Newark & Sherwood District Council

Transcription

1 Newark & Sherwood District Council ICT Strategy Version: 1.0 Page 1 of 47

2 ICT STRATEGY INDEX Executive Summary 1 1. ICT Strategy Introduction 9 2. Corporate aims & objectives for ICT Corporate Business Drivers ICT Infrastructure Network Configuration UNIX platform Network infrastructure Network Server Configuration Windows networking Software Network Upgrades IP Telephony ICT Software Development Standards PC Software Corporate application software Packaged Software Software Upgrades ICT Hardware PC s Printers IP Telephones Mobile Phones Mobile Devices Security 7.1 Protocols, Standards and procedures 7.2 Protection from malicious software (Virus Controls) 7.3 Vulnerability and Patch Management 7.4 Government Connect 7.5 Anti Virus 7.6 Firewalls 7.7 Encryption 7.8 Virus Alerts Version: 1.0 Page 2 of 47

3 8. Roles and Responsibilities The Cabinet Corporate Management Team Head of ICT ICT development group Channel Strategy Electronic data interchange Web enabled services Home / Site Visits and Contact Home Working ICT Purchasing Acquisition Policy Shared Services Technical & User Support Hardware Software Risk assessment and risk management Green ICT 13.1 Printer Consolidation 13.2 LCD Monitors 13.3 Power Efficient Hardware 13.4 Server Virtualisation 13.5 Storage Virtualisation 13.6 Virtual Desktop Integration 13.7 PC Energy Saving measures 13.8 Replacement of equipment 13.9 Mobile devices ICT Equipment Recycling 14. Future Developments Version: 1.0 Page 3 of 47

4 Executive Summary This strategy defines the Council s strategic approach to the development of Information and Communications Technology (ICT). This will ensure that these systems both contribute to and underpin the delivery of the Council s Strategic Objectives and Service Delivery Plans. The aims of the strategy are: Provide a solid, secure and reliable computer infrastructure. Provide a fully integrated voice and data network. Set standards. Provide a high quality ICT environment. Comply with Government IT standards and best practice guidelines. Ensure that ICT facilities are secure and protected from security risks. Provide an infrastructure which will enable participation in shared services. Comply with Government Connect security requirements. Comply with international information security management standards. Corporate aims & objectives for ICT The success of most organisations is dependant on their ability to develop effective information systems, which support major goals and objectives with timely and accurate information. For local authorities, information technology has become a corporate asset of strategic importance. An ICT strategy is concerned with aligning the needs of the organisation with the provision of information systems through the application of ICT. Underpinning the strategy is the selection of a strategic ICT platform, capable of supporting customers and users, and providing for opportunities in a flexible, unrestrictive fashion. The ICT strategy supports, and is appropriately aligned with, the Councils Corporate Plan and enables the authority to achieve elements of the corporate plan, CPA, any future strategies and projects which support the Council s Priorities. An ICT strategy defines the building blocks necessary to achieve a transparent infrastructure, on which applications are placed, and also defines the processes required to ensure that security and data communication are effective and efficient. The DCLG s Transformational Government agenda identifies a shared services culture as a key transformation and particular mention is made of the IT infrastructure. The corporate objectives of the strategy are: To integrate complex multi vendor software and hardware. To be able to integrate information from several sources. To have the ability to re align technology quickly. To have the ability to expand and change easily without affecting other components. Version: 1.0 Page 4 of 47

5 To have portable systems. To have an infrastructure capable of supporting shared services. Corporate Business Drivers The corporate business drivers reflect the pressures faced by the Authority to deliver efficiencies, meet Central Government directives and continue to deliver a high quality public service and include the following: Customer Relationship Management (CRM) Business Continuity Efficiency Savings Lean Working Mobile and Flexible Working Information Management Web Development Government Connect Shared Services ICT Infrastructure The ICT infrastructure is the platform upon which ICT systems are run and consists of hardware and software. Standards are essential in order to ensure consistency, compatibility, efficiency and flexibility and is made up of the following components: UNIX Network infrastructure Network Server Configuration Windows networking Software Network Upgrades IP Telephony ICT Software Software is the essential component which sits on top of the infrastructure to provide user facilities. It is imperative that standards are adhered to in order to provide systems which are stable, compatible, portable and maintainable. The essential components are: Development Standards PC Software Corporate application software Packaged Software Software Upgrades Version: 1.0 Page 5 of 47

