
NHS DSPT: Protecting Against Cyber Attacks and Data Breaches - B1 Policies, Processes and Procedures

Principle: B1 Policies, Processes, and Procedures

B1.a Policy, Process, and Procedure Development

Key Point:
Your organisation must develop and continuously improve a set of cyber security and information governance (IG) policies, processes, and procedures that effectively manage risks to your essential functions.

Overview:
This outcome focuses on ensuring that your organisation has a well-defined set of policies, processes, and procedures to manage cyber security and IG risks. These should be regularly reviewed and updated to remain effective and compliant with the latest legislation and regulations.

How to Meet the Requirement:
Your organisation should have a comprehensive suite of policies that guide its cyber security and IG activities. These policies should be risk-driven and signed off by a board representative. Ensure that policies are reviewed periodically and after significant changes, and that they are documented in a central location accessible to all relevant staff.

The policies should cover:

It’s also important to ensure that your policies align with national legal and regulatory requirements, such as the NHS’s DSPT framework, UK GDPR, and the National Cyber Security Centre (NCSC) guidance.

Evidence to Provide:

Submit documents like:

Ensure your evidence shows how your policies support the overall governance and risk management of your organisation’s data security and protection efforts.

Indicators of Good Practice:

B1.b Policy, Process, and Procedure Implementation

Key Point:
Your organisation must ensure that all staff are aware of and follow the policies, processes, and procedures designed to protect data and manage security risks.

Overview:
This outcome ensures that your policies, processes, and procedures are effectively implemented and followed by staff. Monitoring and evaluating adherence is crucial to ensure policies are not only in place but are being used correctly.

How to Meet the Requirement:
You should develop monitoring mechanisms to assess whether staff are following policies and procedures. This can include spot checks, staff feedback, and audits of areas such as asset management, access control, and incident reporting.

You must have a process for identifying and addressing breaches of policy. When breaches occur, conduct a thorough investigation and ensure improvements are made to prevent future incidents. Training should reinforce staff awareness and accountability for following these policies, particularly when handling confidential or personal data.

Evidence to Provide:

Ensure your documentation illustrates how the policies have been implemented and how breaches or non-compliance are addressed and corrected.

Indicators of Good Practice:

B1 Policy, Process, and Procedure: Key Considerations

Policy Scope and Relevance:
Policies should be tailored to the needs of your organisation’s essential functions. They must address both high-level governance and detailed technical security practices, ensuring comprehensive coverage of risk management areas.

Monitoring Compliance:
Regular monitoring is essential to ensure that policies are being followed. This could involve:

Incident Reporting and Breach Investigation:
In cases of policy breaches, it is vital to investigate promptly and take corrective action. This may involve retraining staff, updating procedures, or adjusting access controls to mitigate risks.

Ensure your organisation’s cyber security and IG policies are robust, up to date, and fully implemented. Need help creating or refining policies, improving compliance, or investigating breaches? Periculo can support you in developing strong governance frameworks to safeguard your organisation’s essential functions. Contact us now to ensure your policies are effective and compliant!
