SECURITY POLICY REMOTE WORKING



Similar documents
ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING

REMOTE WORKING POLICY

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data

Remote Access and Home Working Policy London Borough of Barnet

Policy Document. IT Infrastructure Security Policy

Data and Information Security Policy

CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

INFORMATION SECURITY POLICY

LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

PS177 Remote Working Policy

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

SERVER, DESKTOP AND PORTABLE SECURITY. September Version 3.0

Policy Document. Communications and Operation Management Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Portable Devices and Removable Media Acceptable Use Policy v1.0

IT ACCESS CONTROL POLICY

Ixion Group Policy & Procedure. Remote Working

Physical Security Policy

Protection of Computer Data and Software

Information Security Incident Management Policy

Information Security

Information Security Incident Management Policy September 2013

Remote Working and Portable Devices Policy

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

ABERDARE COMMUNITY SCHOOL

Version: 2.0. Effective From: 28/11/2014

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY

Mike Casey Director of IT

Acceptable Use Guidelines

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

LSE PCI-DSS Cardholder Data Environments Information Security Policy

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name

Human Resources Policy documents. Data Protection Policy

How To Protect Decd Information From Harm

Secure Storage, Communication & Transportation of Personal Information Policy Disclaimer:

Information Security Incident Protocol

Data Transfer Policy. Data Transfer Policy London Borough of Barnet

Merthyr Tydfil County Borough Council. Information Security Policy

Corporate Information Security Management Policy

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

Information Governance Policy (incorporating IM&T Security)

Enterprise Information Security Procedures

HR Guide: Agile Working Version: 1.0

Mobile Devices Policy

Acceptable Use of ICT Policy. Staff Policy

Angard Acceptable Use Policy

So the security measures you put in place should seek to ensure that:

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Network Security Policy

Information Security Policy

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY. Processing Electronic Card Payments

MOBILE DEVICE SECURITY POLICY

University of Liverpool

Scottish Rowing Data Protection Policy

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction

Security Awareness. A Supplier Guide/Employee Training Pack. May 2011 (updated November 2011)

U09 Remote Access Policy

INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY

A practical guide to IT security

INFORMATION SECURITY INCIDENT REPORTING POLICY

Dene Community School of Technology Staff Acceptable Use Policy

Corporate Information Security Policy

School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy

INFORMATION SECURITY POLICY

Document Type Doc ID Status Version Page/Pages. Policy LDMS_001_ Effective of 7 Title: Corporate Information Technology Usage Policy

DATA AND PAYMENT SECURITY PART 1

Small businesses: What you need to know about cyber security

How To Protect School Data From Harm

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

The Bishop s Stortford High School Internet Use and Data Security Policy

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

Data Protection Procedures

Consumer Device Policy (Smartphones / Tablets) BYOD (Bring Your Own Device)

Information Incident Management Policy

Don t Let A Security Breach Put You Out of Business

Originator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy. Computer Security Policy

Transcription:

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY REMOTE WORKING Introduction This policy defines the security rules and responsibilities that apply when doing Council work outside of Council offices at any time (also known as remote working). Its aim is to protect residents, service users, and the Council. The policy applies to every type of remote working, covering both the remote use of electronic devices and paper documents. Policy Statement The Council will provide training and communications and ensure everyone working on Council business from outside of Council offices is aware of their responsibilities. Remote workers must comply with the policy and complete any required security training so that they are equipped to work outside of Council offices in a secure manner in compliance with the Data Protection Act 1998. The Council may at any time, and without notice, request a software and hardware audit, and ask permission to have access to, or remove, any Council owned electronic equipment used for remote working. Not covered by the Policy Additional security measures needed when accessing the Government IT Network are not included in this policy. They are described in the Remote Working Access to Government Data Policy. Those Affected by the Policy This policy applies to Councillors, employees of the Council, contractors, agency workers, and others working in a similar capacity. It applies to volunteers and partner organisations or individuals who have a need to access Council information. The policy does not cover work done by external consultants who independently use their own IT technology and information assets. Their Data Protection Act 1998 and information protection obligations must be stated in their Council work contract. Roles and Responsibilities 1. Directors, Heads of Service, Service Leads and Managers Approve requests for remote working, and ensure staff are trained and aware of the policy rules. 2. Remote Workers are responsible for: (a) submitting requests to their Council manager to authorise remote working and the use of IT facilities and information, (b) their compliance with the policy, and (c) providing access to Council equipment or information requested by the Council or its agents after a security breach or concern. 3. The Council IT Service is responsible for: (a) providing secure remote working hardware and software (b) providing remote IT network connection technology, and (c) providing advice, IT support, and monitoring compliance. Page 1 of 5 Next Review: December 2015

This may be delegated to an approved IT support service. Policy Compliance If you are found to have breached this policy by not complying with its rules and responsibilities you may be subject to the Council s disciplinary procedure or other action. If you are suspected of breaking the Law, you may be subject to prosecution. If you do not understand the policy or how it applies to you, seek advice from your Council manager or from the IT Security and Information Manager. Applying the Policy This section explains remote working responsibilities and the rules that apply. Authorisation Rule 1 Obtain management authorisation before working outside of Council offices. Get permission to utilise any electronic equipment, software or documents. Physical Security Rule 2 Do not take documents out of the office unless they will actually be used. Before taking legal documents out get approval from your Council manager. Rule 3 Rule 4 Rule 5 Rule 6 Rule 7 Rule 8 Be vigilant and protect Council equipment and documents when walking, when travelling on public transport, or by any other means of transport. Make sure your Council portable computer is kept separate from other Council documents, notebooks, USB memory sticks, or mobile phones when working remotely. Make sure that physical security tokens and portable computer media are kept physically separate from related computer equipment at all times. Protect Council IT equipment and documents outside of Council offices. When not in use they must be kept out of sight, or locked away if possible. When staying in hotels or other accommodation keep Council IT equipment, computer media or paper-based information protected. Use complimentary hotel security facilities if available. Any theft or loss of equipment or information must be reported to: (a) The Police if theft is suspected, and a Crime Reference Number obtained. (b) The Council s phone provider 24x7 emergency number if a phone is involved. (c) The Council manager responsible. (d) The IT Service Desk if equipment needs to be de-activated. (e) The IT Security and Information Manager by submitting a security incident. Other precautions can help to reduce the risk of theft or unauthorised access. These are offered as guidance, but are not mandatory. If Council services decide to adopt any of them they must provide appropriate support for their staff and other workers. (i) Keep bags used to carry equipment or documents locked when out of the office. A small suitcase lock is sufficient. (ii) Disguise laptops by using ordinary bags rather than laptop bags or briefcases. (iii) If possible store Council equipment and information upstairs when not at home. Page 2 of 5 Next Review: December 2015

(iv) When you leave your home keep Council electronic equipment and documents out of sight and not visible through windows or doors. Unauthorised Access Remote workers are responsible for preventing unauthorised access to Council equipment or information, whether electronically or on paper. Rule 9 No family members or other unauthorised persons may be given access to Council IT equipment, information or documents. Remote Storage of Data and Use of Email Rule 10 Council data must be stored on the Council IT network unless there is no alternative. Management authorisation must be obtained before any data is stored outside this network, e.g. stored on the Internet, on a portable electronic device, on a computer disk drive, or on portable computer media. Rule 11 Council data must not be emailed to an external personal or business email address, unless there are exceptional circumstances. The IT Security and Information Manager must authorise any exceptional circumstances arising from rules 10 and 11. Rule 12 Personal or sensitive personal data stored on a computer disk drive outside the Council IT network must be encrypted and access protected by a strong password. Remote Use of Paper Rule 13 Do not print information outside Council offices unless absolutely necessary. Do not leave printed Council information where it can be read by others. Rule 14 Paper documents containing personal or sensitive data must be disposed of by either (a) by using a cross-cut shredder, or (b) by returning them to the office and using the Council s confidential waste paper disposal service. Remote Access to IT Equipment Remote workers must accept responsibility for use of any email accounts used to conduct Council business, and for any other access made to Council IT services. Rule 15 Protect your Council log on user identifiers, passwords, access tokens, or other access mechanisms. Never share or disclose your Council user identifier and password with anyone else. Never use anyone else s user identifier and password to gain access to Council IT facilities. Rule 16 Switch off or log off any IT equipment used remotely when it is not in use or left unattended. Technical Security Rule 17 Remote IT equipment must be connected to the Council IT network by an approved technical connection. The options are: (a) through a dedicated Council broadband line (b) through a mobile telephone connection operating on Council IT equipment (c) through a Virtual Private Network link (d) by using a non-council computer through an encrypted Internet link into the Page 3 of 5 Next Review: December 2015

Council IT network. Non-Council computers may only be used if protected by reputable anti-virus software receiving regular anti-virus definition updates. Reputable anti-virus software can be obtained free of charge from Microsoft and some other suppliers. It is permissible to use an existing home broadband link to access the Council IT network if it is set up securely (see the guidance in the Council s Use of Wireless Communications Security Policy). Rule 18 Access to the Internet from Council owned IT equipment should only be allowed via the Council IT network, and not directly. Rule 19 Remote workers must not install or update any hardware, software or make other changes to Council computers and electronic equipment. These changes must be carried out by the IT Service or authorised support staff. Rule 20 Council IT equipment should be connected to the IT network or Internet regularly to ensure the latest anti-virus definitions are obtained. Rule 21 Remote workers are responsible for the technical protection of the computers they use for Council business. This includes, but is not limited to, the acceptance of regular operating system patches, other software security updates, and receipt of regular anti-virus definition updates. Rule 22 If you suspect a virus infection on a Council-owned computer when working remotely you must report it as soon as possible to the IT Service Desk, or to an alternative approved IT support service. You must also inform your Council manager and submit a Security Incident Report. Failure to report a virus will be considered a serious breach of this policy. Remote Working outside of the UK IT or telephony services accessed from outside the United Kingdom (including Internet access) have significantly higher security risks. Rule 23 Written authorisation must be obtained from a Director or Head of Service before taking Council portable electronic devices outside the UK. Rule 24 Council personal or sensitive personal data must not be accessed through IT or telephony services from outside the United Kingdom. Policy Training Online policy training and knowledge testing will be offered whenever possible. Related Policies and Procedures Government GCSx IT Acceptable Usage Policy Health, Safety and Lone Working Guidance documents Remote Working Access to Government Data Policy Security Incident Reporting Policy Storage of Information Policy Supplier and Third Party IT Acceptable Usage Policy Use of Wireless Communications Policy Page 4 of 5 Next Review: December 2015

Related Documents and Other Information CESG Good Practice Guide 10 Remote Working Related Legal and Regulatory Obligations Data Protection Act 1998 Principle 7 - Appropriate technical and organisational measures should protect Personal Data. Information Security Management Standard ISO/IEC 27001:2005 Definitions Personal or Sensitive Information - Personal data is data relating to a living, identifiable individual. Sensitive data includes personal data and also any other data that may cause financial loss, distress, or reputation damage. Portable Electronic Device (PED) any piece of equipment that is portable and stored electronic data. This includes, but is not limited to laptops, tablet computers, handheld computers, cameras, Internet smart phone, and mobile phones. Encrypted data data that is scrambled by software using a mathematical formula to prevent it from being read by unauthorised persons. Page 5 of 5 Next Review: December 2015

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information