Information Governance and Assurance Framework Version 1.0
Page 1 of 19
Document Control

Policy and Guidance
Title: Information Governance and Assurance Framework
Original Author(s): Head of Information and Records Management (KS)
Owner: Chief Operating Officer (SIRO)
Reviewed by: Security and Information Assurance Committee
Quality Assured by: Executive Director Operations and Investigations
Meridio Location: To go in 1.07 APPROVED STRATEGIES, POLICY AND GUIDANCE / Business Policy and Guidance
Approval Body: Leadership Team
Approval Date: 11/02/14

Change History (Date / Status / Updated by / Comment):
- /10/13, Draft, Katharine Stevenson: In draft shared with Frank Garofalo and Security and Information Assurance Committee 15/01/14
- /01/14, Draft, Tom Stoddart: General comments and ICT detail
- /01/14, Draft, Luke Whiting: General comments and legislative detail
- /02/14, Draft, Katharine Stevenson: Changes from TS and SIAC made. Submitted to Mick Martin for QA and approval to submit to LT
- /02/14, Final Version, Katharine Stevenson: Leadership Team approved Framework
1. Introduction

1.1 Purpose and Context of the Framework

The purpose of the Information Governance and Assurance Framework is to formally establish PHSO's position regarding Information Governance and Assurance.

Information Governance describes the holistic approach to managing information by implementing processes, roles, controls and metrics that treat information as a valuable asset. At PHSO it involves the work of the IRM, FOI/DP, ICT and Insight and Research teams.

Information Assurance describes the confidence in the processes of information risk management specifically. It is the practice of managing the appropriate levels of availability, integrity and confidentiality of information, whether that information is in storage, processing or transit, and whether it is threatened by malice or accidental error, fraud, privacy violation, service interruption, theft or disaster.

The intent is to consolidate our Information Governance and Assurance arrangements and risk mitigation measures into one central source. The Framework therefore details the people, places and processes which are in place to ensure that the appropriate staff have access to the appropriate information at the appropriate time. The Framework is a baseline for Information Governance training and awareness and sets out the policies and procedures all staff need to understand and apply in the course of their day-to-day work.

1.2 Framework Scope

The Information Governance and Assurance Framework is relevant to all PHSO staff (including temporary and contract staff) who create, store, share and dispose of information. Though many of the controls are concerned with the management of electronic information and associated systems, the Framework also covers paper records.

1.3 Framework Implementation

The Information and Records Management (IRM) Team will be responsible for the oversight and maintenance of the Information Governance and Assurance Framework, with assistance from other specialists in the office.
The Framework will be placed on Ombudsnet and referenced in the Induction pack. PHSO also recognises that we must demonstrate our security controls to third parties and therefore the Framework will also be published on our website.
1.4 Information Governance and Assurance Contacts

There are a number of specialists who have specific responsibility for supporting PHSO's approach to Information Governance and Assurance. In the first instance staff can contact the IRM team for support and assistance.

2. Information Risk Management

2.1 Risk Management Structure

If we use information well it helps to make our casework and other office processes more efficient and improves the services we offer to our customers and stakeholders. The risks in handling information are not only in failing to protect it properly, but also in not using it for the public good. Managing information risk is about taking a proportionate approach so that both of these aims are achieved.

Our approach to information risk management is consistent with PHSO's Corporate Risk Policy. Since the Cabinet Office Review of Data Handling Procedures in Government, there is also a separate but complementary structure for explicitly managing information risk. In summary:

- Our Audit Committee must now maintain an explicit oversight of information risk, and the Accounting Officer has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level, as well as reporting our status as part of the Governance Statement
- The Senior Information Risk Owner (SIRO) governs the management of information risk at board level. She is also responsible for policy and for providing written advice to the Accounting Officer on the content of the annual Governance Statement relating to information risk
- The Information Asset Owners are senior individuals involved in running key areas of PHSO.
  Their role is to understand and address risks to the information; ensure that the information in their part of PHSO is used legally and for the public good; and provide written assurance to the Senior Information Risk Owner on information security and the use of their information assets
- PHSO has Local Information and Records Advisers to further support our Information Asset Owners and staff in our overall approach to assurance

2.2 Our Risk Tolerance

PHSO is not willing to accept information risks that may result in significant reputational damage, financial loss or exposure, loss of information integrity, major breakdowns in information systems or significant incidents of regulatory non-compliance.
However, PHSO recognises that we cannot eliminate information risk altogether and there may be circumstances where the cost of mitigation outweighs the likely impact of the risk. Our information assurance approach provides the means to identify, prioritise and manage risk and to strike a balance between the cost of treating a risk and the benefits expected from doing so.

