Security Management. Security is taken for granted until something goes wrong.


Security Management: A Fruition Partners Whitepaper

Concerns about security have existed for as long as mankind has. The most obvious manifestation of this relates to ourselves: we rely on basic needs such as food, clothing and security being satisfied before the more discretionary aspects of life can be enjoyed. One popular attribution about security was voiced by William Shakespeare in Macbeth, from where the quotation "Security is mortals' chiefest enemy" came in the 16th Century.

This white paper explains how security management and service management are part of the same overall remit to run an effective enterprise information architecture. As they are but different aspects of the same objective, it can be argued that security management can sit in the service department.

Security is taken for granted until something goes wrong, when visibility goes through the roof and management start to hunt for someone to blame. Whilst this is understandable, it can also be quickly recognised that exactly the same characteristic applies to service delivery as well.

Information Security is a topic that has its own terminology, standards and champions and is either given too much prominence or not enough, depending on who is involved. However, we use information more today than at any time in our collective past, and access to that information, and its accuracy, is an assumed right. So what is Information Security and why is it relevant to the discipline of Service Delivery?

Definition of Security

Information is an asset which, like any other business asset, has value to an organisation and so needs protecting. Whether that information is in paper or electronic format doesn't matter in terms of the business safeguards needed, although our main interest is clearly in the electronic format, as this is what IT deals with every day. Information Security is defined here as representing the preservation of:

- Confidentiality: ensuring that information is accessible only to those authorised to access it
- Integrity: safeguarding the accuracy and completeness of information and its processing
- Availability: ensuring that users can get access to information and any associated assets when required

So it isn't hard to understand the correlation between the objectives of information security management and what service managers should be doing every day. For instance, good security is achieved by implementing a set of controls, policies, practices and procedures along with organisational structures and software support. This is so like how formal service management disciplines are structured that information security management should become a natural extension to scope, especially once it is realised that 42 of the 133 control objectives within the security world are also described in ISO 20000, the standard for service management.

Security controls and regulation

There are few formal controls governing service management in isolation but there are many concerning security management. These actually determine what controls should exist and what level of compliance with rules, statutes, regulations and industry standards must be achieved. There are several control regimes that govern security, with the most obvious one being ISO/IEC 27001, the international standard for information security management.

[Figure 1: The control objectives of ISO. Table columns: ISO clause; Security Categories; Control Objectives. Rows: Security policy (1, 2); Organising security; Asset management; Human Resources security; Physical and environmental security; Communications and operations management; Access control; Systems development and maintenance; Security incident management; Business continuity management; Compliance; Total.]

This standard details 133 control objectives grouped in 11 key clauses, as shown in figure 1, although not all of these will be needed in every organisation and many of them are capable of interpretation. This is where care is needed because, unlike service management, security management can be overdone to be on the safe side, and organisations end up being burdened by the weight of control. Whilst we do not want just anyone to be able to see our bank accounts, the protection needed over, say, our social media profile is a bit less important and so the controls need to be different.

It is this aspect of security which confuses people most, because an element of judgement is required. This judgement is exercised by means of Risk Assessments, which will return different results for different types of enterprise. The process for carrying out risk assessments is described by ISO and there are common themes in every organisation, highlighted below along with some of the underlying legal and regulatory requirements.

[Figure 2: Laptop theft reported in The Times newspaper]

Data Protection: all organisations have to comply with the 1998 Data Protection Act (DPA), which came into effect in Do you know what your responsibilities for this are? Enforcement of the DPA is the responsibility of the Information Commissioner, who can impose heavy fines for data loss and non-compliance with the Act. Into this category also comes the Regulation of Investigatory Powers (RIP) Act 2000, which specifies who can take responsibility for the interception, monitoring and investigation of incidents. This is of particular relevance to organisations that need to determine who had access to information held or processed electronically. An employer's use of e-mail and telephone call monitoring procedures on its staff is covered by this RIP legislation.

Business Continuity: all organisations need to protect their equipment, software and data from intentional or unintentional loss. Do you have a plan to show how your business operates when key information goes missing? Business continuity in a 24x7x52 business environment is far more complex than having a Disaster Recovery plan involving cold standby facilities, for if you are an online retailer handling 2500 revenue a minute, can the business cash flow survive a 36 hour restore period? And would your customers accept this even if the business did?

Internet Threats: anyone with PC based systems and/or internet access is vulnerable to information being lost or rendered inaccessible due to a virus. This can also seriously affect service stability: it is estimated that 50% of all e-mails contain a virus and there are 62tn of them annually around the world. Courts of law can use e-mails as formal records of the company that you work for, which is why they are sequestered by the police. We can see that the e-mail is often more deadly than the mail!

