Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Transcription

1 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014

2 Copyright Notification Copyright London Borough of Islington 2014 This document is distributed under the Creative Commons Attribution 2.5 license. This means you are free to copy, use and modify all or part of its contents for any purpose as long as you give clear credit for the original creators of the content so used. For more information please see: Page 2 of 10

3 TABLE OF CONTENTS 1 PURPOSE OF THIS DOCUMENT PART OF AN UMBRELLA ICT POLICY FRAMEWORK BACKGROUND STANDARDS THE POLICY REGULAR AUDITS MUST BE UNDERTAKEN RISK ASSESSMENTS MUST BE UNDERTAKEN RESTRICTED DATA MUST BE STORED AND TRANSFERRED IN ACCORDANCE WITH NATIONAL STANDARDS BUILDINGS MUST BE SECURE PEOPLE ACCESSING BUILDINGS MUST BE RESTRICTED TO AUTHORISED PERSONS NON-ELECTRONIC INFORMATION MUST BE SECURELY MANAGED COMPUTER EQUIPMENT MUST BE STORED IN SUITABLE PHYSICAL LOCATIONS COMPUTER EQUIPMENT STORAGE MUST MEET THE MINIMUM STANDARD ALL EQUIPMENT MUST BE RECORDED ON AN INVENTORY CABLES MUST BE PROTECTED DATA MUST NOT BE STORED ON COMPUTER LOCAL HARD DRIVES EQUIPMENT WILL BE MAINTAINED EQUIPMENT USED OFF-SITE MUST BE MANAGED TO MINIMUM STANDARDS ELECTRONIC EQUIPMENT MUST BE DISPOSED OR RE-USED TO CORPORATE STANDARDS DELIVERY AND RECEIPT OF COMPUTER EQUIPMENT MUST MEET MINIMUM STANDARDS REPORTING INCIDENTS POLICY COMPLIANCE GOVERNANCE, APPROVAL AND REVIEW CORPORATE GOVERNANCE GROUP FORMAL APPROVAL, ADOPTION AND REVIEW APPENDIX A: DEFINITION OF RESTRICTED DATA APPENDIX B: AUDITING PHYSICAL SECURITY CONTROLS...10 Page 3 of 10

4 1 PURPOSE OF THIS DOCUMENT This document sets out Islington Council s security policy standards on the physical location, storage and use of Islington s computer equipment and information. 2 PART OF AN UMBRELLA ICT POLICY FRAMEWORK This policy should be read in conjunction with the Islington ICT Security Policy Framework, which sets out the overarching approach to Information and Communication Technology (ICT) policies in Islington Council. The framework lists the other policies, which together aim to protect the Council s information technology assets, such as computer hardware and software, telecommunications equipment and data held within the council s IT systems. 3 BACKGROUND In order to ensure the continued protection of the personal, confidential and RESTRICTED 1 information that Islington Council holds and uses, and to comply with legislative requirements, information security best practice, and, newly mandated security frameworks such as those attending credit and debit card transactions and access to the Government Connect Secure Extranet (GCSx), access to Islington Council information equipment and information must be protected. This protection may be as simple as a lock on a filing cabinet or as complex as the security systems in place to protect the Council s IT data centre. The protection required needs to be appropriate to the level of information held and the consequential risks of unauthorised access. No service should fall below the baseline security standard level of protection required for their teams and locations. 4 STANDARDS The physical and environmental security of information is set out in section A9 of ISO and this policy serves as Islington s implementation of the standard. 5 THE POLICY 5.1 Regular Audits must be undertaken Each service area must understand the data it processes and ensure that it is adequately stored and secured. A general audit of physical information security arrangements needs to be undertaken regularly to provide an independent appraisal and to recommend security improvements where necessary. The Data Security Manager will carry out ad hoc reviews of physical security across the council s main premises. These reviews will be undertaken in line with the checklist found in Appendix B of this policy. Each department should carry out additional checks against these standards, depending on the sensitivity of the data it manages. Risks and vulnerabilities identified during such audits must be reported to the relevant Service Director, and to the Data Security Working Group, and in the case of serious risks, to the Corporate Governance Group. 1 Restricted defines sensitive personal data that is likely to cause considerable harm or distress to individuals if improperly disclosed (please see Appendix A for a full definition). Page 4 of 10

