Version: 5.4
Last Updated: 30/01/14
Review Date: 27/01/17
ECHR Potential Equality Impact Assessment: Low

Management of Police Information (MoPI)

The Hampshire Constabulary recognises that any information it holds must be for a policing purpose and managed in accordance with the force policy on MOPI.

1. About This Policy

1.1. This policy outlines the mandatory security requirements and management arrangements to which Hampshire Constabulary employees and those working on behalf / for the Hampshire Constabulary must adhere.

This policy applies to all personnel (police officers, police staff, special constabulary, contractors, temporary staff and volunteers) who have access to protectively marked material in any form.

This policy is in support of the current version of the Corporate Information Management Strategy.

The Hampshire Constabulary has a responsibility to ensure that its information systems meet the standards set by the ACPO/ACPO(S) Information Systems Community Security Policy.

2. General Principles

2.1. This policy deals with:

a). Governance, Risk Management and Compliance;
b). Protective Marking and Asset Control;
c). Personnel Security;
d). Information Security and Assurance;
e). Physical Security.
3. Statement of Policy

3.1. Governance, Risk Management & Compliance

This section deals with:

a). Governance;
b). Roles, accountability and responsibilities;
c). Risk management;
d). Assurance;
e). Self assessment;
f). Central reporting;
g). Audit and review;
h). Culture, training and professionalism;
i). International Agreements;

Governance

Hampshire Constabulary employees and those working on behalf / for the Hampshire Constabulary are required to familiarise themselves with the requirements of the Security & Information Assurance Procedures and comply with their provisions.

Security requirements for the Force originate from the Cabinet Office. The Hampshire Constabulary Policies and Procedures are aligned to the Cabinet Office Security Policy Framework to enable the effective protection and utilisation of Force assets (people, information and equipment).

The Security & Information Assurance Policies and Procedures outline the mandatory security policy requirements that all must meet when using Force assets or attending Force premises. Under certain circumstances additional security will be required. This could be due to threat levels, threat actors, impact levels etc.

The Security & Information Assurance Policies and Procedures must also be extended, where necessary, to any organisations working on behalf of, or handling Force assets, such as contractors, Local
Authorities, or regular suppliers of goods and / or services.

Roles, accountability and responsibilities

Hampshire Constabulary have designated personnel who have overall responsibility for security within the Force.

The day to day responsibilities for all aspects of Protective Security are managed by the Security & Information Assurance Unit.

Overall responsibility for Force Security rests with the Deputy Chief Constable who takes the role of the Senior Information Risk Owner (SIRO).

Managers

To be aware of Information Security Policies and Procedures and their individual responsibility as well as those of their staff; to ensure compliance in their area of responsibility.

To regularly monitor staff IT accounts and information processes to ensure compliance.

Employees, volunteer and non police personnel working on behalf or with the Constabulary

Are responsible for compliance with the Information Security Policies and Procedures to ensure that security measures are adhered to in order to prevent / minimise vulnerabilities to the organisation, its staff and its assets.

Risk Management

The Hampshire Constabulary have adopted a risk management approach to cover all areas of protective security across the organisation.

All Hampshire Constabulary assets must be registered and the person responsible for those assets must be identified and aware of their responsibilities.

Asset owners will need to understand the vulnerability and likelihood of attack from various threats, value them in terms of the impact from loss or failure of
confidentiality, integrity and availability and assign a proportionate level of protection to mitigate, and / or recover from, the potential loss or failure of those assets. The identified risk should be reviewed annually.

Audit and review

The Security & Information Assurance Unit will conduct internal reviews of security arrangements throughout the Force. These will include OpSec and Protective Security reviews.

The Security & Information Assurance Unit must demonstrate compliance with the controls contained within the Information Assurance Maturity Model.

