University of Brighton School and Departmental Information Security Policy

This Policy establishes and states the minimum standards expected. These policies define the University of Brighton business objectives for managing operations and controlling activities. These top-level policies represent the plans or protocols for achieving and maintaining internal control over information systems as well as compliance with the requirements imposed.

Last updated: Q North, 16th June 2015

This document and other Information Services documents are held online on our website:

University of Brighton Information Services

Contents

1 Summary
2 Scope
3 Roles and Responsibilities
4 Information Security Programme
    Risk Management
    4.2 Internal Audits
        Audit Programme Support
        Corrective Action
5 Information Security Controls
    5.1 Human Resources Security
        Prior to employment
        During employment
        Termination of Employment
    Asset Management
        Asset Register
    Physical Security Policy
        Building Security
        Secure Areas
        Visitors
        Data Centre and Server Room Environments
        Disposal of Equipment
    System/Application Access Control Policy
        Controls
    Protecting Information Policy
        Controls
    Supplier Relationships Policy
        Controls
    Incident and Weakness Management Policy
        Controls
    Business Continuity Management Policy
        Controls

Document Details

Author          Approver        Creation Date   Version
Andy Whillance  Quentin North   16 June

Version History

0.1 Draft prepared by Andy Whillance (ECSC Ltd)
0.2 Amended after review by Lucy Sharp (ECSC Ltd)
0.3 Aligned to UoB by Quentin North
1.0 Final issue by Quentin North

1 Summary

This policy gives guidance on the minimum standards expected for Information Security within schools and central departments. These policies define the University of Brighton business objectives for managing operations and controlling activities. These top-level policies represent the plans or protocols for achieving and maintaining internal control over information as well as compliance with the requirements imposed.

2. Scope

This policy, and the Information Security Management System, applies to all departments, schools and functional areas of the University. Whenever the term department is used in this document it should be interpreted as applying to a school, central department or functional area such as a campus or college.

3. Roles and Responsibilities

Each department is expected to assign the following roles. One person may hold more than one role, while the duties could be split across multiple people.

Department Information Security Representatives are responsible for monitoring the University's implemented security programmes. Within the department they will ensure that all University information security policies are understood and applied, will be the main information security point of contact, and will assist in keeping departmental risk registers up to date. Where policy is not met, they will report this to the University information security management representative.

Information Asset Owners are assigned for each key system, application or data store. They are responsible for ensuring that proper controls are in place to address the integrity, confidentiality and availability of the information technology resources and data they own. They are also responsible for periodically reviewing that only those who require access to perform their job responsibilities have access to the data they own. This must be done at least annually.

Departmental IT security practitioners: where departments, schools or functions have their own IT function, this role must be assigned. These persons must be aware of the University technical policies and procedures, and must be aware of the UoB Application Standards. They should be expected to provide technical input into any departmental risk management processes.

4. Information Security Programme

Departments must support the wider University security programme through proactive adherence to the approved policies and procedures, and proactive understanding of the potential issues that could be faced. Two practices in particular must be addressed at a departmental level; these are Risk Assessments and Internal Audits.

Risk Management

The University of Brighton is committed to understanding where the organisation might be at risk of loss of confidentiality, integrity or availability of any of its information assets. This will be done by identifying potential threats to the assets held, where assets can be physical, electronic, informational or people. Each department will be asked to complete and maintain a Risk Register. A suitable methodology that can be used is documented in the UoB Information Security Risk Assessment Methodology document.

On at least an annual basis, all current open risks on departmental registers will be discussed with the departmental senior management and, where appropriate, reported upwards to the Risk Management Steering Group as part of the annual University risk assessment process. Where risk is thought to be unacceptable, treatment should be identified. Where risk can be treated at a departmental level, a responsible person and action date must be assigned for any treatment action. If a department is unable to take action itself, the school/department will raise the risk at Senior Management Team level.

