DOCUMENT CONTROL PAGE
Title: Title
Version: 0.2a
Reference Number:

Supersedes
Supersedes: IT Encryption and Security Policy and Guidelines
Description of Amendment(s): Clarification of document approval routes.

Originated by: Lois Critchley
Originator Designation: Head of infrastructure and Continuity
Modified by:
Designation:

Approval
Approval by: Informatics Strategic Board
Date: March 2014

Application: All Staff

Circulation
Issue Date: March 2014
Circulated by: Informatics
Issued to: All Divisions and Corporate Services / Staffnet

Version: 0.2a Page 1 of 21
Central Manchester and Manchester Children's University Hospitals NHS Trust

Review
Review Date: October 2016
Responsibility of: Head of Infrastructure & Continuity

ISSUE DATE: March 2014
VERSION: 0.2a
CONTENTS

1. Introduction
- Purpose
- Audience
- Scope
- Definitions Used

Code of Practice
- Desktops
- Laptops
- Trust Mobile Devices including tablets and mobile devices such as iPads
- Usernames, Passwords and PIN codes
- Anti-virus / Malware Protection / Software Patching
- Software Licences
- Email Security
- Internet Security
- Working from Home / Remote Working
- Network Links with Other NHS Trusts and third party Suppliers
- Removable Media
- Bring Your Own Device (BYOD) and use of Personal Devices
- Mobile Phones
- Digital Cameras / iPods / MP3 Players
- Cloud Storage
- Disposal of Redundant / Obsolete Trust IT Equipment

Dealing with Breaches of Security
User Responsibility
Manager Responsibility
Informatics Responsibility
FURTHER INFORMATION
1. Introduction

1.1 Purpose

The purpose of this document is to clearly define the code of practice for the use of IT to maximise security and governance to prevent unauthorised disclosure, modification, removal or destruction of data and/or IT systems owned by Central Manchester University Hospitals NHS Foundation Trust (CMFT) and to ensure that disruption to Trust activities is minimised.

The code of practice applies to all authorised users of CMFT data and systems including staff who are not employed by CMFT but use CMFT data or systems.

The code of practice defines the responsibility of:
- Users
- Managers
- Informatics

Any employee who breaches standards within the IT code of practice may be subject to disciplinary action, in accordance with the Trust's disciplinary procedures. This may result in summary dismissal for gross misconduct. It may also result in criminal proceedings being taken.

Action will also be taken against any user not employed by the Trust who breaches the standards of this document. This action will be in line with relevant Contract arrangements and may include criminal proceedings.

1.2 Audience

This document is aimed at users and the code of practice within the document should be self-explanatory. However, if there is anything within the document that any member of staff does not understand they should contact the Informatics Service Desk.

1.3 Scope

This document covers desktops, laptops, tablet devices, other mobile devices including smart phones, software, email, storage mediums such as, but not limited to, cloud-based storage, CDs, USB pens, memory sticks, portable hard drives and other devices such as digital cameras and so on.

The document is not intended to stand in isolation and a number of legislative acts and CMFT policies are relevant to the interpretation and application of this document. These include, but are not limited to:
- Data Protection Act 1998
- Computer Misuse Act 1990
- NHS Caldicott Principles
- CMFT Network Security Code of Practice
- CMFT Internet and Email Code of Practice
- CMFT Data Protection Policy
- CMFT Disciplinary Policy
- CMFT Record Keeping Policy
- CMFT Handling Sensitive Information Procedure

The above list is not exhaustive and all legislative acts are subject to updates.

1.4 Definitions Used

For the purpose of this document, the wording "Sensitive Data" refers to all information which relates to an identifiable living or deceased individual, all confidential data, commercially sensitive data.

Identifiable data includes, but is not limited to:
- Surname
- Forenames
- Date of Birth
- Post Codes / Address
- Telephone Numbers
- Casenote Numbers
- Diagnosis, Procedures, Treatment details

This list is not exhaustive. The NHS Number may be used without encryption as long as it is sent on its own without any further identifiable information.

