SOUTH NORTHAMPTONSHIRE COUNCIL 10/11 REMOTE WORKING FINAL REPORT MARCH 2011

Size: px
Start display at page:

Download "SOUTH NORTHAMPTONSHIRE COUNCIL 10/11 REMOTE WORKING FINAL REPORT MARCH 2011"

Transcription

1 SOUTH NORTHAMPTONSHIRE COUNCIL 10/11 REMOTE WORKING FINAL REPORT MARCH 2011 This report and the work connected therewith are subject to the Terms and Conditions of the contract dated 18/06/07 between South Northamptonshire Council and Deloitte & Touche Public Sector Internal Audit Limited. The report is produced solely for the use of South Northamptonshire Council. Its contents should not be quoted or referred to in whole or in part without our prior written consent except as required by law. Deloitte & Touche Public Sector Internal Audit Limited will accept no responsibility to any third party, as the report has not been prepared, and is not intended for any other purpose.

2 CONTENTS Page Categorisation of Recommendations 4 Definition of Assurance Levels 4 Executive Summary 5 Detailed Report 9 Appendix 1: Terms of Reference 21 Appendix 2: Implementation Timetable and Response 22 Appendix 3: Statement of Responsibility 27

3 CATEGORISATION OF RECOMMENDATIONS The recommendations in this report have been categorised as follows: Priority Description This Report Priority 1 Major issues that we consider need to be brought to the attention of senior management 0 Priority 2 Important issues that should be addressed by management in their areas of responsibility 9 Priority 3 Detailed issues of a minor nature 1 DEFINITION OF ASSURANCE LEVELS Level Description This Report Full Assurance There is a sound system of control designed to achieve the system objectives with controls consistently being applied Satisfactory Assurance Limited Assurance No Assurance Whilst there is a basically sound system, there are weakness that put some of the system objectives at risk Weakness in the system of controls are such as to place the system objectives at risk Control is generally weak, leaving the system open to significant error or abuse 10/11 Remote Working Page 4 South Northants Council

4 EXECUTIVE SUMMARY An audit of the systems and controls in place within the Council in respect of Remote Working has been completed in accordance with the Terms of Reference, as agreed with management, which is set out in Appendix 1. In light of risk evaluation and compliance testing undertaken during this audit, a Limited Assurance Opinion is given in respect of the key controls operating over the arrangements for Remote Working. We have raised nine Priority 2 recommendations and one Priority 3 recommendation within this report where we believe internal controls can be improved. Strategy, Policies and Procedures Remote working was implemented at the Council out of the vision of a "better place to work" and initially was introduced as a pilot scheme to a selected number of users. However, as this developed a remote working strategy has not been developed to indicate the forward direction of home and remote working and how this supports the Council s service delivery. A policy on Working from Home has been documented and is posted on the Council s intranet, as well as being included in the employee handbook in May 2010 following approval from full Council. This Policy was found to cover the areas for the obtaining of approval for home working, ensuring health & safety risk assessments are performed and also include performance management measures. The Working from Home Policy contains links to other policies such as the and Internet usage Policy, Data Protection Policy and Information Security Policy. It also contains guidance on the storage of data and IT equipment when working from home and the need to keep Council data confidential. The Policy also provides details of IT support that is available when working from home. Although an Information Security Policy has been developed, it is still in draft format. Review of the Policy confirmed that it does contain guidance on mobile device security and on and internet policies. Neither the Information Security Policy nor the Working from Home Policy contains statements in relation to the following areas that would be applicable for remote workers: The return of IT equipment upon termination of employment; Leaving the laptop in an empty office or location; Storage of laptop at home; and Use of laptop in public spaces or when travelling. Additionally, users are not required to read and agree to any terms and conditions of use prior to being issued with laptops or smart phones such as ipaqs. Laptops are issued with Kensington locks as a standard issue to assist in securing the laptop; however, it was indicated that only Councillors are currently issued laptops and locks are not always used. 10/11 Remote Working Page 5 South Northants Council

5 Risk Assessment IT risks have been assessed and are included within the corporate Risk Register. However, a risk assessment has not been carried out specifically relating to remote working. It was indicated that as part of achieving compliance with GCSx Code of Connection (CoCo) requirements, the use of encryption and mobile devices is currently being reviewed. IT Support Arrangements The Working from Home Policy document provides guidance to remote workers on the technical support arrangements that are in place and the requirement to log any faults with the IT Helpdesk. It has been clearly stated that although Capita will support the Citrix environment, it will not support personal computer equipment or problems with the user's own broadband. The Policy also clearly states that support will not extend to home visits and users are required to bring the equipment to the Council offices for diagnosis and repair. Staff are also informed of the system support hours during induction which are between 8 am - 6 pm. Access Control for Remote Access to Network Users access the network from remote locations using two factor authentication, through a Secure Socket Layer (SSL) tunnel using the Citrix client. Remote users are supplied with RSA SecureID tokens to obtain access to the Council network. Remote access can also be obtained via Neoteris using RSA tokens; however, this may be decommissioned in the future and is used to provide only and intranet access to users, and does not provide access to Council applications. Remote workers are currently allowed to obtain access to the network using their own personal equipment. It was discussed that the Council is currently trying to achieve compliance to CoCo version 4.1 and are currently in discussion with GCSx on the risk and cost of supplying Council equipment for remote workers. The Council is required to comply with CoCo by the end of 2010 and discussions are in place with GCSx to ascertain if the requirement to issue Council equipment for remote workers can be resolved. A procedure is in place for setting up remote workers on Citrix. The line manager for the staff requesting home working is required to put forward a business case to the Head of Service to specify the reason and duration for remote access. If approved, the manager is then required to complete a remote worker checklist that helps to confirm that a Health & Safety Assessment has been completed, training has been received on Citrix use and performance monitoring targets have been specified. The Health and Safety forms and the Checklist are approved by the Health and Safety Advisor and then forwarded to HR to be stored within the worker's personnel file. A helpdesk call is subsequently logged with Capita to set up the user with remote access and issue the Citrix fob. Audit confirmed that out of a sample of 6 remote workers who have left the Council in the last 12 months, only two users have had their access disabled with some having left the organisation in This was also confirmed for two mobile phone users who had left in 2009 but are both still active on the mobile phone user and system. It could not be confirmed whether their mobile devices, namely ipaqs had been returned. Remote access connections are logged and can be queried for the login per user; however, the logs are not monitored for security violations. 10/11 Remote Working Page 6 South Northants Council

