Information Security Assurance Plan 2015/16

Policy number: N/A
Version: 2.0
Approved by: Information Governance Sub-Committee
Name of author/originator: Daniel Lo Russo, Information Governance Manager
Owner (Exec Director): Elaine Newton, Director of Governance & Compliance/SIRO
Date of approval: August 2015
Date of last review: July 2015
Next due for review: April 2016, for approval following release of Version 14 CCG IG Toolkit (expected June 2016)
Version control sheet

Version | Date | Author | Status | Comment
1.0 | March 2014 | Daniel Lo Russo | Draft | Draft for Q&CGC approval
1.1 | March 2014 | Daniel Lo Russo | Approved | Approved by Quality & Clinical Governance Committee
1.2 | March 2014 | Daniel Lo Russo | Final | Front sheet added
2.0 | July 2015 | Daniel Lo Russo | Draft | Draft for IG Sub-Committee approval
2.0 | TBC | Daniel Lo Russo | Final | Approved by IG Sub-Committee

Related Documents
Information Governance Framework
Confidentiality & Data Protection Policy
Information Security Policy
Records Management Policy
2015/16 Caldicott Function Assurance Plan

Information Security Assurance Plan 2015/16 2
Information Security Assurance Plan

Introduction

This work programme is designed to support the Information Security Policy, and describes how NHS Guildford and Waverley CCG can obtain assurance to address its Information Security needs (as required by the IG Toolkit Requirement 13-300 series).

Information and information systems are important assets, and it is essential that the CCG takes all necessary measures to ensure that they are protected, available and accurate to support the operations of the business at all times. The aim of the CCG's Information Security Policy and individual System Level Security Policies and Risk Assessments is to maintain the confidentiality, integrity and availability of the information stored, processed and communicated by and within the CCG.

This assurance plan outlines roles and responsibilities for managing Information Security, Information Security Incidents, and controls. It details the activities the CCG will undertake to provide assurance regarding its level of compliance with the Information Security Assurance related requirements of the CCG IG Toolkit. It also details how the CCG will seek assurance with respect to ICT services provided by the South East Commissioning Support Unit (CSU). The Information Security Assurance Plan therefore includes two separate but related elements:

1. Local Information Security Assurance Plan
2. Assurance Plan for ICT Services provided by South East CSU

Actions identified in the Assurance Plan will be included within the annual Information Governance Improvement Programme.

Information Security Management Responsibilities

Responsibility for managing Information Security within the CCG rests with all employees and the following key officers:
SIRO (Senior Information Risk Owner)
Information Security Officer (Information Governance Manager)
Information Asset Owners (IAOs)

Details of specific roles and responsibilities are included within the CCG's Information Security Policy.
Responsibilities for managing Information Security within the CSU are defined within the South East CSU's ICT Security Policy and Application Security Policy. These are available to CCG staff via the CSU's website (over the N3 network only) or by request to the CCG's.

Every CCG staff member and contractor is responsible for processing personal data, sensitive personal data and sensitive corporate data in a secure manner.

Approval, Monitoring & Reporting

This plan will be approved by the IG Sub-Committee of the CCG's Quality & Clinical Governance Committee, which includes the SIRO;
Exception reports against this Assurance Plan will be provided at regular review meetings between the CCG's SIRO and Information Governance Manager;
Exception reports against this Assurance Plan will be provided at each meeting of the IG Sub-Committee (IGSC) of the CCG's Quality & Clinical Governance Committee;
Reports against this Assurance Plan will be used to support IGSC approval of submission of the CCG's annual IG Toolkit assessment;
An annual summary report will be provided to the CCG's Governing Body;
The effectiveness of the Assurance Plan and related functions/roles will be reviewed annually as part of the CCG's IG Improvement Programme;
The IG Sub-Committee of the CCG's Quality & Clinical Governance Committee will review and approve a 2016/17 Information Security Assurance Plan following publication of the 2015/16 CCG IG Toolkit requirements (expected June 2016).

Abbreviations Used in Assurance Plan
CSU - Commissioning Support Unit
DR&BC - Disaster Recovery & Business Continuity
IA - Information Asset
IAO - Information Asset Owner
ICT - Information Communication Technology
PIA - Privacy Impact Assessment
Section 1: Local Information Security Assurance Plan

Please see the CCG's 2015/16 IG Improvement Plan for details of the current scheduling of activities detailed below.

The table columns are: Control; IG Toolkit requirement reference (Ref); Assurance Activity/Monitoring Q1 (Q1); Further Action Q2-4 (Q2-4); Responsible.

Control: Information Security Framework
Ref: 131, 340
There is an appropriate Information Security Framework in place.
Q1: Review of IG & Information Security related policies in progress.
Q2-4: IGSC approval of updated Information Security policy.

