Information Security Policy


To whom this document applies: All Trust staff, including agency and contractors
Procedural Documents Approval Committee
Issue Date: January 2010 Version 1
Document reference: 291
Date(s) reviewed: October 2011 Version 1a; April 2012 Version 2; September 2014 Version 3
Approved by: Procedural Documents Approval Committee
Date approved: September 2014
Next Review date: September 201
Version No: 3
Responsibility for review: Head of Information Governance
Contributors: Please see Procedural Development, Consultation Proposal Form, page 2
Archiving information held by the secretary of the Procedural Documents Approval Committee
Policy: 291 Page 1 of 9

Procedural Development Consultation Proposal Form

Title: Information Security Policy
Policy Procedure Guideline Protocol Standard
Name of person presenting document: Rees Millbourne, Head of Information Governance
Reason for document development/review: Bi-annual review, minor changes.
Names of development team (including a representative from all relevant disciplines): Rees Millbourne, Head of Information Governance
Who has been consulted?
- Head of IT
- Associate Director of ICT
- Director of Finance (SIRO)
- Local Counter Fraud Specialist
Does this document require presentation and agreement from Health and Safety Committee or Staff Partnership Forum prior to PDAC approval? Yes No
Specify groups of staff to whom the document relates: All Trust staff, including agency and contractors
Source of supporting evidence (references etc.): See Evidence Base.
Are there resource implications? Yes No
If yes please detail them:
Does the Procedure/Guideline meet latest NHSLA, Risk Management Standards, Essential Standards of Quality and Safety (CQC)? Yes No
Does this Procedure/Guideline include children, if applicable?
1. Does this document apply to children? Yes No
2. Are there aspects of this document that differ with regard to the treatment of children? Yes No
If yes, please state who has been consulted
A Trust review will occur every two years unless national guidance states otherwise.
Date: April 2014

Contents

Review, Updating and Archiving of the Document
Document Development and Consultation Process
Contents
Introduction
Related Documents
1. Definition of Terms
2. Roles and Responsibilities
3. Information Risk Assessment
   Management of Security
   Contracts of Employment
   Security Control of Assets
   Access Controls
   User Access Controls
   Computer Access Control
   Application Access Control
   Equipment Security
   Information Security Incidents and Weaknesses
   Classification of Sensitive Information
   Protection from Malicious Software
   User Media
   Monitoring System Access and Use
   Accreditation of Information Systems
   System Change Control
   Intellectual Property Rights
   Business Continuity and Disaster Recovery Plans
4. Training
5. Evidence Base
Monitoring Compliance and Audit
Dissemination, Implementation and Access to the Document

Introduction and Policy Statement

Information security is primarily about people but is facilitated by the appropriate use of technology. The purpose of the Trust's Information Security Policy is to protect, to a consistently high standard, all information assets. The policy covers security which can be applied through technology but, perhaps more crucially, it encompasses the behaviour of the people who manage information.

This Information Security Policy is a key component of the Trust's overall information security management framework and should be read alongside more detailed information security documentation including system level security policies, security guidance, protocols and procedures.

This policy applies to staff and contractors of Colchester Hospital University NHS Foundation Trust and partner organisations who access Trust information or information systems.

Objectives, Aims and Scope

Objectives

The objectives of the Information Security Policy are to preserve:

- Confidentiality: Access to data shall be confined to those with appropriate authority.
- Integrity: Information shall be complete and accurate. All systems, assets, and networks shall operate correctly, according to specification.
- Availability: Information shall be available and delivered to the right person, at the time when it is needed.

Policy Aim

The aim of this Policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by the Trust by:

- ensuring that information is being managed securely and in a consistent and corporate way.
- ensuring that staff are aware of and fully comply with relevant legislation as described in this and other policies.
- describing the principles of information security and explaining how they will be implemented in the Trust.
- introducing a consistent approach to tackle the issues around information security and ensuring that staff fully understand their own responsibilities.
- creating and maintaining within the Trust awareness of information security as an integral part of the day-to-day business.
- protecting information under the control of the Clinical Commissioning Group (CCG).

Scope

This policy applies to staff and contractors of Colchester Hospital University NHS Foundation Trust and partner organisations who access Trust information or information systems.

