INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011

CONTENTS
Introduction... 5
1 Security Policy... 7
1.1 Information Security Policy... 7
1.2 Scope
2 Security Organisation... 8
2.1 Information Security Infrastructure... 11
2.1.1 Management Information Security Forum... 11
2.1.2 Information Security Co-ordination... 11
2.1.3 Allocation of Information Security Responsibilities... 12
2.1.4 Authorisation Process for IT Facilities... 12
2.1.5 Specialist Information Security Advice... 12
2.1.6 Co-operation Between Organisations... 12
2.1.7 Independent Review of Information Security... 12
2.2 Security of Third Party Access... 12
2.2.1 Identification of risks from third party connections... 13
2.2.2 Security conditions in third party contracts... 13
3 Assets Classification and Control... 13
3.1 Accountability for Assets... 13
3.1.1 Inventory of Assets... 13
3.2 Information Classification... 13
3.2.1 Classification Guidelines... 14
3.2.2 Classification Labelling... 14
4 Personnel Security... 11
4.1 Security in Job Definition... 11
4.2 User Training... 14
4.3 Staff Movements... 14
4.4 Responding to Incidents... 15
4.4.1 Disciplinary Process... 15
5 Physical and Environmental Security... 15
5.1 Secure Areas... 15
5.1.1 Physical Security Perimeter... 15
5.1.2 Physical Entry Controls... 15
5.1.3 Clear Desk Policy... 15
5.1.4 Removal of Property... 15
5.2 Equipment Security... 16
5.2.1 Equipment Siting and Protection... 16
5.2.2 Power Supplies... 16
5.2.3 Equipment Maintenance... 16
5.2.4 Security of Equipment Off-premises... 16
5.2.5 Secure Disposal of Equipment... 16
6 Computer and Network Management... 17
6.1 Operational Procedures and Responsibilities... 17
6.1.1 Documented Operating Procedures... 17
6.1.2 Incident Management Procedures... 17
6.1.3 Segregation of Duties... 17
6.1.4 Separation of Development and Operational Facilities... 17
6.2 System Planning and Acceptance... 17
6.2.1 Capacity Planning... 18
6.3 Protection from Malicious Software... 18
6.4 Housekeeping... 18
6.4.1 Data Back-up... 18
6.4.2 Fault Logging... 19
6.5 Network Management... 19
6.5.1 Network Security Controls... 19
6.6 Media Handling and Security... 19
6.6.1 Management of Removable Computer Media... 19
6.6.2 Data Handling Procedures... 19
6.6.3 Security of System Documentation... 19
6.6.4 Disposal of Media... 19
6.7 Data and Software Exchange... 19
6.7.1 Data and Software Exchange Agreements... 20
6.7.2 Security of Media in Transit... 20
6.7.3 EDI Security... 20
6.7.4 Security of Electronic Mail... 20
6.7.5 Security of Electronic Office Systems... 20
7 System Access Control... 20
7.1 Business Requirement for System Access... 20
7.1.1 Documented Access Control Policy... 21
7.2 User Access Management... 21
7.3 User Responsibilities... 21
7.4 Network Access Control... 19
7.4.1 Policy on Use of Network Services... 19
8 Systems Development and Maintenance... 22
8.1 Security Requirements of Systems... 22
8.1.1 Security Requirements Analysis and Specification... 22
8.2 Security in Application Systems... 22
8.3 Security in Development and Support Environments... 22
8.3.1 Change Control Procedures... 22
9 Business Continuity Planning... 23
10 Compliance... 23
10.1 Compliance with Legal Requirements... 24
10.1.1 Control of Proprietary Software Copying... 24
10.1.2 Safeguarding of Organisational Records... 24
10.1.3 Data Protection... 24
10.1.4 Prevention of Misuse of IT facilities... 24
10.2 Security Reviews of IT Systems... 25
10.2.1 Compliance with Security Policy... 25
10.3 System Audit Considerations and Controls... 25

Page : 2 May 2013

Introduction

The continuing availability of information is essential to the operation of Angus Council. Rapid and continuing technical advances in information processing have increased the dependence of the Council on information and automated systems. The value of data and software, in terms of restoration costs or losses due to unauthorised disclosure, far exceeds the value of its associated hardware. For that reason, information processed by computers and transmitted through networks must be recognised as a major Council asset and be protected accordingly.

The expanded use of computers and telecommunications has resulted in more accurate, reliable, and faster information processing, with information more readily available to management and staff than ever before. As a direct result of its growing commitment to the use of information technology, the Council has achieved increased productivity in terms of improved delivery of services, enhanced administrative capabilities and reduced costs.

