Corporate Affairs Overview and Scrutiny Committee

Agenda item: 4

Committee: Corporate Affairs Overview and Scrutiny Committee
Date of meeting: 29 January 2009
Subject: Information Security
Lead Officer: Head of Information Systems
Portfolio Holder: Cllr Roger Whittaker Portfolio Holder Resources
Link to Council Priorities: P1
Exempt information: None
Delegated status: For information

EXECUTIVE SUMMARY:

This report provides an overview of the Council's information security arrangements including the work of the Information Security Forum and an update on the Government Connect Programme. The Information Security Policy Framework aims to manage the security risk to the Council in the event of misuse of ICT facilities and the Council's information. These policies have been produced following an extensive consultation process over a number of years and regular reminders are posted on the Council's Intranet.

RECOMMENDATION: THAT THE CORPORATE AFFAIRS OVERVIEW AND SCRUTINY COMMITTEE NOTES:

A) THE ARRANGEMENTS WITH RESPECT TO THE COUNCIL'S INFORMATION SECURITY POLICY AND ASSOCIATED POLICIES.
B) THE 2008/09 WORK PROGRAMME OF THE INFORMATION SECURITY FORUM INCLUDING THE SECURE EXCHANGE OF DATA AND THE REQUIREMENT FOR ALL STAFF TO ATTEND INFORMATION MANAGEMENT AND SECURITY AWARENESS SESSIONS.
C) THE IMPLEMENTATION OF GOVERNMENT CONNECT FOR THE BENEFITS SERVICE IN APRIL 2009 AS REQUIRED BY THE DWP.

REPORT:

1. Background

As Members will be aware, the corporate officer-working group, the Information Security Forum, is tasked with ensuring the Council achieves compliance with the ISO standards for information management and security.

2. The Information Security Forum (ISF)

The ISF develops, manages and maintains the Council's Information Security Management System (ISMS) as required by ISO and ensures that it remains operational by:

- reviewing and approving the Information Security Policy
- monitoring significant changes in the exposure of information assets to major threats
- monitoring information security incidents (and following the agreed procedures in the event of an incident)
- approving major initiatives to enhance information security by developing an annual Work Programme.

3. The Information Security Policy Framework

The Council's Information Security Policy Framework was significantly redeveloped in 2005 and last formally updated at the end of
The policy framework includes:

- Information Security Policy (overarching policy)
- Computer Usage Policy
- Usage Policy
- Internet Usage Policy
- Home Working Policy
- Mobile Equipment (removable media devices) Usage Policy
- Security Incident Management Policy

All policies, information security guidelines and minutes of the Information Security Forum are available on the Council's Intranet on the following link:

4. Personal Commitment Statement

Whilst security policies and standards underpin the security of information within the organisation, it is essential that users must understand and comply with the policies in order for these to be fully effective. The Joint Staff Advisory Group on 12 October 2007 was advised of the arrangements to introduce a Personal Commitment Statement (Appendix A) to be signed by all authorised IT network and equipment users (including temporary staff) and countersigned by the Divisional Head.

Members are encouraged to sign into the Council's Virtual Private Network (VPN) and its secure environment although Councillors are not required to sign the Information Security Personal Commitment Statement at this stage.
With respect to usage, the Council's policy, for a number of years, has been that no automatic forwarding rules are set up on behalf of Members and Members should be contacted via corporate standard

5. Information Security Incident Management

On 8 July 2008 the Corporate Management Board (CMB) agreed that the Security Incident Management Policy be renamed Information Security Incident Management Policy and that the Policy be updated to reflect:

- Revised security breach categories as proposed by the ISF and that;
- The Strategic Director Resources (as the ISF Champion at the CMB) receives the Quarterly Summary Report of Security Incidents (as considered by the ISF) and;
- In respect of any on-going incidents which are classified as 'Serious' (or any 'Significant' incident which is required to be tracked as if designated 'Serious') a status report will be provided to CMB by the Strategic Director Resources and the Chair of the ISF until the incident is closed.

