Birmingham City Council Internet Monitoring Standard

Transcription

1 If you have inquiries about this Standard, contact the Business Policy Team of the ICF on or Standard Owner: Author: Version: 2.0 Date: 22/04/2009 Classification Unclassified Business Policy Team, ICF, Birmingham City Council Madeleine Westrop (Service Birmingham) and Caroline Hobbs (ICF) 2009 Produced in conjunction with v2.0 Page 1

2 Contents Contents...2 Document History...3 Overview OBJECTIVES OF THE INTERNET MONITORING STANDARD...5 Why the Internet is Monitored...5 What is not Monitored...5 Scope...5 Responsibilities...6 The in relation to other Council Policy...6 The Internet Monitoring Procedure INTERNET USE MONITORING REPORTS...7 Monitoring access to the Internet...7 Monitoring information transferred across the Internet...7 Investigation Access REPORTS ON BLOCKED INTERNET SITES...9 Operational Changes to Site Access...9 Report of sites Blocked...9 Internet Access requests and complaints COMPLAINTS ABOUT INTERNET MONITORING AND REQUESTS FOR ACCESS TO BLOCKED SITES...9 v2.0 Page 2

3 Document History Version Amendment Date Purpose Author Draft 1 10/01/2006 Network Security Team discussions Sue Smith Draft 2 16/01/2006 Network Security Team amendments Sue Smith Draft 3 18/01/2006 Information Security Team amendments Sue Smith Draft 4 14/03/2006 CISG amendments Sue Smith Draft 5 03/04/2006 Further CISG amendments Sue Smith Draft 0.6 1Completely Rewritten & changes arising from the new Internet Use Policy Note draft 5 was never formally approved Madeleine Westrop Draft Changes after comments from Audit to make it clear monitoring Madeleine Westrop is individual, global and for groups. Syntax changes from ICF. PS&BS reviewed but no comments. Draft Amended to make it clear the standard covers only with Madeleine Westrop respect to web mail, which is not covered by the Policy Final document approved by Business Transformation Advisory Caroline Hobbs Group 1.1 March 2009 Review as part of the Internet Reporting Project Caroline Hobbs 1.2 April 2009 Version for review by CISG Caroline Hobbs /04/2009 Amended with review comments Caroline Hobbs /04/2009 Approved by BTAG Caroline Hobbs Standard Distribution once signed off Name Organisation Role All Staff All Staff Service Birmingham Standard Reviewers Name Organisation Role Audit Strategy, Policy & Service Birmingham Note: drafts see version history above. Business Security and Network Security Standards Database Distribution List ICF Legal Department Network Services Service Birmingham CISG Version 1.2 Standard Approval Name Organisation Role Date BTAG Authorising Body 22 nd April 2009 Overview Purpose Authority Ownership Scope Review Related docs BS ISO/IEC 27001:2005 BS :2005 control reference See Objectives Below See Scope Below Annually Listed in Glossary and Appendix to the Internet Policy. 5.1 Information Security Policy 6.3 To minimize damage from security incidents and to monitor and learn from such incidents 7.1 To achieve protection of organizational assets Operational staff should maintain a log of activities to include timings, system errors, confirmation of correct handling and names of persons making the log entry. v2.0 Page 3

4 7.1.3 acceptable use of assets 8.2 Human Resources security principles to ensure employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities Protection against malicious and mobile code Capacity management to detect unauthorised information processing 15.2 Compliance with security policies and standards ; Etc. v2.0 Page 4

