NES Information Security Acceptable Use Policy
A new Information Security Acceptable Use Policy is now in effect. This policy applies to all users who undertake work for NES or use any part of NES’s digital infrastructure. This includes employees, trainees, contractors, partner agencies, external consultants and third-party suppliers.
Its overall purpose is to:
- Outline the information security requirements that staff must follow to protect the information assets owned and used by NES from threats, whether internal or external, deliberate or accidental.
- Empower staff to make appropriate use of information assets.
The policy applies to information in any format or medium held on NES premises, equipment and infrastructure, on cloud and/or other hosted environments. This policy covers the following:
- Incident Management;
- Physical Security;
- Clear Desk and Clear Screen;
- Secure Disposal;
- Passwords and Pass Codes;
- Malware (Virus);
- Mobile Devices and Bring Your Own Device (BYOD) and Remote Working;
- E-Mail and Internet Acceptable Use;
- Social Media Use.
By implementing and maintaining effective Information Security procedures and behaviours, we can ensure that:
- NES meets all regulatory and legislative requirements;
- All information assets are protected against unauthorised access and disclosure;
- Confidentiality of information is assured;
- Integrity of information is maintained;
- Business requirements for availability of information are met;
- Breaches of security, both actual and suspected, are reported and investigated;
- Ownership of information assets is identified and recorded.
What you should do:
- Check out the video from Christopher Wroath on the intranet front page about information security and ISO 27001.
- Familiarise yourself with the policy available here (updated link)
- Bring any issues or queries to the attention of NES Information Governance by contacting Information.Security@nes.scot.nhs.uk