Information, Communications, Technology Security Policy


Key Details

  • Policy prepared by: Tina Wootton-Porter
  • Approved by Committee on: APRIL 2018
  • Policy became operational on: March 2018
  • Reviewed date: March 2020
  • Next review March 2021

Purpose

This document sets Shires Festival of Dance’s overarching Information and Communications Technology (ICT) policy, governance arrangements and best practice for data security. It also sets out the overarching security policy statements to which all committee members will adhere.

Background

Shires Festival of Dance requires the use of ICT to underpin the needs of the festival and to support a more technologically advanced organisation. Shires Festival of Dance’s ICT security management is therefore vital for public confidence and for the efficient conduct of our organisation. In order to maintain the highest standards of information security, the Shires Festival of Dance has developed a number of policies to protect information technology assets, such as computer hardware and software (USB memory sticks), and data held within the Shires Festival of Dance’s IT systems.

Policy Objectives

The main objectives of the policy are:

  • To achieve a Shires Festival of Dance-wide security standard, thus protecting the Shires Festival of Dance’s ICT infrastructure, assets, users, information and data;
  • To ensure awareness within the Shires Festival of Dance of the need for ICT security to be made an integral part of the day-to-day operation of the festival, and that those involved understand their own responsibilities;
  • To ensure that users and elected members are aware of and comply with all relevant legislation;
  • To ensure information used and produced is only available to those authorised to use and see it.

Scope

The policy covers data that is held by the Shires Festival of Dance in any form, electronic or otherwise. All electronic, manual or other data processed by or on behalf of the Shires Festival of Dance is within the scope of this and related policies. The ICT Security Policies will apply to all Shires Festival of Dance Committee Members.

Security Framework

ICT security and data protection are the responsibility of the Shires Festival of Dance as an entity (Charity Trustees and Members).

The Charity Commission states that charity trustees shall be responsible for the security of all assets under their control.

The Data Protection Officer and Secretary are responsible for the day-to-day management of volunteers with authorised access to data, to ensure this policy is being implemented properly and that volunteers only have access to data they are authorised to see and use.

Shires Festival of Dance has to comply with relevant legislation affecting ICT. All users in scope of this policy must comply with the following Acts and may be held personally responsible for any breach of current and future legislation undertaken knowingly:

  • Data Protection Act 1984 and 1998
  • Health & Safety at Work Act 1992 (2012)
  • Freedom of Information Act 2000
  • Electronic Communication Act 2000 (2012)
  • General Data Protection Regulation (GDPR) 2018

ICT Security Policies

The following policies are based on best practice guidelines.

  • User Security
  • Email Use
  • Removable Media
  • Website Privacy
  • Social Media
  • Data Protection, Procedures and Privacy Notice

Reporting Incidents

It is the duty of all users to immediately report any incidents involving loss or suspected loss of data, and actual or suspected breaches in information security to the Data Protection Officer.

  1. Loss of mobile device (Laptop, Smart Phone, Tablet);
  2. Loss of Media (Memory Stick);
  3. Breaches to physical security;
  4. Access violations.

Policy Compliance Reporting Incidents

Any user who contravenes any ICT Security policy will be subject to Shires Festival of Dance procedures whereby they will be removed from the committee due to their code of conduct. Violations such as the disclosure of personal data may result in the incident being reported to the proper authorities with a view to prosecution of the user.

Violations of ICT security policies may include, but are not limited to, any act that:

  • Exposes the Shires Festival of Dance to actual or potential monetary loss through the compromise of ICT security;
  • Involves the disclosure of confidential information or the unauthorised use of corporate data;
  • Involves the use of data for illicit purposes, which may include violation of any law, regulation, or any reporting requirement of any law enforcement or government body.

Any user who has knowledge of a violation of the ICT Security policy must report that breach immediately to the Data Protection Officer.

Changes to ICT Policies

Annual Review

An annual review will be carried out by the Secretary and/or Data Protection Officer.

Change Procedure

Any member of staff who identifies a need to change any of the ICT Policies can raise it by logging a request with the Secretary and Data Protection Officer.

Policy Changes

  1. All proposed changes will be reviewed by the Data Protection Officer, Chairman, and Secretary; these will be brought to the attention of all Shires Festival of Dance Committee Members.
  2. Minor changes can be approved by the Information Security Group, consisting of the Data Protection Officer, Chairman, and Secretary.
  3. Major or significant changes to policies will need to be approved by all members of the Shires Festival of Dance, and the ICT Security Policy Acknowledgement of Receipt will need to be re-signed.