Central Bedfordshire Council. IT Acceptable Use Policy. Version 1.7 January 2016 Not Protected. Not Protected Page 1 of 11

Transcription

1 Central Bedfordshire Council IT Acceptable Use Policy Version 1.7 January 2016 Not Protected Not Protected Page 1 of 11

2 Policy Approval Central Bedfordshire Council acknowledges that information is a valuable asset, it is therefore wholly in its interest to ensure that the information it holds, in whatever form, is appropriately governed, in terms of protecting the interests of all of its stakeholders. This policy and its supporting standards and work instructions supersedes any previous policy of the same name and are fully endorsed by the Corporate Management Team and the Executive under authority defined within Central Bedfordshire Councils Constitution, part H3 (SCHEME OF DELEGATION BY THE COUNCIL AND BY THE EXECUTIVE TO DIRECTORS AND OTHER OFFICERS), section , the through the production of these documents and their minuted approval. I trust that all officers, contractors and other relevant parties will, therefore, ensure that these are observed in order that we may contribute to the achievement of the Council s objectives and the delivery of effective services to our community. Chief Information Officer: (Senior Information Risk Owner) Date The current version of the Central Bedfordshire Council s IT Acceptable Use Policy is available from the website at Alternatively, a copy can be obtained by writing to the Information Governance Manager at: Central Bedfordshire Council Priory House Chicksands Shefford SG17 5TQ 1 Information and Communication Technology - To determine and issue to officers general standards and guidelines in the management and use of information technology and systems across the Council. Not Protected Page 2 of 11

3 CONTENTS 1 IT ACCEPTABLE USE POLICY INTRODUCTION PURPOSE INTENDED AUDIENCE SCOPE NON COMPLIANCE TELEPHONY INCOMING PERSONAL CALLS ON CBC PHONES OUTGOING PERSONAL CALLS FROM CBC PHONES MOBILE USE VOICE MAIL INTERNAL TELEPHONE DIRECTORY IDENTIFYING CALLERS SECURITY OF SYSTEMS AND INFORMATION SHARING OF LOGON PASSWORDS PASSWORDS EXCEPTIONS DELEGATING ACCESS TO COLLEAGUES PASSWORD SECURITY PIN SECURITY CLEAR SCREEN TERMINATION OF EMPLOYMENT DATA STORAGE UNAUTHORISED OR UNLICENSED COMPUTER SOFTWARE UNAUTHORISED COMPUTER HARDWARE COMPUTER VIRUSES... 9 NOT FORWARD WARNINGS OF NEW VIRUS OUTBREAKS TO OTHERS SECURITY INCIDENTS WORKING AWAY FROM THE OFFICE REMOTE ACCESS INTERNET AND INTERNET ACCESS BUSINESS PERSONAL USE OF Not Protected Page 3 of 11

4 1 IT Acceptable Use Policy 1.1 Introduction The digital age brings with it advantages as well as threats. If used correctly, computer and telephony services can provide local authorities with the ability to serve our citizens, customers and partners efficiently in an economical, secure, accessible and legally compliant manner. 1.2 Purpose This policy sets out the mandatory measures and requirements applicable to the use of the Council s IT systems It should be read in conjunction with Council policies, procedures and guidance covering: a) Information Governance b) Records Management c) Data Protection d) Freedom of Information e) Remote / teleworking f) Social Media g) Discipline. 1.3 Intended Audience This policy applies to all members, established employees, temporary employees, agency staff, authorised third party employees and consultants/contractors who are provided with access to any council provided IT service not designated as a public facility For the purpose of this policy these people will be termed users. Managers are responsible for ensuring all users under their control are aware of, understand and adhere to this policy. 1.4 Scope The Council provides IT resources to its users for business use. Personal use of IT resources is permitted within the constraints defined in this document, however use of the Councils IT resources to operate a personally owned business or for personal financial gain is unacceptable All access to council IT systems is based upon business need and related to the post held and role undertaken. Managers should satisfy themselves as to the suitability of candidates IT skills during the recruitment process and ensure IT training and skills needs analysis form part of ongoing staff management.. 2 A public website is a public facing facility, where an extranet or the corporate network is not Not Protected Page 4 of 11