For the purpose of this document, the wording "Trust PC" refers to any Trust device used for data collection and processing, including (but not limited to) desktops, laptops, tablets and other mobile devices that are capable of local storage and installation of software.

2. Code of Practice

Sensitive data must not be saved on the local hard drive of a PC, mobile device or any other data storage medium (such as a cloud-based storage or USB pen etc.) that is not owned or approved by the Trust or not meeting the required standards outlined in this document.

Users must only use security and encryption hardware / software which is recommended and approved by Informatics.
Users must not tamper with or alter the hardware specification of any Trust-owned PC without prior approval from Informatics. If a supplementary resource is required, such as additional memory, then a call must be logged with the Informatics Service Desk.

Users must not wilfully, intentionally or negligently damage or destroy any hardware, software or data belonging to the Trust.

Deletion of any information or disposal of PCs or storage devices must be in line with legislation and Trust policies such as CMFT Record Keeping Policy.

All data handling must be in line with the Data Protection Policy (1998) and NHS Caldicott guidelines.

There are 8 key principles for Data Protection; these are:
- One: Personal data will be processed fairly and lawfully.
- Two: Personal data will be obtained for specified and lawful purposes and will not be used in a way which is unsuited to those purposes.
- Three: Personal data will be adequate, relevant and not excessive for the purposes for which it is used.
- Four: Personal data will be accurate and up to date.
- Five: Personal data will not be kept for longer than is necessary.
- Six: Personal data will be processed in line with individuals' rights.
- Seven: Appropriate technical and organisational measures will be taken to protect against unauthorised or unlawful processing, accidental loss, destruction or damage to personal data.
- Eight: Personal data will not be transferred to a country which does not have adequate levels of protection for the information.

There are seven NHS Caldicott Principles which are:
- Justify the purpose for using personal confidential information.
- Don't use personal confidential information unless it is absolutely necessary.
- Use the minimum necessary personal confidential data.
- Access to personal confidential data should be on a strict need-to-know basis.
- Everyone with access to personal confidential data should be aware of their responsibilities.
- Comply with the law.
- The duty to share information can be as important as the duty to protect patient confidentiality.

Further information on the Data Protection Policy and NHS Caldicott Principles can be found in the Trust Data Protection Policy held on the Staffnet.

2.1 Desktops

Desktop PCs that are installed within Trust premises in a secure location with restricted physical and system access are considered to be at low risk and require no mandatory security requirements.

Desktop PCs that are installed in insecure locations or in areas accessed by the public will require additional physical security whereby the desktop is physically locked down, for example to the desk or table.

Sensitive data should not be stored on desktop PCs that are installed in insecure locations or are in general usage with unrestricted access (also referred to as insecure desktop). In these instances the Trust's network storage (network folder, SAN) should be used. To set this up, a call needs to be logged with the Informatics Service Desk.

It is recommended that data/files, such as Microsoft Word and Excel documents, are not stored on the desktop local hard drive but on the Trust network drives. For further information on this or to arrange transfer of your data to a network drive, please contact the Informatics Service Desk.

Desktop PCs must be suitably protected by Trust recommended antivirus software. If a user is unsure of anti-virus protection then please contact the Informatics Service Desk for advice.

2.2 Laptops

Laptop PCs that are installed within Trust premises as the main PC require additional physical security whereby the laptop is physically locked down at the main location, for example to the desk or table.

All laptops must be fully encrypted at hard disk level and this is undertaken by Informatics as part of the installation.

Where full encryption of the laptop is not possible then a risk assessment must be completed. A copy of the completed risk assessment form must be sent to Informatics for approval. If you need any assistance in carrying out a risk assessment on a PC, please contact the Informatics Service Desk for advice.
The principal, named user of a laptop is the person requesting the order of the laptop. The principal user will then be fully responsible for the security of that laptop and data stored on it.

If the laptop is transferred to another user, then it is the principal user's responsibility to inform Informatics of the transfer and the name of the new user. Responsibility for the laptop will remain with the principal user until Informatics has been notified of the laptop transfer.