Printed Thursday, 06 August 2015

4.2. Internal Audits

Audit Programme Support

Each department must support the Internal Audit programme that operates across the University. Departments must make resources available for the auditor when audits are scheduled. A representative from senior management within the department should be available for opening and closing meetings.

Corrective Action

For any actions arising from the audit, senior management within the department shall ensure that an action plan is agreed, resources are assigned to completing the agreed action, and supporting evidence is sent to the auditor to allow closure of the identified shortcoming.

5. Information Security Controls

5.1 Human Resources Security

Prior to employment

It is important that all employees and relevant contractors receive appropriate checks and vetting prior to employment, depending on the level of access to information they will have and the sensitivity of the role to be filled. The screening ensures that employees are checked for their eligibility to work in the UK and their suitability for the role, and that any potential concerns are addressed before they take up a permanent or temporary role. For this reason, all departments are required to follow the University recruitment procedures, as described on the HR SharePoint site.

During employment

All employees will be provided with Information Security e-learning soon after joining the organisation, reinforcing the content of the contract and the UoB IT Regulations. Departmental managers should reinforce this message, with appropriate guidance and training given to new starters on any department-specific requirements.

Termination of Employment

On termination or change of employment, the HR and IT functions must be informed in a timely manner that employees, contractors or third parties are leaving, so that all physical and logical access is revoked and all assets are returned.

Asset Management

Asset Register

Where physical assets are given out by the department, a register should be maintained. Items to be recorded include:
- User Devices (Laptops, Desktops, Phones, USB keys)
- IT Assets (Servers, Networking Equipment, Supporting Utilities)
- Authentication/Entry controls (keys, key-codes, access cards etc.)

The format of asset registers can take many forms, from a simple spreadsheet to a comprehensive software application. The most appropriate method should be chosen to allow control of the items recorded. The minimum information that should be kept includes:
- Owner / user
- A unique identifier for each item
- A description or other identifier (e.g. make and model)
- Location or main user
- Status (e.g. active, spare, disposed)

Information on assets that have been disposed of should not be removed from the register, but the asset should be identified as no longer held. Unique identifiers should not be reused. The Department Information Security Representative should review the register periodically. Asset disposal should follow the appropriate IS, Finance and Estates procedures.

Note: Only assets directly under the control of the department need to be recorded. If items are issued and controlled by a central function, that function will maintain the register. Examples include IT equipment issued through the IS Computer Store and Service Desk. However, if you then pass an asset on to a third party, you should keep a record of that asset.

Physical Security Policy

Physical security controls and secure areas are used to minimise unauthorised access, damage and interference to information and information systems. Physical Security includes providing environmental safeguards for controlling physical access to equipment and data in order to protect information technology resources from unauthorised use, from both the physical hardware and the information perspective.

Building Security

Because of the open nature of the University buildings, it is not possible to implement a great deal of perimeter security at the building level. However, the following minimum standards should be applied:
- External doors should only be open for as long as necessary to allow normal daytime usage. Normal hours vary by building and time of year, but are not less than 8.30am to 5pm.
- Outside of normal operating hours, access through external doors shall be provided via the Unicard system.
- CCTV shall cover all entrances/exits to the building.
- CCTV shall cover any room with servers hosting protected information.
- Where offices contain protected information (as defined in the UoB IT Regulations document), those rooms must be restricted to those needing to enter for work purposes.
- A record of people authorised to access rooms containing protected information should be maintained. This shall be reviewed periodically.
- There shall be an access control system in place to ensure that only authorised individuals may access locations where protected information is handled. The Unicard system is preferred.

- Buildings should be protected by fire and intruder alarms, linked either to the emergency services or to the Estates and Facilities Management functions.

Secure Areas

Within the University of Brighton offices, all computers containing protected information (as defined in the UoB IT Regulations document) and all important network equipment should be situated in an area restricted only to authorised personnel (e.g. IT security practitioners). No other personnel should be permitted access unless explicit authorisation has been given or they are accompanied by someone authorised to be in that area. Any sensitive information in physical format, for example material such as exam scripts, should be kept in a secure area (this could be a lockable room, a safe or a locked cabinet). Any secure areas must be locked when not occupied or in use, either by physical key or Unicard. If the authentication system retains a record of accesses, these should be reviewed as appropriate to identify any unauthorised accesses.