5 1.4.3 In order to ensure the effective operation of this policy and to safeguard the organisation s greater interests, the Council reserves the right to use automated tools and selected manual intervention, where appropriate and necessary, to monitor usage of business IT systems and services in accordance with the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations All devices issued by CBC IT are for company use only with only incidental use in exceptional cases for personal needs. 1.5 Non Compliance Non Compliance with this framework and/or abuse of any electronic information, IT resources or breach of any of the IT Acceptable Use Policy clauses, may include disciplinary action up to and including termination of employment for staff. Sanctions imposed by the Council do not preclude possible criminal prosecution under relevant legislation. 2 Telephony The Council may provide users with a variety of telephony services, such as, desktop phones, mobiles, PDAs 3 /smart phones and voice mail services. 2.2 Incoming personal calls on CBC phones It may be necessary, on occasion, to receive incoming personal calls during work time. Providing the nature, frequency, call length or other aspects do not reach an unacceptable level that affect your performance in your role or that of your colleagues, this is acceptable. 2.3 Outgoing personal calls from CBC phones Council provided phones (fixed or mobile) may be utilised for outgoing personal use, subject to usage not becoming excessive. Users must not divert their office or mobile phone to their personal mobile Mobile use Users of Mobiles/smart-phones shall: a) Avoid the use of their personal devices for undertaking Council business in situations in which this is clearly inappropriate 5 b) Avoid using a mobile to discuss sensitive information in public places where possible 2.5 Voice Mail Users shall not: a) Leave messages containing sensitive information on voice mail. 3 Personal Digital Assistant 4 Due to the cost of forwarding calls across the mobile network 5 For example, if use of personal phone/number would lead to a failure to maintain appropriate professional boundaries between service users and staff Not Protected Page 5 of 11

6 b) Use it to screen incoming calls or to avoid answering calls unless there is a genuine need Internal Telephone Directory All users are provided with access to the internal telephone directory and are expected to ensure that their own entry is kept accurate. 2.7 Identifying Callers When using any voice communications, beware divulging sensitive information of a business or personal nature, unless you are: a) Sure of the other person s identity b) Confident you cannot be overheard by people other than work colleagues 3 Security of Systems and Information 3.1 Sharing of Logon Passwords Users shall: a) Keep their password secret b) Not write down their password c) Not allow anyone else to use a computer whilst logged on under their name d) Not attempt to access a computer system for which they have no authorised access Passwords Exceptions In emergency circumstances, access to an individual s account may be granted to their line manager, Internal Audit or other appropriate party (via password reset or other methods). The following controls shall apply: a) Written authorisation by an Assistant Director or Chief Officer giving a clear business justification for the access will be required b) The party gaining access to the account must abide by all relevant legislation, policies and guidance and only use the access for the specific purpose given in their justification IT administrators may have passwords and PINs that cannot be changed due to technology limitation. An emergency record of the password must be securely retained. 3.3 Delegating Access to Colleagues Managers must not divulge their personal passwords to their secretary or PA (Personal Assistant) as a means of delegating system access 6 This is important in providing good customer service for both internal and external facing roles alike 7 This is a criminal offence as defined in the Computer Misuse Act 1990 Not Protected Page 6 of 11

