Remote Access and Home Working Policy London Borough of Barnet

Transcription

1 Remote Access and Home Working Policy London Borough of Barnet DATA PROTECTION 11

2 Document Control POLICY NAME Remote Access and Home Working Policy Document Description This policy applies to home and remote working and remote access of the London Borough of Barnet (LBB) network. Document Author 1) Team and 2) Officer and contact details Status 1) Information Management Team 2) Lucy Martin, ext: 2029 Live Version 2.0 (Live/ Draft/ Withdrawn) Last Review Date June 2015 Next Review Due Date August 2016 Approval Chain: Head of Information Management Date Approved August 2015 Version Control Version no. Date Author Reason for New Version /10/13 Rachel Simon, Information Projects Assistant New policy /03/14 Victoria Blyth Review to incorporate business continuity and ownership of devices /06/15 Lucy Martin Rename from Remote Working Policy to Remote Access and Home Working Policy. Annual review & removal of requirement for authorisation to take equipment off site. Considerable changes made. DATA PROTECTION 11

3 Contents 1. Introduction Purpose and scope Remote / Home Working Remote Access Methods of remote access VPN on your LBB tablet or laptop Citrix on your LBB tablet or laptop Information security Confidentiality Electronic storage Taking paper records out of the office Data and devices in transit Working in public locations Network access overseas Responsibilities and liability Data incidents Insurance Business Continuity Policy review Additional policies and guidance DATA PROTECTION 21

4 1. Introduction The council provides officers with the ability and opportunity to work remotely and from home as and when appropriate to your role. This aligns with the council s vision to enable staff to work smarter, with greater flexibility and efficiency through the implementation of Smarter Working. Whilst clear benefits are recognised by increasing the use of mobile devices and working from home, we all need to be mindful of the additional security challenges and risks which will present themselves. This policy should be read in conjunction with the HR issued Home Working Policy, available under HR policies on the intranet. The HR Policy covers elements such as Health and Safety and insurance, which are not specifically addressed in this policy. This document forms part of the wider suite of Information Management policies concerning information management and security and must be adhered to at all times. 2. Purpose and scope This policy applies to all home and remote working arrangements including the remote access of the London Borough of Barnet (LBB) network. The purpose of this policy is to protect the information assets owned and used by the council; to protect other services or networks (to which the council is connected) from misuse; and to comply with all regulatory, legislative and internal policy requirements. This policy applies to all employees, Members, temporary staff, partners and any authorised third parties (suppliers and contractors) who have been permitted access to council data and / or users of computer services and equipment that are provided by LBB, or its ICT providers. Referred throughout the policy as officers or users. This policy is underpinned by risk management and users must be aware of and take mitigating actions to address any areas of risk. The user is responsible for ensuring confidentiality of work information outside the office (aside from IS related risks eg damage or loss of information due to malware, virus etc). Users are responsible for the safe usage and security of equipment, and records and systems in their possession. 3. Remote / Home Working Remote working may involve paper records or use of electronic devices to access the LBB network. You may only use a corporately managed machine (either owned or authorised by the London Borough of Barnet) to work on council information, to access council systems and the LBB network. 4

5 Users are reminded that corporately issued ICT equipment remains the property of LBB. Further guidance regarding acceptable ICT usage can be located in the Acceptable Use Policy. Examples of remote working situations include: Home working (formal or ad hoc arrangements) Working when on the move (eg on a train, during site visits) Working at rest (eg in a library) Working from the premises of customers, clients, delivery partners, contractors, or any other organisations. 4. Remote Access Remote access is where users gain access to the LBB network, their accounts, its systems and resources from remote locations. This must be via corporately managed devices, through the use of corporate BlackBerrys or smart phones, or corporately owned tablets (ipad) or laptops. In normal circumstances you should not attempt access from personally owned computers or other personally owned devices which are not specifically authorised. Any such attempt is a breach of policy. See section 11 Business Continuity for exceptions Methods of remote access You need to be connected to the internet to be able to access the LBB network remotely. You may use a home broadband or a public wireless network and an LBB corporate device. You may not attempt to access the LBB network using a non-approved device as this poses a security risk. The network can be accessed from a home broadband or a public wireless via VPN (Virtual Private Network) on LBB tablets or laptops or via the Citrix system on LBB tablets/laptops (to connect to the council s thin client (Citrix) remote access service).. You will have to provide your username, and a numeric pass-code followed by the numeric code generated by your RSA token. The RSA token is a small device which is used to provide staff with a high level of security access eg authentication of the person accessing the network, together with additional numeric pass-code. Take good care of the token and ensure you do not store your password and pass-code together. There is a charge if the device is lost and any loss must be reported immediately to the IT Service Desk as detailed in the Acceptable Use Policy. The VPN or Citrix client will check that the device you are using has the requisite level of anti-virus and that it meets the council s security requirements. Without this you will not gain access to the network. Should your device be subject to malware or virus attack while you are logged in to the LBB network the connection to the network may be dropped and you may be prevented from further access. Contact the IT Servicedesk if you suspect this has happened. 5

