RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY POLICY Version 2.0.1

Transcription

1 RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION Version Revised and effective from 1st April 2012 Document Control Document Control Organisation Title Author Filename ICT Services Information Security Policy Tim Jones \\adrctcictnas2\gcsx\gcsx-project\policies and Procedures\Information Security Policy

2 Owner Author Subject Protective Marking Review date Head of ICT Steve Carter Information Security Unclassified The Information Management & Security Forum will formally review the Information Security Policy annually Revision History Revision Revisor Previous Description of Revision Date Version 20/02/09 ICT SMT 1.0. Final Document 11/09/09 ICT SMT 1.1 Amendments to reflect GCSX Use 22/11/11 Steve Carter 1.1 Updates 01/03/2012 Steve Carter 2.0 Additional paper based security Updates on Social Media, PCi and device control 01/04/2012 Steve Carter Review - Minor changes Document Approvals This document requires the following approvals: Sponsor Approval Name Date Information Management & 01/03/2012 Security Forum Andrew Hopkins (Internal Audit) Rhianydd Davies (HR) Phil Derham (Corp) Jeanette Howells (ESG) Josie Rhisart (Education) Sally Churchill (CCS) Andy Wilkins (Legal) Louise Evans 01/03/ /03/ /03/ /03/ /03/ /03/ /03/2012 ICT SMT Elaine Pritchard 19/03/2012 Tim Jones 19/03/2012 SIRO Leigh Gripton 21/03/2012 Document Distribution This document will be distributed to: Name Job Title Address All employees, members, contractors & third party suppliers Page 2 of 16

3 RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SUMMARY OF POLICY INTENTIONS The purpose of this Information Security Policy is to create a framework to protect the Council s Information Assets, whether electronic or paper based from all threats, including internal or external, deliberate or accidental (the Policy). It is the purpose of this Policy to ensure that: Information will be protected against unauthorised access. Confidentiality of information will be assured. Integrity of information will be maintained. Regulatory and legislative requirements will be met. Business Continuity plans will be produced, tested and regularly reviewed. All breaches of information security, actual or suspected, will initially be reported to the ICT Service Desk and where they will be appropriately investigated. Operating policies and procedures will be produced to support this Policy (see section 5 for more details) Business requirements for the availability of information and information systems will be met. The Head of ICT, in consultation with the Director (Customer Care & ICT), has direct responsibility for developing, promoting and raising awareness of this Policy and in providing advice and guidance on its implementation. Responsibility for Data Protection, within the context of the Data Protection Act 1998, is delegated to the Data Protection Officer. All breaches of information security, actual or suspected, electronic or paper based, must be reported to the ICT Service Desk for further investigation. All Group Directors, Directors, Service Directors and Heads of Service are directly responsible for implementing and managing this Policy within their Service areas. Page 3 of 16

4 It is the responsibility of each employee to familiarise themselves with this Policy and fully adhere to its requirements. Priorities One of the ICT Services top priorities is to improve its security controls in line with best practice (namely International Standards Organisation (ISO 27001)) This Policy has been produced to help promote best practice and will act as a catalyst for further policies and procedures to improve security controls for information within the Council. As new policies emerge and existing ones are amended, staff and other users will be updated on the most recent policies appropriately. Policy Revision The Information Management Group will periodically review and re-issue this Policy where appropriate drawing attention to any changes that may have been made. Page 4 of 16

5 INFORMATION CONTENTS Page 1. Definition of Information Security 6 2. Scope of Policy 7 Statement of Management Intent 7 Links to ICT Services Objectives 7 Responsibility for Information Security 8 3. Control Framework 8 Information Asset Control - General Responsibilities 8 Authorisation for use of ICT computer equipment 8 Computer Systems 9 Computer Data 9 Creation of Databases (Sub-systems) 10 Storage Users responsibilities 11 General Protocol for Use of ICT 11 Users Responsibilities Reference to Other Policies Structure of Risk Management Education, Training & Awareness of Information Security Business Continuity & ICT Disaster Recovery Reporting Security Events (Breach of Controls) Consequences of Breach to Policy 15 Exemptions from this Policy Compliance with Legislation Reminder of General Responsibilities 16 Page 5 of 16

