MRC Information Security Policy. Issued 10 September 2010. Version 1.2.


Contents

Policy statement
1. Overarching Security Statement
2. Introduction
3. Scope
4. Security policy
5. Organisation of information security
6. External parties
7. Asset management
8. Human resource security
9. Physical and environmental security
10. Communications and operations management
11. Access control
12. Information systems acquisition, development and maintenance
13. Information security incident management
14. Business continuity management
15. Compliance
16. Effective date
17. Review date
18. Amendment history
Appendix 1: MRC operational policy template

Document Control Summary

Title: MRC Information Security Policy
Electronic file reference (network or intranet):
Status: Final approval
Version No.: 1.2
Date of this Document: 10th September 2010
Author(s): Information Security Team
Owner: Information Technology Security Officer
Approved by (names, titles and date): Operations Board
Next Review Date: October 2011
Equality Impact Assessment: Completed in April 2010

Policy statement

The confidentiality, security and accurate processing of data are matters of great importance to the Medical Research Council. Failure in any of these, or delays and disruption of computer processing, can result in disruption to the services of the MRC, loss of public confidence, and financial or other material losses. The objective of the information security policy is to ensure business continuity and minimise business damage by preventing and minimising the impact of information security incidents. The Medical Research Council is committed to good information security provision for its stakeholders and for its employees.

1. Overarching Security Statement

Protective Security, including physical, personnel and information security, is an essential enabler to making government work better. Security risks must be managed effectively, collectively and proportionately, to achieve a secure and confident working environment.

1.1 The confidentiality, security and accurate processing of data are matters of great importance to the Medical Research Council. Failure in any of these, or delays or curtailment of computer processing, can result in disruption to the services of the MRC, loss of public confidence, and financial or other material losses. The objective of the information security policy is to ensure business continuity and minimise business damage by preventing and minimising the impact of information security incidents. The Medical Research Council is committed to good information security provision for its stakeholders and for its employees.

1.2 Goals

The goals of the MRC, in relation to Information Security, are:
- To identify, through appropriate risk assessment, the value of information assets and to understand their vulnerabilities and the threats that may expose them to risk.
- To manage the risks to an acceptable level through the design, implementation and maintenance of a formal Information Security Management System.
- To comply with legislation including:
  o The Data Protection Act 1998
  o The Freedom of Information Act 2000
  o Public Interest Disclosure Act 1998
  o Defamation Act 1996
  o Companies Act 1985
  o Computer Misuse Act 1990
  o Copyright, Designs and Patents Act 1988 (as amended by the Copyright (Computer Programs) Regulations 1992)
  o Electronic Communications Act 2000
  o Telecommunications Act 1984
  o The Regulation of Investigatory Powers Act 2000
  o Obscene Publications Act 1959
  o Protection of Children Act 1978
  o Criminal Justice Act 1988
  o Protection from Harassment Act 1997
  o Sex Discrimination Act 1975
  o Race Relations Act 1976
  o Human Rights Act
- To comply with contract conditions.
- To comply with the Council's corporate objectives.

1.3 Obligations

There are nine general principles that provide guidance in the security of information. These are:
- Accountability: the responsibility and accountability of information/data owners, information/data providers, users and other parties concerned with the security of information should be explicit.
- Awareness: to foster confidence in information systems, owners, providers and users shall have access to all documentation about information security policies and procedures.
- Ethics: in the provision of information systems and the establishment of information security, the rights and legitimate interests of the organisation's personnel and its stakeholders shall be respected.
- Business Perspectives: security processes shall take account of and address the relevant business considerations and viewpoints; these include commercial, technical, administrative, organisational, operational, political, and legal/statutory aspects.
- Proportionality: the level and cost of security processes shall be appropriate and proportionate to the value of and degree of reliance on information systems, and to the severity, probability and extent of potential or actual harm to the Council.
- Integration: security processes shall be co-ordinated and integrated with each other and with other measures, procedures and practices of the Council to create a coherent system of information security.
- Timeliness: action to respond to an information security breach shall be timely and co-ordinated, to prevent and overcome the breach of security.
- Reassessment: the security of information systems shall be reassessed periodically, recognising that information systems and the requirement for their security vary over time.
- Freedom of Information: the security of information will be compatible with the legitimate use and flow of data and information as required by privacy and freedom of information statutory requirements.

1.4 The purpose of the information security policy is to protect the MRC, its stakeholders and staff [1] from all information security threats, whether internal or external, deliberate or accidental.

Information security is characterised here as the preservation of:
- Confidentiality: ensuring that information is accessible only to those authorised to have access.
- Integrity: safeguarding the accuracy and completeness of information and processing methods.
- Availability: ensuring that authorised users have access to information and associated assets when required.
- Regulatory compliance: ensuring that the MRC meets its regulatory and legislative requirements.

The MRC has a Corporate Information Security team to introduce and maintain policy and to provide advice and guidance on its implementation. In addition, each establishment shall appoint an Information Security Manager (ISM) responsible for local management of Information Security policy.

The MRC requires that all breaches of information security, actual or suspected, shall be reported to, and investigated by, the Corporate Information Security team.

The MRC undertakes to provide appropriate information security training for all stakeholders and staff.

The MRC is required to ensure that the confidentiality, integrity, availability and regulatory requirements of all its business systems are met.

The MRC shall hold all managers directly responsible for implementing the policy within their business areas and for ensuring that staff adhere to the policy. It is the responsibility of all members of staff to adhere to the policy.

[1] Includes all full and part time employees, temporary employees, consultants, collaborators, secondees, contractors and students.

2. Introduction

The business of the Medical Research Council ("MRC" hereafter) is dependent on information and its availability. As custodian of a large volume of data which can be commercially, personally or in some cases politically sensitive, the MRC has a duty of care to protect that information from unauthorised or accidental modification, loss or release, and from any impact on the safety and well-being of individuals. Specifically, information plays a vital role in supporting business processes and stakeholder services, in contributing to operational and strategic business decisions, and in conforming to legal and statutory requirements. Accordingly, information must be protected to a level commensurate with its value to the MRC.

2.1 Purpose

The purpose of Information Security Management is to provide an appropriate level of protection for information assets from relevant threats, whether internal or external, deliberate or accidental (see also section 1.2). The implementation of this policy is important to maintain our integrity as a supplier of public services to stakeholders. This policy is set within the context of, and is an enabler to, the RCUK Cross Council Information Security Policy (currently version 2.6a).

In the context of the above, it is the policy of the MRC to ensure that:
- Information will be protected against unauthorised access.
- Confidentiality of information will be maintained.
- Information will not be disclosed to unauthorised persons through deliberate or careless action.
- Integrity of information is assured through protection from unauthorised modification.
- Information is available to authorised users when needed.
- Regulatory and legislative requirements will be met.
- Business continuity plans will be produced, maintained and tested as far as practicable.
- Information security training will be available to all staff.
- All suspected breaches of information security will be reported and investigated.

MRC units and establishments who sign up to and implement this policy and its associated policies, standards, guidelines and procedures will be accorded trusted status within this virtual environment. Organisations outside the scope of this policy will be treated as untrusted, and the sharing and co-hosting of any information assets with them will be restricted by the terms of this policy and its associated policies, standards, guidelines and procedures.

2.2 Terms and definitions

Asset: Anything that adds value to the organisation. [ISO/IEC :2004]
Control: Means of managing risk, including policies, procedures, guidelines, practices or organisational structures, which can be of an administrative, technical, management or legal nature. NOTE: Control is also used as a synonym for safeguard or countermeasure.
Establishment: Any MRC Unit or Centre which employs MRC staff and handles MRC-related data.
Guideline: A description that clarifies what should be done and how, to achieve the objectives set out in policies. [ISO/IEC :2004]
Information processing facilities: Any information processing system, service or infrastructure, or the physical locations housing them.
Information Security: Preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.
Information Security Event: An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security related. [ISO/IEC TR 18044:2004]
Information Security Incident: A single or series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. [ISO/IEC TR 18044:2004]
Policy: Overall intention and direction as formally expressed by management.
Risk: Combination of the probability of an event and its consequence. [ISO/IEC Guide 73:2002]
Risk Analysis: Systematic use of information to identify sources and to estimate the risk. [ISO/IEC Guide 73:2002]
Risk Assessment: Overall process of risk analysis and risk evaluation. [ISO/IEC Guide 73:2002]
Risk Evaluation: Process of comparing the estimated risk against given risk criteria to determine the significance of the risk. [ISO/IEC Guide 73:2002]
Risk Management: Coordinated activities to direct and control an organisation with regard to risk. NOTE: Risk management typically includes risk assessment, risk treatment, risk acceptance and risk communication. [ISO/IEC Guide 73:2002]
Risk Treatment: Process of selection and implementation of measures to modify risk. [ISO/IEC Guide 73:2002]
Third Party: That person or body that is recognised as being independent of the parties involved, as concerns the issue in question. [ISO/IEC Guide 2:1996]
Threat: A potential cause of an unwanted incident, which may result in harm to a system or organisation. [ISO/IEC :2004]
Vulnerability: A weakness of an asset or group of assets that can be exploited by one or more threats. [ISO/IEC :2004]

2.3 Policy framework

This policy is intended to act as a framework, and it is expected that individual MRC establishments shall develop further controls (that is, policies, standards, guidelines and procedures) to support its implementation. The number, strength and type of controls shall vary depending on which facility they are designed to protect. The MRC shall agree a Statement of Applicability (SoA) for each facility based on this policy. The SoA will be the minimum standard that the MRC shall adhere to. To this end the word "appropriate" is frequently used in this document. The appropriate controls shall be implemented in accordance with the relevant SoA; individual establishments can introduce more or stronger controls if they wish, but the controls must not be lessened or weakened. The Cabinet Office Security Policy Framework v2.0 has been incorporated into this policy; all references to it are suffixed with a reference [MRnn], where MR stands for Mandatory Requirement and nn is the number of that requirement in the Security Policy Framework.

3. Scope

This policy is the Security Policy for the Medical Research Council. It establishes, in detail, the policies that must be implemented by the MRC and by its establishments that participate in joint working projects requiring interconnectivity between their respective IT/IS infrastructures. This document uses the standard for information security management, ISO 27001, and risk management as the framework. In particular, the structure of this document reflects exactly the structure and numbering of that standard; this will facilitate cross-referencing with the standard when the document is reviewed and audited. The policy will help the MRC to demonstrate the necessary compliance with the Cabinet Office Security Policy Framework.

This policy and its associated policies, standards, guidelines and procedures shall be regarded as the mandatory standard to be achieved by any establishment connected to shared systems and facilities. This will provide assurance to the MRC that it may trust other establishments to have in place the minimum standard to protect the assets of all participants. Any establishment not achieving this standard shall be regarded as untrusted and placed outside the shared facilities. This standard shall apply irrespective of location. Compliance with this policy shall be subject to periodic audit.

3.1 Business scope

This policy concerns the administrative controls that are in place to support the following objectives shared by the MRC:
- Encourage and support research to improve human health;
- Produce skilled researchers;
- Advance and disseminate knowledge and technology to improve the quality of life and economic competitiveness of the UK;
- Promote dialogue with the public about medical research.

3.2 Organisational scope

General: This policy covers the management and control of information assets (including facilities, data, software, paper documents and personnel) which are either shared by the MRC or hosted in a shared environment.

Facilities: includes all equipment as well as the physical and environmental infrastructure:
- Computer processors of any size, whether general or special purpose;
- Peripheral, workstation and terminal equipment;
- Telecommunications and data communication cabling and equipment;
- Local and wide area networking equipment;
- Environmental control systems, including air conditioning, water, smoke and fire alarm systems and other safety equipment;
- Required utility services such as electricity and water;
- Buildings and building improvements, accommodation and equipment.

Data: includes:
- Electronically held data, regardless of storage media, including hard copies and data otherwise in transit;
- Information derived from any of the MRC's business processes, regardless of the storage or presentation media;
- Any other information for which the MRC has responsibility.

Software: includes locally developed programs and those acquired from external sources:
- Operating system software and associated utility and support programs;
- Application enabling software, including database management, telecommunications and network software;
- Application software.

Paper documents: includes systems documentation, user manuals, continuity plans, contracts, guidelines and procedures.

Personnel: includes employees (permanent and temporary), students, auditors, service providers, representatives of stakeholders, contractors, consultants, visitors or representatives of other bodies who are working within the MRC either physically or nominally.

3.3 Location scope

Within the context of the organisational scope of this policy (see the section above), this covers all permanent or temporary offices, home/mobile working locations, institutes, establishments and laboratories operated by the MRC, or wherever information associated with the MRC is located.

4. Security policy

4.1 Information Security Policy

To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

Information security policy document
An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.

Review of the information security policy
The information security policy shall be reviewed at planned intervals, or if significant changes occur, to ensure its continuing suitability, adequacy and effectiveness. Each Information Security Manager [2] shall regularly review the associated policies, standards, guidelines and procedures within their respective establishment.

Self assessment
The Corporate MRC Information Security team must have a system of assurance of compliance with the Security Policy Framework, and produce an annual report to their Management Board on the state of all aspects of protective security. [MR06] In addition, the RCUK's top level Information Security policy shall be made available to all staff.

Central reporting
The MRC Corporate Information Security team must submit an annual security return to the Cabinet Office Security Division, covering their Agencies and main delivery partners, which must include:
- Details of any changes to key individuals responsible for security matters (the appointment of a new Departmental Security Officer (DSO) must be reported immediately).
- Significant departmental risks and mitigations that have implications for protective security. All significant security incidents (those involving serious criminal activity, damage to personal security, serious reputational damage, data losses or leaks) must also be reported immediately.
- Declaration of meeting all Mandatory Requirements from the Cabinet Office Security Policy Framework.
- Confirmation that any significant control weaknesses have been reflected in the Departmental Statement on Internal Control.
[MR07]

Audit and review
The MRC Corporate Information Security team and all establishments must comply with oversight arrangements, including external audit/compliance arrangements as set out by the Cabinet Office. [MR08]

[2] See the section which defines the role of the Information Security Manager.

5. Organisation of information security

5.1 Internal organisation

To manage information security within the organisation.

Management commitment to information security
Management shall actively support security within the organisation through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities. Ultimate responsibility for security rests with the Senior Information Risk Owner (SIRO), a stated board level representative at the MRC. In addition, the MRC must have a designated Departmental Security Officer (DSO) with day-to-day responsibility for all aspects of Protective Security (including physical, personnel and information security). [MR04]

The MRC Operations Board (OB) shall act as the top-level management security forum in support of the information security management framework. The information security responsibilities of the OB include:
- setting the scope of the information security management system;
- endorsing the MRC information security policy;
- approving and supporting the implementation of the information security management system;
- agreeing levels of risk and approving residual risk;
- receiving security reports at regular intervals (at least half yearly) covering the status of security implementation, updates on threats, results of security reviews, audits etc.

The MRC Corporate Information Security Team shall provide the executive function of the security forum. In this role, the team's principal activities shall be to:
- define the scope of the information security management system;
- implement the information security management system;
- develop the MRC's information security policy;
- appoint, as appropriate, Information Security Manager(s) and other key managers responsible for co-ordinating the implementation of the security policy framework;
- gain and maintain awareness of the security threats to information being faced by the Council;
- prepare a statement of applicability;
- monitor incidents, security status and current threats and recommend safeguards;
- monitor compliance with ISO 27001:2005.

Each establishment shall create and maintain the role of Information Security Manager(s) (ISM). The principal activities of the ISM(s) shall be to:
- establish and implement appropriate policies, standards, guidelines and procedures in support of this policy and the Information Security Management System;
- select control objectives and controls to be implemented;
- further define responsibilities for information security within their own establishment;
- promote security awareness within their own establishment;
- undertake risk assessment;
- manage risk and the level of assurance required;
- carry out security reviews;
- record security incidents.

Information security co-ordination
The MRC and its establishments shall co-ordinate information security measures as outlined in the section above.

Roles and responsibilities
Information risk must be specifically addressed in the departmental annual Statement on Internal Control (SIC), which is signed off by the Accounting Officer. [MR34]

The MRC must have:
a) A designated Senior Information Risk Owner (SIRO): a Board level individual responsible for managing departmental information risks, including maintaining and reviewing an information risk register (the SIRO role may be combined with other security or information management board level roles).
b) A designated Information Technology Security Officer (ITSO): responsible for the security of information in electronic form.
c) Information Asset Owners: senior named individuals responsible for each identified information asset.
[MR35]

Allocation of information security responsibilities
All information security responsibilities shall be clearly defined.

Authorisation process for information processing facilities
A management authorisation process for new information processing facilities shall be defined and implemented.

Confidentiality agreements
Requirements for confidentiality or non-disclosure agreements reflecting the organisation's needs for the protection of information shall be identified and regularly reviewed.

Contact with authorities
Appropriate contacts with relevant authorities shall be maintained.

Specialist information security advice
The ISM(s) for each establishment shall act as a source of specialist advice within that establishment for all matters relating to information security. Where necessary the ISM(s) shall also seek specialist advice from external sources and shall appropriately document such advice, which they will make available to other establishments as appropriate.

Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

Independent review of information security
The MRC's approach to managing information security and its implementation at a Corporate and local level (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur. The MRC shall regularly audit the implementation of this policy and its associated policies, standards, guidelines and procedures.

6. External parties

To maintain the security of the organisation's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

Identification of risks related to third parties
The risks to the organisation's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.

Addressing security when dealing with customers
All identified security requirements shall be addressed before giving customers access to the organisation's information or assets.

Addressing security in third party contracts
Agreements with third parties involving accessing, processing, communicating or managing the organisation's information or information processing facilities, or adding products or services to information processing facilities, shall cover all relevant security requirements. The MRC must ensure that security requirements are specified in ICT contracts, and all new ICT contracts handling personal data must adhere to the Office of Government Commerce (OGC) ICT model terms and conditions. [MR43]

Governance
The MRC must ensure that all main delivery partners are compliant with the Cabinet Office Security Policy Framework, and must consider the extent to which those providing other goods and/or services to them, or carrying out functions on their behalf, are required to comply. [MR02]

7. Asset management

7.1 Responsibilities for assets [3]

To achieve and maintain appropriate protection of organisational assets.

Inventory of assets
All assets shall be clearly identified, and an inventory of all important assets, or assets containing personally identifiable data, drawn up and maintained.

Ownership of assets
All information and assets associated with information processing facilities shall be owned [4] by a designated staff member; this person is known as the Information Asset Owner. The MRC shall specify appropriate security conditions in contracts with outsourced companies that involve access to its IT facilities.

Acceptable use of assets
Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented and implemented.

7.2 Information classification

To ensure that information receives an appropriate level of protection.

Classification guidelines
Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organisation.

Information labelling and handling
An appropriate set of procedures for information labelling and handling shall be developed and implemented in accordance with the Protective Marking and Handling Scheme. [MR11]

Material originating outside HMG
The MRC must ensure that non-HMG material which is marked to indicate sensitivity is handled at the equivalent level within the Protective Marking System or, where there is no equivalence, at the level offered by PROTECT as a minimum. [MR18]

Universal controls
The MRC must apply the following baseline controls to all protectively marked material:
a) Access is granted on a genuine need to know basis.
b) Assets must be clearly and conspicuously marked. Where this is not practical (for example where the asset is a building, computer etc.), staff must still have the appropriate personnel security control and be made aware of the protection and controls required.
c) Only the originator or designated owner can protectively mark an asset. Any change to the protective marking requires the originator's or designated owner's permission. If they cannot be traced, a marking may be changed, but only by consensus with other key recipients.
d) Assets sent overseas (including to UK posts) must be protected as indicated by the originator's marking and in accordance with any international agreement. Particular care must be taken to protect assets from foreign Freedom of Information legislation by use of national prefixes and caveats or special handling instructions.
e) No official record, held on any media, can be destroyed unless it has been formally reviewed for historical interest under the provisions of the Public Records Act.
f) A file, or group of protectively marked documents or assets, must carry the protective marking of the highest marked document or asset contained within it (e.g. a file containing CONFIDENTIAL and RESTRICTED material must be marked CONFIDENTIAL).
[MR19]
See the MRC Portal for details of the Protective Marking procedure.

Breaches
MRC establishments must have a system for handling breaches and must give clear guidance to all staff that deliberate or accidental compromise of protectively marked material may lead to disciplinary and/or criminal proceedings. [MR21]

Risk management
All establishments must adopt a risk management approach, including a detailed risk register, to cover all areas of protective security across the organisation. [MR05]

Legal requirements
Establishments must provide all staff with guidance on the Official Secrets Acts, Data Protection Act and Freedom of Information Act. Staff handling protectively marked information must be given guidance on how this legislation relates to their role. [MR12]

Official Secrets Act
The MRC must ensure that those who are notifiable under Section 1(1) of the Official Secrets Act 1989 are notified in writing. Any establishment responsible for notified employees must:
- Renew notices every five years.
- Keep under review the need for continuing notification of individual posts.
- Maintain and keep under review the number of notifiable posts.
[MR13]

Data Protection Act
All MRC establishments must follow the minimum standards and procedures for handling and protecting citizen or personal data, as outlined in HMG IA Standard No. 6 - Protecting Personal Data and Managing Information Risk. [MR14]

Freedom of Information Act
All MRC establishments must ensure that any protectively marked material that is to be released under the Freedom of Information Act is de-classified first and is marked as such. The originator, or specified owner, must be consulted before protectively marked material can be de-classified. [MR15]

The need-to-know principle
All MRC establishments must ensure that access to protectively marked assets is only granted on the basis of the need-to-know principle. All employees must be made fully aware of their personal responsibility in applying this principle. [MR16]

[3] "Asset" in this document refers to information assets, which can be tangible (e.g. IS/IT assets) or intangible.
[4] Explanation: The term "owner" identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets. The term "owner" does not mean that the person actually has property rights to the asset.

8. Human resource security

8.1 Prior to employment [5]
To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

Roles and responsibilities
Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the MRC's information security policy.

Screening
Background verification checks on all candidates for employment, contractors and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Baseline Personnel Security Standard (BPSS)
The MRC must apply the requirements of the Baseline Personnel Security Standard (BPSS) to all HMG staff, contractors and temporary staff. [MR23]

Confidentiality agreements
All MRC establishments must have arrangements in place which:
- set out employees' responsibilities concerning confidentiality and non-disclosure of information, both within the MRC's premises and beyond, and within and beyond normal working hours;
- ensure that the use of IS/IT facilities by agency, temporary or contract staff is covered by appropriate confidentiality agreements.
Other organisations may require MRC employees to sign confidentiality agreements in respect of their dealings with them.

Terms and conditions of employment
As part of their contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organisation's responsibilities for information security. The terms and conditions and any supporting documents shall state that the employee's responsibilities for information security extend beyond the MRC's premises and outside working hours (including home working).

8.2 During employment [5]
To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organisational security policy in the course of their normal work, and to reduce the risk of human error.

Management responsibilities
Management shall require employees, contractors and third party users to apply security in accordance with the established policies and procedures of the organisation.

Information security awareness, education and training
All employees of the MRC and, where relevant, contractors, partners, collaborators and other third party users shall receive appropriate awareness training, with at least annual updates, in organisational policies and procedures as relevant for their job function.
All MRC establishments must ensure that all users of ICT systems are familiar with the security operating procedures governing their use, receive appropriate security training, and are aware of local processes for reporting issues of security concern. They must further ensure that staff with access to information assets are appropriately trained, are aware of incident reporting procedures, and know the minimum standards relating to the handling of protectively marked data. [MR48]

Disciplinary process
There shall be a formal disciplinary process for employees who have committed a security breach.

Culture, training and professionalism
All MRC establishments must ensure that:
- security education and awareness is built into all staff inductions, with annual familiarisation thereafter;
- there are plans in place to foster a culture of proportionate protective security;
- there is a clearly stated and available policy, and mechanisms in place, to allow for independent and anonymous reporting of security incidents. [MR09]

Risk management
Each MRC establishment must, as part of its risk management approach to protective security, assess the need to apply personnel security controls to specific posts and to access to sensitive assets. [MR22]

Governance
Each MRC establishment must ensure that all staff understand the relevant requirements and responsibilities placed upon them by the Security Framework and that they are properly equipped to meet the mandatory security policies set out in the Cabinet Office Security Framework. [MR01]

8.3 Termination or change of employment
To ensure that employees, contractors and third party users exit the organisation or change employment in an orderly manner.

Termination responsibilities
Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned.

Return of assets
All employees, contractors and third party users shall return all of the MRC's assets in their possession upon termination of their employment, contract or agreement.

Removal of access rights
The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

[5] Explanation: the word "employment" is meant here to cover all of the following situations: employment of people (temporary or longer lasting), appointment to job roles, changing of job roles, assignment of contracts, and the termination of any of these arrangements.
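The removal-of-access-rights requirement is only as good as the check that it actually happened. The following is an added example, written for this page and not an MRC tool, of the reconciliation a security team would run: take the HR leaver/mover feed and the directory's account export, and report every account that is still enabled, still holds group memberships, or has logged on after its owner's leaving date, and every mover who kept groups from a previous role. Both inputs are constructed inline and their field names, and the role-to-group mapping, are assumptions made for the example; a real run would pull them from the HR system and the directory.

```python
"""Added example: leaver/mover reconciliation against a directory export.
Not MRC code. Inputs are constructed; field names and ROLE_GROUPS are assumed."""
from datetime import date

# Constructed HR feed: one record per leaver or mover event.
HR_EVENTS = [
    {"person": "j.smith", "event": "leaver", "effective": "2010-08-31"},
    {"person": "a.jones", "event": "mover",  "effective": "2010-09-01", "new_role": "finance"},
    {"person": "p.khan",  "event": "leaver", "effective": "2010-09-30"},
]

# Constructed directory export (the shape an AD/LDAP dump would give).
ACCOUNTS = [
    {"user": "j.smith",    "enabled": True, "groups": ["lab-a", "vpn"],     "last_logon": "2010-09-05"},
    {"user": "a.jones",    "enabled": True, "groups": ["lab-a", "finance"], "last_logon": "2010-09-09"},
    {"user": "p.khan",     "enabled": True, "groups": ["lab-b"],            "last_logon": "2010-09-09"},
    {"user": "svc-backup", "enabled": True, "groups": ["backup"],           "last_logon": None},
]

# Assumed role model: the groups each role is entitled to; anything else is a leftover.
ROLE_GROUPS = {"finance": {"finance", "vpn"}, "lab-a": {"lab-a"}}


def reconcile(events, accounts, today):
    """Return (user, finding) pairs for every HR event that is due on `today`
    but not reflected in the directory. Events dated after `today` are not
    yet due and are skipped; a person with no account has nothing to revoke."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for ev in events:
        effective = date.fromisoformat(ev["effective"])
        if effective > today:
            continue
        acct = by_user.get(ev["person"])
        if acct is None:
            continue
        user = acct["user"]
        if ev["event"] == "leaver":
            if acct["enabled"]:
                findings.append((user, "account still enabled after leaving date"))
            if acct["groups"]:
                findings.append((user, "group memberships not removed"))
            last = acct.get("last_logon")
            if last and date.fromisoformat(last) > effective:
                # Evidence of use after departure, not just an unrevoked right.
                findings.append((user, "logon recorded after leaving date"))
        elif ev["event"] == "mover":
            entitled = ROLE_GROUPS.get(ev.get("new_role"), set())
            leftover = sorted(set(acct["groups"]) - entitled)
            if leftover:
                findings.append((user, "retains groups from previous role: " + ", ".join(leftover)))
    return findings


if __name__ == "__main__":
    for user, finding in reconcile(HR_EVENTS, ACCOUNTS, date(2010, 9, 10)):
        print(f"{user}: {finding}")
```

The "logon after leaving date" finding is the one to escalate first: a still-enabled account is a control failure, but a logon after departure is a potential incident and goes to the incident process, not just to the service desk.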

9. Physical and environmental security

9.1 Secure areas
To prevent unauthorised physical access, damage and interference to the organisation's premises and information.

Defence in depth
Each MRC establishment must adopt a layered approach to physical security, ensuring that its physical security policy incorporates identifiable elements of prevention, detection and response. [MR50]

Physical security perimeter
Security perimeters (barriers such as walls, card-controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities.
Each MRC establishment must establish a secure perimeter, with appropriate security barriers and entry controls. Perimeters should offer physical protection from unauthorised access, damage and interference, and allow for the quick identification of suspicious individuals or unusual items. [MR61]
Each MRC establishment must assess the security risks to its estate, ensuring that security is fully integrated early in the process of planning, selecting, designing and modifying its facilities. [MR55]
Each MRC establishment must consider the use of guard forces to protect the assets it holds. Where guards are deployed, the GSZ Manned Guarding Services Manual is considered best practice. [MR60]
Each MRC establishment must produce a detailed Operational Requirement before deciding to deploy a security measure, particularly when purchasing a system or security product. This should clearly define what the system is expected to achieve. [MR62]

Physical entry controls
Secure areas shall be protected by appropriate entry controls to ensure that only authorised personnel are allowed access. When unoccupied, secure areas shall be secured and physically locked. Electronic surveillance (such as CCTV) shall be considered in high-risk environments. Unauthorised photography shall not be permitted in such areas.
Each MRC establishment must control access to its estate using safeguards that will prevent unauthorised access. [MR56]
Each MRC establishment must ensure that access control policies are made available to all staff, and that staff are briefed on their personal responsibilities (e.g. wearing a pass at all times, escorting visitors and searching their work area if required). [MR58]

Securing offices, rooms and facilities
Physical security for offices, rooms and facilities shall be designed and applied.
Each MRC establishment must ensure that all locations where information and system assets (including cryptographic items) are kept have an appropriate level of physical security, as set out in this framework. [MR47]

Secure containers
Each MRC establishment must ensure that protectively marked or valuable material is secured in appropriate security containers. Large amounts of protectively marked material or equipment which cannot be stored in a security container must be stored in a secure room. [MR52]

Secure rooms
All establishments must ensure that windows, doors, locks and entry controls meet appropriate security standards in rooms holding protectively marked material or sensitive assets. [MR53]

CCTV
The deployment of CCTV must be in accordance with the Data Protection Act. [MR63]

9.2 Equipment security
To prevent loss, damage, theft or compromise of assets and interruption to the organisation's activities.

9.2.1 Equipment placement and protection
Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access.

9.2.2 Supporting utilities
Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

9.2.3 Cabling security
Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.

9.2.4 Equipment maintenance
Equipment shall be correctly maintained to ensure its continued availability and integrity.

9.2.5 Security of equipment off-premises
Security shall be applied to off-site equipment, taking into account the different risks of working outside the organisation's premises. All laptops, drives, memory sticks, PDAs, etc. must be encrypted before they can be taken off-site. For MRC-issued laptops, the disk encryption software will be provided by the local IT support team. Partner, collaborator and other third-party-owned laptops containing MRC data and information must be protected with their own disk encryption software. Contact the local IT Helpdesk or Information Security team for further guidance.

9.2.6 Secure disposal or re-use of equipment
All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal. All MRC units must ensure that all media used for storing or processing protectively marked or otherwise sensitive information are disposed of or sanitised in accordance with HMG IA Standard No. 5 - Secure Sanitisation of Protectively Marked or Sensitive Information. [MR45]

9.2.7 Removal of property
Equipment, information or software shall not be taken off-site without prior authorisation.
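The off-site rule in 9.2.5 ("must be encrypted before they can be taken off-site") is easy to state and easy to get wrong in practice: an encrypted root volume with an unencrypted data partition or a plain USB drive still mounted is not compliant. The following is an added example, written for this page and not MRC code, of a pre-departure check for a Linux laptop: it walks the device tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints (a real util-linux command) and reports every mounted filesystem that does not sit below a dm-crypt/LUKS device. The sample trees are constructed; treating /boot as an allowed exception is an assumption made for the example, and Windows (BitLocker) or macOS (FileVault) machines would need a different probe.

```python
"""Added example: verify that every mounted filesystem is on an encrypted
device before a laptop leaves the building. Not MRC code. Input is the JSON
from `lsblk -J -o NAME,TYPE,MOUNTPOINT`; the sample trees here are constructed
and the /boot exemption is an assumption."""
import json

# Constructed: LUKS-encrypted root and home, plain /boot, plus an unencrypted
# USB stick still mounted at /media/usb.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}]}]}]},
    {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "mountpoint": "/media/usb"}]},
]})

# Constructed: the same laptop with the USB stick unplugged.
SAMPLE_LSBLK_OK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"}]}]}]},
]})

# Assumption: an unencrypted boot partition is tolerated (it holds no data).
EXEMPT = frozenset({"/boot", "/boot/efi"})


def unencrypted_mounts(lsblk_json, exempt=EXEMPT):
    """Return (device, mountpoint) for every mounted filesystem that has no
    'crypt' device above it in the tree, ignoring exempt mountpoints."""
    tree = json.loads(lsblk_json)
    bad = []

    def walk(node, under_crypt):
        # Once we pass through a crypt node, everything below it is encrypted.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mp = node.get("mountpoint")
        if mp and not under_crypt and mp not in exempt:
            bad.append((node["name"], mp))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in tree["blockdevices"]:
        walk(dev, False)
    return bad


def is_safe_to_take_offsite(lsblk_json, exempt=EXEMPT):
    return not unencrypted_mounts(lsblk_json, exempt)


if __name__ == "__main__":
    import subprocess
    try:   # Use the live machine if lsblk is available, else the sample.
        out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_LSBLK
    for dev, mp in unencrypted_mounts(out):
        print(f"UNENCRYPTED: {dev} mounted at {mp}")
    print("safe to take off-site:", is_safe_to_take_offsite(out))
```

The check is deliberately tree-based rather than per-device: LVM volumes inside a LUKS container report their own type as `lvm`, so only an ancestor test correctly credits them as encrypted.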

10. Communications and operations management

10.1 Operational procedures and responsibilities
To ensure the correct and secure operation of information processing facilities.

Documented operating procedures
ISM(s) and/or delegated manager(s) shall clearly document, maintain and publicise (as appropriate) procedures for all key IS/IT operations, development, maintenance and testing.

Change management
Changes to information processing facilities and systems shall be controlled.

Segregation of duties
Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation's assets.

Separation of development, test and operational facilities
Development, test and operational facilities shall be separated to reduce the risks of unauthorised access or changes to the operational system.

Information security policy
All MRC establishments must have, as a component of their overarching security policy, an information security policy setting out how they, and their delivery partners (including offshore and nearshore (EU/EEA based) Managed Service Providers), comply with the minimum requirements set out in this policy and the wider framework. [MR31]

Managing information risk
All MRC establishments must conduct an annual technical risk assessment (using HMG IA Standard No. 1) for all HMG ICT projects and programmes, and whenever there is a significant change in a risk component (threat, vulnerability, impact, etc.) to an existing HMG ICT system in operation. The assessment and the risk management decisions made must be recorded in the Risk Management and Accreditation Documentation Set (RMADS), using HMG IA Standard No. 2 - Risk Management and Accreditation of Information Systems. [MR32] Following advice from DBIS, MRC establishments are not required to complete these at this time.

Business impact
All MRC establishments must, in conjunction with the Protective Marking System, use Business Impact Levels (ILs) to assess and identify the impacts to the business of the loss of confidentiality, integrity and/or availability of data and ICT systems should risks be realised. Aggregation of data must also be considered as a factor in determining ILs. [MR33]

Accreditation and audit
ICT systems that process protectively marked Government data must be accredited using HMG IA Standard No. 2 - Risk Management and Accreditation of Information Systems, and the accreditation status must be reviewed at least annually to judge whether material changes have occurred which could alter the original accreditation decision. [MR36]
All MRC establishments must have the ability to regularly audit information assets and ICT systems. This must include:
a) regular compliance checks carried out by the Accreditor, ITSO, etc. (documented in the RMADS: audit of the ICT system against its configuration records);
b) a forensic readiness policy that will maximise the ability to preserve and analyse data generated by an ICT system that may be required for legal and management purposes. [MR37]
All ICT systems must have suitable identification and authentication controls to manage the risk of unauthorised access, enable auditing, and allow the correct management of user accounts. [MR38]

10.2 Third party service delivery management
To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

Service delivery
It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party.

Monitoring and review of third party services
The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly.

Managing changes to third party services
Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business systems and processes involved and re-assessment of risks.

Protection against malicious and mobile code
To protect the integrity of software and information.

Controls against malicious code
Detection, prevention and recovery controls to protect against malicious code, and appropriate user awareness procedures, shall be implemented. Staff shall only install software in accordance with the guidance issued by the MRC. Appropriate security incident plans shall be developed for dealing with and recovering from virus attacks, including all necessary data and software back-up and recovery arrangements. Users shall be made aware of the standards, guidelines and procedures they must adhere to in order to protect the MRC from virus infection.

Controls against mobile code
Where the use of mobile code is authorised, the configuration shall ensure that the authorised mobile code operates according to a clearly defined security policy, and unauthorised mobile code shall be prevented from executing.

Back-up
To maintain the integrity and availability of information and information processing facilities.

Information back-up
Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy.

Network security management
To ensure the protection of information in networks and the protection of the supporting infrastructure.

Network controls
Networks shall be adequately managed and controlled in order to protect them from threats and to maintain security for the systems and applications using the network, including information in transit. ISM(s) and Network Managers shall implement appropriate access controls and cryptographic techniques to ensure the confidentiality and integrity of data passing over public networks. Network Managers shall monitor the performance and availability of LAN and WAN connections to ensure they are within acceptable parameters or agreed targets.

Security of network services
Security features, service levels and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.

Media handling
To prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to business activities.

Management of removable media
This includes floppy disks, CDs, DVDs and USB hard drives/memory sticks. The only removable devices that may be used are those supplied by the MRC; media from any other source must not be used. The exception to this is where you receive electronic data from trusted sources outside the MRC, for example organisations with which the MRC has a contractual or formal relationship (examples include suppliers, providers, the education sector and government organisations).


More information

Information Governance Policy

Information Governance Policy Information Governance Policy Document Number 01 Version Number 2.0 Approved by / Date approved Effective Authority Customer Services & ICT Authorised by Assistant Director Customer Services & ICT Contact

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures SECURITY INCIDENT REPORTING AND MANAGEMENT Standard Operating Procedures Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme.

More information

Information Security Incident Management Policy and Procedure

Information Security Incident Management Policy and Procedure Information Security Incident Management Policy and Procedure Version Final 1.0 Document Control Organisation Title Author Filename Owner Subject Protective Marking North Dorset District Council IT Infrastructure

More information

Information Security Policy

Information Security Policy Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

More information

University of Liverpool

University of Liverpool University of Liverpool IT Asset Disposal Policy Reference Number Title CSD 015 IT Asset Disposal Policy Version Number v1.2 Document Status Document Classification Active Open Effective Date 22 May 2014

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 1.0 Date: November 2012 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 CORE REQUIREMENTS...

More information

IT SECURITY POLICY (ISMS 01)

IT SECURITY POLICY (ISMS 01) IT SECURITY POLICY (ISMS 01) NWAS IM&T Security Policy Page: Page 1 of 14 Date of Approval: 12.01.2015 Status: Final Date of Review Recommended by Approved by Information Governance Management Group Trust

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management Course: Information Security Management in e-governance Day 1 Session 3: Models and Frameworks for Information Security Management Agenda Introduction to Enterprise Security framework Overview of security

More information

CCG: IG06: Records Management Policy and Strategy

CCG: IG06: Records Management Policy and Strategy Corporate CCG: IG06: Records Management Policy and Strategy Version Number Date Issued Review Date V3 08/01/2016 01/01/2018 Prepared By: Consultation Process: Senior Governance Manager, NECS CCG Head of

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Practical Overview on responsibilities of Data Protection Officers. Security measures

Practical Overview on responsibilities of Data Protection Officers. Security measures Practical Overview on responsibilities of Data Protection Officers Security measures Manuel Villaseca Spanish Data Protection Agency mvl@agpd.es Security measures Agenda: The rol of DPO on security measures

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé NHS HDL (2006)41 abcdefghijklm = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé Dear Colleague NHSSCOTLAND INFORMATION SECURITY POLICY Summary 1. NHSScotland IT Security Policy was

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Version: 0.2 Committee Approved by: Audit Committee Date Approved: 15 th January 2014 Author: Responsible Directorate Information Governance & Security Officer, The Health Informatics

More information

Information Security Policy. Chapter 12. Asset Management

Information Security Policy. Chapter 12. Asset Management Information Security Policy Chapter 12 Asset Management Author: Policy & Strategy Team Version: 0.5 Date: April 2008 Version 0.5 Page 1 of 7 Document Control Information Document ID Document title Sefton

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

Information Security Policy London Borough of Barnet

Information Security Policy London Borough of Barnet Information Security Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Document Description Information Security Policy Policy which sets out the council s approach to information

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Records Management Policy & Guidance

Records Management Policy & Guidance Records Management Policy & Guidance COMMERCIALISM Document Control Document Details Author Nigel Spencer Company Name The Crown Estate Department Name Information Services Document Name Records Management

More information

HMG Security Policy Framework

HMG Security Policy Framework HMG Security Policy Framework Version 11.0 October 2013 Contents Introduction... 4 Government Security Responsibilities... 4 Role of the Centre... 5 Policy Context... 7 Critical National Infrastructure

More information

Information Security Incident Management Policy and Procedure. CONTROL SHEET FOR Information Security Incident Management Policy

Information Security Incident Management Policy and Procedure. CONTROL SHEET FOR Information Security Incident Management Policy Bolsover District Council North East Derbyshire District Council & Rykneld Homes Ltd Information Security Incident Management Policy September 2013 Version 1.0 Page 1 of 13 CONTROL SHEET FOR Information

More information

Information Security Programme

Information Security Programme Information Security Programme Information Security Policy This document is issued in the strictest business confidence. It should be read in conjunction with a number of other supporting and complementary

More information

INFORMATION SECURITY: UNDERSTANDING BS 7799. BS 7799 is the most influential, globally recognised standard for information security management.

INFORMATION SECURITY: UNDERSTANDING BS 7799. BS 7799 is the most influential, globally recognised standard for information security management. FACTSHEET The essence of BS 7799 is that a sound Information Security Management System (ISMS) should be established within organisations. The purpose of this is to ensure that an organisation s information

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

Records Management Plan. April 2015

Records Management Plan. April 2015 Records Management Plan April 2015 Prepared in accordance with the Public Records (Scotland) Act 2011 and submitted to the Keeper of the Records of Scotland for their agreement on 28 April 2015 (Revised

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

Information governance strategy 2014-16

Information governance strategy 2014-16 Information Commissioner s Office Information governance strategy 2014-16 Page 1 of 16 Contents 1.0 Executive summary 2.0 Introduction 3.0 ICO s corporate plan 2014-17 4.0 Regulatory environment 5.0 Scope

More information

Ealing Council Corporate Information and Data Security Policy

Ealing Council Corporate Information and Data Security Policy Appendix 3 Ealing Council Corporate Information and Data Security Policy Classification: Internal Use Date Created: July 2008 Policy Ref: INFOSEC 00.02 Author: Information & Data Management Owner: Business

More information

Physical Security Policy

Physical Security Policy Physical Security Policy Author: Policy & Strategy Team Version: 0.8 Date: January 2008 Version 0.8 Page 1 of 7 Document Control Information Document ID Document title Sefton Council Physical Security

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Policy approved by: Audit and Governance Committee Date: 4 th December 2014 Next Review Date: December 2016 Version: 1 Information Security Policy Page 1 of 17 Review and Amendment

More information

Information System Audit Guide

Information System Audit Guide Australian Government Department of Defence Information System Audit Guide VERSION 11.1 January 2012 Commonwealth of Australia 2011 Page 1 TABLE OF CONTENTS 1. INTRODUCTION TO ACCREDITATION...4 2. THE

More information

Essex County Council Policy for Information Management and Security

Essex County Council Policy for Information Management and Security Essex County Council Policy for Information Management and Security Title Author/Owner Status Essex County Council Policy for Information Management and Security Information Management IS Final Version

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Harper Adams University College. Information Security Policy

Harper Adams University College. Information Security Policy Harper Adams University College Information Security Policy Introduction The University College recognises that information and information systems are valuable assets which play a major role in supporting

More information

Information security management systems Specification with guidance for use

Information security management systems Specification with guidance for use BRITISH STANDARD BS 7799-2:2002 Information security management systems Specification with guidance for use ICS 03.100.01; 35.020 This British Standard, having been prepared under the direction of the

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Information Governance and Assurance Framework Version 1.0

Information Governance and Assurance Framework Version 1.0 Information Governance and Assurance Framework Version 1.0 Page 1 of 19 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: Meridio Location: Approval Body: Policy and Guidance

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Rev Date Purpose of Issue/ Description of Change Equality Impact Assessment Completed 1. June 2011 Initial Issue 2. 29 th March 2012 Second Version 3. 15 th April 2013 Third

More information

Information Security Management. Audit Check List

Information Security Management. Audit Check List Information Security Management BS 7799.2:2002 Audit Check List for SANS Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant. Approved by: Algis Kibirkstis Owner: SANS Extracts

More information