Ealing Council Corporate Information and Data Security Policy

Transcription

1 Appendix 3 Ealing Council Corporate Information and Data Security Policy Classification: Internal Use Date Created: July 2008 Policy Ref: INFOSEC Author: Information & Data Management Owner: Business Services Group

2 Version Control Document Change Control Date Change Description Release Version 16/02/02 Initial document creation /07/08 Rewrite 2.02 Distribution This document has been distributed to: Name Title / Role Date of Issue Version Diane Malpass Head of Information & Data Management 28/07/ Clementine Knowledge Manager 28/07/ Adewumni Darren Bestley GIS Manager 28/07/ Paul Brill Process & Data Manager 28/07/ Mick Coppard Head of Strategy 28/07/ Mark Newton Head of Service Ealing 29/07/ Helen Harris Head of Legal Services 29/07/ Teresa Bengey Head of Audit & Investigation 29/07/ Jacqueline Wiltshire Director of Human Resources 29/07/ Anthony Kemp Director of Business Services Group 29/07/ CIDM Governance Board Diane Malpass Head of Corporate Information & Data Management (Chair CIDMGB) Mary Umrigar Social Services (Caldicot Guardian Member CIDMGB) Tim Moore Interim Head Client Management & Performance, Regeneration & Housing (Member CIDMGB) Nick Senior Business Manager, Legal & Democratic Services (Member CIDMGB) Polly Hicks Head of Improvement, Innovation and Information, Human Resources (core) (Member CIDMGB) Tim Yarnell Improvement Manager, Policy & Performance (Member CIDMGB) Alison Reynolds Interim Customer Services Director, Customer Services (Member CIDMGB) Polly Hicks Head of Improvement, Innovation and Information, Human Resources (core) (Member CIDMGB) Clementine Adewunmi Knowledge Manager, Information & Data Management Kastur Ashani Governance & Data Quality Manager Policy Approved By Title/Role Name Date approved Version Corporate Information & data Chair - see minutes of xx.xx Management Governance Board meeting Corporate Board Chief Executive see xx.xx minutes of meeting Cabinet Chair see minutes of meeting xx.xx I

3 Foreword In our business dealings with the Public, Partner Agencies and other organisations, we are entrusted with all types of information and data, from confidential to highly sensitive and personal information. The Council has a duty of care to ensure that the information and data it is entrusted with is responsibly maintained ensuring it is accurate, complete, relevant, kept up-to-date, reliable, authentic and stored extremely safely and securely. This policy also applies to the council s property portfolio and the physical security aspects associated with the effective management of buildings. The Government s agenda to transform the delivery and accessibility of public services by increasing the use of information and communications technology has created challenges for all local authorities in the way they manage, control and secure their information, data and associated information systems. Privacy legislation such as the Data Protection Act 1998, and the Human Right Acts 1998, are also fuelling demand for much improved information and data security practices. In recent months we have seen significant Information and data losses come to light that have encompassed both the public and the private sector. These losses have prompted Central Government to commission a number of reviews around Information and Data, the result, a plethora of information, recommendations, legislation and guidelines to review and consider how to implement. The Council places significant importance on the safety and security of information and data within its control and is currently building on its existing corporate Information and Data Management Policies and security aspects of its technical infrastructure, to ensure it keeps ahead of the rapid changes in today s age of progressive technology. The council s strategy for information and data security is standards based, working towards the implementation and accreditation with the International Standard for Information security known as ISO that provides a robust framework, which is measurable. We are currently developing an Information & Data Management Policy Framework to support ISO The Policy framework will provide the foundation, which we build on to meet our desired goal. This is the first policy to be developed within this framework. The Council welcomes and fully supports this policy, which places a responsibility and duty of care upon everyone who accesses, handles, stores, manipulates and processes data on behalf its behalf to ensure the responsible handling of the information and data they are entrusted with. Darra Singh, Chief Executive. II

