Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Size: px
Start display at page:

Download "Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager"

Transcription

1 Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security and Compliance Manager Information and Library Services Issue th January th January 2017 Information Assurance and Security Committee 1

2 1.0 Introduction University of Greenwich Information Security and Assurance Policy University of Greenwich information assets are valuable to its objectives. The confidentiality, integrity and availability of University information assets are essential to the success of its operational and strategic activities. The University aims to secure its information assets by establishing an information security strategy that will enable the implementation of a robust information security risk management system and foster good security practices across its campuses. The Information Security Policy is a key component of the University s Information Security Strategy built on a framework of information security management standards and best practices. The Information Security Policy will serve as an overarching policy document to provide a high level overview of information security management within the University. The Information Security Policy will be supplemented by a suite of policies, processes, standards and procedures that will set out the expectations for information security within the University, and will provide clear guidelines to staff, students and other users of University information assets of their responsibilities for appropriate use and safety of these assets, and their legal obligations to comply with related statutory requirements. 2.0 Objectives The objectives of the Information Security Policy are: a) To ensure that University information assets are available when required to authorised users. b) To ensure that University information assets are adequately protected against unauthorised access, malicious or accidental loss, misuse or damage. c) To ensure that all users of University information assets are aware of and fully comply with this policy and supplementary policies, processes, standards, procedures and guidelines. d) To ensure that all users of University information assets understand their responsibilities for protecting the confidentiality and integrity of University information assets. e) To ensure that the risks to University information assets are appropriately managed. f) To ensure that information security incidents are resolved promptly and appropriately. g) To ensure that the University meets relevant audit and statutory requirements. h) To ensure there is an efficient disaster recovery plan in place. 2

3 i) To protect the University from any legal liability resulting from information security incidents. 3.0 Scope The Information Security Policy and supplementary policies, processes, standards and procedures apply to all forms of information stored, used or processed by the University including but not limited to all paper records and information held on electronic devices. The policy also applies to all information systems owned or leased by the University including information systems managed by third parties on behalf of the University. The policies apply to all staff, students, contractors and third party agents who access, use, handle or manage all University information assets. 4.0 Principles The following principles govern the University's information security approach: a) The University will adopt ISO Information Security Management Standard as a framework for its Information Security Strategy along with other supporting good practices from JISC and UCISA, and will ensure continuous assessment, development and maturity of the strategy. b) The University will adopt an information security risk management approach in line with the Institutional Risk Management Policy to ensure information security risk mitigation efforts reflect the University s risk appetite. c) The Information Security Policy and supplementary policies, processes, standards, procedures and guidelines will be communicated to all users via training and awareness sessions, inductions, University intranet and internet, bulletins and other appropriate communication channels. d) University data (information) will be classified and provided with appropriate safeguards commensurate to their value, ensuring they are available when needed and protected against unauthorised or inappropriate access or use. e) User access to the University s information assets will be based on job requirements rather than job titles. Access rights will be reviewed at regular intervals and revoked if or where necessary. f) The University believes that information security is the responsibility of its information asset users, and will set out the responsibilities for the strategic leadership, management and coordination of the information security strategy, and use of its information assets via relevant policies, job descriptions and terms and conditions of employments. 3

4 g) The University will establish and promote an information security awareness culture amongst its information asset users through user awareness and training, publications on information security risks and incidents, and guidelines for managing them. h) Disaster recovery plans for mission critical information assets and related services will be established, tested and maintained. i) The University will implement an incident reporting and management system to enable prompt and appropriate incident resolution activities and inform risk assessments and management. j) The University will enforce and monitor compliance with the Information Security Policy, supplementary policies, processes, standards, procedures and guidelines. 5.0 Compliance The University has an obligation to comply with relevant legal and statutory requirements. The Information Security Policy and supplementary policies, processes, standards, procedures and guidelines are to promote and enforce compliance with applicable laws by providing directions and guidelines on good information security practices to underpin the University s compliance with these laws. The applicable laws include but are not limited to: a) Data Protection Act (1998) b) Copyright, Designs and Patents Act (1988) c) Computer Misuse Act (1990) d) Counter- Terrorism and Security Act 2015 and Prevent Duty Guidance: for Higher Education Institutions in England and Wales e) Public Interest Disclosure Act f) Computer related legislation g) Other relevant legislations that may influence this policy 5.1 Relationship with other policies The Information Security Policy is related to the University s data privacy, risk and information management policies to facilitate the implementation of relevant requirements set out in the related policies in order to assure compliance with the statutory laws that govern these policies. These policies include: a) Data Protection Policy b) Information and Records management Policy 4

