Enterprise Information Security Procedures
GHL Network Services Ltd
Enterprise Information Security Procedures
Prepared By: Nigel Gardner
Date: 16/11/09

Contents
1. Openwork's Information Security Policy
2. Enterprise Information Security Procedures
3. Physical Security - Business Premises
4. IT Security
5. Staff Recruitment and Leavers
6. Training
7. Third Party Vetting & Contracts
8. Email & Fax Procedures
9. Caller Verification - Release of Client Information
10. Retention & Disposal of Client Information and IT Hardware
   - Methods of destruction - Physical files
   - Electronic files and documents
11. Reporting the loss or theft of information
12. Information Classification and Ownership
13. Monitoring

1. Openwork's Information Security Policy

Openwork's policy and procedures are intended to ensure that personal information is hard to steal or lose and that only authorised people have access to it. Openwork will ensure client information is treated as a precious resource. This means:
- We keep it secure
- We only share it when we need to
- We only allow fit and proper people to see it
- We use it skilfully.

This policy is driven by the need to support statements we have made to our clients and to fulfil our obligations to our regulators:
- We've told the client, in the DP leaflet, "You can be sure we'll keep your personal information confidential and use it with care".
- The FSA has made the connection between the loss of personal information, identity theft and financial crime; they therefore require all FSA regulated firms to take appropriate care of client personal information, as made clear in the FSA papers:
  o Fact Sheet "Your responsibilities for customer data security" (April 2008)
  o "Data Security in Financial Services" (April 2008)
- The Data Protection Act requires you to keep information secure. Principle 7: "Appropriate measures shall be taken against unauthorised or unlawful processing or accidental loss of personal data".

2. GHL Network Services Ltd ("GHL") Information Security Procedures

This document draws all the Information Security Policy and Procedures into one place. The procedures define the minimum standards that must be achieved. Everyone in GHL will have received a copy of these procedures and confirmed that they have been received and the content understood. GHL will maintain a record of when they were seen.

3. Physical Security - Business Premises

Access to client information is controlled by:
- Locked building, room or cabinet as appropriate
- Clear Desk policy
- Screen savers which are password protected and automatically activated after 10 minutes (see IT Security Standards on the Portal - Home -> Financial Crime Prevention -> Information Security -> Procedure Templates and Guides -> IT Security Standards)
- Desktops and laptops that have whole disk encryption (see IT Security Standards on the Portal - Home -> Financial Crime Prevention -> Information Security -> Procedure Templates and Guides -> IT Security Standards)
- Locking business premises when unattended
- Access restrictions
- Computer security when out of office, e.g. not left in the boot of a car

Clear Desk Policy
In accordance with Openwork's requirements GHL operate a clear desk policy. This means keeping desks and other surfaces clear of any client information and of records of logon IDs and passwords.

4. IT Security

The security of computer hardware and the client information held on it is documented in the IT Security Standards on the Portal (Home -> Financial Crime Prevention -> Information Security -> Procedure Templates and Guides -> IT Security Standards). This covers high level requirements including:
- Encryption
- Anti-virus
- Passwords (changes & complexity)
- Maintenance of computer equipment logs (records of serial numbers, encryption keys etc.)
- Backups & safe storage
- Networks (wireless, internet)
- External storage (CD, data stick, smart phones and other portable media)
- Databases
- Access rights limiting access to systems (such as Senro or Quay)
- Specialist IT consultancy

All PCs (laptops & desktops) must be encrypted to protect clients against the possibility of their details being lost or stolen. In addition, all USB data sticks used must similarly be encrypted using AES 256 bit hardware encryption.

5. Staff Recruitment and Leavers

Taking on staff
GHL will ensure that all staff have the honesty and integrity to handle client information. GHL has staff that are subject to vetting by Openwork and also those with access to client information that are not. These are, for example, Category 2 PAs, Admin Plus, receptionists and admin staff, and it may also have temporary and contract staff (see also Third Party Vetting and Contracts).

