AGENDA ITEM 20
BOROUGH OF POOLE
CABINET
3rd April 2007
PUBLICATION OF NEW AND UPDATED ICT ‘ACCEPTABLE USE’ AND SECURITY POLICIES
PART OF THE PUBLISHED FORWARD PLAN – YES
1. Purpose of the Report
1.1 To consider the approval and implementation of a new and updated framework of ICT Security Policies.
2. Decisions Required
2.1 The Cabinet are asked to:
2.1.1 Agree to endorse and support the implementation of the updated ICT Security Policy.
2.1.2 Approve the content and purpose of the new Access Control Policy.
2.1.3 Approve the content and purpose of the updated ICT ‘Acceptable Use’ policies.
3. Background
3.1 The ICT Acceptable Use and Security policies are now a number of years old. As such they no longer reflect the needs of our ‘e-enabled’ organisation.
3.2 The ICT Security Officer has been working with a 3rd party consultant to achieve ISO 27001 compliance. ISO 27001 is an accepted international standard for the management of ICT security.
3.3 As part of our roadmap towards achieving ISO 27001 compliance we are required to have in place a framework of up to date, concise and corporately owned ICT policies governing the key aspects of ICT security management.
3.4 ISO 27001 compliance is already mandatory within Central Government departments. In anticipation of this standard becoming mandatory within the wider public sector, officers felt it prudent to make an early move towards achieving compliance.
4. The policies
4.1 The policies have been updated and developed in consultation with officers from Internal Audit and Review, Personnel and Training Services and UNISON:
- ICT Security Policy (Appendix A)
- Access Control Policy (Appendix B)
- Email and Internet Policy (Appendix C)
- Use of Computers Policy (Appendix D)
- Remote Access policy (Appendix E)
- Software Copyright Compliance Policy (Appendix F)
Together all documents complete a framework of ICT policies, as demonstrated in the diagram below:
4.2 The policies are driven and supported by the high level corporate ICT Security Policy. Cabinet should note the requirement for this policy document to be officially endorsed by the Chief Executive and Leader of the Council.
4.3 The policies will be made available and publicised to all staff via The Loop, Splash and within the Code of Conduct. As part of this implementation process all staff will be made aware of their own responsibilities in supporting and complying with the policies.
4.4 It is expected the policies will help further educate all staff on acceptable computer use, which in turn should lead to a reduction in security incidents and instances of email or internet misuse. It is also expected to provide confidence to all customers (both corporately and to members of the public) that information security is corporately owned and that a recognised industry standard framework has been adopted to manage it effectively.
5. Financial and Legal Implications
5.1 There are no financial implications.
5.2 Advice has been sought from Legal and Democratic Services to ensure that the policies are of an acceptable legal standard.
KATIE LACEY
Head of ICT & Business Support
Background Papers
Name & Telephone number of Officer Contact
Marc Biondic, 01202-633515
Appendix A
Information Security Policy
1. Introduction
The Borough of Poole’s citizens look to it to maintain the confidentiality, integrity and availability of their information, some of which may contain very sensitive details. Information security therefore is extremely important to the Borough of Poole in order to preserve its reputation, brand and credibility.
2. Objective
The objective of this Policy is to protect the Borough of Poole’s information assets from all threats, whether internal or external, deliberate or accidental.
In support of this objective, the Chief Executive and Council Leader of the Borough of Poole accept their role in being fully accountable for information security and are committed to:
- Treating information security as a critical business issue
- Creating a security-positive work environment
- Implementing controls that are proportionate to risk
- Achieving individual accountability for compliance with information security policies and supporting procedures.
3. Scope
The scope of this policy extends to:
- All information processed by the Borough of Poole in pursuit of all its operational activities, regardless of whether it is processed electronically or in paper form, including but not limited to:
- Citizen information and reports
- Operational plans, accounting records, and minutes
- Staff records
- All processing facilities used in support of the Borough of Poole’s operational activities to store, process and transmit information
- All external companies that provide contracted information services to the Borough of Poole.
4. Policy
As part of its over-arching business strategy and to meet its operational objectives, it is the policy of the Borough of Poole to ensure that:
- Information and information processing assets will be protected against unauthorized access
- Confidentiality of information will be assured
- Integrity of information will be maintained
- Business requirements for the availability of information and information systems will be met
- Legislative and contractual obligations will be met
- The Borough of Poole’s intellectual property rights and those of others will be protected and respected
- Business continuity plans will be produced, maintained and tested
- Unauthorised use of the Borough of Poole’s information and systems will be prohibited, and the use of obscene, racist or otherwise offensive statements dealt with
- This Policy will be communicated to all staff for whom information security training will be available
- All breaches of information security, actual or suspected, will be reported and investigated.
More detailed security policies and procedures for users and specific information systems will be developed and made available to all staff. Particular reference is made to the Email and Internet Policy and the Use of Computers Policy.
The Chief Executive and Council Leader of the Borough of Poole have approved this policy.
