Information Security Policy (NHS England)
Information Security Policy
Version number: v2.0
First published: (updated only if this is applicable)
Prepared by: Corporate Information Governance
Classification: OFFICIAL

This information can be made available in alternative formats, such as easy read or large print, and may be available in alternative languages upon request. Please contact england.ig-corporate@nhs.net.

Document Number: | Issue Date: August 2018 | Version Number: 4.0 | Status: Approved | Next Review Date: March 2021 | 15 pages

NHS England INFORMATION READER BOX

Directorate: Medical; Operations and Information; Specialised Commissioning; Nursing; Trans. & Corp. Ops.; Strategy & Innovation
Publications Gateway Reference: 08542
Document Purpose: Policy
Document Name: Information Security Policy
Author: Corporate Information Governance
Publication Date: December 2018
Target Audience: All NHS England Employees
Additional Circulation:
Description: Policy and high level procedures for Information Security
Cross Reference:
Superseded Docs (if applicable): Information Security Policy v3.0
Action Required:
Timing / Deadlines (if applicable):
Contact Details for further information: Corporate Information Governance, NHS England, Quarry House, Quarry Hill, england.ig-corporate@nhs.net

Document Status: This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

Contents

1 Introduction 6
1.1 Background 6
1.3 Objectives 7
3 Roles and Responsibilities 7
3.1 Chief Executive 7
3.2 Senior Information Risk Owner 7
3.3 Data Protection Officer (DPO) 8
3.4 Senior Managers 8
3.5 Head of Corporate Information Governance (IG) 8
3.6 Head of Corporate ICT, Technology and IT Cyber Security 8
3.7 Information Asset Owners 9
3.8 All Staff 9
4 Policy Framework 9
4.1 Contracts of Employment 9
4.2 Security Control Assets 9
4.3 Access Controls 10
4.4 Computer Access Controls 10
4.5 Application Access Controls 10
4.6 Equipment Security 10
4.7 Computer and Network Procedures 10
4.8 Information Risk Assessment 10
4.9 Information Security Events and Weaknesses 10
4.10 Classification of Sensitive Information 11
4.11 Protection from Malicious Software 11
4.12 Removable Media 11
4.13 Monitoring System Access and Use 11
4.14 Accreditation of Information Systems 12
4.15 System Change Control 12
4.16 Business Continuity and Disaster Recovery Plans 12
4.17 Training / Awareness 12
4.18 IG requirements for New Processes, Services, Information Systems and
5 Distribution and Implementation 13
5.1 Distribution Plan 13
5.2 Training Plan 13
6 Monitoring 13
7 Equality Impact Assessment 13
8 Associated Documentation 13
9 References / legislation 14

1 Introduction

1.1 Background

NHS England is a public body with information processing as a fundamental part of its purpose. It is important, therefore, that the organisation has a clear and relevant Information Security Policy. This is essential to our compliance with data protection and other legislation, and to ensuring that confidentiality is respected.

The purpose of NHS England's Information Security Policy is to protect, to a consistently high standard, all information assets. The policy covers security which can be applied through technology but, perhaps more crucially, it encompasses the behaviour of the people who manage information in the line of NHS England.

Information security is about people's behaviour in relation to the information they are responsible for, facilitated by the appropriate use of technology. The business benefits of this policy and associated guidance are:

- Assurance that information is being managed securely and in a consistent and corporate way
- Assurance that NHS England is providing a secure and trusted environment for the management of information used in delivering its business
- Clarity over the personal responsibilities around information security expected of staff when working on NHS England business
- A strengthened position in the event of any legal action that may be taken against NHS England, assuming the proper application of the policy and compliance with it
- Demonstration of best practice in information security
- Assurance that information is accessible only to those authorised to have
- Assurance that risks are identified and appropriate controls are implemented and documented

The aim of NHS England's Information Security Policy is to preserve:

- Confidentiality: access to data shall be confined to those with appropriate
- Integrity: information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
- Availability: information shall be available and delivered to the right person at the time when it is needed.

1.3 Objectives

The objectives of this policy are to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by NHS England by:

- Ensuring that all members of staff are aware of their roles, responsibilities and accountability and fully comply with the relevant legislation as described in this and other Information Governance policies
- Working with other Arm's Length Bodies (ALBs) who share a common Open Service supply partner to develop collaborative approaches, systems and processes relating to information security
- Describing the principles of security and explaining how they are implemented in the organisation
- Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities
- Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of the day to day business
- Protecting information assets under the control of the organisation

Staff of the following NHS England areas are within the scope of this document:

- Staff working in or on behalf of NHS England; this includes contractors, temporary staff, embedded staff, secondees and all permanent employees
- NHS England's Commissioning Support Units

The information within scope includes:

3 Roles and Responsibilities

3.1 Chief Executive

Responsibility for information security resides ultimately with the Chief Executive. This responsibility is discharged through the designated roles of Senior Information Risk Owner (SIRO) and Head of Corporate ICT, Technology and Security, as required by the Information Governance Data Security and Protection (DSP) Toolkit.

