AUDIT COMMITTEE 10 DECEMBER 2014
AGENDA ITEM 8
Subject: Management of Information Risks
Report by: Director of Corporate Services
Enquiries contact: Tony Preston, Ext 6541, tony.preston@chelmsford.gov.uk

Purpose
This report provides an overview of the Council's approach to managing the risks to its information assets.

Recommendation(s)
1. That the report be noted.

Corporate Implications
Legal:
Financial:
Personnel:
Risk Management: Risk reported to Strategic Risk Board.
Equalities and Diversity:
Health and Safety:
IT: Report is on work of IT team.
Other:
Consultees:
Policies and Strategies
The report takes into account the following policies and strategies of the Council: Information Governance Policy; Corporate Security Policy; Security Policies (Remote Working, Removable Media, Software Asset Management, Payment Card Security, Incident Management, Conditions of Acceptable Use, 3rd Party Remote Access Request).

Corporate Plan Priorities
The report relates to the following priorities in the Corporate Plan:
- Attracting investment and delivering infrastructure
- Facilitating suitable housing for local needs
- Providing high quality public spaces
- Promoting a more sustainable environment
- Promoting healthier and more active lives
- Enhancing participation in cultural activities

1. Introduction
The Data and Information Team within ICT acts as the focal point for the Council's information assurance and legislative compliance activities, for example handling FOI requests, investigating data breaches and managing PSN compliance.

2. The Governance Structure
Underpinning the Council's approach to information risk is the umbrella document, the Information Governance Policy, which sets out Chelmsford City Council's approach to information governance, focusing on policies, roles and responsibilities. This is published on a dedicated intranet section detailing the roles of the Information Asset Owners (IAOs), the Information Management Group (IMG) and the other information governance roles, plus the relevant policies and helpful guidance documents.

The key roles involved in the management of information are the Senior Information Risk Owner (SIRO, Louise Goodwin), the Information Manager and the Information Asset Owners (IAOs), who are responsible for managing information within their services. All IAOs sign an annual declaration confirming their commitment to fulfilling these responsibilities. These key roles form the backbone of the Information Management Group (IMG), which meets quarterly. The meeting is used to consult on policies, discuss issues, develop solutions, and set and drive the information strategy.
Appendix A analyses our current activity and future actions against 8 recommended governance actions.
3. Development of an Information Asset Register
IAOs were pivotal in the formation of an Information Asset Register (IAR), which identifies all the key information assets within their service areas. An information asset is a collection of information that is managed and of value to the business; the IAR provides information about these assets to help focus on protecting, and potentially exploiting, that information.

The IMG has also developed a number of other key areas and, earlier this year, identified and prioritised the risks relevant to its services to enable the creation of an Information Risk Register (IRR, see below). This has since been used to steer the focus of the Group. The top risks identified were the security of data in transfer, poor data management, lack of training and awareness, and human error (see Appendix A). The IMG has then focused on what the Council can do to mitigate these risks. The risks show clearly that, collectively, the greatest information risk to the organisation is people and culture; IAOs have therefore identified awareness and education as a high priority.

Information Risk Register (risks plotted by likelihood against impact)
Likelihood scale: 6 Very High, 5 High, 4 Significant, 3 Low, 2 Very Low, 1 Almost impossible
Impact scale: 1 Negligible, 2 Marginal, 3 Critical, 4 Catastrophic
Plotted risks: risk 7 at Significant likelihood; risks 2, 3, 6, 8, 9 and 10 at Low likelihood; risk 1 at Very Low likelihood; risk 11 shown against Marginal impact.

Key to risks:
1 Identifying customers
2 3rd party security
3 User/manual error
4 Member access
5 Insider threat
6 File management
7 Papers on desks
8 Lack of policy
9 Retention
10 Security
11 Sending of data

The above IRR is summarised in the Strategic Risk Register with an evaluation of Low Likelihood and Marginal Impact, and includes the controls in place (see Appendix B).
4. Training and Awareness
To help drive culture change and raise awareness, there has been a major focus on training and development. For example, in 2012 all staff completed an e-learning module on key information legislation. At the end of 2013 a successful training day was held in the Council Chamber, with expertise from the Cabinet Office and The National Archives, to help IAOs and nominated officers within services expand their understanding and awareness of information governance. In September, The National Archives also provided an information specialist to engage the organisation on the key principles of information assurance, in a Management Team Assurance breakfast session with the extended Management Team of Directors and senior managers.

