Schedule 13 Security Incident and Data Breach Policy. January 2015 v2.1

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Schedule 13 Security Incident and Data Breach Policy. January 2015 v2.1"

Transcription

1 Schedule 13 Security Incident and Data Breach Policy January 2015 v2.1

2 Document History Purpose Document Purpose Document developed by Document Location To provide a corporate policy for the management of any Security Incidents and Data Breaches Principal Information Governance Officer This document is located on the council s web site and on the network at: Revision Revision date January 2015 Version Final v2.1 Status Summary of changes Awaiting approval by the II&VFM board Addition made to section 9 to inform the relevant Caldicott Guardian of breaches in either Social Services or Public Health. Approvals Head of Information Management Assistant Director, Business Support Improvement & VFM Group Cabinet Lead the review of the framework and policies Oversee the document through the council s approval process Approve the Framework and the Freedom of Information Act Policy and any changes made, recommending adoption to the Cabinet Member Approve the review of the framework and policies Page 2 of 19

3 Contents Page Document History... 2 Contents... 3 Introduction Policy Statement Purpose Scope Implementation and Review Schedule Legislation Types of Security Incident... 5 Reporting Serious Security Incidents (Including potential or actual data breaches) - Responsibility of Council Departments Identification and Classification of serious security incidents... 6 Other Policies - Joint Responsibility between Departments & the Investigation Lead Links to other Departments... 7 Data Breach Management Plan - Responsibility of Information Governance Breach Management Plan Containment and Recovery Assessment of Ongoing Risk / Investigation Notification Review and Evaluation Information Governance Contact Details Serious Security Incident (Non Data Breach) - Responsibility of Security Incident Team Serious Security Incident Management Plan Containment and Recovery Assessment of Ongoing Risk / Investigation Review and Evaluation Serious Security Incident Group Appendices Page 3 of 19

4 Introduction 1. Policy Statement North Lincolnshire Council is responsible for protecting the information it holds and is legally required under the Data Protection Act 1998 to ensure the security and confidentiality of personal information processed. These responsibilities also apply to other organisations working on behalf of the council. Every care is taken to protect information and to avoid a security incident, especially where the result is a data breach when personal information is lost or disclosed inappropriately to an unauthorised person. In the unlikely event of such a security incident it is vital that appropriate action is taken to minimise any associated risk as soon as possible. We will investigate all security incidents classified as serious using a set plan and follow a Breach Management Plan in the event of a data breach. 2. Purpose The purpose of this policy is to ensure a standardised management approach throughout the council in the event of a serious security incident, including the handling of a data breach. Security incident management is the process of handling security incidents in a structured and controlled way ensuring security incidents are dealt with:- Speedily and efficiently; Consistently; To ensure damage is kept to a minimum; To ensure the likelihood of recurrence is reduced by the implementation of appropriate measures. 3. Scope This policy applies to all information held by the council and to organisations working on behalf of the council who have access to our information. Schools may choose to adopt this policy but where this is not the case it is expected that they will have their own appropriate policy. Page 4 of 19

5 4. Implementation and Review Schedule This policy takes effect immediately and all managers should ensure employees are aware of security incident requirements. If employees have any queries they should discuss these with their line manager or the Information Governance Team. This policy may need to be reviewed after a security incident or data breach or after legislative changes, new case law or new guidance. Ordinarily an annual review should take place. 5. Legislation The council has an obligation to abide by all relevant UK and European legislation. The acts that apply include but are not limited to: - Data Protection Act Computer Misuse Act Criminal Damages Act The Data Protection Act 1998 provides a regulatory framework for the processing of personal information, including the holding, use or disclosure of such information. Principal seven of this Act requires that an organisation complies with the following for personal information: - Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal information and against accidental loss or destruction of, or damage to, personal information. 6. Types of Security Incident This policy addresses the reporting and handling of serious security incidents, including those involving a data breach. A security incident is classified as serious when the incident: Involves actual or potential failure to meet the requirements information legislation such as the Data Protection Act 1998; Potentially involves or could lead to a data breach. Some examples of serious security incidents are:- Loss or theft of IT equipment or information; Disclosing personal information to someone not authorised to have it; Unauthorised access to information; Breach of physical building security; Uploading personal information to a website in error; Page 5 of 19

