity and confidentiality. To satisfy this, AWP will undertake the following:

- Protect all hardware, software and information assets under its control. This will be achieved by implementing technical and non-technical measures;
- Provide both effective and cost-effective protection that is commensurate with the risks to its IM&T infrastructure information assets;
- Implement the IM&T Infrastructure Security Policy in a consistent, timely and cost-effective manner;
- Comply with other laws and legislation as appropriate.

3. Purpose

The Information Management & Technology (IM&T) infrastructure is a collection of information technology equipment and its related software, such as servers, computers, printers, routers and switches, which are inter-connected.

This policy applies to all networks within AWP used for:

- The storage, sharing and transmission of clinical data and images;
- The storage, sharing and transmission of non-clinical data and images;
- Printing or scanning non-clinical or clinical data;
- The provision of Internet systems for receiving, sending and storing non-clinical or clinical data.

The purpose of this document is to set out the Trust's policy on security of its IM&T infrastructure.

This Infrastructure Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support the network. It sets out the organisation's policy for the protection of the confidentiality, integrity and availability of the network, establishes the security responsibilities for IM&T infrastructure security and provides reference to documentation relevant to this policy.

The aim of this policy is to ensure the security of AWP's network. To do this the Trust will:

- Ensure availability of the IM&T infrastructure for authorised users and protect it from unauthorised access.
- Preserve Integrity by protecting the IM&T infrastructure from unauthorised or accidental modification, ensuring the accuracy and completeness of the organisation's information assets.
- Preserve Confidentiality by protecting information assets against unauthorised disclosures and ensuring it is capable of being audited and monitored for compliance and regulatory purposes.

4. Scope

This is a Trust-wide Policy and applies to IM&T systems and the data held, processed or transmitted by them, including staff, service user, management, audit and all other types of information used by the Trust.

This Policy shall apply to all staff and personnel operating under the auspices of the Trust, including locums, contractors, temporary staff, students, service user representatives, volunteers and partner agency staff. Where a third party has an organisational policy that differs from this policy, a formal agreement as to which policy statement applies shall be outlined and agreed in an appropriate protocol if necessary. In the absence of such an agreement, this Policy shall be deemed to have precedence.

5. Content

5.1 Risk Assessment

AWP will carry out security risk assessment(s) in relation to all the elements of its IM&T infrastructure. The risk assessments will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability.

5.2 Physical & Environmental Security

- All IM&T infrastructure equipment will be housed in a controlled and secure environment.
- Critical or sensitive IM&T infrastructure equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls.
- Critical or sensitive IM&T infrastructure equipment will be housed in an environment that is monitored for temperature, humidity and power supply.
- The Head of IM&T (HoIM&T) is responsible for ensuring that door lock codes are changed periodically, following a compromise of the code, if they suspect the code has been compromised, or when required to do so by the Information Security and Technical Assurance Manager (ISTAM).
- Critical or sensitive IM&T infrastructure equipment will have precautions in place to protect from power supply failures.
- Critical or sensitive IM&T infrastructure equipment will be protected by intruder alarms and fire detection/suppression systems.
- Eating and drinking are forbidden in areas housing critical or sensitive IM&T infrastructure equipment.
- All visitors to secure IM&T infrastructure areas must be authorised by the HoIM&T or their delegates.
- All visitors to secure IM&T infrastructure areas must be logged in and out. The log will contain name, organisation, purpose of visit, date, and time in and out.
- The HoIM&T will ensure that all relevant staff are made aware of procedures for visitors and that visitors are monitored, when necessary.

5.3 Access Control to Secure IM&T Infrastructure Areas

- Entry to secure areas housing critical or sensitive IM&T infrastructure equipment will be restricted to those whose job requires it.
- The HoIM&T will maintain and periodically review a list of those with unsupervised access.

5.4 Access Control to the Network

- Access to the IM&T infrastructure will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access.
- Remote access to the IM&T infrastructure will conform to the Trust's Remote Access Standards.
- There must be a formal, documented user registration and de-registration procedure for access to the network.
- Security privileges to the IM&T infrastructure will be allocated on the requirements of the user's job, rather than on a status basis.
- All users of the IM&T infrastructure will have their own individual user identification and password.
- Users are responsible for ensuring their password is kept secret and accounts are not shared.
- User access rights will be immediately removed or reviewed for those users who have left the Trust or changed jobs.