5 1. OBJECTIVES OF THE INTERNET MONITORING STANDARD Why the Internet is Monitored This Standard is published in order to make it clear to all Internet users that Birmingham City Council monitors and reports on use of the Internet in a fair and appropriate way. In particular, Internet use is monitored in order to: analyse the use of Internet resources and to manage those resources; control security risks and in particular to protect the confidentiality, integrity and availability of Council information; make sure that excessive personal use of the Internet, or the , system does not use up the resources needed by and to make sure personal use does not affect the conduct of Council business; establish the existence of other facts relevant to the business; regulate the use of the Internet and make sure it is used in compliance with s policies, standards and codes of practice; regulate the way the Internet is used in compliance with the law; perform public duties such as those required in the interests of national security or public safety. What is not Monitored All traffic to and from the Internet, including web mail - ( sent through the Internet service), is automatically logged by the Council s Bluecoat Proxy Management software. Birmingham City Council does not specifically monitor personal use of the Internet but Users should be aware that this activity is logged and will be available to Internal Audit and Council management along with information about business use in the case of an investigation. Private information is only deliberately recorded or processed as part of an investigation where the degree of intrusion into what is private, is clearly justified and not excessive, in order to investigate or prevent criminal activity, breach of policy, wrongdoing or public harm. Scope This Standard applies whenever the Internet Use Policy applies. Please refer to this document which is available in the PSPG database on Lotus Notes or via Inline. Also note that this Standard applies to all web mail and does not include Lotus Notes , which is transferred by a different route. (For Lotus Notes monitoring guidance, see the Policy and Code of Practice available in the PSPG database or via Inline). v2.0 Page 5

6 Responsibilities Please refer to the Glossary and Appendix to the Internet Policy available in the PSPG database or via Inline. The in relation to other Council Policy This Standard is part of the City Council s set of corporate security policies and codes of practice which are listed in the document, Glossary and Appendix to the Internet Policy available in the PSPG database on Lotus Notes and via Inline. All monitoring will be carried out in accordance with the ISO27001 Standard for Information Security Management and in accordance with the law. In particular, the Lawful Business Practice Regulations (issued under the Regulation of Investigatory Powers Act 2000) permit to monitor their own communications systems in order to make sure that policies, codes, rules and terms and conditions are followed. The Internet Monitoring Procedure The Bluecoat Proxy Management software categorises each Internet site (this is maintained by the software provider). Each category has been reviewed and has been assigned one of the following actions: Accessible to all Internet users all of the time (Allowed) Blocked to all Internet users all of the time (Denied) Accessible to all users outside Internet Reporting Core Time (10am -12pm and 2pm 4pm) (Non Core) Accessible to Users with an approved business need in and out of Internet Reporting Core Time(Exception) A list of the categories and the actions assigned to them is available on the PSPG and via Inline. If access to a blocked category is required for business purposes, a request must be submitted to the Business Policy Team of the ICF (Lotus Notes Business Policy Team ICF) using the form for requesting access to restricted internet categories (available on Inline) accompanied by a legitimate business reason for the access. The form must be forwarded to the ICF from the manager of the individual requiring access. This forwarding is taken as authority for access to be granted. In exceptional circumstances, when access is required urgently an Assistant Director must sign and submit the form. Managers should be aware that spot checks will be carried out by Internal Audit and by the ICF to verify that business access is legitimate and that the decision to grant authority may be challenged should an investigation be required. Approved access requests will be sent to Service Birmingham for action. If access is requested to a category that is perceived to pose a security risk, Service Birmingham will perform a risk assessment. If the risks identified are deemed to pose an unacceptable threat to the Council or its network access will not be granted. It is the manager s responsibility to ensure that Exception access to blocked sites is withdrawn when there is no longer a business need for it (e.g. when a person s job role changes). v2.0 Page 6

