Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager
|
|
- Deborah Chase
- 7 years ago
- Views:
Transcription
1 Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security and Compliance Manager Information and Library Services Issue th January th January 2017 Information Assurance and Security Committee 1
2 1.0 Introduction University of Greenwich Information Security and Assurance Policy University of Greenwich information assets are valuable to its objectives. The confidentiality, integrity and availability of University information assets are essential to the success of its operational and strategic activities. The University aims to secure its information assets by establishing an information security strategy that will enable the implementation of a robust information security risk management system and foster good security practices across its campuses. The Information Security Policy is a key component of the University s Information Security Strategy built on a framework of information security management standards and best practices. The Information Security Policy will serve as an overarching policy document to provide a high level overview of information security management within the University. The Information Security Policy will be supplemented by a suite of policies, processes, standards and procedures that will set out the expectations for information security within the University, and will provide clear guidelines to staff, students and other users of University information assets of their responsibilities for appropriate use and safety of these assets, and their legal obligations to comply with related statutory requirements. 2.0 Objectives The objectives of the Information Security Policy are: a) To ensure that University information assets are available when required to authorised users. b) To ensure that University information assets are adequately protected against unauthorised access, malicious or accidental loss, misuse or damage. c) To ensure that all users of University information assets are aware of and fully comply with this policy and supplementary policies, processes, standards, procedures and guidelines. d) To ensure that all users of University information assets understand their responsibilities for protecting the confidentiality and integrity of University information assets. e) To ensure that the risks to University information assets are appropriately managed. f) To ensure that information security incidents are resolved promptly and appropriately. g) To ensure that the University meets relevant audit and statutory requirements. h) To ensure there is an efficient disaster recovery plan in place. 2
3 i) To protect the University from any legal liability resulting from information security incidents. 3.0 Scope The Information Security Policy and supplementary policies, processes, standards and procedures apply to all forms of information stored, used or processed by the University including but not limited to all paper records and information held on electronic devices. The policy also applies to all information systems owned or leased by the University including information systems managed by third parties on behalf of the University. The policies apply to all staff, students, contractors and third party agents who access, use, handle or manage all University information assets. 4.0 Principles The following principles govern the University's information security approach: a) The University will adopt ISO Information Security Management Standard as a framework for its Information Security Strategy along with other supporting good practices from JISC and UCISA, and will ensure continuous assessment, development and maturity of the strategy. b) The University will adopt an information security risk management approach in line with the Institutional Risk Management Policy to ensure information security risk mitigation efforts reflect the University s risk appetite. c) The Information Security Policy and supplementary policies, processes, standards, procedures and guidelines will be communicated to all users via training and awareness sessions, inductions, University intranet and internet, bulletins and other appropriate communication channels. d) University data (information) will be classified and provided with appropriate safeguards commensurate to their value, ensuring they are available when needed and protected against unauthorised or inappropriate access or use. e) User access to the University s information assets will be based on job requirements rather than job titles. Access rights will be reviewed at regular intervals and revoked if or where necessary. f) The University believes that information security is the responsibility of its information asset users, and will set out the responsibilities for the strategic leadership, management and coordination of the information security strategy, and use of its information assets via relevant policies, job descriptions and terms and conditions of employments. 3
4 g) The University will establish and promote an information security awareness culture amongst its information asset users through user awareness and training, publications on information security risks and incidents, and guidelines for managing them. h) Disaster recovery plans for mission critical information assets and related services will be established, tested and maintained. i) The University will implement an incident reporting and management system to enable prompt and appropriate incident resolution activities and inform risk assessments and management. j) The University will enforce and monitor compliance with the Information Security Policy, supplementary policies, processes, standards, procedures and guidelines. 5.0 Compliance The University has an obligation to comply with relevant legal and statutory requirements. The Information Security Policy and supplementary policies, processes, standards, procedures and guidelines are to promote and enforce compliance with applicable laws by providing directions and guidelines on good information security practices to underpin the University s compliance with these laws. The applicable laws include but are not limited to: a) Data Protection Act (1998) b) Copyright, Designs and Patents Act (1988) c) Computer Misuse Act (1990) d) Counter- Terrorism and Security Act 2015 and Prevent Duty Guidance: for Higher Education Institutions in England and Wales e) Public Interest Disclosure Act f) Computer related legislation g) Other relevant legislations that may influence this policy 5.1 Relationship with other policies The Information Security Policy is related to the University s data privacy, risk and information management policies to facilitate the implementation of relevant requirements set out in the related policies in order to assure compliance with the statutory laws that govern these policies. These policies include: a) Data Protection Policy b) Information and Records management Policy 4
