How To Protect School Data From Harm
- Molly Carroll
- 3 years ago
43: DATA SECURITY POLICY

DATE OF POLICY: FEBRUARY 2013
STAFF RESPONSIBLE: HEAD/DEPUTY HEAD
STATUS: STATUTORY
LEGISLATION: THE DATA PROTECTION ACT 1998
REVIEWED BY GOVERNING BODY: FEBRUARY 2013
EDITED: SEPTEMBER 2013
NEXT REVIEW: SEPTEMBER 2014

The Governing Body is responsible for the maintenance of this policy.

1. Introduction

Data Security

This policy provides core security principles to be followed to ensure that data assets (information, property and staff) are secured in a proportionate manner and that information (including personal data) can be shared confidently, knowing it is reliable, accessible and secured to agreed standards.

The Cabinet Office report Data Handling Procedures and subsequent policy document HMG Security Policy Framework outline mandatory security requirements and management arrangements to which all government departments and public agencies must adhere. Guidance for schools, colleges and universities produced by Becta, following the spirit of government procedures, is proportionate and appropriate for education and helps schools ensure compliance with the Data Protection Act. The underlying principle of the guidance is that through a combination of technical and procedural solutions, organisations should do everything within their power to ensure the safety and security of any personal data (or data that is important to the secure running of an organisation).

Responsibilities

Data Handling Procedures in Government highlighted two roles (SIRO and IAO) that have responsibility for information security risk management. Although overall responsibility for data security rests with the Head Teacher and Governing Body, it is strongly recommended that the school adopts the titles below (and the responsibilities attached to them). All ICT policies and procedures outlined in this review assume the designation of named staff to these roles:

1. Senior Information Risk Officer (SIRO): a senior member of staff who is familiar with information risks and the school's response. The SIRO at Kingsmead is a Deputy Head (currently Peter Plowman). The key responsibilities are:
   a) To own the information risk policy and risk assessment.
   b) To keep a record of all Information Asset Owners (IAOs); see below.
   c) To act as an advocate for information risk management.

2. Information Asset Owners (IAOs): compile and own specific information. Their role is to be clear about:
   a) What information they hold, and for what purposes.
   b) How this information will be amended or added to over time.
   c) Who has access to the data and why.
   d) How information is retained and disposed of.
Information Assets will include the personal data of learners and staff, such as assessment records, medical information and special educational needs data. Information assets also include non-personal data that could be considered sensitive if lost or corrupted, such as financial data, commercial data, research data, organisational and operational data, and correspondence. The value of an asset is determined by considering the consequences likely to occur if it is lost or compromised in any way, such as identity theft, adverse publicity or breaches of statutory/legal obligations.

An information asset is regarded as the collection of data or an entire data set. It is important to distinguish between an information asset and the information (usually a subset of the asset) that needs protecting. For example, reports run from a core information asset, such as a management information system (SIMS), are not information assets themselves.

Organisations should identify an Information Asset Owner (IAO) for each asset or group of assets as appropriate. For example, the organisation's management information system should be identified as an asset and should have an IAO. The IAO should be able to manage and address risks to the information and make sure that information handling complies with legal requirements. Typically, there may be several IAOs within an institution, whose roles may currently be those of e-safety co-ordinator, ICT manager or management information systems manager.

3. Network Manager: oversees the network and monitors its performance, security and error detection, and also implements access controls. Some critical elements of e-security procedures are also the responsibility of the Network Manager or other Technical Support Staff (for example, access control to the Network and Technical Security).
Although this policy explicitly identifies these roles, the handling of secured data is everyone's responsibility, whether they are an employee, consultant, student, parent, governor, software provider or a managed service provider. It must be understood by everyone that failing to apply appropriate controls to secure data could amount to gross misconduct or even legal action.

2. Data Classification

Following recent breaches of information confidentiality in UK educational establishments, current government guidance for schools is to align school information with one of the government information classification levels defined below and safeguard it accordingly. All information assets are usually regarded as falling into one of five markings, which in descending order of sensitivity are: Top Secret, Secret, Confidential, Restricted and Protect. Most learner or staff personal data that is used within educational institutions will come under the Restricted classification, with much other general school data being marked as Protect. These classification levels are derived from the potential impact that unauthorised disclosure of information may have on the individuals concerned. Non-compliance with this guidance and any subsequent loss of sensitive or personal data could potentially lead to prosecution under the Data Protection Act.

i) Restricted: Information which can only be accessed by named individuals or groups. Printed restricted information shall be labelled to identify it as confidential. Where possible, restricted information displayed on screen should be labelled as such.
ii) Protect: General school information which is not expected to be released to the public.
iii) Public: Information freely available to anyone.