5.5 Third Party Access Control to the IM&T Infrastructure

- Third party access to the IM&T infrastructure will be based on a formal contract that satisfies all necessary NHS security conditions.
- All third party access to the IM&T infrastructure must be logged by the appropriate IAO/IAA.

5.6 External Network Connections

The HoIM&T shall:

- Ensure that all connections to external networks and systems have been documented by the IAA and approved by the ISTAM.
- Ensure that all connections to external networks and systems conform to the NHS-wide Network Security Policy, Code of Connection and supporting guidance.

The ITSS must approve all connections to external networks and systems before they commence operation.

5.7 Maintenance Contracts

The Information Asset Owner (IAO) will ensure that appropriate maintenance contracts are maintained and periodically reviewed for all IM&T infrastructure. All contract details will be included within the system documentation retained by the IAO/ISTAM.

5.8 Data and Software Exchange

Formal agreements for the exchange of data between organisations must be established and approved by the Trust's Head of Compliance or ISTAM.

5.9 Fault Logging

The IAO/Information Asset Administrator (IAA) is responsible for ensuring that a log of all faults on the IM&T infrastructure is maintained and reviewed.

IM&T infrastructure Operating Procedures

The IAO/IAA will produce Standard Operating Procedures and security contingency plans that reflect this policy.

Data Backup and Restoration

The HoIM&T is responsible for ensuring that appropriate configuration information is recorded to allow the restoration of core systems.

The HoIM&T will produce an overarching back up strategy and supporting procedures for the backing up of all data.

The IAOs are responsible for ensuring that the backup regime for their information assets meets their requirements for business continuity and is included in the back up strategy.

All backup systems will be stored securely off-site.

The HoIM&T will be responsible for the physical integrity of the back-up.

The IAO/IAAs are responsible for ensuring that their data is fit for purpose by implementing a suitable testing program.

User Responsibilities, Awareness & Training

The Trust will ensure that all users of the IM&T infrastructure are provided with the necessary security guidance, awareness and, where appropriate, training to discharge their security responsibilities.

All users of the IM&T infrastructure must be made aware of the contents and implications of the Acceptable Use Policy and associated procedures.

All IAO/IAAs must be aware of the contents and implications of this IM&T infrastructure policy.

Accreditation of IM&T infrastructure Systems

All IM&T infrastructure systems within the Trust must be accredited in line with the Trust's Information Asset release procedure and must be approved by the ISTAM and HoIM&T.

Technical Security Measures

- Malicious software: the HoIM&T will ensure that sufficient technical measures are in place to minimise the risk of intrusion from malicious software. All users will be trained and alerted to their responsibility not to take any actions which may result in malicious software entering the system.
- Data loss: the HoIM&T will ensure that sufficient technical measures are in place to minimise the risks of data loss. All users will be trained and alerted to their responsibility with regard to data loss.
- Zero day vulnerabilities: the HoIM&T will ensure that sufficient technical measures are in place to minimise the risks of zero day vulnerabilities.
- Unauthorised software: the HoIM&T will ensure that sufficient technical measures are in place to minimise the risks of unauthorised software. All users will be trained and alerted to their responsibility with regard to unauthorised software.
- System misconfiguration: the HoIM&T will ensure that sufficient technical and operational measures are in place to minimise the risks due to misconfiguration of systems.
- Unauthorised access to Trust systems: the HoIM&T will ensure that sufficient technical measures are in place to minimise the risks of data loss. All users will be trained and alerted to their responsibility with regard to unauthorised access.
- Access to inappropriate or dangerous web content: the HoIM&T will ensure that sufficient technical measures are in place to allow the Trust to effectively manage and monitor internet usage.
- Any other identified risk: the HoIM&T will ensure that, where warranted, technical measures will be implemented to detect and protect the IM&T infrastructure systems as they are identified.

