Information Security Management System (ISMS) Policy



Similar documents
Corporate Information Security Policy

University of Sunderland Business Assurance Information Security Policy

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction Policy Statement Purpose...

Information Governance Strategy & Policy

Rotherham CCG Network Security Policy V2.0

CPS SECURITY & INFORMATION RISK MANAGEMENT POLICY CPS SECURITY & INFORMATION RISK MANAGEMENT POLICY

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

Information Governance Policy (incorporating IM&T Security)

Corporate Information Security Management Policy

How To Protect Decd Information From Harm

Information Governance Policy

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

3 August 2012 Policy updated to reflect name changes and alignment with current Aurora Energy Group Policy standards.

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

Information security policy

How To Ensure Information Security In Nhs.Org.Uk

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

University of Brighton School and Departmental Information Security Policy

Information Governance Strategy :

Policy Document Control Page

Business Continuity Policy and Business Continuity Management System

INFORMATION TECHNOLOGY SECURITY STANDARDS

The CPS incorporates RCPO. CPS Data Protection Policy

Information Governance Framework

Information Security: Business Assurance Guidelines

Policies for: Information Governance Information Quality Information Management Information Security. Version Control Version: 0.1

Information Security Management System Policy

Information Security Management System Information Security Policy

SHELL GENERAL BUSINESS PRINCIPLES

Our Commitment to Information Security

Derbyshire Trading Standards Service Quality Manual

Client information note Assessment process Management systems service outline

Lancashire County Council Information Governance Framework

Network Security Policy

Information Governance Strategy

Information Security and Governance Policy

NETWORK SECURITY POLICY

Smart Meters Programme Schedule 2.5. (Security Management Plan) (CSP South version)

Information Governance Policy

<COMPANY> P01 - Information Security Policy

REMOTE WORKING POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Information Security Policy

Information & ICT Security Policy Framework

INFORMATION SECURITY PROCEDURES

NHS Business Services Authority Information Security Policy

Quality Policy. JRI Orthopaedics Limited

Practical Overview on responsibilities of Data Protection Officers. Security measures

Mike Casey Director of IT

Senate. SEN15-P17 11 March Paper Title: Enhancing Information Governance at Loughborough University

The New Zealand Human Services Quality Framework - ISO9002:2008 to 2012

Information governance strategy

Shell General Business Principles

UK SBS Physical Security Policy

COMMERCIALISM INTEGRITY STEWARDSHIP. Back-up Policy & Guidance

Network Security Policy

Information Security Policy. Chapter 10. Information Security Incident Management Policy

HMG Security Policy Framework

National Approach to Information Assurance

Information Security Programme

Cyber security standard

Information Security Policy

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Information Governance Policy

The potential legal consequences of a personal data breach

How To Ensure Network Security

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

Customer-Facing Information Security Policy

Operational Risk Publication Date: May Operational Risk... 3

Information Governance and Assurance Framework Version 1.0

INFORMATION SECURITY POLICY

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September Information Governance Manager

ISO27001 Controls and Objectives

ISO 27001: Information Security and the Road to Certification

Lexcel England and Wales v6 Guidance notes for in-house legal departments Excellence in practice management and client care The Law Society.

Information Security Incident Management Policy and Procedure. CONTROL SHEET FOR Information Security Incident Management Policy

INFORMATION GOVERNANCE POLICY

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Information Classification and. Handling Policy

BENENDEN HOSPITAL TRUST JOB DESCRIPTION

Prepared for Public Service Staff Relations Board. Prepared by Consulting and Audit Canada Project No.:

Transcription:

Information Security Management System (ISMS) Policy April 2015 Version 1.0

Version History Version Date Detail Author 0.1 18/02/2015 First draft Andy Turton 0.2 20/02/2015 Updated following feedback from P2 Andy Turton 1.0 29/04/2015 Approved Andy Turton This document has been prepared using the following ISO27001:2013 standard controls as reference: ISO Control Description 5.2 Information Security Policy Page 2 of 7

RACI Matrix A RACI matrix describes the participation by various roles in completing tasks or deliverables for a project or business process. It is especially useful in clarifying roles and responsibilities in crossfunctional/departmental projects and processes. R A C I Andrew Turton IAG IAG All Commission staff R Responsibility A Accountable C Consultable I Informed Those who do the work to achieve the task. The one ultimately answerable for the correct and thorough completion of the deliverable or task, and the one who delegates the work to those responsible. Those whose opinions are sought, typically subject matter experts; and with whom there is two-way communication. Those who are kept up-to-date on progress, often only on completion of the task or deliverable; and with whom there is just one-way communication. Page 3 of 7