6 4.2. VPN on your LBB tablet or laptop See the user guide for accessing the network via Virtual Private Network (VPN). Contact IS service desk should you need a copy of this guide. VPN enables connection to the network using a private, exclusive link. With VPN, privacy is achieved by encryption, so when information leaves a computer/tablet it is encrypted. It is then sent via a private tunnel/pathway across the internet to a recipient computer /tablet where it is de-coded and received. No one can read the data whilst it is being transmitted, or change it in anyway. VPN should be the preferred method of connection for officers Citrix on your LBB tablet or laptop Citrix is a software client that lets you access the LBB network and your account, with all applications, and data. This is a virtualised version of your desktop, and a secure workspace. You can access the Citrix receiver via the Office Citrix icon pre-installed on your corporate device. If you cannot find this on your device contact the IS service desk for installation. 5. Information security Officers working at home or remotely are responsible for ensuring that all council information (both paper and electronic) is kept confidential and secure to prevent access by a third party. Even though you working in a different environment and aren t in the office, you are still required to adhere to all Information Management policies. Some key principles and guidance, specific to remote and home working are outlined below. For home working it is recommended that the work area of the house should be kept separate from the rest of the household. Always lock your laptop when leaving it unattended When leaving the house (even for a short period), your laptop must be shut down and all paperwork put away out of sight. Equipment should not be left where it would attract the interests of the opportunist thief. In the home it should also be located out of sight of the casual visitor, and paper record kept separate from valuables. VPN fobs / authentication tokens should be kept in a separate location from your laptop. 6

7 5.1. Confidentiality Never leave information accessible to other people eg family members, visitors, or members of the public. Paper files must be put away in a secure cabinet when not in use in the home. Where lockable cabinets are not available in the home, ensure all papers are kept out of sight and away from valuables. Refer to the Paper records Secure Handling and Transit Policy. Where printing facilities are available to you, ensure you do not leave papers lying on the printer and always clear paper jams so as not to inappropriately disclose information to others. Take care when making or receiving phone calls when working remotely. Be aware of what others close by may overhear Electronic storage Do not or divert s to a personal address in order to work on them remotely. Do not create or attempt to transfer council data on to your own home computer. Do not use USB data sticks, CDs or other removable media as portable temporary storage for electronic files and documents unless they have been appropriately encrypted. The Acceptable Use Policy provides further detail and must be followed at all times Taking paper records out of the office Confidential documents/materials or documents containing personal information, must not be taken out of the office without specific authorisation from a line manager. Taking paper records/hard copy material off-site should only happen when it is absolutely essential to do so and there is no alternative method for accessing the information or undertaking the work. Records should not be taken off-site just because it is convenient to do so. Where papers records/hard copy material have to be taken off-site, only the minimum amount of personal or other confidential data necessary for the job in hand should be removed and, where possible, data should be anonymised. The Paper Records Secure Handling and Transit Policy must be followed at all times Data and devices in transit Always shut down your device when in transit (even when only travelling for short journeys), to ensure encryption is engaged and the device is properly protected. Don t leave bags or cases containing paper files / tablet visible in a car; if it is unavoidable to store paper records/hard-copy material in a car, lock them in the boot. 7