More significantly, following a recommendation from the IMG, in September 2014 the Council held its first Information Awareness Week. This event was designed to raise awareness of information risks and security for all staff, and to show how the Council can get more value out of information by managing it appropriately. The week was designed to be engaging and dynamic, to ensure not just attendance but also a change in staff behaviour. It contained interactive themes to teach staff the fundamentals of information assurance in a way that would stay in their minds. To help embed this, each activity looked at the learning from both a personal and a professional angle, showing that these skills are transferable and do not stop when you walk out of the office at the end of the day, and that we can learn from how we protect information in our personal lives. The week had a real impact, with around 150 individuals attending events and a 98% satisfaction rate for the week as a whole.

Underpinning this, all staff are placed into categories referred to as gold, silver or bronze, based on their role with data, as part of the framework for staff training in Information Assurance. These categories define the level of training required by staff, allow them to structure their learning, ensure that it is relevant to the level of information responsibility they hold, and link into the Council's Information Awareness Programme. Over 500 staff have already achieved their status by undertaking the required level of training.

The evaluation for risk 7 above (papers on desks) was affirmed following a review of clear desks at the end of the Information Awareness Week.
5. Information Breaches
As the risks indicate, human error can happen, and human error has been the cause of the vast majority of breached information. To ensure that incidents are managed effectively, the Council has an Information Breach Procedure which has been developed over time from IAO feedback and learning from breaches, and is based on the Information Commissioner's own breach reporting procedure.

The number of information breaches reported has increased over time; however, this is not a negative sign. With increased staff awareness and the organisation's drive to be more open, staff are more willing to report incidents when they happen. This is a good position to be in, as increased awareness can identify and address issues such as training, policies and procedures; previously these issues may have gone unnoticed, leaving systemic problems unaddressed. The Council emphasises the importance of investigating why breaches happen: each individual breach is investigated thoroughly, and improvement recommendations are set and managed within Covalent. Incidents are scored from Low through to Critical against the Incident Scoring Matrix, which is embedded in the Risk Management process for information and ICT risks. High or Critical breaches are then reported to the Strategic Risk Board.

Statistics on information breaches
There have been 36 breaches from 1st October 2012 to the present day. The majority of these have resulted from accidental human error. Just over 80% of these breaches involved fewer than 5 records, and 50% involved just one record. During this period the Council has reported three breaches to the Information Commissioner, who regulates information legislation. On each occasion the Council was told that the breach was not deemed serious enough for further action; the Council has built this learning into the Incident Scoring Matrix.
6. Technology
The Council has again passed the standards to become Public Services Network (PSN) and Payment Card Industry (PCI) compliant. It is important that the Council meets these standards, as without them the Council could not administer services to vulnerable citizens such as Benefits (PSN) nor process card payments (PCI).

In the last two years we have seen significant changes in the way spam and malware are sent to Council staff, which has made filtering very difficult. In 2013 ICT introduced a new filter, iCritical, which had the advantage of global threat awareness and the ability to react quickly to threats and spam. During 2014, however, it became clear that a key component of its functionality, learning about anticipated threats from users' acceptance or rejection of emails, would not work and that the supplier was unlikely to make it work in the foreseeable future; the risk of IT security breaches was therefore increasing. In September 2014 the Mimecast filtering service was introduced. So far this has worked as specified, testing and analysing incoming emails each day.

Network monitoring has shown that our network experiences high levels of external attack (as a UK public body and as part of Government), with three times the usual level from overseas during elections (1,700 firewall attacks). Chelmsford was one of the first Councils to notice this and passed on this valuable information to other authorities. Software to detect third-party devices attached to the network has also prevented internal threats, as staff still attempt to attach unauthorised devices such as memory sticks to PCs; this helps to target training needs. Good Technology was introduced to enable Councillors and staff to access emails and the Intranet from Council-owned or their own smart phones and tablets. The technology is now being tested to also allow staff access to documents in personal and shared files on the network.

7. Conclusion
Considerable progress has been made in reducing information risk, but effort is still required to maintain vigilance and improve individual behaviour with respect to policy compliance.