Staff not vetted by Openwork, with access to client information:
- GHL is responsible for the vetting of all staff with access to client information
- A record of the information obtained is kept on the staff member's personnel file to show why it was satisfied that the person was fit and proper
- For evidence of identification GHL will complete a proof of identity template form (similar to the client CVI form) on the Portal (Financial Crime Prevention -> Information Security -> Related Documents). The authenticity of this identification should be tested as far as is reasonably possible with recourse to publicly available information sources
- References from previous employers are obtained covering the last 12 months where appropriate
- References provided by the staff member are not appropriate to accept
- If a credit check is to be undertaken the staff member must give permission
- Where GHL decides to carry out a Criminal Records Bureau check it must obtain permission before doing so

Staff with no access to client information
- Where staff members do not have access to client information, it is not necessary to carry out a fit and proper check; however, evidence will be retained of why the staff member does not require the vetting

Changes in Role and Responsibilities
GHL must be alert to the risk that a change of role or multi-tasking may allow a non-vetted staff member to handle client information. If this happens, the vetting procedure above must be applied and the information collected recorded on the Personnel File.

Leavers
When any staff leave, precautions are taken to ensure they no longer have access to client information. Where appropriate the following will take place:
- Return of keys / swipe cards
- Cancellation of personal computer passwords and user accounts
- Return of all portable IT equipment and software provided by GHL
- Providers' microsites will be notified for cancellation of logon rights
- Where leavers have their own machines, Openwork software and client data belonging to GHL will be removed (e.g. OTPm and ETi software and databases)
- Regulated Support will be notified of any staff member that leaves in order to remove Portal access
- Change of other user passwords if there is a possibility they are known to the leaver

6. Training

It is important that everyone, the Practice Principals, the Advisers and the administrators, understands the importance and relevance of information security and how to keep client information secure. Openwork has training modules, available through the Portal, on Financial Crime (FC) and Data Protection (DP). All Advisers and Enterprise staff must complete the FC and DP modules before they start handling client information:
- Advisers: the training modules are available through Insight and are part of the annual refresher cycle (and induction training)
- Enterprise Staff with Portal access: the training modules are available on the FC and DP pages (Home -> Quality -> Financial Crime, and Home -> Quality -> Data Protection)
- Enterprise Staff without Portal access: print off the training modules from the FC and DP pages and log the completion of the training on their personnel file

Manual records will be kept of the date of the training in order that refresher training can be undertaken once a year.

7. Third Party Vetting & Contracts

GHL may involve third parties in a number of aspects of its activities which may allow access to, or the opportunity to access, client information. These are (but may not be limited to):
- Maintenance of premises (including landlords)
- Physical security of premises
- Cleaning
- Secure disposal of waste, including waste containing client information
- Delivery of urgent documents
- Remote back-up of computer records
- IT support
- File archiving
- Appointment making

Vetting of Third Parties
A reasonable risk based approach is taken when carrying out due diligence checks on third parties. The arrangements may not be as formal as a contract, as they may be with an individual on a personal arrangement (e.g. a cleaner).
- Evidence of identity will be obtained from each company or individual providing a service. This may be a certificate of incorporation or evidence of the company's existence taken from Companies House. GHL takes account of Openwork's CVI Procedures.
- For individuals doing some work for GHL, evidence of identification is required. GHL will complete a proof of identity template form (similar to the client CVI form) on the Portal (Financial Crime Prevention -> Information Security -> Related Documents). The authenticity of this identification should be tested as far as is reasonably possible with recourse to publicly available information sources.
- Where a contract exists between GHL and a third party, this will contain specific clauses detailing the third party's obligations in respect of information security where appropriate.
- Copies of the third party's recruitment and information security procedures should be reviewed. These should be equivalent to those in place at GHL.
- Evidence of the checks carried out and the procedures reviewed, evidence of the assessment carried out and a copy of the contract should be retained on a file specific to each third party supplier.

8. Email & Fax Procedures

8.1 Email
Email is not a confidential means of communication. GHL recognises that messages can be very easily read by those for whom they were not intended, and recognises particularly that emails can be:
- intercepted by third parties (legally or otherwise)
- wrongly addressed
- forwarded accidentally
- forwarded by initial recipients to third parties against our wishes
- viewed accidentally on recipients' computer screens

Personal information is not communicated by email unless the express permission of the subject has been obtained and can be evidenced, or unless adequate protection (password or encryption) has been employed. See Portal Home -> IT Support -> IT How To Guides -> IT Security and Email Guidelines.

Email is not relied on for record-keeping purposes. Where long term accessibility is an issue, records are transferred to a more lasting medium or other electronic environment.

Your GHL Network Services email address must be used for all business communications, and personal data relating to clients must be encrypted. Further details of the email procedures are documented in the Openwork IT Security and Email Guidelines (see Portal Home -> IT Support -> IT How To Guides -> IT Security and Email Guidelines).

