University of Sunderland Business Assurance Over-arching Information Governance Policy

Transcription

1 University of Sunderland Business Assurance Over-arching Information Governance Policy Document Classification: Public Policy Reference Central Register IG001 Policy Reference Faculty / Service IG 001 Policy Owner Assistant Director, Business Assurance Date Policy Written May 2013 Date Policy Last Updated Date to Information Governance Group 13 th June 2013 Date to Executive 26 th July 2013 Date for next Review May 2014 Comments B u s i n e s s A s s u r a n c e 4 t h F l o o r, E d i n b u r g h B u i l d i n g Page 1

2 1. INTRODUCTION Information Governance is defined as the way by which information is handled. Information Governance is the term used to encompass the multi-disciplinary structures, policies, procedures, process and controls which are implemented to manage the processing of information within an organisation. It provides a framework for processing information in a confidential and secure manner, as determined by legislative acts, statutes and best practice guidance such as:- The Data Protection Act 1998 The Freedom of Information Act 2000 Computer Misuse Act 1990 Human Rights Act 1998 Access to Health Records Act 1990 Environmental Information Regulations 2004 Regulation of Investigatory Powers Act 2000 Lawful Business Practice Regulations 2000 Mental Capacity Act DEFINITIONS The University has developed the following definitions: The University has a Corporate Plan, which outlines its vision and strategic themes. This has been agreed formally by the University Executive and Board of Governors, and contains high-level principles that drive how the University formulates policy. A policy is a concise statement of principle which states how the University will operate in a particular area. Policies provide the operational framework within which the University conducts its business. A central register of policies is maintained by Business Assurance. A procedure states how we will implement policy on an operational level. They serve to inform staff about how to accomplish their work within current systems. A guidance note defines the recommended approach for conducting a specific activity, and should provide operational detail, instructions and advice that facilitates the implementation of a code of practice. 3. INFORMATION GOVERNANCE MANAGEMENT 3.1. Objective: To ensure appropriate management arrangements are in place to effectively manage the Information Governance agenda Responsibilities Board of Governors and Vice Chancellor Ultimate responsibility information governance rests with the Board of Governors. The Vice Chancellor, has executive responsibility for all aspects of information governance and together with the Board of Governors, will ensure that proper procedures are in place to fully implement this policy. The Vice Chancellor is responsible signing any undertakings with the Information Commissioner on behalf of the University due to non-compliance. B u s i n e s s A s s u r a n c e 4 t h F l o o r, E d i n b u r g h B u i l d i n g Page 2

3 Senior Information Risk Owner (SIRO) Overall responsibility for this policy lies with the Assistant Director of Business Assurance, who performs the role of the University s Senior Information Risk Owner (SIRO) The SIRO is responsible for: Ensuring that an overall culture exists that values and protects information within the organisation Owning the organisation s overall information risk policy and risk assessment process, testing its outcome and ensuring that it is used Owning the organisation s information incident management framework The Assurance Manager (Business Assurance - Information Governance), responsible to the Assistant Director for Business Assurance, is responsible for drawing up information governance policy, process and guidance and ensuring compliance with this policy. The Assurance Manager will oversee the Information Governance Framework and ensure its successful operation. The IT Security Manager (ITS), reporting to the Assistant Director of SLS: IT, is responsible for developing IT Security Policy, standards and guidelines. He/she is also responsible for ensuring that effective IT Security systems, controls and training programs are operationally implemented, fit for purpose and available across the University. The Legal Support & Data Protection Officer is responsible for developing policy, process and guidance relating to Data Protection and can provide advice on collecting, using and protecting personal information. The University Deans of Faculty and Directors of Support Services have responsibility for ensuring compliance with the University s Information Governance policies and ensuring any issues of non-compliance are addressed. They have responsibility for ensuring that an appropriate member of staff, in each Faculty and Service, takes on the role of Information Champion. Individual employees have responsibility for ensuring that they comply with this policy and any related policies and guidance. Staff should attend training and awareness sessions provided by the University. Employees also have a duty to report any incidents or near misses in relation to information security Governance Groups Information Governance Group The Information Governance Group is accountable to the University s Business Assurance Board. It is to act as a programme board for direction of the University s overall approach to Information Governance. Specifically, it is tasked with:- Holding an understanding of all elements of Information Governance, including relevant technical and legal requirements Overseeing all aspects of policy development in relation to Information Governance B u s i n e s s A s s u r a n c e 4 t h F l o o r, E d i n b u r g h B u i l d i n g Page 3

4 Overseeing all technical developments to support and enhance the University s approach to the management of Information Governance Governing the design and delivery of all training and development activity in relation to Information Governance Information Champions Group Information Champions are accountable to their Dean of Faculty/Director of Service and have a responsibility to monitor information governance compliance and awareness and be the primary point of contact and source of information and support within the Faculty/Service. The Information Champions Group will report to the Information Governance Group. Technical Security Group Faculty IT Technicians play a pivotal role in the application of technical IT Security controls within their Faculty and are accountable to their Dean of Faculty/Director of Service for ensuring the IT Services provided by the Faculty are in line with IT Security Policies & Standards. The technicians must also be a primary point of contact and source of information in relation to IT Security form an awareness perspective in supporting the Faculty/Service. The Technical Security Group will report to the Information Governance Group. 4. CONFIDENTIALITY AND DATA PROTECTION 4.1. Objective: To ensure that all staff and contractors are aware of and comply with their obligations with regards to confidentiality. Compliance with legal and regulatory framework will be achieved, monitored and maintained. The obligation to keep information confidential arises out of the common law duty of confidentiality, the Data Protection Act 1998, professional obligations and staff employment contracts. In combination, these duties and obligations place all staff members with access to confidential personal information under a duty to keep that information safe and secure (i) Policies and Procedures To aid staff in complying with their duties and obligations with regards to confidentiality, the following policies and procedures will be in place: Data Protection Policy Subject Access Request (SAR) Procedures Staff Guide to Personal Information Student Guide to Personal Information Public Guide to Personal Information Data Sharing Agreement Guidance Non disclosure Agreement Guidance Commercial Confidentiality Guidance B u s i n e s s A s s u r a n c e 4 t h F l o o r, E d i n b u r g h B u i l d i n g Page 4

