Information & ICT Security Policy Framework




Information & ICT Security Framework Version: 1.1 Date: September 2012 Unclassified

Version Control

Date            Version  Comments
November 2011   1.0      First draft for comments to IT & Regulation Group and IMG
January 2012    1.1      Updated version following comments received. Added in diagrammatic framework to Appendix A
June 2012       1.1      Approved at Chief Officer Group
September 2012  1.1      Approved Delegated Executive Decision

Information & ICT Security Unclassified Page 2 of 9

Table of Contents

1. Introduction ... 4
2. Objectives ... 4
3. Scope ... 5
4. Internal Organisation ... 5
5. Principles ... 5
5.1. ISO 27001 ... 5
5.2. Government Connect Secure Extranet (GCSx) ... 5
5.3. Payment Card Industry Data Security Standards (PCI DSS) ... 5
5.4. HM Government Security Framework ... 6
6. Legal Compliance ... 6
6.1. Software Licensing ... 7
6.2. Material Subject to Copyright ... 7
7. Hardware Asset Management ... 7
7.1. Hardware Acquisition ... 7
7.2. Hardware Maintenance ... 7
7.3. Hardware Movements ... 7
7.4. Hardware Disposal ... 7
8. Compliance ... 8
9. Governance and Review ... 8
Appendix A - St.Helens Council Information & ICT Security Framework ... 9

1. Introduction

The increasing use of Information and Communication Technology, and the development of information strategies to support the process of providing effective services, make it necessary to take appropriate action to ensure that these systems are developed, operated and maintained in a safe and secure manner.

Information can exist in many forms. It can be printed or written on paper, stored electronically, or transmitted by post or by electronic means. Whatever form the information may take, or the means by which it is shared or stored, it should always be appropriately protected.

Information Security is an asset that, like other important business assets, has value to an organisation and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimise business damage and maximise return on investments and business opportunities.

2. Objectives

This document presents the Council's overarching Information & ICT Security Framework and the governance arrangements in place. A diagrammatic representation of the framework can be found in Appendix A.

The main objectives of this document are to protect the Council's information through clear direction and guidance:

- To ensure the integrity and accuracy of the Council's information and systems
- To minimise the risk of business damage caused by security incidents
- To ensure that the confidentiality of personal and other sensitive information is assured
- To ensure all legislative and regulatory requirements are met
- To ensure that the Council's Information Technology is used responsibly, securely and with integrity at all times
- To create a level of awareness throughout the Council of the need for information security to be an integral part of the day-to-day operation of Council business
- To ensure all policies and guidelines that form part of the Information and ICT Security Framework take account of the Council's Codes of Conduct and Equality, including:
  o Duty of Fidelity: includes actions or omissions which could damage the business prospects or reputation of the Council or in any way bring the Council into disrepute.
  o Duty of Care: defined as carrying out your particular occupation using the skills, ability and knowledge (for which you are employed) in the best interest of the Council, and using Council equipment and resources with proper regard.
  o Use of Council Property or Facilities: you must not remove or use Council property for your personal requirements or for the benefit of others where the work of the Council is not involved.

3. Scope

The Council's Information and ICT Security Framework applies to all users granted access to the Council's network, information and systems.

4. Internal Organisation

The Council has a management framework to initiate and control the implementation of information security within the organisation, in line with the corporate aims and objectives.

The IT & Regulation Group is responsible for:

- Developing and producing policy and procedures in relation to Information and Communication Technology management and governance across the authority.
- Discussing and planning for the effects of changes in legislation/regulations in relation to ICT.

Outcomes from the IT & Regulation Group are reported to the Information Management Group (IMG). The Information Management Group (IMG) is made up of departmental representatives from across the council. The remit of the group is to enable a co-ordinated and multi-disciplinary approach to the management of information throughout their departments.

5. Principles

The principles of Information Security applied by St Helens Council are based on the following:

5.1. ISO 27001

ISO 27001 is the international best practice standard for the management of Information Security. The standard ensures that adequate and proportionate security controls are in place.

5.2. Government Connect Secure Extranet (GCSx)

In order to be connected to GCSx, the Council must comply with a Code of Connection (CoCo), which sets out the minimum security requirements to ensure that the government networks are not compromised by the connection to local authorities' networks. The minimum standards must be maintained at all times. An external audit will be undertaken annually in order to ensure ongoing compliance. Users of the GCSx will be required to sign the Council's GCSx Personal Commitment Statement before being granted access.

5.3. Payment Card Industry Data Security Standards (PCI DSS)

The Payment Card Industry Data Security Standards were introduced by the major credit card companies and aim to ensure that every organisation that handles, stores or processes cardholder data does so in a secure manner, thereby reducing the risk of payment card fraud and information theft. Compliance with the standards is mandatory and constitutes a continuing monitoring programme.