To prevent unauthorised disclosure of information, the principal user is responsible for ensuring that all data that is no longer required to be held on the laptop is removed from the laptop prior to its transfer to another user. For assistance with this, a call should be logged with the Informatics Service Desk.

Laptops must never be left unattended unless stored out of sight in a safe and secure location with restricted authorised access only.

When travelling and not in use, avoid placing laptops in locations where they may be forgotten or left behind e.g. overhead racks.

When in transit, laptops should be stored in car boots; however laptops must never be left in car boots overnight.

Sensitive data stored on a laptop should be kept to the minimum required for its effective clinical or business use in order to minimise the risks and impacts should a breach occur.

Laptops must be suitably protected by Trust recommended antivirus software. If a user is unsure of virus protection then please contact the Informatics Service Desk for advice.

Remote transmission of sensitive data from a laptop must be encrypted and in line with the standards outlined in this document.

Trust laptops must only be used by authorised CMFT users.

Department Heads, or appropriate line managers, must authorise the use of any laptop which is to be used outside premises owned by CMFT. Additional authorisation must be obtained from the Trust Caldicott Guardian, or nominated officer, where the processing of sensitive data is proposed.

2.3 Trust Mobile Devices including tablets and mobile devices such as iPads

Mobile device management (MDM) is installed on all Trust-owned mobile devices, where possible. MDM is used to manage the device, including monitoring of app deployment, location tracking and remote wiping of the device including data if the device is reported as mislaid, lost or stolen.

Mobile apps that are installed on Trust-owned devices must be licensed and purchased through authorised app stores.
Where possible, Trust data should not be stored on Trust-owned mobile devices. Additionally, Trust data must not be stored solely on these devices.

If a Trust mobile device is mislaid, lost or stolen, it must be reported immediately to the Informatics Service Desk.

2.4 Usernames, Passwords and PIN codes

Passwords should be strong, that is, ones that cannot easily be guessed. Personal information such as name, date of birth or dictionary words should not be used.

Where possible, passwords should be a minimum of six characters and should use a mix of upper and lower case letters, numbers and other characters such as $, %; for example the word password could become P4$$w0rd. The longer the password, the harder it is for someone else to guess it.

PIN numbers should not be obvious e.g If you find it hard to remember PINs, consider creating bogus contacts on your mobile phone with your PIN as part of the number (you must ensure they appear to be real contacts).

Users are responsible for any work undertaken on any system using their personal logon credentials (username/password). Logon credentials must remain confidential at all times and must not be disclosed. Any breach of this may invoke the Trust Disciplinary Procedure.

For further information on passwords/PIN codes please see the Handling Person Identifiable Information Policy on Staffnet.

2.5 Anti-virus / Malware Protection / Software Patching

Desktops and laptops (including Windows tablet devices) that are installed on Trust premises must be suitably protected by Trust authorised anti-virus / malware software (AV software) and other associated security software / patches.

The PC configuration must allow for:
- Automatic updates of AV definitions
- Checking of PC memory and files on start-up
- Checking of each of these files upon use
- Checking of removable drives upon use
- Warning messages / quarantine of suspicious files/programs
- Scanning of all files, on request
- Warning message when virus definition is over two weeks old
- Automatic update of other security patches such as Windows Operating System patches

Users must not disable or interfere with AV or other security software installed on any PC.
Where Trust authorised AV software is not able to be installed on a Trust desktop or laptop (for example, where the AV software causes a conflict with other software or hardware such as a clinical analyser) then a risk assessment must be completed by the User for that PC. A copy of the completed risk assessment form must be sent to Informatics for approval. If you need any assistance in carrying out a risk assessment on a PC, please contact the Informatics Service Desk for advice.

Trust-owned laptops must be regularly connected (as a minimum, once every two weeks) to the Trust network to ensure that the AV software is maintained and up-to-date.

All new desktops and laptops ordered through the Trust recommended stock process will have an AV licence purchased and allocated as part of the ordering process. If any desktop or laptop is ordered outside this process, then a licence for Trust approved anti-virus software must be purchased through Informatics. Please contact the Informatics Service Desk for advice.