List of Appendices
Appendix A: Analysis of 8 Steps for Information Governance
Appendix B: Strategic Risk

Background Papers
Nil
Appendix A - Analysis of 8 Steps for Information Governance
(8 Steps recommended by CEB's Legal, Risk and Compliance Practice)

1. Review the quality of the work done by your organisation's information security team. The second line of defence has a key role to play; critically assess how well they fulfil that role and drive improvement.
Current activity: Information risk is now seen as of strategic importance and is reported as one of eight risks to the Strategic Risk Board (see also Appendix B).
Future actions: Ongoing assessment of risk and reporting to the SRB.

2. Ensure that business-led IT initiatives are appropriately secured and deliver creative IT solutions quickly to innovative business managers around the organisation.
Current activity: Privacy Impact Assessments are completed for all new systems acquisition/development activity, led by the Information Manager. Third party service providers are assessed for levels of information risk.
Future actions: During 2015 Service Managers will take on the initial assessment activity, with the Information Manager providing a consulting and assessment role.

3. Review all key aspects of information security every year to ensure that no gaps or disconnects exist. This is likely to require tough resourcing and planning decisions for CAEs.
Current activity: See 1 above. IT and IM security are assessed each year as part of PSN and PCI compliance. Penetration tests reveal potential weaknesses, which are corrected as part of compliance work. Maintenance of software patches is now seen as a priority ahead of new business projects. IT audit work recommendations are acted upon (IT audit is not done in the majority of Essex Councils).
Future actions: Penetration tests and recent work around Information Awareness Week have shown that the storage and security of manual records (eg papers on desks, management of passwords and unlocked filing cabinets) needs to be improved in many parts of the Council, and this will be a priority for the work programme of the Information Manager in

4. Ensure your audit committee can provide effective oversight of information security. This means they should have the right skills and knowledge and can challenge management frequently enough on the information security risks facing the organisation and the controls management has implemented.
Current activity: Awareness session provided in September. Committee members have attended external training sessions. Strategic Risk Management with the SRB.
Future actions: Annual reporting in line with SRB reporting.

5. Strengthen your security barriers by changing employees' behaviour. Secure behaviour by employees (and contractors and others working for you) provides agile protection against a rapidly changing threat environment, even in the absence of a written policy.
Current activity: IAOs recognise there has been a change in the last 18 months; however, see 3 above. IT security tends to focus on stopping events happening, but not on the underlying behaviour of people attempting to be non-compliant, eg using non-secure USB devices.
Future actions: See 3 above. Propose that the future audit programme may need to focus more on the actions needed to achieve behaviour change.

6. Use a nuanced approach to train all employees effectively in corporate-sensitive roles, including all senior management, the assistants of those senior managers, and everyone in sensitive roles such as purchasing or systems administration.
Current activity: As part of PSN compliance work, appropriate training has to be maintained for all staff. The SIRO has to attend annual training sessions. IAOs have attended training sessions and attend the quarterly meeting. Role-based training (gold, silver, bronze) is provided electronically.
Future actions: Specific training sessions are being prepared for remote sites, and a potential 2015 Information Awareness Week will again focus on achieving behaviour change.

7. Run scenario exercises to ensure senior management truly understands the information assets relied upon by the organisation, the main vulnerabilities and the real impact of their behaviours and decisions.
Current activity: Information Awareness Week touched on this. Business Continuity exercises across the Council test how services react to systems (and hence information) loss.
Future actions: We are investigating this area, eg the creation of false viruses to see how staff react (however, external research suggests that results and behaviour tend to be poor).

8. Scan the horizon routinely to understand critical emerging risks and ensure your control framework is adapted in time.
Current activity: Partially covered through the annual changes in PSN compliance requirements; eg this year there has been a move away from pure technology compliance towards principles, and hence more emphasis on how information is then used and shared. Responsibilities are shared between the Information Manager and the Technical Team Leader, who also attend appropriate external briefings and maintain Essex-wide networks of staff in similar roles. Security systems suppliers provide regular updates. Internal security systems analysis has shown when we need to be more vigilant (eg during elections).
Future actions: Continue as now.
Appendix B - Strategic Risk

Managed by: Louise Goodwin
Review date: 31-Oct-2014
Risk number: SR-008
Description: Potential loss or misuse of data and information due to targeted or accidental external or internal actions
Current risk score *: Marginal x Low
Target risk score *: Marginal x Low
Next review date: April 2015

Adequacy of action/control to address risk: The SIRO, supported by the IAOs and the Information Manager, reviews the key controls in place, highlighting any weaknesses.

