Information Security Assurance Plan 2015/16


Policy number: N/A
Version: 2.0
Approved by: Information Governance Sub-Committee
Name of author/originator: Daniel Lo Russo, Information Governance Manager
Owner (Exec Director): Elaine Newton, Director of Governance & Compliance/SIRO
Date of approval: August 2015
Date of last review: July 2015
Next due for review: April 2016 for approval following release of Version 14 CCG IG Toolkit (expected June 2016)

Version control sheet

Version 1.0 (March 2014, Daniel Lo Russo). Status: Draft. Comment: Draft for Q&CGC approval
Version 1.1 (March 2014, Daniel Lo Russo). Status: Approved. Comment: Approved by Quality & Clinical Governance Committee
Version 1.2 (March 2014, Daniel Lo Russo). Status: Final. Comment: Front sheet added
Version 2.0 (July 2015, Daniel Lo Russo). Status: Draft. Comment: Draft for IG Sub-Committee approval
Version 2.0 (TBC, Daniel Lo Russo). Status: Final. Comment: Approved by IG Sub-Committee

Related Documents

- Information Governance Framework
- Confidentiality & Data Protection Policy
- Information Security Policy
- Records Management Policy
- 2015/16 Caldicott Function Assurance Plan

Information Security Assurance Plan

Introduction

This work programme is designed to support the Information Security Policy, and describes how NHS Guildford and Waverley CCG can obtain assurance to address its Information Security needs (as required by the IG Toolkit Requirement series).

Information and information systems are important assets and it is essential that the CCG takes all necessary measures to ensure that they are protected, available and accurate to support the operations of the business at all times. The aim of the CCG's Information Security Policy and individual System Level Security Policies and Risk Assessments is to maintain the confidentiality, integrity and availability of the information stored, processed and communicated by and within the CCG.

This assurance plan outlines roles and responsibilities for managing Information Security, Information Security Incidents, and controls. It details the activities the CCG will undertake to provide assurance regarding its level of compliance with Information Security Assurance related requirements of the CCG IG Toolkit. It also details how the CCG will seek assurance with respect to ICT services provided by the South East Commissioning Support Unit (CSU).

The Information Security Assurance Plan therefore includes two separate but related elements:

1. Local Information Security Assurance Plan
2. Assurance Plan for ICT Services provided by South East CSU

Actions identified in the Assurance Plan will be included within the annual Information Governance Improvement Programme.

Information Security Management Responsibilities

Responsibility for managing Information Security within the CCG rests with all employees and the following key officers:

- SIRO (Senior Information Risk Owner)
- Information Security Officer (Information Governance Manager)
- Information Asset Owners (IAOs)

Details of specific roles and responsibilities are included within the CCG's Information Security Policy.

Responsibilities for managing Information Security within the CSU are defined within the South East CSU's ICT Security Policy and Application Security Policy. These are available to CCG staff via the CSU's website (over N3 network only) or by request to the CCG's. Every CCG staff member and contractor is responsible for processing personal data, sensitive personal data and sensitive corporate data in a secure manner.

Approval, Monitoring & Reporting

- This plan will be approved by the IG Sub-Committee of the CCG's Quality & Clinical Governance Committee, which includes the SIRO;
- Exception reports against this Assurance Plan will be provided at regular review meetings between the CCG's SIRO and Information Governance Manager;
- Exception reports against this Assurance Plan will be provided at each meeting of the IG Sub-Committee (IGSC) of the CCG's Quality & Clinical Governance Committee;
- Reports against this Assurance Plan will be used to support IGSC approval of submission of the CCG's annual IG Toolkit assessment;
- An annual summary report will be provided to the CCG's Governing Body;
- The effectiveness of the Assurance Plan and related functions/roles will be reviewed annually as part of the CCG's IG Improvement Programme;
- The IG Sub-Committee of the CCG's Quality & Clinical Governance Committee will review and approve a 2016/17 Information Security Assurance Plan following publication of 2015/16 CCG IG Toolkit requirements (expected June 2016).

Abbreviations Used in Assurance Plan

CSU: Commissioning Support Unit
DR&BC: Disaster Recovery & Business Continuity
IA: Information Asset
IAO: Information Asset Owner
ICT: Information Communication Technology
PIA: Privacy Impact Assessment

Section 1 Local Information Security Assurance Plan

Please see the CCG's 2015/16 IG Improvement Plan for details of the current scheduling of activities detailed below.

