Information Security ISMS Overview

Please note that this policy is periodically reviewed and updated; if you print it from the website, its accuracy cannot be guaranteed for more than a 24-hour period following printing.

Information Security Policy

Objectives

The objective of the information security policy is to protect the Hampshire Fire and Rescue Service’s (HFRS) ability to maintain business continuity and reduce the risk of business damage by preventing and minimizing the effects of information security breaches.

The HFRS Information Security Management System (ISMS) is deployed by the Information Services (IS) Information Security Manager and a delegated team to achieve this.

Policy

The purpose of the policy is to protect HFRS information assets from all threats, whether internal or external, deliberate or accidental. It will ensure that:

  1. Information will be protected against unauthorized access.
  2. Confidentiality of information will be assured.
  3. Integrity of information will be maintained.
  4. Regulatory, contractual and legislative requirements will be met.
  5. Business continuity plans will be produced, maintained and tested.
  6. Information security training will be available to all staff.
  7. All breaches of Information Security, actual or suspected, shall be reported to the IS Service Desk and investigated by the Information Security Manager and a delegated team.

Implementation

This policy is enacted by:

  1. Procedures which exist to support the policy covering general information security, network security, virus control, passwords and business continuity.
  2. Information systems and their availability shall be designed to meet business requirements.
  3. The IS Security Manager has direct responsibility for maintaining the policy and providing advice and guidance on its implementation.
  4. All line managers who are directly responsible for implementing the policy within their business areas, and for adherence by their staff.
  5. It is the responsibility of each member of staff to adhere to the policy.

Signatories

The signatories of this policy are the Chief Fire Officer, the Head of Corporate Services, the IS Security Manager and members of the Information and Physical Asset Security Board.

ISMS overview

General Requirements:

HFRS shall establish, implement, operate, monitor, review, maintain and improve the ISMS documentation within the context of the activities and the risks it faces. For the purposes of this international standard, the process used is based on the Plan Do Check Act (PDCA) model.

Establish the ISMS

The ISMS is to help promote and deliver the aims of HFRS.

The scope of the ISMS is applicable to the support, development, maintenance, decommissioning and hosting of HFRS applications, the management and support of the LAN and WAN, and the protection of system information.

The scope of the ISMS is applicable to all staff and activities within the IS department located at HFRS headquarters.

Dependencies

Although the scope is limited to the Information Services department, the security of information outside of the scope is managed by the publication and adoption of HFRS-wide information security policies. Compliance with these policies is validated by internal audit.

The HFRS incident reporting process provides visibility to both the Information and Physical Asset Security Board and the Information Services Information Security Forum of issues outside the scope of the ISMS that may impact the security of HFRS.

HFRS information security policies are applicable to all HFRS personnel, including temporary staff, contractors, and consultants. Where necessary these information security policies are augmented by Information Services department specific policies and processes.

ISMS Policy

The configuration and management of all IS systems in accordance with policies developed for the ISMS will ensure that all HFRS systems are protected in accordance with industry best practice.

It is the intention of the HFRS senior management to achieve and maintain certification with the ISO27001 Information Security Standard for the following reasons:

  1. HFRS has an obligation to citizens, employees, customers and suppliers to protect the confidentiality, integrity and availability of information assets.
  2. To facilitate business improvement through the adoption of secure business practices and business management.
  3. ISO27001 will assist with the delivery of the requirements outlined within the Data Protection Act 1998 and other applicable regulations and legislation.
  4. It will provide a foundation for future connections with Central Government, Regional Control and other appropriate public authorities including Fire and Rescue Services.

Management framework

HFRS has established the ISMS to ensure business continuity by protecting the Confidentiality, Integrity and Availability of information and to minimise business damage by preventing and minimising the impact of the security incidents.

It is HFRS policy to ensure that all information security breaches will be investigated.