6 Intrusion Detection Software (IDS) is not in place, although this is being considered as part of achieving compliance with GCSX CoCo. Physical Security of Mobile Devices A Configuration Management Database (CMDB) has been implemented in April 2010 to record the asset details of all machines on the SNDC network. However, at the time of the audit, this was still being configured and it could not be verified whether the CMDB will be able to discover remotely logged in machines. Logical Security of Mobile Devices Users of mobile phone and data devices are required to set a PIN code to prevent casual access to the devices, PIN codes are not set as a default on mobile phones when configured and issued and currently users have the ability to override this setting. Data encryption is not currently in use on laptops or any mobile phone devices; however, this is being reviewed as part of achieving compliance with CoCo. Capita are responsible for ensuring that anti-virus software is in place on the Council network and is kept updated through the download of regular updates. The Information Security Policy also states that Council computers and systems will be protected by anti-virus systems. Since the Council has opted to allow remote users to use their own equipment, the users have been made responsible for ensuring that their anti-virus is up-to-date within the Working from Home Policy. A remote wipe solution is in place for ipaqs. The Goodlink Management console is used to remove the system on the phone, however, it does not remove any stored attachments or contact lists saved on the phone. It was confirmed that there are 35 users who currently have the mobile device. Audit testing confirmed that staff are not issued with USB's to store data. Additionally, the Information Security Policy also states the policy on restricting storage and transport of data on removable media. Health and Safety See section above on Access Control for Remote Access to Network for detail on Health and Safety Assessments (H&S). Audit testing also identified that, although all remote workers are required to carry out a Health & Safety assessment, an annual review of the Health and Safety assessments is not being carried out to ensure they are up to date. Monitoring The Working from Home Policy requires management to ensure performance monitoring has been discussed and confirmed with the remote worker. A review of the Remote Working checklist also confirmed that this is discussed by management prior to granting access. HR has not currently specified a requirement for the meetings between management and remote workers to be formally documented unless the manager has serious concerns about misuse of the remote working facility. Furthermore, HR does not require any performance of one-to-ones to be formally recorded on the personnel files of the remote worker. 10/11 Remote Working Page 7 South Northants Council

7 Appendix 2 contains a summary of recommendations in priority order and an implementation timetable that has been agreed with management. 10/11 Remote Working Page 8 South Northants Council

8 DETAILED REPORT Recommendation 1 Remote Working Strategy A Remote Working Strategy should be developed to define the objectives, scope, anticipated benefits of remote working and an action plan to achieve these benefits. This can also be used to identify changes in the Council s accommodation strategy that may be delivered as a result of users working remotely. Priority Priority 2 Rationale The purpose of a Remote Working Strategy is to provide an overview of the goals, objectives and delivery targets for remote working. The strategy would help to ensure that actions and expected outcomes relating to implementation and the further development of remote working are assessed. Audit testing confirmed that remote working was born out of the vision of a "better place to work" within the Council and initially being introduced as a pilot scheme. However, a Remote Working Strategy had not been developed. If a Remote Working Strategy is not developed there is a risk that the strategic objectives for remote working are not achieved and potential benefits are not realised. Management Response The Council is undergoing a medium to long term strategic review of accommodation needs as part of the Moat Lane regeneration programme with hot-desking and remote working practices a defined outcomes. In light of this major change programme it is felt that the current approach of line managers assessing their officer s ability / suitability for remote working best suits the Council s current needs and is fully supported by policies and procedures that are already in place. Implementation Responsibility and Timetable IT & Customer Services Manager 10/11 Remote Working Page 9 South Northants Council

9 Recommendation 2 Information Security Policy and Terms & Conditions of Use The Information Security Policy should be finalised and enhanced to incorporate the following areas of laptop usage: The return of IT equipment upon termination of employment; Not leaving laptops in an empty office; Processes for the storage of laptop at home; Guidance on the use of laptop in public spaces or when travelling; and The use of Kensington locks to secure laptops. Additionally, staff should be issued with Terms and Conditions of Use for laptops and mobile phone devices and should be required to confirm that they have read, understood and agree to comply with them. Priority Priority 2 Rationale Terms and conditions of use that have been read and agreed by users would help to ensure that users are fully aware of their responsibilities as well as the risks associated with using portable equipment. The Information Security Policy is still in draft format. Additionally, users are not required to read and agree to any terms and conditions of laptop or mobile phone use and it was determined that although Kensington locks are issued to all staff, in some cases they are not always routinely used. There is a risk that users may not be fully aware of the responsibilities associated with using portable equipment such as laptops and mobile devices such as ipaqs. As a result these remote users may be more likely to expose the Council to greater data security risks which may lead to a breach in data confidentiality and possible reputational damage to the Council. Management Response To be confirmed Implementation Responsibility and Timetable Graham Thorpe (Information Systems Officer) to be confirmed. 10/11 Remote Working Page 10 South Northants Council

10 Recommendation 3 Remote Working Risk Assessment and Risk Register Management should ensure that the risks associated with home and offsite working are assessed and addressed within the ICT Risk Registers. This should include in particular the potential increased risk of breaches in data security and confidentiality when Council information is accessed using laptops, USB s or smart phones away from the office. This can also assist in demonstrating the controls that the Council has put in place to mitigate these risks. Priority Priority 2 Rationale The identification and mitigation of key risks associated with remote access to the network would help to ensure that risks that have been identified in the remote working area are assessed to help ensure that data availability and confidentiality is maintained. IT risks are included within the Corporate Risk Register; however, a risk assessment has not been performed specifically for remote working, issuing laptops and the use of non-council equipment for remote working. Where key risks relating to the security of data and assets taken offsite are not identified and appropriately managed, there is a risk that the Council may not be able to manage its risk to an acceptable level. This may impact on its ability to protect data and information assets against loss or damage. Management Response As stated previously individual line managers are best placed to assess their officers - this is supported by Council procedures including risk assessments. Implementation Responsibility and Timetable IT & Customer Services Manager 10/11 Remote Working Page 11 South Northants Council

