Storetec's Information Security Policy

Information Security Policy
POLICY NO: ISP01v4.1
REVIEW COMMITTEE: Neil Robson – Managing Director; Angie Hare – IG Lead; Steve Wragg – I.T. Manager
DATE RATIFIED: 29/10/2014
NEXT REVIEW DATE: 31/10/2015
POLICY STATEMENT:
Storetec Services Ltd recognises the vital importance of a structured, coherent
and secure Information system and associated systems used to process, store
and return clients’ sensitive Information in order to safeguard the integrity of this
data and protect against all loss, either accidental or due to malicious intent.
ACCOUNTABLE DIRECTOR: Managing Director
POLICY AUTHOR: Information Systems Manager
KEY POLICY ISSUES
• To ensure a secure and reliable system for the transference, handling and storage of client Information.
• To identify and comply with national policies, laws and legislation, in particular the Data Protection Act 1998, PCI DSS and Information Governance best practice.
• To meet the client requirements for data transfer into externally located systems and ensure connection security.
Table of Contents
Introduction ......................................................................................................... 3
Rationale ......................................................................................................... 3
Scope .............................................................................................................. 3
Principles ........................................................................................................ 3
Laws, legislation and guidelines ............................................................... 4
Information confidentiality ............................................................................ 4
Policy .................................................................................................................. 5
Email ............................................................................................................... 5
Personal Use ............................................................................................... 5
Housekeeping ............................................................................................. 5
Use of Email ................................................................................................ 6
Terms of use ............................................................................................... 6
Spam and Junk Email ................................................................................. 7
Virus Checking ............................................................................................ 8
Content Filtering .......................................................................................... 8
Email Investigation Requests ...................................................................... 8
Internet ............................................................................................................ 8
Internet Use ............................................................................................... 10
Personal Use ............................................................................................. 10
Internet Security ........................................................................................ 11
Monitoring.................................................................................................. 11
Reporting ................................................................................................... 11
Internet content filtering ............................................................................. 12
Internet Use Investigation Requests .......................................................... 12
Remote Working and Mobile devices ............................................................... 12
Site security .................................................................................................. 12
IT Server and Communications Rooms ..................................................... 12
Desktop Computer Security....................................................................... 13
Virus Protection ......................................................................................... 14
Network Security ....................................................................................... 14
New I.T. Systems ...................................................................................... 14
System access levels ................................................................................ 15
Disposal of I.T. Equipment and Media .......................................................... 15
Storetec Information Security Policy – ISP01v4.1 October 2014
1
Password Management ................................................................................ 15
Network Account Management ..................................................................... 16
Account creation ........................................................................................ 16
Account deletion ........................................................................................ 17
Security incident handling ............................................................................. 17
Reporting an incident ................................................................................ 17
Responding to an incident ......................................................................... 17
Business Continuity ...................................................................................... 18
Training ......................................................................................................... 18
Duties and Responsibilities ........................................................................... 18
Monitoring and Compliance .......................................................................... 19
Development & Consultation Process .............................................................. 19
Appendices ....................................................................................................... 20
Caldicott Guidelines ...................................................................................... 20
Computer misuse Act 1990 ........................................................................... 21
Introduction
Rationale
The Information Security policy has been put in place for the following reasons:
• Storetec Services Ltd (from hereon known as “Storetec”) recognises the importance of its Information systems used for the processing and storage of client data.
• Through this policy and government laws and legislation (see section 5, Reference Documents), Storetec will identify and adopt structured security procedures for all Information systems.
• To ensure the availability of data: that is, ensure that client assets are available as and when required to those with predetermined access, adhering to Storetec’s business objectives and SLAs.
• To preserve integrity: that is, protect assets from unauthorised or accidental modification, ensuring the accuracy and completeness of client assets.
• To preserve confidentiality: that is, protect Information from unauthorised access and disclosure.
• Storetec staff are bound by the confidentiality and security policies set by Storetec and the Information Commissioner’s Office.
Scope
All client Information that is processed, stored, transmitted or received during
the course of Storetec’s business activity is an asset that Storetec has been
entrusted to preserve and protect.
This policy applies to all Storetec employees or other persons working for
Storetec or whilst engaged on or involved in any Storetec business.
This policy must be adhered to at all times. Failure to comply with this policy
may lead to Storetec’s disciplinary policy being invoked.
Principles
The term Information can be defined as “a collection of facts or data” and for the purpose of this policy Information includes:
• Information stored on computers.
• Information transmitted across networks.
• Information that is retrieved, accessed, transmitted to or received from other organisations using the following media:
  1. Networks (local or wide area), including the Internet and remote access.
  2. Fax machines and any other communications media.
• Information printed out or written on paper.
• Information stored on disk, tape or any other electronic or optical media.
• Information recorded on video tape.
Also included are verbal communications and any other methods used to convey knowledge and ideas relating to Storetec or its business or any client data held within any of the media listed above.
Laws, legislation and guidelines
Due to the nature of Storetec’s business, Storetec must comply with, but is not limited to, the following laws, legislation and guidelines:
• The Data Protection Act 1998
• The Freedom of Information Act
• The Computer Misuse Act 1990
• The Caldicott Guidelines
• Confidentiality: NHS Code of Practice
• Electronic Communications Act 2000
Information confidentiality
Keep all confidential Information secure, use it only for the purposes intended and do not disclose it to any unauthorised third party.
• Client data is only to be stored within designated systems.
• Client data must not be saved to the workstation or device’s local storage (e.g. the “C” drive), USB devices, CD/DVD/Blu-ray, memory cards or any other external storage devices (even those that are encrypted), unless via an approved methodology.
Policy
This security policy covers all Storetec I.T. systems and Information
communicated and managed by these IT systems.
Email
Storetec employs the use of email to facilitate its business objectives.
• Microsoft Outlook is used for day-to-day communications of non-secure Information and is set up as part of the account request process.
• The use of personal Internet email is permitted during break times and rest periods with the agreement of your service lead. Staff should be aware that all Internet activity across Storetec networks is monitored.
• Internet email is only for personal use. Sending Storetec-related emails and attachments, or anything that is considered sensitive or would bring Storetec into disrepute, is prohibited. Where this usage is not complied with, Storetec reserves the right to invoke the disciplinary policy.
Personal Use
Although personal use of Storetec email facilities is discouraged, limited personal use will be permitted provided that the content of messages is appropriate, i.e. is not likely to cause offence and is not used for personal business or financial gain.
Employees should regard this facility as a privilege that should normally be
exercised in their own time without detriment to the job and not abused.
Inappropriate use may result in disciplinary action and/or removal of facilities.
However, staff should be aware that both private and business use of email will
be subject to monitoring.
Housekeeping
The amount of email in the personal Inbox must be kept to a minimum. Non-essential work-related emails should be deleted after reading, response or action. Saved emails must be reviewed on a monthly basis and deleted when no longer required. It is good practice to move emails that need to be saved to a personal folder. The same housekeeping rules apply to Sent Items.
Care must be taken when sending file attachments as these are typically large and may cause network congestion. File attachments must only be sent when necessary and must be deleted as soon as is practicable. Users are responsible for their own housekeeping. Staff should refrain from sending emails with inserted graphics, multimedia or large attachments unless absolutely necessary, as these emails tend to take up a lot of space on the system.
After a period of time attachments will be archived outside the mail system and the email will instead carry a link to the archived attachment. This is to conserve working space on the mail systems.
Use of Email
Storetec uses technologies and policies to control who has access to the Storetec network. These policies also control who has access to the email systems.
• Expressly agree with the recipient that the use of email is an acceptable form of communication, bearing in mind that if the material is confidential, privileged or sensitive, Outlook email is normally unencrypted and is not secure unless specifically manually encrypted.
• Some intended recipients may have rigorous email gateway protocols (or firewalls) which can automatically screen all incoming email for content and source. If this is the case, consider whether this means of communication is appropriate.
• All emails are checked for viruses and content.
Terms of use
Storetec’s main purpose in providing IT facilities for email is to support the approved business activities of Storetec. IT facilities provided by Storetec for email should not be abused. An absolute definition of abuse is difficult to achieve but certainly includes (but is not necessarily limited to):
• Creation or transmission of material that could bring Storetec into disrepute.
• Creation or transmission of material that is illegal.
• The transmission of unsolicited commercial or advertising material, chain letters, press releases or other junk mail of any kind.
• The unauthorised transmission to a third party of confidential material concerning the activities of Storetec.
• The unauthorised transmission to a third party of confidential material concerning the activities of a client of Storetec.
• The transmission of material that infringes the copyright of another person, including intellectual property rights.
• Activities that unreasonably waste staff effort or networked resources, or activities that unreasonably serve to deny service to other users.
• Activities that corrupt or destroy other users’ data or disrupt the work of other users.
• Unreasonable or excessive personal use.
• Creation or transmission of any offensive, obscene or indecent images, data or other material.
• Creation or transmission of material that is designed or likely to cause annoyance, inconvenience or anxiety.
• Creation or transmission of material that is abusive or threatening to others, serves to harass or bully others, or discriminates or encourages discrimination on racial or ethnic grounds, or on grounds of gender, sexual orientation, marital status, disability, or political or religious beliefs.
• Creation or transmission of defamatory material or material that includes claims of a deceptive nature.
• Activities that violate the privacy of others or unfairly criticise or misrepresent others; this includes copying and distribution to other individuals.
• Creation or transmission of anonymous messages or deliberately forging messages or email header Information (i.e. without clear identification of the sender).
• The deliberate unauthorised access to services and facilities.
• The unauthorised provision of access to Storetec services and facilities by third parties.
Spam and Junk Email
Spam can be defined as "the mass electronic distribution of unsolicited email to individual email accounts". Junk mail is usually a result of spamming; in reality spam and junk mail are regarded as interlinked problems.
Storetec maintains an email content management system (messagestream) which filters junk email. Any mail which has been marked as junk mail will be quarantined and not delivered.
Storetec is constantly striving to improve its junk mail detection mechanisms, but no system is 100% effective and occasionally junk email will evade the detection process and be delivered. Conversely, some mail that is legitimate may be tagged as junk mail.
Virus Checking
Computer viruses, Trojan horses and worms are collectively known as malware.
The most common method for distributing malware is via email. All email
communication passing through Storetec’s email servers is checked for
malware. Checking strategies include: refusing messages containing
executable attachments, scanning messages for known malware or a
combination of both techniques.
Messages containing malware will be retained for a limited time for
administrative reasons. The sender of such messages will be informed of the
viral content of their email. A similar message will be sent to the administrator(s)
of the email gateways.
Content Filtering
Email is filtered for both inbound and outbound mail; content filtering is in use to stop the exchange of viruses, chain letters, spam etc. Network bandwidth is essential for Storetec’s day-to-day operations. To optimise this, the message gateway attempts to block messages that contain (or are likely to contain) non-business attachments: movies, pictures, sound files etc.
Storetec’s content filtering system is configured to reply to internal users
informing them that their message has been blocked, detailing the reason for
the block and advising on the actions required to have the message released.
Email Investigation Requests
Two forms of email investigation are available and should be requested via the Information Security Manager by logging an incident with the Support desk.
• A basic summary of compliance in line with Storetec’s acceptable use of email policy statements can be requested.
• A full email investigation can be requested, but will only be accepted if it forms part of an HR investigation.
• The HR investigation terms of reference would have to be compatible with email analysis.
Internet
Storetec employs the use of the internet as a communications medium to
facilitate its business function. Access to the internet is controlled through
network security.
Any person or persons accessing the Internet via Storetec’s network will be
considered to have read, understood and accepted the Information Security
policy.
Any service user accessing the internet via Storetec network will have to
comply with this policy and the service user internet use policy.
A copy of the service user internet use policy can be requested from HR and
will be given to the employee.
The purpose of this document is to define the environment under which full or partial access to the Internet may be granted from a workstation or device attached to the Storetec network:
• To clarify Storetec's policy regarding staff use of the Internet.
• To mitigate the organisation's exposure to potential liability.
• To minimise the risk of Internet-borne security threats through the promotion of staff awareness and good practice.
• To encourage the most effective and positive use of the Internet as an Information resource.
Heads of Departments will be responsible for ensuring that users are aware of
and conform to the practices laid out in this document.
The internet is a source of Information and knowledge of infinite range but
offers no guarantee of accuracy, reliability and authenticity.
Discussion, news group and blogging sites
Membership of special interest groups is not private, and the fact that a member is employed by Storetec could be easily apparent and could be used to generate adverse publicity. Storetec email accounts must therefore not be used for registering with Internet sites for personal business use, including but not limited to eBay, TESCO home shopping and holiday sites.
Storetec reserves the right to investigate any use that may bring it into disrepute.
Social Media
It is recognised that Social Media is becoming an important channel for effective
communication and as such viewing access is permitted during break and rest
periods via agreement with your line manager.
Internet Use
• When entering an Internet site, always read and comply with the terms and conditions governing its use.
• Do not download any images, text or material that is copyright protected other than for private study (see section 5, Reference Documents, Copyright, Designs & Patents Act 1988).
• Do not download any images, text or material that are obscene or likely to cause offence.
• You must not download or install any software. If you need to download or install any software, first seek permission from the Information Security Team.
If you are involved in creating, amending or deleting our web pages or content
on our web sites, such work should be consistent with your responsibilities and
be in our best interests. Always ensure that the proper vetting procedures have
been complied with and the Information is accurate and up-to-date.
Personal Use
Storetec has made arrangements for the Internet to be used for the purposes of
their business. The facility can be used for employees’ personal use at the
discretion of the user's line manager and during a time agreed by that manager.
The Internet may also be used for educational purposes if this is identified as a
necessary requirement for the development of that particular member of staff.
Any abuse of this concession or failure to adhere to the terms under which such
access is granted will be treated as a disciplinary offence.
Please ensure that your personal use of the Internet:
• Does not interfere with the performance of your duties;
• Does not take priority over your work responsibilities;
• Does not incur unwarranted expense on Storetec;
• Does not have a negative impact on Storetec in any way, and is lawful and complies with this policy;
• Is conducted during official breaks and outside working hours;
• Is not used for personal business or financial gain.
Any user found to be using a Storetec Internet connection for conducting personal business activities will be subject to disciplinary action under Storetec’s disciplinary process.
Internet Security
The Internet is not a secure transport medium for Information. Under no
circumstances must client data be sent via the Internet unless advice has been
requested and permission given from the Information security manager.
Any attempt to gain unauthorised access to the Internet will be treated as a disciplinary offence and be dealt with under Storetec’s disciplinary procedures.
All Storetec staff are responsible for the security of the workstation they accessed the Internet from. After using the workstation all staff must log out. If a breach of security is identified, the user account under which the offence occurred will be investigated.
Monitoring
All internet traffic is monitored and controlled 24 hours a day for network
bandwidth, security purposes and content control.
The systems used to monitor internet traffic are used to generate usage reports.
These reports contain the following Information:
• User name.
• Sites accessed.
• Time spent accessing the Internet and individual sites.
• Amount of Information accessed.
These access reports will be reviewed on a regular basis for audit purposes.
Reporting
If a member of staff feels that they have accidentally accessed an inappropriate Internet site, they should report this matter to the Information Security Manager as soon as possible.
All Storetec staff have a responsibility to report any security incidents, suspected security incidents or security vulnerabilities affecting Storetec’s systems or Information to the IT systems security manager.
Internet content filtering
All internet traffic is checked for content via Storetec’s internet content
management system.
The content management system checks for illegal or immoral sites, and all access to these sites will be blocked. Other sites which are blocked include but are not limited to:
• Gambling sites
• Adult content
• Games sites
• Crime/Terrorism
• Music downloads
Internet Use Investigation Requests
Investigations summarising Internet use can be requested via the Information Security Manager.
• The request needs to be authorised by the investigating officer in the case of an ongoing HR investigation.
• The HR investigation terms of reference would have to be compatible with Internet usage analysis.
Remote Working and Mobile devices
The nature of Storetec’s business is such that sales staff may need to access Information from a location that is not their normal work base. Storetec provides a variety of mobile devices and allows the use of mobile storage where necessary.
Site security
It is the responsibility of all Storetec staff to make their area of work as secure as is reasonably possible. The following guidelines, which include but are not limited to the points below, must be adhered to.
IT Server and Communications Rooms
Storetec server and communications rooms must be locked at all times. This is
for security and health and safety due to the fire prevention systems in use.
All Staff working in the server room must be trained on the fire prevention
systems in use.
All non-Storetec staff must be accompanied at all times while conducting work
in the server room.
Desktop Computer Security
Desktop security is of paramount importance to Storetec and as such the Information Security Manager controls the following through network security.
• Network account password protection. A network account password change will be requested every 40 days.
• Screen saver password protection. Password-protected screen savers will be activated if the computer is idle for 5 minutes.
• Virus protection. The virus protection systems employed by Storetec will automatically update while the computer is attached to the Storetec network and actively check all open files.
• Access to the local hard drive (“C” drive) will not be available on Storetec computers while connected to the Storetec network. This is in place to stop the storage of Storetec Information on local computers.
• Storetec has put in place a system to stop the use of USB devices. This system will record what devices are attached to the computer and can also record what type of documents have been saved to any USB device. USB ports will be restricted to only allow printers, scanners, keyboards and mice. All other USB devices will be blocked, e.g. USB memory sticks (see section 2.3.3.a), web cams and cameras. Any user that needs to connect an alternative USB device will have to seek permission from the Information Security Manager.
Under no circumstances must Storetec staff copy any personal or multimedia files (i.e. MP3, CDA, WMA, GIF, BMP or JPEG files) that are not Storetec related to any local or network drive. If such files are found in Storetec staff accounts or on shared drives, this will be classed as computer misuse and subject to Storetec’s disciplinary process.
Do not use the system in any way which may damage, overload or affect the performance of the system or the internal or external network.
Storetec will have an asset management system in place to record all IT assets, enabling it to maintain an accurate record of I.T. assets.
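The following PowerShell script is an added example, not Storetec's own tooling, that audits a Windows workstation against the desktop controls listed above and reports any that fall short of the stated thresholds (40-day password age, 8-character minimum, 5-minute locking screen saver, USB storage blocked, local C: drive hidden). It assumes the controls are implemented with standard Windows mechanisms: the local account policy shown by `net accounts`, the screen saver values under HKCU\Control Panel\Desktop, the USBSTOR service start value and the Explorer NoViewOnDrive policy; the policy text does not say how Storetec implements them.

```powershell
# Added example, not Storetec's own tooling: audits a Windows workstation
# against the desktop controls stated in this policy and lists shortfalls.
# Run in an elevated PowerShell session on the workstation being checked.
# The mechanisms checked (net accounts, screen saver registry values,
# USBSTOR start value, NoViewOnDrive) are assumed; the thresholds are the policy's.

$findings = New-Object System.Collections.Generic.List[string]

# Helper: pull a numeric value out of 'net accounts' output, e.g.
# "Maximum password age (days):   42" -> 42; "Unlimited" -> $null.
function Get-NetAccountsValue {
    param([string[]]$Lines, [string]$Label)
    $line = $Lines | Where-Object { $_ -match "^\s*$Label" } | Select-Object -First 1
    if (-not $line) { return $null }
    $value = ($line -split ':', 2)[1].Trim()
    if ($value -match '^\d+$') { return [int]$value }
    return $null
}

# 1. Password age and length (policy: change every 40 days, minimum 8 characters).
$accounts = net accounts 2>$null
$maxAge = Get-NetAccountsValue -Lines $accounts -Label 'Maximum password age'
$minLen = Get-NetAccountsValue -Lines $accounts -Label 'Minimum password length'
if ($null -eq $maxAge -or $maxAge -gt 40) {
    $findings.Add("Maximum password age is '$maxAge' days (blank = unlimited); policy requires 40 or fewer.")
}
if ($null -eq $minLen -or $minLen -lt 8) {
    $findings.Add("Minimum password length is '$minLen'; policy requires at least 8.")
}

# 2. Screen saver lock (policy: password-protected screen saver after 5 minutes idle).
#    The registry stores these as strings: timeout in seconds, flags as '1'/'0'.
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$timeout = 0
[void][int]::TryParse([string]$desk.ScreenSaveTimeOut, [ref]$timeout)
if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1' -or $timeout -le 0 -or $timeout -gt 300) {
    $findings.Add("Screen saver lock not enforced at 5 minutes (active=$($desk.ScreenSaveActive), secure=$($desk.ScreenSaverIsSecure), timeout=$timeout s).")
}

# 3. USB mass storage (policy: only printers, scanners, keyboards and mice).
#    Disabling the USBSTOR service (Start = 4) blocks memory sticks and USB
#    disks while HID (keyboard/mouse) and printer class devices keep working.
$usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
if ($null -eq $usbstor -or $usbstor.Start -ne 4) {
    $findings.Add("USB mass storage driver is not disabled (USBSTOR Start=$($usbstor.Start)); policy requires USB storage to be blocked.")
}

# 4. Local C: drive hidden (policy: no access to the local drive while on the network).
#    NoViewOnDrive is a bitmask of drive letters (A=1, B=2, C=4, ...); a machine-wide
#    policy may set the same value under HKLM instead of HKCU.
$explorer = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
$noView = if ($explorer -and $null -ne $explorer.NoViewOnDrive) { [int]$explorer.NoViewOnDrive } else { 0 }
if (($noView -band 4) -eq 0) {
    $findings.Add("Local C: drive is not hidden from Explorer (NoViewOnDrive=$noView).")
}

# Report the result.
if ($findings.Count -eq 0) {
    Write-Output 'All checked desktop controls meet the policy thresholds.'
} else {
    Write-Output "Controls not meeting policy ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A clean run proves only that the local settings match; domain Group Policy can override them, so the same thresholds should be confirmed in the domain policy as well.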
Virus Protection
Storetec recognises the threat to its Information assets through malicious
programs and as such has put in place a system to check and remove viruses
from its network. Each workstation that resides on Storetec’s network will have
the virus protection system installed and will be automatically updated
whenever a new virus is discovered.
Storetec will use its best endeavours to protect its assets against the threat of viruses and recognises the damage a virus could do if not detected and removed. It is also the responsibility of all staff to be vigilant and take steps to protect themselves against computer viruses.
Network Security
Storetec recognises the need for a secure and reliable system to transfer Information. To facilitate the transference of Information throughout Storetec, Storetec utilises a switch-based network system.
All Storetec network switches must comply with, but are not limited to, the following standards:
• All switches must be password protected.
• Only the Information Security Manager and designated team members will have access to the switch passwords.
• All switch passwords must be changed if a member of the Information Security team who has had access to the switch passwords leaves Storetec.
• All switches must be located in a secure location.
• All external network traffic containing client Information should be encrypted.
New I.T. Systems
To aid business continuity Storetec will have to implement new systems or update old systems. Any new IT-based systems installed on the Storetec network, or stand-alone systems, must be implemented as part of a recognised and structured IT project. This will ensure that the correct procedures are maintained for the integration of new systems regarding the location, protection and backup of any Information produced or stored on or by the new systems.
The following are some key issues used in project planning surrounding the integration of new IT systems.
• Conformity: to keep all Storetec systems at the same or equivalent levels of standardisation.
• Continuity: to ensure that all new IT systems are available where and when they are needed, and that all processed and system-dependent Information is backed up in case of system failure.
• Security: to ensure that any new systems are located in a secure location and under the correct environmental conditions, i.e. air conditioned and with the correct fire suppressant systems in use; that all client data produced or processed by the new system is stored in a secure location; and that the correct access levels to the new system are set up and password protection is used, with an audit trail of system access.
• Support: to ensure that IT staff are trained on any new systems to allow an acceptable level of support.
System access levels
Storetec employs many different systems to facilitate its business function. Most
systems will have different access levels which could allow users access to
different levels of patient / carer Information or access at an administration
level. Storetec reserves the right to add, remove or change access to
applications or systems to facilitate Storetec’s business functions.
System access will be granted on a lowest-level-required basis in all cases.
Disposal of I.T. Equipment and Media
Storetec disposes of its assets in a controlled and secure manner. All media
and drives are physically and manually destroyed onsite by Storetec staff. Any
data that is required to be removed from Storetec’s systems for operational
purposes will be overwritten with binary data using a software shredding
algorithm.
Password Management
Passwords are confidential Information and must be treated as such.
A password is only as secure as the person who knows it and as such the
following standards must be adhered to:

Keep your system passwords safe.
Storetec Information Security Policy – ISP01v4.1 October 2014
15

Do not disclose them to anyone.

You will be forced to change your passwords from time to time for
security purposes.

Network passwords must be a minimum of 8 characters and at least one
character should be none alphabetic.

Should be easy to remember but difficult to guess.

Should not relate to Information that is known to other members of staff.

Each user is responsible for maintaining the security of their individual
login and password.

Staff must not share their user name or password with anyone.

Must not be written down.
Each user is responsible for maintaining the security of their individual login
and password. If a breach of security is recorded under your login, the burden
of proof will be on you to show that you are not responsible for the breach.
All passwords must be changed at regular intervals when requested by the
system; this interval should be no less than 40 days.
If a password is forgotten the following step must be taken:
• Inform the Information Security Manager or a member of his team.
Network Account Management
All IT network accounts will be created and maintained by the Information Security
Manager and his team.
Regular network audits will be conducted to check account assignments and user
rights are being maintained.
User accounts must only have the minimum rights assigned to allow the users to
conduct Storetec business functions.
Account creation
All new network accounts must be requested by the user’s manager by email.
Account deletion
When a member of staff leaves Storetec, their line manager must inform the IT
service desk via an email sent from the manager’s own e-mail account. The
leaver’s account must then be disabled immediately and all access rights removed.
Security incident handling
Storetec recognises the risk of an incident occurring involving Storetec systems
and as such has put in place the following IT security incident handling
procedures.
An I.T. Security Incident is any situation in which Information Technology
systems, or Information that is stored, manipulated or communicated by or
through these systems, is affected in an adverse way, whether through
controlled or uncontrolled circumstances, and which could result in:
• Loss, damage or theft of Information
• Disclosure of confidential Information to unauthorised persons
• The integrity of I.T. systems or Information being put at risk
• Availability of I.T. systems or Information being put at risk
Storetec recognises the importance of all I.T. related security incidents being
handled using a structured, coherent and proven method, ensuring all incidents
are handled in a consistent manner.
Reporting an incident
All incidents are to be reported by email to support@storetec.net. The incident
will then be logged and automatically assigned a reference number. The
Information Security Manager and his team will then investigate the incident.
Responding to an incident
1. The Information Security Manager will contact the line manager to discuss
the incident in relation to:
• How the incident occurred
• How the incident will be resolved
• Actions needed to prevent any recurrence of the incident.
2. The Support Desk will issue communications to all staff affected by an
incident causing a service interruption.
3. If it is decided that access to I.T. systems needs to be removed, the request
must come from the member of staff’s manager, unless there is a direct threat
to Storetec systems, in which case the Information Security Manager or
Operations Manager will authorise the removal of I.T. resources from the member
of staff with immediate effect.
4. When an incident involving computer misuse occurs the Information
Security Manager must investigate the member of staff’s computer and / or
computer accessories to collect any evidence needed for legal
proceedings.
5. The Information Security Team has the right to disconnect and disable a
user’s account if it is suspected that they are in breach of the Information
Security policy pending an investigation.
Business Continuity
Storetec is aware that some form of disaster may occur, and as such will
implement and regularly update a business continuity management process to
counteract interruptions to normal activity and to protect critical processes from
the effects of failures or damage to vital services or facilities.
Training
Storetec will endeavour to train, or supply training to, all IT personnel on the
IT systems in use within Storetec.
Extra training for IT staff to include security awareness relating to IT systems
will also be made available due to increasing security risks surrounding IT
systems.
Duties and Responsibilities
Managing Director
The Managing Director as the accountable officer is responsible for the
management of Information Security and for ensuring appropriate mechanisms
are in place to comply with all current legislation.
IG Lead
Storetec’s IG Lead has a particular responsibility for ensuring that a robust
framework to comply with all legislation is in place across Storetec. It is the
responsibility of the IG Lead to ensure that every member of staff within
Storetec complies with all requirements of the Information Security Policy,
which is driven by current legislation and best practice.
Senior Managers
It is the responsibility of all Senior Managers to ensure that staff work within
the boundaries of Storetec policies and procedures and are aware of their
responsibilities.
All staff
All employees of Storetec, staff working in a voluntary capacity and independent
contractors must adhere to the current legislative framework and Storetec
policies.
Monitoring and Compliance
The effectiveness of this policy will be monitored by measuring the number of
reported Information Security Incidents.
Development & Consultation Process
The Policy has been developed by the Managing Director and the IG Lead. The
Policy has been reviewed and ratified by the Managing Director, the IG Lead and
the Board of Directors.
This policy will be under continual development and consultation due to the
nature of Information technology and its constant evolution with the
introduction of new technologies.
The policy will also be reviewed on a yearly basis.
Appendices
The Data Protection Act
The Data Protection Act controls how personal information is used by
organisations, businesses or the government.
Everyone who is responsible for using data has to follow strict rules called ‘data
protection principles’. They must make sure the information is:
• used fairly and lawfully
• used for limited, specifically stated purposes
• used in a way that is adequate, relevant and not excessive
• accurate
• kept for no longer than is absolutely necessary
• handled according to people’s data protection rights
• kept safe and secure
• not transferred outside the UK without adequate protection
There is stronger legal protection for more sensitive information, such as:
• ethnic background
• political opinions
• religious beliefs
• health
• sexual health
• criminal records
Caldicott Guidelines
The Caldicott Report (December 1997) was a review commissioned by the
Chief Medical Officer to make recommendations to improve the way the
National Health Service handles and protects patient Information.
The Caldicott Committee was set up to review the confidentiality and flows of
data throughout the NHS for purposes other than direct care, medical research
or where there is a statutory requirement for Information. Its recommendations
are now being put into practice throughout the NHS and in the Health Protection
Agency.
The Caldicott report identified 6 principles, similar in many respects to the
principles outlined in the Data Protection Act.
1. Justify the purpose(s) for using patient data
2. Don't use patient-identifiable Information unless it is absolutely
necessary.
3. Use the minimum necessary patient-identifiable Information
4. Access to patient-identifiable Information should be on a strict need to
know basis.
5. Everyone should be aware of their responsibilities to maintain
confidentiality.
6. Understand and comply with the law, in particular the Data Protection
Act.
Computer Misuse Act 1990
For your Information, the following activities are criminal offences under the
Computer Misuse Act 1990:
• Unauthorised access to computer material, i.e. hacking;
• Unauthorised modification of computer material; and
• Unauthorised access with intent to commit or facilitate the commission of
further offences.
For further Information regarding the Computer Misuse Act 1990 see section 5
reference documents.
Information Security Policy Declaration
By signing this declaration you agree that you have read and understood the
Information Security Policy and that you agree to be bound by its terms.
Print Name ______________________________________________
Signature______________________________________________
Date___/___/___ (DD/MM/YY)
Document Title:   Information Security Policy Declaration form
Document Number:  Declaration 02
Document owner:   Information Security Manager
Production Date:  29/10/2014