6 ICT Hardware Hardware works with the infrastructure and software to provide user s with facilities to use ICT systems. It is imperative that standards are adhered to in order to provide users with facilities which are stable, compatible, portable, efficient, cost effective and maintainable. The essential components are: PC s Printers IP Telephones Mobile Phones Mobile Devices: mobile devices and Application specific mobile devices Security Security is essential in order to protect the Councils information processing facilities, hardware, software and data, which are important assets. Confidentiality, integrity and availability of information are essential to the operation of the Council. The essential components are: Protocols, Standards and procedures Protection from malicious software (Virus Controls) Vulnerability and Patch Management Government Connect Anti Virus Firewalls Encryption Virus Alerts Future Developments ICT technology moves quickly and its essential that the Council makes cost effective decisions on how we are going to move forward to meet the challenges faced, both from a technical and budget perspective. Roles and Responsibilities There is a need for clear governance arrangements to ensure that the Council s ICT strategy and projects are delivered effectively, with sufficient priority within the Council. The following structure encompasses staff from all levels within the authority to ensure full ownership of the ICT strategy. The Cabinet The portfolio holder for corporate issues is the member e champion. The role of the Cabinet is to approve the initial and future developments of the ICT strategy. Senior Management Team Version: 1.0 Page 6 of 47

7 The responsibility of this team is to support the ICT strategy, policies and procedures, by ensuring that all directorates participate in the identification of requirements for, and the development of the strategy. The team will be responsible for ensuring that all projects within their directorate and cross cutting projects are adequately resourced and that staff are given appropriate priorities for all projects. The Chief Executive has been nominated as the officer e champion. Head of ICT The responsibility of the Head of ICT is to develop the ICT strategy and its associated policies and procedures. The Head of ICT will report to the Corporate Management Team and the Cabinet to gain approval for developments of the strategy. The Head of ICT will be the lead officer of the ICT development group and will be responsible for the development and delivery of ICT projects. ICT development group The responsibility of this group is to develop and manage ICT projects. Channel Strategy The Council has always conducted business with its customers through a variety of channels, e.g. face to face and telephone. E business provides the opportunity to improve our services by offering new channels and enhancing existing methods of communication. The strategy defines the Council s current position regarding the following channels: Electronic data interchange Web enabled services Home / Site Visits and Contact Specialist Portals Home Working Version: 1.0 Page 7 of 47

8 ICT Purchasing Acquisition Policy An acquisition policy is necessary to ensure that computer equipment and software purchased meets the ICT strategy requirements and is in line with the Council s procurement policies. The Computer section is responsible for ordering all computer equipment and software and any associated maintenance, this ensures that the necessary standards are adhered to. ICT will use Catalyst and the OGC wherever possible. Shared Services A shared services culture relating to the IT infrastructure is one of the key transformations of the DCLG s Transformational Government agenda. All ICT acquisitions should be examined for their potential for shared services. The categories of shared services arrangements which should be evaluated for purchases of ICT hardware and software are as follows: Hardware Collaborative procurement for infrequent high cost purchases. Collaborative procurement for equipment purchased regularly. Software Collaborative procurement for the purchase of applications software. Joint service delivery for some or all of the following functions: The IT software and hardware platform and the support function. Joint service delivery of the back office function. Joint service delivery of the front office/ customer facing function. Mapping Joint procurement of mapping services. Collaborative procurement of specific geographical data Technical & User Support The technical support strategy is divided into the following areas: Hardware Maintenance contracts should be arranged for the core computer equipment in order to minimise down time for critical applications. Equipment not covered by maintenance agreements will be repaired on a time and materials basis. Software Software support contracts should be arranged for critical application packages. Version: 1.0 Page 8 of 47

9 Risk assessment and risk management ICT projects are not without risk and therefore it is imperative that the Council has a risk assessment and risk management procedure which will identify the critical areas of risk under the following headings: IT Infrastructure Culture Resources Skills Corporate planning / management Technical risk Security Legislation Green ICT Faced with increasingly urgent warnings about the consequences of the projected rise in both energy demands and greenhouse gas emissions, ICT are focusing more attention than ever on the need to improve energy efficiency. Green technologies exist today to help optimise space, power, cooling and resiliency while improving operational management and reducing costs. The green ICT strategy is divided into the following areas: Printer Consolidation LCD Monitors Power Efficient Hardware Server Virtualisation Storage Virtualisation Virtual Desktop Integration PC Energy Saving measures Replacement of equipment Mobile devices ICT Equipment Recycling Future Developments ICT technology moves quickly and its essential that the Council makes cost effective decisions on how we are going to move forward to meet the challenges faced, both from a technical and budget perspective. Version: 1.0 Page 9 of 47

