Information Security Policy


(Policy & Security Incident Procedure)

Reference No.: CR
Policy Sponsor: Director of Corporate Resources
Policy Owner: Head of Information Management
Policy Author: Redacted Information Security Manager
Effective Date: December 2013
Review Date: December 2014

Revision History

| Version | Date | Comments / Reason for Amendments | Amended By |
|  | /09/2013 | New Format | Redacted |

Version 1.0 Page 1 of 16

CONTENTS

POLICY
  POLICY PURPOSE
  SCOPE
  PRINCIPLES
  KEY INFORMATION
  LEGAL / NATIONAL FRAMEWORK
  WHO TO CONTACT ABOUT THIS POLICY/PROCEDURE
PROCEDURE
  STEP BY STEP
    Incident Management
    Breach Management
    Level of Breach and Sanction
    Change Control
  GUIDANCE
  ROLES & RESPONSIBILITIES
  ADDITIONAL INFORMATION
    Definitions
    Monitoring and Review
ADDITIONAL GUIDANCE DOCUMENTS
  MANAGEMENT GUIDANCE
  FREQUENTLY ASKED QUESTIONS (FAQs)
  FORMS / DOCUMENTS / LETTERS
  RECORD RETENTION SCHEDULE

POLICY

POLICY PURPOSE

The purpose of this policy is to protect British Transport Police (BTP) information assets, whether paper-based or electronic, from all threats, whether internal, external, deliberate or accidental.

SCOPE

This policy applies to all Police Officers, Police Community Support Officers (PCSOs), Police Staff and Special Constables, collectively termed employees; this includes those who are on part time, fixed term, or permanent contracts and those on secondment. The policy also applies to community volunteers, members of other agencies and those acting on behalf of BTP. It is applicable in England, Scotland and Wales.

PRINCIPLES

The general public has a right to expect that all members of BTP will, when utilising information in connection with BTP business, ensure:

- That confidentiality of all BTP information, whether electronic or paper-based, is maintained and that only authorised users with a need to know have access to it.
- The integrity of information is kept to a high standard and it is accurate and complete at all times.
- The availability of information is accessible and usable upon demand by authorised users.
- That information is disclosed only to those authorised to receive it.
- That information disclosed is used only for Police purposes.
- That regulatory and legislative requirements are met.

The loss, damage, wrongful destruction or wrongful disclosure of information could result in substantial costs to BTP as well as a reduction in public confidence.

BTP will ensure that there will be a robust procedure in place for change control when there is a requirement to implement change to Information Technology & Communication systems and processes.

All BTP employees are personally responsible for ensuring compliance with this policy and procedure. Failure to comply with this may lead to disciplinary action being taken.

KEY INFORMATION

The Director of Corporate Resources, through their role as the Senior Information Risk Owner (SIRO), is responsible for ensuring the confidentiality, integrity and availability of information assets and promoting robust policy and procedures throughout BTP.

The Force's risk appetite is deemed to be cautious and system tolerance is zero; in view of this, a security case/risk assessment report will be required to be prepared for any risk identified above medium.

BTP will provide cost and risk effective protection through adequate and efficient safeguards and countermeasures, against all nature of threats to its information assets. Protection will be through an appropriate combination of personnel, physical, procedural, technical and management security controls.

Security incidents can include a range of situations which could lead to damage to operational effectiveness, harm to reputation both organisationally and personally and, in the most extreme cases, can lead to prejudice of national security, resulting in a crime and even endangering lives.

All security incidents or potential incidents must be taken seriously and investigated in a swift and proportionate manner. All security incidents, whether actual or suspected, must be reported in accordance with the procedure section of this policy.

The Information Assurance Board shall be responsible for all policies with respect to how information is gathered, stored and processed as part of any information system, whether manual or computerised.

Changes to production systems, including the implementation of new applications, modifications of existing applications, removing old applications, and upgrading or patching system software, carry risks. From a security viewpoint there is a concern with the potential security impact if these changes are not documented or approved by management. Therefore it is important that every computing facility should have clear guidance regarding change control to operating systems, computer equipment, networks, environmental facilities (e.g. HVAC, water, plumbing, electricity and alarms) and applications.

The Information Security Team can offer confidential and practical advice on all matters relating to information security.