The Information and Physical Asset Security Board is responsible for the overall direction and commitment to Information Security and Physical Asset Security. The Information Security Manager and delegated team have direct responsibility for maintaining the policies and providing guidance on their implementation. The Information and Physical Asset Security Board is responsible for implementation and monitoring of compliance with policies within HFRS, supported by the IS Level Information Security Forum.

Management commitment

The High Level Policy has been authorised by the Information and Physical Asset Security Board, the Chief Officer, IS Security Manager and the Information Security Officer.

All other policies and procedures have been created and authorised by the Information Security Manager and the Information Security Officer.

As part of their training, all users are made aware of the importance of information security, the impact a security breach will have upon HFRS, its customers and partners and the business benefits of an ISO27001:2005 certified information security management system.

Senior management appointed an Information Security Manager, an Information Security Officer and a delegated team to fully support the implementation of this Information Security.

Management system

All documentation and processes generated by this ISMS are reviewed and authorised by the Information and Physical Asset Security Board where applicable and supported in their work by the IS Level Information Security Forum.

The Information Security Manager will implement the Information Security Review. The Information Security Manager and the Information and Physical Asset Security Board will periodically review the ISMS to ensure that it meets the objectives of HFRS. A Management Review report will be presented to the Information and Physical Asset Security Board at least once a year.

Resource management

HFRS has appointed an Information Security Manager, who has established both an Information and Physical Asset Security Board and an IS Level Information Security Forum. The Security Forums and Senior Management review all security initiatives to ensure that they align with HFRS policy, its culture and business requirements.

IS Line managers are responsible for ensuring that processes implemented within their jurisdiction are working as expected.

The Information Security Manager and the delegated internal auditors will undertake compliance auditing to ensure conformance to policy and contractual and legal obligations.

The Information and Physical Asset Security Board will review the ISMS annually.

Management review

The Information Security Manager will undertake a management review of the ISMS at least once a year. The results of the review and its recommendations will be documented and a report will be presented to the Information and Physical Asset Security Board.

The review will include:

  1. Any recommendations covering the effectiveness of the ISMS.
  2. Recommended modifications to procedures, business processes as result of internal or external events.
  3. Consideration of any changes in business, security, regulatory or legal requirements.
  4. Changes in risk and identification of any areas of high risk that require risk acceptance.
  5. Any additional resource needs (systems, tools or people).

Information and Physical Asset Security Board

This board has been established to ensure that there is clear direction and visible management support for security initiatives and is dedicated to the principles of Information Security best practice, standards and initiatives.

The Information and Physical Asset Security Board is a focus for consideration of security and continuity issues which may affect the ability of HFRS to provide services to citizens and customers. The board is in place to provide a strategic lead to HFRS wide security, improvement and maintenance programmes.

The long-term goal is to reduce the amount of time, money and effort involved in resolving security breaches, continuity issues and incidents by introducing management controls that prevent or avoid them.

The Information and Physical Asset Security Board will consider and set policies on security issues that affect HFRS. This includes security in terms of personnel, physical location, operational procedures and Information and Technical protection arrangements.

The scope of the Information and Physical Asset Security Board includes but is not limited to the following:

  1. Review of major security breaches and help in developing protective strategies to prevent their reoccurrence.
  2. Provision of a strategic lead to HFRS security improvement programmes.
  3. Reviewing existing and developing new security policies in line with ISO/IEC 27001 key controls.
  4. Establishment of working groups to tackle special security projects.
  5. Promotion of security awareness throughout HFRS.
  6. Co-ordination of new security initiatives.
  7. Review of issues which may impact upon legal & regulatory security requirements.
  8. Monitoring and reporting new or perceived security issues.

Risk assessment

The RiskSS approach and methodology for risk management was used to identify the specific risks to Information.

Information assets were identified during the analysis stage of the process and were subjected to a Business Impact Analysis. Information assets were then grouped by type and similar impact and, where appropriate, assessed by an in-depth risk assessment. The risk assessment approach has assessed the risks of internal or external, deliberate or accidental threats to the information assets.