Contents page Purpose... 5 Individual responsibilities... 5 Information security objectives... 7 Page 4 of 7

Purpose 1. The purpose of this policy is to set out the Commission s aims and objectives for the management of information security. Information Security is defined as the preservation of confidentiality, integrity and availability of information. 2. The scope of the Information Security Policy covers the storage, access and transmission of information in the course of Commission business. It therefore applies to the conduct of staff, contractors, suppliers and others with access to that information (wherever the information or they are located) as well as the applications, systems, equipment and premises that create, process, transmit, host, or store information, whether in-house, personally owned or provided by external suppliers. 3. The Commission is committed to preserving the confidentiality, integrity and availability of all our key information assets in order to effectively deliver strategic goals and to maintain our legal and contractual compliance and reputation. The information security framework (comprising this policy, supporting policies, processes and tools and the requisite management and decision-making structures) shall be an enabling mechanism for information sharing and for reducing information-related risk to acceptable levels. 4. This policy is owned by the Information Asset Group (IAG) who will: Systematically examine the organisation's information security risks, taking, account of the threats, vulnerabilities, and impacts; Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and Adopt an overarching management process to ensure that the information security controls continue to meet the organisation's information security needs on an ongoing basis. Monitor the development of the ISMS to ensure continual improvement. Individual responsibilities All users 5. All individual users of Commission information systems and those handling or having access to Commission information outside of those systems shall be responsible for: a) complying with all relevant information security, policies, practices and procedures including any external accountability; b) ensuring that they request, where necessary, and receive adequate and relevant information security awareness training to enable them to undertake their roles; and c) reporting information security incidents via the defined and approved channels. 6. Violation of information security policies may be grounds for disciplinary action up to and including dismissal. Page 5 of 7

Senior Information Risk Owner (SIRO) 7. The SIRO is ultimately responsible for managing the organisation s information risks, including maintaining an information risk register. The SIRO shall: a) ensure that this policy and the information security objectives are compatible with the strategic direction of the Commission b) own the risks associated with the information security objectives and ensure that control action owners are identified, including identifying key Information Assets and nominating Information Asset Owners c) authorise acceptance or mitigation of significant information security risks that deviate from agreed standards Information Asset Owners (IAOs) 8. IAOs are senior members of staff and form an integral part of the Information Assurance framework. IAOs shall: a) lead and foster a culture that values, protects and uses information for the public good b) know what information an asset holds, and what enters and leaves it and why c) know who has access and why, and ensure their use of the asset is monitored d) understand and address risks to the asset, and provide assurance to the SIRO e) ensure the asset is fully used for the public good, including responding to access requests Departmental Security Officer (DSO) 9. The DSO is required to manage day to day security arrangements, working to the corporate standards set out in the Security Policy Framework and risk assessment requirements of Cabinet Office and the Office of the Government SIRO. The DSO shall: a) be responsible for maintaining security policies and guidance b) monitor compliance to the ISMS c) support IAG reviews d) investigate security breaches e) support IAOs in meeting their responsibilities f) support in the accreditation of relevant systems Information Technology Security Officer (ITSO) 10. The ITSO is responsible for managing IT related security issues. The ITSO shall: a) support IAOs in their understanding, and mitigation of, IT related security risk b) investigate security breaches c) support in the accreditation of relevant systems Page 6 of 7

Information security objectives 11. The following are the Commission s on-going security objectives: Information is only accessible to authorised persons from within or outside the organisation and levels of access are determined by IAOs or by delegated authority Confidentiality, Integrity and Availability of information and systems is maintained Business continuity plans are established, maintained and tested All personnel are trained on information security and are informed that compliance with the policy is mandatory All breaches of information security and suspected weaknesses are reported and investigated and appropriate actions taken Relevant procedures exist to support the policies in place Regular audits of the processes and policies are conducted to ensure continuous review and improvement of the ISMS New systems or services are deployed in a controlled and secure manner As far as is possible the Commission avoids breaches of legal, regulatory and contractual requirements. 12. IAG will also identify specific security objectives that are reviewed annually. These are used to develop the ISMS, including the monitoring of: Internal risks to confidentiality (such as printer checks and clear screen / clear desk compliance) Risks which will impact on service delivery to external stakeholders (including the availability of eservices) Risks to the availability of services and information (including business continuity testing) Page 7 of 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information