5 c) Archiving Policy d) Risk Management Policy All users of University information assets must comply with the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines and must also keep abreast of updates to these policies. Failure to adhere to the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines will be addressed by necessary disciplinary actions in accordance to the University s Staff Disciplinary Procedures, Student Disciplinary Regulations and Procedures and relevant contractor and third party contractual clauses relating to non- conformance with the Information Security Policy and related policies. 6.0 Responsibilities for Information Security 6.1 Vice Chancellor s Group The Vice Chancellor s Group is ultimately responsible for information security management and compliance with related statutory laws in the University. The Vice Chancellor s Group is responsible for the strategic direction of information security within the University including: a) Ensuring the information security strategy aligns with University objectives. b) Endorsing the implementation of approved policies, processes, standards and procedures. c) Resourcing and supporting information security initiatives. d) Ensuring risks are mitigated to acceptable levels. 6.2 IT Strategy Board The IT Strategy Board will be responsible for: a) Ensuring that information security is properly managed across the University. b) Driving the allocation of resources and supporting the implementation of information security initiatives. c) Engaging with the Information Assurance and Security Committee (IASC) to facilitate an information security awareness culture in the University. d) In collaboration with the Information Assurance and Security Committee, advise the Vice Chancellor s Group on matters relating to information security management and compliance assurance. 6.3 Information Assurance and Security Committee (IASC) 5

6 The Information Assurance and Security Committee will provide leadership on the management of information security within the University and serve as an advisory body to the Vice Chancellor s Group (VCG) via the IT Strategy Board on information security matters. The committee s responsibilities are: a) To facilitate the establishment of the Information Security Management Strategy. b) To facilitate the development, implementation and evolvement of the strategy. c) To define the University s information security risks appetite and approach for mitigating related risks. d) To facilitate an information security awareness culture. e) To review, recommend and approve relevant policies, procedures, standards and processes. f) To ensure compliance with relevant policies, audit and statutory requirements. g) To facilitate the implementation of information security initiatives and provide governance oversight on progress and outcomes. h) To review information security requirements for major IT and data sharing/migration projects and recommend best practices. i) To review major information security incidents and lessons learned and make recommendations. j) To advise and recommend response plans to related internal and external audit findings. k) To engage and advise the VCG on information security management and compliance assurance via the IT Strategy Board. 6.4 Information Security Management (Information and Library Services) Information Security Management sits within the Information and Library Services (ILS) Directorate and is responsible for: a) Coordinating the implementation of the Information Security Strategy and Policy, and supplementary policies, processes, standards, procedures and guidelines across the University. b) Communicating the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines to all users of its information assets. c) Coordinating the implementation of the Information Security Awareness and Training Plan. d) Monitoring compliance with the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines. e) Updating the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines to ensure they remain fit for purpose. f) Managing the implementation of information security risk assessments and relevant mitigation controls; monitoring and reporting on risks to the IASC. 6