6 Human error resulting for example in personal information being left in an insecure location; Unforeseen circumstances such as fire or flood; Hacking into IT systems; Blagging offences where information is obtained by deception. Reporting Serious Security Incidents (Including potential or actual data breaches) - Responsibility of Council Departments 7. Identification and Classification of serious security incidents This section is about reporting the serious security incident (including a data breach) to the Security Incident Group, classifying the incident and taking appropriate mitigating action. The Security Incident Group is made up of the following employees: Principal Information Governance Officer; Unified Communications Manager; IT Customer Quality Manager; Senior Auditor. 7.1 The person who discovers/receives a report of a serious security incident must inform a manager. This should ideally be the manager responsible for the department in which the incident has occurred, but if this is not possible another manager should be informed. If the incident occurs or is discovered outside normal working hours this should be done as soon as practicable. The manager must then report the serious security incident to the Security Incident Group, as soon as possible. 7.2 The manager should identify into which of the following three categories the incident fits: - a) An actual or suspected data breach. b) An IT serious security incident that is not a data breach. c) Another type of serious security incident that puts personal information at risk but is not a data breach. Appendix A provides further information to assist with categorisation of serious security incidents. 7.3 The manager should accurately record details of the incident and provide the following information to the Security Incident Group, using the form shown as Appendix B: - Date and time of security incident / period of time occurred. Date and time security incident detected. Who reported the security incident? Description of the security incident. Page 6 of 19

7 Type of security incident (See section 6.0). Approximate number of data subjects affected. Details of any council ICT systems or third party systems involved. Details of any action taken to minimise / mitigate the effect on data subjects. Details of anyone who is aware of the security incident. Brief details of supporting material held by the service material which either confirms the security incident or is related to the security incident. Details of any contractors or sub contractors involved. 7.4 Details of serious security incidents can be very sensitive and any sensitive information must be handled with discretion and only disclosed to those who need to know the details. 7.5 Employees or others working on behalf of the council must not attempt to deal with a security incident (other than reporting the incident). 7.6 The Security Incident Group will determine who should lead an investigation and the lead will appoint an Investigation Team. Employees must not attempt to conduct their own investigations, unless authorised to do so, to ensure evidence is not destroyed. 7.7 The council s Senior Information Risk Owner (SIRO) and the relevant director are ultimately responsible for making any decisions. 7.8 In some circumstances security incidents should also be reported to GovCertUK and the NHS Information Governance Team, using the details shown in Appendix D and by following published procedures from these other organisations. Other Policies - Joint Responsibility between Departments & the Investigation Lead 8. Links to other Departments Sometimes a security incident will be identified during an internal investigation under another council policy. Alternatively during a security incident investigation it may be found necessary to inform another council department of the incident. 8.1 Officers who identify a serious security incident, as part of another policy investigation, should complete the Security Incident form shown in Appendix B and forward to the relevant lead from the Security Incident Group. When this other investigation is complete relevant details should be provided to Security Incident Group lead. Page 7 of 19

8 8.2 Where a security incident occurs that may affect another department or a school, the Security Incident Group lead will contact the relevant senior manager or school. 8.3 Any decision to take disciplinary action will be in line with the council s Disciplinary Policy. 8.4 The data breach or serious security incident report will be concluded when all other relevant investigations are complete. Data Breach Management Plan - Responsibility of Information Governance 9. Breach Management Plan The Information Governance Team will lead all data breach investigations and will follow the Information Commissioner s Office (ICO) suggested Breach Management Plan: - 1. Containment and recovery. 2. Assessment of ongoing risk. 3. Notification of breach. 4. Evaluation and response. 9.1 Containment and Recovery Containment and recovery involves limiting the scope and impact of the data breach, and stemming it as quickly as possible A senior member of the Information Governance Team will inform the relevant Director(s) and Legal Services A senior member of the Information Governance Team will ascertain who should contact whom, both within the council and externally. If illegal activity is known or is believed to have occured, or where there is a risk that illegal activity might occur in the future a Director in conjunction with a senior member of the Information Governance Team and the Head of Audit, Risk and Insurance must consider whether the police need to be informed. An example of illegal activity is theft A senior member of the Information Governance Team will lead an investigation and to do so will create an Investigation Team, made up of key officers, including Internal Audit. Where the breach involves social service or health information the relevant Caldicott Guardian will be informed. Where contractual arrangements with other organisations are involved advice will be sought from Legal Services about how to proceed and the investigation will be led in conjunction with the Contract Manager. Page 8 of 19

9 9.1.4 A senior member of the Information Governance Team will lead the Investigation Team to quickly take appropriate steps to ascertain full details of the breach, determine whether the breach is still occuring, recover any losses and limit the damage. Steps might include: - Attempting to recover any lost equipment or personal information. Shutting down an IT system. Contacting the council s Contact Centre and other key departments so that they are prepared for any potentially inappropriate enquiries about the affected data subjects. If an inappropriate enquiry is received staff should attempt to obtain the enquirer s name/contact details and confirm that they will ring the enquirer back. The Information Governance Team organising, with the approval of the Communications Team, for a council-wide to be sent. Contacting the Communications Team so they can be prepared to handle any press enquiries or to make any press releases. The use of back-ups to restore lost, damaged or stolen information. If bank details have been lost/stolen consider contacting banks directly for advice on preventing fraudulent use. If the data breach includes any entry codes or passwords then these codes must be changed immediately, and the relevant organisations and members of staff informed. 9.2 Assessment of Ongoing Risk / Investigation The next stage of the management plan is for the Investigation Team to investigate the breach and assess the risks arising from it The Investigation Team should ascertain whose information was involved in the breach, the potential effect on the data subjects and what further steps are required to remedy the situation The investigation should consider: - The type of information. Its sensitivity. How many individuals are affected by the breach? What protections are in place (e.g. encryption)? What happened to the information? Whether the information could be put to any illegal or inappropriate use. What could the information tell a third party about the individual? Page 9 of 19

10 How many people are affected? What types of people have been affected (the public, suppliers, staff etc)? Whether there are wider consequences to the breach A senior member of the Information Governance Team should keep a clear report detailing the nature of the breach, steps to preserve evidence, the assessment of risk/investigation, and the actions taken to mitigate the breach, any notifications made and recommendations for future work/actions. See Appendix C for more information about preserving evidence The initial investigation should be completed urgently and wherever possible within 24 hours of the breach being discovered/reported. A further review of the causes of the breach and recommendations for future improvements can be done once the matter has been resolved 9.3 Notification A senior member of the Information Governance Team, after seeking legal advice and working with the Investigation Team should decide whether anyone, such as the Information Commissioner s Office (ICO) or the data subjects, should be notified of the breach. A senior member of the Information Governance Team will make any notifications to the ICO. The Investigation Team will decide whether and how anybody else should be notified. Directorates must not make any notifications directly Every incident will be considered on a case-by-case basis but if the breach is significant and involves personal information the ICO should be notified. There is guidance on the ICO website about how and when to notify - The following points will be used to assist in deciding whether to notify an organisation such as the ICO or the data subjects: - Do we have any legal/contractual obligations in relation to notification? Would notification help prevent the unauthorised or unlawful use of the personal information? Could notification make the unauthorised or unlawful use of the personal information more likely? Could notification help the data subject could they act on the information to mitigate risks? If the information is personal or sensitive personal in nature and there are large numbers of data subjects involved or possible serious consequences we should notify the ICO. Page 10 of 19

11 The dangers of over notifying, which may cause disproportionate enquiries and work Notifications should include a description of how and when the breach occurred, what information was involved and what has already been done to mitigate the risks When notifying data subjects, specific and clear advice should be given on what individuals can do to protect themselves and what the council can do to assist them Details should be provided of how to make a complaint to the council and how to appeal to the Information Commissioner. 9.4 Review and Evaluation Once the initial after effects of the breach are over a senior member of the Information Governance Team should fully review both the causes of the breach and the effectiveness of the response to it, and work with Internal Audit to determine if any further control improvements are required The Head of Information Governance will write a report for the Council Management Team (CMT) The Principal Information Governance Officer will inform the Information Security Forum of high level details of the breach If issues are identified an action plan must be drawn up to put these right. 10. Information Governance Contact Details Please do not leave a voic or an to report a data breach. Always speak with somebody in the Information Governance Team. The main contacts are: - Principal Information Governance Officer Phillipa Thornley Telephone: Strategy and Information Governance Manager Rachel Johnson Telephone: Head of Information Management Chris Daly Telephone: Page 11 of 19