5 c) Archiving Policy d) Risk Management Policy All users of University information assets must comply with the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines and must also keep abreast of updates to these policies. Failure to adhere to the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines will be addressed by necessary disciplinary actions in accordance to the University s Staff Disciplinary Procedures, Student Disciplinary Regulations and Procedures and relevant contractor and third party contractual clauses relating to non- conformance with the Information Security Policy and related policies. 6.0 Responsibilities for Information Security 6.1 Vice Chancellor s Group The Vice Chancellor s Group is ultimately responsible for information security management and compliance with related statutory laws in the University. The Vice Chancellor s Group is responsible for the strategic direction of information security within the University including: a) Ensuring the information security strategy aligns with University objectives. b) Endorsing the implementation of approved policies, processes, standards and procedures. c) Resourcing and supporting information security initiatives. d) Ensuring risks are mitigated to acceptable levels. 6.2 IT Strategy Board The IT Strategy Board will be responsible for: a) Ensuring that information security is properly managed across the University. b) Driving the allocation of resources and supporting the implementation of information security initiatives. c) Engaging with the Information Assurance and Security Committee (IASC) to facilitate an information security awareness culture in the University. d) In collaboration with the Information Assurance and Security Committee, advise the Vice Chancellor s Group on matters relating to information security management and compliance assurance. 6.3 Information Assurance and Security Committee (IASC) 5
6 The Information Assurance and Security Committee will provide leadership on the management of information security within the University and serve as an advisory body to the Vice Chancellor s Group (VCG) via the IT Strategy Board on information security matters. The committee s responsibilities are: a) To facilitate the establishment of the Information Security Management Strategy. b) To facilitate the development, implementation and evolvement of the strategy. c) To define the University s information security risks appetite and approach for mitigating related risks. d) To facilitate an information security awareness culture. e) To review, recommend and approve relevant policies, procedures, standards and processes. f) To ensure compliance with relevant policies, audit and statutory requirements. g) To facilitate the implementation of information security initiatives and provide governance oversight on progress and outcomes. h) To review information security requirements for major IT and data sharing/migration projects and recommend best practices. i) To review major information security incidents and lessons learned and make recommendations. j) To advise and recommend response plans to related internal and external audit findings. k) To engage and advise the VCG on information security management and compliance assurance via the IT Strategy Board. 6.4 Information Security Management (Information and Library Services) Information Security Management sits within the Information and Library Services (ILS) Directorate and is responsible for: a) Coordinating the implementation of the Information Security Strategy and Policy, and supplementary policies, processes, standards, procedures and guidelines across the University. b) Communicating the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines to all users of its information assets. c) Coordinating the implementation of the Information Security Awareness and Training Plan. d) Monitoring compliance with the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines. e) Updating the Information Security Policy and supplementary policies, processes, standards, procedures and guidelines to ensure they remain fit for purpose. f) Managing the implementation of information security risk assessments and relevant mitigation controls; monitoring and reporting on risks to the IASC. 6
7 g) Managing and monitoring incidents and reporting findings to the IASC. h) Monitoring the state of University information security and reporting on findings and key performance indicators to the IASC to inform the Statement of Internal Control. i) Monitoring and analysing external information security attack trends and advising the IASC of related risks to the University. 6.5 All Users (staff, students, contractors and third party agents) All individuals who access, use, handle and manage University information assets are responsible for: a) Familiarising themselves with the Information Security Policy, related policies, processes, standards, procedures and guidelines. b) Familiarising themselves and agreeing to comply with their legal responsibilities for appropriate use and safety of University information assets. c) Completing relevant information security awareness and training courses. d) Reporting information security incidents via the appropriate procedure promptly. 7.0 Risk Management The University s Risk Management Policy is a high level document that sets out the University s approach for managing and reducing risks to an acceptable level. In line with the Risk Management Policy, the University will develop an information security risk management system to support faculties and administrative offices in identifying internal and external risks to the security of the University s information assets they are responsible for. Relevant, appropriate and cost effective controls along with necessary training where applicable will be implemented in a timely manner to mitigate identified risks. In addition, the information security risk management system will be a tool for evaluating the effectiveness of risk mitigation controls, and will inform the recommendation and implementation of new or additional controls where necessary, and ensure continuous monitoring of risks. 8.0 Awareness and Training Information Security awareness and training will be a key component of the University s information security strategy designed to strengthen users compliance with University information security policies and the University s compliance with audit and statutory requirements. 7
