06100 POLICY SECURITY AND INFORMATION ASSURANCE

Transcription

1 Version: 5.4 Last Updated: 30/01/14 Review Date: 27/01/17 ECHR Potential Equality Impact Assessment: Low Management of Police Information (MoPI) The Hampshire Constabulary recognises that any information it holds must be for a policing purpose and managed in accordance with the force policy on MOPI 1. About This Policy 1.1. This policy outlines the mandatory security requirements and management arrangements to which Hampshire Constabulary employees and those working on behalf / for the Hampshire Constabulary must adhere This policy applies to all personnel (police officers, police staff, special constabulary, contractors, temporary staff and volunteers) who have access to protectively marked material in any form This policy is in support of the current version of the Corporate Information Management Strategy The Hampshire Constabulary has a responsibility to ensure that its information systems meet the standards set by the ACPO/ACPO(S) Information Systems Community Security Policy. 2. General Principles 2.1. This policy Deals with: a). b). c). d). e). Governance, Risk Management and Compliance; Protective Marking and Asset Control; Personnel Security; Information Security and Assurance; Physical Security.

2 3. Statement of Policy 3.1. Governance, Risk Management & Compliance This section deals with: a). b). c). d). e). f). g). h). i). Governance; Roles, accountability and responsibilities; Risk management; Assurance; Self assessment; Central reporting; Audit and review; Culture, training and professionalism; International Agreements; Governance Hampshire Constabulary employees and those working on behalf / for the Hampshire Constabulary are required to familiarise themselves with the requirements of the Security & Information Assurance Procedures and comply with their provisions Security requirements for the Force originate from the Cabinet Office. The Hampshire Constabulary Policies and Procedures are aligned to the Cabinet Office Security Policy Framework to enable the effective protection and utilisation of Force assets (people, information and equipment) The Security & Information Assurance Policies and Procedures outline the mandatory security policy requirements that all must meet when using Force assets or attending Force premises. Under certain circumstances additional security will be required. This could be due to threat levels, threat actors, impact levels etc. The Security & Information Assurance Policies and Procedures must also be extended, where necessary, to any organisations working on behalf of, or handling Force assets, such as contractors, Local

3 Authorities, or regular suppliers of goods and / or services Roles, accountability and responsibilities Hampshire Constabulary have designated personnel who have overall responsibility for security within the Force The day to day responsibilities for all aspects of Protective Security are managed by the Security & Information Assurance Unit Overall responsibility for Force Security rests with the Deputy Chief Constable who takes the role of the Senior Information Risk Owner (SIRO) Managers To be aware of Information Security Policies and Procedures and their individual responsibility as well as those of their staff; to ensure compliance in their area of responsibility To regularly monitor staff IT accounts and information processes to ensure compliance Employees, volunteer and non police personnel working on behalf or with the Constabulary Are responsible for compliance with the Information Security Policies and Procedures to ensure that security measures are adhered to in order to prevent / minimise vulnerabilities to the organisation, it s staff and it s assets Risk Management The Hampshire Constabulary have adopted a risk management approach to cover all areas of protective security across the organisation All Hampshire Constabulary assets must be registered and the person responsible for those assets must be identified and aware of their responsibilities Asset owners will need to understand the vulnerability and likelihood of attack from various threats, value them in terms of the impact from loss or failure of

4 confidentiality, integrity and availability and assign a proportionate level of protection to mitigate, and / or recover from, the potential loss or failure of those assets. The identified risk should be reviewed annually Audit and review The Security & Information Assurance Unit will conduct internal reviews of security arrangements throughout the Force. These will include OpSec and Protective Security reviews The Security & Information Assurance Unit must demonstrate compliance with the controls contained within the Information Assurance Maturity Model Culture, training and professionalism Hampshire Constabulary will ensure that: a). b). c). d). e). Board members responsible for security undergo security and risk management familiarisation upon appointment; All members of the Security & Information Assurance Unit will receive relevant training from agencies such as the Centre for Protection of National Infrastructure (CPNI) at the earliest opportunity after appointment; Security education and awareness will be built into all staff inductions, with regular familiarisation thereafter; Hampshire Constabulary plan to foster a culture of proportionate protective security; All security incidents will be reported as per The HANTSPOL Guidance and Instruction for Information Security to the Sy & IA Unit or via Confide in Us to allow for anonymous reporting of security incidents International Security agreements Hampshire Constabulary will ensure that they will adhere to any UK obligations in multilateral or bilateral international agreements Protective marking and asset control