12 Serious Security Incident (Non Data Breach) - Responsibility of Security Incident Team 11. Serious Security Incident Management Plan The most relevant member of the Security Incident Group or an employee appointed by the team would lead a serious security incident investigation that did not involve a data breach. The following Management Plan should be followed: - 1. Containment and recovery. 2. Assessment of ongoing risk. 3. Evaluation and response. 12. Containment and Recovery Containment and recovery involves limiting the scope and impact of the serious security incident, and stemming it as quickly as possible The lead officer from the Security Incident Group will ascertain who should contact whom, both within the council and externally. If illegal activity is known or is believed to have occurred or where there is a risk that illegal activity might occur in the future a Director in conjunction with a senior Manager and the Head of Audit, Risk and Insurance must consider whether the police need to be informed. An example of illegal activity is theft The appointed lead of the serious security incident investigation will lead an investigation and to do so will create an Investigation Team, made up of key officers, including Internal Audit. Where contractual arrangements with other organisations are involved advice will be sought from Legal Services about how to proceed and the investigation will be led in conjunction with the Contract Manager Full details of the incident should be determined and migrating action such as the following should be taken to limit the impact of the incident: Attempting to recover any lost equipment or personal information. Shutting down an IT system. The use of back-ups to restore lost, damaged or stolen information. Making a building secure. If the incident involves any entry codes or passwords then these codes must be changed immediately, and the relevant organisations and members of staff informed. Page 12 of 19

13 13. Assessment of Ongoing Risk / Investigation The next stage of the management plan is for the Investigation Team to investigate the serious security incident and assess the risks arising from it The Team should ascertain what information was involved in the serious security incident and what steps are required to remedy the situation The investigation should consider: - The type of information. Its sensitivity. What protections are in place (e.g. encryption)? What happened to the information? Whether there are wider consequences to the incident The appointed lead of the Security Incident Investigation should keep a clear report detailing the nature of the incident, steps taken to preserve evidence, the assessment of risk/investigation, any migrating actions taken and any recommendations for future work/actions. See Appendix C for more information about preserving evidence The initial investigation should be completed within an agreed timeframe. 14. Review and Evaluation Once the initial after effects of the serious security incident are over the Information Security Forum should fully review both the causes of the incident and the effectiveness of the response to it and work with Internal Audit to determine if any further control improvements are required The Security Incident Group lead should update the Information Security Forum with details of the incident If issues are identified an action plan must be drawn up to put these right. Page 13 of 19

14 15. Serious Security Incident Group Please do not leave a voic or an to report a serious security incident. Always speak with somebody from the following list of contacts: - Unified Comms Manager Paul Smith Telephone: IT Customer Quality Manager Carl Render Telephone: Senior Auditor - Stuart Anderson Telephone: Principal Information Governance Officer Phillipa Thornley Telephone: Page 14 of 19

15 Appendices Appendix A: Guidelines for the Categorisation of Serious Security Incidents Actual or Suspected Data Breach Examples include: - Use of viruses or spyware software; Use of illegal or unauthorised software or information; Fraud or forgery; Unauthorised use of the council IT network or systems; Unauthorised use of another user s profile (masquerading of user identity); Divulging a password to another user without authority; Unauthorised access to council information classified as personal or confidential; Unauthorised alteration or deletion of council information; Unauthorised copying of council information; Wilful damage to council IT equipment or property; Unauthorised access to council offices; Unauthorised removal of council property or information; Theft or loss of IT equipment containing council information. IT Serious Security Incident (Not a Data Breach) - Examples include: - IT network attack; Use of viruses or spyware; Unauthorised access to the council s IT network and systems; Theft or damage to IT equipment. Other Serious Security Incident (Not a Data Breach) - Examples include: - Fire; Flood; Storm damage; Power supply failures & fluctuations; Terrorist and bomb attacks, including suspicious packages; Unauthorised access to council premises; Theft of or damage to council property. Page 15 of 19

16 Appendix B Serious Security Incident and Data Breach Form Contact details of person submitting form 1. Name 2. Job Title Address Telephone Number Address Incident Information 3. Date / Time of Breach or Period of Time Date / Time Breach Detected Who / What Reported the Breach? Description of the Breach Type of breach see section 6.0 for list: - Approximate number of Data Subjects affected Page 16 of 19

