CHESHIRE FIRE AUTHORITY

Transcription

1 CHESHIRE FIRE AUTHORITY ITEM: 4 MEETING OF : POLICY COMMITTEE DATE : 30 JANUARY 2013 REPORT OF : ASSISTANT CHIEF FIRE OFFICER, RICHARD OST AUTHOR : GRAHAM FOSTER SUBJECT : ICT USAGE AND SECURITY POLICIES Summary 1. The purpose of this paper is to gain approval for new and refreshed ICT policies which provide governance and guidance for staff on the use of ICT equipment and facilities following on from the investment the Fire Authority has made through the ICT programme of change. 2. The suite of policies provides guidance aimed at enabling staff to maintain standards and reduce the risk of information security breaches occurring. 3. The suite of policies falls into two distinct (but related) areas Usage: ICT Acceptable Use Policy (supplemented by Internet Policy, Policy and Mobile Phone Policy) Security: Firelink MDT Information Security Policy; Physical Security Policy, Removable Media and Mobile Device Policy and System and Remote Access Policy. 4. A further generic Information Security Policy (with Security Breach Reporting Process) will also be brought to Members at a later date. Members will note that this is referred to in some of the policies covered by this report). 5. The complete set of policies is required not just for internal governance but also to comply with external requirements (e.g. the continued connection to the Government network, Airwave). 6. The following are refreshed policies: ICT Acceptable Use Policy Policy Mobile Phone Policy

2 7. The following are new policies: Firelink MDT Information Security Policy Physical Access Policy Removable Media and Mobile Device Policy System and Remote Access Internet Policy 8. Members will note that the Usage policies make allowances to staff to enable them to utilise ICT equipment and facilities belonging to the Service for their personal use. In particular, officers will be able to use the Internet in their own time, e.g. lunch time, or during official breaks. 9. It is believed that staff should be encouraged to become better ICT users and allowing them some personal use will support this objective. It is also believed that with the improved ICT infrastructure personal use will not have a detrimental impact upon performance. Finally, there are better technical arrangements and approaches available to the Service to ensure that appropriate governance can be applied to the proposed arrangements. 10. Whilst it is fully expected that the improved ICT infrastructure will cope with the increase in traffic and that staff will act appropriately, it is recommended that there is a six month trial of the new policies with a detailed impact assessment being concluded before the policies are confirmed. Recommended That : [1] the policies be considered and approved; [2] The Assistant Chief Fire Officer be authorised to arrange for the implementation of the policies; [3] The Assistant Chief Fire Officer be required to carry out a review of the effect of the introduction of the policies prior to determining whether they should be confirmed (or amended); and [4] The Assistant Chief Fire Officer be authorised to make such minor changes to the policies as are necessary as a result of the review referred to above, or generally. Background 11. The investment made in ICT and the formation of the Programme of Change allowed for an upgrade to the technical aspects of the Service s infrastructure to take place. The Service is now in a position to implement governance around the new infrastructure to ensure it remains fit for purpose and manageable in the future. To do this, a refresh of current ICT policies and

3 procedures is required along with the creation of new policies to cover any missing elements in the previous arrangements. 12. Not only will these new policies provide good governance around the ICT infrastructure, they will also be used to evidence to DCLG conformity with the Airwave Code of Connection (and future connections for NW Fire Control & the Public Services Network (PSN)). USAGE ICT Acceptable Use Policy (Appendix 1) 13. The previous Acceptable Use Policy was approved in June 2006 and provided governance and guidance for the technology and employee requirements at the time. Since then we have seen considerable changes to the technology we can use to access our network and systems, along with changes in the way we use and access the Internet, and our expectations for the technology we use during our day-to-day life. 14. The refreshed Acceptable use Policy relaxes the Service previous strict No Personal Use element by allowing staff to use ICT equipment and more specifically, the Internet for personal use during break time. 15. The policy makes it clear, all personal use will still be recorded and should be reasonable, lawful, responsible and not impact on the business. 16. The new policy reflects the Service s developing culture and mature attitude to staff using CFRS ICT equipment to give greater freedom and access. Internet policy (Appendix 2) 17. The new Internet policy relaxes our previous restriction on staff using the Internet for personal use by allowing them to do so during break times. 18. The policy not only provides guidance on personal use of the internet but also the use of social media both for personal and business use. Policy (Appendix 3) 19. The policy has been refreshed to reflect the changes in Service systems over the past few years and states that all s and accounts maintained by the Service are the property and legal responsibility of CFRS. 20. Whilst the policy continues to state personal use of the system is not allowed, it also acknowledges that staff may be sent private s and provides guidance as to how they are expected to deal with them.

4 Mobile Phone Policy (Appendix 4) 21. The previous acceptable use policy included a section on mobile phone use but concentrated on their acceptable use rather than the capabilities of the phone as smart phones were in their infancy. 22. The new separate mobile phone policy is provided to define the current requirements relating to use of smart phones and devices. All elements of mobile phone use, including which phones are issued, smart devices accessing our infrastructure, security of mobile phones, general usage and security breach procedures are now included in this policy. SECURITY Removable Media and Mobile Device Policy (Appendix 5) 23. Removable media and mobile devices are increasingly used to enable information access and transfer. 24. However removable media and mobile devices are also a high risk for the Service in terms of loss of information, lack of Corporate access, duplicate work, and potential for attack on CFRS systems. 25. This policy defines how the Service will use removable media and mobile devices while managing information security risks. Firelink MDT Information Security Policy (Appendix 6) 26. CFRS have been using the secure government radio network, Airwave, for a number of years for voice communication during operational incidents. The Airwave network is also capable of carrying data between control and the mobile data terminals on each appliance. 27. Transmitting data between control and the appliances has a number of benefits such as dynamic mobilisation of the appliance using automatic vehicle location. 28. To enable CFRS to connect its mobile data terminals (MDTs) to the Airwave network for data messaging requires CFRS to have in place a number of ICT policies. 29. The first is the Firelink MDT Information Security Policy which sets the rules around how CFRS staff must use the MDTs and what CFRS must have in place in order to comply with DCLG code of connection. 30. What follows are the remaining policies for compliance to the Airwave Code of Connection

5 Physical Security Policy (Appendix 7) 31. Securing the physical access to ICT equipment is crucial to maintaining the integrity not only of the physical asset, but more importantly, the data the Service holds on its systems and network. 32. CFRS provides ICT equipment and services for staff to utilise in relation to the role they are employed to undertake. 33. Physical access to this equipment needs to be secured and monitored to ensure CFRS data and systems remain protected. 34. The policy has been developed to advise staff of the conditions under which they must protect access to both ICT equipment and systems and help them understand the importance of doing so. System and Remote Access Policy (Appendix 8) 35. CFRS has a duty and responsibility to protect information and systems as they are critical to service delivery. From an ICT perspective a major information security measure is to maintain appropriate access control. 36. Good access control will ensure that only authorised users can access information appropriate to their business needs, and that no unauthorised access and amendments can occur. 37. The Access Control Policy explains how access to CFRS systems will be protected. Financial Implications 38. None Legal Implications 39. The effective implementation of policies related to usage and security of ICT facilities and equipment should reduce risks to the organisation. The policies and their implementation would be considered if there was a security breach that led to an investigation by an external body, e.g. the Information Commissioner. Equality & Diversity Implications 40. A full E&D Assessment has been completed and is attached to this report.

6 Environmental Implications 41. A full EIA assessment has been completed and is attached to this report. CONTACT: JOANNE SMITH, FIRE SERVICE HQ, WINSFORD TEL [01606]