Ref: 134
Independent assurance regarding ICT risk management.
Q1: Independent audit of ICT risk management completed; outcome: Substantial Assurance.
Q2-4: Information Security measures included within 15/16 audit sample.

Control: Staff Awareness & Training
Ref: 131, 340, 341
Over 95% staff completion of mandatory IG Training.
Q1: Training of new staff. See Key Performance Indicators reports.
Q2-4: Refresher training for existing staff. Mandatory training to be completed.

Ref: 345
SIRO and IAO training.
Q1: Training Needs Analysis reviewed.
Q2-4: Explore additional local training.

Ref: 349
IA Incident reporting training.
Q1: Review of new HSCIC guidance.
Q2-4: Development of new IG Incident Reporting Procedures and evidence of staff understanding.

Control: IG related contract clauses in place with third parties
Ref: 132, 341, 351
Appropriate IG clauses are in place for all staff, contractors and third parties.
Q1: Discussions with project and contract managers regarding IG requirements for new contracts.
Q2-4: Assurance that appropriate compliance with IG related requirements has been received from third parties.

Control: Structured Implementation and InfoSec Accreditation
Ref: 237
All services and information assets are developed to comply with Information Security requirements.
Q1: Advice and guidance to CCG staff developing new services and information assets.
Q2-4: Information asset review programme to be completed. Input to OD Programme to ensure IG needs reflected.

Control: Information Asset Register
Ref: 340, 341, 345
Includes all key/critical local information assets, including sensitive or personal data.
Q1: None.
Q2-4: Update following completion of Risk Assessments & SLSPs.

Responsible (entry on this page): Directors of Contracts.
Control: Information Asset Register (cont)
Ref: 345, 351
Confirms IA Risk Assessments completed.
Q1: None.
Q2-4: Update following completion of Risk Assessments & SLSPs.

Ref: 237, 344
Confirms Access Controls.
Q1: None.
Q2-4: Update following completion of Risk Assessments & SLSPs.

Ref: 346
Confirms DR&BC Plans.
Q1: None.

Ref: 344
Confirms System Level Security Policies.
Q1: None.

Control: Data Flow Mapping
Ref: 350, 236
Mapping of data flows for all business units.
Q1: Safeguarding sessions being organised currently.
Q2-4: Data flow mapping exercise refresh.

Ref: 350, 351
Risk assessment of data flows.
Q1: None.

Ref: 350, 351
SIRO's review of data flow mapping outcomes.
Q1: None.

Ref: 351, 250
Information sharing/data processor agreements.
Q1: LAC & ICP Information Sharing Agreements in progress.
Q2-4: Register of ISAs maintained and regularly reviewed.

Control: Information Risk Management
Ref: 235, 348, 351
Compliance with email policy.
Q1: Guidance being updated and non-nhs email accounts being closed by CSU.
Q2-4: Staff evidence read and understood guidance.

Ref: 235, 348, 351
Robust encryption methods used for transfers of sensitive/personal data.
Q1: Staff guidance being updated.
Q2-4: Data flow mapping exercise refresh.

Ref: 235, 348, 351
Use of mobile memory media.
Q1: Use of encrypted USB sticks by CCG staff.
Q2-4: Review staff use of personal iphones and use of ipads for Board Papers etc.

Ref: 235, 341, 345
Risk Assessment of existing, new and proposed local Information Assets.
Q1: Complete for high risk assets (quarterly reviews).
Q2-4: Review and update risk assessments and System Level Security Policies at required frequency.

Ref: 344
System level security policies established for existing, new and proposed local key/critical Info Assets.
Q1: Complete for high risk assets (quarterly reviews).
Q2-4: Review and update risk assessments and System Level Security Policies at required frequency.
Control: Information Risk Management (cont)
Ref: 346
Team level BC&DR plans include access to key/critical IAs.
Q1: None.
Q2-4: Development and testing of team level BC&DR Plans.

Ref: 235, 237, 341, 351
Privacy Impact Assessments (PIAs) undertaken for new services.
Q1: PIAs completed for LAC work and Integrated Care (in progress).
Q2-4: Complete PIAs as required.

Ref: 237
Physical Protection of Premises/equipment.
Q1: None.
Q2-4: Take forward as part of CCG OD Programme. Arrange for physical penetration testing to take place by 3rd party.

Ref: 344, 347, 348
Monitoring of ICT services delivered by 3rd party organisations.
Q1: See Section 2, Assurance Plan for ICT Services Provided by South East CSU. Meeting held with CSU Account
Q2-4: Various assurance and supporting evidence. See Section 2, Assurance Plan for ICT Services Provided by South East CSU.

Ref: 134, 231, 235, 350
Staff IG Survey to be undertaken.
Q1: None.
Q2-4: Develop questions and methodology.