All BTP employees and contractors are personally responsible for ensuring compliance with this policy and procedure. Failure to comply with this may lead to disciplinary action being taken.

LEGAL / NATIONAL FRAMEWORK

The implementation of this policy demonstrates the commitment of BTP in complying with the requirement of the Data Protection Act 1998 Principle 7, and the Association of Chief Police Officer (Scotland) Community Security Policy (ACPO(S) CSP), the Security Policy Framework and the Information Assurance Maturity Model, both issued from the Cabinet Office.

WHO TO CONTACT ABOUT THIS POLICY/PROCEDURE

This policy is owned by the Information Security Unit. Any enquiries about this policy should be directed to Redacted or Redacted.

PROCEDURE

1. STEP BY STEP

1.1. Incident Management

Employees have responsibility to ensure that they do not commit or facilitate a security incident that may lead to a security breach.

All employees (including contractors) must report any concerns that security policy or procedures are not being adhered to and that breaches are either being committed or there is a high likelihood they are being committed. Moreover, if there are strong grounds to believe that security breaches may occur, for example, due to vulnerable procedures or individuals, this must be reported.

To ensure the management of security incidents follows a recognised procedure and is reported at the earliest opportunity in order to allow for timely corrective or investigative action, the following actions are required to be adhered to:

Actions

- In the first instance personnel believing a security incident has taken place or has been identified should inform a line manager or supervisor immediately.
- The line manager or supervisor should conduct a local investigation and record events and decisions.
- If the line manager or supervisor is convinced that a security incident has occurred or has been identified then they should complete a Security Incident Reporting Form and forward it to the FISM without delay.
- Where the security incident involves a loss of Laptops, Radios, PDAs or Identity Cards the line manager should inform one of the Force Control Rooms with the details. This is to allow for a general broadcast to be made to ensure all employees are aware of the loss.
- The loss of a Radio or PDA should follow the guidelines issued with the device; this will allow for the device to be stunned as appropriate.

Where a security incident is identified by the ICT Department then a security incident form should be completed by that department and sent to the Information Security Team (IST).

All security incidents classified as a major or gross breach will be referred to PSD.

The loss of or damage to any physical asset must be reported within 24 hours to IST. The loss of information assets also needs to be reported to the Force Claims Manager (Corporate Risk Team) so that potential claims can be assessed and recorded as necessary.

All incidences of fraud or suspected fraud must be reported to the Force Claims Manager (Corporate Risk Team) so that they can ensure that the Force Insurers are informed within 14 days of discovery.

The Information Security Team will ensure that the Force Claims Manager (Corporate Risk Team), Technology Department and Professional Standards Department (as appropriate) are informed of any incident which may require action by them as outlined above.

Breach Management

To ensure that a considered and consistent approach to any information security incident is applied, this section outlines the levels of breach (e.g. minor, major, and gross) that has occurred and the types of sanction that should be considered as a consequence of any information security incident.

The list shown below should in no way be considered either exhaustive or definitive. Line management will need to use their judgment according to the circumstances of each individual case. For example, higher sanctions may need to be considered for the loss of material in aggregate, or that which may have an obviously greater impact, such as the loss of personal/citizen's data.

Level of Breach and Sanction

Minor breach

- Loss/theft/breach of one or more documents/assets protectively marked as PROTECT/RESTRICTED due to proven negligence.
- Transmitting RESTRICTED material on unprotected systems (e.g. Internet, hotmail etc).
- RESTRICTED documents being overlooked by a member of the public.
- Leaving a cabinet/room open at the end of the day containing PROTECT/RESTRICTED material and/or assets or leaving unsecured documents out overnight (i.e. on desk/notice board and/or lying around photocopiers, fax machines (MFDs) etc).
- Not wearing a pass or ID card on premises after being instructed to do so or wearing a pass/ID card in public.
- Loss of building pass/personal ID card or keys due to proven negligence.

Minor breach: Disciplinary procedures which apply

- Disciplinary action may be taken.
- Formal disciplinary procedures may be instigated with an investigation undertaken before a Warning can be issued and appropriate management procedures undertaken (e.g. Management Action File Note).
- Any further breach must be referred to PSD.