7 3.4 Password Security Computers identify an individual by their username and password. As the username is usually known or easily discoverable, the password is critical in authenticating 8 the user to the system. Users are therefore expected to take all reasonable steps to ensure that their password remains known only to them Personal passwords shall be: a) Changed at least every 42 days b) Changed whenever prompted by the system c) A mixture of upper and lower case letters and numbers d) A minimum of 8 characters in length e) Not obvious PIN Security Personal identification numbers may be issued with some mobile devices or authentication tokens to improve security. PINs shall be: a) Changed, where possible, from the default to something memorable b) Not simple ascending or descending sequences c) Not all the same digit Where the device allows the use of a password the measures for personal passwords shall apply. 3.6 Clear Screen Where possible Computer screens must be positioned on desks to avoid being overlooked by unauthorised persons A password protected screen save must be used by staff when they are away from their desk Staff must log off and shut down their machine at the end of the working day. 3.7 Termination of Employment Line managers must request that the IT Service Desk disables logon accounts in a timely manner for users that leave the organisation. 3.8 Data Storage 8 Authentication is the process to confirm the identity of an individual user as true, genuine and valid. For example a secret password known only to its user. 9 An attacker may try to recover a users password by guessing it based on their knowledge of the user or by using a dictionary based attack based on common names and words. Not Protected Page 7 of 11

8 3.8.1 Removable media represent a high risk with regard to virus infections, unauthorised data removal/transfer and data loss The Council shall actively restrict the availability of removable media by technical and physical controls Users shall : a) Store files on the network and not on local drives or removable media as these are not backed up b) Never store data on an unencrypted laptop drive or unencrypted removable media c) Hold information at a level of security appropriate to its classification d) Use their home drive (H:) on the network to store information to which access has to be restricted to their personal logon id e) Not attempt to use personally owned removable media Unauthorised or Unlicensed Computer Software Only approved, legal computer software may be used with Council IT systems. a) All requests to use new software products and Services must be raised through via the IT Service Desk b) All software must be purchased and approved by the IT service unless written permission is given to the contrary by the CIO 11 c) Users must not attempt to purchase, download or install software themselves on CBC IT equipment 12 d) The use of Microsoft Access within the organisation is forbidden, unless explicitly authorised in writing by IT Unauthorised Computer Hardware Only hardware approved by IT may be used with the Councils IT systems Users shall not: a) Attempt to purchase or install hardware themselves, irrespective of how it is intended to be used b) Connect any personally owned equipment to Council equipment, including USB ports and network ports. c) Attempt to access services on the PSN network from a personally owned device 10 Contact the IT Service Desk for authorised encrypted media if a business requirement exists 11 This is to ensure that the product is compatible with the Councils technical infrastructure. It may prove impossible for IT to support software that has not been checked by IT for compatibility 12 This includes commercial demos/trials, screensavers, shareware / freeware / OpenSource or software downloaded from the internet (including unlicensed music or video material) or drivers to connect devices (such as ipod s or phones) to your computer. Not Protected Page 8 of 11

9 Where there is a corporate need to connect devices to equipment, this must be approved by IT and will usually be performed by IT. For example, exceptions will be made to allow third party IT solution/support providers to install hardware and software on behalf of the Council Computer Viruses To protect the Council from disruption caused by malicious software all computers shall have anti virus software installed and actively running Users shall: a) Never attempt to disable the anti virus protection b) Report viruses and suspected virus incidents to the IT Service Desk c) Follow any instructions given by IT regarding not using a PC/laptop with a suspected virus infection whilst it contains the infection d) Virus check any removable media from an external source before transferring any data from it onto a council systems 3.12 Not forward warnings of new virus outbreaks to others Security Incidents If staff detect, suspect or witness an incident that may be a breach of this IT acceptable use policy, a loss of confidentiality, a near miss or an obvious security weakness then they must report it to the IT Service Desk and their line manager, stating clearly that they believe it to be a security incident Working Away From the Office Users shall: a) Not take council equipment or data offsite without good reason b) Ensure that they sign for any portable/mobile equipment that they require to undertake their role c) Ensure that they have appropriate authorisations to transport, transfer or transmit data d) Ensure that any sensitive data on CBC portable equipment or media is encrypted Make a note of the make model and serial number of portable equipment and keep this separate from the equipment itself 13 e) Report all losses/thefts of portable equipment to your line manager and the IT Service Desk promptly. Also report the incident to the Police if the equipment was lost / stolen whilst off site Remote Access Remote working increases the risk of theft, loss, damage to equipment, tampering, interception of communications and access by unauthorised parties, therefore additional safeguards, proportionate to the increased risk must be implemented and observed. 13 This includes information on laptop hard drives, transferred by or removable media (CD-Rs, DVD-Rs, diskettes, USB memory sticks, SD cards etc) Not Protected Page 9 of 11