5. Risk Strategy
The Borough of Poole will follow a balanced information risk strategy aimed at avoiding unacceptably high business risks on one side and unnecessarily expensive and bureaucratic controls on the other.
The implementation of the Borough of Poole’s risk strategy will be based on formal methods for risk assessment, risk management and risk acceptance.
6. Responsibilities
The Chief Executive and Council Leader will be accountable for ensuring that cost-effective security and legal controls are implemented that are commensurate with its identified operational risks. They will be supported in this task by all members of staff.
The role and responsibility for managing information security at an operational level will be performed by the ICT Security and Operations Manager. This role has direct responsibility for maintaining this Policy and providing advice and guidance on its implementation.
As owners of all information assets within the Borough of Poole, the Chief Executive and Council Leader will be responsible for the implementation of controls that are commensurate with the value of the asset and the risks to which the assets are exposed.
It is the responsibility of all members of staff to adhere to this Policy.
Failure to adhere to this policy may involve the Borough of Poole in serious financial loss, embarrassment, legislative action or loss of reputation. Non-compliance by any member of staff may therefore result in disciplinary action.
7. Conventions
Throughout this policy:
- “Staff” refers to anyone who is employed by the Borough of Poole whether permanent or a contractor
- “Contractor” refers to any “non-permanent” member of the Borough of Poole’s staff:
- Independent consultants or contractors
- Consultants or contractors engaged through third party companies
- Staff supplied through a third party Agency
- “Will” has been used to indicate that the Policy requirements are mandatory.
8. Policy review and maintenance
This Policy will be reviewed annually and at other times as dictated by operational needs.
9. Policy Approval
______
John McBride, Chief Executive
______
Brian Leverett, Council Leader
Date:______
Appendix B
Access Control Policy
1. Purpose
This Policy defines the Borough of Poole’s requirements to ensure that information assets are adequately protected with identification, authentication and entitlement controls.
2. Scope
This Policy applies to all users of information assets to include Borough of Poole employees, employees of temporary employment agencies, vendors, business partners, contractor personnel, customers and functional units regardless of geographic location. The term “information asset” is defined as “electronic and non-electronic assets owned by the Borough of Poole or entrusted to the Borough of Poole (by internal and external customers) and includes, but is not limited to, all documentation, electronic data, products, hardware and software”.
3. Requirements
3.1 Information Owner
All information assets must be “owned” by a named individual within the company.
3.2 User Identification, Authentication and Accountability
Access to information assets must be restricted to authorised users and must be protected by appropriate physical and logical authentication and authorisation controls. Protection for information assets must be commensurate to the classification level assigned to the asset.
3.3 User Access Privilege and Entitlement
Individuals are required to satisfy the necessary personal security criteria before they can be authorised to access information assets of a corresponding classification. Individuals who have satisfied all necessary access criteria may be granted access to information assets only on the basis that they have a specific need to know, or to “have-access-to”, those information assets. The classification of an information asset does not, in itself, define who is entitled to have access to that information. Access is further filtered by any applicable privacy restrictions.
Access privileges must be allocated to users, based on the minimum privileges required to fulfil the users’ job function. Access privileges must be authorised by the appropriate Information Owner.
3.4 Password Management
All passwords used to access information assets must conform to the Borough of Poole’s standards relating to password composition, length, expiration and confidentiality (please refer to the Use of Computers Policy).
3.5 Access Termination, Modification or Revocation
Detailed procedures must be developed and followed for terminating, modifying or revoking user access.
3.6 Operating System, Network, Application and Remote Access Control
Based on the information asset risk classification, baseline security standards must be defined and implemented for all operating systems, networks, applications and remote access.
3.7 Third Party Access
All third party access (contractors, business partners, consultants, vendors, customers) must be appropriately authorised and monitored. Third party access to information assets will be granted on a per request basis. In cases where access is needed for long periods, the business owners must specify access timeframes and justification for such access.
3.8 Audits
The Information Security Manager must maintain plans indicating time schedules of all information security audits to be performed within the Borough of Poole to ensure compliance.
3.9 System Monitoring
Critical systems will be monitored to detect non-compliance with this Access Control Policy and to record evidence in case of security incidents. The level of monitoring required for individual systems and facilities must be determined by an information security risk assessment. Monitoring results must be reviewed on a regular basis as determined by the information asset risk classification.
3.10 Access to Information Assets in Physical Form
Access to physical information assets - for example printed paper documents, and diskettes containing information - is governed by the same principles as above.
4. Compliance Measurement
Compliance with this Access Control Policy is mandatory.
5. Sponsor
This Access Control Policy is owned by the Chief Executive and the Council Leader.
6. Custodian
It is the responsibility of the ICT Security and Operations Manager to ensure that this policy is kept up to date.
Appendix C
E-mail and Internet Policy
When you log on to Borough of Poole systems you will be asked to confirm that you have read and understood this policy. By clicking ‘Ok’ you will have confirmed you have done so. Not having read this is not an excuse should you breach this policy.
