Information Security Policy
1: Purpose of this document
The purpose of this document is to:
- Inform any University Staff or persons acting on behalf of the University of their responsibilities for Information Security and the ways that information is stored and/or processed.
- Ensure that information collected, stored, processed and disposed of by the University remains, protected from any risk of unauthorised or illegal access, use, disclosure, disruption, modification or destruction by providing clear policy information and rules for University Staff to follow when dealing with the University Information held either electronically or in hard copy.
1.1: Policy scope
The terms ‘Data’ and ‘Information’ are used interchangeably to mean information captured, processed or stored by the University or its Subsidiaries.
All information/data collected, collated, filed, stored, processed, transferred, transmitted or destroyed on behalf of the University or its Subsidiaries is within scope.
These obligations apply to all University Employees, Students, Contractors and any other authorised persons acting as agents for the University whether in a paid or unpaid capacity.
1.2: Policy objectives
‘Information security’ is a term applied to the policies, processes and controls applied to the availability, integrity, confidentiality and legal compliance relating to information collected stored, processed and destroyed by the University and its Subsidiaries in the pursuance of its business. It addresses the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction whether within the U.K or abroad.
This is necessary;
- To protect the reputation and standing of the University
- To protect the right to privacy of individuals
- To protect the intellectual property rights of the University
- To ensure that the Legal obligations placed upon the University are met
- To aid the continuity of University business
and is to be achieved by:
- Following recognised Information Security good practice
- Ensuring that appropriate information security measures are applied
- Storing and/or processing University information in a safe and secure manner. Ensuring that all University Staff and all University IT users are aware of, and understand the policy and associated law.
- Ensuring that all University Staff and IT users comply with these policies and related legal obligations.
The outcomes required are to make sure that University Information:
- Conforms to relevant legislation
- Is accurate and timely
- Is accessible to those who have a legitimate need for it
- Is inaccessible where disclosure may cause damage to University activities, the University’s reputation or to individuals
- Is recoverable within an appropriate period of time in the event of its loss.
- Is appropriately protected from security breaches
- Is subject, as far as is possible, to breach detection where prevention has been unsuccessful
- Is subject to damage limitation actions in the wake of any breach
- Is, as far as is possible, recoverable from the effects of a breach.
This document has been issued on the authority of the Vice Chancellor of the University who has overall executive responsibility for all University Information Security.
The University will investigate all suspected breaches of security and review whether changes to policy or implementation are necessary.
The University will take reasonable steps to achieve the above and to ensure that all staff are trained and aware of their information responsibilities.
Any policy breach may result in disciplinary action and/or IT service privileges being suspended, reduced or removed.
1.4: Legal aspects
Current English Law applies and must be observed.
The Law applies equally to electronic and non-electronic information and it makes a number of significant demands regarding the handling of personal information. These are intended to ensure that we manage personal information in a way that is fair to the ‘data subject’ (i.e. the person that the information is about) and that their interests are properly protected.
Personal data is information that relates to a living individual, the ‘data subject’, which can be used to identify them either directly from that data or by combining that data with some other information. It does not include information relating to the deceased, groups, communities of people, organisations or businesses nor to aggregate statistical information (as long as personal data cannot be inferred).
Personal information can include names, addresses and dates of birth, information about physical or physiological attributes and any other sensitive personal information about that person, such as information relating to the services which individuals provide to, or receive from, the University. Other examples are: Qualifications, Income, Medical information, Payment Card details, Political opinions, and Sexual life.
Photographs and images (still or moving) are also regarded as personal data for the purposes of the Act (if the data subject can be clearly recognised from them) and this also applies to webcam or CCTV images.
Any person that the University holds data about (the data subject) has a right to see it and check the accuracy of it. This is done via a formal ‘data subject access request’ and the University has only a limited time to respond. Consequently, any information held about an individual must always be factual and able to be supported by evidence in accordance with the Data Protection Act guidance.
Other sensitive or confidential information
As detailed above, this can be about an individual, but equally applies to information that the University does not want to make generally available.
For example, restrictions may be applied to ‘commercial’ or ‘research’ information.
Unauthorised access to systems or data is also covered by the Computer Misuse Act and may also result in a breach of the Law by those gaining such unauthorised access. Such breaches can result in a significant fine and/or a 5 year prison sentence.