Denial of Service: most often interpreted as being a sustained bombardment of your website, denial of service can be achieved in other ways, often inadvertently, if your network is not in a Closed User Group or has not been designed to use alternate routing and you get cut off from the outside world. This happens, and if you do online business, then you're out of it until the outage is repaired and service is restored.

Theft and Loss of Assets: the growth in the number of laptops, tablets and smart phones means that both the hardware and the information contained on them can and do go missing. Would you be happy if it was your medical records that were left behind on the bus? Or that your company tax return was being examined by your competitors? Security is a deeply personal issue as well as one of corporate embarrassment: witness the high profile information leaks in recent years, such as that in figure 2, and the theft of identity of two high profile banking executives.

ISO is not the only control regime that can be applied to security management, however. Another mature offering is CobiT, standing for Control Objectives for Information and related Technology, and this methodology has been in existence since It is positioned as a practical toolkit for IT governance because, following the Turnbull report, corporate governance and risk management have become increasingly important issues to businesses. A recent issue of Internal Auditing magazine stated that the biggest risks facing organisations are now technology-based.

[Figure 3: How ISO and ISO clauses overlap, using Change Management. Entries listed under the two standards: Planning and implementation; Control of implementation; Closing and reviewing; Emergency changes; Reporting and analysis; Verification and audit; Formal change procedures; Control of essential changes; Review, reporting and auditing; Compliance with software IPR.]

Just as the role of any auditor will, as a matter of course, include an information systems component, so effective corporate governance and risk management necessitates effective IT governance and risk management. CobiT is primarily an auditing tool but offers an alternative to ISO by introducing controls from a much wider set of standards; however, ISO has always relied on a security standard like ISO to discharge security specific requirements and a third of controls are shared between ISO and ISO. An example, using change management, of how these controls are evidenced in the two standards is shown in figure 3.

Service and Security synergy

This paper has already asserted that there is significant synergy between the disciplines of security management and service management. If this is made obvious by a few examples, such as Disaster Management, then it can be readily seen how close the disciplines are. However, it is important not to take the leap towards organisational synergy without considering an important aspect of governance: segregation of duties. IT staff with deep technical skills are the ones who have the means, and arguably the time, to hack into systems for their own ends, and it is necessary to establish effective monitoring and control procedures to ensure they don't.

[Figure 4: An example of an ISO controls assessment. Chart giving a score from 0% to 100% for each of: Business Continuity Management; Compliance; Security policy; Organisation of security; Asset management; Security Incident Management; Human Resources Security; System Development & MTCE; Access control; Operations management; Physical & environmental security.]

This may be more difficult when everyone is under the same management umbrella, but given that the benefits of synergy can outweigh the drawbacks, self policing, assuming suitable external oversight and effective access control systems, becomes possible even in the most highly regulated organisations.

The way ahead for organisations

All good ideas start off with either a feasibility study or a visionary statement. There are a number of ways that the security management regime appropriate to your organisation can be determined, and a survey, taking no more than a few hours to complete, that will assess conformance to ISO is a very good start. An example of the output from a security assessment is shown in figure 4 and provides an overview of control status. Management of security can be made cost effective if taken alongside a service improvement programme where the changes can be dovetailed together, and this approach works in practice.

If you are seeking the most effective way of delivering high quality services alongside robust operational KPIs and security appropriate for the Electronic Business, then consider making security management part of your IT service improvement programme. This can be regarded as offering savings of about 10% of the cost of having separate teams, whilst delivering better service.

Anyone considering accreditation to ISO will know that a key focus area for compliance is information security management. An organisation having accreditation to ISO is deemed to have fully satisfied the requirements of ISO in this regard, thus proving the link between Security Management and Service Delivery.

For more information, contact Fruition Partners. You can also browse some related resources on our website: ESM Showcase, Case Studies, Webinars.


More information

Understanding Agile Project Management

Understanding Agile Project Management Understanding Agile Project Management Author Melanie Franklin Director Agile Change Management Limited Introduction This is the transcript of a webinar I recently delivered to explain in simple terms

More information

Information Security Policy

Information Security Policy Central Bedfordshire Council www.centralbedfordshire.gov.uk Information Security Policy January 2016 Security Classification: Not Protected 1 Approval History Version No Approved by Approval Date Comments

More information

Response to NAF Consulting Paper

Response to NAF Consulting Paper Response to NAF Consulting Paper Author: Tan Chuan Jin Email: chuanjin.tan@atosorigin.com Yeo Chien Jen Email: chienjen.yeo@atosorigin.com Version: 1.3 Document date: 21 September 2008 All rights reserved.