10 1. ICT Strategy Introduction This strategy defines the Council s strategic approach to the development of Information and Communications Technology (ICT) systems and related technologies. This will ensure that these systems both contribute to and underpin the delivery of the Council s Strategic Objectives and Service Delivery Plans. The aims of the strategy are: Provide a solid, secure and reliable computer infrastructure which is capable of running all of the Council s business applications. Provide a fully integrated voice and data network. Set standards which will ensure that network integrity and the synergy of the network is maintained. Provide a high quality ICT environment that supports the Council s strategic and service priorities, e business vision and Geographical Information Systems (GIS) and enables the Council to improve its operational performance. Comply with Government IT standards and best practice guidelines in order to provide a solid foundation which will support the development of shared services. Ensure that ICT facilities are secure and protected from security risks such as viruses, distributed denial of service attacks, and the potential for system and network compromise. Provide an infrastructure and processes which will enable the Council to participate in shared services. Comply with Government Connect security requirements. Comply with international information security management standards to ensure that information held on ICT facilities is secure. Version: 1.0 Page 10 of 47

11 2. Corporate aims & objectives for ICT The success of most organisations is dependant on their ability to develop effective information systems, which support major goals and objectives with timely and accurate information. For local authorities, information technology has become a corporate asset of strategic importance. The availability of timely and accurate information is also essential to corporate decision making. An ICT strategy is concerned with aligning the needs of the organisation with the provision of information systems through the application of ICT. Underpinning the strategy is the selection of a strategic ICT platform, capable of supporting customers and users, and providing for opportunities in a flexible, unrestrictive fashion. The ICT strategy supports, and is appropriately aligned with, the Councils Corporate Plan and enables the authority to achieve elements of the corporate plan, CPA, any future strategies and projects which support the Council s Priorities. Newark & Sherwood District Council has adopted an open systems strategy, which will protect the investment in ICT by providing a flexible platform for the future, capable of accommodating change without losing past investment in ICT. An information technology strategy defines the building blocks necessary to achieve a transparent infrastructure, on which applications are placed, and also defines the processes required to ensure that security and data communication are effective and efficient. The DCLG s Transformational Government agenda has three key transformations, one of these is a shared services culture and particular mention is made of the IT infrastructure. The vision is to release efficiencies by standardisation, simplification and sharing. Shared services provide the opportunity to reduce waste and inefficiency by re using assets, by sharing investments, by sharing management overheads and other costly resources. The corporate objectives of the strategy are as follows: To integrate complex multi vendor software and hardware into a synergetic corporate facility, so that the organisation can respond better to external pressures. To be able to integrate information from several sources, to produce management and operational reports and assess the performance of the organisation, as well as enabling on line access to corporate databases. To have the ability to re align technology quickly, in response to unexpected and economic, political or legislative changes. To have the ability to expand and change easily in required areas without affecting other components, providing savings in both costs and implementation time. To have portable systems in order to achieve flexibility. Version: 1.0 Page 11 of 47

12 To have an infrastructure capable of supporting shared services. The overall objectives of the Council's information and communications technology are to minimise costs, provide higher level management information and to support service delivery to the public and users taking due regard of the Council s equalities policy. Version: 1.0 Page 12 of 47

13 3. Corporate Business Drivers There are a range of business drivers that have an implication on the development and delivery of ICT Services. In addition to the Council s own priorities, there are significant external drivers that impact on the direction the Council must take over the coming years and that have direct implications for the delivery of ICT Services. Customer Relationship Management (CRM) A corporate decision has not yet been made on how the Authority is to proceed with a CRM system, but the potential of this decision needs to be a consideration in all developments due to the fundamental culture and technological changes that will be required to be implemented with a CRM system. Consideration is given to CRM implications as a part of every project implementation to ensure that potential future integration is possible should a CRM system be adopted. Business Continuity The growing reliance on ICT systems means that greater emphasis must be placed on service availability, business continuity and disaster recovery options. The existing joint authority contract has proved a cost effective and service efficient option and the Council will be looking to renew this ahead of the 31 st July 2010 expiry date. Efficiency Savings The continuing requirement on Councils to cut budgets and produce efficiencies whilst still providing a high level of service to the public means greater pressure will be applied on ICT to deliver more efficient ways of working. Lean Working Linked to the Efficiency Savings, work is underway throughout the Authority to review and map the processes in use. Assessment of what the streamlining of these processes can achieve in making the service delivery more efficient and cost effective and working smarter may result in ICT developments. Mobile and Flexible Working Staff and office accommodation are critical resources for the Council and there are also environmental pressures to reduce travel through more flexible ways of working. Linked to the Workforce Development Plan (currently under revision), the Council is looking to provide more flexible working arrangements to assist in staff retention, reduction of officers travel time, reduction in travel costs, the potential to extend the Authority s opening hours, enable home working, implementing hot desking facilities and releasing office accommodation. Version: 1.0 Page 13 of 47