Information technology has also brought new management concerns, challenges, and responsibilities. Information assets must be protected from natural and human hazards. Policies, standards and procedures must be established to ensure that hazards are eliminated or their effects minimised.

The main focus of information security is on ensuring the continuation of Council services. Providing efficient accessibility to necessary information is the primary reason for establishing and maintaining automated information systems. Protecting that information and the investment that surrounds it is the motivation for establishing an information security and risk management programme.

The first step of a risk analysis is to identify the items which need to be protected. Some things are obvious, like all the various pieces of hardware. It is essential to identify all categories of things that could be affected by a security problem. A list of suggested categories follows:

- Hardware: workstations, laptops, servers, printers, communication lines, modems, hubs, routers, etc.
- Software: source programs, object programs, utilities, diagnostic programs, operating systems, database management systems, communication programs, etc.
- Data: during execution, stored on-line, archived off-line backups, audit logs, databases, in transit over communication media, etc.
- People: users, operators needed to run systems, external contractors, etc.
- Documentation: on programs, hardware, systems, local administrative procedures, etc.
- Supplies: magnetic media, etc.

Protecting information assets includes:

- Physical protection of information processing facilities and equipment;
- Protection against external intrusion;
- Maintenance of application and data integrity;
- Assurance that automated information systems perform their critical functions correctly, in a timely manner, and under adequate controls;
- Protection against unauthorised use of data or disclosure of information;
- Assurance of the continued availability of reliable and critical information.

Many functions which were traditionally manual or partially automated are today fully dependent on the availability of automated information services to perform and support their daily functions. The interruption, disruption, or loss of information support services may adversely affect the Council's ability to provide its services. The effects of such risks must be eliminated or minimised. Additionally, information entered, processed, stored, generated, or disseminated by automated information systems must be protected from internal data or programming errors and from misuse by individuals internal or external to the organisation. Specifically, information must be protected from unauthorised or accidental modification, destruction, or disclosure.

In the case of purchased information system components, the integrity, competence, and economic stability of the vendor must be assured. Otherwise, there is a risk of compromising the integrity of the Council's reputation, or violating individual rights to privacy.

While it is unlikely that security risks can be eradicated, by selecting and implementing the appropriate controls we can ensure that any risks identified are reduced to an acceptable level. These controls should be selected based on the cost of implementation in relation to the reduction in risk and the potential losses if a security breach occurs, while also taking into account the need to preserve the confidentiality, integrity and availability of the information being protected. Non-monetary factors such as loss of reputation should also be taken into account.

1 Security Policy

1.1 Information Security Policy

This information security management system and associated operational procedures will, as far as practicable, address the information security management principles defined within BS7799 (1999) Code of Practice for Information Security Management. As such, this Policy will enable the Council's I.T. users, suppliers and contractors to accurately address the information security requirements of the Council, thus avoiding ambiguity in the specification, delivery and implementation of information systems. Operational procedures will be established to implement the corporate information security requirements outlined in this Security Management System, and appropriate mechanisms will be put in place to monitor and manage these procedures. This Information Security Management System is supplemented by an Information Security - User Guidelines document.

Security Organisation

A management framework will be established to initiate and control the implementation of information security within the organisation. The Council's Head of Information Technology will serve as the designated officer responsible for developing, publishing, maintaining and administering the Information Security Policy. Heads of Service are deemed to be owners of their departmental information assets. They may delegate their security responsibilities to individuals or service providers. Nevertheless the owner remains ultimately responsible for the security of the asset and should be able to determine that any delegated responsibility has been discharged correctly. Implementation of the information security policy will be independently reviewed to ensure that practices laid down within the policy are feasible and effective and are being adhered to.

Security of Third Party Access

To maintain the security of Council I.T. facilities and information assets, access to Council I.T. facilities by (non-organisational) third parties will be rigorously controlled.

Assets Classification and Control

To ensure that information assets receive an appropriate level of protection, security classifications will be used to indicate the need and priority. The Head of Information Technology will maintain a computer based inventory register which will fully address the requirements of the Council's Audit or Inventory Procedures. This register will include all major items of I.T. hardware, software systems, applications and data owned or licensed by the Council. The responsibility for classifying and declassifying departmental information assets will reside with the designated asset owners. The Head of Information Technology will be responsible for classifying and declassifying corporate information assets.

Personnel Security

The Council's Chief Officers will take all appropriate measures to minimise the risks of human error, theft, fraud or misuse of the Council's information assets and facilities. In addition, steps will be taken to ensure that all users of the Council's information systems are made aware of security risks and are equipped to adhere to, and support, the Council's Information Security Policy in the course of their normal duties.