PHSO's Information Risk Tolerance statements are currently being developed and will be included in Annex A once approved by Leadership Team.

3. Information Assets

3.1 What are Information Assets?

PHSO recognises a number of information asset categories that are central to the efficient running of PHSO: data, software, hardware, services, casework and people.

3.2 Our Information Asset Register

Information assets are documented in PHSO's Information Asset Register and each has an Information Asset Owner assigned. Its purpose is to record the organisational areas and processes which handle information throughout PHSO. As such it is the foundation for the selection and deployment of our ongoing security controls.

It is important to ensure that the register is kept up to date. Changes can be identified via a number of routes, for example an annual risk assessment, a Privacy Impact Assessment exercise or an Information Governance Audit. The IRM team is responsible for ensuring the register is kept up to date.

3.3 What is the Protective Marking Scheme?

PHSO's Protective Marking Scheme is our administrative scheme which helps to ensure that access to information is correctly managed and safeguarded to an agreed and proportionate level throughout its lifecycle, including creation, storage, transmission and disposal. The scheme is designed to support our work and meet the requirements of relevant legislation and international standards. Where a Protective Marking is used, the creator/owner is indicating the sensitivity of the information and the level of security and protection they expect.
Staff should be aware of the scheme's markings and associated handling arrangements (in descending order of sensitivity):

- RESTRICTED
- PROTECT
- UNMARKED

4. Responsibilities for Information Assurance
4.1 Accounting Officer

The Accounting Officer is the Ombudsman, who has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risks should be handled in a similar manner to other major risks such as financial, legal and reputational risk. Key elements of the Accounting Officer role are:

- Lead and foster a culture that values, protects and uses information for the public good. For example, support the SIRO, participate in training, and review and encourage the information assurance approach
- Discuss information risk in the delivery chain regularly with Leadership Team, the Board and Audit Committee
- Cover information risk explicitly in the Governance Statement

4.2 Senior Information Risk Owner (SIRO)

Our SIRO is the Chief Operating Officer, who is familiar with information risks and leads PHSO's approach. The SIRO governs the management of information risk at Board level. For our purposes the term Board encompasses our Leadership Team, Non-Executives and the Ombudsman. Key elements of the SIRO role are:

- Lead and foster a culture that values, protects and uses information for the public good. For example, support the Information Asset Owners, participate in training, and lead the information assurance approach
- Define the overall information assurance approach, including the Information Governance policies and the Information Assurance Framework
- Own the overall information risk assessment process, test its outcome and ensure it is used
- Advise the Accounting Officer on the information risk aspects of her Governance Statement

4.3 Information Asset Owners

Information Asset Owners are senior managers involved in running key PHSO business areas. They are responsible for managing the risks associated with their information assets. Accountability for information helps to ensure that appropriate protection is maintained.
Information Asset Owners are expected to set the regime for information assurance as policy and process owners. Staff are, however, still responsible for compliance both with relevant legislation and with security policies and procedures.
Key elements of the Information Asset Owner role are:

- Lead and foster a culture that values, protects and uses information for the public good. For example, participate in and support the information assurance approach
- Know their information assets: for example, which business processes use them; which systems are used; who has access to them and why; who the information is shared with and how; and how and when the information is disposed of
- Understand and address risks to their information and provide written assurance to the SIRO quarterly. For example, contribute to the information risk management procedures and assess the impact of change on an ongoing basis (using Privacy Impact Assessments)
- Ensure the information is fully used for the public good, including responding to requests for access from others. For example, negotiate, manage and approve agreements on the sharing of personal and PHSO-sensitive information between organisations; and consider whether better use of the information could be made

The Information Asset Owner can assign day-to-day responsibility for each information asset to a manager, but overall liability remains with the nominated owner of the asset. In some business areas, Information Asset Owners will also work with other staff to increase awareness of information assurance procedures and measures. They will be expected to build protection measures into quality control and operational delivery.