Users must not disable or interfere with anti-virus software installed. If you are unsure of AV protection on your PC then please contact the Informatics Service Desk for advice.

Users must not open any attachment in an email that is known to be infected by a virus.

If an email from a known source is received with an unexpected or unusual message and / or attachment, the user should contact the sender for clarification prior to opening the email.

Caution must be used when an email with an attachment is received from an unknown source. If there is any doubt regarding attachments on an email, then do not open the attachment but contact the Informatics Service Desk for advice.

Users must not send or forward any messages containing warnings about viruses, even if the warning has been received from a known source. If a user is concerned regarding a warning received by email then please contact the Informatics Service Desk for advice.

If unexpected emails are received from sources such as Banks, Building Societies, Clubs etc. then do not respond unless the request has been verified and confirmed as genuine. Users must not disclose personal details by email unless the source has been verified and confirmed as genuine. In practice, this is highly unlikely as legitimate sources do not request this type of information by email. If there is any doubt regarding emails received from sources such as above then please contact the Informatics Service Desk for advice.
Emails sent to and from the system will pass through filtering software and any email considered to contain inappropriate or malicious content will be quarantined. A message is sent to the recipient advising of the quarantine. In these instances, if the email is considered to be genuine then please contact the Informatics Service Desk.

As soon as a virus is found or suspected this must be logged immediately by telephone with the Informatics Service Desk. The PC must not then be used until authorisation has been given by the corporate IM&T department.

2.6 Software Licences

Only Trust-licensed and authorised software may be loaded on to a Trust desktop/laptop.

Adequate licences must be maintained for all installed software and installation of software must be in line with licence agreements.

Installation and removal of software must be undertaken by the Informatics department. This may be requested through the Informatics Service Desk.

Informatics will request proof of purchase of licences as part of regular auditing.

Where stored locally, master copies of software, backup tapes and manuals should be kept in a locked, secure location with restricted access and be protected from environmental damage such as fire, flood and extreme temperatures and humidity.

Backups of master disks should be taken (subject to licence agreement) and used to install applications. Master copies should not be in general use (unless copyright forbids making backups).

Users accessing any Trust application (such as PAS, Medisec, Symphony, or the Electronic Staff Record etc.) must ensure adherence to relevant legislation and Trust policies such as Handling Sensitive Information Procedure, Data Protection Policy, Code of Practice for Internet and Email Use.

Email Security

The Trust recommends two email systems, its own email system (@CMFT.nhs.uk) and the NHS-wide email system (@nhs.net).
If patient identifiable or other sensitive or confidential information is unencrypted then it can be sent as follows:

From: No Any other address No Any other No

However, whenever possible, anonymised data should be used rather than identifiable data and sensitive data should only be sent in line with Data Protection and NHS Caldicott principles.

Secure encrypted emails can be sent from the CMFT email system to any external NHS or non-NHS email address and this can be used for patient or other sensitive/confidential data.

To encrypt the email you need to put the word encrypt in square brackets in the subject box before the rest of the subject detail (e.g. Subject: [encrypt] important update on patient condition). The email (including any attachments) will be sent as an encrypted email to the recipients.

The first time the recipient receives an encrypted email they will need to register by following the on-screen instructions which come with the encrypted email; after that they will be able to access any further encrypted emails using their registered credentials.

The email is still encrypted if the recipient then replies to the original encrypted email. As long as [encrypt] is in the subject line before the rest of the subject detail then the email is encrypted. The wording [encrypt] may need to be re-inserted if the same email is being responded to more than once.

Further guidance on the email encryption facility can be found on Staffnet.

If unencrypted sensitive information is sent from a non-cmft to address or from a non-nhs.net to address then this has been sent at risk. These emails should not be replied to if the reply would mean that the sensitive information would be sent out again. A separate email should be sent to the sender advising that unencrypted sensitive information was sent using an unapproved method and an alternative method for communicating the unencrypted sensitive information must be established.

If emails are held on a PC using the Microsoft Outlook cached facility (where a copy of your mailbox is stored locally on your PC), then this must be in line with the PC requirements as stated elsewhere within this document.

