Information Security Policy 7 - NHSGGC


Information Security Policy 7
Asset Management

Lead Manager: Head of Operations
Responsible Director: Director eHealth
Approved By: Information Governance Steering Group
Date Approved: December 2019
Review Date: December 2021
Version No.: N1.0

THIS DOCUMENT IS CURRENT AS AN ON LINE DOCUMENT

Consultation and Distribution Record

Contributing Authors: IT Compliance Manager
Consultation Process / Stakeholders: Information Governance Steering Group
Distribution: All Staff

Change Record
Date: 1 Oct 2019 | Author: S Harris | Change: New Asset Management Policy

Contents

1 INTRODUCTION
2 Policy Objectives
3 SCOPE
4 LOCATION
5 ASSET MANAGEMENT: RESPONSIBILITY FOR ASSETS
  5.1 INVENTORY OF ASSETS
    5.1.1 Physical Assets
    5.1.2 Software Assets
  5.2 OWNERSHIP OF ASSETS
  5.3 ACCEPTABLE USE OF THE ASSETS
  5.4 RETURN OF ASSETS
6 ASSET MANAGEMENT: INFORMATION CLASSIFICATION AND LIFECYCLE
  6.1 CLASSIFICATION OF INFORMATION
  6.2 LABELLING OF INFORMATION
  6.3 HANDLING OF ASSETS
  6.4 INFORMATION AND DATA LIFECYCLE
  6.5 INFORMATION ASSET REGISTER
7 ASSET MANAGEMENT: INFORMATION AND DATA STORAGE AND PROTECTION
  7.1 INFORMATION AND DATA PROTECTION
  7.2 RESILIENCE
8 ASSET MANAGEMENT: MEDIA HANDLING
  8.1 MANAGEMENT OF REMOVABLE MEDIA
  8.2 DISPOSAL OF MEDIA
  8.3 PHYSICAL MEDIA TRANSFER
9 INFORMATION SECURITY POLICY FRAMEWORK (2018) CONTROL
10 REFERENCES
  10.1 Internal
  10.2 External

1 INTRODUCTION

This Policy supports the implementation of the sub-control objectives relating to the Organisation of Information Security as part of the Network and Information Systems Regulations (2018). It replaces the previous Information Security, Asset Management and Media Handling Policy and now includes Responsibility for Assets, Information Classification and Lifecycle, and Information and Data Storage and Protection.

2 Policy Objectives

The objectives of this policy are:
- To identify organisational assets and define appropriate protection responsibilities
- To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation
- To ensure that information and data storage is managed and protected

3 SCOPE

NHS GG&C employs tens of thousands of staff, agency workers, and contractors who use tens of thousands of IT assets to access information assets. This policy relates to all elements of NHS GG&C where information is used or operated, including those supplied or operated on its behalf by external contractors. It also applies to joint working arrangements with other agencies.

This policy is applicable to all NHS GG&C data and information and to all people accessing such data and information from any location, regardless of the method used. It also applies to all staff accessing other information resources using NHS systems or equipment.

4 LOCATION

Where the term staff is used it shall be taken to apply to full or part time employees, contractors, volunteers or third parties that work on behalf of NHS GG&C.

5 ASSET MANAGEMENT: RESPONSIBILITY FOR ASSETS

The eleven sub-controls of this policy are designed to reduce the impact of the following threats, as defined in the Information Security Risk Management Policy.
Threat Number | NHSGGC Commonly Identified Threats
T1  | Deliberate unauthorised access or misuse by known outsiders (including supplier)
T2  | Deliberate unauthorised access or misuse by insiders (staff, contractors etc.)
T3  | Theft or wilful damage by outsiders of data or equipment
T4  | Theft or wilful damage by insiders of data or equipment
T5  | User error, unintentional change of data in an information system
T6  | Account Sharing by authorised users
T7  | Theft of data via Unauthorised Access by Hacker/Malicious External Actor
T8  | Communications intercepted en route
T9  | Introduction of damaging or disruptive software or Malicious code (e.g. malware)
T10 | Phishing/Social Engineering
T11 | Breach of legislation, Privacy/Regulation issue
T12 | Accidental misrouting of data, wrong recipients
T13 | Inadequate or absent audit trail
T14 | Network connection failures
T15 | Infrastructure technical failure
T16 | Environmental failure like Loss of Electricity
T17 | System or network software failure
T18 | Supplier withdraws a key product in the solution or end of life
T19 | Key supplier becomes insolvent
T20 | Supply chain cyber attack
T21 | Act of Terrorism
T22 | DDoS Attack for Public Facing services

