
Issued 10092010 Page 1 of 40

Version 1.2






MRC Information Security Policy






Contents

Policy statement
1. Overarching Security Statement
2. Introduction
3. Scope
4. Security policy
5. Organisation of information security
6. External parties
7. Asset management
8. Human resource security
9. Physical and environmental security
10. Communications and operations management
11. Access control
12. Information systems acquisition, development and maintenance
13. Information security incident management
14. Business continuity management
15. Compliance
16. Effective date
17. Review date
18. Amendment history
Appendix 1 MRC operational policy template





MRC Information Security Policy

Version 1.2

Document Control Summary


Title: MRC Information Security Policy
Electronic file reference (network or intranet):
Status: Final approval
Version No.: 1.2
Date of this Document: 10th September 2010
Author(s): Information Security Team
Owner: Information Technology Security Officer
Approved by (Names, titles and date): Operations Board
Next Review Date: October 2011
Equality Impact Assessment: Completed in April 2010










Policy statement

The confidentiality, security and accurate processing of data are matters of great importance
to the Medical Research Council. Failure in any of these, or delays and disruption of computer
processing, can result in disruption to the services of the MRC, loss of public confidence, and
financial or other material losses.

The objective of the information security policy is to ensure business continuity and minimise
business damage by preventing and minimising the impact of information security incidents.
The Medical Research Council is committed to good information security provision for its
stakeholders and for its employees.


1. Overarching Security Statement
Protective Security, including physical, personnel and information security, is an essential
enabler to making government work better. Security risks must be managed effectively,
collectively and proportionately, to achieve a secure and confident working environment.
1.1 Objective
The confidentiality, security and accurate processing of data are matters of great importance
to the Medical Research Council. Failure in any of these, or delays or curtailment of computer
processing, can result in disruption to the services of the MRC, loss of public confidence, and
financial or other material losses.
The objective of the information security policy is to ensure business continuity and minimise
business damage by preventing and minimising the impact of information security incidents.
The Medical Research Council is committed to good information security provision for its
stakeholders and for its employees.
1.2 Goals
The goals of the MRC, in relation to Information Security, are:
- To identify, through appropriate risk assessment, the value of information assets
  and to understand their vulnerabilities and the threats that may expose them to
  risk.
- To manage the risks to an acceptable level through the design, implementation
  and maintenance of a formal Information Security Management System.
- To comply with legislation including:
  o The Data Protection Act 1998; The Freedom of Information Act 2000; Public
    Interest Disclosure Act 1998; Defamation Act 1996;
  o Companies Act 1985;
  o Computer Misuse Act 1990;
  o Copyright, Designs and Patents Act 1988 (as amended by the Copyright
    (Computer Programs) Regulations 1992);
  o Electronic Communications Act 2000; Telecommunications Act 1984; The
    Regulation of Investigatory Powers Act 2000;
  o Obscene Publications Act 1959;
  o Protection of Children Act 1978; Criminal Justice Act 1988;
  o Protection from Harassment Act 1997; Sex Discrimination Act 1975; Race
    Relations Act 1976;
  o Human Rights Act 1998.
- To comply with contract conditions.
- To comply with the Council's corporate objectives.
1.3 Obligations
There are nine general principles that provide guidance in the security of information. These
are:
Accountability: the responsibility and accountability of information/data owners,
information/data providers, users and other parties concerned with the security of information
should be explicit.
Awareness: to foster confidence in information systems, owners, providers and users shall
have access to all documentation about information security policies and procedures.
Ethics: in the provision of information systems and the establishment of information security,
the rights and legitimate interests of the organisation's personnel and its stakeholders shall be
respected.
Business Perspectives: security processes shall take account of and address the relevant
business considerations and viewpoints; these include commercial, technical, administrative,
organisational, operational, political, and legal/statutory aspects.
Proportionality: the level and cost of security processes shall be appropriate and
proportionate to the value of and degree of reliance on information systems and the severity,
probability and extent of potential or actual harm to the Council.
Integration: security processes shall be co-ordinated and integrated with each other and with
other measures, procedures and practices of the Council to create a coherent system of
information security.
Timeliness: action to respond to an information security breach shall be timely and
co-ordinated to prevent and overcome the breach of security.
Reassessment: the security of information systems shall be reassessed periodically,
recognising that information systems and the requirements for their security vary over
time.
Freedom of Information: the security of information will be compatible with the legitimate
use and flow of data and information as required by privacy and freedom of information
statutory requirements.
1.4 Policy
The purpose of the information security policy is to protect the MRC, their stakeholders and
staff [1] from all information security threats, whether internal or external, deliberate or
accidental. The information security policy is characterised here as the preservation of:
- Confidentiality: ensuring that information is accessible only to those authorised to have
  access
- Integrity: safeguarding the accuracy and completeness of information and processing
  methods
- Availability: ensuring that authorised users have access to information and associated
  assets when required
- Regulatory compliance: ensuring that the MRC meets its regulatory and legislative
  requirements
The MRC has a Corporate Information Security team to introduce and maintain policy and to
provide advice and guidance on its implementation. In addition, each establishment shall
appoint an Information Security Manager (ISM) responsible for local management of
Information Security policy.
The MRC require that all breaches of information security, actual or suspected, shall be
reported to, and investigated by, the Corporate Information Security team.
The MRC undertake to provide appropriate information security training for all stakeholders
and staff.
The MRC is required to ensure that the confidentiality, integrity, availability and regulatory
requirements of all their business systems are met.
The MRC shall hold all managers directly responsible for implementing the policy within their
business areas and for ensuring that staff adhere to the policy.
It is the responsibility of all members of staff to adhere to the policy.


[1] Includes all full and part time employees, temporary employees, students,
consultants, collaborators, secondees and contractors.
2. Introduction
The business of the Medical Research Council (MRC hereafter) is dependent on information
and its availability. As custodian of a large volume of data which can be commercially,
personally or in some cases politically sensitive, the MRC has a duty of care to protect that
information from unauthorised or accidental modification, loss, release, or impact on the safety
and well-being of individuals.
Specifically, information plays a vital role in supporting business processes and stakeholder
services, in contributing to operational and strategic business decisions, and in conforming to
legal and statutory requirements. Accordingly, information must be protected to a level
commensurate with its value to the MRC.
2.1 Purpose
The purpose of Information Security Management is to provide an appropriate level of
protection for information assets from relevant threats, whether internal or external, deliberate
or accidental (see also section 1.2). The implementation of this policy is important to maintain
our integrity as a supplier of public services to stakeholders.
This policy is set within the context of, and is an enabler to, the RCUK Cross Council
Information Security Policy (currently version 2.6a). In the context of the above, it is the
policy of the MRC to ensure that:
- Information will be protected against unauthorised access.
- Confidentiality of information will be maintained.
- Information will not be disclosed to unauthorised persons through deliberate or careless
  action.
- Integrity of information is assured through protection from unauthorised modification.
- Information is available to authorised users when needed.
- Regulatory and legislative requirements will be met.
- Business continuity plans will be produced, maintained and tested as far as practicable.
- Information security training will be available to all staff.
- All suspected breaches of information security will be reported and investigated.
MRC units and establishments that sign up to and implement this policy and associated
policies, standards, guidelines and procedures will be accorded trusted status within this
virtual environment. Organisations outside the scope of this policy will be treated as untrusted,
and the sharing and co-hosting of any information assets will be restricted by the terms of this
policy and associated policies, standards, guidelines and procedures.
2.2 Terms & definitions
Asset: Anything that adds value to the organisation. [ISO/IEC 13335-1:2004]
Control: Means of managing risk, including policies, procedures, guidelines,
practices or organisational structures, which can be of an administrative,
technical, management or legal nature. NOTE: Control is also used as a
synonym for safeguard or countermeasure.
Establishment: Any MRC Unit or Centre which employs MRC staff and handles MRC-related
data.
Guideline: A description that clarifies what should be done and how, to achieve the
objectives set out in policies. [ISO/IEC 13335-1:2004]
Information processing facilities: Any information processing system, service or
infrastructure, or the physical locations housing them.
Information Security: Preservation of confidentiality, integrity and availability of
information; in addition, other properties, such as authenticity, accountability,
non-repudiation, and reliability can also be involved.
Information Security Event: An information security event is an identified occurrence of a
system, service or network state indicating a possible breach of information
security policy or failure of safeguards, or a previously unknown
situation that may be security related. [ISO/IEC TR 18044:2004]
Information Security Incident: An information security incident is indicated by a single or
series of unwanted or unexpected information security events that have a
significant probability of compromising business operations and
threatening information security. [ISO/IEC TR 18044:2004]
Policy: Overall intention and direction as formally expressed by management.
Risk: Combination of the probability of an event and its consequence.
[ISO/IEC Guide 73:2002]
Risk Analysis: Systematic use of information to identify sources and to estimate the
risk. [ISO/IEC Guide 73:2002]
Risk Assessment: Overall process of risk analysis and risk evaluation. [ISO/IEC Guide
73:2002]
Risk Evaluation: Process of comparing the estimated risk against given risk criteria to
determine the significance of the risk. [ISO/IEC Guide 73:2002]
Risk Management: Coordinated activities to direct and control an organisation with regard
to risk. NOTE: Risk management typically includes risk assessment, risk
treatment, risk acceptance and risk communication. [ISO/IEC Guide
73:2002]
Risk Treatment: Process of selection and implementation of measures to modify risk.
[ISO/IEC Guide 73:2002]
Third Party: That person or body that is recognised as being independent of the
parties involved, as concerns the issue in question. [ISO/IEC
Guide 2:1996]
Threat: A potential cause of an unwanted incident, which may result in harm to
a system or organisation. [ISO/IEC 13335-1:2004]
Vulnerability: A weakness of an asset or group of assets that can be exploited by one
or more threats. [ISO/IEC 13335-1:2004]
2.3 Policy framework
This policy is intended to act as a framework and it is expected that individual MRC
establishments shall develop further controls (that is, policies, standards, guidelines and
procedures) to support its implementation. The number, strength and type of controls shall
vary depending on which facility they are designed to protect. The MRC shall agree a
Statement of Applicability (SoA) for each facility based on this policy. The SoA will be the
minimum standard that the MRC shall adhere to.
To this end the word "appropriate" is frequently used in the document. The appropriate
controls shall be implemented in accordance with the relevant SoA; individual
establishments may introduce more or stronger controls if they wish, but the controls
must not be lessened or weakened.
The Cabinet Office Security Policy Framework v2.0 has been included in the Policy; all
references to it are suffixed with a reference [MRnn], where MR stands for Mandatory
Requirement and nn is the number of the requirement in the Security Policy Framework.

3. Scope
This policy is the Security Policy for the Medical Research Council. It establishes, in detail, the
policies that must be implemented by the MRC and its establishments who participate in joint
working projects that require interconnectivity between their respective IT/IS infrastructures.
This document uses the standard for information security management ISO27001 and risk
management as the framework. In particular the structure of this document reflects exactly
the structure and numbering of ISO27001. This will facilitate cross-referencing with the
standard when the document is reviewed and audited.
The policy will help the MRC to demonstrate the necessary compliance with the Cabinet Office
Security Policy Framework.
This policy and associated policies, standards, guidelines and procedures shall be regarded as
the mandatory standard to be achieved by any establishment connected to shared systems
and facilities. This will provide assurance to the MRC that they may trust other
establishments to have in place the minimum standard to protect the assets of all participants.
Any establishment not achieving this standard shall be regarded as untrusted and placed
outside the shared facilities. This standard shall apply irrespective of location. Compliance with
this policy shall be subject to periodic audit.
3.1 Business scope
This policy concerns the administrative controls that are in place to support the following
objectives shared by the MRC:
- Encourage and support research to improve human health;
- Produce skilled researchers;
- Advance and disseminate knowledge and technology to improve the quality of life and
  economic competitiveness of the UK;
- Promote dialogue with the public about medical research.
3.2 Organisational scope
3.2.1 General
This policy covers the management and control of information assets (including facilities, data,
software, paper documents, and personnel) which are either shared by the MRC or hosted in a
shared environment.
3.2.2 Facilities
Includes all equipment as well as the physical and environmental infrastructure:
- Computer processors of any size, whether general or special purpose;
- Peripheral, workstation and terminal equipment;
- Telecommunications and data communication cabling and equipment;
- Local and wide area networking equipment;
- Environmental control systems, including air conditioning, water, smoke and fire alarm
  systems and other safety equipment;
- Required utility services such as electricity and water;
- Buildings and building improvements, accommodation and equipment.
3.2.3 Data
Includes:
- Electronically held data, regardless of storage media, including hard copies and
  data otherwise in transit;
- Information derived from any of the MRC's business processes, regardless of the
  storage or presentation media;
- Any other information for which the MRC has responsibility.
3.2.4 Software
Includes locally developed programs and those acquired from external sources:
- Operating system software and associated utility and support programs;
- Application enabling software, including database management, telecommunications
  and network software;
- Application software.
3.2.5 Paper documents
Includes systems documentation, user manuals, continuity plans, contracts, guidelines, and
procedures.
3.2.6 Personnel
Includes employees (permanent and temporary), students, auditors, service providers,
representatives of stakeholders, contractors, consultants, visitors or representatives of other
bodies who are working within the MRC either physically or nominally.
3.3 Location scope
Within the context of the organisational scope of this policy, see section 3.2.1 above, this
covers all permanent or temporary offices, home/mobile working locations, institutes,
establishments, and laboratories operated by the MRC, or wherever information associated
with the MRC is located.
4. Security policy
4.1 Information Security Policy
Objective
To provide management, direction and support for information security in accordance with
business requirements and relevant laws and regulations.
Policy
4.1.1 Information Security Policy Document
An information security policy document shall be approved by management, and published and
communicated to all employees and relevant external parties.
4.1.2 Review of the information security policy
The information security policy shall be reviewed at planned intervals or if significant changes
occur to ensure its continuing suitability, adequacy, and effectiveness.
Each Information Security Manager [2] shall regularly review the associated policies, standards,
guidelines and procedures within their respective establishment.
4.1.3 Self Assessment
The Corporate MRC Information Security team must have a system of assurance of compliance
with the Security Policy, and produce an annual report to their Management Board on the state
of all aspects of protective security. [MR06]
In addition, the RCUK's top-level Information Security policy shall be made available to all
staff.

4.1.4 Central Reporting
The MRC Corporate Information Security team must submit an annual security return to the
Cabinet Office Security Policy Division, covering their Agencies and main delivery partners, and
must include:
- Details of any changes to key individuals responsible for security matters (the
  appointment of a new Departmental Security Officer (DSO) must be reported
  immediately).
- Significant departmental risks and mitigations that have implications for protective
  security.
- All significant security incidents (those involving serious criminal activity, damage to
  personal security, serious reputational damage, data losses or leaks) must also be
  reported immediately.
- Declaration of meeting all Mandatory Requirements from the Cabinet Office Security
  Policy Framework.
- Confirmation that any significant control weaknesses have been reflected in the
  Departmental Statement on Internal Control. [MR07]
4.1.5 Audit and Review
The MRC Corporate Information Security team and all establishments must comply with
oversight arrangements including external audit/compliance arrangements as set out by the
Cabinet Office. [MR08]

[2] See section 5.1.1, which defines the role of the Information Security Manager.

5. Organisation of information security
5.1 Internal organisation
Objective
To manage information security within the organisation.
Policy
5.1.1 Management commitment to information security
Management shall actively support security within the organisation through clear direction,
demonstrated commitment, explicit assignment, and acknowledgment of information security
responsibilities.
Ultimate responsibility for security rests with the Senior Information Risk Owner (SIRO), a
stated board level representative at the MRC. In addition, the MRC must have a designated
Departmental Security Officer (DSO) with day-to-day responsibilities for all aspects of
Protective Security (including physical, personnel and information security). [MR04]
The MRC Operations Board (OB) shall act as the top-level management security forum in
support of the information security management framework.
The information security responsibilities of OB include:
- setting the scope of the information security management system;
- endorsing the MRC information security policy;
- approving and supporting the implementation of the information security management
  system;
- agreeing levels of risk and approving residual risk;
- receiving security reports at regular intervals (at least half yearly) covering the status
  of security implementation, updates on threats, results of security reviews, audits etc.
The MRC Corporate Information Security Team shall provide the executive function of
the security forum. In this role, the team's principal activities shall be to:
- define the scope of the information security management system;
- implement the information security management system;
- develop the MRC's information security policy;
- appoint, as appropriate, Information Security Manager(s) and other key managers
  responsible for co-ordinating the implementation of the security policy framework;
- gain and maintain awareness of the security threats to information being faced by
  the Council;
- prepare a statement of applicability;
- monitor incidents, security status and current threats, and recommend safeguards;
- monitor compliance with ISO27001:2005.
Each establishment shall create and maintain the role of Information Security
Manager(s) (ISM). The ISM(s)' principal activities shall be to:
- establish and implement appropriate policies, standards, guidelines and procedures in
  support of this policy and the Information Security Management Policy;
- select control objectives and controls to be implemented;
- further define responsibilities for information security within their own establishment;
- promote security awareness within their own establishment;
- undertake risk assessment;
- manage risk and the level of assurance required;
- carry out security reviews;
- record security incidents.
5.1.2 Information security co-ordination
The MRC and its establishments shall co-ordinate information security measures as outlined in
section 5.1.1 above.
5.1.3 Roles and responsibilities
Information risk must be specifically addressed in the departmental annual Statement on
Internal Control (SIC), which is signed off by the Accounting Officer. [MR34]
The MRC must have
a) A designated Senior Information Risk Owner (SIRO); a Board level individual
responsible for managing departmental information risks, including maintaining and
reviewing an information risk register (the SIRO role may be combined with other
security or information management board level roles).
b) A designated Information Technology Security Officer (ITSO); responsible for the
security of information in electronic form.
c) Information Asset Owners; senior named individuals responsible for each identified
information asset. [MR35]
5.1.4 Allocation of information security responsibilities
All information security responsibilities shall be clearly defined.
5.1.5 Authorisation process for information processing facilities
A management authorisation process for new information processing facilities shall be defined
and implemented.
5.1.6 Confidentiality agreements
Requirements for confidentiality or non-disclosure agreements reflecting the organisation's
needs for the protection of information shall be identified and regularly reviewed.
5.1.7 Contact with authorities
Appropriate contacts with relevant authorities shall be maintained.
5.1.8 Specialist information security advice
The ISM(s) for each establishment shall act as a source of specialist advice within that
establishment for all matters relating to information security. Where necessary the ISM(s) shall
also seek specialist advice from external sources and shall appropriately document such advice
which they will make available to other establishments as appropriate.
5.1.9 Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and
professional associations shall be maintained.
5.1.10 Independent review of information security
The MRC's approach to managing information security and its implementation at a Corporate
and local level (i.e. control objectives, controls, policies, processes, and procedures for
information security) shall be reviewed independently at planned intervals, or when significant
changes to the security implementation occur.
The MRC shall regularly audit the implementation of this policy and associated policies,
standards, guidelines and procedures.
6. External parties
Objective
To maintain the security of the organisation's information and information processing facilities
that are accessed, processed, communicated to, or managed by external parties.
Policy
6.1.1 Identification of risks related to third parties
The risks to the organisation's information and information processing facilities from business
processes involving external parties shall be identified and appropriate controls implemented
before granting access.
6.1.2 Addressing security when dealing with customers
All identified security requirements shall be addressed before giving customers access to the
organisation's information or assets.
6.1.3 Addressing security in third party contracts
Agreements with third parties involving accessing, processing, communicating or managing the
organisation's information or information processing facilities, or adding products or services to
information processing facilities, shall cover all relevant security requirements.
The MRC must ensure that security requirements are specified in ICT contracts and all new ICT
contracts handling personal data must adhere to the Office of Government Commerce (OGC)
ICT model terms and conditions. [MR43]
6.1.4 Governance
The MRC must ensure that all main delivery partners are compliant with the Cabinet Office
Security Policy Framework and must consider the extent to which those providing other goods
and / or services to them, or carrying out functions on their behalf, are required to comply.
[MR02]

7. Asset management
7.1 Responsibilities for assets [3]
Objective
To achieve and maintain appropriate protection of organisational assets.
Policy
7.1.1 Inventory of assets
All assets shall be clearly identified and an inventory of all important assets, or assets
containing personally identifiable data drawn up and maintained.
7.1.2 Ownership of assets
All information and assets associated with information processing facilities shall be owned [4] by
a designated staff member; this person is known as the Information Asset Owner.
The MRC shall specify appropriate security conditions in contracts with outsourced companies
that involve access to its IT facilities.
7.1.3 Acceptable use of assets
Rules for the acceptable use of information and assets associated with information processing
facilities shall be identified, documented, and implemented.
7.2 Information classification
Objective
To ensure that information receives an appropriate level of protection.
7.2.1 Classification guidelines
Information shall be classified in terms of its value, legal requirements, sensitivity and
criticality to the organisation.
7.2.2 Information labelling and handling
An appropriate set of procedures for information labelling and handling shall be developed and
implemented in accordance with the Protective Marking and Handling Scheme. [MR11]
7.2.3 Material originating outside HMG
The MRC must ensure that non-HMG material which is marked to indicate sensitivity is handled
at the equivalent level within the Protective Marking System, or where there is no equivalence,
to the level offered by PROTECT as a minimum. [MR18]
7.2.4 Universal controls
The MRC must apply the following baseline controls to all protectively marked material:
a) Access is granted on a genuine need-to-know basis.
b) Assets must be clearly and conspicuously marked. Where this is not practical (for
example the asset is a building, computer etc.) staff must still have the appropriate
personnel security control and be made aware of the protection and controls required.
c) Only the originator or designated owner can protectively mark an asset. Any change to
the protective marking requires the originator's or designated owner's permission. If they
cannot be traced, a marking may be changed, but only by consensus with other key
recipients.
d) Assets sent overseas (including to UK posts) must be protected as indicated by the
originator's marking and in accordance with any international agreement. Particular
care must be taken to protect assets from foreign Freedom of Information legislation by
use of national prefixes and caveats or special handling instructions.
e) No official record, held on any media, can be destroyed unless it has been formally
reviewed for historical interest under the provisions of the Public Records Act.
f) A file, or group of protectively marked documents or assets, must carry the protective
marking of the highest marked document or asset contained within it (e.g. a file
containing CONFIDENTIAL and RESTRICTED material must be marked CONFIDENTIAL).
[MR19]

[3] Asset in this document refers to information assets, which can be tangible (e.g. IS/IT
assets) or intangible.
[4] Explanation: The term owner identifies an individual or entity that has approved
management responsibility for controlling the production, development, maintenance, use and
security of the assets. The term owner does not mean that the person actually has property
rights to the asset.
For further details, see the Protective Marking procedure on the MRC Portal.
7.2.5 Breaches
MRC establishments must have a breach system and give clear guidance to all staff that
deliberate or accidental compromise of protectively marked material may lead to disciplinary
and / or criminal proceedings. [MR21]
7.2.6 Risk management
All establishments must adopt a risk management approach, including a detailed risk register,
to cover all areas of protective security across the organisation. [MR05]
7.2.7 Legal requirements
Establishments must provide all staff with guidance on the Official Secrets Acts, Data
Protection Act and Freedom of Information Act. Staff handling protectively marked information
must be given guidance on how this legislation relates to their role. [MR12]
7.2.8 Official Secrets Act
The MRC must ensure that those who are notifiable under Section 1(1) of the Official Secrets
Act 1989 are notified in writing. Any establishment responsible for notified employees must:
Renew notices every five years.
Keep under review the need for continuing notification of individual posts.
Maintain and keep under review the number of notifiable posts. [MR13]
7.2.9 Data Protection Act
All MRC establishments must follow the minimum standards and procedures for handling and
protecting citizen or personal data, as outlined in HMG IA Standard No.6 - Protecting Personal
Data and Managing Information Risk. [MR14]
7.2.10 Freedom of Information Act
All MRC establishments must ensure that any protectively marked material that is to be
released under the Freedom of Information Act is de-classified first and is marked as such. The
originator, or specified owner, must be consulted before protectively marked material can be
de-classified. [MR15]
7.2.11 The need-to-know principle
All MRC establishments must ensure that access to protectively marked assets is only granted
on the basis of the need-to-know principle. All employees must be made fully aware of their
personal responsibility in applying this principle. [MR16]

8. Human resource security
8.1 Prior to employment (footnote 5)
Objective
To ensure that employees, contractors and third party users understand their responsibilities,
and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or
misuse of facilities.
Policy
8.1.1 Roles and responsibilities
Security roles and responsibilities of employees, contractors and third party users shall be
defined and documented in accordance with the MRC's information security policy.
8.1.2 Screening
Background verification checks on all candidates for employment, contractors, and third party
users shall be carried out in accordance with relevant laws, regulations and ethics, and
proportional to the business requirements, the classification of the information to be accessed,
and the perceived risks.
8.1.3 Baseline Personnel Security Standards (BPSS)
The MRC must apply the requirements of the Baseline Personnel Security Standard (BPSS) to
all HMG staff, and contractors and temporary staff. [MR23]
8.1.4 Confidentiality agreements
All MRC establishments must have arrangements in place which:
set out employees' responsibilities concerning confidentiality and non-disclosure of
information, both within the MRC's premises and beyond, and within and beyond
normal working hours;
ensure that the use of IS/IT facilities by agency, temporary or contract staff is covered
by appropriate confidentiality agreements.
Other organisations may require MRC employees to sign confidentiality agreements in respect
of their dealings with them.
8.1.5 Terms and conditions of employment
As part of their contractual obligation, employees, contractors and third party users shall agree
and sign the terms and conditions of their employment contract, which shall state their and the
organisation's responsibilities for information security.
The terms and conditions and any supporting documents shall state that the employees'
responsibilities for information security extend beyond the MRC's premises and outside
working hours (including home working).
5 Explanation: The word employment is meant here to cover all of the following different
situations: employment of people (temporary or longer lasting), appointment of job roles,
changing of job roles, assignment of contracts, and the termination of any of these
arrangements.
8.2 During employment
Objective
To ensure that all employees, contractors and third party users are aware of information
security threats and concerns, their responsibilities and liabilities, and are equipped to support
organisational security policy in the course of their normal work, and to reduce the risk of
human error.
Policy
8.2.1 Management responsibilities
Management shall require employees, contractors and third party users to apply security in
accordance with established policies and procedures of the organisation.
8.2.2 Information security awareness, education and training
All employees of the MRC and, where relevant, contractors, partners, collaborators and other
third party users shall receive appropriate awareness training and at least annual updates, in
organisational policies and procedures, as relevant for their job function.
All MRC establishments must ensure that all users of ICT systems are familiar with the security
operating procedures governing their use, receive appropriate security training, and are aware
of local processes for reporting issues of security concern. They must further ensure that staff
with access to information assets are appropriately trained, are aware of incident reporting,
and know the minimum standards relating to the handling of protectively marked data. [MR48]
8.2.3 Disciplinary process
There shall be a formal disciplinary process for employees who have committed a security
breach.
8.2.4 Culture, training and professionalism
All MRC establishments must ensure that:
Security education and awareness must be built into all staff inductions, with annual
familiarisation thereafter.
There are plans in place to foster a culture of proportionate protective security.
There is a clearly stated and available policy, and mechanisms in place, to allow for
independent and anonymous reporting of security incidents. [MR09]
8.2.5 Risk management
Each MRC establishment must, as part of their risk management approach to protective
security, assess the need to apply personnel security controls against specific posts and the
access to sensitive assets. [MR22]
8.2.6 Governance
Each MRC establishment must ensure that all staff understand the relevant requirements and
responsibilities placed upon them by the Security Policy Framework and that they are properly
equipped to meet the mandatory security policies as set out in the Cabinet Office Security
Policy Framework. [MR01]
8.3 Termination or change of employment
Objective
To ensure that employees, contractors and third party users exit an organisation or change
employment in an orderly manner.
Policy
8.3.1 Termination responsibilities
Responsibilities for performing employment termination or change of employment shall be
clearly defined and assigned.
8.3.2 Return of assets
All employees, contractors and third party users shall return all of the MRC's assets in their
possession upon termination of their employment, contract or agreement.
8.3.3 Removal of access rights
The access rights of all employees, contractors and third party users to information and
information processing facilities shall be removed upon termination of their employment,
contract or agreement, or adjusted upon change.

9. Physical and environmental security
9.1 Secure areas
Objective
To prevent unauthorised physical access, damage and interference to the organisation's
premises and information.
Policy
9.1.1 Defence in depth
Each MRC establishment must adopt a layered approach to physical security, ensuring that
their physical security policy incorporates identifiable elements of prevention, detection and
response. [MR50]
9.1.2 Physical security perimeter
Security perimeters (barriers such as walls, card controlled entry gates or manned reception
desks) shall be used to protect areas that contain information and information processing
facilities.
Each MRC establishment must establish a secure perimeter, with appropriate security barriers
and entry controls. Perimeters should offer physical protection from unauthorised access,
damage and interference and allow for the quick identification of suspicious individuals or
unusual items. [MR61]
Each MRC establishment must assess the security risks to their estate ensuring that security is
fully integrated early in the process of planning, selecting, designing and modifying their
facilities. [MR55]
Each MRC establishment must consider the use of guard forces to protect the assets they hold.
Where guards are deployed the GSZ Manned Guarding Services Manual is considered best
practice. [MR60]
Each MRC establishment must produce a detailed Operational Requirement before deciding to
deploy a security measure, particularly when purchasing a system or security product. This
should clearly define what the system is expected to achieve. [MR62]
9.1.3 Physical entry controls
Secure areas shall be protected by appropriate entry controls to ensure that only authorised
personnel are allowed access.
When unoccupied, secure areas shall be secured and physically locked. Electronic surveillance
(such as CCTV) shall be considered in high-risk environments. Unauthorised photography shall
not be permitted in such areas.
Each MRC establishment must control access to their estate using safeguards that will prevent
unauthorised access. [MR56]
Each MRC establishment must ensure that access control policies are made available to all
staff, and that staff are briefed on their personal responsibilities (e.g. wearing a pass at all
times, escorting visitors and searching their work area if required). [MR58]
9.1.4 Securing offices, rooms and facilities
Physical security for offices, rooms, and facilities shall be designed and applied.
Each MRC establishment must ensure that all locations where information and system assets
(including cryptographic items) are kept have an appropriate level of physical security as
set out in this framework. [MR47]
9.1.5 Secure containers
Each MRC establishment must ensure that protectively marked or valuable material is secured
in appropriate security containers. Large amounts of protectively marked material or
equipment, which cannot be stored in a security container, must be stored in a secure room.
[MR52]
9.1.6 Secure rooms
All establishments must ensure that windows, doors, locks and entry controls meet appropriate
security standards in rooms holding protectively marked material or sensitive assets. [MR53]
9.1.7 CCTV
The deployment of CCTV must be in accordance with the Data Protection Act 1998. [MR63]
9.2 Equipment security
Objective
To prevent loss, damage, theft or compromise of assets and interruption to the organisation's
activities.
Policy
9.2.1 Equipment placement and protection
Equipment shall be sited or protected to reduce the risks from environmental threats and
hazards, and opportunities for unauthorised access.
9.2.2 Supporting utilities
Equipment shall be protected from power failures and other disruptions caused by failures in
supporting utilities.
9.2.3 Cabling security
Power and telecommunications cabling carrying data or supporting information services shall
be protected from interception or damage.
9.2.4 Equipment maintenance
Equipment shall be correctly maintained to ensure its continued availability and integrity.
9.2.5 Security of equipment off-premises
Security shall be applied to off-site equipment taking into account the different risks of working
outside the organisation's premises. All laptops, drives, memory sticks, PDAs, etc. must be
encrypted before they can be taken off-site.
For MRC issued laptops, the disk encryption software will be provided by the local IT support
team. Partner, collaborator and other third party-owned laptops containing MRC data and
information, must be protected with their own Disk Encryption software. Contact the local IT
Helpdesk or Information Security team for further guidance.

9.2.6 Secure disposal or re-use of equipment
All items of equipment containing storage media shall be checked to ensure that any sensitive
data and licensed software has been removed or securely overwritten prior to disposal.
All MRC units must ensure that all media used for storing or processing protectively marked or
otherwise sensitive information are disposed of or sanitised in accordance with HMG IA
Standard No. 5 - Secure Sanitisation of Protectively Marked or Sensitive Information.
[MR45]
9.2.7 Removal of property
Equipment, information or software shall not be taken off-site without prior authorisation.

10. Communications and operations management
10.1 Operational procedures and responsibilities
Objective
To ensure the correct and secure operation of information processing facilities.
Policy
10.1.1 Documented operating procedures
ISM(s) and/or delegated manager(s) shall clearly document, maintain, and publicise (as
appropriate) procedures for all key IS/IT operations, developments, maintenance and testing.
10.1.2 Change management
Changes to information processing facilities and systems shall be controlled.
10.1.3 Segregation of duties
Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised
or unintentional modification or misuse of the organisation's assets.
10.1.4 Separation of development, test and operational facilities
Development, test and operational facilities shall be separated to reduce the risks of
unauthorised access or changes to the operational system.
10.1.5 Information security policy
All MRC establishments must have, as a component of their overarching security policy, an
information security policy setting out how they, and their delivery partners (including offshore
and nearshore (EU/EEA based) Managed Service Providers), comply with the minimum
requirements set out in this policy and the wider framework. [MR31]
10.1.6 Managing information risk
All MRC establishments must conduct an annual technical risk assessment (using HMG IA
Standard No.1) for all HMG ICT Projects and Programmes and when there is a significant
change in a risk component (Threat, Vulnerability, Impact etc.) to existing HMG ICT Systems
in operation. The assessment and the risk management decisions made must be recorded in
the Risk Management and Accreditation Documentation Set (RMADS), using HMG IA Standard
No.2 - Risk Management and Accreditation of Information Systems. [MR32]

After advice from DBIS, MRC Establishments are not required to complete these at this time.
10.1.7 Business Impact
All MRC establishments must, in conjunction with the Protective Marking System, use Business
Impact Levels (ILs) to assess and identify the impacts to the business through the loss of
Confidentiality, Integrity and/or Availability of data and ICT systems should risks be realised.
Aggregation of data must also be considered as a factor in determining ILs. [MR33]
10.1.8 Accreditation and audit
ICT systems that process protectively marked Government data must be accredited using HMG
IA Standard No. 2 - Risk Management and Accreditation of Information Systems, and the
accreditation status must be reviewed at least annually to judge whether material changes
have occurred which could alter the original accreditation decision. [MR36]
All MRC establishments must have the ability to regularly audit information assets and ICT
systems. This must include:
a) Regular compliance checks carried out by the Accreditor, ITSO etc. (documented in the
RMADS audit of the ICT system against configuration records).
b) A forensic readiness policy that will maximise the ability to preserve and analyse data
generated by an ICT system, that may be required for legal and management
purposes. [MR37]
All ICT systems must have suitable identification and authentication controls to manage the
risk of unauthorised access, to enable auditing and to support the correct management of user
accounts. [MR38]
10.2 Third party service delivery management
Objective
To implement and maintain the appropriate level of information security and service delivery in
line with third party service delivery agreements.
Policy
10.2.1 Service delivery
It shall be ensured that the security controls, service definitions and delivery levels included in
the third party service delivery agreement are implemented, operated, and maintained by the
third party.
10.2.2 Monitoring and review of third party services
The services, reports and records provided by the third party shall be regularly monitored and
reviewed, and audits shall be carried out regularly.
10.2.3 Managing changes to third party services
Changes to the provision of services, including maintaining and improving existing information
security policies, procedures and controls, shall be managed, taking account of the criticality of
business systems and processes involved and re-assessment of risks.
10.3 Protection against malicious and mobile code
Objective
To protect the integrity of software and information.
Policy
10.3.1 Controls against malicious code
Detection, prevention, and recovery controls to protect against malicious code and appropriate
user awareness procedures shall be implemented.
Staff shall only install software in accordance with the guidance issued by the MRC.
Appropriate security incident plans shall be developed for dealing with and recovering from
virus attacks, including all necessary data and software back-up and recovery
arrangements.
Users shall be made aware of the standards, guidelines and procedures they must adhere
to, to protect the MRC from virus infection.
10.3.2 Controls against mobile code
Where the use of mobile code is authorised, the configuration shall ensure that the authorised
mobile code operates according to a clearly defined security policy, and unauthorised mobile
code shall be prevented from executing.
10.4 Back-up
Objective
To maintain the integrity and availability of information and information processing facilities.
Policy
10.4.1 Information back-up
Back-up copies of information and software shall be taken and tested regularly in accordance
with the agreed backup policy.
10.5 Network security management
Objective
To ensure the protection of information in networks and the protection of the supporting
infrastructure.
Policy
10.5.1 Network controls
Networks shall be adequately managed and controlled, in order to be protected from threats,
and to maintain security for the systems and applications using the network, including
information in transit.
ISM(s) and Network Managers shall implement appropriate access controls, and
cryptographic techniques to ensure the confidentiality and integrity of data passing over
public networks.
Network Managers shall monitor the performance and availability of the LAN and WAN
connections to ensure they are within acceptable parameters or agreed targets.
10.5.2 Security of network services
Security features, service levels, and management requirements of all network services shall
be identified and included in any network services agreement, whether these services are
provided in-house or outsourced.
10.6 Media handling
Objective
To prevent unauthorised disclosure, modification, removal or destruction of assets, and
interruption to business activities.
Policy
10.6.1 Management of removable media
This includes floppy disks, CDs, DVDs and USB hard drives/memory sticks.

The only removable devices that can be used are those supplied by the MRC; media from any
other source must not be used. The exception to this is if you receive electronic data from
trusted sources outside the MRC, for example, organisations with which the MRC has a
contractual or formal relationship (examples include suppliers, providers, education sector,
government organisations).
MRC issues USB hard drives/memory sticks that are encrypted; only these memory sticks may
be used for storing MRC data.
Any removable device must be considered to have the highest level of confidentiality of any
system to which it has been attached.
The device must be accounted for and protected in accordance with the information stored
upon it and the principles of the MRC's Information Security Policy regarding confidentiality,
integrity, availability and legal compliance.
The device must be content-checked by anti-virus software when connected to MRC
equipment. The device must not be attached to any system which does not have up-to-date
anti-virus software installed.
Devices must be disposed of carefully and securely, in line with HMG Information Assurance
standards. The local Information Security team can provide assistance.
10.6.2 Information handling procedures
Procedures for the handling and storage of information shall be established to protect this
information from unauthorised disclosure or misuse.
10.6.3 Security of system documentation
System documentation shall be protected against unauthorised access.
10.7 Exchange of information
Objective
To maintain the security of information and software exchanged within an organisation and
with any external entity.
Policy
10.7.1 Information exchange policies and procedures
Formal exchange policies, procedures, and controls shall be in place to protect the exchange of
information through the use of all types of communication facilities.
10.7.2 Security of electronic mail
Controls shall be applied to reduce the risks associated with electronic mail.
The MRC shall define an IT Code of Practice (CoP), which will be issued to all staff, who will be
required to acknowledge that they have read and understood it.
10.7.3 Exchange agreements
Agreements shall be established for the exchange of information and software between the
organisation and external parties, for example to the parent department for reporting.
10.7.4 Physical media in transit
Media containing information shall be protected against unauthorised access, misuse or
corruption during transportation beyond an organisation's physical boundaries.
10.7.5 Electronic messaging
Information involved in electronic messaging shall be appropriately protected.
Where necessary, this includes encryption of electronic mail. Contact the Corporate
Information Security Team for more details of this service.
10.7.6 Business information systems
Policies and procedures shall be developed and implemented to protect information associated
with the interconnection of business information systems.
10.8 Monitoring
Objective:
To detect unauthorised information processing activities.
Policy
10.8.1 Audit logging
Audit logs recording user activities, exceptions, and information security events shall be
produced and kept for an agreed period to assist in future investigations and access control
monitoring.
10.8.2 Monitoring system use
In line with the MRC's Code of Practice for IT use, staff should be aware that the use of MRC
systems and equipment is routinely logged and monitored. Within the legal framework, the
MRC reserves the right to monitor, access, intercept and/or quarantine any networking or
computing resources. Privacy of emails and other documents cannot be guaranteed.
Staff must not use the IT facilities provided to engage in any inappropriate or illegal activity. This
includes knowingly viewing, accessing, producing, storing, processing and/or distributing
materials or messages of the following types:
that are illegal in the UK;
with pornographic content, including pictures showing unclothed or partially clothed
people, pictures showing or suggesting acts of a sexual nature and written material
referring to the above, except when this is directly required for MRC work and
pre-approved;
sympathetic to criminal or terrorist activities;
that promote or encourage discrimination or intolerance, for example racism;
that are defamatory, for example libellous;
that infringe the data protection rights or privacy of any other individual;
that breach UK copyright law;
that could endanger the health and safety of any other individual;
that are considered unacceptable because they run counter to MRC policy, for example on
Equal Opportunities, Harassment and Bullying and the MRC's Disciplinary Procedure;
and
that contain a virus or worm.

Staff logon information is stored within a security log. Information recorded within this log
includes records of user logon names, time and date of each logon, success/failure rates of
each logon and the date and time of any changes made to permissions set on files and folders.
Data held is in line with the HMG recommended period.
This Policy will be implemented in line with the 1998 Education Reform Act, Section 202, which
ensures that academic staff have freedom within the law to question and test received wisdom,
and to put forward new ideas and controversial or unpopular opinions, without placing
themselves in jeopardy of losing their jobs or privileges they may have at their institutions.


11. Access control
11.1 Business requirement for access control
Objective
To control access to information
Policy
11.1.1 Access control policy
An access control policy shall be established, documented, and reviewed based on business
and security requirements for access.
11.2 User access management
Objective
To ensure authorised user access and to prevent unauthorised access to information systems.
Policy
11.2.1 User registration
There shall be a formal user registration and de-registration procedure in place for granting
and revoking access to all information systems and services.
11.2.2 Privilege management
The allocation and use of privileges shall be restricted and controlled.
11.2.3 User password management
The allocation of passwords shall be controlled through a formal management process.
11.2.4 Review of user access rights
Management shall review users' access rights at regular intervals using a formal process.
11.3 User responsibilities
Objective
To prevent unauthorised user access, and compromise or theft of information and information
processing facilities.
Policy
11.3.1 Password use
Users shall be required to follow good security practices in the selection and use of passwords.
Passwords are required to be at least eight characters in length and be an alphanumeric mix.
Network passwords must be changed at least every 42 days with re-use prohibited.
Passwords must be kept confidential, not shared with others and not written down. If problems
are experienced with passwords and access to the network, contact either the local or Auris
Helpdesk who will follow approved MRC procedures.
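An added example, not code from the MRC policy, showing how the 11.3.1 rules could be enforced in a password-change routine: minimum eight characters, a mix of letters and digits, expiry after 42 days and a prohibition on re-use checked against a salted-hash history. The PasswordRecord store, the PBKDF2 hashing, the constructed sample user and the reading of "alphanumeric mix" as at least one letter plus one digit are assumptions of this example, not MRC specifics.

```python
"""Password policy checks for the MRC 11.3.1 rules (added example, not MRC code).

Assumptions not stated in the policy: passwords are stored as salted
PBKDF2-SHA256 hashes, "alphanumeric mix" means at least one letter and one
digit, and every previous password stays in the history for the re-use check.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date

MIN_LENGTH = 8      # 11.3.1: at least eight characters
MAX_AGE_DAYS = 42   # 11.3.1: changed at least every 42 days
PBKDF2_ROUNDS = 100_000


def check_complexity(password: str) -> list[str]:
    """Return the 11.3.1 complexity rules the password breaks (empty list if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isalpha() for ch in password):
        problems.append("no letters")
    if not any(ch.isdigit() for ch in password):
        problems.append("no digits")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordRecord:
    """Constructed per-user record; a real directory would hold equivalent fields."""
    user: str
    salt: bytes
    current_hash: bytes
    changed_on: date
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash) pairs


def new_record(user: str, password: str, today: date) -> PasswordRecord:
    problems = check_complexity(password)
    if problems:
        raise ValueError(f"initial password rejected: {', '.join(problems)}")
    salt = os.urandom(16)
    return PasswordRecord(user, salt, _hash(password, salt), today)


def password_age_days(record: PasswordRecord, today: date) -> int:
    return (today - record.changed_on).days


def is_expired(record: PasswordRecord, today: date) -> bool:
    """Expired once the password is older than MAX_AGE_DAYS."""
    return password_age_days(record, today) > MAX_AGE_DAYS


def was_used_before(record: PasswordRecord, password: str) -> bool:
    """Re-use check against the current hash and every historical hash.
    Each entry carries its own salt, so the candidate is re-hashed per entry."""
    candidates = [(record.salt, record.current_hash)] + record.history
    return any(hmac.compare_digest(_hash(password, s), h) for s, h in candidates)


def change_password(record: PasswordRecord, new_password: str, today: date) -> list[str]:
    """Apply the change if it satisfies 11.3.1; otherwise return the rejection reasons.
    On success the old hash moves into the history and a fresh salt is drawn."""
    problems = check_complexity(new_password)
    if was_used_before(record, new_password):
        problems.append("password has been used before")
    if problems:
        return problems
    record.history.append((record.salt, record.current_hash))
    record.salt = os.urandom(16)
    record.current_hash = _hash(new_password, record.salt)
    record.changed_on = today
    return []


def logon_status(record: PasswordRecord, today: date) -> str:
    """What a logon check reports: forced change when expired, else days remaining."""
    if is_expired(record, today):
        return "expired: change required"
    return f"ok: {MAX_AGE_DAYS - password_age_days(record, today)} days until expiry"


def run_scenario() -> dict[str, object]:
    """Constructed walk-through: password set on the policy's issue date, then checked."""
    rec = new_record("alice", "Summer2010", date(2010, 9, 10))
    day = date(2010, 10, 23)  # 43 days later, so the 42-day limit has passed
    return {
        "status_day21": logon_status(rec, date(2010, 10, 1)),
        "status_day43": logon_status(rec, day),
        "reuse": change_password(rec, "Summer2010", day),
        "short": change_password(rec, "short1", day),
        "changed": change_password(rec, "Autumn2010", day),
        "reuse_after_change": change_password(rec, "Summer2010", day),
        "status_after_change": logon_status(rec, day),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```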

11.3.2 Unattended user equipment
Where a computer is logged into the MRC network but inactive for more than 10 minutes, an
inactivity lock must be automatically applied.
In line with corporate and local environmental and sustainability policies, staff should log out and
switch off workstations and monitors before leaving the office at the end of each working day.
However, workstations must remain plugged into the mains to allow remote updates to be applied.
11.3.3 Clear desk and clear screen policy
All staff must handle information in accordance with the MRC's Protective Marking and
Handling Scheme. Where possible, it is recommended to implement a general clear desk
policy.
11.4 Network access control
Objective
To prevent unauthorised access to networked services.
Policy
11.4.1 Policy on use of network services
Users shall only be provided with access to the services that they have been specifically
authorised to use.
11.4.2 User authentication for external connections
Appropriate authentication methods shall be used to control access by remote users.
11.4.3 Equipment identification in networks
Automatic equipment identification shall be considered as a means to authenticate connections
from specific locations and equipment.
11.4.4 Remote diagnostic and configuration port protection
Physical and logical access to diagnostic and configuration ports shall be controlled.
11.4.5 Segregation in networks
Groups of information services, users, and information systems shall be segregated on
networks.
11.4.6 Network connection control
For shared networks, especially those extending across the organisation's boundaries, the
capability of users to connect to the network shall be restricted, in line with the access control
policy and requirements of the business applications (see 11.1.1).
11.4.7 Network routing control
Routing controls shall be implemented for networks to ensure that computer connections and
information flows do not breach the access control policy of the business applications.
11.5 Operating system access control
Objective:
To prevent unauthorised access to operating systems.
Policy
11.5.1 Secure log-on procedures
Access to operating systems shall be controlled by a secure log-on procedure.
11.5.2 User identification and authentication
All users shall have a unique identifier (user ID) for their personal use only, and a suitable
authentication technique shall be chosen to substantiate the claimed identity of a user.
11.5.3 Use of system utilities
The use of utility programs that might be capable of overriding system and application controls
shall be restricted and tightly controlled.
11.5.4 Session time-out
Inactive sessions shall shut down after a defined period of inactivity.
11.5.5 Limitation of connection time
Restrictions on connection times shall be used to provide additional security for high-risk
applications.
11.6 Application and information access control
Objective
To prevent unauthorised access to information held in application systems.
Policy
11.6.1 Information access restriction
Access to information and application system functions by users and support personnel shall be
restricted in accordance with the defined access control policy.
11.6.2 Sensitive system isolation
Sensitive systems shall have a dedicated (isolated) computing environment.
11.7 Mobile computing and teleworking
Objective
To ensure information security when using mobile computing and teleworking facilities.
Policy
11.7.1 Mobile computing and communications
This includes equipment such as laptop computers, personal digital assistants (PDAs), smart
phones and BlackBerrys.
It is expected that staff will be vigilant and take care of MRC property at all times. For
example, equipment must not be left near open windows or in view of the public, and
equipment such as laptops, PDAs and smart phones must be locked away in a secure place
when not in use and overnight, or be taken off site for added security. Unauthorised persons
must be prevented from using MRC equipment.
Data should be copied and backed up from laptop computers on a regular basis in case of loss
or theft.
Laptops must be protected with disk encryption software. For MRC issued laptops, the disk
encryption software will be provided by the local IT support team. Partner, collaborator and
other third party-owned laptops containing MRC data and information, must be protected with
their own Disk Encryption software. Contact the local IT Helpdesk or Information Security team
for further guidance.
Use of wireless internet hotspots (provided by the MRC or by commercial companies, for
example BT Openzone) is allowed from MRC laptops. To avoid unauthorised access to
information on MRC laptops in a wireless area, Computer to Computer access (access via
another workstation) and unsecured access (where no password is required) are not permitted.
Staff have personal accountability for the information held on and accessed from their PDA. If
staff lose their PDA, or have it stolen, this must be reported immediately to the local IT
Security Officer or the MRC's Corporate Information Security team. The backup of the PDA
data is the responsibility of the user.
Staff using MRC-supplied portable IT equipment should note that, in addition to monitoring
undertaken as part of information security, the MRC monitors the use of this equipment.
Where there is doubt that the equipment is being used regularly and there is a
requirement elsewhere within the MRC for such equipment, the equipment may be
re-allocated.
11.7.2 Teleworking
A policy, operational plans and procedures shall be developed and implemented for teleworking
activities.
12. Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
Objective:
To ensure that security is an integral part of information systems.
Policy
12.1.1 Security requirements analysis and specification
Statements of business requirements for new information systems, or enhancements to
existing information systems shall specify the requirements for security controls.
12.2 Security of system files
Objective
To ensure the security of system files.
Policy
12.2.1 Control of operational software
There shall be procedures in place to control the installation of software on operational
systems.
12.3 Security in development and support processes
Objective
To maintain the security of application system software and information.
Policy
12.3.1 Change control procedures
The implementation of changes shall be controlled by the use of formal change control
procedures.
12.3.2 Technical review of applications after operating system changes
When operating systems are changed, business critical applications shall be reviewed and
tested to ensure there is no adverse impact on organisational operations or security.
12.4 Technical Vulnerability Management
Objective
To reduce risks resulting from exploitation of published technical vulnerabilities.
Policy
12.4.1 Control of technical vulnerabilities
Timely information about technical vulnerabilities of information systems being used shall be
obtained, the organisation's exposure to such vulnerabilities evaluated, and appropriate
measures taken to address the associated risk.
The MRC's Corporate Information Security team will provide updates to all establishments about
known vulnerabilities.
13. Information security incident management
13.1 Reporting information security events and weaknesses
Objective
To ensure information security events and weaknesses associated with information systems
are communicated in a manner allowing timely corrective action to be taken.
Policy
13.1.1 Reporting information security events
Information security events shall be reported through appropriate management channels as
quickly as possible.
13.1.2 Reporting security weaknesses
All employees, contractors and third party users of information systems and services shall be
required to note and report any observed or suspected security weaknesses in systems or
services.
13.2 Management of information security incidents and improvements
Objective
To ensure a consistent and effective approach is applied to the management of information
security incidents.
Policy
13.2.1 Responsibilities and procedures
Management responsibilities and procedures shall be established to ensure a quick, effective,
and orderly response to information security incidents.
13.2.2 Learning from information security incidents
There shall be mechanisms in place to enable the types, volumes, and costs of information
security incidents to be quantified and monitored.
13.2.3 Collection of evidence
Where a follow-up action against a person or organisation after an information security
incident involves legal action (either civil or criminal), evidence shall be collected, retained,
and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).

The Corporate Information Security Team has a list of approved third parties with the relevant
experience.
13.2.4 Reporting incidents
The Corporate MRC Information Security team has a clear policy and process for reporting,
managing and resolving ICT security incidents (see Security Incident Handling Policy, version
1.2). All security incidents must be reported to:
a) Appropriate departmental security authorities.
b) The Information Commissioner's Office and the Cabinet Office Central Sponsor for
Information Assurance, for significant actual or possible losses of personal data.
14. Business continuity management
14.1 Information security aspects of business continuity management
Objective:
To counteract interruptions to business activities and to protect critical business processes
from the effects of major failures of information systems or disasters and to ensure their
timely resumption.
Policy
14.1.1 Including information security in the business continuity management process
A managed process shall be developed and maintained for business continuity throughout the
MRC that addresses the information security requirements needed for the business continuity
of all its establishments.
14.1.2 Business continuity and risk assessment
Events that can cause interruptions to business processes shall be identified, along with the
probability and impact of such interruptions and their consequences for information security.
14.1.3 Developing and implementing continuity plans including information security
Plans shall be developed and implemented to maintain or restore operations and ensure
availability of information at the required level and in the required time scales following
interruption to, or failure of, critical business processes.
14.1.4 Business continuity planning framework
A single framework of business continuity plans shall be maintained to ensure all plans are
consistent, to consistently address information security requirements, and to identify priorities
for testing and maintenance.
14.1.5 Testing, maintaining and reassessing business continuity plans
Business continuity plans shall be tested and updated regularly to ensure that they are up to
date and effective.
15. Compliance
15.1 Compliance with legal requirements
Objective:
To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any
security requirements.
Policy
15.1.1 Identification of applicable legislation
All relevant statutory, regulatory and contractual requirements and the MRCs approach to
meet these requirements shall be explicitly defined, documented, and kept up to date for each
information system and the organisation.
15.1.2 Intellectual property rights (IPR)
Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory,
and contractual requirements on the use of material in respect of which there may be
intellectual property rights and on the use of proprietary software products.
15.1.3 Protection of organisational records
Important records shall be protected from loss, destruction and falsification, in accordance with
statutory, regulatory, contractual, and business requirements.
15.1.4 Data protection and privacy of personal information
Data protection and privacy shall be ensured as required in relevant legislation, regulations,
and, if applicable, contractual clauses.
15.2 Compliance with security policies and standards, and technical compliance
Objective:
To ensure compliance of systems with organisational security policies and standards.
Policy
15.2.1 Compliance with security policies and standards
Managers shall ensure that all security procedures within their area of responsibility are carried
out correctly to achieve compliance with security policies and standards.
15.2.2 Technical compliance checking
Information systems shall be regularly checked for compliance with security implementation
standards.
15.3 Information systems audit considerations
Objective
To maximise the effectiveness of and to minimise interference to/from the information systems
audit process.
Policy
15.3.1 Information systems audit controls
Audit requirements and activities involving checks on operational systems shall be carefully
planned and agreed to minimise the risk of disruptions to business processes.


16. Effective date

16.1 This policy is effective from September 2010.

17. Review date

17.1 This policy will be formally reviewed in October 2011.





18. Amendment history

Version   Date                 Comments/Changes
1.0       20th November 2009   New policy.
1.1       7th June 2010        Format changes.
1.2       10th September 2010  Changes for MRC Website; date change of HMG SPF


Appendix 1 MRC operational policy template


Appendix One lists all current policies related to information security and relevant to the MRC.

HMG Security Policy Framework
May 2010, Version 4.0

RCUK Cross-Council Information Security Policy
July 2009, Version 2.6 a

Medical Research Council Document Marking Procedure
March 2009, Version 1.11

Medical Research Council Head Office/SSC IT Code of Practice
August 2008, Version 1.0

Medical Research Council-wide IT Code of Practice
February 2009, Version 1.0

Medical Research Council Exceptions Policy
July 2009, Version 1.0

Medical Research Council Security Incident Handling Policy
June 2009, Version 1.2

Medical Research Council Computer Usage and Internet Monitoring Policy
December 2009, Version 1.0
