LINCOLNSHIRE COUNTY COUNCIL. Information Security Policy Framework. Document No. 8. Policy V1.3

Transcription

1 LINCOLNSHIRE COUNTY COUNCIL Information Security Policy Framework Document No. 8 Policy V1.3

2 Document Control Reference V1.3 Policy Date 17 July 2015 Author Approved by Version History David Ingham Judith Hetherington Smith - Chief Information Officer Date Version Revision Notes Author Number 18 February 14 V 0.1 Initial Draft David Ingham 10 April 14 V 0.2 Minor amendments release for comment David Ingham 14 April 14 V 1 Amendments following HoIMT review David Ingham 4 June 14 V 1.1 Minor amendments following CIO review. David Ingham Addition of BPSS requirement 10 June 2015 V 1.2 Minor text corrections. David Ingham Para 4.5 amended. Clarification of forwarding and OWA access included Para 5.4 added. Para 14 added delegate access. Para 15 added accessing ex-employee accounts 17 July 2015 V1.3 Minor text amendments following CIO comment. Added para 17. David Ingham Contents Document Control Aim Introduction Scope General Principles confidentiality GCSX LCC Secure LCC standard Spam Virus transmission Unacceptable Use Personal Use Generic Accounts Delegate Access Accessing accounts of ex-employees management Further Information Document Reference: V1.3 Policy Page 2

3 1. Aim 1.1. The aim of this policy is to ensure that individuals are aware of their responsibilities when using Council This policy forms part of the LCC Information Security Policy Framework which contains a set of policies, procedures and standards designed to protect Council information and information assets. 2. Introduction 2.1. Electronic mail ( ) systems are provided by the Council to allow employees to communicate on behalf of the Council in an effective, efficient and timely manner However, can put the Council at risk from a number of threats. These range from information being obtained by unauthorised people, introduction of malicious software, and legal action caused by inappropriate use of the systems It is the responsibility of those who use Council to ensure that this technology is used for Council purposes in a manner which does not compromise the Council or its Users in any way. 3. Scope 3.1. The policy applies to every individual using Council provided including employees, members, contractors, consultants, suppliers, partnerships, and volunteers. 4. General Principles must not be considered to be any less formal than memos or letters that are sent out from the Council must not contain any material which would reflect poorly on the Council s reputation or its relationship with third parties Personal web-based accounts or home accounts must not be used to conduct Council business must not be auto-forwarded to non LCC corporate addresses as security of alternative addresses cannot be assured When using Outlook Web Access to access corporate information must not be transferred to/stored on a non LCC device. This is to ensure all corporate information is subject to corporate security controls. Document Reference: V1.3 Policy Page 3

4 4.6. Requests for information under the Data Protection Act or Freedom of Information Act may require that an is made public and therefore the confidentiality and privacy of s cannot be guaranteed s must only be transmitted by individuals using their own authorised account s which form part of a record must be subject to the Records Management Policy and must be subject to the appropriate retention and disposal schedules attachments should be stored within corporate systems i.e. IMP, Mosaic, and deleted from s Attempts to all LCC users will be blocked and automatically diverted to the Internal Communications team who are responsible for approving corporate s. 5. confidentiality 5.1. When sending an to more than one recipient and it is necessary to protect addresses the BCC (blind carbon copy) feature must be used i.e. when sending an external to multiple members of the public or multiple suppliers Care must be taken when addressing s and checks must be undertaken to ensure any /attachment is transmitted to the intended recipient Particular care must be taken if the client software auto-completes an address as the user begins typing the recipient's name s which contain personal data or information which can be defined as sensitive by the Council (information you would not want to be published in the public domain) must not be sent external to the Council unless a secure solution is used. Secure solutions are described below in paragraph 6 and In addition to using secure , attachments containing personal data or other sensitive information must be password protected where possible. This will prevent casual access if an is sent to the incorrect recipient Any incoming marked using the governments classification scheme e.g. Official must have their markings preserved and respected for any onward communication. 6. GCSX GCSX must be used to securely send personal data or sensitive information via to Government organisations that have a designated GCSX or equivalent address. Document Reference: V1.3 Policy Page 4

5 6.2. Equivalent addresses include: Local Government *gcsx.gov.uk NHS/Health *.nhs.net The Police National Network/Criminal Justice Service/Ministry of Justice *.pnn.police.uk *scn.gov.uk *cjsm.net Central Government *.x.gsi.gov.uk *.gsi.gov.uk *.gse.gov.uk 6.3. Users must be aware that sending an from a GCSX account to an address which does not meet the above criteria is insecure and must not be used to send personal data or sensitive information LCC Secure must be used as an alternative to GCSX when Government authorities or private organisations do not have access to a GCSX account or equivalent GCSX Mail must only be available from LCC corporate devices s delivered to GCSX accounts must not be auto forwarded to another account Applications for a GCSX account must be completed using the online GCSX e-form available on the Information Governance page on George Applications for a GCSX generic account must be completed by a Manager using the generic request e-form available on the Information Governance page on George Only staff with individual GCSX accounts must be allocated access to a generic GCSX account All users of GCSX (a PSN service) must be validated against the Baseline Personal Security Standard before an account is provided. 7. LCC Secure LCC Secure service must be used to transmit s containing personal data or sensitive information to external addresses when the recipient does not have access to a GCSX address or equivalent. Document Reference: V1.3 Policy Page 5