Kingsmead will adopt an Information Classification table (example below), which should be expanded to contain a list of all data types (both paper and electronic) currently held within the school. This will then allow an information risk assessment to be carried out.

RESTRICTED: Personal information related to pupils or staff (usually contained in the Management Information System).
PROTECT: School routines, schedules and management information.
PUBLIC: Website and promotional materials. Display material around school.

Information risk assessment

Kingsmead School conducts thorough risk assessments on the assets it holds. This helps to plan security measures that are practical and proportionate to the assets' specific size and risk profile.

Conducting information risk assessments

Criteria for assessing risks take into account:
- the assets involved
- legal requirements (such as the Data Protection Act 1998)
- the practicalities of running the school day to day
- the impact of incidents on reputation in the community

Identifying, describing and prioritising risks against these criteria: Information Asset Owners list information assets that contain personal data or data valuable to the organisation and then identify:
- the asset details (and the marking to be applied to them)
- perceived threats
- any existing controls
- potential vulnerabilities
- possible consequences

Once the school has identified risks, their size can be estimated, that is, the combination of consequence and likelihood of the assets being compromised, and what can be done to mitigate these risks. These actions together with the Information Classification Table can then be included in the Information Risk Assessment Policy.

3. Data storage and transfer

It is a legal requirement of the Data Protection Act 1998 to protect and secure personal data.
The Information Commissioner's Office (ICO) recommends that portable and mobile devices (including media) used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.

Any personal or sensitive data that is removed or accessed from outside an approved secure space should be encrypted. Examples of approved secure spaces include physically secure areas in the school, and the premises of support contractors. This applies to both communication links (for example VLE or 24hour school remote access) and to files held on electronic storage media (e.g. hard drives, CDs, DVDs, USB sticks and memory cards). In particular:

- When sensitive or personal data is required by an authorised user from outside the school's premises, for example by a member of staff to work from their home, they should preferably make use of secure remote access to the management information system or the learning platform (VLE, Firefly).
- If secure remote access is not possible, users must only remove or copy personal or sensitive data from the school or authorised premises if the storage media, portable or mobile device is encrypted and is transported securely for storage in a secure location.
- Kingsmead School and all users must securely delete personal or sensitive data when it is no longer required.

4. Data security measures to enable business continuity

As a priority, Kingsmead will install sufficient server UPS (Uninterruptible Power Supply) capacity to ensure that data corruption would not occur in the event of a power outage and ensure that a backup is regularly made and stored off site.

Currently there is no UPS system in place for the school server infrastructure, leaving it vulnerable to data loss in the event of a power outage. There is also no offsite backup. This means that in the event of a catastrophic incident (e.g. fire) which destroyed the server infrastructure and any backups which are currently stored on-site, business recovery would be impossible.

5. Secure e-mail system

Kingsmead School has an MS Exchange based solution in place for staff. In order to be compliant with best practice, incoming e-mail must be subjected to virus checking before it arrives within the school network.
E-mail systems must also comply with the Data Protection Act's requirement to store any personal (Restricted) information within the EU or within a safe harbour country. For these reasons, use of systems such as Google mail by staff and students, many of which are hosted within the cloud, is to be discontinued, as these systems do not provide the level of audit transparency or access to archived material likely to be required in the investigation of any potential criminal proceedings involving the use of school ICT systems. Going forward, a secure e-mail solution (such as a local MS Exchange system) should be provided for all users including students.

6. Password Security

The Network Manager will implement a strong password policy to protect data, with regular enforced password changes for users accessing data types with a Restricted classification (e.g. SIMS passwords). Students will continue to be able to access their user accounts using soft passwords.

7. External access to school based information resources

Single factor authentication (Username + Password) is required for external access via the web to resources on the school network. Access to SIMS, potentially allowing unauthorised access to Restricted student data, must require 2nd Factor authentication (e.g. by One time password key generation devices) for those users requiring external access to Restricted resources.

Kingsmead will develop auditable change logs and reconciliation with the school MIS system for data held in other systems.

Kingsmead will develop systems to ensure that all ICT resources taken out of school are subject to the highest level of security protection and any ICT resources which do not have this security applied have no access to the core network when they return.

