Information Governance Management Framework

Information Governance Management Framework

Document Status: Approved
Version: v1.3

DOCUMENT CHANGE HISTORY (version, date, comments i.e. viewed, reviewed, amended, approved by person or committee)
v1.0, 8 June 2012: Draft, Phil Stimpson
v1.1, 23 July 2012: Additions made to draft by Phil Stimpson
v1.2, 24 August 2012: Include IG Toolkit Workplan as Appendix F. Approved by CCG Quality Committee 09/01/2013
V1.3, 22 April 2013: Include Information Security Work plan as Appendix G. Revised list of IG policies
V1.3, 26 June 2013: Approved by SDT CCG Quality Committee

Authors (names and roles of contributors, committee members etc.): Corporate Affairs Manager
Document Reference: IG Toolkit version 11 requirements 130, 131, 134, 230, 231, 232, 233, 341, 345, 349
Directorate: Corporate Affairs
Approval: Quality Committee
Review Date of approved document: April 2014

South Devon and Torbay Clinical Commissioning Group promotes equality, diversity and human rights and is committed to ensuring that all people and communities it serves have access to the services we provide. In exercising the duty to address health inequalities, the CCG has made every effort to ensure this policy does not discriminate, directly or indirectly, against patients, employees, contractors or visitors sharing protected characteristics of: age; disability; gender reassignment; marriage and civil partnership; pregnancy and maternity; race; religion and belief; sex (gender); sexual orientation or those protected under Human Rights legislation.

All CCG policies can be provided in large print or Braille formats; translations on request; language line interpreter services are available; and website users can use contrast, text sizing and audio tools if required. For any other assistance, please contact the CCG at sdtccg@nhs.net or 01803 652500.

South Devon & Torbay CCG Information Governance Management Framework v1.3 June 2013 Page 1 of 19

CONTENTS (section, page)
1. Introduction (page 3)
2. Definitions & Key Roles (page 5)
3. Key Policies (page 6)
4. Key Governance Bodies (page 6)
5. Resources (page 6)
6. Governance Framework (page 7)
7. Information Governance Toolkit (page 7)
8. Information Governance Training and Guidance (page 8)
9. Incident Management (page 8)
10. Information Sharing (page 9)
11. Information Security (page 9)
Appendix A Glossary (page 10)
Appendix B SDT CCG / Devon PCT Cluster staff in key IG roles (page 11)
Appendix C SDT CCG / Devon PCT Cluster support arrangements for SIRO (page 12)
Appendix D SDT CCG / Devon PCT Cluster support arrangements for Caldicott Guardian (page 13)
Appendix E SDT CCG / Devon PCT Cluster Information Governance Policies (page 14)
Appendix F SDT CCG / Devon PCT Cluster Information Sharing Protocols (page 15)
Appendix G IG Toolkit Workplan (not included)
Appendix H Information Security Operational Plan 2013-14 (page 16)

Linked strategies, policies and other documents: Information Governance Policy; Data Protection Policy; Code of Confidentiality; Records Management Policy.

Dissemination requirements: The policy will be disseminated via managers to cascade to staff within their remit. This framework will be made available on the CCG's intranet and internet sites.

1 Introduction

1.1 Introduction

1.1.1 The Information Governance Toolkit (IGT) for 2013/14 requires NHS South Devon and Torbay Clinical Commissioning Group (CCG) to have an Information Governance Management Framework (IGMF) to bring together all threads of the CCG's Information Governance (IG) activities in an approved document.

1.1.2 References are made throughout this Framework to the Information Governance Toolkit in the format 11-130, where 11 refers to version 11 for 2013/14 and 130 refers to requirement number 130.

1.1.3 Much of the content of this Framework is taken directly from Connecting for Health guidance, to ensure that the Cluster produces the precise documentation required for Information Governance Toolkit auditing and evidence purposes.

1.1.4 Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources. The way that an organisation chooses to deliver against these requirements is referred to within the Information Governance Toolkit as the organisation's Information Governance Management Framework. This Framework must be documented, approved at the most appropriate senior management level in the organisation (e.g. the Governing Body, the Executive Team or a named Executive Director) and reviewed annually.

1.1.5 The Information Governance Management Framework adopted by a CCG may be described in a standalone document or may be incorporated within an over-arching Information Governance Policy or an Information Governance Strategy. Whilst many elements of Information Governance Management Frameworks will be similar for different organisations and must cover the headings described in the table below, there is no requirement for frameworks to be identical. The Information Governance Management Framework should provide a summary/overview of how an organisation is addressing the Information Governance agenda, adapted appropriately to the capacity and capability of the organisation concerned.

