Information Security Assurance Plan 2015/16

Policy number: N/A

Version 2.0

Approved by Information Governance Sub-Committee

Name of author/originator Daniel Lo Russo, Information Governance Manager

Owner (Exec Director) Elaine Newton, Director of Governance & Compliance/SIRO

Date of approval August 2015

Date of last review July 2015

Next due for review April 2016 for approval following release of Version 14 CCG IG Toolkit (expected June 2016)

Version control sheet

| Version | Date | Author | Status | Comment |
|---|---|---|---|---|
| 1.0 | March 2014 | Daniel Lo Russo | Draft | Draft for Q&CGC approval |
| 1.1 | March 2014 | Daniel Lo Russo | Approved | Approved by Quality & Clinical Governance Committee |
| 1.2 | March 2014 | Daniel Lo Russo | Final | Front sheet added |
| 2.0 | July 2015 | Daniel Lo Russo | Draft | Draft for IG Sub-Committee approval |
| 2.0 | TBC | Daniel Lo Russo | Final | Approved by IG Sub-Committee |

Related Documents

| Name |
|---|
| Information Governance Framework |
| Confidentiality & Data Protection Policy |
| Information Security Policy |
| Records Management Policy |
| 2015/16 Caldicott Function Assurance Plan |

Information Security Assurance Plan

Introduction

This work programme is designed to support the Information Security Policy, and describes how NHS Guildford and Waverley CCG can obtain assurance to address its Information Security needs (as required by the IG Toolkit Requirement 13-300 series).

Information and information systems are important assets and it is essential that the CCG takes all necessary measures to ensure that they are protected, available and accurate to support the operations of the business at all times. The aim of the CCG’s Information Security Policy and individual System Level Security Policies and Risk Assessments is to maintain the confidentiality, integrity and availability of the information stored, processed and communicated by and within the CCG.

This assurance plan outlines roles and responsibilities for managing Information Security, Information Security Incidents, and controls. It details the activities the CCG will undertake to provide assurance regarding its level of compliance with the Information Security Assurance related requirements of the CCG IG Toolkit. It also details how the CCG will seek assurance with respect to ICT services provided by the South East Commissioning Support Unit (CSU). The Information Security Assurance Plan therefore includes two separate but related elements:

1. Local Information Security Assurance Plan
2. Assurance Plan for ICT Services provided by South East CSU

Actions identified in the Assurance Plan will be included within the annual Information Governance Improvement Programme.

Information Security Management Responsibilities

Responsibility for managing Information Security within the CCG rests with all employees and the following key officers:

SIRO (Senior Information Risk Owner)

Information Security Officer (Information Governance Manager)

Information Asset Owners (IAOs)

Details of specific roles and responsibilities are included within the CCG’s Information Security Policy. Responsibilities for managing Information Security within the CSU are defined within the South East CSU’s ICT Security Policy and Application Security Policy. These are available to CCG staff via the CSU’s website (over N3 network only) or by request to the CCG’s IG Manager. Every CCG staff member and contractor is responsible for processing personal data, sensitive personal data and sensitive corporate data in a secure manner.

Approval, Monitoring & Reporting

This plan will be approved by the IG Sub-Committee of the CCG’s Quality & Clinical Governance Committee, which includes the SIRO;

Exception reports against this Assurance Plan will be provided at regular review meetings between the CCG’s SIRO and Information Governance Manager;

Exception reports against this Assurance Plan will be provided at each meeting of the IG Sub-Committee (IGSC) of the CCG’s Quality & Clinical Governance Committee;

Reports against this Assurance Plan will be used to support IGSC approval of submission of the CCG’s annual IG Toolkit assessment;

An annual summary report will be provided to the CCG’s Governing Body;

The effectiveness of the Assurance Plan and related functions/roles will be reviewed annually as part of the CCG’s IG Improvement Programme;

The IG Sub-Committee of the CCG’s Quality & Clinical Governance Committee will review and approve a 2016/17 Information Security Assurance Plan following publication of 2015/16 CCG IG Toolkit requirements (expected June 2016).