11 Recommendation 4 Leavers and Dormant Accounts A procedure to review leavers as well as dormant remote access accounts should be developed to help ensure that remote access is promptly removed for users on the termination of their employment and all IT equipment or mobile devices are returned. Priority Priority 2 Rationale User accounts that are no longer required should be removed to ensure that access cannot be obtained to the Council's network and data. A procedure to review dormant remote access accounts is not currently in place. Capita occasionally receive a leaver's form from line management, however, this is not consistent. A leaver's list is published on the intranet by HR each month which is checked by Capita to disable accounts. Audit testing identified that out of a sample of 6 leavers in the last 12 months, only two had their access disabled with some having left the organisation in The same was confirmed for two mobile phone users who left in 2009 but are both still active on the mobile phone user and system. It could not be confirmed whether their mobile devices had been returned. Failure to implement formal procedures for disabling remote user accounts increases the risk of confidentiality on the system being compromised resulting from unauthorised access. Management Response There is now a procedure in place that covers this issue - Dormant accounts are deactivated and equipment returned. Implementation Responsibility and Timetable IT & Customer Services Manager implemented. 10/11 Remote Working Page 12 South Northants Council

12 Recommendation 5 Monitoring of Remote Access to the Network We recommend that the Council consider enhancing security on the network by implementing the following controls: The regular review of remote access logs is performed for potential security violations; and Implementation of an Intrusion Detection System (IDS). Priority Priority 2 Rationale Monitoring remote access connection attempts helps to ensure that unauthorised attempts at network access are identified and preventative action is put in place. It was identified through our testing that: Although remote access is logged, specific events are not reviewed; and The Council currently does not have any Intrusion Detection Systems in place over the corporate network, although this is being reviewed as part of achieving compliance with CoCo requirements. Unless processes are put in place for the monitoring of remote access sessions and alerts configured to alert staff in the event of suspicious activity, there is a risk that unauthorised access attempts could occur without the Council being aware. Management Response The Surecloud system has been installed and implemented. It is an IDS and log recording system meeting GCSX standards. Implementation Responsibility and Timetable Tim Bartlett (IT Team Leader) implemented. 10/11 Remote Working Page 13 South Northants Council

13 Recommendation 6 IT Asset Register Management should ensure that all laptop, PC and mobile phone assets are updated on to an IT Asset Register when new stock is received and issued to user, and when stock is returned or disposed. Priority Priority 2 Rationale A complete, accurate and up-to-date IT Asset Register would help to ensure that management are able to account for and locate all the Council's IT assets. A Configuration Management Database (CMDB) was installed by Capita to discover all hardware devices in April 2010 and has started to populate the database. At the time of the audit this was still being configured and it was indicated that the Council is unsure whether the CMDB will be able to discover remote machines attached to the network. A procedure is yet to be developed to ensure that mobile devices are recorded in the Asset Register. Failure to maintain an up-to-date, accurate and complete IT Asset Register may expose the Council to the risk of equipment not being identifiable and traceable in the event of loss or theft. This may affect the Council's ability to claim on its insurance for the loss or damage of equipment. Management Response All devices on the network are captured on the IT asset register. The current system does not capture mobile phones or Laptops that have NEVER been connected to the network. The proposed shared working arrangement with Cherwell DC is likely to present an opportunity to improve the current system. Implementation Responsibility and Timetable Tim Bartlett (IT Team Leader) ongoing. 10/11 Remote Working Page 14 South Northants Council

14 Recommendation 7 Mobile Phone Devices Management should ensure that security settings on mobile device handsets such as ipaqs are adjusted to incorporate the following: Devices should be required to be protected by a power on password or PIN. Default passwords or pin codes need to be changed on initial use, these should not be deactivated unless authorised in writing by ICT; Devices should be set to Non-discoverable or Hidden to help prevent information disclosure; and Users should be restricted from reconfiguring the security settings on the device. The remote wipe solution currently in place should be developed to ensure all the data stored on the mobile phone is wiped. Additionally, the approved list of mobile phones issued to users should be reviewed for accuracy and should be completed for future mobile phones requests for remote workers. Priority Priority 2 Rationale Enabling PIN security and restricting users from reconfiguring mobile device handset security settings would help to ensure that minimum security standards are enforced by the Authority. This would also help to ensure that in the event that the handset is lost or stolen, data confidentiality is not easily compromised. It was identified that default settings on the handsets are not adjusted to require PIN entry on power on. Additionally, users have the ability to reconfigure the security settings on their handset and therefore have the ability to disable the requirement for PIN entry as well as any other security features set. The remote wipe solution removes data but it does not remove any other data such as attachments or the contact list stored on the phone. Audit testing confirmed that a list of approved mobile phones had been in place 5 years ago, though this has not been updated for the past 5 years. Where security settings on mobile data device handsets are not configured or can be changed, there is a risk that in the event that the handset is lost or stolen data confidentiality may be compromised. Failure to distribute only approved mobile devices increases the risk that smart phones with weak security settings could be distributed, thus potentially compromising data security. 10/11 Remote Working Page 15 South Northants Council

15 Management Response For all IPAQ: Devices could be pin protected, but are not currently, Devices are set to Non-discoverable / Hidden Users are restricted from reconfiguring security settings The remote wipe solution ensures all data is wiped. All Smart-phones that have access to or other corporate data have been reviewed as suggested. Implementation Responsibility and Timetable IT & Customer Services Manager July /11 Remote Working Page 16 South Northants Council

