ISMS Security Management System - Angus Council · 2018-12-18 · 6.5 Network Management ......


INFORMATION SECURITY

MANAGEMENT SYSTEM

Version 1c

Revised April 2011


Angus Council Information SecurITy System Manual

Page : 2 May 2013

CONTENTS

Introduction ................................................................................................................................. 5

1 Security Policy ......................................................................................................................... 7

1.1 Information Security Policy ............................................................................................... 7

1.2 Scope

2 Security Organisation ............................................................................................................. 8

2.1 Information Security Infrastructure ................................................................................. 11

2.1.1 Management Information Security Forum .......................................................... 11

2.1.2 Information Security Co-ordination ..................................................................... 11

2.1.3 Allocation of Information Security Responsibilities ............................................. 12

2.1.4 Authorisation Process for IT Facilities ................................................................ 12

2.1.5 Specialist Information Security Advice ............................................................... 12

2.1.6 Co-operation Between Organisations ................................................................. 12

2.1.7 Independent Review of Information Security ...................................................... 12

2.2 Security of Third Party Access ........................................................................................ 12

2.2.1 Identification of risks from third party connections ............................................. 13

2.2.2 Security conditions in third party contracts ......................................................... 13

3 Assets Classification and Control ......................................................................................... 13

3.1 Accountability for Assets............................................................................................ 13

3.1.1 Inventory of Assets ............................................................................................. 13

3.2 Information Classification ........................................................................................... 13

3.2.1 Classification Guidelines .................................................................................... 14

3.2.2 Classification Labelling ....................................................................................... 14

4 Personnel Security ............................................................................................................... 11

4.1 Security in Job Definition ........................................................................................... 11

4.2 User Training ............................................................................................................. 14

4.3 Staff Movements ........................................................................................................ 14

4.4 Responding to Incidents ............................................................................................ 15

4.4.1 Disciplinary Process ........................................................................................... 15

5 Physical and Environmental Security ................................................................................... 15

5.1 Secure Areas ............................................................................................................. 15

5.1.1 Physical Security Perimeter ................................................................................ 15

5.1.2 Physical Entry Controls ....................................................................................... 15

5.1.3 Clear Desk Policy ............................................................................................... 15

5.1.4 Removal of Property ........................................................................................... 15

5.2 Equipment Security .................................................................................................... 16

5.2.1 Equipment Siting and Protection ........................................................................ 16

5.2.2 Power Supplies ................................................................................................... 16

5.2.3 Equipment Maintenance ..................................................................................... 16

5.2.4 Security of Equipment Off-premises ................................................................... 16

5.2.5 Secure Disposal of Equipment ........................................................................... 16

6 Computer and Network Management .................................................................................. 17

6.1 Operational Procedures and Responsibilities ............................................................ 17

6.1.1 Documented Operating Procedures ................................................................... 17

6.1.2 Incident Management Procedures...................................................................... 17

6.1.3 Segregation of Duties ......................................................................................... 17

6.1.4 Separation of Development and Operational Facilities ...................................... 17

6.2 System Planning and Acceptance ............................................................................. 17

6.2.1 Capacity Planning ............................................................................................... 18

6.3 Protection from Malicious Software ........................................................................... 18

6.4 Housekeeping ............................................................................................................ 18

6.4.1 Data Back-up ...................................................................................................... 18

6.4.2 Fault Logging ...................................................................................................... 19

6.5 Network Management ................................................................................................ 19

6.5.1 Network Security Controls .................................................................................. 19

6.6 Media Handling and Security ..................................................................................... 19

6.6.1 Management of Removable Computer Media .................................................... 19

6.6.2 Data Handling Procedures ................................................................................. 19

6.6.3 Security of System Documentation .................................................................... 19

6.6.4 Disposal of Media ............................................................................................... 19

6.7 Data and Software Exchange .................................................................................... 19

6.7.1 Data and Software Exchange Agreements ........................................................ 20

6.7.2 Security of Media in Transit ................................................................................ 20

6.7.3 EDI Security ........................................................................................................ 20

6.7.4 Security of Electronic Mail .................................................................................. 20

6.7.5 Security of Electronic Office Systems ................................................................. 20

7 System Access Control ........................................................................................................ 20

7.1 Business Requirement for System Access ................................................................ 20

7.1.1 Documented Access Control Policy ................................................................... 21

7.2 User Access Management......................................................................................... 21

7.3 User Responsibilities ................................................................................................. 21

7.4 Network Access Control ............................................................................................ 19

7.4.1 Policy on Use of Network Services ..................................................................... 19

8 Systems Development and Maintenance ............................................................................. 22

8.1 Security Requirements of Systems ............................................................................ 22

8.1.1 Security Requirements Analysis and Specification............................................. 22

8.2 Security in Application Systems ................................................................................. 22


8.3 Security in Development and Support Environments ................................................ 22

8.3.1 Change Control Procedures ............................................................................... 22

9 Business Continuity Planning ............................................................................................... 23

10 Compliance ........................................................................................................................ 23

10.1 Compliance with Legal Requirements .................................................................... 24

10.1.1 Control of Proprietary Software Copying ............................................................ 24

10.1.2 Safeguarding of Organisational Records............................................................ 24

10.1.3 Data Protection ................................................................................................... 24

10.1.4 Prevention of Misuse of IT facilities .................................................................... 24

10.2 Security Reviews of IT Systems ............................................................................. 25

10.2.1 Compliance with Security Policy ......................................................................... 25

10.3 System Audit Considerations and Controls ............................................................ 25


Introduction

The continuing availability of information is essential to the operation of Angus Council. Rapid and continuing technical advances in information processing have increased the dependence of the Council on information and automated systems. The value of data and software, in terms of restoration costs or losses due to unauthorised disclosure, far exceeds the value of its associated hardware. For that reason, information processed by computers and transmitted through networks must be recognised as a major Council asset and be protected accordingly.

