Cyber security policy

Purpose

This document provides the overarching governance policy for the protection and security of London Borough of Enfield (LBE) data and information.

The policy aims to define the high-level governance of Cyber Security within the council.

Objectives

The main objectives of this policy are:

to present the management approved requirements, control objectives and principles for Cyber Security
to define the structure and roles within LBE’s Cyber Security structure
to maintain confidence that LBE’s Cyber Security governance meets its corporate and Digital Service (DS) risk appetite
to maintain confidence that LBE’s Cyber Security governance meets the requirements of the law including the data protection regulations, the guidance on government use of cloud services and other compliances as required

Scope

This policy applies to all LBE DS systems, data and information directly or indirectly via third parties.

Policy mandate, approval and maintenance

This policy is approved by the Information and Data Governance Board (IDGB) with delegated authority from the Assurance Board.

The policy will be reviewed regularly and at least annually, and in case of any impacting changes (for example, changes to HMG policy, legislation, regulation, industry standards or LBE DS environment), to ensure it remains current, appropriate and applicable.

Policy

Requirements, control objectives and principles

Risk appetite

LBE has a defined risk management process and this process will follow the LBE risk appetite defined there.

Compliance

LBE is required to comply with law and with certain regulations. This policy mandates compliance with, at a minimum:

Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR / DPA)
UK Minimum Cyber Security Standard
Payment Card Industry Data Security Standard (PCI-DSS)
Public Sector Network Code of Connection (PSN CoCo)

Roles

Data Owner. The person responsible for the data and compliance in a particular area or system. Generally, this will be a head of service or above. The Data Owner is recorded in the GDPR Workbook for each information asset area.

Senior Information Risk Owner (SIRO).The risk decision maker for the authority.

Chair of Information and Data Governance Board (IDGB). The person who is overall the decision maker on information and data governance matters, delegated by the Assurance Board.

Deputy Chair IDGB. The person responsible for the IDGB in the absence of the Chair.

Data Protection Officer. The independent person providing advice to the authority on compliance, dealing with public complaints and acting as interface to the regulator.

Caldicott Guardians. The person(s) responsible for managing data supplied from NHS.

Security Manager. Person responsible for security management and implementation.

Head of Operational Support Hub (NHS Registration Manager). This role is mandated by some of the NHS sharing agreements.

Head of Legal Services. Responsible for legal advice to the council.

Complaints and Access to Information Manager. Responsible for management of cases (for example,

Data Governance Officer. Responsible for ensuring continuous improvement in data quality.

Corporate Records Manager. The owner of records management across the council, responsible for ensuring records are preserved and destroyed appropriately.

Boards

Information and Data Governance Board

The strategic forum working on behalf of and reporting to the Assurance Board that is empowered to:

set the strategic direction for and approve applicable information, governance, privacy (including surveillance) and security policies on behalf of the Executive Management Team (EMT) and SIRO
Assure EMT that risks are being managed effectively in accordance with their risk appetite and policies and controls are adequate and enforced
receive reports on the IG, privacy and security status of the organisation, including internal audit, and ensure effective investigation of and organisational learning from complaints, incidents and near-misses
ensure compliance with required standards and legislation, overseeing training and testing and making recommendations to EMT as appropriate
oversee registration with the ICO, the council’s privacy statement and data sharing protocols
ensure effective records and data management across the organization
provide reporting to Assurance Board, Caldicott Guardians, Executive Management Team and Audit Committee
produce an Annual Report on Information and Data Governance to EMT, Assurance Board and Audit Committee

Security Team responsibilities is to:

develop IS policy and associated IS implementation strategy and plans, and/or maintain the currency of the policy
prepare an annual IS assessment for sign off by the EMT/Assurance Board
develop LBE’s IS work programme and ensure that implementation of IS is co-ordinated across LBE
ensure that LBE’s approach to IS is communicated to all staff and made available to the public as appropriate
assist with coordination of activities of staff given IS responsibilities
receive reports from operational and project teams and monitor LBE’s IS activities to ensure compliance with policy, standards, contracts and law
ensure that IS training is made available by LBE
provide a focal point for the resolution and/or discussion of IS issues
review issues/incidents related to IS
evaluate information received from security testing and the monitoring and reviewing of information security alerts, events, and incidents, and recommend appropriate actions in response to identified trends, threats, incidents, weaknesses or assessed risks.
approve methodologies and processes for information security, such as, risk assessment, information classification
review impact analysis for all new (or significant changes to) systems/processes to ensure that security functionality and data security are not adversely affected
manage risks and review the adequacy of risk and control measures
offer support and guidance to the IG, data protection, and DS architectural, design, development, deployment and operational functions within LBE

Applicable standards

There are a number of standards applicable to Cybersecurity and Information Management that the council is required or recommended to adhere to. These are:

Data Protection Act 2018 (including the UK version of the General Data Protection Regulation created by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019)
Freedom of Information Act 2000
Section 224 of Local Government Act 1972
ISO 15489 International Standard for Record Management
ISO 27000 family of information security standards
E-Government Interoperability and Metadata Frameworks
UK Gov Minimum Cybersecurity standards
PCI-DSS requirements
PSN Code of Connection requirements
Access to Health Record Act 1990
BS 10008 Evidential weight and legal admissibility of electronically stored information (ESI)
Common Law Duty of Confidence
Human Rights Act (Article 8)
Caldicott Principles

Policy exceptions and violations

Any employee, contractor, partner, service provider or other entity who is requested to undertake an activity which he or she believes is in violation of this policy, must provide a written formal complaint or Exception Request, via his or her manager or other manager or Human Resources Department to the council’s SIRO. Complaints may be dealt with by managers and the HR Department. All Exception Requests must first be approved by the Chair of IGB in conjunction with the SIRO.

Any violation of this policy may result in disciplinary action, up to and including termination of employment. LBE reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. LBE does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, LBE reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.

Policy details

Author - Security
Owner - Information and Data Governance Board
Version - 1.6
Reviewer - Security
Classification - Official
Issue status - Final
Date of first issue - 11.07.2017
Date of latest re-issue - 30.05.2023
Date approved by IGB - 19.05.2023
Date of next review - 30.04.2024