Ref: 235, 350
Acceptable Usage of email system.
Q1: Staff guidance in development. NHS.net upgrade underway.
Q2-4: Explore NHS.net mailbox reporting with HSCIC.

Control: ICT Network Usage
Acceptable Usage of internet.
Q1: Implementation of proxy server.
Q2-4: Move all staff to proxy and receive regular reports from CSU.

Control: NHS Smart Card Usage
Ref: 342
CCG Registration Authority policy and procedures in place.
Q1: Policy and procedures in place.
Q2-4: Review following receipt of CSU updated RA Policy.

Ref: 343
CCG to ensure adequate governance over the issuing/use of NHS Smartcards.
Q1: Q1 reports from CSU Registration Authority received and reviewed by CCG sponsors.
Q2-4: Receive and review reports Q2-4.

Control: NHS Number Usage
Ref: 421
There is consistent and comprehensive use of the NHS Number in line with NHS requirements.
Q1: Development of Accredited Safe Haven (ASH) outline business case for IGSC and EMT review.
Q2-4: Include NHS Number use review within 2015/16 Information Asset Review Programme.

Responsible (entries on this page): Deputy Director G&C; CGSM Manager.
Control: IG Incident Management
Ref: 349
Robust incident reporting arrangements in place.
Q1: Monitoring and reporting of IG related incidents in accordance with CCG procedures.
Q2-4: CCG incident reporting procedures updated to reflect latest HSCIC Guidance.

Ref: 235, 349
Monitoring of IG related incident trends.
Q1: Monitoring and reporting of IG related incidents in accordance with CCG procedures.
Q2-4: Undertake trend analysis of incidents.

Ref: 134
Staff awareness and compliance with incident reporting procedures.
Q1: E-brief reminder and incident form circulated.
Q2-4: Audit of incident records to be undertaken.

Control: User Access Control
Ref: 235, 343, 344
Robust registrations & leavers process in place.
Q1: Guidance issued via E-brief. HR review of processes in place.
Q2-4: Audits of records held by CCG and CSU.

Control: Mobile Computing
Ref: 348
Robust encryption in place on laptops.
Q1: Raised concerns to CSU.
Q2-4: Assurance from CSU.

Ref: 348
Equipment held by authorised individuals only.
Q1: Records held of authorisations.
Q2-4: Audits of records held by CCG and CSU.

Control: Pseudo. and Anonymisation
Ref: 236, 352
Robust pseudonymisation and/or anonymisation is undertaken.
Q1: Provided under SLA with CSU.
Q2-4: Assurance statement from CSU.

Responsible (entry on this page): Head of Information.

Please see below for Section 2, Assurance Plan for ICT Services Provided by South East CSU.
Section 2: Assurance Plan for ICT Services Provided by South East CSU

Please see the CCG's 2015/16 IG Improvement Plan for details of the current scheduling of activities detailed below.

The table columns are: Control; IG Toolkit requirement reference (Ref); Assurance Activity/Monitoring Q1 (Q1); Further Action Q2-4 (Q2-4); Responsible.

Control: Contracts are monitored and assurance gained in respect of compliance with IG requirements
Ref: 132
Assurance required in respect of compliance with IG requirements.
Q1: Review of CSU 14/15 Return. Copy of CSU's final 2014/15 Independent Audit Report. Meeting with CSU Account
Q2-4: In year assurance regarding 15/16 score for CSU, copies of NHS England's Reports on Internal Controls in place at SECSU, and copy of CSU's draft 2015/16 Independent Audit Report.

Ref: 133
Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation.
Q2-4: Assurance statement regarding suitable IG clauses being in place for any CSU staff who may access CCG personal data (e.g. ICT staff).

Control: Assurance regarding individuals with access to CCG confidential data
Ref: 235
Staff access to confidential personal information is monitored and audited. Where care records are held electronically, audit trail details about access to a record can be made available to the individual concerned on request.
Q1: CCG confidentiality checks.
Q2-4: Report showing usage of removable media devices (USBs etc) used to remove data from CCG electronic filing system. Confirmation that all non-NHS.net email accounts for GWCCG users have now been deleted. Assurance statement or independent audit report confirmation regarding confidentiality audits for CSU systems holding CCG confidential data undertaken during 15/16.

Control: Information Risk Management
Ref: 340
The work necessary to provide Information Security Assurance has been identified.
Q1: Informed CSU that the current version of the CSU's IS Assurance Plan available to the CCG is out of date.
Q2-4: Updated CSU IS Assurance Plan for review.

Ref: 341
An Information Risk Assessment and Management Programme has been documented along with associated strategies, policies and procedures, linked to the organisation's corporate risk register.