Private email accounts such as Hotmail, Yahoo etc. must not be used for any Trust business.

Email and Internet usage must be in line with the Trust's Internet and Email Usage Code of Practice and other policies.

2.8 Internet Security

Sensitive data must not be processed through the Internet unless it is encrypted, using a security certificate; generally the web address begins This type of processing is quite common during participation in research programmes where there is data capture or input using web-based third party software. Please log a call with the Informatics Service Desk for confirmation that data collection using the Internet meets Trust encryption requirements.

Files must only be downloaded onto a Trust-owned PC that has up-to-date anti-virus software installed.

File downloads must be done in accordance with the English and European Laws, for example, the Copyright, Designs and Patents Act.

Staff must not download, install and/or run files that can disable the network or compromise the integrity and security of any IT equipment. If in any doubt contact the Informatics Service Desk for advice and assistance prior to undertaking the download.

Access to downloadable files, the downloading of files and transmission of files may be restricted by Web Monitoring Software, Content Filtering Software and / or NHS and Trust network settings. These restrictions may include files of a certain type (e.g. ZIP files) and / or files that exceed specific size thresholds and may change in line with security advice.

The Informatics Department reserves the right to exclude access to certain websites. Web Monitoring Software is used to manage such restrictions in a real-time environment.

Email and Internet usage must be in line with the Trust's Internet and Email Usage Code of Practice and other policies.

2.9 Working from Home / Remote Working

Remote access can be provided for staff that:
- Work from home
- Work at remote sites that are not connected to the Trust's data network, including other NHS and non-NHS premises

You can connect to your email, network files and folders through:
- OWA - Outlook Web Access (Webmail)
- VPN - Virtual Private Network
- VDI - Virtual Desktop

OWA provides access to your mailbox through a secure, encrypted web link using Internet Explorer. OWA can be used from any PC with an internet connection. You must ensure that you fully sign out of OWA when you have finished and close down the Internet browser window. Please contact the Informatics Service Desk for further information on using this facility.
Both VPN and VDI provide secure, encrypted access to Trust systems and applications. Access through VPN and VDI is controlled by RSA token and username/password two factor authentication process. RSA tokens are charged for and need to be requested, authorised and supplied via Informatics.

VPN connections require clean access control software and a VPN client to be installed on the PC. Clean access ensures that a device connecting to VPN has up to date antivirus and Windows patches applied. Instructions for installing VPN can be provided by the Trust's Informatics department.

VDI is accessible from any internet connected device that has VMware View Client installed. This is the preferred method for providing remote access to Trust systems and applications as all the processing is done on Trust servers. Instructions for installing VDI can be provided by the Informatics department.

When accessing Trust systems and applications remotely or from home you must ensure that no Trust data is saved on the local hard drive of a PC (desktop or laptop), mobile device or any other data storage medium (such as a cloud-based storage or USB pen) that is not owned or approved by the Trust or not meeting the required standards outlined in this document.

When working remotely in public places, meeting rooms and other unprotected areas, care should be taken to avoid unauthorised access to or disclosure of the information stored and processed during the remote session. Care should be taken by staff to minimise the risk of unauthorised persons overlooking the screen.

Confidentiality Policies apply equally to information whether in the office or at home. Failure to maintain confidentiality may result in disciplinary action.

Network Links with Other NHS Trusts and third party Suppliers

In line with the Trust Network Security code of practice, transmission of data using N3 to other NHS Trusts and third party suppliers must be encrypted using VPN technology, Remote Desktop with TLS encryption or other approved encryption software or technologies. For further information regarding this, please log a call with the Informatics Service Desk.

Further information on network security can be found in the Network Code of Practice.

Removable Media

Removable media refers to any kind of portable data storage device that can be connected to and removed from the PC. This incorporates:
- Data DVDs or CDs
- Zip Drives and portable hard drives
- USB Pens
This list is not exhaustive.

Sensitive data must not be stored on any removable media unless the device meets the Trust's encryption standards.

Removable media must not in normal circumstances be used to store Trust data unless you have a legitimate and justifiable requirement and it is absolutely necessary to do so.