Training and awareness

HFRS has established a training and awareness programme for all users.

All users are provided with security guidance that explains their responsibilities in accordance with the HFRS Information Security Policy during their induction training. Staff shall also be given information security guidance appropriate to their job function, and receive regular bulletins reminding them of security policies and current issues through Routine Notice.

Support staff that have operational responsibility for designing, installing, configuring, maintaining or supporting systems receive detailed security guidance relevant to their area of responsibility. Security training will be given as part of the induction process to new starters.

Additional training, recommended by the Security Forum, will be given to existing users as deemed necessary.

Training, awareness and competence

A training programme for information security awareness has been implemented within HFRS.

Line managers must ensure that people working for them maintain an appropriate level of information security awareness.

The objectives of the training and awareness programme are to:

  1. Ensure Staff are aware of the value and importance of data resources and assets
  2. Reduce the risk of human error causing the failure of any installed security measures
  3. Ensure Staff are aware of their responsibilities.

Elements may include:

  1. Basic security awareness education as part of induction training.
  2. Personnel awareness sessions on appropriate management courses.
  3. Awareness sessions during staff meetings by line managers.
  4. Awareness sessions during management meetings by line managers.
  5. Distribution of posters, pamphlets, development and maintenance of intranet pages and other memory aids.

A record of all training is kept including details of:

  1. Trainee’s and Trainer’s names
  2. Nature of training and dates run
  3. Results of training / examination.

Security incident reporting and handling

HFRS has established security incident handling procedures. Firewall activity, internet activity and email usage are all monitored by Hampshire County Council.

The Information Security Manager has delegated the responsibility for investigating security incidents to the Information Security Officer and delegated team. A monthly report is produced summarising any information security issues that might have arisen. This report will give feedback on incidents and audit reports to the IS Level Information Security Forum.

Incident reporting

The Policy applies to all scales of security incident from a technical or management issue that has no apparent immediate effect to a wide-ranging life-threatening crisis.

The management of security incidents affecting information systems requires a formalised process for both reporting and managing all security incidents. A single security reporting system has been implemented.

Responsibilities

It is the responsibility of all HFRS employees, contractors and third parties to report any incident or suspected incident. Failure to do so will be deemed a contravention of policy or an attempt to aid and abet an incident and will be investigated as such.

Incident definition

An information security incident is defined as:

  1. An event which may compromise the confidentiality, integrity or availability of stored information.
  2. An event where a security policy is violated.
  3. Any occurrence of such an event that has come to light and has not been reported.

A building security incident is defined as:

  1. An incident where an attempt has been made to force entry to a building or a room or facility (e.g. a filing cabinet).
  2. An incident where a person has intruded into a part of a building without relevant authorisation.
  3. An incident where an item of value has gone missing in suspicious circumstances.
  4. Any occurrence of such an event, which has come to light and has not been reported.

ISMS documents

All documents that form part of the Information Security Management System will be controlled and approved.

As a minimum, the documents shall be approved by the Information Security Manager or the Information Security Officer, in their absence. The Information and Physical Asset Security Board has approved the High Level Security policy.

Proposed changes to the policies and procedures within the ISMS are identified as a result of:

  1. Day to day activities
  2. Incident reports
  3. Audit report findings
  4. Management reviews.

In the event that the information security policies or the high level policy change significantly, they are again submitted to the Information and Physical Asset Security Board for approval.

A list of all documents identified within the ISMS is maintained by the Information Security Manager. This list provides details of the latest released copy of each document, such as:

  1. Document owner
  2. Version reference
  3. Date of release

Each document has the date of issue, version number, location, owner and review date.

The master copy of all ISMS documents is held on Hantsfirenet. The owner of each document within the ISMS is responsible for ensuring that the document remains legible, accessible and identifiable by revising and updating its format in line with HFRS corporate identity. No document or policy can be changed without a “Change Control” and authorisation of the IS level Information Security Forum.