5 5.2 Risk assessments must be undertaken Where service areas find that physical security is not adequate for the sensitivity of the data that they hold, a risk assessment should be undertaken. This must identify the appropriate level of protection to be implemented to secure the information being stored, the sensitivity of the data, the risks of current storage options, mitigations of current risks, and actions to resolve the issues. A copy of the risk assessment must be provided to Digital Services and reviewed by the Data Security Manager. 5.3 Restricted data must be stored and transferred in accordance with national standards Systems handling RESTRICTED information must be accredited with Cabinet Office requirements, which are reviewed annually. Where transfer of RESTRICTED information is necessary this must be over a secure channel. 5.4 Buildings must be secure Physical security must begin with the building itself and an assessment of perimeter vulnerability must be conducted. Each department must ensure that doors and windows are properly secured. The building must have appropriate control mechanisms in place for the type of information and equipment that is stored there. These could include, but are not restricted to, the following: Alarms fitted and activated outside working hours. Window and door locks. Window bars on lower floor levels. Access control mechanisms fitted to all accessible doors (where codes are utilised they should be regularly changed and known only to those people authorised to access the area/building). CCTV cameras. Staffed reception area. Protection against damage - e.g. fire, flood, vandalism. 5.5 People accessing buildings must be restricted to authorised persons Physical access to buildings should be restricted to authorised persons. Staff working in secure areas should challenge anyone not wearing a badge. Identification and access tools/passes (e.g. badges, keys, entry codes etc.) must only be held by officers authorised to access those areas and should not be loaned/provided to anyone else. Visitors to secure areas are required to sign in and out with arrival and departure times and are required to wear an identification badge. A Council IT employee must monitor all visitors accessing secure IT areas at all times. Where there has been a security breach or a member of staff leaves outside normal termination circumstances, all identification and access tools/passes (e.g. badges, keys etc.) should be recovered from the staff member and any door/access codes should be changed immediately. In addition, any security breaches must be reported to the Data Security manager by raising a fault on ICT Help Me and labelling this Data Security Incident. 5.6 Non-Electronic Information must be securely managed Paper based (or similar non-electronic) information must be assigned an owner and a classification. If it is classified as RESTRICTED, information security controls to protect it must be put in place. A risk assessment should identify the appropriate level of protection for the information being stored. Paper in Page 5 of 10

6 an open office must be protected by the controls for the building and via appropriate measures that could include, but are not restricted to, the following: Filing cabinets that are locked with the keys stored away from the cabinet. Locked safes. Stored in a Secure Area protected by access controls. 5.7 Computer equipment must be stored in suitable physical locations All computer equipment must be located in suitable physical locations that: a) Limit the risks from environmental hazards e.g. heat, fire, smoke, water, dust and vibration. b) Limit the risk of theft e.g. if necessary items such as laptops should be physically attached to the desk. c) Allow workstations handling sensitive data to be positioned so as to eliminate the risk of the data being seen by unauthorised people. d) Limit the risk of tampering and other attempts at network intrusion 5.8 Computer equipment storage must meet the minimum standard The following serves as the minimum standard that must be in place for keeping all computer equipment secure. a) They will be stored in a Digital Services approved enclosure. b) The enclosure will be locked at all times. c) The key / mechanism for entry to the enclosure will be held by a responsible person with a written (at least by ) procedure for issuing and returning this key / mechanism made clear to all staff. d) There will be no unrestricted public access to computer equipment. 5.9 All equipment must be recorded on an inventory All items of equipment must be recorded on an inventory, both on the Departmental and the Digital Services inventory. Procedures should be in place to ensure inventories are updated as soon as assets are received or disposed of. All equipment must be security marked and have a unique asset number allocated to it. This asset number should be recorded in the Departmental and the Digital Services inventories Cables must be protected Cables that carry data or support key information services must be protected from interception or damage. Power cables should be separated from network cables to prevent interference. Network cables should be protected by conduit and where possible avoid routes through public areas Data must not be stored on computer local hard drives No data should be stored on computer local hard drives and should instead be stored on network files servers. This ensures that information lost, stolen or damaged via unauthorised access can be restored with its integrity maintained. All servers located outside of the data centre must be sited in a physically secure environment. Business critical systems should be protected by an Un-interrupted Power Supply (UPS) to reduce the operating system and data corruption risk from power failures. The equipment must not be moved or modified by anyone without authorisation from Digital Services. Page 6 of 10