User Training

The Council's Chief Officers will take all appropriate measures to minimise the risks of human error, theft, fraud or misuse of the Council's information assets and facilities. In addition, steps will be taken to ensure that all users of the Council's information systems are made aware of security risks and are equipped to adhere to, and support, the Council's Information Security Policy in the course of their normal duties. Relevant information security issues will be included in any formal and informal training given to the users of the Council's information systems.

Responding to Incidents

All Council staff have a responsibility to report suspected breaches of this Information Security Policy to their own departmental management. All security incidents will be reported and recorded by means of a formal logging and follow-up system and referred to the Audit, VFM and Risk Manager. Unless authorised by the Head of Information Technology, staff will on no account attempt to replicate or simulate any suspected security breach or incident. Council staff suspected of causing a security breach will be subject to investigation under established formal disciplinary procedures.

Physical and Environmental Security

Appropriate control mechanisms will be established to prevent unauthorised access, damage and interference to Council information services, including all physical information assets which support critical or sensitive departmental activities.

Removal of Property

Removal of property or information belonging to the Council is prohibited without prior authorisation by the departmental head. Any piece of Council computer equipment authorised for use outwith Council premises, including laptop computers, will be subject to the same guidelines for use as I.T. equipment within the workplace. Whilst off-site, such equipment will be protected by the user from the risk of theft and will not be left unattended in public places. When being transported, equipment will be stored out of view.

Computer and Network Management

To ensure the correct and secure operation of computer and network facilities, responsibilities and procedures for the management and operation of all computers and networks will be established.

Protection from Malicious Software

To safeguard the integrity of software and data, no unlicensed or unauthorised software will be permitted on any of the Council's I.T. systems. Data files may only be downloaded from external sources, such as bulletin boards or the internet, in accordance with Angus Council's E-Mail and Internet Usage Policy. Council employees must read and comply with Angus Council's E-mail and Internet Usage Policy. Pro-active measures will be taken to safeguard the integrity of software and data by detecting and counteracting the effects of malicious software such as computer viruses. This will include the provision of virus detection software on the Council's computer systems. Staff who use Council I.T. systems will be responsible for reporting any suspected incidents of computer virus infection to the I.T. Help Desk for further assessment and rectification.

Data Back-up

Adequate backup facilities will be provided to ensure that all essential business information can be backed up and recovered if necessary. Backup tapes, and accurate and complete records of backup copies, should be stored in a remote location, sufficiently distant to escape any damage from a disaster at the main site.

Fault Logging

Faults will be reported to the IT Division Help Desk, where they will be processed in accordance with the help desk procedures. Only persons authorised by the Head of Information Technology will carry out repairs and servicing of Council equipment.

Network Management

To ensure the safeguarding of information in networks and the protection of the supporting infrastructure, data networks will be managed in such a way as to prevent unauthorised logical and physical connection, and to detect unauthorised connection should this occur. No connection to the corporate communications network will be permitted without the prior approval of the Head of Information Technology.

Media Handling and Security

To prevent the possibility of damage, theft or unauthorised access to Council information assets and interruptions to business activities, all computer media containing valuable data will be stored securely.

System Access Control

It is the policy of Angus Council to restrict access to information systems to only those staff and authorised agents of the Council who require such access to enable them to undertake their duties. It is the responsibility of all Heads of Department, and the Head of Information Technology, to implement this policy as required. Access controls and the use and protection of passwords are set out in the Information Security User Guidelines. These guidelines will be distributed to all users of information systems within the Council. The installation and upgrade of operational systems will only be performed by arrangement with the Head of Information Technology.

Business Continuity Planning

To counteract interruptions to business activities and to protect critical business processes from the effects of major failures and disasters, departmental business continuity management processes will be implemented.

Compliance

The Council's Information Security Policy is intended to fully comply with all statutory, criminal and civil obligations to which the Council is required to adhere in relation to the implementation, management and use of information systems and services. In addition, the Head of Information Technology will implement appropriate procedures to ensure that all procurement conforms to appropriate European Community legislative requirements in addition to the Council's Standing Orders and Financial Regulations. The copyright of all software application systems developed by Council staff or authorised agents using Council resources will rest with the Council. The departmental owners of software applications will ensure that copies of data on magnetic media are retained for the period of time necessary for the equivalent paper copies, and that such data is regularly restored and archived to ensure its continued integrity. Important Council records will be protected from loss, destruction and falsification. Some records may need to be securely retained to meet statutory or regulatory requirements as well as to support essential business activities.

