1 Security Awareness A Supplier Guide/Employee Training Pack May 2011 (updated November 2011)
2 Contents/Chapters 1. How do I identify a DWP asset 2. Delivering on behalf of DWP - Accessing DWP assets 3. How will I know when and how to protect a DWP asset 4. Consequences of not adequately safeguarding information 5. Office environment and data security (premises) 6. Personnel and security 7. Communications and security 8. Portable media and security 9. Data Protection Act 10. Technical security 11. Security incidents 12. Areas for consideration specific to your organisation
3 1. How do I identify a DWP asset? Definition of a DWP Data asset: An asset is any information or collection of information that is in the supply chain and processed on behalf of DWP, this can include personal or sensitive data regarding individuals and also policy advice. It can also be software and physical assets such as computers or buildings. DWP assets Information and data electronic, paper based media in any form. DWP Data assets: Any personal/sensitive data that the DWP collects, stores, uses and transmits or shares with others and is Data Controller of under the Data Protection Act. For example: Client records anything from a name to National Insurance Number, date of birth, health records, address etc. DWP Staff data anything from a name, address, date of birth, health record etc. Physical assets IT, laptops, mobile phones, machinery or premises. Protecting these assets also helps to provide personal security for our people and customers.
4 2. Delivering on behalf of DWP Accessing DWP assets As an organisation or as an individual you are required to protect DWP assets you access. Access to assets is protected by law which includes trespass, and in the case of personal data - by the Data Protection Act. You are only allowed to access assets if you have a genuine business reason and agreed authority to do so. You must not provide, share or allow access to DWP assets to anyone who does not possess a right to that asset. By allowing unauthorised access, accessing data without authority yourself: losing, misusing or enabling misuse of data you may be in the uncomfortable position of breaking a law.
5 3. How will I know when and how to protect a DWP asset? If you are unsure that you have appropriate authority and a genuine business reason to handle an asset you should seek advice from your manager or supervisor: or the author or sender of the item.
6 4. Consequences of not adequately safeguarding information: Customer Stress, distress Identity theft Financial loss Physical harm e.g. victims of domestic violence. Public/DWP Confidence Loss of public/dwp confidence Accountability Embarrassment Theft of commercial information. Personal Information Distress at personal details being known e.g. Absence record, Staff Reports, Previous disciplinary Information. Misuse of information or failure to follow correct policy may result in disciplinary action and possible dismissal.
7 5. Office environment & data security (premises) Keeping you and your office safe Are you aware of your environment and why the security measures in place are important? Working securely means being alert, not necessarily suspicious of, all situations that might impact on the business. This includes threats to individuals and premises. Threats to you and your environment can come from a variety of sources:
8 Controlling access to sites Allowing unauthorised and unchecked access to sites may allow an intruder to cause damage to the premises, harm to individuals or steal valuables. Visitors require access to premises for legitimate business reasons e.g. clients attending appointments, engineers to install equipment, colleagues for meetings. Without exception, they must all follow the correct security procedures for that site. Don t let anyone follow you into the office; if it is unclear who they are. Wearing a pass and or name badge at work helps to identify authorised members of staff and to identify and challenge people who should not have access. Plus, the requirement for visitors to sign in will avoid unauthorised access. If you are required to enter a code into a digit-lock, do not let anyone else see the code.
9 Signposts to official assets and individuals Wearing identity passes away from official premises may alert others to official business being undertaken. Wearing ID away from the office may put an individual at risk and alert others to where they work and live. Leaving the office A Clear Desk Policy is not just about clearing everything from your desk. Is there anything left on the printer, photocopier or fax machine? Lock papers away before leaving. If you are last to leave, make sure windows and cupboards are locked and the keys are secure. Remove paper on faxes to avoid receiving messages when unattended. Switch off faxes, photocopiers and printers where possible. Are there any papers, files or information on desks or in post trays. Are all cabinets and cupboards locked and are keys removed and stored safely.
