Information Security Policy

Transcription

1 Information Security Policy 1

2 Version and Review Summary Rev Date Author Approver Revision description 1.00 April 2009 T Monachello Formal Review st June 2009 T.Monachello Information Governance Board (IGB) Formal Approval 1 st June 2009 IGB Board 2

3 Purpose... 4 Policy Definition... 4 Direction... 5 Scope and Responsibilities... 6 Specific responsibilities... 7 Chief Executive Officer... 7 All users... 7 Information Security... 8 Information Governance Board... 8 Management... 8 Information Asset Owners... 9 Caldicott Guardian Shared Services Human Resources and Development Review of Information Security Policy Information Security Policy Exceptions Associated Documentation Appendix A Associated documentation Appendix B Legislation

4 Purpose The purpose of Information Security for Harrow Council is to protect the council s information assets, regardless of whether these are held in manual or electronic form. This will help to safeguard the reputation of the council, to optimise the management of risk and to minimise the impact of Information Security incidents. Implementation of this Policy will provide assurance to stakeholders, partners and citizens, that their information is held securely and used appropriately by the council, whilst complying with legislation and satisfying auditors. Further, it is a key enabler for information sharing through enhanced controls e.g. supporting access channel strategy, business continuity planning, citizen focussed services, first contact deployment and flexible working. Policy Definition The International Standard: ISO Code of Practice defines Information Security as the preservation of three aspects of Information: Confidentiality: Information is only available to those that are authorised to gain access. Integrity: Safeguarding the accuracy and completeness of information and processing methods. Availability: The assurance that authorised users have access to information and associated assets when this is required. Information takes many forms. It may be processed and stored on computers or in other electronic form, printed or written on paper, shared through voice or video communications, transmitted through post or electronic means such as or fax, made available on corporate videos or web sites. Whatever form the information may take, or means by which it is shared, stored or processed, it should always be appropriately classified and protected according to that classification. Information systems and the information they process and store are a vital asset to Harrow Council. Harrow is dependent on the availability of accurate information to provide local government services. Any loss of computer systems or the information they contain could have serious repercussions for Harrow and / or its clients. A breach of security during processing, storage or transfer of data could result in financial loss, personal injury to a member of staff, or client, serious inconvenience, embarrassment, or even legal proceedings against Harrow, and possibly the individuals involved. In order to ensure the confidentiality, integrity and availability of these systems an appropriate level of security must be achieved and maintained. The level of security implemented on each of the various systems will be consistent with the designated security classification of the information and the environment in which it operates. 4

5 Specific security standards, procedures and guidelines will be published and updated from time to time in support of the information Security Policy, aiming to mitigate risk of unauthorised modification, destruction or disclosure whether accidental or intentional. Within Harrow, access to information will be restricted to those personnel in roles with a valid business requirement. Information on computer systems will be protected with anti-virus software, which will be updated regularly. Scans will be carried out regularly on all servers, workstations and laptops, and virus definitions will be updated each weekday. Updates and scans will be automatic for every machine and must not be turned off or bypassed. Harrow will take appropriate steps to prevent, detect, and recover from any loss or incident, whether accidental or malicious, including error, fraud, misuse, damage and disruption to, or loss of computing or communications facilities. A security risk assessment will be carried out on each information asset to identify the level of protection required. The security and control procedures required will take into account the sensitivity and value of the information. All groups must have business continuity plans for information that is deemed to be critical. Direction Information Security is a key enabling mechanism for supporting the strategy for e- Government, knowledge sharing and joined up team working. It promotes trust both internally and externally in shared data and infrastructure. Harrow s strategic direction for Information Security is to provide a strong forward-looking information management system that is clearly aligned to the Council s Corporate Vision and strategic priorities. This vision for Information Security reflects its growing role in maintaining trust and confidence both within the council and outside. The Local Government Association (LGA) has produced data handling procedures designed for local authorities to use as standard guidelines. They set out the fundamental steps that every council should take to mitigate against the ever-present risk that personal information is lost or that data protection systems fail. They therefore provide chief executives, senior managers and elected members with a vital aid in discharging their responsibilities and accountability for secure and effective handling of personal information. The guidelines were prepared by working closely with councils and central government to meet local government circumstances. As governments cast a wider net on their ability to share sensitive information among agencies, security requirements dictate that a sophisticated internal networking environment be developed within the authority. Government Connect (GC) is a recognised, accredited and trusted secure government network for all Local Authorities (LAs) in England and Wales. The network is called GCSx and it enables secure data sharing up to restricted level across government. GC is critical as it allows local authorities and central government to exchange information securely over a private network rather than the Internet. This security policy ensures that the fundamental security principals of the data handling guidelines and the Government Connect initiative are followed. 5

