Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25

Information Security Policy

Document Information

Trust Policy Number: ULH-IM&T-ISP01
Version: 3.1
Status: Approved
Issued by: Information Governance Manager
Issued date: 31 March 07
Approved by: Executive Team
Date of approval: 1 September 2003
Date of review: 1 April 2011

Change Control

Previous Versions: 2.0
Changes:
Additions: Reissue
Modifications: Section 5
Deletions:
Date of issue: 2 September 2003
Review date: 26 March 2008

Referenced Documents: See Appendix 1

Relevant Legislation:

- Data Protection Act (1988)
- Copyright and Design Patents Act (1988)
- Computer Misuse Act (1990)
- Human Rights Act (1988)
- Freedom of Information Act (2000)
- Telecommunications Regulations (2000)
- Investigatory Powers Act (2000)

Relevant Standards:

- Caldicott Report (1988)
- BS7799-2:2000
- NHS Statement of Compliance

Table of Contents

1. Introduction
- Purpose
- Objectives
- Scope
- Code of Practice for Information Security Management
- Information Security Management System
- Legal Compliance
- Retention of Records
- Information Governance

2. Security Principles
- Policy Statement
- EIS Security Policy Principles
- MIS Security Policy Principles
- General Principles
- Caldicott Principles
- Patient Identifiable Information
- Safe Havens
- Sharing Information with Partner Organisations
- Sharing Information with Non-partner Organisations
- Sharing Information Internally

3. Communications
- Policy Statement
- Network Security
- Home-working
- Telephone Security
- Internet
- Monitoring
- Postal Communications
- Verbal Communications
- Fax Security

4. Quality Control and Data Validation
- Policy Statement
- Data Input
- Validation

5. Security Responsibilities
- Overall responsibility
- Associate Director of ICT Ops
- Information Security Manager
- Data Protection Officer
- Caldicott Guardian
- ICT Ops
- Accreditation Authority
- Information Governance Board
- Director of Facilities
- Line Managers
- General Responsibilities
- Project Board

Appendices:
1. References
2. Glossary of Terms
3. Guidance for Staff

1. Introduction

1.1 Purpose

This document defines the Information Security Policy for the United Lincolnshire Hospitals Trust (ULHT). The purpose of this policy is to recognise the security threats to information and to provide a management framework for reducing the likelihood of security incidents. It provides high level guidance on ensuring the confidentiality, integrity and availability of information. Specific procedures flowing from the guidance will be amplified in supporting policies as required.

This document:

- Sets out the organisation's policy for the protection of its information assets; that is information in all its forms, electronic information systems (EIS) including PCs, networks and applications and paper based manual information systems (MIS).
- Establishes the security responsibilities for information security.
- Provides reference to the documentation, which comprises the Information Security Management System (ISMS).

1.2 Objectives

The objectives of this policy are:

- To ensure the security of the Trust's information assets:
  - To ensure Availability, that is to ensure that assets are available as and when required, adhering to the organisation's business objectives.
  - To preserve Integrity, that is to protect assets from unauthorised or accidental modification, ensuring the accuracy and completeness of the organisation's assets.
  - To preserve Confidentiality, that is to protect assets against unauthorised disclosure.
- To provide the means to ensure that the Trust complies with legislation and directives regarding the security of information.

This policy aims to ensure that its information systems are properly assessed for security and that confidentiality, integrity and availability of information is maintained; staff are fully aware of their responsibilities, roles and accountability, and procedures are in place to detect and resolve security breaches.

Where systems are managed by third parties, it is the Trust's responsibility to ensure that the information systems are managed in line with this policy.

1.3 Scope

This policy relates to information held in both manual and electronic form. The policy applies to all full-time and part-time employees of the Trust, non-executive directors, contracted third parties (including agency staff), students/trainees, secondees and other staff on placement with the Trust and staff of partner organisations with approved access.

It applies to the provision, maintenance, support and use of EIS systems, including information systems, networks and applications, in support of the following business processes:

- All Clinical support: Diagnostic data, patient care information, central patient records, clinical support and administration information.
- All Corporate support: Organisational information - desktop services including email, web access and office applications. Staff related information.

1.4 Code(s) of Practice for Information Security Management

United Lincolnshire Hospitals Trust has adopted and will comply with the following standards:

- BS ISO/IEC 27001, British Standards for Information Security.
- NHS Code of Practice for Information Security Management.