The expanded use of computers and telecommunications has resulted in more accurate, reliable, and faster information processing, with information more readily available to management and staff than ever before. As a direct result of its growing commitment to the use of information technology, the Council has achieved increased productivity in terms of improved delivery of services, enhanced administrative capabilities and reduced costs. Information technology has also brought new management concerns, challenges, and responsibilities. Information assets must be protected from natural and human hazards. Policies, standards and procedures must be established to ensure that hazards are eliminated or their effects minimised. The main focus of information security is on ensuring the continuation of Council services. Providing efficient accessibility to necessary information is the primary reason for establishing and maintaining automated information systems. Protecting that information and the investment that surrounds it is the motivation for establishing an information security and risk management program.

The first step of a risk analysis is to identify the items which need to be protected. Some things are obvious, like all the various pieces of hardware. It is essential to identify all categories of things that could be affected by a security problem. A list of suggested categories follows:

• Hardware: workstations, laptops, servers, printers, communication lines, modems, hubs, routers, etc.

• Software: source programs, object programs, utilities, diagnostic programs, operating systems, database management systems, communication programs, etc.

• Data: during execution, stored on-line, archived off-line backups, audit logs, databases, in transit over communication media, etc.

• People: users, operators needed to run systems, external contractors, etc.

• Documentation: on programs, hardware, systems, local administrative procedures, etc.

• Supplies: magnetic media, etc.

Protecting information assets includes:

• Physical protection of information processing facilities and equipment;

• Protection against external intrusion;

• Maintenance of application and data integrity;

• Assurance that automated information systems perform their critical functions correctly, in a timely manner, and under adequate controls;

• Protection against unauthorised use of data or disclosure of information;

• Assurance of the continued availability of reliable and critical information.

Many functions which were traditionally manual or partially automated are today fully dependent on the availability of automated information services to perform and support their daily functions. The interruption, disruption, or loss of information support services may adversely affect the Council’s ability to provide its services. The effects of such risks must be eliminated or minimised. Additionally, information entered, processed, stored, generated, or disseminated by automated information systems must be protected from internal data or programming errors and from misuse by individuals internal or external to the organisation. Specifically, information must be protected from unauthorised or accidental modification, destruction, or disclosure. In the case of purchased information system components, the integrity, competence, and economic stability of the vendor must be assured. Otherwise, there is a risk of compromising the integrity of the Council’s reputation, or violating individual rights to privacy.

While it is unlikely that security risks can be eradicated, by selecting and implementing the appropriate controls we can ensure that any risks identified are reduced to an acceptable level. These controls should be selected based on the cost of implementation in relation to the reduction in risk and the potential losses if a security breach occurs while also taking into account the need to preserve the confidentiality, integrity and availability of the information being protected. Non-monetary factors such as loss of reputation should also be taken into account.


1 Security Policy

1.1 Information Security Policy

This information security management system and associated operational procedures will, as far as practicable, address the Information security management principles defined within BS7799 (1999) ‘Code of Practice for Information Security Management’. As such, this Policy will enable the Council’s I.T. users, suppliers and contractors to accurately address the Information Security requirements of the Council, thus avoiding ambiguity in the specification, delivery and implementation of Information systems.

Operational procedures will be established to implement the corporate information security requirements outlined in this Security Management System, and appropriate mechanisms will be put in place to monitor and manage these procedures.

This Information Security Management System is supplemented by an “Information Security - User Guidelines” document.

Security Organisation

A management framework will be established to initiate and control the implementation of information security within the organisation.

The Council’s Head of Information Technology will serve as the designated officer responsible for developing, publishing, maintaining and administering the Information Security Policy.

Heads of Service are deemed to be owners of their departmental information assets. They may delegate their security responsibilities to individuals or service providers. Nevertheless the owner remains ultimately responsible for the security of the asset and should be able to determine that any delegated responsibility has been discharged correctly.

Implementation of the information security policy will be independently reviewed to ensure that practices laid down within the policy are feasible and effective and are being adhered to.

Security of Third Party Access

To maintain the security of Council I.T. facilities and information assets, access to Council I.T. facilities by (non-organisational) third parties will be rigorously controlled.

Assets Classification and Control

To ensure that information assets receive an appropriate level of protection, security classifications will be used to indicate the need and priority.

The Head of Information Technology will maintain a computer based inventory register which will fully address the requirements of the Council’s Audit or Inventory Procedures. This register will include all major items of I.T. hardware, software systems, applications and data owned or licensed by the Council.

The responsibility for classifying and declassifying departmental information assets will reside with the designated asset owners. The Head of Information Technology will be responsible for classifying and declassifying corporate information assets.

Personnel Security

The Council’s Chief Officers will take all appropriate measures to minimise the risks of human error, theft, fraud or misuse of the Council’s information assets and facilities. In addition, steps will be taken to ensure that all users of the Council’s information systems are made aware of security risks and are equipped to adhere to, and support the Council’s Information Security Policy in the course of their normal duties.

User Training

Relevant information security issues will be included in any formal and informal training given to the users of the Council’s information systems.

Responding to Incidents

All Council staff have a responsibility to report suspected breaches of this Information Security Policy to their own departmental management.

All security incidents will be reported and recorded by means of a formal logging and follow-up system and referred to the Audit, VFM and Risk Manager.

Unless authorised by the Head of Information Technology, staff will on no account attempt to replicate or simulate any suspected security breach or incident.

Council staff suspected of causing a security breach will be subject to investigation under established formal disciplinary procedures.

Physical and Environmental Security

Appropriate control mechanisms will be established to prevent unauthorised access, damage and interference to Council information services, including all physical information assets which support critical or sensitive departmental activities.

Removal of Property

Removal of property or information belonging to the Council is prohibited without prior authorisation by the departmental head.

Any piece of Council computer equipment authorised for use outwith Council premises, including laptop computers, will be subject to the same guidelines for use as I.T. equipment within the workplace.

Whilst off-site, such equipment will be protected by the user from the risk of theft and will not be left unattended in public places. When being transported, equipment will be stored out of view.

Computer and Network Management

To ensure the correct and secure operation of computer and network facilities, responsibilities and procedures for the management and operation of all computers and networks will be established.

Protection from Malicious Software

To safeguard the integrity of software and data, no unlicensed or unauthorised software will be permitted on any of the Council’s I.T. systems.

Data files may only be downloaded from external sources, such as bulletin boards or the internet, in accordance with Angus Council’s “E-Mail and Internet Usage Policy”.

Council employees must read and comply with Angus Council’s “E-mail and Internet Usage Policy”.

Pro-active measures will be taken to safeguard the integrity of software and data by detecting and counteracting the effects of ‘malicious’ software such as computer viruses. This will include the provision of virus detection software on the Council’s computer systems.

Staff who use Council I.T. systems will be responsible for reporting any suspected incidents of computer virus infection to the I.T. Help Desk for further assessment and rectification.

Data Back-up

Adequate backup facilities will be provided to ensure that all essential business information can be backed up and recovered if necessary.

Backup tapes and accurate and complete records of backup copies should be stored in a remote location, sufficient to escape any damage from a disaster at the main site.

Fault Logging

Faults will be reported to the IT Division Help Desk, where they will be processed in accordance with the help desk procedures.

Only persons authorised by the Head of Information Technology will carry out repairs and servicing of Council equipment.

Network Management

To ensure the safeguarding of information in networks and the protection of the supporting infrastructure, data networks will be managed in such a way as to prevent unauthorised logical and physical connection, and to detect unauthorised connection should this occur.

No connection to the corporate communications network will be permitted without the prior approval of the Head of Information Technology.

Media Handling and Security

To prevent the possibility of damage, theft or unauthorised access to Council information assets and interruptions to business activities, all computer media containing valuable data will be stored securely.

System Access Control

It is the policy of Angus Council to restrict access to information systems to only those staff and authorised agents of the Council who require such access to enable them to undertake their duties.

It is the responsibility of all Heads of Department and the Head of Information Technology to implement this policy as required.

Access controls and the use and protection of passwords are set out in the “Information Security User Guidelines”. These guidelines will be distributed to all users of information systems within the Council.

The installation and upgrade of operational systems will only be performed by arrangement with the Head of Information Technology.

Business Continuity Planning

To counteract interruptions to business activities and to protect critical business processes from the effects of major failures and disasters, departmental business continuity management processes will be implemented.

Compliance

The Council’s Information Security Policy is intended to fully comply with all statutory, criminal and civil obligations to which the Council is required to adhere in relation to the implementation, management and use of Information systems and services.

In addition, the Head of Information Technology will implement appropriate procedures to ensure that all procurement conforms to appropriate European Community legislative requirements in addition to the Council’s Standing Orders and Financial Regulations.

The copyright of all software applications systems developed by Council staff or authorised agents using Council resources will rest with the Council.

The departmental owners of software applications will ensure that copies of data on magnetic media are retained for the period of time necessary for the equivalent paper copies, and that such data is regularly restored and archived to ensure their continued integrity.

Important Council records will be protected from loss, destruction and falsification.

Some records may need to be securely retained to meet statutory or regulatory requirements as well as to support essential business activities.

Data Protection

Applications handling personal data on individuals will comply with data protection legislation and principles.

Prevention of Misuse of IT facilities

The Council’s information processing facilities are provided for business purposes.

The use of departmental information processing facilities will be authorised by the departmental director.

If any misuse is identified it will be subject to the appropriate disciplinary action.

Compliance with Security Policy

All areas within the organisation will be regularly reviewed to ensure compliance with security policies and standards.

Chief Officers will ensure that all security procedures within their area of responsibility are carried out correctly.

