Information Security Policy
1. Introduction and Purpose
1.1 Information security is concerned with all information, in electronic and paper format. The main purpose of implementing good information security is to allow the effective and efficient use of information, whilst safeguarding the organisation’s data from unauthorised access or modification, to ensure its availability, confidentiality and integrity.
1.2 This high-level policy is a key component of our overall approach to information governance and should be considered alongside all other information governance and cybersecurity policies.
1.3 The aim of this policy is to advise staff and contractors of their obligations with regards to confidentiality and where to seek further guidance and assistance. The objectives of this policy are to preserve:
- Confidentiality – Access to data shall be confined to those with appropriate authority.
- Integrity – Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
- Availability – Information shall be available and delivered to the right person, at the time when it is needed.
2. Scope
2.1 This policy applies to:
- Shinetech Software;
- All subsidiary companies of Shinetech Software;
- All staff of Shinetech Software and its subsidiary companies;
- All contractors, suppliers and other people working on behalf of Shinetech Software or its subsidiary companies.
2.2 It applies to all data that Shinetech Software holds.
3. Definitions
3.1 System Level Security Policies (SLSPs) – Documentation specific to a system or systems, covering security and management procedures in place to ensure the security of the system.
3.2 Information Security Management System (ISMS) – The governing principle behind an ISMS is that an organisation should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
3.3 Information Asset – Information held which is of value to an organisation. This is generally a body of records or information managed as a single entity.
3.4 Information Security Incident – is any incident which affects the confidentiality, integrity or availability of any information of value to the organisation.
4. Roles and Responsibilities
4.1 Everyone who works for or with Shinetech Software and its subsidiary companies has some responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles data must ensure that it is handled and processed in line with this policy.
4.2 The Board is ultimately responsible for ensuring that Shinetech Software and its subsidiary companies meets its legal obligations.
4.3 Overall responsibility for this policy lies with the Shinetech Software’s Senior Information Risk Owner (SIRO), who will be a member of the Senior Leadership Board.
4.4 The Information Governance Manager and Data Protection Officer is responsible for drawing up all information governance policies, including data protection and information security policy. Developing process and guidance for all of the Information Governance (IG) policy areas and providing advice and guidance on the collection, use and protection of all types of information.
4.5 The Cyber Security Architect is responsible for developing IT security policy, standards and guidelines. He/She is also responsible for ensuring that effective IT security systems, controls and training programs are operationally implemented, fit for purpose and available across the organisation.
4.6 The Country Managers have responsibility for ensuring compliance with information governance policies within their areas of responsibility, and will assume the role of Information Asset Owner within their areas of responsibility. The Information Asset owner will assign information asset administrator(s) from their areas of responsibility.
4.7 Information Asset Administrators are accountable to their Country Managers and will be the day to day contact for the IG Team and wider service users, and will be responsible for monitoring compliance with IG policy, within their faculty / service.
5. Policy Details
5.1 All information handled by Shinetech Software will be handled in line with all applicable laws and regulations.
5.2 All relevant records and information will be classified, in line with the Information Classification Process.
5.3 All records and information will be organised into groups known as Information Assets where it is appropriate to do so.
5.4 All Information assets will be risk assessed, following the Information Risk Management processes and procedures. The outcome of each risk assessment will be shared and where necessary, appropriately acted upon.
5.5 All access to information assets will be controlled by the appropriate asset owner / administrator, ensuring a minimum required access model is followed. Access will be periodically reviewed and amended as applicable.
5.6 All information security incidents will be centrally reported, and where applicable, remedial recommendations will be made and followed up. Reporting of information security incidents will be carried out in line with the Information Security Incident reporting procedure.
5.7 Information Asset Owners shall ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.
5.8 Where information is being shared, stored or processed outside of Shinetech Software’s controlled environment, sufficient assessment will be carried out on the recipient to ensure the security of our data. All data sharing activity will be covered by appropriate data sharing agreements or other contractual clauses.
5.9 All technical security measures, will be taken where appropriate so to protect information, details of technical security measures can be found in the IT Security Policy and associated documentation.
5.10 Where there is a requirement to operate outside of the bounds of this policy, such activity will be signed off by an appropriate Information Asset Owner with an appropriate assessment of the risks and held centrally by the Information Governance Team.
6. Training and Education
6.1 All staff will receive training as part of their Cyber Security and Data Protection Training.
6.2 Staff identified as Information Asset Owners or Administrators will receive additional training above and beyond the basic staff training. This will be delivered face to face by a member of the Cyber Security or Information Governance Team.
6.3 Compliance with Legislation – All staff have an obligation to abide by all UK legislation, of particular importance:
- Computer Misuse Act 1990
- Data Protection Act 2018
- Human Rights Act 1998
- National Cyber Security Centre (NCSC) Cyber Essentials Plus
- Regulation of Investigatory Powers Act 2000
- Terrorism Act 2006 and Counter Terrorism Information Security Policy
- UK General Data Protection Regulation (UK GDPR) and ICO Guidance
7. Documents
7.1 All staff should also be aware of the following policies:
- CATQR Privacy Policy
- NHS Records Management Code of Practice
- Shinetech Software IT Security Policy - Contact us
“It’s great to see the reaction of staff when they use CAT and realise how simple it is to record their attendance – just by scanning a class QR code. Our administrators love it because there is no more manual data entry and spreadsheets to deal with, doing away with all the headaches that come with paper registers!”
Read the Barts Health NHS Trust Case Study
Anthony Dowding
Head of Training Resources and Development, Barts Health NHS Trust, UK
“Fantastic and easy to use! I needed a contactless solution for taking attendance at our small private school when students arrive and leave. We were able to easily purpose CAT to accomplish this and signing in/out of school for teachers and students has never been easier or quicker. Even beyond COVID, we will continue to use this system.”
Read the Score Academy Florida Case Study
C. LeAnn Elder
Head of School, Score Academy Florida, USA
“Having Class Attendance Tracker (CAT) QR has now revolutionised the way our GP registrars (trainees) register their attendance at our teaching sessions, and this would have been an impossible task with our switch to virtual teaching! CAT has made what was previously a clunky administrative process into a simple, streamlined one.”
Read the St Helier GPVTS Case Study
Dr Ravi Seyan
Programme Director, St Helier GP Vocational Training Scheme (GPVTS), UK
"Since the launch of the CAT, our process for recording and reporting attendances has improved immensely. We can easily keep track of our staff and students who can see their CAT attendance record in real-time on our learning portal, it is simple yet elegant. Customer support is excellent and enhancements are implemented quickly."
Read the Lewisham and Greenwich NHS Trust Case Study
Alberta Ansong
Digital Learning Lead, Lewisham and Greenwich NHS Trust, UK
