
ICT Security Policy

RELEASE: v2.10

Reviewer: James Cunningham

OWNER: Shetland Islands Council DATE: 06/10/2015

Shetland Islands Council


CONTENTS

CONTENTS ..... 3
EXECUTIVE SUMMARY ..... 5
INTRODUCTION ..... 6
1.1 Objectives ..... 6
1.2 Purpose ..... 6
1.3 Approval ..... 6
1.4 Policy ..... 6
1.5 Operating Policies and Procedures ..... 7
1.6 Business ..... 7
GENERAL RESPONSIBILITIES ..... 8
2.1 ICT Security Policy ..... 8
2.2 ICT Security Policy Implementation ..... 8
2.3 Data Protection Act ..... 8
2.4 Freedom of Information (Scotland) Act ..... 8
2.5 Policy Development ..... 8
2.6 Review ..... 8
ICT SYSTEMS ACCESS CONTROL ..... 9
3.1 Access Control Policy Specifics ..... 9
3.2 Access Control Policy Implementation ..... 9
3.3 Access Control Documentation ..... 10
ICT USER CREDENTIALS POLICY ..... 11
4.1 User Credentials Policy Specifics ..... 11
4.2 Password Responsibilities ..... 11
4.3 Password Properties ..... 11
INTERNET USAGE POLICY ..... 13
5.1 Internet Usage Policy Specifics ..... 13
5.2 Internet Usage Implementation Specifics ..... 13
E-MAIL USAGE POLICY ..... 15
6.1 E-mail Usage Policy Specifics ..... 15
6.2 E-mail Usage Implementation Specifics ..... 15
PRINTED OUTPUT, COMPUTER STORAGE MEDIA, AND ELECTRONIC ID DEVICE POLICY ..... 18
7.1 Printed Output and Computer Storage Media Policy Specifics ..... 18
7.2 Printed Output and Computer Storage Media Handling ..... 18
7.3 Personal Data & Sensitive Personal Data Storage on Removable Media Devices ..... 18
7.4 Unauthorised computer devices ..... 19
7.5 Building Management Control Systems ..... 19
SOFTWARE POLICY ..... 20
8.1 Software Policy Specifics ..... 20
8.2 Software Licensing ..... 20
8.3 Installing and Removing Software ..... 20
8.4 Media ..... 20
8.5 Software Upgrades and Maintenance ..... 21
8.6 Anti-Virus Upgrades and Maintenance ..... 21
8.7 Computer Games and Entertainment Software ..... 21
ICT MOBILE PHONE AND MOBILE DATA DEVICE POLICY ..... 22
9.1 ICT Mobile Phone and Mobile Data Device Policy Specifics ..... 22
9.2 General User Responsibilities ..... 22
9.3 Use of Mobile devices when travelling abroad ..... 23
9.4 Mobile Phone Usage ..... 23
9.5 Liabilities ..... 23
BREACHES OF THE ICT SECURITY POLICY ..... 24
10.1 Investigation ..... 24
10.2 Penalties ..... 24
ICT SECURITY POLICY REVIEW AND COMPLIANCE CHECKING ..... 25
11.1 Review ..... 25
11.2 Compliance ..... 25
APPENDIX A - ICT SUPPORT CHARTER ..... 26
A.1 Support, Testing and Disposal of Systems ..... 26
APPENDIX B - E-MAIL USAGE GUIDELINES ..... 27
B.1 Usage of the E-Mail System ..... 27
B.2 Recipient List ..... 27
B.3 Attachments ..... 28
B.4 Composing An E-Mail ..... 29
B.5 Replying To An E-Mail ..... 29
B.6 Forwarding An E-Mail ..... 30
B.7 Organising Your E-Mail Account ..... 30
APPENDIX C - SECURE OPERATING PROCEDURES ..... 32
C.1 SOP Introduction ..... 32
C.2 SOP Contents ..... 32
APPENDIX D - DOCUMENT ACCEPTANCE SIGN-OFF ..... 34


EXECUTIVE SUMMARY

The purpose of this policy is to provide Shetland Islands Council with a framework of procedures and behaviour to ensure the electronic security and protection of all users of its ICT systems including mobile phones, laptops and office based equipment. This policy should be read alongside the Staff Code of Conduct as it sets out specific behaviours and conduct relating to information security.

You are issued with credentials to access the Council's computer systems. These credentials must be kept secret and not divulged to anyone not authorised to know.

You are granted usage of the internet and email services, but you must not use these systems to break the law, break Council policy or in any way cause distress, harassment or harm to anyone.

Your access to the computer systems is restricted to the areas that have been identified as necessary for you to perform your duties.

Any information that you view, print out or email must not be divulged to anyone not authorised to see this information.

You are given software programs to use in the course of your work, which have been tested and passed as fit for use on the Council's network.

You must not install your own software without proper licences and authorisation from ICT to do so.

You have a duty of care for the computer systems, the data and equipment issued to you by the Council.

If you see anyone breach this Security Policy, or suspect that in some way that any of the Council's ICT Security has been compromised you must report this.


INTRODUCTION

The purpose of this document is to provide Shetland Islands Council with an ICT Security Policy for its computer systems, services and operations. It seeks to cover all relevant areas of ICT operations with cross-references to other key security and control documentation.

1.1 Objectives

1.1.1 The objective of information security is to ensure business continuity and minimise business damage by preventing and minimising the impact of security incidents.

1.2 Purpose

1.2.1 Information takes many forms and includes data stored on computers, transmitted across networks, printed out or written on paper, sent by fax, stored on tapes and diskettes, or spoken in conversations and over the telephone (land and mobile).

1.2.2 The purpose of the ICT Security Policy is to protect the organisation’s information assets from all threats, whether internal or external, deliberate or accidental.

1.2.3 The organisation includes Shetland Islands Council facilities and systems, systems and services provided by Shetland Islands Council for public access, and systems and services provided by Shetland Islands Council for public sector organisations.

1.3 Approval

1.3.1 Shetland Islands Council has approved the ICT Security Policy.

1.4 Policy

1.4.1 It is the Policy of the organisation to ensure that:

1.4.2 Information will be protected against unauthorised access. Confidentiality of information will be assured through the protection of valuable or sensitive information from unauthorised or inappropriate disclosure or interception, or intelligible interruption.

1.4.3 Integrity of information will be maintained, safeguarding the accuracy and completeness of information by protecting against unauthorised modification.

1.4.4 Availability of information is ensured as required by the business processes.

1.4.5 Regulatory and legislative requirements will be met. This applies to record keeping, and most controls will already be in place. This includes, but is not limited to, the requirements of legislation such as:


Companies Act 1989

Computer Misuse Act 1990

Data Protection Act 1998

Civic Government (Scotland) Act 1982

Obscene Publications Act

Criminal Justice and Public Order Act 1994

Telecommunications Act

Sex Discrimination Act 1975

Race Relations Act 1976

Disability Act 1985

Regulation of Investigatory Powers (Scotland) Act 2000

1.4.6 Business Continuity (Disaster Recovery) plans will be produced, tested and maintained. This will ensure that information and vital services are available to users when and where they need them.

1.4.7 Information security training will be available to all staff.

1.4.8 All breaches of information security, actual or suspected, will be reported to, and investigated by the ICT Executive Manager.

1.4.9 The policy will comply with all existing and emerging minimum requirements for the Government Secure Extranet (GSX).

1.5 Operating Policies and Procedures

1.5.1 Operating Policies and Procedures will be produced to support the ICT Security Policy. These will include, but are not limited to:

1.5.2 Flexible, remote or home working procedures. Staff using computer systems, infrastructure, and devices belonging to the Council away from their normal base of work must use them to the same standards as they would in the workplace regardless of time of day or whether during working hours or not.

1.5.3 Information backup, storage and recovery procedures

1.5.4 Printed and Computer Media security – See Code of Practice on Records Management, Data Protection Policy, and Disciplinary Procedures

1.5.5 Business Continuity

1.5.6 Secure Operating Procedures for ICT Systems (For requirements see Appendix C)

1.6 Business

1.6.1 Business requirements for the availability of information and information systems will be met.


GENERAL RESPONSIBILITIES

2.1 ICT Security Policy

2.1.1 The ICT Executive Manager has direct responsibility for maintaining the ICT Security Policy and providing advice and guidance on its implementation.

2.1.2 All ICT is provided for work purposes, but limited reasonable personal use is permitted. All files, e-mails, internet access and other data are the property of the Council and may be accessed if required.

2.2 ICT Security Policy Implementation

2.2.1 It is the responsibility of the ICT Executive Manager, or the ICT Executive Manager's delegated officer, to implement the ICT Security Policy and to provide the procedures and controls for its implementation.

2.2.2 All Executive Managers, Team Leaders and Head Teachers are responsible for implementing the Policy within their service areas, and for adherence by their staff (including awareness and training).

2.2.3 It is the responsibility of each employee to familiarise themselves with the Policy and fully adhere to its requirements.

2.2.4 It is the responsibility of each employee to inform the ICT Helpdesk or the ICT Executive Manager should any discrepancy in computer access be discovered.

2.2.5 It is the responsibility of the ICT Executive Manager or delegated officer to investigate and report on any reported discrepancy in computer access and/or usage.

2.2.6 All staff have a duty of care for all Council assets, equipment and data.

2.3 Data Protection Act

2.3.1 Responsibility for Data Protection, within the context of the Data Protection Act, is delegated to the Data Protection Officer.

2.4 Freedom of Information (Scotland) Act

2.4.1 Responsibility for the Freedom of Information (Scotland) Act, within the context of FOISA, is delegated to the Records Manager.

2.5 Policy Development

2.5.1 The ICT Unit will produce Security Policies for all information systems, applications and networks.

2.6 Review

2.6.1 The Policy will be reviewed by the ICT Executive Manager.


ICT SYSTEMS ACCESS CONTROL

3.1 Access Control Policy Specifics

It is the Policy of the organisation to ensure that:

3.1.1 Systems are available to authorised users requiring access, subject to but not limited to installation of client software, desktop shortcuts, and hyperlinks.

3.1.2 Systems have a designated owner to authorise access to the systems. All systems must have a designated authorising contact acting as the definitive authoritative source for granting access to the respective system. This 'owner' can be an individual or a specific post such as the Head of Finance or designated deputies.

3.1.3 Authorised access to systems is granted on a basis of requirement and is fit for purpose, on the condition that the System Owner(s) have identified suitable levels of access and have defined suitable groupings for specific user needs.

3.1.4 Access levels, groups and individual user type profiles are dependent on the system being implemented. While not all may be implemented, it is very difficult to adequately audit and control computer systems without them. Computer systems that do not have all of the above should not be considered secure for use.

3.1.5 Servers are in physically secured environments with appropriate measures taken to prevent access to these computers by unauthorised personnel.

3.1.6 Systems should have a Secure Operating Procedure (see Appendix C).

3.2 Access Control Policy Implementation

3.2.1 Network access is authorised and implemented by the ICT Unit. Executive Managers and Head Teachers are responsible for ensuring that new starts, leavers and other changes (e.g. internal moves, promotions, secondments, maternity and other breaks in service, especially suspension etc.) are notified to the ICT Unit promptly and timeously. When staff leave the Council or move on to new jobs within the Council, all network access and individual system access will be terminated.

3.2.2 Systems Administration will be performed by the ICT Unit for all ICT systems, except by specific agreement between the System Owner and the ICT Executive Manager. It is expected that there is clear segregation between Administrators and Users of any systems.

3.2.3 System Owners are responsible for defining levels of access, groups and profiles for access to their systems and modules.


3.2.4 System Owners are responsible for authorising access and changes in access to their systems for users. Unauthorised granting of access and changes to access are prohibited.

3.2.5 The System Owner must ensure suitable separation of data for the purposes of live usage, test usage and training usage. The same access control procedure should apply to all three areas of use.

3.2.6 Where Data Processing Agreements or Information Sharing Protocols are required for the processing of, or access to, personal information, advice should be sought from the Council’s Data Protection Officer.

3.3 Access Control Documentation

3.3.1 System Owners are responsible for documenting ICT Systems Access Controls as applied to their own systems.

3.3.2 System Owners are responsible for documenting the auditable trail for systems access controls as applied to their own systems.

3.3.3 System Owners are responsible for documenting any changes to the systems access controls as applied to their own systems and for informing all interested parties.

3.3.4 System Owners are responsible for the safe storage and retrieval of the documented auditable trail for systems access controls as applied to their own systems.

3.3.5 The ICT Unit is responsible for documenting instances of systems access controls as applied to its own changes for the purposes of resolving reported support incidents.

3.3.6 The Systems Owners are responsible for documenting instances of systems access controls as applied to their own changes for the purposes of testing, installing and upgrading or updating ICT Systems.


ICT USER CREDENTIALS POLICY

4.1 User Credentials Policy Specifics

It is the Policy of the organisation to ensure that:

4.1.1 User Credentials (username and password) are issued to authorised users of the organisation's computer systems and software.

4.1.2 User credentials issued are fit for purpose.

4.1.3 Procedures and controls of User Credentials are fit for purpose.

4.2 Password Responsibilities

4.2.1 User Credentials are issued to individuals and the disclosure of these credentials to another party is strictly prohibited.

4.2.2 Passwords must not be recorded and/or stored in an easy to retrieve manner, for instance on post-it notes adhered to a computer screen. Written records of passwords, if specifically required, must be stored in a locked secure facility such as a fire safe, and all access and changes recorded including date, time and by whom.

4.2.3 It is recommended that Council employees log off when leaving machines unattended for any considerable period, e.g. at lunchtimes. In addition, approved screen savers with password protection set to activate after a set period must be installed on all desktops. Staff must ensure that the screen saver facility is active and that they use this facility. Internal Audit will check this as part of their audit programmes. The minimum period for activation is 10 minutes for all staff, excepting teaching staff where the minimum is 55 minutes.

4.2.4 In the event of an investigation into a potential breach of this policy, employees should be aware that a reasonable presumption will be made that the owner of a password is the author of any material created on a password protected system, or the sender of any e-mail associated with the user account. During any investigation ICT would investigate the possibility of hacking on the system.

4.3 Password Properties

4.3.1 Passwords must not comprise recognisable names or be easy to guess. Proper nouns including but not limited to children's names, house names, spouses' names are prohibited. Recognisable passwords such as but not limited to car registration numbers, dates of birth, current month/date, post number, job title are also prohibited.


4.3.2 Passwords must have a minimum of nine characters and must be complex, i.e. a mix of upper and lower case letters and at least one digit or special character (e.g. !"£$%^&*() etc.).

4.3.3 Passwords must be changed at least once every ninety days, and the new password must not have been used within the past twelve months. If there is any suspicion that a password has become known by any unauthorised third party, the authorised user must change the password immediately and notify both their line manager and the ICT Service.
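The rules in 4.3.1 to 4.3.3 are concrete enough to check mechanically. The following Python is an added example, not the Council's own tooling: it encodes the stated minimum length, the complexity rule, a per-user list of recognisable values to reject, the ninety-day change interval and the twelve-month no-reuse rule. The per-user fact list, the history record layout (a date plus a salted PBKDF2 digest, so old passwords are never stored in clear) and all function names are assumptions made for the example.

```python
"""Checks for the password properties stated in section 4.3.

Added example, not the Council's own tooling. The rules encoded are those
the policy states: at least nine characters with a mix of upper and lower
case and at least one digit or special character (4.3.2); no recognisable
names or easily guessed values such as a child's name, car registration or
date of birth (4.3.1); a change at least every ninety days and no reuse of
a password set within the past twelve months (4.3.3). The per-user fact
list, the history layout and the function names are assumptions.
"""
from datetime import date, timedelta
import hashlib
import hmac
import os

MIN_LENGTH = 9          # 4.3.2
MAX_AGE_DAYS = 90       # 4.3.3: changed at least once every ninety days
HISTORY_DAYS = 365      # 4.3.3: not used within the past twelve months
PBKDF2_ROUNDS = 100_000


def check_properties(password, user_facts=()):
    """Return the 4.3.1/4.3.2 rules the candidate breaks (empty list = acceptable).

    user_facts is an assumed per-user list of values the policy prohibits,
    e.g. family names, car registration, date of birth or job title.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    # The policy lists !"£$%^&*() as examples; any non-alphanumeric counts here.
    has_digit_or_special = any(c.isdigit() or not c.isalnum() for c in password)
    if not (has_upper and has_lower and has_digit_or_special):
        problems.append("needs upper case, lower case and a digit or special character")
    lowered = password.lower()
    for fact in user_facts:
        if fact and fact.lower() in lowered:
            problems.append(f"contains a recognisable value ({fact})")
    return problems


def hash_password(password, salt):
    """Salted PBKDF2 digest; the history holds digests, never the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def record_change(history, password, changed_on):
    """Append a (date, salt, digest) entry for a password set on changed_on."""
    salt = os.urandom(16)
    history.append((changed_on, salt, hash_password(password, salt)))


def reused_recently(password, history, today):
    """True if the candidate matches any password set within HISTORY_DAYS of today."""
    cutoff = today - timedelta(days=HISTORY_DAYS)
    for changed_on, salt, digest in history:
        if changed_on >= cutoff and hmac.compare_digest(hash_password(password, salt), digest):
            return True
    return False


def change_due(last_changed, today):
    """True once a password has been in use for MAX_AGE_DAYS or more."""
    return (today - last_changed).days >= MAX_AGE_DAYS


def evaluate_change(candidate, history, today, user_facts=()):
    """Combine the checks as a change dialogue would; returns the reasons to refuse."""
    reasons = check_properties(candidate, user_facts)
    if reused_recently(candidate, history, today):
        reasons.append(f"used within the past {HISTORY_DAYS} days")
    return reasons


if __name__ == "__main__":
    today = date(2015, 10, 6)   # the policy's release date, used as "today"
    history = []                # constructed history for one user
    record_change(history, "Winter2014!", date(2014, 9, 1))   # over a year ago
    record_change(history, "Spring2015!", date(2015, 7, 1))   # within the last year
    for candidate in ("Spring2015!", "Winter2014!", "fluffy", "Harbour#2015"):
        verdict = evaluate_change(candidate, history, today, ("Fluffy",))
        print(candidate, "->", verdict or "accepted")
    print("change due:", change_due(date(2015, 7, 1), today))
```

The history comparison uses a constant-time digest comparison and a fresh salt per entry, so a leaked history file does not hand over the old passwords; the substring match against user facts is deliberately crude and is where a real deployment would plug in its own list of prohibited values.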


INTERNET USAGE POLICY

5.1 Internet Usage Policy Specifics

It is the Policy of the organisation to ensure that:

5.1.1 Internet services are provided to Council computer users to support and facilitate their work.

5.1.2 Internet services are provided in a safe and secure manner. Internet usage will be logged and monitored, and sites considered inappropriate (e.g. illegal, pornographic, racist, sexist, violent, gambling, likely to cause offence, or any material that may harm the organisation's reputation etc.) will be blocked by the Council's web filtering system.

5.2 Internet Usage Implementation Specifics

5.2.1 Employees may use Council facilities to access non-work related Internet sites (e.g. news, sports results, etc.) within reason, during breaks, lunch-hours and before and after the working day. If non-work related sites are accessed during breaks, they should not be left open during work time. Employees must not access these types of sites during the time they are expected to be concentrating on their Council work.

5.2.2 The Council currently has filter software in place which blocks entry to certain Internet sites deemed inappropriate to Council business. Sites containing inappropriate content (see 5.1.1) should not be accessible at any time from Council computers. Should sites containing this type of material be accidentally accessed, this must be reported in line with section 2 of this policy.

5.2.3 Requests to unblock sites that contain material relevant to Council business can be made to the ICT Unit. Similarly, staff must inform the ICT Unit about inappropriate sites that can be accessed and are not blocked.

5.2.4 The ICT Unit operates an Internet logging facility in order to monitor Internet connections. This automatically logs site addresses, user identifications and data transfer and is monitored by ICT Unit staff on a weekly basis. The purpose of this is to provide further protection for the Council by allowing ICT staff to identify excessive data transfer and use of Internet facilities during work-time.

5.2.5 The Internet logging facility records every time people are blocked from accessing websites. The vast majority of blocks are inadvertent and innocent. However, a large number of blocks can indicate a deliberate attempt to bypass the filters. Line managers will therefore be notified where any of their employees have recorded an inappropriate number of blocks in one week. It will be the responsibility of the line manager to determine what action is appropriate, with such advice as is necessary from Human Resources and the ICT Executive Manager. The ICT Executive Manager may withdraw Internet Access or suspend User Accounts pending satisfactory resolution. In such cases re-instatement can only be authorised by the Director of Corporate Services.
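Sections 5.2.4 and 5.2.5 describe a weekly review: the logging facility records site address, user identification and data transferred for every request, every block is recorded, and a user with an inappropriate number of blocks in one week is referred to their line manager. The Python below is an added example of that review logic, not the Council's logging facility. The key=value line format, the field names, the numeric thresholds and the log lines themselves are all constructed for the example; the policy gives no figures for "inappropriate number of blocks" or "excessive data transfer".

```python
"""Weekly review of web-filter logs as described in 5.2.4 and 5.2.5.

Added example, not the Council's logging facility. The policy states that
site addresses, user identifications and data transfer are logged, that
every block is recorded, that ICT staff review the logs weekly, and that an
inappropriate number of blocks in one week is referred to the line manager.
The key=value line format, the field names and the numeric thresholds are
assumptions made for this example; the sample log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime
import re

BLOCKS_PER_WEEK_THRESHOLD = 20          # assumed; the policy gives no number
BYTES_PER_WEEK_THRESHOLD = 500_000_000  # assumed "excessive data transfer" figure

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"url=(?P<url>\S+) action=(?P<action>ALLOW|BLOCK) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one assumed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "user": m["user"],
        "url": m["url"],
        "action": m["action"],
        "bytes": int(m["bytes"]),
    }


def weekly_summary(lines):
    """Aggregate per (user, ISO year, ISO week): requests, blocks and bytes transferred.

    Returns (summary, malformed_count). Malformed lines are skipped but counted,
    because a log that has stopped parsing is itself something the audit
    checks in 5.2.6 are meant to notice.
    """
    summary = defaultdict(lambda: {"requests": 0, "blocks": 0, "bytes": 0})
    malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        year, week, _ = rec["ts"].isocalendar()
        bucket = summary[(rec["user"], year, week)]
        bucket["requests"] += 1
        bucket["bytes"] += rec["bytes"]
        if rec["action"] == "BLOCK":
            bucket["blocks"] += 1
    return dict(summary), malformed


def users_to_refer(summary, block_threshold=BLOCKS_PER_WEEK_THRESHOLD,
                   byte_threshold=BYTES_PER_WEEK_THRESHOLD):
    """Users whose blocks or data transfer in any single week reach a threshold.

    Returns sorted (user, year, week, reason) tuples for the weekly report.
    """
    findings = []
    for (user, year, week), v in summary.items():
        if v["blocks"] >= block_threshold:
            findings.append((user, year, week, f"{v['blocks']} blocks"))
        if v["bytes"] >= byte_threshold:
            findings.append((user, year, week, f"{v['bytes']} bytes transferred"))
    return sorted(findings)


def build_sample():
    """Constructed log lines: one ordinary user and one with a run of blocks in ISO week 41 of 2015."""
    lines = [
        "2015-10-05T09:14:02 user=asmith url=http://intranet.example/home action=ALLOW bytes=18234",
        "2015-10-05T12:31:45 user=asmith url=http://news.example/today action=ALLOW bytes=90211",
        "2015-10-06T12:40:10 user=asmith url=http://video.example/clip action=BLOCK bytes=0",
        "2015-10-07T12:41:30 user=asmith url=http://video.example/clip2 action=BLOCK bytes=0",
        "this line is not in the expected format",
    ]
    # 25 blocked requests by one user across Mon 5 to Wed 7 Oct 2015 (all ISO week 41)
    for i in range(25):
        lines.append(
            f"2015-10-0{5 + i % 3}T1{i % 10}:{i:02d}:00 user=bjones "
            f"url=http://games.example/p{i} action=BLOCK bytes=0"
        )
    return lines


if __name__ == "__main__":
    summary, malformed = weekly_summary(build_sample())
    for user, year, week, reason in users_to_refer(summary):
        print(f"refer to line manager: {user} week {year}-W{week:02d}: {reason}")
    print(f"malformed lines skipped: {malformed}")
```

Two blocks in a week for the first user fall well under the assumed threshold and produce no referral, which matches the policy's own observation that most blocks are inadvertent; the second user's twenty-five blocks in one week are reported with the week number so the line manager can look at the underlying entries before deciding on any action.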

5.2.6 Employees should also be aware that external auditors check the Internet logs periodically (normally annually) to ensure that the logs are being maintained properly and to search for obvious signs of Internet misuse. These checks may, therefore, result in usage investigations. Internal Audit also reviews logs on a three-monthly basis and may also instigate an employee Internet usage audit.

5.2.7 In the event of a manager having reasonable suspicions that an employee is misusing the Internet facility, an employee Internet usage audit may be requested. A usage audit can only be initiated following prior authorisation being provided by the relevant Executive Manager (or equivalent/higher level of management) and the ICT Executive Manager. In line with the Council’s Disciplinary Procedure, should any employee usage audit indicate that disciplinary action may be necessary, Human Resources must be consulted at an early stage to ensure that the correct procedure is followed.

5.2.8 The Council system is equipped with systems that will automatically check for viruses contained in software. However, employees have a duty of care to ensure that opportunities for the transmission of viruses are limited by avoiding downloading non-work related Internet software, such as PC games and screensavers. Further advice on this can be provided by the ICT Unit.

5.2.9 All Council Employees should refer to the “Social Media Guidelines for Staff” document available on the Council Intranet for rules and guidelines for the use of Social Media sites.


E-MAIL USAGE POLICY

6.1 E-mail Usage Policy Specifics

It is the Policy of the organisation to ensure that:

6.1.1 E-mail services are provided to Council computer users to support and facilitate their work.

6.1.2 All staff are responsible for the content of their e-mail. The Council reserves the right to examine all mailboxes stored on its systems subject to appropriate authorisation.

6.1.3 E-mail services are provided in a safe and secure manner. E-mail usage will be logged and monitored, and messages containing inappropriate material (e.g. spam, viruses, illegal, pornographic, racist, sexist, violent, likely to cause offence, or any material that may harm the organisation's reputation etc.) will be blocked by the Council's e-mail filtering system.

6.2 E-mail Usage Implementation Specifics

6.2.1 Employees may use Council facilities to send non-work-related e-mails during breaks, lunch-hours and before and after the working day. It should be recognised that over-use of e-mail facilities for personal or non-work-related purposes will be viewed in the same light as any other form of unproductive behaviour or substandard work and, depending upon the circumstances, may result in disciplinary action being taken.

6.2.2 In order to ensure that employees are aware of the most effective use of e-mails, the “SIC E-Mail Guidelines” are attached to this Policy in Appendix B. These should be read, along with the provisions of this policy.

6.2.3 The Council currently has filter software in place to monitor and deal with e-mails that contain inappropriate or offensive material. The filters automatically quarantine multiple unsolicited e-mails or e-mails which contain inappropriate content. These e-mails are then automatically destroyed.

6.2.4 Should a manager have reasonable suspicions of an employee’s inappropriate e-mail use, a full investigation of that person’s e-mail files and, where appropriate, previously deleted e-mail messages can be requested. An investigation can only be initiated following prior authorisation being provided by the relevant Executive Manager (or equivalent/higher level of management) and the ICT Executive Manager.

6.2.5 In line with the Council’s Disciplinary Procedure, should any investigation indicate that disciplinary action may be necessary, Human Resources must be consulted at an early stage to ensure that the correct procedures are followed.

6.2.6 The inappropriate content of internal or external e-mail could result in libel or defamatory cases being brought. It is highlighted that personal opinions should not be capable of being attributed to the Council in any way. E-mail messages are not necessarily restricted to the intended recipients, therefore, the content of messages should be carefully considered before sending.

6.2.7 Comments and remarks made by e-mail can be interpreted as harassment and bullying and may result in complaints of discrimination under the Sex Discrimination Act (1975), Disability Discrimination Act (1995) or Race Relations Act (1976). Employees must not use electronic communications to harass or bully an individual or group of individuals. The definition of “harassment and bullying” is provided in Section 3 of the Council’s Policy on Harassment and Bullying at Work.

6.2.8 Due to the nature of electronic communications, when e-mailing "personal or sensitive information", as defined by Section 2 of the Data Protection Act (1998), to external e-mail, employees must ensure that any sensitive data is sent as an attachment and not in the body of the e-mail. Furthermore, all attachments must be encrypted and password protected. This is because external e-mails go out over the internet, which is not secure, and there is a potential risk that the e-mail could be intercepted and read. For the avoidance of doubt, all internal e-mails are secure and do not need to be encrypted. The ICT Unit provides software to encrypt and password protect attachments on all Council computers. The password to unlock encrypted attachments must be sent by other means; for example, by telephone call or, at least, by separate e-mail.

6.2.9 The exception to 6.2.8 is when confidential, personal or sensitive information is required to be sent to an external GSX (or GSI) e-mail address. In this case, a Council GSX e-mail account must be used because some external organisations' GSX networks do not permit encrypted attachments (for example, NHS). In this case, separate encryption is unnecessary as all GSX to GSX e-mails are intrinsically secure. GSX e-mail accounts must be requested through the ICT Helpdesk, and users must undergo baseline security checks and complete the ICT Security and Data Protection training available from Train Shetland. For infrequent or ad-hoc requirements to send to a GSX account, the message may be relayed through an existing Council GSX user. The ICT Helpdesk is set up with a GSX account to relay e-mails to other GSX accounts on an ad-hoc basis.

6.2.10 Employees are bound by existing confidentiality requirements.

6.2.11 The Council’s electronic communications should not be used to cause harm to other systems, internal or external to the Council. All employees using these facilities are constrained by the Computer Misuse Act (1990) and thus may incur personal liability for such actions.

6.2.12 Employees must not forge identity or attempt to communicate under an assumed name, for the purpose of misleading other users.

6.2.13 The Council's electronic communications must not be used to contravene any European, national or local Laws. Any such misuse will be dealt with through reference to the Council's Disciplinary Procedure, in addition to legal enforcement, as required, e.g. the viewing, downloading or circulation of paedophiliac material is a criminal offence and will constitute gross misconduct, warranting summary dismissal from the Council.

6.2.14 The use of the Council’s electronic communications to conduct private commercial business is expressly forbidden. This is in accordance with the Council’s Code of Conduct for Employees.

6.2.15 Electronic communications must not be used for electioneering or other political purposes. Communications relating to Trade Union activity should be limited to Trade Union members, with use also being made of any Intranet facilities that may be available.


PRINTED OUTPUT, COMPUTER STORAGE MEDIA, AND ELECTRONIC ID DEVICE POLICY

7.1 Printed Output and Computer Storage Media Policy Specifics

It is the Policy of the organisation to ensure that:

7.1.1 Information from Council computer systems, whether in the form of Printed Output or as files stored on magnetic (hard/floppy disc), optical (CD/DVD) or solid state (pen drive) media, or stored on laptops, workstations and servers, is treated with appropriate confidentiality.

7.2 Printed Output and Computer Storage Media Handling

7.2.1 Printed Output and files stored on Computer Storage Media should only be created when absolutely necessary.

7.2.2 Printed Output and files stored on Computer Storage Media should be subject to the following additional restrictions:

It should not be passed to, photocopied, faxed, e-mailed or otherwise transferred to anyone not allowed to view that material.

If filing is required, Printed Output and/or Computer Storage Media, whether confidential or not, should be stored in a secure location behind at least one locked door for ordinary information and at least two locked doors for confidential information, for example within a locked filing cabinet in a locked office for confidential information.

Unless specifically required for filing it should be irrevocably deleted and/or shredded and incinerated as appropriate in accordance with accepted retention periods and destruction methods contained within the Council Retention and Destruction Schedule. Advice should be sought from the Council’s Records Manager.

7.3 Personal Data & Sensitive Personal Data Storage on Removable Media Devices

7.3.1 Any personal data or sensitive personal data stored on removable media devices, including USB memory sticks and laptops, must be encrypted, with access protected by biometric data or by a password that complies with the password properties detailed in section 4.3 of the ICT Security Policy.

7.3.2 Personal data is information which relates to a living individual who can be identified from that information, or could be identified if that information was used with other information that the Council holds. It also includes any expression of opinion about the individual and any indication of the intentions of the holder of that information or any other person in respect of the individual.


7.3.3 Other information relating to an individual’s medical circumstances, or to their religious or political beliefs or opinions, is classed as “sensitive personal data”. Specifically, the Data Protection Act 1998 defines sensitive personal data as being:

i. the racial or ethnic origin of an individual;

ii. their political opinions;

iii. their religious beliefs or other beliefs of a similar nature;

iv. whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992, c. 52);

v. their physical or mental health or condition;

vi. their sexual life;

vii. the commission or alleged commission by them of any offence;

viii. any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

7.4 Unauthorised computer devices

7.4.1 Unauthorised computer devices such as personal laptops, tablets, PCs or mobile phones must not be connected to the Council’s network (either physically through a network port, or through a credential-based wireless network such as SICDATASSID) unless prior authorisation has been approved by the Executive Manager ICT.

7.4.2 For clarity, SICGUEST is a public access network, and is exempt from 7.4.1 above.

7.5 Building Management Control Systems

7.5.1 Electronic ID devices are unique identification devices that permit allocated staff to access doors in council buildings as required. The usage of these devices is logged every time the device comes into contact with an electronic door lock.

7.5.2 If your electronic ID becomes lost, or is stolen, it is your responsibility to notify ICT or your line manager as soon as possible so that the device can be deactivated. Outwith normal working hours, the ICT helpdesk should be notified.

7.5.3 These devices should remain secure at all times, and must not be given to another member of staff.

The Council will log device usage and this information will be routinely reviewed.


SOFTWARE POLICY

8.1 Software Policy Specifics

It is the Policy of the organisation to ensure that:

8.1.1 Software used on systems within the organisation is legal and properly licensed.

8.1.2 Software used on systems within the organisation is safe to use within the organisation and does not conflict or otherwise adversely affect other software in use.

8.1.3 Software used on systems within the organisation should normally be chosen from existing third party packages rather than in-house developed or bespoke solutions, with the exception of end user created straightforward spreadsheets and databases.

8.2 Software Licensing

8.2.1 The downloading of unlicensed software or material in violation of the Copyright, Designs and Patents Act 1988 is prohibited.

8.2.2 Software must not be installed and used without a valid licence agreement.

8.2.3 Unauthorised copying and distribution of licence details and/or licence keys is prohibited.

8.2.4 Any software used under a trial or time limited license must be removed when the trial or time limit is reached and if required the fully licensed product purchased and installed.

8.2.5 Software licences for software procured by Invitation To Tender must be filed with Legal and Administration.

8.2.6 Software licences (not procured through Invitation to Tender) and installable media for products installed and supplied by ICT will be securely stored within the ICT Unit.

8.2.7 Software licences and installable media for products installed by end users must be securely stored within the appropriate end users’ Service or Department.

8.2.8 Employees who accept terms and conditions when installing or downloading software should be aware that they may be entering into a legally binding contract and may be held accountable.

8.3 Installing and Removing Software

8.3.1 Software (including software downloaded from the Internet) must not be installed or removed from the organisation's systems and facilities unless the software is approved by the ICT Executive Manager or the ICT Executive Manager’s delegated officer.

8.4 Media

8.4.1 The original software media should be stored in a secure manner, for example in a fireproof safe or a locked offsite storage facility. Software downloaded from the vendor’s or supplier’s Internet presence should be stored in a secure, backed-up area of a file server.

8.4.2 Unauthorised copying and distribution of these media is prohibited.

8.5 Software Upgrades and Maintenance

8.5.1 All software should be maintained and upgraded to the latest versions unless:

The ICT Executive Manager specifically approves the continued use of the current version; or

The ICT Executive Manager specifically instructs (for example, for strategic, technical, cost etc reasons) that the software is not to be upgraded.

8.5.2 Software upgrades must be licensed and legal. Software supplied and installed by the ICT Unit will be maintained and upgraded by the ICT Unit in accordance with section 8.5.1 above.

8.6 Anti-Virus Upgrades and Maintenance

8.6.1 The ICT Unit will provide up to date anti-virus software.

8.6.2 Users must check at least weekly to ensure that the systems they use are receiving these virus definitions and that they are up to date. (Guidance is available from the ICT Helpdesk).

8.7 Computer Games and Entertainment Software

8.7.1 Computer Games and Entertainment Software must not be installed or used unless approved by the appropriate Executive Manager or Head Teacher in addition to the approval required in section 8.3.1.


ICT MOBILE PHONE AND MOBILE DATA DEVICE POLICY

9.1 ICT Mobile Phone and Mobile Data Device Policy Specifics

It is the Policy of the organisation to ensure that:

9.1.1 Mobile Phones and Mobile Data Devices (Personal Digital Assistants, BlackBerrys and laptop computers) are issued as required in line with service requirements and as authorised by the Mobile Phone / Mobile Data Device Budget Responsible Officer (BRO) and appropriate management.

9.1.2 Mobile Phones and Mobile Data Devices are only purchased and operated within the framework of a Corporate Contract.

9.2 General User Responsibilities

9.2.1 Mobile Data Devices and Mobile Phones are issued to users primarily on the basis of a recognised business need. Personal use of the mobile data devices or mobile phones is allowed on the condition that call charges and data charges are paid for by the mobile device's user.

9.2.2 Mobile Data Devices must be secured by means of a password.

9.2.3 Users are encouraged to further secure their mobile phones and mobile data devices by means of a SIM PIN if a mobile phone SIM is fitted (guidance is available from the ICT Helpdesk). Users will be responsible for the cost of unauthorised use.

9.2.4 Users must notify the ICT Helpdesk or the Mobile Phone Provider immediately on noticing a loss or theft or failure of a mobile data device or mobile phone noting both the phone number of the device (if applicable) and the make/model.

9.2.5 All due care must be taken to look after an allocated mobile data device or mobile phone.

9.2.6 When employees leave, or change jobs within the organisation, they must surrender their mobile phone or mobile data device to the ICT Unit or BRO - the BRO must then notify the ICT Unit of the change of user in order to keep inventory and audit records up to date.


9.3 Use of Mobile devices when travelling abroad

9.3.1 Make sure that antivirus, anti-spyware and security patches are up to date and that a firewall is enabled where possible.

9.3.2 Check mobile voice and data tariff with ICT before travelling to minimise the risk of costly bills.

9.3.3 Enable Passcode for mobile voicemail access and delete voicemails once listened to.

9.3.4 Do not leave mobile devices unattended.

9.3.5 Do not connect to unsecured wireless networks.

9.3.6 Do not allow electronic storage devices that are not your own (for example, a third party’s USB stick) to be connected to your mobile device.

9.4 Mobile Phone Usage

9.4.1 All premium rate numbers are prohibited and so are blocked unless there is a specific work related requirement.

9.4.2 Users should not use corporate mobile phones for international services without the specific prior permission of the relevant BRO. (Users should be aware that they may be charged for receiving international calls.)

9.4.3 Directory enquiry services should be avoided where possible due to the high call charge per instance of use. Users should refer to the SIC online phone directory, the Shetland Directory, or the online Yellow Pages via the web in the first instance before using directory enquiries.

9.4.4 All devices used to browse the Internet whether in the office or not should be used in accordance with the ICT Security Policy and the user must pay any subsequent costs incurred during personal use.

9.5 Liabilities

9.5.1 The user being the designated 'keeper' of a specific mobile data device or mobile phone is responsible for paying for all non-business usage charges appearing on the bill.

9.5.2 BROs are responsible for ensuring that billing anomalies are resolved and that non-business usage is monitored and properly accounted for.

9.5.3 BROs are responsible for the collection of the payments for users' non-business usage charges appearing on the bill.

9.5.4 Mobile device charges (including those for BlackBerrys) cover web browsing and SMS text messages as well as call charges.


BREACHES OF THE ICT SECURITY POLICY

10.1 Investigation

10.1.1 The ICT Unit, relevant Line Management or Internal Audit (as appropriate) will investigate reported and discovered breaches of the ICT Security Policy. Any such investigation will conform to current legislation including but not limited to the Regulation of Investigatory Powers (Scotland) Act, 2000.

10.1.2 All ICT is provided for work purposes, but limited reasonable personal use is permitted. Data is collected on all use as a matter of routine and can be used and analysed during investigations into breaches of the ICT Security Policy. Investigations will only be initiated where there are reasonable suspicions of misuse; and with appropriate authorisation.

10.1.3 In line with the Council's Disciplinary Procedure, should any investigation indicate that disciplinary action may be necessary, Human Resources and, where appropriate, Legal Services must be consulted at an early stage to ensure that the correct procedure is followed.

10.2 Penalties

10.2.1 Any individual found to be in breach of the ICT Security Policy may be subject to disciplinary action in accordance with the Shetland Islands Council Disciplinary Procedure.

10.2.2 Dependent on the type and level of the breach of this policy, an individual may be subject to summary dismissal in accordance with Section 11 of the Council's Disciplinary Procedure. For example, the viewing, downloading or circulation of paedophiliac material is a criminal offence and may constitute gross misconduct, warranting summary dismissal from the Council.

10.2.3 The ICT Executive Manager may, as circumstances demand, at his or her own discretion suspend computer access for any user and access may only be restored by direction of the Director of Corporate Services following appropriate review of the circumstances.


ICT SECURITY POLICY REVIEW AND COMPLIANCE CHECKING

11.1 Review

11.1.1 The Policy will be reviewed by the ICT Executive Manager annually from the date signed.

11.2 Compliance

11.2.1 The ICT Executive Manager or designated officer will from time to time review procedures and systems and verify policy compliance either by direct inspection of documents, files and data or using automated software tools.

11.2.2 Shetland Islands Council's Internal Audit service will review procedures and systems and verify policy compliance either by direct inspection or using automated software tools as part of the audit process.


APPENDIX A - ICT SUPPORT CHARTER

A.1 Support, Testing and Disposal of Systems

In the normal course of their duties to resolve reported technical problems, to test systems and to implement new systems, ICT staff will require access to computers, data storage devices such as hard disks, flash drives, optical media etc. This may require access to data involving the disclosure of individual user credentials and/or access to sensitive or confidential files and information.


APPENDIX B - E-MAIL USAGE GUIDELINES

B.1 Usage of the E-Mail System

B.1.1 Think about whether an e-mail is really necessary in the first place. Would telephone or a meeting be more appropriate? E-mail is sometimes too easy to use.

B.1.2 Consider using the Intranet to post bulletins and large documents. If you really need to bring this to the attention of all staff – send a short e-mail and embed the Intranet link.

B.1.3 Take time to make an e-mail and its attachments as straightforward as possible for the recipients to read and understand the point and what actions, if necessary, are required. Many people, especially senior managers and councillors, receive huge amounts of e-mail, which is very time consuming to read through.

B.1.4 Don’t expect an immediate answer. Technically, e-mails can get queued, in some cases for hours, or people may be out of the office and will not get back to you for a few days. If you want an immediate answer, use the telephone – or follow up an e-mail with a telephone call.

B.1.5 If you are away from the office for a few days or more, set your out-of-office message on, explaining when you will be back and who to contact in the meantime.

B.1.6 Don’t use fancy backgrounds. They take up unnecessary space and can make reading the actual e-mail difficult.

B.1.7 When setting up internal meetings, use the Invite-attendees function of the E-mail system calendar. Avoid using normal e-mail unless some of the attendees are not on the main council MS Exchange 2000 system.

B.1.8 You should not circulate non-Council-related bulk messages or enter into chain mail. The e-mail system operates on equipment with a limited capacity, and this may slow down the system or cause other disruption. The same applies to sending large attachments with an e-mail message.

B.2 Recipient List

B.2.1 Don’t Spam people or flood their inboxes with e-mails they don’t really need.

B.2.2 Use CC: for people you are copying the e-mail to for information.

B.2.3 Think about whether every recipient really needs or wants to get a copy. The e-mail system makes it very easy to copy to a large number of recipients, many of whom may not in reality have the time to read it.

B.2.4 Use address groups appropriately. For example, think very carefully before using All Council Staff. Do you really need/want everyone to read this?

B.2.5 Don’t use BCC: (blind copy).

B.2.6 Put a meaningful subject in. This lets people judge what the message is about and how much importance they should place on it. It also makes the e-mail easier to find if you need to retrieve it.

B.2.7 Don’t get someone else to send an e-mail on your behalf. When faced with an inbox of dozens or even hundreds of unread messages, people make an initial assessment of the importance of a message by the subject and who the sender is. This may be unfortunate but is a fact of life. If they don’t know who it is really from, they may not allocate the correct importance to the e-mail. Again, it can also make the e-mail difficult to find.

B.2.8 You should be aware that e-mail communications are equivalent to sending a memo or letter on Council-headed paper. To avoid the unintentional formation or varying of contracts, the issue of news releases, statements or information on behalf of the Council should be restricted to authorised personnel.

B.3 Attachments

B.3.1 Think about whether all attachments are really necessary. It takes time to open and read all attachments.

B.3.2 Use e-mail as it is supposed to be used. Do not put the content of an e-mail into a Word document and attach it to a blank e-mail. It is cumbersome and time-consuming to open the attachments to find out what the e-mail is about.

B.3.3 Keep the size of any attachments to a minimum. Remember that often people will not have a fast broadband e-mail system and some attachments are better zipped.

B.3.4 Attachments containing sensitive data must be encrypted and password protected, unless being sent from a GSX email account to another GSX account. The ICT Unit provides the software PKZip on all computers to do this. Instructions on the use of PKZip can be found on the council’s intranet. Users can request a copy of PKZip be installed on any computer that does not already have it installed.

B.3.5 Ensure Word attachments are as small as possible. Repeated use of the same document (eg. Job Adverts) means that Word stores every change in the document and a one page document can end up unnecessarily large. If you use the <select all>, and cut and paste into a fresh document the document size can reduce from several megabytes to a few hundred kilobytes.

B.3.6 Think about the type of e-mail your recipient has. If they are connected by a modem, it may take hours to download. Also many e-mail systems (eg. RM EasyMail) place restrictions on the size of an e-mail and the number of attachments allowed. Account space is also limited.

B.3.7 Don’t attach file formats which the recipient doesn’t have software to read. You can assume that all Council Staff and Members have compatible versions of Word and Excel. But don’t assume that everyone has PowerPoint, Project or Publisher, for example.


B.4 Composing An E-Mail

B.4.1 Always start with a greeting (Hello, Hi, Dear …. ) and end with a farewell (Thanks, Regards, Best regards, Yours sincerely, etc).

B.4.2 Sign off with your name, job title, service, organisation and telephone number. This is especially true for external e-mails.

B.4.3 Always start with a short paragraph summarising the e-mail and detail any actions required by the recipient(s), or state that it is for information only. Again this lets the recipient quickly judge how much importance they should allocate to the e-mail.

B.4.4 DON’T SHOUT AT PEOPLE BY USING CAPITALS ALL THE TIME.

B.4.5 Try not to ramble. Keep e-mails short and to the point.

B.4.6 Try not to mix up different subjects. Send shorter e-mails on each subject.

B.4.7 Use short paragraphs separated by a blank line. Don’t keep typing in one big block. It is difficult to read.

B.4.8 Use bullet points. It’s clearer.

B.4.9 Be careful about how you word an e-mail. Lacking vocal or visual clues to the context of what is being said, it is easy for people to get the wrong end of the stick and for you to unintentionally annoy people.

B.4.10 Be polite.

B.4.11 Don’t overuse exclamation marks!!!!!!!!!! Or other punctuation??????? They can easily confuse what you are trying to say and be picked up the wrong way.

B.4.12 Emoticons (e.g. ;-) ) are useful but use them sparingly.

B.4.13 Avoid jokes unless you know the recipient(s) well. They can backfire.

B.4.14 Don’t use abbreviations unless they are generally understood. Cul8r will confuse many people (answer: “see you later”).

B.4.15 Use absolute dates and times. For example, state 30th January, 2pm rather than this afternoon. By the time the recipient gets the message, it may be confusing.

B.4.16 If including a web address, use the full URL to make it easy for people to click on right there and then.

B.5 Replying To An E-Mail

B.5.1 Be careful when using Reply-to-all, especially when it’s a general bulletin to All Council Staff & Members. Do you really want everyone to read your reply, or did you just mean to Reply to the sender.

B.5.2 Don’t flame people. It is easy to get the wrong end of the stick in an e-mail. Pick up the phone or meet face to face to get clarification. In the vast majority of cases the sender did not intend to annoy you, and it is a misunderstanding.

B.5.3 If an e-mail really does annoy you, allow yourself to cool down before replying or phoning the sender. If possible, sleep on it.


B.5.4 Try to respond as quickly as possible. If you can’t answer the question right away, send a holding reply saying you understand and state when you will get back to the sender.

B.5.5 Consider interweaving your response with the sender’s original text. This can be especially useful if replying to a number of points.

B.6 Forwarding An E-Mail

B.6.1 As with every other type of e-mail, always start with a short paragraph summarising the e-mail and detail any actions required by the recipient(s), or state that it is for information only. Summaries are especially necessary when forwarding an e-mail which has a series of replies. It can be very time-consuming for the recipient to unpick the series of replies and understand what the e-mail is about.

B.6.2 Remember that when you forward an e-mail, all attachments are forwarded with them. Are they all really necessary for the recipient to understand?

B.7 Organising Your E-Mail Account

B.7.1 All e-mail systems have limits on user account size and limits on the size of e-mails which can be sent or received. You should manage your e-mails within these limits.

B.7.2 Delete any unnecessary e-mails from sent items and inbox folders.

B.7.3 Tidy up your folders periodically by deleting old e-mails which are no longer worth keeping.

B.7.4 Don’t try to use your e-mail as a partial filing system for attachments. Save the attachments as normal and delete the e-mail.

B.7.5 Create folders to better organise your work. For example, if working on a project, consider setting up a Project folder and keep all correspondence there.

B.7.6 Consider setting up a still-to-action folder for e-mails that you have not dealt with yet.

B.7.7 When returning to dozens or hundreds of unread e-mails, try to “touch” each e-mail once only:

a. Ensure preview is switched on.

b. Scan the e-mail by sender, subject line and list of recipients to try to assess how important the e-mail is.

c. Read the content of the message in the preview panel. (This is where a summary paragraph comes in really handy.)

d. Delete unimportant e-mails.

e. Reply to any e-mails which can be dealt with quickly.

f. Move more complex e-mails to another folder for later (this may be a still-to-action folder or any other folder you have set up).

B.7.8 Archive old e-mails periodically.


B.7.9 Ensure your archives are on the network server. Do not store archives on your C: drive as they won’t be backed up.

B.7.10 Ensure you keep a note of where your archives are located.

If you would like to know more about any of the issues mentioned above, please call the ICT Helpdesk on 01595 74 4777.


APPENDIX C - SECURE OPERATING PROCEDURES

Each System Owner is responsible for ensuring that secure operating procedures are produced and followed for each system, and that they address the following issues:

C.1 SOP Introduction

C.1.1 Documented operational procedures are required to ensure correct and secure operation of computer applications and network facilities.

C.1.2 The system owner must ensure the creation and maintenance of secure operating procedures (SOPs) for all networked computer systems, to ensure a correct, secure operation. Documented procedures must also be prepared for system development, maintenance or testing work where this is carried out on a networked system.

C.1.3 The purpose of the SOP is to specify the rules necessary to comply with the System Security Policy. For example the policy might specify that a computer needs to be kept in a room that is locked during silent hours. In this case, the SOP will state who will be responsible for locking and opening the room, where the key is held, and the times the room is to be open. SOPs serve to define who is to do what, when, and in what manner.

C.1.4 All operating procedures must be treated as formal documents, changes to which may only be approved by authorised management. They must be reviewed at least annually, and maintained regularly.

C.2 SOP Contents

C.2.1 The SOP must contain the following:

description of the system functions;

responsibilities;

system security and accountability;

staff conduct and discipline;

systems management and administration;

security administration;

change control;

third party maintenance of hardware and/or software (if appropriate);

external visitors - including rules for disclosure of data (if appropriate);

timings;

procedures to:

- protect confidentiality, integrity and availability;

- report security incidents;

- monitor compliance with the SOP;

- maintain the SOP.


C.2.2 The procedures must specify the correct instructions for the detailed execution of each job, including, as appropriate:

the correct handling of data files;

scheduling requirements (including any inter-dependencies with other systems);

instructions for handling errors or other exceptional conditions, including restrictions on the use of system utilities;

support contacts in the event of unexpected operational or technical difficulties;

output handling instructions;

system restart and recovery procedures for use in the event of system failure;

system housekeeping activities associated with computer and network management (eg system start-up and close down, data backup and equipment maintenance).

C.2.3 If batch processing is to be used, the following rules must be observed:

a. Batches of sensitive data must be logged in and out of the installation.

b. All batches of sensitive data must have control totals which must be logged and checked.

c. Computer jobs must be protected such that they cannot be run without appropriate authorisation.

d. Media containing sensitive data must be kept secure when not in use.

e. Only authorised and logged production jobs may be run against sensitive data.

f. Test jobs must not access live sensitive data.

g. System utilities may only be used under strictly controlled conditions.

h. Audit trails must be maintained.
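Rules a, b, e and h above describe a control that is simple to implement but easy to get wrong: a control sheet of totals that travels with every batch of sensitive data, is recomputed on receipt, and is recorded in an audit trail as the batch is logged in and out. The following is an added example written for this editorial pass, not code belonging to the Council or to any Council system. It assumes a CSV batch with a numeric amount field and a record key field; the sample batch, field names, batch identifier and operator name are constructed for illustration. It shows why a record count alone is insufficient (a changed amount leaves the count intact) and how a value total, a hash total over a non-financial key and a content digest together catch the common tampering cases.

```python
"""Control totals and a check-in/check-out audit trail for a batch of
sensitive records (added example, not part of the Council's policy)."""
import csv
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone

# Constructed sample batch: a payroll-style extract. The field names and
# values are invented for this example and do not come from any real system.
SAMPLE_BATCH = """employee_id,surname,amount_pence
1001,Smith,152300
1002,Jones,98750
1003,Brown,204100
"""


def parse_batch(text):
    """Parse a CSV batch into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def control_totals(records, amount_field="amount_pence", key_field="employee_id"):
    """Compute the totals that travel with the batch on its control sheet.

    - record_count: detects dropped or duplicated rows
    - value_total: detects a changed amount
    - hash_total: a sum over a non-financial key, which detects a row
      swapped for another row carrying the same amount
    - sha256: digest over the canonicalised rows, which detects any edit
    """
    canonical = "\n".join(
        ",".join(str(r[k]) for k in sorted(r)) for r in records
    ).encode()
    return {
        "record_count": len(records),
        "value_total": sum(int(r[amount_field]) for r in records),
        "hash_total": sum(int(r[key_field]) for r in records),
        "sha256": hashlib.sha256(canonical).hexdigest(),
    }


def verify_batch(records, expected):
    """Recompute the totals on receipt and return a list of mismatches.

    An empty list means the batch matches its control sheet.
    """
    actual = control_totals(records)
    problems = []
    for name, want in expected.items():
        got = actual.get(name)
        if name == "sha256":
            same = hmac.compare_digest(str(got), str(want))
        else:
            same = got == want
        if not same:
            problems.append(f"{name}: expected {want}, got {got}")
    return problems


class BatchLog:
    """Minimal append-only audit trail of batches logged in and out."""

    def __init__(self):
        self.entries = []

    def _record(self, event, batch_id, operator, totals):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "batch_id": batch_id,
            "operator": operator,
            "totals": totals,
        }
        # One JSON line per event; in production this would go to a
        # write-once log store rather than an in-memory list.
        self.entries.append(json.dumps(entry, sort_keys=True))
        return entry

    def log_in(self, batch_id, operator, totals):
        return self._record("BATCH_IN", batch_id, operator, totals)

    def log_out(self, batch_id, operator, totals):
        return self._record("BATCH_OUT", batch_id, operator, totals)


def demo():
    """Log a batch in, tamper with a copy, verify both, log the batch out."""
    records = parse_batch(SAMPLE_BATCH)
    sheet = control_totals(records)
    log = BatchLog()
    log.log_in("PAY-2015-10-06", "operator1", sheet)  # constructed identifiers

    # Tampered copy: one amount changed. record_count and hash_total still
    # match the sheet; value_total and sha256 do not.
    tampered = [dict(r) for r in records]
    tampered[1]["amount_pence"] = "198750"

    clean_problems = verify_batch(records, sheet)
    tampered_problems = verify_batch(tampered, sheet)
    log.log_out("PAY-2015-10-06", "operator1", control_totals(records))
    return clean_problems, tampered_problems, log.entries


if __name__ == "__main__":
    clean, bad, trail = demo()
    print("clean batch problems:", clean)
    print("tampered batch problems:", bad)
    print("audit entries:", len(trail))
```

The control sheet itself should be transmitted or stored separately from the batch (rule a), so that whoever alters the data cannot also alter the totals; the digest comparison uses a constant-time compare out of habit, although the totals here are integrity checks rather than secrets.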


APPENDIX D - DOCUMENT ACCEPTANCE SIGN-OFF

RELEASE: v2.10

AUTHOR: James Cunningham

PUBLICATION DATE: 06/10/2015

REVIEW DATE: November 2015 by ICT Management Board

CHANGE NOTE: Modified password security notes

TITLE: ICT SECURITY POLICY

Signed: …………………………………………………………………

Title: …………………………………………………………………

Date: …………………………………………………………………

Document adopted as policy in the meeting of the Shetland Islands Council on 19th March 2008 – see Council Minutes Ref: 48/08.

(http://www.shetland.gov.uk/coins/opendocpack.asp?documentid=1157&meetingid=2291)