Incident reporting procedure




Responsible Officer: Ben Bennett, Business Planning & Resources Director
Author: Julian Lewis, Governance Manager
Date effective from: Aug 2009
Date last amended: Aug 2009
Review date: July 2012
Page 1 of 9

1 Introduction

1.1 Incident reporting plays a major role in helping the Institute maintain a safe and secure working environment. It helps protect the confidentiality, integrity and availability of the information and systems accessed, and is an essential element of effective risk management. Trend analysis of reported incidents enables the organisation to highlight areas of weakness and, if necessary, take appropriate action to reduce specific threats and vulnerabilities.

1.2 The Institute must demonstrate a commitment to, and delivery of, effective information governance. Incident management is a cyclical process of identification, reporting, investigation, resolution and learning, aimed at minimising the risk of recurrence.

1.3 All staff members have a responsibility to report information security incidents, whether deliberate or accidental.

1.4 This procedure outlines the main requirements for incident reporting related to information security only. It is designed to ensure that core data is recorded, that the event is properly reviewed, that corrective action is taken where necessary to minimise the risk of recurrence, and that accountability and responsibility for actions are clear.

1.5 Incidents relating to health and safety should be reported in accordance with the Health & Safety policy. Any identified fraud should be reported in accordance with the Counter Fraud policy.

2 Information security

2.1 An information security incident is any actual or potential breach of security which may compromise the confidentiality, integrity or availability of information stored, processed or communicated in relation to the Institute's business, whether in hard copy or electronic format.

2.2 The term "security incident" covers a wide range of events which can vary considerably, so it is not possible to detail every single event. The following list gives examples of the types of security incident that should be reported:

Type of data: Sensitive personal data (1)
Example: Risk of accidental or deliberate disclosure of sensitive personal data, e.g.
1. Personnel or recruitment files left unattended on a desk
2. Patient expert applications held on a file drive with general staff access

Type of data: Confidential information, including CiC and AiC information
Example: Risk of accidental or deliberate access to confidential information by an unauthorised person, e.g.
1. CiC information taken out of the building on unencrypted media
2. CiC information sent by email without password protection or encryption

Type of data: Passwords
Example: An unauthorised person has gained access to your account, or has attempted to gain access using your password, e.g. password/login details left accessible and unsecured to visitors in a home worker's home

Type of data: Physical security breach
Example: Unauthorised access to secure areas containing confidential information, e.g. forced access to a tambour unit containing confidential information or sensitive personal data

Type of data: Theft or loss of portable media
Example: Laptops or other portable media containing confidential or sensitive personal data lost or stolen, e.g. laptop stolen from a car

(1) As defined in Appendix 1

2.3 This list is not exhaustive, and staff must report any incident where they have a reasonable belief that there is a risk to the security of sensitive personal data or any confidential information.

3 Reporting security incidents

3.1 All information security incidents should be reported using the form at Appendix 3 and notified to the line manager, the Business Planning and Resources Director and the Governance Manager. Any incident occurring outside secure office premises should be reported immediately to the Business Planning and Resources Director and the Governance Manager.

3.2 Information on the incident should include a description of the data lost or stolen, whether it was held in hard copy or on portable media, the quantity (if known), where it was lost, and the sensitivity of the data (if known).

3.3 The Corporate Office will retain a central log of all significant security breaches. These will be reported to the Audit Committee by the Governance Manager and escalated via the Senior Information Risk Officer as necessary, in accordance with the Serious Untoward Incident reporting procedure (Appendix 2).

4 Sensitive security incidents

4.1 It is recognised that some incidents can be sensitive, especially if colleagues or managers may be incriminated. It is important that the person reporting the incident receives absolute protection and a guarantee of confidentiality, even in the event of a false alarm. In these circumstances the provisions of the Whistleblowing policy will apply, and the individual identifying the incident should complete the incident report themselves and forward it direct to the SIRO.

5 Accidental breaches of security

5.1 If an individual unintentionally causes a potential breach of security, such as losing their smart card, they should inform their line manager immediately. The reporting procedure detailed below will still be followed.