17 Details of Council ICT / 3 rd Party ICT Systems Involved Details of any action taken to minimise / mitigate the effect on the data subjects 4. Who is aware of this data breach? Brief Details of Supporting Information held by Department Details of any Contractors / Sub Contractors Involved Page 17 of 19

18 Appendix C: Guidelines for Preserving Evidence Where appropriate the Investigation Team must follow these steps to preserve evidence: - Keep a log of all events showing how evidence was collected, analysed, transported and preserved; Where possible mark evidence with the date, time and name of the collector and witnesses; If relevant, dump computer contents from memory to a file and take a back-up of the file; If relevant, make an image (copy) of the computer hard drive(s), which will be used for further analysis to ensure that the evidence on the original system is unharmed; If relevant, IT system logs (both current and archived) should be preserved to provide evidence of the incident discovered, as well as any previous incidents. Page 18 of 19

19 Appendix D: Guidelines for Reporting Information Security Incidents GovCert UK Follow the link to report a suspected incident within the submission process. In the event of the internet not being available the following details should be used: CESG s Incident Response Team The CESG GovCertUK Incident Response team provides a 24/7 (24 hours 7 days a week) operation, and can be contacted on the following: - Telephone: Fax: General Enquiries: - or Incidents and alerts: - or During office hours ( hrs) the GovCertUK response team will handle any queries or incidents. Outside office hours, at weekends and on public holidays a duty officer will monitor correspondence and respond to telephone calls, supported by on-call GovCertUK response personnel. GovCertUK provides CESG s CERT function to UK government, assists public sector organisations in the response to computer security incidents and provides advice to reduce exposure to threat. NHS Information Governance https://www.igt.hscic.gov.uk/incidentreportingmenu.aspx?tk= &uid=57915&cb=bf5c0062-1c6a-4a69-8b82- a146fe33ec9d&lnv=12&clnav=yes https://www.igt.hscic.gov.uk/knowledgebasenew/hscic%20ig%20siri%20 %20Checklist%20Guidance%20V2%200%201st%20June% pdf Follow the link to report a data breach. The NHS Information Governance Self Assessment requires organisations, such as the council who are required to complete the assessment, to report all data breaches occurring within Adult Social Care. Page 19 of 19

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful

More information

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013

Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013 Information Security Incident Management Policy Policy and Guidance June 2013 Project Name Information Security Incident Management Policy Product Title Policy and Guidance Version Number 1.2 Final Page

More information

Guidance on data security breach management

Guidance on data security breach management Guidance on data security breach management Organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction

More information

Guidance on data security breach management

Guidance on data security breach management ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...

More information

THE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31

THE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31 THE MORAY COUNCIL Guidance on data security breach management Information Assurance Group DRAFT Based on the ICO Guidance on data security breach management under the Data Protection Act 1 Document Control

More information

Data Security Breach Incident Management Policy

Data Security Breach Incident Management Policy Data Security Breach Incident Management Policy Contents 1. Background... 1 2. Aim... 1 3. Definition... 2 4. Scope... 2 5. Responsibilities... 2 6. Data Classification... 2 7. Data Security Breach Reporting...

More information

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom

More information

DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT

DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT GD21 2 DATA PROTECTION (JERSEY) LAW 2005: GUIDANCE ON DATA SECURITY BREACH MANAGEMENT Introduction Organisations which process

More information

Information Incident Management Policy

Information Incident Management Policy Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit

More information

Data Protection Breach Management Policy

Data Protection Breach Management Policy Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Data Breach Management Policy and Procedures for Education and Training Boards

Data Breach Management Policy and Procedures for Education and Training Boards Data Breach Management Policy and Procedures for Education and Training Boards POLICY on DATA BREACHES in SCHOOLS/COLLEGES and OTHER EDUCATION and ADMINISTRATIVE CENTRES UNDER the REMIT of TIPPERARY EDUCATION

More information

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures SECURITY INCIDENT REPORTING AND MANAGEMENT Standard Operating Procedures Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme.