System Audit Considerations and Controls

Periodic audits of working practices will be undertaken to ensure compliance with this Security Policy.

The Head of Information Technology will arrange a continual review of operational information systems to ensure that security controls have been properly implemented and continue to be effective.

Other related documentation

Data Protection Act 1998

Computer Misuse Act 1990

Copyright, Designs and Patents Act 1989

Angus Council E-mail and Internet Usage Policy

Angus Council Information Security Management System

Angus Council Information Security User Guidelines

Information Security Incident Reporting Procedure


1.2 Scope

The implementation of this Policy ensures the protection of the Council’s information infrastructure, which is taken to include:

• All physical data communications networks and components;

• All software applications resident on PCs, file servers and networking equipment;

• All computer systems and accompanying operating system software;

• All corporate software applications;

• All magnetic storage media;

• All IT related system and software applications documentation;

• All hard copy (printer output).

The rigorous implementation of this Policy will help to ensure the confidentiality, integrity and availability of all electronically stored data, systems and application software.

2 Security Organisation

2.1 Information Security Infrastructure

Objective: To manage information security within the organisation.

A management framework will be established to initiate and control the implementation of information security within the organisation.

The Council’s Head of Information Technology will serve as the designated officer responsible for developing, publishing, maintaining and administering the Information Security Policy.

2.1.1 Management Information Security Forum

Management direction will be provided through a suitable high level steering forum.

The Information Security Group, chaired by the Head of Information Technology, will provide a focus for the implementation and development of the Information Security Policy within the Council.

Meetings of the group will be convened at regular intervals to address the following objectives:

• Ensure that the Information Security Policy is formally adopted by all of the Council’s constituent departments;

• Provide a mechanism for reviewing, amending and monitoring adherence to the Information Security Policy;

• Review major information security incidents, and the exposure to major threats to the Council’s information systems and infrastructure;

The group will be authorised to approve initiatives to enhance information security subject to suitable funding arrangements.

2.1.2 Information Security Co-ordination

It will be necessary to co-ordinate information security measures through a cross-functional forum with all user departments represented at a management level with the authority to implement necessary measures.


2.1.3 Allocation of Information Security Responsibilities

Heads of Department are deemed to be owners of their departmental information assets. They may delegate their security responsibilities to individuals or service providers. Nevertheless the owner remains ultimately responsible for the security of the asset and should be able to determine that any delegated responsibility has been discharged correctly.

2.1.4 Authorisation Process for I.T. Facilities

Installation of I.T. facilities will be authorised by the Head of Information Technology and carried out by contractors approved and authorised by him.

2.1.5 Specialist Information Security Advice

When specialist advice on information security is required all enquiries will be directed to the Head of Information Technology.

2.1.6 Co-operation Between Organisations

When necessary appropriate contacts with law enforcement authorities, regulatory bodies, and service providers will be made to ensure that appropriate action can be taken in the event of a security incident.

Membership of security groups and forums will be actively considered.

Exchange of security information will be restricted to ensure that confidential information is not passed to unauthorised persons.

2.1.7 Independent Review of Information Security

Implementation of the information security policy will be independently reviewed to ensure that practices laid down within the policy are feasible and effective and are being adhered to.

2.2 Security of Third Party Access

Objective: To maintain the security of Council I.T. facilities and information assets accessed by third parties.

Access to council I.T. facilities by (non-organisational) third parties will be rigorously controlled.

As appropriate, all contracts established for the purposes of external third party connection to the Council’s I.T. infrastructure and systems will include the following elements:

• A general policy statement on Information security, including reference to this Policy and to BS7799;

• Permitted methods of access, and the control and use of unique user identifiers and passwords;

• Involvement of sub-contractors;

• Description of each I.T. service for which third party connection is required;

• Requirement to maintain a register of authorised third party users and associated authorisation processes;

• Times and dates of availability;

• Respective liabilities, and rights to revoke the contract;

• Responsibilities for user training, equipment installation, physical and data protection;

• Measures to ensure the return, or destruction, of information assets at the end of the contract;

• Software virus protection.

2.2.1 Identification of risks from third party connection

No third party access to the Council’s information technology infrastructure will be permitted without the express permission of the Head of Information Technology.

The risks associated with third party connection to the Council’s information technology infrastructure and systems will be individually assessed in the context of the policy.

Third party connection will only be authorised when the appropriate Head of Department has requested the need for such connection, the IT Division has established appropriate controls, and a suitable contract defining the terms of connection has been signed by the third party.

2.2.2 Security conditions in third party contracts

Contracts with third parties requiring access to council I.T. facilities will be created in conjunction with the Head of Law and Administration to specifically include the necessary security conditions.

3 Assets Classification and Control

Appropriate measures will be established to ensure that protection of the Council’s physical I.T. assets and computer stored data is maintained at all times.

3.1 Accountability for Assets

Objective: To maintain appropriate protection of Council information assets.

All major information assets will be accounted for and have a designated owner. (See 2.1.3.)

3.1.1 Inventory of Assets

Inventories will be maintained of all major information and IT assets.

Each Department will maintain a computer based inventory register which will fully address the requirements of the Council’s Audit or Inventory Procedures. This register will include all major items of I.T. hardware, but will exclude minor equipment such as connection cables.

