5. Security Policy Management

5.1 Provide management direction and support

5.1.1 Develop your information security policies

Information Security Policy

Introduction

The Scandiatransplant IT-system is considered a most critical resource, which is why there is an emphasis on reliability, quality and confidentiality. The Scandiatransplant office recognizes the need for its users and employees to have access to the information they require in order to carry out their work and recognizes the role of information security in enabling this.

This information security policy defines the framework within which information security will be managed in the Scandiatransplant office. This policy is the primary information security policy under which all other security related polices reside.

Scope

It is important to ensure that the security level is high and that information is treated with due confidentiality to give the best possible service to the recipients waiting for an organ, support the activity in general in the Nordic transplantation community and to maintain Scandiatransplant’s credibility.

This policy is applicable to and will be communicated to all employees at the Scandiatransplant office.

Objectives

Accessibility and recovery – to have high uptime percentage, rely on good backup recovery procedures for recovering data and build contingency plans for critical hardware failure. In a great extent to use open source software to be independent from supplier(s).
Integrity - minimized risk of manipulation and function errors in both data and system.
Confidentiality – data processing, transmission and storage must be treated with confidentiality.
Access requirements – approval of new user before granting access, password allowing only authorized users to gain access to required applications, regular check of user activity.
System development – to have a process development plan describing how to develop, document, test, implement and monitor all new parts of the IT systems.

Organization & responsibility

All employees must be familiar with, relate to and comply with the information security policy in their daily work.

All persons are considered as possible causes of security breaches, i.e. no group of people should be beyond safety regulations.

Scandiatransplant office wishes to maintain and continuously enhance information security based on the requirements outlined in ISO 27000, 27001, 27002 and 27799. Furthermore to be in compliance with regulations outlined in GDPR, which became effective in every EU member state May 2018.

The Medical director is ultimately responsible for the maintenance of this policy and for compliance within the Scandiatransplant office. This policy has been approved by the Scandiatransplant board.

The Medical Director must together with the board work with the security policy at a strategic level and make sure that it supports the vision and the objectives of the IT strategy. Furthermore this policy should conform to all existing rules, regulations and appropriate laws.

Assets and Risk analyze

It is important to be aware of Scandiatransplant’s information assets to protect corporate assets from internal and external risks, including items such as valuable and sensitive data that needs to be kept secure and confidential.

Scandiatransplant does not wish to eliminate every risk at any cost, however, it is necessary to be aware of risks, relate satisfactorily to these and establish an adequate level of security.
All employees must perferably be involved in the risk assessment and are responsible for assessing threats, consequences and risks of the IT system and other relevant areas.

No	Updated	Update by	Approved	Approved by	Public
1.0	2013-09-23	IDW	2013-09-23	Scandiatransplant board	2013-09-25
1.1	2018-07-06	IDW	2018-07-09	KAJ	2018-07-09

5.1.2 Review your information security policy document

Do “we do what we say and say what we do”?

Objective