7 g) Managing and monitoring incidents and reporting findings to the IASC. h) Monitoring the state of University information security and reporting on findings and key performance indicators to the IASC to inform the Statement of Internal Control. i) Monitoring and analysing external information security attack trends and advising the IASC of related risks to the University. 6.5 All Users (staff, students, contractors and third party agents) All individuals who access, use, handle and manage University information assets are responsible for: a) Familiarising themselves with the Information Security Policy, related policies, processes, standards, procedures and guidelines. b) Familiarising themselves and agreeing to comply with their legal responsibilities for appropriate use and safety of University information assets. c) Completing relevant information security awareness and training courses. d) Reporting information security incidents via the appropriate procedure promptly. 7.0 Risk Management The University s Risk Management Policy is a high level document that sets out the University s approach for managing and reducing risks to an acceptable level. In line with the Risk Management Policy, the University will develop an information security risk management system to support faculties and administrative offices in identifying internal and external risks to the security of the University s information assets they are responsible for. Relevant, appropriate and cost effective controls along with necessary training where applicable will be implemented in a timely manner to mitigate identified risks. In addition, the information security risk management system will be a tool for evaluating the effectiveness of risk mitigation controls, and will inform the recommendation and implementation of new or additional controls where necessary, and ensure continuous monitoring of risks. 8.0 Awareness and Training Information Security awareness and training will be a key component of the University s information security strategy designed to strengthen users compliance with University information security policies and the University s compliance with audit and statutory requirements. 7

8 Through information security awareness and training, the University aims to establish an information security conscious culture, providing basic knowledge and relevant skills that will enable users to carry out their information security responsibilities, and promoting good security practices amongst users of its information assets. University staff and students must complete relevant awareness and training courses made available by the University. Contractors and third parties will be responsible for providing necessary awareness and training to their staff. 9.0 Data Classification and Information Handling Data classification and appropriate information handling procedures will facilitate good information management within the University to ensure that University data (from creation to retention and/or destruction) is handled in a manner that safeguards the confidentiality, integrity and availability of the data. In order to achieve this, The University will establish a Data Classification Policy and Information Handling Procedures that will set out how University data should be accessed, used and handled, and the appropriate controls that should be implemented commensurate with the sensitivity and criticality of the data. All users of University data are required to familiarise themselves with the Data Classification Policy and information handling procedures in order to engage in suitable security practices to protect University data from unauthorised access, disclosure, modification, loss, theft or damage Disaster Recovery Plan The University has a responsibility to establish processes that will ensure essential business operations and services are sustained while recovering from a major information system failure or a disaster. There is a University Business Continuity Plan (BCP), covering all essential and critical business activities, and is supplemented by the IT Disaster Recovery Plan, which provides the procedures to be followed in order to optimise continuity of IT services, and then enable a return to normal operations in the event of a disaster. Information Security Management in consultation with relevant staff and parties across the University will undertake business impact analyses and risk assessments of critical systems and services within the University s IT infrastructure, identifying the levels of risks to the Institution as a result of a system 8

9 or service unavailability. This includes the risk to operations, teaching, research, legal obligations and reputation. The outcomes of the risk assessments will serve to indicate the criticality of each system and related service and therefore determine the appropriate recovery and continuity provision for each component Incident Management The management of information security incidents in a prompt and appropriate manner will enable the University to efficiently mitigate the risks and any legal implications that may be associated with information security incidents. The University s Data Security Breach Policy sets out the procedure and guidelines for reporting information security and data breach incidents. The Data Security Breach Policy is available to all users via the University s internet and intranet. All users are responsible for complying with the statements and steps detailed in the Policy. In addition, the University aims to implement a problem management system that will facilitate an optimised incident notification, escalation, response, and resolution process allowing efficient use of relevant resources in addressing information security incidents Policy Review and Maintenance This policy will be reviewed and updated regularly to ensure that it remains appropriate in light of changes to business requirements, statutory laws or contractual obligations Definitions Authorised Users (in the context of this policy and related documents) Availability Business Impact Analysis Confidentiality All users who access, handle, process, store, share or manage the University s information assets. These are University staff, students, contractors and third party agents. Information assets are accessible only to authorised users when required. A process for determining the impact of a loss or unavailability of an information asset or service to an organisation. Access to and sharing of sensitive or personal information is restricted only to authorised users. 9

