Security Awareness. A Supplier Guide/Employee Training Pack. May 2011 (updated November 2011)


Contents/Chapters

1. How do I identify a DWP asset
2. Delivering on behalf of DWP - Accessing DWP assets
3. How will I know when and how to protect a DWP asset
4. Consequences of not adequately safeguarding information
5. Office environment and data security (premises)
6. Personnel and security
7. Communications and security
8. Portable media and security
9. Data Protection Act
10. Technical security
11. Security incidents
12. Areas for consideration specific to your organisation

1. How do I identify a DWP asset?

Definition of a DWP data asset: an asset is any information or collection of information that is in the supply chain and processed on behalf of DWP. This can include personal or sensitive data regarding individuals and also policy advice. It can also be software and physical assets such as computers or buildings.

- DWP assets: information and data, electronic or paper-based media, in any form.
- DWP data assets: any personal/sensitive data that DWP collects, stores, uses, transmits or shares with others, and of which it is Data Controller under the Data Protection Act. For example: client records (anything from a name to a National Insurance Number, date of birth, health records, address etc.) and DWP staff data (anything from a name, address, date of birth, health record etc.).
- Physical assets: IT, laptops, mobile phones, machinery or premises.

Protecting these assets also helps to provide personal security for our people and customers.

2. Delivering on behalf of DWP: accessing DWP assets

As an organisation or as an individual you are required to protect the DWP assets you access. Access to assets is protected by law, which includes trespass and, in the case of personal data, the Data Protection Act. You are only allowed to access assets if you have a genuine business reason and agreed authority to do so. You must not provide, share or allow access to DWP assets to anyone who does not possess a right to that asset. By allowing unauthorised access, accessing data without authority yourself, or losing, misusing or enabling misuse of data, you may be in the uncomfortable position of breaking a law.

3. How will I know when and how to protect a DWP asset?

If you are unsure that you have appropriate authority and a genuine business reason to handle an asset, you should seek advice from your manager or supervisor, or from the author or sender of the item.

4. Consequences of not adequately safeguarding information

Customer:
- Stress, distress
- Identity theft
- Financial loss
- Physical harm, e.g. victims of domestic violence

Public/DWP confidence:
- Loss of public/DWP confidence
- Accountability
- Embarrassment
- Theft of commercial information

Personal information:
- Distress at personal details being known, e.g. absence record, staff reports, previous disciplinary information

Misuse of information or failure to follow correct policy may result in disciplinary action and possible dismissal.

5. Office environment and data security (premises)

Keeping you and your office safe: are you aware of your environment and why the security measures in place are important? Working securely means being alert to, though not necessarily suspicious of, all situations that might impact on the business. This includes threats to individuals and premises. Threats to you and your environment can come from a variety of sources.

Controlling access to sites

Allowing unauthorised and unchecked access to sites may allow an intruder to cause damage to the premises, harm individuals or steal valuables. Visitors require access to premises for legitimate business reasons, e.g. clients attending appointments, engineers installing equipment, colleagues attending meetings. Without exception, they must all follow the correct security procedures for that site. Don't let anyone follow you into the office if it is unclear who they are. Wearing a pass and/or name badge at work helps to identify authorised members of staff and to identify and challenge people who should not have access. In addition, the requirement for visitors to sign in helps to avoid unauthorised access. If you are required to enter a code into a digit-lock, do not let anyone else see the code.

Signposts to official assets and individuals

Wearing identity passes away from official premises may alert others to official business being undertaken. Wearing ID away from the office may put an individual at risk and alert others to where they work and live.

Leaving the office

A Clear Desk Policy is not just about clearing everything from your desk.
- Is there anything left on the printer, photocopier or fax machine? Lock papers away before leaving.
- If you are the last to leave, make sure windows and cupboards are locked and the keys are secure.
- Remove paper from faxes to avoid receiving messages when unattended. Switch off faxes, photocopiers and printers where possible.
- Are there any papers, files or information on desks or in post trays?
- Are all cabinets and cupboards locked, and are keys removed and stored safely?

6. Personnel and security

What should be your personnel security objective? To protect personal and sensitive personal data from accidental or deliberate loss or misuse, and to ensure that staff are aware of and compliant with DWP policies and requirements with regard to correctly handling data.

Covering:
- Staff vetting
- Contractual obligations
- Training, induction and ongoing refresher training
- Confidentiality
- Legal obligations
- Disciplinary process

Personnel and security: key messages

- Staff vetting: as a Government Department, DWP must satisfy Cabinet Office requirements, including the need for staff vetting before being allowed access to data assets, and this extends to DWP suppliers. Therefore all supplier staff are required to go through the following security checks before handling DWP data: identity, employment history, nationality, immigration status and a criminal records check.
- Training, induction and ongoing refresher training: based on a DWP requirement, on induction to the company and prior to handling DWP data you should have received security training (of which this slide pack may be part). You will be required to attend refresher training on a regular basis during your employment.
- Confidentiality: all suppliers are required to sign a confidentiality agreement as part of the DWP contract.
- Contractual obligations: depending on the contract, you may have been asked to sign an individual confidentiality agreement, or it may form part of your contract of employment.
- Legal obligations: you must be aware of your legal obligations when handling any data. They include the Data Protection Act, access rights, the Computer Misuse Act and the Freedom of Information Act. More information is available on the Cabinet Office website.
- Disciplinary procedures: it is important to understand that if any misuse, disclosure or loss of data occurs, this could lead to disciplinary action.

7. Communications and security

What should be your communications management objective? To ensure the integrity and availability of DWP data and reduce security risks to DWP data, using media which must be controlled and comply with all applicable legal requirements.

Covering:
- Accessing information and systems
- Unauthorised access to your account
- General password information
- Sending information by email
- Transferring hard-copy data by post
- Stop and think

Communications and security: accessing information and systems

We all have bank cards to access our money and buy goods. Think about how you look after your bank cards: where do you store them? Where do you keep your PIN? Is it easy to guess, for example your birthday? At the office we use passwords to manage access to information and the tools we need to do our jobs. Much of the information that is held has great value not only to our customers, but to someone who may want to steal it. How do you store valuable documents, e.g. passports, birth certificates and bank statements? Are they in a safe place and somewhere you can always find them? Think about how you dispose of letters containing your name, address and personal details: how careful are you in ensuring that your identity and finances are protected? It is just as important that you take care of other people's information at work.

Unauthorised access to your account

In most organisations it is likely that when you log into your PC, your account can be used to access any of the systems you are authorised to use. Therefore any unauthorised actions would be logged against you: private and confidential information could be viewed, your account could be used to send inappropriate emails, or someone could access inappropriate Internet sites. Access to applications and information is controlled to protect you and our organisation.

General password information

Your password:
- must be known only to you and should not be easily guessed;
- must not be shared;
- should contain a combination of upper and lower case letters;
- must not consist of characters that are all the same, or a sequence of letters or numbers, e.g. ABCDE;
- should avoid anything obvious like "password" or "welcome".

If you think someone knows your password then change it immediately. If you need to write it down, make sure that you keep the note secure and try to disguise it so that it does not look like a password.
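The password rules above can be enforced mechanically at the point where a password is set. The checker below is an added example, not part of the training pack or any DWP system; the minimum length, the run length of four that counts as "all the same" or "a sequence", and the two-word obvious-word list are assumptions made for this example.

```python
"""Password policy checker for the rules listed in the training pack (added example)."""

from typing import List

# The pack names "password" and "welcome" as obvious words; this short list is
# constructed for the example. A real deployment would substitute a large
# breached-password list.
OBVIOUS_WORDS = ("password", "welcome")

# The pack states no minimum length; 8 is an assumption for this example.
MIN_LENGTH = 8

# Runs of this many identical characters (e.g. 1111) or consecutive characters
# (e.g. ABCDE, 1234, dcba) are treated as the "all the same" / "sequence"
# patterns the pack forbids. Four is an assumption.
RUN_LENGTH = 4


def longest_run(pw: str, step: int) -> int:
    """Length of the longest run in which each character's code point differs
    from the previous one by exactly `step`.

    step = 0  -> repeated characters (aaaa)
    step = 1  -> ascending sequence (abcd, 1234)
    step = -1 -> descending sequence (dcba, 4321)
    """
    if not pw:
        return 0
    best = cur = 1
    for prev, ch in zip(pw, pw[1:]):
        if ord(ch) - ord(prev) == step:
            cur += 1
            best = max(best, cur)
        else:
            cur = 1
    return best


def check_password(pw: str) -> List[str]:
    """Return the list of policy rules the password breaks; empty means it passes."""
    problems: List[str] = []

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # "should contain a combination of upper and lower case letters"
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("must contain both upper and lower case letters")

    # "must not consist of characters that are all the same"
    if longest_run(pw, 0) >= RUN_LENGTH:
        problems.append("contains a run of identical characters")

    # "... or a sequence of letters or numbers, e.g. ABCDE"
    if longest_run(pw, 1) >= RUN_LENGTH or longest_run(pw, -1) >= RUN_LENGTH:
        problems.append("contains a sequence of letters or numbers (e.g. ABCDE, 1234)")

    # "avoid anything obvious like password or welcome" (case-insensitive,
    # anywhere in the password, so Welcome123 is still rejected)
    lowered = pw.lower()
    for word in OBVIOUS_WORDS:
        if word in lowered:
            problems.append(f"contains the obvious word '{word}'")
            break

    return problems


if __name__ == "__main__":
    # Constructed sample passwords for demonstration.
    for candidate in ("ABCDE", "Welcome123", "aaaa1111", "Tr4vel-Bl0ck!"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```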

Sending information by email

There are some occasions where we can safely respond to an email by email, for example:
- where an email from a customer or member of staff is asking for a simple action or confirmation (e.g. "Have you received my claim form?", "Could you confirm the date of my appointment?");
- where a customer or member of staff is, for example, complaining about a generic issue (e.g. "I could not get through on the telephone", "I could not find anyone to answer my query").

At the same time, we need to observe some basic rules:
- We should not, under any circumstances, disclose or confirm in an email details of customers' addresses, National Insurance Numbers or bank accounts, or information that is already known to them.
- We should never give out multiple customer details in a single reply.
- Above all, if an incoming email looks odd or doesn't ring true, we should seek to verify the sender's details by contacting them using details already held (rather than those provided in the email), or seek further authentication before sending a substantive reply. If doubts remain, we should reply by ordinary post to the person's recorded home address.

Transferring hard-copy DWP data by post: key messages

- Always use a Fully Tracked Service when sending DWP personal data of about 50 or more individuals together (in the same envelope).
- A Fully Tracked Service should be used as standard for DWP items going to/from storage/archiving facilities.
- A Fully Tracked Service should also be used for smaller numbers of more sensitive personal DWP data, i.e. transfers containing a name along with, for example, National Insurance Number, health records, financial records, work history, personal email etc. (20 or more items).
- All staff must ensure that correct courier or postal addresses are used. It is the sender's responsibility to consider the scale and sensitivity of the information that is being sent, and whether additional security (i.e. using a Fully Tracked Service) is required.
- If incorrectly addressed DWP mail is received, you must ensure appropriate care is taken to safeguard the package until the correct recipient is known. The package should then be sent on using a similar fully tracked service. This approach will avoid any risk to the DWP personal/sensitive data that may be contained within the package.

Social networking

When posting information or personal comments online, or considering any television appearances or other media such as newspaper articles, staff must:
- not disclose any knowledge or official information, make commitments or engage in activities on behalf of the Department unless authorised to do so;
- not represent the Department when expressing personal opinions;
- seek permission before taking part in any media activity that may identify you as delivering a contract on behalf of the Department;
- not pass official information on or make it available to any person (e.g. newspapers or journalists), or give interviews about the Department, without appropriate authorisation;
- understand that such unauthorised disclosure of information is very serious and disciplinary action will be taken for failing to comply.

Stop and think!

- Do you have the authority to send the information?
- Does the recipient have the authority to receive it?
- Do you need to send the information? Is there a different way of dealing with it?
- Only send the bare minimum to satisfy the request for information, and remove any information that is not required to answer the query.
- What are your options for sending the information? What are the options for sending it electronically, by post or by courier, and what are the restrictions on these?
- What is the likelihood that the information will go astray?
- What is the potential damage or embarrassment?
- What would be the impact on you/your employer?

8. Portable media and security

Definition: portable media includes laptops and memory sticks (USB), but can also include BlackBerrys, palmtops, personal digital assistants, electronic diaries and organisers, as well as mobile phones and smartphones etc. It could also be any media containing DWP personal data, such as hard-copy paper.

What should be your portable media objective? To ensure that equipment, systems and services containing personal and sensitive personal data are protected from unauthorised access, theft, interference or damage.

Covering:
- Travelling
- Working off site, including outreach working

Portable media and security: travelling

Train journeys are often used as time to get some work done. If you are working on the train, make sure that you cannot be overlooked or overheard. Many mobile phones have cameras and voice recording facilities, so take care what can be seen and heard by others. Never leave any equipment (i.e. laptops, phones, encrypted memory sticks) or paperwork unattended. If you need to leave anything in a car, it must be kept out of sight and locked away in the boot. Don't leave any equipment in an unattended vehicle overnight. Only authorised, encrypted removable media provided by your employer should be used.

Portable media and security: working off site

It is important to get approval from your line manager to take official documents out of the office. Only take with you what you need to do the job. Make sure the information is kept secure and away from prying eyes. It may be necessary to take work out of the office, for example when visiting customers or outside organisations. Authorisation should be given by your line manager if you need to take sensitive documents out of the office. You should always consider the most secure method of working and take extra precautions when outside your office; for example, only take what you need to do your job.

9. Data Protection Act: Data Controller / Data Processor definitions

Important definitions that you need to be aware of under the Data Protection Act are as follows:
- Personal data: as per the Data Protection Act 1998, data which relates to a living individual who can be identified from the data, or from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller. This includes information available publicly, such as name, address (home or office), postcode, telephone number, date of birth and driving licence number.
- Sensitive personal data: as per the Data Protection Act 1998, this is as personal data but would also concern the data subject's race, ethnicity, politics, religion, trade union status, health, sex life or criminal record. Equally, sensitive information (i.e. National Insurance Number, health, finance, work history, personal address) linked to any personal data would be classed as sensitive personal data under Cabinet Office guidelines.
- Data Controller: as per the Data Protection Act 1998, the person who is responsible for controlling the information and who can authorise or deny access to certain data. They determine the purposes for which, and the manner in which, any personal data is processed. This would usually be DWP.
- Data Processor: as per the Data Protection Act 1998, the person who processes the data on behalf of the data controller; this is usually the supplier.

8 Principles of Data Protection

If you handle personal information about living individuals, you have a number of legal obligations to protect that information under the Data Protection Act 1998, which make sure personal information is:

1) Fairly and lawfully processed:
- Have legitimate grounds for collecting and using the personal data;
- Do not use the data in ways that have unjustified adverse effects on the individuals concerned;
- Be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
- Handle people's personal data only in ways they would reasonably expect; and
- Make sure you do not do anything unlawful with the data.

2) Processed for limited purposes:
- Be clear from the outset about why you are collecting personal data and what you intend to do with it;
- Comply with the Act's fair processing requirements, including the duty to give privacy notices to individuals when collecting their personal data;
- Comply with what the Act says about notifying the Information Commissioner; and
- Ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

3) Adequate, relevant and not excessive:
- You hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual; and
- You do not hold more information than you need for that purpose.
- You should identify the minimum amount of personal data you need to properly fulfil your purpose. You should hold that much information, but no more. This is part of the practice known as data minimisation.

4) Accurate and up to date:
- Take reasonable steps to ensure the accuracy of any personal data you obtain;
- Ensure that the source of any personal data is clear;
- Carefully consider whether it is necessary to update the information.

8 Principles of Data Protection (continued)

5) Not kept for longer than is necessary:
- Review the length of time you keep personal data;
- Consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- Securely delete information that is no longer needed for this purpose or these purposes; and
- Update, archive or securely delete information if it goes out of date.

6) Processed in line with your rights:
- A right of access to a copy of the information comprised in their personal data;
- A right to object to processing that is likely to cause, or is causing, damage or distress;
- A right to prevent processing for direct marketing;
- A right to object to decisions being taken by automated means;
- A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
- A right to claim compensation for damages caused by a breach of the Act.

7) Secure:
- Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- Be clear about who in your organisation is responsible for information security;
- Make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- Be ready to respond to any breach of security swiftly and effectively.

8) Not transferred to other countries without adequate protection:
- Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

10. Technical security

- IT administrator access: user access controls are in place to monitor access to DWP data, ensuring access is granted to and removed from suppliers' personnel as the job role demands. All actions performed by suppliers' staff must be traceable to the users who process/handle DWP data. Users should be aware that their actions are recorded and that all incidents will be investigated and action taken.
- Encryption: suppliers should have procedures in place for the use of encryption.
- Your IT department or IT delivery partner will be able to advise on further technical aspects of the systems you use, e.g. malware, antivirus etc.

11. Security incidents

An incident can be described as any activity that causes, or could potentially affect, the availability, confidentiality or integrity of the physical or electronic information assets of the Data Controller/Processor. Examples are unauthorised disclosure or transfer of information, loss of data (i.e. paper records or a laptop/USB stick) or misuse of information. This can have very serious consequences for both the individuals concerned and your organisation. The following examples can lead to the fraudulent use of a customer's or colleague's identity and also damage the reputation of your organisation. Identity theft can cause upset and anxiety for the individual concerned, and it can be a long process to rectify the fraudulent activity that has taken place. Reputational damage is very difficult to overcome, and this can cause financial loss to your organisation through loss of confidence and competitive advantage.

Public/DWP confidence:
- Loss of public/DWP confidence
- Accountability
- Embarrassment
- Theft of commercial information

Customer:
- Stress, distress
- Identity theft
- Financial loss
- Physical harm, e.g. victims of domestic violence

Personal information:
- Distress at personal details being known, e.g. absence record, staff reports, previous disciplinary information

Security incident examples

- Lost/stolen laptops: if not stored securely, the loss of a laptop through theft or misplacement can lead to significant data loss. Laptops must be encrypted, as in the event of a loss the data stored on the device will then remain secure and the loss will be limited to the cost of a new laptop alone.
- Lost/incorrectly addressed post: this can seem quite a minor incident in the scheme of things. However, if the information goes to the wrong address or is sent using an unsuitable postal method, this can lead to a severe data loss. Although hard-copy records are less likely to contain the same volume of data as a laptop, the consequences can be similar and just as damaging to individuals and your organisation. When post is received it is important to ensure the recipient details are correct. If incorrectly addressed mail is received, you must ensure appropriate care is taken to safeguard the package until the correct recipient is known. Once the intended recipient has been confirmed, the package should be sent on using a similar fully tracked service. This approach will avoid any risk to the personal/sensitive data that may be contained within the package.
- Lost/stolen memory sticks: USB devices have the capacity to store thousands of records and can easily be stolen or misplaced if adequate care is not taken to ensure they are securely encrypted and housed.
- Break-ins: other than the obvious costs resulting from the theft of valuable IT equipment, there are other issues to consider following unauthorised access to your building. If customer data is not securely stored within the building, i.e. in a locked room and within a locked filing cabinet, the perpetrator could have access to highly sensitive and valuable records. If stolen, these records can be used to steal an individual's identity and commit fraud. It is vital that any documents containing personal/sensitive information are not left on desks, on printers or in unlocked drawers overnight.

12. Areas for consideration specific to your organisation

- Do you know who is responsible for data security in your organisation? DWP requires all organisations delivering on its behalf to have an agreed and documented policy on data assurance (security) and data privacy, including compliance with the Data Protection Act. Good governance makes it clear who is responsible and accountable for the protection of all sensitive data.
- Are you aware of the policies relating to data security, and where to find them?
- Do you regularly receive updates on data security, through training, communications/intranet, team meetings etc.?
- Does your organisation have a whistle-blowing policy?
- Are you aware that you need to raise any incidents within your line management chain, and potentially directly with your data security named responsible officer? Your company is required to have a defined reporting route and you should know how to react. Do you?


More information

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,

More information

Data Protection Guidance

Data Protection Guidance 53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection

More information

Photography and filming in schools Code of Practice

Photography and filming in schools Code of Practice Photography and filming in schools Code of Practice Data Protection compliance September 2010 Photography and filming in schools September 2010 1 Contents 1. About this code 3 2. Complying with the Data

More information

SENIORS ONLINE SECURITY

SENIORS ONLINE SECURITY SENIORS ONLINE SECURITY Seniors Online Security Five Distinct Areas Computer security Identity crime Social networking Fraudulent emails Internet banking 1 Computer security 2 There are several ways that

More information

Data Transfer Policy. Data Transfer Policy London Borough of Barnet

Data Transfer Policy. Data Transfer Policy London Borough of Barnet Data Transfer Policy Data Transfer Policy London Borough of Barnet Document Control POLICY NAME Data Transfer Policy Document Description Policy surrounding data transfers (electronic and paper based).

More information

A Guide to Information Technology Security in Trinity College Dublin

A Guide to Information Technology Security in Trinity College Dublin A Guide to Information Technology Security in Trinity College Dublin Produced by The IT Security Officer & Training and Publications 2003 Web Address: www.tcd.ie/itsecurity Email: ITSecurity@tcd.ie 1 2

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

Data and Information Security Policy

Data and Information Security Policy St. Giles School Inspire and achieve through creativity School Policy for: Date: February 2014 Data and Information Security Policy Legislation: Policy lead(s) The Data Protection Act 1998 (with consideration

More information

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data Data Protection and Information Data - Guidelines for the use of Personal Data Page 1 of 10 Created on: 21/06/2013 Contents 1. Introduction... 3 2. Definitions... 3 4. Physical... 4 5 Electronic... 6 6

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Career Connection, Inc. Data Privacy. Bringing Talent Together With Opportunity

Career Connection, Inc. Data Privacy. Bringing Talent Together With Opportunity Career Connection, Inc. Data Privacy Objectives This course is intended for CCI employees. The course gives guidance on data privacy concepts and describes how data privacy is relevant when delivering

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection

More information

SHS Annual Information Security Training

SHS Annual Information Security Training SHS Annual Information Security Training Information Security: What is It? The mission of the SHS Information Security Program is to Protect Valuable SHS Resources Information Security is Everyone s Responsibility

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

Ixion Group Policy & Procedure. Remote Working

Ixion Group Policy & Procedure. Remote Working Ixion Group Policy & Procedure Remote Working Policy Statement The Ixion Group (Ixion) provide laptops and other mobile technology to employees who have a business requirement to work away from Ixion premises

More information

NC DPH: Computer Security Basic Awareness Training

NC DPH: Computer Security Basic Awareness Training NC DPH: Computer Security Basic Awareness Training Introduction and Training Objective Our roles in the Division of Public Health (DPH) require us to utilize our computer resources in a manner that protects

More information

BERKELEY COLLEGE DATA SECURITY POLICY

BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data

More information

National Cyber Security Month 2015: Daily Security Awareness Tips

National Cyber Security Month 2015: Daily Security Awareness Tips National Cyber Security Month 2015: Daily Security Awareness Tips October 1 New Threats Are Constantly Being Developed. Protect Your Home Computer and Personal Devices by Automatically Installing OS Updates.

More information

IT Security DO s and DON Ts

IT Security DO s and DON Ts For more advice contact: IT Service Centre T: (01332) 59 1234 E: ITServiceCentre@derby.ac.uk Online: http://itservicecentre.derby.ac.uk Version: February 2014 www.derby.ac.uk/its IT Security DO s and DON

More information

BARNSLEY CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLICY

BARNSLEY CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLICY Putting Barnsley People First BARNSLE CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLIC Version: 2.0 Approved By: Governing Body Date Approved: Feb 2014 (initial approval), March

More information

Portable Devices and Removable Media Acceptable Use Policy v1.0

Portable Devices and Removable Media Acceptable Use Policy v1.0 Portable Devices and Removable Media Acceptable Use Policy v1.0 Organisation Title Creator Oxford Brookes University Portable Devices and Removable Media Acceptable Use Policy Information Security Working

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Policy: Remote Working and Mobile Devices Policy

Policy: Remote Working and Mobile Devices Policy Policy: Remote Working and Mobile Devices Policy Exec Director lead Author/ lead Feedback on implementation to Clive Clarke SHSC Information Manager SHSC Information Manager Date of draft 16 February 2014

More information

Acceptable Use of Information Systems Standard. Guidance for all staff

Acceptable Use of Information Systems Standard. Guidance for all staff Acceptable Use of Information Systems Standard Guidance for all staff 2 Equipment security and passwords You are responsible for the security of the equipment allocated to, or used by you, and must not

More information

Information Management Handbook for Schools. Information Management Handbook for Schools London Borough of Barnet

Information Management Handbook for Schools. Information Management Handbook for Schools London Borough of Barnet Information Management Handbook for Schools London Borough of Barnet Document Name Document Description Information Management Handbook for Schools This document is intended for use by Barnet Borough Schools.

More information

School policies and Security Risks

School policies and Security Risks 1) Introduction a) The school expects its computer and telephone systems to be used in a professional manner at all times. The school provides these facilities at its expense for its own business purposes.

More information

Information Security Incident Reporting & Investigation

Information Security Incident Reporting & Investigation Information Security Incident Reporting & Investigation Purpose: To ensure all employees, consultants, agency workers and volunteers are able to recognise an information security incident and know how

More information

This factsheet is for: Senior management of small firms that handle, store or dispose of customers personal data in the course of their business.

This factsheet is for: Senior management of small firms that handle, store or dispose of customers personal data in the course of their business. FSA factsheet for All firms This factsheet is for: Senior management of small firms that handle, store or dispose of customers personal data in the course of their business. It explains: What you should

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Data protection. Report on the data protection guidance we gave schools in 2012

Data protection. Report on the data protection guidance we gave schools in 2012 Data protection Report on the data protection guidance we gave schools in 2012 Contents 1. Background 2. Summary of recommendations 3. tification 4. Personal data 5. Fair processing 6. Information security

More information

DSHS CA Security For Providers

DSHS CA Security For Providers DSHS CA Security For Providers Pablo F Matute DSHS Children's Information Security Officer 7/21/2015 1 Data Categories: An Overview All DSHS-owned data falls into one of four categories: Category 1 - Public

More information

Burton Hospitals NHS Foundation Trust. On: 16 January 2014. Review Date: December 2015. Corporate / Directorate. Department Responsible for Review:

Burton Hospitals NHS Foundation Trust. On: 16 January 2014. Review Date: December 2015. Corporate / Directorate. Department Responsible for Review: POLICY DOCUMENT Burton Hospitals NHS Foundation Trust INFORMATION SECURITY POLICY Approved by: Executive Management Team On: 16 January 2014 Review Date: December 2015 Corporate / Directorate Clinical

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Information and Resources for Small Medical Offices Introduction The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario s health-specific

More information

Personal Data Protection Policy

Personal Data Protection Policy Personal Data Protection Policy Please take a moment to read the following Policy. If there is anything you do not understand then please contact us. We are committed to protecting privacy. This Personal

More information

Acceptable Use of Information Systems Policy

Acceptable Use of Information Systems Policy Information Governance & Management Framework Acceptable Use of Information Systems Policy Version 1.3 Produced by: Customer Services & Business Transformation Inverclyde Council Municipal Buildings GREENOCK

More information

Incident reporting procedure

Incident reporting procedure Incident reporting procedure Responsible Officer Author Date effective from Aug 2009 Date last amended Aug 2009 Review date July 2012 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance

More information

Identity Theft Prevention Program Compliance Model

Identity Theft Prevention Program Compliance Model September 29, 2008 State Rural Water Association Identity Theft Prevention Program Compliance Model Contact your State Rural Water Association www.nrwa.org Ed Thomas, Senior Environmental Engineer All

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

HIPPA Goes HITECH. Data Protection for Agents

HIPPA Goes HITECH. Data Protection for Agents HIPPA Goes HITECH Data Protection for Agents For agent information only. this material should not be distributed to the public or used in any solicitation. 13-0127 Course objectives Agents will be able

More information

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level

More information

Administrative Procedures Memorandum A1452

Administrative Procedures Memorandum A1452 Page 1 of 11 Date of Issue February 2, 2010 Original Date of Issue Subject References February 2, 2010 PRIVACY BREACH PROTOCOL Policy 2197 Management of Personal Information APM 1450 Management of Personal

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY

INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY Information Management & Technology Security Policy INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY POLICY NO IM&T 003 DATE RATIFIED October 2010 NEXT REVIEW DATE October 2013 POLICY STATEMENT/KEY

More information

Information Security Policy for Associates and Contractors

Information Security Policy for Associates and Contractors Policy for Associates and Contractors Version: 1.12 Status: Issued Date: 30 July 2015 Reference: 61418080 Location: Livelink Review cycle: Annual Contents Introduction... 3 Purpose... 3 Scope... 3 Responsibilities...

More information

Data Protection and Data security Policy

Data Protection and Data security Policy Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us

More information

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful

More information

Physical Security Policy

Physical Security Policy Physical Security Policy Author: Policy & Strategy Team Version: 0.8 Date: January 2008 Version 0.8 Page 1 of 7 Document Control Information Document ID Document title Sefton Council Physical Security

More information

Information Security Code of Conduct

Information Security Code of Conduct Information Security Code of Conduct IT s up to us >Passwords > Anti-Virus > Security Locks >Email & Internet >Software >Aon Information >Data Protection >ID Badges > Contents Aon Information Security

More information

PS177 Remote Working Policy

PS177 Remote Working Policy PS177 Remote Working Policy January 2014 Version 2.0 Statement of Legislative Compliance This document has been drafted to comply with the general and specific duties in the Equality Act 2010; Data Protection

More information

Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3

Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3 Paper 9 Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3 Please ensure that all THREE pages of this contract are returned to: Information Governance Manager, Health Informatics, Chertsey House, St Peter

More information

Road to Recovery Fact Sheet

Road to Recovery Fact Sheet Road to Recovery Fact Sheet What is the American Cancer Society s Road to Recovery program? Road to Recovery is an American Cancer Society program designed to ensure that cancer patients have transportation

More information

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014 HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

Data Transfer Policy London Borough of Barnet

Data Transfer Policy London Borough of Barnet London Borough of Barnet DATA PROTECTION 11 Document Control Document Description Data Transfer Policy Version v.2 Date Created December 2010 Status Authorisation Name Signature Date Prepared By: IS Checked

More information

Payment Card Industry Data Security Standard PCI DSS

Payment Card Industry Data Security Standard PCI DSS Payment Card Industry Data Security Standard PCI DSS What is PCI DSS? Requirements developed by the five card brands: VISA, Mastercard, AMEX, JCB and Discover. Their aim was to put together a common set

More information

Information governance

Information governance Information governance Staff handbook RDaSH 88 02 Information governance Introduction to information governance Overview 88 03 Information governance or IG - includes information security and confidentiality,

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes

More information

The Ministry of Information & Communication Technology MICT

The Ministry of Information & Communication Technology MICT The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.

More information

Everyone in the workplace has a legal duty to protect the privacy of information about individuals. AEP/BELB/LJ/2010 Awareness Session

Everyone in the workplace has a legal duty to protect the privacy of information about individuals. AEP/BELB/LJ/2010 Awareness Session Everyone in the workplace has a legal duty to protect the privacy of information about individuals AEP/BELB/LJ/2010 Awareness Session During 2007 alone, 36,989,300 people in the UK have had their private

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

Originator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy. Computer Security Policy

Originator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy. Computer Security Policy Originator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy Computer Security Policy Contents 1 Scope... 3 2 Governance... 3 3 Physical Security... 3 3.1 Servers... 3 3.2

More information

Little Marlow Parish Council Registration Number for ICO Z3112320

Little Marlow Parish Council Registration Number for ICO Z3112320 Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Cellular/Smart Phone Use Procedure

Cellular/Smart Phone Use Procedure Number 1. Purpose This procedure is performed as a means of ensuring the safe and efficient use of cell/smart phones throughout West Coast District Health Board (WCDHB) facilities. 2. Application This

More information

2014 Core Training 1

2014 Core Training 1 2014 Core Training 1 Course Agenda Review of Key Privacy Laws/Regulations: Federal HIPAA/HITECH regulations State privacy laws Privacy & Security Policies & Procedures Huntsville Hospital Health System

More information

PROGRAM TO PREVENT, DETECT & MITIGATE IDENTITY THEFT

PROGRAM TO PREVENT, DETECT & MITIGATE IDENTITY THEFT Office of Employee Benefits Administrative Manual PROGRAM TO PREVENT, DETECT & MITIGATE IDENTITY THEFT 150 EFFECTIVE DATE: AUGUST 1, 2009 REVISION DATE: PURPOSE: Ensure that the Office of Employee Benefits

More information

DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008

DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008 DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008 This model has been designed to help water and wastewater utilities comply with the Federal Trade Commission s (FTC)

More information

Angard Acceptable Use Policy

Angard Acceptable Use Policy Angard Acceptable Use Policy Angard Staffing employees who are placed on assignments with Royal Mail will have access to a range of IT systems and mobile devices such as laptops and personal digital assistants

More information

Information Governance

Information Governance Information Governance Information for Patients Information Governance (IG) Contents: Identifying the IG Lead for the Practice. This identifies the main people responsible for Information Governance Policy.

More information

School Information Security Policy

School Information Security Policy School Information Security Policy Created By: Newport Education Service Date Created: 22 December 2009 Version: V1.0 Contents Background... 3 IT Infrastructure... 3 IT Access... 3 Acceptable use policy...

More information