5 This section deals with: a). b). Legal Requirements; Official Secrets Acts; c). Data Protection Act 1998; d). e). f). g). h). i). j). k). Freedom of Information Act; The need to know principle; International Security Standards; International Security Agreements; Material originating outside of HMG; The Government Protective Marking Scheme; Universal Controls; Breaches; Legal requirements Hampshire Constabulary staff are to familiarise themselves with the Official Secrets Acts, Data Protection Act and Freedom of Information Act. Staff handling protectively marked information will be given guidance on how this legislation relates to their role Official Secrets Acts Hampshire Constabulary employees will sign up to the Official Secrets Act on the signing of their contract Data Protection Act 1998 (DPA) All Hampshire Constabulary employees must follow the minimum standards and procedure for handling citizen or personal data Procedure Data Protection describes Hampshire Constabulary employees responsibility under the Data Protection Act Freedom of Information Act (FOIA)

6 Any protectively marked material that is to be released under the Freedom of Information Act is de-classified first and is marked as such. The originator, or specified owner, must be consulted before protectively marked material can be de-classified Procedure Freedom of Information Responding to Requests describes the procedure to be followed by Hampshire Constabulary when dealing with FOIA requests MOPI The Hampshire Constabulary will manage police information in accordance with the principles of the Code of Practice on the Management of Police Information, and the MoPI guidance For more information see Policy Management of Police Information (MoPI) The need to know principle Access to protectively marked assets is only to be granted on the basis of the need to know principle For more information see The Hantspol guidance & Instruction on Information Security International security standards The GPMS is designed to meet the principles of the international standard of Information Security Management Systems (ISO/IEC series) Material originating outside of Her Majesty s Government (HMG) Hampshire Constabulary employees must ensure that non-hmg material which is marked to indicate sensitivity is handled at the equivalent level within the Protective Marking Scheme, or where there is no equivalence, to the level offered by PROTECT as minimum The Government Protective Marking System (GPMS)

7 All personnel must apply the Protective Marking in accordance with Government Protective Marking Scheme (GPMS) and the necessary controls and measures as outlined in this policy and subordinate linked documentation For more information see Procedure and the Security & Information Assurance Intranet pages: Universal controls The following baseline controls must be followed for all protectively marked material: Access is granted on a genuine need to know and use basis Assets must be clearly and conspicuously marked. Where this is not possible staff must have the appropriate security control and be made aware of the protection and controls required Only the originator or the designated owner can protectively mark an asset. Any change to the protective marking requires the originator or designated owner s permission. If they cannot be traced, a marking may be changed, but only by consensus with other key recipients Assets sent overseas must be protected as indicated by the originator s marking and in accordance with any international agreement. Particular care must be taken to protect assets from foreign Freedom of Information legislation by use of national prefixes and caveats of special handling instructions When destroying official records, held on any media, consideration must be given to those records that may be of historical interest the following link refers: Disposal Schedule Historical Records A file, or group of protectively marked documents or assets, must carry the protective marking of the highest marked document or asset contained within it (e.g. a file containing CONFIDETIAL and RESTRICTED material must be marked CONFIDENTIAL Breaches