2: Roles and responsibilities
The Vice-Chancellor has overall executive responsibility for the security of the University's information. Specific information security tasks have been delegated to certain staff responsible for drawing up University wide Policies and Procedures.
Managers within the University and its Subsidiaries, are likely to be custodians of various ‘University information assets’ on either a permanent or temporary basis and are responsible for the following in their area:
- Ensuring that the relevant Legislation is adhered to
- Undertaking, with HR, appropriate background checks during staff recruitment processes
- Ensuring related University policies and procedures are followed
- Ensuring that local working practices comply with the principles of this Policy
- Ensuring, by regular review, that established working practices are being followed
- Ensuring that their staff are aware of, understand and comply with this Policy
- Ensuring the physical security of areas where Information is collected, recorded, processed or destroyed
- Ensuring the security of access to local information assets and the local infrastructure within which those assets reside
- Reporting any known, or suspected, breaches of information security to Legal Services
2.2: Individual staff members
Individual Staff Members (including temps, contractors or agents) are responsible for:
- Understanding and following established working practices
- ensuring that they comply with this policy and associated instructions
- ensuring they comply with the law
- reporting any breaches of this policy or law to the University
- reporting any identified threats or vulnerabilities immediately
- Undertaking information security Staff Awareness training on hire and at least bi-annually thereafter
2.3: Data custodians
Data Custodians are responsible for:
- Ensuring that access to confidential or sensitive data which is either in their charge, or temporarily under their control, is properly protected
- Ensuring that all access to information assets remains, essential for individuals to fulfil their duties and that this access has been properly authorised and is removed when no longer appropriate
- Ensuring that those with such access privileges remain fully aware of their Information Security responsibilities
- Dealing with any known compliance gaps, process circumvention
- Dealing with any known threats to data safety
2.4: Research project managers
Research may be a particularly sensitive area, dependent upon the nature of the research, the nature of the data, the collaborating research Partners involved and the value of any Intellectual Property (IP) involved.
Project Managers have an obligation to the University to ensure, as part of any research project, that suitable arrangements have been put in place to protect any research data and/or any intellectual property forming part of such projects.
Staff engaged in research projects must be suitably briefed and trained in this aspect and must confirm to the project manager that they have a clear understanding that they have a duty to the University to ensure that any data and IP are properly protected at all times
Great care should be taken when entering into research activities and it is essential that safe data collection, storage, processing and disposal requirements are identified, taken account of and arranged at the planning stage of the project – 2.5 below applies.
Procurers, Business Analysts & Designers, Project Managers, Developers, Service Owners & Systems Managers are responsible for:
- Ensuring that University systems and services being acquired, or new systems/services/processes being adopted, are designed and configured to both meet this policy and comply with appropriate regulatory and legal requirements.
- That any security assurances offered by external suppliers, relating to the access, processing, storage or disposal of University Information, are underpinned by current contractual obligations which are actively monitored and subject to continual review.
- Ensuring that the discovery of any vulnerabilities, existing compliance gaps or shortfalls are properly recorded and reported, risk assessed and risks remediated where possible, before the service, system or process is released in a ‘live business environment’.
2.6: Key roles in information security
Key roles in information security are:
- Local Managers for ensuring staff compliance and local physical security
- Privileged IT Users – responsible for protecting their own privileges and ensuring that the privileges provided to others are based on the ‘least privileges principle’, properly authorised & then removed when no longer required.
- The Legal Services Information Security Officer, who will provide advice on compliance with relevant legislation, including the 1998 Data Protection Act
- The Head of Legal Services – responsible for monitoring compliance with this policy and providing advice and support in relation to it.
- Project Managers involved in the introduction of new or changed processes, services and systems in which any sensitive information is potentially a component - it is an essential requirement to seek advice on data security aspects at the ‘design stage’ of any project; and to ensure that, as an outcome of the project, appropriate security arrangements are implemented around any potentially sensitive information throughout its life-cycle.
- IT Services Change/Release Manager – responsible for checking IT security test outcomes in order to ensure that significant system/service change or release risks have been adequately managed.
- Information Custodians, who have responsibilities relating to specific types of information
- Contract Managers – where access to, or care of, data is a feature of the service contracted out
- Director of IT Services – for ensuring IT Service compliance
- IT Services Security Manager - responsible for reviewing this policy and monitoring compliance with those Policies relating to IT stored Information
- University Protection Manager – for overall physical security of University promises.
