Information security incident reporting procedure

Responsible Officer: Ben Bennett, Business Planning & Resources Director
Author: Julian Lewis, Governance Manager
Date effective from: 2009
Date last amended: December 2015
Review date: December 2018
Version: 1.4

Introduction

1. NICE is committed to ensuring that effective safeguards are applied to the information it holds. NICE therefore uses the Security Policy Framework (SPF) to ensure compliance with Government-wide standards and protocols for information governance.

2. NICE holds a range of confidential information. This includes personal data relating to its staff and to some of the individuals it works with. NICE also holds commercial in confidence data, and information from the Health and Social Care Information Centre (HSCIC) that is anonymised but may still be patient identifiable.

3. Reporting information security incidents helps NICE maintain a safe and secure working environment. It helps protect the confidentiality, integrity and availability of the information and systems accessed, and is important for effective risk management.

4. Managing incidents relating to the security of information is a cyclical process of identification, reporting, investigation, resolution and learning, to minimise the risk of recurrence.

5. All staff members have a responsibility to report information security incidents, whether deliberate or accidental.

6. This procedure outlines the main requirements for incident reporting related to information security events only. It is designed to ensure that each incident is recorded, that the event is properly reviewed, that corrective action is taken where necessary, and to provide clarity over accountability and responsibility for actions.

7. Incidents relating to health and safety should be reported in accordance with the Health & Safety Welfare Manual. Any identified fraud should be reported in accordance with the Counter Fraud and Anti-Bribery Policy.

Information security

8. An information security incident is defined as the exposure of sensitive personal data or confidential information to unacceptable risk. It may include any actual or potential breach of security which may compromise the confidentiality, integrity or availability of information stored, processed or communicated in relation to NICE business, whether in hard copy or electronic format. Each potential incident will be risk assessed on a case by case basis.

9. The term information security incident covers a wide range of events which can vary considerably, so it is not possible to detail every one. The following list gives examples of the types of security incident that should be reported:

- Sensitive personal data [1]: risk of accidental or deliberate disclosure of sensitive personal data, e.g. applications for committee membership held on a file drive with general staff access.

- Confidential information, including Commercial in Confidence (CiC) and Academic in Confidence (AiC) information: risk of accidental or deliberate access to confidential information by an unauthorised person, e.g. (1) CiC information sent to the wrong recipient; (2) CiC information sent by email without password protection or encryption.

- Passwords: an unauthorised person has gained access to your account, or attempted to gain access, using your password, e.g. password/login details left accessible and unsecured to visitors in a home worker's home.

- IT security breach: degraded IT system integrity or loss of system availability posing a threat of loss of information or disruption of activity; unauthorised access to data.

- Physical security breach: unauthorised access to secure areas containing confidential information, e.g. forced access to a locker containing confidential information or sensitive personal data.

- Theft or loss of portable media: unencrypted laptops or other portable media containing confidential or sensitive personal data lost or stolen, e.g. a laptop stolen from a car.

[1] As defined in Appendix 1.

10. This list is not exhaustive, and staff must report any incident where they have a reasonable belief that there is a risk to the security of sensitive personal data or any confidential information.

Reporting security incidents

11. Incidents should be reported to the Governance Manager and line manager by email. Information on the incident should include a description of the data lost or stolen, whether it was held in hard copy or on portable media, the quantity (if known), where it was lost and the sensitivity of the data (if known).

12. In addition, all information incidents involving an IT security breach should be reported immediately to the IT Team for corrective action. Security incidents that may have an impact on N3 [2] will be reported immediately, by the Associate Director - Procurement and IT, to the N3 SP Helpdesk. The Associate Director - Procurement and IT and/or the Governance Manager will brief the Business Planning & Resources Director (SIRO) and, if patient information is involved, the Caldicott Guardian.

13. Any incident relating to confidential information received from the Health and Social Care Information Centre (HSCIC) will be reported to the HSCIC in accordance with the conditions set out in the agreement with the HSCIC.

14. Security incidents involving sensitive data should be assessed based on the potential detriment to the individual and/or organisations affected, including possible distress and financial damage, together with the volume of data involved.

15. Any IT incident occurring outside secure office premises should be reported immediately to the NICE IT department. The IT department maintains its own system security for portable media and the IT network.

16. The Corporate Office retains a central log of all reported information security incidents. These will be reviewed by the Governance Manager and the Associate Director - Corporate Office and escalated via the Business Planning & Resources Director, as Senior Information Risk Owner (SIRO), to SMT and the Audit and Risk Committee as necessary.

17. All incidents escalated to the Audit and Risk Committee should include a top line synopsis of the data involved, the nature of the incident, the immediate actions taken in mitigation, and the lessons learnt to minimise the risk of recurrence.

[2] N3 connectivity is the connection between NICE IT systems and the NHS intranet.

Appendix 1 - Definition of personal data

1. Personal data is any information which relates to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller; and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

2. This definition should be considered in light of the extent to which the data relates to the individual's privacy in their family life, business or professional capacity.

3. Sensitive personal data is information that includes the name of an individual, combined with one or more of the following:

- Bank / financial / credit card details
- National Insurance number / tax, benefit or pension records
- Passport number / information on immigration status
- Travel details (for example at immigration control, Oyster records, or personal (non-NICE) travel records)
- Health records
- Work record
- Material related to social services (including child protection) or housing case work
- Conviction / prison / court records / evidence
- Other sensitive data defined by s.2 of the Data Protection Act 1998, including information relating to:
  (a) racial or ethnic origin
  (b) political opinions
  (c) religious beliefs or other beliefs of a similar nature
  (d) membership of a trade union
  (e) physical or mental health or condition
  (f) sex life
  (g) the commission or alleged commission by him of any offence
  (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Appendix 2 - Reporting of information security incidents

Minor*
- No material damage to the reputation of the individual or organisation
- Minor breach of confidentiality
- Up to 20 individuals affected
- Report to: Corporate Office and Business Planning & Resources Director

Medium
- Damage to an individual's reputation / privacy
- Potentially serious breach
- Over 20 people affected and media not encrypted
- Report to: Corporate Office and Business Planning & Resources Director; Audit and Risk Committee

Significant
- Damage to NICE reputation
- Serious breach of confidentiality or disclosure of sensitive personal data, OR over 100 people affected
- Report to: Audit and Risk Committee; Board; ALB BSU and Senior Departmental Sponsor and/or ICO

* All incidents should be assessed on a case by case basis in light of the potential harm that could be done in each case, either to an individual or a third party or to NICE. The Business Planning & Resources Director, as Senior Information Risk Owner (SIRO), retains the discretion to escalate the reporting of an incident to the Audit and Risk Committee or Board.

Appendix A - Version Control Sheet

Version: 1.4
Date: (blank)
Author: Julian Lewis
Replaces: 1.3
Comment: (blank)