Document No: IG10d
Version: 1.1
Name of Procedure: Third Party Due Diligence Assessment
Author: Lauren Hamill, Information Governance Officer
Release Date:
Review Date:

Version Control (Version / Release Author/Reviewer / Date / Changes (Please identify page no.))
1.0 | L. Hamill | L. Hamill | Full content review. Change of format and name. This document supersedes all previous issues.
Contents (Section / Page)
1. Introduction ... 3
2. Purpose ... 3
3. Scope ... 3
4. Using the Assessment Questionnaire ... 3
Appendix 1 Third Party Due Diligence Questionnaire ... 4
1. Introduction
Information is an important asset for the Trust in order to provide high quality services to patients and service users. In addition to this, the requirement to ensure the confidentiality and security of both staff and patient information under the Data Protection Act 1998 necessitates that the Trust secures personal data to a high level. The Trust is committed to ensuring the security and confidentiality of all personal and confidential information that it holds. So that the Trust is able to do this and to comply with the necessary legal and regulatory requirements, it is essential that we are assured that third party contractors have the necessary processes in place to secure this data.

2. Purpose
The purpose of this procedure and accompanying assessment is to ensure that the Trust consistently meets its Information Governance requirements in relation to third party contracts (both clinical and non-clinical).

3. Scope
The assessment at Appendix 1 should be used when engaging a new Third Party to provide services to the Trust which will involve the transfer of Trust data to the Third Party's premises.

4. Using the Assessment Questionnaire
The assessment questionnaire should be provided to the Third Party for completion by Supplies, Projects or the relevant IAO/IAA, who should ensure that it is completed and approved prior to the transfer of any Trust data. The completed assessment questionnaire will be reviewed and approved by the Information Governance Team and the Information Security Manager. A copy of the signed form will then be returned to the Supplies contact, Projects contact or relevant IAO/IAA as appropriate to confirm approval. The Information Governance Team and/or Information Security Manager may include comments or recommendations and may approve the assessment on the basis that any recommendations are in place prior to the transfer of Trust data.

It is the responsibility of the Supplies contact, Projects contact and/or relevant IAO/IAA as appropriate to ensure that any such recommendations are met by the Third Party. The Third Party access/agreement should also be logged on the relevant IAO's Information Risk Management Tool.
Appendix 1 Third Party Due Diligence Assessment

Organisation Name:
Organisation Address:
Service Provided:

Organisation Contact:
  Name:
  Title:
  Department:
  Telephone:

Information Asset Owner (All systems/assets must have an Information Asset Owner (IAO). IAOs are normally the Assistant Divisional Managers and report to the SIRO):
  Name:
  Title:
  Department / Location:
  Telephone:

Project Manager / Supplies Contact:
  Name:
  Title:
  Department:
  Telephone:

Information Asset Administrator (All systems / assets must have an Information Asset Administrator (IAA) who reports to the IAO as stated above. IAAs are normally System Managers / Project Leads):
  Name:
  Title:
  Department:
  Telephone:

1. INFORMATION PROCESSED ON BEHALF OF THE TRUST
(Columns: Section / Question / Description/Comments)

1.1. GENERAL
- Please describe the data processed by the organisation on behalf of the Trust.
- Does the data consist of sensitive data as per the Data Protection Act? (Yes / No)

1.2. TRANSFER OF DATA TO ORGANISATION
- How is Trust data transferred to the organisation? (Electronic / Hardcopy / Both)
- Please provide details of how Trust data is transferred, e.g. email, fax, courier, removable media etc.
- Please provide details of the security measures in place in relation to the transfer, e.g. encrypted email/removable media, safe haven fax, recorded courier and contracted service etc.

1.3. STORAGE OF TRUST DATA
- How is Trust data stored? (Electronic / Hardcopy / Both)
- If stored electronically, please name the systems on which the data is stored.
- Please provide details of the security measures in place in relation to the storage of Trust data, e.g. locked filing cabinet, network and system security controls etc.

1.4. OUTSOURCING AND OVERSEAS TRANSFERS
- Is any activity involving Trust data or information assets outsourced to another third party? (Yes / No) If so, please provide details including the relationship type (e.g. Data Controller / Data Processor).
- Are any Trust data or information assets transferred outside of the EEA? (Yes / No) If so, what, where and to whom?
- Are any Trust data or information assets transferred outside of the UK? (Yes / No) If so, what, where and to whom?