1.1.6 The elements of an Information Governance Management Framework, as defined by Connecting for Health, are shown in the table below:

INFORMATION GOVERNANCE MANAGEMENT FRAMEWORK (heading, requirement, notes)

Senior Roles
Requirement: Senior Information Risk Owner (SIRO) (11-345); Caldicott Guardian (11-230); IG Lead.
Notes: These roles should be at Governing Body or the most senior leadership team level. The IG lead and the SIRO may be the same individual but the Caldicott Guardian should be distinct from both of the others and advisory rather than accountable.

Key Policies
Requirement: Over-arching IG Policy (11-131); Data Protection Act 1998/Confidentiality Policy; Organisation Security Policy; Information Lifecycle Management Policy; Corporate Governance Policy.
Notes: Policies set out scope and intent. The over-arching IG policy should reference the three supporting Confidentiality, Security and Records Management policies and might be where the organisation's intended IG Management Framework is documented.

Key Governance Bodies
Requirement: IG Board / Forum / Steering Group.
Notes: A group, or groups, with appropriate authority should have responsibility for the IG agenda. This might be one or more standalone groups or be part of an Integrated Governance Board or Risk Management group.

Resources
Requirement: Details of key staff roles and dedicated budgets.
Notes: The key staff involved in the IG agenda below those at Governing Body or most senior levels should be identified with a description of their roles and responsibilities. This may include an IG officer, Data Protection Officer, Information Security Officer, Freedom of Information Manager, Corporate and Clinical Governance Leads or Data Quality Leads. Any dedicated budgets and high level plans for expenditure in-year should also be identified, including outsourcing to external resources or contractors.

Governance Framework
Requirement: Details of how responsibility and accountability for IG is cascaded through the organisation (11-230 & 11-345).
Notes: This should include staff contracts, contracts with third parties, Information Asset Owner arrangements, Departmental Leads on aspects of IG etc.

Training & Guidance
Requirement: Staff Code of Conduct (11-231, 11-232 & 11-233); Training for all staff (11-134); Training for specialist IG roles.
Notes: Staff need clear guidelines on expected working practices and on the consequences of failing to follow policies and procedures. The approach to ensuring that all staff receive training appropriate to their roles should be detailed.

Incident Management
Requirement: Organisation Security Policy; Documented procedures and staff awareness (11-341, 11-342 & 11-345).
Notes: Clear guidance on incident management procedures should be documented and staff should be made aware of their existence, where to find them and how to implement them.

2 Definitions & Key Roles

Information Governance Management Framework: documented approach to the organisation and delivery of clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources.

The following roles should be at Governing Body or the most senior leadership team level:

Senior Information Risk Owner (SIRO): A member of the Senior Management Team (SMT) with overall responsibility for the organisation's information risk policy. The SIRO will also lead and implement the Information Governance risk assessment and advise the SMT on the effectiveness of risk management across the organisation. The SIRO's responsibility is formally added to the job description of this individual, using the standard Connecting for Health wording. Details of the staff roles directly supporting the SIRO are shown in Appendix C. (11-345)

Information Asset Owners (IAO): A senior member of staff who is the nominated owner for one or more of the identified information assets of the CCG. The IAO responsibility is formally added to the job description of this individual, using the standard Connecting for Health wording.

Information Governance (IG) Lead: A senior representative in the organisation who leads and co-ordinates the Information Governance work programme. This may be the same individual as the SIRO.

Information Security Lead: A senior representative supporting the organisation who leads and co-ordinates the Information Technology / Security work programme. This individual may report directly to the CCG SIRO.

Caldicott Guardian: A member of the Senior Management Team responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing. Caldicott Guardians were mandated for NHS organisations by Health Service Circular HSC 1999/012, and later for social care by Local Authority Circular LAC 2002/2. General Practices are required by regulations to have a confidentiality lead. This position may not be the same individual as the SIRO or the IG lead because the Caldicott Guardian's role should be advisory rather than accountable. Details of the staff roles directly supporting the Caldicott Guardian are shown in Appendix D. (11-230)

Details of senior leadership roles for Information Governance are shown in Appendix B.

3 Key Policies

This is of particular relevance to 11-131.

Policies set out scope and intent. The over-arching IG policy should reference the three supporting Confidentiality, Security and Records Management policies. The CCG's Information Governance policies will be reviewed and agreed by the IG Forum, followed by approval by the Quality Committee.

