Incident reporting procedure

Transcription

1 Incident reporting procedure Responsible Officer Author Date effective from Aug 2009 Date last amended Aug 2009 Review date July 2012 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Page 1 of 9

2 1 Introduction 1.1 Incident reporting plays a major role in helping the Institute maintain a safe and secure working environment. It helps protect the confidentiality, integrity and availability of the information and systems accessed and is an essential element for effective risk management. Trend analysis of reported incidents enables the organisation to highlight areas of weakness and, if necessary, take appropriate action to reduce specific threats and vulnerabilities. 1.2 The Institute must demonstrate a commitment to, and delivery of, effective information governance. Incident management is a cyclical process of identification, reporting, investigation, resolution and learning to minimise the risk of re-occurrence. 1.3 All staff members have a responsibility to report information security incidents whether deliberate or accidental. 1.4 The procedure outlines the main requirements for incident reporting related to information security only and is designed to ensure core data is recorded, the event is properly reviewed, corrective action taken where necessary to minimise the risk of re-occurrence and to provide clarity over accountability and responsibility for actions. 1.5 Incidents relating to health & safety should be reported in accordance with the Health & Safety policy. Any identified fraud should be reported in accordance with the Counter Fraud policy. 2 Information security 2.1 An information security incident is any actual or potential breach of security which may compromise the confidentiality, integrity or availability of information stored, processed and communicated in relation to the Institute s business whether in hard copy or electronic format. 2.2 The term security incident covers a wide range of events which can vary considerably and it is therefore not possible to detail every single event. The following list gives examples of types of security incidents that should be reported: Type of data Sensitive personal data 1 Example Risk of accidental or deliberate disclosure of sensitive personal data e.g 1. Personnel or recruitment files left unattended on a desk eg 2. Patient expert applications held on a file drive with general staff access Confidential information including Risk of accidental or deliberate access of confidential information by an unauthorised 1 As defined in Appendix 1 Page 2 of 9

3 CiC and AiC information person. e.g 1. CiC information taken out of the building on unencrypted media eg 2. CiC information sent by without password protection or encryption Passwords An unauthorised person has gained access to your account or attempted to gain access using your password e.g Password/login details left accessible and unsecured to visitors in home worker s home. Physical security breach Unauthorised access to secure areas containing confidential information Eg forced access to tamber unit containing confidential information or sensitive personal data Theft or loss of portable media Laptops or other portable media containing confidential or sensitive personal data lost or stolen e.g. laptop stolen from car 2.3 This list is not exhaustive and staff must ensure they report any incident where they have a reasonable belief that there is a risk to the security of sensitive personal data or any confidential information. 3 Reporting security incidents 3.1 All information security incidents should be reported using the form at Appendix 3 and notified to the line manager, Business Planning and Resources Director and Governance Manager. Any incident occurring outside secure office premises should be reported immediately to the Business Planning and Resources Director and Governance Manager. 3.2 Information on the incident should include a description of the data lost or stolen, whether it was held in hard copy or portable media, the quantity (if known), where it was lost and the sensitivity of the data (if known). 3.3 The Corporate Office will retain a central log of all significant security breaches. These will be reported to the Audit Committee by the Governance Manager and escalated via the Senior Information Risk Officer as necessary in accordance with the Serious Untoward Incident reporting procedure (Appendix 2). 4 Sensitive security incidents 4.1 It is recognised that some incidents can be sensitive especially if colleagues or managers may be incriminated. It is important that the Page 3 of 9

4 person reporting the incident receives absolute protection and guarantee of confidentiality even in the event of a false alarm. In these circumstances the provisions of the Whistle blowing policy will apply and the individual identifying the incident should complete the incident report on their behalf and forward direct to the SIRO. 5 Accidental breaches of security 5.1 If an individual unintentionally causes a potential breach of security such as losing their smart card, they should inform their line manager immediately. The reporting procedure detailed below will still be followed. 6 Security weaknesses 6.1 Staff should report any observed or suspected security weaknesses such as staff sharing User IDs and Passwords, including Smartcards, system admin privileges given to individuals who do not require them. 6.2 Staff should not attempt to prove a suspected security weakness as this might be interpreted as a potential misuse of the system. Instead the weakness should be reported to the IT department and additionally to their line manager. The line manager will ensure the weakness is reported to the Business Planning & Resources Director. 7 Incident resolution 7.1 Once the incident has been dealt with and closed, the individual who reported the incident should be notified of the resolution. This is the responsibility of the designated manager investigating the incident but may be delegated to the individuals line manager 8 Further information 8.1 Further information, including contact details, can be found on the governance section of the intranet. Page 4 of 9

5 Appendix 1 Definition of personal data 1 Personal data is any information: which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual 2 This definition should be considered in light of the extent to which the data relates to the individual s privacy in their family life, business or professional capacity. 3 The DH defines sensitive personal data as information that includes the name of an individual, combined with one or more of the following: Bank / financial / credit card details National Insurance number / Tax, benefit or pension records Passport number / information on immigration status Travel details (for example at immigration control, or Oyster records) Passport number / information on immigration status / personal (non- NICE) travel records Health records Work record Material related to social services (including child protection) or housing case work Conviction / prison / court records / evidence Other sensitive data defined by s.2 of the Data Protection Act 1998 including information relating to: (a) racial or ethnic origin (b) political opinions (c) religious beliefs or other beliefs of a similar nature (d) membership of a trade union (e) physical or mental health or condition (f) sex life (g) the commission or alleged commission by him of any offence (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings. Page 5 of 9

6 Appendix 2 Reporting of serious untoward incidents Minor Medium Significant No significant damage to the reputation of the individual or organisation Damage to an individual s reputation Damage to a section s reputation Damage to a service s reputation Damage to NICE reputation Damage to DH, NHS or public sector in general Media interest very unlikely Possible media interest Some local media interest that may not go public Low key coverage in press or local media National or local press coverage National press coverage Minor breach of confidentiality Potentially serious breach Serious potential breach and risk assessed as high Serious breach of confidentiality Serious breach of confidentiality of sensitive information Serious breach with potential for ID fraud Only a single individual Report to Audit Committee Less than 5 people affected and risk low eg due to encryption Up to 20 people affected and media not encrypted Report to Audit Committee Report to Board Report to ALB BSU and Senior Departmental Sponsor OR up to 100 people affected OR up to 1000 people affected Report to Audit Committee Report to Board OR over 100 people affected Report to ALB BSU and Senior Departmental Sponsor ALB BSU (with DH Security) will decide if Ministers, Cabinet Office and/or Information Commissioner need to be informed Page 6 of 9

7 Appendix 3 Incident reporting form Please PRINT all details on this form [To be completed by the person who identified the incident or the person reporting on their behalf] Completing this form does not imply an admission of liability on any person. Date of incident Time of incident (24 hr clock) Place of incident Name of person reporting incident Position Tel: Brief description of incident (brief factual account of what happened) Brief description of any immediate action taken Date form submitted Signature Name and position of any other staff involved / witnesses [max 2] Name Signature Position Name Signature Position Date form sent to Page 7 of 9

8 BPRD FOR BPRD USE ONLY Incident number Date form received Incident level (0-5) Report to (tick) Audit Committee Board ALB BSU Brief description of action taken Identify likely cause of incident Action to prevent repeat of incident Investigating Officer Signature Date Page 8 of 9

9 Appendix A - Version Control Sheet Version Date Author Replaces Comment 1 Julian Lewis n/a Page 9 of 9