Major breach

- Loss/theft/breach of CONFIDENTIAL material/assets due to proven negligence.
- Significant loss (less than 100 records) or misuse of personal data (either marked PROTECT or higher).
- Transmitting of CONFIDENTIAL over a lower protectively marked system.
- CONFIDENTIAL documents being overlooked by a member of the public and overlooked by personnel not cleared to view such documents.
- Leaving a secure cabinet/room open at end of day containing CONFIDENTIAL material/assets or storing them insecurely.
- Persistent offence of minor/major breaches.
- Any attempt to hide, cover-up or fail to report a security incident of any kind.
- Removing CONFIDENTIAL material from official premises without proper authorisation and safeguarding.
- Theft/fraud.
- Giving logon details and password to someone else.

Major breach: Disciplinary/administrative procedures which apply

- Must be referred to PSD.
- Unsatisfactory Performance Procedures (UPP) or Misconduct proceedings.
- Possible criminal proceedings.

Gross breach

- Loss/theft/breach of SECRET and above material due to proven negligence act.
- Loss/theft/breach of Cryptographic material regardless of protective marking due to proven negligence.
- Substantial (more than 100 records) loss or misuse of personal data (either marked PROTECT or higher).
- Transmission of SECRET over a lower protectively marked system.
- Removing SECRET and above material from official premises without proper authorisation and safeguarding.
- SECRET documents being overlooked by a member of the public.
- Leaving an encrypted laptop in public place together with access tokens/passwords etc.
- Deliberate alteration or deletion of information/assets.
- Serious theft or fraud.

Gross breach: Disciplinary/administrative/criminal procedures which apply

- Must be referred to PSD.
- Criminal proceedings under Official Secrets Act, Misconduct in Public Office may apply.

1.4. Change Control

Correctly documented and authorised Change Control processes are essential for the following reasons:

- To ensure that changes can be properly assessed before they are authorised
- To ensure that only properly authorised changes are made
- To ensure that a proposed change is not already registered and thereby reduce possible duplicative effort
- To prevent conflicting changes
- To bring changes into effect in a controlled manner by specifying the timing of the change
- To rationalise similar or related changes, for example by grouping changes which affect a single item or a common area
- To monitor the cost of changes approved and their impact on the project budget
- To keep track of changes and have an audit trail. In other words, who did what? When and why did they do it? What authority did they have?
- To assess impact of change as part of the risk control process

The goals of a correctly implemented change management process are to eliminate problems and errors, and to ensure that the entire environment is stable. To meet these goals it is important to:

- Ensure orderly change: in a facility requiring a high level of systems availability, all changes must be managed in a process to control any variables possibly affecting the environment. As change can cause serious disruption, however, it must be carefully and consistently controlled.
- Inform the computing community of change: changes assumed to affect only a small subsection of BTP may actually affect a much broader cross section. Therefore the whole of the computing community should receive adequate notification of impending changes.
- Analyse changes: the presentation of an intended change to an oversight committee or Change Control Board (CCB), with the corresponding documentation of the change, often effectively exposes the change to careful scrutiny. This analysis clarifies the originator's intended change, prior to the change being implemented, and is helpful in preventing erroneous or inadequately considered changes from entering the system. In addition this will also highlight any risks to the organisation in implementing any changes.
- Reduce the impact of changes on service: computing resources must be available when BTP needs them. Poor judgment, erroneous changes and inadequate preparation must not be allowed in the change process.

Procedures must be in place to support the Change Control process and the following steps should be undertaken.

- Applying to introduce a change: a method must be established for applying to introduce a change affecting the computing environment in areas covered by change procedures; these are covered by the steps and form shown below.
- Cataloguing the change: all change requests should be entered into a change log, which provides documentation for the change itself (e.g. the timing and testing of the change). This log should be updated as the change moves through the process, providing a thorough audit trail of all changes.
- Scheduling the change: after thorough preparation and testing by the sponsor, the change should be scheduled for review and implementation by the CCB.
- Implementing the change: the final step in the change process is the application of the change to the hardware and software environment.
- Reporting to management: periodically a full report summarising change activity should be submitted to the Chief Officers Group (COG). This helps ensure that senior management is aware of any problems that may have developed and any impacts on the service.

The following steps should be followed:

Step 1 - Once a potential requirement for change is identified, a Change Request Form should be completed.