Control Information Security Framework Staff Awareness & Training IG related contract clauses in place with third parties Structured Implementation and InfoSec Accreditation Information Asset Register Assurance Activity/Monitoring Q1 Further Action Q2-4 Responsible There is an appropriate Information Security Framework in place. Independent assurance regarding ICT risk management 134 Over 95% staff completion of mandatory IG Training Review of IG & Information Security related policies in progress. Independent audit of ICT risk management completed outcome: Substantial Assurance. Training of new staff. See Key Performance Indicators reports. 345 SIRO and IAO training Training Needs Analysis reviewed. 349 IA Incident reporting training Review of new HSCIC guidance Appropriate IG clauses are in place for all staff, contractors and third parties 237 All services and information assets are developed to comply with Information Security requirements Inc all key/critical local information assets including sensitive or personal data Discussions with project and contract managers regarding IG requirements for new contracts Advice and guidance to CCG staff developing new services and information assets. None IGSC approval of updated Information Security policy. Information Security measures included within 15/16 audit sample. Refresher training for existing staff. Mandatory training to be completed. Explore additional local training. Development of new IG Incident Reporting Procedures and evidence of staff understanding Assurance that appropriate compliance with IG related requirements has been received from third parties Information asset review programme to be completed. Input to OD Programme to ensure IG needs reflected. Update following completion of Risk Assessments & SLSPs Directors of Contracts

Data Flow Mapping Information Risk Management Assurance Activity/Monitoring Q1 Further Action Q2-4 Responsible 345 Confirms IA Risk None Update following completion of 351 Assessments completed Risk Assessments & SLSPs 237 Confirms Access Controls None Update following completion of 344 Risk Assessments & SLSPs 346 Confirms DR&BC Plans None 344 Confirms System Level None Security Policies 350 Mapping of data flows for all 236 business units 350 Risk assessment of data 351 flows 350 SIRO's review of data flow 351 mapping outcomes 351 Information sharing/data 250 processor agreements 235 Compliance with 348 policy Robust encryption methods 348 used for transfers of 351 sensitive/personal data 235 Use of mobile memory 348 media Risk Assessment of 341 existing, new and proposed 345 local Information Assets. 344 System level security policies established for existing, new and proposed local key/critical Info Assets. Safeguarding sessions being organised currently None None LAC & ICP Information Sharing Agreements in progress Guidance being updated and non-NHS accounts being closed by CSU. Staff guidance being updated. Use of encrypted USB sticks by CCG staff Complete for high risk assets (quarterly reviews) Complete for high risk assets (quarterly reviews) Data flow mapping exercise refresh Register of ISAs maintained and regularly reviewed Staff evidence read and understood guidance. Data flow mapping exercise refresh Review staff use of personal iPhones and use of iPads for Board Papers etc. Review and update risk assessments and System Level Security Policies at required frequency.

Information Risk Management (cont) ICT Network Usage NHS Smart Card Usage NHS Number Usage 346 Team level BC&DR plans include access to Assurance Activity/Monitoring Q1 Further Action Q2-4 Responsible key/critical IAs Privacy Impact Assessments (PIAs) undertaken for new services Physical Protection of Premises/equipment Monitoring of ICT services delivered by 3rd party organisations Staff IG Survey to be undertaken Acceptable Usage of system Acceptable Usage of internet 342 CCG Registration Authority policy and procedures in place 343 CCG to ensure adequate governance over the issuing/use of NHS Smartcards 421 There is consistent and comprehensive use of the NHS Number in line with NHS requirements None PIAs completed for LAC work and Integrated Care (in progress) None See Section 2 Assurance Plan for ICT Services Provided by South East CSU. Meeting held with CSU Account None Staff guidance in development. NHS.net upgrade underway. Implementation of proxy server. Policy and procedures in place. Q1 reports from CSU Registration Authority and reviewed by CCG sponsors. Development of Accredited Safe Haven (ASH) outline business case for IGSC and EMT review. Development and testing of team level BC&DR Plans Complete PIAs as required. Take forward as part of CCG OD Programme. Arrange for physical penetration testing to take place by 3rd party Various assurance and supporting evidence. See section 2 Assurance Plan for ICT Services Provided by South East CSU Develop questions and methodology Explore NHS.net mailbox reporting with HSCIC Move all staff to proxy and receive regular reports from CSU. Review following receipt of CSU updated RA Policy. Receive and review reports Q2-4. Include NHS Number use review within 2015/16 Information Asset Review Programme. Deputy Director G&C CGSM Manager

IG Incident Management User Access Control Mobile Computing Pseudo. and Anonymisation 349 Robust incident reporting arrangements in place Assurance Activity/Monitoring Q1 Further Action Q2-4 Responsible Monitoring of IG related incident trends 134 Staff awareness and compliance with incident reporting procedures Robust registrations & leavers process in place 348 Robust encryption in place on laptops. Equipment held by 348 authorised individuals only Robust pseudonymisation and/or anonymisation is undertaken Monitoring and reporting of IG related incidents in accordance with CCG procedures. Monitoring and reporting of IG related incidents in accordance with CCG procedures. E-brief reminder and incident form circulated. Guidance issued via E-brief. HR review of processes in place. CCG incident reporting procedures updated to reflect latest HSCIC Guidance. Undertake trend analysis of incidents Audit of incident records to be undertaken. Audits of records held by CCG and CSU. Raised concerns to CSU Assurance from CSU Records held of authorisations Provided under SLA with CSU. Audits of records held by CCG and CSU. Assurance statement from CSU. Head of Information