8 Deliberate or accidental compromise of protectively marked assets may lead to disciplinary, performance and / or criminal proceedings All security breaches will be reported to the Security & Information Assurance Unit: a). Phone: ; b). Security Incident Mailbox For more information on Security Breaches see Procedure Personnel Security This Section Deals with: a). b). c). d). e). Risk Management; Force Security Vetting; National Security Vetting; Ongoing personnel security management ( Aftercare ); Appeals; Risk Management Hampshire Constabulary, as a part of the risk management approach to protective security, will assess the need to apply personnel security controls against specific posts and the access to sensitive assets (designated posts) Hampshire Constabulary employ a risk management approach to Personnel Security in accordance with protective security principles. These seek to reduce the risk of damage, loss, or compromise of Hampshire Constabulary assets and/or reputation by application of personnel security controls before and during employment. These controls do not provide a guarantee of reliability and must be supported by effective line management, nor should they be considered an alternative to the correct application of the need to know principle.

9 Hampshire Constabulary when making a decision on a security clearance will take into account all information available to them and will evidence their decision When making a vetting decision judgement is exercised and all the information obtained during the clearance process is taken into consideration. The existence of one or more factors of concern does not necessarily or conclusively demonstrate unreliability or present an unmanageable risk. The PSVU will consider the nature, likelihood and credibility of the threat and adopts the ACPO National Vetting Policy as guidance for all of the Units processes and assessment criterion Force Security Vetting All personnel wishing to join Hampshire Constabulary, or provide a service which requires access to its premises or information assets, must be subject to the appropriate vetting process as per the Association of Chief Police Officers (ACPO) National Vetting Policy National Security Vetting Hampshire Constabulary will apply National Security Vetting only where it is necessary, proportionate and adds real value and in accordance with the ACPO National Vetting Policy and Government Protective Marking Scheme Ongoing personnel security management ( Aftercare ) Hampshire Constabulary will conduct aftercare as required by the ACPO National Vetting Policy. This will include formal reviews of all vetting clearances, managers and individuals must participate in the process and are responsible for informing the Personnel Security & Vetting Unit (PSVU) if any change in circumstance that may impact on the suitability to hold security clearance Appeals Vetting Unit Homepage Hampshire Constabulary record all vetting results and will report where appropriate to the Professional Standards Tactical and Strategic TCG.

10 3.4. Information Security & Assurance This Section deals with: a). b). c). d). e). f). g). h). i). j). k). l). Information security; Managing information risk; Business impact; Personal data; Roles and responsibilities; Accreditation and audit; Codes of connection and technical controls; Cryptography; Eavesdropping and Electro-magnetic countermeasures; Remote working / mobile media; Procurement; Reporting incidents; m). Secure disposal; n). o). Education, training and awareness; Business continuity and disaster recovery planning; Information Security Hampshire Constabulary employees, and those working on behalf / for the Hampshire Constabulary MUST adhere to all Hampshire Constabulary security policies and supporting procedures Managing information risk As a part of the risk management and accreditation process an annual technical risk assessment of Hantspol and other relevant systems and applications will be completed.

11 Business impact Hampshire Constabulary will in conjunction with the Protective Marking System, use Business Impact Levels (ILs) to assess and identify the impacts to the business through the loss of Confidentiality, Integrity and / or Availability of data and / or assets, should the risk be realised. Aggregation of data will be considered as a factor determining ILs Personal data Hampshire Constabulary employees and those who work for / on behalf of the Constabulary must comply with the data protection principles as set out in the Data Protection Act 1998 and Procedure to ensure a high level of confidence that personal data is handled correctly Roles and responsibilities Information risk must be specifically addressed in the departmental annual Statement on Internal Control (SIC), which is signed off by the Chief Constable Accreditation and audit All Hampshire Constabulary Information Systems will be formally accredited prior to installation. Accreditation will be reviewed annually or more often where re-accreditation conditions apply The HANTSPOL Accreditation Document Set contains the necessary information security assurance and risk calculations All new information assets and ICT systems will have an audit functionality to enable regular compliance checks and which will include a forensic readiness plan that will maximise the ability to preserver and analyse data generated by an ICT system, that may be required for legal and management purposes All new ICT systems must have suitable identification and authentication controls to enable the risk of unauthorised access to be managed and to enable auditing and the correct management of user accounts.