6. Information Security Forum Work Programme

At the beginning of the current financial year and following a risk assessment the ISF agreed the following priority order for the 2008/09 Work Programme:

1. Ensure adequate protection of data security and exchange data security-mapping for completion by Sep
2. Look at secure messaging/data exchange and encryption in accordance with ISO and the Code of Connection (CoCo) compliance requirements for Government Connect.
3. Implement the "Baseline Personal Security Standard" for all users (permanent and agency staff and Members if appropriate) of Government Connect secure and data exchange (GCSx).
4. Network Audit Logs.
5. Develop an Information Management Framework / Strategy.
6. Test compliance to all policies via test audit (including any actions arising from the two internal audits conducted in 2008 re:- /web access and compliance with ISO ).
7. Education Programme - ongoing communication of Information Security Policies via guides and awareness sessions.
8. Review the use of generic Accounts, proxy access and forwarding of s.

All of the above projects are closely linked and based on compliance with ISO and the Government Connect Code of Connection (CoCo).

7. Data Security and Exchange

In view of a number of high profile national information security incidents the Council's Corporate Strategic Risk Register 2008/09 includes as Strategic Risk E Failure to ensure adequate protection of data security and exchange with a Potential impact on all objectives.
As the top priority in the ISF Work Programme 2008/09 (see section 6 above), a Data Security Mapping Project during the summer identified that data exchange is common practice between the Authority and a number of different public and private bodies and that there is no consistency in the method/mode of data exchange. As a consequence the Corporate Management Board agreed that the Guidelines for Data Security (originally issued by the ISF in December 2007 to complement the existing Information Security Policies), be revised to strengthen procedures in line with Information Security best practice and the new Local Government Data Handling Guidelines issued in November

The revised procedures will be implemented following a period of consultation with Heads of Division and middle managers in January
The revised Data Security Guidelines as at December 2008 are at Appendix B. In the longer term the phased implementation of Government Connect GCSx will provide a secure extranet for and data exchange.

8. Government Connect Programme

8.1 All local authorities in England and Wales have signed up to the Government Connect Programme for secure and data exchange. The Government Connect Secure extranet (GCSx) is a secure, national IT network infrastructure for secure and data exchange linking local authorities, central government departments, the NHS, police and criminal justice agencies. GCSx is an extension of central government's secure intranet (GSi).

8.2 In April 2008 a 33m funding package to complete the delivery and operation of GCSx to 31st March 2011 was announced with lead responsibility for delivery passing to the DWP and confirmation that from April 2009 the DWP, DCSF and CLG will begin phasing out less efficient, robust or secure internet or postal based methods of communication. On 7th July 2008 the DWP mandated the use of Government Connect GCSx for Council Tax and Housing Benefits from 1 April

8.3 The Government Connect Implementation Programme (Appendix C) is split into five stages. Elmbridge is at Stage 3 although most of Stage 4 has already been completed. As at 23 December 2008, 288 out of 410 local authorities are at Stage 3 and only one authority, Guildford Borough Council, in the South East Region is at Stage 5 - Live. Completion of Stages 3 and 4 is dependent on obtaining approval of the Code of Connection (CoCo).

8.4 The Code of Connection (CoCo) defines the minimum standards and processes that an authority must comply with before being able to connect to GCSx. The CoCo covers many of the requirements for ISO and the projects listed above in the ISF Work Programme.
Achieving compliance to the CoCo requires the local authority to provide a compliance statement and supporting comment against 91 security control measures. Elmbridge's first assessment was described as a very good submission; however, we were asked to address a number of action requests required to bring Elmbridge up to the required security standard. Compliance with the CoCo requires significant work to meet all the controls (the majority of which are highly technical) and a detailed plan has been developed reflecting the actions required, target dates, resources, risks, issues and cost, and crucially the evidence of compliance.

