Information Security, Information Governance and the Law – Confidence in Compliance (14 May 2014)
Jason Miles-Campbell, Jisc Legal Manager

Have you heard of Jisc Legal before?
1. Hello again, Jason
2. Yes, fairly often
3. Yes, used occasionally
4. Vague acquaintance
5. What’s that, then?

When it comes to data protection law...
1. I’m confident
2. I’ve a fair idea
3. I dabble
4. I ask others
5. I hide in the toilet

Are you confident in your compliance with information security provisions thus far?
1. Absolutely
2. Generally
3. Probably
4. Possibly
5. Oh, look! Squirrel!

This workshop’s mission
» To increase your confidence in complying with statutory, governmental and contractual requirements in relation to information security and governance

The Requirements
» Statutory (data protection and freedom of information law)
» Avoidance of liability (information loss)
» Government/funder requirements
» Contractual requirements

Worked example: the Welsh Government Information Assurance Requirements for Work Based Learning 2015 – 2019 (work which involves the storage, receipt and processing of personal data)

“If bidders do not agree, they will fail this section of the tender evaluation and their bid will not be considered further.”

Security Contact
» “Suppliers must have a named contact responsible for the security aspects of our contract.”
» “In a smaller company (typically less than 5 employees), the named contact may also fulfil other roles”

Do you have a widely-known named contact in charge of information security at the moment?
1. It’s me, and everyone knows
2. It’s me, but don’t tell anyone
3. It’s another, known, person
4. Someone was named in 1989 but left 8 years ago
5. No named contact known

Security Incidents
» “Suppliers must have a written procedure that documents how it will inform the Welsh Government of any security incidents.”
» “Examples of security incidents: breach of information security controls, loss of information, failure of backups.”

Do you have a written procedure to deal with information security incidents?
1. Yes, and we use it weekly…
2. Yes
3. Not to my knowledge
4. We don’t have infosec incidents
5. Don’t know

Security Risk Assessment
» “Suppliers must complete a risk assessment of the security measures in place to protect Welsh Government information.”
» “Risk assessments must be reviewed on a monthly basis (or whenever controls change) and reported to Welsh Government.”

Do you already undertake regular security risk assessments?
1. Yes, planned and undertaken
2. Yes, when someone asks
3. We did one once, I think
4. No
5. Don’t know

Subcontractors
» “Suppliers must monitor subcontractor compliance with these controls.”

Training
» “…everyone who handles Welsh Government information receives security awareness briefings on the appropriate handling of that information.”

Do you have regular security awareness briefings?
1. Yes
2. Depends who’s asking
3. We chat about hacking over coffee, if that counts?
4. No
5. Don’t know

Training…
» Jisc Legal Plus
- Need to Know Workshops (1 hour)
- Confident in Compliance Workshops (2½ hours)

Data Protection Law Compliance
» “Suppliers must annually assess compliance under the Data Protection Act.”

Access to Personal Information
» “Suppliers must maintain an up-to-date list of its users who have access to Welsh Government personal information.”
» “The default access level for the Welsh Government’s information should be ‘no access’.”

Acceptable Use Policy
» “Suppliers must ensure … that an Acceptable Use policy is in place.”
» “Acceptable Use policies are wide ranging but typically include the organisation’s policy on passwords, monitoring of ICT systems, internet use, personal use of work systems, internet browsing, removable media, mobile ICT etc.”

Disposal of Information
» “Suppliers must have a process … to ensure that ICT equipment … is erased in a way that makes the information unrecoverable”

What’s your main method of assuring destruction of protected information?
1. Delete the files
2. Format the disk
3. Some clever program
4. Violence
5. Explosives
6. Don’t know
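Why the first two poll answers do not meet the “unrecoverable” test in the Disposal of Information requirement: deleting a file and (quick-)formatting a disk normally rewrite only the filesystem’s bookkeeping and leave the data blocks in place for anyone who images the drive. The toy block device below is an added illustration written for this page, not code from Jisc Legal or from the Welsh Government document; the directory-table layout, the `ToyDisk` class, and the sample learner record are all constructed assumptions chosen to make the point visible.

```python
"""Toy block device showing what 'delete', 'quick format' and 'overwrite'
each leave behind for someone who images the raw disk.

Added illustration for this page, not code from the workshop. The layout
(a directory table mapping names to block numbers, plus fixed-size data
blocks) is an assumption; real filesystems differ in detail but share the
property shown: deleting and formatting touch the bookkeeping, not the data.
"""

BLOCK_SIZE = 16


class ToyDisk:
    def __init__(self, n_blocks: int = 16) -> None:
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.directory: dict[str, list[int]] = {}  # filename -> block numbers

    def _free_blocks(self) -> list[int]:
        in_use = {b for blocks in self.directory.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in in_use]

    def write(self, name: str, data: bytes) -> None:
        """Store data in the lowest free blocks and record them in the directory."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise OSError("disk full")
        allocated = free[:len(chunks)]
        for idx, chunk in zip(allocated, chunks):
            self.blocks[idx][:] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = allocated

    def delete(self, name: str) -> None:
        """Ordinary 'delete the files': drop the directory entry, keep the blocks."""
        del self.directory[name]

    def quick_format(self) -> None:
        """'Format the disk' (quick): start an empty directory, keep the blocks."""
        self.directory = {}

    def overwrite_free_space(self) -> None:
        """What a disposal tool does: overwrite every block no live file references."""
        for idx in self._free_blocks():
            self.blocks[idx][:] = b"\x00" * BLOCK_SIZE

    def raw_image(self) -> bytes:
        """Everything a disk-imaging tool reads: all blocks, directory ignored."""
        return b"".join(self.blocks)


def recoverable(disk: ToyDisk, fragment: bytes) -> bool:
    """Can a fragment of the protected record be found in the raw image?"""
    return fragment in disk.raw_image()


def demo() -> dict[str, bool]:
    """Run the three disposal methods against the same constructed record."""
    record = b"constructed sample: learner Jane Example, DOB 1990-01-01"
    probe = b"Jane Example"  # a fragment an attacker might search the image for

    disk = ToyDisk()
    disk.write("learner.txt", record)
    disk.delete("learner.txt")
    after_delete = recoverable(disk, probe)

    disk = ToyDisk()
    disk.write("learner.txt", record)
    disk.quick_format()
    after_format = recoverable(disk, probe)

    disk = ToyDisk()
    disk.write("learner.txt", record)
    disk.delete("learner.txt")
    disk.overwrite_free_space()
    after_overwrite = recoverable(disk, probe)

    return {"delete": after_delete, "format": after_format, "overwrite": after_overwrite}


if __name__ == "__main__":
    for method, found in demo().items():
        print(f"{method:<10} protected data still recoverable: {found}")
```

Overwriting every unreferenced block is what the “clever program” in answer 3 does, and on a magnetic disk it is enough. On SSDs and other flash media wear levelling and over-provisioning can keep copies of blocks that the host cannot address, so an overwrite from the operating system is not dependable there; the drive’s own secure-erase command, physical destruction, or, where the disk was fully encrypted from the outset, destroying the key are the options that satisfy “unrecoverable”.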

Data Controller Responsibilities
» “The supplier is required to undertake to comply with the obligations of a “data controller” under the provisions of the Data Protection Act 1998”

Data Encryption
» “All Welsh Government information must be encrypted whether at rest or in transit.”
» “For mobile equipment, hard disk encryption must be used and protected by complex passwords.”

Removable Media
» “The Welsh Government’s information must not be copied to removable media and removed from the Supplier’s site without prior approval of the Welsh Government.”

Do you currently regulate use of removable and portable media?
1. Yes
2. To some extent
3. It’s on someone’s to-do list
4. No
5. Don’t know

Staffing and Information Security
» “The Supplier must ensure baseline controls are applied to their staff and provide details … of HR checks undertaken on new employees”
» “The Baseline Personnel Security Standard includes … independent verification via Disclosure Scotland.”

Records Management
» “Suppliers must ensure records are managed efficiently and are easily retrievable when required.”

Next steps?
1. Go back and say well done!
2. Start a conversation with relevant people
3. Re-write a few policies
4. Monitor what’s in place already
5. Get further support
6. Point at someone else and say ‘his problem!’ or ‘her problem!’

How’s this session been for you?
1. That was the most amazing, useful session I’ve ever heard.
2. That was the most amazing, useful session on information security I’ve ever heard.
3. That was the most amazing, useful session on information security I’ve heard this afternoon.


This work, with the exception of logos, and any other content marked with a separate copyright notice, is licensed under a Creative Commons Attribution 3.0 Unported Licence. Attribution should be “© Jisc Legal – – used under Creative Commons Attribution 3.0 Unported Licence” (with clickable URLs where possible). The use of logos in the work is licensed for use only on non-derivative copies. Further information at www.jisclegal.ac.uk/CopyrightPolicy
