NHS Fife. Your Risk - Information Governance and Security Survey
NHS Fife
Your Risk - Information Governance and Security Survey
Prepared for NHS Fife
September 2014
Audit Scotland is a statutory body set up in April 2000 under the Public Finance and Accountability (Scotland) Act. We help the Auditor General for Scotland and the Accounts Commission check that organisations spending public money use it properly, efficiently and effectively.
Contents

- Background
- Findings - Survey Results
- Survey Response
- Awareness of good practice
- Areas for improving knowledge and awareness
- Conclusion
- Management Action
- Acknowledgement
- Appendix A - Action Plan
- Appendix B - Questionnaire
Background

1. Your Risk (YB@R) is a web-based survey that helps bodies quickly assess procedural, cultural and ethical compliance risks that have the potential to undermine the effectiveness of their information governance policies.

2. The Graham Committee report on the Standards of Conduct in Public Life and the Standards Commission for Scotland endorsed this type of tool and recommended that a survey of this type be used throughout the whole of the public sector.

3. Effective information governance always comes down to people and behaviours. Security policies have to be understood, accepted and integrated with, rather than bolted on to, the business processes used in an organisation.

4. YB@R provides a snapshot of whether an organisation's information governance policies are achieving their objectives and can help minimise the likelihood of data loss and the consequent corrective work that would ensue.

5. Participating in YB@R will help your organisation to be able to:
- assess awareness of the risks associated with the use of technology
- gauge how well policies and standards have been understood
- assess the levels of Information Communications and Technology (ICT) security awareness among staff
- highlight areas where you may need to improve governance and reduce risk.

6. A copy of the survey questionnaire has been included at Appendix B to provide context for the readers of this report.
Findings - Survey Results

Survey Response

7. All ICT users were invited by email and advertisement on the board's intranet to participate in the web-based survey to assess their awareness of security issues and their role in reducing risk to the organisation. The survey was launched on Monday 19 May and officially closed on Friday 6 June. The survey was advertised on the board's intranet and staff were reminded of the survey in an email on 26 May.

8. A total of 528 surveys were completed, equating to 6% of the potential survey population. Although the rate of responses was the lowest that we have received from similar organisations, they were from all the directorates, which allowed us to conclude that the summary analysis below provides representation from across the organisation.

Awareness of good practice

9. The survey identified a number of areas where NHS Fife staff demonstrated an adequate level of awareness of good practice, while appreciating that there is always room for improvement:
- 98% of those who responded would report their concerns about security at their place of work
- 87% would either change their computer password immediately or seek advice if they suspected that someone knew their password
- more than 91% appreciate the medium to high risk nature of the information they handle and the potentially serious consequences incorrect disclosure would have
- 86% understand that everyone within NHS Fife is responsible for information security. However, 3% stated that they did not know where responsibility lay.

Areas for improving knowledge and awareness

10. The survey also identified an apparent lack of knowledge and awareness among staff in many areas, representing potential risks to the organisation.
These issues merit further consideration by management as on-going information security awareness training is developed, and should inform development of future information security policies and procedures:
- 72% of those who responded find they need to write some or all of their passwords down, with the majority storing them in paper format, for example in a diary or organiser
- 63% use the same password across all of the systems that they use; while this approach offers ease of use when interacting with several systems, it is important that staff are reminded that such passwords should be complex (use a mixture of letters, numbers and special characters) and be updated on a regular basis. 11% who reported using the same password across multiple systems also use this password for private use of ICT
- 71% indicated that they lock their computer when leaving it unattended. However, 24% only lock their computers sometimes, with the remaining 5% never locking them
- Although 96% indicated being aware of the board's policies and procedures on the use of ICT resources, 46% are not familiar with the procedure to follow if they lost a work laptop, PDA or mobile telephone
- Many respondents incorrectly identified pieces of information which are covered by the Data Protection Act, e.g. 18% were not aware that an email from an individual is covered by the Act, while 14% believed that a recording of wildlife is covered
- 49% indicated that they have not had any security awareness training
- 28% have accessed a computer that was logged on with another user's access credentials. We are concerned to note that 2% stated that this was without the other user's permission
- Only 77% would inform management if they found a way to over-ride security features; a significant number (22%) would do nothing. The remaining 2% stated they would use this knowledge
- Although responses indicated that a significant number of respondents share personal information using higher security practices, such as sending information by courier mail, recorded and special delivery, 38% indicated they share personal information by insecure means, e.g. standard post or electronically without any encryption. 34% do not know whether information shared with external organisations is given a higher level of security or not
- 9% advised that they used personal accounts to access confidential information when out of the office, while 31% indicated that they use removable storage such as memory sticks or CDs, including 24% who refer to paper copies of confidential information when out of the office.

