Information Security Incident Management Policy. Policy and Guidance. June 2013




Information Security Incident Management Policy
Policy and Guidance
June 2013

Project Name: Information Security Incident Management Policy
Product Title: Policy and Guidance
Version Number: 1.2 Final

Document Control

Organisation: Mendip District Council
Title: Information Security Incident Management Policy
Author: Jennifer Russell, ICT Manager
Filename: Information Security Incident Management Policy.Doc
Owner: ICT Manager
Subject: IT Policy
Protective Marking: Internal Public
Review date: June 2014

Revision History
Revision | Date | Revisor | Previous Version | Description of Revision
V1.0 | | Steve Mawn | | Creation
V1.1 | | Jennifer Russell | 1.0 | Review
V1.2 | | Jennifer Russell | 1.1 | Review

Document Approvals
This document requires the following approvals:
Sponsor Approval | Name | Date
Chief Executive | Stuart Brown |
Corporate Manager Access to Services | Chris Atkinson |
ICT Manager | Jennifer Russell |

Document Distribution
This document will be distributed to:
Name | Job Title | Email Address
All Staff | |

Contents
1 Policy Statement
2 Purpose
3 Scope
4 Definition
5 Risks
6 Applying the Policy
  6.1 Containment or Control and Recovery
  6.2 Assessment of ongoing risk
  6.3 Notification of Breach
  6.4 Evaluation and Response
7 Policy Compliance
8 Policy Governance
9 Review and Revision
10 References
11 Key Messages
12 Appendix 1
13 Appendix 2 Examples of Information Security Incidents

1 Policy Statement
Mendip District Council will ensure that it reacts appropriately to any actual or suspected incidents relating to information systems and information within the custody of the Council.

2 Purpose
This document sets the standards by which Mendip District Council (MDC) will respond to a breach or unauthorised disclosure of Council information, and the process staff need to follow when a breach occurs.

3 Scope
This policy applies to all MDC employees, Councillors and contractors working on our behalf.

4 Definition
Mendip District Council processes large amounts of both personal and non-personal information. We are required by law to take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal information. This policy indicates the steps MDC employees and our contractors are required to take in the event of a breach in information security.

An information security breach can happen for a number of reasons:
- Loss or theft of information stored either as a hard copy or on equipment such as desktop PCs, laptops, handheld devices (PDAs and Blackberries), mobile phones, etc., as well as portable media such as memory sticks and DVD/CD-ROMs.
- Inadequate access controls in place which allow unauthorised users to access both manual records and electronic systems.
- Equipment failure.
- Human error.
- Unforeseen circumstances such as a fire or flood.
- Hacking of the IT system by an external third party.
- Information obtained dishonestly (corporate fraud).

The following sections cover specific areas of the information security incident management policy:
3.1 Containment or Control and Recovery
3.2 Assessment of ongoing risk
3.3 Notification of Breach
3.4 Evaluation and Response

5 Risks
Mendip District Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business.

This policy aims to mitigate the following risks:
- To reduce the impact of information security breaches by ensuring incidents are followed up correctly.
- To help identify areas for improvement to decrease the risk and impact of future incidents.

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers.

6 Applying the Policy

6.1 Containment or Control and Recovery
Information security breaches will require not just an initial response to investigate and contain the situation, but also a recovery plan. This should include, where necessary, damage limitation. This will often involve input from specialists across the Council such as Strategic IT and Capita IT, HR and Communications, and in some cases contact with external stakeholders and suppliers. In cases of theft of data, it may be appropriate to inform the police and the Information Commissioner's Office.

The flowchart at Appendix 1 sets out the procedure which staff should follow when an incident occurs. The key outcomes of the investigation into the incident will be to:
- Determine the type of breach.
- Establish who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise.
- Establish whether there is anything we can do to recover any losses and limit the damage the breach may cause.
- Put in place measures to avoid the breach recurring.

Where it is suspected that a serious intentional breach has been caused by a user on the corporate network, their permissions may be removed from the network as soon as practicable and their door pass disabled. In the event of criminal activity, the police should be notified.