5.15 Secure Disposal or Re-use of Equipment

All IM&T equipment must be disposed of by the IM&T department, adhering to the Trust procedures and legal compliance requirements as referred to in the Confidential Disposal of Media Waste procedure.

System Change Control

The relevant IAO will approve the relevant change control procedure; the IAA will be responsible for operating the change control procedure.

Reporting IM&T Security Incidents & Weaknesses

IM&T security incidents will be reported through the adverse incident reporting procedure.

Any identified weaknesses will be reported on the IAO's own departmental risk register.

System Configuration Management

There should be an effective configuration management system for all elements of the IM&T infrastructure.

Business Continuity & Disaster Recovery Plans

The HoIM&T is responsible for maintaining the Trust's IT Disaster Recovery Plan.

The IAOs/IAAs are responsible for the Business Continuity plans for their identified information assets.

6. Roles and Responsibilities

6.1 The Chief Executive

The Chief Executive is responsible for ensuring the Trust's compliance with applicable legislation and regulation. The Chief Executive has delegated the overall IT security responsibility for policy and implementation to the Head of Information Systems and Technology. Responsibility for implementing this policy within the context of IT systems development and use in the organisation is delegated further to the IT Security Specialist.

6.2 The Senior Information Risk Owner (SIRO)

The Executive Director of Finance and Commerce and Deputy Chief Executive shall be the Trust Senior Information Risk Owner (SIRO) and shall represent any relevant information risk to the Board of Directors. The SIRO shall receive specialist advice from the IT Security Specialist.

6.3 Executive Directors and Strategic Business Unit Directors

Executive Directors and Strategic Business Unit Directors are responsible for the implementation of the standards of compliance specified in this policy within their areas of responsibility.

6.4 Information Governance Group

The Information Governance Group shall monitor and report on the implementation of the Trust's Information Governance Management System (IGMS).

6.5 Head of IM&T (HoIM&T)

The Head of IM&T (HoIM&T) will:

- Define and implement effective security countermeasures.
- Produce all relevant security documentation, security operating procedures and contingency plans reflecting the requirements of the IM&T infrastructure Security Policy. All such documentation will be included in the IT Department's Asset register.

6.6 Information Security and Technical Assurance Manager (ISTAM)

The ISTAM shall:

- Monitor system and user activity for compliance with this policy.
- Investigate reported incidents or alerts that may affect the organisation's systems, applications or networks and liaise with HR, IG and Security Management as appropriate.
- Review and approve proposals for connecting the Trust's systems, applications or networks to third party systems, applications or networks.
- Produce organisational standards, procedures and guidance on Information Security matters for approval by the IGMG.
- Work with the HoIM&T, IAOs and SIRO to ensure that risks to IT systems are reduced to an acceptable level by applying security countermeasures identified following an assessment of the risk.
- Approve system security measures for the infrastructure, systems and common services.

6.7 All Users of AWP IM&T Systems

All users of AWP IM&T systems are responsible for ensuring that their use of Trust systems is conducted in compliance with this policy and have a duty to report any instances of non-compliance they witness to their managers. All users shall:

- Prevent the introduction of malicious software on the organisation's IT systems.
- Report any suspected or actual breaches in information security.

6.8 Line Manager's Responsibilities

Line Managers are responsible for ensuring compliance with this policy through appropriate managerial arrangements including supervision, training, performance management and the use of disciplinary procedures where necessary. It is the responsibility of Line Managers to enable their staff to attend suitable information governance training.

7. Standards

This policy shall be assessed against the Information Governance Toolkit standards.

8. Training

The Trust's overarching policy for training is the Learning and Development Policy and this should be read in conjunction with this policy. The Learning and Development Policy also describes the Trust's arrangements for training, in particular how there are processes in place to ensure staff receive the training they require and how non-attendance is followed up. These arrangements are further supported by management supervision and appraisal processes. Individual Line Managers are responsible for ensuring their staff are aware of and adhere to this policy.

9. Monitoring or Audit

Monitoring shall be proactive and designed to highlight issues before an incident occurs, and should consider both positive and negative aspects of any examined process.