Conclusion

11. Overall, the low response rate was disappointing.
However, on the basis of the survey, although the profile of results demonstrates that there is some information security awareness within NHS Fife, a number of areas have been highlighted that should be addressed to improve overall staff awareness of information security.

12. A high level of information security awareness is the first step to changing behaviours and establishing effective information governance within an organisation. The full results from the survey have been submitted to management for detailed review to assist with the improvement of information governance through increased information security awareness within the board.
Management Action

13. The overall finding from our survey has been included in the accompanying Appendix A. Planned action, responsibilities and timescales for action in response to the identified risk exposure have been provided by management.

Acknowledgement

14. The contents of this report have been discussed with relevant officers to confirm factual accuracy. The co-operation and assistance we received from board officers is gratefully acknowledged, in particular the assistance afforded to us by Elena Beratarbide (eHealth Quality & Performance Manager) during the course of our survey.
Appendix A - Action Plan

No.: 1

Audit Finding: Our survey of ICT users identified an apparent lack of knowledge and awareness of information security among staff in many areas, representing potential risks to the board. The results of our survey can assist management in their drive to improve knowledge and awareness.

Risk: There is a risk of loss of information which could have serious legal and reputational implications for the board.

Proposed Management Response & Action: The response rate was low, therefore a balanced approach should be taken around the validity of the assumptions on a Board wide basis. A newsletter will be produced which outlines staff responsibilities in relation to password security, reporting of breach procedure and offering departmental training session by the Board IG / IT Security Officers. The IG & IT security officers will continue to deliver awareness sessions at the Board Corporate Induction events.

Responsible Officer and Date: Elena Beratarbide
- Newsletter issued via corporate communication by 31st October
- Corporate induction (Ongoing)
Appendix B - Questionnaire

Q1 Do you feel it is necessary to write some or all of your passwords down?
- Yes because they are too complex
- Yes because I have too many to remember
- Yes, because the passwords to different systems expire at different times
- No

Q2 If yes, how do you store them?
- Locked away (for example in a locked desk drawer)
- Stored electronically - on a network
- Stored electronically - on portable media (for example memory stick)
- Written down (for example in a diary or organiser)
- Stored electronically in an encrypted password protected file, document or database

Q3 What would you do first if you suspect that someone knows your password (for example someone watched you type your password in)?
- Change it immediately
- Ask someone for advice
- Contact your help desk and report them
- Contact your help desk and ask them to change all your passwords
- Do nothing

Q4 How often do you voluntarily change your passwords (that is before the system prompts you)?
- Never
- Weekly
- Monthly
- Every two months
- Between 3-6 Months
- More than 6 months
- Other

Q5 Do you use the same password for more than one system that you use at work?
- Yes - where possible
- No

Q6 Do you use the same password for the systems you use at work as you do for your personal systems (e.g. personal email, banking, Facebook)?
- Yes
- No
Q7 Have you ever used or accessed a computer that has been logged in under someone else's password?
- Yes - with their express permission
- Yes - without their express permission
- No

Q8 Do you lock your computer when leaving it unattended? (for example CTRL+ALT+DEL, screensavers or smartcards)
- Always
- Sometimes
- Never

Q9 You receive a call from an IT help desk operator about a problem you've been having with your PC, what information would you give them if asked? (please tick all that apply)
- Your name
- Your staff number
- Your password/s
- Your logon id / username
- Asset Number / sticker (located on pc or laptop)
- Refuse or obtain their telephone number and call them back

Q10 You receive an email telling you of a new corporate system and asking you to open a web page and log on using your network user name and password. This is the first you have heard of this system - what would you do next?
- Open the site and log on to the system
- Check with your colleagues/manager to see if they are aware of the new system
- Check with your IT help desk
- Ignore it

Q11 If you find a way to over-ride security features on your computer, would you?
- Use this knowledge
- Report it to the IT help desk
- Do nothing

