Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018
1.0 Executive Summary

The Trust has received a request from NHS Improvement (NHSI) to self-assess and provide assurance to its Board of Directors, and in turn to NHSI, on ten data security standards and statutory obligations on data protection and data security. This report presents an assessment, assurance and any actions required in respect of each of the ten standards to enable the Trust to submit the return to NHSI by the end of March. Overall it is recommended that the Trust is in a strong position in respect of the ten standards; those rated amber require a further verbal update at the Board meeting, due to the timing of the report, or require formal approval of submissions.

2.0 Background

From April 2018 the new Data Security and Protection (DSP) Toolkit replaces the Information Governance (IG) Toolkit. It will form part of a new framework for assuring that all health and social care organisations contracted to provide services under the NHS Standard Contract implement the ten data security standards and are meeting their statutory obligations on data protection and data security, as part of the data security and protection requirements set out in that contract. When considering data security as part of the well-led element of inspections, the Care Quality Commission (CQC) will also look at how organisations are assuring themselves that the steps set out in this document are being taken.

3.0 NHS Providers

At the end of the 2017/18 financial year NHSI will ask NHS providers to confirm that they have implemented the requirements set out in this document. In the longer term NHSI will ensure that data security is included in their oversight arrangements.

3.1 Leadership Obligation One - People

1. Senior Level Responsibility

Requirement: There must be a named senior executive to be responsible for data and cyber security in your organisation. Ideally this person will also be your Senior Information Risk Owner (SIRO), and where applicable a member of your organisation's board.

Trust position: The Chief Operating Officer (COO) is the senior executive on the Trust Board responsible for Information Technology. Information Governance (which currently incorporates Information Security) sits within the Chief Finance Officer (CFO), who is also the SIRO. The Medical Director undertakes the Caldicott Guardian role. Cyber Security is a standing agenda item for discussion within the Estates & IT Steering Group (EITSG), chaired by the COO, which reports to the Finance and Performance Assurance Committee (FPAC). In addition, there is a specific risk in respect of cyber security on the Board Assurance Framework which is reviewed at EITSG and on a quarterly basis by the Trust Board.

Action: Consideration to be given as to whether the SIRO should become responsible for Cyber Security, or whether the responsibility is shared between the CFO and the COO with the different areas of responsibility in both roles made explicit.

2. Completing the Information Governance Toolkit v14.1

Requirement: In 2017/18, organisations are still required to achieve at least level two on the current IG Toolkit before it is replaced with a new approach (DSP Toolkit), from 2018/19 onwards, to measuring progress against the ten data security standards.

Trust position: The submission for the IG Toolkit for 17/18 is in the final stages of being finalised and there is an expectation that the Trust will achieve the minimum level 2 on all domains and controls. An Internal Audit report was received by the Audit Committee on 22/3/18 providing significant assurance in respect of the IG Toolkit submission by year end.

Action: Formal approval of the 17/18 IG Submission to be given by QGRC virtually by 29th March.

3. Prepare for the introduction of the General Data Protection Regulation (GDPR) in May 2018

Requirement: The Beta version of the Data Security and Protection Toolkit, to go live in February 2018, will help organisations understand what actions they will need to take to implement GDPR, which comes into effect in May 2018.

Trust position: Significant work has already been undertaken in this area by the Information Governance team. A GDPR guide has also been produced and IG colleagues have attended a number of staff meetings, forums and groups. However, no formal assessment has been received by the Trust Board or its committees to date.

Action: Formal assurance on the Trust position in respect of the requirements of GDPR and the Beta version of the DSP Toolkit to be presented to QGRC in April, ahead of the May 2018 implementation date.

4. Training Staff

Requirement: All staff must complete appropriate annual data security and protection training. This training replaces the previous IG training whilst retaining key elements of it.

Trust position: All staff are mandated to complete the current IG training annually, which includes training on data security and protection. Compliance as at the end of February 2018 is 96%. The IG Team has processes in place to monitor this training take-up, escalate to managers as required and prompt areas that may be falling behind. This is covered by remedial action plans at PPMG as required.

3.2 Leadership Obligation Two - Processes

5. Acting on CareCERT advisories

Requirement: Organisations must: act on CareCERT advisories where relevant to your organisation; confirm within 48 hours that plans are in place to act on High Severity CareCERT advisories, and evidence this through CareCERT Collect; and identify a primary point of contact for your organisation to receive and coordinate your organisation's response to CareCERT advisories, and provide this information through CareCERT Collect.