2. INFORMATION SECURITY GOVERNANCE
(Columns: Section / Question / Yes/No/NA / Description/Comments)

2.1. GENERAL GOVERNANCE
- Does the organisation have a dedicated Information Security Policy? If so, how are all staff made aware of the Information Security Policy?
- Does the organisation have a dedicated Information Security Officer, department, or similar?
- Does the organisation hold any certificates or awards gained for quality, security or business continuity? E.g. BS 9000/9001, BS 7799/ISO 27001, BS. If so, please provide the scope statement for any certificates.
- If a non-NHS organisation, is the organisation registered with the Care Quality Commission (CQC)?
- If an NHS organisation or registered with CQC, please provide details of IG Toolkit compliance level where relevant.

2.2. DPA AND TRAINING & AWARENESS
- Is the organisation registered with the ICO under the Data Protection Act? If so, what is the notification number?
- Do all relevant staff undertake Data Protection and Confidentiality awareness training during induction and at least on an annual basis? If so, please describe.
- Do all relevant staff undertake Information Security awareness training during induction and at least on an annual basis? If so, please describe.
- Are staff in the organisation made aware of the Computer Misuse Act?
- Does the organisation maintain a register of breaches/incidents (including data protection) and if so, how frequently is it analysed?
- Is a response process in place to deal with breaches/incidents? (please describe)
- Has the organisation been subject to any action by the Information Commissioner's Office (including complaints)? If so, please provide details.

2.3. AUDIT
- Is there an internal audit function within the organisation?
- Does the organisation engage external auditors?
- Are information security audits performed to measure compliance with policy? If so, please specify whether these are internal or external audits.

3. PHYSICAL & ENVIRONMENTAL SECURITY
(Columns: Section / Question / Yes/No/NA / Description/Comments)

3.1. GENERAL
- Is the building wholly owned / occupied by the organisation?

3.2. ACCESS TO PREMISES SECURITY
- Is there a formal reception area?
- Are there any other access controls in place? If so, what?
- Is the building manned 24 hours a day, 365 days a year?
- Are the premises protected by security guards?
- Do the security guards man the reception area?
- Do the security guards monitor alarms and CCTV?
- Do the security guards perform night time patrols?
- Do the security guard patrols include the interior of the premises as well as the exterior?

3.3. VISITORS
- Are all visitors required to sign in and out and issued with a visitor's pass during their visit?
- Are all visitors accompanied when in sensitive areas?

3.4. ACCESS CARDS & PIN CODES
- Are access cards issued to all staff?
- Is access restricted according to job role or function?
- Do cards trigger a log entry when used?
- Are any doors protected by PIN codes (without access cards)?

3.5. CLEAR DESK AND SECURE STORAGE
- Does the organisation have a Clear Desk and Screen Policy? If so, are regular checks in place to ensure compliance?
- Are all documents containing Trust, personal or other confidential information locked away when unattended?
- If the organisation is processing large volumes of documents containing Trust, personal or other confidential information, are additional measures in place in the areas where this activity takes place? (please describe)

3.6. CCTV
- Is the building monitored continuously by CCTV both internally and externally?
- Are access points to computer/server rooms monitored by CCTV?
- Is CCTV footage backed up?

3.7. INTRUDER ALARMS
- Do the premises have an intruder alarm system?
- Is the alarm system regularly tested and maintained?
- Is the alarm system linked to an Alarm Receiving Centre (ARC), or does it automatically inform the Police?
- Are all ground access points alarmed (e.g. doors, windows, etc)?

3.8. FIRE ALARMS
- Do the premises have a fire detection and alarm system?
- Is the fire detection and alarm system regularly tested and maintained?
- Is the fire detection and alarm system linked to emergency services, a security organisation or similar?
- Have fire meeting points and fire marshals been established for the premises?

3.9. COMPUTER / SERVER ROOM ACCESS & ENVIRONMENTAL CONTROLS
- Is access to computer / server rooms restricted to named authorised personnel and is all access logged?
- Are computer / server room access privileges reviewed / checked periodically?
- Are access points to computer / server rooms adequately secured? (please describe)
- Are all servers and other IT equipment housed in cabinets?
- If the computer / server room is shared, are all cabinets locked?
- Is computer / server room equipment protected by UPS devices?
- Are UPS devices subject to regular testing and maintenance?
- Have generators been installed?
- Are generators subject to regular testing and maintenance?
- Does the room have dedicated temperature control and air cooling?
- Does the room have a fire detection and suppression system installed?
- If gas suppression is installed, has the integrity of the room been tested?