The register will also include all major software systems, applications and data owned or licensed by the Council including software applications which have been developed by other departments within the Council.

Other information assets which are required for business continuity purposes (such as magnetic media, power supplies, communications services and air-conditioning equipment, etc.) will be identified and recorded in the Emergency Inventory List of each department's Business Continuity Plan.

3.2 Information Classification

Objective: To ensure that information assets receive an appropriate level of protection, security classifications will be used to indicate the need and priorities for security protection.

A Council wide Information Asset Inventory will be maintained to classify the security requirements of information assets in one of the two classes defined below:

Normal Security Level. This will be the default classification and will cover the majority of Council’s Information assets. No physical identification of this level will require to be shown.

High Security Level. Certain commercially sensitive systems, or systems which contain personal data protected under the terms of data protection legislation, will be classified at the High Security Level.

Information assets (physical, application or data) which if lost, due to technical failure or accidental deletion, would cause major disruption, should also be classed as High.

The responsibility for classifying and declassifying departmental information assets as Normal or High Security Level will reside with the designated asset owners. The Head of Information Technology will be responsible for classifying and declassifying corporate information assets.

3.2.1 Classification Guidelines

Protection for classified information will be consistent with business needs.

3.2.2 Classification Labelling

Outputs from systems containing information classified as sensitive will be labelled appropriately.

Items for consideration may include printed reports, display screens and recorded media.

4 Personnel Security

Objective: To reduce the risks of human error, theft, fraud or misuse of facilities.

The Council’s Chief Officers will take all appropriate measures to minimise the potential risk of human error, theft, fraud or the misuse of the Council’s information assets.

In addition, steps will be taken to ensure that all users of the Council’s information systems are made aware of security risks and are equipped to adhere to, and support the Council’s Information Security Policy in the course of their normal duties.

The employee's responsibility for information security will be highlighted and addressed at the induction stage, included in job descriptions where appropriate, and monitored during the individual's employment.

4.1 Security in Job Definition

Where an employee has specific responsibilities for information security these will be highlighted in their job outline or description.

4.2 Staff Movements

To allow user accounts and group memberships to be kept up to date, departmental heads shall inform the Head of Information Technology of all staff movements (terminated employment, maternity leave, long term sick, etc.) where staff members have access to I.T. facilities.

4.3 User Training


Objective: To ensure that users are aware of information security threats and concerns, and are equipped to support organisational security policy in the course of their normal work.

Chief officers will ensure that users of council information systems (including, when necessary, third party organisations) are trained in their proper use. This will include, where necessary, highlighting the security implications and legal responsibilities associated with the improper use of information processing facilities.

Relevant information security issues will be included in any formal and informal training given to the users of the Council’s information systems.

4.4 Responding to Incidents

Objective: To minimise the damage from security incidents and malfunctions and to monitor and learn from such incidents.

All Council staff have a responsibility for reporting suspected breaches of this Information Security Policy to their own departmental management.

Unless authorised by the Head of Information Technology, staff will on no account attempt to replicate or simulate any suspected security breach or incident.

4.4.1 Disciplinary Process

Council staff suspected of causing a security breach will be subject to investigation under established formal disciplinary procedures.

5 Physical and Environmental Security

5.1 Secure Areas

Objective: To prevent unauthorised access, damage and interference to Council information services.

Appropriate control mechanisms will be established to prevent unauthorised access, damage or interference to the Council’s information infrastructure and systems, including all physical information assets which support critical or sensitive departmental activities.

5.1.1 Physical Security Perimeter

Appropriate physical security will be applied to protect areas which contain information processing facilities or equipment.

5.1.2 Physical Entry Controls

Designated secure areas will be protected by appropriate entry controls to ensure that only authorised persons can gain access.

5.1.3 Clear Desk Policy

Areas dealing with confidential materials and information should consider operating a clear desk policy to reduce the risk of unauthorised access, loss of or damage to information.

5.1.4 Removal of Property


Removal of property belonging to the Council is prohibited without prior authorisation by the departmental head.

5.2 Equipment Security

Objective: To prevent loss, damage or compromise of assets and interruption to business activities.

Where deemed necessary and where reasonably practicable, appropriate measures will be taken to ensure that equipment is physically protected from security threats and environmental hazards.

5.2.1 Equipment Siting and Protection

Equipment will be sited and protected to reduce the risks of damage, interference and unauthorised access.

Equipment which requires additional security, and cannot be stored in secure areas, will be sited in areas where staff require only occasional access.

5.2.2 Power Supplies

All equipment deemed to support critical operational or business functions will be protected from power supply failure or fluctuation by uninterruptible power supplies (UPS).

5.2.3 Equipment Maintenance

Only persons authorised by the Head of Information Technology will carry out repairs and servicing of Council equipment.

Where necessary, information technology staff will implement appropriate controls for the protection of data before sending equipment off site for repair or allowing third party access to perform maintenance on council equipment.

5.2.4 Security of Equipment Off-premises

Any piece of Council computer equipment authorised for use outwith Council premises, including laptop computers, will be subject to the same guidelines for use as I.T. equipment within the workplace.

Authorisation from the appropriate departmental director will be required before equipment is taken off-site.

