Corporate Affairs Overview and Scrutiny Committee
Agenda item: 4

Committee: Corporate Affairs Overview and Scrutiny Committee
Date of meeting: 29 January 2009
Subject: Information Security
Lead Officer: Head of Information Systems
Portfolio Holder: Cllr Roger Whittaker, Portfolio Holder Resources
Link to Council Priorities: P1
Exempt information: None
Delegated status: For information

EXECUTIVE SUMMARY:

This report provides an overview of the Council's information security arrangements including the work of the Information Security Forum and an update on the Government Connect Programme. The Information Security Policy Framework aims to manage the security risk to the Council in the event of misuse of ICT facilities and the Council's information. These policies have been produced following an extensive consultation process over a number of years and regular reminders are posted on the Council's Intranet.

RECOMMENDATION: THAT THE CORPORATE AFFAIRS OVERVIEW AND SCRUTINY COMMITTEE NOTES:

A) THE ARRANGEMENTS WITH RESPECT TO THE COUNCIL'S INFORMATION SECURITY POLICY AND ASSOCIATED POLICIES.
B) THE 2008/09 WORK PROGRAMME OF THE INFORMATION SECURITY FORUM INCLUDING THE SECURE EXCHANGE OF DATA AND THE REQUIREMENT FOR ALL STAFF TO ATTEND INFORMATION MANAGEMENT AND SECURITY AWARENESS SESSIONS.
C) THE IMPLEMENTATION OF GOVERNMENT CONNECT FOR THE BENEFITS SERVICE IN APRIL 2009 AS REQUIRED BY THE DWP.

REPORT:

1. Background

As Members will be aware, the corporate officer working group, the Information Security Forum, is tasked with ensuring the Council achieves compliance with the ISO standards for information management and security.

2. The Information Security Forum (ISF)

The ISF develops, manages and maintains the Council's Information Security Management System (ISMS) as required by ISO and ensures that it remains operational by:
- reviewing and approving the Information Security Policy
- monitoring significant changes in the exposure of information assets to major threats
- monitoring information security incidents (and following the agreed procedures in the event of an incident)
- approving major initiatives to enhance information security by developing an annual Work Programme.

3. The Information Security Policy Framework

The Council's Information Security Policy Framework was significantly redeveloped in 2005 and last formally updated at the end of

The policy framework includes:

- Information Security Policy (overarching policy)
- Computer Usage Policy
- Usage Policy
- Internet Usage Policy
- Home Working Policy
- Mobile Equipment (removable media devices) Usage Policy
- Security Incident Management Policy

All policies, information security guidelines and minutes of the Information Security Forum are available on the Council's Intranet on the following link:

4. Personal Commitment Statement

Whilst security policies and standards underpin the security of information within the organisation, it is essential that users understand and comply with the policies in order for these to be fully effective. The Joint Staff Advisory Group on 12 October 2007 was advised of the arrangements to introduce a Personal Commitment Statement (Appendix A) to be signed by all authorised IT network and equipment users (including temporary staff) and countersigned by the Divisional Head.

Members are encouraged to sign into the Council's Virtual Private Network (VPN) and its secure environment although Councillors are not required to sign the Information Security Personal Commitment Statement at this stage.
With respect to usage, the Council's policy, for a number of years, has been that no automatic forwarding rules are set up on behalf of Members and Members should be contacted via corporate standard

5. Information Security Incident Management

On 8 July 2008 the Corporate Management Board (CMB) agreed that the Security Incident Management Policy be renamed Information Security Incident Management Policy and that the Policy be updated to reflect:

- Revised security breach categories as proposed by the ISF and that;
- The Strategic Director Resources (as the ISF Champion at the CMB)
receives the Quarterly Summary Report of Security Incidents (as considered by the ISF) and;
- In respect of any on-going incidents which are classified as 'Serious' (or any 'Significant' incident which is required to be tracked as if designated 'Serious') a status report will be provided to CMB by the Strategic Director Resources and the Chair of the ISF until the incident is closed.

