ICT Lead for IG
Penrose Health will require the provider of its ICT services to nominate an ICT lead for IG (ICT IG Lead). This requirement will be outlined in the relevant written agreement.
The ICT IG Lead will lead on the following areas:
- Information Security Risk Management and Assurance Plan/Strategy
- Identify and report Information Risks related to information security as part of the ICT Information Risk register
6.1 Responsibility for ICT Information Security
All staff are responsible for maintaining the security of Information. Overall responsibility for information security rests with the Partners.
For technical information security issues, operational and strategic authority rests with the ICT provider, NEL GP IT. The ICT provider shall have a nominated Information Security Manager with appropriate duties and resources.
The Information Security Manager occupies a key role in the delivery of Information Governance activities and is tasked with providing advice on all aspects of information security and risk management, drawing on their own expertise or on external advice.
The quality of their assessment of information security risks and threats, and of their advice on controls, will contribute significantly to the effectiveness of Penrose Health's information security.
The key responsibilities of the Information Security Manager are to:
- Draft and/or maintain the currency of the appropriate Information Security Policy
- Ensure security accreditation of information systems in line with the approved definitions of risk
- Ensure compliance with the information security components of the Data Security and Protection Toolkit
- Ensure all arrangements for managing information security are effective and aligned with the Information Security and Risk Policies
- Provide reports to the senior member of management (e.g. a SIRO/Caldicott Guardian/IAO or equivalent) who has responsibility for Information Governance
- Provide regular information security risk assurance reports to the information risk lead (SIRO)
- Develop and maintain an information security assurance plan to ensure the appropriate management and prioritisation of risks
- Coordinate the work of other staff with information security responsibilities
- Coordinate the necessary response and resolution activities following a suspected or actual security incident or breach, keeping the information risk lead (SIRO) informed of security incidents, impacts and causes, resulting actions and learning outcomes
- Assist in the drafting and maintenance of System Level Security Policies
- Assist in the development of Business Continuity Management arrangements for key information assets
- Advise in the development of a Network Security policy and controls for the secure operation of ICT networks, including remote/teleworking facilities
- Provide advice and guidance regarding the implementation of controls to mitigate malicious or unauthorised mobile code
- Assist in designing and configuring access controls for key systems
- Assist in developing the Information Asset Register
- Develop and document an action plan for the delivery of all specific activities involving information security
6.2 ICT Information Security Incidents and Events
All information security incidents should be reported to the ICT Provider's Helpdesk upon detection.
ICT Information Security Incidents include:
- Viruses
- Inappropriate access to files or folders
- Use or suspected use of another member of staff’s login (for email, network or system) or smartcard
- Suspected or known disclosure of your smartcard
- Accidental or intentional damage to the accuracy of data
- Slow computers
- Pop-Ups
- Use of unencrypted laptops or USB sticks
- Leaving smartcards unattended
- Unattended IT Assets (laptops, USB sticks, etc.)
- Accidental or deliberate inappropriate disclosure of confidential information through any means, electronic or hard copy
The helpdesk will advise of any additional steps that are required, including initiating policy and procedure as outlined in the relevant Serious Incident and Investigation Policy and Procedure.
6.3 Management of IT Information Security Incidents and Events
The management of Information Security incidents will follow Penrose Health’s ICT Provider Helpdesk procedures for issue resolution and escalation as necessary. The nominated Information Security Officer will advise the Information Governance Lead or SIRO as appropriate for further guidance.
6.4 ICT Information Security Risk Management and Assurance Plan / Strategy
To ensure the effective implementation of Information Risk processes, the ICT Provider will ensure that a comprehensively scoped, continuously reviewed and formally documented information risk management plan and programme is in place. The security risks to Information Assets, including the systems and media used to process or store that information; the potential impacts on the continued delivery of services; and the protection of PCD and corporate data are all essential elements of the plan and programme.
The Information Security Assurance plan will utilise an appropriate risk assessment methodology. Each risk assessment will be clearly scoped and systematic, and will seek to identify, quantify and prioritise the information risks to business functions. Consideration should also be given to information risks that may affect the organisation's business partners. Where appropriate, controls (countermeasures) should then be put in place and their effectiveness monitored to ensure that the deployed controls are effective in treating the risks. System log files and incident reports may identify ineffective or poorly deployed controls. Periodic reviews of existing risk assessments should be undertaken to take account of possible changes.
The risk assessment process will address a Plan, Do, Check and Act cycle:
- Risk Identification
- Risk Analysis
- Risk Treatment
- Risk Review