16 Recommendation 8 Mobile Device Encryption Management should ensure that all confidential and sensitive data held on Laptops and mobile device handsets such as ipaqs is adequately encrypted. Priority Priority 2 Rationale Encryption on portable data storage devices would help to ensure that in the event that the device is lost or stolen that data confidentiality is not easily compromised. This also helps the Council with compliance with the Code of Connection and Data Protection requirements. It was identified that data encryption is not currently used on the laptops or the ipaq handsets issued by the Council. However, this is being reviewed as part of achieving compliance with CoCo requirements. Where data held on mobile storage devices such as laptops and ipaq handsets is not adequately protected, there is a risk that if these devices are lost or stolen that data confidentiality may be compromised. This could mean that the Council is not protecting data in accordance with Data Protection principles. Management Response We currently have no mobile device encryption. Whilst this is desirable it is also prohibitively costly - However shared working arrangement with Cherwell DC is likely to present an opportunity to implement such a solution at lower costs. Additionally no RESTRICTED data is held on any laptop or mobile device As such I request that this recommendation be categorised as a lower priority. Implementation Responsibility and Timetable Tim Bartlett (IT Team Leader) ongoing. 10/11 Remote Working Page 17 South Northants Council

17 Recommendation 9 Remote Working Code of Connection The requirements of the Code of Connection regarding the use of Council users home IT equipment for accessing the Council network should be finalised to ensure that the Council is in line with Code of Connection requirements. Processes should be established to provide assurance that adequate controls relating to security and virus protection have been put in place. Priority Priority 2 Rationale Confirming the requirements of the Code of Connection with regards to access to the Council network via users own IT equipment helps to ensure that the Council is in compliance with the Code of Connection and has also taken steps to secure the network from unauthorised activity and virus attack. The Council currently allows users to access the Council network and data via their own PCs and laptops. The latest version of the Code of Connection places increased controls and restrictions on using personal IT equipment to access Council data. We understand that the Council is currently in discussions with the assessors on the exact requirement of this. Failure to confirm the status of the requirements of the Code of Connection could mean that the Council is not in line with the code of connection requirements; Furthermore, the use of users own PCs to access Council systems could expose the Council to the risk of weak security settings on PCs opening up vulnerabilities to the Council network. Management Response The Council passed its most recent Health Check and Code of Connection assessment. Implementation Responsibility and Timetable IT and Customer Services Manager implemented. 10/11 Remote Working Page 18 South Northants Council

18 Recommendation 10 Health & Safety Assessment Review The Health & Safety assessments should be reviewed on an annual basis to ensure that users home circumstances are still suitable for home or remote working. Priority Priority 3 Rationale The Remote Workers Health and Safety Risk Assessment helps to ensure that users have reviewed their home/remote working requirements and that these have been confirmed as suitable for users to work away from the office. Audit testing identified that the annual review of Health and Safety Assessments for home workers is not always performed. Failure to undertake adequate annual review of Health and Safety Assessments on all home/remote workers increases the risk that these workers may suffer injuries as a result of unsuitable remote working conditions, which could mean the Council may not operate in compliance with Health and Safety legislation. Management Response This recommendation will be forwarded to all managers. Implementation Responsibility and Timetable Helen Marshall (Health and Safety Advisor) implemented. 10/11 Remote Working Page 19 South Northants Council

19 Appendix 1 Terms of Reference: 10/11 Remote Working Scope of the Audit: The audit specifically covered the following areas and control objectives: Remote Working Policies and Procedures; Remote Working Risk Assessment; IT Support Arrangements; Access Controls for Remote Access to the South Northamptonshire District Council Network; Logical and Physical Security of Mobile Devices; Health and Safety; and Monitoring. The audit took a sample of projects and evaluated the extent to which they have been managed in accordance with the corporate policy and procedures. Start of fieldwork: 27 th May 2010 Audit Staff Andrew Robinson - Deloitte 2 Day Aditi Babla - Deloitte 9 Days 11 Days Senior Auditees Mike Shaw IT Manager Reporting Deadlines and Distribution Draft Report 12 th August 2010 Distribution Mike Shaw IT Manager Martin Henry Head of Finance David Price Director of Community Engagement and Corporate Services 10/11 Remote Working Page 20 South Northants Council

20 Final Report 24 th March 2011 Distribution Mike Shaw IT Manager Martin Henry Head of Finance David Price Director of Community Engagement and Corporate Services Jean Morgan Chief Executive 10/11 Remote Working Page 21 South Northants Council

21 APPENDIX 2 Implementation Timetable and Responsibility Ref No Recommendation Priority Management Response Implementation Responsibility 1 Remote Working Strategy 2 The Council is undergoing a Mike Shaw A Remote Working Strategy should be developed to medium to long term strategic IT and Customer define the objectives, scope, anticipated benefits of review of accommodation needs as Services remote working and an action plan to achieve these part of the Moat Lane regeneration Manager benefits. This can also be used to identify changes in programme with hot-desking and the Council s accommodation strategy that may be remote working practices a defined delivered as a result of users working remotely. outcomes. Implementation Deadline On-going 2 Information Security Policy and Terms & Conditions of Use The Information Security Policy should be finalised and enhanced to incorporate the following areas of laptop usage: In light of this major change programme it is felt that the current approach of line managers assessing their officer s ability / suitability for remote working best suits the Council s current needs and is fully supported by policies and procedures that are already in place. 2 To be confirmed. Graham Thorpe Information Systems Officer To be confirmed. 10/11 Remote Working Page 22 South Northants Council