Data Protection

Applications handling personal data on individuals will comply with data protection legislation and principles.

Prevention of Misuse of IT Facilities

The Council's information processing facilities are provided for business purposes. The use of departmental information processing facilities will be authorised by the departmental director. If any misuse is identified it will be subject to the appropriate disciplinary action.

Compliance with Security Policy

All areas within the organisation will be regularly reviewed to ensure compliance with security policies and standards. Chief Officers will ensure that all security procedures within their area of responsibility are carried out correctly.

System Audit Considerations and Controls

Periodic audits of working practices will be undertaken to ensure compliance with this Security Policy. The Head of Information Technology will arrange a continual review of operational information systems to ensure that security controls have been properly implemented and continue to be effective.

Other related documentation

- Data Protection Act 1998
- Computer Misuse Act 1990
- Copyright, Designs and Patents Act 1989
- Angus Council E-mail and Internet Usage Policy
- Angus Council Information Security Management System
- Angus Council Information Security User Guidelines
- Information Security Incident Reporting Procedure

1.2 Scope

The implementation of this Policy ensures the protection of the Council's information infrastructure, which is taken to include:

- All physical data communications networks and components;
- All software applications resident on PCs, file servers and networking equipment;
- All computer systems and accompanying operating system software;
- All corporate software applications;
- All magnetic storage media;
- All IT related system and software applications documentation;
- All hard copy (printer output).

The rigorous implementation of this Policy will help to ensure the confidentiality, integrity and availability of all electronically stored data, systems and application software.

2 Security Organisation

2.1 Information Security Infrastructure

Objective: To manage information security within the organisation.

A management framework will be established to initiate and control the implementation of information security within the organisation. The Council's Head of Information Technology will serve as the designated officer responsible for developing, publishing, maintaining and administering the Information Security Policy.

2.1.1 Management Information Security Forum

Management direction will be provided through a suitable high level steering forum. The Information Security Group, chaired by the Head of Information Technology, will provide a focus for the implementation and development of the Information Security Policy within the Council. Meetings of the group will be convened at regular intervals to address the following objectives:

- Ensure that the Information Security Policy is formally adopted by all of the Council's constituent departments;
- Provide a mechanism for reviewing, amending and monitoring adherence to the Information Security Policy;
- Review major information security incidents, and the exposure to major threats to the Council's information systems and infrastructure.

The group will be authorised to approve initiatives to enhance information security subject to suitable funding arrangements.

2.1.2 Information Security Co-ordination

It will be necessary to co-ordinate information security measures through a cross-functional forum with all user departments represented at a management level with the authority to implement necessary measures.

2.1.3 Allocation of Information Security Responsibilities Heads of Department are deemed to be owners of their departmental information assets. They may delegate their security responsibilities to individuals or service providers. Nevertheless the owner remains ultimately responsible for the security of the asset and should be able to determine that any delegated responsibility has been discharged correctly. 2.1.4 Authorisation Process for I.T. Facilities Installation of I.T. facilities will be authorised by the Head of Information Technology and carried out by contractors approved and authorised by him. 2.1.5 Specialist Information Security Advice When specialist advice on information security is required all enquiries will be directed to the Head of Information Technology. 2.1.6 Co-operation Between Organisations When necessary appropriate contacts with law enforcement authorities, regulatory bodies, and service providers will be made to ensure that appropriate action can be taken in the event of a security incident. Membership of security groups and forums will be actively considered. Exchange of security information will be restricted to ensure that confidential information is not passed to unauthorised persons. 2.1.7 Independent Review of Information Security Implementation of the information security policy will be independently reviewed to ensure that practices laid down within the policy are feasible and effective and are being adhered to. 2.2 Security of Third Party Access Objective: To maintain the security of Council I.T. facilities and information assets accessed by third parties. Access to council I.T. facilities by (non-organisational) third parties will be rigorously controlled. As appropriate, all contracts established for the purposes of external third party connection to the Council s I.T. 
infrastructure and systems will include the following elements : A general policy statement on Information security, including reference to this Policy and to BS7799 ; Permitted methods of access, and the control and use of unique user identifiers and passwords ; Involvement of sub-contractors ; Description of each I.T. service for which third party connection is required ; Requirement to maintain a register of authorised third party users and associated authorisation processes ; Times and dates of availability ; Respective liabilities, and rights to revoke the contract ; Page : 12 May 2013

Responsibilities for user training, equipment installation, physical and data protection ; Measures to ensure the return, or destruction, of information assets at the end of the contract ; Software virus protection ; 2.2.1 Identification of risks from third party connection No third party access to the Council s information technology infrastructure will be permitted without the express permission of the Head of Information Technology. The risks associated with third party connection to the Council s information technology infrastructure and systems will be individually assessed in the context of the policy. Third party connection will only be authorised when the appropriate Head of Department has requested the need for such connection, the IT Division has established appropriate controls, and a suitable contract defining the terms of connection has been signed by the third party. 2.2.2 Security conditions in third party contracts Contracts with third parties requiring access to council I.T. facilities will be created in conjunction with the Head of Law and Administration to specifically include the necessary security conditions. 3 Assets Classification and Control Appropriate measures will be established to ensure that protection of the Council s physical I.T. assets and computer stored data is maintained at all times. 3.1 Accountability for Assets Objective: To maintain appropriate protection of Council information assets. All major information assets will be accounted for and have a designated owner. (See 2.1.3.) 3.1.1 Inventory of Assets Inventories will be maintained of all major information and IT assets. Each Department will maintain a computer based inventory register which will fully address the requirements of the Council s Audit or Inventory Procedures. This register will include all major items of I.T. hardware, but will exclude minor equipment such as connection cables. 
The register will also include all major software systems, applications and data owned or licensed by the Council, including software applications which have been developed by other departments within the Council. Other information assets which are required for business continuity purposes (such as magnetic media, power supplies, communications services and air-conditioning equipment, etc.) will be identified and recorded in the Emergency Inventory List of each department's Business Continuity Plan.

3.2 Information Classification

Objective: To ensure that information assets receive an appropriate level of protection, security classifications will be used to indicate the need and priorities for security protection.

A Council wide Information Asset Inventory will be maintained to classify the security requirements of information assets in one of the two classes defined below:

Normal Security Level. This will be the default classification and will cover the majority of the Council's information assets. No physical identification of this level will be required to be shown.

High Security Level. Certain commercially sensitive systems, or systems which contain personal data protected under the terms of data protection legislation, will be classified at the High Security Level. Information assets (physical, application or data) which, if lost due to technical failure or accidental deletion, would cause major disruption should also be classed as High.

The responsibility for classifying and declassifying departmental information assets as Normal or High Security Level will reside with the designated asset owners. The Head of Information Technology will be responsible for classifying and declassifying corporate information assets.

3.2.1 Classification Guidelines

Protection for classified information will be consistent with business needs.

3.2.2 Classification Labelling

Outputs from systems containing information classified as sensitive will be labelled appropriately. Items for consideration may include printed reports, display screens and recorded media.

4 Personnel Security

Objective: To reduce the risks of human error, theft, fraud or misuse of facilities.

The Council's Chief Officers will take all appropriate measures to minimise the potential risk of human error, theft, fraud or the misuse of the Council's information assets. In addition, steps will be taken to ensure that all users of the Council's information systems are made aware of security risks and are equipped to adhere to, and support, the Council's Information Security Policy in the course of their normal duties.
The employees' responsibility for information security will be highlighted and addressed at the induction stage, included in job descriptions where appropriate, and monitored during the individual's employment.

4.1 Security in Job Definition

Where an employee has specific responsibilities for information security, these will be highlighted in their job outline or description.

4.2 Staff Movements

To allow user accounts and group memberships to be kept up to date, departmental heads shall inform the Head of Information Technology of all staff movements (terminated employment, maternity leave, long term sick, etc.) where staff members have access to I.T. facilities.

4.3 User Training

Objective: To ensure that users are aware of information security threats and concerns, and are equipped to support organisational security policy in the course of their normal work.

Chief Officers will ensure that users of Council information systems (including, when necessary, third party organisations) are trained in their proper use. This will include, where necessary, highlighting the security implications and legal responsibilities associated with the improper use of information processing facilities. Relevant information security issues will be included in any formal and informal training given to the users of the Council's information systems.

4.4 Responding to Incidents

Objective: To minimise the damage from security incidents and malfunctions and to monitor and learn from such incidents.

All Council staff have a responsibility for reporting suspected breaches of this Information Security Policy to their own departmental management. Unless authorised by the Head of Information Technology, staff will on no account attempt to replicate or simulate any suspected security breach or incident.

4.4.1 Disciplinary Process

Council staff suspected of causing a security breach will be subject to investigation under established formal disciplinary procedures.

5 Physical and Environmental Security

5.1 Secure Areas

Objective: To prevent unauthorised access, damage and interference to Council information services.

Appropriate control mechanisms will be established to prevent unauthorised access, damage or interference to the Council's information infrastructure and systems, including all physical information assets which support critical or sensitive departmental activities.

5.1.1 Physical Security Perimeter

Appropriate physical security will be applied to protect areas which contain information processing facilities or equipment.
5.1.2 Physical Entry Controls

Designated secure areas will be protected by appropriate entry controls to ensure that only authorised persons can gain access.

5.1.3 Clear Desk Policy

Areas dealing with confidential materials and information should consider operating a clear desk policy to reduce the risk of unauthorised access to, loss of or damage to information.

5.1.4 Removal of Property

Removal of property belonging to the Council is prohibited without prior authorisation by the departmental head.

5.2 Equipment Security

Objective: To prevent loss, damage or compromise of assets and interruption to business activities.

Where deemed necessary and where reasonably practicable, appropriate measures will be taken to ensure that equipment is physically protected from security threats and environmental hazards.

5.2.1 Equipment Siting and Protection

Equipment will be sited and protected to reduce the risks of damage, interference and unauthorised access. Equipment which requires additional security, and cannot be stored in secure areas, will be sited in areas where staff require only occasional access.

5.2.2 Power Supplies

All equipment deemed to support critical operational or business functions will be protected from power supply failure or fluctuation by uninterruptible power supplies (UPS).

5.2.3 Equipment Maintenance

Only persons authorised by the Head of Information Technology will carry out repairs and servicing of Council equipment. Where necessary, information technology staff will implement appropriate controls for the protection of data before sending equipment off site for repair or allowing third party access to perform maintenance on Council equipment.

5.2.4 Security of Equipment Off-premises

Any piece of Council computer equipment authorised for use outwith Council premises, including laptop computers, will be subject to the same guidelines for use as I.T. equipment within the workplace. Authorisation from the appropriate departmental director will be required before equipment is taken off-site. Whilst off-site, such equipment will be protected by the user from the risk of theft and will not be left unattended in public places. When being transported, equipment will be stored out of view. Information (magnetic media, printed, etc.) will not be removed for use outside Council premises without permission from the appropriate departmental director.

5.2.5 Secure Disposal of Equipment

All data will be erased from equipment prior to disposal. All equipment and media declared as redundant will be disposed of in accordance with Council procedures. In the case of PC equipment, specific care will be taken to ensure that all licensed systems software and data are erased from disk prior to disposal.

Magnetic media removed from equipment will be disposed of in a similar manner.

6 Computer and Network Management

6.1 Operational Procedures and Responsibilities

Objective: To ensure the correct and secure operation of computer and network facilities.

Responsibilities and procedures for the management and operation of all computers and networks will be established.

6.1.1 Documented Operating Procedures

Formally documented operational procedures will be established to ensure the correct and secure operation of Council information systems. Detailed procedures will be established for the management of system failures. These will include the development of comprehensive contingency plans for critical corporate systems and security incident policies.

6.1.2 Incident Management Procedures

Incident management responsibilities and procedures will be established to ensure a quick, effective and orderly response to security incidents. All security incidents will be reported and recorded by means of a formal logging and follow-up system and referred to the Audit, VFM and Risk Manager. For each incident, this will include the investigation of the cause and options for the prevention of a recurrence. An audit trail suitable for internal statistical analysis, and for use as evidence on contractual and legal issues such as computer misuse and data protection, will be created.

6.1.3 Segregation of Duties

Duties within Council departments will be segregated to minimise the risk of negligent or deliberate system misuse.
6.1.4 Separation of Development and Operational Facilities

As far as is practicable, the IT Division will take the following steps to separate operational and development / test environments:

Operational and development software will not be run on the same system;
System test environments will, as far as practicable, mirror the planned operational environment;
Unless specifically required, code compilers, editors and system utilities will not reside in operational environments;
Different log-on procedures will be used for operational and test systems.

6.2 System Planning and Acceptance

Objective: To minimise the risk of systems failure.

Projections of future capacity requirements will be made to reduce the risk of system overload. The operational requirements of new systems will be established, documented and tested prior to acceptance of the system.

6.2.1 Capacity Planning

The Head of Information Technology will adopt capacity planning and monitoring procedures to minimise the potential risk of system failure due to overload in the I.T. infrastructure. The utilisation of system resources such as processing power, memory capacity, disk and tape storage capacity, throughput and the capacity of the corporate network will be monitored to identify performance bottlenecks and allow assessments of increases in system demands.

6.3 Protection from Malicious Software

Objective: To safeguard the integrity of software and data.

No unlicensed or unauthorised software will be permitted on any of the Council's I.T. systems. Pro-active measures will be taken to safeguard the integrity of software and data by detecting and counteracting the effects of malicious software such as computer viruses. This will include the provision of virus detection software on the Council's computer systems. Virus detection software will be updated at frequent and regular intervals to ensure that the Council's information systems are being protected from infection by new software viruses. All Council staff who use PC equipment will be required to pre-scan all floppy disks received from other external or internal Council sources. Data files may only be downloaded from external sources, such as bulletin boards or the internet, in accordance with Angus Council's E-Mail and Internet Usage Policy. Staff who use Council I.T. systems will be responsible for reporting any suspected incidents of computer virus infection to the I.T. Help Desk for further assessment and rectification. Staff will not attempt to rectify the situation themselves.

6.4 Housekeeping

Objective: To maintain the integrity and availability of information services.
Housekeeping measures are required to maintain the integrity and availability of services.

6.4.1 Data Back-up

Back-up copies of essential business data and software will be taken regularly and in accordance with procedures required by the appropriate head of department. Adequate backup will be provided to ensure that all essential business information can be backed up and recovered if necessary. Critical systems backups will be taken daily or as prescribed by the appropriate head of department. Accurate and complete records of backup copies should be stored in a remote location, sufficient to escape any damage from a disaster at the main site. Backed up information will be given an appropriate level of physical and environmental protection. Backed up media will be regularly tested where practicable to ensure reliability.

6.4.2 Fault Logging

Faults will be reported and corrective action taken. Faults will be reported to the IT Division Help Desk where they will be processed in accordance with the Help Desk procedures.

6.5 Network Management

Objective: To ensure the safeguarding of information in networks and the protection of the supporting infrastructure.

6.5.1 Network Security Controls

Data networks will be managed in such a way as to prevent unauthorised logical and physical connection, and to detect unauthorised connection should this occur. Controls as specified in the Council's Information Security Controls document will be applied as necessary. No connection to the corporate communications network will be permitted without the prior approval of the Head of Information Technology.

6.6 Media Handling and Security

Objective: To prevent damage to assets and interruptions to business activities.

6.6.1 Management of Removable Computer Media

When not in use, all computer media containing valuable data will be stored securely. When no longer required, the previous contents of reusable media will be erased.

6.6.2 Data Handling Procedures

Operational procedures will be established to protect computer media (tapes, disks, cassettes, etc.) and sensitive documentation from the possibility of damage, theft and unauthorised access.

6.6.3 Security of System Documentation

Systems documentation will be subject to the same rules as data for storage, distribution, backup and disposal.

6.6.4 Disposal of Media

Confidential paper based printouts will be collected and disposed of in accordance with Council directives for the disposal of confidential waste. All confidential or sensitive data stored on magnetic media which is deemed to be redundant will be erased prior to the disposal of the media.

6.7 Data and Software Exchange

Objective: To prevent loss, modification or misuse of data.

6.7.1 Data and Software Exchange Agreements

When deemed necessary, the physical or electronic exchange of any software or data between the Council and external bodies shall be subject to formal agreement. Such agreements will include the identification of data formats, secure carrier arrangements and documented verification of receipt.

6.7.2 Security of Media in Transit

When information or software is to be transported, for instance via post or courier, appropriate controls will be applied to safeguard it.

6.7.3 Electronic Data Interchange Security

Special security controls will be applied where necessary to protect electronic data interchange. Wherever practicable, software applications which depend upon Electronic Data Interchange facilities will include precautions to deal with the possibility that data has been intercepted or modified during transmission, and will include checks that data has been dispatched and delivered in accordance with the system requirements. Communications will be managed through a managed gateway that incorporates controls to prevent any unauthorised access to the Council's data communications network. Data which has been classified as High Security Level will not be transmitted unencrypted.

6.7.4 Security of Electronic Mail

Controls will be applied where necessary to reduce the business and security risks associated with electronic mail. Council employees must read and comply with Angus Council's E-mail and Internet Usage Policy.

6.7.5 Security of Electronic Office Systems

Clear policies and guidelines will be maintained to control the business and security risks associated with electronic office systems.

7 System Access Control

7.1 Business Requirement for System Access

Objective: To control access to business information.

Access to computer services and data will be controlled on the basis of business requirements.
Procedures will be established to control access to computer systems and data. These procedures will take full account of policies for the dissemination of, and entitlement to access, corporate data. Steps will be taken to make users aware of their responsibilities for maintaining effective system access controls, particularly regarding the use of user accounts, passwords and the security of information systems.

7.1.1 Documented Access Control Procedures

Business requirements for access control will be defined and documented. It is the policy of Angus Council to restrict access to information systems to only those staff and authorised agents of the Council who require such access to enable them to undertake their duties. It is the responsibility of all Heads of Department, and the Head of Information Technology, to implement this policy as required. Each multi-user software application will have user access control procedures clearly defined by the departmental owner of the system. This procedure will define:

The access rights of each user or group of users;
The security requirements of individual departments and support applications;
The relevant policy for information dissemination and entitlement;
Adherence to relevant legislation, e.g. the Data Protection Act.

7.2 User Access Management

Objective: To prevent unauthorised computer access.

Information resources will be subject to risk assessment. Based on the results of the assessments, the necessary controls as specified in the Angus Council Information Security Controls document will be applied. To maintain effective control over access to data and information systems, departmental directors will be responsible for ensuring and regularly reviewing that:

The level of access granted to a user is appropriate to their business needs;
Unique user accounts and passwords are used;
Records of user access rights and group memberships are maintained;
The IT Division is informed immediately of all staff movements.

7.3 User Responsibilities

Objective: To prevent unauthorised user access.

The responsibilities of staff and authorised system users for the effective security of information systems, access controls and the use and protection of passwords are set out in the Information Security - User Guidelines. These guidelines will be distributed to all users of information systems within the Council.
7.4 Network Access Control

Objective: Protection of network services.

Access to both internal and external networked services will be controlled. This is necessary to ensure that users who have access to Council network services do not compromise their security.

This will be done by ensuring:

Appropriate interfaces between Council networks and others (public or private);
Appropriate authentication systems for users;
Control of user access to information systems.

7.4.1 Policy on Use of Network Services

Insecure connections to network services can affect the security of the whole Council. Users will only be granted access to services that they are specifically authorised to use. To protect Council information systems, controls as specified in the Angus Council Information Security Controls document will be applied as deemed necessary.

8 Systems Development and Maintenance

8.1 Security Requirements of Systems

Objective: To ensure that security is built into information systems.

The design and implementation of the business process supporting the application or service can be crucial for security. Security requirements will be identified and included in the system specification prior to the development or implementation of new information systems.

8.1.1 Security Requirements Analysis and Specification

Specific checks will be made when upgrading operating systems or applications to ensure that system security will not be compromised. To minimise the chance of compromising security, strict control will be exercised over the implementation of new software on operational systems. The installation and upgrade of operational systems will only be performed by arrangement with the Head of Information Technology.

8.2 Security in Application Systems

To prevent loss, modification or misuse of user data in application systems, controls as specified in the Council's Information Security Controls document will be applied as necessary.

8.3 Security in Development and Support Environments

Objective: To maintain the security of application system software and data.
Managers and staff responsible for application systems development will ensure that all proposed system changes are reviewed to check that they do not compromise the security of the system, data or operating system, and that formal agreement and approval for any change is obtained.

8.3.1 Change Control Procedures

In order to prevent the corruption of information systems, there will be strict control over the implementation of changes. Formal change control procedures will be implemented. These will ensure that security and control procedures are not compromised, and that developers are given access only to those parts of the system necessary for the purpose of effecting changes.

9 Business Continuity Planning

Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures and disasters.

Departmental business continuity management processes will be implemented. Departmental directors are responsible for formulating their departments' Business Continuity Plans based on the following points:

Council computer systems will be classified into three main categories, these being Council Core, Departmental Core and Non Core.
The Head of Information Technology will provide the lead in carrying out risk assessment in relation to Council Core systems and advising on the formulation of continuity plans for all likely disasters.
Departmental Core and Departmental Non Core systems are the sole responsibility of the user department.
Departments will appoint a lead officer to manage the business continuity process.
Departments will carry out risk assessment in relation to core Council business and (in cooperation with the Head of Information Technology) formulate continuity plans for all likely disasters.
Departments will assume responsibility for the maintenance and documentation of alternative manual procedures.
Departments will establish an annual test procedure for continuity plans.
Plans must include the disaster checklists required for each risk identified, resumption procedures, a list of contacts and a list of the minimum equipment required for ensuring business continuity.
The Head of Information Technology will instigate a test programme in order to satisfy the adequacy of those aspects of the plans for which his staff have significant responsibility.
Continuity plans are to be familiar to all staff within Departments.
Departments are responsible for the interim arrangements required to manage the continuity process.
Continuity plans are to be stored in a secure, off site location.
Departments will test the adequacy of current backup procedures to ensure the availability of complete backups including data, operating system and application software.
The Head of Information Technology will accept responsibility for the co-ordination of IT systems recovery within the priority framework.
Procedures will be established to annually review the contingency plans in response to operational or technological changes.

10 Compliance