RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 2.0.1
|
|
- Oswald Bradford
- 7 years ago
- Views:
Transcription
1 RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version Revised and effective from 1st April 2012
2 Document Control Organisation Title Author Filename Owner Subject Protective Marking Review date ICT Services Information Security Incident Management Policy Steve Carter \\adrctcictnas2\gcsx\gcsx-project\policies and Procedures\Information Security Incident Management Policy Head of ICT/SIRO Security Incident Management Unclassified The Information Management & Security Forum will formally review the Information Security Policy annually Revision History Revision Revisor Previous Description of Revision Date Version 01/07/09 E. Pritchard 0.1 Highlighted (other than yellow) - removed 20/07/09 E. Pritchard 0.3 Amends from HR, ICT & Internal Audit 22/02/12 S. Carter 2.0 Updates around Paper based Incidents and Reporting 1/04/2012 S. Carter 2.0 Review - Minor Amendments Document Approvals This document requires the following approvals: Sponsor Approval Name Date Information Management & Phil Derham (Finance) Security Forum Andrew Hopkins (Internal 01/03/2012 Audit) Rhianydd Davies (HR) Jeanette Howells (ESG) Josie Rhisart (Education) Sally Churchill (CCS) Andy Wilkins (Legal) Louise Evans (ICT) Head Of ICT Tim Jones 19/03/2012 SIRO Leigh Gripton 21/03/2012 Document Distribution This document will be distributed to: Name Job Title Address All employees, members, contractors, third party suppliers Page 2 of 11
3 Contents Section Page 1 Policy Statement 4 2 Purpose 4 3 Scope 4 4 Definition 4 5 Risks 5 6 Applying the Policy 5 7 Policy Compliance 5 8 Policy Governance 6 9 Review and Revision 6 Appendices Section Page 10 Reporting Information Security Incident Procedure 7 11 Examples of Information Security Incidents Process Flow; Reporting an Information Security Event or 11 Weakness Page 3 of 11
4 1 Policy Statement Protecting Rhondda Cynon Taff County Borough Council s computers, systems, electronic and paper based data from unauthorised use is of paramount importance with the management of system security and our response to breaches playing an important role in this process. All employees and personnel that have access to the Authority s information assets must adhere to the policy defined below in order to protect the security of the network, protect computer systems and protect data integrity and confidentiality. 2 Purpose The purpose of this policy is to mandate a standard for the management of Information Security Incidents or weaknesses. A consistent approach to dealing with all security events must be maintained across the Council. The events must be analysed to establish when security events become escalated to an incident. The incident response procedure must be a seamless continuation of the event reporting process and must include contingency plans to advise the Council on continuing operation during the incident. 3 Scope This policy applies to employees, members, contractors, third party suppliers or anyone with access to electronic or paper based information systems and or output from such systems. 4 Definition This policy needs to be applied as soon as information systems or data are suspected to be, or are actually affected by an adverse event which is likely to lead to a security incident. The definition of an information management security incident ( Information Security Incident in the remainder of this policy and procedure) is an adverse event that has caused or has the potential to cause damage to an organisation s information assets, reputation and / or personnel. Incident management is concerned with intrusion, compromise and misuse of information and information resources, and the continuity of critical information systems and processes. An Information Security Incident includes, but is not restricted to, the following: The loss or theft of data or information. The transfer of data or information to those who are not entitled to receive that information. Attempts (either failed or successful) to gain unauthorised access to data or information storage or a computer system. Page 4 of 11
5 Changes to information or data or system hardware, firmware, or software characteristics without the Council's knowledge, instruction, or consent. Unwanted disruption or denial of service to a system. The unauthorised use of a system for the processing or storage of data by any person. Examples of some of the more common forms of Information Security Incidents have been provided in Appendix 2. 5 Risks The Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business. This policy aims to mitigate the following risks: To reduce the impact of information security breaches by ensuring incidents are responded to consistently, efficiently and effectively. To help identify areas for improvement to decrease the risk and impact of future incidents. Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers. 6 Applying the Policy Events and weaknesses need to be reported at the earliest possible stage as they need to be assessed by an Information Management Officer. The Information Management Officer enables the Service to identify when a series of events or weaknesses have escalated to become an incident. It is vital for ICT Services to gain as much information as possible from the business users to identify if an incident is occurring. For full details of the procedure for incident handling please refer to Appendix 3. 7 Policy Compliance Any breach of this policy may warrant further investigation that may lead to the Council s disciplinary procedures being invoked and in certain circumstances, may necessitate the involvement of the Police. Specifically in relation to third party suppliers or contractors, non conformance will result in the immediate removal of access to Council systems. If damage or compromise of Council systems results, the Council may consider legal proceedings Page 5 of 11
6 8 Policy Governance The following table identifies who within the council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply: Responsible the person(s) responsible for developing and implementing the policy. Accountable the person who has ultimate accountability and authority for the policy. Consulted the person(s) or groups to be consulted prior to final policy implementation or amendment. Informed the person(s) or groups to be informed after policy implementation or amendment. Responsible Accountable Consulted Informed All Group Directors, Service Directors and Heads of Service Head of Service for ICT Human Resources, Internal Audit, ICT Information Management Group All users of Council Systems 9 Review and Revision The Information Management Group will review the Information Security Policy and its supporting policies every six months and reissue it annually, drawing attention to any changes that may have been made. Page 6 of 11
7 10 Appendix 1 - Procedure for Incident Handling 10.1 Reporting Information Security Events or Weaknesses The following sections detail how all users must report information security events or weaknesses. Appendix 3 provides a process flow diagram illustrating the process to be followed when reporting information security events or weaknesses Reporting Information Security Events for all Employees All suspected security events should be reported immediately to the user s Line Manager and the ICT Service Desk on The ICT Service Desk will require you to supply further information, the nature of which will depend upon the nature of the incident. However, the following information must be supplied: Contact name and number of person reporting the incident. E mail address of person reporting the incident. Department and Directorate of person reporting the incident. The type of data, information or equipment involved. Whether the loss of the data puts any person or other data at risk. Location of the incident. Inventory numbers of any equipment affected. Date and time the security incident occurred. Location of data or equipment affected. Type and circumstances of the incident. Security events, for example a virus infection, could quickly spread and cause data loss across the organisation. All users must understand, and be able to identify that any unexpected or unusual behaviour on the workstation could potentially be a software malfunction. If an event is detected users must: Note the symptoms and any error messages on screen. Disconnect the workstation from the network if an infection is suspected (with assistance from ICT Support Staff). Not use any removable media (for example USB memory sticks) that may also have been infected Responsibilities for the Management of Information Security Incidents A consistent approach to dealing with all security events must be maintained across the Council. The events must be analysed and the Information Management Officer must be consulted to establish when security events become escalated to an incident. The incident Page 7 of 11
8 response procedure must be a seamless continuation of the event reporting process and must include contingency plans to advise the Council on continuing operation during the incident Collection of Evidence If an incident requires information to be collected for an investigation, strict rules must be adhered to. The collection of evidence for a potential investigation must be approached with care and where necessary the Information Management Officer may contact the Councils Data Protection Officer and Internal Audit for guidance. If in doubt about a situation, for example concerning computer misuse or paper security, contact the ICT Service Desk for advice Responsibilities and Procedures Management responsibilities and appropriate procedures must be established to ensure an effective response against security events. The Information Management Officer must in consultation with Senior Information Management Risk Officer (SIRO), Legal Services, Internal Audit and Human Resources decide when events are classified as an incident and determine the most appropriate response. An incident management process must be created and include details of: Identification of the incident, analysis to ascertain its cause and vulnerabilities exploited. Limiting or restricting further impact of the incident. Tactics for containing the incident. Corrective action to repair and prevent reoccurrence. Communication across the Council to those affected. The actions required to recover from the security incident must be under formal control. Only identified and authorised staff should have access to the affected electronic or paper based systems during the incident and all of the remedial actions should be documented in as much detail as possible Learning from Information Security Incidents To learn from incidents and improve the response process incidents must be recorded and a Post Incident Review conducted. The following details must be retained by ICT: Types of incidents. Volumes of incidents and malfunctions. Costs incurred during the incidents. Page 8 of 11
9 The information must be collated and reviewed on a regular basis by ICT Services and any patterns or trends identified. Any changes to the process made as a result of the Post Incident Review must be formally noted. The information, where appropriate, should be shared with GovCertUK, the Warning, Advice and Reporting Point (WARP) to aid the alert process for the region and where deemed appropriate the Information Commissioners Office (ICO). Page 9 of 11
10 11 Appendix 2 Examples of Information Security Incidents Examples of the most common Information Security Incidents are listed below. It should be noted that this list is not exhaustive. Misuse Giving information to someone who should not have access to it - verbally, in writing or electronically. Computer infected by a Virus or other Malware. Sending a sensitive to 'all staff' by mistake. Receiving unsolicited mail of an offensive nature. Receiving unsolicited mail which requires you to enter personal data. Finding data that has been changed by an unauthorised person. Receiving and forwarding chain letters including virus warnings, scam warnings and other s which encourage the recipient to forward onto others. Unknown people asking for information which could gain them access to Council data (e.g. a password or details of a third party). Sending confidential or sensitive information to the incorrect recipient Use of unapproved or unlicensed software on Council equipment. Accessing a computer system using someone else's authorisation (e.g. someone else's user id and password). Writing down your password and leaving it on display / somewhere easy to find. Printing or copying confidential information and not storing it correctly or confidentially. Theft / Loss Theft / loss of a hard copy file. Theft / loss of any computer equipment. Page 10 of 11