Culture, training and professionalism

Hampshire Constabulary will ensure that:

a). Board members responsible for security undergo security and risk management familiarisation upon appointment;
b). All members of the Security & Information Assurance Unit will receive relevant training from agencies such as the Centre for Protection of National Infrastructure (CPNI) at the earliest opportunity after appointment;
c). Security education and awareness will be built into all staff inductions, with regular familiarisation thereafter;
d). Hampshire Constabulary plan to foster a culture of proportionate protective security;
e). All security incidents will be reported as per The HANTSPOL Guidance and Instruction for Information Security to the Sy & IA Unit or via Confide in Us to allow for anonymous reporting of security incidents.

International Security agreements

Hampshire Constabulary will ensure that they will adhere to any UK obligations in multilateral or bilateral international agreements.

Protective marking and asset control
This section deals with:

a). Legal Requirements;
b). Official Secrets Acts;
c). Data Protection Act 1998;
d). Freedom of Information Act;
e). The need to know principle;
f). International Security Standards;
g). International Security Agreements;
h). Material originating outside of HMG;
i). The Government Protective Marking Scheme;
j). Universal Controls;
k). Breaches;

Legal requirements

Hampshire Constabulary staff are to familiarise themselves with the Official Secrets Acts, Data Protection Act and Freedom of Information Act. Staff handling protectively marked information will be given guidance on how this legislation relates to their role.

Official Secrets Acts

Hampshire Constabulary employees will sign up to the Official Secrets Act on the signing of their contract.

Data Protection Act 1998 (DPA)

All Hampshire Constabulary employees must follow the minimum standards and procedure for handling citizen or personal data.

Procedure Data Protection describes Hampshire Constabulary employees' responsibility under the Data Protection Act.

Freedom of Information Act (FOIA)
Any protectively marked material that is to be released under the Freedom of Information Act is de-classified first and is marked as such. The originator, or specified owner, must be consulted before protectively marked material can be de-classified.

Procedure Freedom of Information Responding to Requests describes the procedure to be followed by Hampshire Constabulary when dealing with FOIA requests.

MOPI

The Hampshire Constabulary will manage police information in accordance with the principles of the Code of Practice on the Management of Police Information, and the MoPI guidance.

For more information see Policy Management of Police Information (MoPI).

The need to know principle

Access to protectively marked assets is only to be granted on the basis of the need to know principle.

For more information see The Hantspol guidance & Instruction on Information Security.

International security standards

The GPMS is designed to meet the principles of the international standard of Information Security Management Systems (ISO/IEC series).

Material originating outside of Her Majesty's Government (HMG)

Hampshire Constabulary employees must ensure that non-HMG material which is marked to indicate sensitivity is handled at the equivalent level within the Protective Marking Scheme, or where there is no equivalence, to the level offered by PROTECT as minimum.

The Government Protective Marking System (GPMS)
All personnel must apply the Protective Marking in accordance with Government Protective Marking Scheme (GPMS) and the necessary controls and measures as outlined in this policy and subordinate linked documentation.

For more information see Procedure and the Security & Information Assurance Intranet pages:

Universal controls

The following baseline controls must be followed for all protectively marked material:

Access is granted on a genuine need to know and use basis.

Assets must be clearly and conspicuously marked. Where this is not possible staff must have the appropriate security control and be made aware of the protection and controls required.

Only the originator or the designated owner can protectively mark an asset. Any change to the protective marking requires the originator or designated owner's permission. If they cannot be traced, a marking may be changed, but only by consensus with other key recipients.

Assets sent overseas must be protected as indicated by the originator's marking and in accordance with any international agreement. Particular care must be taken to protect assets from foreign Freedom of Information legislation by use of national prefixes and caveats of special handling instructions.

When destroying official records, held on any media, consideration must be given to those records that may be of historical interest; the following link refers: Disposal Schedule Historical Records

A file, or group of protectively marked documents or assets, must carry the protective marking of the highest marked document or asset contained within it (e.g. a file containing CONFIDENTIAL and RESTRICTED material must be marked CONFIDENTIAL).