4 1. Introduction Information, data and their processing systems are considered to be valuable assets of an organisation as they form the foundation upon which business decisions are made which leads to more efficient and effective service delivery, ultimately enhancing corporate performance. As the custodian of a large volume of information and data assets ranging from confidential to highly sensitive and personal information, the Council has a fundamental duty of care to protect them from unauthorised or accidental disclosure, unauthorised modification, loss, release or damage. The main objective of information and data security is to protect information and data assets from hazards and threats, as failure to do so could result in a loss of: o Confidentiality the accidental or unauthorised disclosure of information & data; o Integrity unauthorised modification or destruction of information and data; and o Availability the continuity of business processes and their recoverability in the event of a major disruption. The loss of confidentiality, integrity and availability (CIA), may in turn have an adverse impact on the efficiency of the Council s operations and ultimately, its reputation. Legislation, such as The Data Protection Act 1998 and The Freedom of Information Act 2000, are also key drivers in the protection of information and data assets, which places an obligation on the Council, to strike a balance between the perspectives of access and openness against their confidentiality, privacy and security. The Council s strategy to ensure the safe and secure management and handling of these extremely important assets is standards based. The Council has committed to the adoption, implementation and accreditation with the International Standard ISO for Information Security. ISO is achievable, measurable and demonstrable. The development of this policy supports ISO 27001; its implementation will lead to a robust corporate information and data management foundation and ICT infrastructure. The purpose of this high-level Information and Data Security Policy is to: Provide management direction and support for information and data security across the Council; Provide a robust, standards based framework for securing the information and data assets owned, leased or hired by the Council; Meet legislative and regulatory requirements (see appendix A); Clearly define the requirements for the use of information and data assets, ensuring that information assets are processed, handled and managed securely and accountability is evident; Identify the essential safeguards and controls that need to be put in place and provide adequate resources to minimise the risk of a security breach; Ensure the continuity of the Council and its services to its customers and business partners; Ensure that the principles of information and data security are consistently and effectively applied during the planning and development of Council activities; and Inform all people and businesses who have access to Council information and data assets of their responsibilities and obligations with respect to security and safe keeping of them. 1

5 Scope This policy applies to: All users of Council information, data, information systems and the council s property portfolio (its physical buildings), including service providers and consultants and encompasses data, information, software, systems, paper documents and personnel (see Appendix B). Policy Statement The Council will establish and maintain an information and data security management framework that will incorporate policies, procedures and processes to include organisational, technical and operational safeguards in order to preserve the CIA of its information and data assets aligning them with the international standard for Information Security Management, ISO The following measures will be implemented to support this policy. Where specific supporting information security policies are referenced within this policy, these documents will form part of the Corporate Information and Data Security Policy and are given equal significance: Organisational security A consolidated information and data and ICT strategy has been developed which promotes the implementation of a standards based approach to information and data security ISO Information security management. A corporate information and data management governance board will be established; membership will include a senior manager representative from each directorate to ensure communication, collaboration and cooperation with corporate colleagues. (See Appendix C); An independent review of the implementation of this policy will be undertaken periodically. Asset management To enable appropriate management and control, all information and data assets will be inventoried, allocated an owner, classified and labelled appropriately in accordance with the Corporate Information Asset Management, Classification and Control Policy; To determine the appropriate level of security measures to be applied, all information and data assets will be evaluated to determine their value and importance to the Council. To identify the threats associated with the information and data assets, the probability and impact of security failures that will enable selection of the appropriate control measure in accordance with the Corporate Information and Data Risk Management Policy; 2