Visitors

The following principles have been adopted to ensure that risks from visitors are controlled:
- Access badges, key codes or other access will only be provided to any visitor if their identity and the purpose of their visit are known by the issuing person.
- A record will be kept of which card, key etc. was provided to any visitor or third party. This register will be retained for not less than six months.
- Visitor access will be set to expire at the end of the last day of their visit. If this is not known, passes shall expire at the end of the day.
- Unallocated visitor or contractor passes providing access to protected information, or to secure areas, shall be de-activated until the time that they are required.
- All visitors accessing any secure area, or accessing any sensitive information, will be accompanied for the duration of their visit.

Data Centre and Server Room Environments

In order to preserve the availability of important information, it is vital that sufficient redundancy is in place, and that supporting utilities are in place to ensure that systems and applications can continue to function properly. The preferred solution is to base all operational servers supporting important applications in the two dedicated data centres (Watts Building and Mithras House Annexe). This ensures the following:
- N+1 configuration for all important plant equipment
- Fully operated and maintained planned maintenance schedule
- Resilient data networking to all University sites.

1. Key systems, as defined in the UoB Applications Standards document, should reside in the main datacentres and should not be held in individual departmental areas.

Disposal of Equipment

The University of Brighton recognises the need to ensure that all data and licensed software have been removed from data storage devices prior to disposal. To ensure that this is done you must use the service available from Estates and Facilities Management, which will provide you with a certificate of destruction. The following controls must apply when undertaking disposal:
- A list of equipment being disposed of must be compiled prior to pick-up.
- A destruction certificate must be obtained from the disposal contractor.
- This list of equipment must be reconciled against the destruction certificate to account for all devices taken.

System/Application Access Control Policy

Authorisation and control of access to facilities and information systems is a crucial tool in ensuring information security. The protection of information assets from unauthorised access is an important business requirement. It is the policy of the University of Brighton that only authorised personnel have access to facilities and information systems, and that such access is limited depending on the role of the individual concerned. For this reason, it is expected that all key applications must have been assessed against the UoB Application Standards document.

Controls

In order to ensure that the risks associated with any applications are recorded and assessed, the following process must be followed:
- Departments should identify important key applications as defined in the UoB Application Standards. These should be included on the departmental Asset Register.
- Each application must be assessed against the standards documented in the UoB Applications Standards.
- Any deviation from the guidelines must be added to the Departmental Risk Register.
- All new applications implemented should meet the minimum standards documented in the UoB Applications Standards.

Protecting Information Policy

The University of Brighton has standards for protecting information to ensure that sensitive information is not unintentionally disclosed. These are documented both in the UoB IT Regulations document for data movement, and in the UoB Application Standards for the guidelines for protection in applications, databases or systems. Suitably strong protection measures are employed and implemented, whenever deemed appropriate, for information during transmission and in storage.

Controls

A summary of the protection standards is that the following principles have been adopted:
- It is a fundamental policy of the University of Brighton that all sensitive information will be protected while passing over public networks.
- Encryption is only permitted when authorised, using permitted technologies and methods. No unauthorised encrypted containers are permitted on the University of Brighton network.
- Systems that contain sensitive client, personnel and financial data will only be available for off-site remote access through a centrally managed secure access method that provides encryption and secure authentication.
- Departments should review data transfer within their control, and ensure that the required controls have been met.

Supplier Relationships Policy

The University of Brighton requires that the services provided by external suppliers meet expectations, both in terms of Information Security and agreed service levels. The risk posed by suppliers will be understood, and controls implemented to ensure that all parties are satisfied that security will be maintained. This is particularly important for any third party who holds, or has unaccompanied access to, protected information as defined in the UoB IT Regulations document.