11 SECURITY INCIDENT MANAGEMENT POLICY OWNER: ICT SMT DATE: 24/02/ Appendix 3 Process Flow; Reporting an Information Security Event or Weakness INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 1. 0 All suspected security events to be reported to user s Line Manager and the ICT Service Desk via telephone. The following information must be provided *Contact name and number of the person reporting the incident * address of the person reporting the incident *Department and Directorate of person reporting the incident *The type of data, information or equipment involved Whether * the loss of data put any person or other data at risk *Location of the incident *Inventory numbers of any equipment affected *Location of data or equipment affected *Type and circumstances of the incident Event Record created in HEAT and unique sequential reference number generated and provided to the customer The ICT Service Desk will advise the user to *Note the symptoms and any error messages on the screen Disconnect the workstation from the network if an infection is suspected and request assistance from ICT Support Staff *Not use any removable media, for example USB memory sticks that may have been infected Security event to be analysed by Information Management Officer and progressed as either an event or an incident Incident Event or Incident Event If an incident requires the collation of evidence for a potential investigation this must be approached with care and the Councils Data Protection Officer and Internal Audit team consulted for guidance Incident Management Process to be invoked to include Analysis of the cause and the vulnerabilities exploited * * Limiting or restricting further impact of the incident *Tactics for containing the incident *Corrective action to repair and prevent reoccurrence *Communication across the Council to those affected ICT Information Management Officer to Sign off event with SIRO Event Closed Actions required to recover from the incident must be under formal c. ontrol Identified / Authorised staff only to have access to the affected systems during the incident. Remedial action undertaken to be documented in as much detail as possible Post Incident Review to be conducted, the following must be retained by ICT, Types of incident, volumes of incidents and malfunctions, costs incurred during the incident. Where appropriate information to be shared with WARP (Warning, Advice and Reporting Point), GovCert UK and the Information Commissioners Office (ICO) Incident Closed Incident Report retained Page 1 Page 11 of 11
Information Security Incident Management Policy and Procedure
Information Security Incident Management Policy and Procedure Version Final 1.0 Document Control Organisation Title Author Filename Owner Subject Protective Marking North Dorset District Council IT Infrastructure
More informationInformation Security Incident Management Policy and Procedure. CONTROL SHEET FOR Information Security Incident Management Policy
Bolsover District Council North East Derbyshire District Council & Rykneld Homes Ltd Information Security Incident Management Policy September 2013 Version 1.0 Page 1 of 13 CONTROL SHEET FOR Information
More informationSecurity Incident Management Policy
Security Incident Management Policy January 2015 Document Version 2.4 Document Status Owner Name Owner Job Title Published Martyn Ward Head of ICT Business Delivery Document ref. Approval Date 27/01/2015
More informationInformation Security Policy. Chapter 10. Information Security Incident Management Policy
Information Security Policy Chapter 10 Information Security Incident Management Policy Author: Policy & Strategy Team Version: 0.4 Date: December 2007 Version 0.4 Page 1 of 6 Document Control Information
More informationInformation Security Incident Management Policy
Information Security Incident Management Policy Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT Policy & Regulation
More informationSecurity Incident Policy
Organisation Title Author Owner Protective Marking Somerset County Council Security Incident Policy Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council will
More informationDBC 999 Incident Reporting Procedure
DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible
More informationInformation Incident Management Policy
Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit
More informationIslington Security Incident Policy A council-wide information technology policy. Version 0.7.1 July 2013
A council-wide information technology policy Version 0.7.1 July 2013 Copyright Notification Copyright London Borough of Islington 2014 This document is distributed under the Creative Commons Attribution
More informationU07 Information Security Incident Policy
Dartmoor National Park Authority U07 Information Security Incident Policy June 2010 This document is copyright to Dartmoor National Park Authority and should not be used or adapted for any purpose without
More informationSomerset County Council - Data Protection Policy - Final
Organisation Title Author Owner Protective Marking Somerset County Council Data Protection Policy - Final Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council
More informationHead of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2
Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationMerthyr Tydfil County Borough Council. Information Security Policy
Merthyr Tydfil County Borough Council Information Security Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of
More informationPolicy Document. IT Infrastructure Security Policy
Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT
More informationPolicy Document. Communications and Operation Management Policy
Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author
More informationHuman Resources Policy documents. Data Protection Policy
Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and
More informationUNCLASSIFIED. http://www.govcertuk.gov.uk. General Enquiries. Incidents incidents@govcertuk.gov.uk Incidents incidents@govcertuk.gsi.gov.uk.