6 Scope and Responsibilities The Harrow Council Information Security Policy is applicable to: All Council information, information owned by its clients and partners, and information about its clients. All Council members, permanent, contract and temporary personnel, and all third parties, who have access to Harrow premises, systems or information. All Council systems, software, and information created, held, processed or used on those systems or related media, electronic, magnetic, or written/ printed output from Harrow systems. All means of communicating information, both within the Council and externally. For example data and voice transmissions or recordings, post, , sms/text, cameras, whiteboards, memory sticks, disks, fax, telex, image/sound processing, videoconferencing, photocopying, flip charts, general conversation etc. It also includes the requirement to comply with any criminal and civil law, statutory, regulatory or contractual obligations, and any other security requirement, including business continuity management. Information security is not an option. We are all required to maintain a minimum level of Information Security to maintain our legal and contractual obligations. Defined and approved policies and standards of information security must be implemented. The Service Management for Information Management and the HITS Security Specialist(s) are responsible for defining Information Security policy and standards. Department heads and service providers are responsible for implementing policies and standards in their area of jurisdiction. Furthermore, these policies and standards must be included in service level agreements and contracts with IT service providers. Non-compliance with this policy will be dealt with under the relevant Council procedures and may result in disciplinary action, termination of contract, or criminal prosecution in the most serious of cases. This policy is a living document and thus frequently updated to reflect technological, legal and organisational changes. It should therefore be revisited on a regular basis by all staff. 6

7 Specific responsibilities Chief Executive Officer The Chief Executive Officer is ultimately responsible for ensuring the implementation of this Security Policy. It is the responsibility of all employees to ensure that they conduct their business in accordance with this Policy. All users Users of systems and information must: Access only systems and information, including reports and paper documents, to which they are authorised. Use systems and information only for the purposes for which they have been authorised, and only from Harrow ICT controlled or authorised secure equipment and approved software. Comply with all appropriate legislation, and with the controls defined by the Information Owner, and all corporate Policies, Standards, Procedures and Guidelines. A summary of the appropriate legislation can be found in Appendix B. Not disclose confidential information to anyone without the permission of the Information Owner. Keep their passwords and other access credentials secret, and not allow anyone else to use their account, or equipment or media in their care, to gain access to any system or information. Notify their immediate superior, or the HITs Security Specialist or the Service Manager for Information Management, of any actual or suspected breach of Information Security, or of any perceived weakness in the Council Security Policies, Procedures and Practices, Process or infrastructure. Establish the identity and authority of anyone requesting information access or information system access e.g. for servicing or repairs Familiarise themselves with this Policy, and all applicable supporting Policies, Procedures, Standards and Guidelines. Compliance with this Policy is mandatory, and any employee failing to comply will be subject to disciplinary procedures, revoking of access &/or prosecution in serious cases. If responsible for management of third parties you must ensure that those third parties are contractually obliged to comply with this Policy and are aware that their failure to comply may lead to contract termination &/or prosecution in serious cases. Use the relevant Harrow Code of Connection terms. Be aware that the Council monitors the content and usage of its systems and communications to check for Policy compliance. Never leave computers logged into the network unattended unless password protected screen locking is available and has been engaged <ctrl alt delete>. Keep your desk clear of all confidential paper files and documents when you are not working on them. Maintain a clear desk policy when leaving your desk unattended for any period of time and out of office hours. Keep all confidential paper files and documents in secure, lockable cabinets. 7