8.2 Fax
Fax services are not reliable and are replaced with secure email wherever possible, as documents may be intercepted or misdirected due to operator or technical error. Personal medical details are not faxed. When sending a fax, it is good practice to check the recipient's number before sending. The person sending the fax will phone ahead to warn the recipient of the transmission of personal information.

9. Caller Verification - Release of Client Information

Before personal client information is released the identity of the caller will be verified using the checks below, which depend on who is calling and who is answering. The numbered notes follow the checks.

Caller: Client. Answered by: Adviser / Administrator
- If the callers have a well established relationship (note 1): voice recognition
- Compulsory information (note 2): caller full name, caller address, caller DOB
- Two items of optional information required (note 3): plan number, NI number, product held, provider/lender, maiden name, partner's name, partner's DOB
- ID checks fail (note 4): the call may be returned, but only to a number that was previously known to belong to the caller

Caller: Openwork Support Centre. Answered by: Adviser / Administrator
- If the callers have a well established relationship (note 1): voice recognition
- Compulsory information (note 2): caller full name, caller job role, caller phone number
- Two items of optional information required (note 3): full plan numbers, case ID. If the Adviser / Administrator is concerned, offer them the opportunity to call back via the switchboard number from the Portal
- ID checks fail (note 4): if the Adviser / Administrator does not wish to proceed, end the call politely and write to them

Caller: Adviser / Administrator. Answered by: Client
- If the callers have a well established relationship (note 1): voice recognition
- Compulsory information (note 2): caller to inform the Client who they are and who they represent
- Two items of optional information required (note 3): if the client is concerned, offer the client the opportunity to check the caller's identity via the published phone number / switchboard of the firm
- ID checks fail (note 4): if the client does not wish to proceed, end the call politely and write to them

Notes
1. Voice recognition alone is an acceptable verification, but only if the caller is known well enough. If the caller can be confidently verified from their voice, then the compulsory or optional information is not needed. Relying solely on voice recognition must be done with extreme caution and should be backed up by conversational identification checks. The FSA has cast doubt on the ability of an adviser or other person to recognise the voice of all their clients. The reliance on voice recognition must be proportionate to the number of clients you have and how often you speak to them.
2. If the caller cannot quickly confirm the details, i.e. without stuttering or unreasonable delay, then the call will be ended without releasing the requested information.
3. These lists are not exhaustive and are provided to indicate the nature of information that may be considered suitable.
4. If the ID checks fail, the call may still be returned but only to a number that was known to belong to the caller prior to the call, e.g. a previously noted home number, a SWIFT recorded phone number or via the appropriate switchboard. If this approach is used, the verification checks will still be made but different optional information will be used to identify the person being spoken to.

10. Retention & Disposal of Client Information and IT Hardware

Personal information will only be collected and kept if there is a regulatory requirement or a good business reason to do so. Keeping information for longer than is necessary increases the risk of information loss. GHL follows Openwork's guidance on the retention period for client information as set out in the Compliance Manual and the Data Protection pages (see Portal Home -> Quality -> Data protection).

Methods of destruction - Physical files
These are treated as confidential waste and disposed of securely.

Electronic files and documents
Electronic material and computer memories (hard drives, magnetic tapes, CDs, DVDs etc.) are erased prior to (or as part of) the disposal procedure. This is done by:
- Physical destruction of the hard drive or other storage medium, or
- Specialist software used to ensure computer disks are completely erased before they are disposed of

Records of the date and method of destruction, including which software was used, are retained in GHL's Computer Equipment Log.

11. Reporting the loss or theft of information

Loss of or theft of information could include:
- Laptop being lost or stolen
- Missing memory stick
- Paper records missing or stolen
- Back-up disks lost or stolen
- Misdirected fax or email
- Physical damage (by, for example, fire, flood etc.)

Action for Advisers and administrators
Immediately report discovery or suspicion to the GHL Data Protection Officer (DPO) and the Openwork DPO, providing as much detail as possible as to the circumstances and the nature of the information at risk.

Action for GHL's Data Protection Officer
Inform the Openwork DPO immediately (see Portal Home -> Quality -> Data protection -> Loss or theft of data).

Openwork Support
Openwork will support GHL to ensure appropriate action is taken to mitigate the risks of Clients, Advisers, Enterprises, Openwork and its partner businesses falling victim to financial crime. GHL and Openwork will work together to:
- Inform the Police if theft or criminal activity is suspected and obtain a crime report number
- Review the circumstances leading to the information loss to assess whether new procedures or controls are required, or whether existing ones need updating
- Contact clients and providers (where necessary) to ensure they'll be able to take steps to prevent loss (they may both seek compensation if loss can be demonstrated as arising from the compromised information)

12. Information Classification and Ownership

This table lists the information classifications for Openwork. When determining how information is to be treated these criteria are referred to.