E-mail and the Internet are valuable business tools. Employees must not abuse the e-mail and Internet facilities provided. Abuse will result in disciplinary action; serious misuse may result in summary dismissal. Attention is drawn to the detailed advice contained within this policy.
1. Purpose & Scope
1.1 The purpose of this policy is to ensure that employees of the Borough of Poole understand the way in which electronic mail (e-mail) and the Internet should be used in the organisation. It aims to ensure that email and the Internet are used efficiently and for their intended purpose, without infringing legal requirements or creating unnecessary business risk.
1.2 We have tried to make these standards as simple and straightforward as possible. If you are unsure about any of them or believe that you cannot comply with them for any reason, you must discuss and resolve this with your Line Manager. Assistance is also available from the ICT Security Office.
1.3 These standards apply to all staff, contractors, volunteers, temporary staff, third party or partner organisations that use our non-public ICT facilities.
1.4 It is a line management responsibility to take steps to ensure that the above people are aware of the policy and standards set therein and to take reasonable steps to achieve compliance. As with all corporate standards and policies, breaches will be treated as a disciplinary matter and, in serious cases, as gross misconduct.
1.5 Employees have a responsibility to behave reasonably and not to abuse the e-mail and Internet facilities. Individual responsibility is important.
1.6 At the same time, your conduct and/or action(s) may be unlawful or illegal and you may be personally liable.
1.7 If you become aware of any breaches of these standards, or believe that you have inadvertently breached them, you should report this straight away to your Line Manager.
1.8 There will need to be a few exceptions to some of these standards for certain business functions, but these must be agreed with ICT and Business Support if not agreed already.
1.9 This policy will be reviewed annually.
2. Use of e-mail
This standard applies to all internal and external email.
2.1 In addition to normal business use, email may be used responsibly for personal use during working hours, providing you have agreement from your Line Manager, it is not to the detriment of your work, and any time spent is not excessive and is made up.
2.2 It may be used responsibly outside your agreed working hours for personal use, providing you have agreement from your Line Manager.
2.3 Email relating to Council business must only be sent using the Council’s installed email system[1].
2.4 Email, both business and personal, is not private; the contents and volumes are logged and may be examined at any time at the discretion of the Council (for more detail refer to the section on Monitoring contained within this document). If there is evidence that you are not adhering to these standards the Council may withdraw your email access and notify your manager, who may take disciplinary action.
2.5 Emails must not contain inappropriate[2] wording or attachments that could bring the Council into disrepute.
2.6 If you receive inappropriate external email you should delete it or, if you have concerns, report it to the ICT Help Desk or your Line Manager.
2.7 Council emails represent the organisation in the same way as a letter, and so the same degree of care in their wording must be taken.
2.8 Emails, both in hard copy and electronic form, are admissible in a court of law.
2.9 If you are not able to reply to your external emails you must arrange for them to be forwarded to someone else.
2.10 Where emails are sent to generic email addresses, such as , the Service Unit concerned must have a protocol in place to ensure that they are dealt with properly and in a timely manner.
2.11 You must not send very sensitive information by email without guidance from ICT and Business Support on how to adequately secure that information (e.g. password protection/encryption).
2.12 You must not attach software, music or anything else that could breach copyright, data protection or other applicable legislation.
2.13 Internal emails should not be sent to more people than necessary – use email groups to target recipients where possible.
2.14 You may allow others to read your email (using Microsoft Outlook delegation facilities, for example) but they must not send email under your name.
2.15 You must not forward chain letters, spam, jokes or any other inappropriate email internally or externally.
2.16 You must not use a Council email address as a personal contact point for the public or groups of people, for example clubs.
2.17 There is a restriction in place that limits the maximum message size of emails to 10Mb. If you wish to transfer larger files, please contact the ICT & BS Help Desk for guidance.
2.18 The Council has placed a limit on the maximum size of mailboxes. Council mailboxes must not exceed 150Mb. Guidance is available on The Loop to help staff effectively manage their mailboxes.
3. Use of the Internet
3.1 The Internet (web) may be used responsibly for business use if authorised by your Line Manager.
3.2 It may be used for personal use during working hours, providing you have agreement from your Line Manager, it is not to the detriment of your work, and any time spent is not excessive and is made up.
3.3 It may be used responsibly outside your agreed working hours for personal use, providing you have agreement from your Line Manager.
3.4 You must not access inappropriate websites[3]. If this happens by mistake, let your Line Manager know to prevent any unnecessary action being taken against you.
3.5 The Council will monitor all Internet usage in terms of sites visited and volumes. More detail is included in the section ‘Monitoring’ contained within this document.
3.6 You must not use Internet facilities that are accessed other than through the Internet Explorer browser – for example Peer to Peer services such as Limewire, Napster or Kazaa – or use any Instant Messaging or FTP software.
3.7 You must not, on behalf of the Council, order goods or services or enter into any agreement or make commitments through the Internet, unless you are authorised to do so.