- Deputy Vice Chancellor – responsible for the University Information Security Forum
- The Vice Chancellors Office – responsible for approval and overall corporate adherence to this policy
3: Critical policy components
Following are the specific Policy components which have been agreed by the University.
- Information Security (applies to ALL Information Security – both electronic and hard copy)
- IT Network Security (covers the IT Network Security – managed by IT Services)
- IT Server Security (covers IT Server Security – managed by IT Services)
- IT Access Control (covers IT User Access Security – managed by IT Services)
- Required response to Information Security Breaches Incidents
Information confidentiality requirements
The University has an overall obligation to protect the information it uses from inappropriate access, release or publication in compliance with the Data Protection Act
This extends to our obligation to any ‘data subject’ not to disclose or expose their personal data to third parties without their consent. Unauthorised disclosures will breach the Data Protection Act 1998, and may give rise to legal action by the data subject and the Information Commissioner.
Personal data may only be used for the purpose for which it was originally collected. At the point of collection the data subject must be informed of the reason for the collection, the use the data will be put to and how long it will be kept for. Any changes to these must be subject to written approval from the data subject. Personal data may not be collected for one purpose and then put to another use without the informed consent of the data subject.
Great care is required when dealing with a request to make an information disclosure about a person.
The requirement not to disclose without the informed consent of the data subject extends to those who, for example, are, or claim to be, the parents, guardians, employers, or National Government representatives of Students.
Such requests should always be made in writing and, where there is any uncertainty, referred to Legal Services for a decision.
Personal data may be disclosed to other University staff, provided that the information is required for the performance of their official duties. Staff with such access privileges may not make use of that data for purposes other than official University business.
This obligation extends to ensuring that access to stored personal or sensitive data is restricted to only those staff for whom access is essential in order to fulfil their duties. By virtue of this obligation, such data should never be placed or left exposed in a general staff or public shared area (either physical or electronic)
Personal Data may not be disclosed to external persons (including relatives) or organisations without the subject’s prior informed consent unless its release is required in order to prevent a crime, or in order to comply with a legally enforceable instruction (such as a court order).
Disclosures may also be made in emergency life or death situations.
Specific Policy areas are provided in the further sections below and you must familiarise yourself with the content of these and use them as points of reference to follow as they relate to your work.
For further information about the law that these specific Policy areas are based upon, see the Data Protection Act.
Members of Staff are required to undertake appropriate training before using University Systems and Services, and Line Managers are required to ensure that this happens as part of a new member of Staff’s induction. Part of this training includes ‘essential’ Data Protection Act training which ALL members of Staff must undertake and familiarise themselves with purpose behind the eight principles of the Act.
This training must also be ‘refreshed’ bi-annually. Anyone not having completed this must raise this requirement with their line manager or with HR.
Dependent upon their role, some staff may need to examine the requirements of the Act it in greater depth.
If you need more detailed advice relating to something you are working on, please contact Legal Services.
The purpose of this is to ensure that access to both electronically stored University Information, and to University IT Assets which underpin that information, is restricted appropriately to those that need it to fulfil their role duties and obligations. It further aims to ensure that such access, once given, remains restricted only to those individuals for as long as they are required to fulfil that role.
This is best achieved by ensuring that a user’s responsibilities to properly protect the access privileges allocated to them are fully explained, documented, understood and then properly observed.
The policy covers all University systems and services including computer systems and electronic communication systems. It applies to ALL users of those systems and services (employees, students, contractors, partners and other external agents) who are provided with University IT Service privileges.
IT data access policy – specific requirements
University Management are required to ensure that all IT data and voice systems, along with the supporting procedures and processes, meet the requirements of the Information Security Policy by:
- Ensuring that access to system components is strictly limited on a ‘least privilege’ basis to those persons for whom it is essential in order for the duties, obligations and functions of the University to be met.
- Maintain records of access privileges allocated to individuals
- Ensuring that procedures are in place for reviewing existing access privileges after a role or system change in order to confirm that access either remains appropriate or, if not, that it is removed
- Ensuring that appropriate secure authentication controls exist on all computing and communications hardware and software or on any external computing services employed
- Ensuring secure procedures are in place for setting and changing passwords
- Ensuring appropriate controls are in place for the issuing of passwords
- Ensuring guidelines are in place for the composition of passwords
- Ensuring procedures are in place for dealing with the misuse of passwords or credentials
- Preventing unauthorised access through lack of passwords or through weak or uncontrolled passwords
- Ensuring that passwords allocated are set in accordance with the password guidelines
- Detecting the misuse of passwords
- Removal of access rights on termination of contract with the University and the removal of all associated data in agreement with the appropriate line manager or departmental head.