6 7.2. All Users must familiarise themselves with the LCC Secure service instructions before using it. Failure to do so may result in an being sent insecurely All Users must ensure intended recipients are provided with LCC Secure service instructions on initial use Instructions on the use of LCC Secure are available on the Information Governance Intranet page. 8. LCC standard LCC standard accounts i.e. lincolnshire.gov.uk must only be used to exchange personal data or sensitive information with other internal LCC standard addresses LCC standard accounts must not be used to send personal data or other sensitive information external to the Council. 9. Spam Spam , also known as junk , is unsolicited sent to numerous accounts. It can be used as a method of delivering malicious software by convincing a User to click on an executable attachment or on a link to a malicious website which has been quarantined by the technical controls on the Council Network must only be released if the User is confident it is a legitimate A User must not open an attachment or click on any link within any unless confident the is legitimate Spam must be deleted and must not be forwarded Users must not reply to spam nor must they attempt to remove the Council address from the mailing list as this confirms the existence of an address following a speculative Users must consider the consequences of providing an official Council address to a third party e.g. commercial website, as this can lead to spam Council addresses must only be provided for legitimate Council business purposes Technical measures will be implemented and maintained by the Council to prevent inbound s which contain executable files e.g. attachment. Document Reference: V1.3 Policy Page 6

7 10. Virus transmission is the most common way that viruses are transmitted between computers. The most common mechanism for this is in the form of an attachment to the message A User must not open an attachment or click on any link within any unless confident the is legitimate A User must be vigilant to malicious software when receiving attachments which contain compressed file formats, such as.zip and.rar. If in doubt a User must not open the attachment and must seek advice from the IT Service Desk A User must not forward any they suspect of containing a virus A User must contact the IT Service Desk if they believe they have received a virus via or a virus is present on their device If a virus is confirmed as being present on your device you must follow the instructions provided by the IT Service Desk. 11. Unacceptable Use Users must not unsolicited commercial or advertising material, chain letters, or other junk-mail of any kind, internally or to other organisations Users must not undertake activities that unreasonably waste staff effort or use networked resources, or activities that unreasonably serve to deny the service to other users Users must not create or transmit any offensive, obscene or indecent images, data, or other material, or any data capable of being resolved into obscene or indecent images or material Users must not create or transmit material which is designed or likely to cause annoyance, inconvenience or needless anxiety Users must not create or transmit material that is abusive or threatening to others, or serves to harass or bully others Users must not create or transmit material that either discriminates or encourages discrimination on racial or ethnic grounds, or on grounds of gender, sexual orientation, marital status, disability, political or religious beliefs Users must not create or transmit defamatory material Users must not create or transmit material which brings the Council into disrepute. Document Reference: V1.3 Policy Page 7

8 11.9. Users must not broadcast global s. This must be coordinated by the Council's communications team. 12. Personal Use You must not use corporate to send personal outside of the Council. Internal personal use of corporate must be reasonable, proportionate, and occasional, and must not interfere with the performance of your role or the performance of the system Personal use must not impact or interfere with your own performance at work or that of others Personal use must not include the use of personal accounts for Council business Personal use of must not conflict with "Unacceptable Use" as described in paragraph The Council may monitor usage to ensure compliance with this policy. 13. Generic Accounts A generic account for shared access must be provided only when a business case exists A generic account must have a designated owner who will be responsible for the account and for granting/revoking access rights to the account A generic account must only be used to send when there is a business need to do so as individual accounts must be used as the preferred method of communication. 14. Delegate Access Delegate access can allow another person to read, create or have full control over items in a User's inbox and is most commonly used between a manager and the relevant support staff. In this instance access must be provided following the identification of a clear business need Delegate access to accounts in other instances e.g. long term absence, must only be provided following a clear business need and only when authority is provided by the account owner or in their absence an appropriate senior manager Requests for delegate access must be documented by the authoriser Delegate access must not be provided by supplying details of a User account i.e. Username and password. Document Reference: V1.3 Policy Page 8

9 14.5. Delegate access must not allow the delegated person to write s from the delegated account. Responses to s must be sent from the delegates own account It must be the responsibility of the authoriser (owner of the account or senior manager) to request the removal of delegate access when a business need no longer exists Delegate access must be implemented as a temporary solution only based on business need unless it meets Accessing accounts of ex-employees There are occasions when access to business s of ex-employees is required and in each instance a robust business case must be provided Authority to access an ex-employees account must be provided by an appropriate manager and recorded by the IT Service Desk Unless the business case requires otherwise access must be time limited to 30 days The person accessing s must take reasonable precautions to avoid opening private s. If it becomes readily apparent that an is of a personal nature the reader must not open it or stop immediately if the has been opened Access must be provided by transferring s into a container of the relevant persons client Forwarding or redirecting s from an ex-employees account must be avoided management The use of a signature facility must be included as a sign off on s to ensure the recipient understands who they are communicating with and to provide additional contact details A message will automatically generate on s sent externally to the Council which includes a disclaimer. It must provide guidance to recipients should an be received in error The Out of Office assistant must be activated if you are unable to answer s. Alternative contact details must be provided for a line manager or colleague accounts must be managed by account holders to ensure the size of the mail box remains manageable. Document Reference: V1.3 Policy Page 9

10 16.5. All s which are corporate records must be moved to the appropriate corporate resource and must not be stored in personal accounts. 17. Further Information For further information or guidance please contact the Information Governance Team by at Document Reference: V1.3 Policy Page 10