Version 1.2 19-June-2013 GUIDELINES Incident Response Guidelines Executive Summary Government Departments have a responsibility to report computer incidents under the terms laid out in the SPF, issued
More informationINFORMATION SECURITY INCIDENT REPORTING POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More informationCorporate Information Security Management Policy
Corporate Information Security Management Policy Signed: Chief Executive. 1. Definition of Information Security 1.1. Information security means safeguarding information from unauthorised access or modification
More informationIT ACCESS CONTROL POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More informationTameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:
Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether
More informationThird Party Security Requirements Policy
Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,
More informationSoftware Policy. Software Policy. Policy and Guidance. June 2013
Software Policy Policy and Guidance June 2013 Project Name Software Policy Product Title Policy and Guidance Version Number 1.2Final Page 1 of 8 Document Control Organisation Title Author Filename Owner
More informationSECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures
SECURITY INCIDENT REPORTING AND MANAGEMENT Standard Operating Procedures Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme.
More informationTHE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31
THE MORAY COUNCIL Guidance on data security breach management Information Assurance Group DRAFT Based on the ICO Guidance on data security breach management under the Data Protection Act 1 Document Control
More informationUniversity of Aberdeen Information Security Policy
University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...
More informationIslington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014
Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document
More informationHow To Protect School Data From Harm
43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:
More informationSECURITY POLICY REMOTE WORKING
ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY REMOTE WORKING Introduction This policy defines the security rules and responsibilities that apply when doing Council work outside of Council offices
More informationINFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c
INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information
More informationISO IEC 27002 2005 (17799 2005) TRANSLATED INTO PLAIN ENGLISH
13.1 REPORT INFORMATION SECURITY EVENTS AND WEAKNESSES 1 GOAL Make sure that information system security incidents are promptly reported. 2 GOAL Make sure that information system security events and weaknesses
More informationABERDARE COMMUNITY SCHOOL
ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been
More informationInformation Incident Management and Reporting Procedures
` Information Incident Management and Reporting Procedures Compliance with all CCG policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may
More informationInformation Security
Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff
More informationData Protection Breach Reporting Procedure
Central Bedfordshire Council www.centralbedfordshire.gov.uk Data Protection Breach Reporting Procedure October 2015 Security Classification: Not Protected 1 Approval History Version No Approved by Approval
More informationInformation Security Policies. Version 6.1
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
More informationWorking Practices for Protecting Electronic Information
Information Security Framework Working Practices for Protecting Electronic Information 1. Purpose The following pages provide more information about the minimum working practices which seek to ensure that
More informationKEELE UNIVERSITY IT INFORMATION SECURITY POLICY
Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical
More informationVersion: 2.0. Effective From: 28/11/2014
Policy No: OP58 Version: 2.0 Name of Policy: Anti Virus Policy Effective From: 28/11/2014 Date Ratified 17/09/2014 Ratified Health Informatics Assurance Committee Review Date 01/09/2016 Sponsor Director
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationAUDIT COMMITTEE 10 DECEMBER 2014
AUDIT COMMITTEE 10 DECEMBER 2014 AGENDA ITEM 8 Subject Report by MANAGEMENT OF INFORMATION RISKS DIRECTOR OF CORPORATE SERVICES Enquiries contact: Tony Preston, Ext 6541, email tony.preston@chelmsford.gov.uk
More informationCorporate Information Security Policy
Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives
More informationNetwork Password Management Policy & Procedures
Network Password Management Policy & Procedures Document Ref ISO 27001 Section 11 Issue No Version 1.3 Document Control Information Issue Date April 2009, June 2010, September 2011 Status Approved By FINAL
More informationDATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE
DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful
More informationUniversity of Sunderland Business Assurance Information Security Policy
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
More informationCouncil, 14 May 2015. Information Governance Report. Introduction
Council, 14 May 2015 Information Governance Report Introduction 1.1 The Information Governance function within the Secretariat Department is responsible for the HCPC s ongoing compliance with the Freedom
More informationPhysical Security Policy
Physical Security Policy Author: Policy & Strategy Team Version: 0.8 Date: January 2008 Version 0.8 Page 1 of 7 Document Control Information Document ID Document title Sefton Council Physical Security
More informationCyber Security Incident Reporting Scheme
OCIO/G4.12a ISMF Guideline 12a Cyber Security Incident Reporting Scheme BACKGROUND Reporting cyber security incidents is a source of intelligence information that assists in the development of a greater
More informationNote: Non JCQ awarding bodies have their own reporting forms and these would be used where appropriate.