This policy applies to all Trust information and information systems including:

- information collected, processed, stored and communicated by or on behalf of the Trust.
- software that is owned or operated by the Trust or is used for Trust business.
- websites and the internet when accessed via the Trust's network or when being used for Trust business.
- the corporate network and servers that store and process Trust information, whether located within or outside the Trust.
- any device that connects to the corporate servers and network or that accesses Trust information, including PCs, printers, laptops, other portable devices, USB flash drives, memory sticks, smart phones, discs and tapes.

Related Documents

- 292 Information Governance Strategy
- 23 Information Governance Procedure
- 314 Internet Policy
- 315 Internet Procedure
- 311 Data Transfer and Removable Media Policy
- 30 Network Security Policy
- 240 Remote Access Procedure
- 293 Clinical Systems Access Policy
- 11 Risk Management Strategy
- 03a Serious Incident Procedure (including Never Events)

1. Definition of Terms

This procedure applies to all Trust information and information systems including:

- information collected, processed, stored and communicated by or on behalf of the Trust.
- software that is owned or operated by the Trust or is used for Trust business.
- websites and the internet when accessed via the Trust's network or when being used for Trust business.
- the corporate network and servers that store and process Trust information, whether located within or outside the Trust.
- any device that connects to the corporate servers and network or that accesses Trust information, including PCs, printers, laptops, other portable devices, USB flash drives, memory sticks, smart phones, discs and tapes.

2. Roles and Responsibilities

Ultimate responsibility for information security rests with the Chief Executive of the Trust. On a day-to-day basis the Associate Director of Information Communication and Technology (ICT) shall be responsible for managing and implementing the Policy and related procedures.

Director of Finance

- Has responsibility at Board level for information security, as they are the nominated Senior Information Risk Owner (SIRO).

Head of Information Governance (IG)

- Will maintain, review and update the Information Security Policy biannually.
- Is responsible for implementing, monitoring, documenting, and communicating security requirements for the Trust.

Line Managers

- Are responsible for ensuring that their permanent, temporary staff and contractors are aware of:
  - information security procedures applicable in their work areas.
  - personal responsibilities for information security.
  - how to access advice on information security matters.
- Are individually responsible for the security of their physical environments where information is processed or stored.

All Staff

- Are required to comply with information security procedures, including the maintenance of data confidentiality and data integrity. Failure to do so may result in disciplinary action.
- Are responsible for the operational security of the information systems they use.
- Are required to comply with the security requirements that are currently in force, and also ensure that the confidentiality, integrity, and availability of the information they use is maintained to the highest standard.
- Have a responsibility to only access clinical information they have a legitimate relationship with as part of the formal job role.

External Contractors

Contracts with external contractors that allow access to the Trust's information systems must be in operation before access is allowed. Dependent on the content of the contract there may be a requirement to have an additional data sharing agreement. These contracts will ensure that the staff or sub-contractors of external organisations comply with all appropriate security policies.

Local Counter Fraud Specialists (LCFS)

The LCFS is responsible for investigation of all cases where actual or suspected fraud concerning information security is alleged. This may result in disciplinary, criminal or civil prosecution.

3. Process

Management of Security

Contracts of Employment

Staff security requirements will be addressed at recruitment stage and all contracts of employment contain a confidentiality clause and a section specific to Information Governance. Information security expectations of staff will be included within appropriate job descriptions.

Security Control of Assets

Each IT asset (hardware, software, application or data) will have a named custodian (known as the Information Asset Owner (IAO)) who will be responsible for the information security of that asset. This will be Heads of Department/Service Managers for local assets and a Director for Trust wide assets.

Access Controls

Only authorised personnel who have a justified and approved business need can be given access to restricted areas containing information systems or stored data.

User Access Controls

Access to information will be restricted to authorised users who have a bona-fide business need to access the information.

Computer Access Control

Access to computer facilities will be restricted to authorised users who have a business need to use the facilities.

Application Access Control

Access to data, system utilities and program source libraries will be controlled and restricted to authorised users who have a legitimate business need e.g. systems or database administrators. Authorisation to use an application will be dependent upon the availability of a licence from the supplier.

Equipment Security

In order to minimise loss of, or damage to, all assets, equipment will be physically protected from threats and environmental hazards.

Information Risk Assessment

The core principle of risk assessment and management requires the identification and quantification of information security risks in terms of their perceived value of asset, severity of impact and the likelihood of occurrence.