Trust position: CareCERT advisories are already actioned by Technical Services staff in IT. The Technical Services Manager is the primary point of contact to receive and co-ordinate responses. Where confirmation and updates on CareCERT plans are required, these are co-ordinated by the Technical Services Manager and are responded to in a timely manner.

6. Continuity planning

Requirement: A comprehensive business continuity plan must be in place to respond to data and cyber security incidents.

Trust position: Business continuity planning is an on-going process that ensures all areas of the Trust (clinical, non-clinical and corporate) have up to date business continuity plans in place. Business continuity planning incorporates all potential service disruptions, including specific IT, data and cyber security incidents. Following the WannaCry malware attack in May 2017 (which was a live exercise in business continuity), a large amount of feedback and lesson learning took place, with comprehensive reports and a Cyber Incident Recovery Plan forming the outputs from this work. The Trust has a risk in respect of ensuring resilience against cyber attacks and supporting the timely response and return of services to BAU should an attack be experienced. Mitigating actions include the comprehensive business continuity planning for all areas.

7. Reporting incidents

Requirement: Staff across the organisation report data security incidents and near misses, and incidents are reported to CareCERT in line with reporting guidelines.

Trust position: The Trust has significantly updated and increased its existing cyber security to mitigate against the continual threat of further cyber attacks and malware. Trust staff are aware of the need to log all incidents and near misses on Datix and, in addition, with the IT Service Desk. A cyber security report is received as a standing item at every EITSG. All incidents are also reported to CareCERT (via the Technical Services Manager) in line with reporting guidelines.

3.3 Leadership Obligation Three - Technology

8. Unsupported systems

Requirement: Your organisation must: identify unsupported systems (including software, hardware and applications); and have a plan in place by April 2018 to remove, replace or actively mitigate or manage the risks associated with unsupported systems.

Trust position: Unsupported systems such as Windows XP and Microsoft Server 2003 have already been addressed: they are no longer supported and staff have been upgraded. Other unsupported systems / hardware are currently being addressed through capital funds provided by NHS Digital and procurement taking place throughout March (to replace hardware and thereby enable software upgrades to be implemented, or to facilitate the latest software / firmware being present on the new device); hence the status of not complete at the time of writing this report. The cyber security report received at every EITSG identifies laptops that have not been connected to the network for two months to enable automatic updates. Details are escalated to managers and machines are disabled until clarification is received as to requirements for access, and updates enabled.

9. On-Site Assessments

Requirement: Your organisation must: undertake an on-site cyber and data security assessment if you are invited to do so by NHS Digital; and act on the outcome of that assessment, including any recommendations, and share the outcome of the assessment with your commissioner.

Trust position: The Trust has already undertaken such an assessment through NHS Digital and is working through the recommendations (supported by capital funds provided by NHS Digital). The Trust has also undertaken a separate Cyber Security audit via Internal Audit and associated third party consultants, with an accompanying audit report and action plan forming the outputs. Updates on both action plans have been provided to both the Audit Committee and to the Estates & IT Steering Group.

10. Checking Supplier Certification

Requirement: Your organisation should ensure that any supplier of IT systems (including other health and care organisations) and the system(s) provided have the appropriate certification.

Trust position: The Trust is contacting all IT systems suppliers to confirm they comply with, and have supplied evidence of, the appropriate cyber security standards, accreditation and legislation, as per the certification frameworks provided by NHS Digital [1]. A deadline for confirmation has been set as Friday 30th March 2018 and progress will be provided verbally at the Trust Board meeting on 29th March 2018; hence the status at the time of writing the report. Allied to this, every IT system procured and implemented by the Trust is subject to a Privacy Impact Assessment, an element of which requires confirmation of the supplier's Information Security certifications, processes and procedures together with supporting evidence.