6 1. Definition of Information Security INFORMATION 1.1 Information is an asset that, like other important business assets, is essential to an organisation s business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment. As a result of this increasing interconnectivity, information is now exposed to a growing and wider variety of threats and vulnerabilities. 1.2 Information Security is the protection of information from a wide range of threats in order to ensure business continuity, minimise business risk and maximise business opportunities. 1.3 Information Security is achieved by implementing a suitable set of controls, including policies, processes and procedures, organisational structures and software and hardware functions. 1.4 These controls need to be established, implemented, monitored, reviewed and improved where necessary, to ensure that specific security and business objectives of the Council are met. 1.5 This Policy will support ICT Services in its operation of Information Security whose aim is to maintain: Confidentiality of information Integrity of information Availability of information protecting access to it; preventing alteration of information; and ensuring information and services are available to authorised persons when required. 1.6 This Policy intends to help minimise the risks, from whatever source, to the security of Information and intends introducing appropriate levels of controls to offer adequate protection without unnecessary expense or intrusion. 1.7 The Council recognises Information Security as an enabler to service delivery and sharing of information with the Council s partners. The Council s aim is to implement effective, efficient and appropriate security controls to match requirements of both good practice and those of its partners and demonstrate to the citizens that information held about them, and information they may require, is held and delivered in a secure manner. Page 6 of 16

7 2. Scope of Policy 2.1 This Policy applies to the use of any Information facilities including hardware, software, buildings and networks provided by the Council and is applicable to all members of the Council including elected members, staff, contractors, consultants, visitors, authorised third party users and any other authorised users who access the Council Information Systems. 2.2 All Information Assets are corporate assets. This Policy covers all Information Assets, wherever they exist, which are either the Council s property or can reasonably be held to be the property of the Council. 2.3 This Policy also covers data held for the purpose of the councils business on all media inclusive of paper documents and electronic files. Statement of Management Intent: 2.4 ICT Services has a positive commitment set out in its ICT Plan and Information Management Plan to maintain communications with both Service Groups and key suppliers to help support and implement the goals and objectives of this Policy. Links to ICT Services Objectives: 2.5 As part of its objectives, ICT Services has identified the following two objectives that correlate to this Policy. It intends to: Delivering a flexible, available and secure infrastructure, ensuring continuous and equitable access to ICT Ensure the most effective use of information governance and integration to provide a platform for more secure efficient data sharing. 2.6 Fundamental to the success in meeting these objectives will be the adherence to Information policies and procedures, this Policy being the one that underpins the impetus to succeed in this endeavour. Responsibility for Information Security: 2.7 The Director for Customer Care & ICT has overall accountability, under the Council s Scheme of Delegation, for the security of Information facilities and the post also fulfils the function of Senior Information Risk Officer (SIRO) for the Council. In addition to this and the above Management s commitment, ICT Services will engage with the Information Management Group as an appropriate forum that will monitor progress towards the implementation of controls as set out by ISO and the ICT Strategic Steering Group will act as a decision point at key stages in the process. The Director of Customer Care & ICT will chair this forum. Page 7 of 16

8 3. Control Framework Information Asset Control - General Responsibilities: 3.1 Every piece of information and the physical media upon which it is stored and the physical or wireless media through which it is transmitted, is classified as an Information Asset. This information is collected, classified, organised and stored in various forms: Applications Databases Data Files Operational and Support Procedures Archived Information Continuity Plans Computer Equipment Communications Equipment Telephony Devices Storage Media Specific Technical Equipment Paper Based Documentation and Files 3.2 These information assets are owned by the Council and will be maintained on a Corporate Information Asset Register. Data held on paper and other physical storage devices are also classified as Information Assets. Authorisation for Use of ICT Computer Equipment: The Directors and Heads of Service are responsible for computer equipment under their control to ensure its proper use. Only persons authorised by the Directors of the Council, Heads of Service or delegated Managers may operate computer equipment. All acquisitions of computer equipment must conform to Contract Procedure Rules and Financial Procedure Rules (current edition) and must be appropriately procured via published ICT Services procedures. (Available at respectively.) Only authorised ICT staff may connect or disconnect Council computer equipment from designated connection points. (With the exception of Mobile Computer users). In certain circumstances, ICT Services may delegate this responsibility for specific staff relocation purposes. Only software authorised by Group / Service Directors or Heads of Service, may be installed and accessed on any Council Computer System post consultation with ICT. Details of which should be shared with ICT Services to ensure security measures are followed appropriately and that Page 8 of 16