Required management action / control: Marking is likely to be mandated during 2015 for PSN compliance. Further action, systems and training will be required.

Critical success factors:
- Assurance that ICT services will not be brought off line to deal with network or systems breaches.
- No successful external attacks aimed at obtaining sensitive data.
- The threat of staff misuse of data is minimised.
- No data breaches will require action by the ICO against the Council.

Actions / controls already in place:

PSN CoCo Compliance: Compliance assures Central Government that the Council meets the security standards required to control our ICT-based data and information assets; this is at the same level as international standards and is reassessed each year.

PCI Compliance: As a level 3 merchant, compliance is monitored through self-assessment (see also penetration tests).

Internal Audit Regime: The Internal Audit plan related to ICT is based on an assessment of risk, and includes an annual assessment of the controls over financial systems.

ICT and Information Policies: Policies are updated annually (these follow a standard format agreed by all Essex Local Authorities through the Essex On Line Partnership).

Senior Information Risk Owner (SIRO) and Information Asset Owners (IAOs): The SIRO (Louise Goodwin) meets with the IAOs quarterly to review the Information Assurance programmes of work.

Information Asset Owner (IAO) Declarations: Annual declaration by IAOs that they are managing the data and information risks in their business areas in accordance with policies; local risks and action plans are recorded in Covalent. Non-Disclosure Agreements are also used to manage risk with third parties.

ICT Security Systems: To achieve PSN CoCo compliance a range of ICT systems are maintained to the latest levels, eg data and systems backup, systems access control, 3rd party access control, identity management, anti-virus, firewalls, web and e-mail filtering, and end point device management. Secure destruction is carried out on obsolete data storage.

Mobile Device Management: As part of PSN compliance, mobile device management (Good Technology) is deployed to mobiles and tablets to ensure that no corporate data resides on the device and that it can only be accessed securely.

ICT Penetration Tests: Carried out annually as part of PSN compliance testing; this also covers the ability to access non-ICT-based data. Quarterly external penetration tests test for PCI compliance.

Security Incident Management: Security systems management information is used to identify further information assurance activities and potential non-compliance with policy, and to carry out risk assessments when the threat level is heightened (eg during elections) and at times of security alerts.

Information breach management: The investigation of information breaches is carried out by the Information Manager. Remedial actions are recorded in Covalent.

Training Programmes: Staff roles are assessed as to the level of Information Assurance training required (Bronze, Silver or Gold). Understanding is tested and recorded using the MetaCompliance system. The SIRO attends annual Government briefing sessions. ICT staff attend appropriate training courses to manage and operate ICT security technologies.

Privacy Impact Assessments (PIAs): The owners of all new ICT projects involving the use of data complete a PIA to ensure that any information risk is properly evaluated and managed. Technical assessments/due diligence are carried out as part of the PIA process.

Information Sharing Agreements: The WEISF (Whole Essex Information Sharing Forum) has agreed a framework for the sharing of data between public sector bodies. Sharing protocols provide assurance that only permissible data is shared, and that it is shared with the appropriate level of security.