10 6. Personnel and security What should be your personnel security objective? - To protect personal and sensitive personal data from accidental or deliberate loss or misuse. To ensure that staff are aware and are compliant with DWP Policies and requirements with regard to correctly handling data. Covering: Staff vetting Contractual obligations Training, induction and ongoing refresher training Confidentiality Legal obligations Disciplinary process
11 Personnel and security - key messages Staff Vetting as a Government Department DWP must satisfy Cabinet Office requirements including the need for staff vetting before being allowed access to data assets, which extends to DWP suppliers. Therefore all supplier staff are required to go through the following security checks before handling DWP data identity, employment history, nationality, immigration status, criminal records check. Training, induction and ongoing refresher training Based on a DWP requirement, on induction to the company and prior to handling DWP data you should have received security training (of which this slide pack may be part of). You will be required to attend refresher training on a regular basis during your employment. Confidentiality all suppliers are required to sign a confidentiality agreement as part of the DWP contract. Contractual obligations depending on the contract you may have been asked to sign individual confidentiality agreements or it may form part of your contract of employment. Legal obligations you must be aware of your legal obligations when handling any data, they include: Data Protection Act, access rights, Computer Misuse Act and Freedom of Information Act). More information is available on the Cabinet Office Website. Disciplinary procedures it is important to understand that if any misuse, disclosure, loss of data occurs, this could lead to disciplinary action.
12 7. Communications and security What should be your communications management objective? - To ensure the integrity and availability of DWP data and reduce security risks to DWP data using media which must be controlled and comply with all applicable legal requirements. Covering Accessing information and systems Unauthorised access to your account General password information Sending information by Transferring hard-copy data by post Stop and think
13 Communications and security Accessing information and systems We all have bank cards to access our money and buy goods. Think about how you look after your bank cards where do you store them? Where do you keep your PIN? Is it easy to guess for example your birthday. At the office we use passwords to manage access to information and the tools we need to do our jobs. Much of the information that is held has great value not only to our customers, but to someone who may want to steal it. How do you store valuable documents e.g. passports, birth certificates and bank statements? Are they in a safe place and somewhere you can always find them? Think about how you dispose of letters containing your name and address and personal details how careful are you in ensuring that your identity and finances are protected? It is just as important that you take care of other people s information at work.
14 Unauthorised access to your account In most organisations it is likely that when you log into your PC, your account can be used to access any of the systems you are authorised to use. Therefore, any unauthorised actions would be logged against you. Private and confidential information could be viewed or your account used to send inappropriate s. Someone could access inappropriate Internet sites. Access to applications and information is controlled to protect you and our organisation. General password information Your password: must be known only to you and should not be easily guessed must not be shared should contain a combination of upper and lower case letters must not contain characters that are all the same e.g or a sequence of letters or numbers e.g. ABCDE avoid anything obvious like password or welcome. If you think someone knows your password then change it immediately. If you need to write it down then make sure that you keep the note secure and try to disguise it so that it does not look like a password.
15 Sending information by There are some occasions where we can safely respond to an by an , for example: Where an from a customer or member of staff is asking for a simple action or confirmation (e.g. have you received my claim form? Could you confirm the date of my appointment?) Where a customer or member of staff is, for example, complaining about a generic issue (e.g. I could not get through on the telephone; I could not find anyone to answer my query). At the same time, we need to observe some basic rules, as follows: We should not, under any circumstances, disclose or confirm, in an , details of customers address, National Insurance Numbers or bank accounts or information that is already known to them. We should never give out multiple customer details in a single reply. Above all, if an incoming looks odd or doesn t ring true, then we should seek to verify the sender s details by contacting them using details already held (rather than those provided in the ) or seeking further authentication before sending a substantive reply. If doubts remain, we should reply by ordinary post to the person s recorded home address.
16 Transferring hard copy DWP data by post - key messages: Always use a Fully Tracked Service when sending DWP personal data of about 50 or more individuals together (in the same envelope). A Fully Tracked Service should be used as standard for DWP items going to/from storage/archiving facilities. A Fully Tracked Service should also be used for smaller numbers for more sensitive personal DWP data i.e. Transfers containing name along with for example, National Insurance Number, health records, financial records, work history, personal etc (20 or more items). All staff must ensure that correct courier or postal addresses are used. It is the sender s responsibility to consider the scale and sensitivity of the information that is being sent, and whether additional security (i.e. using a Fully Tracked Service) is required. If incorrectly addressed DWP mail is received; you must ensure appropriate care is taken to safeguard the package until the correct recipient is known. The package should be sent using a similar fully tracked service. This approach will avoid any risk to the DWP personal/sensitive data that may be contained within the package.