8 Through information security awareness and training, the University aims to establish an information security conscious culture, providing basic knowledge and relevant skills that will enable users to carry out their information security responsibilities, and promoting good security practices amongst users of its information assets. University staff and students must complete relevant awareness and training courses made available by the University. Contractors and third parties will be responsible for providing necessary awareness and training to their staff. 9.0 Data Classification and Information Handling Data classification and appropriate information handling procedures will facilitate good information management within the University to ensure that University data (from creation to retention and/or destruction) is handled in a manner that safeguards the confidentiality, integrity and availability of the data. In order to achieve this, The University will establish a Data Classification Policy and Information Handling Procedures that will set out how University data should be accessed, used and handled, and the appropriate controls that should be implemented commensurate with the sensitivity and criticality of the data. All users of University data are required to familiarise themselves with the Data Classification Policy and information handling procedures in order to engage in suitable security practices to protect University data from unauthorised access, disclosure, modification, loss, theft or damage Disaster Recovery Plan The University has a responsibility to establish processes that will ensure essential business operations and services are sustained while recovering from a major information system failure or a disaster. There is a University Business Continuity Plan (BCP), covering all essential and critical business activities, and is supplemented by the IT Disaster Recovery Plan, which provides the procedures to be followed in order to optimise continuity of IT services, and then enable a return to normal operations in the event of a disaster. Information Security Management in consultation with relevant staff and parties across the University will undertake business impact analyses and risk assessments of critical systems and services within the University s IT infrastructure, identifying the levels of risks to the Institution as a result of a system 8
9 or service unavailability. This includes the risk to operations, teaching, research, legal obligations and reputation. The outcomes of the risk assessments will serve to indicate the criticality of each system and related service and therefore determine the appropriate recovery and continuity provision for each component Incident Management The management of information security incidents in a prompt and appropriate manner will enable the University to efficiently mitigate the risks and any legal implications that may be associated with information security incidents. The University s Data Security Breach Policy sets out the procedure and guidelines for reporting information security and data breach incidents. The Data Security Breach Policy is available to all users via the University s internet and intranet. All users are responsible for complying with the statements and steps detailed in the Policy. In addition, the University aims to implement a problem management system that will facilitate an optimised incident notification, escalation, response, and resolution process allowing efficient use of relevant resources in addressing information security incidents Policy Review and Maintenance This policy will be reviewed and updated regularly to ensure that it remains appropriate in light of changes to business requirements, statutory laws or contractual obligations Definitions Authorised Users (in the context of this policy and related documents) Availability Business Impact Analysis Confidentiality All users who access, handle, process, store, share or manage the University s information assets. These are University staff, students, contractors and third party agents. Information assets are accessible only to authorised users when required. A process for determining the impact of a loss or unavailability of an information asset or service to an organisation. Access to and sharing of sensitive or personal information is restricted only to authorised users. 9
10 Information Assets (in the context of this policy and related documents) Information Processing Facilities Information Systems Integrity Key information assets Risk Risk Assessment A collection of information (paper or digital format), hardware, software, infrastructure and services that support the implementation of University strategic and operational activities. IT system or service, location, building or infrastructure that houses information processing systems and services. Information processing computers or data communication systems. The preservation of the complete, accurate and validate state of information assets. Information assets that are highly essential to University critical activities and services. The probability of an exploited weakness and its resulting consequence leading to an adverse event. A process for identifying and evaluating risks Links Links to University related information security policies, processes, standards, procedures and guidelines. Links to the Data Protection policy and related documents. 10
Newcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationUniversity of Sunderland Business Assurance Information Security Policy
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationInformation Security Policy
Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September
More informationINFORMATION SECURITY MANAGEMENT POLICY
INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June
More informationKEELE UNIVERSITY IT INFORMATION SECURITY POLICY
Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical
More informationLEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