IT Security policies follow the same basic principles as other Information Governance policies, and the writing, review and approval techniques described here apply equally to IT Security policies.

The responsibility for writing a particular policy is normally assigned by a senior manager (Manager or Head of Department) or to a named individual having expertise in that area. For Information Governance policies, the Information Governance Manager is typically tasked with writing appropriate policies. As policies require an update, either because they are near the agreed review date or because legislation, national guidance or working practices have changed, the original author will typically make the necessary changes.

The CCG's Information Governance policies are listed in Appendix E.

4 Key Governance Bodies

The Quality Committee, with authority delegated from the CCG Governing Body, will be the typical mechanism for directing and approving Information Governance work programmes, receiving reports and approving policies.

The IG experts from across the CCG's departments (corporate, quality, medicines, business intelligence) meet on a monthly basis to share learning and best practice and to ensure that IG work programmes are on track, particularly the IG Toolkit plans and submissions for each organisation. This is the IG Forum.

5 Resources

The key staff involved in the IG agenda are identified with a description of their roles and responsibilities. These staff may either be directly employed by the CCG or their professional services are provided to the CCG via a contract with other NHS organisations, and include Information Governance Manager, Data Protection Officer, Information Security Manager, Freedom of Information Manager, Corporate and Clinical Governance leads or Data Quality leads. Details of key staff roles are described in Appendix B.

The Information Security Manager of NEW Devon CCG holds the CISM qualification (Certified Information Security Manager), having passed ISACA exams in December 2009, and is contracted to South Devon and Torbay CCG to undertake Information Security work for this CCG.

6 Governance Framework

This is of particular relevance to 11-230 and 11-345.

The CCG's Caldicott Guardian is a member of the Senior Management Team and is supported in this function as described in Appendix D.

The contracts of all CCG staff contain specific Confidentiality and Data Protection clauses that describe staff's responsibilities towards any personal data they process [these clauses will also be included in any new CCG positions created]:

CONFIDENTIALITY / DATA PROTECTION

You must adhere to the CCG's policy, national legislation and common law in relation to confidential and personal information. You must not disclose any information of a confidential or personal nature relating to the employer or in which the employer has a duty of confidence to any third party other than where you are obliged to disclose such information in the proper course of your employment or required by law.

A failure to follow any policy in relation to the collection, keeping, processing or destruction of personal data and / or confidential information, and whether deliberate or accidental, whether regarding a patient, another staff member or other third party, will be regarded as potential misconduct, and may result in disciplinary proceedings being brought. Deliberate or negligent misuse of data, whether by unlawful disclosure or otherwise, may be considered gross misconduct, and may result in summary dismissal in the most serious cases.

This clause does not interfere with your rights to make a disclosure under the Public Interest Disclosure Act 1998 ("whistle blowing"), which gives legal protection to employees against being dismissed or penalised by their employers as a result of disclosing information which is considered to be in the public interest and which you believe shows malpractice/wrongdoing within the CCG. If you are making a disclosure under the Public Interest Disclosure Act you must ensure that you follow the procedure laid down in the CCG Whistle blowing Policy.

7 Information Governance Toolkit

The CCG aims to achieve level 2 for all Information Governance Toolkit requirements. The Information Governance Statement of Compliance (IGSoC) has been signed by the Chief Operating Officer; this commits the CCG to achieving compliance with the terms and conditions of the statement, including meeting a minimum of level 2 for all IG Toolkit requirements, or having an agreed improvement / action plan in place to achieve that level.

Documentary evidence to meet the IG Toolkit requirements is compiled by the Information Governance and IT Security Managers, and uploaded onto the IG Toolkit website as appropriate.

For version 10 of the IG Toolkit, the final submission was made on 19 April 2013. Version 11 will apply in 2013/14, and the CCG is expected to have achieved level 2 compliance across all requirements by 30 June 2013. A statement on this will be made by the Information Governance Manager to the Quality Committee in June 2013, at which point authorisation for submission from the Quality Committee and SIRO will be sought. The action plan to achieve level 2 across all requirements is contained at Appendix G.

8 Information Governance Training and Guidance

This is of particular relevance to 11-134, 11-231, 11-232 and 11-233.

All staff receive Information Governance training during their first year of employment with the CCG (ideally within the first few weeks of employment) and annual Mandatory refresher training. This comprises the online IG Training Tool module(s) relevant to each role, supplemented as necessary by classroom training sessions. The Information Governance Manager and IT Security Manager work closely with the Organisation Development team to ensure that all staff are undertaking the prescribed online training modules recommended by Connecting for Health. Further specific staff training on particular aspects of Information Governance can also be delivered during Departmental development days, Team meetings and other staff events.