Step 2 - The Change Request Form should be sent directly to the Technology Service Desk who will undertake an initial review. This may result in a rejection of the request for change, or a referral for formal registration with the Change Control Coordinator [CCC]. This should be entered into a change log.

Step 3 - Once registered the CCC will refer the change request to all work stream leads for review and authorisation for an impact analysis.
Step 4 - An Impact Analysis will be undertaken by work stream leads.

Step 5 - The CCC circulates the change request and the impact analysis to appropriate members of the CCB for further evaluation of impact and recommendations. This board will make one of the following decisions:

- Accept change
- Conditional acceptance
- Reject change
- Defer pending further information/decisions

Step 6 - Results will be registered on the change request log, and the originator of the change request will be notified of the result.

Step 7 - Once the sponsor has thoroughly tested the process the CCB should be made aware of the proposed implementation date, and the board should be made aware of any known ramifications of the change. If the board agrees that the change has been thoroughly tested, it should then agree in writing the implementation schedule. All approvals and denials should be in writing, with appropriate reasons if at this stage the change is rejected.

Step 8 - If the change works correctly it should be noted on the change control form. When the change does not perform as expected, information should be gathered, analysed and entered on the change control form, as a reference to help avoid a recurrence of the same problem in the future. In addition the change request should have information to demonstrate how a failed change would affect system operations or how the system is restored until the change can be implemented at a later date.

Step 9 - Final sign off of the Change Control Form.

2. GUIDANCE

2.1. A security incident can cover a wide range of events and may be categorised as follows:

Physical: The following, whilst not exhaustive, provides examples of possible security incidents involving physical assets:

- Loss of Identification (ID)/Warrant cards
- The loss/theft/breach of hard copy protectively marked material
- The breaching of access controls
- The loss/theft/breach of sensitive data or equipment e.g. Radios, PDAs, Laptops etc
- Unauthorised access to, tampering with or use of ICT systems, equipment or accounts
- Unauthorised acquisition of privileges
- Unauthorised access to, use or disclosure of sensitive information
- Unauthorised changes to system hardware, firmware or software

Procedural: Improper use of an ICT system, access or privileges (e.g. password sharing, inappropriate use of or accessing inappropriate web sites); improper handling, distribution, accounting, storage and destruction of cryptographic items or sensitive information.

Electronic: Malware attacks (Viruses, Worms, Trojan Horses); unauthorised disruption of service (denial of service and distributed denial of service attacks), receipt of spam, phishing attacks, etc.

Operational: System failures, crashes, environmental failures and operator errors may have security implications and should be treated as incidents, in addition to their potential implications for business continuity. Some ICT security incidents have been detected as a result of poor system performance.

The examples listed above are not exhaustive and many incidents will belong to more than one category. A breakdown of common forms of security incidents is shown at Appendix A. Other incidents may be difficult to classify and all personnel should be alert to the possibility of new types or manifestations of incident, particularly as attack methods are constantly evolving. All concerns should be brought to the attention of the FISM at the earliest opportunity.

3. ROLES & RESPONSIBILITIES

The Director of Corporate Resources is the Senior Information Risk Owner (SIRO), who is the representative at Senior Command Team (SCT) level and understands the strategic business goals of the organisation and how these may be impacted by failure of information systems.
The SIRO also ensures that management of information risks is weighed alongside the management of the other risks facing the organisation such as financial, legal and operational risks.

The Head of Information Management is responsible for developing, producing, maintaining and delivering the business strategic plans for Information Management, within budget and to agreed timescales, and ensuring that all Information work streams support the strategic aims of BTP.

Area Commanders and Heads of Department are responsible for implementing the policy within their areas and for adherence by their staff.

Line Managers should be aware of the and their individual responsibilities as well as those of their staff, to ensure compliance within their area of responsibility.

All BTP Employees have a responsibility to adhere to this policy and procedure and to abide by the conditions of employment by maintaining the confidentiality, integrity and availability of information, and to use BTP information assets for policing purposes only. Failure to do so may lead to disciplinary action being taken.

All BTP employees, contractors and vendors who may have cause to request a change to computing facilities must follow the procedure detailed within the Change Control Section of this policy.

Where security incidents are reported to the Technology Helpdesk or IST are made aware of possible security incidents they must report the matter to Information Security immediately.