14 Information Management Improving information management processes will support improved efficiency in the delivery of services as well as help the Council meet its legislative responsibilities under the Freedom of Information Act (FOI) 2000 and the Data Protection Act A key component of this would be to introduce a corporate Electronic and Records Management System (EDRMS). The investment of time & resource should be made into the development of the corporate GIS database and the introduction of the Mosaic data set. Web Development The Authority s website is seen as a key access channel into the Councils services, allowing the public to self serve if they wish to, supplying information as required and providing the Council with a more cost effective method of handling transactions. A project has been commissioned to replace the existing Content Management System (CMS) and redesign the corporate website to allow a more transactional approach and give an improved structure to the information stored, making it more intuitive for the residents to locate what they are looking for. Government Connect Government Connect is a secure communications network between central government and all other government bodies. Its purpose is to help government bodies to improve their efficiency and connect more effectively with their customers, with each other and with central government. The Council successfully achieved compliance with the Code of Connection (CoCo) ahead of the deadline of 31 st March The latest version of the CoCo, version 4.1 has just been released and whilst there are less criteria overall, more of these are now mandatory. This will be an ongoing annual process to achieve compliance against the security criteria issued by central government. The Council is looking at the possibility of carrying out some of the work associated with CoCo compliance jointly with other local authorities in Nottinghamshire to achieve consistency and reduce the demands on individuals within the Council s technical teams. Shared Services Following the restructure of ICT, which came into effect on the 1 st October 2008, the Council has a shared Head of ICT with Mansfield DC. This provides efficiencies for both councils and begins the process of developing a more strategic direction for future ICT developments. Version: 1.0 Page 14 of 47

15 A Shared Services Business Case has been approved by CMT and the Cabinet at Newark & Sherwood and SMT at Mansfield and also includes partners from Broxtowe BC, Rushcliffe BC & Gedling BC. Some of the work already carried out within this partnership includes; a joint DR contract, a joint MAVPN and a shared ISP provision all of which have provided cost savings or cost avoidance for all partners. Consideration is given to joint procurement for each project in order to ascertain whether there is an opportunity to achieve procurement efficiencies and begin the move towards the same operating systems and software applications to further support shared service opportunities across service areas. Version: 1.0 Page 15 of 47

16 4. ICT Infrastructure 4.1. Network configuration The Council s computer network is a high quality technically advanced structure encompassing IP telephony, fully integrated voice and data networks, internet facilities, web site, remote working facilities, GIS and e business functionality. The network is the backbone of the computer facilities, and as such should be maintained and updated in order to retain the synergy of the network as a whole. Future development relies on the network being flexible UNIX platform The mid range processing power of the Council must conform to the open systems standards. The Council has standardised on a UNIX platform running AIX. A UNIX platform was selected as it enables the Council to change and expand its mid range computer facilities with flexibility and without losing the value of past investment and also conform to the open systems standards. The advantages of this configuration are as follows: Additional machines can be added to the network without disruption to other services. Applications are portable from one machine to another providing flexibility in the case of a machine failure, this is particularly important where essential applications are involved, such as Revenues and Housing services. Integration of information between mid range computers and the applications running on them is essential to produce management and operational reports and on line access to data Network infrastructure The network infrastructure is the backbone of all of the Council s computer facilities and as such must be solid, secure, flexible and reliable. The network infrastructure consists of the following: A fully integrated voice and data network. High quality private network connections to remote sites. A 100 Meg core connecting the servers and IP telephony switches. CISCO switches, all IP capable with UPS and in line power. Contact centre technology. Version: 1.0 Page 16 of 47

17 A demilitarised zone to isolate publicly accessible facilities and remote working access points. Firewalls to protect the internal network, systems and data from intrusions and viruses Network Server Configuration The server configuration supplies the network with software and data which can be shared by all users on the network. Server virtualisation has been adopted by the Council in order to reduce the number of servers managed, thereby reducing the costs of server hardware, maintenance and software. A storage network device, in conjunction with server virtualisation, is used as a data store and consolidates the data resulting in more efficient use of servers. It should be noted that not all servers can be virtualised. Some applications and services cannot work in a virtualised environment and some would not operate efficiently. The major benefits of server virtualisation are: Lower number of physical servers reduction in hardware maintenance costs because of a lower number of physical servers. Server consolidation increases space utilisation efficiency in the server population. By having each application within its own virtual server prevents one application from impacting another application when upgrades or changes are made. The reduction in the number of servers results in a reduction of power usage. Multiple operating system technologies can be deployed on a single hardware platform. Virtual servers can be copied from one server to another easily and quickly aiding business continuity and server maintenance. Server virtualisation improves the efficiency of the data centre, as well as lowering the cost of ownership Windows networking Software Microsoft Windows is the standard workstation and networking software for the Council. TCP/IP (network transportation software) is the network communication product. Windows provides all of the above mentioned facilities, TCP/IP provides a communications facility between the UNIX processors and all of the other units on the network. The network connects and manages computing devices, applications and services that users require. Network software provides the layer of consistency that is required to mask users from Version: 1.0 Page 17 of 47