Q12 Have you seen someone viewing inappropriate material on their work computer?
- Yes
- No
Q13 If you answered Yes to the previous question, what did you do? (Please tick all that apply)
- Reported it to IT help desk
- Reported it to your manager
- Reported it to their manager
- Spoke to them personally
- Nothing

Q14 If you saw one of the following individuals accessing inappropriate material on their work computer, what would you do? (Report it / Speak to them personally / Do nothing)
- Someone in the office you don't know
- A good friend
- Your manager

Q15 Are you aware of your organisation's policy and procedures about the use of IT resources such as: internet, email and telephones?
- Yes
- No

Q16 Which of the following are covered by the Data Protection Act? (please tick all that apply)
- Email from an individual
- Email from HM Government
- Photo of a building
- Audio recording of wildlife
- Handwritten notes made during a job interview
- Audio recording of an individual
- Photo ID / passport
- Handwritten notes taken during a lecture

Q17 If your job requires you to share personally identifiable information (internally or externally), how is this shared? (please tick all that apply)
- Electronically transmitted
- Electronically transmitted - Encrypted
- Electronically transmitted via secure system (for example GSI)
- By courier mail
- By Recorded delivery
- By Special delivery
- By standard post
- Collect or deliver in person
Q18 Which of the following items do you consider to be personal data? (please tick all that apply)
- An address written on a post-it note
- Your surname
- Your address
- Your pay number
- A photo of you and your colleagues taken on a work night out
- Your opinion published anonymously in a departmental survey or report
- Your anonymous notes from a performance review meeting that you conducted
- A tweet or blog-post with anonymised comments about a rare clinical case within your town
- Hand-written notes/actions taken during a departmental meeting

Q19 Is shared information given a higher level of security if it is sent externally as opposed to internally?
- Yes
- Sometimes
- No
- Don't know

Q20 If the information you use every day was incorrectly disclosed, do you think this would be?
- Low risk - little or no consequence
- Medium risk - limited consequence
- High risk - serious consequence

Q21 If you access work related confidential information when out of the office, how is the information accessed? (Please tick all that apply)
- On your corporate network (for example Virtual Private Network (VPN))
- Work Laptop / PDA
- Own equipment (for example via web based corporate site)
- Internet cafe
- Via personal email (for example mailing documents to a private account)
- USB Pen Drive
- Other removable storage (for example CDs, media cards)
- Paper copy
- Other

Q22 If you use a USB Pen Drive to access sensitive or confidential workplace information when out of the office, or to transfer it between computers, is the information on the Pen Drive encrypted?
- Yes - always
- Usually
- Never
Q23 You receive a free promotional CD at your work address - what would you do first?
- Take a look at the contents on your work PC/laptop
- Contact your IT help desk for advice
- Pass it to your line manager/management
- Throw it away
- Take a look at the contents on your home PC/laptop

Q24 For the following 4 scenarios - What would you do first if you found a CD on your work desk? (please tick one box per scenario: Put it in your PC / Contact your IT help desk / Pass it to your line manager/management / Put it in the bin / Look at it at home)
- With your organisation's name/logo?
- Draft Restructuring Plan?
- Department Salary Report?
- Un-labelled

Q25 Your desktop or laptop is destroyed and you are sent a replacement - how will the data be restored?
- It wouldn't as I hadn't backed it up
- From my own local back-ups
- From the network
- From attachments
- A mixture of the above
- My data is not critical (doesn't need to be backed up)
- Don't know

Q26 You find a memory stick (USB flash/pen drive) - What would you do first?
- Refer to policy and procedures held on the Intranet
- Try to find the owner by checking the files on the drive
- Delete the files, keep and use for personal use
- Contact your IT help desk
- Ask everyone in the office if they have lost a pen drive
- Leave it at reception
- Pin a notice on your notice board
- Other
Q27 If you found a memory stick, would you place it in your computer if you (Yes / No)
- Found it in the car park?
- Found it in a communal area inside your building?
- Found it on your desk?
- It had your organisation's logo on it?
- It was labelled [Your Department Head] Personal files?