Breaches
Deliberate or accidental compromise of protectively marked assets may lead to disciplinary, performance and / or criminal proceedings.

All security breaches will be reported to the Security & Information Assurance Unit:

a). Phone: ;
b). Security Incident Mailbox

For more information on Security Breaches see Procedure

Personnel Security

This section deals with:

a). Risk Management;
b). Force Security Vetting;
c). National Security Vetting;
d). Ongoing personnel security management ("Aftercare");
e). Appeals;

Risk Management

Hampshire Constabulary, as a part of the risk management approach to protective security, will assess the need to apply personnel security controls against specific posts and the access to sensitive assets (designated posts).

Hampshire Constabulary employ a risk management approach to Personnel Security in accordance with protective security principles. These seek to reduce the risk of damage, loss, or compromise of Hampshire Constabulary assets and/or reputation by application of personnel security controls before and during employment. These controls do not provide a guarantee of reliability and must be supported by effective line management, nor should they be considered an alternative to the correct application of the need to know principle.
Hampshire Constabulary, when making a decision on a security clearance, will take into account all information available to them and will evidence their decision.

When making a vetting decision, judgement is exercised and all the information obtained during the clearance process is taken into consideration. The existence of one or more factors of concern does not necessarily or conclusively demonstrate unreliability or present an unmanageable risk. The PSVU will consider the nature, likelihood and credibility of the threat and adopts the ACPO National Vetting Policy as guidance for all of the Unit's processes and assessment criteria.

Force Security Vetting

All personnel wishing to join Hampshire Constabulary, or provide a service which requires access to its premises or information assets, must be subject to the appropriate vetting process as per the Association of Chief Police Officers (ACPO) National Vetting Policy.

National Security Vetting

Hampshire Constabulary will apply National Security Vetting only where it is necessary, proportionate and adds real value and in accordance with the ACPO National Vetting Policy and Government Protective Marking Scheme.

Ongoing personnel security management ("Aftercare")

Hampshire Constabulary will conduct aftercare as required by the ACPO National Vetting Policy. This will include formal reviews of all vetting clearances. Managers and individuals must participate in the process and are responsible for informing the Personnel Security & Vetting Unit (PSVU) of any change in circumstance that may impact on the suitability to hold security clearance.

Appeals

Vetting Unit Homepage

Hampshire Constabulary record all vetting results and will report where appropriate to the Professional Standards Tactical and Strategic TCG.
3.4. Information Security & Assurance

This section deals with:

a). Information security;
b). Managing information risk;
c). Business impact;
d). Personal data;
e). Roles and responsibilities;
f). Accreditation and audit;
g). Codes of connection and technical controls;
h). Cryptography;
i). Eavesdropping and Electro-magnetic countermeasures;
j). Remote working / mobile media;
k). Procurement;
l). Reporting incidents;
m). Secure disposal;
n). Education, training and awareness;
o). Business continuity and disaster recovery planning;

Information Security

Hampshire Constabulary employees, and those working on behalf / for the Hampshire Constabulary MUST adhere to all Hampshire Constabulary security policies and supporting procedures.

Managing information risk

As a part of the risk management and accreditation process an annual technical risk assessment of Hantspol and other relevant systems and applications will be completed.
Business impact

Hampshire Constabulary will, in conjunction with the Protective Marking System, use Business Impact Levels (ILs) to assess and identify the impacts to the business through the loss of Confidentiality, Integrity and / or Availability of data and / or assets, should the risk be realised. Aggregation of data will be considered as a factor determining ILs.

Personal data

Hampshire Constabulary employees and those who work for / on behalf of the Constabulary must comply with the data protection principles as set out in the Data Protection Act 1998 and Procedure to ensure a high level of confidence that personal data is handled correctly.

Roles and responsibilities

Information risk must be specifically addressed in the departmental annual Statement on Internal Control (SIC), which is signed off by the Chief Constable.