More informationInformation security policy
Information security policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review of IS Policy\Current
More informationNHS Business Services Authority Information Security Policy
NHS Business Services Authority Information Security Policy NHS Business Services Authority Corporate Secretariat NHSBSAIS001 Issue Sheet Document reference NHSBSARM001 Document location F:\CEO\IGM\IS\BSA
More informationHead of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2
Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications
More informationHarper Adams University College. Information Security Policy
Harper Adams University College Information Security Policy Introduction The University College recognises that information and information systems are valuable assets which play a major role in supporting
More informationNSW Government Digital Information Security Policy
NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core
More informationInformation Security Management System Policy
Information Security Management System Policy Public Version 3.3 Issued Document Name Owner P079A ISMS Security Policy Information Security Security Policies, Standards and Procedures emanate from the
More informationInformation Governance Strategy & Policy
Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information
More informationUniversity of Liverpool
University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October
More informationData Protection Breach Management Policy
Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/
More informationCorporate Information Security Policy
Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives
More informationINFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c
INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information
More informationUTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter
Pennsylvania State System of Higher Education California University of Pennsylvania UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter Version [1.0] 1/29/2013 Revision History
More informationInformation Security: Business Assurance Guidelines
Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies
More informationHow To Ensure Information Security In Nhs.Org.Uk
Proforma: Information Policy Security & Corporate Policy Procedures Status: Approved Next Review Date: April 2017 Page 1 of 17 Issue Date: June 2014 Prepared by: Information Governance Senior Manager Status:
More informationINFORMATION SECURITY POLICY
Information Security Policy INFORMATION SECURITY POLICY Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies
More informationThird Party Security Requirements Policy
Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,
More informationInformation Management Responsibilities and Accountability GUIDANCE September 2013 Version 1
Information Management Responsibilities and Accountability GUIDANCE September 2013 Version 1 Document Control Document history Date Version No. Description Author September 2013 1.0 Final Department of
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationTitle: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION
Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for
More informationData Protection Policy
Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT
More informationThe potential legal consequences of a personal data breach
The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.
More informationInformation Security Policy and Handbook Overview. ITSS Information Security June 2015
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
More informationInformation Governance Policy (incorporating IM&T Security)
(incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the
More informationInformation Security Program
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
More informationMike Casey Director of IT
Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date
More informationInformation Security Policy
Office of the Prime Minister document CIMU P 0016:2003 Version: 2.0 Effective date: 01 Oct 2003 Information 1. statement i) General The Public Service of the Government of Malta (Public Service) shall
More informationCOMMERCIALISM INTEGRITY STEWARDSHIP. Security Breach and Weakness Policy & Guidance
Security Breach and Weakness Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Security Breach & Weakness
More informationR345, Information Technology Resource Security 1
R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,
More informationISO27001 Controls and Objectives
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
More informationInformation Security Management System Information Security Policy
Management System Policy Version: 3.4 Issued Document Name: Owner: P079A - ISMS Security Policy Classification: Public Security Policies, Standards and Procedures emanate from the Policy which has been
More informationCrime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection
Crime Statistics Data Security Standards Office of the Commissioner for Privacy and Data Protection 2015 Document details Security Classification Dissemination Limiting Marker Dissemination Instructions
More information9. GOVERNANCE. Policy 9.8 RECORDS MANAGEMENT POLICY. Version 4
9. GOVERNANCE Policy 9.8 RECORDS MANAGEMENT POLICY Version 4 9. GOVERNANCE 9.8 RECORDS MANAGEMENT POLICY OBJECTIVES: To establish the framework for, and accountabilities of, Lithgow City Council s Records
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationInformation and Compliance Management Information Management Policy
Aurora Energy Group Information Management Policy Information and Compliance Management Information Management Policy Version History REV NO. DATE REVISION DESCRIPTION APPROVAL 1 11/03/2011 Revision and
More informationInformation Integrity & Data Management
Group Standard Information Integrity & Data Management Serco recognises its responsibility to ensure that any information and data produced meets customer, legislative and regulatory requirements and is
More informationInformation Governance Framework. June 2015
Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review
More informationInformation Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.
Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments
More informationUniversity of Aberdeen Information Security Policy
University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...
