
1 14 May 2014 Information Security, Information Governance and the Law – Confidence in Compliance

2 Information Security, Information Governance and the Law, 14 May 2014
Jason Miles-Campbell, Jisc Legal Manager
jason.miles-campbell@jisclegal.ac.uk
0141 548 4939
www.jisclegal.ac.uk

4 Have you heard of Jisc Legal before?
1. Hello again, Jason
2. Yes, fairly often
3. Yes, used occasionally
4. Vague acquaintance
5. What’s that, then?

5 When it comes to data protection law...
1. I’m confident
2. I’ve a fair idea
3. I dabble
4. I ask others
5. I hide in the toilet

6 Are you confident in your compliance with information security provisions this far?
1. Absolutely
2. Generally
3. Probably
4. Possibly
5. Oh, look! Squirrel!

7 This workshop’s mission
» To increase your confidence in complying with statutory, governmental and contractual requirements in relation to information security and governance

8 The Requirements
» Statutory (DP, FOI)
» Avoidance of liability (information loss)
» Government/funder requirements
» Contractual requirements

9 The Welsh Government Information Assurance Requirements for Work Based Learning 2015 – 2019 (which involves the storage, receipt and processing of personal data)

10 “If bidders do not agree, they will fail this section of the tender evaluation and their bid will not be considered further.”

11 2. Security Contact
» “Suppliers must have a named contact responsible for the security aspects of our contract.”
» “In a smaller company (typically less than 5 employees), the named contact may also fulfil other roles”

12 Do you have a widely-known named contact in charge of information security at the moment?
1. It’s me, and everyone knows
2. It’s me, but don’t tell anyone
3. It’s another, known, person
4. Someone was named in 1989 but left 8 years ago
5. No named contact known

13 3. Security Incidents
» “Suppliers must have a written procedure that documents how it will inform the Welsh Government of any security incidents.”
» “Examples of security incidents: breach of information security controls, loss of information, failure of backups.”

14 Do you have a written procedure to deal with information security incidents?
1. Yes, and we use it weekly…
2. Yes
3. Not to my knowledge
4. We don’t have infosec incidents
5. Don’t know

15 4. Security Risk Assessment
» “Suppliers must complete a risk assessment of the security measures in place to protect Welsh Government information.”
» “Risk assessments must be reviewed on a monthly basis (or whenever controls change) and reported to Welsh Government.”

16 Do you already undertake regular security risk assessments?
1. Yes, planned and undertaken
2. Yes, when someone asks
3. We did one once, I think
4. No
5. Don’t know

17 5. Subcontractors
» “Suppliers must monitor subcontractor compliance with these controls.”

18 6. Training
» “…everyone who handles Welsh Government information receives security awareness briefings on the appropriate handling of that information.”

19 Do you have regular security awareness briefings?
1. Yes
2. Depends who’s asking
3. We chat about hacking over coffee, if that counts?
4. No
5. Don’t know

20 Training…
» Jisc Legal Plus
- Need to Know Workshops (1 hour)
- Confident in Compliance Workshops (2½ hours)

21 7. Data Protection Law Compliance
» “Suppliers must annually assess compliance under the Data Protection Act.”

22 10. Access to Personal Information
» “Suppliers must maintain an up-to-date list of its users who have access to Welsh Government personal information.”
» “The default access level for the Welsh Government’s information should be ‘no access’.”

23 11. Acceptable Use Policy
» “Suppliers must ensure … that an Acceptable Use policy is in place.”
» “Acceptable Use policies are wide ranging but typically include the organisation’s policy on passwords, monitoring of ICT systems, internet use, personal use of work systems, internet browsing, removable media, mobile ICT etc.”

24 15. Disposal of Information
» “Suppliers must have a process … to ensure that ICT equipment … is erased in a way that makes the information unrecoverable”

25 What’s your main method of assuring destruction of protected information?
1. Delete the files
2. Format the disk
3. Some clever program
4. Violence
5. Explosives
6. Don’t know

26 18. Data Controller Responsibilities
» “The supplier is required to undertake to comply with the obligations of a “data controller” under the provisions of the Data Protection Act 1998”

27 20. Data Encryption
» “All Welsh Government information must be encrypted whether at rest or in transit.”
» “For mobile equipment, hard disk encryption must be used and protected by complex passwords.”

28 21. Removable Media
» “The Welsh Government’s information must not be copied to removable media and removed from the Supplier’s site without prior approval of the Welsh Government.”

29 Do you currently regulate use of removable and portable media?
1. Yes
2. To some extent
3. It’s on someone’s to do list
4. No
5. Don’t know

30 22. Staffing and Information Security
» “The Supplier must ensure baseline controls are applied to their staff and provide details … of HR checks undertaken on new employees”
» “The Baseline Personnel Security Standard includes … independent verification via Disclosure Scotland.”

31 30. Records Management
» “Suppliers must ensure records are managed efficiently and are easily retrievable when required.”

32 Next steps?
1. Go back and say well done!
2. Start a conversation with relevant people
3. Re-write a few policies
4. Monitor what’s in place already
5. Get further support
6. Point at someone else and say ‘his problem!’ or ‘her problem!’

33 How’s this session been for you?
1. That was the most amazing, useful session I’ve ever heard.
2. That was the most amazing, useful session on information security I’ve ever heard.
3. That was the most amazing, useful session on information security I’ve heard this afternoon.

35 This work, with the exception of logos, and any other content marked with a separate copyright notice, is licensed under a Creative Commons Attribution 3.0 Unported Licence. Attribution should be “© Jisc Legal – www.jisclegal.ac.uk – used under Creative Commons Attribution 3.0 Unported Licence” (with clickable URLs where possible). The use of logos in the work is licensed for use only on non-derivative copies. Further information at www.jisclegal.ac.uk/CopyrightPolicy.