More information

Guidance on Managing Data Breaches

Guidance on Managing Data Breaches Guidance on Managing Data Breaches This guidance covers what to do if you believe there has been a data breach and when it should be notified to the Commissioner. This guidance relates to both the Data

More information

Information Security Incident Management Policy September 2013

Information Security Incident Management Policy September 2013 Information Security Incident Management Policy September 2013 Approving authority: University Executive Consultation via: Secretary's Board REALISM Project Board Approval date: September 2013 Effective

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Data Security Breach Management Procedure

Data Security Breach Management Procedure Academic Services Data Security Breach Management Procedure Document Reference: Data Breach Procedure 1.1 Document Type: Document Status: Document Owner: Review Period: Procedure v1.0 Approved by ISSG

More information

NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities

NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities Information Governance Untoward Incident Reporting and Management Advice for Local Authorities March 2013 Contents Page 1. The Role of the NIGB.....3 2. Introduction...4 3. Background Information...6 4.

More information

Document Control. Version Control. Sunbeam House Services Policy Document. Data Breach Management Policy. Effective Date: 01 October 2014

Document Control. Version Control. Sunbeam House Services Policy Document. Data Breach Management Policy. Effective Date: 01 October 2014 Document Control Policy Title Data Breach Management Policy Policy Number 086 Owner Information & Communication Technology Manager Contributors Information & Communication Technology Team Version 1.0 Date

More information

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD Data Breach Management Policy Adopted by Cavan and Monaghan Education Training Board on 11 September 2013 Policy Safeguarding personally identifiable information

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

Cork ETB Data Breach Management Policy and Procedures

Cork ETB Data Breach Management Policy and Procedures Cork ETB Data Breach Management Policy and Procedures POLICY ON THE MANAGEMENT OF DATA BREACHES IN SCHOOLS/COLLEGES AND OTHER EDUCATION AND ADMINISTRATIVE CENTRES UNDER THE REMIT OF CORK EDUCATION AND

More information

Data Protection Breach Reporting Procedure

Data Protection Breach Reporting Procedure Central Bedfordshire Council www.centralbedfordshire.gov.uk Data Protection Breach Reporting Procedure October 2015 Security Classification: Not Protected 1 Approval History Version No Approved by Approval

More information

Information Security Policy

Information Security Policy Information Security Policy Reference No: Version: 5 Ratified by: CG007 Date ratified: 26 July 2010 Name of originator/author: Name of responsible committee/individual: Date approved by relevant Committee:

More information

Somerset County Council - Data Protection Policy - Final

Somerset County Council - Data Protection Policy - Final Organisation Title Author Owner Protective Marking Somerset County Council Data Protection Policy - Final Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council

More information

Coláiste Pobail Bheanntraí

Coláiste Pobail Bheanntraí Coláiste Pobail Bheanntraí Seskin Bantry, Co. Cork. Principal: Dr. Kevin Healy B.A, H.D.E, M.Ed, Ed.D Deputy Principal: Mr. Denis O Sullivan, BSc. (Ed.), H.D.E Phone: 027 56434 Fax: 027 56439 E-mail: admin@colaistepobailbheanntrai.com

More information

Quick Guide To Information Governance Policies

Quick Guide To Information Governance Policies Quick Guide To Information Governance Policies Data Protection The Data Protection Act 1998 established principles and rights in relation to the collection, use and storage of personal information by organisations.

More information

Information Security Policy

Information Security Policy You can learn more about the programme by downloading the information in the related documents at the bottom of this page. Information Security Document Information Security Policy 1 Version History Version

More information

Information Governance Framework. June 2015

Information Governance Framework. June 2015 Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

More information

Information Security Policy

Information Security Policy Information Security Policy JUNE 2014 Author Responsibility Lynda Harris, Head of Information Governance, Central Eastern CSU, Bedfordshire and Luton All staff Effective Date June 2014 Review Date June

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

GUIDE TO MANAGING DATA BREACHES

GUIDE TO MANAGING DATA BREACHES 8 MAY 2015 CONTENT PURPOSE OF THE GUIDE 3 INTRODUCTION 4 HOW DATA BREACHES COULD OCCUR 5 RESPONDING TO A DATA BREACH 6 i. DATA BREACH MANAGEMENT PLAN 6 ii. CONTAINING THE BREACH 7 iii. ASSESSING RISK AND

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY [Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Date approved by Heads of Service 3 June 2014 Staff member responsible Director of Finance and Corporate Services Due for review June 2016 Data Protection Policy Content Page 1 Purpose

More information

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services Issue 1.0 (Effective 27 June 2012) This document contains a copy of the STFC policy statements outlining

More information

Security Incident Management Policy

Security Incident Management Policy Security Incident Management Policy January 2015 Document Version 2.4 Document Status Owner Name Owner Job Title Published Martyn Ward Head of ICT Business Delivery Document ref. Approval Date 27/01/2015

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

PRIVACY BREACH MANAGEMENT POLICY

PRIVACY BREACH MANAGEMENT POLICY PRIVACY BREACH MANAGEMENT POLICY DM Approval: Effective Date: October 1, 2014 GENERAL INFORMATION Under the Access to Information and Protection of Privacy Act (ATIPP Act) public bodies such as the Department

More information

DBC 999 Incident Reporting Procedure

DBC 999 Incident Reporting Procedure DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible

More information

Security Incident Policy

Security Incident Policy Organisation Title Author Owner Protective Marking Somerset County Council Security Incident Policy Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council will

More information

Information Security Policy London Borough of Barnet

Information Security Policy London Borough of Barnet Information Security Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Document Description Information Security Policy Policy which sets out the council s approach to information

More information

Data Protection Policy

Data Protection Policy Internal Ref: NELC 16.60 Review date December 2016 Version No. V04 Data Protection Policy 1 Data Protection Statement Data Protection Policy 1.1 North East Lincolnshire Council recognises that in order

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

Security & Data Protection Incident Management Policy London Borough of Barnet

Security & Data Protection Incident Management Policy London Borough of Barnet Security & Data Protection Incident Management Policy London Borough of Barnet DATA PROTECTION 11 POLICY NAME Document Description Security and Data Protection Incident Management Policy Policy which sets

More information

Information Security Policy

Information Security Policy Central Bedfordshire Council www.centralbedfordshire.gov.uk Information Security Policy January 2016 Security Classification: Not Protected 1 Approval History Version No Approved by Approval Date Comments

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

Little Marlow Parish Council Registration Number for ICO Z3112320

Little Marlow Parish Council Registration Number for ICO Z3112320 Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with

More information

RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 2.0.1

RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 2.0.1 RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 2.0.1 Revised and effective from 1st April 2012 Document Control Organisation Title Author Filename Owner

More information

Data Processing Agreement

Data Processing Agreement Data Processing Agreement BETWEEN GP Name and practice address (Hereinafter known as the Data Controller) AND Coventry & Rugby Clinical Commissioning Group, of Christchurch House, Greyfriars Lane, Coventry,

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

Data Protection Policy

Data Protection Policy Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

BHCC Policy Summary. This policy outlines BHCC s obligations and responsibilities in relation to the Data Protection Act 1998.

BHCC Policy Summary. This policy outlines BHCC s obligations and responsibilities in relation to the Data Protection Act 1998. BHCC Policy Summary 1 Policy Name Data Protection Policy. 2 Purpose of Policy To define the standards expected of all Brighton & Hove City Council employees, and any third parties, when processing information

More information

1.2. The RAD Data Protection Policy and Procedures is part of the RAD s overall Information Strategy.

1.2. The RAD Data Protection Policy and Procedures is part of the RAD s overall Information Strategy. Data Protection Policy & Procedures 1. Introduction and legal context 1.1. The Royal Academy of Dance (RAD) collects, processes stores and shares information about its employees, members, registered teachers,

More information

Data Protection for Schools Compliance Checklist

Data Protection for Schools Compliance Checklist Data Protection for Schools Compliance Checklist Here is a simple bullet point list of actions your school should take to work towards compliance with the Data Protection Act. It is a non - exhaustive

More information

Key Steps in Responding to Privacy Breaches

Key Steps in Responding to Privacy Breaches Key Steps in Responding to Privacy Breaches Purpose The purpose of this document is to provide guidance to organizations, public bodies, and custodians when a privacy breach occurs. 1 Organizations and

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

Information Security Policy

Information Security Policy Information Security Policy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013 Data Protection and Information Security Procedure for reporting a breach of data security April 2013 Page 1 of 6 Created on: 01/04/2009 Contents 1 Introduction... 3 2 Data Classification... 3 3 What Is

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

UB Whistleblowing Policy

UB Whistleblowing Policy United Biscuits UK Ltd UB Whistleblowing Policy June 2015 Contents 1. Policy statement... 3 2. Policy Aims... 3 3. Who is covered by this policy?... 3 4. What is whistleblowing?... 3 5. Raising a whistleblowing