Once identified, information security risks will be managed on a formal basis. They will be recorded within the Trust's risk register and action plans will be put in place to effectively manage those risks. The risk register and all associated actions will be reviewed in accordance with the Trust's risk register procedure. Any implemented information security arrangements will also be a regularly reviewed feature of the Trust's risk management programme. These reviews will help to identify areas of continuing best practice and possible weakness, as well as potential risks that may have arisen since the last review was completed.

Information Security Incidents and Weaknesses

All information security incidents and suspected weaknesses must be reported to the Associate Director of ICT. All information security incidents will be investigated to establish their cause and impacts with a view to avoiding similar events.

Classification of Sensitive Information

A consistent system for the classification of information within the NHS organisations enables common assurances in information partnerships, consistency in handling and retention practice when information is shared with non-NHS bodies.

The Trust will implement appropriate information classification controls, based upon the results of formal risk assessment and guidance contained within the IG Toolkit to secure their NHS information assets.

Protection from Malicious Software

The Trust will use software countermeasures and management procedures to protect itself against the threat of malicious software. All staff are expected to co-operate fully with this policy. Users must not install software on the Trust's property. Users breaching this guidance may be subject to disciplinary action.

User Media

Non-Trust removable media of all types that contain software or data from external sources, or that have been used on external equipment, require the approval of the Associate Director of ICT before they may be used on the Trust's systems. Such media must also be fully virus checked before being used on the Trust's equipment. Users breaching this requirement may be subject to disciplinary action.

Trust owned removable media must be used in accordance with the removable media procedure.

Monitoring System Access and Use

When necessary, and as directed by senior management, an audit trail of system access and data used by staff shall be maintained and reviewed on a regular basis.

The Trust has in place routines to regularly audit compliance with this and other policies. In addition it reserves the right to monitor activity where it suspects that there has been a breach of policy. The Regulation of Investigatory Powers Act (2000) permits monitoring and recording of staff electronic communications (including telephone communications) for the following reasons:

- Establishing the existence of facts.
- Investigating or detecting unauthorised use of the system.
- Preventing or detecting crime.
- Ascertaining or demonstrating standards which are achieved or ought to be achieved by persons using the system (quality control and training).
- In the interests of national security.
- Ascertaining compliance with regulatory or self-regulatory practices or procedures.
- Ensuring the effective operation of the system.

Any monitoring will be undertaken in accordance with the above Act and the Human Rights Act.

Accreditation of Information Systems

The Trust shall ensure that all new information systems, applications, and networks include a security plan and are approved by the Confidential Information Steering Group before they commence operation. Each System Administrator will be responsible for developing, maintaining, and reviewing a system specific procedure which will include system security.

System Change Control

Changes to information systems, applications, or networks will be reviewed and approved by the Associate Director of ICT.

Intellectual Property Rights

The Trust will ensure that all information products are properly licensed and approved by ICT. Users shall not install software on the Trust's property without permission from the Associate Director of ICT. Users breaching this requirement may be subject to disciplinary action.

Business Continuity and Disaster Recovery Plans

The Trust will ensure that business impact assessment, business continuity, and disaster recovery plans are produced for all mission critical information, applications, systems, and networks.

4. Training

All staff are required to complete mandatory Information Governance elearning on an annual basis. This training content includes Information Security.

5. Evidence Base

The Trust is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation will be devolved to staff and agents of the Trust, who may be held personally accountable for any breaches of information security for which they may be held responsible.

The Trust will comply with the following legislation and other legislation as appropriate:

- The Data Protection Act (199)
- The Data Protection (Processing of Sensitive Personal Data) Order (2000)
- The Copyright, Designs and Patents Act (19)
- The Computer Misuse Act (1990)
- The Health and Safety at Work Act (194)
- Human Rights Act (199)
- Regulation of Investigatory Powers Act (2000)
- Freedom of Information Act (2000)
- Health & Social Care Act (2001)

Monitoring Compliance and Audit

All incidents or risks associated with this Policy, including reports of non-compliance, will be reported to the Confidential Information Steering Group. Any incidents declared as Serious Incidents (SIs) or Extreme Risks will be reported to the Director of Finance as the Senior Information Risk Owner (SIRO) and managed in accordance with the Trust's policies and procedures.