7 5.12 Equipment will be maintained Digital Services, all Departmental ICT representatives and 3 rd party suppliers must ensure that all of Islington Council s ICT equipment is maintained in accordance with the manufacturer s instructions and with any documented internal procedures to ensure it remains in working order. Staff involved with equipment maintenance should: Retain all copies of manufacturer s instructions. Identify recommended service intervals and specifications. Enable a call-out process in event of failure. Ensure only authorised technicians complete any work on the equipment. Record details of all remedial work carried out. Identify any insurance requirements. Record details of faults incurred and actions required. A service history record of equipment should be maintained so that when equipment becomes older decisions can be made regarding the appropriate time for it to be replaced. Equipment maintenance must be in accordance with the manufacturer s instructions. This must be documented and available for support staff to use when arranging repairs Equipment used off-site must be managed to minimum standards The use of equipment off-site must be formally approved by the user s line manager in writing (at least by ). Equipment taken away from Islington Council s premises is the responsibility of the user and should: a) Be logged in and out, where applicable. b) Not be left unattended. c) Concealed whilst transported. d) Not be left open to theft or damage whether in the office, during transit or at home. e) Where possible, be disguised (e.g. laptops should be carried in less formal bags). f) Be encrypted if carrying RESTRICTED information. g) Be password protected. h) Be adequately insured. Users should also ensure that they are aware of and follow the requirements of the insurance policy. Any losses / damage must be reported to the Data Security Manager by raising a fault on ICT Help Me and labelling this Data Security Incident Electronic equipment must be disposed or re-used to corporate standards All electronic equipment will be disposed of through Digital Services. Any equipment that is to be reused or disposed of must have all of its data and software erased / destroyed. If the equipment is to be passed onto another organisation (e.g. returned under a leasing agreement) the data removal must be achieved by using professional data removing software tools by Digital Services. Software media or services must be destroyed to avoid the possibility of inappropriate usage that could break the terms and conditions of the licences held Delivery and receipt of computer equipment must meet minimum standards In order to confirm accuracy and condition of deliveries and to prevent subsequent loss or theft of stored equipment, the following must be applied: Page 7 of 10

8 a) Equipment deliveries must be signed for by an authorised individual using an auditable formal process. This process should confirm that the delivered items correspond fully to the list on the delivery note. Actual assets received must be recorded. b) Loading areas and holding facilities should be adequately secured against unauthorised access and all access should be auditable. c) Subsequent removal of equipment should be via a formal, auditable process. 6 REPORTING INCIDENTS It is the duty of all users to immediately report any actual or suspected breaches in information security to Digital Services in line with the council s Security Incident Management Policy. Any such incidents must be reported through ICT Help Me and labelled Security Incident. 7 POLICY COMPLIANCE All employees are expected to serve the council and implement its policies to the highest standards, as described in the Code of Conduct. If any user is found to have breached this policy, they may be subject to the council s disciplinary procedure. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s). If you do not understand the implications of this policy or how it may apply to you, please seek advice from Digital Services. 8 GOVERNANCE, APPROVAL AND REVIEW 8.1 Corporate Governance Group This policy framework and the commitment to security management are subject to continuous, systematic review and improvement. This council-wide technology policy will be governed by the Corporate Governance Group (CGG), chaired by the Director of Finance, who is also the council s Senior Information Risk Owner. The CGG has a clear term of reference and reports directly into the Corporate Management Board. 8.2 Formal approval, adoption and review This policy will be formally signed off by the Corporate Management Board. The Data Security Manager will lead an annual review of all ICT Security Policies. Page 8 of 10

9 9 APPENDIX A: DEFINITION OF RESTRICTED DATA While central government processes all personal data in accordance with the Data Protection Act requirements, the act s definitions of personal and sensitive data are not suitable for the administrative definition, or specification of technical protection requirements, for the range of information handled by government. Central government departments therefore operate in accordance with the Manual of Protected Security (MPS). The MPS defines the technical protection requirements for various categories of information, one of them being RESTRICTED. In addition, in response to several inquiries about data loss, in 2008 Government released a document called Data Handling Procedures which specific reference to RESTRICTED data. The main purpose of marking data in this way is to ensure that only genuinely sensitive data is safeguarded. Information that links an identifiable individual with information that, if released, would put them at significant risk of harm or distress is marked RESTRICTED. The compromise of assets with this classification is likely to: Cause substantial distress to individuals Cause adverse embarrassment to an organisation Cause financial loss or loss of earning potential to, or facilitate improper gain or advantage for, individuals or companies Prejudice the investigation or facilitate the commission of crime Breach proper undertakings to maintain the confidence of information provided by third parties Impede the effective development or operation of government policies Breach statutory restrictions on disclosure of information Disadvantage government in commercial or policy negotiations with others Undermine the proper management of the public sector and its operations. Systems handling RESTRICTED information must be accredited with Cabinet Office requirements. Where transfer of RESTRICTED information is necessary this must be over a secure channel. Page 9 of 10

10 10 APPENDIX B: AUDITING PHYSICAL SECURITY CONTROLS Building Department Date Audited: Audit carried out by: Control Yes/no/partial Comments Access to building is cardcontrolled Access to office space is card controlled Files/paper locked in cupboards Desks clear of paper/data Printers clear of paper/data Recycling bins checked for confidential waste Lockers are locked Any other comments Page 10 of 10