[1] NHS Digital good practice guide on the management of unsupported systems can be found at:
More informationTo be an active partner, always ready to improve by working with others
Title of Report: Prepared By: Sponsor: Action Required: Statement of Assurance/Readiness Preparedness to Major Incidents Ben Cockerill, Emergency Planning Officer Kevin O Leary, Deputy Director of Operations
More informationIsaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.
Isaca EXAM - CISM Certified Information Security Manager Buy Full Product http://www.examskey.com/cism.html Examskey Isaca CISM exam demo product is here for you to test the quality of the product. This
More informationNERC Staff Organization Chart Budget 2019
NERC Staff Organization Chart Budget 2019 President and CEO Associate Director to the Office of the CEO Senior Vice President and Chief Reliability Senior Vice President, General Counsel and Corporate
More informationNew Zealand Certificate in Regulatory Compliance (Core Knowledge) (Level 3)
New Zealand Certificate in Regulatory Compliance (Core Knowledge) (Level 3) If your staff need to learn the basics about regulatory compliance in New Zealand, then this is the paper for them. This qualification
More informationNERC Staff Organization Chart Budget 2018
NERC Staff Organization Chart Budget 2018 President and CEO Associate Director to the Office of the CEO Senior Vice President and Chief Reliability Senior Vice President, General Counsel and Corporate
More informationTurning Risk into Advantage
Turning Risk into Advantage How Enterprise Wide Risk Management is helping customers succeed in turbulent times and increase their competitiveness Glenn Tjon Partner KPMG Advisory Presentation Overview
More informationNational Ophthalmology Database Audit: Information Governance Overview V1.9
Policy Document National Ophthalmology Database Audit: Information Governance Overview V1.9 18 Stephenson Way, London, NW1 2HD T. 020 7935 0702 contact@rcophth.ac.uk rcophth.ac.uk @RCOphth The Royal College
More informationManager, Infrastructure Services. Position Number Community Division/Region Yellowknife Technology Service Centre
IDENTIFICATION Department Position Title Infrastructure Manager, Infrastructure Services Position Number Community Division/Region 32-11488 Yellowknife Technology Service Centre PURPOSE OF THE POSITION
More informationThe NIS Directive and Cybersecurity in
The NIS Directive and Cybersecurity in ehealth Dr. Athanasios Drougkas Officer in NIS Belgian Hospitals Meeting on Security Brussels 13 th October European Union Agency For Network And Information Security
More informationCyber Security Standards Drafting Team Update
Cyber Security Standards Drafting Team Update Michael Assante, VP & Chief Security Officer North American Electric Reliability Corp. February 3, 2008 Overview About NERC Project Background Proposed Modifications
More informationPrivacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016
Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016 Pēteris Zilgalvis, J.D., Head of Unit for Health and Well-Being, DG CONNECT Table of Contents 1. Context
More informationCyber Security Program
Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by
More informationNERC Staff Organization Chart Budget 2019
NERC Staff Organization Chart Budget 2019 President and CEO Associate Director to the Office of the CEO Senior Vice President and Chief Reliability Officer Senior Vice President, General Counsel and Corporate
More informationCyber Security Strategy
Cyber Security Strategy Committee for Home Affairs Introduction Cyber security describes the technology, processes and safeguards that are used to protect our networks, computers, programs and data from
More informationAneurin Bevan Health Board
Aneurin Bevan Health Board Information Governance Committee Minutes of the meeting held on 10 February 2010, 2pm, in the Small Boardroom, Mamhilad House Present: Prof Janet Wademan - Independent Member
More informationDEPARTMENT OF HEALTH and HUMAN SERVICES. HANDBOOK for
DEPARTMENT OF HEALTH and HUMAN SERVICES HANDBOOK for FEDERAL ACQUISITION CERTIFICATION PROGRAM/PROJECT MANAGERS Issuer Office of the Secretary Office of the Assistant Secretary for Financial Resources
More informationAPF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.!
enquiries@privacy.org.au http://www.privacy.org.au/ 28September2012 APFsubmission draftmandatorydatabreachnotification intheehealthrecordsystemguide. The Australian Privacy Foundation (APF) is the country's
More informationSAFE USE OF MOBILE PHONES AT WORK POLICY
SAFE USE OF MOBILE PHONES AT WORK POLICY Links to Lone Working Policy, Personal Safety Guidance, Lone Working Guidance, Information Governance Policy Document Type General Policy Unique Identifier GP31
More informationPS Mailing Services Ltd Data Protection Policy May 2018
PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Limited is a registered data controller: ICO registration no. Z9106387 (www.ico.org.uk 1. Introduction 1.1. Background We collect
More information