Scottish Government records management plan

Sets out the Scottish Government records management plan, policy and retention schedules as well as plans to digitise our records.


Element 8: Information Security

Records are held in accordance with information security compliance requirements.

An authority's RMP must make provision for the proper level of security for its public records.

All public authorities produce records that are sensitive. An authority's RMP must therefore include evidence that the authority has procedures in place to adequately protect its records. Information security procedures would normally acknowledge data protection and freedom of information obligations as well as any specific legislation or regulatory framework that may apply to the retention and security of records.

The security procedures must put in place adequate controls to prevent unauthorised access, destruction, alteration or removal of records. The procedures will allocate information security responsibilities within the authority to ensure organisational accountability and will also outline the mechanism by which appropriate security classifications are linked to its business classification scheme.

Information security applies to records in all formats, as all are equally vulnerable. It covers damage from, among other things, computer viruses, malware, flood, fire, vermin, mould, accidental damage, information breaches or malicious actions.

Current or semi-current records do not normally require archival standard storage. Physical records will however survive far better in a controlled environment. In broad terms, the environment for current physical records should not allow large changes in temperature or excess humidity (as increased high temperatures and humidity are more likely to cause mould). If physical records are not adequately protected then the risk that the records could be damaged and destroyed is potentially higher and could lead to significant reputational and financial cost to the business.

Best Practice might include:

  • Information security provision is adequate to meet all relevant information security compliance requirements.
  • Appropriate security measures are in place to protect records involving personal data and ensure compliance with the integrity and confidentiality principle.

Read further explanation and guidance about element 8.

Scottish Government Statement

Scottish Government has a number of well-established information security policies and procedures which all staff are required to comply with. The policies are approved and reviewed on a regular basis.

Scottish Government is proactive in its approach to information risk through the corporate risk register.

All Information Asset Owners (IAOs) are briefed and provided with guidance on their role.

All staff are required to complete "Responsible for Information – General User" and "Data Protection" e-learning training on an annual basis. This annual awareness training reminds employees of the importance of data security and associated risks.

Scottish Government ensures that adequate physical controls are put in place to maintain the security and confidentiality of all business-sensitive data, whether held manually or electronically.

Evidence

E12: SG Information Security Policy Statement

E13: SG Data Handling Standard

E14: SG Clear Desk Policy

E15: SG Risk Management Guide

E16: SG Risk Strategy and Policy

E17: Information Asset Owner Handbook

E18: Scottish Government IT Security Policy

E19: Scottish Government Information Risk Management Appetite Statement

E20: Restricting files and documents in eRDM – use of security groups

E33: Scottish Government eRDM Document Restrictions

E38: Scottish Government IT Code of Conduct

Further Development

These policies will continue to be reviewed regularly and updated as required.

Contact

Email: RMT_ERDM_Team@gov.scot