10 Information Assets (in the context of this policy and related documents) Information Processing Facilities Information Systems Integrity Key information assets Risk Risk Assessment A collection of information (paper or digital format), hardware, software, infrastructure and services that support the implementation of University strategic and operational activities. IT system or service, location, building or infrastructure that houses information processing systems and services. Information processing computers or data communication systems. The preservation of the complete, accurate and validate state of information assets. Information assets that are highly essential to University critical activities and services. The probability of an exploited weakness and its resulting consequence leading to an adverse event. A process for identifying and evaluating risks Links Links to University related information security policies, processes, standards, procedures and guidelines. Links to the Data Protection policy and related documents. 10

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY ISO 27002 5.1 Author: Owner: Organisation: Chris Stone Ruskwig TruePersona Ltd Document No: SP- 5.1 Version No: 1.0 Date: 10 th January 2010 Copyright

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

Information Security Policy

Information Security Policy You can learn more about the programme by downloading the information in the related documents at the bottom of this page. Information Security Document Information Security Policy 1 Version History Version

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Information Security Policy

Information Security Policy Information Security Policy Reference No: Version: 5 Ratified by: CG007 Date ratified: 26 July 2010 Name of originator/author: Name of responsible committee/individual: Date approved by relevant Committee:

More information

INFORMATION SECURITY MANAGEMENT POLICY

INFORMATION SECURITY MANAGEMENT POLICY INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June

More information

Information security policy

Information security policy Information security policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review of IS Policy\Current

More information

NHS Business Services Authority Information Security Policy

NHS Business Services Authority Information Security Policy NHS Business Services Authority Information Security Policy NHS Business Services Authority Corporate Secretariat NHSBSAIS001 Issue Sheet Document reference NHSBSARM001 Document location F:\CEO\IGM\IS\BSA

More information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information 6 th Floor, Tower A, 1 CyberCity, Ebene, Mauritius T + 230 403 6000 F + 230 403 6060 E ReachUs@abaxservices.com INFORMATION SECURITY POLICY DOCUMENT Information Security Policy Document Page 2 of 15 Introduction

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

More information

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

IT Security Policy - Information Security Management System (ISMS)

IT Security Policy - Information Security Management System (ISMS) IT Security Policy - Information Security Management System (ISMS) Responsible Officer Contact Officer Vice-President, Finance & Operations Chief Digital Officer Superseded Documents IT Security Policy,

More information

Information Security: Business Assurance Guidelines

Information Security: Business Assurance Guidelines Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

Procedures. Issue Date: June 2014 Version Number: 2.0. Document Number: POL_1009. Status: Approved Next Review Date: April 2017 Page 1 of 17

Procedures. Issue Date: June 2014 Version Number: 2.0. Document Number: POL_1009. Status: Approved Next Review Date: April 2017 Page 1 of 17 Proforma: Information Policy Security & Corporate Policy Procedures Status: Approved Next Review Date: April 2017 Page 1 of 17 Issue Date: June 2014 Prepared by: Information Governance Senior Manager Status:

More information

Information and Communication Technology. Information Security Policy

Information and Communication Technology. Information Security Policy BELA-BELA LOCAL MUNICIPALITY - - Chris Hani Drive, Bela- Bela, Limpopo. Private Bag x 1609 - BELA-BELA 0480 - Tel: 014 736 8000 Fax: 014 736 3288 - Website: www.belabela.gov.za - - OFFICE OF THE MUNICIPAL

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Brain-CODE. Security Policies. Version 1.4

Brain-CODE. Security Policies. Version 1.4 Brain-CODE Security Policies Version 1.4 May 09, 2014 Brain-CODE Information Security Policy May 09, 2014 Introduction Information stored in Brain-CODE is an asset that OBI has a duty and responsibility

More information

Information Security Policy

Information Security Policy Central Bedfordshire Council www.centralbedfordshire.gov.uk Information Security Policy January 2016 Security Classification: Not Protected 1 Approval History Version No Approved by Approval Date Comments

More information

Harper Adams University College. Information Security Policy

Harper Adams University College. Information Security Policy Harper Adams University College Information Security Policy Introduction The University College recognises that information and information systems are valuable assets which play a major role in supporting

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

Information Security Policy

Information Security Policy Information Security Policy v2.0 Target Audience: Policy Endorsed by: ESCC Staff, members and other agencies handling ESCC information Governance Committee Final V2.0 Page 1 of 13 Information Security

More information

Data Protection Breach Management Policy

Data Protection Breach Management Policy Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/

More information

Quick Guide To Information Governance Policies

Quick Guide To Information Governance Policies Quick Guide To Information Governance Policies Data Protection The Data Protection Act 1998 established principles and rights in relation to the collection, use and storage of personal information by organisations.