5.1 INVENTORY OF ASSETS

Assets associated with information processing and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. IT Assets include:

5.1.1 Physical Assets
- Desktops, laptops and server computers, associated storage and backup infrastructure
- Printers and scanners
- Routers, firewalls, switches

5.1.2 Software Assets
- Software licences

5.2 OWNERSHIP OF ASSETS

Assets must have an identified owner.

5.3 ACCEPTABLE USE OF THE ASSETS

Information assets must only be used in support of the business and clinical purposes of GG&C. GG&C hardware and software assets can only be used in support of the business and clinical purposes of GG&C, or for authorised reasonable personal use as defined in the Internet Acceptable Use Policy.

5.4 RETURN OF ASSETS

As part of their exit interview, line managers shall ensure that all employees and external party users return all of the organisation's assets in their possession upon termination of their employment, contract or agreement.

6 ASSET MANAGEMENT: INFORMATION CLASSIFICATION AND LIFECYCLE

6.1 CLASSIFICATION OF INFORMATION

The Records Management Plan shall show information classification in terms of legal requirements, value, criticality and sensitivity to unauthorised modification.

6.2 LABELLING OF INFORMATION

The Organisation's information labelling follows the UK Government Security Classification Framework and its impact on health and social care information sharing.

Label: Green or Non-Sensitive Information
Description: This is information which is unlikely to cause distress to individuals, breach confidence or cause any financial or other harm to the organisation if lost or disclosed to unintended recipients. This can include information which mentions only a person's name (e.g. routine appointment confirmation letter) as long as it does not contain anything that is judged to describe a person's physical or mental state.
Example: Anonymised Data, Only CHI Number, Only Name

Label: Amber or Sensitive Information
Description: In most boards the largest proportion of patient information can be said to require extra protection because it constitutes sensitive personal data as defined by the Data Protection Act. In particular:
- Any information about an individual (i.e. anything clinical or non-clinical) that would cause short-term distress, inconvenience or significant embarrassment if lost.
- Any information which if lost or disclosed to unintended recipients would lead to a low risk to a person's safety (e.g. loss of an address but no evidence to suggest direct harm would result).
- Any information if lost that would be likely to negatively affect the efficiency of that service (e.g. cancellation of appointments).
Example: Name and Address or demographic information, No Clinical Information or Business Information about system configuration

Label: Red or High Sensitive Information
Description: Most boards also hold some information which is highly sensitive. Particularly:
- Any information which if lost could directly lead to actual harm (e.g. to mental health or put the person at physical risk from themselves or others in any way).
- Any information that would in the opinion of a qualified person cause substantial distress and/or constitute a substantial breach in privacy (e.g. identity theft, loss of professional standing) to the subject. This is likely to include for example information on a person's sexual health.
- Information that affects the privacy or could cause distress to more than one individual (e.g. several family members or several linked persons contained in a file).
- Information relating to vulnerable persons' health (e.g. child protection cases).
- Information governed by legislation that requires additional layers of security and recognises the substantial distress that would be caused by loss (e.g. embryology, human fertilisation and gender re-assignment).
- Information if lost that is likely to result in undermining confidence in the service or would cause significant financial loss to the organisation, prejudice investigation of crime etc.
Example: Any Clinical Information

6.3 HANDLING OF ASSETS

Information assets must be protected in line with their classification. User access to sensitive information is based on defined role and requirement and controlled through Role Based Access Control (RBAC).

6.4 INFORMATION AND DATA LIFECYCLE

Information and data shall be retained and destroyed as defined in the GG&C Records Management Plan.

6.5 INFORMATION ASSET REGISTER

Key information assets and their owners must be identified and documented on the Information Asset Register. Identification must include whether an asset is a Business Sensitive Information Asset or a Patient Sensitive Information Asset.