6. Information Security Forum Work Programme

At the beginning of the current financial year and following a risk assessment the ISF agreed the following priority order for the 2008/09 Work Programme:

1. Ensure adequate protection of data security and exchange data security-mapping for completion by Sep
2. Look at secure messaging/data exchange and encryption in accordance with ISO and the Code of Connection (CoCo) compliance requirements for Government Connect.
3. Implement the "Baseline Personal Security Standard" for all users (permanent and agency staff and Members if appropriate) of Government Connect secure and data exchange (GCSx).
4. Network Audit Logs.
5. Develop an Information Management Framework / Strategy.
6. Test compliance to all policies via test audit (including any actions arising from the two internal audits conducted in 2008 re:- /web access and compliance with ISO).
7. Education Programme - ongoing communication of Information Security Policies via guides and awareness sessions.
8. Review the use of generic Accounts, proxy access and forwarding of s.

All of the above projects are closely linked and based on compliance with ISO and the Government Connect Code of Connection (CoCo).

7. Data Security and Exchange

In view of a number of high profile national information security incidents the Council's Corporate Strategic Risk Register 2008/09 includes as Strategic Risk E Failure to ensure adequate protection of data security and exchange with a Potential impact on all objectives.
As the top priority in the ISF Work Programme 2008/09 (see section 6 above), a Data Security Mapping Project during the summer identified that data exchange is common practice between the Authority and a number of different public and private bodies and that there is no consistency in the method/mode of data exchange. As a consequence the Corporate Management Board agreed that the Guidelines for Data Security (originally issued by the ISF in December 2007 to complement the existing Information Security Policies), be revised to strengthen procedures in line with Information Security best practice and the new Local Government Data Handling Guidelines issued in November
The revised procedures will be implemented following a period of consultation with Heads of Division and middle managers in January The revised Data Security Guidelines as at December 2008 are at Appendix B. In the longer term the phased implementation of Government Connect GCSx will provide a secure extranet for and data exchange.

8. Government Connect Programme

8.1 All local authorities in England and Wales have signed up to the Government Connect Programme for secure and data exchange. The Government Connect Secure extranet (GCSx) is a secure, national IT network infrastructure for secure and data exchange linking local authorities, central government departments, the NHS, police and criminal justice agencies. GCSx is an extension of central government's secure intranet (GSi).

8.2 In April 2008 a 33m funding package to complete the delivery and operation of GCSx to 31st March 2011 was announced with lead responsibility for delivery passing to the DWP and confirmation that from April 2009 the DWP, DCSF and CLG will begin phasing out less efficient, robust or secure internet or postal based methods of communication. On 7th July 2008 the DWP mandated the use of Government Connect GCSx for Council Tax and Housing Benefits from 1 April

8.3 The Government Connect Implementation Programme (Appendix C) is split into five stages. Elmbridge is at Stage 3 although most of Stage 4 has already been completed. As at 23 December 2008, 288 out of 410 local authorities are at Stage 3 and only one authority, Guildford Borough Council, in the South East Region is at Stage 5 - Live. Completion of Stages 3 and 4 is dependent on obtaining approval of the Code of Connection (CoCo).

8.4 The Code of Connection (CoCo) defines the minimum standards and processes that an authority must comply with before being able to connect to GCSx. The CoCo covers many of the requirements for ISO and the projects listed above in the ISF Work Programme.
Achieving compliance to the CoCo requires the local authority to provide a compliance statement and supporting comment against 91 security control measures. Elmbridge's first assessment was described as a very good submission; however, we were asked to address a number of action requests required to bring Elmbridge up to the required security standard. Compliance with the CoCo requires significant work to meet all the controls (the majority of which are highly technical) and a detailed plan has been developed reflecting the actions required, target dates, resources, risks, issues and cost, and crucially the evidence of compliance.

9. Information Security Communications Plan

9.1 The implementation of the ISF Work Programme and increased security controls will have an impact across the authority and the role of the ISF in
developing, implementing, monitoring and communicating the new security controls will be crucial.

9.2 The ISF Communications Plan is aimed at all users as defined in the Information Security Policies. The communication objectives are:

- Raise awareness of the Information Security Policies including Computer Usage Policy, Usage Policy, Internet Usage Policy, Mobile Equipment (Removable Media Devices) Usage Policy, Home working Policy and the Information Security Incident Management Policy
- Raise awareness of the revised Data Security Guidelines and Check List.
- Raise awareness of the requirement for maintaining information/data quality and the effective management of records and information.
- Help all staff and Members understand that every individual has a personal responsibility to protect the information in their care (including using recognised security classification and protective marking in line with the Government's Manual of Protective Security).
- Help all staff and Members understand the risks associated with noncompliance.