4. HUMAN RESOURCES SECURITY
(Columns: Section / Question / Yes/No/NA / Description/Comments)

4.1. RECRUITMENT & VETTING
- Does the organisation follow a formal recruitment and vetting procedure for all applicants?
- Does the process include CRB checks for staff processing personal / sensitive information?
- Are previous employment references obtained for all staff?
- Are employee qualifications independently verified?
- Are all such checks completed prior to commencement of employment?
- Is evidence obtained to justify any gaps in employment history of more than 3 months?
- Have all staff signed contracts which cover confidentiality?
- Are the same checks conducted for temporary staff, bank/agency staff and employees of third parties working on behalf of the organisation?
- Is there a process in place to carry out periodic follow-up checks on individuals working in high risk areas / processing personal or sensitive information?
- Does the organisation have procedures in place for revoking access (both physical and electronic) following termination or changes to employment?

4.2. DISCIPLINARY PROCESSES
- Do you have a formal documented disciplinary policy and procedure?

4.3. CLEANERS
- Are cleaners directly employed by the organisation?
- Is cleaning carried out during business hours?
- Are cleaners prevented from accessing secure areas unless accompanied?

5. LOGICAL ACCESS CONTROLS
(Columns: Section / Question / Yes/No/NA / Description/Comments)

5.1. DESKTOP FACILITIES
- Is there a desktop timeout (password protected screensaver) policy?
- Are users required to lock their workstations before leaving them unattended and is this monitored?

5.2. USER IDs AND PASSWORDS
- Is there a dedicated team/person responsible for user access management?
- Are access controls in place to restrict access to certain information, e.g. access levels for particular levels, RBAC (role based access controls)?
- Are unique system credentials, i.e. user IDs and passwords, used to gain access to the network and other systems?
- If so, can access be traced back to an individual and are such logs checked?
- Are parameters in place to enforce strong passwords (i.e. password length and regular changing of passwords)?
- Are passwords issued / disclosed securely to ensure adequate privacy?
- How often are access reviews carried out?

5.3. INTERNET & EMAIL ACCESS
- Is there an Internet and Email Acceptable Usage Policy in place?
- Is the internet restricted or monitored?
- Are staff prevented from downloading non-work related content from the internet (e.g. games, screensavers and personal emails)?

5.4. REMOTE ACCESS
- Is remote access restricted?
- Is remote access encrypted?

5.5. FIREWALLS & ANTIVIRUS
- Are firewalls in place?
- Are firewalls monitored?
- Are appropriate antivirus software measures in place?
- Are they routinely monitored and updated?
- Has penetration testing been carried out within the last 12 months? If so, was this conducted internally or by a third party?
- Have any weaknesses identified by penetration testing been addressed?

6. DATA AND INFORMATION SECURITY
(Columns: Section / Question / Yes/No/NA / Description/Comments)

6.1. INCIDENT MANAGEMENT
- Is there an incident management procedure for reporting, logging and investigating incidents?
- Is there an established procedure to inform customers (including the Trust) of any incidents?

6.2. STORED DATA
- Is/would Trust data be segregated from that of the organisation and other clients?
- Has/would access to Trust data be restricted to only authorised individuals with a specific need to access the data?
- Is/would administration access to any data environment be restricted or controlled?

7. BUSINESS CONTINUITY & DISASTER RECOVERY
(Columns: Section / Question / Yes/No/NA / Description/Comments)

7.1. BACKUPS
- How often are backups performed?
- What is the retention period for backups?
- Are backup tapes stored in a separate fire zone or off-site from production data?
- Is backup data protected to the same level as production data?
- Are backups encrypted?

7.2. BUSINESS CONTINUITY & DISASTER RECOVERY CAPABILITY
- Are there formal Business Continuity and Disaster Recovery Plans in place?
- Have the plans been tested successfully within the last 12 months?

7.3. WEBSITE SECURITY (This section only applies if a website or web service is used in connection with the service provided to the Trust)
- Is a DMZ used to secure the service?
- Has intrusion detection software been installed?
- Has application firewall technology been installed?
- Is the website/service monitored for availability?
- Are documented change-control procedures in place?
- Does the site use SSL certificates?
- Has penetration testing been carried out within the last 12 months and since any material change?
- Have all weaknesses identified by penetration testing been addressed?