Details of policies will be cascaded to staff through line management and via the CCG's intranet. Copies of approved policies will be published on the CCG's website... The CCG recognises that dissemination via electronic methods is not always the best approach to ensure that all staff understand the policies relevant to their work, and that other cascade and awareness routes are also available as appropriate, including:
a. Inclusion in local induction process/paperwork.
b. Corporate induction.
c. Email reminders.
d. Newsletters.
e. Information on policies and procedures provided with letter of appointment.
f. Focus increased within Mandatory Training (refresher).
g. Further inclusion of responsibilities of staff included within individual contracts.

9 Incident Management

This is of particular relevance to 11-341, 11-342 and 11-345.

Guidance has been issued to staff on recording both Clinical and non-clinical Incidents, the latter to include Information Governance incidents such as data loss and breach of confidentiality, and IT Security incidents such as theft of a laptop computer. The CCG's Incident Management Policy describes the process for staff to follow. The CCG will follow the previously-published South West Strategic Health Authority's "Managing Serious Untoward Incidents reported by NHS organisations through the Strategic Executive Information System (STEIS) - Guidance for lead commissioning Primary Care Trusts". This will in due course be superseded by guidance contained in version 11 of the IG Toolkit. Incidents will be reported via KPIs to the Information Governance Forum and the Quality Committee.

10 Information Sharing

The CCG will actively engage with other organisations (for example other health organisations, police, councils and housing trusts) to share patient information where there is a clear need and where this is in line with legislation. This activity will be covered by specific Information Sharing Protocols, which are formally signed off by the Caldicott Guardian. For the sake of clarity, a Protocol describes the principles and purposes of data-sharing, and an Agreement describes the specific data to be shared. The list of Information Sharing Protocols / Agreements to which the CCG is a signatory / partner is shown in Appendix F.

11 Information Security

The CCG operates an Information Security Operational Plan, which is an integral part of this Framework. Approval of this Framework includes approval of the Information Security Operational Plan which is attached as Appendix H.

Appendix A Glossary

CCG: Clinical Commissioning Group
CISM: Certified Information Security Manager
DPA: Data Protection Act 1998
EIR: Environmental Information Regulations 2005
FOI: Freedom of Information Act 2000
IAO: Information Asset Owner
IG: Information Governance
IGMF: Information Governance Management Framework
ISP: Information Sharing Protocol
IGSoC: Information Governance Statement of Compliance
IGT: Information Governance Toolkit
IS: Information Security
IT: Information Technology
NEW: Northern, Eastern and Western Devon Clinical Commissioning Group
SDHIS: South Devon Health Informatics Service
SIRO: Senior Information Risk Owner
SMT: Senior Management Team
SDT: South Devon and Torbay Clinical Commissioning Group
STEIS: Strategic Executive Information System

Appendix B CCG staff in key IG roles

The following staff are in key Information Governance roles as at 22nd April 2013 (role: staff working directly for, or contracted to, South Devon & Torbay CCG).

Caldicott Guardian: Gill Gant, Director of Quality Governance
Senior Information Risk Owner (SIRO): Mark Procter, Director of Corporate Affairs and Medicines Optimisation
Information Governance Manager: Phil Stimpson, Corporate Affairs Manager
Information Security Manager: Richard Ward, IT Security Manager, NEW Devon CCG, provides service under SLA to SDT [CISM qualification, December 2009]
IG Toolkit Administrator: Phil Stimpson, Corporate Affairs Manager
Data Protection Officer: Phil Stimpson, Corporate Affairs Manager
Freedom of Information Manager: Phil Stimpson, Corporate Affairs Manager
Corporate Governance Lead: Mark Procter, Director of Corporate Affairs and Medicines Optimisation
Clinical Governance Lead: Gill Gant, Director of Quality Governance
Data Quality Lead: Jo Turl, Assistant Director of Performance & Information

Appendix C CCG support arrangements for SIRO

The following staff are in key roles in support of the Senior Information Risk Owner (SIRO) as at 22nd April 2013.

Senior Information Risk Owner (SIRO): Mark Procter, Director of Corporate Affairs and Medicines Optimisation; member of Senior Management Team; formally appointed into role June 2012.