More information

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services Issue 1.0 (Effective 27 June 2012) This document contains a copy of the STFC policy statements outlining

More information

PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN. Records Management Policy. Version 4.0. Page 1 of 11 Policy PHSO Records Management Policy v4.

PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN. Records Management Policy. Version 4.0. Page 1 of 11 Policy PHSO Records Management Policy v4. PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN Records Management Policy Version 4.0 Page 1 of 11 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: File Location: Approval

More information

Cumbria Constabulary. Business Continuity Planning

Cumbria Constabulary. Business Continuity Planning Cumbria Constabulary Business Continuity Planning 0 Cumbria Shared Internal Audit Service Images courtesy of Carlisle City Council except: Parks (Chinese Gardens), www.sjstudios.co.uk, Monument (Market

More information

How we deal with complaints and concerns

How we deal with complaints and concerns I Data Protection Act How we deal with complaints and concerns A guide for data controllers 1 Data Protection Act How we deal with complaints and concerns The ICO is the UK s independent public authority

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Corporate Information Security Management Policy

Corporate Information Security Management Policy Corporate Information Security Management Policy Signed: Chief Executive. 1. Definition of Information Security 1.1. Information security means safeguarding information from unauthorised access or modification

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

More information

10 Hidden IT Risks That Threaten Your Financial Services Firm

10 Hidden IT Risks That Threaten Your Financial Services Firm Your firm depends on intelligence. But can you count on your technology? You may not be in the intelligence technology business, but it s probably impossible to imagine your business without IT. Today,

More information

A six step plan for CII members approached by someone with a whistleblowing concern

A six step plan for CII members approached by someone with a whistleblowing concern Guidance paper June 2014 How to manage a whistleblower: A six step plan for CII members approached by someone with a whistleblowing concern Summary This brief guidance paper is a supplement to the main

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

HOSTING. Managed Security Solutions. Managed Security. ECSC Solutions

HOSTING. Managed Security Solutions. Managed Security. ECSC Solutions Managed Security Managed Security MANAGED SECURITY SOLUTIONS I would highly recommend for your company s network review... were by far the best company IT Manager, Credit Management Agency Presenting IT

More information

Information Security Policy. Information Security Policy. Working Together. May 2012. Borders College 19/10/12. Uncontrolled Copy

Information Security Policy. Information Security Policy. Working Together. May 2012. Borders College 19/10/12. Uncontrolled Copy Working Together Information Security Policy Information Security Policy May 2012 Borders College 19/10/12 1 Working Together Information Security Policy 1. Introduction Borders College recognises that

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact

More information

Security Solutions. Protecting your data.

Security Solutions. Protecting your data. Security Solutions Protecting your data. Ricoh your reliable partner Innovations in information technology have radically changed the way information is created, managed, distributed and stored. This tremendous

More information

The Regulatory Framework for Social Housing in England Governance and Financial Viability standard requirement: Governance Annual Assessment

The Regulatory Framework for Social Housing in England Governance and Financial Viability standard requirement: Governance Annual Assessment East Thames Group The Regulatory Framework for Social Housing in England Governance and Financial Viability standard requirement: Governance Annual Assessment 1 Context 1.1 Under the Regulatory Framework,

More information

Information Governance Strategy Includes Information risk & incident management methodology

Information Governance Strategy Includes Information risk & incident management methodology Version 2.0 LOGOLOGO Information Governance Strategy Includes Information risk & incident management methodology Approved by: Quality & Governance Committee Ratification date: May 2014 Review date: May

More information

NORTH SOMERSET COUNCIL. Corporate Information Security Policy

NORTH SOMERSET COUNCIL. Corporate Information Security Policy Corporate Information Security Policy NORTH SOMERSET COUNCIL Corporate Information Security Policy Version 1_8 FINAL Author Date Approved Review Date Contents Authorisation Statement... 3 Document Amendment

More information

Ten Tips for Managing Risks on Convergent Networks The Risk Management Group

Ten Tips for Managing Risks on Convergent Networks The Risk Management Group Ten Tips for Managing Risks on Convergent Networks The Risk Management Group April 2012 Sponsored by: Lavastorm Analytics is a global business performance analytics company that enables companies to analyze,

More information

Information Security Policy

Information Security Policy You can learn more about the programme by downloading the information in the related documents at the bottom of this page. Information Security Document Information Security Policy 1 Version History Version

More information

Information security policy

Information security policy Information security policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review of IS Policy\Current