9 ongoing software support can be arranged. Only authorised ICT staff may install or uninstall hardware, applications software, firmware, device drivers or applications programming interfaces to computer systems. In certain circumstances, ICT Services may delegate this responsibility for specific staff relocation purposes. Computer Systems: Council Computer Systems and associated Council business software applications must be used primarily for the purpose of Council business unless authorised by the individual user s manager for limited personal use outside of working hours. No personal computer, personal media device or network system is to be connected to the Council s computer systems without authorisation and the consent of the Head of ICT, or staff with appropriate delegated authority. All laptops must be encrypted with the Council s encryption system. The only exception being where agreement is reached with the Information Management Officer to utilise an alternative method of ensuring the security of any data held on the device. All removable media such as USB storage devices must be encrypted to a minimum of 128 bit encryption. All mobile phones, smart phones, tablets or PDAs must be protected with a strong password and should any device be used to store personal or sensitive information it must be encrypted. All areas where ICT Servers or Communications equipment is sited should be secure with access restricted only to ICT staff or staff who have been given appropriate permission from a Head of Service. No telecommunication channel to remote systems is to be established from any Council computer equipment without authorisation and the consent of the Head of ICT, or staff with appropriate delegated authority. Data: Directors and Heads of Service are responsible for information under their control and to ensure its proper use. Copyright of all Council data is vested in the Council. No intellectual property rights may be claimed by any authorised user over data and information produced by Council owned systems. Any record of personal information recorded on any data file within the Council s paper based systems is the responsibility of the employee to ensure compliance with the Data Protection Act Users that require access to PROTECT or RESTRICTED information and are required to use the Government Secure Extranet (GCSx) facilities or PCi must be cleared to Baseline Personnel Security Standard. Page 9 of 16

10 Deliberate attempts to gain unauthorised access to copy, destruct, destroy, alter, interfere or generally subvert any Council Computer System, Information Asset or Communications System is forbidden. Unauthorised disclosure of information is forbidden. All data accessed, stored, received and transmitted by an authorised user is the responsibility of that user whilst their userid is valid within Council owned computer systems. Upon termination of access and/or termination of contractual employment of that user, the data currently and previously accessed, stored, received and transmitted on or by Council owned Computer Systems by virtue of the userid properties becomes the sole property of the Council, and its access, control, archive, dissemination and deletion immediately inherited by the Local Head of Service or Head of ICT as appropriate. The security of all paper based data accessed, stored or transported is the responsibility of the data owner. Paper records and files containing personal or sensitive data should be handled in such a way as to restrict access only to those persons with authorisation and business reasons to access them. Personal and sensitive information held on paper or any other media must be protected from visitors or unauthorised staff to offices. Before any personal data is transported the consent of the Data Owner must be obtained and the identity and authorisation of the recipient must be formally confirmed and documented. Facsimile technology (fax machines) should not be used for transmitting documents containing personal data where avoidable. If faxing is the only available option of transmitting documents containing personal data a procedure should be followed whereby the recipient is informed, prior to faxing, of the imminent arrival of documents containing personal data by way of fax. All projects relating to the way information is handled, or involving new information must be reviewed at the outset of the project to ascertain if a Privacy Impact Assessment should be included as part of the project. All data sharing with parties outside the Council must be documented and agreed using the appropriate forms and details must be passed to the Data Protection Officer. The creation and subsequent use of personal databases containing Council data is forbidden unless authorised by ICT Services. (See section 3.3.) Creation of databases (sub-systems): 3.3 The creation of a database (via applications such as Microsoft Excel or Microsoft Access) by using or duplicating Council data from approved systems to assist you in your day to day duties is not permitted, unless appropriately authorised and it includes the following principles: Page 10 of 16

11 It is appropriately registered with ICT Services to allow recognition and ongoing ICT support; It is legally licensed; It is held securely and is subject to appropriate back up controls; and It doesn t compromise the integrity of an existing authorised system or process or undermine Management s objectives for the use of that data. Must be deleted when no longer required Note - spreadsheets are databases. If in doubt, contact the ICT Service Desk for further advice. Storage: Computer input and output whether printed or electronically stored (CD/DVD type), must be stored securely in accordance with the sensitivity of the information printed or stored. Waste computer output whether printed or electronically stored (CD/DVD type), must be disposed of with due regard to its sensitivity. All confidential printed output must be shredded or appropriately disposed of as confidential waste. Paper documents must be stored securely in accordance with the sensitivity of the information. 4. Users Responsibilities General Protocol for Use of ICT 4.1 General use of ICT must be controlled by policy to enable the efficient business use of computer facilities within the Council. Users Responsibilities: All authorised users of the Council are expected to use computing and telephone facilities within their environment in a responsible manner to the benefit of the Council without offence to other users, the public and any third party with whom they are communicating. Authorised ICT staff will set up users with a systems profile, which allows access levels to Council systems, Information, applications and computer devices as determined by the user s Manager. All users are issued with a permanent logon userid and initial personal password. The combination of userid and password enables logon and sign-on to the Councils networked computer systems. Users are compelled to change their password at least every 60 days. Certain applications require additional userid s and passwords, which will be issued by the relevant application owner or ICT Services, according to ownership, access rights and distribution. Page 11 of 16

12 In all cases, the personal password(s) issued will be known only to the authorised user and must not be written down or physically or electronically stored by the user. The disclosure of passwords, directly or indirectly is forbidden with the notable exception being where it is essential to disclose it to a member of ICT Services to facilitate maintenance or resolve user password problems, in these circumstances, once maintenance is complete or problems have been resolved, users should change the password to retain privacy. Where authorised group access applies, the disclosure of passwords to anyone outside of the authorised group is forbidden. The use of any userid and/or password other than your own or, where applicable, that of the authorised group is forbidden. Users must utilise lock computer (by holding down the Ctrl, Alt and Del buttons simultaneously then clicking on the lock computer tab) and use password enabled screen savers at all times when leaving their workstation unattended. Computer systems screensavers and background images must be one of the default range provided by the computer. Creation, modification or manufacture of an image that portrays a pornographic, sexual, violent, capable of inciting violence, terrorist or rebellious, or offensive image or text is forbidden. Any illegal or unlicensed use of software is forbidden. All Council owned Computer Systems are enabled with ICT installed antivirus software. Attempted removal, modification or subversion of this software is forbidden. Staff who access sensitive or confidential information must be aware of their responsibilities under the Data Protection Act and actively seek training where necessary. Staff required to access facilities on the GCSx network or information derived from that source must read and understand the GCSx Acceptable Usage Policy and accept the conditions set out in the Personal Commitment Statement Staff required to use systems under PCi governance must read and accept the PCi and Income Management Policies. 4.2 If you are in doubt as to any of the above issues, you should contact the ICT Service Desk for assistance. (ICT Service Desk ) or via at ictservicedesk@rhondda-cynon-taff.gov.uk Page 12 of 16

13 5. Reference to Other Policies 5.1 The following documents will be added to as further Information policies are developed as part of the on-going improvement process for Information Security. The following policies will together constitute a framework of policy and guidance that governs the operation of Information Security within the Council: This Information Security Policy Internet and Acceptable Use Policy Password Management & Personal Firewall Policies Malware & Patch Management Policies Portable & Remote Computing Policy Information Security Incident Management Policy GCSX Information AUP & Personal Commitment Statement Protective Monitoring Policy Network Time & Physical Security Policies Third Party Connection Agreements ICT Disaster Recovery Plan & Business Continuity Planning Risk Management/Business Impact Analysis Approach PCI and Income Management Policies Records Management and Retention Policy Freedom of Information & Data Protection Policies Subject Access Request Policy Regulation of Investigatory Powers Policy Environmental Information Regulation Policy Social Media Policy This document, and subsequent new and supporting guides and procedures, are available at the above intranet link or on request via the ICT Service Desk. 6. Structure of Risk Management 6.1 The Council shall protect its information assets commensurate with their value and importance to the Council. Risks will be determined and assessed and appropriate control measures put in place to minimise such risks. The Council s Risk Management Group is responsible for developing and monitoring such risks although Information Security is an operational service risk which is managed by ICT. 7. Education, Training & Awareness of Information Security 7.1 All employees will be asked to read, familiarise and ensure they have understood this Policy and their role and responsibilities in complying with it. Page 13 of 16