22 Ref No Recommendation Priority Management Response Implementation Responsibility The return of IT equipment upon termination of employment; Not leaving laptops in an empty office; Processes for the storage of laptop at home; Guidance on the use of laptop in public spaces or when travelling; and The use of Kensington locks to secure laptops. Implementation Deadline Additionally, staff should be issued with Terms and Conditions of Use for laptops and mobile phone devices and should be required to confirm that they have read, understood and agree to comply with them 3 Remote Working Risk Assessment and Risk Register Management should ensure that the risks associated with home and offsite working are assessed and addressed within the ICT Risk Registers. This should include in particular the potential increased risk of breaches in data security and confidentiality when Council information is accessed using laptops, USB s or smart phones away from the office. This can also assist in demonstrating the controls that the Council has put in place to mitigate these risks. 2 As stated previously individual line managers are best placed to assess their officers - this is supported by Council procedures including risk assessments. Mike Shaw IT and Customer Services Manager Not applicable. 10/11 Remote Working Page 23 South Northants Council

23 Ref No Recommendation Priority Management Response Implementation Responsibility 4 Leavers and Dormant Accounts 2 There is now a procedure in place Mike Shaw A procedure to review leavers as well as dormant that covers this issue - Dormant IT and Customer remote access accounts should be developed to help accounts are deactivated and Services ensure that remote access is promptly removed for equipment returned. Manager users on the termination of their employment and all IT equipment or mobile devices are returned. 5 Monitoring of Remote Access to the Network 2 The Surecloud system has been Tim Bartlett We recommend that the Council consider enhancing installed and implemented. It is an IT Team Leader security on the network by implementing the IDS and log recording system following controls: meeting GCSX standards The regular review of remote access logs is performed for potential security violations; and Implementation of an Intrusion Detection System (IDS). 6 IT Asset Register Management should ensure that all laptop, PC and mobile phone assets are updated on to an IT Asset Register when new stock is received and issued to users, and when stock is returned or disposed. 2 All devices on the network are captured on the IT asset register. The current system does not capture mobile phones or Laptops that have NEVER been connected to the network. Tim Bartlett IT Team Leader Implementation Deadline Implemented. Implemented. On-going 7 Mobile Phone Devices Management should ensure that security settings on mobile device handsets such as ipaqs are adjusted to 2 The proposed shared working arrangement with Cherwell DC is likely to present an opportunity to improve the current system. For all IPAQ: Mike Shaw IT and Customer Services July /11 Remote Working Page 24 South Northants Council

24 Ref No Recommendation Priority Management Response Implementation Responsibility incorporate the following: Devices could be pin protected, Manager but are not currently, Devices should be required to be protected by a power on password or PIN. Default passwords or pin codes need to be changed on initial use, these should not be deactivated unless authorised in writing by ICT; Devices should be set to Non-discoverable or Hidden to help prevent information disclosure; and Users should be restricted from reconfiguring the security settings on the device. The remote wipe solution currently in place should be developed to ensure all the data stored on the mobile phone is wiped. Devices are set to Nondiscoverable / Hidden Users are restricted from reconfiguring security settings The remote wipe solution ensures all data is wiped. All Smart-phones that have access to or other corporate data have been reviewed as suggested Implementation Deadline Additionally, the approved list of mobile phones issued to users should be reviewed for accuracy and should be completed for future mobile phones requests for remote workers. 8 Mobile Phone Encryption Management should ensure that all confidential and sensitive data held on laptops and mobile device handsets such as ipaqs is adequately encrypted. 2 We currently have no mobile device encryption. Whilst this is desirable it is also prohibitively costly - However shared working arrangement with Cherwell DC is likely to present an opportunity to implement such a solution at lower costs. Tim Bartlett IT Team Leader Ongoing. 10/11 Remote Working Page 25 South Northants Council

25 Ref No Recommendation Priority Management Response Implementation Responsibility Implementation Deadline 9 Remote Working Code of Connection The requirements of the Code of Connection regarding the use of Council users home IT equipment for accessing the Council network should be finalised to ensure that the Council is in line with Code of Connection requirements. Processes should be established to provide assurance that adequate controls relating to security and virus protection have been put in place. 10 Health & Safety Assessment Review The Health & Safety Assessments should be reviewed on an annual basis to ensure that users home circumstances are still suitable for home or remote working. Additionally no RESTRICTED data is held on any laptop or mobile device. 2 The Council passed its most recent Health Check and Code of Connection assessment. 3 This recommendation will be forwarded to all managers Mike Shaw IT and Customer Services Manager Helen Marshall Health & Safety Advisor Implemented. April /11 Remote Working Page 26 South Northants Council

26 APPENDIX 3 Statement of Responsibility We take responsibility for this report which is prepared on the basis of the limitations set out below. The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management s responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regards to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas as identified by management as being of greatest risk and significance and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system. The assurance level awarded in our internal audit report is not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board. Deloitte & Touche Public Sector Internal Audit Limited St Albans March 2011 In this document references to Deloitte are references to Deloitte & Touche Public Sector Internal Audit Limited. Registered office: Hill House, 1 Little New Street, London EC4A 3TR, United Kingdom. Registered in England and Wales No Deloitte & Touche Public Sector Internal Audit Limited is a subsidiary of Deloitte LLP, the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ( DTTL ), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see for a detailed description of the legal structure of DTTL and its member firms. Member of Deloitte Touche Tohmatsu Limited 10/11 Remote Working 27 South Northants Council

SOUTH NORTHAMPTONSHIRE COUNCIL. 11/31 ICT Capacity Management FINAL REPORT. June 2011

SOUTH NORTHAMPTONSHIRE COUNCIL. 11/31 ICT Capacity Management FINAL REPORT. June 2011 SOUTH NORTHAMPTONSHIRE COUNCIL 11/31 ICT Capacity Management FINAL REPORT June 2011 This report and the work connected therewith are subject to the Terms and Conditions of the contract dated 18/06/07,

More information

Dacorum Borough Council Final Internal Audit Report

Dacorum Borough Council Final Internal Audit Report Dacorum Borough Council Final Internal Audit Report ICT Change Management Distribution list: Chris Gordon Group Manager Neil Telkman - Information, Security and Standards Officer Gary Osler ICT Service

More information

South Northamptonshire Council

South Northamptonshire Council South Northamptonshire Council Windows Active Directory Final Internal Audit Report - September Distribution list: Mike Shaw IT & Customer Services Manager David Price Director of Community Engagement

More information

Draft Internal Audit Report Software Licensing Audit. December 2009

Draft Internal Audit Report Software Licensing Audit. December 2009 Draft Internal Audit Report Software Licensing Audit December 2009 Contents Page Executive Summary 3 Observations and Recommendations 6 Appendix 1 Audit Framework 9 Appendix 2 - Staff Interviewed 10 Statement

More information

Coleg Gwent Internal Audit Report 2014/15 Staff Performance Management. Assurance Rating:

Coleg Gwent Internal Audit Report 2014/15 Staff Performance Management. Assurance Rating: Coleg Gwent Internal Audit Report 2014/15 Staff Performance Management Assurance Rating: Distribution List: Final Report Audit Committee Principal Vice Principal, (Resources and Financial Planning)/Director

More information

Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory. Assurance Rating:

Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory. Assurance Rating: Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory Assurance Rating: Distribution List: Draft Report: Principal Vice Principal, (Finance, Estates and Information Services) Clerk to the Corporation

More information

Report 6c. Final Internal Audit Report Network and Communications. April 2008

Report 6c. Final Internal Audit Report Network and Communications. April 2008 Report 6c Final Internal Audit Report Network and Communications April 2008 Contents Page Executive Summary 3 Observations and Recommendations 4 Appendix 2 - Staff Interviewed 14 Appendix 3 Benchmark Results

More information

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery Dacorum Borough Council Final Internal Audit Report IT Business Continuity and Disaster Recovery Distribution list: Chris Gordon Group Manager Performance, Policy and Projects John Worts ICT Team Leader

More information

Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010

Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010 Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010 This report has been prepared on the basis of the limitations set

More information

Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010

Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010 Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010 This report has been prepared on the basis of the limitations set out on page 16. Contents Page

More information

REMOTE WORKING POLICY

REMOTE WORKING POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June 2007. Report 6c Page 1 of 15

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June 2007. Report 6c Page 1 of 15 Appendix 6c Final Internal Audit Report Disaster Recovery Planning June 2007 Report 6c Page 1 of 15 Contents Page Executive Summary 3 Observations and Recommendations 8 Appendix 1 - Audit Framework 13

More information

Coleg Gwent Internal Audit Report 2012/13 Payroll and HR. Assurance Rating: Payroll

Coleg Gwent Internal Audit Report 2012/13 Payroll and HR. Assurance Rating: Payroll Coleg Gwent Internal Audit Report 2012/13 Payroll and HR Assurance Rating: Payroll HR Distribution List: Final Report Audit Committee Principal Vice Principal, (Finance, Estates and Information Services)

More information

At its meeting in March 2012, the Committee approved the Internal Audit Plan for 2012-13.

At its meeting in March 2012, the Committee approved the Internal Audit Plan for 2012-13. Audit Committee 28 Internal audit report ICT Security Executive summary and recommendations Introduction Mazars has undertaken a review of ICT Security controls, in accordance with the internal audit plan

More information

Internal Audit Report 2010/11 North Norfolk District Council. February 2011

Internal Audit Report 2010/11 North Norfolk District Council. February 2011 Internal Audit Report 2010/11 North Norfolk District Council NN/11/17 Network Infrastructure, Security and Telecommunications February 2011 This report has been prepared on the basis of the limitations

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Business Planning & Budgetary Control 2012/13

Business Planning & Budgetary Control 2012/13 Cymdeithas Tai Cantref Cyf Final Internal Audit Report Business Planning & Budgetary Control 2012/13 Date of fieldwork: October November 2012 Date of draft report: November 2012 Date of final report: November

More information

Appendix 1b. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA. Review of Mobile Portable Devices Management

Appendix 1b. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA. Review of Mobile Portable Devices Management Appendix 1b DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA Review of Mobile Portable Devices Management DISTRIBUTION LIST Audit Team David Esling, Head of Audit and Assurance

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader AGENDA ITEM: SUMMARY Report for: Committee Date of meeting: 30 May 2012 PART: 1 If Part II, reason: Title of report: Contact: Purpose of report: Recommendations Corporate objectives: Implications: INFORMATION

More information

Aberdeen City Council IT Asset Management

Aberdeen City Council IT Asset Management Aberdeen City Council IT Asset Management Internal Audit Report 2014/2015 for Aberdeen City Council January 2015 Terms or reference agreed 4 weeks prior to fieldwork Target Dates per agreed Actual Dates

More information

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette

More information

Aberdeen City Council IT Security (Network and perimeter)

Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

SECURITY POLICY REMOTE WORKING

SECURITY POLICY REMOTE WORKING ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY REMOTE WORKING Introduction This policy defines the security rules and responsibilities that apply when doing Council work outside of Council offices

More information

REVIEW OF THE FIREWALL ARRANGEMENTS

REVIEW OF THE FIREWALL ARRANGEMENTS WEST DORSET DISTRICT COUNCIL REVIEW OF THE FIREWALL ARRANGEMENTS Report issued: December 2007 The matters raised in this report are only those, which came to the attention of the auditor during the course

More information

Business Internet Banking security user guide

Business Internet Banking security user guide Business Internet Banking security user guide You must read this user guide before using Business Internet Banking. It is a very important document as it sets out security obligations you must comply with.