Controls

The following controls must be implemented:
- As part of a Risk Assessment, suppliers, contractors and other third parties have been considered and recorded in the Departmental Risk Register where there is thought to be a potential risk, and reviewed periodically.
- The right to audit suppliers on aspects of information security will be considered and applied in contracts where practical and where thought necessary.
- Where applicable, suppliers will be required to demonstrate that their security controls are aligned with those of the University of Brighton, either by completing questionnaires, supplying certificates or by allowing University of Brighton staff or representatives to audit systems or premises.
- Appropriate non-disclosure or confidentiality agreements may be drawn up and signed by suppliers and the University of Brighton.
- Access to premises will be carefully controlled, as described in the Physical Security section of this document.

- Any access to systems by third parties will be provided only after authorisation from Information Asset Owners and IT Security Practitioners. Appropriate technical means will be implemented to ensure access is restricted to the minimum possible level. Accounts must be disabled when not in use.
- Where the supplier provides a service, the service provided will be monitored, reviewed and audited as necessary.

Incident and Weakness Management Policy

While the Information Security Management System (ISMS) has been planned and implemented in order to minimise the likelihood that an incident will occur, it is recognised that there may be occasions where policies and procedures are not followed, either by staff, contractors, visitors, suppliers or any other third party. The University of Brighton is committed to responding to any breach of confidentiality, integrity or availability of any assets, either of the organisation or of its clients.

Controls

The following controls have been implemented to ensure that any incidents arising are quickly reported, receive an appropriate response, and are used to improve the information security management system.
- Incident management procedures have been written and are communicated to all members of the University in the UoB IT Regulations document.
- All staff will receive training which includes specific instruction on the requirement to report any incidents or potential incidents that are noted.
- Departmental Information Security Representatives must ensure that they are known as the local point of contact.
- Departmental Information Security Representatives will report on how many events, incidents or weaknesses have been reported (even if this is a nil return) as part of the annual departmental risk review.

Business Continuity Management Policy

The University of Brighton provides a safe, secure IT environment to serve its requirements in order to ensure stability and continuity of the business. It is recognised that incidents can occur which can interrupt normal business practices. The University of Brighton is committed to minimising the impact of any such incident that might affect the organisation's premises, staff or equipment.

Controls

1. Each department must maintain either a plan or a set of plans that describe how it will react to an incident that affects normal business operations. The plans should address the following aspects:
   - Notification of an incident, and plan invocation
   - Internal communications (to staff, students etc.)
   - External communications (to Estates, SMT, customers and suppliers)
   - Recovery of important operations to a 'stable' state.
   The following scenarios should be covered in the plan or plans:
   - The unavailability of a building (with no damage)
   - The loss of a building
   - The unavailability of a key application, system or IT
   - The loss of key resources (e.g. staff, a key supplier)
2. A scenario-based walk-through of the plan or plans should take place at least once per year, taking into account one or more of the scenarios listed above.
3. A summary of the test shall be retained, and any actions arising from the test shall be tracked and closed as appropriate.
4. Other activities (communications cascade, testing involving other departments) should be considered to support the activities stated above.


Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

Working Practices for Protecting Electronic Information

Working Practices for Protecting Electronic Information Information Security Framework Working Practices for Protecting Electronic Information 1. Purpose The following pages provide more information about the minimum working practices which seek to ensure that

More information

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution. Written Information Security Plan (WISP) for HR Knowledge, Inc. This document has been approved for general distribution. Last modified January 01, 2014 Written Information Security Policy (WISP) for HR

More information

How To Protect School Data From Harm

How To Protect School Data From Harm 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0 PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information

REMOTE WORKING POLICY

REMOTE WORKING POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

Records Management Policy & Guidance

Records Management Policy & Guidance Records Management Policy & Guidance COMMERCIALISM Document Control Document Details Author Nigel Spencer Company Name The Crown Estate Department Name Information Services Document Name Records Management