Abbreviations Used in Assurance Plan

CSU – Commissioning Support Unit

DR&BC – Disaster Recovery & Business Continuity

IA – Information Asset

IAO – Information Asset Owner

ICT – Information Communication Technology

PIA – Privacy Impact Assessment

Section 1 – Local Information Security Assurance Plan

Please see the CCG’s 2015/16 IG Improvement Plan for details of the current scheduling of activities detailed below.

| Control | IGT (v13) Req. | Assurance Activity/Monitoring Q1 | Further Action Req. Q2-4 | Responsible |
|---|---|---|---|---|
| Information Security Framework | | | | |
| There is an appropriate Information Security Framework in place. | 131 340 | Review of IG & Information Security related policies in progress. | IGSC approval of updated Information Security policy. | IG Manager |
| Independent assurance regarding ICT risk management | 131 340 341 | Independent audit of ICT risk management completed – outcome: Substantial Assurance. | Information Security IGT measures included within 15/16 IGT audit sample. | IG Manager |
| Staff Awareness & Training | | | | |
| Over 95% staff completion of mandatory IG Training | 134 | Training of new staff. See Key Performance Indicators reports. | Refresher training for existing staff. | IG Manager |
| SIRO and IAO training | 345 | Training Needs Analysis reviewed. | Mandatory training to be completed. Explore additional local training. | IG Manager |
| IA Incident reporting training | 349 | Review of new HSCIC guidance | Development of new IG Incident Reporting Procedures and evidence of staff understanding | IG Manager |
| IG related contract clauses in place with third parties | | | | |
| Appropriate IG clauses are in place for all staff, contractors and third parties | 132 341 351 | Discussions with project and contract managers regarding IG requirements for new contracts | Assurance that appropriate compliance with IG related requirements has been received from third parties | Directors of Contracts |
| Structured Implementation and InfoSec Accreditation | | | | |
| All services and information assets are developed to comply with Information Security requirements | 237 | Advice and guidance to CCG staff developing new services and information assets. | Information asset review programme to be completed. Input to OD Programme to ensure IG needs reflected. | IG Manager |
| Information Asset Register | | | | |
| Includes all key/critical local information assets including sensitive or personal data | 340 341 345 | None | Update following completion of Risk Assessments & SLSPs | IG Manager |
| Confirms IA Risk Assessments completed | 345 351 | None | Update following completion of Risk Assessments & SLSPs | IG Manager |
| Confirms Access Controls | 237 344 | None | Update following completion of Risk Assessments & SLSPs | IG Manager |
| Confirms DR&BC Plans | 346 | None | | |
| Confirms System Level Security Policies | 344 | None | | |
| Data Flow Mapping | | | | |
| Mapping of data flows for all business units | 350 236 | Safeguarding sessions being organised currently | Data flow mapping exercise refresh | IG Manager |
| Risk assessment of data flows | 350 351 | None | | |
| SIRO's review of data flow mapping outcomes | 350 351 | None | | |
| Information sharing/data processor agreements | 351 250 | LAC & ICP Information Sharing Agreements in progress | Register of ISAs maintained and regularly reviewed | IG Manager |
| Compliance with email policy | 235 348 351 | Guidance being updated and non-NHS email accounts being closed by CSU. | Staff evidence read and understood guidance. | IG Manager |
| Robust encryption methods used for transfers of sensitive/personal data | 235 348 351 | Staff guidance being updated. | Data flow mapping exercise refresh | IG Manager |
| Use of mobile memory media | 235 348 351 | Use of encrypted USB sticks by CCG staff | Review staff use of personal iPhones and use of iPads for Board Papers etc. | IG Manager |
| Information Risk Management | | | | |