6 Security weaknesses

6.1 Staff should report any observed or suspected security weaknesses, such as staff sharing user IDs and passwords (including smartcards), or system admin privileges given to individuals who do not require them.

6.2 Staff should not attempt to prove a suspected security weakness, as this might be interpreted as potential misuse of the system. Instead, the weakness should be reported to the IT department and additionally to their line manager. The line manager will ensure the weakness is reported to the Business Planning & Resources Director.

7 Incident resolution

7.1 Once the incident has been dealt with and closed, the individual who reported the incident should be notified of the resolution. This is the responsibility of the designated manager investigating the incident, but may be delegated to the individual's line manager.

8 Further information

8.1 Further information, including contact details, can be found on the governance section of the intranet.

Appendix 1 Definition of personal data

1 Personal data is any information which relates to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller; it includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

2 This definition should be considered in light of the extent to which the data relates to the individual's privacy in their family life, business or professional capacity.

3 The DH defines sensitive personal data as information that includes the name of an individual, combined with one or more of the following:
Bank / financial / credit card details
National Insurance number / tax, benefit or pension records
Passport number / information on immigration status
Travel details (for example at immigration control, or Oyster records)
Passport number / information on immigration status / personal (non-NICE) travel records
Health records
Work record
Material related to social services (including child protection) or housing case work
Conviction / prison / court records / evidence
Other sensitive data defined by s.2 of the Data Protection Act 1998, including information relating to:
(a) racial or ethnic origin
(b) political opinions
(c) religious beliefs or other beliefs of a similar nature
(d) membership of a trade union
(e) physical or mental health or condition
(f) sex life
(g) the commission or alleged commission by him of any offence
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Appendix 2 Reporting of serious untoward incidents

Incidents are graded on a scale from 0 to 5; the original table heads the scale Minor, Medium and Significant. The criteria for each level are:

Level 0
Reputation: No significant damage to the reputation of the individual or organisation
Media: Media interest very unlikely
Confidentiality: Minor breach of confidentiality
People affected: Only a single individual

Level 1
Reputation: Damage to an individual's reputation
Media: Possible media interest
Confidentiality: Potentially serious breach
People affected: Less than 5 people affected and risk low, e.g. due to encryption

Level 2
Reputation: Damage to a section's reputation
Media: Some local media interest that may not go public
Confidentiality: Serious potential breach and risk assessed as high
People affected: Up to 20 people affected and media not encrypted

Level 3
Reputation: Damage to a service's reputation
Media: Low key coverage in press or local media
Confidentiality: Serious breach of confidentiality
People affected: OR up to 100 people affected

Level 4
Reputation: Damage to NICE reputation
Media: National or local press coverage
Confidentiality: Serious breach of confidentiality of sensitive information
People affected: OR up to 1000 people affected

Level 5
Reputation: Damage to DH, NHS or public sector in general
Media: National press coverage
Confidentiality: Serious breach with potential for ID fraud
People affected: OR over 100 people affected

Reporting route: depending on the incident level, report to the Audit Committee, to the Board, or to ALB BSU and the Senior Departmental Sponsor. ALB BSU (with DH Security) will decide if Ministers, the Cabinet Office and/or the Information Commissioner need to be informed.

Appendix 3 Incident reporting form

Please PRINT all details on this form.
[To be completed by the person who identified the incident or the person reporting on their behalf]
Completing this form does not imply an admission of liability on any person.

Date of incident:
Time of incident (24 hr clock):
Place of incident:
Name of person reporting incident:
Position:
Tel:
Brief description of incident (brief factual account of what happened):
Brief description of any immediate action taken:
Date form submitted:
Signature:
Name and position of any other staff involved / witnesses [max 2]:
    Name:            Signature:            Position:
    Name:            Signature:            Position:
Date form sent to BPRD:

FOR BPRD USE ONLY
Incident number:
Date form received:
Incident level (0-5):
Report to (tick): Audit Committee / Board / ALB BSU
Brief description of action taken:
Identify likely cause of incident:
Action to prevent repeat of incident:
Investigating Officer:            Signature:            Date:

Appendix A - Version Control Sheet

Version: 1
Date:
Author: Julian Lewis
Replaces: n/a
Comment: