Chiltern District Council ICT Security Policy

Transcription

1 Chiltern District Council ICT Security Policy Chapter 3 Information Security Policy Version 2.1: 31/03/2012 Page 1 of 6

2 CONTENTS 1 Information Security Incident Management Policy Overview Policy Statement Scope Payment Card Industry Data Security Standard (PCI DSS) Forwarding payment card information User access controls Secure connection through the GSi network Availability of the GSi Reporting Information Security Events and Weaknesses Reporting Information Security Events Reporting Information Security Weaknesses Reporting Information Security Events for ICT Support Staff Collection of evidence Responsibilities and procedures Management of information security incidents and improvements Policy Compliance 6 Version 2.1: 31/03/2012 Page 2 of 6

3 1. Information Security Incident Management Policy 1.1. Overview The aim of this policy is to ensure that Chiltern District Council s information systems and data are protected from any actual or suspected security incidents. The definition of an event is an observable change to the normal expected behaviour of a system. An incident can be service affecting and is an adverse event that has caused or has the potential to cause damage to an organisations assets, reputation and/or personnel. An incident is also an event attributable to a human cause or an event that could signify malicious intent. An incident can include loss of paper records containing secure information as well as the loss of any removable media containing secure Council data. Incident management in ICT is concerned with intrusion, compromise and misuse of information and information resources, and the continuity of critical information systems and processes. This policy applies to all Chiltern District Council employees with the exception of sections to that applies to ICT Support staff only. Reported events and weaknesses need to be assessed by the ICT Department Policy Statement All Chiltern District Council employees, contractors and users with access to Chilterns ICT hardware/software and information (in any format including electronic and paper records) are responsible for ensuring the safety and security of the Council s systems and the information that they use or manipulate. All employees must complete the ICT Security training module in order to understand the importance of ICT Security. By signing the user acceptance in Chapter 1 of this policy you are confirming that the training module has been completed. ICT SECURITY TRAINING MODULE 1.3. Scope of this Policy This policy applies to all users of the Council s facilities and equipment including staff and any third party suppliers and contractors. All users have a role to play and a contribution to make to the safe and secure use of technology and the information that it holds Payment Card Industry Data Security Standard (PCI DSS) Users must understand the importance of protecting information that the council holds with regard to payment card information received from members of the public. Acceptance of this policy confirms that understanding Forwarding payment card information PAN s (Primary Account Numbers) should be rendered unreadable or secured with strong cryptography whenever they are sent via end-user messaging technologies e.g. , instant messaging. Advice must be sought from ICT with regard to this. Under no circumstances should unprotected PANs be sent via end-user messaging technologies. Version 2.1: 31/03/2012 Page 3 of 6

4 1.4.2 User access controls Any changes to user access must be approved by the Administration Manager who is the Software Administrator for the card payment system. This approval must be communicated to the ICT Service Desk by so it can be attached to logged call Secure connection through the GSi A number of organisations have the facility to send secure communication through the GSi (Government Secure Intranet). Chiltern provides this facility to relevant users who are required to send communication that needs to have the protective marking of RESTRICTED. This is done by giving the relevant users access to a secure GCSX address. Any communication sent or received through the GSi may be intercepted or monitored. The user acceptance that you have signed (see Chapter 1 Introduction) indicates compliance with this policy. It s important to note that users must not use their GCSX address as a sender field when ing content from the Internet to the GSi Availability of the GSi Connection to the GSi is made through Cable & Wireless. Sometimes it may be necessary for relevant CDC users to send bulk across the GSi to a large number of recipients or to send large file attachments. If this ever applies to you, you should contact Cable & Wireless to ensure that there is no impact on the availability of the GSi mail service. Contacting Cable & Wireless can be done through the ICT Helpdesk or directly to; IGC service Support desk it/servicedesk@tameside.gov.uk Connecting to other Public Sector networks through the GSi If a connection needs to be made to other Public Sector networks (e.g. Primary Care Trust, NHS, Paradigm Housing etc.) through the GSi, the IGC Service Support desk will need to be contacted to allow and approve the connection. Their contact details are in section of this chapter. This must be documented as a change control process 1.6. Reporting Information Security Events & Incidents Reporting Information Security Events & Incidents for all Employees Security events, for example a virus infection, could quickly spread and cause data loss across the organisation. All users must be able to identify that any unexpected or unusual behaviour on the workstation could potentially be a software malfunction. It s important to note that any loss of information, be it on removable media or paper records constitutes a security incident. Lost/stolen paper records containing secure information should be treated in exactly the same way as a lost/stolen memory stick containing secure data. Please see 1.1 for the definition of a security event and incident. Every department in the Council must have a procedure to help identify what a security event/incident is and the possible severity of the event. The reporting procedure is as follows; Version 2.1: 31/03/2012 Page 4 of 6