12 Codes of connection and technical controls Hampshire Constabulary will follow the requirements of any codes of connection and / or shared services security policies to which they are signatories Hampshire Constabulary have the following technical policies in place, policy refers: a). b). c). d). e). Patching policy; Policy to manage risks posed by all forms of malicious software ( malware ), including viruses, spyware and phishing etc; Boundary security devices (e.g. firewalls); Content checking / blocking policy; Lockdown policy to restrict unnecessary services and ensure that no user has more privileges than required; Cryptography The Hampshire Constabulary will ensure that information where appropriate will be encrypted to the appropriate level. All CAPS approved encryption is kept in accordance with HMG IA Standard No For more information contact the Security & Information Assurance Unit Remote working / mobile media See Procedure for information on remote working (e.g. home or mobile). This procedure sets out the correct practices when working remotely Procurement Security requirements will be specified in all contracts where applicable. Security requirements are mandatory for all ICT contracts and those contracts where personal data is involved Reporting incidents

13 All actual and suspected security incidents must be reported to the Security & Information Assurance Unit by ing the Security Incidents Mailbox or calling For more information on reporting security incidents see procedure Secure disposal All media used for storing or processing protectively marked or otherwise sensitive information must be disposed of or sanitised securely For more information on secure disposal see procedure Education, training and awareness All Hampshire Constabulary employees will receive appropriate security awareness and training, be familiarised with Security Operating Procedures (SyOPs) and will be made aware of the process for reporting incidents Business continuity and disaster recovery planning Hampshire Constabulary will ensure that Business Continuity and Disaster Recovery Plans are in place at all relevant locations For more information on Business Continuity see Policy Extensions to the Force Network Extending the Force data network into premises that are not under the control of the Hampshire Constabulary will incur vulnerabilities and, impacts on the confidentiality, integrity and availability of our information systems. For further details on the process for extending the force data network into new locations and premises see link to Remote Access (Network Extensions) 3.6. Physical Security This section deals with:

14 a). b). c). d). e). f). g). h). i). j). Purpose; Defence in Depth; Storage of sensitive assets; Secure containers; Secure rooms; Office areas; Building security; Physical access control; Incoming mail and deliveries; CCTV Purpose Physical security involves the appropriate layout and design of facilities, combined with suitable security measures, to prevent unauthorised access and protection of Hampshire Constabulary, people, information, materials and infrastructure. This requires putting in place, or building into design, measures that prevent, deter, delay and detect, attempted or actual unauthorised access, acts of damage and or violence, and triggers an appropriate response Hampshire Constabulary s Baseline Objectives for the access, storage, control and transmission and disposal and destruction of assets can be found here Defence in Depth Hampshire Constabulary will adopt a layered approach to physical security Storage of sensitive assets In order to identify appropriate security measures the Security & Information Assurance Unit will conduct a Physical Security Assessment.

15 Critical, sensitive and protectively marked assets must be located in secure Hampshire Constabulary premises or approved premises and be protected by a defined perimeter where possible, with appropriate security barriers and entry controls Security containers Protectively Marked or valuable material must be secured in appropriate security containers. Large amounts of protectively marked material or equipment which cannot be stored in a security container, must be stored in a secure room For more information on Protective Marking see Procedure Secure rooms Rooms holding protectively marked material or sensitive assets will have windows, doors, locks and entry control which meets the appropriate standard Offices must be adequately secured when unoccupied, e.g. windows and doors closed and where applicable locked Office areas Hampshire Constabulary recognise and use the Need to Know principle. This is used to ensure that access to protectively marked material by individuals who do not have a need to access it is avoided Where practicable (adequate storage is available) a clear desk policy will exist. The purpose of a clear desk policy is to ensure that sensitive material is not left unattended A clear screen and wall policy will be enforced, screens must be positioned to prevent overlooking (e.g. overlooked by a window or reflective surfaces), where this is not possible other measures must be introduced, for example blinds Buildings Hampshire Constabulary will assess the security risks to it s estate ensuring that security is fully integrated