More informationhave adequate policies and practices for secure data disposal have not established a formal 22% risk management program
do not have budgeted disaster 38% recovery plans do not use standardized data 37% classification do not have a plan for responding to 29% security breaches 23% have adequate policies and practices for
More informationICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen
ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure
More informationISO 27001 Controls and Objectives
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationService Children s Education
Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and
More informationHow To Ensure Network Security
NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:
More informationINFORMATION TECHNOLOGY POLICY
COMMONWEALTH OF PENNSYLVANIA DEPARTMENT OF PUBLIC WELFARE INFORMATION TECHNOLOGY POLICY Name Of : DPW Information Security and Privacy Policies Domain: Security Date Issued: 05/09/2011 Date Revised: 11/07/2013
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationMONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY
MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency
More informationInformation Governance Policy A council-wide information management policy. Version 1.0 June 2013
Information Governance Policy Version 1.0 June 2013 Copyright Notification Copyright London Borough of Islington 2012 This document is distributed under the Creative Commons Attribution 2.5 license. This
More informationInformation governance strategy 2014-16
Information Commissioner s Office Information governance strategy 2014-16 Page 1 of 16 Contents 1.0 Executive summary 2.0 Introduction 3.0 ICO s corporate plan 2014-17 4.0 Regulatory environment 5.0 Scope
More informationApproved by President Mohammed Qayoumi. Reviews: IT Management Advisory Committee
Policy History Date Action Approved by President Mohammed Qayoumi May 27, 2013 April 9, 2013 Reviews: IT Management Advisory Committee Draft Policy Released Table of Contents Introduction and Purpose...
More informationinformation systems security policy...
sales assessment.com information systems security policy... Approved: 2nd February 2010 Last updated: 2nd February 2010 sales assessment.com 2 index... 1. Policy Statement 2. IT Governance 3. IT Management
More informationCorporate Information Security Management Policy
Corporate Information Security Management Policy Signed: Chief Executive. 1. Definition of Information Security 1.1. Information security means safeguarding information from unauthorised access or modification
More informationInformation Security Policies. Version 6.1
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
More informationUlster University Standard Cover Sheet
Ulster University Standard Cover Sheet Document Title IT Monitoring Policy 1.5 Custodian Approving Committee Deputy Director of Finance and Information Services (Information Services) Information Services
More informationBOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy
BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy
More informationPolicy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.
London School of Economics & Political Science IT Services Policy Remote Access Policy Jethro Perkins Information Security Manager Summary This document outlines the controls from ISO27002 that relate
More informationInformation Governance Management Framework
Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date
More informationIT Governance Charter
Version : 1.01 Date : 16 September 2009 IT Governance Network South Africa USA UK Switzerland www.itgovernance.co.za info@itgovernance.co.za 0825588732 IT Governance Network, Copyright 2009 Page 1 1 Terms
More informationGuidelines. London School of Economics & Political Science. Remote Access and Mobile Working Guidelines. Information Management and Technology
London School of Economics & Political Science Information Management and Technology Guidelines Remote Access and Mobile Working Guidelines Jethro Perkins Information Security Manager Summary This document
More informationCal Poly Information Security Program
Policy History Date October 5, 2012 October 5, 2010 October 19, 2004 July 8, 2004 May 11, 2004 January May 2004 December 8, 2003 Action Modified Separation or Change of Employment section to address data
More informationUniversity of Liverpool
University of Liverpool Information Security Incident Response Policy Reference Number Title CSD-012 Information Security Incident Response Policy Version Number 1.2 Document Status Document Classification
More informationInformation security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
More informationCOUNCIL POLICY R180 RECORDS MANAGEMENT
1. Scope The City of Mount Gambier Records Management Policy provides the policy framework for Council to effectively fulfil its obligations and statutory requirements under the State Records Act 1997.
More informationSocial Media Policy. 1. Summary
Social Media Policy Version: 2.0 Approved by: Executive Policy owner/sponsor: Executive Director, Public Libraries and Engagement Policy Contact Officer: Manager, Media and Communications Policy No: PD/17
More informationOperational Risk Publication Date: May 2015. 1. Operational Risk... 3
OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...
More informationRotherham CCG Network Security Policy V2.0
Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October
More informationINITIAL APPROVAL DATE INITIAL EFFECTIVE DATE
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
More informationHighland Council Information Security Policy
Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...
