Information Security Incident Management Policy. Information Security Incident Management Policy. Policy and Guidance. June 2013
|
|
- David Anderson
- 7 years ago
- Views:
Transcription
1 Information Security Incident Management Policy Policy and Guidance June 2013 Project Name Information Security Incident Management Policy Product Title Policy and Guidance Version Number 1.2 Final Page 1 of 11
2 Document Control Organisation Mendip District Council Title Information Security Incident Management Policy Author Jennifer Russell ICT Manager Filename Information Security Incident Management Policy.Doc Owner ICT Manager Subject IT Policy Protective Marking Internal Public Review date June 2014 Revision History Revision Date Revisor Previous Version Description of Revision V1.0 Steve Mawn 1 Creation V1.1 Jennifer Russell V1.2 Jennifer Russell 1.0 Review 1.1 Review Document Approvals This document requires the following approvals: Sponsor Approval Name Date Chief Executive Stuart Brown Corporate Manager Access to Services Chris Atkinson ICT Manager Jennifer Russell Document Distribution This document will be distributed to: Name Job Title Address All Staff Page 2 of 11
3 Contents 1 Policy Statement 4 2 Purpose 4 3 Scope 4 4 Definition 4 5 Risks 4 6 Applying the Policy Containment or Control and Recovery Assessment of ongoing risk Notification of Breach Evaluation and Response 7 7 Policy Compliance 8 8 Policy Governance 8 9 Review and Revision 9 10 References 9 11 Key Messages 9 12 Appendix Appendix 2 Examples of Information Security Incidents 11 Page 3 of 11
4 1 Policy Statement Mendip District Council will ensure that it reacts appropriately to any actual or suspected incidents relating to information systems and information within the custody of the Council 2 Purpose This document sets the standards by which Mendip District Council (MDC) will respond to a breach or unauthorised disclosure of Council information and the process staff need to follow when a breach occurs. 3 Scope This policy applies to all MDC employees, Councillors and contractors working on our behalf. 4 Definition Mendip District Council processes large amounts of both personal and non-personal information. We are required by law to take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal information. This policy indicates the steps MDC employees and our contractors are required to take in the event of a breach in information security. An information security breach can happen for a number of reasons: Loss or theft of information stored either as a hard copy or on equipment such as desktop PCs, laptops, handheld devices (PDAs and Blackberries), mobile phones, etc, as well as portable media such as memory sticks and DVD/CD Roms. Inadequate access controls in place which allow unauthorised users to access both manual records and electronic systems. Equipment failure. Human error. Unforeseen circumstances such as a fire or flood. Hacking of the IT system by an external third party. Information obtained dishonestly corporate fraud. The following sections cover specific areas of the information security incident management policy: 3.1 Containment or Control and Recovery 3.2 Assessment of ongoing risk 3.3 Notification of Breach 3.4 Evaluation and Response 5 Risks Mendip District Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business. This policy aims to mitigate the following risks: To reduce the impact of information security breaches by ensuring incidents are followed up Page 4 of 11
5 correctly. To help identify areas for improvement to decrease the risk and impact of future incidents. Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers. 6 Applying the Policy 6.1 Containment or Control and Recovery Information security breaches will require not just an initial response to investigate and contain the situation, but also a recovery plan. This should include, where necessary, damage limitation. This will often involve input from specialists across the Council such as Strategic IT and Capita IT, HR, Communications, and in some cases contact with external stakeholders and suppliers. In cases of theft of data, it may be appropriate to inform the police and the Information Commissioner s Office. The flowchart at Appendix 1 sets out the procedure which staff should follow when an incident occurs. The key outcomes of the investigation into the incident will be to: Determine the type of breach. Establish who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. Establish whether there is anything we can do to recover any losses and limit the damage the breach may cause. Put in place measures to avoid the breach recurring. Where it is suspected that a serious intentional breach has been caused by a user on the corporate network, their permissions may be removed from the network as soon as practicable and their door pass disabled. In the event of criminal activity, the police should be notified. 6.2 Assessment of ongoing risk As the Council holds personal and often sensitive information on our customers, it is important to establish early on the risks and consequences of this information being lost or disclosed without the customer s consent. The following points should be taken into consideration: What type of Information is involved? Does the information relate to our customers or staff or is it non-personal? How sensitive is the information? Some information will be sensitive because of its very personal nature (social care, children s and benefit records) while other types of information is sensitive because of what could happen if misused (bank account details, politically sensitive information etc) What security, if any, was in place? If information has been lost or stolen, were there any measures in place to protect the information such as encryption or password protection? What has happened to the information? If information has been lost or stolen it poses a different risk to information that has been corrupted or damaged. Page 5 of 11
6 Can the information be restored or re-created? Assess if the situation can be eased by a recovery or partial recovery of lost or corrupted information (back up discs etc). How usable is the lost information? Assess what could happen if the information got into the wrong hands. Is the information particularly sensitive or is it largely meaningless to non-council staff? How many customers are affected by the breach? Whilst any breach is serious, if it affects a large number of people then the impact on the organisation will be greater. A risk assessment should be conducted when the breach occurs to identify the breadth and depth of the impact. Whose information has been lost and what harm could there be to these individuals? Whether they are staff, customers, clients or suppliers, their status will to some extent determine the level of risk posed by the breach and our actions in attempting to mitigate those risks. Are there risks to an individual s physical safety, the council s reputation, financial loss or a combination of these? What other considerations are possible? Are there wider consequences to consider such as a risk to public health or loss of public confidence in an important service we provide? Can the information be use for fraudulent purposes? Can the information be used for ID fraud? If individuals bank details have been lost, consider contacting the banks themselves for advice on how they can help to prevent fraudulent use. 6.3 Notification of Breach Notification to individuals of an information security breach should have a clear purpose. Whether this is to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints. Answering the following questions will assist in deciding whether to notify: Are there any legal or contractual requirements? Will revealing the breach further compromise security? Would notification help or hinder us to meet our security obligations with regard to the seventh data protection principle requiring us to keep data secure? Can notification of the breach help the individual? Bearing in mind the potential effects of the breach, could individuals act on the information provided to mitigate risks to themselves, for example by cancelling a credit card or changing a password? How many individuals are affected? If a large number of people are affected, or there are likely to be very serious consequences, we should inform the Information Commissioner s Office (ICO). When notifying the ICO, details should be included of the security measures in place such as encryption and, where appropriate, details of the security procedures in place at the time the breach occurred. Can the people affected by the breach understand the issue? Consider how notification can be made appropriate for particular groups of individuals, for example, if notifying children or vulnerable adults. Page 6 of 11
7 Is the breach relatively minor? Not every incident will warrant notification and notifying all customers when the breach affects a small percentage may well cause disproportionate enquiries and additional work. How are the details communicated? Consideration should be made of who should be notified, what the message is, how the message will be communicated and the security of the communication medium used. Who else needs to know? Ensure the appropriate regulatory body is notified. A sector specific regulator may require WBC to notify them of any type of breach but the ICO should only be notified when the breach involves personal data. What needs to be included in a data breach notification: A description of how and when the breach occurred and what data was involved. Details of what steps have already been taken to respond to the risks posed by the breach. Specific and clear advice on the steps those affected can take to protect themselves and also what you are willing to do to help them. Provide a contact point for further information or to ask you questions about what has occurred. Record what happened in writing. Anything else we need to do? We may also need to consider notifying third parties such as the police, insurers, professional bodies, bank or credit card companies who can assist in reducing the risk of financial loss to individuals, and trade unions. 6.4 Evaluation and Response It is important not only to investigate the causes of the breach but also to evaluate the effectiveness of our response to it. If the breach was caused even in part by systemic and ongoing problems, then simply containing the breach and continuing business as usual is not sufficient. A breach may also require a review of policies and management responsibility. To reduce the risk of further breaches we should: Ensure we know what types of information we hold, whether this includes personal data and where and how it is stored. Establish where the biggest risks lie. This will normally be dictated by the sensitivity of the data. When sharing data, we must ensure that the method of transmission is secure and only share or disclose the minimum amount of data necessary. For social care information, we must ensure that the Caldicott principles for information sharing are applied. Identify weak points in the Council s existing security measures such as the use of portable storage devices or access to public networks. Staff awareness of security issues will be addressed by training, regular security audits and information in staff bulletin. Page 7 of 11
8 In the event of a serious breach the Monitoring Officer, Head of Governance and Democratic Services, should be immediately informed. All breaches should be notified via the Information Capita IT helpdesk (see flowchart at Appendix 1). The Team Manager will then be informed and appropriate mitigation/investigation put in place. All breaches will be reported to the Partnership operating Board and Gov cert UK.. Any breach that affects one of our partner organisations or breaches of data sharing protocol should be communicated to the partners. MDC does not actively monitor information exchanges with external bodies for criminal activity. However, it will co-operate with any investigation into such activity to the fullest extent that it is able and within the limits and requirements of English law. MDC will attempt to identify the source of any attack on its services and will take appropriate steps that may include legal action. 7 Policy Compliance If any user is found to have breached this policy, they may be subject to Mendip District Council s disciplinary procedure. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s). If you do not understand the implications of this policy or how it may apply to you, seek advice from Strategic ICT. 8 Policy Governance The following table identifies who within Mendip District Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply: Responsible the person(s) responsible for developing and implementing the policy. Accountable the person who has ultimate accountability and authority for the policy. Consulted the person(s) or groups to be consulted prior to final policy implementation or amendment. Informed the person(s) or groups to be informed after policy implementation or amendment. Responsible ICT Manager Accountable Corporate Manager Access to Services Consulted Informed Corporate Management Team, Human Resources and UNISON All Council Employees, All Temporary Staff, All Contractors Page 8 of 11
9 9 Review and Revision This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months. Policy review will be undertaken by the strategic ICT Manager. 10 References The following Mendip District Council policy documents are directly relevant to this policy: Policy. Internet Acceptable Use Policy. Software Policy. GCSx Acceptable Usage Policy and Personal Commitment Statement. Computer, Telephone and Desk Use Policy. Removable Media Policy. Remote Working Policy. IT Access Policy. Legal Responsibilities Policy. Information Protection Policy. Human Resources Information Security Standards. IT Infrastructure Policy. Communications and Operation Management Policy. 11 Key Messages All staff should report any incidents or suspected incidents immediately by notifying the Capita It helpdesk. We can maintain your anonymity when reporting an incident if you wish. If you are unsure of anything in this policy you should ask for advice from Strategic ICT Page 9 of 11
10 12 Appendix 1 Security Weakness or incident observed Incident reported to Capita IT Helpdesk Incident Logged Line Management Informed Action required No Incident Call Closed Yes Incident investigated and recommendations or action plan put forward Action taken and relevant officers informed of changes Incident report forwarded to Partnership Operating Board Group decides on whether any policy changes are required. Page 10 of 11
11 Incident call 13 Appendix closed 2 Examples of Information Security Incidents Examples of the most common Information Security Incidents are listed below. It should be noted that this list is not exhaustive. Malicious Giving information to someone who should not have access to it - verbally, in writing or electronically. Computer infected by a Virus or other malware. Sending a sensitive to 'all staff' by mistake. Receiving unsolicited mail of an offensive nature. Receiving unsolicited mail which requires you to enter personal data. Finding data that has been changed by an unauthorised person. Receiving and forwarding chain letters including virus warnings, scam warnings and other s which encourage the recipient to forward onto others. Unknown people asking for information which could gain them access to council data (e.g. a password or details of a third party). Misuse Use of unapproved or unlicensed software on Mendip District Council equipment. Accessing a computer database using someone else's authorisation (e.g. someone else's user id and password). Writing down your password and leaving it on display / somewhere easy to find. Printing or copying confidential information and not storing it correctly or confidentially. Theft / Loss Theft / loss of a hard copy file. Theft / loss of any Mendip District Council computer equipment. Page 11 of 11
Guidance on data security breach management
Guidance on data security breach management Organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction
More informationGuidance on data security breach management
ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...