16 at an early in the process of planning, selecting, designing and modifying their facilities In any building in which protectively marked or other valuable assets are stored physical security controls will exist these will take into account the level of sensitivity and the level of threat to the site or assets Sensitive / covert sites and areas These sites / areas will include but are not limited to: a). Special Branch; b). Major Crime; c). Specialist Investigations; d). Scientific Services; e). Serious and Organised Crime; f). Intelligence Directorate; g). Professional Standards Department Anti- Corruption Unit; h). Professional Standards Department Security and Information Assurance Those sites listed above and those that use CONFIDENTIAL systems will require a higher level of security For advice of additional Security measures please contact the Security & Information Assurance Unit Physical Access Control Hampshire Constabulary will control access to its estate using safeguards that will prevent unauthorised access Hampshire Constabulary staff must familiarise themselves with this policy and this guidance on physical access Access control refers to the practice of controlling and monitoring access to a property or asset.

17 All Hampshire Constabulary employees and non-police personnel working for or on behalf of the Constabulary are required to wear (if not in uniform) / carry their ID / Warrant Card when on Hampshire Constabulary premises (See procedure 06104) Hampshire Constabulary employees are encouraged to challenge any individual who is not wearing an authorised identity card or uniform To restrict entry, Hampshire Constabulary premises will have either an automatic access control system (AACS) which works in conjunction with the ID / Warrant card to allow access for authorised personnel only or alternatively Mechanical Push Button Locks (MPBL) will be used A visitor is classed as someone which the station they are attending is not their normal place of work and/or they are not employed by Hampshire Constabulary e.g. contractor, from another agency. Visitors must report to either the reception or a staff member to advise of their presence Visitors must: a). b). c). d). Sign in and out of Hampshire Constabulary premises; Wear a temporary pass which must be returned on leaving; Be escorted whilst in the building; Regular contractors who have free and unsupervised access to the building must be vetted CCTV Where CCTV is installed it will be done in accordance with the Data Protection Act Working away from Hampshire Constabulary Premises For information on how to securely work away from Hampshire Constabulary premises see procedure

18 4. Implications of the Policy 4.1. Financial Implications / Best Value The implementation of the required information security standards will incur substantial resource implications for the Hampshire Constabulary. The cost of physical and technical security controls required for new initiatives will be included in their procurement Staffing / Training All staff in the Force will receive relevant training with regard to information security and will be required to reaffirm compliance with the Security Operating Procedures annually. Computer based training has been developed for Information Security and Data Protection this must be completed by all new starters Bureaucracy It is not envisaged that this policy will produce any undue bureaucracy Risk The main risk attached to the implementation of this policy would be through budgetary restriction Consultation In Creating this policy, consultation has been carried out with: 5. Monitoring/ Evaluation 5.1. The Professional Standards Department is responsible for the monitoring and, where appropriate, the enforcement of all breaches of Policy - Information Security and associated procedures.

19 6. Review 6.1. This policy will be reviewed every three years or more frequently as deemed necessary 7. Related Policies, Procedures and Information Sources 7.1. Related Force Policies/Procedures Professional Standards IT Security Management Security at Police Buildings 7.2. Information Security Procedures The HANTSPOL Guidance & Instruction for Information Security User s Responsibilities in Respect of Information Systems Remote Working / Mobile Media Force Identity & Warrant Cards & PCSO Designation Cards Protective Marking Secure Erasure / Disposal Data Protection Freedom of Information Responding to Requests Information Sharing Use of Internet Web Browsing

20 Security at Police Buildings 7.3. Information Sources HMG Security Policy Framework HMG Information Assurance Standards ACPO / ACPOS Information Systems Community Security Policy AD203 Equality Impact Assessment Origin: Information Management