Information Systems (IS) Visiting Worker Information Security Policy

Transcription

1 Information Systems (IS) Visiting Worker Information Security Policy

2 INFORMATION SYSTEMS (IS) VISITING WORKER INFORMATION SECURITY POLICY Reference: AFBI POL 02/09 Date: 25 March 2009 Version: 1.0 Author: Biometrics & Information Systems Branch Page 1 of 7

3 1 INTRODUCTION POLICY OBJECTIVE SCOPE OF THIS POLICY VISITING WORKER INFORMATION SECURITY POLICY Policy Status Visiting Worker Information Pack (VWIP) Supporting Security Procedures VALIDITY OF THIS POLICY CURRENT POST HOLDERS - DECEMBER Further Information... 5 APPENDIX A: Visiting Worker Information Pack (VWIP)... 6 Page 2 of 7

4 1 INTRODUCTION The Agri-Food & Biosciences Institute (AFBI)'s declared intent to be innovative and entrepreneurial means that it is constantly seeking to expand its work programmes and forge new partnerships with other scientific institutes and research bodies. This results in the need for flexibility in offering visitor work or study positions to non-afbi staff and providing these individuals with a range of AFBI IT network services commensurate with legitimate business need. Visiting workers coming to work or study in AFBI fall into two categories: 1. those with a UK address for a minimum of 3 years within the last 5 years, for whom it is possible to seek Baseline Standard security clearance through AccessNI; 2. those for whom Baseline Standard security clearance cannot be obtained, mostly because they haven't been in the UK for a minimum of 3 years within the last 5 years and the requisite AccessNI disclosure service only provides details of offences committed in the UK. In the latter case, it is the responsibility of the employer or hosting organisation to consider and evaluate the risks involved. Many countries allow their citizens to obtain certificates of good conduct or extracts from their criminal records; these could be provided to employers or hosting organisations. However, the level of information disclosed in this way varies from country to country and it is difficult to confirm that it is genuine or complete. Such certificates should be treated with caution and should form part of a portfolio of supporting documentation that collectively seeks to establish that the individual is who they claim to be, that they are of good character and that they have the right to work in the UK. This document defines the Visiting Worker Information Security Policy (VWISP) for the Agri-Food & Biosciences Institute (AFBI) network. This policy establishes the supplementary security responsibilities for information security in respect of authorised users who do not have Baseline Standard security clearance. The establishment of, and adherence to, a VWISP is an essential component for ensuring the security of AFBI s business in respect of authorised visiting (non- AFBI) workers who for legitimate practical reasons do not have Baseline Standard security clearance. This VWISP applies to all business functions within the defined scope and covers all information systems which support those business functions. It has been developed in line with the provisions of HMG incorporating BS ISO/IEC This policy is not protectively marked on the grounds that it contains no protectively marked information or any facts which could compromise information systems security. Information processed, stored and transmitted by AFBI Information Systems has been assigned a protective marking of RESTRICTED. The network itself therefore attracts a protective marking of RESTRICTED. Specific policy requirements are given in detail later in this document. 2 POLICY OBJECTIVE The objective of this policy is to ensure adequate security of AFBI s information systems, all of which adhere to AFBI s overriding business objectives, particularly: To preserve Confidentiality by protecting assets against unauthorised disclosure To preserve Integrity by protecting assets from unauthorised or accidental modification To retain Availability by ensuring that assets are available as/when required The fundamental issue is that of managing risk to the organisation's IT assets whilst seeking to facilitate legitimate business need. The need to be mindful of equality, equal opportunity and human rights legislation has allowed some flexibility providing adequate safeguards are in place. 3 SCOPE OF THIS POLICY This policy is owned by AFBI and applies to all authorised visiting (non-afbi) workers whose duties require access to AFBI IT network services and who, for legitimate practical reasons, do not have Baseline Standard security clearance. Page 3 of 7

5 This policy aims to achieve a comprehensive and consistent approach to the granting of access to AFBI IT network services to visiting workers who have the necessary authority based on risk assessments and other information as contained in the visiting worker information pack (Appendix A). An authorised user of AFBI Information Systems is defined as any AFBI staff member or contracted other who has approval to access AFBI IT network services to input, store or process information. All authorised users shall have Baseline Standard security clearance as defined in the HMG Manual of Protective Security (MPS), or shall be compliant with the AFBI Visiting Worker Information Security Policy (this document). 4 VISITING WORKER INFORMATION SECURITY POLICY The overall AFBI Information Security Policy statement is: AFBI s information systems will be available when needed, will be accessed only by legitimate users and will contain complete and accurate information. The information systems will also be able to withstand, or recover from, threats to their confidentiality, integrity and availability. To satisfy this overall policy statement, AFBI will implement security measures, commensurate with the value of AFBI s assets, to protect its information systems with priority given to those systems which are considered to be critical to the business. The following statements constitute the agreed protocol in respect of authorised visiting (non- AFBI) workers whose duties require access to AFBI IT network services and who, for legitimate practical reasons, do not have Baseline Standard security clearance. 4.1 Policy Status This policy is subservient to the AFBI Information Security Policy. 4.2 Visiting Worker Information Pack (VWIP) The VWIP shall be completed at Branch level for each visiting worker. The completed VWIP shall be approved at Divisional level and submitted to the Security Manager where possible at least four weeks in advance of the intended start date. The term AFBI Host Manager is used extensively in this document and is taken to mean a senior line manager within the Branch which is hosting the visiting worker. Here "senior" refers to Senior Scientific Officer/Deputy Principal or above. The AFBI Host Manager shall take lead responsibility for completion and maintenance of the VWIP. The Security Manager shall, upon receipt of a completed and approved VWIP, make suitable arrangements for the granting of access to AFBI IT resources and network services in respect of the visiting worker. This shall include instructions for completion of the user account request form and confirmation of automatic system monitoring of the specific user account and any reasonable additional restrictions that, in the opinion of the Security Manager, should apply based on information contained in the completed VWIP. The Security Manager shall confirm these arrangements, in writing, to the AFBI Host Manager. Responsibility for ensuring that the visiting worker abides with any restrictions applied to them remains with the AFBI Host Manager. All staff will be made aware of the contents and implications of the VWIP. 4.3 Supporting Security Procedures AFBI Human Resources shall seek, in advance, a letter on headed paper direct from the sponsoring institution/university giving full details on the visiting worker and the work that is to be undertaken. AFBI Human Resources shall seek, in advance, a copy of the page of the passport containing a photograph of the visiting worker. AFBI Human Resources shall check the passport and other documentation pertinent to the visiting worker (e.g. work permit, insurance, qualifications, visa, police report) on arrival. AFBI Human Resources shall issue the visiting worker with an appropriate work pass on arrival. AFBI Human Resources shall retain copies of any supporting security documentation and confirm these as seen in the VWIP. Page 4 of 7