More information

Information Security Team

Information Security Team Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

How To Manage A Business Continuity Strategy

How To Manage A Business Continuity Strategy Business continuity strategy 2009 2012 Table of contents 1 Why this strategy is needed 3 2 Aim of the strategy 4 3 Our approach to business continuity 4 PROCESS 4 STRUCTURE 5 DOCUMENTATION 6 DISRUPTION

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

CCG: IG06: Records Management Policy and Strategy

CCG: IG06: Records Management Policy and Strategy Corporate CCG: IG06: Records Management Policy and Strategy Version Number Date Issued Review Date V3 08/01/2016 01/01/2018 Prepared By: Consultation Process: Senior Governance Manager, NECS CCG Head of

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

Protection of Computer Data and Software

Protection of Computer Data and Software April 2011 Country of Origin: United Kingdom Protection of Computer Data and Software Introduction... 1 Responsibilities...2 User Control... 2 Storage of Data and Software... 3 Printed Data... 4 Personal

More information

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 21/09/2015 HSCIC Audit of Data Sharing

More information

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...

1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network... Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless

More information

Information Security Incident Management Policy September 2013

Information Security Incident Management Policy September 2013 Information Security Incident Management Policy September 2013 Approving authority: University Executive Consultation via: Secretary's Board REALISM Project Board Approval date: September 2013 Effective

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Version: 0.2 Committee Approved by: Audit Committee Date Approved: 15 th January 2014 Author: Responsible Directorate Information Governance & Security Officer, The Health Informatics

More information

IT SECURITY POLICY (ISMS 01)

IT SECURITY POLICY (ISMS 01) IT SECURITY POLICY (ISMS 01) NWAS IM&T Security Policy Page: Page 1 of 14 Date of Approval: 12.01.2015 Status: Final Date of Review Recommended by Approved by Information Governance Management Group Trust

More information

Remote Access Policy

Remote Access Policy BASINGSTOKE AND NORTH HAMPSHIRE NHS FOUNDATION TRUST Remote Access Policy Summary This is a new document which sets out the policy for remote access to the Trust s network and systems. Remote access is

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Information Security Policy. Information Security Policy. Working Together. May 2012. Borders College 19/10/12. Uncontrolled Copy

Information Security Policy. Information Security Policy. Working Together. May 2012. Borders College 19/10/12. Uncontrolled Copy Working Together Information Security Policy Information Security Policy May 2012 Borders College 19/10/12 1 Working Together Information Security Policy 1. Introduction Borders College recognises that

More information

<COMPANY> P01 - Information Security Policy

<COMPANY> P01 - Information Security Policy P01 - Information Security Policy Document Reference P01 - Information Security Policy Date 30th September 2014 Document Status Final Version 3.0 Revision History 1.0 09 November 2009: Initial release.

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,

More information

How To Audit Health And Care Professions Council Security Arrangements

How To Audit Health And Care Professions Council Security Arrangements Audit Committee 28 Internal audit report ICT Security Executive summary and recommendations Introduction Mazars has undertaken a review of ICT Security controls, in accordance with the internal audit plan

More information

University of Liverpool

University of Liverpool University of Liverpool IT Asset Disposal Policy Reference Number Title CSD 015 IT Asset Disposal Policy Version Number v1.2 Document Status Document Classification Active Open Effective Date 22 May 2014

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

NHS Information Governance:

NHS Information Governance: NHS Information Governance: Information Risk Management Guidance: Maintenance and Secure Disposal of Digital Printers, Copiers and Multi Function Devices Department of Health Informatics Directorate July

More information

UK SBS Physical Security Policy

UK SBS Physical Security Policy UK SBS Physical Security Policy Version Date Author Owner Comments 1.0 16 June 14 Head of Risk, Information and Security Compliance (Mel Nash) Senior Information Risk Owner (Andy Layton) Ist Issue following

More information

ABERDARE COMMUNITY SCHOOL

ABERDARE COMMUNITY SCHOOL ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical

More information

Records Management plan

Records Management plan Records Management plan Prepared for 31 October 2013 Audit Scotland is a statutory body set up in April 2000 under the Finance and Accountability (Scotland) Act 2000. We help the Auditor General for Scotland

