Information security policy. Document author Assured by Review cycle. 1. Introduction Policy statement Purpose Scope...

Transcription

1 Information security policy Board library reference Document author Assured by Review cycle P021 Information Security and Technical Assurance Manager Finance and Planning Committee 3 year This document is version controlled. The master copy is on Ourspace. Once printed, this document could become out of date. Check Ourspace for the latest version. Contents 1. Introduction Policy statement Purpose Scope Standards Roles and responsibilities The board The senior information risk owner (SIRO) The Information Asset Owner (IAO) The information asset administer (IAA) The information security manager (ISM) Line managers Individual System Users Training Monitoring and audit...5 Information security policy Expiry date: 15/04/2019 Version No: 4.0 Page 1 of 6

2 1. Introduction Avon and Wiltshire Mental Health Partnership NHS Trust (AWP) is bound by the provisions of a considerable number of items of legislation and regulation affecting the stewardship of data and information. Information Governance (IG) ensures the Trust s compliance with applicable legislation, the regulatory framework, Common Law, and mandated Best Practice. In short, IG exists to ensure the Integrity, Availability, Confidentiality of the Trust s operational, patient, staff and management information. The AWP Overarching Information Governance Policy defines the Trust s mandated base-line strategy for compliance and effective management in each of the following six areas of Information Governance. Confidentiality & Data Protection Assurance Information Governance Management Assurance Clinical Information Assurance Information Security Assurance Secondary Use Assurance Corporate Information Assurance Each of these six areas is further governed by detailed policy. Collectively, the Policies constitute the top level documentation of the Trust s Information Governance Management System (IGMS). Compliance with all Policies, Procedures and Guidelines contained in the IGMS is mandatory for all persons and organisations operating under the auspices of, or delivering a service to the Trust, whether they are staff, students, volunteers, contractors or partner organisations. Staff should be aware that IGMS Policies are intended to protect the Trust and staff from adverse outcomes in terms of compliance with the law. Where IGMS policies are breached by staff it may be necessary for managers to consider retraining staff, or following the Trust s Disciplinary Procedures. Staff should also note that legal penalties could also be imposed upon the Trust or its employees for non-compliance with relevant legislation and NHS guidance, and in serious cases individuals may not be immune from prosecution or civil legal action by virtue of their employment within the Trust. 2. Policy statement The Trust shall implement effective Information Security management to ensure the integrity, confidentially and availably of information in compliance with the national standards defined in the NHS Information Governance Toolkit. 3. Purpose To set out the key responsibilities for Information Security management within the Trust 4. Scope This is a Trust-wide Policy and applies to all Information Assets and the data held, processed or transmitted by them, including staff, service user, management, audit and all other types of information used by the Trust. This is a Trust-wide Policy and applies to all staff and personnel operating under the auspices of the Trust, including employees, locums, contractors, temporary staff, students, service user representatives, volunteers and partner agency staff. Information security policy Expiry date: 15/04/2019 Version No: 4.0 Page 2 of 6

3 Where an Information Asset is provided by or used by a third party which has an organisational policy that differs from this Policy, a formal agreement as to which policy statement applies shall be agreed between all parties. In the absence of such an agreement, this Policy shall be deemed to have precedence. 5. Standards This information security management within the Trust shall be assessed against UK legislation The NHS Information Governance Toolkit HMG/CESG best practice guidance International standard compliance (e.g. ISO, ENISA) Industry best practice (e.g. ETSI, NIST, IETF, SANS institute, ISC2 ) 6. Roles and responsibilities 6.1 The board The NHS Executive has mandated that the ultimate responsibility for Information Governance, including information security, rests with the Board of each organisation. 6.2 The senior information risk owner (SIRO) A Board-level Senior Information Risk Owner shall be appointed by the Chief Executive The Senior Information Risk Owner is the accountable officer for information security and responsible for fostering a culture for protecting and using data, provides a focal point for managing information risks and incidents, is concerned with the management of all information assets. 6.3 The Information Asset Owner (IAO) An Information Asset Owner (IAO) shall be designated by the Senior Information Risk Owner (SIRO) for each separate information asset. It is important that ownership of Information Assets is linked to a post, rather than a named individual, to ensure that responsibilities for the asset are passed on, should the individual leave the organisation or change jobs within it. The IAO is responsible for the operation and compliance of the information asset assigned to them and the data it contains. For each information asset the IOA shall be responsible for: Risk and issue management Documentation and process management Change control Information sharing Information flow mapping Systems availability Asset management Access control Information security policy Expiry date: 15/04/2019 Version No: 4.0 Page 3 of 6

4 Patching and updating Capacity and performance planning IPR & copyright Protection from Malicious Software & attack Information security policy Backup, archiving and data lifecycle management Disaster recovery Business continuity Security Incident Management Remote access and support 6.4 The information asset administer (IAA) The information asset owner (IAO) shall designate a suitable information asset administer (IAA) who will be responsible for the oversight of day to day operation of the system and ensuring that the requirements of the NHS information governance toolkit are met to an appropriate level. 6.5 The information security manager (ISM) SIRO will ensure there is an appropriately trained and resourced Information Security Manager to support the SIRO, IAO s and IAA s to achieve the required level of Information Security compliance of the information assets assigned to them and the data it contains. The Information Security Manager is responsible for Overarching approach and top level Information Security Policies Technical guidance Assurance Penetration testing and audits Forensic Readiness DR co-ordination Asset register Major incident response 6.6 Line managers Line Managers are responsible for ensuring that any staff members and contractors under their supervision are aware of: The information security policies and procedures applicable in their work areas Their personal responsibilities for information security How to access advice and guidance on information security matters The requirement for information governance training 6.7 Individual System Users Individual system users are responsible for complying with the security requirements in place and ensuring that the confidentiality, integrity and availability of the information they use is maintained. Information security policy Expiry date: 15/04/2019 Version No: 4.0 Page 4 of 6

5 7. Training Basic Information governance training, which includes information security, training is mandatory for all staff The SIRO, IAOs, IAAs, Information governance and senior IM&T Staff are required to pass enhanced training provided by the NHS as part of the Information Governance Toolkit on a annual basis. The Trust's overarching policy for training is the Learning and Development Policy and this should be read in conjunction with this policy. The Learning and Development Policy also describes the Trust's arrangements for training, in particular how there are processes in place to ensure staff receive the training they require and how non-attendance is followed up. These arrangements are further supported by management supervision and appraisal processes. 8. Monitoring and audit Monitoring shall be proactive and designed to highlight issues before an incident occurs, and should consider both positive and negative aspects of any examined process. Compliance with this policy shall be monitored by the Information Security Officer and formally reported to the SIRO quarterly, and shall be assessed annually using the Information Governance Toolkit. Internal Audit shall conduct an annual audit of Information Governance Statement of Compliance and the NHS Operating Framework and report their findings and recommendations to the SIRO. Where failings have been identified, action plans shall be drawn up and changes made to arrangements to reduce the risks. The SIRO shall facilitate the review and update of this policy and supporting IG/IS policies. Information security policy Expiry date: 15/04/2019 Version No: 4.0 Page 5 of 6

6 Version History Version Date Revision description Editor Status /11/2005 Version 1 Information Governance Manager /12/2009 by Quality and Healthcare Committee Company Secretary /11/2012 by the Information Governance Management Group IT Security Specialist /01/2013 by Finance and Planning Committee IT Security Specialist /04/2016 by Finance and Planning Committee 15/ ISTAM Information security policy Expiry date: 15/04/2019 Version No: 4.0 Page 6 of 6