Record control

The Information Security Manager will store all records that show the implementation of the ISMS (see list below) securely.

Records relating to the ISMS will be kept for a minimum of 3 years plus 1. The distribution of records applicable to this ISMS will be restricted to the Information and Physical Asset Security Board, senior management, auditors and authorised personnel. Records will be maintained in accordance with the requirements of the Data Protection Act 1998 and the Freedom of Information Act 2000. Hard copies will be stored in accordance with manufacturers’ instructions; electronic records will be backed up regularly.

The records generated by ISMS have been defined by the Plan-Do-Check-Act cycle. The Information Security Manager is responsible for determining what records are needed to show performance of the ISMS cycle, whilst each department is responsible for identifying the appropriate records which shall provide evidence of the performance and implementation of the controls selected in their area.

Where services have been outsourced to third parties, controlling SLAs state what records must be provided and when. Reports and records may be provided on request, monthly or an ad hoc basis and some during audit process only. Records must be available to show evidence of conformity to requirements, performance of the ISMS and occurrence of incidents.

The following records must be maintained as part of the PDCA Cycle defined within the ISMS in accordance with ISO27001:

  1. Incident (& weakness) reports, findings and recommendations
  2. Management review results and recommendations
  3. Internal audit programme, preparation and reports of findings
  4. Information and Physical Asset Security Board and IS level Information Security Forum minutes and/or management approval of recommendations from incident reports, management reviews and internal audits
  5. Results of corrective actions taken in response to incidents, management review and internal audit
  6. Results of preventive actions taken in response to incidents, management review and internal audit
  7. Training records of education, training, skills, experience and qualifications.
  8. Evidence to show compliance to Access Policy such as:
    • Access requests / authorisation (including changes / removal)
    • 3rd party risk assessments / access approval
    • Remote access authorisation
    • Logs of access to sensitive areas (e.g. computer room access)
    • Evidence to show monitoring / technical compliance
    • Event logs & fault logs
    • Service Desk logs / reports
    • Evidence to show management approval of processes
    • New information processing
    • Purchasing new equipment / systems
    • System change management
    • Acceptance testing

Other records must be maintained to show that the applicable controls within ISO27001 have been implemented. These records may be in hard copy or electronic form, they may be documents, reports, forms or database entries. Examples of these records are listed in point 8 above.

Audit schedule

The Information Security Manager is responsible for the audit schedule. It is anticipated that each control will be audited at least once within a one-year period. Internal audits within HFRS will be carried out by the delegated team.

The audit schedule will include plans to audit managed service providers and external third parties as required and any additional audits required to confirm successful implementation of the risk register and any other initiative affecting information security.

Internal ISMS audits

The Information Security Manager will ensure that each section of the ISMS is verified at least annually and will maintain an ISMS Audit Programme with the help of internal audit team.

Audits may be organised more frequently depending on the importance of the activities being audited. The following sources of information are reviewed to determine the audit programme:

  1. Previous audit reports (Internal or Outsourced)
  2. Feedback from HFRS users and third parties.
  3. Senior management directives which might affect any services /policies
  4. Changes in operational systems
  5. Changes to relevant standards (i.e. ISO27001)

The programme covers audits carried out internally within HFRS, audits of or by third parties as part of outsourced or third-party contracts, and ad hoc audits by other third parties.

The programme is reviewed on a monthly basis to check progress and consider any changes (e.g. to policy, system or service provision) that might need to be reflected.

To ensure objectivity and impartiality, the internal audit team will undertake internal audits within HFRS to ensure satisfactory implementation of any initiatives and corrective or preventive actions.

