Information security policy statementPublished: 03 April 2014
Freedom of information class: How we manage our resources
Details of our information security policy statement.
The purpose of the information security policy is to ensure business continuity and minimise business and reputational damage by minimising the impact of information security incidents and, where possible, preventing their occurrence.
The executive management team (EMT) approves and supports the information security policy.
It is Registers of Scotland's (RoS) policy to ensure that:
- A Senior Information Risk Owner (SIRO), Departmental Security Officer (DSO) and IT Security Officer (ITSO) will be appointed.
- Information Asset Owners (IAOs) will be appointed for all Information Assets.
- Information will be protected against unauthorised access or misuse.
- The value and sensitivity of all information will be detailed in the directorate Information Asset Registers.
- Information will be classified and protected in line with the Government Security Classifications.
- Confidentiality of information will be assured.
- Integrity of information will be maintained.
- Availability of information will be assured.
- Regulatory, legislative and contractual requirements will be met.
- Business and Information Communications Technology (ICT) continuity plans will be produced, maintained and exercised.
- Information security training / instruction will be available to all staff.
- All breaches of digital information security, actual or suspected will be reported to the ITSO and investigated by appropriate personnel, and where applicable detail forwarded to the DSO, relevant IAO, HMG security authorities and Information Commissioner’s Office (ICO)
- All breaches of non-digital information security, actual or suspected, will be reported to Management and investigated by appropriate personnel, and where applicable detail forwarded to the DSO, relevant IAO and ICO.
- Standards and procedures will be produced and measures implemented to support the Information Security Policy.
- All managers are responsible for implementing the Information Security Policy within their areas of responsibility and for ensuring that their staff are aware of its content.
- It is the responsibility of every employee to comply with the Information Security Policy and ICT Code of Conduct.
- Infringement of the Information Security Policy will be treated as serious misconduct and will be subject to disciplinary action including dismissal.
The security and information assurance team is responsible for maintaining the information security policy documentation and associated procedures and for providing advice and guidance on their implementation.
- Objective - The objective of information security is to facilitate business operations and maintain customer services, RoS reputation and revenue while protecting RoS information assets and deeds and other documents belonging to other parties submitted to RoS from all relevant threats. At all times the cost effectiveness and fitness for purpose of countermeasures will be considered.
- Confidentiality: Ensuring that information is accessible only to those authorised to have access.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods.
- Availability: Ensuring that authorised users have access to information and associated assets when required.
- SIRO is accountable for information risk in RoS and leads the RoS response. The SIRO is the focus for the management of information risk at Board level.
- DSO is responsible for ensuring that appropriate levels of physical, information and personnel security are in place in RoS in order to protect assets.
- IAOs are responsible for setting out the rules and controls to ensure confidentiality, integrity and availability for their information assets Note: Information takes many forms and can be stored physically or electronically, transmitted across networks or telephone lines, sent by fax, printed as hardcopy or written on paper and spoken in conversations.