| Risk Assessment of existing, new and proposed local Information Assets. | 235 341 345 | Complete for high risk assets (quarterly reviews) | Review and update risk assessments and System Level Security Policies at required frequency. | IG Manager |
| System level security policies established for existing, new and proposed local key/critical Info Assets. | 344 | Complete for high risk assets (quarterly reviews) | | IG Manager |
| Team level BC&DR plans include access to key/critical IAs | 346 | None | Development and testing of team level BC&DR Plans | Deputy Director G&C |
| Privacy Impact Assessments (PIAs) undertaken for new services | 235 237 | PIAs completed for LAC work and Integrated Care (in progress) | Complete PIAs as required. Take forward as part of CCG OD Programme. | IG Manager |
| Physical Protection of Premises/equipment | 341 351 | None | Arrange for physical penetration testing to take place by 3rd party | IG Manager |
| Monitoring of ICT services delivered by 3rd party organisations | 237 344 347 348 | See Section 2 – Assurance Plan for ICT Services Provided by South East CSU. Meeting held with CSU Account Manager and ICT Lead | Various assurance and supporting evidence. See Section 2 – Assurance Plan for ICT Services Provided by South East CSU | IG Manager |
| Staff IG Survey to be undertaken | 134 231 | None | Develop questions and methodology | IG Manager |
| ICT Network Usage | | | | |
| Acceptable Usage of email system | 235 350 | Staff guidance in development. NHS.net upgrade underway. | Explore NHS.net mailbox reporting with HSCIC | IG Manager |
| Acceptable Usage of internet | 235 350 | Implementation of proxy server. | Move all staff to proxy and receive regular reports from CSU. | IG Manager |
| NHS Smart Card Usage | | | | |
| CCG Registration Authority policy and procedures in place | 342 | Policy and procedures in place. | Review following receipt of CSU updated RA Policy. | IG Manager |
| CCG to ensure adequate governance over the issuing/use of NHS Smartcards | 343 | Q1 reports from CSU Registration Authority and reviewed by CCG sponsors. | Receive and review reports Q2 - 4. | CGSM Manager |
| NHS Number Usage | | | | |
| There is consistent and comprehensive use of the NHS Number in line with NHS requirements | 421 | Development of Accredited Safe Haven (ASH) outline business case for IGSC and EMT review. | Include NHS Number use review within 2015/16 Information Asset Review Programme. | IG Manager |
| IG Incident Management | | | | |
| Robust incident reporting arrangements in place | 349 | Monitoring and reporting of IG related incidents in accordance with CCG procedures. | CCG incident reporting procedures updated to reflect latest HSCIC Guidance. | IG Manager |
| Monitoring of IG related incident trends | 235 349 | Monitoring and reporting of IG related incidents in accordance with CCG procedures. | Undertake trend analysis of incidents | IG Manager |
| Staff awareness and compliance with incident reporting procedures | 134 | E-brief reminder and incident form circulated. | Audit of incident records to be undertaken. | IG Manager |
| User Access Control | | | | |
| Robust registrations & leavers process in place | 235 343 344 | Guidance issued via E-brief. HR review of processes in place. | Audits of records held by CCG and CSU. | IG Manager |
| Mobile Computing | | | | |
| Robust encryption in place on laptops. | 348 | Raised concerns to CSU | Assurance from CSU | IG Manager |
| Equipment held by authorised individuals only | 348 | Records held of authorisations | Audits of records held by CCG and CSU. | IG Manager |
| Pseudo. and Anonymisation | | | | |
| Robust pseudonymisation and/or anonymisation is undertaken | 236 352 | Provided under SLA with CSU. | Assurance statement from CSU. | Head of Information |

Please see below for Section 2 – Assurance Plan for ICT Services Provided by South East CSU

Section 2 – Assurance Plan for ICT Services Provided by South East CSU

Please see the CCG’s 2015/16 IG Improvement Plan for details of the current scheduling of activities detailed below.