Whilst off-site, such equipment will be protected by the user from the risk of theft and will not be left unattended in public places. When being transported, equipment will be stored out of view.

Information (magnetic media, printed, etc.) will not be removed for use outside council premises without permission from the appropriate departmental director.

5.2.5 Secure Disposal of Equipment

All data will be erased from equipment prior to disposal.

All equipment and media declared as redundant will be disposed of in accordance with Council procedures. In the case of PC equipment, specific care will be taken to ensure that all licensed systems software and data are erased from disk prior to disposal.


Magnetic media removed from equipment will be disposed of in a similar manner.

6 Computer and Network Management

6.1 Operational Procedures and Responsibilities

Objective: To ensure the correct and secure operation of computer and network facilities.

Responsibilities and procedures for the management and operation of all computers and networks will be established.

6.1.1 Documented Operating Procedures

Formally documented operational procedures will be established to ensure the correct and secure operation of council information systems.

Detailed procedures will be established for the management of system failures. These will include the development of comprehensive contingency plans for critical corporate systems and security incident policies.

6.1.2 Incident Management Procedures

Incident management responsibilities and procedures will be established to ensure a quick, effective and orderly response to security incidents.

All security incidents will be reported and recorded by means of a formal logging and follow-up system and referred to the Audit, VFM and Risk Manager.

For each incident, this will include the investigation of the cause and options for the prevention of a recurrence.

An audit trail suitable for internal statistical analysis, and for use as evidence on contractual and legal issues such as computer misuse and data protection will be created.

6.1.3 Segregation of Duties

Duties within council departments will be segregated to minimise the risk of negligent or deliberate system misuse.

6.1.4 Separation of Development and Operational Facilities

As far as is practicable, the IT Division will take the following steps to separate operational and development / test environments:

• Operational and development software will not be run on the same system;

• System test environments will, as far as practicable, mirror the planned operational environment;

• Unless specifically required, code compilers, editors and system utilities will not reside in operational environments;

• Different log-on procedures will be used for operational and test systems.

6.2 System Planning and Acceptance

Objective: To minimise the risk of systems failure.


Projections of future capacity requirements will be made to reduce the risk of system overload.

The operational requirements of new systems will be established, documented and tested prior to acceptance of the system.

6.2.1 Capacity Planning

The Head of Information Technology will adopt capacity planning and monitoring procedures to minimise the potential risk of system failure due to overload in the I.T. infrastructure.

The utilisation of system resources such as processing power, memory capacity, disk and tape storage capacity, throughput and the capacity of the corporate network will be monitored to identify performance bottlenecks and allow assessments of increases in system demands.

6.3 Protection from Malicious Software

Objective: To safeguard the integrity of software and data.

No unlicensed or unauthorised software will be permitted on any of the Council’s I.T. systems.

Pro-active measures will be taken to safeguard the integrity of software and data by detecting and counteracting the effects of ‘malicious’ software such as computer viruses. This will include the provision of virus detection software on the Council’s computer systems.

Virus detection software will be updated at frequent and regular intervals to ensure that the Council information systems are being protected from infection from new software viruses.

All Council staff who use PC equipment will be required to pre-scan all floppy disks received from other external or internal Council sources.

Data files may only be downloaded from external sources, such as bulletin boards or the internet, in accordance with Angus Council’s “E-Mail and Internet Usage Policy”.

Staff who use Council I.T. systems will be responsible for reporting any suspected incidents of computer virus infection to the I.T. Help Desk for further assessment and rectification. Staff will not attempt to rectify the situation themselves.

6.4 Housekeeping

Objective: To maintain the integrity and availability of information services.

Housekeeping measures are required to maintain the integrity and availability of services.

6.4.1 Data Back-up

Back-up copies of essential business data and software will be taken regularly and in accordance with procedures required by the appropriate head of department.

Adequate backup will be provided to ensure that all essential business information can be backed up and recovered if necessary.

Critical systems backups will be taken daily or as prescribed by the appropriate head of department.

Accurate and complete records of backup copies should be stored in a remote location, sufficient to escape any damage from a disaster at the main site.

Backed up information will be given an appropriate level of physical and environmental protection.

Backed up media will be regularly tested where practicable to ensure reliability.


6.4.2 Fault Logging

Faults will be reported and corrective action taken.

Faults will be reported to the IT Division Help desk where they will be processed in accordance with the help desk procedures.

6.5 Network Management

Objective: To ensure the safeguarding of information in networks and the protection of the supporting infrastructure.

6.5.1 Network Security Controls

Data networks will be managed in such a way as to prevent unauthorised logical and physical connection, and to detect unauthorised connection should this occur.

Controls as specified in the Council's “Information Security Controls” document will be applied as necessary.

No connection to the corporate communications network will be permitted without the prior approval of the Head of Information Technology.

6.6 Media Handling and Security

Objective: To prevent damage to assets and interruptions to business activities.

6.6.1 Management of Removable Computer Media

When not in use all computer media containing valuable data will be stored securely.

When no longer required the previous contents of reusable media will be erased.

6.6.2 Data Handling Procedures

Operational procedures will be established to protect computer media (tapes, disks, cassettes, etc.) and sensitive documentation from the possibility of damage, theft and unauthorised access.