4.4 Managers

All line managers are responsible for ensuring that they and their staff are instructed in their information assurance responsibilities, which include the correct handling of information. The responsibility of all managers includes fostering a climate in which staff will give security its due attention.
Practical examples:

- Ensure new staff attend the corporate induction, which includes information governance training, and that all existing staff complete Data Protection training annually
- Ensure all staff know about and understand the Information Assurance Framework and specifically recognise the importance of the Information Governance policies and supporting procedures and guidance
- Actively participate in identifying potential information risks in their area and contribute to the implementation of appropriate mitigation
- Implement the authorisation of access to data
4.5 Staff

All staff must recognise and understand the need to proactively manage the information they create. They should consider the value and sensitivity of all of the data in their care and take personal responsibility for it.

Practical examples:

- Read the Information Governance and Assurance Framework and understand the Information Governance policies and supporting procedures and guidance
- Attend Information Governance training, including Data Protection training annually

4.6 Information Governance and Assurance staff

PHSO does not have one single Information Governance and Assurance team; instead the responsibilities are distributed across the office. Together they support the SIRO.

The Head of IRM is responsible for:

- The co-ordination and operational management of the Information Governance and Assurance approach
- Reviewing Information Governance and Assurance compliance and ensuring quality control and alignment with the Information Assurance Maturity Model and other professional standards
- The creation, monitoring and enforcement of PHSO's Records Management, Retention and Disposal and Information Security policies
- Ensuring PHSO is complying with the eight Data Protection Principles, and providing advice, guidance and training to staff, procurements and projects involving information requirements
- Handling information security breach incidents
- Records Management, monitoring compliance with its standards and raising awareness of records management practice. The responsibility for the day-to-day management of records is devolved to individual business areas, and Local Information and Records Advisers support this

The Information and Records Manager(s) support the Head of IRM in the co-ordination and management of the information assurance and records management approaches.

The Head of FOI/DP is responsible for:

- Ensuring PHSO complies with requests for information under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004, and with Subject Access requests and requests for information relating to cases under the Data Protection Act 1998, the Health Service Commissioners Act 1993 and the Parliamentary Commissioner Act
- Helping to maintain an effective relationship with the Information Commissioner's Office and responding to correspondence from that office on complaints about PHSO's handling of information requests
- In conjunction with the FOI/DP Officers, acting as a source of advice and expertise to PHSO staff about information legislation generally, including the release of information during an investigation and compliance with the Data Protection Act

FOI/DP Officers support the Head of FOI/DP.

The Head of ICT, as IT Security Officer (ITSO), is responsible for:

- Supporting production of the RMADS in accordance with IS1 and IS2
- Accrediting PHSO's ICT systems, accepting residual risk on behalf of the SIRO where it is clearly within PHSO's normal risk appetite
- Representing security requirements in the procurement, design and implementation of PHSO's ICT architectures, including software, platform and infrastructure as a service (SaaS, PaaS, IaaS)
- Conducting technical risk assessments against PHSO's Information Security Management Systems, using CESG IA methodologies where appropriate
- Assisting PHSO in the routine application and interpretation of ICT security policies and practices
- Agreeing the Security policy and guidance, ICT Acceptable Use Policy, Security Operating Procedures (SyOPs) and Forensic Readiness Policy, and ensuring these are updated as IT security threats emerge and evolve
- Maintaining PSN code of connection compliance
- Maintaining PHSO's relationship with CESG and CPNI

The Learning and Insight Manager is responsible for our Information Promise and the Information Sharing Policy, promoting and updating them with assistance and advice from the IRM and FOI/DP teams.

