Update from the Information Security Working Group

Author: Andra Lester
26 June 2013 Performance and Resources Board

23

To consider

Update from the Information Security Working Group

Issue

1. The Information Security Working Group (ISWG) is a pan-GMC group that was formed in 2005 to oversee our information security work. An oversight group is a key requirement of the ISO 27001 standard for information security. We have been accredited to ISO 27001 since 2006, increasing the scope of business coverage from Fitness to Practise in 2006 to full coverage by 2010.

2. The group has been working under a Terms of Reference (ToR) that was issued in 2005 when it was formed. We have recently reviewed and updated the ToR to take account of changes in our organisation and governance arrangements.

Recommendations

3. The Performance and Resources Board is asked to:

a. Note the work of the Information Security Working Group.

b. Approve the revised Terms of Reference of the Information Security Working Group (Annex A).

Issue

4. The ISWG was set up in 2005 to support the work of a project we had initiated to develop our information security arrangements. This project had three key aims:

a. To create a formal framework to manage information security across all GMC activities.

b. To achieve certification to ISO 27001, the international standard for information security.

c. To achieve compliance with BS 10008 (formerly BIP 0008), the standard for the legal admissibility and evidential weight of electronic information. This gives us the basis to use electronic documents in our legal processes.

5. The Fitness to Practise Directorate (FPD) achieved ISO 27001 certification in 2006 and we achieved full certification to ISO 27001 in March 2010. We have also been compliant with BIP 0008 from 2006 to 2009 and with BS 10008 from 2009, when this standard replaced BIP 0008.

6. ISO 27001 provides a systematic approach for developing information security arrangements and managing activity on an on-going basis. At the heart of this is what is known as an Information Security Management System (ISMS). Our ISMS covers people, processes and IT systems and incorporates policies, processes and controls aimed at minimising our information security risks.

The work of the ISWG

7. The ISWG meets on a monthly basis. Key aspects of the group’s work are:

a. Reviewing outcomes of the annual internal and external audits and ensuring resulting actions are completed.

b. Reviewing the outcome of the annual information security risk assessment and ensuring resulting actions are completed.

c. Approving new policies, procedures or controls and changes to existing ones.

d. Reviewing monthly reports of information security incidents, monitoring trends and ensuring any corrective action and/or further investigation is undertaken and reported back to the group.

e. Championing information security across the GMC.

ISWG Terms of reference


8. Since the Group was first established we have achieved the three key aims of the information security project: setting up a formal framework for managing information security, gaining certification to ISO 27001 and achieving compliance with BS 10008. We have also been successful in achieving certification and compliance on an annual basis.

9. The proposed terms of reference for the ISWG have been rewritten to reflect: changes in our organisation, changes in our governance arrangements, and also the state of maturity of our information security management arrangements.

10. The terms of reference specify that the key responsibilities of the ISWG are to continue to improve, monitor and promote information security across the GMC.

11. To do this we need to adapt to changes in our organisation and the external environment. ISO 27001 prescribes the “Plan-Do-Check-Act” life-cycle model to help an organisation manage its information security activities. The elements of this model are set out as responsibilities for the ISWG in the revised terms of reference document. This is the way we will seek to continuously improve our arrangements to reduce risk levels.

12. The new version of the ISWG Terms of Reference is at Annex A.


Supporting information

How this issue relates to the Corporate Strategy and Business Plan

13. Strategic aim 7: To continue to use our resources efficiently and effectively.

If you have any questions about this paper please contact: David Anson, Assistant Director, IS, [email protected], 0161 923 6240


Annex A

Information Security Working Group Terms of Reference

Author: Kathryn Dziubak
Version: 2.1
Status: Agreed
Date: 13 May 2013
Document Reference:
File Location: Livelink