More information

2.0 RECOMMENDATIONS Members of the Committee are asked to note the information contained within this report.

2.0 RECOMMENDATIONS Members of the Committee are asked to note the information contained within this report. REPORT TO: SCRUTINY COMMITTEE 25 JUNE 2013 REPORT ON: REPORT BY: INTERNAL AUDIT REPORTS CHIEF INTERNAL AUDITOR REPORT NO: 280-2013 1.0 PURPOSE OF REPORT To submit to Members of the Scrutiny Committee a

More information

Audit of Business Continuity Planning

Audit of Business Continuity Planning Cumbria Office of the Police & Crime Commissioner Audit of Business Continuity Planning 0 Cumbria Shared Internal Audit Service Images courtesy of Carlisle City Council except: Parks (Chinese Gardens),

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

Understanding Principles and Concepts of Quality, Safety and Environmental Management System Graham Caddies

Understanding Principles and Concepts of Quality, Safety and Environmental Management System Graham Caddies Understanding Principles and Concepts of Quality, Safety and Environmental Management System Graham Caddies Owner / Principal Advance Profitplan Understanding Principles & Concepts Page 1 of 10 Revision

More information

VEHICLE LOCATION SYSTEM POLICY. Version 0.2. Paul Robinson, Strategic Director, Richard Kniveton, Fleet and Depot Manager

VEHICLE LOCATION SYSTEM POLICY. Version 0.2. Paul Robinson, Strategic Director, Richard Kniveton, Fleet and Depot Manager VEHICLE LOCATION SYSTEM POLICY Version 0.2 Document owner Paul Robinson, Strategic Director, Neighbourhoods Document author Richard Kniveton, Fleet and Depot Manager Document manager Richard Kniveton,

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

Security. CLOUD VIDEO CONFERENCING AND CALLING Whitepaper. October 2015. Page 1 of 9

Security. CLOUD VIDEO CONFERENCING AND CALLING Whitepaper. October 2015. Page 1 of 9 Security CLOUD VIDEO CONFERENCING AND CALLING Whitepaper October 2015 Page 1 of 9 Contents Introduction...3 Security risks when endpoints are placed outside of firewalls...3 StarLeaf removes the risk with

More information

Staffordshire County Council. Records Management Policy

Staffordshire County Council. Records Management Policy Staffordshire County Council Records Management Policy Version Author Approved By Date Published Review V. 2.0 Information Governance Unit Philip Jones, Head of Information Governance 2/11/2012 November

More information

Security & Privacy Current cover and Risk Management Services

Security & Privacy Current cover and Risk Management Services Security & Privacy Current cover and Risk Management Services Introduction Technological advancement has enabled greater working flexibility and increased methods of communications. However, new technology

More information

Rulebook on Information Security Incident Management General Provisions Article 1

Rulebook on Information Security Incident Management General Provisions Article 1 Pursuant to Article 38 of the Law on State Administration (Official Gazette of the Republic of Montenegro 38/03 from 27 June 2003, 22/08 from 02 April 2008, 42/11 from 15 August 2011), The Ministry for

More information

Achieve. Performance objectives

Achieve. Performance objectives Achieve Performance objectives Performance objectives are benchmarks of effective performance that describe the types of work activities students and affiliates will be involved in as trainee accountants.

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

INFORMATION SECURITY: UNDERSTANDING BS 7799. BS 7799 is the most influential, globally recognised standard for information security management.

INFORMATION SECURITY: UNDERSTANDING BS 7799. BS 7799 is the most influential, globally recognised standard for information security management. FACTSHEET The essence of BS 7799 is that a sound Information Security Management System (ISMS) should be established within organisations. The purpose of this is to ensure that an organisation s information

More information

This Time. Safety & Security in ICT Systems INFO 2. Threats to ICT systems. Hacking

This Time. Safety & Security in ICT Systems INFO 2. Threats to ICT systems. Hacking This Time Safety & Security in ICT Systems INFO 2 Oliver Boorman-Humphrey www.oliverboorman.biz This time we look at the need to protect data in ICT systems and the subsequent threats if these measures

More information

Inspection Wales Remit Paper

Inspection Wales Remit Paper Inspection Wales Remit Paper A summary of the remits of the Welsh public sector audit and inspection bodies and the Inspection Wales Programme Issued: July 2015 Document reference: 376A2015 Contents Summary

More information

Information Security Policy

Information Security Policy Information Security Policy Reference No: Version: 5 Ratified by: CG007 Date ratified: 26 July 2010 Name of originator/author: Name of responsible committee/individual: Date approved by relevant Committee:

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information