6.6.3 Security of System Documentation

Systems documentation will be subject to the same rules as data for storage, distribution, back-up and disposal.

6.6.4 Disposal of Media

Confidential paper based printouts will be collected and disposed of in accordance with Council directives for the disposal of confidential waste.

All confidential or sensitive data stored on magnetic media which is deemed to be redundant will be erased prior to the disposal of the media.

6.7 Data and Software Exchange


Objective: To prevent loss, modification or misuse of data.

6.7.1 Data and Software Exchange Agreements

When deemed necessary, the physical or electronic exchange of any software or data between the Council and external bodies shall be subject to formal agreement. Such agreements will include the identification of data formats, secure carrier arrangements and documented verification of receipt.

6.7.2 Security of Media in Transit

When information or software is to be transported, for instance via post or courier, appropriate controls will be applied to safeguard it.

6.7.3 Electronic Data Interchange Security

Special security controls will be applied, where necessary, to protect electronic data interchange.

Wherever practicable, software applications which depend upon Electronic Data Exchange facilities will include precautions to deal with the possibility that data has been intercepted or modified during transmission, and will include checks that data has been dispatched and delivered in accordance with the system requirements.

Communications will be managed through a managed gateway that incorporates controls to prevent any unauthorised access to the Council’s data communications network.

Data which has been classified as High Security Level will not be transmitted unencrypted.

6.7.4 Security of Electronic Mail

Controls will be applied, where necessary, to reduce the business and security risks associated with electronic mail.

Council employees must read and comply with Angus Council’s “E-mail and Internet Usage Policy”.

6.7.5 Security of Electronic Office Systems

Clear policies and guidelines will be maintained to control the business and security risks associated with electronic office systems.

7.0 System Access Control

7.1 Business Requirement for System Access

Objective: To control access to business information.

Access to computer services and data will be controlled on the basis of business requirements.

Procedures will be established to control access to computer systems and data. These procedures will take full account of policies for the dissemination of, and entitlement to access, corporate data.

Steps will be taken to make users aware of their responsibilities for maintaining effective system access controls, particularly regarding the use of user accounts, passwords and the security of information systems.


7.1.1 Documented Access Control Procedures

Business requirements for access control will be defined and documented.

It is the policy of Angus Council to restrict access to information systems to only those staff and authorised agents of the Council who require such access to enable them to undertake their duties.

It is the responsibility of all Heads of Department, and of the Head of Information Technology, to implement this policy as required.

Each multi-user software application will have user access control procedures clearly defined by the departmental owner of the system.

This procedure will define:

• The access rights of each user or group of users;

• The security requirements of individual departments and support applications;

• The relevant policy for information dissemination and entitlement;

• Adherence to relevant legislation, e.g. the Data Protection Act.

7.2 User Access Management

Objective: To prevent unauthorised computer access.

Information resources will be subject to risk assessment.

Based on the results of the assessments, the necessary controls as specified in the Angus Council “Information Security Controls” document will be applied.

To maintain effective control over access to data and information systems, departmental directors will be responsible for ensuring and regularly reviewing that:

• The level of access granted to a user is appropriate to their business needs.

• Unique user accounts and passwords are used.

• Records of user access rights and group memberships are maintained.

• The IT Division is informed immediately of all staff movements.

7.3 User Responsibilities

Objective: To prevent unauthorised user access.

The responsibilities of staff and authorised system users for the effective security of information systems, access controls and the use and protection of passwords are set out in the “Information Security - User Guidelines”. These guidelines will be distributed to all users of information systems within the Council.

7.4 Network Access Control

Objective: Protection of network services.

Access to both internal and external networked services will be controlled.

This is necessary to ensure that users who have access to Council network services do not compromise their security.

This will be done by ensuring:

• Appropriate interfaces between Council networks and others (public or private);

• Appropriate authentication systems for users;

• Control of user access to information systems.

7.4.1 Policy on Use Of Network Services

Insecure connections to network services can affect the security of the whole Council.

Users will only be granted access to services that they are specifically authorised to use.

To protect Council information systems, controls as specified in the Angus Council “Information Security Controls” document will be applied as deemed necessary.

8 Systems Development and Maintenance

8.1 Security Requirements of Systems

Objective: To ensure that security is built into information systems.

The design and implementation of the business process supporting the application or service can be crucial for security.

Security requirements will be identified and included in the system specification prior to the development or implementation of new information systems.

8.1.1 Security Requirements Analysis and Specification

Specific checks will be made when upgrading operating systems or applications to ensure that systems security will not be compromised.

To minimise the chance of compromising security, strict control will be exercised over the implementation of new software on operational systems.

The installation and upgrade of operational systems will only be performed by arrangement with the Head of Information Technology.

8.2 Security in Application Systems

To prevent loss, modification or misuse of user data in application systems, controls as specified in the Council's “Information Security Controls” document will be applied as necessary.

8.3 Security in Development and Support Environments

Objective: To maintain the security of application system software and data.

Managers and staff responsible for application systems development will ensure that all proposed system changes are reviewed to check that they do not compromise the security of the system, its data or the operating system, and that formal agreement and approval for any change is obtained.

8.3.1 Change Control Procedures


In order to prevent the corruption of information systems, there will be strict control over the implementation of changes.

Formal change control procedures will be implemented.

