NHS Guildford and Waverley Clinical Commissioning Group

Information Security Assurance Plan 2015/16

Policy number: N/A
Version: 2.0
Approved by: Information Governance Sub-Committee
Name of author/originator: Daniel Lo Russo, Information Governance Manager
Owner (Exec Director): Elaine Newton, Director of Governance & Compliance/SIRO
Date of approval: August 2015
Date of last review: July 2015
Next due for review: April 2016 for approval following release of Version 14 CCG IG Toolkit (expected June 2016)

Version control sheet

Version | Date | Author | Status | Comment
1.0 | March 2014 | Daniel Lo Russo | Draft | Draft for Q&CGC approval
1.1 | March 2014 | Daniel Lo Russo | Approved | Approved by Quality & Clinical Governance Committee
1.2 | March 2014 | Daniel Lo Russo | Final | Front sheet added
2.0 | July 2015 | Daniel Lo Russo | Draft | Draft for IG Sub-Committee approval
2.0 | TBC | Daniel Lo Russo | Final | Approved by IG Sub-Committee

Related Documents

Name
Information Governance Framework
Confidentiality & Data Protection Policy
Information Security Policy
Records Management Policy
2015/16 Caldicott Function Assurance Plan

Information Security Assurance Plan

Introduction

This work programme is designed to support the Information Security Policy, and describes how NHS Guildford and Waverley CCG can obtain assurance to address its Information Security needs (as required by the IG Toolkit Requirement 13-300 series).

Information and information systems are important assets and it is essential that the CCG takes all necessary measures to ensure that they are protected, available and accurate to support the operations of the business at all times.

The aim of the CCG's Information Security Policy and individual System Level Security Policies and Risk Assessments is to maintain the confidentiality, integrity and availability of the information stored, processed and communicated by and within the CCG.

This assurance plan outlines roles and responsibilities for managing Information Security, Information Security Incidents, and controls. It details the activities the CCG will undertake to provide assurance regarding its level of compliance with Information Security Assurance related requirements of the CCG IG Toolkit. It also details how the CCG will seek assurance with respect to ICT services provided by the South East Commissioning Support Unit (CSU).

The Information Security Assurance Plan therefore includes two separate but related elements:

1. Local Information Security Assurance Plan
2. Assurance Plan for ICT Services provided by South East CSU

Actions identified in the Assurance Plan will be included within the annual Information Governance Improvement Programme.

Information Security Management Responsibilities

Responsibility for managing Information Security within the CCG rests with all employees and the following key officers:

• SIRO (Senior Information Risk Owner)
• Information Security Officer (Information Governance Manager)
• Information Asset Owners (IAOs)

Details of specific roles and responsibilities are included within the CCG's Information Security Policy.

Responsibilities for managing Information Security within the CSU are defined within the South East CSU's ICT Security Policy and Application Security Policy. These are available to CCG staff via the CSU's website (over N3 network only) or by request to the CCG's IG Manager.

Every CCG staff member and contractor is responsible for processing personal data,

Approval, Monitoring & Reporting

• This plan will be approved by the IG Sub-Committee of the CCG's Quality & Clinical Governance Committee, which includes the SIRO;
• Exception reports against this Assurance Plan will be provided at regular review meetings between the CCG's SIRO and Information Governance Manager;
    
    
        
        
            
                
                    