5.4. HM Government Security Framework

As an important reference point, the HMG Security Framework contains the primary internal protective security policy and guidance on security and risk management for HM Government Departments and associated bodies. It is the source on which all localised security policies should be based. The framework also provides technical information, advice and guidance to support implementation of the policy requirements.

6. Legal Compliance

The following key statutory legislation governs aspects of the Council's information security arrangements (legislation, followed by the areas it covers):

- The Freedom of Information Act 2000: Public access to Council information
- The Human Rights Act 1998: Right to privacy and confidentiality
- The Electronic Communications Act 2000: Cryptography, electronic signatures
- The Regulation of Investigatory Powers Act 2000: Hidden surveillance of staff
- The Data Protection Act 1998: Protection and use of personal information
- The Copyright, Designs and Patents Act 1988: Software piracy, music downloads, theft of Council data
- The Computer Misuse Act 1990: Hacking and unauthorised access
- The Environmental Information Regulations 2004: Public access to Council information related to the environment
- The Re-use of Public Sector Information Regulations 2005: The Council's ability to sell certain data sets for commercial gain
- Equality Act 2010: Right to equality covering age, disability, gender identity and gender reassignment, race, religion or belief, sex, sexual orientation, marriage and civil partnerships, and pregnancy and maternity
- Privacy and Electronic Communications Regulations: Covers rights over electronic marketing and regulation of the telecommunications industry

Data protection and privacy must be ensured as required in relevant legislation, regulations and, if applicable, contractual clauses.

Key records must be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements.

6.1. Software Licensing

The Council uses software in all aspects of its business to support the work carried out by its employees. In all instances every piece of software is required to have a licence, and the Council will not condone the use of any software that the Council is not officially licensed to use.

Computer software must be purchased through the Council's procurement system, or approved by the IT section. Shareware, Freeware and Public Domain Software are bound by the same policies and procedures as all other software. No user may install any free or evaluation software onto the Council's systems without prior approval from Business IT.

Employees must not make copies of computer software owned by the Council for private use, including Programme Code written within the IT Development environment. Misuse of the Council's software in this manner will result in disciplinary action.

6.2. Material Subject to Copyright

Users must not, under any circumstances, store any material or electronic content for which the Council does not have a legitimate right to own or use. For example, this includes music/videos etc.

7. Hardware Asset Management

7.1. Hardware Acquisition

All computer hardware must be purchased in accordance with the Council's Financial Instructions.

7.2. Hardware Maintenance

Maintenance of IT equipment must only be undertaken by Business IT, or a contractor approved by Business IT. All maintenance requests and fault reporting must be made to the IT Service Desk. All items of equipment must be recorded on an inventory in line with the Council's Financial Instructions.

7.3. Hardware Movements

The IT Service Desk must be notified of all movement of hardware equipment (with the exception of mobile devices being taken off premises for work purposes). No IT equipment should be disconnected or removed, except by Business IT or a contractor approved by Business IT. Employees must not take equipment, data or software off-site without prior approval from their manager.

7.4. Hardware Disposal

All ICT equipment must be disposed of in accordance with the Council's Financial Instructions. An appropriate Officer must sanction and arrange for the write-off and disposal of ICT equipment within each section.

A call must be logged with Business IT via the IT Service Desk on ext. 6525 or via the IT Service Desk Portal; Business IT will arrange for the secure recycling or disposal of the equipment.

8. Compliance

All requests for changes to this policy must be tested against the Code of Connection. Any change that does not conform to the Code of Connection will not be accepted.

ICT contracts with external organisations must include requirements to comply with this policy, and should include the relevant paragraphs provided by the Council's Legal Services. Wherever there is the potential for the sharing of the Council's client information, adequate arrangements must be made to create Information Sharing Protocols and, where appropriate, these should be embedded into Agreements / Contracts with external providers to cover the security of data and its appropriate disposal.

Failure to comply with the provisions of this policy or related documents may lead to disciplinary action and / or criminal proceedings. If you do not understand the implications of this policy or how it may apply to you, please seek advice from Internal Audit (Regulation and Compliance).

9. Governance and Review

The IT and Regulation Group will develop, create and maintain the Information and ICT Security Framework and related policies and procedures. Internal Audit will evaluate security controls whilst undertaking audit reviews, in addition to undertaking specific Information Security audits.

Appendix A - St.Helens Council Information & ICT Security Framework

N.B: Policies in red are currently being revised/developed.

[Diagram: St.Helens Council Information & ICT Security Framework. The framework is divided into three strands: Corporate Information & ICT Security, User Information & ICT Security, and Operational Information & ICT Security.]

Policies shown in the framework diagram:

- Information Management
- Data Protection
- Retention
- Freedom of Information
- Data Quality
- Internet and Email Acceptable Use
- Access Control
- Information Security Incident Management
- Social Media
- Information Systems Development & Operations Management
- PCI DSS Statement
- 3rd Party Access
- Mobile Devices and Remote Working
- Removable Media
- Members ICT Protocol