Q28 What would you do if you lost or mis-placed a removable media device (for example USB / CD) which contained information?
- Do nothing
- Refer to policy and procedures on the Intranet
- Report it to the helpdesk
- Report it to your manager

Q29 Are you aware of the procedures to be carried out if you lose your laptop, PDA or work's mobile?
- Yes
- No

Q30 How would you describe your organisation's IT security policy / procedures?
- Very good
- Good
- Adequate
- Poor
- Very poor
- Don't know

Q31 Who is responsible for IT security in your organisation?
- Everyone
- Central IT
- Dedicated IT security department/personnel
- The board
- Don't know

Q32 Have you had any security awareness training?
- Yes
- No
Q33 What would you do if you are concerned about security (at your place of work) - would you report it?
- Yes
- No

Q34 If yes, who would you report the security breach to?
- Line manager
- Help desk
- IT Manager
- Other
More informationEAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
More informationNetwork Security for End Users in Health Care
Network Security for End Users in Health Care Virginia Health Information Technology Regional Extension Center is funded by grant #90RC0022/01 from the Office of the National Coordinator for Health Information
More informationName of responsible committee: Information Governance Board Date issued: 15 th April 09 Review date: 14 th April 11 Referenced Documents:
Storage and Transfer of Person Identifiable Information Policy Trust Wide Policy number: ULH-IM&T-AUP03 Version: 1.1 New or Replacement: New Approved by: Executive Board Date approved: 14 th April 09 Name
More informationInformation Governance Training Booklet for Pharmacy Staff January 2010
Information Governance Training Booklet for Pharmacy Staff January 2010 dra_schwartz/istock 2 Introduction To ensure compliance with the law and NHS requirements, all staff working in pharmacies that have
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationAdvanced HIPAA Security Training Module
Advanced HIPAA Security Training Module The Security of Electronic Information Copyright 2008 The Regents of the University of California All Rights Reserved The Regents of the University of California
More informationAcceptable Usage Guidelines. e-governance
Acceptable Usage Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type
More informationSERVER, DESKTOP AND PORTABLE SECURITY. September 2014. Version 3.0
SERVER, DESKTOP AND PORTABLE SECURITY September 2014 Version 3.0 Western Health and Social Care Trust Page 1 of 6 Server, Desktop and Portable Policy Title SERVER, DESKTOP AND PORTABLE SECURITY POLICY
More informationICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation
ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette
More informationPassword Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused.
DRAFT 6.1 Information Systems Passwords OVERVIEW Passwords are an important aspect of information security. They are the front line of protection for user accounts. A poorly chosen password may result
More informationThe virtual safe: A user-focused approach to data encryption
The virtual safe: A user-focused approach to data encryption Steganos GmbH, 2008 1 The hard disk: a snapshot of our lives The personal computer has never been more personal. We routinely trust it with
More informationCOVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name
COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name Introduction Removable Media and Mobile Device Policy Removable media and mobile devices are increasingly used to enable information access
More informationHIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014
HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors
More informationSecure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines
Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines 1. Implement anti-virus software An anti-virus program is necessary to protect your computer from malicious programs,
More informationMobility and Young London Annex 4: Sharing Information Securely
Young London Matters April 2009 Government Office For London Riverwalk House 157-161 Millbank London SW1P 4RR For further information about Young London Matters contact: younglondonmatters@gol.gsi.gov.uk
More informationInformation Security
Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff
More informationInformation Security It s Everyone s Responsibility
Information Security It s Everyone s Responsibility Developed By The University of Texas at Dallas (ISO) Purpose of Training As an employee, you are often the first line of defense protecting valuable
More informationE-Mail Use Policy. All Staff Policy Reference No: Version Number: 1.0. Target Audience:
E-Mail Use Policy Authorship: Barry Jackson Information Governance, Security and Compliance Manager Committee Approved: Integrated Audit and Governance Committee Approved date: 11th March 2014 Review Date:
More informationINFORMATION RISK MANAGEMENT POLICY
INFORMATION RISK MANAGEMENT POLICY DOCUMENT CONTROL: Version: 1 Ratified by: Steering Group / Risk Management Sub Group Date ratified: 21 November 2012 Name of originator/author: Manager Name of responsible
More informationE-SAFETY POLICY. The Kingswinford School - a science college. December 2014. Every Child a Scientist. Page 1
The Kingswinford School - a science college E-SAFETY POLICY December 2014 Page 1 E-Safety Policy - Advice and Guidance Setting This guidance applies to all members of the school community (including staff,
More informationLauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.
Document No: IG10d Version: 1.1 Name of Procedure: Third Party Due Diligence Assessment Author: Release Date: Review Date: Lauren Hamill, Information Governance Officer Version Control Version Release
More informationPhysical Security Policy
Physical Security Policy Author: Policy & Strategy Team Version: 0.8 Date: January 2008 Version 0.8 Page 1 of 7 Document Control Information Document ID Document title Sefton Council Physical Security
More informationAcceptable Use Guidelines
Attachment to the Computer and Information Security and Information Management Policies Acceptable Use Guidelines NZQA Quality Management System Supporting Document Purpose These Acceptable Use Guidelines
More informationSOME QUESTIONS AND ANSWERS
SOME QUESTIONS AND ANSWERS WHAT IS THE SURVEY ABOUT? What is the survey about? The Staff Survey questionnaire has been designed to gather your views about the University. The overall aim is to collect
More informationStandard Operating Procedure. Secure Use of Memory Sticks
Standard Operating Procedure Secure Use of Memory Sticks DOCUMENT CONTROL: Version: 2.1 (Amendment) Ratified by: Finance, Infrastructure and Business Development Date ratified: 20 February 2014 Name of
More informationSenior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES
Senior School 1 PURPOSE The policy defines and describes the acceptable use of ICT (Information and Communications Technology) and mobile phones for school-based employees. Its purpose is to minimise the
More informationDene Community School of Technology Staff Acceptable Use Policy
Policy Overview Dene Community School of Technology The school provides computers for use by staff as an important tool for teaching, learning, and administration of the school. Use of school computers,
More informationHIPAA Training for Hospice Staff and Volunteers
HIPAA Training for Hospice Staff and Volunteers Hospice Education Network Objectives Explain the purpose of the HIPAA privacy and security regulations Name three patient privacy rights Discuss what you
More informationQuick Tips For Full-Access Accounts
Florida SHOTS Quick Tips For Full-Access Accounts Contact Information www.flshots.com Free help desk: 877-888-SHOT (7468) Monday Friday, 8 A.M. to 5 P.M. Eastern A complete user guide and Web-based training
More informationJoint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three
Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three Data Handling in University Information Classification and Handling Agenda Background People-Process-Technology
More informationProvider OnLine. Log-In Guide
Provider OnLine Log-In Guide Table of Contents 1 LOG-IN ACCESS... 3 1.1 ENTERING THE USER ID AND PASSWORD... 4 1.2 OVERVIEW AND PURPOSE OF TRICIPHER... 5 1.2.1 Log-in for Users Who Are Active, But Not
More informationAngard Acceptable Use Policy
Angard Acceptable Use Policy Angard Staffing employees who are placed on assignments with Royal Mail will have access to a range of IT systems and mobile devices such as laptops and personal digital assistants
More informationAnnual HIPAA Security & Information Security Competency
Annual HIPAA Security & Information Security Competency 1 General Information FISO- What is a FISO? Facility Information Security Officer Responsible for the physical protection and recovery of all electronic
More informationData Protection and Information Security Policy and Procedure
Data Protection and Information Security Policy and Procedure Document Detail Category: Data Protection Authorised By: Full Governing Body Author: School Business Manager Version: 1 Status: Approved May
More informationHIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012
HIPAA Privacy and Security Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 Goals and Objectives Course Goal: To introduce the staff of Munson Healthcare to the concepts
More informationScoMIS Encryption Service
Introduction This guide explains how to install the ScoMIS Encryption Service Software onto a laptop computer. There are three stages to the installation which should be completed in order. The installation
More informationNetwork Password Management Policy & Procedures
Network Password Management Policy & Procedures Document Ref ISO 27001 Section 11 Issue No Version 1.3 Document Control Information Issue Date April 2009, June 2010, September 2011 Status Approved By FINAL
More informationPolicy: Remote Working and Mobile Devices Policy
Policy: Remote Working and Mobile Devices Policy Exec Director lead Author/ lead Feedback on implementation to Clive Clarke SHSC Information Manager SHSC Information Manager Date of draft 16 February 2014
More informationPeople at Work Project An Assessment of Psychosocial Hazards in the Workplace Pre-Survey Communication Plan
People at Work Project An Assessment of Psychosocial Hazards in the Workplace Pre-Survey Communication Plan This guiding document is targeted at organisations participating in the People at Work Project.
More informationDesktop and Laptop Security Policy
Desktop and Laptop Security Policy Appendix A Examples of Desktop and Laptop standards and guidelines 1. Implement anti-virus software An anti-virus program is necessary to protect your computer from malicious
More informationDATA AND PAYMENT SECURITY PART 1
STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of
More information