More information

TERMINAL CONTROL MEASURES

TERMINAL CONTROL MEASURES UCR Cashiering & Payment Card Services TERMINAL CONTROL MEASURES Instructions: Upon completion, please sign and return to cashandmerchant@ucr.edu when requesting a stand-alone dial up terminal. The University

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Information Management Policy

Information Management Policy Title Information Management Policy Document ID Director Mark Reynolds Status FINAL Owner Neil McCrirrick Version 1.0 Author Deborah Raven Version Date 26 January 2011 Information Management Policy Crown

More information

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service) Introduction This document provides a summary of technical information security controls operated by Newcastle University s IT Service (NUIT). These information security controls apply to all NUIT managed

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

BANKING BUSINESS THEMED EXAMINATION PROGRAMME 2011: INFORMATION SECURITY SUMMARY FINDINGS

BANKING BUSINESS THEMED EXAMINATION PROGRAMME 2011: INFORMATION SECURITY SUMMARY FINDINGS BANKING BUSINESS THEMED EXAMINATION PROGRAMME 2011: INFORMATION SECURITY SUMMARY FINDINGS Issued: March 2012 GLOSSARY OF TERMS The following table sets out a glossary of terms used in this report. Content

More information

How To Write A Health Care Security Rule For A University

How To Write A Health Care Security Rule For A University INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

CITY UNIVERSITY OF HONG KONG Physical Access Security Standard

CITY UNIVERSITY OF HONG KONG Physical Access Security Standard CITY UNIVERSITY OF HONG KONG (Approved by the Information Strategy and Governance Committee in December 2013) PUBLIC Date of Issue: 2013-12-24 Document Control Document Owner Classification Publication

More information

Adlib Hosting - Service Level Agreement

Adlib Hosting - Service Level Agreement Adlib Hosting - Service Level Agreement June 2014 This service level agreement (SLA) applies to the Adlib Hosting services provided by Axiell ALM Netherlands BV, and includes the activities and facilities

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria Gatekeeper PKI Framework ISBN 1 921182 24 5 Department of Finance and Deregulation Australian Government Information Management Office Commonwealth of Australia 2009 This work is copyright. Apart from

More information

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) (NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002) 1. Approval and Authorisation Completion of the following signature blocks signifies

More information

IT ACCESS CONTROL POLICY

IT ACCESS CONTROL POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

University of Kent Information Services Information Technology Security Policy

University of Kent Information Services Information Technology Security Policy University of Kent Information Services Information Technology Security Policy IS/07-08/104 (A) 1. General The University IT Security Policy (the Policy) shall be approved by the Information Systems Committee

More information

06100 POLICY SECURITY AND INFORMATION ASSURANCE

06100 POLICY SECURITY AND INFORMATION ASSURANCE Version: 5.4 Last Updated: 30/01/14 Review Date: 27/01/17 ECHR Potential Equality Impact Assessment: Low Management of Police Information (MoPI) The Hampshire Constabulary recognises that any information

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 26/10/2015 HSCIC Audit of Data Sharing

More information

HR Guide: Agile Working Version: 1.0

HR Guide: Agile Working Version: 1.0 HR Guide: Agile Working Version: 1.0 Contents Section 1 Introduction to Agile Working Section 2 What are the Aims of Agile Working Section 3 Can all employees undertake Agile Working? Section 4 How do

More information

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

28400 POLICY IT SECURITY MANAGEMENT

28400 POLICY IT SECURITY MANAGEMENT Version: 2.2 Last Updated: 30/01/14 Review Date: 27/01/17 ECHR Potential Equality Impact Assessment: Low 1. About This Policy 1.1. The objective of this policy is to provide direction and support for IT

More information

Information Services. The University of Kent Information Technology Security Policy

Information Services. The University of Kent Information Technology Security Policy Information Services The University of Kent Information Technology Security Policy 1. General The University IT Security Policy (the Policy) shall be approved by the Information Services Committee (ISC)

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information