UNCLASSIFIED / INTERNAL USE (Low Risk, Low to Medium Value)

UNCLASSIFIED information can be disclosed to anyone. It is known to the market and would not violate an individual's right to privacy. Knowledge of this information does not expose the Enterprise or Openwork to financial loss or embarrassment, or jeopardise the security of our assets.

INTERNAL USE ONLY information, due to its technical or business sensitivity, is limited to the Enterprise or Openwork staff or personnel covered by a non-disclosure agreement. If there is unauthorised disclosure, there would be minimal impact to the Enterprise, Openwork, its clients, or staff.

Examples - Unclassified:
- Marketing information
- Published annual and interim reports
- Business cards
- Interviews with news media
- Issued press releases
- Internet (unless otherwise marked)

Examples - Internal Use Only:
- Routine administrative & office information
- Policies and procedures
- System requirements
- Telephone directory

CONFIDENTIAL / HIGHLY CONFIDENTIAL (High Risk, High / Critical Value)

CONFIDENTIAL information is defined as information whose unauthorised disclosure, compromise, or destruction would have an adverse impact on the Enterprise, Openwork, its clients, or staff. Financial loss, damage to reputation, loss of business, and potential legal action could occur. It is intended solely for use within the Enterprise or Openwork and is limited to those with a business need-to-know.

HIGHLY CONFIDENTIAL information (the highest level of classification) is information that is share-price sensitive or whose unauthorised disclosure, compromise, or destruction would result in severe damage, provide a significant advantage to a competitor, or cause penalties or great embarrassment to the Enterprise, Openwork, its clients or staff. It is intended solely for restricted use within the Enterprise or Openwork and is limited to those explicitly identified in advance as requiring access to the information.

Examples - Confidential:
- Business plans
- Budget information
- System configurations
- Proprietary software

Examples - Highly Confidential:
- Credit card / bank account details
- Client databases
- Client personal or policy information
- Sensitive personal information (which includes data on racial or ethnic origin; political, religious or philosophical opinions, beliefs or activities; trade union membership and related activities and opinions; health; private life or sex life; social welfare measures; administrative and criminal prosecution and sanctions)

