Security Management. Security is taken for granted until something goes wrong.
Derek Logan
Concerns about security have existed for as long as mankind. The most obvious manifestation of this relates to ourselves, where we rely on basic needs such as food, clothing and security being satisfied before the more discretionary aspects of life can be enjoyed. One popular quotation about security was voiced by William Shakespeare in Macbeth, from where the line "Security is mortals' chiefest enemy" came in the 16th Century.

This white paper explains how security management and service management are part of the same overall remit to run an effective enterprise information architecture. As they are but different aspects of the same objective, it can be argued that security management can sit in the service department.

Security is taken for granted until something goes wrong, when visibility goes through the roof and management start to hunt for someone to blame. Whilst this is understandable, it can also be quickly recognised that exactly the same characteristic applies to service delivery as well.

Information Security is a topic that has its own terminology, standards and champions, and is either given too much prominence or not enough, depending on who is involved. However, we use information more today than at any time in our collective past, and access to that information, and its accuracy, is an assumed right. So what is Information Security and why is it relevant to the discipline of Service Delivery?

SECURITY MANAGEMENT A FRUITION PARTNERS WHITEPAPER 2
Definition of Security

Information is an asset which, like any other business asset, has value to an organisation and so needs protecting. Whether that information is in paper or electronic format doesn't matter in terms of the business safeguards needed, although our main interest is clearly in the electronic format, as this is what IT deals with every day.

Information Security is defined here as representing the preservation of:

Confidentiality: ensuring that information is accessible only to those authorised to access it
Integrity: safeguarding the accuracy and completeness of information and its processing
Availability: ensuring that users can get access to information and any associated assets when required

So it isn't hard to understand the correlation between the objectives of information security management and what service managers should be doing every day. For instance, good security is achieved by implementing a set of controls, policies, practices and procedures along with organisational structures and software support. This is so similar to how formal service management disciplines are structured that information security management should become a natural extension of their scope, especially once it is realised that 42 of the 133 control objectives within the security world are also described in ISO 20000, the standard for service management.

Security controls and regulation

There are few formal controls governing service management in isolation, but there are many concerning security management. These determine what controls should exist and what level of compliance with rules, statutes, regulations and industry standards must be achieved. There are several control regimes that govern security, with the most obvious one being ISO/IEC 27001, the international standard for information security management.
Figure 1: The control objectives of ISO/IEC 27001 (table of clause number, security categories and control objectives per clause). The clauses are: Security policy; Organising security; Asset management; Human Resources security; Physical and environmental security; Communications and operations management; Access control; Systems development and maintenance; Security incident management; Business continuity management; Compliance.

This standard details 133 control objectives grouped in 11 key clauses, as shown in figure 1, although not all of these will be needed in every organisation and many of them are open to interpretation. This is where care is needed because, unlike service management, security management can be overdone "to be on the safe side" and organisations end up being burdened by the weight of control. Whilst we do not want just anyone to be able to see our bank accounts, the protection needed over, say, our social media profile is rather less important and so the controls need to be different. It is this aspect of security which confuses people most, because an element of judgement is required, and this is exercised by means of Risk Assessments, which will return different results for different types of enterprise. The process for carrying out risk assessments is described by ISO, and there are common themes in every organisation, highlighted below, along with some of the underlying legal and regulatory requirements.
Figure 2: Laptop theft reported in The Times newspaper

Data Protection: all organisations have to comply with the 1998 Data Protection Act (DPA), which came into effect in. Do you know what your responsibilities for this are? Enforcement of the DPA is the responsibility of the Information Commissioner, who can impose heavy fines for data loss and non-compliance with the Act. Into this category also comes the Regulation of Investigatory Powers (RIP) Act 2000, which specifies who can take responsibility for the interception, monitoring and investigation of incidents; this is of particular relevance to organisations who need to determine who had access to information held or processed electronically. Use of email and telephone call monitoring procedures by an employer over its staff is covered by this RIP legislation.

Business Continuity: all organisations need to protect their equipment, software and data from intentional or unintentional loss. Do you have a plan to show how your business operates when key information goes missing? Business continuity in a 24x7x52 business environment is far more complex than having a Disaster Recovery plan involving cold standby facilities, for if you are an online retailer handling 2500 in revenue a minute, can the business cash flow survive a 36 hour restore period? And would your customers accept this even if the business did?
Internet Threats: anyone with PC-based systems and/or internet access is vulnerable to information being lost or rendered inaccessible due to a virus. This can also seriously affect service stability: it is estimated that 50% of all emails contain a virus and there are 62tn of them annually around the world. Courts of law can use emails as formal records of the company that you work for, which is why they are sequestered by the police. We can see that the email is often more deadly than the mail!