9. Information Security Communications Plan

9.1 The implementation of the ISF Work Programme and increased security controls will have an impact across the authority and the role of the ISF in developing, implementing, monitoring and communicating the new security controls will be crucial.

9.2 The ISF Communications Plan is aimed at all users as defined in the Information Security Policies. The Communication objectives being:

- Raise awareness of the Information Security Policies including Computer Usage Policy, Usage Policy, Internet Usage Policy, Mobile Equipment (Removable Media Devices) Usage Policy, Home working Policy and the Information Security Incident Management Policy
- Raise awareness of the revised Data Security Guidelines and Check List.
- Raise awareness of the requirement for maintaining information/data quality and the effective management of records and information.
- Help all staff and Members understand that every individual has a personal responsibility to protect the information in their care (including using recognised security classification and protective marking in line with the Government's Manual of Protective Security).
- Help all staff and Members understand the risks associated with noncompliance.

9.3 The immediate priority is to deliver the Information Management and Security Awareness Sessions for all staff as required by ISO and the Government Connect Code of Connection (CoCo). Following these mandatory Information Security Awareness sessions there will need to be specific training for users of GCSx all before 31 March

9.4 Information Security issues will continue to be introduced during both new staff and Member Induction Days. Subsequent staff training needs will be identified through the Staff Performance Review process and Information Security Awareness sessions will be built into the Members Development Training Programme for the next municipal year.

9.5 The Baseline Personnel Security Check will be introduced. Whilst this is essentially required for GCSx users, in order to set up appropriate procedures and controls this security standard will be applied to all new employees and agency staff.
9.6 The Government Connect requirements will need to be included in contractual arrangements e.g. third party access to our IT network.

9.7 A disciplined approach to documenting a business case for any exemptions to the required standard will be required which will, in some cases, require approval of new policy statements.

Financial implications: The financial cost of the Information Security Awareness sessions and new security software and hardware required to comply with the CoCo and therefore meet the 31 March 2009 target will be met from approved 2008/09 Capital and Revenue budgets.

Environmental/Sustainability Implications: There are no direct implications as part of this report.

Legal implications: Compliance with information related legislation, including Freedom of Information, Data Protection, employment law and information sharing protocols.

Equality implications: There are no direct equality implications as part of this report.

Risk implications: The Council's Corporate Strategic Register 2008/09 includes as Strategic Risk E Failure to ensure adequate protection of data security and exchange with a Potential impact on all objectives. Failure to comply with the Information Security Policies and compliance standards poses a potential risk to the IT network, and therefore the organisation; a risk of noncompliance with information related legislation. Furthermore, failure to follow policies and procedures would result in lack of compliance with the ISO and the Government Connect GCSx Code of Connection relating to information security and management. A major implication for the authority is that continued access to DWP secure data by the Housing Benefits Section is dependent on the Council meeting the GCSx Code of Connection. The highest risk for the authority is that we may not be able to demonstrate compliance with the CoCo with the subsequent operational impact on the Benefits Service of not being live on Government Connect GCSx by 1 April

Community Safety implications: There are no direct Community Safety implications as part of this report.
Principal Consultees:
Corporate Management Board
Information Security Forum
Heads of Division

Background papers:
Cabinet - 10 February Information Security Policy
Cabinet - 12 October Information Security Policy Update
Joint Staff Advisory Group 12 October Information Security Policy Update
With the Chair of Information Security Forum (Head of Information Systems)

Enclosures/Appendices:
Appendix A - Personal Commitment Statement
Appendix B - Revised Data Security Guidelines December 2008
Appendix C - Government Connect Implementation Stages

Contact details:
Frances Pearce
Head of Information Systems
fpearce@elmbridge.gov.uk

Appendix A

Information Security Policy Personal Commitment Statement

I name as a user of the Elmbridge Borough Council's information systems understand and agree to comply with the Council's main Information Security Policy and all related compliance policies for IT systems, and web access usage.