Please see below for Section 2 Assurance Plan for ICT Services Provided by South East CSU

Section 2 Assurance Plan for ICT Services Provided by South East CSU

Please see the CCG's 2015/16 IG Improvement Plan for details of the current scheduling of activities detailed below.

Control Contracts are monitored and assurance gained in respect of compliance with IG requirements Assurance regarding individuals with access to CCG confidential data Assurance Activity/Monitoring Q1 Further Action Q2-4 Responsible 132 Assurance required in respect of compliance with IG requirements 133 Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation Review of CSU 14/15 Return Copy of CSU's final 2014/15 Independent Audit Report Meeting with CSU Account In year assurance regarding 15/16 score for CSU, copies of NHS England's Reports on Internal Controls in place at SECSU, and copy of CSU's draft 2015/16 Independent Audit Report Assurance statement regarding suitable IG clauses being in place for any CSU staff who may access CCG personal data (e.g. ICT staff) CCG confidentiality checks 235 Staff access to confidential personal information is monitored and audited. Where care records are held electronically, audit trail Report showing usage of removable media devices (USBs etc) used to remove data from CCG electronic filing system

Information Risk Management Assurance Activity/Monitoring Q1 Further Action Q2-4 Responsible details about access to a record can be made available to the individual concerned on request. 340 The work necessary to provide Information Security Assurance has been identified Informed CSU that current version of CSU's IS Assurance Plan available to CCG is out of date. Confirmation that all non-NHS.net accounts for GWCCG users have now been deleted Assurance statement or independent audit report confirmation regarding confidentiality audits for CSU systems holding CCG confidential data undertaken during 15/16 Updated CSU IS Assurance Plan for review. 341 An Information Risk Assessment and Management Programme has been documented along with associated strategies, policies and procedures, linked to the organisation's corporate risk register There are established business 342 All CSU RA staff have received the mandated national training. Assurance regarding CSU RA Staff Training completion

processes and procedures that satisfy the organisation's obligations as a Registration Authority (RA) Assurance Activity/Monitoring Q1 Further Action Q2-4 Responsible RBAC implementation at Registration Authorities Assurance regarding RBAC fully implemented. CSU RA service capacity Assurance regarding RA consumables etc 343 CSU have robust RA policy in place Informed CSU that current version available to CCG is out of date. Updated CSU Registration Authority Policy for review. ICT Application Assurance Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use 344 Operating and application information systems (under the organisation's control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems Q1 report received from CSU and reviewed by CCG Sponsors/Line Managers. Closure of access no longer required. Q1 report received from CSU and reviewed by CCG. All current users have electronically signed their terms and conditions. Quarterly reports showing current CCG Smartcard users Audit report on the outcome of checking that all CCG NHS Smartcard users have electronically signed their terms and conditions Standard CCG desktop and laptop image build (including common and technical applications) and specific builds for roles (Info Team, Comms Team) to be agreed.

Assurance Activity/Monitoring Q1 Further Action Q2-4 Responsible There are appropriate user access management procedures (including user registration, update and deregistration processes), technical functionality and management controls for all key information assets identified in the organisation's asset register. ICT Network reports on password strength settings and number of failed login attempts for GWCCG staff members Reports showing CCG Account Directory accounts (including details date opened, approver and date closed) Report showing G&WCCG Account Directory Accounts Inactive for 2 or more weeks Access to information assets is only possible for individuals who have been duly authorised Examples of ICT Network access logs for G&WCCG users (e.g. 2 week period) Penetration Testing results for ICT network utilised by CCG (COIN) SIRO Assurance 345 An effectively supported Senior Information Risk Owner takes ownership of the organisation's information risk policy and information risk management strategy CSU Information Security Policy to check alignment with CCG policy

Business Continuity Plan ICT Network Assurance Assurance Activity/Monitoring Q1 Further Action Q2-4 Responsible 346 Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place 347 Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely Installation of proxy server and some CCG users moved to test environment. Assurance regarding BCDR arrangements for services provided to CCG under SLA and testing of these during 15/16 Assurance regarding Surrey Community of Interest Network (COIN) utilised by CCG & COIN Stakeholder Group updates and Risk Assessments Take forward proxy server configuration and roll out to all users. Reports to support acceptable usage of internet monitoring by CCG Mobile computing and teleworking assurance 348 Policy and procedures ensure that mobile computing and teleworking are secure Report on RAS Accounts (including details date opened, approver and date closed) Reports showing devices (phones, iPads and laptops) on network being utilised by CCG staff

