Remte Wrking (Plicy & Prcedure) Publicatin Scheme Y/N Department f Origin Plicy Hlder Authrs Can be published n Frce Website Prfessinal Standards Department (PSD) Ch Supt Head f PSD IT Security Officer & Infrmatin Gvernance Manager Related Infrmatin Cmputer Misuse Act 1990 Data Prtectin Act Gvernment Prtective Marking Scheme ICT Acceptable Use Plicy Mbile Phne Plicy Official Secrets Act 1989 Regulatin f Investigatry Pwers Act The Telecmmunicatins (Lawful Business Practice) (Interceptin f Cmmunicatins) Regulatins 2000 Date First Apprved at FPG 05/12/2012 This Versin Versin 1.0 Created 12/09/2012 Date f Next Review 05/12/2015 September 2012
Remte Wrking PSD Plicy Statement Merseyside Plice needs t maintain a high level f cnfidence and trust with ur custmers, suppliers, ther frces, criminal justice agencies and ur crime and disrder partners. We must, therefre, be able t demnstrate that business infrmatin is prtected frm bth intentinal and unintentinal misuse irrespective f the lcatin at which the infrmatin is handled. Aims This plicy aims t establish minimum prtective measures by utlining the physical and ICT cntrls applicable when wrking n fficial infrmatin away frm fficial premises. The plicy is underpinned by prcedures designed t prvide clear, definitive and unambiguus directin fr all thse invlved in remte wrking. This shuld help t prtect the Merseyside Plice Cmputer Netwrk, equipment and the infrmatin that it hlds. Objectives A brad bjective is t enable the rganisatin and its emplyees t gain the maximum business benefit frm using frce infrmatin. Mre specific assciated bjectives are t: a) Safeguard the rganisatin s infrmatin. b) Prtect the rganisatin frm ptential legal liabilities and prtect the reputatin f Merseyside Plice. c) Ensure all individuals using frce infrmatin in remte lcatins understand their persnal respnsibilities. d) Ensure that ICT systems and equipment used fr remte wrking are used apprpriately. Applicatin and Scpe The plicy applies t the use f all Merseyside Plice infrmatin frm any remte wrking lcatin. Remte wrkers must ensure that they read, understand and cmply with all relevant frce plicies and thse prcedures cntained within, r referenced frm, this dcument. Failure t cmply may lead t a breach in system security and cnsequently may lead t disciplinary actin. Remte wrking refers t any wrk dne utside f Merseyside Plice premises, including accessing, string, prcessing r discussing business infrmatin. This culd be at hme, at anther frce r at a partner agency. It als cvers mbile wrking; traveling n public r private transprt; staying in htels; in public places such as libraries r cffee shps r even having telephne cnversatins in the street. All system use is audited and system users shuld have n expectatin f privacy. Merseyside Plice will take criminal and/r disciplinary actin against any emplyee wh wilfully misuses its systems. Status: V1.0 1 Last Update: 26/09/2012
Remte Wrking PSD Outcme Evaluatin The Anti Crruptin Unit will retain respnsibility fr ensuring that the use f ICT systems and frce infrmatin is audited and mnitred n an nging basis. Relevant data will include the number f cases investigated by the ACU and cmplaints/referrals t PSD n assciated issues. Status: V1.0 2 Last Update: 26/09/2012
Remte Wrking PSD 1. Remte Wrking Prcedures 1.1 Persnal Respnsibility 1.1.1 All users f Merseyside Plice ICT systems, equipment and infrmatin have a persnal respnsibility t prtect frce infrmatin and assets that are under their cntrl. This includes keeping them physically safe when in transit and securely string all papers and prtable ICT equipment when wrk is finished. 1.1.2 When wrking frm hme it is the persnal respnsibility f the individual t make sure infrmatin is safe and the individual s husehld understands the need fr the security measures t be taken. 1.2 Security Measures 1.2.1 The fllwing pints cver the security measures needed t wrk securely utside f Merseyside Plice premises. 1.2.2 It is necessary t: a) Obtain the Head f Department r Area Cmmander s apprval befre cmmencement f remte wrking. b) Be familiar with and abide by the security requirements f all frce plicies and legislatin and in particular: Acceptable Use f ICT Plicy Gvernment Prtective Marking Scheme (GPMS) Data Prtectin Plicy Email & Electrnic Messaging Plicy Internet Plicy c) Cnsider the GPMS prtective marking f the infrmatin yu will be wrking n and handle this in line with frce plicies and prcedures. d) Transprt papers, prtable ICT, fficial briefcases and phnes securely. Keep them with yu at all times when travelling and stre them securely. D nt leave frce infrmatin in vehicles that are left unattended i.e. vernight r during breaks in jurneys. e) Make sure yur lcatin is sensibly secure t wrk in, fr example it is nt verlked. D nt wrk n sensitive matters in a public place. If wrking frm hme, if pssible, use a rm where the dr can be clsed and may be lcked at the end f the day. f) Put yur papers away and lck yur laptp/pc if stepping away frm yur ICT. g) Use the security ptins n yur mbile phne, such as a pin number r a passwrd. h) Remember that telephnes are nt secure, be aware telephne calls are transmitted ver pen lines. i) Ensure that remvable media cntaining frce infrmatin must be encrypted by using frce systems. j) Always recrd business infrmatin n apprved ICT equipment. Be aware that the Freedm f Infrmatin Act applies t any infrmatin cncerning fficial business held in persnal email accunts r n yur persnal ICT. k) Bring prtectively marked infrmatin back int the ffice fr secure dispsal if there is n apprved secure destructin facility available. l) Cntact the ICT Helpdesk, if travelling r wrking verseas, t check whether security restrictins apply. Status: V1.0 3 Last Update: 26/09/2012