I understand that the Council's IT equipment and systems are provided for business use and that only limited personal use is acceptable.

I will make myself familiar with the security policies, procedures and any special instructions that relate to the use of secure and data exchange, as well as to ensuring the quality and accuracy of all data.

I should inform my manager, ISD or a member of the Information Security Forum immediately if I detect, suspect or witness an incident that may be a breach of security.

I acknowledge that the Council reserves the right to monitor my use of IT Systems and that if any misuse or abuse of the facilities is identified this may lead to disciplinary action.

I agree to be responsible for the use of my unique user ID and password (and any other mechanism provided) and address; in particular, I will not write down or share my password.

I will not use a colleague's unique ID credentials to access information systems and will not attempt to access any system that I have not been given permission to access; I will not leave my computer unattended in such a state as to risk unauthorised viewing of information displayed on IT systems.

I will not send sensitive or confidential information over public networks such as the Internet; and will always check that the recipients of messages are correct so that potentially sensitive information is not accidentally released into the public domain.
I understand that only ISD staff are authorised to install software or hardware, as they must be properly purchased and licensed to the Council (including all removable devices such as USB memory sticks, digital cameras) and I will not remove equipment or information from my employer's premises without appropriate approval from my Head of Division.

I will comply with the Data Protection Act 1998 and any other legal, statutory or contractual obligations that my employer informs me are relevant.

I hereby agree to the terms as set out above.

Employee's Signature
Date:
Employee Name: name
Username: log in id
Job Title:
Division:
Line Manager: (Print Name)
Head of Division/Director: (Print Name)
Signature    Signature
Date    Date

Appendix B

Guidelines for Data Security (Revised December 2008)

1. Elmbridge Borough Council is required to comply with the provisions of the Data Protection Act 1998 in respect of holding and transmitting data.
2. Heads of Division are responsible for specific data sets in their area - i.e. they are the information asset owner.
3. All personal, sensitive and confidential information should be kept within secure premises and systems.
4. As detailed in the Personal Commitment Statement, every individual has a responsibility for data protection and for not sending personal, sensitive or confidential information over public networks, e.g. the standard postal service, the Internet, unless they have authority to do so from their Head of Division.
5. All data sent externally to third parties must be transmitted in a secure manner and, unless there is no alternative, in an electronic format.
6. Bulk transfer of information should be carried out via a secure network and/or to a secure web site where access is controlled by using a unique login and password.
7. Where no secure network or site is available then at a minimum the electronic data should be password protected. The password information must be communicated separately.
8. The use of removable media (laptops, removable discs, CDs, USB memory sticks, PDAs and media card formats etc) should be carefully considered and strictly limited. Where it is unavoidable, encryption should be used and the personal, sensitive or confidential information transferred should be the minimum necessary.
9. Mindful of risk and cost, any personal, sensitive or confidential information sent to third parties in hard copy format or on a removable media device should be sent by special delivery e.g. DX service, courier service or Royal Mail Special Delivery via the Mail Room to enable the tracking of delivery and receipt of data.
10. Heads of Division must maintain a record of all data transmitted to third parties including, where possible, confirmation from the recipient that the sensitive/personal data has been received.
11. If officers are in any doubt about procedures for transmitting data to third parties they should seek advice from their Head of Division before data is sent to third parties.

Officers should refer to the existing Information Security Policies for further information.