These will ensure that security and control procedures are not compromised, and that developers are given access only to those parts of the system necessary for the purpose of effecting changes.

9 Business Continuity Planning

Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures and disasters, departmental business continuity management processes will be implemented.

Departmental directors are responsible for formulating their department's Business Continuity Plan based on the following points.

• Council computer systems will be classified into three main categories, these being Council Core, Departmental Core and Non Core.

• The Head of Information Technology will provide the lead in carrying out risk assessment in relation to Council Core Systems and advising on the formulation of continuity plans for all likely disasters.

• Departmental Core and Departmental Non Core systems are the sole responsibility of the user department.

• Departments will appoint a lead officer to manage the business continuity process.

• Departments will carry out risk assessment in relation to Core Council business and (in co-operation with Head of Information Technology) formulate continuity plans for all likely disasters.

• Departments will assume responsibility for the maintenance and documentation of alternative manual procedures.

• Departments will establish an annual test procedure for continuity plans.

• Plans must include the disaster checklists required for each risk identified, resumption procedures, a list of contacts and a list of the minimum equipment required for ensuring business continuity.

• The Head of Information Technology will instigate a test programme in order to satisfy the adequacy of those aspects of the plans for which his staff have significant responsibility.

• Continuity plans are to be familiar to all staff within Departments.

• Departments are responsible for the interim arrangements required to manage the continuity process.

• Continuity plans are to be stored in a secure, off site location.

• Departments will test the adequacy of current backup procedures to ensure the availability of complete backups including data, operating system and application software.

• The Head of Information Technology will accept responsibility for the co-ordination of IT systems recovery within the priority framework.

• Procedures will be established to annually review the contingency plans in response to operational or technological changes.

10 Compliance


The Council’s Information Security Policy is intended to fully comply with all statutory, criminal and civil obligations to which the Council is required to adhere in relation to the implementation, management and use of Information systems and services.

In addition, the Head of Information Technology will implement appropriate procedures to ensure that all procurement conforms to appropriate European Community legislative requirements in addition to the Council’s Standing Orders and Financial Regulations.

The Council’s obligations will include the establishment of measures to prevent the copying of licensed software systems, and procedures that address the requirements for data protection.

10.1 Compliance with Legal Requirements

Objective: To avoid breaches of any statutory, criminal or civil obligations and of any security requirements.

All Council staff and authorised agents will conform to the terms of software licence agreements, and no software will be copied on to another IT system without authorisation from the Head of Information Technology.

The copyright of all software applications systems developed by Council staff or authorised agents using Council resources will rest with the Council.

The departmental owners of software applications will ensure that copies of data on magnetic media are retained for the same period as the equivalent paper copies, and that such data is regularly restored and archived to ensure its continued integrity.

10.1.1 Control of Proprietary Software Copying

Attention is drawn to the legal restrictions on the use of copyright material.

Proprietary software products are usually supplied under a licence agreement which limits the use of the products to specified machines or numbers of installations.

It is the responsibility of the department owning the licensed software to ensure that the terms of the licence are adhered to.

10.1.2 Safeguarding of Organisational Records

Important Council records will be protected from loss, destruction and falsification.

Some records may need to be securely retained to meet statutory or regulatory requirements as well as to support essential business activities.

10.1.3 Data Protection

Applications handling personal data on individuals will comply with data protection legislation and principles.

In terms of the requirements of the Data Protection Act (1998), the Head of Law and Administration is the nominated Data Protection Officer.

Through the Chief Executive, each of the departmental directors will be responsible for the registration of data for their own departments.

Further information is available from the Council’s Data Protection Policy.

Any council employees who access data (including manual data) must be made aware of, and comply with, all relevant data protection legislation and procedures.

10.1.4 Prevention of Misuse of IT facilities


The Council’s information processing facilities are provided for business purposes.

The use of a department’s information processing facilities will be authorised by the departmental director.

If any misuse is identified it will be subject to the appropriate disciplinary action.

10.2 Security Reviews of IT Systems

To ensure compliance of systems with organisational security policies and standards, the security of information systems will be regularly reviewed.

Such reviews will be performed against the appropriate security policies.

Owners of information systems will support regular reviews of the compliance of their systems with the appropriate security policies, standards and any other security requirements.

10.2.1 Compliance with Security Policy

All areas within the organisation will be regularly reviewed to ensure compliance with security policies and standards.

Departmental directors will ensure that all security procedures within their area of responsibility are carried out correctly.

10.3 System Audit Considerations and Controls

Periodic audits of working practices will be undertaken to ensure compliance with this Security Management System.

The purpose and scope of each audit study and the procedures to be used will be agreed with the director responsible for the area or system which is subject to audit.

Auditors will only be given access to the software and data on the systems which are subject to audit, except where this is not practical due to technical limitations (e.g. processing data on PC equipment).

Auditors will be provided with the resources required for audit purposes, except where this would endanger the delivery of service by the system subject to audit.

Auditors will be required to log all their access to systems, and the procedures they have employed during audit.

All system audit software and data files will be kept separate from development and operational systems and will be accessible only to the Council’s audit function.

The Head of Information Technology will arrange a continual review of operational information systems to ensure that security controls have been properly implemented and continue to be effective.