Hertfordshire, Bedfordshire and Luton ICT Shared Services is hosted by NHS East & North Hertfordshire CCG
Information Security Policy
Document Control
Document Owner: Alex McLaren
Approved by: Phil Turnock
Document Author(s): Keith Fairbrother, Metaish Parmar, Alex McLaren
Date of Approval: 1/10/2018
Version: 11.1.1
Date for Review: 30/9/2019
HBL ICT Shared Service
Information Security Policy Approved 1 Oct 2018.docx Uncontrolled if Printed Template 1.0
Page 2 of 30
Version Control
Version | Status | Commentary | Date | Author
Draft | Initial Draft | 09/2007 | J Hepburn
1.0 | Live | | 10/2007 | J Hepburn
2.0 | V2 | Review | 04/2010 | J Hepburn
3.0 | V3 Live | Amendments | 05/2010 | C Goodey
5.1 | V5.1 Live | Amendments | 02/2012 | M Wallis
5.2 | V5.2 Live | Amendments | 03/2012 | M Wallis
6.0 | V6.0 Live | Amendments | 05/2013 | M Wallis
7.0 | V7.0 Live | Amendments | 07/2013 | M Wallis / K Fairbrother
8.0 | V8.0 Draft | Amendments | 07/2014 | L Harris / K Fairbrother
8.0 | V8.0 Live | Amendments | 07/2014 | E Robson
8.1 | V8.1 Draft | Organisational Change/Formatting | 10/2014 | K Fairbrother
8.1 | V8.1 Live | HBL ICT SMT Approval | 11/2014 | HBL ICT SMT
8.2 | V8.2 Live | HBL ICT SMT Approval. Format change. | 10/2015 | HBL ICT SMT
8.2.1 | Draft | Moved to new format, ready for annual review | 8/2016 | A McLaren
8.2.2 | Draft | Updates from SMT, Linda Whiteley; ready for Review by Partners. Amend Trust for Partner. Amend Job Titles, Meeting titles, Clinical Safety | 8/2016 | A McLaren
9.0 | Live | Distribution of core Policy to Partners | 9/2016 | A McLaren
9.1 | Live | Update to 6.3 to clarify change of factory-set passwords; remove section 11 as detailed in implementation plan | 12/2016 | A McLaren
9.2 | Live | Update section 7.2.3 CSA Policy | 21/04/2017 | M Parmar
9.2.1 | Draft | Annual update, inclusion of GDPR elements. Significant changes: inclusion of DPO, IAO, SRO, TA, CISO. Update to Personal Information, Software, Data classification. Other: Job Role titles existing; streamline removal of duplicate paragraphs. No change to policy (BYOD) from NHSMail2 as this is already in place, ie no change | 31/10/2017 | A McLaren
10.0.0 | Live | Approved by SMT | 22/11/2017 | A McLaren
10.0.1 | Draft | Reference: addition of associated papers NIS, DSPT, 10 Data Security Standards. 6.4.2 Password standards update. 7.1, 7.2.1, 7.2.3 updated | 17/08/2018 | M Parmar
10.0.2 | Draft | 4.12, 4.8 Role Titles Architect, IT Security Manager. Purpose and Scope: remove duplicate paragraph Legal Framework. 7.1, 7.2.1, 7.2.3 update following move to NHSMail, separating Email from Internet | 17/08/2018 | A McLaren
11.0.0 | Live | Confirmed by SMT | 24/9/2018 | A McLaren
11.1.0 | Live | Amend to Appendix: SIRO for HPFT is Director of Innovation and Transformation. Confirmed by P Turnock | 1/10/2018 | A McLaren
11.1.1 | Draft | Update for ENHCCG IG Forum. Amends: legislation update DPA 2018, NIS acronym, 6.5.5 addition re CareCERT. Removal of Distribution as covered within Dissemination; 6.12 clarification of Information Assets where the Information Asset Owner is HBL ICT. 6.2.3 providing updates to CSA for movers, joiners and leavers promptly to HBL ICT to ensure access is accurate. | 16/11/2018 | A McLaren
Implementation Plan
Development and Consultation
IG within Partner organisations
Hertfordshire, Bedfordshire and Luton ICT Shared Services (HBL ICT) is committed to the fair treatment of all, regardless of age, colour, disability, ethnicity, gender, gender reassignment, nationality, race, religion or belief, responsibility for dependents, sexual orientation, trade union membership or non-membership, working patterns or any other personal characteristic. This policy / procedure will be implemented consistently regardless of any such factors and all will be treated with dignity and respect. To this end, an equality impact assessment has been completed on this policy.
Dissemination Staff can access this policy via the Intranet and will be notified of new/ revised versions via the staff briefing.
This policy will be included in the CCGs Publication Scheme in compliance with the Freedom of Information Act (FOI) 2000.
This document is issued to the Partners for authorisation, local amends and dissemination.
Training All staff members are required to carry out the mandatory IG training through the online NHS Information and Governance Training Tool.
Monitoring 3rd Party Audit, IG Toolkit, spot check
Review The policy will be reviewed annually
Equality, Diversity and Privacy
The PIA and EIA are completed separately
References
External: Legislation, Guidance and Standards
Statutory Frameworks (see section 3.4)
UK and EU legislation, including:
Data Protection Act (2018) and GDPR
Freedom of Information Act (2000);
Human Rights Act (1998)
Bribery Act 2010
The Computer Misuse Act 1990
Regulation of Investigatory Powers Act (2000)
Copyright, Designs and Patents Act (1988)
Health and Social Care Act 2012
Caldicott 2 Review
Care Act 2014
NIS
Department of Health and NHS Regulations and Guidance, including:
Guide to Confidentiality in Health and Social Care
NHS IM&T Security Manual
NHS Information Governance Standards
NHS Statement of Compliance
HSCIC_Data_Destruction_Standard_v3.2
Destruction and Disposal of Sensitive Data - Good Practice Guidelines
DSPT
10 Data Security Standards
Standards for Information Security Management ISO27001 and ISO27002
SCCI 0129 & SCCI 0160
Policies and procedures including:
Policies, procedure and guidance on the management of patient/client records.
Gartner Toolkit: Software Asset Management Policy Template Feb 15
NHS Digital Information Security Example Policy v1.0
Internal: Related Documentation
Management of Records Policy and Procedure
Standing Financial Instructions
Data Quality Policy
Acceptable Use Policy
Information Governance Framework
Mobile Devices Security Policy
Incident Policy
Confidentiality Policy
Data Centre and Policy Procedures doc
Guidance on Portable Computers
Disposal of Assets Policy
Records Policy
Non-Standard Equipment Standards
Risk Management Policy
RA Policy
Enclosures none
Contents
1 Executive Summary .... 11
2 Introduction .... 11
3 Purpose and Scope .... 12
3.1 Purpose .... 12
3.2 Scope .... 12
3.3 Local Variation .... 12
4 Information and Data .... 12
4.1 Ownership of Data / Data Controller .... 12
4.2 Processing of Data / Data Processor .... 13
4.3 Personal Information .... 13
4.4 Chief Executive (CEO)/Managing Director (MD) - or equivalent .... 13
4.5 Caldicott Guardian .... 13
4.6 Senior Information Risk Owner (SIRO) .... 13
4.7 Line Managers .... 13
4.8 IM&T Security Adviser Role .... 14
4.9 Data Protection Officer .... 14
4.10 Information Asset Owners .... 15
4.11 Senior Responsible Owners .... 15
4.12 Solutions Architect .... 15
5 Responsibility of all Staff .... 15
5.1 General Responsibility .... 15
5.2 Paper Records .... 16
5.2.1 Paper Waste Disposal .... 16
5.3 Information Systems and Equipment .... 16
5.4 Mobile Devices .... 16
5.5 Access to Information Systems .... 17
5.6 Data Accuracy .... 17
5.7 Processing Information and Data .... 17
5.8 Portable Storage Devices - Electronic Media .... 17
6 Management and Control of Information Assets .... 18
6.1 Control of Assets .... 18
6.1.1 Ownership of Assets .... 18
6.1.2 Asset Registers .... 18
6.1.3 Procurement of Assets .... 18
6.1.4 Disposal of Assets .... 18
6.1.5 Media Disposal .... 19
6.2 Access Control .... 19
6.2.1 Physical Access Controls .... 19
6.2.2 Logical Access Controls .... 19
6.2.3 Computer System Access Controls .... 19
6.3 Use of Information Assets .... 20
6.3.1 Installation and Siting of Equipment .... 20
6.3.2 Limitations on Use .... 20
6.3.3 Data Security .... 20
6.3.4 Security of Equipment Off-Premises .... 20
6.3.5 Security of Hard Disks .... 21
6.4 Passwords .... 21
6.4.1 Password Protection .... 21
6.4.2 Password Standards .... 21
6.5 Business Continuity .... 22
6.5.1 Physical Security .... 22
6.5.2 Remote Access to the Organisation’s Services .... 22
6.5.3 Remote Access to the Organisation’s Services by Staff .... 22
6.5.4 Remote Access to the Organisation’s Services by Suppliers .... 23
6.5.5 Business Continuity Planning .... 23
6.6 Databases and Application Systems .... 23
6.6.1 Authorised Databases and Systems .... 23
6.6.2 Acquisition of Application Systems .... 23
6.6.3 System Acceptance .... 24
6.6.4 Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA) .... 24
6.6.5 Clinical Safety .... 24
6.7 Software Protection .... 25
6.7.1 Licensed Software .... 25
6.7.2 Software Standards .... 25
6.7.3 Virus Control .... 25
7 Electronic Mail and Internet Access .... 26
7.1 Purpose and Ownership .... 26
7.2 Access and Disclosure of Electronic Communications .... 26
7.2.1 Monitoring Usage .... 26
7.2.2 Inspection and Disclosure of Communications .... 26
7.2.3 Monitoring and Disclosure Procedures .... 27
8 Security Incident Management .... 27
8.1 Personal Data Breach .... 27
8.2 Security Incidents .... 27
8.2.1 Logging Security Incidents .... 27
9 Disciplinary Action .... 28
Appendix A. Organisational SIROs .... 29
Appendix B. Comment Form .... 30
Terms and Acronyms
Term Definition
ICT Information and Communications Technology
IM&T Information Management and Technology
IP Internet Protocol
PIA / DPIA Privacy Impact Assessment / Data Protection Impact Assessment (the term for a PIA within GDPR)
SIRO Senior Information Risk Owner
UPS Uninterruptable Power Supply
VPN Virtual Private Network
Data Owner / Data Processor
Under the DPA, the following terms are identified in Section 1.1:
“data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
“data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
“processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
a) organisation, adaptation or alteration of the information or data,
b) retrieval, consultation or use of the information or data,
c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
d) alignment, combination, blocking, erasure or destruction of the information or data.
The ICO states that “The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.”
CSA Computer System Access
DPO Data Protection Officer
EUD End User Devices (EUD). The EUD programme anticipates that any OFFICIAL information (including information handled with the OFFICIAL-SENSITIVE caveat) can be managed on a single device that conforms to the security principles defined in the End User Device Strategy: Security Framework and Controls (March 2013). Note that the assurance required (including compliance with relevant legislation such as the Freedom of Information Act (FoI) and DPA) means that EUDs will normally be owned, managed and controlled by the organisation. Any stated residual risks must be managed in line with local risk appetites. (Taken from Government Security Classification v1.0, Oct 2013.) The NHSMail2 solution is accredited to government Official status for sharing patient identifiable and sensitive information, meaning it meets a set of information security controls that offer an appropriate level of protection against loss or inappropriate access.
HBL ICT Hertfordshire, Bedfordshire and Luton ICT Shared Services
Personal Data and Sensitive Personal Data – under GDPR
Personal data
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9). These categories are broadly the same as those in the DPA, but there are some minor changes.
For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).
Personal Data and Sensitive Personal Data – under DPA
Personal data means data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Sensitive personal data means personal data consisting of information as to -
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c ) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Patient Confidential Data
A patient’s personal information given or received in confidence for one purpose. This may not be used for a different purpose or passed to anyone else without the consent of the provider of the information.
ICT Department For the purposes of this document, the term ICT Department refers to HBL ICT
DSPT Data Security and Protection Toolkit. This is the replacement for the IG Toolkit within NHS Digital.
NIS Network and Information Systems EU Directive, which came into force on 10th May 2018. All organisations deemed to be Operators of Essential Services are in scope. Network and information systems and the essential services they support play a vital role in society, from ensuring the supply of electricity and water, to the provision of healthcare and passenger and freight transport. Their reliability and security are essential to everyday activities.
1 Executive Summary
The Information Security Policy sets out the commitment of the organisation to preserve the confidentiality, integrity and availability of the information and information systems and to ensure the information and systems are effectively and lawfully managed.
The Policy aims to ensure that:
The organisation’s information, its information systems and the supporting infrastructure are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;
The information contained in or processed by these systems is kept secure;
Confidentiality, integrity and availability are maintained at all times;
Staff are aware of their responsibilities and adhere to the provisions of the policy;
Procedures are in place to detect and resolve security breaches and to prevent a recurrence.
This policy applies to:
All information and information storage, whether manual or electronic, information processing systems and networks used by the organisation;
All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business;
Any other persons granted access to the organisation’s information, systems and networks;
All locations, all information, information systems, computer equipment and networks.
Application of the policy will assist in the organisation’s compliance with information related legislation, NHS standards and Information Governance Standards.
2 Introduction
The organisation works to a framework for handling personal information in a confidential and secure manner to meet ethical and quality standards. This enables National Health Service organisations in England and individuals working within them to ensure personal information is dealt with legally, securely, effectively and efficiently to deliver the best possible care to patients and clients.
The organisation, via the Information Governance Toolkit (DSPT), provides the means by which the NHS can assess our compliance with current legislation, Government and National guidance.
Information Governance covers: Data Protection and IT Security (including smart cards), Human Rights Act, Caldicott Principles, Common Law Duty of Confidentiality, Freedom of Information Regulations, Information Quality Assurance and Fraud and Bribery Policy.
3 Purpose and Scope
3.1 Purpose
The Information Security Policy sets out the commitment of the organisation to preserving the confidentiality, integrity and availability of information and information systems and to ensure the information and information systems are effectively and lawfully managed.
The Policy aims to ensure that:
The organisation’s information, its information systems and the supporting infrastructure are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;
The information contained in or processed by these systems is kept secure;
Confidentiality, integrity and availability are maintained at all times;
Staff are aware of their responsibilities and adhere to the provisions of the policy;
Procedures are in place to detect and resolve security breaches and to prevent a recurrence.
3.2 Scope
This policy applies to:
All information and information storage, whether manual or electronic, information processing systems and networks used by the organisation;
All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business;
Any other persons granted access to the organisation’s information, systems and networks;
All locations and all information, information systems, computer equipment or networks used by staff.
3.3 Local Variation
Variation to some parts of the policy may be allowed where local conditions do not permit full implementation. Applications for such variation must be made to the Head of Technical Services and must be approved by the ICT Department’s Director or Associate Director and Head of Governance and Compliance and, should the assessed level of risk warrant it, the Stakeholder Board before being introduced.
4 Information and Data
4.1 Ownership of Data / Data Controller
The organisation is the legal owner of all data held in its Records, Information systems and equipment. All of the organisation’s staff must ensure the data is accurate, up-to-date and secure from unauthorised access or disclosure.
4.2 Processing of Data / Data Processor
The organisation’s data must be processed only by systems and equipment owned or authorised by the organisation.
Data must not be transferred to or processed on any equipment that is not owned by the organisation without the prior authority of the appropriate Service Manager or the Caldicott Guardian.
Processing of all data must be legal and must comply with other organisational policies, eg the Records Management Policy.
4.3 Personal Information
Personal information is subject to the provisions of the Data Protection Act and, from 25 May 2018, GDPR. Additionally, information about patients is subject to the Guide to Confidentiality in Health and Social Care.
Under both the Data Protection Act and GDPR the organisation is obliged to notify the Information Commissioner of the personal information it processes and for what purposes. Processing of all personal information must be consistent with this notification. Privacy Impact Assessments must be carried out and submitted to the IG Manager before new systems or significant changes to existing systems are implemented. As part of GDPR, these assessments are called Data Protection Impact Assessments (DPIA); see section 6.6.4 Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA).
Management of Information Security
4.4 Chief Executive (CEO)/Managing Director (MD) - or equivalent
The CEO/MD of the organisation has overall responsibility for all matters relating to information security.
4.5 Caldicott Guardian
The organisation’s Caldicott Guardian will ensure that patient and service information is used legally, ethically and appropriately.
4.6 Senior Information Risk Owner (SIRO)
The SIRO is responsible for user access into systems and is responsible for information risk across the organisation.
4.7 Line Managers
Line Managers are individually responsible for ensuring that information security is applied and practised within their area of responsibility.
Specifically, Line Managers will ensure that:
All staff are appropriately instructed/trained in their security responsibilities;
All staff sign confidentiality undertakings as part of their contract of employment;
All staff are appropriately trained in any procedures, systems, services and equipment they are required to use;
Untrained staff are not allowed access to confidential information or to computer systems and equipment;
Staff are appropriately authorised to access information systems in accordance with their job function and relationship with patients, specifically that they do not share their login credentials;
Staff are authorised to access equipment, systems, services and media appropriate to their job function;
Information quality standards are maintained by their staff and that information recorded is accurate and up-to-date;
All critical job functions are adequately documented to maintain continuity of service;
Procedures are implemented to minimise disruption to systems and services and exposure to fraud/theft. These may include segregating duties, implementing dual control and staff rotation where appropriate;
Appropriate disciplinary action is taken for breaches of policies, standing instructions and legislation.
4.8 IM&T Security Adviser Role
The IT Security Manager within the ICT Department is the IM&T Security Adviser and so will provide advice and guidance on confidentiality and security of information and information systems.
Specifically, the Security Adviser will:
Develop and maintain confidentiality and information security policies and assist with the implementation of these policies;
Provide advice on compliance with legislation, NHS Policies and guidelines relating to confidentiality and information security;
Ensure that breaches of information security are investigated and reported appropriately;
Advise and assist in implementing security improvement programmes consistent with NHS, DH and industry best practice.
4.9 Data Protection Officer
The Data Protection Officer is responsible for ensuring that the organisation and its
constituent business areas remain compliant at all times with Data Protection, Privacy and
Electronic Communications Regulations, Freedom of Information Act and the
Environmental Information Regulations. The Data Protection Officer shall lead on the
provision of expert advice to the organisation on all matters concerning the Data Protection
Act, compliance, best practice and setting and maintaining standards.
The DPOs within the organisation will:
Inform and advise the organisation and its employees about their obligations to comply
with the GDPR and other data protection laws;
Monitor compliance with the GDPR and other data protection laws, including
managing internal data protection activities, advising on data protection impact
assessments, training staff and conducting internal audits;
Be the first point of contact for supervisory authorities and for individuals whose
data is processed (employees, customers etc.).
4.10 Information Asset Owners
The Information Asset Owners (IAOs) are senior/responsible individuals involved in running
the business area and shall be responsible for:
Understanding what information is held
Knowing what is added and what is removed
Understanding how information is moved
Knowing who has access and why
4.11 Senior Responsible Owners
All Senior Managers, Heads of Department, Information Risk Owners and Directors,
defined as Senior Responsible Owners (SROs), are individually responsible for ensuring
that this policy and information security principles are implemented, managed and
maintained in their business area. This includes:
Appointment of Information Asset Owners (IAO) to be responsible for Information
Assets in their areas of responsibility
Awareness of information security risks, threats and possible vulnerabilities within the
business area and complying with relevant policies and procedures to monitor and
manage such risks
Supporting personal accountability of users within the business area(s) for Information
Security
Ensuring that all staff under their management have access to the information required
to perform their job function within the boundaries of this policy and associated policies
and procedures.
4.12 Solutions Architect
Within the ICT Department the Solutions Architect will ensure that solutions are created that
meet the business requirements and will comply with the Information Security agenda.
The Solutions Architect will attend the Technical Design Authority meetings to ensure
review of all solutions prior to delivery.
5 Responsibility of all Staff
5.1 General Responsibility
Information Security and the appropriate protection of information assets is the
responsibility of all users and individuals are expected at all times to act in a professional
and responsible manner whilst conducting business on behalf of the organisation. All staff
are responsible for information security and remain accountable for their actions in relation
to NHS and other UK Government information and information systems.
Staff shall ensure that they understand their role and responsibilities and that failure to
comply with this policy may result in disciplinary action. This will be reinforced by yearly
mandatory training.
All members of staff are responsible for ensuring that no breaches of information security
result from their actions. Members of staff are required to:
Comply with the Information Security Policy and the Guide to Confidentiality in Health
and Social Care;
Raise any concern regarding information security with their manager and/or the ICT
Department Service Desk;
Comply with any relevant legislation, regulations, codes of conduct, any other policies
and procedures and any instructions which may be issued from time to time;
Ensure they are familiar with security measures, such as access controls and anti-virus
software, and use or operate them correctly.
5.2 Paper Records
All paper records must be stored in the appropriate manual filing system when not in use.
Records containing personal information must be kept secure from unauthorised access
at all times. Records are to be stored in line with the Partner records policy.
5.2.1 Paper Waste Disposal
Any reports or printouts containing personal and/or patient information must be treated as
confidential, and stored and disposed of accordingly. For example, in cross shredder
machines or confidential waste sacks/bins. Further guidance can be found in the Partners
Confidentiality Policy.
5.3 Information Systems and Equipment
Information systems and associated equipment - computers, printers, etc. - are provided
for the conduct of official organisational business. They must not be used for any
commercial purposes or for personal gain. Limited personal use may be permitted at the
discretion of the appropriate Senior Manager.
All equipment and information must be adequately protected at all times. Any default
accounts must be disabled or removed and any factory set passwords changed prior to
issue for use.
Fixed assets, e.g. printers, scanners and PCs, must not be removed from premises or relocated
without permission. All requests for movement of equipment must be notified to the ICT
Department Service Desk.
5.4 Mobile Devices
Portable computers must only be used in accordance with the organisation’s Mobile
Device Security Policy. All portable devices must be encrypted to DH standards. They
must be secured at all times and must not be left in view when unattended. Any portable
computer taken off premises must not be used or left in an insecure location. They must
be used only by authorised persons and password protection must be in place.
5.5 Access to Information Systems
Authorised staff will be given a username and/or a smartcard and a password to access
the systems they are authorised to use. These will identify the user to the system; all
actions by the user are recorded by the systems.
Smartcards must be kept safe and secure and must not be used by any other person.
Users of smartcards must also comply with the RA01 Short Form Conditions which they
signed when the card was issued. Further guidance can be found in the RA policy.
Passwords must be kept secret and not divulged to any other person, even Personal
Assistants or Secretaries. Passwords must be changed frequently as prompted by the
system or in accordance with standards and instructions for the system.
Computers must be locked or switched off when unattended.
The authorised user is responsible for any action associated with their identity. Any
suspected misuse should be reported to the ICT Department Service Desk.
5.6 Data Accuracy
Members of staff are responsible for the accuracy of the data they record and use. It is
paramount that patient related data is accurate and up-to-date as inaccurate data could
threaten patient safety. Administrative data must also be as accurate as possible to
ensure effective management and decision making.
5.7 Processing Information and Data
The organisation’s information and data must only be processed or stored on NHS
equipment and using authorised systems and databases. Staff must not acquire or
develop systems or databases without the prior approval in writing of the relevant
Information Governance Group in each organisation.
Personal equipment or non-NHS equipment must not be used to process the
organisation’s information unless authorised in writing by the appropriate Information
Governance Group. Where such authorisation is given, it is the responsibility of the
member of staff to make adequate provision to safeguard the security, integrity and
confidentiality of the data. Written advice must be sought from the ICT Department.
5.8 Portable Storage Devices - Electronic Media
Portable Storage devices include smartphones, BlackBerrys, disks, memory sticks,
portable hard drives and any other device that can store information, e.g. cameras,
Dictaphones, etc. These devices must only be used in accordance with the organisation’s
Mobile Devices Security Policy.
Portable storage devices must be encrypted in accordance with DH standards. Only
approved, authorised devices owned by the organisation can be used for storing the
organisation’s information and data. Where a type of device needs to be used but its
storage cannot be encrypted, such as cameras, local procedures must be created and
signed off by the Information Governance Manager before such devices are used.
The approval of the appropriate Information Governance Group must be obtained prior to
copying any personal data onto a portable storage device. For patient data this will be the
Caldicott Guardian.
Portable storage devices must not be used for storing the primary copy of any of the
organisation’s information. The primary copy must be stored on the appropriate shared
drive or server area.
Portable storage devices must be kept secure at all times and stored safely when not in
use.
Loss, or suspected loss, of any portable storage device must be reported to the ICT
Department Service Desk and IG Manager immediately.
All redundant or non-functioning portable storage devices must be returned to the ICT
Department for re-use, recycling or secure disposal as appropriate.
6 Management and Control of Information Assets
6.1 Control of Assets
6.1.1 Ownership of Assets
All information assets owned by the organisation will be identified, and will have a named
custodian responsible for the security of that asset.
6.1.2 Asset Registers
The ICT Department will maintain asset registers on behalf of customers in line with SLAs.
This includes:
Physical Assets (all computer equipment and hardware);
Software Assets;
Information Assets it (HBL ICT) owns (application systems and databases).
Information asset owners are responsible for ensuring that their information repositories
(databases, spreadsheets, etc.) are maintained with details of all their Information Assets.
The partner is responsible for informing HBL ICT on the movement and transfer requests
for IT Assets.
6.1.3 Procurement of Assets
All electronic information assets will be procured by ICT Department in line with SLAs.
Requests for PCs, printers and other equipment such as cameras, Dictaphones, etc.
must be made through the ICT Department Service Desk.
6.1.4 Disposal of Assets
All information assets must be maintained until the end of their useful life and then must
be disposed of safely and without risk to the organisation, or the organisation’s patients,
clients and staff.
All computer equipment will be disposed of by the ICT Department in accordance with
NHS standing instructions, EU and UK environmental and health and safety regulations.
A record of all disposals will be maintained.
Computer equipment must not be sold, removed or disposed of outside of the agreed
policy without the prior permission of the Director of IT and the SIRO.
6.1.5 Media Disposal
All redundant removable media must be treated as confidential waste and unconditionally
formatted before disposal. Wiping the media must be done in accordance with current
Government policy and standards via the ICT Department (do not attempt to do this
yourself; the data will probably still be recoverable). If reformatting is not possible, the
media must be destroyed.
6.2 Access Control
6.2.1 Physical Access Controls
All information servers, network control equipment, etc., will be installed in designated
controlled areas secured by physical access controls.
Access to controlled areas will be restricted to authorised ICT Department staff whose job
function requires access to that particular area.
The Director of IT may grant access privileges to other staff in the organisation to allow
them to perform agreed specific tasks in the controlled areas.
The ICT Department may authorise authenticated representatives of third party support
suppliers and agencies to access controlled areas. The representatives will be
accompanied at all times in the controlled areas.
All personnel are required to wear their identity badges at all times in controlled areas and
are obliged to challenge all unrecognised or unaccompanied visitors.
A record of all accesses to controlled areas will be maintained.
All staff with access to the Data Centres must abide by the Data Centre Policy and
Procedures document.
6.2.2 Logical Access Controls
Access to all information and application systems will be restricted to staff who have a
business need and have been authorised by their Line Manager.
Logical access to all information assets will be by means of passwords, key-tokens
(smartcards) or a combination of both.
6.2.3 Computer System Access Controls
Computer system access (CSA) control is managed and controlled through a defined
process. CSA requests are normally made via the customer portal of the Service
Management tool where the relevant CSA form is completed. Access to the forms is
restricted and can only be completed by an authorised member of staff. Staff with access
are responsible for providing correct information and are liable for any discrepancies. This
form includes a Disclaimer, and in order to process the request, this must be ticked.
CSA requests for movers, leavers and joiners, including maternity, secondments or extended
leave, are to be completed promptly and sent to HBL ICT in order to ensure appropriate
access is maintained.
Additionally, for agreed student intake or rotation, access is managed from a bulk-provided
list of main base and job title with end date. An email address is provided but not shared
drive access. If shared drive access is deemed necessary then this is logged as an
additional access request by the line manager, mentor or person(s) with the appropriate
authority.
6.3 Use of Information Assets
6.3.1 Installation and Siting of Equipment
All equipment must be sited and installed in accordance with current environmental and
health and safety regulations. Initial installation will be made by the ICT Department.
Equipment must not be moved without first informing the ICT Department.
6.3.2 Limitations on Use
Equipment must only be used for the purpose it was supplied and in accordance with the
manufacturer’s/supplier’s instructions.
Equipment must not be modified without the permission of the ICT Department. This
includes the attachment of additional equipment and/or peripherals or the loading of
additional software.
Unauthorised connection or attempted connection to the communications network, e.g. by
means of a personal laptop, will be treated as serious misconduct.
6.3.3 Data Security
All electronic data files must be stored in the appropriate area on the network fileservers.
This will ensure that all files reside in a secure, virus free area and are automatically
backed up on a regular basis.
All confidential data will be stored in secure personal and workgroup areas. Creation and
access to these areas will be managed by the ICT Department on the authority of the
appropriate senior manager.
The local hard disk on desktop PCs must not be used for the storage of files. Where a
local copy has been taken (e.g. during a network failure), the files must be moved to shared
areas promptly.
Removable media or portable storage devices must not be used for the archiving of data
or transferring data unless specifically authorised, in which case the device must be
encrypted. All data archive and transfers will be done via the organisation’s network. See
also section 5.8 Portable Storage Devices – Electronic Media.
6.3.4 Security of Equipment Off-Premises
Equipment and data must not be taken off site without formal authorisation from the
appropriate Senior Manager or person with delegated authority.
Where equipment is located in an insecure environment or public access area, additional
physical and logical security measures will be implemented in the form of locks, additional
passwords, etc.
Users are responsible for the security of laptop computers and must follow good security
practices in accordance with the Mobile Device Security Policy.
6.3.5 Security of Hard Disks
The hard disks on any computer may contain sensitive or confidential data, possibly in
temporary files.
Theft or removal off-site of such disks is a potential threat to the security of the
organisation’s information and could risk a breach of confidentiality.
Hard disks sent offsite for data recovery are therefore to be treated as Portable Storage
Devices (see section 5.8), and must only be sent to approved contractors who have signed a
confidentiality agreement. If encrypted they must be sent via a recorded delivery system.
If unencrypted they must either be collected by the recovery firm or delivered personally
by a member of the organisation’s staff or ICT Department staff.
Hard disks that are no longer required will have all data physically removed or will be
destroyed prior to disposal. This process will be controlled by the ICT Department in line
with SLAs; see section 6.1.4 Disposal of Assets.
6.4 Passwords
6.4.1 Password Protection
Access to all information systems and the network operating system will be granted on a
need to know basis and restricted by password facilities controlled by the system
managers.
All systems will, where possible, be configured to record unsuccessful login attempts.
Accounts will be frozen after three (3) unsuccessful attempts.
User sessions will, where possible, be de-activated or logged out if inactive for 15 mins.
6.4.2 Password Standards
Passwords will be a minimum of eight (8) alphanumeric characters and contain at least
one (1) alphabetic and one (1) numeric character. Staff will be responsible for maintaining
the secrecy of their passwords.
Passwords must be changed frequently. Enforced password changing will be
implemented using password ageing where the systems permit. The change cycle will be
30 to 90 days depending on the system.
Passwords must not be re-used for a specified number of instances. This will vary
between four (4) and 12 depending on the system.
Generic passwords will be a minimum of ten (10) alphanumeric characters and contain at
least one (1) alphabetic and one (1) numeric character, at least one (1) uppercase letter,
at least one (1) lower case letter and at least one (1) special character. Staff will be
responsible for maintaining the secrecy of their passwords.
Privileged Domain Accounts will be a minimum of sixteen (16) alphanumeric characters
and contain at least one (1) alphabetic and one (1) numeric character, at least one (1)
uppercase letter, at least one (1) lower case letter and at least one (1) special
character. Staff will be responsible for maintaining the secrecy of their passwords.
All systems should be configured to record unsuccessful login attempts and accounts will
be locked after a number of failed attempts, normally three (3), depending on the system.
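The password standards in 6.4.2 and the lockout and inactivity rules in 6.4.1, expressed as a checker that reports every rule a candidate breaks. This is an added example written for this page, not a tool used by HBL ICT; the account-class names, the function names and the default history window of four are assumptions, since the policy says the re-use window varies by system.

```python
"""Password-standard and lockout checks modelled on sections 6.4.1 and 6.4.2.

Illustrative code written for this page; not a tool used by HBL ICT.
Account-class names, function names and the history-window default are
assumptions (the policy says the re-use window varies by system).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Set


@dataclass(frozen=True)
class PasswordStandard:
    """Requirements for one class of account (6.4.2)."""
    min_length: int
    require_upper: bool
    require_lower: bool
    require_special: bool


# 6.4.2: user passwords need 8+ characters with a letter and a digit; generic
# and Privileged Domain Accounts additionally need upper, lower and special.
STANDARDS: Dict[str, PasswordStandard] = {
    "user": PasswordStandard(8, False, False, False),
    "generic": PasswordStandard(10, True, True, True),
    "privileged": PasswordStandard(16, True, True, True),
}


def check_password(password: str, account_class: str,
                   previous: Sequence[str] = (), history_depth: int = 4) -> List[str]:
    """Return every rule the candidate breaks; an empty list means it is acceptable.

    `previous` is the account's password history, oldest first.  Real systems
    keep salted hashes rather than plaintext and compare against those; plain
    strings are used here only so the example runs stand-alone.
    """
    std = STANDARDS[account_class]
    failures: List[str] = []
    if len(password) < std.min_length:
        failures.append(f"shorter than {std.min_length} characters")
    # Every class requires at least one alphabetic and one numeric character.
    if not re.search(r"[A-Za-z]", password):
        failures.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        failures.append("no numeric character")
    if std.require_upper and not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if std.require_lower and not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if std.require_special and not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    # 6.4.2: no re-use within the last N passwords (4 to 12 depending on system).
    if history_depth > 0 and password in list(previous)[-history_depth:]:
        failures.append(f"re-used within the last {history_depth} passwords")
    return failures


class LockoutTracker:
    """Freezes an account after `threshold` consecutive failures (6.4.1: three)."""

    def __init__(self, threshold: int = 3) -> None:
        self.threshold = threshold
        self.failures: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def record(self, account: str, success: bool) -> bool:
        """Record one login attempt and return True if the account is now locked."""
        if account in self.locked:
            return True          # stays frozen until an administrator unlocks it
        if success:
            self.failures[account] = 0
            return False
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
        return account in self.locked


def session_expired(last_activity: datetime, now: datetime,
                    idle_limit: timedelta = timedelta(minutes=15)) -> bool:
    """6.4.1: a session inactive for 15 minutes should be logged out."""
    return now - last_activity >= idle_limit


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(check_password("pass1234", "user"))                   # []
    print(check_password("GenericPw9", "generic"))              # ['no special character']
    print(check_password("Sh0rt!Pw", "privileged"))             # ['shorter than 16 characters']
    tracker = LockoutTracker()
    print([tracker.record("alice", False) for _ in range(3)])   # [False, False, True]
```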
6.5 Business Continuity
6.5.1 Physical Security
All servers (virtual and physical) and data communications equipment will be located in
secure controlled areas with physical entry controls restricting access to authorised
personnel only.
Local data communications equipment and/or file servers will always be located in secure
areas and/or lockable cabinets.
6.5.2 Remote Access to the Organisation’s Services
In addition to strong authentication, audit trails and events logs will record remote access
activity with particular emphasis on failed login attempts or attempted intrusions to the
local area network.
Security breaches (actual and suspected) will be reported immediately to the ICT
Department Service Desk and IG manager where it will be recorded as a security incident.
All security incidents will be promptly investigated and treated very seriously.
Connection of a modem (or other unauthorised communications equipment) to the ICT
Department’s managed network other than through an authenticating server, is a breach
of the NHSNet Statement of Compliance and may lead to disciplinary action being taken
against that individual.
6.5.3 Remote Access to the Organisation’s Services by Staff
Controlled virtual private network (VPN) access via the internet may be given to members
of staff who can demonstrate a genuine need to access network resources remotely.
Access will be conditional on:
The completion by an authorised manager of the appropriate Computer System
Access form;
Acceptance that passwords or tokens issued to enable remote access are for use only
by the person they are issued to;
The user taking care to ensure any sensitive data displayed on screen is not visible to
others;
No attempt is made to connect to any wireless local area network that fails to meet at
least the WPA-2 standard, e.g. wireless hotspots. Where you believe you will need to
use wireless hotspots, the request must be authorised by your line manager and the SIRO.
Use of domestic wireless local area networks is acceptable provided the wireless access
point (sometimes known as a wireless hub or router) is configured to at least WPA-2
standards. Refer to the device manual or its supplier for information on how it should be
configured.
Even when using a wired connection in a domestic setting, if a wireless access point is
connected to the network it must be configured to at least the WPA-2 standard.
6.5.4 Remote Access to the Organisation’s Services by Suppliers
Controlled virtual private network (VPN) access via the internet may be given to support
organisations who can demonstrate a genuine need to access network resources
remotely. Access will be conditional on:
An agreement being signed restricting the access for use only by qualified persons for
specified purposes and that no information will be disclosed to unauthorised persons.
Each request for dial up or VPN access being logged and approved by an authorised
person in the ICT Department.
Passwords or tokens issued to enable remote access are for use only by the person
they are issued to.
6.5.5 Business Continuity Planning
All critical systems will have a disaster recovery plan in the event of system or data loss.
These will be agreed between the ICT Department and representatives of the
organisation. Criticality of systems will be established as part of the implementation of this
policy. Plans will be reviewed and be tested regularly.
NHS Digital provide CareCERT advice and guidance to organisations to respond
effectively and safely to cyber security threats.
6.6 Databases and Application Systems
6.6.1 Authorised Databases and Systems
A list of authorised databases and applications will be maintained by the ICT Department.
The organisation’s information and data must only be stored and processed in
applications or databases on the list. Where members of staff develop systems in Microsoft
Access, such databases must not be used for storing any organisation related information or
data without referral to the ICT Department. Support for such systems will only be provided
on a reasonable endeavours basis.
6.6.2 Acquisition of Application Systems
Acquisition of all application systems whether by procurement or development must follow
the current Information Governance standards and NHS procurement procedures and
guidelines. The ICT Department must be approached as early as possible in such a
process.
Security requirements to ensure compliance with this policy must be incorporated in the
business requirements used for the development or procurement process. The security
requirements must be approved by the Head of Technical Services before the start of any
procurement or development.
Prospective suppliers must formally commit to meeting or exceeding the required level of
security.
6.6.3 System Acceptance
Application systems will not be connected to, or accessed from, the managed network
until the ICT Department Head of Technical Services is satisfied that security has been
comprehensively addressed.
The Project Team responsible for the new system will devise formal acceptance test plans
and demonstrate that the security requirements of the system have been tested
satisfactorily. These tests must include witness testing the strength of the security
features in a controlled environment.
6.6.4 Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA)
A PIA/DPIA must be completed for all application systems. This will be completed before
new applications are accepted. The PIA/DPIA must be revised when any changes to
functionality or usage are made.
A PIA/DPIA must also be completed in respect of any data being transferred between the
organisation and third parties along with all other appropriate documents.
The DPIA/PIA must contain the following information:
A description of the processing operations and the purposes, including, where
applicable, the legitimate interests pursued by the controller.
An assessment of the necessity and proportionality of the processing in relation to the
purpose.
An assessment of the risks to individuals.
The measures in place to address risk, including security and to demonstrate that you
comply.
6.6.5 Clinical Safety
The provision and deployment of Health IT Systems within the National Health Service
(NHS) can deliver substantial benefits to NHS patients through the timely provision of
complete and correct information to those healthcare professionals that are responsible
for delivering care. However, it has to be recognised that failure or incorrect use of such
systems has the potential to cause harm to those patients that the system is intending to
benefit.
To ensure that Health IT Systems do not introduce risks to NHS patients, all Health IT
systems must now comply with the following National Information Standards:
SCCI 0129 – Clinical Risk Management: its Application in the Manufacture of Health
IT Systems
SCCI 0160 – Clinical Risk Management: its Application in the Deployment and Use of
Health Software
These two standards provide manufacturers of Health IT systems and software and
Health Organisations responsible for deploying these systems with a set of mandated
requirements to ensure that they are well designed and do not impact on patient safety.
SCCI 0129 outlines the safety management requirements for system suppliers during
system production and handover to healthcare organisations, including system changes
and upgrades. This requires suppliers to produce formal documentation of their clinical
safety assessment and approval process, identification of any risk and mitigation
proposal.
SCCI 0160 requires healthcare organisations to ensure appropriate systems are in place
to assess patient safety risks during procurement, implementation, use and
decommissioning of Health IT Systems. These processes should build upon or clarify
existing safety processes, project governance and other clinical risk management
arrangements. This requires suppliers to produce formal documentation of their clinical
safety assessment and approval process, identification of any risk and mitigation
proposal.
6.7 Software Protection
6.7.1 Licensed Software
Only licensed and supported software will be installed on organisation owned equipment.
All installed software must comply with ICT Department standards. All software must be
used only for the purpose it is provided and in accordance with training and instructions.
Any required software will be procured and installed by the organisation’s ICT
Department. Records of entitlement data, including contracts, purchase records and other
media to support proof of software subscription use rights must be maintained. Staff must
not install any software on any of the organisation’s computers without the express written
consent of Partner IG and ICT Department’s Governance and Compliance Manager.
Users who require additional software must submit a request to their Department
Manager.
6.7.2 Software Standards
The organisation has standardised on the Microsoft Office suite of applications, Microsoft
Outlook E-mail for office applications and Microsoft Internet Explorer for web browsing.
Alternative products are not supported and must not be installed.
Software used must be reviewed by ICT Department to ensure it is fit for purpose and
does not have a negative impact on other business applications.
6.7.3 Virus Control
Virus protection software will be installed on all network servers and all PCs. The virus
protection software will be updated frequently to ensure adequate protection against the
latest viruses. Network servers will be updated at least daily. Standalone PCs must be
updated at least weekly.
The users of portable computers are responsible for ensuring virus protection is kept
up-to-date. Portable computers receive updates every time they are connected to the
network and must be so connected at least once a month.
Connection (beyond the need to download updates) may be refused if any PC or laptop
does not have up-to-date anti-virus software.
The ICT Department will make every effort using the technology available to protect
against virus attacks. Users are also responsible for ensuring virus infections do not
occur or are spread by their actions.
Any suspected or actual virus infection must be reported to the ICT Department Service
Desk by phone immediately. Any user suspecting virus activity on their PC or laptop
should disconnect it from the network if they are able to do so safely.
7 Electronic Mail and Internet Access
7.1 Purpose and Ownership
E-mail and internet services are provided for the conduct of the organisation’s and NHS
business. These systems, including the hardware, software and all data that are stored
within the system – which include file downloads - are the property of the organisation.
The e-mail service is owned and managed by NHS Digital and associated policies are
available on the NHSMail Portal.
All staff must comply with the organisation’s Acceptable Use Policy and NHSMail
Policies. The use of Internet and email resources must be related to the legitimate
business activity of the organisation. This includes authorised professional and academic
pursuits.
7.2 Access and Disclosure of Electronic Communications
7.2.1 Monitoring Usage
All electronic communications will be monitored to ensure compliance with policies,
license use rights, procedures and with the organisation’s statutory obligations.
The organisation may at any time, and without notice, block any incoming or outgoing
communication that is considered to be not relevant to the conduct of the organisation’s or
NHS business or which could damage any of the organisation’s systems or information. It
is the user’s responsibility to check whether a suspicious e-mail has been detected on their
device and to inform the HBL ICT Department, which takes the corrective measures to
have NHSMail block these e-mails.
7.2.2 Inspection and Disclosure of Communications
All electronic communication may be inspected and disclosed under the provisions of the
Data Protection Act and GDPR from 2018 and the Freedom of Information Act (2000),
subject to the safeguards contained in the legislation. This may be done without informing
the sender or recipient.
Inspection and disclosure may also be done:
To discharge legal obligations and legal processes, and any other obligations to staff,
clients, patients, customers or any other persons;
To locate information required for the organisation’s or NHS business that is not
readily available by other means;
To safeguard assets and to ensure they are used in an appropriate manner;
In the course of an investigation into alleged criminal offences, misconduct or misuse.
7.2.3 Monitoring and Disclosure Procedures
Prior approval must be obtained from the appropriate Director/SIRO/Caldicott Guardian, in
addition to the ICT Department’s Director or Associate Director, before gaining access to the
contents of electronic communications or data stores, or disclosing information gained
from such access. See the NHSMail policies for details relating to e-mail.
8 Security Incident Management
The ICT Department will detect, investigate and resolve any suspected or actual breaches
of computer security. The processes for managing security incidents will be linked with
the organisation’s Incident Reporting Policies and Procedures.
8.1 Personal Data Breach
A personal data breach means a breach of security leading to the destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data. This means that a
breach is more than just losing personal data.
All suspected breaches must be reported at once to the organisation’s DPO. The
organisation will notify the relevant supervisory authority of a breach where it is likely to
result in a risk to the rights and freedoms of individuals. A notifiable breach has to be
reported to the relevant supervisory authority within 72 hours of the organisation
becoming aware of it.
8.2 Security Incidents
A security incident is an event that may result in:
the integrity of any system being jeopardised;
the availability of any system being jeopardised;
unauthorised disclosure of information or disruption of activity;
unauthorised or inappropriate use of assets and resources;
financial loss or loss of resources;
legal action.
All suspected security incidents must be reported at once to the ICT Department’s Service
Desk.
8.2.1 Logging Security Incidents
All ICT related incidents should be reported to the ICT Department via the Service Desk.
All actual or suspected security incidents will be formally logged, categorised by severity
and action/resolution recorded by the ICT Department’s Service Desk.
In addition, the organisation’s incident recording system may be used to log untoward
events. This process will record what happened, what was done, by whom, when, and the
final resolution. Refer to the Incident Policy for details.
Disaster Recovery procedures will be invoked in response to serious problems, e.g. the
inability to recover critical live systems.
9 Disciplinary Action
Members of staff who breach any aspect of this policy will be subject to disciplinary action
in line with the current disciplinary policy. Serious breaches will be regarded as gross
misconduct and may result in dismissal and potential referral to the Local Counter Fraud
Service (LCFS) for further investigation.
Appendix A. Organisational SIROs
Organisation SIRO Role
BCCG Director of Finance
ENHCCG Director of Finance
HCT Director of Finance
HPFT Director of Innovation and Transformation
HVCCG Director of Finance
LCCG Director of Finance
Appendix B. Comment Form
As part of the HBL ICT Services Department’s continuous improvement regime, please
complete this form. Any comments or feedback on this document should be addressed to the Owner.
Please provide your name and contact details in case clarification is required.
Name
Address
Phone
Please return to:
HBL ICT Services
Charter House
Welwyn Garden City
Hertfordshire, AL8 6JL
Please confirm the document to which you are responding: …
Please rate the document using the topics and criteria indicated below:
Very Good Good Average Fair Poor
Format and Layout
Accuracy
Clarity
Illustrations (tables, figures etc.)
When using the document, what were you looking for?
How could the document be improved?
How often do you use the document?
If you have additional comments, please include them below:
Thank you for your time