Audit preparation

In preparation for each audit:

  1. The objectives of the audit are identified and documented
  2. The ISMS and supporting policies are reviewed to determine the activities to be audited to meet objectives
  3. Line managers are asked to identify any areas of concern / known issues
  4. A representative number of policies, clauses, controls and records are identified and selected to be audited.
  5. Recipients of the audit reports are established (as a minimum the Information Security Manager and relevant line manager)
  6. Interviews are arranged with any teams / staff as appropriate and any queries resolved prior to the audit.

Documentation review

The ISMS policies, procedures and standards may be reviewed to establish whether they:

  1. Are simple, concise and easy to use
  2. Could be reduced in complexity
  3. Are up to date (e.g. reflect HFRS or Third party system changes)
  4. Need any other changes.

BSI audit

The auditor’s task is to establish whether the ISMS and security initiatives are being followed in practice and conform to ISO27001 and any legal or regulatory requirements. This is achieved by interviewing staff to establish current practice and verifying this practice against records kept. The auditor examines the records selected in order to determine whether the activities identified above have been carried out correctly. The auditor keeps a record of the process and the findings of the ISMS Audit.

The ISMS audit record and all other documents relating to internal audits are passed to the Information Security Manager. The ISMS audit records and all other documents relating to internal ISMS Audits are retained for inspection by Information Security Manager, the Information and Physical Asset Security Board, senior management and external auditors.

All issues arising from the internal ISMS Audits requiring attention are discussed with the appropriate personnel and a record kept on an Audit Report. The auditor will document their findings and present them to the Information Security Officer and the Information Security Manager.

When required, the Information Security Officer will liaise with the Information Security Manager to agree corrective or preventive actions (where potential weaknesses or non-conformities were identified). As part of this process it will be decided who will carry out the action and within what timescale.

The Information Security Manager ensures the Audit results are discussed at the next IS Information Security Forum. Once corrective and preventative actions are implemented they are reviewed by the Information Security Manager to ensure that the initiatives are working correctly.

Reporting

Non-conformity reports may be produced when an incident arises or an audit is undertaken.

When non-conformities are reported, they are investigated and appropriate corrective actions are taken. In addition, various preventive actions are implemented on a regular basis to identify potential areas for non-conformities.

The Information Security Manager has delegated the maintenance of the following records to the Information Security Officer:

  1. Incident reports
  2. Audit reports
  3. Non-conformances
  4. IS Information Security Forum minutes
  5. Risk assessments
  6. Actions log
  7. Risk Treatment Plan.

Management

With the support of the Chief Officer, Head of Corporate Services and the Information and Physical Asset Security Board, the Information Security Manager is responsible for implementing improvements to the ISMS.

When required he can delegate this responsibility, however, ownership of the project remains with the Information Security Manager. All improvements will be documented within the IS Information Security Forum. The Information Security Manager is responsible for confirming that improvements to the ISMS are functioning correctly.

When a non-conformity report is raised, all interested parties involved, including the relevant line managers, receive copies of the report and any recommended actions. The managers confirm what actions they intend to take as a result of the points raised in the report and their planned implementation dates. The Information Security Manager is responsible for checking the effectiveness of any new initiatives. Whenever possible this should be done within one week of the security enhancement.

Continual improvement

The Information Security Officer will report, on a monthly basis, the results of audits, incidents, and the status of corrective and preventive actions to establish day-to-day improvements to the ISMS. The Information Security Manager will review, on a monthly basis, the results of audits, incidents and corrective actions to establish processes or products that will improve the ISMS.

The Information and Physical Asset Security Board will receive reports from the IS Security Manager and lead the overall improvements for HFRS.

Non-conformities and Incidents

A non-conformity is defined as:

The absence of, or the failure to implement and maintain one or more ISMS requirements or a situation which would, on the basis of available objective evidence, raise significant doubt as to the capability of the ISMS to fulfill the Information Security Policy and security objectives of HFRS.

Non-conformities may be identified during the investigation following an incident or during an internal audit. Potential non-conformities might be identified as part of day-to-day activities.