Systems acquired, leased, designed, developed or purchased are required to meet appropriate minimum access control standards
All systems storing confidential, personal or sensitive information must:
- Identify the user as someone authorised to use the system
- Be securely password protected (i.e. the password should not be capable of being intercepted or interpreted)
- Passwords should be:
- At least 8 Characters long (and should cater for longer passwords)
- Complex, containing a suitable mixture of letters, digits and punctuation marks
- Be automatically locked after 20 or less consecutive failed login attempts
- Capable of reporting repeated Login failures as event alerts
- Be subject to a forced change after a pre-set period
- Not be passwords that the user has previously used
Where the data stored is confirmed to not comprise confidential, personal or sensitive information, only requirements 3a & 3b above are required as a minimum.
These requirements should be automatically verified and controlled by the system in question.
- Have had the appropriate classified data (e.g. confidential, personal, sensitive etc.) to be held within a new system/service confirmed with the University’s Legal Services Group – they may wish to record the system as a data repository which they need to be aware of. There will be a requirement to document how such data will be validated, how information changes will be controlled and audited and which job roles will have access and what level of access.
- Where there is a need for different levels of security within a system (e.g. manager’s level, administrator’s level, user level etc.) it is a requirement to be able to assign appropriate permissions to individual user accounts so that only those system access privileges which are necessary for them to carry out their duties can be used by them.
- A system administrative function (e.g. adding or removing users or adding/changing other user’s passwords) requires a separate login and should not be capable of being carried out by a normal user. However any user should be able to change their own password from within their system account. Administrative users should not be able to view any user’s password.
- In order to obtain an account and password for a system a member of staff must have prior authorisation from an appropriate Information Custodian for the system (there must be a process to ensure this).
Use of contractors
No data either collected, or generated, by the University for any purpose may be placed (permanently or temporarily) in the hands of any Contractor or external service provider for any purpose unless:
- There is a clear definition and understanding of the data involved
- The complete ‘data lifecycle’ is documented (from data acquisition through to disposal)
- The storage, processing and data access arrangements are fully understood and documented
- The security accreditations of the contractor and the safety of their systems/services is known
- The contractors use of sub-contractors is documented and understood
- The proposed storage location/s of the data at rest is known and is secure
- The proposed arrangements around data in transit is known and is secure
- That the security of the data is adequately warranted by contract
- That ‘due diligence’ via Legal Services & IT Services has been carried out on the arrangement
- That an approved (by Legal Services) Contract is in place before the arrangement is ‘goes live’
- That any changes to such an ‘approved arrangement’ be subject to strict change control thereafter
- That the University’s right to the data in the event of contract termination is catered for
For new users
- New or changed user passwords will only be transmitted to that person in a secure way. If printed it will be in a sealed envelope and handed to the person concerned on production of a valid University ID card. Any document on which this information is written should be shredded once the account has been successfully accessed. Alternatively it may be sent via SMS to the user’s validated personal mobile phone or personal email address (user ID’s and passwords must not be transmitted electronically together within the same message or using the same medium). Users’ in receipt of a new password are required to change it immediately to one that only they know, and not to share it with any other person.
- New System users performing Staff roles should be given access to copy of the Code of Conduct for the Use of ICT Facilities along with this policy when they are given their account and password.
- New students users are required to confirm their acceptance of the terms and conditions of the Code of Conduct for the Use of ICT Facilities as a condition of the registration procedure for allocation of a computer account and password;
- Users shall not write down or record, where others can either see or access it, their account password for any University system, nor shall they pass on a password to any other person by any other means or under any circumstances. If any user believes that their password has been compromised in any way, then they are obliged to change it immediately to one that is secure.
- Users shall not allow others to use their account once logged in, or at any other time.
- All users will be periodically requested to confirm their acceptance of the Code of Conduct for Use of ICT Facilities via a system reminder which unless accepted may result in withdrawal of the use of facilities or in a reduction of privileges.
This will be carried out via the University Disciplinary procedures.
To provide clear terms of reference for those persons contemplating either adding to, or changing, existing network services run by the University.
This policy must be followed for all services needing to utilise the University Network. This is essential in order to minimise the potential for attacks and/or unauthorised access to University information, technology and assets.