All employees of ULHT are required to comply with these standards which will be outlined through the Information Security Policy and procedural document sets.

1.5 Information Security Management System

The ULHT Board is fully committed to the goals and principles of information security. To manage information security effectively within the organisation a security management system will be developed to provide a framework for information security.

Owners will be identified for specific information systems and, where appropriate, specific datasets. These owners will work with the Caldicott Guardian to determine appropriate data sharing protocols, access protocols and appropriate security practices and procedures.

There are a number of activities required in developing the overall ISMS:

- Policy definition.
- Determine Information Assets and document in a register.
- Risk assessment, identifying threats, vulnerabilities and impacts.
- Select appropriate controls & implement, developing procedure and process related documentation.
- Produce applicability statement and combine documentation for formal accreditation to standard (ISO17799).

[Figure: ISMS (Information Security Management System) components: Information Security Policy; Information Asset Register; Risk Assessment Report; Statement of Applicability; ISMS supporting policy/procedures & those integrated/supported with other policy areas.]

1.6 Legal Compliance

United Lincolnshire Hospitals Trust and its employees have a legal responsibility to implement, manage and maintain security and confidentiality under the following legislation:

- Data Protection Act (1998).
- Computer Misuse Act (1990).
- Copyright Design and Patents Act (1988).
- Criminal and Public Orders Act (1994).
- Human Rights Act (1998).
- Telecommunications Regulations (2000).
- Regulation of Investigatory Powers Act (2000).

This policy describes the way in which information should be managed, in particular, the way in which personal or sensitive information should be protected.

In addition to the above, other legislation can impact upon the way in which we should use personal information. This includes:

- Public Interest Disclosure Act
- Access to Health Records Act (1990).
- Audit & Internal Control Act
- Public Health (Code of Practice) Act
- NHS (VD) Regulations
- National Health Service Act
- Human Fertilisation & Embryology Act
- Abortion Regulations
- The Terrorism Act
- Road Traffic Act
- Regulations under Health & Safety at Work Act
- Regulation of Investigatory Powers Act
- Freedom of Information Act

In addition, ULHT is bound by the confidentiality aspects of common law and the Caldicott guidance on protection of patient information.

1.7 Retention of Records

As part of, and in addition to the above legislation, ULHT is required to retain all records (health and administrative) for specified periods of time and in accordance with the Trust retention and disposal policies.

1.8 Information Governance

Information Governance provides a framework for the handling of both personal and patient information in a confidential and secure manner to appropriate ethical and quality standards. It brings together the following areas of governance:

- Information Governance Management
- Information Security Assurance
- Confidentiality and Data Protection Assurance
- Clinical Information Assurance
- Secondary use of Information Assurance
- Corporate Information Assurance

2. Security Principles

2.1 Policy Statement

United Lincolnshire Hospitals Trust will seek to ensure the confidentiality, integrity and availability of its information is maintained by implementing best practice to minimise risk.

Patient care and confidentiality are the driving forces of the information security processes and procedures. The integrity of information is essential for informed decision making about both the types of patient care and its delivery. Patients may accept that clinical information is available to other professionals but at times may wish that certain information is withheld. The principle of confidentiality will be upheld throughout the Trust and be reflected in its protocols and system procedures.

2.2 EIS Security Policy Principles

The Trust will ensure that EIS are available when needed, they can be accessed only by legitimate users and contain complete and accurate information. The EIS must also be able to withstand or recover from threats to their availability, integrity and confidentiality.

This policy will support the development of the Electronic Care Record as part of the NHS Care Record Service (CRS), and the Trust will adhere to the NHS Care Record Guarantee.

2.3 MIS Security Policy Principles

The Trust will ensure that MIS are available when needed, they are used only by legitimate personnel in the course of their duties and contain complete and accurate information. Manual records will remain confidential, be available when required and their integrity will be maintained.

2.4 General Principles

[Figure: Information Security Principles. Information Security Policy (overall policy for confidentiality, integrity and availability of information); system & area specific policy & procedure; Acceptable Use Policies (policies which make up the ISMS).]

The IS policy sets the high level direction and required standard across the organisation. This is supported where necessary by specific system & area policies, where the required controls are explained in detail. This also links to procedure documents & manuals.