Form completed by:
  Name:
  Title:
  Signature:
  Date:

Information Governance Office Approval:
  Comments/Recommendations:
  Name:
  Title:
  Signature:
  Date:

Information Security Manager Approval:
  Comments/Recommendations:
  Name:
  Title:
  Signature:
  Date:
Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.5)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
More informationHIPAA Compliance Evaluation Report
Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations
More informationUnderstanding It s Me 247 Security. A Guide for our Credit Union Clients and Owners
Understanding It s Me 247 Security A Guide for our Credit Union Clients and Owners October 2, 2014 It s Me 247 Security Review CU*Answers is committed to the protection of you and your members. CU*Answers
More informationSupply Chain Security Audit Tool - Warehousing/Distribution
Supply Chain Security Audit Tool - Warehousing/Distribution This audit tool was developed to assist manufacturer clients with the application of the concepts in the Rx-360 Supply Chain Security White Paper:
More informationBKDconnect Security Overview
BKDconnect Security Overview 1 Introduction 1.1 What is BKDconnect 1.2 Site Creation 1.3 Client Authentication and Access 2 Security Design 2.1 Confidentiality 2.1.1 Least Privilege and Role Based Security
More informationSystem Security Plan University of Texas Health Science Center School of Public Health
System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many
More informationInformation Technology Services Guidelines
Page 1 of 10 Table of Contents 1. Purpose... 2 2. Entities Affected by This Guideline... 2 3. Definitions... 2 4. Guidelines... 3 4.1 Requesting Data Center or... 3 4.2 Requirements for Data Center or...
More informationCaedmon College Whitby
Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be
More informationHighland Council Information Security Policy
Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...
More informationNETWORK SECURITY POLICY
NETWORK SECURITY POLICY Version: 0.2 Committee Approved by: Audit Committee Date Approved: 15 th January 2014 Author: Responsible Directorate Information Governance & Security Officer, The Health Informatics
More informationCleveland Police. Data protection audit report. Executive summary November 2014
Cleveland Police Data protection audit report Executive summary November 2014 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act
More informationInformation Technology
Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing
More informationPolicy Document. IT Infrastructure Security Policy
Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT
More informationSOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY
SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY OBJECTIVE To provide users with guidelines for the use of information technology resources provided by Council. SCOPE This policy
More informationHosted Testing and Grading
Hosted Testing and Grading Technical White Paper July 2014 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or
More informationDraft Information Technology Policy
Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software
More informationHealthcareBookings.com Security Set Up
HealthcareBookings.com Security Set Up Introduction... 2 Overview of the process for using HealthcareBookings.com... 2 Professionals... 2 Patients... 3 Passwords... 4 Hosting Security... 4 Overview of
More informationISO 27001 Controls and Objectives
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
More informationInformation Security Assurance Plan 2015/16
Information Security Assurance Plan 2015/16 Policy number: N/A Version 2.0 Approved by Name of author/originator Owner (Exec Director) Date of approval August 2015 Date of last review July 2015 Next due
More informationINFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK
INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire
More informationARTICLE 14 INFORMATION PRIVACY AND SECURITY PROVISIONS
A. This Article is intended to protect the privacy and security of specified County information that Contractor may receive, access, or transmit, under this Agreement. The County information covered under
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationInformation Management Handbook for Schools. Information Management Handbook for Schools London Borough of Barnet
Information Management Handbook for Schools London Borough of Barnet Document Name Document Description Information Management Handbook for Schools This document is intended for use by Barnet Borough Schools.
More informationHuddersfield New College Further Education Corporation
Huddersfield New College Further Education Corporation Card Payments Policy (including information security and refunds) 1.0 Policy Statement Huddersfield New College Finance Office handles sensitive cardholder
More informationGatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria
Gatekeeper PKI Framework ISBN 1 921182 24 5 Department of Finance and Deregulation Australian Government Information Management Office Commonwealth of Australia 2009 This work is copyright. Apart from
More informationInformation Security Policies. Version 6.1
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
More informationWe then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective.
Good Practice Audit outcomes analysis Police Forces April 2013 to April 2014 This report is based on the final audit reports the ICO completed in the Criminal Justice sector, specifically of Police forces,
More information1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...
Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless
More informationINITIAL APPROVAL DATE INITIAL EFFECTIVE DATE
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
More informationOriginator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy. Computer Security Policy
Originator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy Computer Security Policy Contents 1 Scope... 3 2 Governance... 3 3 Physical Security... 3 3.1 Servers... 3 3.2
More informationAcceptable Usage Guidelines. e-governance
Acceptable Usage Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type
More informationSecurity April 2015. Solving the data security challenge with our enhanced private and hybrid cloud services
Security April 2015 Secure cloud solutions with guaranteed UK data sovereignty. Solving the data security challenge with our enhanced private and hybrid cloud services This paper enables discussion around
More information