The policy will be applied automatically to any requested changes or to situations where any non-compliance is discovered.
Specific scope (network)
This policy covers ALL devices or network components owned and/or operated by the University, and University partners or subsidiaries which require a connection to the University Network.
Included (but not limited to):
- Physical infrastructure, hardware and software
- Network Equipment (including switches & hubs and extensions)
- Wired connections to the Network
- Wireless connections to the Network
- Virtual Connections to the Network
Excluded from scope
- Networks owned and maintained by subsidiaries or partners
- Separate self-contained networks not connected to the University network.
Any networked server devices will be governed specifically by the Server Security policy (see section 3.4).
All University buildings will usually be provided with connections to the core University network and telephone system.
Only equipment authorised by IT Services may be connected these. Connections may only be made through approved network points (including wireless access).
Equipment such as routers, hubs switches or any other network extensions may not be connected to network connection points without the permission of IT Services.
Modems or any other devices capable of receiving external connections must not be
attached to a device (e.g. a server or pc) which is connected to the network without the permission of IT Services.
Audits and tests may be carried out on any network connected resource. This will include testing configuration settings, procedures and processes, content filtering and physical security.
Any vulnerability found will be escalated to those responsible.
Any failure to remediate an identified risk within a reasonable time scale may result in removal from service until the matter is addressed and the matter may also be escalated within the University.
Any unauthorised device connected to the network which is either causing a problem, or creating a vulnerability or risk, may be disconnected and removed from the relevant network point and office location.
Those responsible will be required to provide an undertaking that the equipment will not be reconnected. If the equipment in question is University owned, then it may be retained in a secure location until the necessary compliance undertakings are received. If the device is personally owned equipment, it may be permanently blocked from further network access.
In circumstances of non-compliance, disciplinary action may also be pursued.
An IT server is a computing device designed to process requests and deliver data to other (client) computers over a local network, the Internet or by some other connection.
Networked servers are usually configured with additional processing, memory and storage capacity to handle the load of servicing clients. A server would typically be capable of being connected to by multiple users or other systems.
The purpose of this policy is to provide clear terms of reference for those needing to join servers to the Coventry University Network or to store University Information on servers external to the Network. This policy applies to all existing and future servers that might be employed in the provisioning of either a permanent service or a temporary arrangement.
University information should not be stored on any internal or external server unless the arrangement has been specifically approved as a ‘safe arrangement’ by both Legal Services and IT Services. To this end an ISO27001 accredited storage service is available via IT Services.
This policy is essential in order to minimise the potential for attack and/or unauthorised access to Coventry University intellectual property, stored personal information or University technology and assets.
Regular compliance testing will take place on both existing server arrangements as well as any changes to configuration.
The policy will apply automatically to all servers connected to the University network. Non-Compliance may result in disconnection without notice.
Specific scope (servers)
This policy applies to any server equipment (virtual or physical) owned, operated and/or loaned to/by Coventry University including any servers registered under any School, College, Faculty, Professional Service, Partner or Subsidiary which requires either connectivity to the University network or to store University information.
This includes, but is not limited to, servers connected to internal Local Area Networks and external access via internet communications provided by both IT Services and JANET, or to stand alone servers which can be connected to by some other means.
Excluded from scope
- Servers on Networks owned and maintained by stand-alone trading subsidiaries or trading elements of the University Group, which are subject to control of their respective Board/s through local governance structures. It should be noted, however, that it does cover all servers that are owned and maintained by the above trading organisations which are directly connected to the Coventry University network.
- Servers connected to self-contained networks. However, as soon as a server is made live and directly connected to the Campus Network, or has University Information loaded to it, this policy will automatically apply and must be adhered to immediately.
Reference should also be made to the Network Security Policy (see 3.3 above).
Ownership and responsibilities
All Servers either Networked, or having University controlled data stored on them, must be registered with IT Services and must meet established configuration and management requirements. Implemented software versions and configuration documentation must be provided at the time of registration. All approved servers must also have a named server manager who will be responsible for keeping the server properly patched and protected. The server manager will also be responsible for ensuring appropriate access controls are in place.
Approved Servers must continue to operate in a safe and secure manner throughout the life of the server and it is the responsibility of the ‘server manager’ to ensure this.