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

Information Security Management System Policy

Information Security Management System Policy Information Security Management System Policy Public Version 3.3 Issued Document Name Owner P079A ISMS Security Policy Information Security Security Policies, Standards and Procedures emanate from the

More information

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter Pennsylvania State System of Higher Education California University of Pennsylvania UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter Version [1.0] 1/29/2013 Revision History

More information

Information Security Policy

Information Security Policy Information Security Policy Revised: September 2015 Review Date: September 2020 New College Durham is committed to safeguarding and promoting the welfare of children and young people, as well as vulnerable

More information

Information Management Responsibilities and Accountability GUIDANCE September 2013 Version 1

Information Management Responsibilities and Accountability GUIDANCE September 2013 Version 1 Information Management Responsibilities and Accountability GUIDANCE September 2013 Version 1 Document Control Document history Date Version No. Description Author September 2013 1.0 Final Department of

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Information Security Policy

Information Security Policy Information Security Policy Version 2 Date Approved by Board 8 March 2016 Date of previous approval 4 February 2014 Date of next Review February 2018 You may also be interested in the following policies:

More information

IT Governance Charter

IT Governance Charter Version : 1.01 Date : 16 September 2009 IT Governance Network South Africa USA UK Switzerland www.itgovernance.co.za info@itgovernance.co.za 0825588732 IT Governance Network, Copyright 2009 Page 1 1 Terms

More information

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection Crime Statistics Data Security Standards Office of the Commissioner for Privacy and Data Protection 2015 Document details Security Classification Dissemination Limiting Marker Dissemination Instructions

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Information Governance Framework. June 2015

Information Governance Framework. June 2015 Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

More information

Information and Compliance Management Information Management Policy

Information and Compliance Management Information Management Policy Aurora Energy Group Information Management Policy Information and Compliance Management Information Management Policy Version History REV NO. DATE REVISION DESCRIPTION APPROVAL 1 11/03/2011 Revision and

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY Information Security Policy INFORMATION SECURITY POLICY Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies

More information

Mike Casey Director of IT

Mike Casey Director of IT Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

Information Security Policy

Information Security Policy Information Security Policy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

DWP INFORMATION SECURITY POLICY

DWP INFORMATION SECURITY POLICY DWP INFORMATION SECURITY POLICY Contents Background... 1 Scope... 1 Accountabilities... 2 Policy Statements... 2 Responsibilities... 3 Background 1.1 DWP is committed to ensuring that effective security

More information

Information governance strategy 2014-16

Information governance strategy 2014-16 Information Commissioner s Office Information governance strategy 2014-16 Page 1 of 16 Contents 1.0 Executive summary 2.0 Introduction 3.0 ICO s corporate plan 2014-17 4.0 Regulatory environment 5.0 Scope

More information

Information Security Policy

Information Security Policy Information Security Policy Contents 1. Introduction...2 2. Purpose...2 3. Governance and responsibility for information security...3 4. Risk Management...3 5. Asset Management and Classification...3 6.