Compliance with this policy shall be monitored by the ISTAM and formally reported to the Information Governance Group (IGG) quarterly, and shall be assessed annually using the Information Governance Toolkit.

Internal Audit shall conduct an annual audit of Information Governance Assurance Statement and the NHS Operating Framework and report their findings and recommendations to the IGMG. Where failings have been identified, action plans shall be drawn up and changes made to arrangements to reduce the risks.

The IGG shall facilitate the review and update of this policy and supporting IG policies.

10. Associated and Related Procedural Documents

A list of related Trust policies can be found on Ourspace.

11. References

A full list of the applicable legislation referenced in the compilation of this policy can be viewed in the NHS Information Governance Guidance on Legal and Professional Obligations at the following link: DH_

Version History

Version | Date | Revision description | Editor | Status
 | /01/2011 | Review by Information Governance Group | Information Technology Security Specialist | Approved
 | /03/2011 | Reviewed by Quality & Healthcare Governance Committee | Information Technology Security Specialist | Approved
 | /02/2013 | Approved by Finance and Planning Committee | Information Technology Security Specialist | Approved
 | /04/2016 | Update and Tidy | ISTAM |
 | /04/2016 | Approved by Finance and Planning Committee | ISTAM | Approved


Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

NHS Commissioning Board: Information governance policy

NHS Commissioning Board: Information governance policy NHS Commissioning Board: Information governance policy DOCUMENT STATUS: To be approved / Approved DOCUMENT RATIFIED BY: DATE ISSUED: October 2012 DATE TO BE REVIEWED: April 2013 2 AMENDMENT HISTORY: VERSION

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Information Security Management System (ISMS) Policy

Information Security Management System (ISMS) Policy Information Security Management System (ISMS) Policy April 2015 Version 1.0 Version History Version Date Detail Author 0.1 18/02/2015 First draft Andy Turton 0.2 20/02/2015 Updated following feedback from

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

University of Brighton School and Departmental Information Security Policy

University of Brighton School and Departmental Information Security Policy University of Brighton School and Departmental Information Security Policy This Policy establishes and states the minimum standards expected. These policies define The University of Brighton business objectives

More information

CCG: IG06: Records Management Policy and Strategy

CCG: IG06: Records Management Policy and Strategy Corporate CCG: IG06: Records Management Policy and Strategy Version Number Date Issued Review Date V3 08/01/2016 01/01/2018 Prepared By: Consultation Process: Senior Governance Manager, NECS CCG Head of

More information

How To Protect School Data From Harm

How To Protect School Data From Harm 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

Information Governance Strategy. Version No 2.0

Information Governance Strategy. Version No 2.0 Plymouth Community Healthcare CIC Information Governance Strategy Version No 2.0 Notice to staff using a paper copy of this guidance. The policies and procedures page of PCH Intranet holds the most recent

More information

Policy Document. IT Infrastructure Security Policy

Policy Document. IT Infrastructure Security Policy Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT

More information

INFORMATION SECURITY PROCEDURES

INFORMATION SECURITY PROCEDURES INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures

More information

Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25

Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25 Information Security Policy Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25 Document Information Trust Policy Number : ULH-IM&T-ISP01 Version : 3.1 Status : Approved Issued by : Information Governance

More information

Information Security Incident Management Policy

Information Security Incident Management Policy Information Security Incident Management Policy Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT Policy & Regulation

More information

Information Governance Policy

Information Governance Policy Author: Susan Hall, Information Governance Manager Owner: Fiona Jamieson, Assistant Director of Healthcare Governance Publisher: Compliance Unit Date of first issue: February 2005 Version: 5 Date of version

More information

IS INFORMATION SECURITY POLICY

IS INFORMATION SECURITY POLICY IS INFORMATION SECURITY POLICY Version: Version 1.0 Ratified by: Trust Executive Committee Approved by responsible committee(s) IS Business Continuity and Security Group Name/title of originator/policy

More information

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L. Document No: IG10d Version: 1.1 Name of Procedure: Third Party Due Diligence Assessment Author: Release Date: Review Date: Lauren Hamill, Information Governance Officer Version Control Version Release