MALPRACTICE IN ASSESSMENT POLICY 1. Policy Statement 1.1 Carshalton College is committed to ensuring that issues of malpractice in internal and external examinations and assessments are addressed. For
More informationPS177 Remote Working Policy
PS177 Remote Working Policy January 2014 Version 2.0 Statement of Legislative Compliance This document has been drafted to comply with the general and specific duties in the Equality Act 2010; Data Protection
More informationDene Community School of Technology Staff Acceptable Use Policy
Policy Overview Dene Community School of Technology The school provides computers for use by staff as an important tool for teaching, learning, and administration of the school. Use of school computers,
More informationSTRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS
Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level
More informationSenior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES
Senior School 1 PURPOSE The policy defines and describes the acceptable use of ICT (Information and Communications Technology) and mobile phones for school-based employees. Its purpose is to minimise the
More informationInformation Security Policy
Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September
More informationInformation Security Incident Protocol
Information Security Incident Protocol Document Owner Caroline Dodge Tel: 01622-221652 caroline.dodge@kent.gov.uk Version Version 2: July 2013 Contents 1. Protocol Objectives 2. Scope 3. Protocol Statement
More informationIncident reporting procedure
Incident reporting procedure Responsible Officer Author Date effective from Aug 2009 Date last amended Aug 2009 Review date July 2012 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance
More informationInformation Security Policy London Borough of Barnet
Information Security Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Document Description Information Security Policy Policy which sets out the council s approach to information
More informationSecurity Incident Procedures Response and Reporting Policy
Security Incident Procedures Response and Reporting Policy Approved By: \S\ James Palmer CSC Loss Prevention Director PCI Policy # 1030 Version # 1.0 Effective Date: MM/DD/YYYY Date 1.0 Purpose The purpose
More informationINFORMATION SECURITY POLICY
Information Security Policy INFORMATION SECURITY POLICY Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies
More informationIncident Response Plan for PCI-DSS Compliance
Incident Response Plan for PCI-DSS Compliance City of Monroe, Georgia Information Technology Division Finance Department I. Policy The City of Monroe Information Technology Administrator is responsible
More informationStandard: Information Security Incident Management
Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of
More informationThe Ministry of Information & Communication Technology MICT
The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationHarper Adams University College. Information Security Policy
Harper Adams University College Information Security Policy Introduction The University College recognises that information and information systems are valuable assets which play a major role in supporting
More informationThe Bishop s Stortford High School Internet Use and Data Security Policy
Internet Acceptance Use and Data Security Policy Last Updated: 08/10/2012 Date of Next Review: 08/10/2015 Approved by GB: 10/10/2012 Responsible Committee: Student Welfare and Development Internet Acceptable
More informationREMOTE WORKING POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More informationINFORMATION SECURITY POLICY
INFORMATION SECURITY POLICY Rev Date Purpose of Issue/ Description of Change Equality Impact Assessment Completed 1. June 2011 Initial Issue 2. 29 th March 2012 Second Version 3. 15 th April 2013 Third
More informationInformatics Policy. Information Governance. Network Account and Password Management Policy
Informatics Policy Information Governance Policy Ref: 3589 Document Title Author/Contact Document Reference 3589 Document Control Network Account Management and Password Policy Pauline Nordoff-Tate, Information
More informationNazareth Catholic College Student Acceptable Use of Information and Communications Technology Procedures
Nazareth Catholic College Student Acceptable Use of Information and Communications Technology Procedures 1. Introduction Nazareth Catholic College acknowledges the increasing use of Information and Communication
More informationHighland Council Information Security Policy
Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...