Denial of Service: most often interpreted as being a sustained bombardment of your website, denial of service can be achieved in other ways, often inadvertently, if your network is not in a Closed User Group or has not been designed to use alternate routing and you get cut off from the outside world. This happens, and if you do online business then you're out of it until the outage is repaired and service is restored.

Theft and Loss of Assets: the growth in the number of laptops, tablets and smart phones means that both the hardware and the information contained on them can and do go missing. Would you be happy if it was your medical records that were left behind on the bus? Or that your company tax return was being examined by your competitors? Security is a deeply personal issue as well as one of corporate embarrassment; witness the high profile information leaks in recent years, such as that in figure 2 and the theft of identity of two high profile banking executives.

ISO is not the only control regime that can be applied to security management, however. Another mature offering is CobiT, standing for Control Objectives for Information and related Technology, and this methodology has been in existence since. It is positioned as a practical toolkit for IT governance because, following the Turnbull report, corporate governance and risk management have become increasingly important issues to businesses. A recent issue of Internal Auditing magazine stated that the biggest risks facing organisations are now technology-based.
Figure 3: How the clauses of the two ISO standards overlap, using Change Management as the example (rows: Planning and implementation; Control of implementation; Closing and reviewing; Emergency changes; Reporting and analysis; Verification and audit; Formal change procedures; Control of essential changes; Review, reporting and auditing; Compliance with software IPR).

Just as the role of any auditor will, as a matter of course, include an information systems component, so effective corporate governance and risk management necessitates effective IT governance and risk management. CobiT is primarily an auditing tool but offers an alternative to ISO by introducing controls from a much wider set of standards; however, ISO has always relied on a security standard like ISO to discharge security-specific requirements, and a third of controls are shared between ISO and ISO. An example, using change management, of how these controls are evidenced in the two standards is shown in figure 3.

Service and Security synergy

This paper has already asserted that there is significant synergy between the disciplines of security management and service management. If this is made obvious by a few examples, such as Disaster Management, then it can be readily seen how close the disciplines are. However, it is important not to take the leap towards organisational synergy without considering an important aspect of governance: segregation of duties. IT staff with deep technical skills are the ones who have the means, and arguably the time, to hack into systems for their own ends, and it is necessary to establish effective monitoring and control procedures to ensure they don't.
Figure 4: An example of an ISO controls assessment (radar chart scoring each control area from 0% to 100%: Security policy; Organisation of security; Asset management; Human Resources Security; Physical & environmental security; Operations management; Access control; System Development & MTCE; Security Incident Management; Business Continuity Management; Compliance).

This may be more difficult when everyone is under the same management umbrella, but given that the benefits of synergy can outweigh the drawbacks, self-policing, assuming suitable external oversight and effective access control systems, becomes possible even in the most highly regulated organisations.

The way ahead for organisations

All good ideas start off with either a feasibility study or a visionary statement. There are a number of ways that the security management regime appropriate to your organisation can be determined, and a survey, taking no more than a few hours to complete, that will assess conformance to ISO is a very good start. An example of the output from a security assessment is shown in figure 4 and provides an overview of control status. Management of security can be made cost effective if taken alongside a service improvement programme, where the changes can be dovetailed together; this approach works in practice.
If you are seeking the most effective way of delivering high quality services alongside robust operational KPIs and security appropriate for the Electronic Business, then consider making security management part of your IT service improvement programme. This can be regarded as offering savings of about 10% of the cost of having separate teams, whilst delivering better service. Anyone considering accreditation to ISO will know that a key focus area for compliance is information security management. An organisation having accreditation to ISO is deemed to have fully satisfied the requirements of ISO in this regard, thus proving the link between Security Management and Service Delivery.