Incident Reporting Data Flow Mapping Assurance Activity/Monitoring Q1 Further Action Q2-4 Responsible 349 Adherence with NHS incident management and reporting procedures 236 All transfers of CCG personal data to countries outside of the UK fully comply with the Data Protection Act 1998 and DH guidelines. Where the review of overseas transfers reveals that appropriate contracts are not already in place for existing transfers, the organisation ensures that new contractual arrangements are signed. Assurance that attached VPN solution diagram remains correct and has been penetration tested in 15/15 Assurance regarding encryption system in place on Surrey CCG laptops Assurance that CSU has not experienced any data loss incidents (inc near misses) relating to GWCCG confidential business data (inc PID) Statement confirming whether the CSU transfer/process any G&W CCG data outside UK/EEA and, if so, statement confirming that all transfers of personal data to countries outside of the UK fully comply with the Data Protection Act 1998 and DH guidelines.

Technical Controls Assurance Assurance Activity/Monitoring Q1 Further Action Q2-4 Responsible 350 All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers 351 All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures Assurance regarding processing of GWCCG data by CSU Assurance regarding penetration testing of ICT Network utilised by CCG Assurance regarding encryption system in place on Surrey CCG laptops and penetration testing of VPN Pseudo. and anonymisation assurance Records Management Assurance 352 The confidentiality of CCG service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate 420 The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience Assurance regarding processing of GWCCG data by CSU Reports on corporate X Drive Usage (to include no of folders, destination/no of files, file type, file size etc) Reports on staff personal Z Drive Usage (to include no of folders/no of files, file type, file size etc) Head of Information

NHS Number Assurance 421 There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements Assurance Activity/Monitoring Q1 Further Action Q2-4 Responsible Confirmation that CSU have NHS Number plan in place

Information Governance Plan

Information Governance Plan Information Governance Plan 2013 2015 1. Overview 1.1 Information is a vital asset, both in terms of the clinical management of individual patients and the efficient organisation of services and resources.

More information

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework Putting Barnsley People First Barnsley Clinical Commissioning Group Information Governance Policy and Management Framework Version: 1.1 Approved By: Governing Body Date Approved: 16 January 2014 Name of

More information

Information Governance Training Plan v13

Information Governance Training Plan v13 Information Governance Training Plan To meet requirements of IGT v13 Lincolnshire East Clinical Commissioning Group Page 1 of 17 Contents Introduction Page 3 Training Provision Page 4 Staff Induction Awareness

More information

Information Governance Strategy. Version No 2.0

Information Governance Strategy. Version No 2.0 Plymouth Community Healthcare CIC Information Governance Strategy Version No 2.0 Notice to staff using a paper copy of this guidance. The policies and procedures page of PCH Intranet holds the most recent

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Information Governance Policy Issue Date: June 2014 Document Number: POL_1008 Prepared by: Information Governance Senior Manager Insert heading depending on Insert line heading

More information

INFORMATION GOVERNANCE STRATEGY

INFORMATION GOVERNANCE STRATEGY INFORMATION GOVERNANCE STRATEGY Page 1 of 10 Strategy Owner Valerie Penn, Head of Governance Strategy Author Caroline Law, Information Governance Project Manager Directorate Corporate Governance Ratifying

More information

Information Governance Framework and Strategy. November 2014

Information Governance Framework and Strategy. November 2014 November 2014 Authorship : Committee Approved : Chris Wallace Information Governance Manager CCG Senior Management Team and Joint Trade Union Partnership Forum Approved Date : November 2014 Review Date

More information

Information Governance Toolkit Report 2013/14

Information Governance Toolkit Report 2013/14 TAUNTON AND SOMERSET NHS FOUNDATION TRUST Information Governance Toolkit Report 2013/14 Report to: Trust Board on: 28 May 2014 Purpose of the Report: This report is presented to the Trust Board for information

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Information Governance Strategic

More information

UCL Information Governance Framework Trevor Peacock UCL School of Life and Medical Sciences

UCL Information Governance Framework Trevor Peacock UCL School of Life and Medical Sciences UCL Information Governance Framework Trevor Peacock UCL School of Life and Medical Sciences NHS-HE Forum, 28 th November 2013 UCL IG Framework Where we ve got to The IG Framework Services to support the

More information

Information Governance

Information Governance Attach 8 Information Governance CCG Accredited Safe Haven Application Information Governance CCG Accredited Safe Haven Application 1 1. Introduction 1.1. From the 1st April 2013 new information governance