5. Third Party Arrangements

5.1 Contractual Obligations

PHSO uses the information assurance/security elements of the Office of Government Commerce (OGC) model terms and conditions for ICT Services and Contracts, which are the approved Government standards for ICT services contracts and which embody current policy and best practice. PHSO also specifies security requirements in non-ICT services contracts which handle personal and organisationally sensitive information.
5.2 PHSO suppliers

PHSO has a small number of suppliers who handle personal and sensitive business information on our behalf (e.g. TNT). PHSO is committed to working with suppliers to drive data handling improvements throughout the delivery chain. Review meetings are held with suppliers periodically to discuss any issues that arise during the course of the contract.

6. Working with information

6.1 Legal and Regulatory Framework

In managing information risk PHSO will comply with all relevant legislation.

- The Data Protection Act 1998 (DPA) imposes statutory obligations on anybody processing personal data. The DPA makes clear that PHSO is legally responsible for ensuring that the personal information it creates, collects, uses, stores or otherwise processes is handled and protected in accordance with the requirements of the DPA.
- The Parliamentary Commissioner Act regulates the use and handling of information collected by PHSO for the purposes of carrying out investigations under that Act. The Act includes restrictions on when information obtained for the purposes of an investigation can be disclosed.
- The Health Service Commissioners Act 1993 likewise regulates the use and handling of information collected by PHSO for the purposes of carrying out investigations under that Act, and includes restrictions on when information obtained for the purposes of an investigation can be disclosed.
- The Freedom of Information Act 2000, together with the Environmental Information Regulations 2004, establishes a statutory regime for public access to information held by public authorities. The appropriate balance must be struck between this right of access and the need to protect personal and business-sensitive information, applying exemptions where legitimate and where the public interest is best served by withholding the information.
Other relevant legislation includes the Computer Misuse Act 1990 and the Human Rights Act 1998. The Health and Social Care Act 2012 also enables us to share information with relevant stakeholders (see Information Sharing Policy).

PHSO is working towards achieving appropriate levels in the Information Assurance Maturity Model. Work to modernise and improve information governance and assurance policies and processes will continue, and it is expected that we will manage our specific security risks over and above the baseline measures. PHSO is committed to keeping abreast of change and will respond to threat and circumstance appropriately.
6.2 Our Information Policies

The Information Governance policies

The purpose of the Information Governance policies is to provide the tools that support the effective use of information and technology while maintaining an environment of controlled risk and value-for-money investment. In this way, the policies aim to enable PHSO to:

- Deliver its strategic priorities
- Meet its responsibilities to its external stakeholders and complainants
- Comply with legislation

The Information Governance policies are as follows:

- Archive Policy
- Clear Desk Policy
- Cookie Policy
- Digital Preservation Policy
- Forensic Readiness Policy
- ICT Acceptable Use Policy
- Information Security Breach Policy
- Information Sharing Policy
- Privacy Policy
- Records Management Policy
- Retention and Disposal Schedules
- Security Policy

The high-level policies are supported by a number of more detailed guidance documents:

- Case File Structure Guidance
- ICT Control Procedures
- Records Management best practice guidance (including Meridio)
- Remote Working and BlackBerry Security Operating Procedures (SyOPs)
- Security Guidance

The Information Promise

PHSO is required to hold and process certain personal data in order to fulfil its operational and legal obligations. The Information Promise is our ethos on how PHSO manages the information provided to us by our customers. PHSO's Information Promise sets out our responsibilities in respect of personal information and explains how the public can request information we may hold about them. It demonstrates that we recognise the importance of the lawful treatment of personal information and ensures confidence in the organisation. The Information Promise is the externally facing vehicle by which we communicate our internal information governance policies (e.g. Records Management, Retention and Disposal) on how we manage customer information.

6.3 Creating and Receiving Information

Information that staff create during the course of their working life is considered recorded information if held:

- Electronically: for example, an email, Word document, spreadsheet or audio recording, whether in Meridio, SharePoint, Engage, Visualfiles or any other system
- Physically: for example, a printed letter, handwritten notes, a photograph or an x-ray

Information staff receive during the course of their working life is also considered recorded information. This includes information originally created by a colleague, another organisation, a customer or a third party.