To ensure a consistent approach these are reported as potential incidents and treated in the same way as an actual incident. In the event of an incident occurring, the Information Security Manager will liaise with relevant teams to determine the reason for the non-conformity.

During an audit the auditor will attempt to identify the reason for non-conformities, however where the auditor does not have the necessary skill set they will liaise with the Information Security Manager. Having identified the cause of the non-conformity the situation is investigated with a view to taking corrective actions. Additional action may be taken to prevent recurrence of the non-conformity, either immediately or following approval from the IS Information Security Manager or management reviews. Corrective action may take many forms, such as removing authorisation, changing system values or invoking disciplinary process.

The auditor or Information Security Manager will review the non-conformity with the relevant teams and agree the appropriate action that should be taken. In the event of an Audit, the Auditor will document the non-conformity, whilst the Information Security Manager will document any non-conformities resulting from an Incident. Either the Auditor or the Information Security Manager will recommend corrective actions, which will be presented to the IS Information Security Board.

Each non-conformity report will, as a minimum, hold the following details:

  1. The date
  2. The user/customer
  3. The nature of the non-conformity
  4. The risk to the business.

For each corrective action the following details are held:

  1. The action taken
  2. Who took the appropriate action
  3. Confirmation that the action was correctly implemented.

The IS Information Security Board will review all corrective actions. The Information Security Manager will confirm that all corrective actions are correctly implemented.

Preventative actions

HFRS aims to prevent security incidents and potential non-conformances by implementing the following:

  1. The publication of policies and procedures
  2. Regular risk assessments on internal information assets
  3. Undertaking risk assessments on all third party connections to HFRS assets
  4. Undertaking risk assessments on proposed new systems
  5. Ensuring all users are aware of information security issues
  6. Ensuring that all major information systems are updated with the latest security patches
  7. Ensuring that Antivirus systems are regularly updated
  8. Monitoring system activity for potential abuse or attack
  9. Regular reviews of computer access rights
  10. Regular reviews of IS perimeter security
  11. Regular testing of Business Continuity Plans
  12. Monitoring information security media sources for new threats and vulnerabilities.
  13. The Information Security Manager will document all preventative measures taken and where applicable audit new initiatives to ensure that they are working correctly.

Roles and Responsibilities

Information Service Information Security Manager

Objective of role

Responsible for the IS Security Management process, dealing with information security from the perspective of IS Management and for maintaining the relationship with all other Service Management processes as appropriate to achieve the purpose of IS Security Management.

This role is normally held by the Information Services Manager.

Responsibilities

The IS Security Management process can be summarised as comprising six key activities:

Control, plan, implement, evaluate, maintain, report.

Responsibilities within the specific activities include:

Control

  1. Maintain the HFRS information security policy, standards and guidelines.
  2. Organise and direct the ISMS process in accordance with HFRS Security Policy.
  3. Organise the management framework for information security, including:
    • Method for establishing security plans
    • Process through which plans are implemented
    • Method for evaluation of implementation
    • Process through which results of evaluations are used for the maintenance of security plans
  4. Define the information security training and awareness programme.
  5. Define a programme for the continuous monitoring and improvement of information security.
  6. Define the process for the review and approval of the information security aspects of remote and mobile working.
  7. Define a system for information classification of HFRS assets.
  8. Engagement process.
  9. Define the Asset Classification and Control process.
  10. Define policy statements for the way the IS Service operates its security process, specifically the:
    • System, Network and Workstation security policy
    • Antivirus policy
    • Patch management policy
  11. Define standards for:
    • IS facility standards
    • IS equipment maintenance standards
    • System, Network & Workstation security standards
    • Equipment security baseline standards
    • Network connection standards
    • Authentication standards
    • Antivirus control standards
    • Patch management standards
    • Asset Classification and Control standards
    • Information security development standards
    • Production and development isolation standards
  12. Establish information security support systems for the users, specifically:
    • Acceptable use guidelines
    • Security awareness training (formal)
    • Legal guidelines
    • Remote and mobile working guidelines
    • Antivirus guidelines
  13. Interact with existing operational processes in all matters of IS security, specifically the:
    • Information and Physical Asset Security Board process
    • Change Management process