Support in SDT CCG and via SLA:
Information Governance Manager: Phil Stimpson
NEW Devon CCG Information Security Manager: Richard Ward

Information Asset Owners in SDT CCG:
Mark Procter: iknow intranet
Phil Stimpson: Shared drive (hosted by SDHIS)
This list will be completed during 2013.

Appendix D CCG support arrangements for Caldicott Guardian

The following staff are in key roles in support of the Caldicott Guardian as at 22nd April 2013.

Caldicott Guardian: Gill Gant, Director of Quality Governance; member of Senior Management Team; formally appointed into role June 2012.

Support in SDT CCG and via SLA:
Information Governance Manager: Phil Stimpson
NEW Devon CCG Information Security Manager: Richard Ward

The Caldicott Guardian is the nominated CCG signatory to all Information Sharing Protocols with other organisations. [Appendix E]

The Information Governance Manager and the IT Security Manager react to all reported information security and confidentiality issues, which are recorded as appropriate. All urgent and serious incidents are discussed in detail with the Caldicott Guardian and SIRO immediately and all agreed actions are followed through to closure. A summary report is presented regularly to the Caldicott Guardian and SIRO, and then to the Quality Committee.

Appendix E CCG Information Governance policies

The CCG will write strategies, policies and guidance to cover all aspects of Information Governance and Information Security as required by the IG Toolkit and any other relevant legislation and national guidance. These will be supplemented as a result of new developments in legal or NHS requirements or in response to identified risks or incidents within the CCG.

Policies will typically be written by the Information Governance and IT Security Managers, circulated to the IG Forum for comment and agreement, and then formally approved by the Quality Committee. Approved policies will be published on the CCG's Intranet and Internet sites.

Policies will be re-assessed, amended and approved at least every 3 years; policies will be rewritten and re-approved sooner where there have been significant changes in organisational arrangements, or the underlying legislation or NHS guidance has changed. The exception to this will be the IT policies where the CCG will adopt the policies currently used by the South Devon Health Informatics Service (SDHIS), and these will be published on the intranet site only.

South Devon and Torbay CCG Policies (name, version; the Approved column is blank in this version)
Information Governance Management Framework: 1.3
Information Governance Policy: 1.0
Information Lifecycle Management Policy (including Information Quality Strategy and Records Management Strategy): 1.0
Confidentiality and Data Protection Policy: 1.1
Corporate Governance Policy (including Freedom of Information): 1.1
Information Security Policy: 1.1
Business Continuity Strategy: 1.2
Incident Management Policy: 1.2
System Level Security Policies (for each system): 1.0

Appendix F CCG Information Sharing Protocols

The CCG is not currently a signatory to any Information Sharing Protocols, as at 22nd April 2013. However, there are a number of existing agreements (listed below) that were signed by NHS Devon and/or Torbay Care Trust, which the CCG will continue to work with in the spirit of cooperation within the health and social care environment where there is a clear benefit to the patient. As part of the normal review cycle, these agreements will be amended to reflect the position of the CCG, and signed by the CCG Caldicott Guardian. These agreements are typically reviewed every 2 years or sooner if the underlying legislation or working practices change. Signed copies of the agreements are held by the Corporate Affairs Manager. The list of protocols / agreements signed by the CCG will be added to the next version of this Framework.

Information Sharing Protocols / Agreements signed by NHS Devon / Torbay Care Trust (name: version, approved)
Overarching Health and Social Care Organisations in Devon: 1.7, Jan 2008
Youth Offending Team: 1.8, Jul 2007
Multi-Agency Public Protection Arrangements (MAPPA): 2.0, Oct 2006
Domestic Violence: 1.2, Nov 2009
Crime and Disorder: 2.0, Nov 2007
Childrens Trust: 1.0, Jul 2010
Devon Locality Intelligence Network for Controlled Drugs: 0.3, Mar 2008
Single Assessment Process (SAP): 1.2, Feb 2009
Deprivation of Liberty Safeguards (DLS): 0.4, Jun 2010
Local Resilience Forum: 1.0, Dec 2009
Hearing Direct (NHS Direct East Midlands): 2.0, Jan 2008
NHS Continuing Healthcare: 2.2, Feb 2009
Integrated Offender Management: 1.31, Sep 2011
Health and Social Care Secondary Uses: 1.5, Jan 2012

Information Security Operational Plan 2013/14

Appendix H - Information Security Operational Plan 2013-14
South Devon & Torbay Clinical Commissioning Group

Introduction
Information security is concerned with protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The goal is to protect the confidentiality, integrity and availability of information, whatever its format, i.e. electronic or paper.