Remte Wrking PSD 1.2.3 It is vital that remte wrkers d nt: a) Wrk n r stre persnal data r prtectively marked data n persnal ICT. This includes PCs, laptps, tablets, CDs, DVDs, memry sticks etc. b) Send r frward persnal data r prtectively marked data ver the Internet r t private email addresses. c) Share yur passwrd with anyne. d) Stre yur passwrd with yur ICT. e) Hld sensitive cnversatins, r thse invlving persnal data, in public. Only use secure email r wait until yu are back in the ffice if pssible. f) Give ut persnal cntact numbers withut the wner s cnsent and be wary f unidentified callers. 2 Incident Management Prcedures 2.1 Incident Reprting Structure 2.1.1 Individuals wh becme aware that an IT system infrmatin has, r may have been, cmprmised, must reprt this, at the first available pprtunity, t the ICT Helpdesk and Infrmatin Gvernance Manager via their line manager. Reprts shuld be made using the frm available n the frce Intranet. It is a requirement that they include all relevant details, including, where pssible, what infrmatin may have been cmprmised. The types f incident that need t be reprted are: a) Suspected r actual lss f, r unauthrised access t, Prtectively Marked material this includes unauthrised individuals lking at IT system infrmatin n a terminal screen r in hard-cpy frmat. b) Cmprmise f security measures prtecting IT system infrmatin this includes malfunctining lcks, brken shredders, and lst keys t security cntainers. c) Suspected virus infectin f the IT system r terminal, including unexpected errr messages r warning messages frm anti-virus sftware. d) Previusly unidentified threats t IT system infrmatin. 2.1.2 Where an individual suspects that a virus has infected a terminal, they must stp using the terminal and cntact the ICT Helpdesk immediately fr advice, either by telephne r by e-mail frm a different terminal. 2.1.3 Any suspected lss, theft r cmprmise f IT system infrmatin r equipment will be initially investigated by the Frce Infrmatin Gvernance Manager, in cases where security has been breached, r the Anti Crruptin Unit, where internal miscnduct is suspected. If it is believed that the safety f an individual r individuals may be cmprmised by an incident, apprpriate actin will be taken, in cmpliance with Frce plicy. 2.2 General Incident and Fault Reprting Structure 2.2.1 IT system users shuld cntact the ICT Helpdesk fr general IT system related issues. Only apprved IT supprt staff must deal with any IT system issues. Hwever in sme cases a Systems Administratr may deal directly with sme functinal issues. Status: V1.0 4 Last Update: 26/09/2012
Remte Wrking PSD Appendix 1 Glssary f Terms GPMS Gvernment Prtective Marking Scheme ACU Anti Crruptin Unit ICT Infrmatin Cmmunicatin Technlgy, this is a term used t cver all the technlgies used fr infrmatin prcessing, including sftware, hardware, cmmunicatins technlgies and related services. ICT systems A term used t describe ICT and the prcesses, prcedures and ther functins that are used t supprt a business prcess. Remvable Media All prtable devices used t stre data. e.g. USB Sticks CD-Rm, DVD Malware A Malicius r unwanted sftware prgram. Persnal Data Infrmatin frm which a living individual can be identified either frm that infrmatin r that and ther available infrmatin. Appendix 2 Cntact Infrmatin Rle Descriptin f Rle Cntact ICT Helpdesk Infrmatin Gvernance Manager Data Prtectin Officer IT Security Officer The Frce Recrds Manager Systems Administratr The first pint f call fr all IT issues. Prvides advice and reslutin t IT issues. Prvides advice and guidance n security educatin, training and gd practice. Prvides advice n plicies and prcedures. Prvides advice and guidance n Data Prtectin educatin, training and gd practice. Prvides advice n plicies and prcedures. The IT Security Officer prvides advice and guidance n technical security practice and Infrmatin Systems. Prvides advice n the management f frce recrds and their retentin. Systems Administratrs are respnsible fr the day-t-day management, security, mnitring and administratin f individual systems. ICT Department Tel: 75555 Email: IT Helpdesk Anti Crruptin Unit Tel: 71422 Email: Infrmatin Security Anti Crruptin Unit Tel: 71422 Email: Infrmatin Security ICT Department Tel: 75542 Email: IT Security Officer Infrmatin Bureau Tel: 77055 Email: Recrds Management Each system has its wn systems administratr. Cntact the ICT Helpdesk fr advice. Tel: 75555 Email: IT Helpdesk Status: V1.0 5 Last Update: 26/09/2012