18 the underlying complexity of the technology and will enable users to perform their functions more efficiently through easy, seamless access to critical information regardless of where users or information are located. Networking software provides the following facilities: Shared devices Printers, storage devices, scanners, photocopiers and backup systems. In order to reduce duplication of facilities and save costs. Shared information A secure electronic filing cabinet in order to reduce duplication of data and to provide shared facilities. Corporate processing Access to corporate databases and applications in order to create a complete working environment from one location. Interpersonal communications E mail to increase efficiency and provide workflow capability. Management facilities Intuitive and reliable system management to reduce the costs and complexity of managing a network and to allow network management to manage every layer of the network easily and efficiently Network Upgrades In order to sustain maximum performance and benefit from the Computer network there is a continuing requirement to take advantage of supplier operating system technological advances. Critically but not exclusively this will include operating system and network management software. This is particularly relevant where supplier support is withdrawn for current versions of software. Upgrades should be applied in all areas, where there is a necessity or there are advantages to do so, in order to retain the synergy of the network and to achieve a flexible network which can readily respond to change. It will be critical in the context of supporting an upgrading policy to allow for planned budgetary support for multi user network hardware and software upgrades which will be essential to ensure the continuing development of the network. The Computer budget has no ongoing provision for upgrades, however in 2005/2006 for the first time a budget for ICT renewals was created, however this is only funded at year end when any under spends on Council budgets are divided into three with ICT being allocated one third, these allocations are one off and not yearly. Where the pace of technology necessitates expenditure the appropriate reports to cabinet will be prepared to identify further funding requirements. Multi user network hardware and software upgrades would cover the following: UNIX and central PC network server hardware and software upgrades. Version: 1.0 Page 18 of 47

19 Switches, used for IP telephony, PC and printer connection. Telecommunications cabinets containing switches and cabling. 4.7 IP Telephony The Council installed IP telephony in January 2005, the ultimate aim of this was to migrate to a single voice and data network which would improve the Council s ability to scale for the future and quickly react to the dynamically changing needs of the Council. Enhanced telephony facilities were required in order to meet the vast change in requirements and operation of ICT due to best value, CPA, the government s modernisation strategy and to lay the foundation for future telephony based service development and operation. IP Telephony has a direct impact in creating a Customer First culture which is one of the primary elements of the Corporate plan. The primary outcomes of IP Telephony are: Call centre technology for the customer support unit which will supply call queuing and statistics which will enable a sophisticated level of call evaluation and should ultimately result in service improvements. A converged data and voice network which will in time reduce equipment and maintenance costs by combining the multiple network infrastructures into a single IPbased network. IP (Internet Protocol) Telephony will centralise call processing, thus eliminating the need for separate units at off site locations, resulting in a reduced investment in equipment. A reduction in the number of wiring drops and hardware connection costs. Expenditure associated with moves adds and changes will be minimised. An integrated network will improve the ability to scale for the future and its ability to quickly react to the dynamically changing needs of the Council. A converged network enhances the Council s communications capabilities by facilitating employee mobility and providing a solid foundation for the deployment of advanced, feature rich services and solutions. IP telephony, unified messaging, and multi channel contact centre applications are just a few examples of such solutions. Version: 1.0 Page 19 of 47

20 5. ICT Software 5.1. Development Standards Standards are essential for software development and maintenance to be efficiently and effectively controlled. Standards should include documentation standards for specifications and programs, and programming standards. Standards produce conformity, enabling efficient and effective development and maintenance. Newark & Sherwood District Council operates its own systems and programming standards. These standards were introduced in 2009, and will be updated regularly to take into account new working practices and hardware and software changes PC Software Standardisation of software does not apply to current versions as no central ICT budgetary provision is made for this purpose. Compatibility problems can therefore occur with different versions and impact on the workload and effectiveness of PC Network Support and users, the major problem is that of users sharing information. Standardisation is necessary to ensure the synergy of the network, all units on the network must be open to each other, allowing software links and document transfer. This is essential to the future development of the network, allowing growth to take place instead of a rebirth for new projects Corporate application software Corporate application software is standardised and consists of the following facilities: Database to extract information from other sources in order to analyse and manipulate the data into a form suitable for a particular purpose. The database will also provide users with a tool to create local applications for data maintenance and analysis. Spreadsheets which provide a further analysis tool for the manipulation of data, including graphical representation. Word processing facilities including the ability to merge information from both spreadsheet and database applications into documents. E mail to automate the transfer of information between E mail users both internally and externally. CRM application for corporate complaints and service requests. GIS software for mapping facilities, data management and analysis. LLPG software for the corporately held property gazetteer database. Version: 1.0 Page 20 of 47

