Cyber security policy

Purpose

This document provides the overarching governance policy for the protection and security of London Borough of Enfield (LBE) data and information.

The policy aims to define the high-level governance of Cyber Security within the council.

Objectives

The main objectives of this policy are to:

Scope

This policy applies to all LBE DS systems, data and information directly or indirectly via third parties.

Policy mandate, approval and maintenance

This policy is approved by the Information and Data Governance Board (IDGB) with delegated authority from the Assurance Board.

The policy will be reviewed regularly and at least annually, and in case of any impacting changes (for example, changes to HMG policy, legislation, regulation, industry standards or LBE DS environment), to ensure it remains current, appropriate and applicable.

Policy

Requirements, control objectives and principles

Risk appetite

LBE has a defined risk management process and this process will follow the LBE risk appetite defined there.

Compliance

LBE is required to comply with law and with certain regulations. This policy mandates compliance with, at a minimum:

Roles

Data Owner. The person responsible for the data and compliance in a particular area or system. Generally, this will be a head of service or above. The Data Owner is recorded in the GDPR Workbook for each information asset area.

Senior Information Risk Owner (SIRO).The risk decision maker for the authority.

Chair of Information and Data Governance Board (IDGB). The person who is overall the decision maker on information and data governance matters, delegated by the Assurance Board.

Deputy Chair IDGB. The person responsible for the IDGB in the absence of the Chair.

Data Protection Officer. The independent person providing advice to the authority on compliance, dealing with public complaints and acting as interface to the regulator.

Caldicott Guardians. The person(s) responsible for managing data supplied from NHS.

Security Manager. Person responsible for security management and implementation.

Head of Operational Support Hub (NHS Registration Manager). This role is mandated by some of the NHS sharing agreements.

Head of Legal Services. Responsible for legal advice to the council.

Complaints and Access to Information Manager. Responsible for management of cases (for example,

Data Governance Officer. Responsible for ensuring continuous improvement in data quality.

Corporate Records Manager. The owner of records management across the council, responsible for ensuring records are preserved and destroyed appropriately.

Boards

Information and Data Governance Board

The strategic forum working on behalf of and reporting to the Assurance Board that is empowered to:

Security Team responsibilities is to:

Applicable standards

There are a number of standards applicable to Cybersecurity and Information Management that the council is required or recommended to adhere to. These are:

Policy exceptions and violations

Any employee, contractor, partner, service provider or other entity who is requested to undertake an activity which he or she believes is in violation of this policy, must provide a written formal complaint or Exception Request, via his or her manager or other manager or Human Resources Department to the council’s SIRO. Complaints may be dealt with by managers and the HR Department. All Exception Requests must first be approved by the Chair of IGB in conjunction with the SIRO.

Any violation of this policy may result in disciplinary action, up to and including termination of employment. LBE reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. LBE does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, LBE reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.


Policy details

Author – Security
Owner – Information and Data Governance Board
Version – 1.6
Reviewer – Security
Classification – Official
Issue status – Final
Date of first issue – 11.07.2017
Date of latest re-issue – 30.05.2024
Date approved by IGB – 19.05.2024
Date of next review – 30.04.2025

Council news directly to you

The latest news in your inbox every week. Council news, community updates, local events and more.

Sign up Sign up