8. Access Controls

A central record of sensitive usernames/passwords is stored in the school safe with access controlled by the SIRO and Bursar. The data classification table is updated annually and reported to the governing body. The audit of access rights to Restricted data ensures that access is only provided to staff who require it to carry out their role in school.

9. Published protocols and procedures

The Network Manager will develop, publish and annually review manuals, procedures and policies which cover all aspects of the day to day use of ICT systems by all users, including information which could be used in extremis by a third party to successfully manage the current school ICT systems in the absence of the Network Manager. This last item is stored in the school safe along with the central record of sensitive usernames/passwords.

10. Data Security Working Group

Kingsmead will establish a data security working group to meet periodically, whose remit includes the review of all ICT policies and procedures including the updating of the Acceptable Usage Policy (AUP). Aspects of e-safety fall within the remit of this group. The group will also consider the provision of appropriate training for all sectors of the school community including:

- School Workforce training in understanding the rationale for all data security procedures and the consequences of inappropriate practice.
- School Workforce training in responsible approaches to data use on mobile devices, communicating online and procedures when using multimedia digital content such as photographs, videos and podcasts in terms of permission seeking, taking, storage and retention.
- Regular re-visiting of the AUP with staff and pupils.

11. Incident Reporting

An important element of data security is the ability to identify and deal with incidents related to the confidentiality of information. All staff and students have a responsibility to report data security incidents so that they may be dealt with effectively and in a timely manner in order to minimise any impact on the school.

The incident reporting procedure requires incidents to be reported in the Incident Log held by the SIRO. The log captures the following information:

- Incident Date: When the occurrence took place
- Description of the Occurrence: What happened, inc. classification of any information compromised
- Immediate Corrective Action: What was done to minimise the impact of the incident
- Further Action: Tasks to be undertaken to prevent reoccurrence
- Legal Implications: Any legal ramifications, e.g. Data Protection Act
- Closed Date: Date by which the incident is closed by the Head/SIRO

The Incident Log is formally reviewed, and any outstanding actions delegated via the Senior Leadership Team, at a minimum frequency of once per term. Through this review process, where deemed appropriate, the leadership team shall update the risk assessment in light of new incidents. The Log and accompanying action plans should be reviewed annually by the Governing Body.

Examples of common incidents which occur in schools which would be expected to be logged include:

- Circumventing the network security system
- Accessing inappropriate material (definition in AUP)
- Installing unapproved software
- Using other people's addresses or passwords
- Breaching copyright
- Uploading Restricted or Protect school material onto a social network or chat room
- Leaving school mobile devices unattended
- Failure to log off when leaving a device

