THE OBLIGATIONS INTERCEPTION OF COMMUNICATIONS CODE OF PRACTICE

Similar documents
Retention of Communications Data Code of Practice

Retention of Communications Data

Information Security Policies. Version 6.1

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

INFORMATION TECHNOLOGY SECURITY STANDARDS

Client Security Risk Assessment Questionnaire

TELEFÓNICA UK LTD. Introduction to Security Policy

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

ISO27001 Controls and Objectives

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Data Protection Act Guidance on the use of cloud computing

ISO 27002:2013 Version Change Summary

DATA PROTECTION POLICY

CCG: IG06: Records Management Policy and Strategy

ISO Controls and Objectives

University of Aberdeen Information Security Policy

PCI DSS Compliance the Rocky Road. Colin Dixon Head of Risk and Compliance

Newcastle University Information Security Procedures Version 3

Information security controls. Briefing for clients on Experian information security controls

INFORMATION SYSTEMS. Revised: August 2013

Gatekeeper PKI Framework. February Registration Authority Operations Manual Review Criteria

How To Protect Decd Information From Harm

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

DATA PROTECTION AND DATA STORAGE POLICY

Student Records. 4. Data Security: Upper Yarra Community House Inc. will protect the personal information it

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Third Party Security Requirements Policy

06100 POLICY SECURITY AND INFORMATION ASSURANCE

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

ULH-IM&T-ISP06. Information Governance Board

Data Protection Policy

Information Circular

XIT CLOUD SOLUTIONS LIMITED

Supplier Information Security Addendum for GE Restricted Data

Access Control Policy

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Information Security Policy

DISCLOSURE STATEMENT PREPARED BY

Data Processing Agreement for Oracle Cloud Services

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

University of Brighton School and Departmental Information Security Policy

Privacy and Cloud Computing for Australian Government Agencies

Operational Risk Publication Date: May Operational Risk... 3

Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security

Network Security Policy

Supplier Security Assessment Questionnaire

How To Audit Health And Care Professions Council Security Arrangements

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

Policy Document. IT Infrastructure Security Policy

Data Retention and Investigatory Powers Bill

State of Oregon. State of Oregon 1

Gatekeeper Compliance Audit Program

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Information Security Team

How To Protect School Data From Harm

Hang Seng HSBCnet Security. May 2016

University of Sunderland Business Assurance Information Security Policy

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Retention & Destruction

Gatekeeper Public Key Infrastructure Framework. Compliance Audit Program

Version 1.0. Ratified By

NHS Business Services Authority Records Management Audit Framework

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

Mike Casey Director of IT

Records Management and Security Procedure. Approved by: Executive Management Team Version: 1.2 Date:

ROYAL AUSTRALASIAN COLLEGE OF SURGEONS

IT ACCESS CONTROL POLICY

INFORMATION SECURITY POLICY

Information System Audit Guide

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Policy Document. Communications and Operation Management Policy

University of Liverpool

Merthyr Tydfil County Borough Council. Data Protection Policy

INFORMATION SECURITY: UNDERSTANDING BS BS 7799 is the most influential, globally recognised standard for information security management.

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board

FMCS SECURE HOSTING GUIDE

Intel Enhanced Data Security Assessment Form

University of Limerick Data Protection Compliance Regulations June 2015

Records Management Plan. April 2015

2014 No. ELECTRONIC COMMUNICATIONS. The Data Retention Regulations 2014

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

Data Protection Policy June 2014

Data Protection Act Bring your own device (BYOD)

Business System Recordkeeping Assessment - Digital Recordkeeping Compliance

Somerset County Council - Data Protection Policy - Final

Cloud Service Baseline Requirements

Scottish Rowing Data Protection Policy

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY

Top Ten Technology Risks Facing Colleges and Universities

Information Security Policy

DATA AND PAYMENT SECURITY PART 1

HSCIC Audit of Data Sharing Activities:

Document Control Sheet

Transcription:

THE OBLIGATIONS INTERCEPTION OF COMMUNICATIONS CODE OF PRACTICE If you ve been served with a Technical Capability Notice, here are some of things that will be required of you. v 8.3 The obligations the Secretary of State considers reasonable to impose on communications service providers (CSPs) include: Ø Obligations to provide facilities or services of a specified description; Ø Obligations relating to apparatus owned or operated by a relevant operator; Ø Obligations relating to the removal of electronic protection applied by or on behalf of the relevant operator on whom the obligation has been placed to any communications or data; Ø Obligations relating to the security of any postal or telecommunications services provided by the relevant operator; Ø Obligations relating to the handling or disclosure of any content or data v 8.15 The person or company to whom a notice is given will be provided with a handbook 1 which will contain the basic information they will require to respond to requests for reasonable assistance in relation to the interception of communications. v 8.16 As set out in section 217(7), the notice will specify the period within which the CSP must undertake the steps specified in the notice. Ø It will often be the case that a notice will require the creation of dedicated systems. v 8.54 The obligations the Secretary of State considers reasonable to impose on CSPs in technical capability notices may include (amongst others) obligations relating to the security of any postal or telecommunications services provided by the relevant operator. v 8.55 CSPs must maintain physical, document, operational and non-operational information technology, and personnel security to standards as specified in the Cabinet Office Security Policy Framework, subject to guidance from the National Technical Assistance Centre (NTAC). Ø CSPs must also implement the Government s Information Assurance Maturity Model in conjunction with CESG/CCP approved consultant to identify their level of information security. Ø The results of this assessment should be shared with NTAC. v 8.56 Specific security requirements relate to a number of broad areas the security and integrity of interception identifiers/factors and delivery of intercept product, and the destruction of interception identifiers/factors. v 8.57 Detail on the security arrangements to be put in place by CSPs may be included in the technical capability notices given to a CSP, in accordance with section 217(4) of the Act. Ø A Service Level Agreement will also be negotiated between the Government and the CSP. Ø This document will provide detail of how the obligations imposed by a technical capability notice will be effected, including those that relate to security. 1 We have no idea what this handbook is

v 8.58 The scope of the security controls defined within this section apply to all dedicated IT systems that are used to access, support or manage dedicated interception systems. It also applies to all CSP (or third party) operational and support staff who have access to such systems. v 8.59 Systems holding intercept material will be securely separated by technical security measures (e.g. a firewall) from a CSPs business systems. However, interception solution may make use of equipment currently in place at the CSP. v 8.60 Where interception identifiers/factors are retained in business or shared systems, or where business systems are used to access, support or manage LI systems, these will be subject to specific security controls and safeguards as agreed with the Government v 8.61 The security put in place at a CSP will comprise four key areas: Ø Physical security e.g. buildings, server cages, CCTV; Technical security e.g. firewalls and anti-virus software; Personnel security e.g. staff security clearances and training; Procedural security e.g. processes and controls. v 8.62 As each of these broad areas is complementary, the balance between these may vary e.g. a CSP with slightly lower personnel security will require stricter technical and procedural controls. Ø The specific security arrangements in place will be agreed in confidence between the Home Office, NTAC and the relevant CSP. v 8.63 CSPs operating under a technical capability notice will provide timely access to NTAC to assess physical, personnel, procedural and information security. v 8.64 When interception is authorised and conducted under the Act, checks should be undertaken by the CSP at intervals agreed with NTAC to ensure the integrity and security of interception and the delivery of correct product. v 8.65 The intercepting agency must be notified of any errors (including breaches) in the interception. Ø NTAC should be notified of any problems or changes to interception capability or the delivery of intercept product. v 8.66 The CSP must ensure that audit systems are in place to provide assurance that no unauthorised changes have been made to the interception identifiers/factors and to confirm details of those identifiers/factors. v 8.67 In the event that checks indicate any problems or changes in relation to the warranted interception, the intercepting agency will advise the CSP on any further action that may be required. v 8.68 All interception systems and practices must be compliant with relevant legislation. v 8.69 All systems and practices must comply with any security policies and standards in place in relation to the interception of communications. Ø This may include any policies and standards issued by the Home Office or NTAC.

Ø These further requirements are unlikely to be publicly available as they may contain specific details of security infrastructure or practices, disclosure of which could create additional security risks v 8.70 Each CSP must develop a security policy. This policy document should describe the internal security organisation, the governance and authorisation processes, access controls, necessary training, the allocation of security responsibilities, and policies relating to the security and integrity of interception capabilities and information related to warranted interception. Ø Each CSP must also develop security operating procedures. Ø A CSP can determine whether this forms part of, or is additional to, wider company policies. v 8.71 The security policy document and security operating procedures should be reviewed regularly to ensure they remain appropriate v 8.72 Each CSP must identify, assess and treat all information security risks, including those which relate to arrangements with external parties Human Resources Security v 8.73 CSPs must clearly identify roles and responsibilities of staff, ensuring that roles are appropriately segregated to ensure staff only have access to the information necessary to complete their role. Ø Access rights and permissions assigned to users must be revoked on termination of their employment. Ø Such rights and permissions must be reviewed and, if appropriate, amended or revoked when staff move roles within the organisation v 8.74 Staff with access to intercepting systems and sensitive information related to warranted interception should be subject to an appropriate level of security screening. Ø The Government sponsors and manages security clearance for certain staff working within CSPs. Ø CSPs must ensure that these staff have undergone relevant security training and have access to security awareness information. v 8.75 All persons who may have access to intercepted content, or need to see any reporting in relation to it, must be appropriately vetted. Ø On an annual basis, managers must identify any concerns that may lead to the vetting of individual members of staff being reconsidered. Ø The vetting of each individual member of staff must also be periodically reviewed. v 8.76 Where it is necessary for an officer of an intercepting agency or a member of NTAC staff to disclose information related to warranted interception to a CSP operating under a technical capability notice, it is the former s responsibility to ensure that the recipient has the necessary security clearance. Maintenance of Physical Security

v 8.77 There should be appropriate security controls in place to prevent unauthorised access to sensitive information. Ø Access to the locations where the systems are both operated and hosted must be controlled such that access is limited to those with the relevant security clearance and permissions. v 8.78 Equipment used to intercept communications must be sanitised and securely disposed of at the end of its life. Operations v 8.79 Interception systems should be subject to a documented change management process, including changes to third party suppliers, to ensure that no changes are made to systems without assessing the impact on the security of interception product. v 8.80 CSPs must also put in place a patching policy to ensure that regular patches and updates are applied to any interception capabilities or support systems as appropriate. Such patches and updates will include anti-virus, operating systems, application and firmware. Ø The patching policy including timescale in which patches must be applied, must be agreed with the Home Office and NTAC. v 8.81 CSPs should ensure that, where encryption is in place in interception systems, any encryption keys are subject to appropriate controls, in accordance with the appropriate security policy. v 8.82 In order to maintain the integrity and security of interception and the delivery of product, CSPs must ensure that data being processed is validated against agreed criteria. Ø Network infrastructure, services, media, and system documentation must be stored and managed in accordance with the security policy and an inventory of all assets should be maintained together with a clear identification of their value and ownership. Ø All assets must be clearly labelled. v 8.84 Interception systems, and their use, should be monitored and all audit logs compiled, secured and reviewed by the CSP security manager at appropriate intervals. These should be made available for inspection by NTAC as required. CSPs must demonstrate audit and compliance procedures in line with ISO27000. v 8.85 Technical vulnerabilities must be identified and assessed through an independent IT Ø Health Check (ITHC) which must be conducted annually. The scope of the Health Check must be agreed with NTAC. Access Controls v 8.86 CSPs must ensure that registration and access rights, passwords and privileges for access to dedicated interception systems and associated documentation are managed in accordance with their security policy. They must also ensure that users understand and formally acknowledge their security responsibilities.

v 8.87 Access to operating systems must be locked down to an appropriate standard and any mobile computing (i.e. offsite access to CSP systems from non-secure locations) must be subject to appropriate policies and procedures if permitted. Ø Accordingly any remote access for diagnostic, configuration and support purposes must be controlled. v 8.88 Access should be provided to relevant oversight bodies where necessary for them to carry out their functions. Management of incidents v 8.89 CSPs must put in place clear incident management processes and procedures, including an escalation path to raise issues to senior management and NTAC. Ø Any breaches under relevant legislation should be notified in accordance with those provisions. Ø 8.90 Systems must enable the collection of evidence (e.g. audit records) to support investigation into any breach of security. Additional requirements relating to the disposal of systems v 8.90 Systems must enable the collection of evidence (e.g. audit records) to support investigation into any breach of security. v 8.91 The legal requirement to ensure deleted data is impossible to access must be taken into account when disposing of any system, or component of a system, which reaches the end of its service life. v 8.92 If the equipment is to be reused, it must be securely sanitised by means of overwriting using a Government-approved product. If the equipment is not to be reused immediately, it must be securely stored in such a way that it may only be reused or disposed of appropriately. v 8.93 If the equipment is to be finally disposed of, it must be securely sanitised by means of physical destruction by a Government-approved supplier. v 8.94 Sanitisation or destruction of interception identifiers/factors must include retained copies for back-up and recovery, and anything else that stores duplicate data within the CSP system, unless retention of this is otherwise authorised by law

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information