8 Not take confidential documents or materials home, however, if this is unavoidable, do consider the use of lockable bags or cases when it is necessary to carry paper files or documents in person. Stand at public Fax machines/printers or have documents containing confidential information retrieved immediately so that unauthorised individuals have no opportunity to see the information. Not store confidential electronic files and documents on your computer s local drive (C:) or mail to a personal address in order to work on them at home. Not use standard USB data sticks or digital drives as portable temporary storage for electronic files and documents. AES 256 standard encrypted USB data sticks may be used only after the Service Manager for Information Management has approved a valid business case. If permission is granted, these USB data sticks may only be purchased from HITs Procurement. Purchase all new laptops, mobile phones, PDA s and any other hand held devices capable of storing data, through HITS to allow encryption software to be installed prior to being released to you. This ensures that the device is protected should it be lost or stolen. Any existing Council owned laptops or portable devices should be returned to HITS who will make appropriate arrangements to have the encryption software installed at a predetermined rate. Lock all laptops away in a secure cabinet when not in use in the office or in the home and never leave on the back seat of a car! Information Security The Service Management for Information Management and the HITS Security Specialist(s) will act as the focus for all Information security issues, suggesting policies to mitigate risk, and assisting with their interpretation into team procedures and standards, whilst implementing those aspects affecting the operational security of the Council s Information and IT infrastructure. Information Governance Board An Information Governance Board (IGB) has been established and the Councils Section 151 officer (Corporate Director Finance) has assumed the role of the Information Governance Lead with delegated authority from the Chief Executive. This Board would provide the forum by which Information Management issues are translated into an ongoing strategy and action plan, it would ensure a consistent approach across the Council, promoting information management/sharing including partnership working. The IGB will be represented by all levels of management to provide visible management support and clear direction for information security at the executive level. Management Managers are responsible for: In conjunction with Shared Services, defining reference and vetting requirements for the role and undertaking pre-employment/contract reference checking including managing clearance to HMG Baseline Personnel Security standard for users who require access to the GSI and RESTRICTED information. 8

9 Ensuring that their permanent, contract and temporary personnel are fully conversant with this Policy and all associated Policies, Standards, Procedures, Guidelines and relevant legislation, and are aware of the consequences of non-compliance. Developing compliant procedures, processes and practices for use in their business areas. Maintaining an appropriate Business Continuity Plan, which is incorporated into the corporate Business Continuity Plan, and is broad enough to respond to all types of potential loss of critical infrastructure, systems and data. Ensuring that when requesting or authorising access for their staff, they comply with the standards and procedures defined by the Information Owners, with particular regard to segregation of duties, minimum access and any minimum training requirements. Notifying the Service Manager for Information Management, Hits Security Specialist via the Council Help Desk of any suspected or actual breaches or perceived weaknesses of information security. Taking disciplinary action supported by the Human Resources Department in the event of misconduct, and non-compliance with Security Policies. Information Asset Owners Before any asset can be protected to an appropriate level, it must be identified, and have a value assigned to it. Somebody must take responsibility for managing, or owning the asset, and defining the levels of access that may be given to it. The information owner is responsible for identifying, documenting, valuing and carrying out a risk assessment on assets, then specifying the level of protection and access that should be given to those assets in accordance with the Information Classification Guidelines. Although the work may be delegated, the information owner retains accountability, and must be satisfied that all assets have been assessed, and that appropriate procedures are in place to protect them from unauthorised access or modification. The activities carried out by the information owner are: Identify and document major assets all physical assets must be labelled, and information held on electronic media should be clearly identifiable. Assign a sensitivity value to each asset based on a business impact analysis. This value to be RESTRICTED -IL3, PROETCTED IL2 or IL1 and Unclassified-IL0. Carry out a risk assessment to identify specific threats and vulnerabilities relating to each asset, and their estimated recovery costs or asset value. Specify the controls from ISO27001 that will be used to protect the assets including: Physical protection and access controls. Storage requirements for hard copy information. Authorisation of users, job roles or security clearance levels, who may access the asset, together with the level of access allowed. Backups, media handling and storage. Compliance with legislation. Any need for encryption to protect information at rest on computer systems and/or in transit across internal or external networks. 9