14 7.2 ICT Services will actively promote this Policy and other related policies, both internally and externally, and will make staff aware of any changes or new policies as and when they occur. 7.3 All users must be made aware and have access to appropriate Information Security guidance and where users are to work with information of a personal or sensitive nature they must receive appropriate information security awareness training. 8. Business Continuity & ICT Disaster Recovery 8.1 The Council will aim to provide business continuity for its critical information systems in the event of systems failure The purpose of a Business Continuity Plan is to reduce, to an acceptable level, the actual or potential disruption caused by disasters and/or failures of security. The role of the plan is to provide documented pre-agreed decisions and procedures for responding to incidents in order to continue business operations in relation to people, premises, ICT, information, supplies and stakeholders. The Business Continuity Plan coordinates several areas of response and is owned by the Group Director for Environmental Services The purpose of an ICT Disaster Recovery Plan is to reduce, to an acceptable level, the actual or potential disruption caused by disasters and/or failures of security. The role of the plan is to provide documented pre-agreed decisions and procedures for responding to incidents in order to continue business operations specifically in relation to ICT services. This approved plan forms part of the wider Business Continuity Plan and is owned by ICT. 8.3 The risk management process will provide a means of considering the risks to each information asset and the controls needed to reduce the risk of failure. A combination of preventative and recovery controls will be used. 9. Reporting Security Events (Breach of Controls) 9.1 Any employee or information user of the Council who considers that this policy has not been or is not being followed by any user in respect of computer, , paper documents or internet usage, the results of which could be damaging to other staff, service users, or the Council, or illegal in any way, must raise the matter with their line manager, or if not appropriate, the ICT Service Desk. All security events must be reported to the ICT Service Desk ( ictservicedesk@rhondda-cynon-taf.gov.uk) as defined in the Information Security Incident Management Policy as soon as they become apparent. Security events can be any instance of security breach, threat, weakness or malfunction, which may impact on the security of the Council s Information Assets. Page 14 of 16

15 9.2 All staff or agents of the Council will be encouraged to report any security event, actual or potential, without fear of recrimination. Every effort will be made to learn lessons from security events in order that preventative controls may be put in place for the future. 9.3 Where an employee or computer or information user of the Council inadvertently makes a genuine mistake or the unexpected occurs it should be reported to their line manager or the ICT Service Desk without delay. 10. Consequences of Breach to Policy 10.1 Any breach of this and related policies may warrant further investigation that may lead to an investigation by Internal Audit, the Council s disciplinary procedures being invoked and in certain circumstances, may necessitate the involvement of the Information Commissioner s Office and/or the Police To help facilitate any such investigation, the Information Commissioners Office and/or the Council reserves the right to monitor, access and review any individuals use of Council Computer equipment, information systems and facilities covered by this policy without the additional consent being required from any employee. ICT Services monitoring tools for example are capable of detailing an individual user s activity during the day such as files accessed, created and deleted, access to the internet, websites visited, the times visited and the number of s sent / received on any given day. Using this information, monitoring and surveillance may be undertaken for the purpose of business operations, audit and security or where there is reason to believe that a breach of security or a breach of policy has occurred. In some circumstances equipment including personal storage media may be seized by ICT Services for forensic analysis. Exemptions from this policy: Authorised ICT System Administrators are exempt from this policy as their associated userids enable those authorised to offer the ability to provide proactive maintenance of Council owned computer systems and protection of Information Assets. At all other times ICT officers must adhere to this Policy. 11. Compliance with Legislation 11.1 The Council, its employees and agents must comply with all UK and European legislation that is pertinent to the security of its ICT facilities. This legislation includes the following and any statutory modifications or amendments: The Civil Contingencies Act (2004) Freedom of Information Act (2000) The Regulation of Investigatory Powers Act (2000) Page 15 of 16

16 STATEMENT DATE: 01/04/2012 Electronic Communications Act (2000) The Data Protection Act (1998) The Computer Misuse Act (1990) The Malicious Communications Act (1988) The Copyright, Designs and Patents Act (1988) The Telecommunications Act (1984) The Theft Act (1968) The Obscene Publications Act (1964) The Criminal Justice Act (1987, 1991 and 2003) The Race Relations Act (1965) Contract Law (a range of UK and EU legislation) UK and EU Human Rights Legislation 12. Reminder of General Responsibilities All Group Directors, Directors, Service Directors and Heads of Service are directly responsible for implementing this Policy within their Service areas, and for adherence by their staff. It is the responsibility of each employee to familiarise themselves with this Policy and fully adhere to its requirements. Any breaches of this and related policies may warrant further investigation that may lead to the Council s disciplinary procedures being invoked, an investigation by Internal Audit and, in certain circumstances, may necessitate the involvement of the Police End of policy document Page 16 of 16