All recorded information is subject to the Freedom of Information Act 2000 and the Environmental Information Regulations 2004. All recorded personal data is subject to the Data Protection Act 1998. Recorded information must be disclosed on request unless there is a valid exemption for withholding it. Staff should therefore be aware of the type and volume of information they are handling. Further information can be found in the Records Management Policy.

Type and Volume of Information

The type and volume of information created and received will have a direct impact on how staff are expected to handle it: for example, the security arrangements that will be necessary; who will be entitled to access and use the information; and how (if at all) it should be shared outside PHSO. In particular, the information staff create and receive may contain the following types of key information:

- Personal information: this relates to individuals, often our customers or sometimes our stakeholders and staff.
  For example, biographical information, or views and opinions recorded about someone
- Business-sensitive information: information can be considered business-sensitive if PHSO or a third party organisation would be affected by any loss of, or unauthorised access to, the information. For example, information marked PROTECT or RESTRICTED under PHSO's Protective Marking Scheme, or marked under the Government's Protective Marking Scheme

The volume of information, along with the nature of the information, can define the risk posed by any breach of security. For example, the loss of one person's bank details (although important) does not have the same impact as losing the bank details of 10 million people; the loss of one person's medical record can, however, cause substantial damage and distress to the individual concerned.

Collecting Personal Information

PHSO would be unable to fulfil many of its functions without collecting personal information from bodies in jurisdiction and/or individuals. A legitimate need to collect personal information, for example in order to undertake an investigation into a complaint, provides the justification to collect and use personal information, meeting Principle 1 of the DPA. Staff must take care to only request information which is likely to be relevant to their investigation.

6.4 Storing Information

Protecting Information: the layered approach

Once information is captured it must be protected. Security involves a number of distinct measures which form part of a layered approach. The approach starts with the protection of the asset at its source, for example protecting the ICT assets (e.g. PSN CoCo), and then proceeds progressively outwards to include security measures at PHSO offices. PHSO has a number of policies and procedures which staff must follow to assist with this layered approach. Examples include:

- ICT Acceptable Use Policy
- Security Operating Procedures for remote and mobile working
- Control Procedures for ICT Administrators, covering removable media, backups, secure disposal, security vetting, account creation and deletion, and incident response
- Clear Desk Policy
- Security Guidance

Storage

Physical information assets such as case files or HR, Finance or Procurement files which no longer require regular access but need to be retained until their retention period has expired should be prepared for offsite storage, submitted to the IRM team for registration and deposited at the offsite storage facility (TNT). Electronic information will remain in situ until its retention period is reached, when it will either be deleted or migrated to the PHSO Archive for permanent preservation.
PHSO Archive

PHSO has a physical and electronic archive where information assets selected for permanent preservation are kept. Records are selected in accordance with our Archive Policy.

6.5 Sharing Information

Sharing information with colleagues and stakeholders

Information can be shared where appropriate and in line with relevant legislation and internal policies (e.g. the Information Sharing Policy). PHSO staff have a responsibility to ensure that information is secure when it is being shared, whether internally or externally. All movement of information between people, organisations or ICT systems involves an element of risk. At the same time, people have expectations of us whenever we access, receive or handle information, especially if the information is personal or business-sensitive.

In an attempt to encourage greater knowledge sharing within PHSO, Meridio and Visualfiles follow the ethos of open access, except for staffing and business-sensitive information or highly sensitive casework. Staff are reminded, however, to always be mindful of the information they have access to.

Sharing data by hardcopy documents

Internal sharing of hardcopy documents must follow the Protective Marking Scheme and Associated Handling Arrangements. The Clear Desk Policy must also be followed. External sharing of hardcopy documents must also follow the Protective Marking Scheme and Associated Handling Arrangements. Where personal data is being shared with stakeholders, Information Sharing Agreements in line with ICO best practice must be created, approved and followed.