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy ID IG02 Version: V1 Date ratified by Governing Body 27/09/13 Author South Commissioning Support Unit Date issued: 21/10/13 Last review date: N/A Next review date: September

More information

Policy: D9 Data Quality Policy

Policy: D9 Data Quality Policy Policy: D9 Data Quality Policy Version: D9/02 Ratified by: Trust Management Team Date ratified: 16 th October 2013 Title of Author: Head of Knowledge Management Title of responsible Director Director of

More information

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT 9.7 Date of the meeting 15/07/2015 Author Sponsoring Clinician Purpose of Report Recommendation J Green - Head

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Policy approved by: Audit and Governance Committee Date: 4 th December 2014 Next Review Date: December 2016 Version: 1 Information Security Policy Page 1 of 17 Review and Amendment

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Name of Policy Author: Name of Review/Development Body: Ratification Body: Ruth Drewett Information Governance Steering Group Committee Trust Board : April 2015 Review date:

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

Information Governance Policy

Information Governance Policy Policy Policy Number / Version: v2.0 Ratified by: Audit Committee Date ratified: 25 th February 2015 Review date: 24 th February 2016 Name of originator/author: Name of responsible committee/individual:

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY POLICY NO IM&T 011 DATE RATIFIED January 2012 NEXT REVIEW DATE January 2015 POLICY STATEMENT/KEY OBJECTIVE: To provide an overarching framework through which Information Governance

More information

Further to reports to EAG in February and March 2014, the purpose of this report is to;

Further to reports to EAG in February and March 2014, the purpose of this report is to; Report to: Trust Board of Directors Date of Meeting: 29 May 2014 Report Title: Annual Information Governance Report 13/14 Status: Mark relevant box with X Prepared by: Executive Sponsor (presenting): Appendices

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

Information Management Policy CCG Policy Reference: IG 2 v4.1

Information Management Policy CCG Policy Reference: IG 2 v4.1 Information Management Policy CCG Policy Reference: IG 2 v4.1 Document Title: Policy Information Management Document Status: Final Page 1 of 15 Issue date: Nov-2015 Review date: Nov-2016 Document control

More information

Information Governance Strategy. Version No 2.1

Information Governance Strategy. Version No 2.1 Livewell Southwest Information Governance Strategy Version No 2.1 Notice to staff using a paper copy of this guidance. The policies and procedures page of LSW Intranet holds the most recent version of

More information

Information Governance and Data Protection Policy

Information Governance and Data Protection Policy Information Governance and Data Protection Policy Page 1 of 21 Document Control Sheet Name of document: Version: Owner: File location / Filename: Information Governance and Data Protection Policy Final

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

A Question of Balance

A Question of Balance A Question of Balance Independent Assurance of Information Governance Returns Audit Requirement Sheets Contents Scope 4 How to use the audit requirement sheets 4 Evidence 5 Sources of assurance 5 What

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Information Governance Toolkit Assessment 2009/10

Information Governance Toolkit Assessment 2009/10 Information Governance Toolkit Assessment 2009/10 Document Reference: Version: Ratified by: Date ratified: Name of originator/author: Name of responsible committee/individual: Document owner: Document

Information Governance Strategy

Information Governance Strategy Information Governance Strategy THCCGCG9 Version: 01 The information governance strategy outlines the CCG governance aims and the key objectives of its governance policies. The Chief officer has the overarching

Securing excellence in IT Services. Operating model for offender health care

Securing excellence in IT Services. Operating model for offender health care Securing excellence in IT Services Operating model for offender health care February 2013 Table of Contents 01 Glossary of terms 02 Introduction Purpose of document Background 03 Offender Health IT Commissioning

Information Governance Framework

Information Governance Framework Information Governance Framework Authorship: Chris Wallace, Information Governance Manager Committee Approved: Integrated Audit and Governance Committee Approved date: 11th March 2014 Review Date: March

Remote Working and Portable Devices Policy

Remote Working and Portable Devices Policy Remote Working and Portable Devices Policy Policy ID IG04 Version: V1 Date ratified by Governing Body 29/09/13 Author South Commissioning Support Unit Date issued: 21/10/13 Last review date: N/A Next review

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

Data Encryption Policy

Data Encryption Policy Data Encryption Policy Please be aware that this printed version of the Policy may NOT be the latest version. Staff are reminded that they should always refer to the Intranet for the latest version. Purpose

N3 Protecting the Network through Information Governance and Assurance

N3 Protecting the Network through Information Governance and Assurance N3 Protecting the Network through Information Governance and Assurance NHS CFH Operational Security Team cfh.ost@nhs.net Introductions The NHS CFH Operational Security Team: Tony Hodgson Operational Security