| Control | IGT (v13) Req. | Assurance Activity/Monitoring Q1 | Further Action Req. Q2-4 | Responsible |
|---|---|---|---|---|
| Contracts are monitored and assurance gained in respect of compliance with IG requirements | | | | |
| Assurance required in respect of compliance with IG requirements | 132 | Review of CSU 14/15 IGT Return | Copy of CSU's final 2014/15 IGT Independent Audit Report | IG Manager |
| | | Meeting with CSU Account Manager and ICT Lead | In year assurance regarding 15/16 IGT score for CSU, copies of NHS England’s Reports on Internal Controls in place at SECSU, and copy of CSU's draft 2015/16 IGT Independent Audit Report | IG Manager |
| Assurance regarding individuals with access to CCG confidential data | | | | |
| Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation | 133 | Details of required assurance provided to CSU Account Manager and ICT Lead | Assurance statement regarding suitable IG clauses being in place for any CSU staff who may access CCG personal data (e.g. ICT staff) | IG Manager |
| CCG confidentiality checks | | | | |
| Staff access to confidential personal information is monitored and audited. Where care records are held electronically, audit trail details about access to a record can be made available to the individual concerned on request. | 235 | As above. | Report showing usage of removable media devices (USBs etc) used to remove data from CCG electronic filing system | IG Manager |
| | | As above. | Confirmation that all non-NHS.net email accounts for GWCCG users have now been deleted | IG Manager |
| | | As above. | Assurance statement or independent audit report confirmation regarding confidentiality audits for CSU systems holding CCG confidential data undertaken during 15/16 | IG Manager |
| Information Risk Management | | | | |
| The work necessary to provide Information Security Assurance has been identified | 340 | Informed CSU that current version of CSU’s IS Assurance Plan available to CCG is out of date. | Updated CSU IS Assurance Plan for review. | IG Manager |
| An Information Risk Assessment and Management Programme has been documented along with associated strategies, policies and procedures, linked to the organisation's corporate risk register | 341 | As above. | As above. | IG Manager |
| There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority (RA) | | | | |
| All CSU RA staff have received the mandated national training. | 342 | Details of required assurance provided to CSU Account Manager and ICT Lead | Assurance regarding CSU RA Staff Training completion | IG Manager |
| RBAC implementation at Registration Authorities | | Details of required assurance provided to CSU Account Manager and ICT Lead | Assurance regarding RBAC fully implemented. | IG Manager |
| CSU RA service capacity | | As above. | Assurance regarding RA consumables etc | IG Manager |
| CSU have robust RA policy in place | 343 | Informed CSU that current version available to CCG is out of date. | Updated CSU Registration Authority Policy for review. | IG Manager |
| Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use | | Q1 report received from CSU and reviewed by CCG Sponsors/Line Managers. Closure of access no longer required. | Quarterly reports showing current CCG Smartcard users | IG Manager |
| | | Q1 report received from CSU and reviewed by CCG. All current users have electronically signed their terms and conditions. | Audit report on the outcome of checking that all CCG NHS Smartcard users have electronically signed their terms and conditions | IG Manager |
| ICT Application Assurance | | | | |
| Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems | 344 | Details of required assurance provided to CSU Account Manager and ICT Lead | Standard CCG desktop and laptop image build (including common and technical applications) and specific builds for roles (Info Team, Comms Team) to be agreed. | IG Manager |
| As above. | | Details of required assurance provided to CSU Account Manager and ICT Lead | ICT Network reports on password strength settings and number of failed login attempts for GWCCG staff members | IG Manager |
| There are appropriate user access management procedures (including user registration, update and deregistration processes), technical functionality and management controls for all key information assets identified in the organisation's asset register. | | Details of required assurance provided to CSU Account Manager and ICT Lead | Reports showing CCG Account Directory accounts (including details date opened, approver and date closed) | IG Manager |
| | | As above. | Report showing G&WCCG Account Directory Accounts Inactive for 2 or more weeks | IG Manager |