Sharing data by email

The Protective Marking Scheme and Associated Handling Arrangements must be followed when sharing information by email. Personal or business-sensitive documentation being shared with customers, stakeholders or other third parties on non-secure networks (e.g. Gmail, Yahoo) must be password protected. Guidance on secure emails and how to password protect documents can be found on Ombudsnet.
Sharing data by removable media

Removable media is not allowed; please contact ICT for guidance and advice.

Third Party Access to PHSO network

Access to PHSO ICT systems can be gained in three ways:

1. From a desktop terminal within PHSO, which provides access to a PHSO domain user account. This is subject to the ICT Acceptable Use Policy.
2. Using a PHSO laptop and authentication token, which provides access to a PHSO domain user account. This is subject to the ICT Acceptable Use Policy and SyOPs.
3. Using a PHSO-issued BlackBerry, which provides access to PHSO email and calendar. This requires the user to have a PHSO domain user account, administered by PHSO. This is subject to the ICT Acceptable Use Policy and SyOPs.

Access is granted to PHSO systems following a decision by the IT Security Officer, and is usually subject to completion of BPSS checks, or SC clearance where administrative access is granted.

6.6 Disposing of Information

Information Disposal

Information is retained by PHSO to support its operational business functions and to fulfil its legal obligations. At the end of its operational purpose it needs to be disposed of, which means either preserved permanently in our PHSO Archive or destroyed.

PHSO's Disposal Schedule can be found in the Information Asset Register and details the period of retention and the disposal action necessary to manage the information lifecycle. The retention periods and disposal actions detailed in this schedule are supported by legislation and best practice and should be applied to all information retained by PHSO. Where possible, the retention periods and disposal actions will be undertaken and managed by PHSO's Electronic Document and Records Management System (EDRMS, Meridio). Where this is not possible, the Information Asset Owner is responsible for applying the retention period and disposal action detailed in the schedule. Please contact the IRM team for further advice and guidance.

Preservation

Information that is to be retained for an extended period will be subject to the Digital Preservation Policy to reduce the risk of loss through obsolescence and degradation and to ensure its ongoing accessibility. Hardcopy records will also be preserved in accordance with best practice standards.
Records selected for permanent preservation will be stored in our PHSO Archive.

Information Destruction

Personal and business information must be securely disposed of. PHSO has arrangements in place for the secure disposal of information, with secure disposal bins, confidential waste bins and shredders at both sites.

7. Training and Culture
Fostering a professional culture and developing a positive attitude toward managing our information assets is critical to the successful delivery of this Framework. Information Assurance must be seen as an integral part of, and a key enabler to, effective PHSO business.

Training

All new and existing staff are required to undertake Information Governance training on appointment, and Data Protection training annually. This has been made mandatory by Leadership Team. Information Asset Owners will receive an IAO Briefing on their role and responsibilities on appointment and attend training offered by The National Archives. The Senior Information Risk Owner will attend regular SIRO network briefings and other training offered by The National Archives. We will also provide our Board and Audit Committee with relevant training and briefing information should they choose to undertake the training.

Guidance

PHSO has provided a range of technical and policy guidance to staff via Ombudsnet and internal publications. This guidance covers the use, creation, protection, access and disposal of PHSO's information.

Disciplinary Procedures

Breaches of information security could result in disciplinary action. The kind of action will depend on the nature of the breach and will be dealt with in accordance with the Capability and Disciplinary policies. The ICT Acceptable Use Policy states that inappropriate use of PHSO's ICT assets may result in action being taken under the misconduct procedure and, in cases of gross misconduct, this may include dismissal.

8. Incident Reporting, Recovery and Contingency

Reporting Information Losses

Staff should report any loss of paper or electronic (e.g. email) records to the Head of IRM in line with the Information Security Breach Policy. Loss of ICT equipment (including BlackBerrys and laptops) should also be reported to the Head of ICT. ICT will log the loss of the ICT asset and arrange a replacement.
At the same time staff should ensure that their local Information Asset Owner is also notified of the incident. Incident Management and Escalation Page 16 of 19
The Head of IRM will assess all information losses by completing an incident breach form, which will help to determine the sensitivity of the information and the impact of the potential loss. The actual and/or potential harm to individuals is the overriding consideration in deciding whether a breach of data security should be reported to the individuals concerned and/or the Information Commissioner's Office (ICO). Only the SIRO is authorised to permit the Head of IRM to report incidents to the ICO. The Head of ICT will assess all technology-related incidents, reporting to CESG or CPNI as required.