6.2 Assessment of ongoing risk
As the Council holds personal and often sensitive information on our customers, it is important to establish early on the risks and consequences of this information being lost or disclosed without the customer's consent. The following points should be taken into consideration:
- What type of information is involved? Does the information relate to our customers or staff, or is it non-personal?
- How sensitive is the information? Some information will be sensitive because of its very personal nature (social care, children's and benefit records), while other types of information are sensitive because of what could happen if misused (bank account details, politically sensitive information, etc.).
- What security, if any, was in place? If information has been lost or stolen, were there any measures in place to protect the information, such as encryption or password protection?
- What has happened to the information? Information that has been lost or stolen poses a different risk from information that has been corrupted or damaged.

- Can the information be restored or re-created? Assess whether the situation can be eased by a recovery or partial recovery of lost or corrupted information (backup discs, etc.).
- How usable is the lost information? Assess what could happen if the information got into the wrong hands. Is the information particularly sensitive, or is it largely meaningless to non-Council staff?
- How many customers are affected by the breach? Whilst any breach is serious, if it affects a large number of people then the impact on the organisation will be greater. A risk assessment should be conducted when the breach occurs to identify the breadth and depth of the impact.
- Whose information has been lost and what harm could there be to these individuals? Whether they are staff, customers, clients or suppliers, their status will to some extent determine the level of risk posed by the breach and our actions in attempting to mitigate those risks. Are there risks to an individual's physical safety, the Council's reputation, financial loss, or a combination of these?
- What other considerations are possible? Are there wider consequences to consider, such as a risk to public health or loss of public confidence in an important service we provide?
- Can the information be used for fraudulent purposes? Can the information be used for ID fraud? If individuals' bank details have been lost, consider contacting the banks themselves for advice on how they can help to prevent fraudulent use.

6.3 Notification of Breach
Notification to individuals of an information security breach should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves, or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints. Answering the following questions will assist in deciding whether to notify:
- Are there any legal or contractual requirements?
- Will revealing the breach further compromise security?
- Would notification help or hinder us in meeting our security obligations with regard to the seventh data protection principle, which requires us to keep data secure?
- Can notification of the breach help the individual? Bearing in mind the potential effects of the breach, could individuals act on the information provided to mitigate risks to themselves, for example by cancelling a credit card or changing a password?
- How many individuals are affected? If a large number of people are affected, or there are likely to be very serious consequences, we should inform the Information Commissioner's Office (ICO). When notifying the ICO, details should be included of the security measures in place, such as encryption, and, where appropriate, details of the security procedures in place at the time the breach occurred.
- Can the people affected by the breach understand the issue? Consider how notification can be made appropriate for particular groups of individuals, for example if notifying children or vulnerable adults.

- Is the breach relatively minor? Not every incident will warrant notification, and notifying all customers when the breach affects a small percentage may well cause disproportionate enquiries and additional work.
- How are the details communicated? Consideration should be given to who should be notified, what the message is, how the message will be communicated and the security of the communication medium used.
- Who else needs to know? Ensure the appropriate regulatory body is notified. A sector-specific regulator may require WBC to notify them of any type of breach, but the ICO should only be notified when the breach involves personal data.

What needs to be included in a data breach notification:
- A description of how and when the breach occurred and what data was involved.
- Details of what steps have already been taken to respond to the risks posed by the breach.
- Specific and clear advice on the steps those affected can take to protect themselves, and also what you are willing to do to help them.
- A contact point for further information or to ask you questions about what has occurred.
- Record what happened in writing.

Anything else we need to do? We may also need to consider notifying third parties such as the police, insurers, professional bodies, bank or credit card companies who can assist in reducing the risk of financial loss to individuals, and trade unions.

6.4 Evaluation and Response
It is important not only to investigate the causes of the breach but also to evaluate the effectiveness of our response to it. If the breach was caused, even in part, by systemic and ongoing problems, then simply containing the breach and continuing business as usual is not sufficient. A breach may also require a review of policies and management responsibility. To reduce the risk of further breaches we should:
- Ensure we know what types of information we hold, whether this includes personal data, and where and how it is stored.
- Establish where the biggest risks lie. This will normally be dictated by the sensitivity of the data.
- When sharing data, ensure that the method of transmission is secure and only share or disclose the minimum amount of data necessary. For social care information, we must ensure that the Caldicott principles for information sharing are applied.
- Identify weak points in the Council's existing security measures, such as the use of portable storage devices or access to public networks.
- Address staff awareness of security issues through training, regular security audits and information in the staff bulletin.