| Access to information assets is only possible for individuals who have been duly authorised | | Details of required assurance provided to CSU Account Manager and ICT Lead | Examples of ICT Network access logs for G&WCCG users (e.g. 2 week period) | IG Manager |
| | | As above. | Penetration Testing results for ICT network utilised by CCG (COIN) | IG Manager |
| SIRO Assurance | | | | |
| An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy | 345 | Details of required assurance provided to CSU Account Manager and ICT Lead | CSU Information Security Policy to check alignment with CCG policy | IG Manager |
| Business Continuity Plan | | | | |
| Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place | 346 | | Assurance regarding BCDR arrangements for services provided to CCG under SLA and testing of these during 15/16 | IG Manager |
| ICT Network Assurance | | | | |
| Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely | 347 | Details of required assurance provided to CSU Account Manager and ICT Lead | Assurance regarding Surrey Community of Interest Network (COIN) utilised by CCG & COIN Stakeholder Group updates and Risk Assessments | IG Manager |
| | | Installation of proxy server and some CCG users moved to test environment. | Take forward proxy server configuration and roll out to all users. | IG Manager |
| | | Details of required assurance provided to CSU Account Manager and ICT Lead | Reports to support acceptable usage of internet monitoring by CCG | IG Manager |
| Mobile computing and teleworking assurance | | | | |
| Policy and procedures ensure that mobile computing and teleworking are secure | 348 | Details of required assurance provided to CSU Account Manager and ICT Lead | Report on RAS Accounts (including details date opened, approver and date closed) | IG Manager |
| | | As above. | Reports showing devices (phones, iPads and laptops) on network being utilised by CCG staff | IG Manager |
| | | As above. | Assurance that attached VPN solution diagram remains correct and has been penetration tested in 15/15 | IG Manager |
| | | As above. | Assurance regarding encryption system in place on Surrey CCG laptops | IG Manager |
| Incident Reporting | | | | |
| Adherence with NHS incident management and reporting procedures | 349 | Details of required assurance provided to CSU Account Manager and ICT Lead | Assurance that CSU has not experienced any data loss incidents (inc near misses) relating to GWCCG confidential business data (inc PID) | IG Manager |
| Data Flow Mapping | | | | |
| All transfers of CCG personal data to countries outside of the UK fully comply with the Data Protection Act 1998 and DH guidelines. Where the review of overseas transfers reveals that appropriate contracts are not already in place for existing transfers, the organisation ensures that new contractual arrangements are signed. | 236 | Details of required assurance provided to CSU Account Manager and ICT Lead | Statement confirming whether the CSU transfer/process any G&W CCG data outside UK/EEA and, if so, statement confirming that all transfers of personal data to countries outside of the UK fully comply with the Data Protection Act 1998 and DH guidelines. | IG Manager |
| All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers | 350 | As above. | Assurance regarding processing of GWCCG data by CSU | IG Manager |
| Technical Controls Assurance | | | | |
| All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures | 351 | Details of required assurance provided to CSU Account Manager and ICT Lead | Assurance regarding penetration testing of ICT Network utilised by CCG | IG Manager |
| | | As above. | Assurance regarding encryption system in place on Surrey CCG laptops and penetration testing of VPN | IG Manager |
| Pseudo. and anonymisation assurance | | | | |
| The confidentiality of CCG service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate | 352 | Details of required assurance provided to CSU Account Manager and ICT Lead | Assurance regarding processing of GWCCG data by CSU | Head of Information |
| Records Management Assurance | | | | |
| The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience | 420 | Details of required assurance provided to CSU Account Manager and ICT Lead | Reports on corporate X Drive Usage (to include no of folders, destination/no of files, file type, file size etc) | IG Manager |
| | | As above. | Reports on staff personal Z Drive Usage (to include no of folders/no of files, file type, file size etc) | IG Manager |
| NHS Number Assurance | | | | |
| There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements | 421 | Details of required assurance provided to CSU Account Manager and ICT Lead | Confirmation that CSU have NHS Number plan in place | IG Manager |