More informationData Security Breach Management - A Guide
DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT GD21 2 DATA PROTECTION (JERSEY) LAW 2005: GUIDANCE ON DATA SECURITY BREACH MANAGEMENT Introduction Organisations which process
More informationProcedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom
Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom
More informationTHE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31
THE MORAY COUNCIL Guidance on data security breach management Information Assurance Group DRAFT Based on the ICO Guidance on data security breach management under the Data Protection Act 1 Document Control
More informationInformation Security Incident Management Policy and Procedure
Information Security Incident Management Policy and Procedure Version Final 1.0 Document Control Organisation Title Author Filename Owner Subject Protective Marking North Dorset District Council IT Infrastructure
More informationInformation Incident Management Policy
Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit
More informationSecurity Incident Management Policy
Security Incident Management Policy January 2015 Document Version 2.4 Document Status Owner Name Owner Job Title Published Martyn Ward Head of ICT Business Delivery Document ref. Approval Date 27/01/2015
More informationSoftware Policy. Software Policy. Policy and Guidance. June 2013
Software Policy Policy and Guidance June 2013 Project Name Software Policy Product Title Policy and Guidance Version Number 1.2Final Page 1 of 8 Document Control Organisation Title Author Filename Owner
More informationInformation Security Incident Management Policy and Procedure. CONTROL SHEET FOR Information Security Incident Management Policy
Bolsover District Council North East Derbyshire District Council & Rykneld Homes Ltd Information Security Incident Management Policy September 2013 Version 1.0 Page 1 of 13 CONTROL SHEET FOR Information
More informationInformation Security Incident Management Policy
Information Security Incident Management Policy Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT Policy & Regulation
More informationRHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 2.0.1
RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 2.0.1 Revised and effective from 1st April 2012 Document Control Organisation Title Author Filename Owner
More informationDATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE
DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful
More informationData Security Breach Incident Management Policy
Data Security Breach Incident Management Policy Contents 1. Background... 1 2. Aim... 1 3. Definition... 2 4. Scope... 2 5. Responsibilities... 2 6. Data Classification... 2 7. Data Security Breach Reporting...
More informationDBC 999 Incident Reporting Procedure
DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible
More informationSecurity Incident Policy
Organisation Title Author Owner Protective Marking Somerset County Council Security Incident Policy Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council will
More informationPolicy Document. IT Infrastructure Security Policy
Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT
More informationU07 Information Security Incident Policy
Dartmoor National Park Authority U07 Information Security Incident Policy June 2010 This document is copyright to Dartmoor National Park Authority and should not be used or adapted for any purpose without
More informationSomerset County Council - Data Protection Policy - Final
Organisation Title Author Owner Protective Marking Somerset County Council Data Protection Policy - Final Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council
More informationPolicy Document. Communications and Operation Management Policy
Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author
More informationIT ACCESS CONTROL POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More informationSECURITY POLICY REMOTE WORKING
ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY REMOTE WORKING Introduction This policy defines the security rules and responsibilities that apply when doing Council work outside of Council offices
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationNetwork Password Management Policy & Procedures
Network Password Management Policy & Procedures Document Ref ISO 27001 Section 11 Issue No Version 1.3 Document Control Information Issue Date April 2009, June 2010, September 2011 Status Approved By FINAL
More informationHuman Resources Policy documents. Data Protection Policy
Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and
More informationSo the security measures you put in place should seek to ensure that:
Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.
More informationNIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities
Information Governance Untoward Incident Reporting and Management Advice for Local Authorities March 2013 Contents Page 1. The Role of the NIGB.....3 2. Introduction...4 3. Background Information...6 4.
More informationData Security Breach Management Procedure
Academic Services Data Security Breach Management Procedure Document Reference: Data Breach Procedure 1.1 Document Type: Document Status: Document Owner: Review Period: Procedure v1.0 Approved by ISSG
More informationINFORMATION SECURITY INCIDENT REPORTING POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More informationREMOTE WORKING POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More informationData Protection Breach Management Policy
Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/
More informationPRIVACY BREACH MANAGEMENT POLICY
PRIVACY BREACH MANAGEMENT POLICY DM Approval: Effective Date: October 1, 2014 GENERAL INFORMATION Under the Access to Information and Protection of Privacy Act (ATIPP Act) public bodies such as the Department
More informationCAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board
CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD Data Breach Management Policy Adopted by Cavan and Monaghan Education Training Board on 11 September 2013 Policy Safeguarding personally identifiable information
More informationInformation security incident reporting procedure
Information security incident reporting procedure Responsible Officer Author Date effective from 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationIslington Security Incident Policy A council-wide information technology policy. Version 0.7.1 July 2013
A council-wide information technology policy Version 0.7.1 July 2013 Copyright Notification Copyright London Borough of Islington 2014 This document is distributed under the Creative Commons Attribution
More informationKEELE UNIVERSITY IT INFORMATION SECURITY POLICY
Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical
More informationProcedure for Managing a Privacy Breach
Procedure for Managing a Privacy Breach (From the Privacy Policy and Procedures available at: http://www.mun.ca/policy/site/view/index.php?privacy ) A privacy breach occurs when there is unauthorized access
More informationData Protection Policy
Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review
More informationCorporate Information Security Management Policy
Corporate Information Security Management Policy Signed: Chief Executive. 1. Definition of Information Security 1.1. Information security means safeguarding information from unauthorised access or modification
More informationSECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures
SECURITY INCIDENT REPORTING AND MANAGEMENT Standard Operating Procedures Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme.
More informationROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING
ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING Introduction and Policy Aim The Royal Borough of Windsor and Maidenhead (the Council) recognises the need to protect Council
More informationInformation Security
Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff
More informationThe potential legal consequences of a personal data breach
The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.
More informationThe Ministry of Information & Communication Technology MICT
The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.
More informationGUIDE TO MANAGING DATA BREACHES
8 MAY 2015 CONTENT PURPOSE OF THE GUIDE 3 INTRODUCTION 4 HOW DATA BREACHES COULD OCCUR 5 RESPONDING TO A DATA BREACH 6 i. DATA BREACH MANAGEMENT PLAN 6 ii. CONTAINING THE BREACH 7 iii. ASSESSING RISK AND
More informationInformation Security Incident Protocol
Information Security Incident Protocol Document Owner Caroline Dodge Tel: 01622-221652 caroline.dodge@kent.gov.uk Version Version 2: July 2013 Contents 1. Protocol Objectives 2. Scope 3. Protocol Statement
More informationDocument Control. Version Control. Sunbeam House Services Policy Document. Data Breach Management Policy. Effective Date: 01 October 2014
Document Control Policy Title Data Breach Management Policy Policy Number 086 Owner Information & Communication Technology Manager Contributors Information & Communication Technology Team Version 1.0 Date
More informationInformation Governance Framework. June 2015
Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review
More informationCCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY
CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review
More informationVersion: 2.0. Effective From: 28/11/2014
Policy No: OP58 Version: 2.0 Name of Policy: Anti Virus Policy Effective From: 28/11/2014 Date Ratified 17/09/2014 Ratified Health Informatics Assurance Committee Review Date 01/09/2016 Sponsor Director
More informationIslington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014
Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document
More informationInformation Security Incident Reporting & Investigation
Information Security Incident Reporting & Investigation Purpose: To ensure all employees, consultants, agency workers and volunteers are able to recognise an information security incident and know how
More information1. (a) Full name of proposer including trading names if any (if not a limited company include full names of partners) Date established
Network Security ProPosal Form Important Please answer all questions from each section and complete in block capitals. Tick the appropriate boxes where necessary and supply any further information requested.
More informationBOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy
BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy
More informationThe best advice before you decide on what action to take is to seek the advice of one of the specialist Whistleblowing teams.
Whistleblowing Policy (HR Schools) 1.0 Introduction Wainscott school is committed to tackling unlawful acts including fraud, corruption, unethical conduct and malpractice regardless of who commits them,
More informationSTRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS
Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level
More informationInformation Security Incident Management Policy September 2013
Information Security Incident Management Policy September 2013 Approving authority: University Executive Consultation via: Secretary's Board REALISM Project Board Approval date: September 2013 Effective
More informationInformation Security Policy. Chapter 10. Information Security Incident Management Policy
Information Security Policy Chapter 10 Information Security Incident Management Policy Author: Policy & Strategy Team Version: 0.4 Date: December 2007 Version 0.4 Page 1 of 6 Document Control Information
More informationUniversity of Sunderland Business Assurance Information Security Policy
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
More informationRecords Management Policy & Guidance
Records Management Policy & Guidance COMMERCIALISM Document Control Document Details Author Nigel Spencer Company Name The Crown Estate Department Name Information Services Document Name Records Management
More informationData Protection and Information Security Policy and Procedure
Data Protection and Information Security Policy and Procedure Document Detail Category: Data Protection Authorised By: Full Governing Body Author: School Business Manager Version: 1 Status: Approved May
More informationInformation Security Policy
Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September
More informationCentral Bedfordshire Council. IT Acceptable Use Policy. Version 1.7 January 2016 Not Protected. Not Protected Page 1 of 11
Central Bedfordshire Council IT Acceptable Use Policy Version 1.7 January 2016 Not Protected Not Protected Page 1 of 11 Policy Approval Central Bedfordshire Council acknowledges that information is a valuable
More informationData Protection Breach Reporting Procedure
Central Bedfordshire Council www.centralbedfordshire.gov.uk Data Protection Breach Reporting Procedure October 2015 Security Classification: Not Protected 1 Approval History Version No Approved by Approval
More informationData Protection Policy
Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages
More informationmicros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
More informationInformation Security Policy. Chapter 12. Asset Management
Information Security Policy Chapter 12 Asset Management Author: Policy & Strategy Team Version: 0.5 Date: April 2008 Version 0.5 Page 1 of 7 Document Control Information Document ID Document title Sefton
More informationOnce more unto the breach... Dealing with Personal Data Security Breaches. Helen Williamson Information Governance Officer
Once more unto the breach... Dealing with Personal Data Security Breaches Helen Williamson Information Governance Officer Aims of the session What are we going to look at? What is a data security breach?