More information

IG: Third Party Contracts and Contractors Policy

IG: Third Party Contracts and Contractors Policy IG: Third Party Contracts and Contractors Policy Document Summary This policy provides guidance on the Information Governance arrangements that need to be considered and / or implemented when engaging

More information

Data Protection Policy

Data Protection Policy London Borough of Enfield Data Protection Policy Author Mohi Nowaz Classification UNCLASSIFIED Date of First Issue 10/08/2012 Owner IGB Issue Status DRAFT Date of Latest Re-Issue 12/09/2012 Version 0.6

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY ISO 27002 5.1 Author: Owner: Organisation: Chris Stone Ruskwig TruePersona Ltd Document No: SP- 5.1 Version No: 1.0 Date: 10 th January 2010 Copyright

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Data Protection Policy. Information Security Review Group. Version Date Author Notes on Revisions

Data Protection Policy. Information Security Review Group. Version Date Author Notes on Revisions Document Control Table Document Title: Author(s) (name, job title and Division): Version Number: Document Status: Date Approved: Approved By: Effective Date: Date of Next Review: Superseded Version: Data

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Rev Date Purpose of Issue/ Description of Change Equality Impact Assessment Completed 1. June 2011 Initial Issue 2. 29 th March 2012 Second Version 3. 15 th April 2013 Third

More information

Whistle Blowing. Coombe Secondary Schools Academy Trust. Considered at Governors Committee meeting: PERSONNEL / FINANCE AND RESOURCES

Whistle Blowing. Coombe Secondary Schools Academy Trust. Considered at Governors Committee meeting: PERSONNEL / FINANCE AND RESOURCES Whistle Blowing Policy Coombe Secondary Schools Academy Trust Equality Analysis Impact Title of Policy: Whistle Blowing Considered at Governors Committee meeting: PERSONNEL / FINANCE AND RESOURCES Date:

More information

Data Protection Procedure

Data Protection Procedure Data Protection Procedure [QP2.28] Procedure Number: QP2.28 Revision Number: 3 Date of issue: January 2006 Status: Approved Date of approval: May 2006 Responsibility for procedure: Director of Information

More information

Everyone in the workplace has a legal duty to protect the privacy of information about individuals. AEP/BELB/LJ/2010 Awareness Session

Everyone in the workplace has a legal duty to protect the privacy of information about individuals. AEP/BELB/LJ/2010 Awareness Session Everyone in the workplace has a legal duty to protect the privacy of information about individuals AEP/BELB/LJ/2010 Awareness Session During 2007 alone, 36,989,300 people in the UK have had their private

More information

Islington Security Incident Policy A council-wide information technology policy. Version 0.7.1 July 2013

Islington Security Incident Policy A council-wide information technology policy. Version 0.7.1 July 2013 A council-wide information technology policy Version 0.7.1 July 2013 Copyright Notification Copyright London Borough of Islington 2014 This document is distributed under the Creative Commons Attribution

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Corporate ICT & Data Management. Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy 90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Incident Response Policy Reference Number Title CSD-012 Information Security Incident Response Policy Version Number 1.2 Document Status Document Classification

More information

Information Circular

Information Circular Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information 6 th Floor, Tower A, 1 CyberCity, Ebene, Mauritius T + 230 403 6000 F + 230 403 6060 E ReachUs@abaxservices.com INFORMATION SECURITY POLICY DOCUMENT Information Security Policy Document Page 2 of 15 Introduction

More information

Information Security Policy

Information Security Policy Information Security Policy 1 Version and Review Summary Rev Date Author Approver Revision description 1.00 April 2009 T Monachello Formal Review 1.01 1 st June 2009 T.Monachello Information Governance

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages

More information

APPENDIX 5 TEMPLATE DATA PROCESSING AGREEMENT. Data Processing Agreement

APPENDIX 5 TEMPLATE DATA PROCESSING AGREEMENT. Data Processing Agreement APPENDIX 5 TEMPLATE DATA PROCESSING AGREEMENT Data Processing Agreement Dated: Parties: (1) The Guide Association, a registered charity (number 306016) incorporated by Royal Charter whose offices are at

More information

PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN

PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN PARLIAMENTARY AND EALT SERVICE OMBUDSMAN Information Security Breach Policy Version 2.0 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: Meridio Location: Approval Body:

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Information Security Incident Management Policy

Information Security Incident Management Policy Information Security Incident Management Policy Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT Policy & Regulation

More information