Background
South Devon and Torbay CCG (SD&T CCG) came into being on the 1st April 2013. IT Services and support for the CCG are provided by the South Devon Hospitals Information Service (SDHIS). The Information Security function is contracted from Northern, Eastern and Western Devon CCG (NEW Devon CCG). Connecting for Health (CfH) have produced an IG Toolkit specific to CCGs which has 29 Requirements, 13 of which assess Information Security.

Scope
The remit of Information Security within the NHS is wide and includes:
- Working towards achieving ISO 27000 (Information Security Management) compliance.
- Achieving a satisfactory score in the annual IG Toolkit self assessment.
- Implementing the CfH Information Risk Management Good Practice Guide.

In practice, progress with both ISO 27000 and the IG Toolkit work is assessed through the completion of the IG Toolkit. The IG Toolkit is an annual self assessment tool that examines various aspects of Information Governance, including a section on Information Security; of the 29 IG Toolkit requirements, 13 are concerned with Information Security. The implementation of CfH Information Risk Management guidance is a national NHS requirement and specific activity, and CfH have published a Good Practice Guide. A second area covered in the IG Toolkit 300 series of requirements is the implementation of the CfH Information Risk Management Good Practice Guide; this has been adopted by the CCG as the basis for its Information Risk Management Policy.
Richard Ward Page 16 of 19 19/4/2013

Resources
The contracted Information Security service from NEW Devon equates to a qualified Information Security Manager and support for approximately one day a week.

Caldicott Guardian: Gill Gant
Senior Information Risk Owner (SIRO): Mark Procter
SD&T CCG IG Team
Information Security Manager: Richard Ward
SDHIS (IT Provider)

Aim
The 2013/14 Information Security Operational Plan aims to deliver:
- implementation of the DoH Information Risk Management Policy GPG;
- achievement of a minimum of level 2 for each of the IT related IG Toolkit requirements, i.e. the 300 series of requirements, for South Devon and Torbay CCG; or, where a level 2 cannot be demonstrated, ensure that a plan to achieve level 2 is developed.

Note: where a level 2 cannot be achieved, a plan to achieve this level must be put in place; this will allow level 2 to be claimed.

Appendix 1 shows the individual work streams and their associated tasks; it is likely that additional tasks will be identified as the year progresses.

Conclusion
There are a number of uncertainties that may have an impact on Information Security activities, including the development of the individual CCGs; these may result in significant changes to this Operational Plan.

Not all the tasks in Appendix 1 will be completed within the 2013/14 year, as some are of a continuous nature and the priority of others may change. However, any outstanding tasks will have been subjected to a review and be either carried forward to the next year's plan or removed in total. There are a number of significant risks to achieving this plan, and these will be identified on, and dealt with through, the IS and IT Risk Management processes.

Work stream | Detail | Start date | End date
Information Risk Management | Maintain Policies. Assist the CCG to implement the CfH Information Risk Management Good Practice Guide. IT Policies to be reviewed by review dates and approved by the SIRO. | April 2013; April 2013 | 31/3/2014
Create reports | The reports to be produced will be in line with the CCG Management team requirements. | Bi-Monthly | Continuous
Mobile devices | Monitor and investigate CfH monthly encryption reports. | Monthly | Continuous
IG Toolkit (South Devon and Torbay CCG) | Put in place processes to capture the required evidence. Present the evidence (document). Complete the IG Toolkit submission. | A continuous process, but effort being concentrated in Q4 each year. | 31/3/2014
System Level Security Policies (SLSPs) | Identify systems and assist Information Asset Owners (IAO) to develop SLSPs. | June 2013 | 31/3/2014
User Audits | Assist IAOs to carry out User Audits and other associated tasks. | June 2013 | 31/3/2014
Business Impact Assessment (BIA) | The corporate Business Continuity Management project includes IT Disaster Recovery plans; the first requirement of these is that a BIA is carried out. It is intended to complete these in conjunction with SLSPs. | June 2013 | 31/3/2014
Monitor IT Provider SLAs | Assist AD IT to set up KPI reporting. Monitor the resulting reporting for performance and IG Toolkit evidence. | April 2013 | Continuous
IG Forum (SHA); IG Forum (local); SIRO updates | Attend and participate in monthly updates. | April 2013 | Continuous
Information Security Incident management | Investigate and report IS incidents to inform the IG Manager, SIRO, Caldicott Guardian, and Operational management. | April 2013 | Ad Hoc