7 ASSET MANAGEMENT: INFORMATION AND DATA STORAGE AND PROTECTION

7.1 INFORMATION AND DATA PROTECTION
- Critical data must have real-time replication.
- Off-line backups must be maintained and securely stored to support recovery and data retention requirements.
- Access to backups is restricted to administrators.
- Administrator accounts cannot modify backups.
- Backup administrator account activities are logged.

7.2 RESILIENCE

Backup is available to support service delivery should the original data not be available.

8 ASSET MANAGEMENT: MEDIA HANDLING

8.1 MANAGEMENT OF REMOVABLE MEDIA
- For endpoint devices only authorised removable media will be used.
- For computer room services removable media will be appropriately managed.

8.2 DISPOSAL OF MEDIA

Media shall be disposed of securely when no longer required, using formal procedures.

8.3 PHYSICAL MEDIA TRANSFER

Media containing information shall be protected against unauthorised access, misuse or corruption during transportation.

9 INFORMATION SECURITY POLICY FRAMEWORK (2018) CONTROL

11) Asset Management: responsibility for assets

Objective: To identify organisational assets and define appropriate protection responsibilities.

Sub-control (ISO 27001-CAF-ICO Ref. no.) | Detail
a) Inventory of assets (ISO: A.8.1.1) | Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
b) Ownership of assets (ISO: A.8.1.2) | Assets maintained in the inventory shall be owned.
c) Acceptable use of the assets (ISO: A.8.1.3) | Rules for the acceptable use of information and of the assets associated with information and information processing facilities shall be identified, documented and implemented.
d) Return of assets (ISO: A.8.1.4) | All employees and external party users shall return all of the organisational assets in their possession upon termination of their employment, contract or agreement.

12) Asset Management: Information Classification & Lifecycle

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation.

Sub-control (ISO 27001-CAF-ICO Ref. no.) | Detail
a) Classification of information (ISO: A.8.2.1) (CAF: B3.a) | Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
b) Labelling of information (ISO: A.8.2.2) | An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme to be adopted by the organisation.
c) Handling of assets (ISO: A.8.2.3) (CAF: B3.a) | Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organisation. User access to sensitive information is controlled.
d) Information and data lifecycle (CAF: B3.a) | Policies on the lifecycle management of information and data shall be developed from creation through retention and destruction. This will include documentation of retention times for data categories and evidence of audit procedures for information destruction.
e) Information asset register (CAF: A3.a) | Key information assets and their owners shall be identified and documented in an Information Asset Register (IAR). Impact on assets needs to be assessed in terms of confidentiality, integrity and availability.

13) Asset Management: Information & data storage & protection

Objective: To ensure that information and data storage is managed and protected.

Sub-control (ISO 27001-CAF-ICO Ref. no.) | Detail
a) Information and data protection (CAF: B3.c) | There are suitable physical or technical means in place to protect stored data from unauthorised access, modification or deletion. Necessary historic or archive data is suitably secured in storage.
b) Service resilience (CAF: B3.c, D1.b) | There are secured backups of data (electronic or hardcopy) that are available to allow service delivery continuity should the original data not be available.

10 REFERENCES

10.1 Internal
- Return of Assets - Leavers Checklist: xit-process/
- Disposal of Media - asset management process
- Records Management Plan: /#
- NHSS Standard/policy/guidance
- GG&C Information Asset Register: about%20staffnet/Lists/Information%20Asset%20Register%20Form/AllItems.aspx
- Media Handling Procedure: c/HIT/eHealth/CS/Procedure%20Documents/Forms/AllItems.aspx
- Implementing the Business Classification Scheme: rvices/eHealth/LN/Pages/ImplementingBCS.aspx

10.2 External
- Mobile Data Standard (May 2012)
- NHSScotland records management code of practice (v2.0, March 2010)
- Revised Section 61: Scottish Ministers' Code of Practice on Records Management by Scottish Public Authorities
- Disposal and Destruction of Sensitive Data (CfH v1.0 Mar 2006)
- HMG IA5 Secure Sanitation (UNCLASSIFIED) (Cabinet Office, v4 April 2011)