Appendix C

GOVERNMENT CONNECT IMPLEMENTATION STAGES

Implementation Stage / Action Required: / Elmbridge Position

Submit GCSx Proforma, obtain connection
By when: 30 April 2008
CoCo* review & consultancy
By when: 31 May 2008
LA: Submit completed proforma to GC
GC: Order GCSx connection
C&W: Deliver GCSx circuit
Trigger to move to stage 2: CoCo Sent to LA
LA: Initial review of CoCo compliance
LA: Book CoCo consultancy meeting with GC Acct Mgr
GC: Provide CoCo consultancy
Completed 2007
Completed 2007
Circuit line was installed at the Civic Centre April 2008
March 2008
GC consultancy and submissions between March September 2008

CoCo Assessments
By when: 30 November 2008
Submit contracts. CoCo approval & circuit activation
By when: 31 December 2008
Stage end trigger: CoCo submitted to GC for assessment
GC: Assess LA CoCo submission
LA: Amend and resubmit CoCo
LA: Sign OGCbs** T&Cs
C&W: Issue bespoke Service Contract
LA: Sign Service Contract
CoCo formally submitted to GC September 2008
CoCo assessed September 2008
Resubmitted December 2008
Completed March 2008
Completed March 2008
OGCbs: Approve GCSx circuit activation
Stage end trigger: All stage 4 actions complete and C&W circuit delivered

Complete local configuration
By when: 31 March 2009
LA: Procure local hardware
LA: Configure & test local hardware
LA: Train staff
LA: Initiate services over GCSx
Purchase of local hardware - In progress
Stage end trigger: Local configuration complete
Stage end trigger: Notify GC of business LIVE over GCSx
Business LIVE over GCSx
By when: 31 March 2009

** OGCbs Office of Government Commerce buying.solutions
OGCbs is the owner of the GSi Framework Agreement, under which the GCSx service has been procured


More information

INFORMATION SECURITY MANAGEMENT POLICY

INFORMATION SECURITY MANAGEMENT POLICY INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Ulster University Standard Cover Sheet

Ulster University Standard Cover Sheet Ulster University Standard Cover Sheet Document Title IT Monitoring Policy 1.5 Custodian Approving Committee Deputy Director of Finance and Information Services (Information Services) Information Services

More information

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

Dene Community School of Technology Staff Acceptable Use Policy

Dene Community School of Technology Staff Acceptable Use Policy Policy Overview Dene Community School of Technology The school provides computers for use by staff as an important tool for teaching, learning, and administration of the school. Use of school computers,

More information

Corporate Information Security Management Policy

Corporate Information Security Management Policy Corporate Information Security Management Policy Signed: Chief Executive. 1. Definition of Information Security 1.1. Information security means safeguarding information from unauthorised access or modification

More information

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING Introduction and Policy Aim The Royal Borough of Windsor and Maidenhead (the Council) recognises the need to protect Council

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

ITU-10002 Computer Network, Internet Access & Email policy ( Network Access Policy )

ITU-10002 Computer Network, Internet Access & Email policy ( Network Access Policy ) ITU-10002 Computer Network, Internet Access & Email policy South Norfolk Council IT Unit Documentation www.south-norfolk.gov.uk Page : 2 of 8 Summary This policy informs all users about acceptable use

More information

Merthyr Tydfil County Borough Council. Information Security Policy

Merthyr Tydfil County Borough Council. Information Security Policy Merthyr Tydfil County Borough Council Information Security Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of

More information

Information Security and Governance Policy

Information Security and Governance Policy Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date

More information

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by: Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether

More information

Version 1.0. Ratified By

Version 1.0. Ratified By ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified 5 th March 2013 Author(s) Responsible Committee / Officers Issue Date 5 th March 2013 Review Date Intended Audience

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

Information Governance Framework

Information Governance Framework Information Governance Framework March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aim 2 3 Purpose, Values and Principles 2 4 Scope 3 5 Roles and Responsibilities 3 6 Review 5 Appendix 1 - Information

More information

Information Security Assurance Plan 2015/16

Information Security Assurance Plan 2015/16 Information Security Assurance Plan 2015/16 Policy number: N/A Version 2.0 Approved by Name of author/originator Owner (Exec Director) Date of approval August 2015 Date of last review July 2015 Next due