21 5.4. Packaged Software The main factors which should be taken into consideration when selecting packaged software should be cost effectiveness, efficiency, benefits and the ability to perform the required functions. The first consideration before embarking on the following procedure is to investigate whether the required function could be provided by shared services. Section 10.2 of the strategy defines the different categories of shared services for ICT purchases. The following guidelines, shown below, should ensure that software packages meet the Council's needs. The Council s corporate project management procedures must be followed and project approval gained before a specification is produced. The guidelines to package selection where the functionality is common and packages are already available are as follows: An outline system specification should be produced by the user in the first instance to determine their specific requirements. All corporate and major ICT developments will be reported/presented to the ICT development group. ICT must be involved with the outline system specification in order to ensure that the interfaces with other systems are fully specified, and that the requirements of the ICT strategy and all ICT policies and standards are met. That evaluation criteria must be established before commencing the product investigation and will generally include costs, performance, functionality and benefits. The level of software integration requirements must be investigated by ICT. Detailed supplier statement of the software facilities to be provided. Where interfaces to other systems are required the supplier must provide reference sites, where available, for verification by users and ICT. The interfacing requirements must be included in the contract when purchasing products. A questionnaire should be sent to the existing users of the packages being evaluated, in order to gain a view of user s opinions. The supplier must provide full support of the package and any supporting database, this must include remote citrix connection for the support of all elements of the package. Version: 1.0 Page 21 of 47

22 Local Authorities are often required by government to perform functions which are operationally new areas of activity and in some cases where legislation is not available until the nth hour. In these cases it may not be possible to find a readily available package and therefore a different set of guidelines will apply. The guidelines to package selection in this case are as follows: A trusted supplier should be selected with a large portfolio of local government applications. An agreement should be made which will allow the Authority to exit at any stage should the project fail to meet the Authorities requirements. An outline system specification should be produced in the first instance, to determine the users specific requirements. If this area of activity is new and a specification cannot be fully determined then external help should be obtained. The agreement should be tailored to allow the authority to use the specification as an evaluation document for other suppliers should the authority not wish to proceed with the selected supplier. ICT must be involved with the outline system specification in order to ensure that the interfaces with other systems are fully specified, and that the requirements of the ICT strategy and all ICT policies and standards are met. That evaluation criteria must be established before commencing the product investigation, if the decision is made not to go ahead with the original supplier, and will generally include costs, performance, functionality and benefits. The level of software integration requirements must be investigated by ICT. Detailed supplier statement of the software facilities to be provided before signing up for the final product production stage. The interfacing requirements must be included in the contract when purchasing products. The supplier must provide full support of the package and any supporting database, this must include remote citrix connection for the support of all elements of the package. Where there is a requirement for multiple users of the software package LAN licences must be purchased not dongles Software Upgrades Suppliers frequently upgrade software for some or all of the following reasons: Technological advancement User demand Legislation Supplier competition Version: 1.0 Page 22 of 47

23 Software upgrades should only be applied where necessary, not just because an upgrade is available. It may be necessary to upgrade for some or all of the following reasons: Legislation Dependence on other software which has been upgraded Additional functionality Performance improvements Fault rectification Maintenance on the current version ceasing It should not be a practise of this Council to install software versions which have not been vigorously tried and tested, and working in a live environment for at least six months. Only in the following exceptional circumstances should this practise not be followed: Legislation. Organised Beta site testing. Software development, working in partnership with suppliers, where there is a new ground breaking area of activity or new legislation. Version: 1.0 Page 23 of 47

24 6. ICT Hardware 6.1. PC s The high population of PC's is resulting in a continuing increase in network complexity and technical support requirements. While an open policy on PC selection would truly support an open systems policy, the resulting mix of hardware would be impossible to support. Another result of such an open policy would be a proliferation of low quality equipment which could prove expensive on external maintenance costs and time consuming on internal support. In order to achieve openness in the area of PC selection and to create a supportable environment, PC's must satisfy the following criteria: Must be totally compatible with the existing population of PC's. Must be totally compatible with network operating system software. Manufacturers selected must be high volume suppliers and provide technical support. ICT will, on a monthly basis, evaluate its recommended PC specifications against market developments, there will be three models, one for laptops and a low and high specification workstation Printers The number of printers within the authority has now reached a level where service areas should review printing requirements and identify areas where in the past it has been considered an advantage for staff to have personal printers it should now be balanced against cost and the requirement for printed documents. Printer consolidation is now a policy of the Council. Printer consolidation should also be applied to photocopiers. New generation photocopiers are now available which are networked. The use of networked printer photocopiers will: reduce costs in paper, cartridges and servicing more efficient i.e. all networked staff can control photocopying from the desktop. reduce leasing costs reduce staffing costs Networked printer photocopiers will be the main printing facilities for the authority. Printers will only be purchased where the requirements fall into one of the following categories: Highly sensitive information being printed on a regular basis e.g. audit, personnel. Version: 1.0 Page 24 of 47

