318 - South West Yorkshire Partnership NHS Foundation Trust


Information Security Policy

Page 1 of 18

March 2012















Document name: Information Security Policy

Document type: Policy

Staff group to whom it applies: All staff within the Trust

Distribution: The whole of the Trust

How to access: Intranet

Issue date: March 2012

Next review: March 2014

Approved by: Executive Management Team

Developed by: Portfolio Manager - IM&T Infrastructure

Director leads: Director of Finance

Contact for advice: Portfolio Manager - IM&T Infrastructure


INFORMATION SECURITY POLICY

1 Introduction

1.1 This document defines the Information Security Policy for South West Yorkshire Partnership NHS Foundation Trust (referred to hereafter as the Trust). The Information Security Policy applies to all business and covers the information, information systems, networks, physical environment and relevant people who support and use those business functions. It has been produced in conjunction with representatives of other NHS Trusts on the Community Of Interest Network (COIN).

1.2 The wording and structure of this document is also common to each organisation in order to achieve a policy which each Trust can implement in the knowledge that the requirements detailed are also implemented by other NHS Trusts who share our computer network and infrastructure. Almost all of the Trust IT Infrastructure is supported via a service level agreement with The Health Informatics Service (The HIS).

1.3 This policy replaces the existing Information Security policy and it is an alignment of the IM&T Security policy from Care Services Direct.

This document:

a. Sets out the organisation’s policy for the protection of the confidentiality, integrity and availability of its assets, that is hardware, software and information handled by information systems, networks and applications;

b. Establishes the information security responsibilities;

c. Provides reference to documentation relevant to this policy.


2 Purpose/Scope of this Policy

2.1 The scope of this policy is to ensure the security of The Trust’s information assets. To do this the Trust will:

o Ensure Availability - Ensure that assets are available for Users;
o Preserve Integrity - Protect assets from unauthorised or accidental modification;
o Preserve Confidentiality - Protect assets against unauthorised disclosure.

2.2 Willful or negligent disregard of this policy may be investigated and dealt with under the Trust Disciplinary Procedure.

2.3 This policy applies to all information media, systems, networks, portable electronic devices, applications, locations and Users within the Trust.

2.4 Provide a consistent risk management framework in which information security risks will be identified, considered and addressed in key approval, review and control processes in conjunction with the risk management strategy of the Trust.

2.5 To provide a systematic, standardised and legal basis for the admissibility of digital evidence that may be required for formal dispute or legal process. In this context, information security forensics may include evidence in the form of log files, emails, back-up data, removable media, portable computers and network and telephone records amongst others that may be collected in response to an event or dispute occurring.


3 Definitions

3.1 Confidentiality of information - Person-identifiable, sensitive or otherwise valuable information will be protected against unauthorised access and disclosure.

3.2 Information Assets - Any information that is stored physically or electronically, transmitted across networks or telephone lines, sent by fax, spoken in conversations or printed.

3.3 Integrity of information - Safeguards to protect against unauthorised modification and destruction of information.

3.4 Physical, logical, environment and communications security - Controls to prevent unauthorised access, damage and interference to IM&T services and clinical records.

3.5 Infrastructure - Computers, systems, networks, cabling and other devices which make up the estate of information management in SWYPFT.

3.6 Forensic Readiness - The ability of an organisation to make use of digital evidence when required. Its aim is to maximise the organisation’s ability to gather and use digital evidence whilst minimising disruption or cost.


4 Duties

4.1 Trust responsibilities

The Trust will ensure that its information systems, applications and networks are available when needed, they can be accessed only by legitimate Users and should contain complete and accurate information. The information systems, applications and networks must also be able to withstand or recover from threats to their availability, integrity and confidentiality. To satisfy this, The Trust will undertake the following:

4.1.1 Protect all hardware, software and information assets under its control. This will be achieved through compliance with Department of Health standards;

Provide both effective and cost-effective protection that is commensurate with the risks to its assets;

4.1.2 Implement the Information Security Policy in a consistent, timely and cost effective manner;

4.1.3 Where relevant, The Trust will comply with:

- Copyright, Designs & Patents Act 1988
- Access to Health Records Act 1990
- Computer Misuse Act 1990
- The Data Protection Act 1998
- The Human Rights Act 1998
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- Health & Social Care Act 2008

4.1.4 The Trust will comply with other laws and legislation as appropriate.


4.2 User Responsibilities

All personnel or agents acting for the organisation have a duty to:

4.2.1 Safeguard hardware, software and information in their care;

4.2.2 Ensure that document files are not saved on the hard disk (including the desktop) of Trust computers (if the computer were to be stolen the data would be lost). The Trust recognises that there are rare occasions when saving work files locally may be necessary and in these instances permission must be gained in advance from the Portfolio Manager - Information Governance and Health Records and an adequate risk assessment undertaken, prior to any files being stored on a computer hard disk.

4.2.3 Ensure that person identifiable or other sensitive information is not stored on portable or removable media (laptops, USB, memory stick) under any circumstances.

4.2.4 Prevent the introduction of malicious software on the organisation’s IT systems;

4.2.5 Report on any suspected or actual breaches in security;

4.2.6 Comply with all information security measures approved by the Trust. Deliberate misuse of information or systems, or negligently disregarding Trust security measures could result in disciplinary action, including dismissal and may lead to a criminal conviction.

4.3 Line Manager's Responsibilities

Line Managers are directly responsible for:

4.3.1 Ensuring the security of the organisation’s assets (that is information, hardware and software used by staff and, where appropriate, by third parties) is consistent with legal and management requirements and obligations;

4.3.2 Ensuring that their staff are aware of their security responsibilities and comply with all Trust policies and procedures;

4.3.3 Ensuring that their staff have had suitable security training.


4.4 Caldicott Guardian, SIRO & Information Governance TAG

4.4.1 The Caldicott Guardian’s responsibility, supported by the Senior Responsible Risk Owner and the IG TAG, is to oversee the delivery of the Trust's Information Governance agenda to ensure that all information used in the Trust, but especially that relating directly or indirectly to patient care, is managed carefully, responsibly, within current law and with due regard to considerations of privacy such as those defined in the Caldicott principles.

4.4.2 The Caldicott Guardian, supported by the IG TAG, is also responsible for ensuring that all staff are consistently made aware of their obligations in this area.

4.4.3 The Caldicott Guardian, supported by the IG TAG, is responsible for ensuring security is considered when applications and systems are under development or enhancement.

4.4.4 The SIRO will ensure that all information risk is identified, reviewed and appropriately responded to.

4.4.5 The SIRO will ensure that all critical Information assets have appropriate business continuity plans and disaster recovery plans.

4.4.6 Ensuring that the role of Information Security Manager is appropriately allocated.

4.4.7 Co-ordinating the development and maintenance of IG forensic policy procedures and standards for Care Services Direct.

4.4.8 Review, recommend and approve policies and procedures for Information Security to EMT.

In the absence of a Project Board the responsibility for security falls to a nominated Project Officer or Information Asset Owner. The development of a security policy for the application or system should commence at the earliest opportunity following the initiation of the project.


4.5 Project Managers

4.5.1 Project Managers and others responsible for implementing systems are responsible for ensuring that effective security countermeasures are produced and implemented as part of any new systems project and ensuring that all relevant system documentation relating to operating procedures and disaster recovery/business continuity plans are in place as part of the project.

4.5.2 Ensure that all information systems, applications and networks are approved by The HIS on behalf of, and in conjunction with the Trust, before they commence operation, and that approval is appropriately documented.

4.5.3 Ensure that the relevant Project or System Manager reviews changes to the security of any information system, application or network. In addition, all such changes must be reviewed and approved by The HIS on behalf of, and in conjunction with the Trust.

4.5.4 The Project or System Managers are responsible for updating all relevant system documentation.

4.5.5 Ensure that there is an effective configuration management system for all information systems, applications and networks.

4.5.6 The SSSP Risk Screening Template will be sent to the IMT TAG for approval.


4.6 ICT Service Suppliers

4.6.1 The ICT Service Suppliers on behalf of, and in conjunction with the Trust, is responsible for ensuring that the information systems do not pose an unacceptable security risk to the organisation.

4.6.2 The ICT Service Suppliers on behalf of, and in conjunction with the Trust, must ensure that measures are in place to detect and protect the network from viruses and other malicious software.

4.6.3 The ICT Service Suppliers on behalf of, and in conjunction with the Trust, may require checks on or an assessment of a system implementation based on any changes implemented.

4.6.4 The ICT Service Suppliers on behalf of, and in conjunction with the Trust, must ensure that all connections to external networks and systems are documented and approved.

4.6.5 The ICT Service Suppliers on behalf of, and in conjunction with the Trust, must approve all connections to external networks and systems before they commence operation.

4.6.6 The ICT Service Suppliers on behalf of, and in conjunction with the Trust, will implement and maintain device control on every Trust computer.

4.6.7 Ensure that all operational applications, systems and networks are monitored for potential security breaches.

4.6.8 Ensure that there is an effective configuration management system for all information systems, applications and networks.

4.6.9 Ensure that information systems are regularly checked for compliance with security implementation standards.

4.6.10 Ensure that disaster recovery plans are produced for all critical applications, systems and networks. The plans must be reviewed by The ICT Service Suppliers on behalf of, and in conjunction with the Trust, and tested on a regular basis.

4.6.11 Ensure that, where appropriate, IT staff receive IT security awareness training.



4.6.12 Implement an effective framework for the management of information security in line with the NHS information Governance Toolkit.

4.6.13 Assist in the formulation of Information Security Policy and related policies and procedures.

4.6.14 Advise on the content and implementation of the relevant action plans.

4.6.15 Produce organisational standards, procedures and guidance on Information Security matters for approval by the IG TAG. All such documentation will be included in the Asset register.

4.6.16 Co-ordinate information security activities particularly those related to shared information systems or IT infrastructures.

4.6.17 In line with Department of Health directives, ensure all portable storage devices and removable media supported by the Trust are encrypted at hard disk level to the Department of Health’s advised standard.

4.6.18 Liaise with external organisations on information security matters, including representing the Trust on cross-community committees.

4.6.19 Create, maintain, give guidance on and oversee the implementation of, guidance relating to information security.

4.6.20 Represent the organisation on internal and external committees that relate to information security.

4.6.21 Provide advice and guidance on:

- Policy Compliance
- Incident Investigation
- IT Security Awareness
- Department of Health guidance

4.6.22 Advise Users on potential breaches of the Act and recommended actions.

4.6.23 Promote awareness and provide guidance and advice on other legislation and regulations relevant to Information Security and confidentiality as they apply to the organisation.




5 Principles

5.1 Risk Assessment and audit

5.1.1 The HIS on behalf of, and in conjunction with the Trust, is responsible for ensuring that appropriate risk assessment(s) are carried out in relation to all the business processes covered by this policy. These risk assessments will cover all information systems, applications and networks that are used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability.

5.1.2 Connecting for Health’s Information Governance Toolkit requires the Trust to undertake a self-assessment audit based on defined indicators. Representatives of Connecting for Health may request further audit.

5.1.3 Internal Audit has the ability to undertake an audit of compliance with policy on request.

5.1.4 Risk assessment using SSSP risk screening tool (appendix 1) in conjunction with overall priority planning will be undertaken to determine appropriate, effective and affordable information security controls are in place.

5.1.5 All information security incidents will be reported and investigated through the SWYPFT Incident management system.


