Information security policy

Published: 01 March 2022
Freedom of information class: How we manage our resources

Our information security policy

Policy covering protection of information in all formats

1. Purpose and scope

This policy sets out the commitment of the Keeper of the Registers of Scotland (RoS) to protect information in all its forms, including:

  • electronic
  • paper and voice

from known threats, whether internal or external, accidental or deliberate.

2. Information security

RoS is an information business. Our information assets are critical to our mission and we will protect them.

We will ensure that the use, access and disclosure of our information assets takes place in accordance with identified procedures and in compliance with applicable legislation, regulation and standards, so that:

  • statutory and regulatory obligations are met
  • confidentiality of all information is appropriately maintained
  • integrity of information is appropriately maintained
  • availability of the information systems and assets is appropriately maintained

Each department is responsible for maintaining their information asset entries within our Information Asset Register (IAR). All departments are required to outline the information asset owner, classification level, where the assets are stored and who they are shared with for all assets under management.

3. Information Security Management System (ISMS)

Our information assets will be protected by a combination of personnel, physical, procedural and technical controls. These will be set out in an ISMS that will operate in line with recognised standards. This will include controls for:

  • training and awareness of all staff with information security responsibilities
  • identification of information and technology assets
  • secure access to information assets and systems
  • cryptography
  • physical and environmental security
  • operational information security
  • network security
  • procurement of secure systems and services
  • secure development and testing practices
  • security incident management
  • business continuity capability
  • supply chain information security management

Our ISMS will align with current recognised standards of good practice in information security, including those prescribed across Scottish Government.

4. Roles and responsibilities

All our employees and contractors have responsibilities for information security, are bound by the commitments of this policy, and are required to effectively operate the various procedures and controls that facilitate compliance in practice.

Our Information Security Group (ISG) has operational ownership of this policy and is responsible for ensuring its fulfilment in practice.

The Departmental Security Officer, Senior Information Risk Owner, and Information Asset Owners, who constitute our Information Assurance Group (IAG), have strategic oversight and overall accountability for information security within RoS.

In so far as this policy is applicable to them, the partners in our supply chain will support its fulfilment in practice, and ISG will take steps to ensure that this is the case.

5. Approval and review

This policy will be reviewed and approved by the ISG every 2 years, unless earlier review is appropriate.

Author: Information Governance Advisor
Reviewed: Data Protection Officer
Cleared: Corporate Director - IAG
Approval: ISG
Approval date: 23 February 2022
Policy version: Version 2.0
Review responsibility: ISG
Review date: 23 February 2024
Publication scheme: Yes