5 Any event/incident should first be referred to your immediate line manager. The procedures in place for each department should be referred to in order to establish the severity of the event/incident. The ICT Helpdesk must be informed as soon as practicably possible. If a security event is being reported you should note the symptoms and any error messages on screen. If a security incident is being reported you must forward any evidence that you may have (see 1.5.4) together with any information pertaining to the loss of data on removable media/paper files. Once the information is collated and logged by the ICT Helpdesk the security event/incident is reported to the designated ICT Security Officer. The ICT Security Officer must inform the Chief Executive and also GovCertUK if the event/incident becomes service affecting. Please refer to 1.6 for the GovCertUK reporting procedure Reporting Information Security Weaknesses for all Employees Security weaknesses for example a software malfunction must be reported through the same process as security events/incidents. Users must not attempt to prove a security weakness as such an action may be considered to be misuse Reporting Information Security Events for ICT Support Staff Information security events and weaknesses must be reported to the designated ICT Security Officer and the ICT Helpdesk as quickly as possible. Security events can include: Uncontrolled system changes Access violations Breaches of physical security Non compliance with policies Systems being hacked or manipulated Security weaknesses can include: Inadequate firewall or antivirus protection System malfunctions or overloads Malfunctions of software applications Human errors Collection of Evidence If an incident may require information to be collected for an investigation strict rules must be adhered to. The collection of evidence for a potential investigation must be approached with care. Internal Audit must be contacted immediately for guidance and strict processes must be followed for the collection of forensic evidence. If in any doubt about the process to follow, contact the Head of ICT or the Infrastructure Manager Responsibilities and Procedures Management responsibilities and appropriate procedures must be established to ensure an effective response against security events. The ICT Security Officer must decide when events are classified as an incident and the most appropriate response. All incidents must be logged and include details of: Version 2.1: 31/03/2012 Page 5 of 6

6 Identification of the incident, analysis to ascertain its cause and vulnerabilities it exploited Limiting or restricting further impact of the incident Tactics for containing the incident Corrective action to repair and prevent reoccurrence Communication across the Council to those affected The process must also include details referring to the collection of any evidence that might be required for analysis as forensic evidence Management of Information Security Incidents and Improvements If an event becomes service affecting it must be escalated to a Security Incident. All security incidents must be reported to GovCertUK using their reporting process detailed below; GovCertUK Reporting Process Incidents should be reported by the Departmental Security Officer, or equivalent (or an individual authorized by the DSO). We recommend that you telephone number for an initial response, which should be followed up with an to incidents@govcertuk.gov.uk using the incident template (doc). During office hours ( ) all correspondence is monitored by the GovCertUK response team. Outside office hours, at weekends and on public holidays all correspondence will be monitored by a nonspecialist duty officer, supported by on-call GovCertUK response personnel. When speaking to the duty officer, please be clear that the call is for GovCertUK. Where possible as much supporting information as possible should be supplied, such as log files, internal/external IP addresses, affected Operating Systems, patch levels and policy etc. Please refer to for more information Policy Compliance If you are found to have breached this policy, you may be subject to the Council s disciplinary procedure. If you have broken the law, you may be subject to prosecution. If you do not understand the implications of this policy or how it may apply to you, seek advice from the ICT Helpdesk. Version 2.1: 31/03/2012 Page 6 of 6