The Force Information Security Manager has direct responsibility for maintaining the policy, providing guidance on its implementation and ensuring compliance with policies, standards and procedures, together with ensuring that an adequate system for detecting, reporting and responding to security incidents is in place.

The Information Security Team is responsible for ensuring all security incidents are investigated in a timely manner, providing a response to information security incidents within 24 hours (critical) and 5 working days (non-critical) and to escalate, as required, those incidents that require PSD or line management intervention.

4. ADDITIONAL INFORMATION

4.1. Definitions

Cautious Risk Appetite - Preference for safe options that have a low degree of residual risk and may only have limited potential for business benefit.

Zero system tolerance - Fully acceptable residual risk status is in place, within BTP's corporate risk appetite and tolerance levels. No changes to risk treatment strategy required at the current time.

An Information System is any facility or practice that is used to store or process business information in any form.

An Asset is any information or equipment that has value, either financial or operational, to BTP.

The term Employee(s) refers to all BTP officers, Police Staff and Police Authority members.

The term Contractor(s) includes the main supplier of goods or services, their servants, agents and subcontractors.

The term Security Incident is any suspected failure or identified weakness in information security, namely:

- Accidental or deliberate unauthorised destruction of information.
- Accidental or deliberate unauthorised modification of information.
- Accidental or deliberate unauthorised disclosure of information.
- Deliberate and unauthorised unavailability of systems.
- Unauthorised access to systems or information.
- Misuse of data and theft of assets.
- Any contravention of Information Security or Vetting Policies and associated procedures.
- Any other event which affects security of information.

Confidentiality - Assurance that information is shared only among authorised persons or organisations. Breaches of confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned (i.e. safeguards not being in place when creating and storing documents or other data, printing, copying, ing or scanning).

Integrity - Assurance that the information is authentic and complete. The integrity of data is not only whether the data is 'correct', but whether it can be trusted and relied upon. Making copies of a sensitive document by scanning or photocopying threatens both the confidentiality and the integrity of the information because that data is at risk of change/modification.

Availability - Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.

Cryptographic items - The primary goal of cryptography is to conceal data to protect it against unauthorized third-party access by applying encryption.

Monitoring and Review

This policy will be reviewed on an annual basis and in response to any significant changes in legislation or business purpose.

ADDITIONAL GUIDANCE DOCUMENTS

MANAGEMENT GUIDANCE

This policy and procedure places certain responsibilities on line managers to ensure that employees comply with the requirements contained within this document to ensure that everyone protects all Police information and assets properly. Doing this reduces the risk of an information security incident happening, and helps protect employees and the reputation of BTP. If a manager has any questions relating to this document, please contact a member of the Information Security Team.

FREQUENTLY ASKED QUESTIONS (FAQs)

Q - Does this policy document relate to me?
A - Yes, everyone has responsibility for Information Security to ensure the confidentiality, integrity and availability of all information and assets within BTP are maintained and protected at all times from threats of deliberate or accidental actions by internal or external sources.

Q - I think an Information security incident has happened, what do I need to do?
A - You need to speak to your line manager as soon as practically possible; they will help establish the facts and determine if an incident has occurred. You will be required to complete a Security Incident Form which must be sent to the Information Security Team.

Q - Does this document provide me with everything I need to know regarding information security with BTP?
A - No, this document must be read in conjunction with the other policy documents listed below.

Q - I have identified that an IT system needs to be upgraded, what am I required to do?
A - You need to follow the change control section of this policy and complete a Change Control Request Form and send it to the Technology Department for their initial appraisal.

Q - Where can I get more advice regarding my responsibilities?
A - In the first instance you should speak to your line manager and for further guidance contact the Information Security Team who will be happy to provide advice and offer support.

FORMS / DOCUMENTS / LETTERS

- Use & Management of IT and Communication Systems Policy
- Physical Security Measures of Buildings (including Home workers) Policy
- Handling Protecting and Disposing of Police Assets Policy
- Warrant and Identity Card Policy
- Security Incident Reporting Form (CR F1)
- Change Control Request Form (CR F1)
- Common Examples of Information Security Incidents (CR F2)

RECORD RETENTION SCHEDULE

Records generated as a result of this policy/procedure document will be kept for 7 years.

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures SECURITY INCIDENT REPORTING AND MANAGEMENT Standard Operating Procedures Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme.