To ensure compliance with BS ISO/IEC ULHT will:

- Protect all information assets under its control including hardware, software, and electronic or manual records. This will be achieved through the implementation of a set of well balanced technical and non-technical measures.
- Provide both effective and cost-effective protection that is commensurate with the risks to its assets.
- Implement the Information Security Policy in a consistent, timely and cost effective manner.
- Carry out reviews at least annually or following a change that could affect the basis of the original risk assessment (e.g. security incident, new vulnerabilities or changes to the organisation or technical infrastructure).
- Carry out security risk assessment(s) in relation to all the business processes covered by this policy. These risk assessments will cover all information systems, applications and networks that are used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability.
- Produce a comprehensive security document set, which will form the basis of the ISMS and will apply to all information systems, applications and networks. These policies will be developed on the basis of an analysis of risks.

- 2.4.6 All security policies will be approved by the Information Security Manager (ISM) both at the beginning of the project and prior to the implementation of any information system.
- Produce system acceptable use policies (AUP) and security contingency plans.
- Ensure that all users of the system are made aware of the contents and implications of relevant AUPs. They must accept and follow the terms laid out in the Information Security Policy and relevant AUPs, before being granted permission to access systems.
- Ensure that all users of information systems, applications and networks are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities.
- Implement procedures to ensure that any breach of security, suspect incident or security weakness is reported and subsequently investigated.
- Ensure that any Information Security policy violations (irresponsible or improper actions) are investigated and may result in formal disciplinary procedures being taken (using the HR Disciplinary Policy), or criminal prosecution.
- Develop a business continuity management policy to ensure that contingency and disaster recovery plans are produced for all critical applications, systems and networks. These plans will be reviewed by the ISM and tested on a regular basis.
- Ensure that for all new systems, all relevant security documentation, security AUPs and contingency plans reflecting the requirements of the security policy are produced as part of the project.
- Ensure that the relevant project/system manager reviews changes to the security of an information system, application or network. All such changes must be reviewed and approved by the ISM.
- Ensure that all EIS are approved before they commence operation.
- Ensure that measures are in place to detect and protect information systems, applications and networks from viruses and other malicious software.
- Ensure that all connections to external networks and systems have documented and approved AUPs.
- Ensure all connections to external networks and systems are approved by both the Network Security Manager and ISM before they commence operation.
- Ensure that all third party accesses and access rights are strictly controlled. Access will only be granted when a contractual agreement with the third party has been made, the third party has signed the Trust confidentiality agreement accepting the terms stated within the Information Security Policy and other conditions made within a contract. Should the connection be made via N3, the statement of compliance will form part of a conditional contract.

- Ensure that:
  - Security responsibilities are included in job descriptions.
  - All employees sign the Trust code of practice for confidentiality.
  - System Managers/ICT Ops are informed of new employees, change to employees' job roles and when employees leave the Trust.

2.5 Caldicott Principles

United Lincolnshire Hospitals Trust is fully committed to the Caldicott Principles regarding the protection and use of patient-identifiable information, namely:

- Use and transfer of such information will only take place where the purpose is fully justified.
- Use and transfer will only occur when absolutely necessary.
- Use the minimum required; where possible, all data should be anonymised.
- Access strictly need to know.
- Everyone must understand his or her responsibilities.
- Understand and comply with the law.

2.6 Patient Identifiable Information

Information routinely flows within the NHS community and between NHS organisations and other bodies concerned with patient care or an individual's medical condition. The misuse of patient identifiable information for non-clinical purposes could have an adverse effect on the clinician/patient relationship and could also infringe individuals' legal rights. With this in mind ULHT has established a Caldicott Guardian to ensure that the flow of patient identifiable information is appropriately controlled.

All data sharing will be strictly undertaken against the principle that only those who are involved with the direct provision of care or with broader work concerned with the treatment or prevention of disease in a population should normally have access to patient identifiable information. This is not restricted to clinical staff but may include other staff, where they need access to clinical information systems (manual and electronic).

2.7 Safe Haven Principles

The Trust will adhere to the Safe Haven principles outlined in the Caldicott report. Areas will be identified where patient identifiable information can be handled in a controlled environment and information can be received, transmitted, processed and stored safely. Details will be outlined in the Safe Haven and Communications Policy.

2.8 Sharing Information with Partner Organisations

United Lincolnshire Hospitals Trust works with partner organisations which all have a legitimate role to play in delivering care to NHS patients. Partners, in this context, are taken to be:

- Lincolnshire Primary Care Trust (LPCT)
- Lincolnshire Partnership Trust (LPT)
- East Midlands Ambulance Service
- Lincolnshire County Council
- St Barnabas Hospice
- HM Prison Morton Hall

A formal Lincolnshire community wide Information Protection and Sharing Protocol has been developed and published which makes the standards of information protection control explicit.

