INFORMATION SECURITY POLICY



Similar documents
Harper Adams University College. Information Security Policy

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

Corporate Information Security Management Policy

EA-ISP-001 Information Security Policy

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

INFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes

INFORMATION SECURITY MANAGEMENT POLICY

information systems security policy...

Information Services. Regulations for the Use of Information Technology (IT) Facilities at the University of Kent

Corporate Information Security Policy

Information security policy

NHS Business Services Authority Information Security Policy

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

St. Peter s C.E. Primary School Farnworth , Internet Security and Facsimile Policy

Essex County Council Policy for Information Management and Security

Caedmon College Whitby

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

Information Governance Policy (incorporating IM&T Security)

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Information Security Policy

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

Conditions of Use. Communications and IT Facilities

ICT Acceptable Use Policy. August 2015

Information Governance Policy

TECHNOLOGY USAGE POLICY

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Information Governance Strategy & Policy

Information Management and Security Policy

Data Protection Policy

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services

DHHIT Network Security Standards and Procedures

Merthyr Tydfil County Borough Council. Data Protection Policy

Service Schedule for Business Lite powered by Microsoft Office 365

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

How To Protect Decd Information From Harm

Security Incident Management Policy

Council Policy. Records & Information Management

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security

Data Protection Policy June 2014

TELEFÓNICA UK LTD. Introduction to Security Policy

Services Policy

Mobile Phone Device Policy

Rules for the use of the IT facilities. Effective August 2015 Present

INFORMATION SECURITY POLICY

Use of ESF Computing and Network Resources

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

Internet Use Policy and Code of Conduct

Network Security Policy

DATA PROTECTION POLICY

Data Protection Policy. Information Security Review Group. Version Date Author Notes on Revisions

INFORMATION GOVERNANCE POLICY

GENERAL CONDITIONS OF USE OF COMPUTING AND NETWORK FACILITIES

Computer Network & Internet Acceptable Usage Policy. Version 2.0

Service Schedule for BT Business Lite Web Hosting and Business Lite powered by Microsoft Office 365

Information Technology and Communications Policy

Information Governance Policy

Ulster University Standard Cover Sheet

Information Systems Acceptable Use Policy for Learners

Monitoring and Logging Policy. Document Status. Security Classification. Level 1 - PUBLIC. Version 1.0. Approval. Review By June 2012

Information Security Incident Management Policy September 2013

Information Security Management System Policy

University of Liverpool

The term Broadway Pet Stores refers we to the owner of the website whose registered office is 6-8 Muswell Hill Broadway, London, N10 3RT.

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE.

SPECIAL CONDITIONS FOR THE WEBSTORAGE CDN SERVICE Latest version dated 13/11/2013

Disciplinary and Dismissals Policy

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy.

How to Monitor Employee Web Browsing and Legally

Information Security and Electronic Communications Acceptable Use Policy (AUP)

Using Public Computer Services in Somerset Libraries

PostNL Group Policy. on Fraud Prevention. PostNL Group Policy. on Fraud Prevention Page 1 of 15

Policy. Social Media Acceptable Use Policy. Executive Lead. Review Date. Low

Information Incident Management Policy

Mike Casey Director of IT

Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25

Terms & Conditions. In this section you can find: - Website usage terms and conditions 1, 2, 3. - Website disclaimer

Information Governance Policy

ULH-IM&T-ISP06. Information Governance Board

Electronic business conditions of use

West Midlands Police and Crime Commissioner Records Management Policy 1 Contents

Scotland s Commissioner for Children and Young People Records Management Policy

2.2 If employees or Board Members wish to use mobile telephones or data devices provided by the Group for personal use they may opt to either:

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security

DATA PROTECTION POLICY

Records Management Policy & Guidance

Information Governance Framework. June 2015

REVIEWED BY Q&S COMMITTEE ON THE 4 TH JUNE Social Media Policy

Remote Access Policy

DATA PROTECTION POLICY

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Glasgow Kelvin College. Disciplinary Policy and Procedure

An Approach to Records Management Audit

INFORMATION GOVERNANCE POLICY

Information Security Management System Information Security Policy

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

HERTSMERE BOROUGH COUNCIL

Transcription:

Information Security Policy

INFORMATION SECURITY POLICY Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies objectives. Information security is important to the protection of the company s reputation. The management of personal data has important implications for individuals and is subject to legal obligations. The consequences of information security failures can be costly and time-consuming. The Information Security Policy sets out appropriate measures through which Norwood UK will facilitate the secure and reliable flow of information, both within Norwood and in external communications. It comprises this document, which sets out the principles and framework, and a set of specific policies, codes of conduct and guidelines addressing individual aspects of security (listed in Appendix A). The approach is based on recommendations contained in British Standard 7799 - A Code of Practice for Information Security Management. Objectives The objective of the Information Security Policy is to ensure that all information and information systems upon which Norwood UK depends are adequately protected to the appropriate level. Scope The Information Security Policy applies to information in all its forms. It may be on paper, stored electronically or held on film, microfiche or other media. It includes text, pictures, audio and video. It covers information transmitted by post, by electronic means and by oral communication, including telephone and voicemail. It applies throughout the lifecycle of the information from creation

through storage and utilisation to disposal. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations. The policy applies to all staff of Norwood UK and to other users associated with the company. With regard to electronic systems, it applies to use of Norwood UK owned facilities and privately/externally owned systems when connected to the Norwood network directly or indirectly. ( Owned is deemed to include leased, rented or on-loan). The policy applies to all Norwood owned/licensed data and software, be they loaded on Norwood or privately/externally owned systems, and to all data and software provided to Norwood by sponsors or external agencies. Policy Statement Norwood UK is committed to protecting the security of information through the preservation of confidentiality: protecting information from unauthorised access and disclosure integrity: safeguarding the accuracy and completeness of information and processing methods availability: ensuring that information and associated services are available to authorised users when required Norwood UK will develop, implement and maintain policies and procedures to achieve appropriate levels of information security. These will cover the range of elements that need to be addressed in the management of information security, in particular the following policy requirements