6 The AFBI Host Manager shall immediately inform the Security Manager, in writing, when IT access in respect of the visiting worker is no longer required. Upon receipt of this notification, the Security Manager shall arrange for the withdrawal of access to AFBI network services in respect of the visiting worker. The Security Manager shall confirm these arrangements, in writing, to the AFBI Host Manager. 4.4 Sanctions All users must be informed that irresponsible or improper actions which breach this policy, any other AFBI policies, frameworks or security operating procedures (SYOPS), may result in disciplinary action. The Security Manager shall, at any time and pending further investigation, invoke procedures to immediately suspend IT access services in respect of the visiting worker, where it is reasonably suspected that a security breach may have occurred. Where a user is found to have broken the law then the matter will be reported to, and dealt with by, the appropriate authorities. 5 VALIDITY OF THIS POLICY This policy is reviewed annually by the AFBI Accreditor acting under the authority of the Senior Information Risk Owner (SIRO). Associated information security standards are subject to an ongoing development and review programme. 6 CURRENT POST HOLDERS - DECEMBER 2008 Senior Information Risk Owner (SIRO) Senior Responsible Owner (SRO) Accreditor Security Manager George McIlroy, AFBI CEO David Armstrong, AFBI Head of ICT David Kilpatrick, AFBI Head of Biometrics & Information Systems John Ward, AFBI Business Systems IT Manager 7 FURTHER INFORMATION For further advice please contact the AFBI IT Security Manager, John Ward, on Page 5 of 7

7 APPENDIX A: VISITING WORKER INFORMATION PACK (VWIP) To be completed and submitted in accordance with the current AFBI Visiting Worker Information Security Policy, where possible at least four weeks in advance, when requesting access to AFBI IT network services. AFBI Host Manager shall VWIP with Parts 1 & 2 completed to AFBI HR (Roisin Meehan) and shall follow up with signed paper copy of relevant page. 1. ADVANCE NOTIFICATION (to be completed by AFBI Host Manager) VISITING WORKER Name (in capitals): Nationality: Intended Start Date: Projected End Date: AFBI Host Division: AFBI Site at which based: Brief details about: a. the visiting worker (incl. sponsoring institution/university, previous employment/study, qualifications) b. the work to be undertaken (incl. location, purpose, competences/proficiencies needed) c. AFBI IT network services required (e.g. internet, , applications) d. reporting lines, level of supervision, pattern of work 2. DECLARATION (be completed by Visiting Worker in advance of visit) I agree to adhere to this policy (including any reasonable additional restrictions that, in the opinion of the Security Manager, should apply based on information contained in the completed VWIP) and understand the consequences of violating the policy (see Sanctions 4.4). Signature: Date: (name in capitals) (signature) (date) AFBI HOST MANAGER AFBI HEAD OF BRANCH AFBI HEAD OF DIVISION Page 6 of 7

8 APPENDIX A: VISITING WORKER INFORMATION PACK (VWIP) AFBI HR shall VWIP with Parts 1, 2 & 3 completed to AFBI Security Manager (John Ward). 3. SUPPORTING SECURITY DOCUMENTATION (to be conformed as seen by AFBI Human Resources) Document (name in capitals) (signature) (date) Letter on headed paper direct from sponsoring institution/university, in advance Copy of passport page containing photograph, in advance Passport, on arrival Certificate of good conduct or similar obtained from country s representative in UK Other relevant documentation (e.g. work permit, insurance, qualifications, visa, police report) specify below: AFBI Security Manager shall VWIP with Parts 1, 2, 3 & 4 completed to AFBI Host Manager. 4. IT ARRANGEMENTS (to be completed by AFBI Security Manager) (name in capitals) (signature) (date) Account Issued Account Terminated Confirmation of IT resources and network services made available to the user, including terms of usage AFBI Host Manager shall VWIP with Parts 1, 2, 3, 4 & 5 completed to AFBI HR (Roisin Meehan) and shall follow up with signed paper copy of page with Part 5. AFBI HR shall then arrange for Parts 3 & 4 of the VWIP to be fully signed and shall retain the original complete document. 5. DECLARATION (be completed by Visiting Worker on provision of access to AFBI IT network services) I agree to adhere to the IT arrangements detailed above and understand the consequences of violating them (see Sanctions 4.4). Signature: Date: THIS DOCUMENT BECOMES RESTRICTED ONCE COMPLETED Page 7 of 7