2.9 Sharing Information with Non-partner Organisations

In addition to partner organisations, ULHT receives requests for person-identifiable information from external and non-NHS sources. Organisations requesting such information include:

- Private Healthcare providers
- Police
- Insurance companies
- Solicitors

Whilst such requests may be legitimate, ULHT will ensure the use of such information is not abused, by applying the following principles when considering the release of the information to non-partner organisations:

- Information will not normally be released without the written consent of the individual concerned.
- Individuals will normally be fully informed:
  - That information is being released.
  - Of the purpose(s) for which it is being used.
- Individuals will wherever possible be given the right to review the information being released and given the opportunity to correct or otherwise amend such information before release.

These requirements may be waived in certain conditions such as where we have a legal requirement to release without the individual's consent (e.g. as a result of a court order) but only after authorisation has been obtained from the Data Protection Office.

2.10 Sharing Information Internally

United Lincolnshire Hospitals Trust shares its internal network with other NHS organisations which all have a legitimate role to play in delivering care to NHS patients and who are based within trust facilities. Such organisations include:

- Macmillan nurses.
- Path Links.
- Cancer Collaborative Staff.

3. Communications

3.1 Policy Statement

The use of IT networks will continue to increase and will become the primary means of communication within and between the various organisations providing services to clients throughout the NHS.

One consequence of this is that the networking infrastructure will be increasingly used for a wide variety of purposes to facilitate more flexible working practices and delivery of care, for example, home-working by both clinical and managerial staff. Domestic dwellings may be more vulnerable than work premises to theft and subsequent loss or disclosure of information. Increased use of fax and email also introduces the vulnerability to interception or misdirection.

It is appropriate to include postal and verbal communications as part of an information security policy as these elements are integral parts of the information management culture.

3.2 Network Security

United Lincolnshire Hospitals Trust will manage its network services to at least the level of the N3 Data Networking Security Policy and its associated Statement of Compliance. Full details are set out in the Network Security Policy.

3.3 Home-working

United Lincolnshire Hospitals Trust will implement a set of strict controls and procedures that apply to all home-working activity. Only those members of staff prepared to accept the controls and certify that they have done so will be permitted to work on ULHT information at home. Full details are set out in the Mobile Computing and Homeworking Policy.

3.4 Telephone Security

It is essential that all staff are aware of the need to check the credentials and identity of all callers requesting patient-identifiable or other sensitive information and that all Trust protocols and procedures, regarding the release of patient identifiable information, are adhered to. Full details are set out in the Safe Haven and Communications Policy.

3.5 Email

Email is not a secure method for the transfer of information, and unless an approved encryption process is used as part of an organised workflow, the content should not contain patient identifiable or sensitive business information.

Email accounts are given to all ULHT employees as a business tool and may with discretion be used for personal use but employees will be made aware that emails will be monitored and therefore privacy cannot be expected. The use of email must be in accordance with the Trust's Acceptable Use Policy.

Commercial web based email. The use of commercially available web based email such as hotmail and mail.com is specifically prohibited for any patient identifiable information or official information relating or belonging to ULHT.

3.6 Internet

Access to the Internet is a useful tool in the workplace and can be a significant source of reference information. It can also be the source of inappropriate material. ULHT is committed to giving all staff access to the internet for both work and limited personal use (break times, with line management authority) whilst at the same time ensuring that their use of it does not breach any acceptable standards which may bring the organisation into disrepute.

Staff are advised that use of the Internet may be monitored and that appropriate technical controls will be put in place. This is to ensure that the Trust Board meets their legal obligations, that the system is only used in accordance with Trust policy and that ULHT's information resources are protected from malicious attack.

All staff are to abide by the Trust's Web Services (Internet/Intranet) Acceptable Use Policy.

3.7 Monitoring

In order to ensure that staff do not breach any legislation that may have an impact upon ULHT during their personal use of email and the Internet, the organisation will monitor its IT systems. This monitoring will be carried out in accordance with the Information Commissioner's guidance in this area and will comply with the Regulation of Investigatory Powers Act.

3.8 Postal/Courier Communications

All staff should ensure that arrangements for sending and receiving information through the post are adequate, particularly in relation to personal identifiable information.