Note: * Evaluating a single score is difficult. There is a low likelihood of regular marginal-impact events, eg information breaches or random external attacks; conversely, there is a very low likelihood of external targeted attacks succeeding, but these could possibly have a critical level of impact.
Committees Audit & Risk Management Committee Finance Committee Subject: Cyber Security Risks Report of: Chamberlain Date: 17 September 2015 22 September 2015 Public For Information Summary Cyber security
More informationInformation Governance Strategy. Version No 2.1
Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of
More informationThe CPS incorporates RCPO. CPS Data Protection Policy
The CPS incorporates RCPO CPS Data Protection Policy Contents Introduction 3 Scope 4 Roles and Responsibilities 4 Processing Criminal Cases 4 Information Asset Owners 5 Information Asset Register 5 Information
More informationLEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
More informationInformation Security Incident Management Policy September 2013
Information Security Incident Management Policy September 2013 Approving authority: University Executive Consultation via: Secretary's Board REALISM Project Board Approval date: September 2013 Effective
More informationInformation Governance and Assurance Framework Version 1.0
Information Governance and Assurance Framework Version 1.0 Page 1 of 19 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: Meridio Location: Approval Body: Policy and Guidance
More informationdeveloping your potential Cyber Security Training
developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company
More informationInformation Security Management System (ISMS) Policy
Information Security Management System (ISMS) Policy April 2015 Version 1.0 Version History Version Date Detail Author 0.1 18/02/2015 First draft Andy Turton 0.2 20/02/2015 Updated following feedback from
More informationIT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies
IT Professional Standards Information Security Discipline Sub-discipline 605 Information Security Testing and Information Assurance Methodologies December 2012 Draft Version 0.6 DOCUMENT REVIEW Document
More informationDigital Continuity Plan
Digital Continuity Plan Ensuring that your business information remains accessible and usable for as long as it is needed Accessible and usable information Digital continuity Digital continuity is an approach
More informationDocument No: IG10f. Version: 1.0. Information Governance Contracts Guidance. Name of Procedure: Version Control
Document No: IG10f Version: 1.0 Name of Procedure: Information Governance Contracts Guidance Author: Release Date: Review Date: Lauren Hamill, Information Governance Officer Version Control Version Release
More informationWaveney Lower Yare & Lothingland Internal Drainage Board Risk Management Strategy and Policy
Waveney Lower Yare & Lothingland Internal Drainage Board Risk Management Strategy and Policy Page: 1 Contents 1. Purpose, Aims & Objectives 2. Accountabilities, Roles & Reporting Lines 3. Skills & Expertise
More informationInformation Governance Plan
Information Governance Plan 2013 2015 1. Overview 1.1 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient organisation of services and resources.
More informationBarnsley Clinical Commissioning Group. Information Governance Policy and Management Framework
Putting Barnsley People First Barnsley Clinical Commissioning Group Information Governance Policy and Management Framework Version: 1.1 Approved By: Governing Body Date Approved: 16 January 2014 Name of
More informationThird Party Security Requirements Policy
Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,
More informationUNCLASSIFIED. http://www.govcertuk.gov.uk. General Enquiries. Incidents incidents@govcertuk.gov.uk Incidents incidents@govcertuk.gsi.gov.uk.
Version 1.2 19-June-2013 GUIDELINES Incident Response Guidelines Executive Summary Government Departments have a responsibility to report computer incidents under the terms laid out in the SPF, issued
More informationInformation Governance Management Framework
Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date
More informationInformation Sharing Policy
Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed
More informationInformation Management Strategy. July 2012
Information Management Strategy July 2012 Contents Executive summary 6 Introduction 9 Corporate context 10 Objective one: An appropriate IM structure 11 Objective two: An effective policy framework 13
More informationINFORMATION SECURITY TESTING
INFORMATION SECURITY TESTING SERVICE DESCRIPTION Penetration testing identifies potential weaknesses in a technical infrastructure and provides a level of assurance in the security of that infrastructure.
More informationArgyll and Bute Council
Argyll and Bute Council 3 June 2009 Contents Page 1 Executive Summary 1 Appendices A B Action plan Progress in implementation of prior year recommendations 1 1 Executive Summary 1.1 Introduction The Council's
More informationCP3043 Social, Legal and Professional Aspects of Computing. Mr Graham Brown. Assessment 2
CP3043 Social, Legal and Professional Aspects of Computing Mr Graham Brown Assessment 2 Colin Hopson 0482647 Wednesday 16 th April 2008 i Contents 1 Introduction... 1 1.1 The Bridgeway Building Society...
More informationSmall businesses: What you need to know about cyber security
Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...
More informationMEMBERS CONSIDER THE RISK STRATEGY AND RECOMMEND APPROVAL TO COUNCIL.
Agenda item: 8 Committee: Audit & Standards Committee Date of meeting: 19 th September 2011 Subject: Risk Management Strategy Lead Officer: Head of Finance Portfolio Holder: Resources - Councillor T Oliver
More informationDacorum Borough Council Final Internal Audit Report