8 Never leave your device or papers unattended on view in a vehicle. The council s equipment insurance does not cover incidences where tablets have been left in an unattended vehicle. If you do have to leave the device in a vehicle it must be locked in the boot. When travelling on public transport keep your bag/case containing council assets close by at all times. Items should not be placed in luggage racks or storage areas, as this increases the possibility of theft or the misplacing of the item. 6. Working in public locations When work is required to be done in any public environment care should be taken to ensure that no bystander could overlook any information displayed on the device or any user input (especially passwords). Consider purchasing a privacy screen for your laptop for use when working in a public place. The security and confidentiality of data and equipment must be considered at all times. Working in crowded locations (coffee shops for example) is inadvisable, and it is not recommended to access personal data unless absolutely necessary. 7. Network access overseas Access to the network when overseas: if a situation arises in which users need to take their device out of the UK they must first check with IS if this is appropriate, as it may put council information and the council network at risk. Some countries are banned from connecting to Public Services Network connected networks. Certain countries may confiscate encrypted devices on entry and/or force a user to enter passwords and bypass security. Confiscated devices may not be returned. Please contact the IT service desk itservicedesk@barnet.gov.uk to discuss your requirements and have roaming enabled on your device. 8. Responsibilities and liability Officers Officers must ensure they have line management approval to work remotely or from home. You are responsible for adopting appropriate and necessary security measures; ensuring that all council information (both paper and electronic) is kept confidential and secure to prevent access by a third party. Whilst working with council data, whether remotely or at home you are required to abide by all Information Management policies to ensure information is appropriately protected. 8

9 You are responsible for identifying to your line manager/hiring manager any concerns with work processes or other local arrangements that prevent you complying with this or any other IM policy. Line/hiring managers are responsible for ensuring that users are supported in complying with this policy. Line Managers You are responsible for ensuring your team members have appropriate mechanisms in place to minimise the potential loss/damage of council paperwork / documentation whilst in the home. You may need to agree that the provision of additional equipment will be necessary e.g. fire and tamper proof boxes, lockable filing cabinets or privacy screens for mobile devices, to ensure areas of risk are mitigated. 9. Data incidents The loss of a council owned device, such as laptop, ipad, tablet or BlackBerry, or a loss of paperwork whilst working at home or remotely must immediately be reported to: Your line manager IT Servicedesk on Information Management Team data.protection@barnet.gov.uk or call the police (obtain a crime reference number from the police, as this will be required for claim purposes) Insurance team on (only for the loss of equipment) Timeliness of reporting is vital to ensure measures are put in place to contain and mitigate any security risks or data loss. Every incident must be reported, logged and investigated as soon as it occurs. The Security and Data Protection Incident Management Policy on the intranet has full details of how to handle the loss or theft of council hardware or information. 10. Insurance The council s Employers and Public Liability Insurance arrangements will cover home and remote working in the same way as other employees. See the HR issued Home Working Policy, available under HR policies on the intranet for further details. Council property insurance will cover all council provided equipment and works on an "all risks" basis subject to policy terms and conditions. Tablets etc will be covered in transit and at home, unless left in an unattended vehicle. 9

10 Users shall not incur any liability provided that they take reasonable care of the property. 11. Business Continuity On a day to day basis the use of personally owned equipment or personal accounts for council business is forbidden. If working from home is required on either a regular or ad hoc basis this should only be conducted on council equipment. However, during business continuity incidents such as building failures or extreme weather it may be accepted that some council business could be conducted on personal equipment. Line Managers should discuss these requirements with IMT and seek appropriate sign-off as and when needed. Personal information must only be dealt with when absolutely necessary and not for the sake of convenience. Sensitive personal data (as defined by the Data Protection Act 1998, such as medical or equalities information) should never be sent to or processed using non-council provided equipment. Any use of personal accounts for business continuity purposes should copy in your work account to ensure that the council has an appropriate record of its business. Council data must be deleted from personal equipment and accounts as soon as the necessity to use personal equipment is over. It is expected that users will prepare for expected events such as tube strikes or forecast bad weather and take equipment home with the approval of their line manager if it is expected that attendance at work would not be possible. Users should still abide by this policy and the Acceptable Use Policy during business continuity incidents, and seek appropriate approval when exceptions to policy are required. 12. Policy review This policy will be reviewed on an annual basis or sooner as is required e.g. where there are changes in legislation, or recommended changes to improve best practice. 13. Additional policies and guidance This policy forms part of a suite of Information Management policies which are all available on the intranet. The policies provide further guidance on council information standards, data security and working practices which must be adhered to. 10

11 Further advice and guidance for staff is available from the Information Management Team. Address: Information Management Team London Borough of Barnet Building 2, North London Business Park Oakleigh Road South London N11 1NP Any additional advice or guidance regarding network access, connectivity and device related assistance is available from the IT Servicedesk. Tel No: (020)