Recovery

PHSO makes regular daily backups of our corporate systems. Backups are taken at a single point in time (nightly), so information or files created after one backup will not be captured until the next backup is taken. Desktops are not backed up and staff must not store items there, in line with our Records Management policy.

Business Continuity Management

Information Security is a key element of business continuity management. In the event of a significant interruption to service, PHSO's Business Continuity procedures will be actioned.

9. Audit, Monitoring and Review

9.1 Monitoring Information Access and Use

ICT Assets

PHSO is required to ensure that its ICT Acceptable Use Policy and its other rules and procedures are followed. PHSO also has a legitimate interest in protecting its reputation and communication systems, limiting its exposure to legal liability and ensuring that users conduct themselves and perform their work to the level expected of them. PHSO automatically monitors all users' use of ICT assets on a continuous basis and reserves the right to further monitor users' use of its ICT assets, without advance notice, in accordance with the terms of the Policy. Information obtained as a result of monitoring will not normally be used for purposes other than those for which the monitoring was carried out, unless it reveals information that PHSO cannot reasonably be expected to ignore (for example, a breach of the ICT Acceptable Use Policy or evidence of criminal activities). All use of ICT evidence in investigations is subject to PHSO's Forensic Readiness Policy.

Information Assets

The Information Governance Compliance Programme outlines the approach to monitoring and reporting of access, use and disposal of information held in our ICT systems, including Meridio, Visualfiles and SharePoint.

Privacy Impact Assessments and Information Governance Audit
A Privacy Impact Assessment (PIA) is initiated as a result of a proposed change. It is a process whereby potential privacy issues and risks in a project or process are identified and examined from the perspectives of all stakeholders, and a search is undertaken for ways to avoid or minimise privacy concerns. Information Asset Owners should be instrumental in the completion and approval of a PIA.

An Information Governance Audit seeks to understand all aspects of an existing information asset, for example the type and nature of the information involved; which business processes use the information; which systems are used; and who has access and why. The Audit is therefore similar to a PIA, but is undertaken on projects or process changes that have already been implemented. Information Asset Owners should be instrumental in the completion and approval of an Information Governance Audit.

9.2 Risk Assessments

Quarterly Assessments

PHSO's Audit Committee and Accounting Officer will review information risk quarterly on the basis of a report from the Head of IRM and Head of FOI/DP on Information Governance Compliance in PHSO. Information Asset Owners are expected to contribute to the quarterly risk assessment by completing the IAO quarterly assurance statement. In doing so, they identify and, where appropriate, formally accept significant risks introduced when personal or business-sensitive information is moved or shared.

Annual Assessments

There will be an annual assessment of information risk, which will support the Senior Information Risk Owner in providing written assurance/advice on the Governance Statement to the Accounting Officer. The assessment will cover the effectiveness of the Information Governance and Assurance programme and will be informed by the written IAO annual assurance statements and the compliance checks carried out as part of the Information Governance Compliance Programme. Internal audit inspections should also be taken into consideration.
9.3 External Accountability, Transparency and Progress Reporting

PHSO promotes transparency about its information risks and incidents. PHSO has published its Information Promise on our website, which sets out for the public our standards for handling personal information and how they can address any concerns that they may have. All staff are aware of and uphold the Promise.

Each year PHSO will set out in its Annual Report summary material on information risk, covering the overall judgement in the Governance Statement, the number of information risk incidents sufficiently significant for the Information Commissioner to be informed, the number of people potentially affected, and the action taken to contain the breach and prevent recurrence.

9.4 Keeping the Framework under Review

The Framework should be subject to an annual review. The Review will be carried out by the Head of IRM in consultation with the Head of ICT, Head of FOI/DP, Insight and Research Manager, Health Policy Team and the Security and Information Assurance Committee.