Implement

Implement a range of measures relating to:

  1. The HFRS IS Security Statement and Security policy
  2. External user agreements which ensure compliance with the Security Policy
  3. Creation and maintenance of awareness of IS Security throughout the organisation
  4. Classification and registration
  5. Operational management of systems and applications
  6. Control and management of access rights
  7. Security incident handling and registration

Evaluate

Ensure effective evaluation methods are in place for each of the implemented security measures. These include:

  1. Internal audit
  2. External audits or testing
  3. Conduct security risk assessments for business applications and systems.
  4. Ensure compliance monitoring systems are in place, specifically for:
    • System, Network and Workstation security policy
    • Antivirus policy
    • Patch management policy
    • Information security development standards
    • Security testing
    • Security policy adherence by employees, third party users and IS service suppliers
  5. Monitor and review security policy compliance testing by third parties.
  6. Monitor usage of the IS asset management system.
  7. Ensure evaluation of security incidents.
  8. Ensure output from evaluations is fed into the maintenance and planning of new or revised measures as part of the continuous improvement programme.

Maintain

Review changes to threats, infrastructure, organisation and processes for impact on security measures.

Report

Ensure a history of security incidents is maintained to enable trend analysis and evaluation of business case for additional/revised measures.

To be a leading member of the Information and Physical Asset Security Board, participating wherever appropriate in its aims of promoting the various aspects of IS security in the Authority by, for example:

Information Security Officer

Objective of role

The Information Security Officer has delegated responsibilities from the Information Security Manager and will also deputise during any absence.

The Information Security Officer has overall responsibility for ensuring that all IS users in the IS Department understand and comply with the statutory, corporate and departmental IS security requirements in accordance with HFRS IS Security Policy.

This role is normally held by the Service Delivery Manager.

Responsibilities

At the departmental level the specific activities include:

  1. Maintain a working knowledge of corporate and departmental IS security policies, processes, procedures, standards and guidance as contained within the HFRS IS Security framework and the underlying legislation.
  2. Implement, enforce and monitor IS user (HFRS, third party and IS service supplier employees) compliance with HFRS IS Security Policy.
  3. Monitor the use of IS security standards, including:
    • IS facility standards
    • IS equipment maintenance standards
    • Asset classification and control standards
  4. Monitor the use of IS security processes and procedures, including:
    • Asset classification and control process (for all existing critical and all new IS systems)
    • Risk assessment process
    • IS system access rights control procedures
    • Physical access controls to IS facilities procedures
    • Third party service supplier engagement process
  5. Ensure that all IS users (HFRS, third party and IS service supplier employees) are aware of, have an adequate understanding of, and have adequate initial and ongoing training in, security guidance including:
    • e-mail, Internet and intranet monitoring policy
    • Incident reporting
    • User responsibilities (with regard to using HFRS IS systems and facilities)
    • Remote and mobile working guidelines
    • Acceptable use guidelines
    • Legal guidelines
    • Antivirus guidelines

To be an active member of both the Information and Physical Asset Security Board and the IS-level Information Security Forum, participating wherever appropriate in their aims of promoting the various aspects of IS security in HFRS by, for example:

  1. Attendance at meetings
  2. Reporting new IS security issues to the forums
  3. Reporting progress in resolving IS security issues to the forums
  4. Seeking guidance from and assisting other group members with IS security problems

Interfaces

  1. Liaise with the IS Security Manager on IS security policy and IS security issues.
  2. Liaise with IS service suppliers to ensure compliance with the HFRS IS security policy.
  3. Liaise with the Data Protection Coordinator on Data Protection Act compliance issues.
  4. Liaise with internal and external authorities on legal compliance issues.