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation Northumberland, Newcastle North and East, Newcastle West, Gateshead, South Tyneside, Sunderland, North Durham, Durham Dales, Easington and Sedgefield, Darlington, Hartlepool and Stockton on Tees and South

NHS Information Governance: 2010/11 UPDATE

NHS Information Governance: 2010/11 UPDATE NHS Information Governance: 2010/11 UPDATE JANUARY 2011 Contents Outline of the Changes Quick reference to additional evidence requirements Guide to using the online Toolkit Frequently asked questions

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version Version 1 Ratified By Date Ratified PROPOSED FOR APPROVAL 15/11/12 Author(s) Responsible Committee / Officers Date Issue November 2012 Review Date November 2013 Intended

NHS Waltham Forest Clinical Commissioning Group Information Governance Policy

NHS Waltham Forest Clinical Commissioning Group Information Governance Policy NHS Waltham Forest Clinical Commissioning Group Information Governance Policy Author: Zeb Alam & David Pearce Version 3.0 Amendments to Version 2.1 Updates made in line with National Guidance and Legislation

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY Directorate of Performance Assurance INFORMATION GOVERNANCE POLICY Reference: DCP074 Version: 2.5 This version issued: 27/03/15 Result of last review: Minor changes Date approved by owner (if applicable):

INFORMATION GOVERNANCE POLICY (INCORPORATING INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK)

INFORMATION GOVERNANCE POLICY (INCORPORATING INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK) Ref No: IN-101 INFORMATION GOVERNANCE POLICY (INCORPORATING INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK) AREA: POLICY SPONSOR: Trust Wide Director of Finance IMPLEMENTED: October 2009 REVISED: June 2011

NHS Commissioning Board: Information governance policy

NHS Commissioning Board: Information governance policy NHS Commissioning Board: Information governance policy DOCUMENT STATUS: To be approved / Approved DOCUMENT RATIFIED BY: DATE ISSUED: October 2012 DATE TO BE REVIEWED: April 2013 2 AMENDMENT HISTORY: VERSION

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Page 1 of 46 Policy Title: Executive Summary: Information Governance Policy This policy seeks to identify the actions required to ensure that information is appropriately

D-CRIS Information Governance Assurance

D-CRIS Information Governance Assurance D-CRIS Information Governance Assurance Date: 05 08 2013 Version: 1.0 Author: Murat Soncul Contents 1. Introduction... 3 2. CRIS Security Model... 3 3. SLaM Information Governance Framework... 4 4. Roles

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Issued by: Senior Information Risk Owner Policy Classification: Policy No: POLIG001 Information Governance Issue No: 1 Date Issued: 18/11/2013 Page No: 1 of 16 Review Date:

Corporate Affairs Overview and Scrutiny Committee

Corporate Affairs Overview and Scrutiny Committee Agenda item: 4 Committee: Corporate Affairs Overview and Scrutiny Committee Date of meeting: 29 January 2009 Subject: Lead Officer: Portfolio Holder: Link to Council Priorities: Exempt information: Delegated

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader AGENDA ITEM: SUMMARY Report for: Committee Date of meeting: 30 May 2012 PART: 1 If Part II, reason: Title of report: Contact: Purpose of report: Recommendations Corporate objectives: Implications: INFORMATION

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July 2013 1 Document Control Sheet Name of Document: Information Governance & Data Protection Policy

Information Governance Policy

Information Governance Policy Information Governance Policy UNIQUE REF NUMBER: AC/IG/013/V1.2 DOCUMENT STATUS: Approved by Audit Committee 19 June 2013 DATE ISSUED: June 2013 DATE TO BE REVIEWED: June 2014 AMENDMENT HISTORY

BEFORE USING THIS GUIDANCE, MAKE SURE YOU HAVE THE MOST UP TO DATE VERSION GUIDANCE 2 POLICY AREA: INFORMATION GOVERNANCE

BEFORE USING THIS GUIDANCE, MAKE SURE YOU HAVE THE MOST UP TO DATE VERSION GUIDANCE 2 POLICY AREA: INFORMATION GOVERNANCE GUIDANCE 1 TITLE: INFORMATION GOVERNANCE FRAMEWORK 2 POLICY AREA: INFORMATION GOVERNANCE 3 ACCOUNTABLE DIRECTOR FOR POLICY AREA: DIRECTOR OF QUALITY AND GOVERNANCE 4 GUIDANCE DRAFTED BY: INTEGRATED GOVERNANCE

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 26/10/2015 HSCIC Audit of Data Sharing

Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs

Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs Information Governance Policy Version - Final Date for Review: 1 October 2017 Lead Director: Performance, Quality and Cooperate Affairs NOTE: This is a CONTROLLED Document. Any documents appearing in paper