9.3 The immediate priority is to deliver the Information Management and Security Awareness Sessions for all staff as required by ISO and the Government Connect Code of Connection (CoCo). Following these mandatory Information Security Awareness sessions there will need to be specific training for users of GCSx all before 31 March

9.4 Information Security issues will continue to be introduced during both new staff and Member Induction Days. Subsequent staff training needs will be identified through the Staff Performance Review process and Information Security Awareness sessions will be built into the Members Development Training Programme for the next municipal year.

9.5 The Baseline Personnel Security Check will be introduced. Whilst this is essentially required for GCSx users, in order to set up appropriate procedures and controls this security standard will be applied to all new employees and agency staff.
9.6 The Government Connect requirements will need to be included in contractual arrangements e.g. third party access to our IT network.

9.7 A disciplined approach to documenting a business case for any exemptions to the required standard will be required which will, in some cases, require approval of new policy statements.

Financial implications:
The financial cost of the Information Security Awareness sessions and new security software and hardware required to comply with the CoCo and therefore meet the 31 March 2009 target will be met from approved 2008/09 Capital and Revenue budgets.

Environmental/Sustainability Implications:
There are no direct implications as part of this report
Legal implications:
Compliance with information related legislation, including Freedom of Information, Data Protection, employment law and information sharing protocols.

Equality implications:
There are no direct equality implications as part of this report.

Risk implications:
The Council's Corporate Strategic Register 2008/09 includes as Strategic Risk E Failure to ensure adequate protection of data security and exchange with a Potential impact on all objectives. Failure to comply with the Information Security Policies and compliance standards poses a potential risk to the IT network, and therefore the organisation; a risk of noncompliance with information related legislation. Furthermore, failure to follow policies and procedures would result in lack of compliance with the ISO and the Government Connect GCSx Code of Connection relating to information security and management. A major implication for the authority is that continued access to DWP secure data by the Housing Benefits Section is dependent on the Council meeting the GCSx Code of Connection. The highest risk for the authority is that we may not be able to demonstrate compliance with the CoCo with the subsequent operational impact on the Benefits Service of not being live on Government Connect GCSx by 1 April

Community Safety implications:
There are no direct Community Safety implications as part of this report.
Principal Consultees:
- Corporate Management Board
- Information Security Forum
- Heads of Division

Background papers:
- Cabinet - 10 February Information Security Policy
- Cabinet - 12 October Information Security Policy Update
- Joint Staff Advisory Group 12 October Information Security Policy Update
With the Chair of Information Security Forum (Head of Information Systems)

Enclosures/Appendices:
- Appendix A - Personal Commitment Statement
- Appendix B - Revised Data Security Guidelines December 2008
- Appendix C - Government Connect Implementation Stages

Contact details:
Frances Pearce, Head of Information Systems
fpearce@elmbridge.gov.uk
Appendix A

Information Security Policy Personal Commitment Statement

I name as a user of the Elmbridge Borough Council's information systems understand and agree to comply with the Council's main Information Security Policy and all related compliance policies for IT systems, and web access usage.

I understand that the Council's IT equipment and systems are provided for business use and that only limited personal use is acceptable.

I will make myself familiar with the security policies, procedures and any special instructions that relate to the use of secure and data exchange, as well as to ensuring the quality and accuracy of all data.

I should inform my manager, ISD or a member of the Information Security Forum immediately if I detect, suspect or witness an incident that may be a breach of security.

I acknowledge that the Council reserves the right to monitor my use of IT Systems and that if any misuse or abuse of the facilities is identified this may lead to disciplinary action.

I agree to be responsible for the use of my unique user ID and password (and any other mechanism provided) and address; in particular, I will not write down or share my password.

I will not use a colleague's unique ID credentials to access information systems and will not attempt to access any system that I have not been given permission to access; I will not leave my computer unattended in such a state as to risk unauthorised viewing of information displayed on IT systems.

I will not send sensitive or confidential information over public networks such as the Internet; and will always check that the recipients of messages are correct so that potentially sensitive information is not accidentally released into the public domain.
I understand that only ISD staff are authorised to install software or hardware, as they must be properly purchased and licensed to the Council (including all removable devices such as USB memory sticks, digital cameras) and I will not remove equipment or information from my employer's premises without appropriate approval from my Head of Division.