25 High volume application printing required e.g. Council tax, Housing, Elections. Specialist printing of high quality or large scale prints e.g. photographs, and plans. maps 6.3 IP Telephones Locations either behind locked doors or remote from the photocopiers e.g. CCTV, Central Control. ICT will, on a monthly basis, evaluate its recommended IP telephone models against market developments. Accessibility issues, with an associated risk assessment, will be the only exceptions. 6.4 Mobile Phones ICT will, on a monthly basis, evaluate its recommended mobile phone models against market developments. Accessibility issues, with an associated risk assessment, will be the only exceptions. 6.5 Mobile Devices Mobile devices cover two areas: Mobile Devices ICT will purchase only one model of this type of device, this will only change when the model is updated and replaced. Accessibility issues, with an associated risk assessment, will be the only exceptions. Application specific mobile devices Suppliers providing systems for these devices may specify that their system will only run on a particular device with specific capabilities, where this is the case then there will be no option but to use the specified device. Where there is a choice then the devices should be evaluated and where a device matches one already in operation then this device should be chosen as long as the functionality of other devices is not superior. Accessibility issues, with an associated risk assessment, will be the only exceptions. Version: 1.0 Page 25 of 47

26 7. Security Security is essential in order to protect the Councils information processing facilities, hardware, software and data, which are important assets. Confidentiality, integrity and availability of information are essential to the operation of the Council. 7.1 Protocols, Standards and procedures The Council has adopted protocols, standards and procedures, in particular the Information Security Management Standards based on ISO27001 and ISO27002, which support the following objectives: To ensure that the Authority s ICT assets hardware, software and data are protected against theft, loss, damage, corruption and any unauthorised actions. To ensure that all employees of the Authority are aware of the risks to which ICT systems may be subjected and of their responsibilities to minimise those risks. To ensure the authority complies with the many and varied laws surrounding Information and communications. 7.2 Protection from malicious software (Virus Controls) It is essential to ensure that the Councils network remains virus free, and that any penetration by any virus (or other malicious software) is immediately detected and the threat is contained and dealt with before any damage can occur. This is achieved through a multi tiered approach to the threat: Ensuring current anti virus software is always in place right across all Council Information Technology Assets Ensuring that all users of Council Information Technology Assets follow procedures to reduce the risk of viruses accidentally being let in to the organisation. Ensuring that the vulnerabilities that viruses generally exploit are not present anywhere on the Council network. Ensuring that appropriate processes are in place to minimise loss and deal effectively with viruses that are detected Standard anti virus software shall be installed on all of Council s servers, workstations, personal computers, laptops and notebooks, and automatic scanning for viruses shall be activated whenever such equipment is in use. If (notwithstanding the protective measures being taken) a virus does enter the Council network then this shall be dealt with effectively and promptly by ICT so as to minimise risk to the Council. Version: 1.0 Page 26 of 47

27 Additionally, all users of Council Information Technology Assets have a personal responsibility to play their part in protecting the Council network against malicious software. In particular, users are responsible for ensuring that: They do not inadvertently introduce a virus from an external source into the Council network. When using Council Information Technology Assets, the equipment that they are using is running anti virus software with up to date file definitions. They report any suspicious incidents immediately by contacting ICT. They follow any instructions received from ICT regarding dealing with a virus threat. 7.3 Vulnerability and Patch Management ICT are responsible for keeping abreast of identifications of new vulnerabilities that could impact Council Information Technology Assets and for implementing patches accordingly. ICT is responsible for ongoing monitoring of new vulnerabilities. For Microsoft Windows products Microsoft Software Update Services will be used for automatic updates. For all other products periodic checks will be conducted on a regular basis to ensure that new vulnerability threats are identified and dealt with in a timely manner. Patch implementation shall be conducted taking into account the need to minimise system downtime whilst still ensuring implementation of patches to all potentially impacted machines in a timely manner. 7.4 Government Connect The Department of Communities and Local Government (DCLG) have implemented Government Connect (GC), which is a secure network delivering a secure infrastructure, linking all local authorities to each other and to central government departments and agencies. In high level terms, the major components of Government Connect are: A core network that enables the linking of Local Authorities to each other and to Government departments, therefore providing a foundation for the secure exchange of sensitive information. Mail A secure routing solution between Government bodies. Version: 1.0 Page 27 of 47