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Information Integrity & Data Management

Information Integrity & Data Management Group Standard Information Integrity & Data Management Serco recognises its responsibility to ensure that any information and data produced meets customer, legislative and regulatory requirements and is

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT

More information

R345, Information Technology Resource Security 1

R345, Information Technology Resource Security 1 R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013 Information Governance Policy Version 1.0 June 2013 Copyright Notification Copyright London Borough of Islington 2012 This document is distributed under the Creative Commons Attribution 2.5 license. This

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Information Management and Security Policy

Information Management and Security Policy Unclassified Policy BG-Policy-03 Contents 1.0 BG Group Policy 3 2.0 Policy rationale 3 3.0 Applicability 3 4.0 Policy implementation 4 Document and version control Version Author Issue date Revision detail

More information

PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN. Records Management Policy. Version 4.0. Page 1 of 11 Policy PHSO Records Management Policy v4.

PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN. Records Management Policy. Version 4.0. Page 1 of 11 Policy PHSO Records Management Policy v4. PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN Records Management Policy Version 4.0 Page 1 of 11 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: File Location: Approval

More information

COMMERCIALISM INTEGRITY STEWARDSHIP. Security Breach and Weakness Policy & Guidance

COMMERCIALISM INTEGRITY STEWARDSHIP. Security Breach and Weakness Policy & Guidance Security Breach and Weakness Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Security Breach & Weakness

More information

Ulster University Standard Cover Sheet

Ulster University Standard Cover Sheet Ulster University Standard Cover Sheet Document Title IT Monitoring Policy 1.5 Custodian Approving Committee Deputy Director of Finance and Information Services (Information Services) Information Services

More information

Compliance Policy AGL Energy Limited

Compliance Policy AGL Energy Limited Compliance Policy AGL Energy Limited November 2013 Table of Contents 1. About this Document... 3 2. Policy Statement... 4 3. Purpose... 4 4. AGL Compliance Context... 4 5. Scope... 5 6. Objectives... 5

More information

Information Security Policy

Information Security Policy Office of the Prime Minister document CIMU P 0016:2003 Version: 2.0 Effective date: 01 Oct 2003 Information 1. statement i) General The Public Service of the Government of Malta (Public Service) shall

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

Highland Council Information Security Policy

Highland Council Information Security Policy Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...

More information

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

More information

Staffordshire County Council. Records Management Policy

Staffordshire County Council. Records Management Policy Staffordshire County Council Records Management Policy Version Author Approved By Date Published Review V. 2.0 Information Governance Unit Philip Jones, Head of Information Governance 2/11/2012 November

More information

9. GOVERNANCE. Policy 9.8 RECORDS MANAGEMENT POLICY. Version 4

9. GOVERNANCE. Policy 9.8 RECORDS MANAGEMENT POLICY. Version 4 9. GOVERNANCE Policy 9.8 RECORDS MANAGEMENT POLICY Version 4 9. GOVERNANCE 9.8 RECORDS MANAGEMENT POLICY OBJECTIVES: To establish the framework for, and accountabilities of, Lithgow City Council s Records

More information

WEST MIDLANDS POLICE Force Policy Document

WEST MIDLANDS POLICE Force Policy Document WEST MIDLANDS POLICE Force Policy Document POLICY TITLE: POLICY REFERENCE NO: Information Security Incident Management Inf/09 Executive Summary. In accordance with the HMG Security Policy Framework, West

More information

Health and Safety Management Standards

Health and Safety Management Standards Health and Safety Management Standards Health and Safety Curtin University APR 2012 PAGE LEFT INTENTIONALLY BLANK Page 2 of 15 CONTENTS 1. Introduction... 4 1.1 Hierarchy of Health and Safety Documents...

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager. London School of Economics & Political Science IT Services Policy Remote Access Policy Jethro Perkins Information Security Manager Summary This document outlines the controls from ISO27002 that relate

More information

information systems security policy...

information systems security policy... sales assessment.com information systems security policy... Approved: 2nd February 2010 Last updated: 2nd February 2010 sales assessment.com 2 index... 1. Policy Statement 2. IT Governance 3. IT Management

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Information Security Policy

Information Security Policy Information Security Policy 1 Version and Review Summary Rev Date Author Approver Revision description 1.00 April 2009 T Monachello Formal Review 1.01 1 st June 2009 T.Monachello Information Governance