I will comply with the Data Protection Act 1998 and any other legal, statutory or contractual obligations that my employer informs me are relevant.

I hereby agree to the terms as set out above.

Employee's Signature:    Date:
Employee Name: name
Username: log in id
Job Title:
Division:
Line Manager: (Print Name)    Signature    Date
Head of Division/Director: (Print Name)    Signature    Date
Appendix B

Guidelines for Data Security (Revised December 2008)

1. Elmbridge Borough Council is required to comply with the provisions of the Data Protection Act 1998 in respect of holding and transmitting data.
2. Heads of Division are responsible for specific data sets in their area - i.e. they are the information asset owner.
3. All personal, sensitive and confidential information should be kept within secure premises and systems.
4. As detailed in the Personal Commitment Statement, every individual has a responsibility for data protection and for not sending personal, sensitive or confidential information over public networks, e.g. the standard postal service, the Internet, unless they have authority to do so from their Head of Division.
5. All data sent externally to third parties must be transmitted in a secure manner and, unless there is no alternative, in an electronic format.
6. Bulk transfer of information should be carried out via a secure network and/or to a secure web site where access is controlled by using a unique login and password.
7. Where no secure network or site is available then at a minimum the electronic data should be password protected. The password information must be communicated separately.
8. The use of removable media (laptops, removable discs, CDs, USB memory sticks, PDAs and media card formats etc) should be carefully considered and strictly limited. Where it is unavoidable, encryption should be used and the personal, sensitive or confidential information transferred should be the minimum necessary.
9. Mindful of risk and cost, any personal, sensitive or confidential information sent to third parties in hard copy format or on a removable media device should be sent by special delivery e.g. DX service, courier service or Royal Mail Special Delivery via the Mail Room to enable the tracking of delivery and receipt of data.
10.
Heads of Division must maintain a record of all data transmitted to third parties including, where possible, confirmation from the recipient that the sensitive/personal data has been received.
11. If officers are in any doubt about procedures for transmitting data to third parties they should seek advice from their Head of Division before data is sent to third parties.

Officers should refer to the existing Information Security Policies for further information
Appendix C

GOVERNMENT CONNECT IMPLEMENTATION STAGES

Implementation Stage | Action Required | Elmbridge Position

Submit GCSx Proforma, obtain connection. By when: 30 April 2008
CoCo* review & consultancy. By when: 31 May 2008
LA: Submit completed proforma to GC
GC: Order GCSx connection
C&W: Deliver GCSx circuit
Trigger to move to stage 2: CoCo Sent to LA
LA: Initial review of CoCo compliance
LA: Book CoCo consultancy meeting with GC Acct Mgr
GC: Provide CoCo consultancy
Completed 2007
Completed 2007
Circuit line was installed at the Civic Centre April 2008
March 2008
GC consultancy and submissions between March - September 2008
CoCo Assessments. By when: 30 November 2008
Submit contracts. CoCo approval & circuit activation. By when: 31 December 2008
Stage end trigger: CoCo submitted to GC for assessment
GC: Assess LA CoCo submission
LA: Amend and resubmit CoCo
LA: Sign OGCbs** T&Cs
C&W: Issue bespoke Service Contract
LA: Sign Service Contract
CoCo formally submitted to GC September 2008
CoCo assessed September 2008
Resubmitted December 2008
Completed March 2008
Completed March 2008
OGCbs: Approve GCSx circuit activation
Stage end trigger: All stage 4 actions complete and C&W circuit delivered
Complete local configuration. By when: 31 March 2009
LA: Procure local hardware
LA: Configure & test local hardware
LA: Train staff
LA: Initiate services over GCSx
Purchase of local hardware - In progress
Stage end trigger: Local configuration complete
Stage end trigger: Notify GC of business LIVE over GCSx
Business LIVE over GCSx. By when: 31 March 2009