In the event of a serious breach, the Monitoring Officer (Head of Governance and Democratic Services) should be immediately informed. All breaches should be notified via the Capita IT helpdesk (see flowchart at Appendix 1). The Team Manager will then be informed and appropriate mitigation/investigation put in place. All breaches will be reported to the Partnership Operating Board and GovCertUK. Any breach that affects one of our partner organisations, or any breach of a data sharing protocol, should be communicated to the partners.

MDC does not actively monitor information exchanges with external bodies for criminal activity. However, it will co-operate with any investigation into such activity to the fullest extent that it is able and within the limits and requirements of English law. MDC will attempt to identify the source of any attack on its services and will take appropriate steps, which may include legal action.

7 Policy Compliance
If any user is found to have breached this policy, they may be subject to Mendip District Council's disciplinary procedure. If a criminal offence is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s). If you do not understand the implications of this policy or how it may apply to you, seek advice from Strategic ICT.

8 Policy Governance
The following table identifies who within Mendip District Council is Accountable, Responsible, Informed or Consulted with regard to this policy. The following definitions apply:
- Responsible: the person(s) responsible for developing and implementing the policy.
- Accountable: the person who has ultimate accountability and authority for the policy.
- Consulted: the person(s) or groups to be consulted prior to final policy implementation or amendment.
- Informed: the person(s) or groups to be informed after policy implementation or amendment.

Responsible | ICT Manager
Accountable | Corporate Manager Access to Services
Consulted | Corporate Management Team, Human Resources and UNISON
Informed | All Council Employees, All Temporary Staff, All Contractors

9 Review and Revision
This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months. Policy review will be undertaken by the Strategic ICT Manager.

10 References
The following Mendip District Council policy documents are directly relevant to this policy:
- Email Policy
- Internet Acceptable Use Policy
- Software Policy
- GCSx Acceptable Usage Policy and Personal Commitment Statement
- Computer, Telephone and Desk Use Policy
- Removable Media Policy
- Remote Working Policy
- IT Access Policy
- Legal Responsibilities Policy
- Information Protection Policy
- Human Resources Information Security Standards
- IT Infrastructure Policy
- Communications and Operation Management Policy

11 Key Messages
- All staff should report any incidents or suspected incidents immediately by notifying the Capita IT helpdesk.
- We can maintain your anonymity when reporting an incident if you wish.
- If you are unsure of anything in this policy you should ask for advice from Strategic ICT.

12 Appendix 1
The incident reporting flowchart sets out the following steps:
1. Security weakness or incident observed.
2. Incident reported to Capita IT Helpdesk.
3. Incident logged.
4. Line management informed.
5. Action required?
   - No: incident call closed.
   - Yes: incident investigated and recommendations or action plan put forward.
6. Action taken and relevant officers informed of changes.
7. Incident report forwarded to the Partnership Operating Board; the Group decides whether any policy changes are required.
8. Incident call closed.

13 Appendix 2 Examples of Information Security Incidents
Examples of the most common information security incidents are listed below. It should be noted that this list is not exhaustive.

Malicious
- Giving information to someone who should not have access to it, whether verbally, in writing or electronically.
- Computer infected by a virus or other malware.
- Sending a sensitive e-mail to 'all staff' by mistake.
- Receiving unsolicited mail of an offensive nature.
- Receiving unsolicited mail which requires you to enter personal data.
- Finding data that has been changed by an unauthorised person.
- Receiving and forwarding chain letters, including virus warnings, scam warnings and other emails which encourage the recipient to forward them on to others.
- Unknown people asking for information which could gain them access to Council data (e.g. a password or details of a third party).

Misuse
- Use of unapproved or unlicensed software on Mendip District Council equipment.
- Accessing a computer database using someone else's authorisation (e.g. someone else's user ID and password).
- Writing down your password and leaving it on display or somewhere easy to find.
- Printing or copying confidential information and not storing it correctly or confidentially.

Theft / Loss
- Theft or loss of a hard copy file.
- Theft or loss of any Mendip District Council computer equipment.