Information Management Policy

Information Management Policy Information Management Policy Document Control Title Organisation Description Author(s) Information Management Policy London Legacy Development Corporation The Information Management Policy describes how

How To Ensure Information Security In Nhs.Org.Uk

How To Ensure Information Security In Nhs.Org.Uk Proforma: Information Policy Security & Corporate Policy Procedures Status: Approved Next Review Date: April 2017 Page 1 of 17 Issue Date: June 2014 Prepared by: Information Governance Senior Manager Status:

Secure Transfer of Information Guidance for staff

Secure Transfer of Information Guidance for staff Secure Transfer of Information Guidance for staff Document number CCG.GOV.013.1.1 Version: 1.1 Ratified by: NHS Bury CCG Quality and Risk Committee Date ratified: 8 th January 2014 Name of originator /author

INFORMATION GOVERNANCE STRATEGY NO.CG02

INFORMATION GOVERNANCE STRATEGY NO.CG02 INFORMATION GOVERNANCE STRATEGY NO.CG02 Applies to: All NHS LA employees, Non-Executive Directors, secondees and consultants, and/or any other parties who will carry out duties on behalf of the NHS LA.

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff.

Information Governance Policy. 2 RESPONSIBLE PERSON: Steve Beeho, Head of Integrated Governance. All CCG-employed staff. Information Governance Policy 1 SUMMARY This policy is intended to ensure that staff are fully aware of their Information Governance (IG) responsibilities, so that they can effectively manage and best

Information Governance Strategy Includes Information risk & incident management methodology

Information Governance Strategy Includes Information risk & incident management methodology Version 2.0 Information Governance Strategy Includes Information risk & incident management methodology Approved by: Quality & Governance Committee Ratification date: May 2014 Review date: May

CCG: IG06: Records Management Policy and Strategy

CCG: IG06: Records Management Policy and Strategy Corporate CCG: IG06: Records Management Policy and Strategy Version Number Date Issued Review Date V3 08/01/2016 01/01/2018 Prepared By: Consultation Process: Senior Governance Manager, NECS CCG Head of

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

Information Governance Strategy

Information Governance Strategy Policy No: IG01 Version: 3.0 Name of Policy: Information Governance Strategy Effective From: 02/06/2015 Date Ratified 06/05/2015 Ratified Health Informatics Assurance Group (HIAG) Review Date 01/05/2017

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L. Document No: IG10d Version: 1.1 Name of Procedure: Third Party Due Diligence Assessment Author: Release Date: Review Date: Lauren Hamill, Information Governance Officer Version Control Version Release

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

We then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective.

We then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective. Good Practice Audit outcomes analysis Police Forces April 2013 to April 2014 This report is based on the final audit reports the ICO completed in the Criminal Justice sector, specifically of Police forces,

How To Audit Health And Care Professions Council Security Arrangements

How To Audit Health And Care Professions Council Security Arrangements Audit Committee 28 Internal audit report ICT Security Executive summary and recommendations Introduction Mazars has undertaken a review of ICT Security controls, in accordance with the internal audit plan

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Version: 3.2 Authorisation Committee: Date of Authorisation: May 2014 Ratification Committee Level 1 documents): Date of Ratification Level 1 documents): Signature of ratifying

Information Governance Strategy Includes Information risk & incident management methodology

Information Governance Strategy Includes Information risk & incident management methodology Version 3.0 Information Governance Strategy Includes Information risk & incident management methodology Approved by: Quality Assurance Group Ratification date: March 2015 Review date: March 2016

Information Governance Standards in Relation to Third Party Suppliers and Contractors

Information Governance Standards in Relation to Third Party Suppliers and Contractors Information Governance Standards in Relation to Third Party Suppliers and Contractors Document Summary Ensure staff members are aware of the standards that should be in place when considering engaging

Electronic Palliative Care Co-Ordination Systems: Information Governance Guidance

Electronic Palliative Care Co-Ordination Systems: Information Governance Guidance QIPP Digital Technology Electronic Palliative Care Co-Ordination Systems: Information Governance Guidance Author: Adam Hatherly Date: 26 th March 2013 Version: 1.1 Crown Copyright 2013 Page 1 of 19 Amendment

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project / Work Data Sharing Audits Status Final Acting Director Chris Roebuck Version 1.0 Owner Rob Shaw Version issue date 19-Jan-2015 HSCIC Audit of

INFORMATION GOVERNANCE HANDBOOK

INFORMATION GOVERNANCE HANDBOOK INFORMATION GOVERNANCE HANDBOOK SECTION ONE Author Tracey Burrows Role Information Governance Manager (CSCSU) Date / Version February 2015 Version FINAL V1.0 Approved by IM&T Board Date 27 February 2015