10 Remote users must: a) Not use personally owned IT equipment to access CBC systems except via a CBC IT approved remote access solution to the corporate network b) Not store their two factor authentication token with the equipment used to access the CBC network remotely, especially when mobile c) Use 3G broadband rather than use public WiFi hotspots to access the CBC network when mobile working using a CBC supplied laptop 14 d) Ensure that CBC laptops are kept physically secure when unattended e) Co-operate on returning equipment to IT in the event that problems cannot be fixed remotely Users must not: a) Take CBC IT equipment out of the UK or attempt to access the CBC network from a foreign country b) Move CBC provided thin clients (A thin client (sometimes also called a lean, zero or slim client) is a computer or a computer program that depends heavily on another computer (its server) to fulfill its computational roles) to another part of their home without the prior consent of their manager 15 c) Allow other members of their household to use any of the CBC provided equipment. This includes, but is not limited to thin clients, PCs, laptops, routers, printers, encrypted media, scanners and faxes d) Unplug any CBC provided home router and substitute their own e) Attempt to use their own computer equipment to access Council systems that contain personal data for which the Council is not identified as the data controller. 4 Internet and 4.1 Internet Access Unacceptable internet usage shall be only that which is in breach of the officer s code of conduct and/or the Council s constitution IT may block some sites in order to protect the organisation or its staff, such as those hosting malicious software or that are illegal to view Business is not a secure means of communication. It does not provide immediate or guaranteed delivery. All s sent or received from the Council s systems are the property of the Council. All messages will be unpacked and scanned for viruses as they arrive or leave the Council. 14 It is acceptable to use a WiFi enabled router with WPA or WPA2 encryption at home 15 Moving equipment has implication for compliance with health and safety regulations, security and can create unnecessary IT support work 16 Some site may be illegal to view under existing UK legislation Not Protected Page 10 of 11

11 4.2.2 Users of Council shall: a) Except for Not Protected s clearly indicate the sensitivity of their message content in the subject line of all to indicate to the recipient how you expect them to handle the information b) Use the delegation functionality in to grant or rescind access c) Use Private calendar appointments where the subject of meeting indicates confidentiality is of concern d) Treat as permanent written records which may be read by persons other than the addressee e) Review their mailbox regularly and delete unnecessary messages f) Treat unsolicited s from unknown sources with suspicion g) Electronically retain relevant s in a structured manner according to their retention schedule h) Treat both s and attachments in the same way, where corporate decisions or advice are being given or discussed Users of Council shall not: a) Send outbound from generic accounts set up to receive incoming only b) Forward chain or joke s to others c) Rename attachments 18 or password protect attachments to evade malicious software scanning. d) Use non GCSx where use of GCSx is clearly appropriate e) Not seek to gain access to another users mailbox without either their consent or the written approval of an Assistant Director 4.3 Personal use of Staff may use the corporate system for personal use, provided such use does not breach the officer s code of conduct and/or the Council s constitution. DECLARATION I confirm that I have read and understood and will abide by the Central Bedfordshire Council IT Acceptable Use Policy and the Information Security Procedures. I accept that my usage of IT systems will be monitored and that I have no expectation of privacy as a result of any such usage. I understand that breach of these policies could result in disciplinary action. Name:... Signed:... Date: Such information is often subject to disclosure under the Freedom of Information Act until any formal specified destruction date is reached under an approved retention schedule. 18 Sometimes referred to as attachment spoofing Not Protected Page 11 of 11