The use of tamper proof envelopes is mandatory for all non-encrypted bulk data transferred by hand or courier. The use of Special Delivery is mandatory for all bulk non-encrypted data sent in the post.

3.9 Verbal Communications

Under the Caldicott guidelines, staff are obliged to respect the privacy of individual patients. This means holding conversations about patients discreetly and with due regard to the sensitivity of the subject under discussion. Staff should be aware of the dangers of conversations being overheard both in the workplace and particularly when away from it. Users of mobile phones should take particular care when in public areas, especially whilst on public transport.

3.10 Fax Security

All users of fax machines should implement controls to ensure that fax communications are protected at all times. Patient Identifiable Information must only be faxed to and received from a secure environment in accordance with Safe Haven principles. For further guidance refer to the Safe Haven and Communications Policy.

4. Quality Control and Data Validation

4.1 Policy Statement

The integrity of data is a key component of information security and it is essential that confidence be maintained in data accuracy for use in decision making. Therefore it is vitally important that data held by ULHT is of the highest possible quality. Inaccuracies in data, particularly that relating directly to patient care, have the potential to adversely affect a patient's treatment or to seriously disrupt the running of ULHT's operations. This requirement extends to both computerised and manual data.

4.2 Data Input

Data accuracy is the direct responsibility of the person inputting the data supported by their line manager.

All systems will include validation processes at data input to check in full or in part the acceptability of the data. Depending on the system, later validation may be necessary to maintain referential integrity.

Systems should report all errors together with a helpful reason for the rejection to facilitate correction. Error correction should be done at the source of input as soon as it is detected. Such correction is increasingly important as systems are linked and errors can be transmitted between systems.

Any loss or corruption of data should be reported to the relevant system manager at once - this should involve the incident recording mechanism immediately and possibly major incident control (dependent upon the severity of the problem).

4.3 Validation

All electronic systems will incorporate validation processes and audit trails to detect and record problems with processing or data integrity. Where this is not achievable, due to system limitations, manual validation systems will continue to support information requirements. For further guidance refer to the Data Quality Assurance Policy.

5. Security Responsibilities

5.1 Overall Responsibility

The Chief Executive is ultimately responsible for information security, both policy and implementation, within the Trust and has agreed with the Board of Directors to the implementation and management of BS ISO/IEC as an Information Security Management System. The overall responsibility is delegated to the Associate Director of ICT who will appoint a dedicated Information Security Manager.

5.2 Associate Director of ICT

The Associate Director of ICT is responsible for:

- Making arrangements for information security by setting an overall information security policy for the organisation.
- Appointing the Information Security Manager.
- Ensuring that, where appropriate, staff receive information security awareness training.

5.3 Information Security Manager

The Information Security Manager is responsible for:

- Acting as a central point of contact on information security within the organisation, for both staff and external organisations.
- Implementing an effective framework for the management of security.
- Assisting in the formulation of information security policy.
- Advising on the content and implementation of the information security programme.
- Co-ordinating the production of organisational standards, procedures and guidance on information security matters for approval by the Information Security Forum.
- Co-ordinating information security activities, particularly those related to shared information systems or IT infrastructures.
- The development and implementation of the Information Security Management System to ensure Trust compliance with the requirements of BS ISO/IEC.
- Investigating and reporting on all information security incidents.

5.4 Data Protection Officer

The Data Protection Officer is responsible for:

- Ensuring that appropriate Data Protection Act notifications are maintained for applicable organisation's systems and information.
- Dealing with enquiries, from any source, in relation to the Data Protection Act and facilitating Subject Access Requests.
- Advising users of information systems, applications and networks on their responsibilities under the Data Protection Act, including Subject Access.
- Advising the Trust Executive Board on breaches of the Act and the recommended actions.
- Encouraging, monitoring and checking compliance with the Data Protection Act.
- Liaising with external organisations on Data Protection Act matters.
- Promoting awareness and providing guidance and advice on the Data Protection Act as it applies within the organisation.

5.5 Caldicott Guardian

The Caldicott Guardian is responsible for ensuring that the Caldicott principles for the handling of patient identifiable data are adhered to in relation to all information systems, both manual and automated.