More information

STRONGER ONLINE SECURITY

STRONGER ONLINE SECURITY STRONGER ONLINE SECURITY Enhanced online banking without compromise Manage your business banking efficiently and securely Internet banking has given business leaders and treasurers greater control of financial

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Remote Access and Home Working Policy London Borough of Barnet

Remote Access and Home Working Policy London Borough of Barnet Remote Access and Home Working Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Remote Access and Home Working Policy Document Description This policy applies to home and

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Essex Fire Authority. Fleet Management. Internal Audit Report (4.12/13) 28 February 2013 FINAL. Overall Opinion

Essex Fire Authority. Fleet Management. Internal Audit Report (4.12/13) 28 February 2013 FINAL. Overall Opinion Essex Fire Authority Fleet Management Internal Audit Report (4.12/13) 28 February 2013 FINAL Overall Opinion Essex Fire Authority Fleet Management 4.12/13 CONTENTS Section Page Executive Summary 1 Action

More information

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority Internal Audit Progress Report (19 th August 2015) Contents 1. Introduction 2. Key Messages for Committee Attention 3. Work in progress Appendix A: Risk Classification and Assurance Levels Appendix B:

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

IT control environment Caerphilly County Borough Council

IT control environment Caerphilly County Borough Council Audit 2008/2009 November 2009 Author: PricewaterhouseCoopers LLP Ref: C09366 IT control environment Caerphilly County Borough Council We found the overall IT control environment at Caerphilly County Borough

More information

Berwick Academy Policy on E Safety

Berwick Academy Policy on E Safety Berwick Academy Policy on E Safety Overview The purpose of this document is to describe the rules and guidance associated with E Safety and the procedures to be followed in the event of an E Safety incident

More information

IT ACCESS CONTROL POLICY

IT ACCESS CONTROL POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

Avon & Somerset Police Authority

Avon & Somerset Police Authority Avon & Somerset Police Authority Internal Audit Report IT Service Desk FINAL REPORT Report Version: Date: Draft to Management: 19 February 2010 Management Response: 12 May 2010 Final: 13 May 2010 Distribution:

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

Why do we need to protect our information? What happens if we don t?

Why do we need to protect our information? What happens if we don t? Warwickshire County Council Why do we need to protect our information? What happens if we don t? Who should read this? What does it cover? Linked articles All WCC employees especially mobile and home workers

More information

Information Security Incident Management Policy

Information Security Incident Management Policy Information Security Incident Management Policy Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT Policy & Regulation

More information

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy Version History Author Approved Committee Version Status date Eddie Jefferson 09/15/2009 Full Governing 1.0 Final Version Body Eddie Jefferson 18/08/2012 Full Governing Body 2.0 Emended due to the change

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Internal Audit at the University of Cambridge.

Internal Audit at the University of Cambridge. Internal Audit at the University of Cambridge. Contents Introduction to Deloitte 1 Our team 2 What is Internal Audit? 4 Our approach to Internal Audit 5 Authority and reporting lines 7 Planning 8 Ad Hoc

More information

Information Incident Management Policy

Information Incident Management Policy Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit

More information

Data Access Request Service

Data Access Request Service Data Access Request Service Guidance Notes on Security Version: 4.0 Date: 01/04/2015 1 Copyright 2014, Health and Social Care Information Centre. Introduction This security guidance is for organisations

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY Appendix 1c DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY DISTRIBUTION LIST Audit Team Prakash Gohil, Audit Manager Steven Snaith, Risk

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

High level review of the general IT control environment

High level review of the general IT control environment High level review of the general IT control environment South Lakeland District Council 2012/13 Last updated 9 April 2013 Summary In January 2013 our information systems specialist performed a high level

More information

Information Security Policy for Associates and Contractors

Information Security Policy for Associates and Contractors Policy for Associates and Contractors Version: 1.12 Status: Issued Date: 30 July 2015 Reference: 61418080 Location: Livelink Review cycle: Annual Contents Introduction... 3 Purpose... 3 Scope... 3 Responsibilities...

More information

Coleg Gwent. Wireless Audit. Internal Audit Report (2.10/11) 23 May 2011. Overall Opinion: Amber Green

Coleg Gwent. Wireless Audit. Internal Audit Report (2.10/11) 23 May 2011. Overall Opinion: Amber Green Coleg Gwent Wireless Audit Internal Audit Report (2.10/11) 23 May 2011 Overall Opinion: Amber Green Coleg Gwent CONTENTS Section Page Executive Summary 1 Action Plan 5 Findings and Recommendations 10 Debrief

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Emerging threats for the healthcare industry: The BYOD. By Luca Sambucci www.deepsecurity.us

Emerging threats for the healthcare industry: The BYOD. By Luca Sambucci www.deepsecurity.us Emerging threats for the healthcare industry: The BYOD Revolution By Luca Sambucci www.deepsecurity.us Copyright 2013 Emerging threats for the healthcare industry: The BYOD REVOLUTION Copyright 2013 Luca

More information

Audit and Risk Management Committee. IT Security Update

Audit and Risk Management Committee. IT Security Update Audit and Risk Management Committee 26 th February 2015 IT Security Update Description of paper 1. The purpose of this paper is to update the Committee on current security issues and what steps are being

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Data Protection Act 1998. Bring your own device (BYOD)

Data Protection Act 1998. Bring your own device (BYOD) Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

Ixion Group Policy & Procedure. Remote Working

Ixion Group Policy & Procedure. Remote Working Ixion Group Policy & Procedure Remote Working Policy Statement The Ixion Group (Ixion) provide laptops and other mobile technology to employees who have a business requirement to work away from Ixion premises

More information

Remote Working - Remote and Mobile Computing Policy. Purpose 3. Strategic Aims 3. Introduction 3. Scope 5. Responsibilities 5.

Remote Working - Remote and Mobile Computing Policy. Purpose 3. Strategic Aims 3. Introduction 3. Scope 5. Responsibilities 5. Brigade Order Human Resources Brigade Order 3 Part 5 Section Title Remote Working - Remote and Mobile Computing Policy Contents No. Purpose 3 Strategic Aims 3 Introduction 3 Scope 5 Responsibilities 5

More information

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

Policy: Remote Working and Mobile Devices Policy

Policy: Remote Working and Mobile Devices Policy Policy: Remote Working and Mobile Devices Policy Exec Director lead Author/ lead Feedback on implementation to Clive Clarke SHSC Information Manager SHSC Information Manager Date of draft 16 February 2014

More information

Remote Access Policy

Remote Access Policy BASINGSTOKE AND NORTH HAMPSHIRE NHS FOUNDATION TRUST Remote Access Policy Summary This is a new document which sets out the policy for remote access to the Trust s network and systems. Remote access is