Document History

| Version | Date          | Description of Change                                                         | Author     |
|---------|---------------|-------------------------------------------------------------------------------|------------|
| 1.0     | 25 March 2008 | Issued                                                                        | P Maxwell  |
| 2.0     | 11 April 2013 | Change of authority to enable approval of InfoSec policies and procedures.    | K Dziubak  |
| 2.1     | 13 May 2013   | Included feedback and comments from ISWG.                                     | K Dziubak  |

Authorisation: K Dziubak


Contents

1 Introduction
1.1 Purpose of this Document
1.2 Background
1.3 Scope
1.4 Responsibilities

2 The Information Security Working Group
2.1 Role and Responsibilities
2.2 Membership
2.3 Meetings


1 INTRODUCTION

1.1 Purpose of this Document

The purpose of this document is to define the roles and responsibilities of the Information Security Working Group (ISWG).

1.2 Background

ISO 27001 formally outlines an information management system that is intended to bring information security under management control. We have a formal Information Security Policy which includes our objectives and commitment to maintaining good information security practices. These objectives are acknowledged and realised through our Information Security Management System (ISMS). The ISMS is a systematic approach to managing information to ensure it remains secure. It encompasses people, processes and IT systems. We are required to design, implement and maintain a set of policies, processes and systems to manage risks to our information assets. This ensures that we maintain acceptable levels of information security risk. For our ISMS to remain effective and efficient, we need to adapt to changes in our organisation and the external environment. ISO 27001 incorporates the ‘Plan-Do-Check-Act’ approach:

• Plan - is about designing the ISMS, assessing information security risks and selecting appropriate controls.

• Do - involves implementing and operating the controls.

• Check - the objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.

• Act - changes are made where necessary to bring the ISMS back to peak performance.

Management direction and support for the ISMS is delivered by the Information Security Working Group.

1.3 Scope

This document forms part of the ISMS and covers the Information Security Working Group and its representatives.

1.4 Responsibilities

The Records and Information Security Manager shall ensure that this document is up to date and relevant.


2 THE INFORMATION SECURITY WORKING GROUP

2.1 Role and Responsibilities

The Information Security Working Group supports the information security management framework in operation under ISO 27001 and BS 10008. In order to contribute towards maintaining compliance with BS 10008 and certification to ISO 27001 the key responsibilities of the group include:

• Approving and supporting the Information Security Management System.

• Developing, approving and implementing GMC information security policies and procedures.

• Supporting the Records and Information Security Manager responsible for coordinating the implementation of information security.

• Reviewing status reports covering information security implementation, updates on risks, actioning recommendations following security reviews, audits etc.

• Reviewing and monitoring incident reports together with the results of any investigation carried out.

• Recommending changes to wider policies and procedures based on security incidents and changes in risks.

• Gaining and maintaining awareness of the information security risks being faced by the GMC in order to continually improve our systems and processes.

• Acting as champions for information security in their own business area.

2.2 Membership

The Information Security Working Group includes representatives from all business areas. This ensures that ongoing developments in information security and legal admissibility are carefully considered at an organisational level prior to being implemented. The working group includes:

• Director responsible for Information Security (Chairperson)

• Assistant Director, IS

• Assistant Director, HR

• Tribunal Clerk, MPTS

• Assistant Director, FPD Operations

• Assistant Director, Change Management (R&R)

• Head of IS Operations

• Head of Information Policy

• Head of Facilities

• Records and Information Security Manager

• Representatives from Fitness to Practise Directorate, Registration and Revalidation, Education and Standards, Resources and Quality Assurance and Strategy and Communication.

Head of Consultancy and Review attends meetings in an advisory capacity and does not have the responsibilities listed in 2.1. Other staff are invited to attend specific meetings as appropriate to issues being discussed (e.g. Directors or Heads of Section).

The Director of Resources and Quality Assurance is responsible for information security issues. The Director will ensure senior management commitment by referral to the Performance and Resources Board as appropriate.

2.3 Meetings

The Records and Information Security Manager will arrange to minute all items discussed and circulate a copy to all attendees and other staff as appropriate. The Information Security Working Group will meet on a monthly basis.