More information

Information Incident Management Policy

Information Incident Management Policy Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

University of Sunderland Business Assurance Information Security Policy

Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Indirani 02/11/2009 Draft 2 Include JG's comments Jackie Groom

How To Protect Decd Information From Harm

Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

06100 POLICY SECURITY AND INFORMATION ASSURANCE

Version: 5.4 Last Updated: 30/01/14 Review Date: 27/01/17 ECHR Potential Equality Impact Assessment: Low Management of Police Information (MoPI) The Hampshire Constabulary recognises that any information

Information Security Policies. Version 6.1

Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

This policy applies equally to all full time and part time employees on a permanent or fixed-term contract.

Discipline Policy 1. Introduction This policy sets out how Monitor will deal with employee conduct which falls below the expected standard. It is Monitor's aim to use the policy as a means of encouraging

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

ITEC Malpractice & Maladministration Policy

Version 3 1 Contents Malpractice & Maladministration Policy 3 Introduction 3 Centre's Responsibility 3 Review Arrangements 4 Definition of Malpractice 4 Definition

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

DBC 999 Incident Reporting Procedure

Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible

University of Liverpool

University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level

The potential legal consequences of a personal data breach

Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

Caedmon College Whitby

Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

Should an investigation be undertaken into your centre, the head of centre must:

Malpractice and Maladministration Policy Introduction This policy is aimed at all customers, approved centres and learners who are delivering or registered on Crossfields Institute approved qualifications

Senior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES

Senior School 1 PURPOSE The policy defines and describes the acceptable use of ICT (Information and Communications Technology) and mobile phones for school-based employees. Its purpose is to minimise the

DATA PROTECTION AND DATA STORAGE POLICY

1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the "Policy") applies to all personal data collected and dealt with by Centre 404, whether

ABERDARE COMMUNITY SCHOOL

IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been

INFORMATION GOVERNANCE POLICY

Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author's Job Title

NETWORK SECURITY POLICY

Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

Disciplinary and Dismissals Policy

Policy Purpose/statement/reason for being Disciplinary and Dismissals Policy E.G - MIP is designed to strengthen the effectiveness of individual's contribution to the Council's success. Purpose The Disciplinary

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING

Introduction and Policy Aim The Royal Borough of Windsor and Maidenhead (the Council) recognises the need to protect Council

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful

INFORMATION SECURITY POLICY

Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies

MIT's Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT's Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

Information Security Code of Conduct

IT's up to us >Passwords > Anti-Virus > Security Locks >Email & Internet >Software >Aon Information >Data Protection >ID Badges > Contents Aon Information Security

COMPUTER USAGE - EMAIL

BASIC BELIEF This policy relates to the use of staff email at Mater Dei and is designed to provide guidelines for individual staff regarding their use. It encourages users to make responsible choices when

Information Security Incident Management Policy

Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT Policy & Regulation

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Information Security September, 2012 Contents 1. Introduction... 3 1.1 Overview...

Security Incident Management Policy

January 2015 Document Version 2.4 Document Status Owner Name Owner Job Title Published Martyn Ward Head of ICT Business Delivery Document ref. Approval Date 27/01/2015

Corporate Information Security Policy

A guide to the Council's approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

Information Security

A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

Aberdeen City Council IT Security (Network and perimeter)

Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

Remote Network Access Procedure

Version: 1.1 Bodies consulted: - Approved by: PASC Date Approved: 20.8.13 Lead Manager: Ade Sulaiman Responsible Director: Simon Young Date issued: Aug 13 Review date: Jul

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE

GENERAL STATEMENT 1.1 The Council recognises the increasing importance of the Internet and email, offering opportunities for improving

Pierce County Policy on Computer Use and Information Systems

Pierce County provides a variety of information technology resources such as computers, software, printers, scanners, copiers, electronic mail

Service Children's Education

Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

PROCEDURE Transaction Monitoring and Audit. Number: G 0811 Date Published: 6 June 2013

1.0 Summary of Changes This procedure has been amended to include the Police National Database (PND). 2.0 About this Procedure The Chief Constable will assume the responsibilities of the data controller

Harper Adams University College. Information Security Policy

Harper Adams University College Information Security Policy Introduction The University College recognises that information and information systems are valuable assets which play a major role in supporting

Policy Document. Communications and Operation Management Policy

Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

Data Security Breach Incident Management Policy

Contents 1. Background... 1 2. Aim... 1 3. Definition... 2 4. Scope... 2 5. Responsibilities... 2 6. Data Classification... 2 7. Data Security Breach Reporting...