Dacorum Borough Council Final Internal Audit Report ICT Change Management Distribution list: Chris Gordon Group Manager Neil Telkman - Information, Security and Standards Officer Gary Osler ICT Service
More informationInformation Governance Strategy
Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:
More informationRisk Management Policy
Risk Management Policy Responsible Officer Author Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date effective from December 2008 Date last amended December 2012
More informationData Access Request Service
Data Access Request Service Guidance Notes on Security Version: 4.0 Date: 01/04/2015 1 Copyright 2014, Health and Social Care Information Centre. Introduction This security guidance is for organisations
More informationSecuring business data. CNS White Paper. Cloud for Enterprise. Effective Management of Data Security
Securing business data CNS White Paper Cloud for Enterprise Effective Management of Data Security Jeff Finch, Head of Business Development, CNS Mosaic 2nd July 2015 Contents 1 Non-Disclosure Statement...
More informationESKISP6054.01 Conduct security testing, under supervision
Overview This standard covers the competencies required to conduct security testing under supervision. In order to contribute to the determination of the level of resilience of an information system to
More informationInformation Governance Policy
Policy Policy Number / Version: v2.0 Ratified by: Audit Committee Date ratified: 25 th February 2015 Review date: 24 th February 2016 Name of originator/author: Name of responsible committee/individual:
More informationProcurement Policy Note Use of Cyber Essentials Scheme certification
Procurement Policy Note Use of Cyber Essentials Scheme certification Action Note 09/14 25 September 2014 Issue 1. Government is taking steps to further reduce the levels of cyber security risk in its supply
More informationInformation Security Incident Management Policy and Procedure. CONTROL SHEET FOR Information Security Incident Management Policy
Bolsover District Council North East Derbyshire District Council & Rykneld Homes Ltd Information Security Incident Management Policy September 2013 Version 1.0 Page 1 of 13 CONTROL SHEET FOR Information
More informationINFORMATION RISK MANAGEMENT POLICY
INFORMATION RISK MANAGEMENT POLICY DOCUMENT CONTROL: Version: 1 Ratified by: Steering Group / Risk Management Sub Group Date ratified: 21 November 2012 Name of originator/author: Manager Name of responsible
More informationSomerset County Council - Data Protection Policy - Final
Organisation Title Author Owner Protective Marking Somerset County Council Data Protection Policy - Final Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council
More informationPolicy Document. Communications and Operation Management Policy
Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author
More informationService Children s Education
Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and
More informationInformation Governance Strategy
Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the
More informationInformation Security Incident Management Policy and Procedure
Information Security Incident Management Policy and Procedure Version Final 1.0 Document Control Organisation Title Author Filename Owner Subject Protective Marking North Dorset District Council IT Infrastructure
More informationSECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures
SECURITY INCIDENT REPORTING AND MANAGEMENT Standard Operating Procedures Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme.
More informationInformation Security Policy. Chapter 10. Information Security Incident Management Policy
Information Security Policy Chapter 10 Information Security Incident Management Policy Author: Policy & Strategy Team Version: 0.4 Date: December 2007 Version 0.4 Page 1 of 6 Document Control Information
More informationSecurity and Employee Monitoring Security and
Security and Employee Monitoring 2 Security & Employee Monitoring Firewalls and anti- virus solutions are fine for protecting your perimeter, but they won t help if your Employees let your business get
More informationNHS Information Risk Management
NHS Information Risk Management Digital Information Policy NHS Connecting for Health January 2009 Contents Introduction Roles and Responsibilities Information Assets Information Risk Policies Links with
More informationA Best Practice Guide
A Best Practice Guide Contents Introduction [2] The Benefits of Implementing a Privacy Management Programme [3] Developing a Comprehensive Privacy Management Programme [3] Part A Baseline Fundamentals
More informationUniversity of Sunderland Business Assurance Information Security Policy
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
More informationQuality of Utility Company Reinstatements
Item no Report no Quality of Utility Company Reinstatements Transport, Infrastructure and Environment Committee 18 June 2012 1 Purpose of report 1.1 The purpose of this report is to report on the arrangements
More informationVISION FOR LEARNING AND DEVELOPMENT
VISION FOR LEARNING AND DEVELOPMENT As a Council we will strive for excellence in our approach to developing our employees. We will: Value our employees and their impact on Cardiff Council s ability to
More informationAgenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007
Security Testing: The Easiest Part of PCI Certification Core Security Technologies September 6, 2007 Agenda Agenda The PCI Standard: Security Basics and Compliance Challenges Compliance + Validation =
More informationInformation Security and Governance Policy
Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information
More informationInformation Governance Strategy
Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version
More information