Information security policy
Published: 27 February 2024Freedom of information class: How we manage our resources
Policy covering protection of information in all formats.
Table of contents
1. Purpose and scope
1.1 This policy sets out the commitment of the Registers of Scotland (RoS) to protect information in all its forms including electronic, paper and voice, from known threats, whether internal or external, accidental or deliberate.
2. Information security
2.1 RoS is an information business. Our information assets are critical to our purpose - we will protect them.
2.2 We will ensure that the use, access and disclosure of our information assets takes place in accordance with identified procedures and in compliance with applicable legislation, regulation and standards, such that:
- Statutory and regulatory obligations are met
- Confidentiality of all information is appropriately maintained
- Integrity of information is appropriately maintained
- Availability of the information systems and assets is appropriately maintained
2.3 Each directorate is responsible for maintaining their information asset entries within our Information Asset Register. All directorates are required to outline the information asset owner, classification level, where the assets are stored and who they are shared with for all assets under management.
3. Information security management system (ISMS)
3.1 Our information assets will be protected by a combination of personnel, physical, procedural and technical controls. These are set out in our Information Security Management System (ISMS) that operates in line with recognised standards. This includes controls for:
- Education and awareness for all employees with information security responsibilities
- Identification of information and technology assets
- Secure access to information assets and systems
- Cryptography
- Physical and environmental security
- Operational information security
- Network security
- Procurement of secure systems and services
- Secure development and testing practices
- Security incident management
- Business continuity capability
- Supply chain information security management
- Segregation of duties
3.2 Our ISMS will align with current recognised standards of good practice in information security, including those prescribed across Scottish Government.
4. Roles and responsibilities
4.1 All our employees and contractors have responsibilities for information security, are bound by the commitments of this policy, and are required to effectively operate the various procedures and controls that facilitate compliance in practice.
4.2 Our Information Security Assurance Group (ISAG) has operational ownership of this policy and is responsible for ensuring its fulfilment in practice.
4.3 The Senior Information Risk Owner, and Information Asset Owners, who constitute our Information Security Assurance Group, have strategic oversight and overall accountability for information security within RoS.
4.4 In so far as this policy is applicable to them, the partners in our supply chain will support its fulfilment in practice, and ISAG will take steps to ensure that this is the case.
5. Approval and review
4.1 This policy will be reviewed and approved by the ISG annually, unless earlier review is appropriate.
| Author | Information Assurance Advisor | ||
|---|---|---|---|
| Reviewed | Service Manager for Information Security Risk and Assurance | ||
| Cleared | Director of People (SIRO) - Information Security Assurance Group (ISAG) | ||
| Approval | ISG | Approval date | February 2024 |
| Policy version | Version 2.0 | ||
| Review responsibility | ISG | Review date | February 2025 |
| Publication scheme | Yes | ||
| Email to contact | |||