Accreditation and audit

All Hampshire Constabulary Information Systems will be formally accredited prior to installation. Accreditation will be reviewed annually or more often where re-accreditation conditions apply.

The HANTSPOL Accreditation Document Set contains the necessary information security assurance and risk calculations.

All new information assets and ICT systems will have an audit functionality to enable regular compliance checks and which will include a forensic readiness plan that will maximise the ability to preserve and analyse data generated by an ICT system that may be required for legal and management purposes.

All new ICT systems must have suitable identification and authentication controls to enable the risk of unauthorised access to be managed and to enable auditing and the correct management of user accounts.
Codes of connection and technical controls

Hampshire Constabulary will follow the requirements of any codes of connection and / or shared services security policies to which they are signatories.

Hampshire Constabulary have the following technical policies in place, policy refers:

a). Patching policy;
b). Policy to manage risks posed by all forms of malicious software ("malware"), including viruses, spyware and phishing etc;
c). Boundary security devices (e.g. firewalls);
d). Content checking / blocking policy;
e). Lockdown policy to restrict unnecessary services and ensure that no user has more privileges than required;

Cryptography

The Hampshire Constabulary will ensure that information where appropriate will be encrypted to the appropriate level. All CAPS approved encryption is kept in accordance with HMG IA Standard No

For more information contact the Security & Information Assurance Unit.

Remote working / mobile media

See Procedure for information on remote working (e.g. home or mobile). This procedure sets out the correct practices when working remotely.

Procurement

Security requirements will be specified in all contracts where applicable. Security requirements are mandatory for all ICT contracts and those contracts where personal data is involved.

Reporting incidents
All actual and suspected security incidents must be reported to the Security & Information Assurance Unit by emailing the Security Incidents Mailbox or calling

For more information on reporting security incidents see procedure

Secure disposal

All media used for storing or processing protectively marked or otherwise sensitive information must be disposed of or sanitised securely.

For more information on secure disposal see procedure

Education, training and awareness

All Hampshire Constabulary employees will receive appropriate security awareness and training, be familiarised with Security Operating Procedures (SyOPs) and will be made aware of the process for reporting incidents.

Business continuity and disaster recovery planning

Hampshire Constabulary will ensure that Business Continuity and Disaster Recovery Plans are in place at all relevant locations.

For more information on Business Continuity see Policy

Extensions to the Force Network

Extending the Force data network into premises that are not under the control of the Hampshire Constabulary will incur vulnerabilities and impacts on the confidentiality, integrity and availability of our information systems. For further details on the process for extending the force data network into new locations and premises see link to Remote Access (Network Extensions)

3.6. Physical Security

This section deals with:
a). Purpose;
b). Defence in Depth;
c). Storage of sensitive assets;
d). Secure containers;
e). Secure rooms;
f). Office areas;
g). Building security;
h). Physical access control;
i). Incoming mail and deliveries;
j). CCTV

Purpose

Physical security involves the appropriate layout and design of facilities, combined with suitable security measures, to prevent unauthorised access and protection of Hampshire Constabulary, people, information, materials and infrastructure. This requires putting in place, or building into design, measures that prevent, deter, delay and detect, attempted or actual unauthorised access, acts of damage and / or violence, and triggers an appropriate response.

Hampshire Constabulary's Baseline Objectives for the access, storage, control and transmission and disposal and destruction of assets can be found here

Defence in Depth

Hampshire Constabulary will adopt a layered approach to physical security.

Storage of sensitive assets

In order to identify appropriate security measures the Security & Information Assurance Unit will conduct a Physical Security Assessment.
Critical, sensitive and protectively marked assets must be located in secure Hampshire Constabulary premises or approved premises and be protected by a defined perimeter where possible, with appropriate security barriers and entry controls.