17 Social networking Where posting information or personal comments on-line; or considering any television appearances or other media such as newspaper articles; staff must: not disclose any knowledge and official information, make commitments or engage in activities on behalf of the Department unless you are authorised to do so. not represent the Department when expressing personal opinions. Seek permission before taking part in any media activity that may identify you as delivering a contract on behalf of the Department. not pass official information on or make it available to any person e.g.. newspapers, journalists or give interviews about the Department without appropriate authorisation. understand that such unauthorised disclosure of information is very serious and disciplinary action will be taken for failing to comply.
18 Stop and think! Do you have the authority to send the information? Does the recipient have the authority to receive it? Do you need to send the information is there a different way of dealing with it? Only send the bare minimum to satisfy the request for information and remove any information that is not required to answer the query. What are your options for sending the information? What are the options for posting or sending the information electronically or by post or courier what are the restrictions on these? What is the likelihood that the information will go astray? What is the potential damage or embarrassment? What would be the impact on you/your employer?
19 8. Portable media and security Definition: Portable media includes laptops, memory sticks (USB) but can also include blackberries, palmtops, personal digital assistants, electronic diaries and organisers as well as mobile phones and smart phones etc. Also this could be any media containing DWP Personal Data such as hardcopy paper. What should be your portable media Objective? - To ensure that equipment, systems and services containing personal and sensitive personal data, are protected from unauthorised access, theft, interference or damage. Covering Travelling Working offsite including outreach working.
20 Portable media and security Travelling Train journeys are often used as time to get some work done. If you are working on the train make sure that you cannot be overlooked or overheard. Many mobile phones have cameras and voice recording facilities, so take care what can be seen and heard by others. Never leave any equipment i.e. laptops, phones, encrypted memory sticks or paperwork unattended. If you need to leave anything in a car it must be kept out of sight and locked away in the boot. Don t leave any equipment in an unattended vehicle overnight. Only authorised encrypted removable media provided by your employer should be used.
21 Portable media and security Working Off site It is important to get approval from your line manager to take official documents out of the office. Only take with you what you need to do the job. Make sure the information is kept secure and away from prying eyes. It may be necessary to take work out of the office, for example when visiting customers or outside organisations. Authorisation should be given from your line manager if you need to take sensitive documents out of the office. You should always consider the most secure method of working and take extra precautions when outside of your office. For example, only take what you need to do your job.
22 9. Data Protection Act Data Controller / Data Processor definition Important definitions that you need to be aware of under the Data Protection Act are as follows: Personal Data - As per the DPA Act 1998 data which relates to a living individual who can be identified from the data or from the data and other information which is in the possession of or is likely to come into the possession of the data controller. Information available publicly such as Name, Address (Home or Office), Post Code, Telephone Number, Date of Birth, driving licence number. Sensitive Personal Data - As per the DPA Act 1998 this is as Personal Data but would also concern the data subject s race, ethnicity, politics, religion, trade union status, health, sex life or criminal record. Equally sensitive information i.e. National Insurance Number, Health, Finance, Work History, Personal Address linked to any Personal Data would be classed as Sensitive Personal under Cabinet Office guidelines. Data Controller As per the Data Protection Act, 1998 the person who is responsible for controlling the information and who can authorise or deny access to certain data. They determine the purpose for which and the manner in which any personal data is processed. This would usually be DWP. Data Processor As per the DPA Act 1998 the person who processes the data on behalf of the data controller and is usually the supplier.
23 8 Principles of Data Protection If you handle personal information about living individuals, you have a number of legal obligations to protect that information under the Data Protection Act 1998, which make sure personal information is: 1) Fairly and lawfully processed: Have legitimate grounds for collecting and using the personal data. Not use the data in ways that have unjustified adverse effects on the individuals concerned; Be transparent about how you intend to use the data and give individuals appropriate privacy notices when collecting their personal data; Handle people's personal data only in ways they would Reasonably expect; and Make sure you do not do anything unlawful with the data. 2) Processed for limited purposes: Be clear from the outset about why you are collecting personal data and what you intend to do with it; Comply with the Act s fair processing requirements including the duty to give privacy notices to individuals when collecting their personal data; Comply with what the Act says about notifying the Information Commissioner; and Ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use of disclosure is fair. 3) Adequate, relevant and not excessive: You hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual; and You do not hold more information than you need for that purpose; You should identify the minimum amount of personal data you need to properly fulfil your purpose. You should hold that much information, but no more. This is part of the practice known as data minimisation. 4) Accurate and up to date: Take reasonable steps to ensure the accuracy of any personal data you obtain; Ensure that the source of any personal data is clear; Carefully consider whether it is necessary to update the information.