More informationSo the security measures you put in place should seek to ensure that:
Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.
More informationSecurity Incident Management Process. Prepared by Carl Blackett
Security Incident Management Prepared by Carl Blackett 19/01/2009 DOCUMENT CONTROL Purpose of document This document describes the Security Incident Management and defines all roles and responsibilities
More informationYMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY
YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY Author Head of IT Equality impact Low Original Date September 2003 Equality No This Revision September
More informationInformation Security Incident Management Guidelines. e-governance
Information Security Incident Management Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.
More informationInformation Classification and. Handling Policy
Information Security Document Information Classification and 1 Version History Version Date Detail Author 1.0 27/06/2013 Approved by Information Governance Jo White Group 2.0 31/07/2013 Approved by Information
More informationTONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE
GENERAL STATEMENT TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE 1.1 The Council recognises the increasing importance of the Internet and email, offering opportunities for improving
More informationMerthyr Tydfil County Borough Council. Data Protection Policy
Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the
More informationCaedmon College Whitby
Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be
More informationUMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE
UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE Originator Patch Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Recommended by Director
More informationInformation Security Incident Reporting & Investigation
Information Security Incident Reporting & Investigation Purpose: To ensure all employees, consultants, agency workers and volunteers are able to recognise an information security incident and know how
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationThe Wellcome Trust Sanger Institute IT Acceptable Use Policy (AUP) Version 1.8
The Wellcome Trust Sanger Institute IT Acceptable Use Policy (AUP) Version 1.8 Introduction The IT systems must be used in a reasonable manner and in such a way that does not affect their efficient operation,
More informationData Encryption Policy
Data Encryption Policy Please be aware that this printed version of the Policy may NOT be the latest version. Staff are reminded that they should always refer to the Intranet for the latest version. Purpose
More informationInformation Incident Management and Reporting Procedures
Information Incident Management and Reporting Procedures Compliance with all policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may result
More informationProcedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom
Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom
More informationINFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes
INFORMATION SECURITY POLICY Ratified by RCA Senate, February 2007 Contents Introduction 2 Policy Statement 3 Information Security at RCA 5 Annexes A. Applicable legislation and interpretation 8 B. Most
More informationData Protection Policy
Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review
More informationITEC Malpractice & Maladministration Policy
ITEC Malpractice & Maladministration Policy Version 3 1 Contents Malpractice & Maladministration Policy 3 Introduction 3 Centre s Responsibility 3 Review Arrangements 4 Definition of Malpractice 4 Definition
More informationPolicy Document Control Page
Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):
More informationAcceptable Use of Information Systems Standard. Guidance for all staff
Acceptable Use of Information Systems Standard Guidance for all staff 2 Equipment security and passwords You are responsible for the security of the equipment allocated to, or used by you, and must not
More informationIM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers
IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy DOCUMENT INFORMATION Author: Vince Weldon Associate Director of IM&T Approval: Executive This document replaces: IM&T Policy No. 1 Anti Virus Version
More informationNHS Waltham Forest Clinical Commissioning Group Information Governance Strategy
NHS Waltham Forest Clinical Commissioning Group Governance Strategy Author: Zeb Alam, CCG IG Lead, (NELCSU) David Pearce, Head of Governance, WFCCG Version 3.0 Amendments to Version 2.1 Annual Review Reference
More informationInformation security incident reporting procedure
Information security incident reporting procedure Responsible Officer Author Date effective from 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended
More informationRotherham CCG Network Security Policy V2.0
Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October
More informationNHS Business Services Authority Information Security Incident Handling Procedure
NHS Business Services Authority Information Security Incident Handling Procedure NHS Business Services Authority Corporate Secretariat NHSBSAIS003 Issue Sheet Document reference NHSBSAIS003 Document location
More informationNOS for IT User and Application Specialist. IT Security (ESKITU04) November 2014 V1.0
NOS for IT User and Application Specialist IT Security (ESKITU04) November 2014 V1.0 NOS Reference ESKITU040 ESKITU041 ESKITU042 Level 3 not defined Use digital systems NOS Title Set up and use security
More informationUMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY
UMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY Antivirus Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Originator Recommended by Director
More informationData Transfer Policy. Data Transfer Policy London Borough of Barnet
Data Transfer Policy Data Transfer Policy London Borough of Barnet Document Control POLICY NAME Data Transfer Policy Document Description Policy surrounding data transfers (electronic and paper based).
More information