Trust data must not be stored solely on these devices. For advice on backing up your files and folders, please log a call with the Informatics Service Desk.

Trust approved USB pens can be obtained through the Informatics Service Desk.

Bring Your Own Device (BYOD) and use of Personal Devices

Trust email can be accessed on your personal smartphone/tablet device using the BYOD facility or through the normal network connectivity your device uses (3G/4G/Wi-Fi). The following applies irrespective of the network connection used by your personal device.

The Trust provides BYOD (Bring Your Own Device) access at its central-island site location. This facility allows staff to use their own personal mobile device at work to access Trust email and also the Internet. BYOD access can be applied for by completing the BYOD form found under forms on Staffnet.

The BYOD facility is currently offered for the following devices / operating systems:
- Apple iPad / iPhone: iOS 5 and above
- Android devices: Android 2.3 (Gingerbread) and above
- Windows devices: Windows 8

Information on connecting your personal device through 3G/4G/Wi-Fi can be provided by the Informatics Service Desk.

If you wish to use your personal smartphone/tablet device to access your Trust email, a security code will be required on your device; this is mandatory and is installed as part of the connection process. If you do not wish to have a security code then you will not be allowed to connect your device to your Trust email account.

With the exception of emails, you must not store any Trust data or information relating to patients, staff or any other confidential or sensitive data on your personal mobile device. You must not store any Trust data or information on cloud storage accessed through your personal device.

If your personal device has been set up to access your Trust email account then you must inform Informatics Servicedesk on immediately if your device is mislaid, lost or stolen. In this instance, Informatics will remotely wipe your device. This will remove ALL data from your device, including personal data. In line with recommended good practice you should ensure that all your own data and information stored on your personal device is regularly backed up.

Your device will also be wiped if your security code is incorrectly entered more than 5 times.

The Trust is not responsible for any loss of data / information on your personal device through using its BYOD facility or as a result of a remote wipe.

Mobile Phones

Mobile phones should not be used to record images of patients.

Personal mobile phones should not be used to hold work information and Trust-owned mobile phones should not be used to store sensitive data in messages or photographs.

For further guidance on mobile phones please refer to the Mobile phone policy on Staffnet.

Digital Cameras / iPods / MP3 Players

Digital cameras and other devices used to take images must be used in line with the Trust Patient Images Policy.

No sensitive data must be held on a digital camera, iPod or MP3 player but should be transferred to an approved storage device.

Cloud Storage

Cloud storage must not be used for storing sensitive (identifiable living or deceased individual, confidential data, commercially sensitive) data.

Cloud storage may occasionally be used where data has been approved as non-sensitive and available in the public domain (e.g. an informative presentation). However, care must be taken in the use of cloud storage and you must ensure that the data is not put at risk through breach of copyright, data ownership or breach of other Trust policies, codes of practice or legislation.

Where a member of staff chooses to store their own personal details regarding work on cloud storage (e.g. a shift rota pattern) then this is at their own risk and the Trust is not responsible for any misuse or inappropriate access to that data.
If other staff details are included (whether implicitly or explicitly) then explicit permission must be given by those staff members.

In order to protect its network, systems, data and information from risk of breaches of security, viruses and other malware, some cloud storage and particularly hosting services such as Dropbox will not be available through the Trust's network. For further details on Internet access please see the Trust's Internet and Email Usage Code of Practice.

Disposal of Redundant / Obsolete Trust IT Equipment

IM&T equipment may be classed as redundant / condemned (obsolete) when:
- It has failed and is beyond economic repair
- It is below recommended minimum specification and is not fit for its purpose of use

The Informatics department will confirm when a piece of IM&T equipment falls within the above.

Redundant / condemned IM&T equipment will be removed by the Informatics department or their nominated representative. No other person must remove redundant or condemned IM&T equipment without prior permission from the Informatics department.

Informatics will ensure that hard drives and other storage mediums are destroyed in line with governance standards to ensure that there is no risk of breach of confidentiality/security of the data/information stored on them.

In line with legislation such as Health and Safety, Electrical Regulations etc., redundant / condemned IM&T equipment is not sold to staff.