More information

INFORMATION GOVERNANCE STRATEGY

INFORMATION GOVERNANCE STRATEGY INFORMATION GOVERNANCE STRATEGY Page 1 of 10 Strategy Owner Valerie Penn, Head of Governance Strategy Author Caroline Law, Information Governance Project Manager Directorate Corporate Governance Ratifying

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Policy for the electronic transfer of Person Identifiable Data - harmonised Version: 5 Reference Number: CO51 Supersedes Supersedes: 4 Description of Amendment(s):

More information

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation Northumberland, Newcastle North and East, Newcastle West, Gateshead, South Tyneside, Sunderland, North Durham, Durham Dales, Easington and Sedgefield, Darlington, Hartlepool and Stockton on Tees and South

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Policy approved by: Audit and Governance Committee Date: 4 th December 2014 Next Review Date: December 2016 Version: 1 Information Security Policy Page 1 of 17 Review and Amendment

More information

Highland Council Information Security Policy

Highland Council Information Security Policy Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25

Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25 Information Security Policy Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25 Document Information Trust Policy Number : ULH-IM&T-ISP01 Version : 3.1 Status : Approved Issued by : Information Governance

More information

Information Management Policy CCG Policy Reference: IG 2 v4.1

Information Management Policy CCG Policy Reference: IG 2 v4.1 Information Management Policy CCG Policy Reference: IG 2 v4.1 Document Title: Policy Information Management Document Status: Final Page 1 of 15 Issue date: Nov-2015 Review date: Nov-2016 Document control

More information

Information Security Policy

Information Security Policy Office of the Prime Minister document CIMU P 0016:2003 Version: 2.0 Effective date: 01 Oct 2003 Information 1. statement i) General The Public Service of the Government of Malta (Public Service) shall

More information

Audit and Performance Committee Report

Audit and Performance Committee Report Audit and Performance Committee Report Date: 3 February 2016 Classification: Title: Wards Affected: Financial Summary: Report of: Author: General Release Maintaining High Ethical Standards at the City

More information

IT ACCESS CONTROL POLICY

IT ACCESS CONTROL POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy Version History Author Approved Committee Version Status date Eddie Jefferson 09/15/2009 Full Governing 1.0 Final Version Body Eddie Jefferson 18/08/2012 Full Governing Body 2.0 Emended due to the change

More information

Access Control Policy

Access Control Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you

More information

Data Encryption Policy

Data Encryption Policy Data Encryption Policy Number: THCCGCG36 Version: 01 Executive Summary This Policy defines the Security requirements for data encryption upon laptops, physical media and Secure File Transfer within the

More information

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure

More information

Information Governance Strategy. Version No 2.0

Information Governance Strategy. Version No 2.0 Plymouth Community Healthcare CIC Information Governance Strategy Version No 2.0 Notice to staff using a paper copy of this guidance. The policies and procedures page of PCH Intranet holds the most recent

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

More information

2.0 RECOMMENDATIONS Members of the Committee are asked to note the information contained within this report.

2.0 RECOMMENDATIONS Members of the Committee are asked to note the information contained within this report. REPORT TO: SCRUTINY COMMITTEE 25 JUNE 2013 REPORT ON: REPORT BY: INTERNAL AUDIT REPORTS CHIEF INTERNAL AUDITOR REPORT NO: 280-2013 1.0 PURPOSE OF REPORT To submit to Members of the Scrutiny Committee a

More information

Data Transfer Policy London Borough of Barnet

Data Transfer Policy London Borough of Barnet London Borough of Barnet DATA PROTECTION 11 Document Control Document Description Data Transfer Policy Version v.2 Date Created December 2010 Status Authorisation Name Signature Date Prepared By: IS Checked

More information

Data Encryption Policy

Data Encryption Policy Data Encryption Policy Please be aware that this printed version of the Policy may NOT be the latest version. Staff are reminded that they should always refer to the Intranet for the latest version. Purpose

More information

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy.

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy. Title: Reference No: NHSNYYIG - 007 Owner: Author: INFORMATION GOVERNANCE POLICY Director of Standards First Issued On: September 2010 Latest Issue Date: February 2012 Operational Date: February 2012 Review

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

Remote Access and Home Working Policy London Borough of Barnet

Remote Access and Home Working Policy London Borough of Barnet Remote Access and Home Working Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Remote Access and Home Working Policy Document Description This policy applies to home and

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Rev Date Purpose of Issue/ Description of Change Equality Impact Assessment Completed 1. June 2011 Initial Issue 2. 29 th March 2012 Second Version 3. 15 th April 2013 Third

More information

E-SAFETY POLICY 2014/15 Including:

E-SAFETY POLICY 2014/15 Including: E-SAFETY POLICY 2014/15 Including: Staff ICT policy (Corporation approved) Data protection policy (Corporation approved) Staff guidelines for Data protection Data Security, awareness raising Acceptable

More information

Data and Information Security Policy

Data and Information Security Policy St. Giles School Inspire and achieve through creativity School Policy for: Date: February 2014 Data and Information Security Policy Legislation: Policy lead(s) The Data Protection Act 1998 (with consideration

More information

NOT PROTECTIVELY MARKED. Suffolk County Council DATA QUALITY POLICY

NOT PROTECTIVELY MARKED. Suffolk County Council DATA QUALITY POLICY Suffolk County Council DATA QUALITY POLICY This policy is sponsored by the Director of Resource Management on behalf of the Chief Executive of Suffolk County Council. Responsibility for maintaining, reviewing

More information

Information security policy

Information security policy Information security policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review of IS Policy\Current

More information

Information Security Policy for Associates and Contractors

Information Security Policy for Associates and Contractors Policy for Associates and Contractors Version: 1.12 Status: Issued Date: 30 July 2015 Reference: 61418080 Location: Livelink Review cycle: Annual Contents Introduction... 3 Purpose... 3 Scope... 3 Responsibilities...

More information

IT SECURITY POLICY (ISMS 01)

IT SECURITY POLICY (ISMS 01) IT SECURITY POLICY (ISMS 01) NWAS IM&T Security Policy Page: Page 1 of 14 Date of Approval: 12.01.2015 Status: Final Date of Review Recommended by Approved by Information Governance Management Group Trust

More information

Information Governance Framework and Strategy. November 2014

Information Governance Framework and Strategy. November 2014 November 2014 Authorship : Committee Approved : Chris Wallace Information Governance Manager CCG Senior Management Team and Joint Trade Union Partnership Forum Approved Date : November 2014 Review Date

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version 1.1 Responsible Person Information Governance Manager Lead Director Head of Corporate Services Consultation Route Information Governance Steering Group Approval Route

More information

USE OF INFORMATION TECHNOLOGY FACILITIES

USE OF INFORMATION TECHNOLOGY FACILITIES POLICY CI-03 USE OF INFORMATION TECHNOLOGY FACILITIES Document Control Statement This Policy is maintained by the Information Technology Department. Any printed copy may not be up to date and you are advised

More information

E- Safety and Digital Photography - College ICT

E- Safety and Digital Photography - College ICT Penrice Academy E-SAFETY POLICY Adopted by the Governing Body on June 2013 Review date: June 2015 Scope of the Policy This policy applies to all members of the College community (including staff, students,

More information

Internet Use Policy and Code of Conduct

Internet Use Policy and Code of Conduct Internet Use Policy and Code of Conduct UNIQUE REF NUMBER: AC/IG/023/V1.1 DOCUMENT STATUS: Agreed by Audit Committee 18 July 2013 DATE ISSUED: July 2013 DATE TO BE REVIEWED: July 2014 1 P age AMENDMENT

More information

U09 Remote Access Policy

U09 Remote Access Policy Plymouth City Council U09 Remote Access Policy December 2008 This document is copyright to Plymouth City Council and should not be used or adapted for any purpose without the agreement of the Council.

More information