More information

SERVER, DESKTOP AND PORTABLE SECURITY. September 2014. Version 3.0

SERVER, DESKTOP AND PORTABLE SECURITY. September 2014. Version 3.0 SERVER, DESKTOP AND PORTABLE SECURITY September 2014 Version 3.0 Western Health and Social Care Trust Page 1 of 6 Server, Desktop and Portable Policy Title SERVER, DESKTOP AND PORTABLE SECURITY POLICY

More information

Bring Your Own Device Policy

Bring Your Own Device Policy Bring Your Own Device Policy Purpose of this Document This document describes acceptable use pertaining to using your own device whilst accessing University systems and services. This document will be

More information

Internal audit report Information Security / Data Protection review

Internal audit report Information Security / Data Protection review Audit Committee 29 September 2011 Internal audit report Information Security / Data Protection review Executive summary and recommendations Introduction Mazars have undertaken a review of Information Security

More information

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015 Identity & Management The Cloud Perspective Andrea Themistou 08 October 2015 Agenda Cloud Adoption Benefits & Risks Security Evolution for Cloud Adoption Securing Cloud Applications with IAM Securing Cloud

More information

Interim Audit Report. Borough of Broxbourne Audit 2010/11

Interim Audit Report. Borough of Broxbourne Audit 2010/11 Interim Audit Report Borough of Broxbourne Audit 2010/11 The Audit Commission is an independent watchdog, driving economy, efficiency and effectiveness in local public services to deliver better outcomes

More information

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF INTERNET- BASED NETWORK SECURITY

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF INTERNET- BASED NETWORK SECURITY Appendix 1c DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF INTERNET- BASED NETWORK SECURITY DISTRIBUTION LIST Audit Team David Esling, Head of Audit Assurance, Risk

More information

DBC 999 Incident Reporting Procedure

DBC 999 Incident Reporting Procedure DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 26/10/2015 HSCIC Audit of Data Sharing

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

Information Management Policy

Information Management Policy Information Management Policy Document Control Title Organisation Description Author(s) Information Management Policy London Legacy Development Corporation The Information Management Policy describes how

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

Physical Security Policy

Physical Security Policy Physical Security Policy Author: Policy & Strategy Team Version: 0.8 Date: January 2008 Version 0.8 Page 1 of 7 Document Control Information Document ID Document title Sefton Council Physical Security

More information

Use of tablet devices in NHS environments: Good Practice Guideline

Use of tablet devices in NHS environments: Good Practice Guideline Use of Tablet Devices in NHS environments: Good Practice Guidelines Programme NPFIT Document Record ID Key Sub-Prog / Project Technology Office Prog. Director Chris Wilber Status APPROVED Owner James Wood

More information

EA-ISP-012-Network Management Policy

EA-ISP-012-Network Management Policy Technology & Information Services EA-ISP-012-Network Management Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 01/04/2015 Document Security Level: PUBLIC Document Version: 1.00 Document Ref:

More information

USE OF PERSONAL MOBILE DEVICES POLICY

USE OF PERSONAL MOBILE DEVICES POLICY Policies and Procedures USE OF PERSONAL MOBILE DEVICES POLICY Date Approved by Information Strategy Group Version Issue Date Review Date Executive Lead Information Asset Owner Author 15.04.2014 1.0 01/08/2014

More information

ABERDARE COMMUNITY SCHOOL

ABERDARE COMMUNITY SCHOOL ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been

More information

Aberdeen City Council

Aberdeen City Council Aberdeen City Council Internal Audit Report Final Contract management arrangements within Social Care & Wellbeing 2013/2014 for Aberdeen City Council January 2014 Internal Audit KPI Targets Target Dates

More information

COMMERCIALISM INTEGRITY STEWARDSHIP. Remote Access and Mobile Working Policy & Guidance

COMMERCIALISM INTEGRITY STEWARDSHIP. Remote Access and Mobile Working Policy & Guidance Remote Access and Mobile Working Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Remote Access and

More information

IT Security Procedure

IT Security Procedure IT Security Procedure 1. Purpose This Procedure outlines the process for appropriate security measures throughout the West Coast District Health Board (WCDHB) Information Systems. 2. Application This Procedure

More information

The Ministry of Information & Communication Technology MICT

The Ministry of Information & Communication Technology MICT The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.

More information

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY OBJECTIVE To provide users with guidelines for the use of information technology resources provided by Council. SCOPE This policy

More information

INTERNAL AUDIT FINAL REPORT CNES FINANCE AND CORPORATE RESOURCES DEPARTMENT CLOUD IT SYSTEMS AND THE CRM SYSTEM OFFICIAL OFFICIAL

INTERNAL AUDIT FINAL REPORT CNES FINANCE AND CORPORATE RESOURCES DEPARTMENT CLOUD IT SYSTEMS AND THE CRM SYSTEM OFFICIAL OFFICIAL INTERNAL AUDIT FINAL REPORT CNES FINANCE AND CORPORATE RESOURCES DEPARTMENT CLOUD IT SYSTEMS AND THE CRM SYSTEM AUTHOR DISTRIBUTION David Beaton Director of Finance and Corporate Resources Internal Audit

More information

Information Security Code of Conduct

Information Security Code of Conduct Information Security Code of Conduct IT s up to us >Passwords > Anti-Virus > Security Locks >Email & Internet >Software >Aon Information >Data Protection >ID Badges > Contents Aon Information Security

More information

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,

More information

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 21/09/2015 HSCIC Audit of Data Sharing

More information

Mobile Devices Security Policy

Mobile Devices Security Policy Mobile Devices Security Policy 1.0 Policy Administration (for completion by Author) Document Title Mobile Devices Security Policy Document Category Policy ref. Status Policy Unique ref no. Issued by GSU

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

St Vincent s Catholic Primary School e-safety Policy

St Vincent s Catholic Primary School e-safety Policy St Vincent s Catholic Primary School e-safety Policy Policy e-safety Policy Date January 2015 Date of review January 2016 Signed Chair of Governors Signed Headteacher Effective Practice in e-safety E-safety

More information