Trust IM&T equipment which is no longer required for its original purpose but still meets or exceeds minimum specification will be re-allocated within the Trust.

For further information regarding the above please contact the Informatics Service Desk.

For information on the safe disposal of Trust mobile phones please contact the Facilities department.

3 Dealing with Breaches of Security

Any breach or potential breach in security must be reported through the Trust Incident Reporting procedure.

A full investigation, following any reported breach, must be undertaken by appropriate Managers.

Where required, external bodies must be notified of reported breaches.
Action required from the outcome of the investigation will be in line with appropriate Trust policies.

4 User Responsibility

This Code of Practice applies to all authorised users of Central Manchester University Hospitals NHS Foundation Trust (CMFT) data and systems including staff who are not employed by CMFT but use CMFT data or systems.

It is the responsibility of all users within CMFT to ensure that the computer systems and data are safe and secure. This includes physical access, such as ensuring unattended offices are locked, and system or data access, such as ensuring passwords are changed regularly and not disclosed to anyone else.

Each user is responsible for ensuring that no breaches of information security result from their actions.

Each user is responsible for reporting any breach, or suspected breach, of security.

Each user is responsible for ensuring that deletion or disposal of data or physical devices is in line with Trust policies and procedures. These include, but are not limited to, the Trust Record Keeping Policy and Trust Data Protection Policy.

Each user is responsible for ensuring that appropriate backups of data have been made, where data is stored locally and not held on centrally provided storage (e.g. network drive / SAN). For further information regarding backups, please log a call with the Trust Informatics Service Desk.

5 Manager Responsibility

Each manager must ensure that their staff, including those staff not employed by CMFT but under their management remit, are instructed in their security responsibilities and are aware of confidentiality clauses in their contract of employment.

Each manager must ensure that each member of staff only has access to systems or data which is appropriate to their job function.

Each manager must ensure that risk assessments in accordance with organisational policy and NHS Information Governance guidance are undertaken with regard to using laptops and transfer of sensitive data outside of the Trust.

Department Heads, or appropriate managers, must authorise the use of any laptop which is to be used outside premises owned by CMFT and ensure that additional authorisation has been obtained from the Trust Caldicott Guardian, or nominated officer, where the processing of sensitive data is proposed.
Each manager must ensure that any breach or potential breach of security in their area is investigated appropriately and recommended actions following the investigation are implemented. Each manager is also responsible for ensuring that any reported breach in security is disclosed to the appropriate authorities including external bodies such as the Information Commissioner's Office and the Police.

Each manager must ensure that the correct procedures are followed when staff transfer from their department or leave the employment of the Trust. This includes the return of all Trust devices such as laptops and removal of system / data access.

6 Informatics Responsibility

Informatics is responsible for:

- ensuring that all security and encryption devices or software meet the necessary standards as required by NHS Information Governance and other local policies and legislative acts.
- ensuring that appropriate guidance is available to all CMFT users in relation to data security and that this guidance is updated as technologies develop.
- ensuring that all PC installations undertaken by the Informatics department include the required level of security and encryption hardware / software and that security updates are applied in a timely manner.
- ensuring that appropriate hardware / software is deployed to protect the Trust from virus / malware.
- ensuring that in the event of a virus outbreak / attack, virus definitions and other appropriate patches are deployed in an emergency manner and that immediate action is taken to minimise the impact on the Trust of a virus attack.
- ensuring that redundant hard drives and other storage mediums passed to them are destroyed in line with governance standards to ensure that there is no risk of breach of confidentiality/security of the data/information stored on them.
- monitoring and analysing breaches of data security and ensuring corrective action is taken, including pro-active steps to reduce the risk of breach.
- undertaking audits, on a planned and spot-check basis, to ensure security and compliance with Trust guidelines.

Informatics reserves the right to take preventative action if a breach or potential breach of security is identified. This includes withdrawing the use of IT facilities until corrective actions have been undertaken and approved.
7 FURTHER INFORMATION

If further information is required regarding this Code of Practice or any security issue, please log a call with the Informatics Service Desk.