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services

Issue 1.0 (Effective 27 June 2012) This document contains a copy of the STFC policy statements outlining

Corporate Information Security Management Policy

Signed: Chief Executive. 1. Definition of Information Security 1.1. Information security means safeguarding information from unauthorised access or modification

Information Security Policy

Touro College/University ("Touro") is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

Information Governance Policy (incorporating IM&T Security)

(incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION

The purpose of this policy is to outline essential roles and responsibilities within the University community for

Information Governance Strategy & Policy

March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

COUNCIL POLICY NO. C-13

TITLE: POLICY: Identity Theft Prevention Program See attachment. REFERENCE: Salem City Council Finance Committee Report dated November 7, 2011, Agenda Item No. 3 (a) Supplants Administrative

Information Security Policy London Borough of Barnet

DATA PROTECTION 11 Document Control POLICY NAME Document Description Information Security Policy Policy which sets out the council's approach to information

Working Practices for Protecting Electronic Information

Information Security Framework 1. Purpose The following pages provide more information about the minimum working practices which seek to ensure that

Information Security Incident Protocol

Document Owner Caroline Dodge Tel: 01622-221652 caroline.dodge@kent.gov.uk Version Version 2: July 2013 Contents 1. Protocol Objectives 2. Scope 3. Protocol Statement

NHS Information Risk Management

Digital Information Policy NHS Connecting for Health January 2009 Contents Introduction Roles and Responsibilities Information Assets Information Risk Policies Links with

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

SAMPLE TEMPLATE Massachusetts Written Information Security Plan Developed by: Jamy B. Madeja, Esq. Erik Rexford 617-227-8410 jmadeja@buchananassociates.com Each business is required by Massachusetts law

Somerset County Council - Data Protection Policy - Final

Organisation Title Author Owner Protective Marking Somerset County Council Data Protection Policy - Final Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

I. Title A. Name: Information Systems Security Incident Response Policy B. Number: 20070103-secincidentresp C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

Document 12. Open Awards Malpractice and Maladministration Policy and Procedures

Open Awards Malpractice and Maladministration Policy and Procedures Page 1 of 14 Policy Statement Open Awards is committed to ensuring

NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities

Information Governance Untoward Incident Reporting and Management Advice for Local Authorities March 2013 Contents Page 1. The Role of the NIGB.....3 2. Introduction...4 3. Background Information...6 4.

HIPAA Security Alert

Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization's senior management respond to CMS or OIG inquiries about health information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

External Supplier Control Requirements

Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

Information Security Incident Management Policy and Procedure

Version Final 1.0 Document Control Organisation Title Author Filename Owner Subject Protective Marking North Dorset District Council IT Infrastructure

Standard: Information Security Incident Management

Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

DATA AND PAYMENT SECURITY PART 1

STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

Mandatory data breach notification in the ehealth record system

Draft September 2012 A guide to mandatory data breach notification under the personally controlled electronic health record system Contents

LSE PCI-DSS Cardholder Data Environments Information Security Policy

Written By: Jethro Perkins, Information Security Manager Reviewed By: Ali Lindsley, PCI-DSS Project Manager Endorsed By: PCI DSS project

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

DIVISION OF INFORMATION SECURITY (DIS)

Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new

Information Governance Framework. June 2015

Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

Incident reporting procedure

Responsible Officer Author Date effective from Aug 2009 Date last amended Aug 2009 Review date July 2012 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance

Information Management and Security Policy

Unclassified Policy BG-Policy-03 Contents 1.0 BG Group Policy 3 2.0 Policy rationale 3 3.0 Applicability 3 4.0 Policy implementation 4 Document and version control Version Author Issue date Revision detail

REMOTE WORKING POLICY

Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

Rotherham CCG Network Security Policy V2.0

Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17th October

Note: Non JCQ awarding bodies have their own reporting forms and these would be used where appropriate.

MALPRACTICE IN ASSESSMENT POLICY 1. Policy Statement 1.1 Carshalton College is committed to ensuring that issues of malpractice in internal and external examinations and assessments are addressed. For