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July 2013 1 Document Control Sheet Name of Document: Information Governance & Data Protection Policy

More information

How To Be A Senior Pharmacy Technician

How To Be A Senior Pharmacy Technician JOB DESCRIPTION JOB TITLE : Senior Pharmacy Technician DEPARTMENT : Pharmacy Heartlands, Solihull & Good Hope Hospitals GRADE : Band 5 HOURS OF DUTY : 37.5 hours per week. The Trust operates a 7 day working

More information

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé NHS HDL (2006)41 abcdefghijklm = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé Dear Colleague NHSSCOTLAND INFORMATION SECURITY POLICY Summary 1. NHSScotland IT Security Policy was

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Access Control Policy

Access Control Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you

More information

Physical Security Policy Template

Physical Security Policy Template Physical Security Policy Template The Free iq Physical Security Policy Generic Template has been designed as a preformatted framework to enable your Practice to produce a Policy that is specific to your

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Internet Use Policy and Code of Conduct

Internet Use Policy and Code of Conduct Internet Use Policy and Code of Conduct UNIQUE REF NUMBER: AC/IG/023/V1.1 DOCUMENT STATUS: Agreed by Audit Committee 18 July 2013 DATE ISSUED: July 2013 DATE TO BE REVIEWED: July 2014 1 P age AMENDMENT

More information

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Including the Information Governance Strategy Framework and associated Information Governance Procedures Last Review Date Approving Body N/A Governing Body Date of Approval

More information

Information Security Programme

Information Security Programme Information Security Programme Information Security Policy This document is issued in the strictest business confidence. It should be read in conjunction with a number of other supporting and complementary

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

Information Governance Framework

Information Governance Framework Information Governance Framework March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aim 2 3 Purpose, Values and Principles 2 4 Scope 3 5 Roles and Responsibilities 3 6 Review 5 Appendix 1 - Information

More information

Information Security and Governance Policy

Information Security and Governance Policy Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information

More information

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by: Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Information Governance Policy Issue Date: June 2014 Document Number: POL_1008 Prepared by: Information Governance Senior Manager Insert heading depending on Insert line heading

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Document Number 01 Version Number 2.0 Approved by / Date approved Effective Authority Customer Services & ICT Authorised by Assistant Director Customer Services & ICT Contact

More information

Remote Network Access Procedure

Remote Network Access Procedure Remote Network Access Procedure Version: 1.1 Bodies consulted: - Approved by: PASC Date Approved: 20.8.13 Lead Manager: Ade Sulaiman Responsible Director: Simon Young Date issued: Aug 13 Review date: Jul

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

A Question of Balance

A Question of Balance A Question of Balance Independent Assurance of Information Governance Returns Audit Requirement Sheets Contents Scope 4 How to use the audit requirement sheets 4 Evidence 5 Sources of assurance 5 What

More information

Highland Council Information Security Policy

Highland Council Information Security Policy Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information

YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY

YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY Author Head of IT Equality impact Low Original Date September 2003 Equality No This Revision September

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

NHS Information Governance:

NHS Information Governance: NHS Information Governance: Information Risk Management Guidance: Maintenance and Secure Disposal of Digital Printers, Copiers and Multi Function Devices Department of Health Informatics Directorate July

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

REMOTE WORKING POLICY

REMOTE WORKING POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Information Security Policy

Information Security Policy Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

More information

BAND: 5. 37½ hours per week 1. JOB SUMMARY

BAND: 5. 37½ hours per week 1. JOB SUMMARY POST TITLE: Software Developer BAND: 5 HOURS: ACCOUNTABLE TO: LOCATION: 37½ hours per week Head of Informatics Programme Mamhilad 1. JOB SUMMARY Reporting to Software Development Manager, the post holder

More information

Information security and paper-based data storage and disposal. INFORMATION SECURITY POLICY Version 2.2

Information security and paper-based data storage and disposal. INFORMATION SECURITY POLICY Version 2.2 Information security and paper-based data storage and disposal NOT PROTECTIVELY MARKED INFORMATION SECURITY POLICY Version 2.2 Title Subject Version Date Author Protective Marking Classification INFORMATION

More information