Information security and paper-based data storage and disposal. INFORMATION SECURITY POLICY Version 2.2


NOT PROTECTIVELY MARKED

INFORMATION SECURITY POLICY Version 2.2

Document control

Version  Subject               Date     Author         Protective Marking       Description
2.0      Information Security  07/2011  Aysha Mukhtar  Not Protectively Marked  Initial draft created.
2.1      Information Security  07/2011  Aysha Mukhtar  Not Protectively Marked  Document amended to include comments of the IGG.
2.2      Information Security  10/2011  Tim Rodgers    Not Protectively Marked  Final version for CMT approval.

Page 1 10/10/2011

Figure 1. Information Governance Policy Framework

Legislation, Regulations, BSI Standards
  |
Information Governance Policy Framework
  |
High Level Policies:
  - Records Management Policy
  - Information Security Policy
  - Data Protection Policy
  - Corporate Information Risk Policy
  |
Sub Policies and Procedures:
  - Records Management Procedure
  - Internet, Intranet and Email Policy
  - ICT Technical Policies and Procedures
  - Security Incident Management Procedure
  - Information Handling Procedure
  |
Guidelines and Toolkits:
  - LBTH Classification Scheme
  - LBTH Retention Schedule
  - Retention Guidelines
  - Encryption
  - Server Hardening
  - Privileged User
  - Protective Marking Scheme (currently being developed)
  - Acceptable Usage Policy for GCSx
  - Subject Access Request Guidelines
  - Information Sharing Protocols
  - Data Disposal Guidelines (currently being developed)
  - Access Management
  - Patch Management
  - Information Systems Third Party Access Agreement
  - Information Governance Impact Assessment
  - Corporate Scanning Guidelines
  - Virus Control
  - IAO Guidance
  - Standard Operating Procedures
  - Licensing Policy
  - Software Development
  - Application Security
  - IT Investigations Procedure

1. The Information Governance Policy Framework

The Information Governance Policy Framework (Figure 1 above) is based on ISO 27001, the international standard for Information Security Management Systems. The framework consists of high level policies, under which sit sub policies and procedures. The Information Security Policy is one of the high level policies and sits alongside the Records Management Policy, the Data Protection Policy and the Corporate Information Risk Policy.

The Information Security Policy has the following sub policies beneath it:
  - Information Handling Policy
  - Internet, Intranet and Email Policy
  - Information Security Incident Management Procedure
  - ICT Technical Policies and Procedures

All Council employees and those who work for or on behalf of the Council must also read and adhere to the above sub policies.

2. About this policy

Introduction and Scope

This policy covers the security of all information held by the London Borough of Tower Hamlets, whether on paper, film or fiche or held electronically. It applies to all Council members and staff, including those employed on temporary contracts and those contracted to work on the Council's behalf (also referred to in this policy as third parties).

This policy is written to comply with the Data Protection Act 1998 and the Computer Misuse Act 1990, by which the Council is bound and which place it under a legal obligation to apply security measures that protect the personal information it holds against unauthorised access and use. There are no exceptions to the need to handle information appropriately and securely. Everyone who is employed by or works on behalf of the London Borough of Tower Hamlets is required to maintain the security of information, and the provisions of this policy are binding on you. Failure to comply with this policy may lead to breaches of the Data Protection Act 1998, which may result in heavy fines and enforcement action against the Council by the Information Commissioner's Office (1).

Any breach of information security (e.g. theft, loss or malicious damage of ICT equipment, systems or paper documents, compromise of security, etc.) must be reported as soon as possible (see section 9 of this policy).

The Council may take action against any user who is found to have acted in breach of this Policy. Where the user is an employee, the breach may be investigated under the Council's Disciplinary Procedure, which could result in the employee's dismissal. In any other case, the Council will consider and take action as appropriate. The Council may have regard to the Computer Misuse Act in any such investigation (see section 4 of this policy).

The Council is committed to the implementation and operation of an Information Security Management System (ISMS) that is aligned with industry best practice and the international standard ISO 27001, on which this Policy is based. The Information Security Policy will be reviewed, updated and changed from time to time as needs and circumstances dictate.

(1) The Information Commissioner's Office (ICO) is the Government body overseeing compliance with the Data Protection Act 1998, the Freedom of Information Act 2000 and the Environmental Information Regulations 2004. The ICO has enforcement powers which it can use against organisations that breach the above legislation.

2.1 Objectives

This policy aims to:
  - ensure that the Council's information (be it paper, electronic or in any other format), communication assets, computers and systems are protected against internal and external threats;
  - minimise the damage that could result from unauthorised access to information;
  - ensure that all IT users are aware of their obligations, and of the risks of not complying with the requirements of the Policy; and
  - demonstrate that the Council has met its obligations under relevant law.

2.2 Ownership and Maintenance of this Policy

The Policy is owned by the Senior Information Risk Owner (SIRO) (2) and managed on his behalf by the Corporate Information Governance Group (IGG). IGG will review this Policy and the supporting documentation and policies at least once a year and update them as required.

3 The need for security

3.1 Principles

Information used by the Council must be adequately protected to ensure business continuity, to avoid breaches of the law and heavy fines from the ICO (3), and to support the Council's statutory, regulatory and contractual obligations. Information is held and communicated by the Council in many forms, including written or printed on paper, stored on computers and websites, and sent by post or electronically.

The three key aspects of information security are:
  - Confidentiality: taking appropriate measures to ensure that information is accessible only to those entitled to see it;
  - Integrity: maintaining the accuracy and completeness of Council information, and ensuring that all changes or modifications affecting it are authorised, controlled and validated; and
  - Availability: ensuring that information is available to authorised users when and where required.

3.2 Responsibilities

- Chief Executive: ultimately responsible for ensuring the application of effective information security measures.

(2) The SIRO is the CMT level representative for all information security issues and risks, responsible for managing the Council's information risks, including maintaining and reviewing an information risk register.
(3) The ICO (Information Commissioner's Office) is the Government body that oversees the Data Protection Act 1998; it has enforcement powers and the power to fine organisations up to £500,000 for serious information security breaches and incidents.

- Senior Information Risk Owner: CMT level representation for all information security issues and risks. Responsible for managing the Council's information risks, including maintaining and reviewing an information risk register. The SIRO will be specifically trained in the requirements of this role.
- Information Governance Group: the cross-council group which deals with all information governance matters; responsible for formulating security policies, procedures and guidance.
- The Information Security Manager: responsible for the technical investigation and management of all information security incidents and for the overall management of IT security controls.
- The Information Governance Manager: the nominated Data Protection Officer for the Council, responsible for the overall governance of all aspects of information handling, including raising awareness, providing training to Council staff and monitoring compliance. The Information Governance Manager also leads on paper-based information security incidents.
- All Managers: managers, as custodians of information within their specific areas of business, have a responsibility to protect that information. All managers are directly responsible for implementing the Information Security Policy within their business areas, and for adherence by their staff. Management, in conjunction with Human Resources under the Council's Induction scheme, are responsible for ensuring that new staff and contractors are aware of this policy and for requesting a User ID for ICT systems on their behalf. In particular, all managers shall inform ICT of any changes to their staff, including additions, moves and leavers, so that privileges are managed appropriately (granted, changed or revoked as the role changes).
- All Staff, Contractors and Authorised Third Parties: all staff and authorised users of LBTH ICT and paper-based systems are responsible for abiding by the Information Security Policy and, in doing so, actively supporting the provision of information security throughout the organisation.

3.3 Training

All Council employees, permanent and temporary, who use the Council's ICT facilities or handle information in paper or electronic form should attend the Information Security training provided by the Information Governance Team. The Information Security training is compulsory for all staff who have a GCSx (4) account. See section 5, Human Resources, for more information.

(4) GCSx: the Government Connect Secure Extranet, a secure network that enables local authorities and central Government departments to communicate and share information securely. It has stringent security controls.

4 Acceptable Usage

4.1 General requirements for authorised LBTH ICT systems users

The following general usage requirements apply to all authorised users of LBTH ICT systems, including those employed on temporary contracts and third parties (5). Please refer to the Information Handling Procedure V1.1 for more details on how Council information should be handled. <link to the policy>

4.2 General Requirements

a) Each authorised user of LBTH ICT systems is provided with unique user IDs and passwords for the various systems that are in place.
b) Accessing another user's PC without the owner's permission and using it maliciously is strictly prohibited and would be seen as an offence under section 3 of the Computer Misuse Act.
c) The sharing of passwords for individual accounts is strictly forbidden (6).
d) Attempting to break or circumvent the security controls of LBTH equipment or any third party computer system is strictly forbidden.
e) Accessing network traffic not intended for yourself, or doing anything that would adversely affect the ability of others to access ICT services, is strictly prohibited.
f) Intentionally accessing or transmitting information about, or software designed for, breaching security controls or creating computer viruses, or any other activity that compromises the confidentiality, integrity or availability of ICT systems or third party computer systems, is strictly prohibited (7).
g) Knowingly doing anything that is illegal under English or European law, or the law of any other relevant country, is strictly prohibited.
h) Carrying out activities to support any private business without permission is strictly prohibited.
i) No information may be copied or transferred from LBTH computer environments, including desktops or laptops, without the permission of the owner of that information.
j) Storing work related documents on the U: drive is strictly prohibited. All work related documents must be saved on the M: drive.
k) Staff must not take part in online or computer based discussions on matters that are politically controversial (unless such discussions are specific to their role), must not participate in discussions relating to matters that are the responsibility of another officer within the Council, and must not provide information or advice known to be contrary to the Council's policies or interests.
l) Misrepresentation of one's digital identity to gain an advantage of any nature is strictly prohibited.
m) Playing games, other than those authorised and supplied with legitimate software that can be played during non-work hours or those used in LBTH training courses, is strictly forbidden.
n) The storage of personal, non-business related data, such as music, pictures or video, on ICT equipment, be it a PC, a laptop or networked storage, is not permitted.
o) The use of any unauthorised encryption software is strictly prohibited.

Records may be kept of ICT usage, making it possible to discover and track usage that does not comply with these requirements. These records can be inspected by systems administrators for the purpose of monitoring system performance and efficiency, and by management in the event of any suspected malpractice. Further information on monitoring of policy compliance is available in the Internet, Intranet and Email Policy, available on the Intranet.

4.3 Internet, Intranet and Email

An Internet, Intranet and Email Policy is available on the Intranet which describes, in detail, the acceptable usage of corporately provided Internet, Intranet and email access. Compliance with this Policy is required as part of the overall Information Security Policy.

4.4 Desktop and Laptop PCs

Desktop PCs, laptop PCs and other network resources, such as printers and scanners, are provided for staff to access and make use of the information they need to do their job. Using the Council's IT equipment and software for anything other than work, or for personal usage beyond that defined within the Internet, Intranet and Email Policy, risks facilities being withdrawn, disciplinary action and/or prosecution under law.

4.5 Other Mobile Devices

Council issued mobile phones, BlackBerrys and Personal Digital Assistants (PDAs) capable of accessing the Council network are covered by this Policy. Personal equipment used in the course of working for the Council is also covered.

(5) Those contracted to work on the Council's behalf.
(6) Where there is a requirement for delegated access to an account or files, a process of delegation is to be utilised. Further information is available in Section 8.8 below.
(7) The Information Security Manager is exempted from this statement where preventative or investigative research is required, though only for the purposes of strengthening the security provisions.

5 Human Resources

5.1 Awareness and training of Information Security

The Staff Intranet, email and Managers' Briefings will be the major points of contact for receiving updates to ICT policies and procedures. Staff must take the time to read new materials as they become available. Security awareness will be created at the enrolment stage, and reference to the Information Security Policy will be included in employee contracts. A Data Protection Policy covers the handling of personal data and should be read in conjunction with this document.

All LBTH staff who use the Council's ICT facilities or handle LBTH information and documents in paper form should attend the Information Security training provided by the Information Governance Team. More information on the training is available on the Information Governance page of the Intranet. Additionally, there is a Corporate Learning and Development course on Information Governance which includes a specific module on Information Security. Please note that the Information Security training is compulsory for all staff who have a GCSx (8) account.

5.2 Confidentiality agreements

All members of staff will have signed a contract of employment including a clause regarding information they receive in the course of employment, which requires them to ensure the confidentiality of LBTH information during and after their employment. All employees handling critical information must be subject to formal pre-employment screening, which must include satisfactory professional references. Council information is to be kept confidential during and after employment with Tower Hamlets.

Where agency and contract staff and other third party users are concerned, a confidentiality agreement is required before they are granted access to LBTH ICT facilities. Agency and supplier contracts may already contain clauses relating to confidentiality which satisfy this requirement. Where such clauses do not exist, the Information Security Officer should be contacted so that an appropriate agreement can be created (24-hour turnaround).

(8) GCSx: the Government Connect Secure Extranet, a secure network that enables local authorities and central Government departments to communicate and share information securely. It has stringent security controls.

Staff who need to use GCSx accounts must go through a Baseline Personnel Security Check (security vetting), which is a requirement under the Government Code of Connection. More information about the Baseline Personnel Security Check can be found at the following link:

Reckless handling of personal data may be regarded as gross misconduct and, where such handling is alleged, employees may be investigated under the Council's Disciplinary Procedure, an outcome of which could be dismissal. In any other case, the Council will consider and take action as appropriate.

6 Physical and Environmental Security

6.1 Secure Areas

Physical security protection for LBTH is based on defined perimeters and achieved through barriers within the organisation to prevent, detect and minimise the effects of unauthorised access. Critical installations are protected at least by lock and key and are to be kept secure at all times.

All LBTH buildings in the Borough are designated as secure areas and entry to each is controlled by general access procedures:
  - To gain entry, visitors must enter via a public entrance and report to reception. Admittance is under the control of the reception staff.
  - Visitors are not admitted beyond the reception area until the member of staff being visited has been contacted; a member of staff is then requested to collect the visitor from the reception area.
  - Prior to admission, visitors are given a visitor's pass and required to sign the visitors' book. The pass is to be affixed to their person and must be visible at all times. They are then placed under the responsibility of the member of staff being visited for the duration of their stay.
  - All staff and other visitors are issued with a badge for identification. All badge holders must wear the badge at all times while in LBTH buildings.
  - Entry to specifically identified key areas, such as the computer room, is by separate swipe card, access to which is granted by senior ICT management. Only those staff whose jobs require them to enter these areas are issued with access to them.

All contractors entering the Computer Room must sign the Computer Room log book. Video surveillance cameras are located at the computer room entrance and at the main building entrances and exits. The CCTV is monitored by trained personnel. Video surveillance recordings must be retained for a minimum of 4 weeks for possible future playback. Access Violation Reports from the access control software for sensitive areas such as the computer room must be securely maintained and reviewed by the respective Administration Department on a regular basis. Staff are instructed to challenge visitors or people otherwise unknown to them who are not displaying the appropriate identification or are not acting in an appropriate manner.

6.2 Equipment Security

Council ICT equipment, including mobile devices such as laptops and PDAs and the IronKey (the Council's encrypted USB stick), must be protected from security and environmental threats to a suitable level. Such threats include (but are not limited to) theft and sabotage. Corporate ICT systems shall be sited in an appropriate environment, including temperature, humidity and power supply control. Corporate ICT systems must be provided with an appropriate supply of power, in line with the manufacturer's specification, and that supply shall be protected by an Uninterruptible Power Supply (UPS).

Equipment may only be taken off site with the approval of the appropriate manager. Staff who have obtained authorisation to take equipment off site must ensure that such equipment is given a high level of protection. Laptops must be protected by suitable access and physical protection (such as locks on laptop bags), must never be left unattended and must be kept with you at all times whilst in transit. When taking laptops off site, employees must not:
  - leave laptops in cars, because of the high risk of car theft;
  - take laptops to pubs, bars, restaurants etc.;
  - take laptops to social events or sports venues outside of their work; and
  - take laptops to any other such place where the laptop is placed at risk of being stolen or damaged.

Disposal of ICT equipment (both devices and media such as backup tapes and CDs) is subject to legislation and may also be subject to various licensing agreements. Equipment should only be disposed of under the direct supervision of ICT. It is essential that, prior to disposal, the data on the equipment is either removed to a secure location or permanently deleted.

Where other devices have been used, again any Council data should be removed or deleted.

6.3 Clear screen and clear desk

In order to reduce the likelihood of security breaches resulting from information being left unattended, staff must ensure that their PC terminals are locked or logged out whenever they leave their terminal for any reason. Staff shall also ensure that all information (business, personal or sensitive) is kept secure at all times; paper documents must be filed and locked away, and not left in plain view in the workspace, whenever staff are to be away from their desk for over an hour. The Council operates a clear desk policy and as such workstations need to be cleared at the end of each day. The Council's clear desk procedure can be found at the following link: workforce_development/health wellbeing/flexible_working/clear_desk.aspx

6.4 Removal of information

Information must only be taken off site after completion of a proper risk assessment. Examples of such situations include roles requiring work off site, such as social work, and Remote Access and Home Working arrangements. All information taken off site must be encrypted. See section 6.5, Encryption, below.

6.5 Encryption

The Council has encrypted all LBTH laptops in order to protect the information held on them. The Council also provides encrypted USB sticks, the IronKey, for those who need to use a USB stick. All information transmitted, taken off site, in transit or stored off the Council network must be encrypted. Although encryption helps keep the information on these devices secure, as little information as possible should be held on them.

Use secure email (GCSx or CJSM) where possible when emailing documents containing personal or confidential data to public authorities (i.e. central Government departments, other local authorities, the Police, the NHS). When emailing externally to organisations that are not public authorities, employees must ensure that documents containing personal or confidential data are encrypted using WinZip (256-bit AES encryption). Always send the password for the encrypted document separately (never in the same email as the document) and keep the password safe.

Information sent via GCSx does not need to be encrypted, as GCSx is a secure network.

7 Communications and Operations Management

7.1 Use of software

Precautions are required to prevent and detect the introduction of malicious software, such as viruses and spyware. All managers and staff should be alert to the dangers of malicious software. Measures have been introduced to the Council's ICT infrastructure to assist in the prevention and detection of malicious software.

Malicious software controls

To minimise the threat of virus and other malicious software outbreaks within the Council's ICT environment, a number of practices have been introduced. Virus checking of all computer media used is to be conducted. All PCs are provided with virus checking software, and this is to be used to scan all floppy disks and memory keys prior to use. All data sent via email, including both messages and attachments, is scanned by antivirus software; however, users should still be aware of the potential dangers of receiving attachments through email and must only open attachments they are expecting and that come from trusted sources. Users should ensure that antivirus applications are operating at all times. Users of portable equipment must ensure that their devices are regularly connected to the LBTH network so that virus protection measures are kept up to date. In addition:
  - Staff must not disable virus scanning software on laptops.
  - Staff must scan all floppy disks, CDs, USB devices and other types of mobile storage device prior to connecting them to LBTH equipment or the network.

Software licence controls

The Council requires that all software used within the organisation is appropriately licensed and authorised and that no unlicensed software is used; the use of such software is prohibited. Software that is installed must be for business purposes associated with the Council. It is the line manager's responsibility to ensure that only licensed software is used on machines within their control and that suitable documentation is retained. The use of unlicensed software will result in disciplinary proceedings and possibly criminal prosecution. The use of unlicensed software is not only illegal; it is potentially damaging to the ICT operations of the Council. Users may not purchase or install any hardware or software on Council equipment without the express authorisation of ICT, as supported by an approved business case. The ICT Service Desk is the initial point of contact for all software acquisitions. Any incidents relating to viruses, malicious or unlicensed software should be reported to the Service Desk on x4444.

7.2 Use of hardware

  - Users shall not install, relocate or modify hardware allocated to them without the express permission of ICT.
  - Users shall not connect any hardware devices to LBTH computer equipment connected to the LBTH network without the express permission of ICT.
  - Users shall use computer hardware allocated to them in a responsible manner and in compliance with this policy.
  - The responsibility for the protection of ICT portable computers, and the information stored on them, shall reside with the person to whom the equipment has been loaned or allocated.
  - No privately owned computer equipment, including equipment used by contractors or third party suppliers, may connect directly to the LBTH network. Such devices may, however, be connected over the internet using the appropriate remote access software (VPN), provided that the user has formally requested such access in accordance with the procedures for remote access available on the Intranet.
  - Only approved PDAs with approved software may be connected to the LBTH network.

7.3 Storage of Data

The Council works to ensure the protection of all electronic information through the provision of a data backup facility. This facility is only effective for information that is stored on a network drive, which is the M: drive. Information saved locally, on PCs or laptops, is not backed up and can be lost in the event of disk or system failure or if documents are deleted or modified. Additionally, if the PC hard drive or laptop is stolen, the information can easily be compromised.

To ensure that all of the Council's information is protected, all work related information must only be saved on the M: drive, especially business critical information and information containing clients' and customers' personal and sensitive data. Under NO circumstances should work related information, or clients' and customers' personal information, be saved on the U: drive. This is strictly prohibited.

The IronKey (encrypted USB stick) and laptops should only be used to transport data and should NOT be used as storage devices. Any information saved on these devices should be temporary: it should be saved on to the M: drive and deleted from the IronKey or laptop as soon as the member of staff is back in the office.

7.4 Remote access and Home Working

Remote access to the LBTH network and its ICT systems is controlled using a VPN with SecurID technology, which adds a second authentication step using a separately issued hardware token. The process is defined in the ICT enrolments section of the Intranet; please refer to the "Access to systems" page on the ICT pages of the Intranet. Staff working from home on a regular basis should use the VPN with SecurID to access the LBTH network. Staff should refer to the Council's Home Working Policy when considering working from home, and also to the Information Handling Procedure V1.1 for guidance on secure home working.

The Council's Home Working Policy can be found on the HR page of the Intranet: workforce_development/health wellbeing/flexible_working/homeworking.aspx

The Information Handling Procedure V1.1 can be found on the Information Governance page of the Intranet: complaints/information_governance/information_gov_policies.aspx

7.5 Use of removable media

The use of personal USB sticks, compact discs, digital video discs or other digital storage to transfer personal data by Council employees and agencies working on behalf of the Council is strictly prohibited. Council staff should use the Council provided encrypted USB sticks (IronKey) for safe transportation of Council data. The loss of personal data on a USB stick, or through unsecured channels, will be regarded as a disciplinary offence.

USB devices can carry viruses. Great care should therefore be taken when connecting USB devices to the network, and their contents should be scanned with anti-virus software when inserted. The Council reserves the right to inspect USB devices on demand.

7.6 Internet and Email

All Council staff must read and adhere to the Council's Internet, Intranet and Email Policy.

Council staff must never discuss or post Council information on social networking sites or in chat rooms (unless specifically authorised by their manager to do so).

Council staff who need to send protectively marked (9) RESTRICTED data (personal data or sensitive information) to other local or central government departments should use GCSx (10) secure email. Under no circumstances should RESTRICTED data be sent to an email account outside of the Council network unless GCSx or CJSM (11) secure email is being used. Please contact the ICT Service Desk on x4444 to set up GCSx or CJSM secure email. Ensure that all personal data that does not fall under the RESTRICTED classification is encrypted before emailing it outside of the Council's network and secure email facility (see section 6.5, Encryption). Where regular access to personal data is required outside of the office, managers should consider investing in VPN (SecurID technology) to allow staff to work from home on a virtual desktop. Please see section 7.4, Remote access, above.

8 Access Control

Authorised users are provided with access to LBTH ICT systems based on a strict business need. Access is based on the need-to-know and least privilege principles, whereby officers are only privy to information that is in direct support of the conduct of their responsibilities.

8.1 Enrolment

Access to LBTH ICT systems is controlled using the ICT Systems Enrolment Form, available in the ICT section of the Intranet: ems.aspx

All users of ICT resources must be individually enrolled. Individual user accounts must not be shared, with the exception of delegation.

(9) The Protective Marking Scheme is a Government information classification scheme and data handling system. It has been developed to ensure that information is handled in a manner appropriate to its value, in terms of the severity of the impact or damage that is likely to result from its compromise.
(10) GCSx: the Government Connect Secure Extranet, a network that enables local authorities and other Government agencies to communicate and share information securely. It has stringent security controls.
(11) CJSM: Criminal Justice Secure eMail, which enables criminal justice organisations and practitioners to exchange sensitive and confidential email securely.

When applications for enrolment are successfully completed, a login ID and password are provided. Passwords must remain confidential at all times. Approval for enrolments must be given by the system owner or line manager under delegation.

8.2 Password use

When staff are creating or updating passwords, the following guidelines must be used. Passwords should:
- Be at least 7 characters in length
- Contain a mix of alphabetical (e.g. a, b, c, etc), numerical (e.g. 1, 2, 3, etc) and special characters
- Contain a mix of upper and lower case characters
- Not be anything that could be easily guessed, such as a pet's name or birth date
- Be easy to remember
- Not be written down
- Not be divulged to any other person
- Contain at least one capital letter
- Be changed every 60 days

Failure to correctly enter a password more than three times in a row may result in a lock being placed upon the account, disabling access. The ICT Service Desk should be contacted on x4444 to apply to have the lock removed. Users will be required to suitably identify themselves before this can be processed.

8.3 Privileged Accounts

The use of all Operating System or Database System Administrator accounts must be approved by the Service Head, ICT. The use of all application-specific administrator and other privileged accounts shall be approved by ICT systems administrators once approved by the System Owner.

8.4 Access to Information

Users are authorised to access LBTH information only whilst in the employment of LBTH or as an authorised volunteer, work experience student or person having a contractual relationship with LBTH. No information can be copied or transferred from LBTH computer environments (including desktops or laptops) or paper files without the permission of the owner of said information.
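The password rules in section 8.2 above, and the lock that follows more than three consecutive failed logons, can be expressed as a small checker. The code below is an added example written for this page; it is not LBTH's own enrolment or password tooling, and the list of easily guessed words and the profile words passed in are constructed for illustration (a real deployment would check the user's own profile data and a breached-password list).

```python
"""Added example: a checker for the section 8.2 password rules and the
three-strike account lock. Illustrative only, not LBTH's own tooling."""
import string
from datetime import date, timedelta

MIN_LENGTH = 7           # "at least 7 characters in length"
MAX_AGE_DAYS = 60        # "changed every 60 days"
MAX_FAILED_ATTEMPTS = 3  # lock once failures exceed three in a row

# Constructed stand-in for a list of commonly guessed passwords.
GUESSABLE = {"password", "qwerty", "letmein", "welcome1"}


def check_password(password: str, profile_words=()):
    """Return the 8.2 rules the password violates (empty list = compliant).

    profile_words are values an attacker could guess from the user's profile
    (pet's name, birth year); the policy says these must not appear.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c in string.ascii_letters for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    if not any(c.isupper() for c in password):   # also covers "at least one capital"
        problems.append("no upper case")
    if not any(c.islower() for c in password):
        problems.append("no lower case")
    lowered = password.lower()
    if lowered in GUESSABLE or any(w.lower() in lowered for w in profile_words if w):
        problems.append("easily guessed")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than the 60-day rotation period."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


class AccountLock:
    """Tracks consecutive failed logons; locks on the fourth failure in a row."""

    def __init__(self):
        self.failures = 0
        self.locked = False

    def record_attempt(self, success: bool) -> bool:
        """Record one logon attempt and return whether access is granted."""
        if self.locked:
            return False          # locked accounts stay denied until reset
        if success:
            self.failures = 0     # a good logon ends the streak
            return True
        self.failures += 1
        if self.failures > MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False

    def unlock_by_service_desk(self):
        """Reset performed by the Service Desk after the user is identified."""
        self.failures = 0
        self.locked = False


if __name__ == "__main__":
    print(check_password("Rex1985!", profile_words=("Rex", "1985")))
    lock = AccountLock()
    for _ in range(4):
        lock.record_attempt(False)
    print("locked:", lock.locked)
```

The checker reports every rule that fails rather than stopping at the first, which is what a user-facing enrolment form needs; the lock object is deliberately separate from the password check because the lock state belongs with the account, not with the credential being tested.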

8.5 Access Administration

Every system shall have a System Owner who will have overall responsibility for granting access rights to users of their particular applications. Each authorised user will be granted access to those information resources needed to perform that officer's duties. If an application function has an official delegation, then only staff with that delegation will be able to access that function.

8.6 Access Monitoring

Where the capability exists, the use of LBTH ICT systems will be monitored using audit trails that log security-related events. The following time-stamped events will be recorded as a minimum:
- Details of all logon attempts, whether successful or not;
- Details of attempts to access protected resources, whether successful or not;
- All activities relating to the use of special system privileges;
- All modifications to security information (user IDs and passwords);
- All modifications to system control parameters; and
- All transactional activity.

Such logs will be reviewed, when necessary, to identify any misuse of access privileges or attempts to do so. Security investigations will be subsequently carried out as required.

8.7 Access Removal and Modification

When the employment of a staff member is to end, the appropriate system and application administrators must be notified to ensure that the user accounts are disabled and/or removed in a timely fashion. The leaving staff member's line manager must report this to ICT using the form on the ICT pages on the Intranet. The ICT Service Desk will then raise this with the appropriate administrator to ensure that the account is disabled.

When a contract is to be terminated or the need for an authorised third party supplier to access LBTH ICT resources ends, the manager responsible for that person or persons is to contact the ICT Service Desk to inform them of the change. The ICT Service Desk will then raise this with the appropriate administrator to ensure that the account is disabled.
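Section 8.6 lists the events an audit trail must capture and says the logs are reviewed for misuse of access privileges. The following added example shows what such a review looks like over a handful of log lines. It is not LBTH's code: the one-line-per-event log format, the event names and the sample records are constructed for this illustration, and the lockout threshold mirrors the "more than three times in a row" rule from section 8.2.

```python
"""Added example: review of an audit trail for the events listed in section 8.6.
The log format, event names and sample lines are constructed for this page."""
import re
from collections import defaultdict

# Constructed audit-trail sample: "<timestamp> <EVENT> user=<id> key=value ..."
SAMPLE_LOG = """\
2011-10-10T08:01:12 LOGON_FAIL user=jsmith src=10.0.0.5
2011-10-10T08:01:40 LOGON_FAIL user=jsmith src=10.0.0.5
2011-10-10T08:02:05 LOGON_FAIL user=jsmith src=10.0.0.5
2011-10-10T08:02:30 LOGON_FAIL user=jsmith src=10.0.0.5
2011-10-10T08:03:00 LOGON_OK user=amukhtar src=10.0.0.9
2011-10-10T08:10:15 PRIV_USE user=amukhtar priv=SeBackupPrivilege
2011-10-10T08:11:00 RESOURCE_DENIED user=tjones resource=/hr/payroll.xls
2011-10-10T08:12:44 SEC_CHANGE user=amukhtar target=tjones change=password_reset
2011-10-10T08:13:01 PARAM_CHANGE user=svc_backup param=audit_policy
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+)(?P<rest>.*)$")


def parse(log_text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # Remaining "key=value" tokens become extra fields (src, priv, target ...).
        extras = dict(kv.split("=", 1) for kv in rec.pop("rest").split())
        rec.update(extras)
        records.append(rec)
    return records


def review(records, max_failures=3):
    """Return (finding, user, timestamp) tuples for the 8.6 event classes.

    A finding is raised the moment an account exceeds max_failures consecutive
    failed logons; a successful logon resets that account's streak.
    """
    findings = []
    streak = defaultdict(int)
    for r in records:
        event, user, ts = r["event"], r["user"], r["ts"]
        if event == "LOGON_FAIL":
            streak[user] += 1
            if streak[user] == max_failures + 1:
                findings.append(("lockout_threshold", user, ts))
        elif event == "LOGON_OK":
            streak[user] = 0
        elif event == "PRIV_USE":
            findings.append(("privilege_use", user, ts))
        elif event == "RESOURCE_DENIED":
            findings.append(("protected_resource_denied", user, ts))
        elif event == "SEC_CHANGE":
            findings.append(("security_info_modified", user, ts))
        elif event == "PARAM_CHANGE":
            findings.append(("system_parameter_modified", user, ts))
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(*finding)
```

The review keeps every privilege use and every change to security information or system parameters as a finding, because 8.6 treats those as events to record regardless of outcome; only the logon stream is reduced to a threshold, since individual failed logons are routine. On a real system the parser would be replaced by one for that system's own audit log format.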

Any requirements for change to access rights, such as a member of staff changing their role within the organisation and therefore needing different access, must be raised with the Service Desk for action by the appropriate administrator. It is the responsibility of the former line manager to ensure that any privileged access is removed should it no longer be required, and the responsibility of the new line manager to request any additional access.

8.8 Delegation of Access

At times, it may be necessary to delegate access to certain systems or portions of systems to users that would not generally be assigned such access. This may be due to periods of absence (such as access to an officer's files during sickness or recreational leave) or to fulfil operational requirements (such as a Personal Assistant requiring access to their superior's mail and calendar).

Accounts must not be shared to suit this requirement. Instead, delegation of access must be used. If the delegation is required during a period of leave, steps should be taken to ensure that this is completed prior to the officer going on leave. The delegated access should also be removed as soon as it is no longer required. Assistance with Delegation of Access can be obtained through the Service Desk (x4444).

8.9 Third Party Access

The security of the Council's ICT facilities and information assets must be maintained when accessed by third parties (e.g. subcontractors, suppliers, partnership organisations, software suppliers, etc.). Where there is a business need for third party access, a risk assessment must be carried out to determine the security implications and control requirements. Controls must be agreed and defined in any contract with the third party. The Information Systems Third Party Access Agreement form should be completed by the departments requiring third party access.

The form can be found at: complaints/information_governance/information_gov_policies.aspx

On occasion third parties (e.g. external suppliers) may wish to connect their laptops or equipment to the Council's network. In these instances the ICT Service Desk should be contacted on x4444 to authorise the connection.

9 Systems Acquisition, Development and Maintenance

Application owners need to define security requirements with the help of the information security officer. This will consist of the following sections:
- Controlled Environment
- Change Management
- Source Code Management
- Version Control
- Testing
- Retention Requirements
- Reverse Engineering
- Security Requirements in Software development and acquisition

There should be documentation of system specifications and current settings. There should also be documented data input controls (in accordance with BS ISO 27001).

10 Information Security Incident Management

A security incident is one that can be defined as having resulted in:
- The disclosure of confidential information to an unauthorised individual,
- The integrity of the data or the system being put at risk,
- The availability of the data or the system being put at risk,
- Non-compliance with ICT policies,
- Unexpected behaviour of ICT systems,
- An adverse impact on the Council, for example:
  - Embarrassment to LBTH
  - Threat to personal safety or privacy
  - Legal obligation or penalty
  - Financial loss
  - Disruption of activities

Incidents, perceived weaknesses or suspected or actual security breaches must be reported to the Information Security Manager on x 4951 or the ICT Service Desk on x. All paper-based security incidents must be reported to the Information Governance Manager on x.

Incidents that are found to be of significance (Red or Purple [12]) will be investigated by the Security Incident Response Team (SIRT [13]) in a confidential manner and dealt with accordingly, and the Senior Information Risk Owner (SIRO) will be engaged. The Information Commissioner's Office will be notified where there are serious breaches of the Data Protection Act. Any disciplinary actions resulting from this investigation will be managed in accordance with the Council's Disciplinary Procedure.

Details of the incidents will be referred to the relevant Line Manager and the appropriate Directorate Human Resources Manager. Where the incident involves the Line Manager or the investigating officer, appropriate alternate personnel shall be informed. Regular reports of Information Security Incidents will be provided to the Information Governance Group.

For more information please refer to the Security Incident Management Procedure available on the Intranet on the ICT policies page, or contact the Information Governance Manager on x.

11 Business Continuity

11.1 Disaster Recovery Planning

An ICT Disaster Recovery Plan has been developed to provide a structured and tested set of procedures and necessary resources for the temporary and potentially long-term recovery of critical ICT infrastructure and services following the occurrence of an event (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) that interrupts normal operations. This process shall identify the critical business processes and integrate the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and facilities. Proper backup and recovery procedures shall also be in place to ensure quick and accurate restoration.

[12] Red incidents are medium severity; Purple incidents are the highest level of severity. Refer to the Security Incident Management Procedure.
[13] SIRT is a virtual team chaired by the Information Governance Manager, who will co-ordinate the non-technical aspects of the response.

For further information on the systems and data repositories protected by the ICT Disaster Recovery Plan, please contact the Business Support Manager, ICT.

12 Compliance

The design, operation, use, and management of information systems must abide by relevant statutory, regulatory, and contractual requirements. The following legislation and standards are relevant; however, this is not a comprehensive list and other appropriate existing or future legislation and standards may need to be considered.
- Computer Misuse Act 1990
- Data Protection Act 1998
- Human Rights Act 1998
- Freedom of Information Act 2000
- Environmental Information Regulations 2004
- Electronic Communications Act 2000
- Copyright, Designs and Patents Act 1988
- ISO 27001 Information Security Management Standard
- PCI DSS - Payment Card Industry Data Security Standard
- GCSx Code of Connection - Government Connect Secure Extranet

Appendix 1 shows how the above legislation and standards apply to this policy.

Audit and Review

The information security policy is currently reviewed annually by the information security officer and the Information Governance Manager; any changes will be submitted to the Information Governance Group for final approval.

13 Details of how to work with the new policy

Employees will need to follow the Information Security Policy and the sub-policies that sit beneath it at all times.

14 Highlight the consequences of failing to meet the policy

Failing to meet the Information Security Policy requirements presents a threat to the confidentiality of the Council's information and to the availability of the tools for employees to complete their jobs. As such, non-compliance

with this policy will be viewed seriously and will result in disciplinary action, in accordance with the LBTH Disciplinary Procedure, which may result in a warning (verbal or written), counselling sessions and potentially dismissal, depending on the severity of the misuse. The following sanctions have been developed so as to deal with cases of misuse of this policy:
- Withdrawing access to ICT equipment, software and services
- Legal action, which could result in the award of damages, fines and/or possible imprisonment for breaches of legislation such as the Data Protection Act, the Computer Misuse Act or for breaches of any law

14.1 Success of the Policy

Success will be measured by:
- fewer audit actions
- fewer information security incidents that lead to loss of data
- number of referrals to Information Governance/Information Security for advice on project or operational matters.

15 Policy owner, version number and date of next review

This policy is owned by the Information Governance Group. If you have any questions regarding this policy please contact:
o The Information Governance Manager, Tim Rodgers, on ext 4354; or
o The Information Security Manager, Alan Downey, on ext

The version of this policy is 2.1 and is next due for review in July 2012.

Appendix 1 - Legislation and Standards

1. Legislation

1.1. The Computer Misuse Act 1990

The Act is relevant to electronic records in that it creates three offences of unlawfully gaining access to computer programmes. The offences are:
- unauthorised access to computer material;
- unauthorised access with intent to commit or cause commission of further offences; and
- unauthorised modification of computer material.

Access is defined in the Act as:
- altering or erasing the computer program or data;
- copying or moving the program or data;
- using the program or data; or
- outputting the program or data from the computer in which it is held (whether by having it displayed or in any other manner).

Unlawful access is committed if the individual intentionally gains access, knowing he is not entitled to do so, and aware he does not have consent to gain access. The 'further offence' applies if unauthorised access is carried out with intent to commit or cause an offence. The 'modification' offence applies if an individual does any act causing unlawful modification of computer material and does so in the knowledge that such modification is unlawful, and with the intent to:
- impair the operation of any computer;
- prevent or hinder access to any program or data held in any computer; or
- impair the operation of any such program or the reliability of any such data.

It is important that all staff members are aware of and comply with the Council's Information Security Policy and Information Handling Procedure.

1.2. Data Protection Act

The Data Protection Act gives individuals rights to access their own personal data (whether held in paper or electronic format) held by organisations. This is called a subject access request. Organisations must respond to subject access requests within 40 days. The Act also requires data to be accurate, gathered for a specified purpose, retained for no longer than necessary, and protected against unauthorised access, loss or destruction. To comply with all these requirements, it is essential that information is managed efficiently, and that there are clear procedures for its collection, storage, security, retention, and destruction.

The Information Commissioner may take enforcement action against organisations that breach the Act and lose personal data. This includes stopping the organisation from processing the personal data and imposing fines of up to £500,000. It is therefore essential that the Council uses coherent, clearly defined procedures.

1.3. Freedom of Information Act

The Freedom of Information Act gives people a general right of access to the information held by public authorities. The person making a request has the right to be told whether information exists and to receive that information (subject to certain exemptions) within 20 working days. Under section 77 of the Act it is a criminal offence to alter, conceal or destroy any record held by a public authority to prevent disclosure of information. It is therefore essential that the Council uses coherent, clearly defined procedures to control its information.

1.4. Environmental Information Regulations

The Environmental Information Regulations 2004, like the FOI Act 2000, give people a general right of access to environmental information held by public authorities, and a response must be provided within 20 working days. Like the FOI Act, efficient record-keeping is essential in order to locate relevant information promptly and respond within the statutory time limits.

1.5. Human Rights Act Article 8

Schedule 1, Article 8, section 2 of the Human Rights Act 1998, Right to respect for private and family life, states: There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the


More information

Network and Workstation Acceptable Use Policy

Network and Workstation Acceptable Use Policy CONTENT: Introduction Purpose Policy / Procedure References INTRODUCTION Information Technology services including, staff, workstations, peripherals and network infrastructures are an integral part of

More information

Corporate Affairs Overview and Scrutiny Committee

Corporate Affairs Overview and Scrutiny Committee Agenda item: 4 Committee: Corporate Affairs Overview and Scrutiny Committee Date of meeting: 29 January 2009 Subject: Lead Officer: Portfolio Holder: Link to Council Priorities: Exempt information: Delegated

More information

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy DOCUMENT INFORMATION Author: Vince Weldon Associate Director of IM&T Approval: Executive This document replaces: IM&T Policy No. 1 Anti Virus Version

More information

DBC 999 Incident Reporting Procedure

DBC 999 Incident Reporting Procedure DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible

More information

Information Management Policy

Information Management Policy Information Management Policy Document Control Title Organisation Description Author(s) Information Management Policy London Legacy Development Corporation The Information Management Policy describes how

More information

Data Security and Extranet

Data Security and Extranet Data Security and Extranet Derek Crabtree Schools ICT Support Manager derek.crabtree@merton.gov.uk Target Operating Model 2011 Merton Audit Organisation name: London Borough of Merton Periodic plan date:

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Version: 0.2 Committee Approved by: Audit Committee Date Approved: 15 th January 2014 Author: Responsible Directorate Information Governance & Security Officer, The Health Informatics

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

Mike Casey Director of IT

Mike Casey Director of IT Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

ABERDARE COMMUNITY SCHOOL

ABERDARE COMMUNITY SCHOOL ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been

More information

IT ACCESS CONTROL POLICY

IT ACCESS CONTROL POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

BERKELEY COLLEGE DATA SECURITY POLICY

BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data

More information

Information Security Code of Conduct

Information Security Code of Conduct Information Security Code of Conduct IT s up to us >Passwords > Anti-Virus > Security Locks >Email & Internet >Software >Aon Information >Data Protection >ID Badges > Contents Aon Information Security

More information

Physical Security Policy

Physical Security Policy Physical Security Policy Author: Policy & Strategy Team Version: 0.8 Date: January 2008 Version 0.8 Page 1 of 7 Document Control Information Document ID Document title Sefton Council Physical Security

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

REMOTE WORKING POLICY

REMOTE WORKING POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Information and Resources for Small Medical Offices Introduction The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario s health-specific

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Enterprise Information Security Procedures

Enterprise Information Security Procedures GHL Network Services Ltd Enterprise Information Security Procedures Prepared By Nigel Gardner Date 16/11/09 1 Contents 1. Openwork s Information Security Policy...3 2. Enterprise Information Security Procedures...3

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name Introduction Removable Media and Mobile Device Policy Removable media and mobile devices are increasingly used to enable information access

More information

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY OBJECTIVE To provide users with guidelines for the use of information technology resources provided by Council. SCOPE This policy

More information

Information & ICT Security Policy Framework

Information & ICT Security Policy Framework Information & ICT Security Framework Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT & Regulation Group and IMG January

More information

ICT POLICY AND PROCEDURE

ICT POLICY AND PROCEDURE ICT POLICY AND PROCEDURE POLICY STATEMENT St Michael s College regards the integrity of its computer resources, including hardware, databases and software, as central to the needs and success of our day-to-day

More information

Acceptable Use of Information Systems Standard. Guidance for all staff

Acceptable Use of Information Systems Standard. Guidance for all staff Acceptable Use of Information Systems Standard Guidance for all staff 2 Equipment security and passwords You are responsible for the security of the equipment allocated to, or used by you, and must not

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

INFORMATION SECURITY MANAGEMENT POLICY

INFORMATION SECURITY MANAGEMENT POLICY INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY CORPORATE POLICY Document Control Title Paper Records Secure Handling and Transit Policy Author Information Governance Manager ** Owner SIRO/CIARG Subject

More information

Responsible Access and Use of Information Technology Resources and Services Policy

Responsible Access and Use of Information Technology Resources and Services Policy Responsible Access and Use of Information Technology Resources and Services Policy Functional Area: Information Technology Services (IT Services) Applies To: All users and service providers of Armstrong

More information

2.2 Access to ICT resources at the Belfast Metropolitan College is a privilege, not a right, and all users must act honestly and responsibly.

2.2 Access to ICT resources at the Belfast Metropolitan College is a privilege, not a right, and all users must act honestly and responsibly. 1 Purpose The purpose of this document is to set out the College's policy and provide guidance relating to the responsible use of the College's ICT resources and systems. 2 General 2.1 Belfast Metropolitan

More information

ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010

ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 OBJECTIVE This Security Plan (the Plan ) is intended to create effective administrative, technical and physical safeguards for the protection

More information

Everyone in the workplace has a legal duty to protect the privacy of information about individuals. AEP/BELB/LJ/2010 Awareness Session

Everyone in the workplace has a legal duty to protect the privacy of information about individuals. AEP/BELB/LJ/2010 Awareness Session Everyone in the workplace has a legal duty to protect the privacy of information about individuals AEP/BELB/LJ/2010 Awareness Session During 2007 alone, 36,989,300 people in the UK have had their private

More information

Data and Information Security Policy

Data and Information Security Policy St. Giles School Inspire and achieve through creativity School Policy for: Date: February 2014 Data and Information Security Policy Legislation: Policy lead(s) The Data Protection Act 1998 (with consideration

More information

How To Write A Health Care Security Rule For A University

How To Write A Health Care Security Rule For A University INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

Remote Access and Network Security Statement For Apple

Remote Access and Network Security Statement For Apple Remote Access and Mobile Working Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Remote Access and

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

Information Incident Management Policy

Information Incident Management Policy Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

CYBERSAFETY AT WESTLAKE GIRLS HIGH SCHOOL

CYBERSAFETY AT WESTLAKE GIRLS HIGH SCHOOL CYBERSAFETY AT WESTLAKE GIRLS HIGH SCHOOL CYBERSAFETY USE AGREEMENT FOR STUDENTS 2014 This document consists of a cover page and three sections: Section A Cybersafety In The School Environment Important

More information

Information Security Incident Management Policy and Procedure

Information Security Incident Management Policy and Procedure Information Security Incident Management Policy and Procedure Version Final 1.0 Document Control Organisation Title Author Filename Owner Subject Protective Marking North Dorset District Council IT Infrastructure

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information