13. Monitoring

GHL will conduct an annual Data Security Controls Assessment (DSCA) (see Portal Home -> Quality -> Information Security -> DSCA). GHL will make an Annual Declaration that the assessment has been done.
Warwickshire County Council Why do we need to protect our information? What happens if we don t? Who should read this? What does it cover? Linked articles All WCC employees especially mobile and home workers
More informationData Protection and Data security Policy
Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us
More informationGuide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR
Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Information and Resources for Small Medical Offices Introduction The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario s health-specific
More informationCOVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name
COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name Introduction Removable Media and Mobile Device Policy Removable media and mobile devices are increasingly used to enable information access
More informationSUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
More informationSmall businesses: What you need to know about cyber security
Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...
More informationAuthorised Acceptable Use Policy 2015-2016. Groby Community College Achieving Excellence Together
Groby Community College Achieving Excellence Together Authorised Acceptable Use Policy 2015-2016 Reviewed: Lee Shellard, ICT Manager: May 2015 Agreed: Leadership & Management Committee: May 2015 Next review:
More informationwww.neelb.org.uk Web Site Download Carol Johnston
What I need to know about data protection and information security when purchasing a service that requires access to my information by a third party. www.neelb.org.uk Web Site Download Carol Johnston Corporate
More informationINITIAL APPROVAL DATE INITIAL EFFECTIVE DATE
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
More informationHIPAA and Health Information Privacy and Security
HIPAA and Health Information Privacy and Security Revised 7/2014 What Is HIPAA? H Health I Insurance P Portability & A Accountability A - Act HIPAA Privacy and Security Rules were passed to protect patient
More informationWHAT YOU NEED TO KNOW ABOUT CYBER SECURITY
SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes
More informationPHI- Protected Health Information
HIPAA Policy 2014 The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients health information and grants certain rights to patients. Clarkson
More informationDATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE
DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful
More informationData Security Policy. 1. Document Status. Version 1.0. Approval. Review By June 2011. Secure Research Database Analyst. Change History. 1 Version 1.
Data Security Policy 1. Document Status Security Classification Level 4 - PUBLIC Version 1.0 Status DRAFT Approval Life 3 Years Review By June 2011 Owner Secure Research Database Analyst Change History
More informationSenior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES
Senior School 1 PURPOSE The policy defines and describes the acceptable use of ICT (Information and Communications Technology) and mobile phones for school-based employees. Its purpose is to minimise the
More informationAuthorized. User Agreement
Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationMONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)
MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,
More informationHow To Protect School Data From Harm
43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy
More informationA common sense guide to the Data Protection Act 1998 for volunteers
A common sense guide to the Data Protection Act 1998 for volunteers Why is it necessary? The Data Protection Act 1998 is a law introduced to control the way information held about individuals is handled
More informationAcceptable Use Guidelines
Attachment to the Computer and Information Security and Information Management Policies Acceptable Use Guidelines NZQA Quality Management System Supporting Document Purpose These Acceptable Use Guidelines
More informationA Guide to Information Technology Security in Trinity College Dublin
A Guide to Information Technology Security in Trinity College Dublin Produced by The IT Security Officer & Training and Publications 2003 Web Address: www.tcd.ie/itsecurity Email: ITSecurity@tcd.ie 1 2
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationInformation Governance Policy (incorporating IM&T Security)
(incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the
More informationEuropean Investment Bank Group. Video-surveillance policy
Group TABLE OF CONTENTS 1. Purpose and scope of the video-surveillance policy... 2 2. Respect for privacy, data protection and compliance with the relevant rules... 2 2.1. Compliance status... 2 2.2.
More informationSERVER, DESKTOP AND PORTABLE SECURITY. September 2014. Version 3.0
SERVER, DESKTOP AND PORTABLE SECURITY September 2014 Version 3.0 Western Health and Social Care Trust Page 1 of 6 Server, Desktop and Portable Policy Title SERVER, DESKTOP AND PORTABLE SECURITY POLICY
More informationLife Cycle of Records
Discard Create Inactive Life Cycle of Records Current Retain Use Semi-current Records Management Policy April 2014 Document title Records Management Policy April 2014 Document author and department Responsible
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationHIPAA Training for Staff and Volunteers
HIPAA Training for Staff and Volunteers Objectives Explain the purpose of the HIPAA privacy, security and breach notification regulations Name three patient privacy rights Discuss what you can do to help
More informationISO27001 Controls and Objectives
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
More informationCellular/Smart Phone Use Procedure
Number 1. Purpose This procedure is performed as a means of ensuring the safe and efficient use of cell/smart phones throughout West Coast District Health Board (WCDHB) facilities. 2. Application This
More informationEncryption Policy Version 3.0
Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you
More informationIM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers
IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy DOCUMENT INFORMATION Author: Vince Weldon Associate Director of IM&T Approval: Executive This document replaces: IM&T Policy No. 1 Anti Virus Version
More informationProcedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom
Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom
More informationFollow the trainer s instructions and explanations to complete the planned tasks.
CERT Exercises Toolset 171 20. Exercise: CERT participation in incident handling related to Article 4 obligations 20.1 What will you learn? During this exercise you will learn about the rules, procedures
More informationSchool of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy
School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy Page 1 of 10 Contents 1 Preamble...3 2 Purpose...3 3 Scope...3 4 Roles and responsibilities...3
More informationUniversity of Limerick Data Protection Compliance Regulations June 2015
University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick
More informationINFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c
INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationTenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014
Tenth Judicial Circuit of Florida Information Systems Acceptable Use s Polk, Hardee and Highlands Counties as of January 2014 The following guidelines define the acceptable use of information technology
More informationThe virtual safe: A user-focused approach to data encryption
The virtual safe: A user-focused approach to data encryption Steganos GmbH, 2008 1 The hard disk: a snapshot of our lives The personal computer has never been more personal. We routinely trust it with
More informationBOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy
BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationIT Data Security Policy
IT Data Security Policy Contents 1. Purpose...2 2. Scope...2 3. Policy...2 Access to the University computer network... 3 Security of computer network... 3 Data backup... 3 Secure destruction of data...
More informationSummary Electronic Information Security Policy
University of Chichester Summary Electronic Information Security Policy 2015 Summary Electronic Information Security Policy Date of Issue 24 December 2015 Policy Owner Head of ICT, Strategy and Architecture
More informationJohn Leggott College. Data Protection Policy. Introduction
John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and
More information