Security containers

Protectively Marked or valuable material must be secured in appropriate security containers. Large amounts of protectively marked material or equipment which cannot be stored in a security container must be stored in a secure room.

For more information on Protective Marking see Procedure

Secure rooms

Rooms holding protectively marked material or sensitive assets will have windows, doors, locks and entry control which meets the appropriate standard.

Offices must be adequately secured when unoccupied, e.g. windows and doors closed and where applicable locked.

Office areas

Hampshire Constabulary recognise and use the Need to Know principle. This is used to ensure that access to protectively marked material by individuals who do not have a need to access it is avoided.

Where practicable (adequate storage is available) a clear desk policy will exist. The purpose of a clear desk policy is to ensure that sensitive material is not left unattended.

A clear screen and wall policy will be enforced. Screens must be positioned to prevent overlooking (e.g. overlooked by a window or reflective surfaces); where this is not possible other measures must be introduced, for example blinds.

Buildings

Hampshire Constabulary will assess the security risks to its estate ensuring that security is fully integrated
at an early stage in the process of planning, selecting, designing and modifying their facilities.

In any building in which protectively marked or other valuable assets are stored physical security controls will exist; these will take into account the level of sensitivity and the level of threat to the site or assets.

Sensitive / covert sites and areas

These sites / areas will include but are not limited to:

a). Special Branch;
b). Major Crime;
c). Specialist Investigations;
d). Scientific Services;
e). Serious and Organised Crime;
f). Intelligence Directorate;
g). Professional Standards Department Anti-Corruption Unit;
h). Professional Standards Department Security and Information Assurance

Those sites listed above and those that use CONFIDENTIAL systems will require a higher level of security.

For advice on additional security measures please contact the Security & Information Assurance Unit.

Physical Access Control

Hampshire Constabulary will control access to its estate using safeguards that will prevent unauthorised access.

Hampshire Constabulary staff must familiarise themselves with this policy and this guidance on physical access.

Access control refers to the practice of controlling and monitoring access to a property or asset.
All Hampshire Constabulary employees and non-police personnel working for or on behalf of the Constabulary are required to wear (if not in uniform) / carry their ID / Warrant Card when on Hampshire Constabulary premises (See procedure 06104).

Hampshire Constabulary employees are encouraged to challenge any individual who is not wearing an authorised identity card or uniform.

To restrict entry, Hampshire Constabulary premises will have either an automatic access control system (AACS), which works in conjunction with the ID / Warrant card to allow access for authorised personnel only, or alternatively Mechanical Push Button Locks (MPBL) will be used.

A visitor is classed as someone for whom the station they are attending is not their normal place of work and/or who is not employed by Hampshire Constabulary, e.g. contractor, from another agency. Visitors must report to either the reception or a staff member to advise of their presence.

Visitors must:

a). Sign in and out of Hampshire Constabulary premises;
b). Wear a temporary pass which must be returned on leaving;
c). Be escorted whilst in the building;
d). Regular contractors who have free and unsupervised access to the building must be vetted

CCTV

Where CCTV is installed it will be done in accordance with the Data Protection Act.

Working away from Hampshire Constabulary Premises

For information on how to securely work away from Hampshire Constabulary premises see procedure
4. Implications of the Policy

4.1. Financial Implications / Best Value

The implementation of the required information security standards will incur substantial resource implications for the Hampshire Constabulary. The cost of physical and technical security controls required for new initiatives will be included in their procurement.

Staffing / Training

All staff in the Force will receive relevant training with regard to information security and will be required to reaffirm compliance with the Security Operating Procedures annually. Computer based training has been developed for Information Security and Data Protection; this must be completed by all new starters.

Bureaucracy

It is not envisaged that this policy will produce any undue bureaucracy.

Risk

The main risk attached to the implementation of this policy would be through budgetary restriction.