10 Ensuring appropriate Contract/Code of Connection with any 3 rd parties. Specifying minimum training requirements and arranging its availability. Ensure that procedures are in place reflecting the controls and access levels. Periodically review access to ensure that procedures are followed, especially in the event of process changes that affect the asset. Specify the retention period for each asset, and the manner in which it should be deleted or destroyed at the end of that period. Be advised in the event of any incident relating to the assets, and revise controls if required. This is not a one-off process, but a live ongoing responsibility. These activities will be carried out with guidance and assistance from the Service Manager, Information Management. Please be aware that the if data (IL1 to IL3) under your responsibility is sent or distributed to 3 rd party organisations outside the council, then appropriate precautions should be undertaken to safeguard the confidentiality of this data and its content. Council guidelines on sending such data (Protocols on Sharing Data (IL1 to IL3)) are available to you to enable you to share this information securely. Caldicott Guardian The Caldicott Guardian has a specific set of responsibilities for defining the circumstances in which personal information held about clients can be legitimately shared with other Harrow departments and with other agencies. In Harrow, the Caldicott Guardian s responsibilities primarily relate to Social Care; similar roles exist in other agencies, such as the NHS trusts. The Guardian is responsible for ensuring that these information-sharing guidelines are publicised appropriately and strictly adhered to. Shared Services Shared Services are responsible for monitoring vetting processes and for the management of employee lifecycle information. Their responsibilities include: Monitoring pre-employment reference checking and advising management to ensure compliance with requirements of the role including clearance to the HMG Baseline Personnel Security standard for users who require access to the GSI and RESTRICTED information. Ensuring that system administrators receive prompt notification of employee role changes and departures. Human Resources and Development Promoting awareness of training, including induction training and for ensuring inclusion of relevant security awareness therein & in employee documentation. 10

11 Supporting management to define disciplinary action in the event of misconduct, and non-compliance with Security Policies and assisting management with disciplinary procedures. Review of Information Security Policy The Information Governance Board (IGB) will review this policy on a yearly basis, and the results of the review will be detailed on the minutes of this meeting. Any resulting changes will be notified to all relevant stakeholders. In the event of major network configuration changes, change of policy, security incidents or a lack of security identified in the yearly penetration test performed on the Council s network, the policy will be reviewed for effectiveness, and modified if appropriate. Information Security Policy Exceptions It is not intended that any exceptions will be permitted even on a temporary basis but rather the Policy should be reviewed at the next opportunity. Any changes must be approved by the Information Governance Board. Associated Documentation Further information security documents supporting this policy will be developed over time. Intended further Policies can be found in Appendix A. 11