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Including the Information Governance Strategy Framework and associated Information Governance Procedures Last Review Date Approving Body N/A Governing Body Date of Approval

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

Policy Information Management

Policy Information Management Policy Information Management Document Title: Policy Information Management Issue date: October 2013 Document Status: Approved IGC 23 Oct 2013 Review date: October 2014 Page 1 of 17 Document control Document

Gloucestershire Hospitals

Gloucestershire Hospitals Gloucestershire Hospitals NHS Foundation Trust TRUST POLICY In the case of hard copies of this policy the content can only be assured to be accurate on the date of issue marked on the document. The Policy

Information Governance Policy

Information Governance Policy Information Governance Policy Policy Summary This policy outlines the organisation s approach to the management of Information Governance and information handling. It explains the accountability and reporting

Appendices Device Destruction/ Disposal process 7

Appendices Device Destruction/ Disposal process 7 IM&T Electronic Information Security Policy Classification: Policy Lead Author: Jym Bates, Head of Information Assurance Additional author(s): N/A Authors Division: Corporate (IM&T) Unique ID: TI4(09)

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

Information Governance Policy

Information Governance Policy Information Governance Policy REFERENCE NUMBER IG 101 / 0v3 May 2012 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive 4.9.12 REVIEW DUE DATE May 2015 West Lancashire CCG is committed to ensuring

Agenda Item: Item 21 Report Number: 130/15 Dianthus Building, Wishbone Way, Goldsworth Park, Woking, Surrey GU21 3RT Date 12 January 2015

Agenda Item: Item 21 Report Number: 130/15 Dianthus Building, Wishbone Way, Goldsworth Park, Woking, Surrey GU21 3RT Date 12 January 2015 Agenda Item: Item 21 Report Number: 130/15 Venue: Dianthus Building, Wishbone Way, Goldsworth Park, Woking, Surrey GU21 3RT Date 12 January 2015 North West Surrey CCG Governing Body Title of Report: Prepared

Safe Haven Policy. Equality & Diversity Statement:

Safe Haven Policy. Equality & Diversity Statement: Title: Safe Haven Policy Reference No: 010/IT Owner: Deputy Chief Officer Author Information Governance Lead First Issued On: November 2012 Latest Issue Date: March 2015 Operational Date: March 2015 Review

Copyright 2016 Health and Social Care Information Centre

Copyright 2016 Health and Social Care Information Centre Document filename: Registration Authorities Operational and Process Guidance Directorate / Programme Access Control Project Access Control Document Reference Project Manager John Winter Status Final Owner

NHS Waltham Forest Clinical Commissioning Group Information Governance Strategy

NHS Waltham Forest Clinical Commissioning Group Information Governance Strategy NHS Waltham Forest Clinical Commissioning Group Governance Strategy Author: Zeb Alam, CCG IG Lead, (NELCSU) David Pearce, Head of Governance, WFCCG Version 3.0 Amendments to Version 2.1 Annual Review Reference

Information Governance Policy

Information Governance Policy Information Governance Policy Version 1.1 Responsible Person Information Governance Manager Lead Director Head of Corporate Services Consultation Route Information Governance Steering Group Approval Route

SERVICE CATALOGUE

SERVICE CATALOGUE SERVICE CATALOGUE IT Services 1 IT Support and Management Services SERVICE AREA: SERVICE DESK Users can contact the Service Desk via the phone or an online web form for all their ICT service

Policies for: Information Governance Information Quality Information Management Information Security. Version Control Version: 0.1

Policies for: Information Governance Information Quality Information Management Information Security. Version Control Version: 0.1 Policies for: Information Governance Information Quality Information Management Information Security Approved by: None this version Date approved: Name of originator/author: Ade Oduntan, Mike Hellier,

Information Governance Policy

Information Governance Policy BEXLEY CARE TRUST MANAGEMENT MANUAL Title: INFORMATION GOVERNANCE POLICY Originating Department: IT DEPARTMENT Authorised by: Risk Management Committee June 2008 Reference no: CA12 Date of Issue: JANUARY

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS Newcastle Gateshead Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Approved No impact NHS Quality, Safety

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16 NHS North Durham Clinical Commissioning Group Information Governance Strategy 2015/16 Document Status Equality Impact Assessment Document Ratified/Approved By Final No impact Risk and Audit Committee/Governing

Cardiff Council. Data protection audit report. Executive summary June 2014

Cardiff Council. Data protection audit report. Executive summary June 2014 Cardiff Council Data protection audit report Executive summary June 2014 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Name: Position held: Company Name: Is your organisation ISO27001 accredited: Third Party Information Security Questionnaire This questionnaire is to be completed by the system administrator and by the third party hosting company if a separate company is used. Name: Position held:
