Birmingham City Council Internet Monitoring Standard




If you have inquiries about this Standard, contact the Business Policy Team of the ICF on 0121 675 1431 or 0121 464 2877.

Standard Owner: Business Policy Team, ICF, Birmingham City Council
Author: Madeleine Westrop (Service Birmingham) and Caroline Hobbs (ICF)
Version: 2.0
Date: 22/04/2009
Classification: Unclassified
2009. Produced in conjunction with

v2.0 Page 1

Contents

Contents ... 2
Document History ... 3
Overview ... 3
1. OBJECTIVES OF THE INTERNET MONITORING STANDARD ... 5
   Why the Internet is Monitored ... 5
   What is not Monitored ... 5
   Scope ... 5
   Responsibilities ... 6
   The Standard in relation to other Council Policy ... 6
   The Internet Monitoring Procedure ... 6
2. INTERNET USE MONITORING REPORTS ... 7
   Monitoring access to the Internet ... 7
   Monitoring information transferred across the Internet ... 7
   Investigation Access ... 8
3. REPORTS ON BLOCKED INTERNET SITES ... 9
   Operational Changes to Site Access ... 9
   Report of sites Blocked ... 9
   Internet Access requests and complaints ... 9
4. COMPLAINTS ABOUT INTERNET MONITORING AND REQUESTS FOR ACCESS TO BLOCKED SITES ... 9

Document History

| Version   | Amendment Date | Purpose                                                                                                                                                       | Author            |
|-----------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------|
| Draft 1   | 10/01/2006     | Network Security Team discussions                                                                                                                             | Sue Smith         |
| Draft 2   | 16/01/2006     | Network Security Team amendments                                                                                                                              | Sue Smith         |
| Draft 3   | 18/01/2006     | Information Security Team amendments                                                                                                                          | Sue Smith         |
| Draft 4   | 14/03/2006     | CISG amendments                                                                                                                                               | Sue Smith         |
| Draft 5   | 03/04/2006     | Further CISG amendments                                                                                                                                       | Sue Smith         |
| Draft 0.6 | 1              | Completely rewritten; changes arising from the new Internet Use Policy. Note: draft 5 was never formally approved                                             | Madeleine Westrop |
| Draft 0.7 | 09/02/2007     | Changes after comments from Audit to make it clear monitoring is individual, global and for groups. Syntax changes from ICF. PS&BS reviewed but no comments   | Madeleine Westrop |
| Draft 0.8 | 09/03/2007     | Amended to make it clear the standard covers email only with respect to web mail, which is not covered by the Email Policy                                   | Madeleine Westrop |
| 1.0       | 24/04/2007     | Final document approved by Business Transformation Advisory Group                                                                                             | Caroline Hobbs    |
| 1.1       | March 2009     | Review as part of the Internet Reporting Project                                                                                                              | Caroline Hobbs    |
| 1.2       | April 2009     | Version for review by CISG                                                                                                                                    | Caroline Hobbs    |
| 1.3       | 15/04/2009     | Amended with review comments                                                                                                                                  | Caroline Hobbs    |
| 2.0       | 22/04/2009     | Approved by BTAG                                                                                                                                              | Caroline Hobbs    |

Standard Distribution once signed off (Name, Organisation, Role):
- All Staff
- All Staff, Service Birmingham

Standard Reviewers (Name, Organisation, Role):
- Audit
- Strategy, Policy & Business Security and Network Security (Service Birmingham)
- Standards Database Distribution List (ICF)
- Legal Department
- Network Services (Service Birmingham)
- CISG (Version 1.2)

Note: for drafts 0.1 to 1.0 see the version history above.

Standard Approval (Name, Organisation, Role, Date):
- BTAG, Authorising Body, 22nd April 2009

Overview

Purpose: See Objectives below.
Authority: BS ISO/IEC 27001:2005 / BS 7799-2:2005 control references (listed below).
Ownership: Business Policy Team, ICF, Birmingham City Council.
Scope: See Scope below.
Review: Annually.
Related docs: Listed in the Glossary and Appendix to the Internet Policy.

Control references:
- 5.1 Information Security Policy
- 6.3 To minimize damage from security incidents and to monitor and learn from such incidents
- 7.1 To achieve protection of organizational assets
- 8.4.2 Operational staff should maintain a log of activities to include timings, system errors, confirmation of correct handling and names of persons making the log entry
- 7.1.3 Acceptable use of assets
- 8.2 Human Resources security principles to ensure employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities
- 10.4.1 Protection against malicious and mobile code
- 10.3.1 Capacity management
- 10.10 To detect unauthorised information processing
- 15.2 Compliance with security policies and standards
- etc.

1. OBJECTIVES OF THE INTERNET MONITORING STANDARD

Why the Internet is Monitored

This Standard is published in order to make it clear to all Internet users that Birmingham City Council monitors and reports on use of the Internet in a fair and appropriate way. In particular, Internet use is monitored in order to:
- analyse the use of Internet resources and to manage those resources;
- control security risks, and in particular to protect the confidentiality, integrity and availability of Council information;
- make sure that excessive personal use of the Internet or email system does not use up the resources needed by the Council, and that personal use does not affect the conduct of Council business;
- establish the existence of other facts relevant to the business;
- regulate the use of the Internet and make sure it is used in compliance with the Council's policies, standards and codes of practice;
- regulate the way the Internet is used in compliance with the law;
- perform public duties such as those required in the interests of national security or public safety.

What is not Monitored

All traffic to and from the Internet, including web mail (email sent through the Internet service), is automatically logged by the Council's Bluecoat Proxy Management software. Birmingham City Council does not specifically monitor personal use of the Internet, but Users should be aware that this activity is logged and will be available to Internal Audit and Council management, along with information about business use, in the case of an investigation. Private information is only deliberately recorded or processed as part of an investigation where the degree of intrusion into what is private is clearly justified and not excessive, in order to investigate or prevent criminal activity, breach of policy, wrongdoing or public harm.

Scope

This Standard applies whenever the Internet Use Policy applies. Please refer to that document, which is available in the PSPG database on Lotus Notes or via Inline.

Also note that this Standard applies to all web mail and does not include Lotus Notes email, which is transferred by a different route. (For Lotus Notes email monitoring guidance, see the Email Policy and Code of Practice, available in the PSPG database or via Inline.)

Responsibilities

Please refer to the Glossary and Appendix to the Internet Policy, available in the PSPG database or via Inline.

The Standard in relation to other Council Policy

This Standard is part of the City Council's set of corporate security policies and codes of practice, which are listed in the document Glossary and Appendix to the Internet Policy, available in the PSPG database on Lotus Notes and via Inline. All monitoring will be carried out in accordance with the ISO27001 Standard for Information Security Management and in accordance with the law. In particular, the Lawful Business Practice Regulations (issued under the Regulation of Investigatory Powers Act 2000) permit the Council to monitor its own communications systems in order to make sure that policies, codes, rules and terms and conditions are followed.

The Internet Monitoring Procedure

The Bluecoat Proxy Management software categorises each Internet site (the categorisation is maintained by the software provider). Each category has been reviewed and has been assigned one of the following actions:
- Accessible to all Internet users all of the time (Allowed)
- Blocked to all Internet users all of the time (Denied)
- Accessible to all users outside Internet Reporting Core Time (10am to 12pm and 2pm to 4pm) (Non Core)
- Accessible to Users with an approved business need, in and out of Internet Reporting Core Time (Exception)

A list of the categories and the actions assigned to them is available on the PSPG and via Inline.

If access to a blocked category is required for business purposes, a request must be submitted to the Business Policy Team of the ICF (Lotus Notes: Business Policy Team ICF) using the form for requesting access to restricted internet categories (available on Inline), accompanied by a legitimate business reason for the access. The form must be forwarded to the ICF by the manager of the individual requiring access. This forwarding is taken as authority for access to be granted. In exceptional circumstances, when access is required urgently, an Assistant Director must sign and submit the form.

Managers should be aware that spot checks will be carried out by Internal Audit and by the ICF to verify that business access is legitimate, and that the decision to grant authority may be challenged should an investigation be required.

Approved access requests will be sent to Service Birmingham for action. If access is requested to a category that is perceived to pose a security risk, Service Birmingham will perform a risk assessment. If the risks identified are deemed to pose an unacceptable threat to the Council or its network, access will not be granted.

It is the manager's responsibility to ensure that Exception access to blocked sites is withdrawn when there is no longer a business need for it (e.g. when a person's job role changes).

2. INTERNET USE MONITORING REPORTS

Monitoring access to the Internet

Service Birmingham will record details when the Internet is accessed through the Birmingham City Council Internet service. The following details, among others, will be kept in logs:
- the identity used when somebody accesses the Internet;
- the date and time the Internet is accessed by that identity;
- the duration of access by that identity;
- the web sites and addresses visited through the Internet by that identity;
- attempts by that identity to access web sites which are blocked;
- details about which workstation is used to access the Internet by that identity;
- use during Internet Reporting Core and Non Core Time.

Internet reports will be kept in line with the Council's Corporate Retention Schedules, available on Inline.

Monitoring information transferred across the Internet

Certain details will be logged when information is downloaded from the Internet. This information is mostly contained in files, and the files may originate from a web site or from a distant computer participating in file sharing networks. The following details, among others, will be kept in addition to the access data mentioned above:
- the types of files downloaded, particularly files containing software or computer viruses;
- the size of files downloaded;
- the web sites and addresses from which files are downloaded;
- the times that data is downloaded from the Internet.

Raw data from the Internet logs will be kept for a period of 2 years, during which time it will be available for reporting as required.

Note that the content of private web-based emails sent across the Internet will be stored and recorded within these reports. This information is not sought by the Council. The Council monitors only for the purposes listed in the section Why the Internet is Monitored, above. However, information obtained in this way may be used where there is a legal justification. For example, information obtained in this way may be used as part of an investigation if the information points to a sufficiently serious breach of the law or of Birmingham City Council policy.

On a monthly basis Service Birmingham will produce reports from Business Objects using the information from the Bluecoat logs. Reports will be made available to nominated managers in the Council for action. The standard reports are:
- Top users in Internet Reporting Core Time (10am to 12pm and 2pm to 4pm)
- Top users in Internet Reporting Non Core Time
- Top categories used in Internet Reporting Core Time (10am to 12pm and 2pm to 4pm)
- Top categories used in Internet Reporting Non Core Time

Trend reports will also be produced to monitor overall usage and sites used.

Ad-hoc reports can be requested by Internal Audit or Council managers using any of the information that is logged by Bluecoat. However, any information required to investigate potential wrongdoing must be obtained following the Investigation Access procedure (see below), which is available in full on the PSPG database or via Inline.

Investigation Access

If analysis of the standard reports described above, or other information, raises a reasonable suspicion of wrongdoing by a particular individual, then more detailed forensic reports may be produced for the Council by Service Birmingham. In this case, the Investigation Access procedure must be followed. This procedure has the following overriding objectives:
1. The degree of Access must be considered and described in the Impact Assessment.
2. Wherever possible, the person doing the investigation must avoid unjustified intrusion into personal data and correspondence.
3. Wherever possible, the investigation should be revealed only to those who need to know about it and are sufficiently responsible to keep the details confidential.
4. The evidence must not be corrupted.

More information about the Investigation Access Procedure is available on the PSPG database on Lotus Notes and via Inline.
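The two mechanisms the Standard describes, the four category actions evaluated against Internet Reporting Core Time (The Internet Monitoring Procedure, above) and the monthly "top users in Core / Non Core Time" reports built from the proxy logs (this section), can be modelled in a few dozen lines. The script below is an added illustration, not part of the Council's Standard and not Service Birmingham's or Bluecoat's tooling. The category names, the user names, the Exception approvals and the four-field log format are all constructed for the example; the real category list and the real log format are the ones held on the PSPG database and produced by the Bluecoat proxy.

```python
"""Added example: category-action evaluation and Core/Non Core Time reporting.

Models the four actions the Standard assigns to each category (Allowed, Denied,
Non Core, Exception) using the Internet Reporting Core Time windows it states
(10am to 12pm and 2pm to 4pm), then builds a miniature "top users" report from
constructed log lines. Category names, users, approvals and the log format are
assumptions of this example, not the Council's real configuration.
"""
from collections import Counter
from datetime import datetime, time

# Core Time windows as stated in the Standard (local clock time).
CORE_WINDOWS = ((time(10, 0), time(12, 0)), (time(14, 0), time(16, 0)))

# Hypothetical category -> action mapping. The Standard says every Bluecoat
# category was reviewed and given one of these four actions; the real list is
# on the PSPG, these four categories are made up for illustration.
CATEGORY_ACTION = {
    "business": "Allowed",
    "malware": "Denied",
    "social": "Non Core",
    "streaming": "Exception",
}

# Hypothetical Exception approvals (user -> categories a manager has
# authorised through the ICF request form).
EXCEPTION_APPROVALS = {"alice": {"streaming"}}


def in_core_time(ts: datetime) -> bool:
    """True if the timestamp falls inside an Internet Reporting Core Time window."""
    t = ts.time()
    return any(start <= t < end for start, end in CORE_WINDOWS)


def decide(user: str, category: str, ts: datetime) -> str:
    """Return 'allow' or 'deny' for one request according to its category action.

    Categories missing from the mapping are denied: failing closed is a design
    choice of this example, the Standard does not say what the proxy does.
    """
    action = CATEGORY_ACTION.get(category)
    if action == "Allowed":
        return "allow"
    if action == "Non Core":
        return "deny" if in_core_time(ts) else "allow"
    if action == "Exception":
        return "allow" if category in EXCEPTION_APPROVALS.get(user, set()) else "deny"
    return "deny"  # Denied, or unknown category


# Constructed log lines: "<ISO timestamp> <user> <category> <url>".
# This layout is an assumption for the example, not the Bluecoat log format.
SAMPLE_LOG = """\
2009-04-22T10:15:00 alice social http://example.invalid/feed
2009-04-22T10:20:00 bob social http://example.invalid/feed
2009-04-22T11:05:00 alice streaming http://video.example.invalid/clip
2009-04-22T12:30:00 bob social http://example.invalid/feed
2009-04-22T14:10:00 carol business http://intranet.example.invalid/
2009-04-22T15:45:00 bob malware http://bad.example.invalid/payload
2009-04-22T16:30:00 alice social http://example.invalid/feed
"""


def parse_log(text: str):
    """Yield (timestamp, user, category, url) tuples from the constructed log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, category, url = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), user, category, url


def decisions(text: str):
    """Evaluate every logged request; returns [(user, category, decision), ...]."""
    return [(user, cat, decide(user, cat, ts)) for ts, user, cat, _ in parse_log(text)]


def top_users(text: str, core: bool, n: int = 3):
    """Requests per user inside (core=True) or outside Core Time, busiest first.

    This is the 'Top users in Core / Non Core Time' report in miniature; the
    'Top categories' reports are the same count keyed on category instead.
    """
    counts = Counter(user for ts, user, _, _ in parse_log(text) if in_core_time(ts) == core)
    return counts.most_common(n)


if __name__ == "__main__":
    for row in decisions(SAMPLE_LOG):
        print(row)
    print("Core Time:", top_users(SAMPLE_LOG, core=True))
    print("Non Core Time:", top_users(SAMPLE_LOG, core=False))
```

Run as a script it prints each request's decision followed by the two per-user counts. Note how the same "social" request by bob is denied at 10:20 but allowed at 12:30, which is exactly the Non Core behaviour the Standard describes, and how the 12:00 boundary is treated as the end of the window (the start of a window is inclusive, the end exclusive).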

3. REPORTS ON BLOCKED INTERNET SITES

Operational Changes to Site Access

The Council blocks access from its systems to certain Internet sites or categories of Internet sites (see the Internet Use Policy and Code of Practice). The Service Birmingham Security Team can make operational decisions to block or change the access to particular Internet sites. In making these operational decisions, Service Birmingham are informed by general principles provided by the Council. The Council is kept informed, through regular reports, about what sites or categories of sites are currently blocked, and may revise the operational decisions made by Service Birmingham.

The list of which sites are blocked will change constantly because web sites themselves change and the classification of those sites is always being revised. However, the City Council aims to use consistent principles to guide its decisions about whether particular sites should be blocked. Two sorts of reports may be produced:

Report of sites Blocked

Regular reports about which sites and which categories of sites are blocked are produced by Service Birmingham and are made available to the Council. Birmingham City Council ultimately decides which sites should be blocked.

Internet Access requests and complaints

The Service Birmingham Service Desk may receive requests to make a change to allow access to a particular Internet site, or to disallow access, or to permit particular information to be downloaded from the Internet. Service Birmingham may be authorised to make an operational change (see above) at once. If Service Birmingham is not clearly authorised, or if the matter is contentious, Service Birmingham will forward these requests to the Council's Corporate Information Security Group, who decide whether to change the access or not. Records of what decisions are reached, and why they were reached, will be kept by the Council. These records will be used by the Council and by Service Birmingham in order to control the Internet blocking consistently.

4. COMPLAINTS ABOUT INTERNET MONITORING AND REQUESTS FOR ACCESS TO BLOCKED SITES

Internet users should address all complaints and enquiries about the Internet service, monitoring or blocking to the Service Birmingham Service Desk on 464 4444.