28 A single multi agency sign on and authentication vehicle that will allow secure and trusted online interaction with the citizen The DWP, from 1 st April 2009, mandated that the transfer of information to and from Local Authorities for benefits information would only be through Government connect, in essence this mandated the use of Government Connect by Local Authorities. In order to gain connection the Council must comply with the Government Connect security standards and submit a return stating compliancy in March every year. The standards are many and extremely complicated 7.5 Anti Virus The Council utilises an Anti Virus Service which protects the Council from known and unknown viruses which can be transmitted using s as a medium, and can also block other based threats such as phishing scams, Trojans, and worms. The virus protection service offers protection from known and unknown viruses using pattern protection techniques. This service is essential in order to enable the Council to avoid, as much as is possible, virus related costs such as system down time, lost productivity and reputation damage. 7.6 Firewalls The Council deploys firewalls between the Councils network and the Internet and external users in order to protect the Network providing protection against intrusions, targeted attacks and vulnerabilities. Intrusions and targeted attacks may result in: Loss of data Loss of reputation Loss of time Loss of service availability 7.7 Encryption The Council deploys encryption technologies to protect the confidentiality, authenticity and integrity of information. The following encryption facilities are in place: Full disk encryption to ensure that information remains secure when stored on laptops and tablet PC s, the only exception is laptops which are only used for presentations. This would ensure that data on any of these devices if lost or stolen would remain secure. Removable and mobile device encryption to ensure that information remains secure when stored on removable devices e.g. memory sticks and CD s, and mobile devices e.g. Version: 1.0 Page 28 of 47

29 PDA s. This would ensure that data taken from Council systems can only be read using Council owned equipment. Portable encryption to allow the transfer of data to another establishment by encrypting the data to include the software which combined with a password will un encrypt the data for use. attachments may also be encrypted in this way. It is also essential to control how users copy data onto removable media, such as USB drives and MP3 players, by restricting which removable storage devices can be connected i.e. only Council supplied equipment, and by ensuring these also are encrypted, this method of device Control automatically monitors usage, and blocks any unauthorised attempts to use these devices to transfer data. Floppy disk drives are used very rarely and these are blocked from use as encryption is not feasible with these devices. 7.8 Virus Alerts On receipt of a Virus alert for a new destructive virus, users will be notified and the external E mail and Internet system will be shut down while a full network virus check can be made and investigations made as to the origin and methods of dispatch and detection of the virus. The external E mail and Internet system will be re opened when a virus pattern update has been received and installed. Version: 1.0 Page 29 of 47

30 8. Roles and Responsibilities PROPOSAL There is a need for clear governance arrangements to ensure that the Council s ICT strategy and projects are delivered effectively, with sufficient priority within the Council. The following structure encompasses staff from all levels within the authority to ensure full ownership of the ICT strategy. This structure will not only deliver the ICT strategy and projects but will continue to deliver future ICT programme plans and strategies The Cabinet The portfolio holder for Corporate issues has been nominated as the member responsible for ICT and the member e champion. The role of the Cabinet will be to approve the initial and future developments of the ICT strategy and its associated documents and any additional budgetary provisions required Senior Management Team The responsibility of this team primarily is to support the ICT strategy, policies and procedures, by ensuring that all directorates participate in the identification of requirements for, and the development of the strategy. The team will be responsible for ensuring that all projects within their directorate and cross cutting projects are adequately resourced and that staff are given appropriate priorities for all projects. This team will be ultimately responsible for the success or failure of the Council s achievement of its ICT strategy. The Chief Executive has been nominated as the officer e champion Head of ICT The responsibility of the Head of ICT is to develop the ICT strategy and its associated policies and procedures. The Head of ICT will report to the Corporate Management Team and the Cabinet to gain approval for developments of the strategy. The Head of ICT will be the lead officer of the ICT development group and will be responsible for the development and delivery of the programme plan. Developments will be identified initially from a number of different sources, such as internal service developments, consultancy and audit reviews and specific changes in policy. The initial interpretation and assessment of requirements should be made by the Head of ICT who will decide the appropriate course of action. In order to maximise general performance, all minor projects, amendments or enhancements to existing systems within budget will, subject to the approval of the relevant Head of Service, be undertaken by the Head of ICT for expediency. Major corporate projects will be referred to the ICT development group. Major departmental projects will be managed by the appropriate group member, departmental representatives and appropriate ICT staff. Version: 1.0 Page 30 of 47