In order to provide an overarching service assurance in this regard, IT Services, or their agents, will monitor the security arrangements and test them from time to time. All University staff and contractors are obliged to co-operate with these exercises (and any new contractual arrangements with external partners should allow for this).
All server security incidents, problems, vulnerabilities or threats (whether suspected or confirmed) must be properly recorded and reported to IT Services as soon as they are discovered. IT Services must ensure that any identified risks to the protection of confidential/sensitive information; service configuration information; systems access control or to the integrity University data (accuracy), are contained and then mitigated as far as is possible.
IT Services will remotely scan storage devices periodically in order to confirm that no sensitive data such as personal details or payment card details are being stored in a repository which is accessible to those without authority to have that access.
All University IT users are required to co-operate with any instructions or requests from IT Services in this connection relating to their use of IT whilst any threat continues.
University Managers are responsible for ensuring that their staff, students or employed agents are aware of, and understand these requirements. Any server found to be failing to comply with this policy, or to be causing detriment or risk to the normal operation of the University Network or to any dependent IT service or business function, may be disconnected from the Network without notice.
3.5: User owned IT devices
It is recognised that many IT users bring their own devices and connect to University services (this has been a well-established principle for Student users for some time now).
However, where staff owned devices are used, there is a risk that ‘sensitive’ University information could be placed, or could migrate, onto these devices which may be lost, stolen or accessed by unauthorised persons.
Devices include pc’s, laptops/notebooks, tablets, smartphones, external drives, memory sticks and other transportable storage.
Therefore, the guiding principle is that permission is not given to store sensitive University information on these devices unless;
- The device is protected with a secure password and/or (where possible) encryption
- The device is configured to be wiped remotely if lost or stolen
- No-one other than the person authorised to access that sensitive information, can do so.
- The User’s line manager has approved this type of data being stored on the device
- No University information is backed up into any non-University contracted ‘Cloud Services’ on the Internet.
- The owner agrees to notify the University if the device is lost
The University provides encrypted USB drives to enable University data to be held and accessed by mobile devices. As a result no sensitive or confidential data should be stored on users’ own IT devices.
3.6: User owned cloud (internet) storage
Many users have private Internet based email accounts which may also come with data storage facilities.
Many users’ might be tempted to use these facilities as a ‘data-bridge’, to get sensitive data from a University system onto their own device (assuming that the device complies with 3.5 above).
There are problems with this, not least of which are;
- The University cannot attest as to the security arrangements of any such service provider
- The storage location of the University data will be unknown
- The laws governing what can happen to that data will be unknown
Consequently permission is not given to process or store sensitive University information on such private facilities.
This includes the use of such non-contracted facilities as ‘Drop-box’, Google Docs and similar.
4: Incident management process
Reporting and dealing with a potential breach
Any University Employee suspecting a breach of Information Security, has an obligation report it immediately to the University.
If the breach is an unconfirmed suspicion and involves IT aspects, the suspicion should be logged with IT Services through the normal ‘LogMyCall’ service (via the IT Service Desk).
If the matter is a confirmed incident and considered urgent (for containment reasons) or requires escalation, then the IT Services Security & Service Improvement Manager should be contacted – failing that the Director or Assistant Director of IT Services should be notified. IT Services will automatically advise Legal Services of any confirmed serious breach.
If the suspected breach does not involve IT, then the Legal Services Information Security Officer should be made aware, failing that, the Head of Group Legal Services should be contacted.
Once the details of the breach have been confirmed and logged the following response should be employed:
- Containment and recovery
- Carry out potential Impact assessment
- Identify measures needed to contain or limit potential damage
- Identify measures needed to recover from the Incident
- Risk assessment
- Identify risks associated with the breach
- Assessment of potential and probable adverse consequences for individuals
- Assessment of potential and probable adverse consequences for the University
- Identify ‘post containment’ actions required
- Identify and agree who needs to be informed and why along with the level of detail
- Identify what is appropriate information to communicate to those people
- Establish whether the ICO needs to be informed
- Establish whether the Authorities need to be informed
- Establish whether any other regulatory bodies need to be informed
- Establish whether any other 3rd parties needs to be informed
- Establish whether a ‘media message’ needs to be prepared
- Establish and document the cause/s of the breach
- Establish what further treatments necessary to prevent re-occurrence
- Establish action plan for applying any treatments necessary
- Evaluation & closure
- Evaluate the effectiveness of the response
- Establish whether any adjustments are needed to policy
- Establish whether any adjustments are needed to procedures