7 2. INTERNET USE MONITORING REPORTS Monitoring access to the Internet Service Birmingham will record details when the Internet is accessed through the Birmingham City Council Internet service. The following details, among others, will be kept in logs: The identity used when somebody accesses the Internet; the date and time the Internet is accessed by that identity; the duration of access by that identity; the web sites and addresses visited through the Internet by that identity; attempts by that identity to access web sites which are blocked ; details about which workstation is used to access the Internet by that identity; use during Internet Reporting Core and Non Core Time; Internet reports will be kept in line with the Council s Corporate Retention Schedules available on Inline. Monitoring information transferred across the Internet Certain details will be logged when information is downloaded from the Internet. This information is mostly contained in files and the files may originate from a web site, or from a distant computer participating in file sharing networks. The following details, among others, will be kept in addition to the access data mentioned above: The types of files downloaded, particularly files containing software or computer viruses; the size of files downloaded; the web sites and addresses from which files are downloaded; the times that data is downloaded from the Internet. Raw data from the Internet logs will be kept for a period of 2 years, during which time it will be available for reporting as required. Note that the content of private web-based s sent across the Internet will be stored and recorded within these reports. This information is not sought by. The Council monitors only for the purposes listed in the section on Why the Internet is Monitored, above. However, information obtained in this way may be used where there is a legal justification. For example, information obtained in this way may be used as part of an investigation if the information points to a sufficiently serious breach of the law or of Birmingham City Council policy. v2.0 Page 7

8 On a monthly basis Service Birmingham will produce reports from Business Objects using the information from the Bluecoat logs. Reports will be made available to nominated managers in the Council for action. The standard reports are: Top users in Internet Reporting Core Time (10am to 12pm and 2pm to 4pm) Top users in Internet Reporting Non Core Time Top categories used in Internet Reporting Core Time (10am to 12pm and 2pm to 4pm) Top categories used in Internet Reporting Non Core Time Trend reports will also be produced to monitor overall usage and sites used. Ad-hoc reports can be requested by Internal Audit or Council managers using any of the information that is logged by Bluecoat. However any information required to investigate potential wrongdoing must be obtained following the Investigation Access procedure (see below) which is available in full on the PSPG database or via Inline. Investigation Access If analysis of the standard reports described above, or other information, raises a reasonable suspicion of wrongdoing by a particular individual, then more detailed forensic reports may be produced for the Council by Service Birmingham. In this case, the Investigation Access procedure must be followed. This procedure has the following overriding objectives: 1. The degree of Access must be considered and described in the Impact Assessment. 2. Wherever possible the person doing the investigation must avoid unjustified intrusion into personal data and correspondence. 3. Wherever possible the investigation should be revealed only to those who need to know about it and are sufficiently responsible to keep details confidentially. 4. The evidence must not be corrupted. More information about the Investigation Access Procedure is available on the PSPG database on Lotus Notes and via Inline. v2.0 Page 8

9 3. REPORTS ON BLOCKED INTERNET SITES Operational Changes to Site Access blocks access from their systems to certain Internet sites or categories of Internet sites (see the Internet Use Policy and Code of Practice). The Service Birmingham Security Team can make operational decisions to block or change the access to particular Internet sites. In making these operational decisions, Service Birmingham are informed by general principles provided by. is kept informed through regular reports, about what sites or categories of sites are currently blocked and may revise the operational decisions made by Service Birmingham. The list of which sites are blocked will change constantly because web sites themselves change and the classification of those sites is always being revised. However, the City Council aims to use consistent principles to guide its decisions about whether particular sites should be blocked. Two sorts of reports may be produced: Report of sites Blocked Regular reports about which sites and which categories of sites are blocked are produced by Service Birmingham and are made available to. Birmingham City Council ultimately decides which sites should be blocked. Internet Access requests and complaints The Service Birmingham Service Desk may receive requests to make a change to allow access to a particular Internet site, or to disallow access, or to permit particular information to be downloaded from the Internet. Service Birmingham may be authorised to make an operational change (see above) at once. If Service Birmingham is not clearly authorised, or if the matter is contentious, Service Birmingham will forward these requests to s Corporate Information Security Group who decide whether to change the access or not. Records of what decisions are reached and why they were reached, will be kept by the Council. These records will be used by and by Service Birmingham in order to control the Internet blocking consistently. 4. COMPLAINTS ABOUT INTERNET MONITORING AND REQUESTS FOR ACCESS TO BLOCKED SITES. Internet users should address all complaints and enquiries about the Internet service, monitoring or blocking to the Service Birmingham Service Desk on v2.0 Page 9