5.2 Operating Procedures

5.2.1 Procedures relating to the operation of systems must be appropriately documented. The procedures should be developed on the basis of an analysis of risks and submitted to the IG TAG for review.

5.2.2 User access control and access rights procedural documentation will be developed for each individual Trust system, on the basis of an analysis of risk.

5.3 Unauthorised Software

5.3.1 Use of any non-standard software [1] on Trust equipment must be approved by The HIS on behalf of, and in conjunction with the Trust, before installation. All software used on Trust equipment must have a valid licence agreement - it is the responsibility of the “Information Asset Owner” or Responsible User of non-standard software to ensure that this is the case.

[1] Contact the IT Service Desk for advice on Trust standard software

5.4 Mobile computing and communications

5.4.1 Mobile computing is now commonplace, with Users connecting remotely to systems through laptops, mobile phones, PDAs etc. Therefore it is essential that the following considerations are made and risk assessment carried out:

5.4.2 Equipment in transit is at particular risk of being damaged, stolen or lost. Training, procedures and written guidance should be put into place for users to cover these threats. Assessment of equipment in use should consider whether person based or sensitive information is in use and therefore whether equipment should contain encryption facility. Please refer to the Encryption Policy.


5.4.3 The HIS on behalf of, and in conjunction with the Trust, should ensure that mobile computing equipment recommendations meet Department of Health guidelines as a minimum.

5.4.4 Regular audits of mobile working arrangements should be carried out to ensure that Users are approved, assets can be accounted for, that secure remote access is used, and that any sensitive or confidential information is securely transported or stored in a remote location.

5.4.5 Use of secure file servers should be promoted and where possible devices should be configured so that data processed on them are synchronised to the network at the end of a session. If data is saved to the local drive and the device is lost so is the data.

5.4.6 Mobile devices should not be used under any circumstances to store patient, person or sensitive electronic data.


5.5 Electronic Transfer of Person Identifiable Data

5.5.1 Any bulk electronic extract and transfers of person identifiable or sensitive data by portable or removable media, file transfer protocol or email, must be authorised in advance by the Portfolio Manager - Information Governance and Health Records.

5.5.2 It is a requirement of the Trust that any electronic bulk transfer of person identifiable or sensitive data is encrypted to a standard advised by the Department of Health. Please refer to the Trust Encryption Policy.

5.6 Removable Media (e.g. USB, memory stick, pen drives, external hard disk drives, CD Rom, floppy disk, mobile phones, audio devices etc.)

5.6.1 Staff and contractors are not permitted to introduce or use any removable media for storing or transferring person identifiable or sensitive information.

5.6.2 Line managers are responsible for the day to day management and oversight of removable media used within their work areas to ensure this policy is followed.

5.6.3 Line managers are responsible for the secure storage of all portable electronic media.

5.6.4 Staff who have been authorised to use encrypted removable media for the purposes of their job role are responsible for the secure use of those removable media as required by this policy.

5.6.5 Staff who wish to dispose of any type of electronic portable media should contact the IT Service Desk.

5.7 Reporting Data Security Breaches and Weaknesses

5.7.1 Data Security Breaches and weaknesses, such as the loss of data or the theft of a laptop, must be reported in accordance with the requirements of the Trust's incident reporting procedure and, where necessary, investigated by the Portfolio Manager - IM&T Infrastructure.

5.7.2 Incidents reported via the IT Service Desk should be managed in accordance with the Service Desk procedure for escalating incidents to South West Yorkshire Partnership NHS Foundation Trust.


5.8 Security Awareness Training

5.8.1 The Trust shall provide security awareness training for all staff to ensure that they are aware of their responsibilities for security, and the actions that they need to undertake in order to discharge those responsibilities.

5.9 Network Account

5.9.1 The Trust reserves the right to enable 3rd party access to users' network files and folders in exceptional circumstances i.e. to make arrangements to cover long term sickness leave. Access must be logged. Further information is available from the contact noted in 14.1.