More informationPersonal Information Protection Act Information Sheet 11
Notification of a Security Breach Personal Information Protection Act Information Sheet 11 Introduction Personal information is used by organizations for a variety of purposes: retail and grocery stores
More informationHow To Ensure Network Security
NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:
More informationINFORMATION SECURITY POLICY
INFORMATION SECURITY POLICY Rev Date Purpose of Issue/ Description of Change Equality Impact Assessment Completed 1. June 2011 Initial Issue 2. 29 th March 2012 Second Version 3. 15 th April 2013 Third
More informationLEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
More informationIncident reporting procedure
Incident reporting procedure Responsible Officer Author Date effective from Aug 2009 Date last amended Aug 2009 Review date July 2012 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance
More informationHow To Protect School Data From Harm
43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationInformation Governance Policy
Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups
More informationAdministrative Procedures Memorandum A1452
Page 1 of 11 Date of Issue February 2, 2010 Original Date of Issue Subject References February 2, 2010 PRIVACY BREACH PROTOCOL Policy 2197 Management of Personal Information APM 1450 Management of Personal
More informationAcceptable Use of Information Systems Standard. Guidance for all staff
Acceptable Use of Information Systems Standard Guidance for all staff 2 Equipment security and passwords You are responsible for the security of the equipment allocated to, or used by you, and must not
More informationCaedmon College Whitby
Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3
More informationICT POLICY AND PROCEDURE
ICT POLICY AND PROCEDURE POLICY STATEMENT St Michael s College regards the integrity of its computer resources, including hardware, databases and software, as central to the needs and success of our day-to-day
More informationABERDARE COMMUNITY SCHOOL
ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been
More informationPrivacy and Security Incident Management Protocol
Our Vision Better data. Better decisions. Healthier Canadians. Our Mandate To lead the development and maintenance of comprehensive and integrated health information that enables sound policy and effective
More informationDATA AND PAYMENT SECURITY PART 1
STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of
More informationIM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers
IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy DOCUMENT INFORMATION Author: Vince Weldon Associate Director of IM&T Approval: Executive This document replaces: IM&T Policy No. 1 Anti Virus Version
More informationData Transfer Policy London Borough of Barnet
London Borough of Barnet DATA PROTECTION 11 Document Control Document Description Data Transfer Policy Version v.2 Date Created December 2010 Status Authorisation Name Signature Date Prepared By: IS Checked
More informationEnterprise Information Security Procedures
GHL Network Services Ltd Enterprise Information Security Procedures Prepared By Nigel Gardner Date 16/11/09 1 Contents 1. Openwork s Information Security Policy...3 2. Enterprise Information Security Procedures...3
More informationRemote Access and Home Working Policy London Borough of Barnet
Remote Access and Home Working Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Remote Access and Home Working Policy Document Description This policy applies to home and
More informationSouth West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy
South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy Reference No: CG 01 Version: Version 1 Approval date 18 December 2013 Date ratified: 18 December 2013 Name of Author
More informationNHS Waltham Forest Clinical Commissioning Group Information Governance Strategy
NHS Waltham Forest Clinical Commissioning Group Governance Strategy Author: Zeb Alam, CCG IG Lead, (NELCSU) David Pearce, Head of Governance, WFCCG Version 3.0 Amendments to Version 2.1 Annual Review Reference
More informationNHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé
NHS HDL (2006)41 abcdefghijklm = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé Dear Colleague NHSSCOTLAND INFORMATION SECURITY POLICY Summary 1. NHSScotland IT Security Policy was
More informationSecurity Awareness. A Supplier Guide/Employee Training Pack. May 2011 (updated November 2011)
Security Awareness A Supplier Guide/Employee Training Pack May 2011 (updated November 2011) Contents/Chapters 1. How do I identify a DWP asset 2. Delivering on behalf of DWP - Accessing DWP assets 3. How
More informationINITIAL APPROVAL DATE INITIAL EFFECTIVE DATE
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
More informationGlasgow Kelvin College. Disciplinary Policy and Procedure
Appendix 1 Glasgow Kelvin College Disciplinary Policy and Procedure Document Control Information Status: Responsibility for Document and its implementation Responsibility for document review: Current version
More informationHERTSMERE BOROUGH COUNCIL
HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act
More informationData Protection Procedures
Data Protection Procedures PROCEDURE OVERVIEW: This Procedure outlines Down District Council s ( the Council ) commitment to the Data Protection Act 1998 ( the Act ) and provides a framework for the Council
More informationMerthyr Tydfil County Borough Council. Data Protection Policy
Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the
More informationCouncil, 14 May 2015. Information Governance Report. Introduction
Council, 14 May 2015 Information Governance Report Introduction 1.1 The Information Governance function within the Secretariat Department is responsible for the HCPC s ongoing compliance with the Freedom
More informationWHAT YOU NEED TO KNOW ABOUT CYBER SECURITY
SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes
More information