12. Starters and Leavers

The formal system for recording starters and leavers, ensuring that access to all school ICT systems (including any VLE in use) is removed in a timely fashion for all leavers, is the responsibility of the Network Manager. All staff are required to sign the Acceptable Usage Policy and teaching staff sign an acceptance of responsibility for the security of all ICT equipment issued
More informationHead of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2
Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications
More informationData Security Policy
Policy Number: Revision Number: 0 QP1.44 Date of issue: March 2009 Status: Approved Date of approval: April 2009 Responsibility for policy: Responsibility for implementation: Responsibility for review:
More informationProtection of Computer Data and Software
April 2011 Country of Origin: United Kingdom Protection of Computer Data and Software Introduction... 1 Responsibilities...2 User Control... 2 Storage of Data and Software... 3 Printed Data... 4 Personal
More informationData Security and Extranet
Data Security and Extranet Derek Crabtree Schools ICT Support Manager derek.crabtree@merton.gov.uk Target Operating Model 2011 Merton Audit Organisation name: London Borough of Merton Periodic plan date:
More informationINFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c
INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information
More informationMerthyr Tydfil County Borough Council. Information Security Policy
Merthyr Tydfil County Borough Council Information Security Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of
More informationRoskear Primary & Nursery School. E-Safety Policy
E-Safety Policy Reviewed by E-safety Group 16 th January 2015 Reviewed by Governors 11 th Feb 2015 Review Date Feb 2016 Development / Monitoring / Review of this Policy This E-Safety policy has been developed
More informationProtection. Code of Practice. of Personal Data RPC001147_EN_D_19
Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility
More informationA Mobile Phone and Camera Toolkit for Early Years Settings. Early Years Services April 2013 Version 1.0
A Mobile Phone and Camera Toolkit for Early Years Settings Early Years Services April 2013 Version 1.0 Contents 1.0 Introduction Who is the Toolkit for? 2.0 Mobile Phone Policy and Procedure 2.1 Aim 2.2
More informationSecurity Incident Management Policy
Security Incident Management Policy January 2015 Document Version 2.4 Document Status Owner Name Owner Job Title Published Martyn Ward Head of ICT Business Delivery Document ref. Approval Date 27/01/2015
More informationAGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader
AGENDA ITEM: SUMMARY Report for: Committee Date of meeting: 30 May 2012 PART: 1 If Part II, reason: Title of report: Contact: Purpose of report: Recommendations Corporate objectives: Implications: INFORMATION
More informationCloud Software Services for Schools
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact
More informationInformation Security Incident Management Policy September 2013
Information Security Incident Management Policy September 2013 Approving authority: University Executive Consultation via: Secretary's Board REALISM Project Board Approval date: September 2013 Effective
More informationCloud Software Services for Schools
Request for information on the document re: cloud and secure storage posted on the DfE website, response provided by DfE and Schools Commercial team: The focus of the project is on data security/safety
More informationInformation Management Policy
Information Management Policy Document Control Title Organisation Description Author(s) Information Management Policy London Legacy Development Corporation The Information Management Policy describes how
More informationPolicy Document. Communications and Operation Management Policy
Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author
More informationData Protection Policy
1. Introduction 1.1 The College needs to keep certain information about its employees, students and other stakeholders, for example to allow it to monitor performance, achievements and health and safety.
More informationAll CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.
Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,
More informationInformation Integrity & Data Management
Group Standard Information Integrity & Data Management Serco recognises its responsibility to ensure that any information and data produced meets customer, legislative and regulatory requirements and is
More informationSecurity Awareness. A Supplier Guide/Employee Training Pack. May 2011 (updated November 2011)
Security Awareness A Supplier Guide/Employee Training Pack May 2011 (updated November 2011) Contents/Chapters 1. How do I identify a DWP asset 2. Delivering on behalf of DWP - Accessing DWP assets 3. How
More informationE-SAFETY POLICY 2014/15 Including:
E-SAFETY POLICY 2014/15 Including: Staff ICT policy (Corporation approved) Data protection policy (Corporation approved) Staff guidelines for Data protection Data Security, awareness raising Acceptable
More informationE-Safety Policy & Procedures
E-Safety Policy & Procedures Version Policy Originator: Equality Impact Assessed: Approved by: SMT Date Approved: April 2015 Review Interval: Annually Last Review Date: - Next Review Date: April 2016 Audience:
More informationIT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY
IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact
More informationHow To Ensure Your School Is Safe Online
Ivy Road Primary School Policy for e-safety Updated - 2014 1. Introduction Pupils interact with the internet and other communications technologies such as mobile phones on a daily basis. The exchange of
More informationIT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)
IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date
More informationInformation Governance Strategy
Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:
More informationWHAT YOU NEED TO KNOW ABOUT CYBER SECURITY
SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes
More informationInformation Governance Framework
Information Governance Framework March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aim 2 3 Purpose, Values and Principles 2 4 Scope 3 5 Roles and Responsibilities 3 6 Review 5 Appendix 1 - Information
More informationNetworking and Social Media Policy
Networking and Social Media Policy 1 Objectives This policy sets out the Millfields Community School policy on social networking. New technologies are an integral part of our lives and are powerful tools
More informationICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen
ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure
More informationInformation governance guidance for schools
Information governance guidance for schools Guidance Guidance document no: 186/2015 Date of issue: September 2015 Information governance guidance for schools Audience All staff, governors and learners
More informationHuman Resources Policy documents. Data Protection Policy
Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and
More informationCloud Computing and Records Management
GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version
More informationAUDIT COMMITTEE 10 DECEMBER 2014
AUDIT COMMITTEE 10 DECEMBER 2014 AGENDA ITEM 8 Subject Report by MANAGEMENT OF INFORMATION RISKS DIRECTOR OF CORPORATE SERVICES Enquiries contact: Tony Preston, Ext 6541, email tony.preston@chelmsford.gov.uk
More informationInformation Governance and Assurance Framework Version 1.0
Information Governance and Assurance Framework Version 1.0 Page 1 of 19 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: Meridio Location: Approval Body: Policy and Guidance
More informationElectronic Communications Guidance for School Staff 2013/2014
Our Lady of Lourdes and St Patrick s Catholic Primary Schools Huddersfield Electronic Communications Guidance for School Staff 2013/2014 Updated September 2013 Contents 1. Introduction 2. Safe and responsible
More information