More informationHMG Security Policy Framework
HMG Security Policy Framework Security Policy Framework 3 Foreword Sir Jeremy Heywood, Cabinet Secretary Chair of the Official Committee on Security (SO) As Cabinet Secretary, I have a good overview of
More informationINFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes
INFORMATION SECURITY POLICY Ratified by RCA Senate, February 2007 Contents Introduction 2 Policy Statement 3 Information Security at RCA 5 Annexes A. Applicable legislation and interpretation 8 B. Most
More informationNOT PROTECTIVELY MARKED. Suffolk County Council DATA QUALITY POLICY
Suffolk County Council DATA QUALITY POLICY This policy is sponsored by the Director of Resource Management on behalf of the Chief Executive of Suffolk County Council. Responsibility for maintaining, reviewing
More informationWho Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5
Information Security Policy Type: Administrative Responsible Office: Office of Technology Services Initial Policy Approved: 09/30/2009 Current Revision Approved: 08/10/2015 Policy Statement and Purpose
More informationPARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN. Records Management Policy. Version 4.0. Page 1 of 11 Policy PHSO Records Management Policy v4.
PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN Records Management Policy Version 4.0 Page 1 of 11 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: File Location: Approval
More informationInformation Management and Security Policy
Unclassified Policy BG-Policy-03 Contents 1.0 BG Group Policy 3 2.0 Policy rationale 3 3.0 Applicability 3 4.0 Policy implementation 4 Document and version control Version Author Issue date Revision detail
More informationISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters
When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9
More informationInformation Security and Governance Policy
Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationQatar University Information Security Policies Handbook November 2013
Qatar University Information Security Policies Handbook November 2013 Information Security Policies Handbook November 2013 Produced by Information Technology Services Department / Information Security
More informationGuide for the Role and Responsibilities of an Information Security Officer Within State Government
Guide for the Role and Responsibilities of an Information Security Officer Within State Government Table of Contents Introduction 3 The ISO in State Government 4 Successful ISOs Necessary Skills and Abilities
More informationInformation Governance Policy
Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise
More informationThis procedure is associated with BCIT policy 6700, Freedom of Information and Protection of Privacy.
Privacy Breach No.: 6700 PR2 Policy Reference: 6700 Category: Information Management Department Responsible: Privacy and Records Management Current Approved Date: 2012 May 01 Objectives This procedure
More informationDATA PROTECTION POLICY
Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection
More informationPolicy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE:
Policy No: TITLE: AP-AA-17.2 Data Classification and Data Security ADMINISTERED BY: Office of Vice President for Academic Affairs PURPOSE EFFECTIVE DATE: CANCELLATION: REVIEW DATE: August 8, 2005 Fall
More informationASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES
ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES THIS POLICY SETS OUT THE REQUIREMENTS FOR SAFEGUARDING COMPANY ASSETS AND RESOURCES TO PROTECT PATIENTS, STAFF, PRODUCTS, PROPERTY AND
More informationScotland s Commissioner for Children and Young People Records Management Policy
Scotland s Commissioner for Children and Young People Records Management Policy 1 RECORDS MANAGEMENT POLICY OVERVIEW 2 Policy Statement 2 Scope 2 Relevant Legislation and Regulations 2 Policy Objectives
More informationInformation Security Incident Management Policy September 2013
Information Security Incident Management Policy September 2013 Approving authority: University Executive Consultation via: Secretary's Board REALISM Project Board Approval date: September 2013 Effective
More informationInformation Governance Policy
Information Governance Policy Document Number 01 Version Number 2.0 Approved by / Date approved Effective Authority Customer Services & ICT Authorised by Assistant Director Customer Services & ICT Contact
More informationHSCIC Audit of Data Sharing Activities:
Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 20/04/2016 HSCIC Audit of Data Sharing
More informationRecords Management plan
Records Management plan Prepared for 31 October 2013 Audit Scotland is a statutory body set up in April 2000 under the Finance and Accountability (Scotland) Act 2000. We help the Auditor General for Scotland
More informationEA-ISP-001 Information Security Policy
Technology & Information Services EA-ISP-001 Information Security Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 13/03/2015 Document Security Level: PUBLIC Document Version: 2.41 Document Ref:
More informationStandard: Information Security Incident Management
Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of
More information