

ICT Information Security Policy

April 2008

Version 1.11

Information and Communication Technology

London Borough of Tower Hamlets


London Borough of Tower Hamlets Council

Information and Communication Technology

Document Control

Overview

This document defines the London Borough of Tower Hamlets’ policy for the use of ICT systems in the work environment in order to maintain the Confidentiality, Integrity and Availability of the London Borough of Tower Hamlets resources.

Ownership

This document has been developed based on materials owned or licensed by the London Borough of Tower Hamlets and, as such, remains the property of the London Borough of Tower Hamlets at all times.

© London Borough of Tower Hamlets 2007

Document History

Version Date Author Description

0.1 29/09/2005 Sam O’Brien Initial draft created.

0.2 14/10/2005 Sam O’Brien Document updated and released for review by ICT DMT.

0.3 16/11/2005 Sam O’Brien Document updated to include comments of ICT DMT.

0.4 23/12/2005 Sam O’Brien Document updated to include additional comments of ICT DMT, awaiting comments and signoff from IGG.

0.5 05/01/2006 Sam O’Brien Document update to include glossary and revision schedule. Submitted for signoff from IGG.

0.6 06/02/2006 Sam O’Brien Comments of Service Head – Quality and Performance – Social Services incorporated.

0.7 23/03/2006 Sam O’Brien Comments of Information Governance Manager incorporated. Submitted to ICT DMT for approval and submission for sign-off.

0.8 30/05/2006 Sam O’Brien Internal ICT team leader review complete. Document forwarded to ICT Strategy Board for sign-off.

0.9 09/06/2006 Sam O’Brien Document updated to reflect comments of ICT Strategy Board.

1.0 18/08/2006 Sam O’Brien Document updated to reflect comments of Corporate Management Team. Published as 1.0

1.05 11/07/2007 Charles Fagbuyi Revisions for discussion at IGG

1.06 28/09/07 Tim Rodgers Round up of revisions and documenting new USB policy

1.07 07/12/07 CV Arun Revisions for discussion at IGG

1.08 15/01/08 Tim Rodgers Post-IGG discussion

Author: CV Arun ICT Information Security Policy Version: 1.11 Revision date: 02/04/2008 Page 2 of 21


1.09 04/02/08 CV Arun New password policy

1.10 19/03/08 Tim Rodgers Following Deloitte's review

1.11 02/04/08 CV Arun Revisions after internal ICT team leaders review

Release

This is a managed document. This document will not be formally released until it has been accepted by the Director of Resources and tabled in the ICT Strategy Board meeting minutes. All previous versions of this document are to be considered obsolete and should be destroyed.

Important update to previous versions

Your attention is drawn to Section 8.3 of the Information Security Policy which, for convenience, has been reproduced below.

Storage of Data

LBTH works to ensure the protection of all electronic information through the provision of a data backup facility. This facility is only effective for information that is stored on a network drive, i.e. your M: or U: drive. Information saved locally, on PCs or laptops, is not backed up and can be lost in the event of disk or system failure, or if documents are deleted or modified. To ensure that all LBTH information is protected, users are to ensure that all business critical information is stored on the network (M: drive), not on local drives.

Remote access

Remote access to the LBTH network and subsequent ICT systems is controlled using an additional authorisation process and additional hardware. This process is defined in the ICT enrolments section on Towernet:

http://towernet/Intranet/staff_services/ict/it_systems/access_to_ict_systems.aspx

Use of removable media and internet e-mail

The use of USB sticks, compact or digital video discs or other digital storage to transfer personally identifiable data by Council employees and agencies working on behalf of the Council is strictly prohibited. Council staff should use the Outlook Web Access functionality if they need to send personally identifiable data to another location, e.g. home. Under no circumstances should personally identifiable data be sent to an account outside the Council network unless secure e-mail capabilities exist. Where regular access to personally identifiable data is required, managers should consider investing in SecurID technology to allow staff to work from home on a virtual desktop. The loss of personally identifiable data on a USB stick, or through insecure e-mail channels, will be regarded as a disciplinary offence. The Council reserves the right to inspect USB devices on demand.


Statement of Management Intent

The London Borough of Tower Hamlets Council, located at Town Hall, Mulberry Place, 5 Clove Crescent, London E14 2BG and Anchorage House, 2 Clove Crescent, London E14 2BE, is committed to preserving the confidentiality, integrity and availability of all physical and electronic information assets throughout the Council in order to preserve its competitive edge, cash flow, profitability, legal, regulatory and contractual compliance and commercial image. Information and information security requirements will continue to be aligned with the Council's goals and, as the custodian of a range of information that is politically, commercially or personally sensitive, the Council has a fundamental responsibility to ensure that such information is protected to a level commensurate with its value. To ensure that satisfactory protection is made available, to aid compliance with legislation such as the Data Protection Act and Freedom of Information Act, and to assist in achieving our objectives for Information Governance, LBTH is committed to the implementation and operation of an Information Security Management System (ISMS) that is aligned with industry best practice and the International Standard ISO27001.

In particular, business continuity, contingency plans, data back up procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy.

The ICT information security policy will be reviewed, updated and changed from time to time as needs and circumstances dictate. All employees of the Council and external contractors are expected to read, interpret and comply with this policy and with the ISMS that implements this policy. All staff, and certain external parties, will receive appropriate training.

The Council has established the Information Governance Group chaired by the Assistant Chief Executive (Legal Services) and the Information Security Officer to support the ISMS framework and periodically review the security policy.

The Council is committed to achieving and maintaining certification of its ISMS to ISO27001:2005.

Future information related to the Information Security Management System will be released through the LBTH Intranet, newsletters and management briefings as part of a programme to bring full awareness of this important initiative to all concerned.

Any questions in relation to the Information Security Management System should be directed to the Information Security Officer – ICT, on 020 7364 4951 or to the Information Governance Manager, Tim Rodgers, on 0207 364 4354 or at [email protected]

Martin Smith

Chief Executive


Table of Contents

Storage of Data ..... 3
1 Policy Principles ..... 7
1.1 Background ..... 7
1.2 Objectives ..... 7
1.3 Scope ..... 7
1.4 Audience and locations affected ..... 7
1.5 Effective Date ..... 7
1.6 Any legislation referred to in this policy ..... 7
2 The need for Information Security ..... 8
2.1 What is Information Security? ..... 8
2.1.1 Confidentiality ..... 8
2.1.2 Integrity ..... 8
2.1.3 Availability ..... 8
2.1.4 Preserving ..... 8
2.2 Why does LBTH need Information Security? ..... 8
3 Roles and Responsibilities ..... 9
3.1 Director of Resources ..... 9
3.2 Members of the Information Governance Group ..... 9
3.3 Service Head, ICT ..... 9
3.4 Business Support Manager, ICT ..... 9
3.5 Information Security Officer, ICT ..... 9
3.6 Information Governance Team, Legal Services ..... 10
3.7 All Managers ..... 10
3.8 All Staff, Contractors and Authorised Third Parties ..... 10
3.9 System and Application Administrators ..... 10
4 Acceptable Usage Policies ..... 10
4.1 General Requirements ..... 10
4.2 Internet, Intranet and Email ..... 11
4.3 Desktop and Laptop PCs ..... 11
4.4 Other Mobile Devices ..... 11
5 Asset Management ..... 11
6 Human Resources Security ..... 12
6.1 Awareness of Information Security ..... 12
6.2 Confidentiality agreements ..... 12
7 Physical and Environmental Security ..... 12
7.1 Secure Areas ..... 12
7.2 Equipment Security ..... 13
7.3 Clear screen and clear desk ..... 13
7.4 Removal of information ..... 14
8 Communications and Operations Management ..... 14
8.1 Use of software ..... 14
8.1.1 Malicious software controls ..... 14
8.1.2 Software License controls ..... 14
8.2 Use of hardware ..... 14
8.3 Storage of Data ..... 15
9 Access Control ..... 15
9.1 Enrolment ..... 15
9.2 Password use ..... 16
9.3 Privileged Accounts ..... 16
9.4 Access to Information ..... 16
9.5 Access Administration ..... 16
9.6 Access Monitoring ..... 16
9.7 Access Removal and Modification ..... 17
9.8 Delegation of Access ..... 17
10 Systems Acquisition, Development and Maintenance ..... 17
11 Information Security Incident Management ..... 18
12 Business Continuity ..... 18
12.1 Disaster Recovery Planning ..... 18
13 Compliance ..... 19
13.1 Audit and Review ..... 19
14 Details of how to work with the new policy ..... 19
15 Highlight the consequences of failing to meet the policy ..... 19
16 Policy owner, version number and date of next review ..... 19
Annex A Glossary ..... 20


1 Policy Principles

1.1 Background

The purpose of this policy is to provide unified direction for the security of LBTH Information and Communication Technology systems and the information held within them.

This policy sets out the principles for the acceptable use of information within the Council's systems, the relevant controls and the process for implementing these controls in order to maintain the confidentiality, integrity and availability of the Council's information. It is designed to help employees understand the Council's expectations for the use of these resources and to ensure that they are used correctly.

1.2 Objectives

The Information Security Policy has been developed to:

• Define the concept of and need for Information Security

• Define LBTH’s approach to Information Security

• Ensure that roles and responsibilities for the provision of information security are known

• Define the operational requirements and specific policies that exist to support the provision of Information Security throughout the LBTH infrastructure.

1.3 Scope

This policy applies to all staff (temporary or permanent), contractors and authorised third parties that make use of LBTH ICT systems.

This policy applies to all business-related information held in ICT systems and their supporting facilities, data, equipment, software and documentary records. While the principles of this policy, Confidentiality, Integrity and Availability, are to be considered for all types of information, whether paper or electronic, this policy does not specifically cover non ICT-based information (i.e. paper-based records).

1.4 Audience and locations affected

This document is to be read and followed by all authorised users of LBTH ICT systems, including staff (temporary or permanent), contractors and authorised third parties.

1.5 Effective Date

3rd October 2007

1.6 Any legislation referred to in this policy

The following legislation is relevant; however, this is not a comprehensive list and other appropriate existing or future legislation may need to be considered.

Computer Misuse Act 1990

Data Protection Act 1998

Freedom of Information Act 2000

Re-Use of Public Sector Information Regulations 2005


2 The need for Information Security

2.1 What is Information Security?

For LBTH, Information Security is defined as the ability to suitably ensure the Confidentiality, Integrity and Availability of its ICT systems and the information held within them.

2.1.1 Confidentiality

Confidentiality can be defined as the ability to ensure that information can only be accessed by those authorised to do so. Some pieces of information, such as social care records, have a high need for confidentiality, whereas other information, such as the Council’s Annual Report, does not have such a need. Further information on the importance of confidentiality to LBTH can be found within the Information Governance section of the Intranet.

2.1.2 Integrity

Integrity can be defined as the ability to ensure that information is accurate and complete and can only be modified by those entitled to do so. Most, if not all, information handled by LBTH has a high need for integrity.

2.1.3 Availability

Availability can be defined as the ability to ensure that information is available to those authorised to access it, when required. As with confidentiality, the requirement for availability can vary depending on the nature of the information.

2.1.4 Preserving

This means that management, all full-time or part-time staff, sub-contractors, project consultants and any external parties have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security breaches and to act in accordance with the requirements of the ISMS. The consequences of security policy violations are described in the Council's disciplinary policy. All staff will receive information security awareness training.

2.2 Why does LBTH need Information Security?

The information stored within LBTH ICT systems represents, collectively, an extremely valuable asset. The increasing reliance LBTH has on Information and Communication Technology for the delivery of services to its customers and for working partnerships with other organisations makes it necessary to ensure that these systems are developed, operated, utilised and maintained in a secure fashion. For example, the Council conforms to the Payment Card Industry Data Security Standard (PCI DSS), which is mandated to ensure that customers' credit and debit card details are kept secure.

Information Security forms an important part of the Council's approach to Information Governance by facilitating secure use of ICT-based information. Information Governance is a term used to describe how information is used. It provides a unified approach for handling information that complies with the law and outlines best practice. Further information on Information Governance can be found on Towernet.

In addition to the fundamental responsibilities to protect information, LBTH is also bound by the following legislation and Protocols.

• Computer Misuse Act 1990

• Data Protection Act 1998

• Freedom of Information Act 2000


• Re-use of Public Sector Information Regulations 2005

• North East London Information Sharing Agreement

As noted in Section 1.6, the above list is not exhaustive and other legislation and Protocols are relevant.

3 Roles and Responsibilities

The following subsections serve to describe the roles that exist for the Information Security Management System, along with their specific responsibilities for the provision of Information Security throughout the organisation.

3.1 Director of Resources

The overall responsibility for LBTH's Information Security Policy lies with the Director of Resources. The Director of Resources is the ultimate point of escalation for issues relating to the LBTH Information Security Policy and is also responsible for reviewing its ongoing effectiveness.

3.2 Members of the Information Governance Group

The Information Governance Group is a cross-functional management team that oversees the collated series of senior management approaches, systems, processes and accountabilities that seek to minimise organisational risks and maximise the business opportunities derived from effective capture, storage, sharing and use of information.

A sub-function of the Information Governance Group is to provide a management forum for information security. In providing this function, the group assumes the following responsibilities:

• Reviewing and approving information security policy and overall responsibilities

• Monitoring significant changes in the exposure of information assets to major threats

• Reviewing and monitoring information security incidents

• Reviewing and approving major initiatives to enhance information security

Further information on the function, composition and responsibilities of the Information Governance Group can be found in the Information Governance Group Terms of Reference, available on Towernet.

3.3 Service Head, ICT

The Service Head, ICT is responsible for the implementation, improvement and operation of the Information Security Management System and providing specific ICT input to the Information Governance Group.

3.4 Business Support Manager, ICT

The Business Support Manager, ICT ensures that operational compliance with internal policies and external security standards is achieved.

3.5 Information Security Officer, ICT

The Information Security Officer is responsible for the development and day-to-day operation and administration of the Information Security Management System. The Information Security Officer is the first point of contact for all information security related actions and is responsible for the conduct and reporting of information security incident investigations.


3.6 Information Governance Team, Legal Services

The Information Governance Team, headed by the Information Governance Manager, is responsible for providing specialist input to the ISMS with regard to Corporate Information Governance matters, Freedom of Information requests, Re-use of Public Sector Information and the Data Protection Act, and also for providing assistance with the investigation and management of certain security incidents. The Information Governance Manager is also the nominated Data Protection Officer for LBTH.

3.7 All Managers

Managers, as custodians of information within their specific areas of business, have a responsibility to protect that information. All Managers are directly responsible for implementing the Information Security Policy within their business areas, and for adherence by their staff. Management, in conjunction with Human Resources under the Council's Induction scheme, is responsible for ensuring that new staff and contractors are aware of this policy and for requesting a User ID for ICT systems. In particular, all managers shall inform ICT of any changes to their staff, including additions, moves and leavers, so as to ensure that privileges are managed appropriately.

3.8 All Staff, Contractors and Authorised Third Parties

All authorised users of LBTH ICT systems are responsible for abiding by the policies, procedures and guidelines that comprise the LBTH Information Security Management System and, in doing so, actively support the provision of information security throughout the organisation.

3.9 System and Application Administrators

The administrators of the various ICT systems and applications within LBTH are responsible for:

• Ensuring that user accounts are managed (created, modified and removed) in accordance with this policy and advice provided

• Reporting any perceived weaknesses or attempts to break or otherwise avoid the security controls within their systems or applications, in accordance with the Information Security Incident Management Policy.

4 Acceptable Usage Policies

4.1 General Requirements

The following is a listing of general usage requirements that exist for all authorised users of LBTH ICT systems:

• Each authorised user of LBTH ICT systems is provided with unique user IDs and passwords for the various systems that are in place

• The sharing of passwords for individual accounts is strictly forbidden [1]

• Attempting to break or avoid the security controls of LBTH equipment or any other third party computer system is strictly forbidden

• Accessing network traffic not intended for you, or doing anything that would adversely affect the ability of others to access ICT services, is strictly prohibited

• Intentionally accessing or transmitting information about, or software designed for, breaching security controls, creating computer viruses or any other activity that compromises the confidentiality, integrity or availability of ICT systems or third party computer systems is strictly prohibited [2]

• Knowingly doing anything that is illegal under English or European law, or under the law of any other relevant country, is strictly prohibited

• Carrying out activities to support any private business without permission is strictly prohibited

• No information may be copied or transferred from LBTH computer environments, including desktops or laptops, without the permission of the owner of that information

• Staff must not take part in online or computer-based discussions on matters that are politically controversial (unless such discussions are specific to their role), must not participate in discussions relating to matters that are the responsibility of another officer within the Council, and must not provide information or advice known to be contrary to the Council's policies or interests

• Misrepresentation of one's digital identity to gain an advantage of any nature is strictly prohibited

• Playing games, other than those authorised and supplied with legitimate software that can be played during non-work hours or those used in LBTH training courses, is strictly forbidden

• The storage of personal, non-business-related data, such as music, pictures or video, on ICT equipment, be it on a PC, a laptop or on networked storage, is not permitted

• The use of any unauthorised encryption software is strictly prohibited.

[1] Where there is a requirement for delegated access to an account or files, a process of delegation is to be utilised. Further information is available in Section 9.8 (Delegation of Access) below.

Records may be kept of ICT usage, making it possible to discover and track usage that does not comply with these requirements. These records may be inspected by systems administrators for the purpose of monitoring system performance and efficiency, and by management in the event of any suspected malpractice. Further information on monitoring of policy compliance is available in the Internet, Intranet and Email Policy, available on Towernet.

http://towernet/Intranet/staff_services/ict/policies/policies_and_guidance.aspx

4.2 Internet, Intranet and Email

An Internet, Intranet and Email Policy is available on Towernet, which describes, in detail, the acceptable usage of corporately provided Internet, Intranet and Email access. Compliance with this Policy is required as part of the overall Information Security Policy.

4.3 Desktop and Laptop PCs

Desktop PCs, Laptop PCs and other network resources, such as printers and scanners, are provided for staff to access and make use of information that they need to do their job. Using the Council's IT equipment and software for anything other than work, or for personal usage as defined within the Internet, Intranet and Email Policy, risks facilities being withdrawn, disciplinary action and/or prosecution under law.

4.4 Other Mobile Devices

Council-issued mobile phones, BlackBerrys and Personal Digital Assistants (PDAs) capable of accessing the Council network are covered by this Policy. Personal equipment used in the course of working for the Council is also covered.

5 Asset Management

LBTH handles information of varying value. Some information may be considered highly confidential, whereas other information may be considered less confidential or for general release. As such, there is a requirement that some information be handled in a manner that reflects its value and also satisfies the requirements of the Data Protection Act and Freedom of Information Act. Compliance with the PCI DSS is an example of a specific set of requirements to secure specific information.

2 The Information Security Officer is exempted from this statement where preventative or investigative research is required, though only for the purposes of strengthening the security provisions.

As a component of the ISMS development exercise, ICT shall be developing an Information Assets Register that lists all ICT-based information assets, their value, their owner and the infrastructure that supports provision of their confidentiality, integrity and availability. This will be maintained by ICT in association with the Information Governance Team.

LBTH will also develop and implement an information classification, labelling and handling system so as to ensure that information is handled in a manner that is appropriate to its purpose and value. Information classification would be defined by the data owner. This schema is currently being developed by the Information Governance Team under the auspices of the Information Management project.

6 Human Resources Security

6.1 Awareness of Information Security

Towernet, Email and Manager’s Briefings will be the major points of contact for receiving updates to ICT policies and procedures. Staff must take the time to read new materials as they become available. Security awareness will be created at the enrolment stage and reference to the Information Security Policy will be included in employee contracts. Additionally, there is a Corporate Learning and Development course on Information Governance which includes a specific module on Information Security, and there are plans for web-based training software to include specific reference to Information Security.

6.2 Confidentiality agreements

All members of staff will have signed a contract of employment including clauses regarding information that they receive in the course of employment, which require them to ensure the confidentiality of LBTH information during and after their employment. All employees handling critical information must be subject to a formal pre-employment screening, which must include satisfactory professional references. Council information is to be kept confidential during and after employment with Tower Hamlets.

Where agency and contract staff and other third party users are concerned, a confidentiality agreement is required before they are granted access to LBTH ICT facilities. Agency contracts and supplier contracts may exist which contain clauses relating to confidentiality, which satisfy this requirement. Where such clauses do not exist, the Information Security Officer should be contacted so that an appropriate agreement can be created (24-hour turnaround).

7 Physical and Environmental Security

7.1 Secure Areas

Physical security protection for LBTH is based on defined perimeters and achieved through barriers within the organisation to prevent, detect, and minimise the effects of unauthorised access. Critical installations are protected at least by lock and key and are to be kept secure at all times.

All LBTH buildings in the Borough are designated as secure areas and entry to each is controlled by general access procedures:

• To gain entry, visitors must enter via a public entrance and report to reception.

• Admittance is under the control of the reception staff. Visitors are not admitted beyond the reception area until the member of staff being visited has been contacted and a member of staff is then requested to collect the visitor from the reception area.


• Prior to admission, visitors are given a visitor’s pass and required to sign the visitor’s book. The pass is to be affixed to their person and must be visible at all times. They are then placed under the responsibility of the member of staff being visited, for the duration of their stay.

• All staff and other visitors are issued with a badge for identification. All badge holders must wear the badge at all times while in LBTH buildings.

• Entry to specifically identified key areas, such as the computer room, is by separate swipe card, which shall be granted by senior ICT Management. Only those staff whose jobs require them to enter these areas are issued with access to these areas.

• All contractors entering the Computer Room must sign the log book for the Computer Room.

• Video surveillance cameras are located at the computer room entrance and at the main building entrances and exits. The CCTV is monitored by trained personnel. The video surveillance recording must be retained for a minimum of 4 weeks, for possible future playback.

• Access Violation Reports from the Access Control Software for sensitive areas, such as the computer room, are to be securely maintained and reviewed by the respective Administration Department on a regular basis.

• Staff are instructed to challenge people who are visitors or otherwise unknown to them and are not displaying the appropriate identification or acting in an appropriate manner.

7.2 Equipment Security

LBTH ICT Equipment must be protected from security and environmental threats to a suitable level. Such threats include (but are not limited to) theft and sabotage.

Corporate ICT systems shall be sited in an appropriate environment, including temperature, humidity and power supply control. Corporate ICT systems must be provided with appropriate supply of power, in line with manufacturer’s specification, and that supply shall be protected by an Uninterruptible Power Supply (UPS).

Equipment may only be taken off site with the approval of the appropriate manager. Portable computers must be protected by suitable access and physical protection (such as locks on laptop computers). Staff who have obtained authorisation to take equipment off site must ensure that such equipment is given a high level of protection. Equipment must not be left in cars, etc., as the high incidence of car theft leads to a substantial level of risk for LBTH’s equipment and data.

A formal policy to manage this process is currently being developed with appropriate prevention and detection controls against environmental hazards.

Disposal of ICT equipment (both devices and media such as backup tapes and CDs) is subject to legislation and may also be subject to various licensing agreements. Equipment should only be disposed of under the direct supervision of ICT. It is essential that, prior to disposal, the data on the equipment is either removed to a secure location or permanently deleted. Where other devices have been used, again any Council data should be removed or deleted.

7.3 Clear screen and clear desk

In order to reduce the likelihood of security breaches resulting from information being left unattended, staff must ensure that their PC terminals are locked or logged out at all times when they leave their terminal for any reason.

Staff shall also ensure that all information (business, personal or sensitive) is kept secure at all times and filed away, and not left in plain view in their workspaces, when they are to be away from their desk for over an hour. The Council operates a clear desk policy and as such workstations need to be cleared at the end of each day.


7.4 Removal of information

Information must only be taken offsite after completion of a proper risk assessment. Examples of such situations include positions requiring work offsite, such as social work, Remote Access and Home Working arrangements.

8 Communications and Operations Management

8.1 Use of software

Precautions are required to prevent and detect the introduction of malicious software, such as viruses and spyware. All managers and staff should be alert to the dangers of malicious software. Measures have been introduced to the LBTH ICT infrastructure to assist in the prevention and detection of malicious software.

8.1.1 Malicious software controls

To minimise the threat of virus and other malicious software outbreaks within the LBTH ICT environment, a number of practices have been introduced. Virus checking of all computer media used is to be conducted. All PCs are provided with virus checking software and this is to be used to scan all floppy disks and memory keys prior to usage. All data sent via email, including both messages and attachments, is scanned by antivirus software. However, users should still be aware of the potential dangers of receiving attachments through email and must only open attachments that they are expecting and that are from trusted sources.

Users should endeavour to ensure that antivirus applications are operating at all times. Users of portable equipment must ensure that their devices are regularly connected to the LBTH network to ensure that virus protection measures are kept up-to-date. In addition:

- Staff must not disable virus scanning software on laptops

- Staff must scan all floppy, CD, USB devices and other types of mobile storage devices prior to connection to the LBTH equipment or the network.

8.1.2 Software License controls

LBTH requires that all software used within the organisation is appropriately licensed and authorised and that no unlicensed software is used. The use of such software is prohibited. Software that is installed must be for business purposes associated with the Council. It is the line-manager's responsibility to ensure that only licensed software is used on machines within their control and that suitable documentation is retained. The use of unlicensed software will result in disciplinary proceedings and possibly criminal proceedings. The use of unlicensed software is not only illegal, it is potentially damaging to the ICT operations of LBTH.

Users may not purchase or install any hardware or software on LBTH equipment without the express authorisation of ICT, as supported by an approved business case. The ICT Service Desk is the initial point of contact for all software acquisitions.

Any incidents relating to viruses, malicious or unlicensed software should be reported to the Service Desk on x4444.

8.2 Use of hardware

• Users shall not install, relocate or modify hardware allocated to them without the express permission of ICT

• Users shall not connect any hardware devices to LBTH computer equipment connected to the LBTH network without the express permission of ICT

• Users shall use computer hardware allocated to them in a responsible manner and in compliance with this policy


• The responsibility for the protection of ICT portable computers and the information stored in them shall reside with the person to whom the equipment has been loaned or allocated

• No privately owned computer equipment, including equipment used by contractors or third party suppliers, may connect directly to the LBTH network. Such devices may however be connected over the internet using the appropriate remote access software (VPN), provided that the user has formally requested such access in accordance with the procedures for remote access, available on Towernet

• Only approved PDAs with approved software may be connected to the LBTH network.

8.3 Storage of Data

LBTH works to ensure the protection of all electronic information through the provision of a data backup facility. This facility is only effective for information that is stored on a network drive, i.e. your M: or U: drive. Information saved locally, on PCs or laptops, is not secured and can be lost in the event of disk or system failure or if documents are deleted or modified. To ensure that all LBTH information is protected, users are to ensure that all business critical information is stored on the network (M: drive) and not on local drives.

8.3.1 Remote access

Remote access to the LBTH network and subsequent ICT systems is controlled using an additional authorisation process and additional hardware. This process is defined in the ICT enrolments section on Towernet.

8.3.2 Use of removable media and internet e-mail

The use of USB sticks, compact or digital video discs or other digital storage to transfer personally identifiable data by council employees and agencies working on behalf of the Council is strictly prohibited. Council staff should use the Outlook Web Access functionality if they need to send personally identifiable data to another location, e.g. home. Under no circumstances should personally identifiable data be sent to an account outside of the council network unless secure e-mail capabilities exist. Where regular access to personally identifiable data is required, managers should consider investing in SecureID technology to allow staff to work from home on a virtual desktop. The loss of personally identifiable data on a USB stick, or through insecure email channels, will be regarded as a disciplinary offence. The council reserves the right to inspect USB devices on demand.

9 Access Control

Authorised users are provided with access to LBTH ICT systems based on a strict business need. Access is based on the need-to-know and least privilege principles where officers are only privy to information that is in direct support of the conduct of their responsibilities.

9.1 Enrolment

• Access to LBTH ICT systems is controlled using the ICT Systems Enrolment Form, available in the ICT section of Towernet.

http://towernet/Intranet/staff_services/ict/it_systems/access_to_ict_systems.aspx

• All users of ICT resources are to be individually enrolled. Individual user accounts are not to be shared with the exception of email delegation.

• When applications for enrolment are successfully completed, a login ID and password are provided. Passwords are to remain confidential at all times.


• Approval for enrolments is to be given by the system owner or line manager under delegation.

9.2 Password use

When staff are creating or updating passwords, the following guidelines are to be used. Passwords should:

• Be at least 7 characters in length

• Contain a mix of alphabetical (e.g. a, b, c, etc.), numerical (e.g. 1, 2, 3, etc.) and special characters (e.g. £, &, @, etc.)

• Contain a mix of upper and lower case characters

• Not be anything that could be easily guessed, such as a pet’s name or birth date

• Be easy to remember

• Not be written down

• Not be divulged to any other person

• Contain at least one capital letter

• Be changed every 60 days
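The guidelines above, written out as a checker so that the individual rules can be tested against a candidate password. This is an added example, not text or code from the Council's policy; how a "special character" is recognised and how "easily guessed" is approximated (a match against personal details the caller supplies) are assumptions made here.

```python
"""Added example, not part of the LBTH policy: a checker for the section 9.2
password guidelines.  Assumptions not stated on the page: a "special
character" is any printable character that is not a letter, digit or space,
and "easily guessed" is approximated by rejecting passwords that contain
personal details the caller supplies (e.g. a pet's name or birth date)."""
from datetime import date, timedelta

MIN_LENGTH = 7       # "Be at least 7 characters in length"
MAX_AGE_DAYS = 60    # "Password should be changed every 60 days"


def _is_special(ch: str) -> bool:
    # Assumption: anything printable that is neither alphanumeric nor whitespace.
    return ch.isprintable() and not ch.isalnum() and not ch.isspace()


def password_violations(candidate: str, personal_details=()) -> list:
    """Return the 9.2 rules the candidate breaks; an empty list means compliant.

    Rules that cannot be checked mechanically ("easy to remember", "not written
    down", "not divulged") are left to the user and are not tested here.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("no alphabetical character")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numerical character")
    if not any(_is_special(c) for c in candidate):
        problems.append("no special character")
    # "Contain a mix of upper and lower case" and "at least one capital letter"
    # overlap: one upper-case test satisfies both.
    if not any(c.isupper() for c in candidate):
        problems.append("no upper case / capital letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower case character")
    lowered = candidate.lower()
    for detail in personal_details:
        text = str(detail).lower()
        if text and text in lowered:
            problems.append(f"contains easily guessed personal detail {detail!r}")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once 60 or more days have passed since the last change (a change is due)."""
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample: a user whose pet is called Fluffy and who was born in 2001.
    for pw in ("Tr0ub4dor&3", "fluffy2001!", "Ab1!"):
        result = password_violations(pw, personal_details=("Fluffy", "2001"))
        print(pw, "->", result or "compliant")
    print("expired:", password_expired(date(2008, 2, 2), date(2008, 4, 2)))
```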

Failure to correctly enter a password more than three times in a row may result in a lock being placed upon the account, disabling access. The ICT service desk is to be contacted on x4444 to apply to have the lock removed. Users will be required to suitably identify themselves before this can be processed.

9.3 Privileged Accounts

• The use of all Operating System or Database System Administrator accounts must be approved by the Service Head, ICT

• The use of all application-specific administrator and other privileged accounts shall be approved by ICT systems administrators once approved by the System Owner.

9.4 Access to Information

Users are authorised to access LBTH information only whilst in the employment of LBTH or as an authorised volunteer, work experience student or person having a contractual relationship with LBTH. No information can be copied or transferred from LBTH computer environments including desktops or laptops without the permission of the owner of said information.

9.5 Access Administration

• Every system shall have a System Owner who shall have overall responsibility for granting access rights to users of their particular applications.

• Each authorised user shall be granted access to those information resources needed to perform that officer's duties.

• If an application function has an official delegation, then only staff with that delegation shall be able to access that function.

9.6 Access Monitoring

Where the capability exists, the use of LBTH ICT systems shall be monitored using audit trails that log security-related events. The following time stamped events shall be recorded as a minimum:

• Details of all logon attempts, whether successful or not;

• Details of attempts to access protected resources, whether successful or not;


• All activities relating to the use of special system privileges;

• All modifications to security information (user IDs and passwords);

• All modifications to system control parameters; and

• All transactional activity.

Such logs shall be reviewed, when necessary, to identify any misuse of access privileges or attempts to do so. Security investigations shall be subsequently carried out as required.
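A minimal review of an audit trail of the kind section 9.6 requires, as an added example (not the Council's code or tooling). The record format, field names and sample records are constructed here; the event categories are the ones the policy lists as the minimum to record, the lockout threshold comes from 9.2, and the approval register for privileged accounts is an assumed stand-in for the 9.3 approvals.

```python
"""Added example, not part of the LBTH policy: reviewing an audit trail for
the events that section 9.6 says must be recorded.  Log format and sample
records are constructed; the privileged-account approval register stands in
for the approvals that section 9.3 requires."""
from collections import defaultdict

# Constructed sample audit trail: "timestamp|event|user|target|outcome".
# 'event' uses the 9.6 categories: LOGON, RESOURCE_ACCESS, PRIVILEGE_USE,
# SECURITY_INFO_CHANGE, CONTROL_PARAM_CHANGE, TRANSACTION.
SAMPLE_LOG = """\
2008-04-02T08:59:01|LOGON|jsmith|-|FAIL
2008-04-02T08:59:20|LOGON|jsmith|-|FAIL
2008-04-02T08:59:41|LOGON|jsmith|-|FAIL
2008-04-02T09:00:03|LOGON|jsmith|-|FAIL
2008-04-02T09:01:10|LOGON|apatel|-|SUCCESS
2008-04-02T09:05:44|RESOURCE_ACCESS|apatel|fileserver/HR/payroll.xls|FAIL
2008-04-02T09:06:02|PRIVILEGE_USE|apatel|ORACLE/SYSDBA|SUCCESS
2008-04-02T09:10:30|PRIVILEGE_USE|dbadmin1|ORACLE/SYSDBA|SUCCESS
2008-04-02T09:15:00|SECURITY_INFO_CHANGE|dbadmin1|password:jsmith|SUCCESS
2008-04-02T09:20:00|CONTROL_PARAM_CHANGE|dbadmin1|audit_trail=NONE|SUCCESS
2008-04-02T09:25:00|LOGON|jsmith|-|SUCCESS
2008-04-02T09:30:00|TRANSACTION|apatel|invoice:INV-0001|SUCCESS
"""

# Assumed approval register (9.3): privileged account -> users approved to use it.
APPROVED_PRIVILEGED_USE = {"ORACLE/SYSDBA": {"dbadmin1"}}

LOCKOUT_THRESHOLD = 3  # 9.2: "more than three times in a row" locks the account


def parse_log(text: str) -> list:
    """Parse the pipe-delimited audit records into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, target, outcome = line.split("|", 4)
        records.append({"ts": ts, "event": event, "user": user,
                        "target": target, "outcome": outcome})
    return records


def review_audit_trail(records, approved=APPROVED_PRIVILEGED_USE) -> list:
    """Return findings as (timestamp, user, description) tuples for human review.

    Flags: more than three consecutive failed logons for one user, denied
    access to protected resources, privileged-account use by anyone not on the
    approval register, and every change to security information or system
    control parameters (9.6 requires these to be recorded, so each is reviewed).
    Routine transactional activity is recorded but not flagged.
    """
    findings = []
    failures = defaultdict(int)  # consecutive failed logons per user
    for r in records:
        if r["event"] == "LOGON":
            if r["outcome"] == "FAIL":
                failures[r["user"]] += 1
                if failures[r["user"]] == LOCKOUT_THRESHOLD + 1:
                    findings.append((r["ts"], r["user"],
                                     "more than three consecutive failed logons; lock expected"))
            else:
                failures[r["user"]] = 0  # a successful logon resets the run
        elif r["event"] == "RESOURCE_ACCESS" and r["outcome"] == "FAIL":
            findings.append((r["ts"], r["user"], f"denied access to {r['target']}"))
        elif r["event"] == "PRIVILEGE_USE":
            if r["user"] not in approved.get(r["target"], set()):
                findings.append((r["ts"], r["user"],
                                 f"unapproved use of privileged account {r['target']}"))
        elif r["event"] == "SECURITY_INFO_CHANGE":
            findings.append((r["ts"], r["user"], f"security information modified: {r['target']}"))
        elif r["event"] == "CONTROL_PARAM_CHANGE":
            findings.append((r["ts"], r["user"], f"system control parameter changed: {r['target']}"))
    return findings


if __name__ == "__main__":
    for ts, user, what in review_audit_trail(parse_log(SAMPLE_LOG)):
        print(ts, user, what)
```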

9.7 Access Removal and Modification

When the employment of a staff member is to end, advice is to be delivered to the appropriate system and application administrators to ensure that unnecessary user accounts are disabled and/or removed in a timely fashion. The leaving staff member’s line-manager is to report this to ICT through Towernet:

http://towernet/Intranet/staff_services/ict/it_systems/access_to_ict_systems.aspx.

The ICT Service Desk will then raise this with the appropriate administrator to ensure that the account is disabled.

When a contract is to be terminated or the need for an authorised third party supplier to access LBTH ICT resources ends, the manager responsible for that person or persons is to contact the ICT Service Desk to inform them of the change. The ICT Service Desk will then raise this with the appropriate administrator to ensure that the account is disabled.

Any requirements for change to access rights, such as a member of staff changing their role within the organisation and therefore needing different access, shall be raised with the Service Desk for action by the appropriate administrator. It shall be the responsibility of the former line-manager to ensure that any privileged access is removed should it no longer be required and the responsibility of the new line-manager to request any additional access.

9.8 Delegation of Access

At times, it may be necessary to delegate access to certain systems or portions of systems to users that would not generally be assigned such access. This may be due to periods of absence (such as access to an officer’s files or email during sickness or recreational leave) or perhaps to fulfil operational requirements (such as a Personal Assistant requiring access to their superior’s mail and calendar). Accounts must not be shared to suit this requirement. Instead, delegation of access shall be used.

If the delegation is required during a period of leave, steps should be taken to ensure that this is completed prior to the officer going on leave. The delegated access should also be removed as soon as it is no longer required.

Assistance with Delegation of Access can be obtained through the Service Desk (x4444).

10 Systems Acquisition, Development and Maintenance

Application owners need to define security requirements with the help of the Information Security Officer. These will consist of the following sections:

• Controlled Environment

• Change Management

• Source Code Management

• Version Control

• Testing


• Retention Requirements

• Reverse Engineering

• Security Requirements in Software development and acquisition

There should be documentation of system specifications and current settings. There should also be documented data input controls (in accordance with ISO 27001).

11 Information Security Incident Management

A security incident is one that can be defined as having resulted in:

• The disclosure of confidential information to an unauthorised individual,

• The integrity of the data or the system being put at risk,

• The availability of the data or the system being put at risk,

• Non-compliance with ICT policies,

• Unexpected behaviour of ICT systems,

• An adverse impact on the Council, for example:

    • Embarrassment to LBTH

    • Threat to personal safety or privacy

    • Legal obligation or penalty

    • Financial loss

    • Disruption of activities

Incidents, perceived weaknesses or information indicating a suspected or actual security breach should be reported to a Line Manager, the Information Security Officer or the ICT Service Desk. Incidents that are found to be of significance will be investigated in a confidential manner and dealt with accordingly. Any disciplinary actions resulting from this investigation will be managed in accordance with the organisation’s Disciplinary Procedure.

As incidents are reported details will be referred to the relevant Line Manager and the appropriate Directorate Human Resources Manager. Where the incident involves the Line Manager or the investigating officer, appropriate alternate personnel shall be informed.

Where appropriate, investigations may be referred to the Information Governance Manager for comment or further action. Regular reports of Information Security Incidents shall be provided to the Information Governance Group.

For more information please consult the Information Security Incident Procedure available, in the first instance, from the Information Governance Manager.

12 Business Continuity

12.1 Disaster Recovery Planning

An ICT Disaster Recovery Plan has been developed to provide a structured and tested set of procedures and necessary resources for the temporary and potentially long-term recovery of critical ICT infrastructure and services following the occurrence of an event that interrupts normal operations (which may be the result of, for example, natural disasters, accidents, equipment failures or deliberate actions). This process shall identify the critical business processes and integrate the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and facilities.

Proper backup and recovery procedures shall also be in place to ensure quick and accurate restoration.


For further information on the systems and data repositories protected by the ICT Disaster Recovery Plan, please contact the Business Support Manager – ICT.

13 Compliance

The design, operation, use, and management of information systems must abide by relevant statutory, regulatory, and contractual requirements.

13.1 Audit and Review

The information security policy is currently being reviewed annually by the information security officer and any changes will be submitted to the Information Governance Group for final approval.

14 Details of how to work with the new policy

Employees will need to follow the Information Security Policy at all times.

15 Highlight the consequences of failing to meet the policy

Failing to meet the Information Security Policy requirements presents a threat to the confidentiality of the Council’s information and to the availability of the tools for employees to complete their jobs. As such, non-compliance with this policy will be viewed seriously and will result in disciplinary action, in accordance with the LBTH Disciplinary Procedure, which may result in a warning (verbal or written), counselling sessions and potentially dismissal, depending on the severity of the misuse.

The following sanctions have been developed so as to deal with cases of misuse of this policy:

• Withdrawing access to ICT equipment, software and services

• Legal action, which could result in the award of damages, fines and/or possible imprisonment for breaches of legislation such as the Data Protection Act, the Computer Misuse Act or for breaches of any law

16 Policy owner, version number and date of next review

This policy is owned by the Information Governance Group. If you have any questions regarding this policy, please contact either Tim Rodgers on ext 4354 or the Information Security Officer on ext 4951.

The version of this policy is 1.11 and it is next due for review in April 2008.


Annex A Glossary

The following is a glossary of terms used in this document.

Term Definition

Asset Anything that has value to the organisation

Availability The ability to ensure that information is available and usable upon demand by an authorised individual or entity

BS7799 and ISO27001 The British Standard that LBTH has based its approach to Information Security upon.

Part 1 of the standard, also referred to as ISO17799, defines security controls available for use.

Part 2 of the standard, now referred to as ISO27001, defines an approach for the development and operation of an Information Security Management System.

Confidentiality The ability to ensure that information is not made available or disclosed to unauthorised individuals or entities

DPA Data Protection Act 1998

FOI or FoIA Freedom of Information Act 2000

Information Asset Any piece or collection of information that has value to the organisation and needs to be protected in terms of its confidentiality, integrity and availability.

Information processing facility An information processing system, service or infrastructure, or the physical location housing them

Information Security Preservation of confidentiality, integrity and availability of information

Information security incident An event or series of unwanted or unexpected events that affect the Council’s ability to ensure the confidentiality, availability and integrity of its information

Information Security Management System The management system used to establish, implement, operate, monitor, review, maintain and improve information security within LBTH. Also referred to as ‘ISMS’.

Integrity The ability to safeguard the accuracy and completeness of information

ICT Information and Communication Technology

LBTH London Borough of Tower Hamlets

Physical Asset Any piece of equipment/hardware, software or service used to facilitate the usage of information assets

Risk Management Activities to direct and control an organisation with regard to risk

Risk Treatment Process of selection and implementation of measures to control risk

Security Control A means of managing risk through the application of policies, guidelines, practices and technology


Spyware Stand-alone programs that can secretly monitor system activity. These may detect passwords or other confidential information and transmit them to another computer.

Spyware can be downloaded from Web sites (typically in shareware or freeware), email messages, and instant messengers. A user may unknowingly trigger spyware by accepting an End User License Agreement from a software program linked to the spyware.

Threat A potential cause of an information security incident, which may result in harm to a system or organisation

Trojan Horse A program that neither replicates nor copies itself, but causes damage or compromises the security of the computer. Typically, an individual emails a Trojan Horse to you (it does not email itself), and it may arrive in the form of a joke program or software of some sort.

Virus A program or code that replicates; that is, infects another program, boot sector, partition sector, or document that supports macros, by inserting itself or attaching itself to that medium. Most viruses only replicate, though many do a large amount of damage as well.

Vulnerability A weakness of an asset or group of assets that can be exploited by one or more threats

Worm A program that makes copies of itself; for example, from one disk drive to another, or by copying itself using email or another transport mechanism. The worm may do damage and compromise the security of the computer. It may arrive in the form of a joke program or software of some sort.