24 8 Principles of Data Protection If you handle personal information about living individuals, you have a number of legal obligations to protect that information under the Data Protection Act 1998, which make sure personal information is: 5) Not kept for longer than is necessary: Review the length of time you keep personal data; Consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it; Securely delete information that is no longer needed for this purpose or these purposes; and Update, archive or securely delete information if it goes out of date. 6) Processed in line with your rights: A right of access to a copy of the information compromised in their personal data; A right to object to processing that is likely to cause or is causing damage or distress; A right to prevent processing for direct marketing; A right to object to decisions being taken by automated means; A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and A right to claim compensation for damages caused by a breach of the Act. 7) Secure: Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach; Be clear about who in your organising is responsible for information security; Make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and; Be ready to respond to any breach of security swiftly and effectively. 8)Not transferred to other countries without adequate protection: Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
25 10. Technical security IT administrator access user access controls are in place to monitor access to DWP Data, ensuring access is granted to and removed from suppliers personnel as the job role demands. All actions performed by suppliers staff must be traceable to users who process/handle DWP data. Users should be aware that their actions are recorded and all incidents will be investigated and actions taken. Encryption suppliers should have procedures in place for the use of encryption. Your IT dept or IT delivery partner will be able to advise on further technical aspects of the systems you use e.g. malware, antivirus etc
26 11. Security incidents An incident can be described as: any activity that causes or could potentially affect the availability, confidentiality or integrity of the physical or electronic information assets of the Data Controller/Processor. Examples of which are: Unauthorised disclosure or transfer of information, loss of data i.e. paper records or laptop/usb or misuse of information. This can have very serious consequences for both the individuals concerned and your organisation. The following examples can lead to the fraudulent use of a customers or colleagues identity and also damage the reputation of your organisation. Identity theft can cause upset and anxiety for the individual concerned and it can be a long process to rectify the fraudulent activity that has taken place. Reputational damage is very difficult to overcome and this can cause financial loss to your organisation through loss of confidence and competitive advantage. Public/DWP Confidence Loss of public/dwp confidence Accountability Embarrassment Theft of commercial information. Customer Stress, distress Identify Theft Financial loss Physical harm e.g. victims of domestic violence. Personal Information Distress at personal details being known e.g. Absence record, Staff Reports, Previous disciplinary Information.
27 Security incident examples Lost/stolen laptops if not stored securely the loss of a laptop through theft or misplacement can lead to significant data loss. Laptops must be encrypted as in the event of a loss the data stored on the device will remain secure and the loss will be limited to the cost of a new laptop alone. Lost/Incorrectly addressed post can seem quite a minor incident in the scheme of things. However, if the information goes to the wrong address or is sent using an unsuitable postal method this can lead to a severe data loss. Although hard copy records are less likely to contain the same volume of data as above, the consequences can be similar and just as damaging to individuals and your organisation. When post is received it is important to ensure the recipient details are correct. If incorrectly addressed mail is received; you must ensure appropriate care is taken to safeguard the package until the correct recipient is known. Once the intended recipient has been confirmed, the package should be sent using a similar fully tracked service. This approach will avoid any risk to the personal/sensitive data that may be contained within the package. Lost/stolen memory sticks USB devices have the capacity to store thousands of records and can be easily stolen or misplaced if adequate care is not taken to ensure they are securely encrypted and housed. Break-ins - other than the obvious costs resulting from the theft of valuable IT equipment, there are other issues to consider following unauthorised access to your building. If customer data is not securely stored within the building, i.e. in a locked room and within a locked filing cabinet, the perpetrator could have access to highly sensitive and valuable records. If stolen, these records can be used to steal an individual s identity and commit fraud. It is vital that any documents containing personal/sensitive information is not left on desks, printers or unlocked drawers overnight.
28 12. Areas for consideration: specific to your organisation Do you know who is responsible for data security in your organisation? DWP requires all organisations delivering on their behalf to have an agreed and documented policy on data assurance (security) and data privacy, including compliance with the Data Protection Act. Good governance makes it clear who is responsible and accountable for the protection of all sensitive data. Are you aware of policies attributed to data security? And where to find them? Do you regularly receive updates on data security through either training, communications/intranet, at team meetings etc? Does your organisation have a whistle-blowing policy? Are you aware that you need to raise any incidents within your line management chain and potentially direct to your data security named responsible officer. Your company is required to have a defined reporting route and you should know how to react. Do you?