5.6 ICT Ops

ICT Ops are responsible for:

- Ensuring that all EIS are configured and managed in accordance with Trust information security policies and specific systems AUPs and procedures.
- Ensuring that only individuals who have the necessary authority are allocated system accounts.
- Ensuring that risks to IT systems are reduced to an acceptable level by applying security countermeasures identified in a timely manner.

21 5.7 Accreditation Authority Before any IT system is allowed to store, process or forward any Trust information on the ULHT LAN, or confidential information in stand alone mode, it must be given security approval, known as Accreditation. The Accreditation Authority (AA) has delegated authority by the Trust Board to: Review the Security Policy Documentation. Request security enhancements. Grant authority to process data in accordance with the AUP. Deny authority to process data where the security of an EIS is deemed to be unacceptable. 5.8 Information Governance Board The Information Governance Board will act as the AA and will promote the security of the Trust by: Implementing the Information Security Policy throughout the Trust. Ensure awareness of all employees' accountabilities and responsibilities. Reviewing and where appropriate authorising information security policies and responsibilities. Review incident reports relating to security and ensure appropriate action is taken to reduce or eliminate the risk. Develop and enforce Trust security. 5.9 Director of Facilities The Director of Facilities is the designated Trust Director who, with Senior management, ensures key tasks are carried out and that adequate policies, procedures and systems are in place for the protection of persons and property and to the deterrent and prevention of crime Line Managers Line Managers are directly responsible for: Ensuring the security of the organisation s assets, that is information, hardware and software used by staff and, where appropriate, by third parties is consistent with legal and management requirements and obligations Determining members of staff who require access to specific systems based on their role and their need to access information held on that particular system Ensuring that system administrators are informed when members of staff no longer require access to a particular system Ensuring that their staff are aware of their security responsibilities. 

- Ensuring that their staff have had suitable security training
- Ensuring that any actual or potential breach of information security policy within their area of responsibility is reported via the trust incident reporting system and, for serious incidents, direct to the ISM.

General Responsibilities

All personnel or agents acting for the organisation have a duty to:

- Safeguard hardware, software and information in their care and ensure confidentiality is maintained
- Ensure that all computer accounts are protected by the safeguarding of their individual username and passwords
- Ensure that no breach of information security results from their action
- Prevent the introduction of malicious software on the organisation's EIS
- Report on any suspected or actual breaches in information security to their line manager or via the trust incident reporting procedure
- Accept and follow the terms laid out in the information security policy and all other relevant security policies and procedural documents.

A guide for EIS users is at appendix

IT Project Boards

IT Project Boards are responsible for ensuring that security is properly considered when applications and systems are under development or enhancement. In the absence of a Project Board the responsibility for security falls to a nominated project officer. The development of a security policy for the application or system should commence at the earliest opportunity following the initiation of the project and should result in the development of security procedures.

Appendix 1 - References

Reference No | Document Title | Document Owner
7974 | NHS Code of Practice for Information Security Management | Digital Information Policy, NHS Connecting for Health
 | Protecting and Using Patient Information: A manual for Caldicott Guardians | NHS Executive
ULH-IM&T-COP01 | Confidentiality Code of Practice for the United Lincolnshire Hospitals Trust | Information Governance
ULH-IM&T-ISP02 | Acceptable User | Information Governance
ULH-IM&T-ISP03 | Internet Acceptable User | Information Governance
ULH-IM&T-ISP04 | Computer Acceptable User | Information Governance
ULH-IM&T-ISP05 | Mobile Computing and Home Working | Information Governance
ULH-IM&T-GP02 | Safe Haven and Communications Policy | Information Governance
ULH-IM&T-DQA01 | Data Quality Assurance Policy | Information

Appendix 2 - Glossary of Terms

ULHT | United Lincolnshire Hospitals Trust
ICT | Information Communications Technology
IT | Information Technology
EIS | Electronic Information System
MIS | Manual (paper based) Information Systems
ISO | British standard for information security
ISMS | Information Security Management System
CRS | Care Record Services
CRG | Care Record Guarantee
AUP | Acceptable Use Policy
AUP | Acceptable Use Policy (System Security)
HR | Human Resources
ISM | Information Security Manager
AA | Accreditation Authority

Appendix 3 - Guidance for EIS Users

Data Protection: Keep all personal/sensitive information/data confidential (Data Protection Act 1998). Never divulge more information than is required. Patient information must only be given to authorised personnel. Try to use anonymised data using NHS numbers as an identifier whenever possible.