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

HMG Security Policy Framework

HMG Security Policy Framework HMG Security Policy Framework Security Policy Framework 3 Foreword Sir Jeremy Heywood, Cabinet Secretary Chair of the Official Committee on Security (SO) As Cabinet Secretary, I have a good overview of

More information

University of Sunderland Business Assurance. Over-arching Information Governance Policy. Document Classification: Public

University of Sunderland Business Assurance. Over-arching Information Governance Policy. Document Classification: Public University of Sunderland Business Assurance Over-arching Information Governance Policy Document Classification: Public Policy Reference Central Register IG001 Policy Reference Faculty / Service IG 001

More information

INFORMATION MANAGEMENT AND SECURITY POLICY

INFORMATION MANAGEMENT AND SECURITY POLICY INFORMATION MANAGEMENT AND SECURITY POLICY Technology Department 2016 Table of Contents 1. INTRODUCTION... 3 1.1 Preamble... 3 1.2 Objectives... 3 1.3 Scope... 4 2. LEGAL FRAMEWORK... 4 3. GUIDING PRINCIPLES...

More information

Information Security Management System Information Security Policy

Information Security Management System Information Security Policy Management System Policy Version: 3.4 Issued Document Name: Owner: P079A - ISMS Security Policy Classification: Public Security Policies, Standards and Procedures emanate from the Policy which has been

More information

Guidelines. London School of Economics & Political Science. Remote Access and Mobile Working Guidelines. Information Management and Technology

Guidelines. London School of Economics & Political Science. Remote Access and Mobile Working Guidelines. Information Management and Technology London School of Economics & Political Science Information Management and Technology Guidelines Remote Access and Mobile Working Guidelines Jethro Perkins Information Security Manager Summary This document

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Guideline for Roles & Responsibilities in Information Asset Management

Guideline for Roles & Responsibilities in Information Asset Management ISO 27001 Implementer s Forum Guideline for Roles & Responsibilities in Information Asset Management Document ID ISMS/GL/ 003 Classification Internal Use Only Version Number Initial Owner Issue Date 07-08-2009

More information

have adequate policies and practices for secure data disposal have not established a formal 22% risk management program

have adequate policies and practices for secure data disposal have not established a formal 22% risk management program do not have budgeted disaster 38% recovery plans do not use standardized data 37% classification do not have a plan for responding to 29% security breaches 23% have adequate policies and practices for

More information

NOT PROTECTIVELY MARKED. Suffolk County Council DATA QUALITY POLICY

NOT PROTECTIVELY MARKED. Suffolk County Council DATA QUALITY POLICY Suffolk County Council DATA QUALITY POLICY This policy is sponsored by the Director of Resource Management on behalf of the Chief Executive of Suffolk County Council. Responsibility for maintaining, reviewing

More information

Corporate Information Security Management Policy

Corporate Information Security Management Policy Corporate Information Security Management Policy Signed: Chief Executive. 1. Definition of Information Security 1.1. Information security means safeguarding information from unauthorised access or modification

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

IG: Third Party Contracts and Contractors Policy

IG: Third Party Contracts and Contractors Policy IG: Third Party Contracts and Contractors Policy Document Summary This policy provides guidance on the Information Governance arrangements that need to be considered and / or implemented when engaging

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Information Security and Governance Policy

Information Security and Governance Policy Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information

More information

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency

More information

Historic Environment Scotland

Historic Environment Scotland Historic Environment Scotland Data Protection Policy September 2015 Document Control Title Data Protection Policy Author Head of Records Management Approved by HES Board Date of Approval 16/11/2015 Version

More information

ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES

ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES THIS POLICY SETS OUT THE REQUIREMENTS FOR SAFEGUARDING COMPANY ASSETS AND RESOURCES TO PROTECT PATIENTS, STAFF, PRODUCTS, PROPERTY AND

More information

University of New England Compliance Management Framework and Procedures

University of New England Compliance Management Framework and Procedures University of New England Compliance Management Framework and Procedures Document data: Document type: Administering entity: Framework and Procedures Audit and Risk Directorate Records management system

More information