28400 POLICY IT SECURITY MANAGEMENT

Transcription

1 Version: 2.2 Last Updated: 30/01/14 Review Date: 27/01/17 ECHR Potential Equality Impact Assessment: Low 1. About This Policy 1.1. The objective of this policy is to provide direction and support for IT Security in accordance with business requirements and relevant laws and regulations This policy outlines Hampshire Constabulary s approach to the protection of its IT infrastructure. This policy is intended to prevent major and widespread damage to Constabulary assets such as the network, user applications, files, and hardware The policy applies to all Hampshire Constabulary staff (permanent and temporary personnel), contractors and third parties with contractual obligations to maintain Force IT systems. 2. General Principles 2.1. systems represent essential core assets to the daily operation of the Constabulary. Availability, performance and security of the network including its computers and systems are key to service delivery New viruses represent a continual threat, requiring continual research to plan proactive measures against them systems are subject to the discovery of operating system or application vulnerabilities and the subsequent emergence of exploits of such vulnerabilities which have the potential to cause disruption or damage to those systems Hampshire Constabulary recognises that there may be legitimate business needs for members of the Constabulary and other third parties to be able to access information systems on the Constabulary s network from remote locations that are not linked directly to the network. 3. Statement Of Policy

2 3.1. Asset Management Responsibilities for assets Objective To achieve and maintain appropriate protection of Hampshire Constabulary assets Inventory of assets Ownership of assets Acceptable use of assets All assets shall be clearly identified and an inventory of all information security assets drawn up and maintained. All information and assets associated with information processing facilities shall have nominated Asset Owners. Rules of acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented in the form of Security Operating Procedures (SyOPs) Communications and Operations Management Operational Procedures and Responsibilities Objective To ensure the correct and secure operation of information processing facilities Documented operating procedures Change management Segregation of duties Separation of Operating procedures shall be documented, maintained and made available to all users who need them. Changes to information processing facilities and systems shall be controlled. Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of Hampshire Constabulary s assets.

3 development, test and operational facilities Development, test and operational facilities shall be separated to reduce the risks of unauthorised access or changes to the operational system Third Party Service Delivery Management Objective - to implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements. Service delivery Monitoring and review of third party services Managing changes to third party services Remote Access It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party. The services, reports and records provided by third party shall be regularly monitored and reviewed, and audits shall be carried out regularly. Changes to the provision of services, including maintaining and improving exiting information security policies, procedures and controls, shall be managed, taking into account of the criticality of business systems and processes involved and re-assessment of risks. Remote access by third parties will be uniquely identified, subjected to robust risk analysis and supported via contracts between the Constabulary and the third party. All request for remote access will be authorised by the Sy&IA Unit System Planning and Acceptance Objective to minimise the risk of systems failures Capacity management The use of resources shall be monitored, tuned

4 System acceptance and projections made of future capacity requirements to ensure the required system performance. Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance Protection Against Malicious and Mobile code Objective to protect the integrity of software and information. s against malicious code s against mobile code Patch Management Detection, prevention and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented, these will include the provisions to detect, remove and protect against viral infections. All computers connected physically or remotely to the Hampshire Constabulary network will have anti-virus software correctly installed, configured, activated, and up-dated with the latest version of virus definitions. Where the use of mobile code is authorised, the configuration shall ensure that the authorised mobile code operates according to a clearly defined security policy, and unauthorised mobile code shall be prevented from executing. Critical system updates will be deployed as soon as practicable, after an assessment of risks and ensuring patch stability Back-up Where patching of the infrastructure us not a viable option other security measures will be sought Objective to maintain the integrity and availability of information processing facilities.

5 back-up Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy Network Security Management Objective to ensure the protection of information in networks and the protection of the supporting infrastructure. Network controls Security of network services The network will be adequately managed and controlled in order to be protected from threats and to maintain security for the systems and applications using the network, including information in transit. Security features, service levels and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced Media Handling Objective to prevent unauthorised disclosure, modification, removal or destruction of assets and interruption to business activities. Management of removable media Disposal of media handling procedures Security of system There shall be documented procedures in place for the management of removable media. Media shall be disposed of securely and safely when no longer required, using formal procedures. Procedures for the handling and storage of information shall be established to protect this information from unauthorised disclosure or misuse.

6 documentation System documentation shall be protected against unauthorised access Exchange of Objective To maintain the security of information and software exchanged within Hampshire Constabulary and with any external entity. exchange policies and procedures Sharing agreements Physical media in transit Electronic messaging Business information systems Formal exchange policies, procedures and controls shall be in place to protect the exchange of information through the use if all types of communication facilities. Agreements shall be established for the exchange of information and software between Hampshire Constabulary and external parties. Media containing information shall be protected against unauthorised access, misuse or corruption during transportation beyond Hampshire Constabulary s physical boundaries. involved in electronic messaging shall be appropriately protected. Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems 4. Implications Of The Policy 4.1. The implementation of the required information security standards will incur substantial resource implications for the Hampshire Constabulary. The cost of physical and technical security controls required for new initiatives will be included in their procurement. 5. Monitoring / Evaluation

7 5.1. Monitoring for compliance with this policy is the responsibility of the Joint Management Unit. The Force Security Policy and associated documents are independently evaluated by the CJX / Airwave Accreditor as part of the annual process for seeking to renew the Force s Codes of Connection to those national services. 6. Review 6.1. This policy and all associated documents will be every three years or more frequently as deemed necessary. 7. Other Related Policies, Procedures And Sources Policy - Security 7.2. AD203 Equality Impact Assessment 7.3. sources: HMG IA Standards CESG Good Practice Guides Security Policy Framework ISO Origin: Management