Systems Access: Do not access or help someone to access any computer system, or modify any program or data, unless you are authorised to do so. Never allow another individual to use your system account without the authority of the Systems Manager.

Passwords: Passwords must be kept secure and changed at regular intervals. You should never give out your password to others.

Anti-Virus procedures: All downloaded files, attachments and floppy disks should be scanned for viruses using virus protection software.

Physical Security: Observe building security procedures such as locking doors and windows after working hours. Wear your identity badge at all times and challenge strangers who act suspiciously or are in restricted areas. You should take steps to prevent the theft of any assets, especially information assets.

Configuration Control: Hardware and software purchases must be processed through the Supplies Manager in conjunction with Computer Services. No systems software or application programmes are to be introduced onto any computer system unless authorised by Computer Services.

Unattended Workstations: Log off or lock your P.C. if you intend to leave it unattended. If provided, use the screensaver password protection facility.

Data Storage: Do not store information/data locally on a P.C. unless your system has facilities to back up the data to an external device. Please ask your line manager to request network access for storage if required. You are responsible for backing up anything that is not stored on the network.

Magnetic Media Security: Storage media such as floppy disks must be securely stored; please note the manufacturer guidelines for storage conditions.

You must comply with the Information Security Policy, all legal requirements and related policies and procedures:

- Data Protection Act (1998)
- Computer Misuse Act (1990)
- Copyright Design and Patents Act (1988)
- Criminal and Public Orders Act (1994)
- Human Rights Act (1998)
- Telecommunications Regulations (2000)
- Regulation of Investigatory Powers Act (2000)
- BS7799-2:2002
- Security Operating Procedures


More information

Quick Guide To Information Governance Policies

Quick Guide To Information Governance Policies Quick Guide To Information Governance Policies Data Protection The Data Protection Act 1998 established principles and rights in relation to the collection, use and storage of personal information by organisations.

More information

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE GENERAL STATEMENT TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE 1.1 The Council recognises the increasing importance of the Internet and email, offering opportunities for improving

More information

ABERDARE COMMUNITY SCHOOL

ABERDARE COMMUNITY SCHOOL ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

Information Governance

Information Governance Information Governance Information for Patients Information Governance (IG) Contents: Identifying the IG Lead for the Practice. This identifies the main people responsible for Information Governance Policy.

More information

43: DATA SECURITY POLICY

43: DATA SECURITY POLICY 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

IT SECURITY POLICY (ISMS 01)

IT SECURITY POLICY (ISMS 01) IT SECURITY POLICY (ISMS 01) NWAS IM&T Security Policy Page: Page 1 of 14 Date of Approval: 12.01.2015 Status: Final Date of Review Recommended by Approved by Information Governance Management Group Trust

More information

Information Security Policy London Borough of Barnet

Information Security Policy London Borough of Barnet Information Security Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Document Description Information Security Policy Policy which sets out the council s approach to information

More information

Accessing Personal Information on Patients and Staff:

Accessing Personal Information on Patients and Staff: Accessing Personal Information on Patients and Staff: A Framework for NHSScotland Purpose: Enabling access to personal and business information is a key part of the NHSScotland Information Assurance Strategy

More information

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy Version History Author Approved Committee Version Status date Eddie Jefferson 09/15/2009 Full Governing 1.0 Final Version Body Eddie Jefferson 18/08/2012 Full Governing Body 2.0 Emended due to the change

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Including the Information Governance Strategy Framework and associated Information Governance Procedures Last Review Date Approving Body N/A Governing Body Date of Approval

More information

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures SECURITY INCIDENT REPORTING AND MANAGEMENT Standard Operating Procedures Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme.

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Information Security Policy. Information Security Policy. Working Together. May 2012. Borders College 19/10/12. Uncontrolled Copy

Information Security Policy. Information Security Policy. Working Together. May 2012. Borders College 19/10/12. Uncontrolled Copy Working Together Information Security Policy Information Security Policy May 2012 Borders College 19/10/12 1 Working Together Information Security Policy 1. Introduction Borders College recognises that

More information

Authorised Acceptable Use Policy 2015-2016. Groby Community College Achieving Excellence Together

Authorised Acceptable Use Policy 2015-2016. Groby Community College Achieving Excellence Together Groby Community College Achieving Excellence Together Authorised Acceptable Use Policy 2015-2016 Reviewed: Lee Shellard, ICT Manager: May 2015 Agreed: Leadership & Management Committee: May 2015 Next review:

More information