12 Appendix A Associated documentation Documents supporting this policy include (this is not an exhaustive list): Document Acceptable Use Policy Asset Management Business continuity Change Control Procedure Data backup Disposal of equipment, media and documents Protocols on Sharing Data (IL1 to IL3) Incident reporting and handling Induction and user awareness Information Classification Information Security Statement Network and infrastructure security Remote Working Policy/Toolkit Purpose Defines the acceptable use of Harrow s computer systems, networks, passwords, internet access and (to include notification of monitoring) Procedure for protecting information assets in accordance with their classification and value Procedure and plan to ensure continuity of business in the event of an incident that affects the availability of information or information systems Procedure for identifying, approving and carrying out change in a controlled manner Procedure for creating, managing, storing, labelling, testing and restoring backups of computer based information. Procedure for protection of the confidentiality of information in the event of equipment upgrades, maintenance or disposal, or when information has reached the end of its retention period. Procedure for the use of encryption and/or secure ftp services to protect the confidentiality of sensitive information when sent to 3 rd party organisations. Procedure for reporting, management, and learning from actual, potential or suspected security breaches or weaknesses. Procedure for ensuring that all employees, contractors and third parties who have access to Harrow information are aware of their responsibilities and the consequences of non-compliance with Security Policies. Procedure defining the classifications, and the process for identifying information assets and ensuring that they are appropriately protected according to their value and sensitivity. CEO statement regarding Information Security Technical procedures relating to internet, intranet, remote access, and related equipment including firewalls, switches & routers. Procedures relating to accessing of corporate data remotely. 12

13 Offsite security of equipment and information (including mobile computing and telephony) System security Physical security Virus and malicious code protection Policy and procedure for protection of information that is taken out of Harrow premises, whether in the form of paper documents, or electronically stored media held on laptops or other portable computer equipment. This also covers equipment which is installed on sites of third party organisations. Standards for building, managing, monitoring and maintaining secure computer systems and clients. Policy for physical security of premises and computing facilities, together with standards for environmental controls Procedure for protecting against malicious code, and for handling incidents caused by malicious code 13

14 Appendix B Legislation All employees will comply with all current legislation. Laws relating to information security include those outlined below: Data Protection Act 1998 and EU Directive on Data Protection Personal information relating to identifiable individuals must be kept accurate and up to date. It must be fairly obtained and securely stored. Personal information may only be disclosed to people who are authorised to use it. Copyright, Designs and Patents Act 1988 Documentation must be used strictly in accordance with current applicable copyright legislation, and software must be used in accordance with the licence restrictions. Unauthorised copies of documents or software may not be made under any circumstances. Caldicott Principles Used to describe the confidentiality and security of client information held by providers of social care services and their partners about service users. Computer Misuse Act 1990 This Act addresses the following offences: Unauthorised access to computer material. Unauthorised access with intent to commit or facilitate commission of further offences. Unauthorised modification of computer material. Regulation of Investigatory Powers Act 2000 (RIPA) This Act provides for, and regulates the use of, a range of investigative powers, by a variety of public authorities. It updates the law on the interception of communications to take account of technological change such as the growth of the Internet. It puts other intrusive investigative techniques on a statutory footing for the very first time; provides new powers to help combat the threat posed by rising criminal use of strong encryption; and ensures that there is independent judicial oversight of the powers in the Act. Electronic Communications Act 2000 This Act supports the use of encryption and digital signatures. 14

15 Code on Employers Monitoring Practices Part 3 of the Employee Practices Data Protection Code, which provides best practice guidance on monitoring of s, phone calls and Internet access in the context of the Data Protection Act. EU Directive on Privacy and Electronic Communications Defines legal standards for the processing of personal data, and the protection of privacy in the electronic communications sector. Human Rights Act 1998 Based on the European Convention on Human Rights. Freedom of Information Act 2000 Provides members of the public with the right to request any information from any public body. Public Sector Information Regulations 2005 Obliges public authorities to price up their commercially valuable information for sale under usage licenses, protected by copyright notices issued as part of Freedom of Information responses. Disability Discrimination Act 2004 Particular impact on web site design, accessibility issues. Race Relations (Amendment) Act 2000 Prohibiting race discrimination and a statutory general duty to promote race equality. Environmental Information Regulations Environmental Information must be available and pro-actively published. Business partners should be tied into compliance by contract Guidelines The Local Government Data (LGA) Handling Guidelines, Government Connect and the Code of Connections, 15