Information security incident notification procedures

What do we mean by information?

Information takes many forms. It can be:

• physical (e.g. letters, deeds, printouts from websites)
• electronic (e.g. emails, computer files, the Registers)
• verbal (e.g. conversations by telephone or in person)

It covers both information created by RoS and information received into RoS - including hard copy deeds and other documents submitted as part of the registration process.

What is an information security incident?

An information security incident occurs when:

Information or data is disclosed to unauthorised persons, or IT systems, security and/or policies are breached resulting in unauthorised intentional or unintentional disclosure, modification, destruction, or loss of information.

Examples of information security incidents include but are not limited to:

• Leaving valuable hard copy information unsecured, when unattended, in breach of the Clear Desk and Screen Policy
• Leaving sensitive or information marked with a security classification unattended in breach of the Clear Desk and Screen Policy and Security Classification Policy
• Leaving portable equipment and media unsecured, when unattended, such as laptops, tablets, mobile phones, CDs, DVDs and USB memory sticks
• Loss or theft of hard copy information, portable equipment and media
• Failing to lock your computer screen when away from your desk in breach of the ICT Code of Conduct and Clear Desk and Screen Policy exposing your computer and user account
• Failing to handle and transmit information in accordance with the Security Classification Policy and Guidance for Handling Information
• Sending information to an unauthorised party in error, for example by email
• Purposefully sending or sharing information with an unauthorised party
• Attempts (either failed or successful) to gain unauthorised access to a computer system
• Attempts (either failed or successful) to gain access to electronic or hard copy information which an individual is not permitted to access
• Copyright infringement
• A malware (virus) infection

What to do if you identify an information security incident or you suspect there has been one?

• All information security incidents, or suspected incidents must be taken seriously and reported in a swift and proportionate manner.
• Staff must immediately advise the IT Service desk and the SIA team, by phone, of information security incidents or suspected incidents. Staff should also advise their Line Management, who in turn must immediately advise their Information Asset Owner, Area Information Manager and SIA team as appropriate.
• Where there may be a suspicion of a malware (virus) infection this should be reported immediately to the IT Service desk, SIA team, by phone and also the line manager.
• Where the incident involves personal data relating to individuals, the Data Protection Officer must be advised immediately. This includes incidents where any personal data are lost, damaged, corrupted, unavailable or otherwise compromised, or where unauthorised access may have taken place.
• Personal data is any data which identifies, or might identify, an individual – this includes names of clients, customers, colleagues or other individuals, including registration information.

What happens if the Information Security Incident Notification procedures are not followed?

• Anyone who does not comply with the information security incident notification procedures may be subject to RoS disciplinary policy.

RoS may be held to be in breach of legal, regulatory and contractual requirements resulting in financial and reputational damage.