Consultation

In creating this policy, consultation has been carried out with:

5. Monitoring / Evaluation

5.1. The Professional Standards Department is responsible for the monitoring and, where appropriate, the enforcement of all breaches of Policy - Information Security and associated procedures.
6. Review

6.1. This policy will be reviewed every three years or more frequently as deemed necessary.

7. Related Policies, Procedures and Information Sources

7.1. Related Force Policies/Procedures

Professional Standards
IT Security Management
Security at Police Buildings

7.2. Information Security Procedures

The HANTSPOL Guidance & Instruction for Information Security
User's Responsibilities in Respect of Information Systems
Remote Working / Mobile Media
Force Identity & Warrant Cards & PCSO Designation Cards
Protective Marking
Secure Erasure / Disposal
Data Protection
Freedom of Information Responding to Requests
Information Sharing
Use of Internet Web Browsing
Security at Police Buildings

7.3. Information Sources

HMG Security Policy Framework
HMG Information Assurance Standards
ACPO / ACPOS Information Systems Community Security Policy
AD203 Equality Impact Assessment

Origin: Information Management
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
University of Brighton School and Departmental Information Security Policy This Policy establishes and states the minimum standards expected. These policies define The University of Brighton business objectives
THE OBLIGATIONS INTERCEPTION OF COMMUNICATIONS CODE OF PRACTICE If you ve been served with a Technical Capability Notice, here are some of things that will be required of you. v 8.3 The obligations the
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT
Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational
Information Security Policy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
Appendix 1 Information Security Information Security Policy Document Responsible Officers: Approved by Version: Date: Hayley Green, Head of Buildings and Facilities Final (to be added) Contents 1 Introduction...
Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security
Policy No: OP58 Version: 2.0 Name of Policy: Anti Virus Policy Effective From: 28/11/2014 Date Ratified 17/09/2014 Ratified Health Informatics Assurance Committee Review Date 01/09/2016 Sponsor Director
Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications
Policy Title CCMT Sponsor Department/Area Section / Sector Gifts, Hospitality, Discounts, Travel, Concessions and Other Potential Conflicts of Interest Deputy Chief Constable Professional Standards Headquarters
Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...
Data Protection Policy Date approved by Heads of Service 3 June 2014 Staff member responsible Director of Finance and Corporate Services Due for review June 2016 Data Protection Policy Content Page 1 Purpose
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
TITLE CCMT Sponsor Department/Area Section/Sector VETTING POLICY Deputy Chief Constable Professional Standards Department Force Security 1.0 Rationale 1.1 This policy adopts the requirements of the ACPO
BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy
Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,
Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives
Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages
Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is
Information Protective Marking and Handling Policy Change History Version Date Description Author 0.1 11/01/2013 First Draft Anna Moore 0.2 28/02/2013 Amended taking into account SSTP protective marking
Proforma: Information Policy Security & Corporate Policy Procedures Status: Approved Next Review Date: April 2017 Page 1 of 17 Issue Date: June 2014 Prepared by: Information Governance Senior Manager Status:
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
Quick Guide To Information Governance Policies Data Protection The Data Protection Act 1998 established principles and rights in relation to the collection, use and storage of personal information by organisations.
Risk Management Authority Records Management Plan RMA Records Management Plan 0 Contents Page 1. Introduction 2 1.1 Background 2 1.2 Records Management in the RMA 3 1.3 Records covered by this Plan 3 1.4
INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information
NCC Records Management and Disposal Policy Issue No: V1.0 Reference: NCC/IG4 Date of Origin: 12/11/2013 Date of this Issue: 14/01/2014 1 P a g e DOCUMENT TITLE NCC Records Management and Disposal Policy
Merthyr Tydfil County Borough Council Information Security Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of
London Borough of Enfield Data Protection Policy Author Mohi Nowaz Classification UNCLASSIFIED Date of First Issue 10/08/2012 Owner IGB Issue Status DRAFT Date of Latest Re-Issue 12/09/2012 Version 0.6
Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be
Information security policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review of IS Policy\Current