Ref: 342
There are established business processes and procedures that satisfy the organisation's obligations as a Registration Authority (RA).
All CSU RA staff have received the mandated national training. Q2-4: Assurance regarding CSU RA Staff Training completion.
RBAC implementation at Registration Authorities. Q2-4: Assurance regarding RBAC fully implemented.
CSU RA service capacity. Q2-4: Assurance regarding RA consumables etc.

Ref: 343
CSU have robust RA policy in place.
Q1: Informed CSU that the current version available to the CCG is out of date.
Q2-4: Updated CSU Registration Authority Policy for review.

Control: ICT Application Assurance
Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use.
Q1: Q1 report received from CSU and reviewed by CCG Sponsors/Line Managers. Closure of access no longer required.
Q2-4: Quarterly reports showing current CCG Smartcard users.
Q1: Q1 report received from CSU and reviewed by CCG. All current users have electronically signed their terms and conditions.
Q2-4: Audit report on the outcome of checking that all CCG NHS Smartcard users have electronically signed their terms and conditions.

Ref: 344
Operating and application information systems (under the organisation's control) support appropriate access control functionality, and documented and managed access rights are in place for all users of these systems.
Q2-4: Standard CCG desktop and laptop image build (including common and technical applications) and specific builds for roles (Info Team, Comms Team) to be agreed.
Ref: 344 (cont)
There are appropriate user access management procedures (including user registration, update and deregistration processes), technical functionality and management controls for all key information assets identified in the organisation's asset register.
Q2-4: ICT Network reports on password strength settings and number of failed login attempts for GWCCG staff members. Reports showing CCG Account Directory accounts (including details: date opened, approver and date closed). Report showing G&WCCG Account Directory Accounts inactive for 2 or more weeks.

Access to information assets is only possible for individuals who have been duly authorised.
Q2-4: Examples of ICT Network access logs for G&WCCG users (e.g. 2 week period). Penetration Testing results for ICT network utilised by CCG (COIN).

Control: SIRO Assurance
Ref: 345
An effectively supported Senior Information Risk Owner takes ownership of the organisation's information risk policy and information risk management strategy.
Q2-4: CSU Information Security Policy to check alignment with CCG policy.
Control: Business Continuity Plan
Ref: 346
Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place.
Q2-4: Assurance regarding BCDR arrangements for services provided to CCG under SLA and testing of these during 15/16.

Control: ICT Network Assurance
Ref: 347
Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely.
Q1: Installation of proxy server and some CCG users moved to test environment.
Q2-4: Assurance regarding Surrey Community of Interest Network (COIN) utilised by CCG & COIN Stakeholder Group updates and Risk Assessments. Take forward proxy server configuration and roll out to all users. Reports to support acceptable usage of internet monitoring by CCG.

Control: Mobile computing and teleworking assurance
Ref: 348
Policy and procedures ensure that mobile computing and teleworking are secure.
Q2-4: Report on RAS Accounts (including details: date opened, approver and date closed). Reports showing devices (phones, ipads and laptops) on network being utilised by CCG staff. Assurance that attached VPN solution diagram remains correct and has been penetration tested in 15/15. Assurance regarding encryption system in place on Surrey CCG laptops.

Control: Incident Reporting
Ref: 349
Adherence with NHS incident management and reporting procedures.
Q2-4: Assurance that CSU has not experienced any data loss incidents (inc near misses) relating to GWCCG confidential business data (inc PID).

Control: Data Flow Mapping
Ref: 236
All transfers of CCG personal data to countries outside of the UK fully comply with the Data Protection Act 1998 and DH guidelines. Where the review of overseas transfers reveals that appropriate contracts are not already in place for existing transfers, the organisation ensures that new contractual arrangements are signed.
Q2-4: Statement confirming whether the CSU transfer/process any G&W CCG data outside UK/EEA and, if so, statement confirming that all transfers of personal data to countries outside of the UK fully comply with the Data Protection Act 1998 and DH guidelines.
Control: Technical Controls Assurance
Ref: 350
All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers.
Q2-4: Assurance regarding processing of GWCCG data by CSU.

Ref: 351
All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures.
Q2-4: Assurance regarding penetration testing of ICT Network utilised by CCG. Assurance regarding encryption system in place on Surrey CCG laptops and penetration testing of VPN.

Control: Pseudo. and anonymisation assurance
Ref: 352
The confidentiality of CCG service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate.
Q2-4: Assurance regarding processing of GWCCG data by CSU.

Control: Records Management Assurance
Ref: 420
The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience.
Q2-4: Reports on corporate X Drive Usage (to include no. of folders, destination/no. of files, file type, file size etc). Reports on staff personal Z Drive Usage (to include no. of folders/no. of files, file type, file size etc).

Responsible (entry on this page): Head of Information.
Control: NHS Number Assurance
Ref: 421
There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements.
Q2-4: Confirmation that CSU have NHS Number plan in place.