6 Human resource security To reduce the risk of misuse, fraud, abuse, theft or human error by those employed by the Council, security responsibilities will be defined within all job descriptions; To minimise the likelihood of employing personnel who may pose a risk to the security of confidential information and data and key information systems, appropriate screening will be undertaken in accordance with the Corporate Human Resources Policy; Appropriate security awareness and training will be provided to all employees and users of all information and data assets and information systems in accordance with the Corporate Information Security Awareness and Training Policy; Procedures will be put in place to ensure the prompt removal of access rights and the return of information and data assets, information and data systems and access to buildings when an employee leaves the organisation; Physical and environmental security Appropriate physical and environmental controls will be implemented to prevent unauthorised access or damage to, loss or theft of, interference or interruption to the Council s information assets in accordance with the Corporate Physical and Environmental Security Policy; Information systems that process critical, sensitive or high availability information (as defined by the corporate Information Asset Management, Classification and Control Policy) will be located within secure areas; Use of Mobile Devices Abroad Generally, the use of Ealing Council devices will not be allowed abroad. In the extreme exception, the Head of department whose staff need to take Ealing Council mobile devices abroad, must submit a formal written request to the Head of Information & Data Management, prior to the event, to carry and use Ealing Council mobile devices abroad, these include (memory sticks, laptops, CD s, discs, tapes and hand held devices that is capable of storing corporate information and data. The request will be considered by the Head of Information and Data Management in conjunction with the Head of Service Ealing (ICT), to ensure the Council s business can be carried out abroad as safely and securely as possible through the use of intelligent encryption software or locking down devices, in whichever means is deemed most appropriate to the security and integrity of the councils information, data and systems. Communications and operations management To ensure the correct and secure operation of information and data processing systems and entry into the councils physical buildings, all procedures and processes will be fully documented, reviewed and updated on a annual basis; Third-party service delivery will be managed and monitored to ensure that information and data security controls are maintained; In accordance with the following corporate policies: o Virus Protection Policy; o Security Patching Policy; o Backup & Recovery Policy; and 3

7 o Change Control Policy The appropriate processes and procedures will be implemented to minimise the risk of systems failure; Controls will be implemented to protect the councils information and data and the infrastructure which they reside within from threats and will maintain the security Council s network in accordance with the Network Configuration Management Policy The handling, storage and exchange of information and the media it is held on will be governed by its classification in accordance with the Information and Data Asset Management, Classification and Control Policy, Data Handling Policy and ecommunications Policy; Information and data involved in electronic commerce or is published electronically, will be governed by the corporate ecommerce and Web Publishing Policy. Information processing activities will be logged and monitored with regular reviews being undertaken in accordance with the Audit Logging and Monitoring Policy and Intrusion Detection Policy. Access control Access to information and data assets will be managed in accordance to the Access Control and User Account Management Policy, Password and Authentication Policy and the Third-party Access Policy; Guidelines that support good security practises in the selection of passwords and the use of information assets will be developed and circulated to all Users; Controls will be implemented to manage and control remote access to the Council s information and data assets in accordance with the Mobile Computing and Remote Working Policy; Information systems acquisitions, development and maintenance Security requirements and controls will be detailed within the specifications for new information and data processing applications or enhancements to existing applications; All applications implemented will have controls governing the input, processing and output of information and data to ensure its accuracy, integrity, confidentiality, completeness and availability and importantly, its quality; To protect the confidentiality and integrity of information and data and to validate authenticity cryptographic which means - Public key encryption. This is when a message is encrypted with a recipient's public key which cannot be decrypted by anyone except the recipient possessing the corresponding private key. This is used to ensure confidentiality and is in accordance with the corporate Information and data asset Management, Classification and Control Policy and the Cryptography and Encryption Policy. In accordance with legislative requirements the use and control of application software will be governed by the corporate Software Licence Compliance Policy; 4