5.10 Awareness and Training

5.10.1 Ensure that all Users of information systems, applications and the networks are provided with the necessary security guidance, awareness and, where appropriate, training to discharge their security responsibilities.


6 Equality Impact Assessment

Included as Appendix A

7 Dissemination and Implementation Assessment

This policy once approved will be notified to staff via weekly e-mail and will be placed on the Trust intranet. BDUs will be responsible for more detailed briefings to appropriate staff. All advice to staff about information governance will be issued via team brief or the weekly update in the form of policy or reminders. Where necessary leaflets attached to payslips and other communications methods will be used. These will be approved by the Trust communications team. Communications with service users are covered in the information sharing, confidentiality and Data Protection policy.

Implementation Assessment is Appendix D

8 Process for Monitoring Compliance and Effectiveness

8.1 Performance reporting arrangements

8.2 Internal Audits

8.3 Compliance and effectiveness of the Corporate Induction Programme



8.4 Complete with NHS Information Governance Toolkit yearly self assessment

8.5 Information Services department will maintain a full asset register of all IT equipment. Reports will be run monthly from the register to ensure encryption and anti-virus software is installed, operating systems are up-to-date, unauthorised software is not installed and computers are removed when the computer is disposed of.

8.6 The IM&T TAG will receive copies of all SSSPs developed for new information assets and confirmation of any reviews of them.

8.7 Information governance questionnaire will be employed periodically to assess staff awareness and understanding of information security.

8.8 Information Governance training (Including information security) will be reported in the Mandatory training report to EMT and senior managers.


9. Review and Revision arrangements (including Archiving)

9.1 This policy has been developed in consultation with the IM&T TAG

9.2 Will be available on the intranet in read only format.

9.3 A central electronic read only version will be kept by the Integrated Governance Manager in a designated shared folder to which all Executive Management Team members and their administrative staff have access.

9.4 A central paper copy will be retained in the corporate library

9.5 This policy will be retained in accordance with requirements for retention of non-clinical records.

9.6 Historic policies and procedures

- A central electronic read only version will be kept in a designated shared folder to which all Executive Management Team members and their administrative staff have access.
- A central paper copy will be retained in the corporate library, clearly marked with the version number and date on which it was approved and date and title of the policy by which it was replaced.

10. References

10.1 This policy has been developed with reference to the Information governance toolkit and the example policies provided in it.

11 Associated documents

This document has been developed in line with guidance issued by the NHS Litigation Authority and with reference to model documents used in other trusts. It should be read in conjunction with:





- Network Security Policy
- Email Policy
- Internet Policy
- Encryption Policy
- Disciplinary Procedure
- Information Governance Policy
- Information sharing, confidentiality and data protection policy
- Information risk management policy
- Safe Haven Policy



Appendix A

Equality Impact Assessment Tool

To be completed and attached to any procedural document when submitted to the appropriate committee for consideration and approval

| | Equality Impact Assessment Questions: | Evidence based Answers & Actions: |
|---|---|---|
| 1 | Name of the policy that you are Equality Impact Assessing | Information Security Policy |
| 2 | Describe the overall aim of your policy and context? Who will benefit from this policy? | Policy to ensure that best practice is followed by members of staff when accessing, processing or transmitting/transporting information |
| 3 | Who is the overall lead for this assessment? | Portfolio Manager: IM&T Infrastructure |
| 4 | Who else was involved in conducting this assessment? | No one |
| 5 | Have you involved and consulted service users, carers, and staff in developing this policy? What did you find out and how have you used this information? | No |
| 6, 7 | What equality data have you used to inform this equality impact assessment? What does this data say? | None |
| 8 | Have you considered the potential for unlawful direct or indirect discrimination in relation to this policy? | Yes |





Taking into account the information gathered. Does this policy affect one group less or more favourably than another on the basis of:

Where Negative impact has been identified please explain what action you will take to mitigate this. If no action is to be taken please explain your reasoning.

| | | YES | NO | Evidence based Answers & Actions |
|---|---|---|---|---|
| 9a | Race | | | No impact expected. |
| 9b | Disability | | | No impact expected. |
| 9c | Gender | | | No impact expected. |
| 9d | Age | | | No impact expected. |
| 9e | Sexual Orientation | | | No impact expected. |
| 9f | Religion or Belief | | | No impact expected. |
| 9g | Transgender | | | No impact expected. |







Appendix B

Checklist for the Review and Approval of Procedural Document

| | Title of document being reviewed: | Yes/No/Unsure | Comments |
|---|---|---|---|
| 1. | Title | | |
| | Is the title clear and unambiguous? | YES | |
| | Is it clear whether the document is a guideline, policy, protocol or standard? | YES | |
| 2. | Rationale | | |
| | Are reasons for development of the document stated? | YES | |
| 3. | Development Process | | |
| | Is the method described in brief? | YES | |
| | Are people involved in the development identified? | YES | |
| | Do you feel a reasonable attempt has been made to ensure relevant expertise has been used? | YES | |
| | Is there evidence of consultation with stakeholders and users? | YES | |
| 4. | Content | | |
| | Is the objective of the document clear? | YES | |
| | Is the target population clear and unambiguous? | YES | |
| | Are the intended outcomes described? | YES | |
| | Are the statements clear and unambiguous? | YES | |
| 5. | Evidence Base | | |
| | Is the type of evidence to support the document identified explicitly? | YES | |
| | Are key references cited? | YES | |
| | Are the references cited in full? | YES | |
| | Are supporting documents referenced? | YES | |
| 6. | Approval | | |
| | Does the document identify which committee/group will approve it? | YES | |
| | If appropriate have the joint Human Resources/staff side committee (or equivalent) approved the document? | | |
| 7. | Dissemination and Implementation | | |
| | Is there an outline/plan to identify how this will be done? | YES | |
| | Does the plan include the necessary training/support to ensure compliance? | YES | |
| 8. | Document Control | | |
| | Does the document identify where it will be held? | YES | |
| | Have archiving arrangements for superseded documents been addressed? | YES | |
| 9. | Process to Monitor Compliance and Effectiveness | | |
| | Are there measurable standards or KPIs to support the monitoring of compliance with and effectiveness of the document? | YES | |
| | Is there a plan to review or audit compliance with the document? | YES | |
| 10. | Review Date | | |
| | Is the review date identified? | YES | |
| | Is the frequency of review identified? If so is it acceptable? | YES | |
| 11. | Overall Responsibility for the Document | | |
| | Is it clear who will be responsible for implementation and review of the document? | YES | |







Appendix C

Version Control Sheet

| Version | Date | Author | Status | Comment / changes |
|---|---|---|---|---|
| 1 | December 2011 | John Hodson | Draft | Using template of current Information Security Policy |
| 2 | Jan 2012 | John Hodson | Draft | Incorporate Barnsley CDS IM&T Security Policy IG Policy. |
| 2 | Feb 2011 | John Hodson | Draft | Update policy format for presentation to IM&T TAG 28/03/2012 |
| 2.1 | March 2012 | John Hodson | Final | Update following comments from IM&T TAG |





Appendix D

Information Security Policy

Impact of Implementation

| | Description of Impact | Staff /Dept affected | Cost implication |
|---|---|---|---|
| 1 | Revise the IM&T TAG membership to reflect the new trust components | BDUs | No |
| 2 | Review arrangements for incident management | IG TAG | No |
| 3 | Review information risk management arrangements | IG TAG/ CSD IG committee | No |
| 4 | Review arrangements for audit subgroup | IG TAG | No |
| 5 | Develop Trust-wide policies for IM&T Security (e-mail, internet, network security, acceptable use, information security) | IG TAG | No |