Information Security Policy
Printed copies should not be considered the definitive version
DOCUMENT CONTROL
Policy No.: 77
Policy Group: Information Assurance and Security
Author: Andrew Turner
Version No.: 1.3
Reviewer: Medical Director
Implementation Date: Aug 2013
Scope (Applicability): Board wide
Next review date: Aug 2016
Status: Final
Last review date: New document
Approved By: Dr Cameron, Information Assurance Committee, Area Partnership Forum
NHS Dumfries & Galloway
Page 2 of 17 Pages
Title: Information Security Policy
Date Aug 2013
Version: 1.3
Author: Andrew Turner
The only current version of this document is on the Intranet.
Contents
1. OVERVIEW 4
2. POLICY AIMS 4
3. SCOPE & APPLICABILITY 4
4. RESPONSIBILITIES 5
a. Chief Executive 5
b. Medical Director 5
c. Caldicott Guardian 6
d. Information Assurance Committee 6
e. eHealth Lead 6
f. eHealth IM&T Department 6
g. Third Parties 7
h. Data Protection Officer 7
i. Information Governance and Security Lead 7
j. Line Managers 8
k. All Staff 8
5. OPERATIONAL SYSTEMS 9
a. Confidentiality of IT Systems will be maintained by ensuring that: 9
b. Integrity of IT Systems will be maintained by ensuring: 10
c. Availability of IT Systems will be maintained by ensuring: 10
6. MOBILE COMPUTING 10
7. SYSTEM PROCUREMENT, DEVELOPMENT AND IMPLEMENTATION 10
8. COMPLIANCE 11
9. RISK MANAGEMENT AND BUSINESS CONTINUITY 11
10. EQUALITY AND DIVERSITY 11
11. RELATED DOCUMENTS 12
12. Appendix 1 – Policy Approval Checklist 13
13. Appendix 2 - Document Status 14
14. Appendix 3 - Communication Action Plan for Implementation 15
15. Appendix 4 – Related Documents 16
16. Appendix 5 – Codes of Practice 17
1. OVERVIEW
a. The purpose of information security is to ensure business continuity and
minimise risk by preventing or reducing the impact of security incidents.
Information security enables information to be shared while ensuring the
protection of information assets.
b. Information takes several forms: it can be stored on computers, transmitted
across IT networks, printed out, recorded as audio or video, stored on optical
media (CD, DVD or Blu-ray discs) or written down on paper.
c. From an Information Security perspective, appropriate protection should be
applied to all forms of information stored, including paper-based information,
computer databases, portable and fixed IT media and any other methods used
to communicate information.
d. This policy sets out clear management direction and support for information
security across NHS Dumfries & Galloway in accordance with business
requirements, legislation, regulations, standards and guidance.
e. It demonstrates management support for, and commitment to, information
security through issuing this policy for user acceptance and compliance, as well
as any related policies, procedures and guidelines, including user education
and awareness across NHS Dumfries & Galloway. The purpose of this policy is
to protect all NHS Dumfries & Galloway information assets from threats, internal
or external, deliberate or accidental.
f. It is important that Information Security does not act as a barrier to sharing the
right information with the right person at the right place and at the right time.
Where a clear business need is established for information to be shared, both
internally within the Board and externally with our partners, appropriate
Information Sharing Protocols will be developed which enable this sharing to
take place. In most cases this will come under the auspices of the Scottish
Accord for the Sharing of Personal Information (SASPI). This process will
ensure that sharing of information is performed in a secure, considered and
controlled manner which enables effective delivery of healthcare whilst
preserving the appropriate levels of security.
2. POLICY AIMS
a. This policy aims to:
i. Provide guidance on the procedures and methods which are to be
employed to maintain the confidentiality, integrity and availability of all
sensitive information throughout NHS Dumfries & Galloway.
ii. Detail the roles and responsibilities and supporting organisational
monitoring arrangements for ensuring that information is accessed,
processed and used safely, securely and effectively.
iii. Provide a framework under which NHS Dumfries & Galloway can
ensure compliance with all relevant legislation and policies.
3. SCOPE & APPLICABILITY
a. This policy applies to all information assets held by NHS Dumfries & Galloway
in any format and is intended to be fully consistent with the Information Security
Policy and Standards of NHS Scotland.
b. This policy applies to all users who undertake work for NHS Dumfries &
Galloway or use any part of the IT infrastructure, whether as an employee, a
student, a volunteer, a contractor, a partner agency, an external consultant or a
3rd party supplier.
c. It is a management requirement that all NHS Dumfries & Galloway information
assets are properly safeguarded against breaches of confidentiality, integrity
and availability.
d. In order to achieve this, the following attributes will at all times be in place with
respect to matters relating to Information Assurance:
i. Information Security Policy, objectives, activities and improvements will
be aligned with the business objectives and organisational culture of
NHS Dumfries & Galloway and meet the requirements of
ISO/IEC27002, the Code of Practice for Information Security
Management.
ii. A risk based approach to Information Security will be maintained
enabling informed decisions on information security initiatives and
ensuring that budget and resources are focussed appropriately. These
security initiatives will meet the following objectives:
1. Prevention of incidents via the identification and reduction of
risks.
2. Detection of incidents before damage can occur.
3. Recovery from incidents via containment and repair of damage
and prevention of reoccurrence.
iii. Information security will be promoted at all levels of the business
through comprehensive user awareness education and training.
iv. Management will actively support information assurance initiatives,
ensure they remain abreast of the risks to information assets and
champion the continual improvement of information security within NHS
Dumfries & Galloway.
v. An effective Information Security architecture will be maintained.
vi. An effective Information Security Policy and procedural environment
will be maintained ensuring that:
1. All information assets are protected against unauthorised
access and disclosure.
2. Confidentiality of information will be assured at all times.
3. Integrity of information will be maintained at all times.
4. Business requirements for availability will be met.
5. Breaches of security both actual and suspected are reported
and investigated.
6. Classification and ownership of information assets will be
applied.
7. Regulatory and legislative requirements will be met, including
compliance with the UK Data Protection Act 1998.
4. RESPONSIBILITIES
a. Chief Executive
i. Final responsibility for the secure operation of all systems used to store
information assets in NHS Dumfries & Galloway is vested in the Chief
Executive. This responsibility is delegated, through the medium of this policy,
to all staff developing, introducing, managing and using information systems.
b. Medical Director
i. The Medical Director has executive responsibility for Information
Assurance and Security Planning.
ii. The Medical Director has responsibility for ensuring that Information
Assurance and Security is adequately and appropriately resourced to
complete its function.
c. Caldicott Guardian
i. The responsibility for maintaining the confidentiality of patient
identifiable information rests with the NHS Dumfries & Galloway
Caldicott Guardian.
d. Information Assurance Committee
i. The NHS Dumfries & Galloway Information Assurance Committee has
the responsibility to monitor compliance with, to review and to approve
all Information Security policies.
ii. The IAC will report twice a year to the Clinical Governance Committee
on levels of compliance with policy.
e. eHealth Lead
i. The eHealth Lead has the responsibility to ensure that:
1. The IT infrastructure supports and enables all Information
Security policies to be implemented and maintained.
2. IM&T staff work within a clear framework which promotes
Information Security, and that this framework is documented
and regularly reviewed within the department.
f. eHealth IM&T Department
i. All members of the eHealth IM&T Department have the responsibility to
ensure that:
1. IT systems are held in secure areas that provide protection
from unauthorised access and environmental threats such as
fire, flood and loss of power.
2. IT systems used to store NHS Dumfries & Galloway data are
recorded and any movements tracked to ensure that theft or
loss is detected.
3. All information assets are securely removed before equipment
is re-allocated or sent for secure disposal/destruction.
4. Protection against malicious code is operated on all
workstations, servers and data exchange systems.
5. All incoming data (including data held on IT media, e-mail and
Internet downloads) is scanned for malicious code before
installation or use.
6. Back-up and recovery procedures are in place to assist in
business contingency arrangements.
7. Interaction with external IT systems is recorded and monitored.
This includes the monitoring of e-mail and other data streams
up-loaded to, or downloaded from, any NHS Dumfries &
Galloway system.
8. Back-ups of IT systems are kept in a secure place and
success/failure results recorded.
9. A regime of test bare-metal restores is performed to ensure the
viability of backups. Details of the success/failure of these tests
must be recorded.
10. Quarterly reports showing the following must be sent to the
Information Governance and Security Lead for presentation at
the Information Assurance Committee meeting:
a. Major system outages for the period with details of
steps taken to prevent repeated failures.
b. Failures of backups and details of rectification
processes put in place.
c. Success and failures of test restores and details of
rectification processes put in place.
d. Numbers of virus/malware infections
e. Numbers of user login failures resulting in user lockout.
g. Third Parties
i. Third parties with access to NHS Dumfries & Galloway information
must be governed as follows:
1. Shared accesses to information will be governed by the
principles provided by the Scottish Accord for the Sharing of
Personal Information (SASPI).
2. Each access under SASPI will be provided under the
provisions of an Information Sharing Protocol (ISP) agreed to
between the parties sharing the information.
3. For each ISP an accompanying Privacy Impact Assessment
(PIA) as required by the Information Commissioner under the
Data Protection Act will be completed.
4. The Information Governance and Security Lead must be
consulted during the production of the ISP and the PIA.
h. Data Protection Officer
i. The Data Protection Officer will ensure that:
1. A register of all NHS Dumfries & Galloway information assets is
maintained. The register will record data owners and designate
those assets that are confidential or sensitive as defined in
Data Protection legislation and Caldicott guidelines.
2. Staff handling personal information must understand that they
are contractually responsible for following good data protection
practice and are appropriately trained to do so.
3. Queries about handling personal information are promptly and
courteously dealt with.
4. Methods of handling personal information are clearly
described.
5. A regular audit of how personal information is handled is
carried out.
i. Information Governance and Security Lead
i. The Information Governance and Security Lead for NHS Dumfries &
Galloway is responsible for the implementation and enforcement of all
Information Security Policies and has responsibility for:
1. Ensuring that all Information Security Policies are implemented
throughout NHS Dumfries & Galloway.
2. Ensuring that System Security Policies (SSP) and Secure
Operating Procedures (SOP) are in place and maintained for
all new and existing IT systems.
3. Determining the level of security required for any new IT
systems.
4. Ensuring that all 3rd party connections comply with the NHSnet
Code of Connection and with NHS Dumfries & Galloway or other local
requirements for remote connectivity.
5. Providing assistance and guidance in the production of SASPI
ISP and PIA documents.
6. Ensuring regular risk assessments are performed on IT
systems.
7. Monitoring and reporting to the IAC the state of IT security
within NHS Dumfries & Galloway.
8. Developing, maintaining, reviewing and enforcing procedures
to maintain Information security.
9. Ensuring compliance with relevant legislation and NHS
Scotland Information security guidance.
10. Developing IT Security awareness training material to ensure
that all staff are aware of their responsibilities and
accountability for Information security.
11. Monitoring, recording, investigating and reporting actual or
potential IT security breaches.
j. Line Managers
i. Managers will notify the NHS Dumfries & Galloway IT Service Desk of
changes to staff personnel so that IT access can be provided and
withdrawn in a controlled and auditable manner.
ii. Managers will ensure that all current and future staff undertake and
maintain their mandatory training in their personal IT security
responsibilities.
iii. Managers will ensure that any staff using IT systems/media are trained
in their secure use and disposal.
iv. Managers will ensure that no unauthorised staff are allowed to access
any of NHS Dumfries & Galloway IT systems.
v. Managers will determine which staff should be given authority to
access specific IT systems. The level of access to IT systems will be
based on job function need, irrespective of status.
vi. Managers will implement procedures to minimise NHS Dumfries &
Galloway exposure to fraud/theft/disruption of its IT and information
assets.
vii. Managers will ensure that key documentation is maintained for all
critical job functions so that Departmental business continuity is
maintained in the event of staff unavailability.
k. All Staff
i. All NHS Dumfries & Galloway staff, contractors and service providers
who use or influence the use of NHS Dumfries & Galloway information
systems must conform to the standards expected and described in this
and any other associated information security policies.
ii. All staff must read and sign up to this and any other information
security policies relevant to their job role.
iii. All staff and other users of NHS Dumfries & Galloway Information
Systems are expected to have completed the mandatory Information
Governance and Security training within, at an absolute maximum, four
weeks of being granted access. Failure to do so may result in
access being withdrawn.
iv. Similarly staff who fail to undertake the required mandatory Information
Governance and Security refresher training after a period of more than
two years and six months may also have access removed.
v. Specific information security responsibilities required of key personnel
will be defined in their job description and also within IT systems secure
operating procedure documentation. All staff required to use
information systems will be made aware of their responsibilities in
maintaining appropriate levels of Information Security, be adequately
trained in their Information Security responsibilities and in the correct
use of those systems.
vi. Secure workplace practices are an essential part of this Information
Security Policy. NHS Dumfries & Galloway expects all staff to take
personal and professional responsibility for dealing securely with any
information to which they have access in the course of their duties.
vii. All staff entrusted with access to NHS Dumfries & Galloway information
assets have a responsibility to ensure that their actions when using
these assets fully conform to this and related policies, NHS Scotland
standards and legal requirements.
viii. Every member of staff is personally responsible for ensuring that no
breaches of Information Security result from their personal actions. This
is also equally applicable for staff authorised to access and use NHS
Dumfries & Galloway Information systems remotely.
ix. In particular staff are required to lock workstations when leaving them
for more than 30 seconds and not to allow another
member of staff to use a workstation which is logged in under their
name.
x. Staff must not log into an application on a workstation which is logged
into the network under a user name other than their own.
xi. Staff must not provide another user with their own user name and
password to allow the other to log in under their name.
xii. Staff must report any suspected or actual breaches of IT security via
the Datix Incident Reporting System which is available on the NHS
Dumfries & Galloway Intranet.
xiii. All staff must fully comply with all NHS Dumfries & Galloway
Information Security Policies, Standards and Procedures.
xiv. Failure to observe this policy may result in disciplinary action or legal
proceedings being taken.
xv. Any member of staff responsible for preparing, procuring services
through or using standard supplier contracts will also ensure
contractors and other third parties comply fully with the provisions of
this and other NHS Dumfries & Galloway Information Security policies.
xvi. All staff must notify their Line Manager of all suspected or actual
breaches of Information security.
5. OPERATIONAL SYSTEMS
a. Confidentiality of IT Systems will be maintained by ensuring that:
i. Only authorised NHS Dumfries & Galloway staff will be granted access
to Information systems and that access will be restricted to the
information required for the person’s job function, i.e. only on a
need-to-know basis.
ii. Updating and other activities that could affect the integrity of
information must be restricted to authorised staff needing to do so as
part of their job function, in line with Caldicott principles on confidential
information access.
iii. Where multiple staff share access to an NHS Dumfries & Galloway
Information System, each member of staff will be provided with a
personal authentication identity. All transactions on such systems must
be attributable and auditable to the user under whose name
transactions are conducted.
iv. Passwords must be defined in line with national NHS Scotland
standards and kept confidential at all times.
v. Access to NHS Dumfries & Galloway Information systems from external
IT networks and other types of communication link will only be
permitted on an exception basis and be subject to an additional layer of
security, in line with national and NHS Scotland remote connectivity
standards and regulations.
vi. NHS Dumfries & Galloway will control and monitor internal access to
external networks and reserves the right to disconnect immediately,
and if necessary, permanently, any member of staff or organisation
attempting to breach this or any other NHS Dumfries & Galloway
Information security policy.
b. Integrity of IT Systems will be maintained by ensuring:
i. All NHS Dumfries & Galloway Information assets will operate in
accordance with IT systems manufacturer specifications.
ii. Wherever possible the CHI (Community Health Index) number will be the
single point of reference for all systems.
iii. Staff will be expected to apply due diligence when filing records.
iv. Wherever possible information interchanges between systems will be
transferred electronically and rekeying designed out of systems.
v. Electronic patient records will be standard across NHS Dumfries &
Galloway.
c. Availability of IT Systems will be maintained by ensuring:
i. Resilience to component or software failure is designed into all systems
and data networks from the outset.
ii. Regular backups are taken of all IT systems and stored in a secure
manner.
iii. Backups are tested regularly to ensure that systems/files can be
restored if and when required.
iv. Anti-virus and malware detection systems are deployed and maintained
up to date.
v. Security, Critical and Important operating system and application
patches are tested and applied within two weeks of release.
vi. Routine penetration testing will be used to identify security risks and
effective work plans put in place to mitigate these risks.
vii. Business Continuity/Disaster recovery plans are in place, are tested
regularly and are reviewed at least every three years.
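The quarterly figures required of the IM&T Department in section 4.f.10 (outages, backup failures, test-restore results, malware infections, account lockouts) and the two-week patch window in section 5.c.v are only checkable if they are derived from operational records rather than assembled by hand. The following is an added example, not part of this policy or of any NHS Dumfries & Galloway system, showing one way to produce both from line-oriented records. The record format (an ISO date, an event name, then key=value fields) and all sample lines are constructed for the example.

```python
"""Quarterly operational-security report and patch-window check.

Added example, not part of the policy. The record format ("<date> <event>
key=value ...") is an assumption made for this example, and SAMPLE_RECORDS
below is constructed data, not real operational output.
"""
from collections import Counter
from datetime import date, timedelta

# Policy 5.c.v: Security, Critical and Important patches applied within two weeks.
PATCH_WINDOW = timedelta(days=14)
PATCH_CLASSES = {"security", "critical", "important"}

# Constructed sample records covering Q3 2013 (assumed format, see module docstring).
SAMPLE_RECORDS = """\
2013-07-01 backup host=srv-fs01 status=OK
2013-07-02 backup host=srv-db01 status=FAIL reason=tape_full
2013-07-03 backup host=srv-db01 status=OK
2013-07-05 restore_test host=srv-fs01 status=OK
2013-07-12 restore_test host=srv-db01 status=FAIL reason=corrupt_catalogue
2013-07-15 outage system=PAS duration_min=95
2013-07-20 malware host=ws-0231 action=quarantined
2013-07-21 malware host=ws-0410 action=quarantined
2013-07-22 lockout user=jbloggs failures=5
2013-07-29 lockout user=asmith failures=5
2013-08-02 patch id=KB-EXAMPLE-1 severity=critical released=2013-07-10 applied=2013-07-20
2013-08-02 patch id=KB-EXAMPLE-2 severity=important released=2013-07-10 applied=2013-08-01
2013-08-02 patch id=KB-EXAMPLE-3 severity=low released=2013-07-10 applied=2013-09-01
"""


def parse_record(line):
    """Split one record into (date, event, fields). Returns None for blank lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = {}
    for token in parts[2:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return date.fromisoformat(parts[0]), parts[1], fields


def quarterly_report(text, start_iso, end_iso):
    """Count the items listed in policy 4.f.10 for records dated in [start, end].

    Backups are only counted when they fail; restore tests are counted both ways
    because the policy asks for successes and failures of test restores.
    """
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        when, event, f = rec
        if not (start <= when <= end):
            continue
        if event == "outage":
            counts["major_outages"] += 1
        elif event == "backup" and f.get("status") == "FAIL":
            counts["backup_failures"] += 1
        elif event == "restore_test":
            key = "restore_test_ok" if f.get("status") == "OK" else "restore_test_fail"
            counts[key] += 1
        elif event == "malware":
            counts["malware_infections"] += 1
        elif event == "lockout":
            counts["user_lockouts"] += 1
    return dict(counts)


def overdue_patches(text, window=PATCH_WINDOW):
    """Return ids of in-scope patches applied more than `window` after release."""
    late = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec[1] != "patch":
            continue
        f = rec[2]
        if f.get("severity") not in PATCH_CLASSES:
            continue  # the two-week window does not apply to lower classes
        released = date.fromisoformat(f["released"])
        applied = date.fromisoformat(f["applied"])
        if applied - released > window:
            late.append(f["id"])
    return late


if __name__ == "__main__":
    print(quarterly_report(SAMPLE_RECORDS, "2013-07-01", "2013-09-30"))
    print("patches outside the two-week window:", overdue_patches(SAMPLE_RECORDS))
```

On the constructed data the report gives one outage, one backup failure, one successful and one failed test restore, two malware infections and two lockouts, and flags KB-EXAMPLE-2 (applied 22 days after release) while ignoring the low-severity patch, which the policy window does not cover.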
6. MOBILE COMPUTING
a. Guidance on accessing information from mobile devices is given in
the NHS Dumfries & Galloway Use of Mobile Devices Policy.
7. SYSTEM PROCUREMENT, DEVELOPMENT AND IMPLEMENTATION
a. All system procurements, developments and implementations must follow the
guidelines defined in the NHS Dumfries & Galloway Information Systems
Procurement, Development and Implementation Policy.
b. Completed Business Cases for new information Systems must be presented to
the eHealth Board for consideration and approval before submission to Capital
Management Group for procurement.
c. The testing of all applications must be documented and attention paid to all
aspects of security. Configuration Management must be used for each system -
specifically, all initialisation files, data and test results files and system files
must be identified and preserved with appropriate security and accountability.
Under no circumstances will operational data be provided for use in application
development or testing outside of NHS Dumfries & Galloway's own secure IT
environment.
d. All new systems must have a System Security Policy incorporated. The SSP
must address the different aspects of:-
i. physical, personnel and document security principles;
ii. communications security;
iii. hardware and software security measures;
iv. administrative and procedural security rules.
8. COMPLIANCE
a. NHS Dumfries & Galloway staff will comply fully with all relevant legislation and
give consideration to advisory instructions from NHS Scotland and Scottish
Government. A list of the principal legislation and formal administrative
guidance on Information Security with which NHS bodies must currently comply
is provided in Appendix 4.
b. NHS Dumfries & Galloway will respect the license conditions and intellectual
property rights of software manufacturers. It will maintain records of the
procurement, disposition and secure disposal of media and licences.
c. NHS Dumfries & Galloway proactively discourages the unauthorised
introduction of software and unauthorised use or copying of licensed software.
d. NHS Dumfries & Galloway is required to make arrangements for adequate
levels of audit to be undertaken to enable detection of unauthorised access,
data leakage and other security breaches.
e. The NHS Dumfries & Galloway Internal Audit function will review and report at
defined intervals upon controls and security levels which operate at a system
and application level. Specifically, Internal Audit will report upon the
compliance of NHS Dumfries & Galloway with this policy as part of their input to
the Annual Statement of Internal Control.
9. RISK MANAGEMENT AND BUSINESS CONTINUITY
a. The NHS Dumfries & Galloway Information Governance and Security Lead and the
Programme Adviser NHS Resilience will carry out risk assessments for all
information systems to ensure that suitable disaster recovery and contingency
arrangements are in place.
b. Recovery procedures will be developed for all IT operational systems and
where relevant appropriate contingency plans will be documented and tested to
ensure an acceptable level of service and control is maintained following a
system failure.
c. The Information Governance and Security Lead will report on the outcomes of
the above work programmes on a twice yearly basis to the IAC.
10. EQUALITY AND DIVERSITY
a. NHS Dumfries and Galloway is committed to equality and diversity in respect of
the six equality groups defined by age, disability, gender, race,
religion/belief and sexual orientation.
b. We believe, however, that equality and diversity issues are not relevant to this
area of work because this policy is designed to provide everyone including NHS
Dumfries and Galloway staff with a consistent approach to Information Security
for the organisation to ensure good governance arrangements are in place.
11. RELATED DOCUMENTS
a. NHS Dumfries & Galloway Information Assurance Strategy and NHS Dumfries
& Galloway Information Policy document.
b. NHS Dumfries & Galloway Information Security Strategy.
c. All underlying NHS Dumfries & Galloway Information Assurance Policies and
Procedures.
d. NHS Scotland Information Security Policy.
e. ISO/IEC27002, the Code of Practice for Information Security Management.
12. Appendix 1 – Policy Approval Checklist
NHS DUMFRIES AND GALLOWAY POLICY APPROVAL CHECKLIST
This checklist must be completed and forwarded with the policy to the appropriate approval
group.
POLICY TITLE: Information Security Policy
POLICY NO.: …………….
EXECUTIVE LEAD: Dr Angus Cameron
Why has this policy been developed? Compliance with Board Information Assurance Strategy
Has the policy been developed in accordance with or related to legislation? Please give
details of applicable legislation. CEL 26/2012; Data Protection Act 1998; Electronic
Communications Act 2000; Computer Misuse Act
Has a risk control plan been developed?
Who is the owner of the risk?
Who has been involved/consulted in the development of the policy? eHealth Lead and staff,
Dr Cameron, Internal Audit, Staff side representative
Has the policy been assessed for Equality and Diversity not to disadvantage the following
groups:
Race/Ethnicity: Yes
Gender: Yes
Age: Yes
Religion/Faith: Yes
Disability: Yes
Sexual Orientation: Yes
Minority Ethnic Communities: Yes
Women and Men: Yes
Religious & Faith Groups: Yes
Disabled People: Yes
Young People: Yes
L, G, B & T Community: Yes
Does the policy contain evidence of the Equality & Diversity Impact Assessment Process? YES
Is there an implementation plan? YES
When will the policy take effect? Immediate
If the policy applies to partner agencies, please explain the reasons for this and how they
will be informed of their responsibilities: Not applicable
13. Appendix 2 - Document Status
Title: Information Security Policy
Author: Andrew Turner
Approver: Dr Angus Cameron
Document reference:
Version number: 1.2

Document Amendment History
Version number | Edited by | Edit date | Topics covered
0.1 | NHS Lanarkshire | June 2009 | Exemplar document
1.0 | Andrew Turner | 25th March 2013 | 1st draft
1.1 | Andrew Turner | 2nd July 2013 | 2nd draft after peer review
1.2 | Andrew Turner | 11th July 2013 | Final draft following review and amendments as recommended by Information Assurance Committee – added introduction paragraph referring to information sharing.

Distribution
Name | Version number | Responsibility
Corporate Business Manager | 1.2 | Place on policy register
Board Management Team | 1.2 | For approval
Area Partnership Forum | 1.2 | Approved 29th August 2013
Communications Team | 1.2 | Place on Intranet and in ‘latest news’
Staff side representative | 1.2 | For comment prior to presentation to APF
IM&T Department | 1.2 | To configure systems according to policy
Associated Documents
ISO/IEC 27002 The Code of Practice for Information Security Management
CEL26/2012
NHS Scotland Information Security Policy
NHS Dumfries & Galloway Information Assurance Strategy
NHS Dumfries & Galloway Information Assurance Policy
NHS Dumfries & Galloway Information Systems Procurement, Development and
Implementation Policy
NHS Dumfries & Galloway Access to Information Policy
NHS Dumfries & Galloway Mobile Devices Policy
NHS Dumfries & Galloway eMail Acceptable Use Policy
NHS Dumfries & Galloway Internet and Internet Acceptable Use Policy
NHS Dumfries & Galloway Communications Monitoring Policy
14. Appendix 3 - Communication Action Plan for Implementation
Name | Responsibility | Timeframe
Place on policy register | Corporate Business Manager | Immediate
Place in ‘latest news’ | Communications Team | Immediate
Place on Intranet | Communications Team | Immediate
Dissemination to all staff through line management | Board Management Group | Continual process
Routinely issue to all staff | IM&T Department | Continual process
Amend staff contracts | HR Department | Immediate
15. Appendix 4 – Related Documents
a. The Principal Acts of Parliament, Management Executive letters and Scottish
Office Home and Health Department circulars relevant to Information security
and confidentiality are:
i. Compliance with legal requirements
ii. Data Protection Act 1998
iii. Computer Misuse Act 1990
iv. Copyright, Design & Patents Act 1988
v. The Health and Safety at Work Act (1974)
vi. Human Rights Act (1998)
vii. Regulation of Investigatory Powers Act (2000)
viii. Health and Social Care Act (2001)
ix. Freedom of Information (Scotland) Act (2002)
x. Public Records (Scotland) Act
xi. Electronic Communications Acts (2000)
16. Appendix 5 – Codes of Practice
ISO/IEC 27002 The Code of Practice for Information Security Management
Circ. SW 1/89 Confidentiality of Social Work Records
Circ. SW 2/89 Access to Personal Files / Regulations
MEL 1992 (14) Safeguarding Confidentiality Identifiable Data / Contracting
MEL 1992 (42) Confidentiality / Personal Data associated with contracts
MEL 1992 (45) Computer Security Guidelines
MEL 1992 (69) Access to Health Records (now superseded by the Data Protection Act
1998 for living patients)
MEL 1993 (152) Guidance for the Retention and Destruction of Health Records
MEL 1993 (59) NHS in Scotland Information Security Policy
MEL 1993 (70) NHS Communications Systems
MEL 1994 (100) Protecting the Confidentiality of Personal Health Information
MEL 1994 (75) NHS in Scotland IT Security Manual
HDL (2006) 41 NHS Scotland Information Security Policy
MEL 1994 (76) Telecommunications Policy & Management
MEL 1996 (72) The Year 2000
MEL 1996 (80) NHS-Net Telecommunications Policy & Management
NHS circ. DGM 1992 (20) Security of Health records
NHS circ. GEN 1990 (22) Confidentiality of Personal Health Information
NHS circ. GEN 1991 (27) Access to Health Records
SHHD/DGM (1991)/39 Safeguarding the Confidentiality of Personal Data Associated with
Contracts
SHHD/DGM (1991)/47 Computer Security
SHHD/DGM 1991 (28) Computer Software and Crown Copyright