8 Procedures and controls will govern the development, maintenance and support of application system software; Appropriate measures will be taken to reduce the risk of exploitation of technical vulnerabilities. Information Security Incident Management Information security incidents, events and weaknesses will be investigated and responded to inline with the corporate Information and Data Security Incident Management Policy; Procedures and processes will be documented to ensure a consistent approach is applied to the investigation of all incidents, events and weakness reported or discovered; Business Continuity Management A business continuity management framework will be maintained in accordance with the corporate Business Continuity Management Policy. All business processes will be risk assessed to identify any threats and the possible impact they could have on the provision of services. Plans will be drawn up that detail how operations will be maintained or restored should those failures occur. Testing of plans will be undertaken on a regular basis; Compliance Appropriate measures will be implemented that support the Council s compliance with statutory and regulatory requirements relevant to information and data security (Appendix A); Adherence to procedures, processes and standards that support the implementation of the security polices will be reviewed periodically. Failure to comply will be considered a security breach which will be subject to an investigation and possible further action being taken Security policies will be reviewed annually. They will be amended in response to changes in legal and operational requirements to ensure the controls remain relevant and effective. Changes to policy can also be requested by completing the policy change request form; Exemption to any security policy will be stated within the specific security policy, where an operational function thinks there is a justifiable reason it cannot comply with a specific area within a policy, a policy exemption must be requested using the policy exemption request form, available from the Information and Data Management Compliance Team. Roles and Responsibilities Chief Executive The Chief Executive has overall responsibility for all matters of security within the Council. This responsibility is delegated to the following: - Corporate Board is responsible for ensuring that: Mechanisms are in place to comply with all legislative and regulatory requirements in respect of information and data security; 5

9 They endorse this and all supporting Information and Data Management policies; and Their endorsement is communicated to all users of the Council s information and data assets; The Executive Director of Corporate Resources Delegates responsibility for all matters of security to the Director, Business Services Group; The Director of Business Services Group delegates day to day responsibility for all matters of information and data management security to the Head of Information and Data Management; The Head of Information and Data Management is responsible for: Chairing the Information and Data Management Governance Board; Providing regular update reports to the Corporate Board and the Information and Data Management Member Champion; Ensuring that the corporate board and cabinet approve all corporate information and data management policies. Developing a consolidated Information and Data Management and ICT Strategy that actively promotes compliance with the International Security Standard ISO (formerly known as BS 7799); An Information and Data Management Policy Framework is developed to support ISO 27001; The development, production and communication of standards, procedures and guidelines to support the implementation of this and all supporting Information and Data Management Policies; Monitoring day-to-day compliance with this and all supporting information and Data Management policies; The on-going review of the effectiveness of this and all supporting information and Data Management policies; Corporate Information and Data Management Governance Board (CIDMGB) - is accountable to the Corporate Board. CIDMGB membership will comprise a senior manager from each directorate, their remit to review, amend and agree the corporate Information and Data Management Policy Framework prior to it being submitted to corporate board and cabinet for final approval and ratification. For clarity, the full suite of documents will be developed entirely by the corporate Information and data management department and then submitted to the IDMGB for review. The CIDMGB is responsible for: 6

10 Reviewing, amending and agreeing the content of the corporate Information and Data Management Policies on behalf of their directorate (see attached terms of reference); The promotion and clear communication of this and all supporting corporate Information and Data Management Framework Policies to their directorate Senior Management Teams and cascading these corporate documents to all users of the Council s information and data assets within their specific directorates. Ensuring the promotion and implementation of this policy and all other corporate Information and Data Management Policies within their directorates cascading policies to their senior management teams and then on to operational staff for implementation; The Head of Service Ealing is responsible for: The implementation of the appropriate technical and operational controls to protect the services, technical platforms and communications infrastructure that transport information ensuring alignment with the approved consolidated Information and Data Management and ICT Strategy and ISO Information Security standard; Advising information and data owners on the appropriate technical and operational solutions defined within the approved consolidated Information and Data Management and ICT Strategy; The Head of property services is responsible for: The physical and environmental security of the council s property portfolio where information, data and information systems reside. The Director of Human Resources is responsible for: Ensuring there are adequate procedures and processes in place to support human resources security; Incorporating the appropriate confidentiality agreements in contracts and terms and conditions of employment; The development, deployment and training of the Council workforce with regard to information security competencies Supporting training initiatives on information security, data protection, freedom of information and Caldicott. Ensuring that that all personnel are fully informed of their obligations and responsibilities with respect to standards, guidelines and procedures; The Caldicott Guardian is responsible for: Complying with the principles of the Caldicott Report and the implementation of the Social Care Information Governance Toolkit, which supports the continual improvement in the handling and protection of patient-identifiable (personal) information. 7