5 5. INFORMATION SECURITY 5.1. Objective: To ensure that information systems are secure and respond to security related incident in whatever way is appropriate. To prevent loss, damage or compromise of assets and interruption to business activities. The main priorities for information security are:- creating a culture towards Information Security within the organisation ensuring security policies contain sufficient detail and strength to guide staff, particularly around o the identification and understanding of the types of information they deal with o removable media/portable computing o transfer of person identifiable information ensuring staff have access to policies and guidance and sufficient training to ensure they can fulfil their duties responsibly and securely 5.2. Policies and Procedures The following policies and procedures, as a minimum, will be in place in relation to Information Security: Information Security Policy IT Acceptable Use Policy IT Security Policy Information Risk Management Policy (and procedures) IT and Communications Interception and Monitoring Policy Policy on Connection to the University Network IT Systems at Risk Policy University Network at Risk Policy JANET Acceptable Use Policy Backup/Disaster Recovery Policy Additionally, standards and best practice guidance documents will be drawn up to assist staff in areas such as:- Standards: Intrusion Detection Standard Network Configuration and Management Standard Password Standard Physical Security Standard Portable Computing Standard Security Monitoring Standard Security Training Standard Computer Hardening Standard Software Licensing Standard Special Access Standard Guidance: Account Management Best Practice Draft: NDA Trusted Third Party Agreement ( TTP ) Vendor Access - Best Practice Your Password Social Networking Identity Theft Phishing Spam Anti Virus - Students B u s i n e s s A s s u r a n c e 4 t h F l o o r, E d i n b u r g h B u i l d i n g Page 5

6 Secure System Development Standard Virus Protection Standard Application Security Management Standard IT Asset Management Standard Data Destruction Standard Encryption Standard Log Management & Retention Standard Patch & Vulnerability Management Standard Data Loss Prevention Standard Data Handling Standard Logical Access Control (LACS) Standard Security Testing Standard BYOD Standard Mobile Device Standard Anti Virus - University Owned PCs (staff) Anti Virus - Staff Owned PCs Secure USB keys for Staff 6. RECORDS MANAGEMENT 6.1. Objective: To ensure that records are accessible and retrievable when and where required. This includes records on network drives and in shared folders, s and attachments web pages on Internet and Intranet sites and paper records. Freedom of Information The Freedom of Information (FOI) Act was introduced in 2000 to promote greater openness and accountability. It gives all members of the public the right to access information from public bodies, such as the University. Good records management will assist the University in complying with the requirements contained within the Act. Work in this area of records management will concentrate on themes such as:- Creating and maintaining an inventory of existing corporate records Creation/File Naming conventions Storage Retention periods Archiving Disposal Freedom of Information compliance Electronic document management Corporate records management (including policy management) 6.2. Policies and Procedures At a minimum, the following policies and procedures will be developed in relation to Records Management:- Records Management Policy Archive and Retention Policy Information Classification Policy B u s i n e s s A s s u r a n c e 4 t h F l o o r, E d i n b u r g h B u i l d i n g Page 6

7 Archiving and Retention Procedures FOI and EIR Policy FOI Procedures FOI Guidance for Staff/Requestors 7. TRAINING AND EDUCATION Information is the lifeblood of the University. It is essential that a culture is developed whereby information management is part of everyday activities and becomes part of the culture of the organisation. Increasing staff awareness is key to successfully implementing a University-wide approach to Information Governance. Training and awareness will be available to all staff: 7.1. Induction All newly employed staff will receive basic guidance in organisational policy in relation to information governance as part of the University s induction checklist Information Governance Training All staff will receive basic Information Governance training, at least 3 yearly. Additionally service specific and subject specific training will be provided as appropriate and necessary to inform staff of policy and process. Training will be deployed using a variety of techniques including:- e-learning face to face training sessions facilitated workshops B u s i n e s s A s s u r a n c e 4 t h F l o o r, E d i n b u r g h B u i l d i n g Page 7

8 University of Sunderland Business Assurance Over-arching Information Governance Policy APPENDIX A OVERVIEW OF INFORMATION GOVERNANCE POLICIES Data Information Security Information Governance Records Management Freedom of Information Protection/Confidentiality (and IT related policies) Information Governance Policy Records Management Policy FOI and EIR Policy Data Protection Policy Information Security Policy Data Assurance Policy IG Training Policy Using Copyright in Education Archive and Retention Policy IT Acceptable Use Policy Information Classification Policy FOI Procedures SAR Procedures IT Security Policy (and standards) Archiving and Retention Procedures FOI Guidance for Staff Social Media Policy FOI Guidance for Requestors Incident Management Policy Staff Guide to Personal Information Student Guide to Personal Information Public Guide to Personal Information Data Sharing Agreement Guidance Non disclosure Agreement Guidance Commercial Confidentiality Guidance Information Risk Management Policy (and procedures) IT and Communications Interception and Monitoring Policy Policy on Connection to the University Network IT Systems at Risk Policy University Network at Risk Policy JANET Acceptable Use Policy Backup/Disaster Recovery Policy Change Management Policy B u s i n e s s A s s u r a n c e 4 t h F l o o r, E d i n b u r g h B u i l d i n g Page 8