Dissemination, Implementation and Access to the Document

This policy is available on the Trust intranet. Staff are notified via , of the policy and any amendments.


Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

University of Liverpool

University of Liverpool University of Liverpool IT Asset Disposal Policy Reference Number Title CSD 015 IT Asset Disposal Policy Version Number v1.2 Document Status Document Classification Active Open Effective Date 22 May 2014

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

Highland Council Information Security Policy

Highland Council Information Security Policy Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...

More information

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy.

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy. Title: Reference No: NHSNYYIG - 007 Owner: Author: INFORMATION GOVERNANCE POLICY Director of Standards First Issued On: September 2010 Latest Issue Date: February 2012 Operational Date: February 2012 Review

More information

Information Governance Strategy. Version No 2.1

Information Governance Strategy. Version No 2.1 Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

INFORMATION RISK MANAGEMENT POLICY

INFORMATION RISK MANAGEMENT POLICY INFORMATION RISK MANAGEMENT POLICY DOCUMENT CONTROL: Version: 1 Ratified by: Steering Group / Risk Management Sub Group Date ratified: 21 November 2012 Name of originator/author: Manager Name of responsible

More information

Policy Checklist. Head of Information Governance

Policy Checklist. Head of Information Governance Policy Checklist Name of Policy: Information Governance Policy Purpose of Policy: To provide guidance to all staff on their responsibilities regarding information governance and to ensure that the Trust

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

43: DATA SECURITY POLICY

43: DATA SECURITY POLICY 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

Information Governance Strategy. Version No 2.0

Information Governance Strategy. Version No 2.0 Plymouth Community Healthcare CIC Information Governance Strategy Version No 2.0 Notice to staff using a paper copy of this guidance. The policies and procedures page of PCH Intranet holds the most recent

More information

Network Security Policy

Network Security Policy IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service

More information

Information Governance Policy

Information Governance Policy BEXLEY CARE TRUST MANAGEMENT MANUAL Title: INFORMATION GOVERNANCE POLICY Originating Department: IT DEPARTMENT Authorised by: Risk Management Committee June 2008 Reference no: CA12 Date of Issue: JANUARY

More information

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Version: 0.2 Committee Approved by: Audit Committee Date Approved: 15 th January 2014 Author: Responsible Directorate Information Governance & Security Officer, The Health Informatics

More information

INFORMATION SECURITY & DATA PROTECTION POLICY. Documentation Control

INFORMATION SECURITY & DATA PROTECTION POLICY. Documentation Control INFORMATION SECURITY & DATA PROTECTION POLICY Documentation Control Reference Date Approved Approving Body GG/INF/002 TRUST BOARD Implementation Date JUNE 2010 Supersedes Consultation Date of Completion

More information

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services Issue 1.0 (Effective 27 June 2012) This document contains a copy of the STFC policy statements outlining

More information

Information governance strategy 2014-16

Information governance strategy 2014-16 Information Commissioner s Office Information governance strategy 2014-16 Page 1 of 16 Contents 1.0 Executive summary 2.0 Introduction 3.0 ICO s corporate plan 2014-17 4.0 Regulatory environment 5.0 Scope

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY Appendix 1 INFORMATION GOVERNANCE INFORMATION GOVERNANCE POLICY Author Information Governance Review Group Information Governance Committee Review Date May 2014 Last Update February 2013 Document No. GV

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Name of Policy Author: Name of Review/Development Body: Ratification Body: Ruth Drewett Information Governance Steering Group Committee Trust Board : April 2015 Review date:

More information

Staffordshire County Council. Records Management Policy

Staffordshire County Council. Records Management Policy Staffordshire County Council Records Management Policy Version Author Approved By Date Published Review V. 2.0 Information Governance Unit Philip Jones, Head of Information Governance 2/11/2012 November

More information

Information Governance Policy

Information Governance Policy Policy Policy Number / Version: v2.0 Ratified by: Audit Committee Date ratified: 25 th February 2015 Review date: 24 th February 2016 Name of originator/author: Name of responsible committee/individual:

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

Merthyr Tydfil County Borough Council. Information Security Policy

Merthyr Tydfil County Borough Council. Information Security Policy Merthyr Tydfil County Borough Council Information Security Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of

More information

INFORMATION SECURITY MANAGEMENT POLICY

INFORMATION SECURITY MANAGEMENT POLICY INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Including the Information Governance Strategy Framework and associated Information Governance Procedures Last Review Date Approving Body N/A Governing Body Date of Approval

More information

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical

More information

Policy Information Management

Policy Information Management Policy Information Management Document Title: Policy Information Management Issue date: October 2013 Document Status: Approved IGC 23 Oct 2013 Review date: October 2014 Page 1 of 17 Document control Document

More information

Dublin City University

Dublin City University Asset Management Policy Asset Management Policy Contents Purpose... 1 Scope... 1 Physical Assets... 1 Software Assets... 1 Information Assets... 1 Policies and management... 2 Asset Life Cycle... 2 Asset

More information

TRUST POLICY AND PROCEDURES FOR THE USE OF SOCIAL NETWORKING SITES (INCLUDING ACCESS VIA MOBILE DEVICES) Status: Final. Version Date Author Reason

TRUST POLICY AND PROCEDURES FOR THE USE OF SOCIAL NETWORKING SITES (INCLUDING ACCESS VIA MOBILE DEVICES) Status: Final. Version Date Author Reason TRUST POLICY AND PROCEDURES FOR THE USE OF SOCIAL NETWORKING SITES (INCLUDING ACCESS VIA MOBILE DEVICES) Reference Number HR 2012 046 Version: 1 Status: Final Author: Jane Thomas Job Title HR Manager Amendment

More information

Policies for: Information Governance Information Quality Information Management Information Security. Version Control Version: 0.1

Policies for: Information Governance Information Quality Information Management Information Security. Version Control Version: 0.1 Policies for: Information Governance Information Quality Information Management Information Security Approved by: None this version Date approved: Name of originator/author: Ade Oduntan, Mike Hellier,

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy Summary This policy outlines the organisation s approach to the management of Information Governance and information handling. It explains the accountability and reporting

More information

information systems security policy...

information systems security policy... sales assessment.com information systems security policy... Approved: 2nd February 2010 Last updated: 2nd February 2010 sales assessment.com 2 index... 1. Policy Statement 2. IT Governance 3. IT Management

More information

Information security policy

Information security policy Information security policy Author Strategic Head of Corporate Affairs Owner Chief Finance Officer (SIRO) Date: 18 February 2013 Version 1.0 Previous version & Date: n/a Equality analysis undertaken 26

More information

Harper Adams University College. Information Security Policy

Harper Adams University College. Information Security Policy Harper Adams University College Information Security Policy Introduction The University College recognises that information and information systems are valuable assets which play a major role in supporting

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette

More information

Information Governance and Data Protection Policy

Information Governance and Data Protection Policy Information Governance and Data Protection Policy Page 1 of 21 Document Control Sheet Name of document: Version: Owner: File location / Filename: Information Governance and Data Protection Policy Final

More information

IT SECURITY POLICY (ISMS 01)

IT SECURITY POLICY (ISMS 01) IT SECURITY POLICY (ISMS 01) NWAS IM&T Security Policy Page: Page 1 of 14 Date of Approval: 12.01.2015 Status: Final Date of Review Recommended by Approved by Information Governance Management Group Trust

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

IT change management policy

IT change management policy IT change management policy Document Description Document Type Guidance Service Application NHS Birmingham South Central CCG (BSC) Version 0.3 Ratification date 20 June, 2013 Review Date March 2014 Name

More information

Information & ICT Security Policy Framework

Information & ICT Security Policy Framework Information & ICT Security Framework Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT & Regulation Group and IMG January

More information

INFORMATION GOVERNANCE STRATEGY

INFORMATION GOVERNANCE STRATEGY INFORMATION GOVERNANCE STRATEGY Page 1 of 10 Strategy Owner Valerie Penn, Head of Governance Strategy Author Caroline Law, Information Governance Project Manager Directorate Corporate Governance Ratifying

More information

Information Governance Policy

Information Governance Policy Information Governance Policy UNIQUE REF NUMBER: AC/IG/013/V1.2 DOCUMENT STATUS: Approved by Audit Committee 19 June 2013 DATE ISSUED: June 2013 DATE TO BE REVIEWED: June 2014 1 P age AMENDMENT HISTORY

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information