For More Information: contact Fruition Partners at or info@fruitionpartners.com. You can also browse some related resources on our website: ESM Showcase, Case Studies, Webinars.
More informationAn Introduction to in-depth Pest Control Surveys: The Role and Responsibilities of the Pest Control Field Biologist
An Introduction to in-depth Pest Control Surveys: BRC Global Standards. Trust in Quality Introduction to in depth Pest Control Surveys: Introduction to in depth Pest Control Surveys: In-depth pest control
More informationHousing Association Regulatory Assessment
Welsh Government Housing Directorate - Regulation Housing Association Regulatory Assessment Melin Homes Limited Registration number: L110 Date of publication: 20 December 2013 Welsh Government Housing
More informationOverview TECHIS60441. Carry out security testing activities
Overview Information, services and systems can be attacked in various ways. Understanding the technical and social perspectives, how attacks work, the technologies and approaches used are key to being
More informationMike Casey Director of IT
Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date
More informationKevin Hayler. Where I m from
THE PROPOSITION Where I m from I ve worked in the Credit Card industry for over 17 years, starting in 1995 with Barclaycard as a Sales Manager, progressing through the ranks before moving to Bank of Scotland
More informationBusiness Continuity Management
Business Continuity Management Policy Statement & Strategy July 2009 Basildon District Council Business Continuity Management Policy Statement The Council is committed to ensuring robust and effective
More informationINFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes
INFORMATION SECURITY POLICY Ratified by RCA Senate, February 2007 Contents Introduction 2 Policy Statement 3 Information Security at RCA 5 Annexes A. Applicable legislation and interpretation 8 B. Most
More informationCivil Aviation Authority. Regulatory Enforcement Policy
Civil Aviation Authority Regulatory Enforcement Policy PAGE 2 REGULATORY ENFORCEMENT POLICY Civil Aviation Authority This policy is subject to a phased implementation process please therefore check applicability
More informationInformation Governance Management Framework
Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date
More informationISO/IEC 27001:2013 Your implementation guide
ISO/IEC 27001:2013 Your implementation guide What is ISO/IEC 27001? Successful businesses understand the value of timely, accurate information, good communications and confidentiality. Information security
More informationPursuant to Convention No. 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data;
Decision No. 2011-316 dated 6 October 2011 adopting a standard for delivering privacy seals in audit procedures covering the protection of persons with regard to the processing of personal data The French
More informationInternal Audit and supervisory expectations building on progress
1 Internal Audit and supervisory expectations building on progress Speech given by Sasha Mills, Director, Cross Cutting Policy, Bank of England Ernst & Young, London 3 February 2016 2 Introductions Hello,
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationWhite Paper. Managed IT Services as a Business Solution
White Paper Managed IT Services as a Business Solution 1 TABLE OF CONTENTS 2 Introduction... 2 3 The Need for Expert IT Management... 3 4 Managed Services Explained... 4 5 Managed Services: Key Benefits...
More informationDemonstrating Regulatory Compliance
White Paper Demonstrating Regulatory Compliance Simplifying Security Management November 2006 Executive Summary Increasingly, organizations throughout Europe are expected to comply (and to demonstrate
More informationmicros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
More informationConsiderations for firms thinking of using third-party technology (off-the-shelf) banking solutions
Financial Conduct Authority Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions Introduction 1. A firm has many choices when designing its operating model
More informationSupporting information technology risk management
IBM Global Technology Services Thought Leadership White Paper October 2011 Supporting information technology risk management It takes an entire organization 2 Supporting information technology risk management
More informationPARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN. Records Management Policy. Version 4.0. Page 1 of 11 Policy PHSO Records Management Policy v4.
PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN Records Management Policy Version 4.0 Page 1 of 11 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: File Location: Approval
More informationCommittees Date: Subject: Public Report of: For Information Summary
Committees Audit & Risk Management Committee Finance Committee Subject: Cyber Security Risks Report of: Chamberlain Date: 17 September 2015 22 September 2015 Public For Information Summary Cyber security
More informationA risky business. Why you can t afford to gamble on the resilience of business-critical infrastructure
A risky business Why you can t afford to gamble on the resilience of business-critical infrastructure Banking on a computer system that never fails? Recent failures in the retail banking system show how
More informationWe are the regulator: Our job is to check whether hospitals, care homes and care services are meeting essential standards.
Inspection Report We are the regulator: Our job is to check whether hospitals, care homes and care services are meeting essential standards. Kumari Care Limited 5 Palace Yard Mews, Queen Square, Bath,
More informationInformation Governance Strategy
Information Governance Strategy THCCGCG9 Version: 01 The information governance strategy outlines the CCG governance aims and the key objectives of its governance policies. The Chief officer has the overarching
More informationISO27001 Controls and Objectives
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
More informationFramework for a Digital Forensic Investigation
Framework for a Digital Forensic Investigation Michael Kohn 1, JHP Eloff 2 and MS Olivier 3 1 mkohn@cs.up.ac.za, 2 eloff@cs.up.ac.za, 3 molivier@cs.up.ac.za Information and Computer Security Architectures
More informationWHITE PAPER. How to simplify and control the cardholder security environment
WHITE PAPER How to simplify and control the cardholder security environment Document Version V1-0 Document Set: QCC Information Security Prepared By Nick Prescot - QCC Information Security Ltd Sponsored
More information