Authorised Use Norwood UK information systems are provided to support the company s activities including learning, teaching, research, reach-out, administration and approved business activities. Only staff and persons authorised by appropriate Norwood UK authority are entitled to use Norwood s information systems. Acceptable Use All users have an obligation to use information and information systems responsibly. Rules are defined in the Acceptable Use Policy and Code of Practice. Monitoring and Privacy Norwood UK respects the privacy of its users and there is no routine monitoring of e-mail content or individual Web access. However Norwood reserves the right to make interceptions in certain circumstances defined in the Code of Practice. Protection of Software All users must comply with the Copyright, Designs and Patents Act 1988 under which it is an offence to copy software or licensed products without the permission of the owner of the copyright. Retention and Disposal of Information All staff have a responsibility to consider security when using and disposing of information in the course of their work. Norwood UK recommends retention periods for certain kinds of information and departments should establish procedures appropriate to the information held and processed by them, and ensure that all staff are aware of those procedures.

Virus Control Norwood UK has an Anti-virus Policy and it is an offence under company regulations to knowingly introduce a virus or take deliberate action to circumvent precautions taken to prevent the introduction of a virus. Business Continuity Norwood UK will implement, and regularly update, a business continuity management process to counteract interruptions to normal activity and to protect critical processes from the effects of failures or damage to vital services or facilities. Legal and Contractual Requirements Norwood UK will abide by all UK legislation and relevant legislation of the European Community related to the holding and processing if information. This includes the following Acts and the guidance contained in the Information Commissioner s Codes of Practice: Computer Misuse Act 1990 Copyright Designs and Patents Act (1988) Data Protection Act 1998 Freedom of Information Act (2000) Human Rights Act (1998) Regulation of Investigatory Powers Act (2000) Responsibilities The IS/IT Strategy Group is responsible for the information security. Norwood UK SHEQ Manager will be responsible for development of the policy, will co-ordinate implementation and dissemination, and will monitor the operation of the policy working in collaboration with other departments. Heads of Group/Departments, with support from the SHEQ Manager, are responsible for ensuring that information and information systems used within their department are managed and used in accordance with information

security policies. Everyone granted access to Norwood UK information systems has a personal responsibility to ensure that they, and others who may be responsible to them, are aware of and comply with the policies, codes of conduct and guidelines. Each individual is responsible for protecting Norwood UK s information assets, systems and infrastructure, and will protect likewise the information assets of third parties whether such protection is required contractually, legally, ethically or out of respect for other individuals or organisations. All staff and other users should report immediately any observed or suspected security incidents where a breach of Norwood UK s security policies has occurred, any security weaknesses in, or threats to, systems or services. Reports should be made to the manager, the owner of the information, or, where the IT infrastructure is involved or the SHEQ Manager. Those responsible for information or information systems, for example database and IT systems administrators, must ensure that appropriate security arrangements are established and maintained. Policy Awareness and Disciplinary Procedures The Information Security Policy will be made available to all staff via the web. Staff and authorised third parties and contractors given access to Norwood UK information systems will be advised of the existence of the relevant policies, codes of conduct and guidelines. Users will be asked to confirm that they understand the policy before being given access to some systems. Failure to comply with the Information Security Policy may lead to suspension or withdrawal of an individual s access to information systems. Failure of a member of staff to comply with the Information Security Policy may lead to the instigation of the relevant disciplinary procedures as specified in their terms and conditions of employment and, in certain circumstances, legal action may be taken. Minor infringements, such as causing inconvenience to other users, may lead to a verbal or written warning. Major infringements, such as major breach of confidentiality, harassment, or illegal activities may lead to a formal warning, suspension or termination of employment. This is not

an exhaustive list of possible offences and Norwood UK will determine whether a case is minor or major having regard to all the circumstances of each incident. Failure of a staff member to comply with the Information Security Policy may lead to the instigation of the disciplinary procedures, and, in certain circumstances, legal action may be taken. Minor infringements, such as causing inconvenience to other users, may lead to disciplinary action under the minor offences procedures. Major infringements, such as major breach of confidentiality, harassment, or illegal activities may lead to action under the major offences procedures This is not an exhaustive list of possible offences and Norwood UK will determine whether a case is minor or major having regard to all the circumstances of each incident. Failure of a contractor to comply could lead to the cancellation of a contract and, in certain circumstances, legal action may be taken. Information Security Education and Training Norwood UK recognises the need for all staff and other users of Norwood systems to be aware of information security threats and concerns, and to be equipped to support Norwood security policy in the course of their normal work. Appropriate training or information on security matters will be provided for users and departments will supplement this to meet their particular requirements. Information Services will undertake a proactive campaign of awareness and monitor/report upon incidents. Maintenance The Information Security Policy will be monitored and reviewed as necessary. Revisions will be subject to appropriate consultation. The SHEQ Manager will report on a summary and exception basis, will notify issues and bring forward recommendations. Managers are required to carry out periodic risk assessments and establish and maintain effective contingency plans. They are also required to carry out regular assessment of the security arrangements for their information systems. Those responsible for information or information

systems must carry out periodic risk assessments of their information and the security controls in place. They must take into account changes in business requirements, changes in technology and any changes in the relevant legislation and revise their security arrangements accordingly. Signed for and on behalf of the company Jo Shuttlewood HR Director

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information