** OGCbs - Office of Government Commerce buying.solutions. OGCbs is the owner of the GSi Framework Agreement, under which the GCSx service has been procured
More informationROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING
ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING Introduction and Policy Aim The Royal Borough of Windsor and Maidenhead (the Council) recognises the need to protect Council
More informationInformation Governance Strategy & Policy
Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information
More informationITU-10002 Computer Network, Internet Access & Email policy ( Network Access Policy )
ITU-10002 Computer Network, Internet Access & Email policy South Norfolk Council IT Unit Documentation www.south-norfolk.gov.uk Page : 2 of 8 Summary This policy informs all users about acceptable use
More informationMerthyr Tydfil County Borough Council. Information Security Policy
Merthyr Tydfil County Borough Council Information Security Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of
More informationInformation Security and Governance Policy
Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information
More informationINFORMATION GOVERNANCE POLICY & FRAMEWORK
INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger
More informationInformation Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.
Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments
More informationIT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY
IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact
More informationIT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)
IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date
More informationTameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:
Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether
More informationVersion 1.0. Ratified By
ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified 5 th March 2013 Author(s) Responsible Committee / Officers Issue Date 5 th March 2013 Review Date Intended Audience
More informationBOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy
BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy
More informationInformation Governance Framework
Information Governance Framework March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aim 2 3 Purpose, Values and Principles 2 4 Scope 3 5 Roles and Responsibilities 3 6 Review 5 Appendix 1 - Information
More informationInformation Security Assurance Plan 2015/16
Information Security Assurance Plan 2015/16 Policy number: N/A Version 2.0 Approved by Name of author/originator Owner (Exec Director) Date of approval August 2015 Date of last review July 2015 Next due
More informationINFORMATION GOVERNANCE STRATEGY
INFORMATION GOVERNANCE STRATEGY Page 1 of 10 Strategy Owner Valerie Penn, Head of Governance Strategy Author Caroline Law, Information Governance Project Manager Directorate Corporate Governance Ratifying
More informationPolicy Document Control Page
Policy Document Control Page Title Title: Policy for the electronic transfer of Person Identifiable Data - harmonised Version: 5 Reference Number: CO51 Supersedes Supersedes: 4 Description of Amendment(s):
More informationVersion Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation
Northumberland, Newcastle North and East, Newcastle West, Gateshead, South Tyneside, Sunderland, North Durham, Durham Dales, Easington and Sedgefield, Darlington, Hartlepool and Stockton on Tees and South
More informationINFORMATION SECURITY POLICY
INFORMATION SECURITY POLICY Policy approved by: Audit and Governance Committee Date: 4 th December 2014 Next Review Date: December 2016 Version: 1 Information Security Policy Page 1 of 17 Review and Amendment
More informationHighland Council Information Security Policy
Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...
More informationInformation Governance Strategy
Information Governance Strategy ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the
More informationRotherham CCG Network Security Policy V2.0
Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October
More informationUniversity of Sunderland Business Assurance Information Security Policy
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
More informationPolicy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25
Information Security Policy Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25 Document Information Trust Policy Number : ULH-IM&T-ISP01 Version : 3.1 Status : Approved Issued by : Information Governance
More informationInformation Management Policy CCG Policy Reference: IG 2 v4.1
Information Management Policy CCG Policy Reference: IG 2 v4.1 Document Title: Policy Information Management Document Status: Final Page 1 of 15 Issue date: Nov-2015 Review date: Nov-2016 Document control
More informationInformation Security Policy
Office of the Prime Minister document CIMU P 0016:2003 Version: 2.0 Effective date: 01 Oct 2003 Information 1. statement i) General The Public Service of the Government of Malta (Public Service) shall
More informationAudit and Performance Committee Report
Audit and Performance Committee Report Date: 3 February 2016 Classification: Title: Wards Affected: Financial Summary: Report of: Author: General Release Maintaining High Ethical Standards at the City
More informationIT ACCESS CONTROL POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More information2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy
Version History Author Approved Committee Version Status date Eddie Jefferson 09/15/2009 Full Governing 1.0 Final Version Body Eddie Jefferson 18/08/2012 Full Governing Body 2.0 Emended due to the change
More informationAccess Control Policy
Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you
More informationData Encryption Policy
Data Encryption Policy Number: THCCGCG36 Version: 01 Executive Summary This Policy defines the Security requirements for data encryption upon laptops, physical media and Secure File Transfer within the
More informationICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen
ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure
More informationInformation Governance Strategy. Version No 2.0
Plymouth Community Healthcare CIC Information Governance Strategy Version No 2.0 Notice to staff using a paper copy of this guidance. The policies and procedures page of PCH Intranet holds the most recent
More informationPolicy Document Control Page
Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):
More information2.0 RECOMMENDATIONS Members of the Committee are asked to note the information contained within this report.
REPORT TO: SCRUTINY COMMITTEE 25 JUNE 2013 REPORT ON: REPORT BY: INTERNAL AUDIT REPORTS CHIEF INTERNAL AUDITOR REPORT NO: 280-2013 1.0 PURPOSE OF REPORT To submit to Members of the Scrutiny Committee a
More informationData Transfer Policy London Borough of Barnet
London Borough of Barnet DATA PROTECTION 11 Document Control Document Description Data Transfer Policy Version v.2 Date Created December 2010 Status Authorisation Name Signature Date Prepared By: IS Checked
More informationData Encryption Policy
Data Encryption Policy Please be aware that this printed version of the Policy may NOT be the latest version. Staff are reminded that they should always refer to the Intranet for the latest version. Purpose
More information1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy.
Title: Reference No: NHSNYYIG - 007 Owner: Author: INFORMATION GOVERNANCE POLICY Director of Standards First Issued On: September 2010 Latest Issue Date: February 2012 Operational Date: February 2012 Review
More informationDATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff
DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has
More informationRemote Access and Home Working Policy London Borough of Barnet
Remote Access and Home Working Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Remote Access and Home Working Policy Document Description This policy applies to home and
More informationINFORMATION SECURITY POLICY
INFORMATION SECURITY POLICY Rev Date Purpose of Issue/ Description of Change Equality Impact Assessment Completed 1. June 2011 Initial Issue 2. 29 th March 2012 Second Version 3. 15 th April 2013 Third
More informationE-SAFETY POLICY 2014/15 Including:
E-SAFETY POLICY 2014/15 Including: Staff ICT policy (Corporation approved) Data protection policy (Corporation approved) Staff guidelines for Data protection Data Security, awareness raising Acceptable
More informationData and Information Security Policy
St. Giles School Inspire and achieve through creativity School Policy for: Date: February 2014 Data and Information Security Policy Legislation: Policy lead(s) The Data Protection Act 1998 (with consideration
More informationNOT PROTECTIVELY MARKED. Suffolk County Council DATA QUALITY POLICY
Suffolk County Council DATA QUALITY POLICY This policy is sponsored by the Director of Resource Management on behalf of the Chief Executive of Suffolk County Council. Responsibility for maintaining, reviewing
More informationInformation security policy
Information security policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review of IS Policy\Current
More informationInformation Security Policy for Associates and Contractors
Policy for Associates and Contractors Version: 1.12 Status: Issued Date: 30 July 2015 Reference: 61418080 Location: Livelink Review cycle: Annual Contents Introduction... 3 Purpose... 3 Scope... 3 Responsibilities...
More informationIT SECURITY POLICY (ISMS 01)
IT SECURITY POLICY (ISMS 01) NWAS IM&T Security Policy Page: Page 1 of 14 Date of Approval: 12.01.2015 Status: Final Date of Review Recommended by Approved by Information Governance Management Group Trust
More informationInformation Governance Framework and Strategy. November 2014
November 2014 Authorship : Committee Approved : Chris Wallace Information Governance Manager CCG Senior Management Team and Joint Trade Union Partnership Forum Approved Date : November 2014 Review Date
More informationInformation Governance Policy
Information Governance Policy Version 1.1 Responsible Person Information Governance Manager Lead Director Head of Corporate Services Consultation Route Information Governance Steering Group Approval Route
More informationUSE OF INFORMATION TECHNOLOGY FACILITIES
POLICY CI-03 USE OF INFORMATION TECHNOLOGY FACILITIES Document Control Statement This Policy is maintained by the Information Technology Department. Any printed copy may not be up to date and you are advised
More informationE- Safety and Digital Photography - College ICT
Penrice Academy E-SAFETY POLICY Adopted by the Governing Body on June 2013 Review date: June 2015 Scope of the Policy This policy applies to all members of the College community (including staff, students,
More informationInternet Use Policy and Code of Conduct
Internet Use Policy and Code of Conduct UNIQUE REF NUMBER: AC/IG/023/V1.1 DOCUMENT STATUS: Agreed by Audit Committee 18 July 2013 DATE ISSUED: July 2013 DATE TO BE REVIEWED: July 2014 1 P age AMENDMENT
More informationU09 Remote Access Policy
Plymouth City Council U09 Remote Access Policy December 2008 This document is copyright to Plymouth City Council and should not be used or adapted for any purpose without the agreement of the Council.
More information