3.2 Senior Information Risk Owner

The Senior Information Risk Owner (SIRO) is responsible for information risk within NHS England and advises the Board on the effectiveness of information risk management across the organisation.

Deputy SIROs have also been appointed in Region Teams to support the SIRO for NHS England.

Hosted bodies, including CSUs, will have their own SIRO.

3.3 Data Protection Officer (DPO)

As a public authority, NHS England is required to appoint a Data Protection Officer by the General Data Protection Regulation (GDPR). The Information Governance Policy establishes this role. The DPO is responsible for providing advice and monitoring compliance, and is the first point of contact in the organisation for data protection matters. The DPO reports to the SIRO and directly to the Board in relation to data protection matters.

CSUs have appointed Deputy DPOs that report directly to the NHS England DPO.

3.4 Senior Managers

Senior Managers are responsible for the security of their physical environments where information is processed or stored. Furthermore, they are responsible for:

- Ensuring that all staff (permanent, temporary and contractor) are aware of the information security policies, procedures and user obligations applicable to their area of work
- Ensuring that all staff (permanent, temporary and contractor) are aware of their personal responsibilities for information security
- Determining the level of access to be granted to specific individuals
- Ensuring staff have appropriate training for the systems they are using
- Ensuring staff know how to access advice on information security matters

3.5 Head of Corporate Information Governance (IG)

The Head of Corporate Information Governance will be responsible for maintaining appropriate policies and guidance for staff around the use and processing of personal data and of information contained within NHS England's information assets, in line with data protection and data security legislation and regulations.

3.6 Head of Corporate ICT, Technology and IT Cyber Security

The Head of Corporate Information Governance is supported in this role by the Head of Corporate ICT, Technology and IT Cyber Security.

The Head of Corporate ICT, Technology and IT Cyber Security is responsible for developing, implementing and enforcing suitable and relevant information security procedures and protocols to ensure NHS England's systems and infrastructure remain compliant with the Data Protection Act 2018.
The Head of Corporate ICT, Technology and Cyber Security is responsible for ensuring that all NHS England electronic equipment and assets have adequate security measures to comply with data protection and data security legislation and regulations.

3.7 Information Asset Owners

All Information Asset Owners are responsible for ensuring that third party data processors have appropriate ISO and/or Cyber Essentials accreditation, where appropriate, for assets stored electronically with third parties. Information Asset Owners are also responsible for ensuring appropriate data protection assurance from all third party suppliers processing NHS England data.

3.8 All Staff

All staff are responsible for information security and therefore must understand and comply with this policy and associated guidance. Failure to do so may result in disciplinary action. In particular, all staff should undertake their mandatory annual Data Security Awareness training and understand:

- What information they are using, and how it should be protectively handled, stored and transferred
- What procedures, standards and protocols exist for the sharing of information with others
- How to report a suspected breach of information security within the organisation
- Their responsibility for raising any information security concerns with the Head of Corporate ICT, Technology and Security

Contracts with external contractors that allow access to the organisation's information systems must be in operation before access is allowed. These contracts must ensure that the staff or sub-contractors of the external organisation comply with all appropriate security policies.

4 Policy Framework

4.1 Contracts of Employment

Staff security requirements shall be addressed at the recruitment stage, and all contracts of employment shall contain an appropriate confidentiality clause.
Information security expectations of staff shall be included within appropriate job definitions and descriptions.

4.2 Security Control Assets

NHS England Corporate ICT will establish an ICT asset management process and associated system; this will involve support and collaboration from the OpenService vendor where applicable.

All ICT assets (hardware, software, application or data) shall have a named Information Asset Owner (IAO), who shall be responsible for the information security of that asset.

4.3 Access Controls

Access to information shall be restricted to users who have an authorised business need to access the information, and as approved by the relevant IAO.

4.4 Computer Access Controls

Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need (e.g. systems or database administrators). Authorisation to use an application shall depend on the availability of a licence from the supplier.

4.5 Application Access Controls

Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need (e.g. systems or database administrators). Authorisation to use an application shall depend