11 Executive Directors, Service Directors, Service Heads are responsible for: Identifying and managing all security risks to business activities performed under their management. They must ensure that the appropriate corporate information and data management and security policies, standards, procedures, guidelines and mechanisms are complied with in the performance of those activities. All personnel whether employees, contractors, consultants or business partners, must observe and comply with this policy and all supporting information security policies and the standards, procedures, guidelines and mechanisms put in place to implement these policies. They are to play an active role in protecting the information assets of the Council. They must not access or operate these assets without authority and must report security breaches or exposures that have come to their attention, in line with those policies and documented procedures. 8

12 Legal Framework Appendix A The following acts relate to the security and confidentiality of and access to information resources/assets and the use of information systems, the most significant legislation in this area is detailed below: The Data Protection Act governs how personal data should be processed, by laying down 8 principles of good data handling practice. The Act gives living Individuals the right to confidentiality and security for their information and also the right to access it. Human Rights sets out a number of rights and fundamental freedoms particularly the right to respect for private and family life. (Individual rights to privacy for themselves and their family members) Copyright, Designs and Patents Act makes it illegal to copy or use software without the owner s permission. Also see Copyright, etc. and Trade Marks (Offences and Enforcement) Act 2002 which increased the penalties. Computer Misuse Act Makes it an offence for any person to gain unauthorised access to information on a computer or make unauthorised modifications to or facilitate a crime using a computer. Also see Police & Justice Act 2006 which increased the penalties. Freedom of Information Act 2000 promotes the individuals right of access to general information held by public authorities. The Regulation of Investigatory Powers Act This Act regulates the interception of communications by public or private telecommunication systems. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations these regulations dilute the requirements of RIPA and allow certain monitoring in the course of legitimate business practice. The public Interest disclosures Act known as the "the Whistle Blowers Act" protects employees who make a "Protected Disclosure". Protection of Children Act 1978; Criminal Justice Act 1988 These Acts make it a criminal offence to distribute or possess scanned, digital or computer-generated facsimile photographs of a child under 16 that are indecent. Common Law Duty of Confidentiality- unless there is a statutory requirement or a public interest justification, confidential information should only be used for those purposes that the provider of the information has been informed about and has consented to, either implicitly or explicitly. Waste Electrical and Electronic Equipment (WEEE) Directive promotes the eco-friendly disposal of electrical goods as well as goods containing electrical components. The Privacy and Electronic Communications (EC Directive) Regulations defines the rules on electronic marketing. All policies and their implementation will comply with the above acts as well as any relevant employment legislation and occupational health and safety regulations 9

13 Definitions Apprendix B Information resources/assets Facilities includes all equipment, as well as the physical and environmental infrastructure: Computer processors of all sizes, whether general or special purpose, and including personal computers; Peripherals, workstation, terminal equipment, mobile phones and blackberry s; Telecommunications and data communications cabling and equipment; Local and wide area network equipment; Environmental control systems, including air-conditioning and other cooling equipment, Alarms, and safety equipment; Required utility services, including electricity, gas and water; and Buildings and building improvements accommodating personnel and equipment Data includes both raw and processed data: Electronic data files, regardless of their storage media and including hard copies and data otherwise in transit; and Information derived from processed data, regardless of the storage or presentation media, including data and images held on peripherals. Software includes locally developed programs and those acquired from external sources: Operating system software and associated utility and support programs; Application enabling software, including database management, telecommunications and networking software; and Application software. Paper documents includes systems documentation, user manuals, continuity plans, contracts, minutes, agendas, service plans, reports, guidelines and procedures. Personnel include employees, members, contractors, consultants, service providers, representatives of customers and other bodies that access the Council s information and data. Cryptography Protecting the confidentiality of information by transforming it (encrypting it) into and unreadable format called cipher text. Only those who have the key can decipher (decrypt it) the information back into plain text. 10