• No results found

Security Incident Management Policy

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Security Incident Management Policy"

Copied!
18
0
0

Loading.... (view fulltext now)

Download now ( 18 Page )

Full text

(1)

Document Version 2.4

Document Status Published Owner Name Martyn Ward

(2)

Document Control and Information

Status Approval Date Review Date

Published 27/01/2015 27/01/2016

Document Owner’s Name Job Title

Martyn Ward Head of ICT Business Delivery

Do not alter, copy, publish or distribute without the approval of the Document Owner

This instruction applies to:-

This document applies to all Councillors, Committees, Departments, Partners, Employees of the Council both permanent and temporary, contractual third parties and agents of the Council who use Oxfordshire County Council ICT facilities and equipment, or have access to or custody of, sensitive or personal information held by the County Council.

For Action by As above.

For Information As above.

Revision History

Version Date Author / Reviewer Notes

2.4 27/01/2015 IGG Approval.

2.4 20/01/2015 James Willoughby Further changes to content and layout following review by Information Services management.

2.3 07/01/2015 Maggie Donaldson Incorporating further changes after team discussion, including shorter title and incorporation into new layout

2.2 5/12/2014 Maggie Donaldson Further refinement after Karen Wilson reviewed, to ensure consistency of terminology Distribution and/or Publication

Location Date

(3)

Contents

1. Policy Statement ... 4

2. Purpose ... 4

3. Scope ... 4

4. Risks ... 4

5. Procedure for Incident Handling ... 5

6. Policy Compliance ... 5

7. Review and Revision ... 5

8. Definition ... 6

Appendix 1 – Process Flow; Reporting an Information or Personal Data Security Event or Weakness ... 7

Appendix 2 – Procedure for Incident Handling ... 8

Appendix 3 – Examples of Information and Personal Data Security Incidents ... 14

Appendix 4 – Report on an Information or Personal Data Security related incident . 15 Appendix 5 – Risk Impact Matrix ... 1

(4)

1. Policy Statement

The aim of this policy is to ensure that Oxfordshire County Council reacts

appropriately to any actual or suspected security incidents relating to information systems and personal data.

2. Purpose

Council staff, contractors and Councillors will be required to have access to the Council’s ICT systems, applications and equipment in the performance of their duties. For all users of the Council’s ICT facilities, this policy describes the Council’s requirements for security incident management.

3. Scope

This document applies to all Councillors, Committees, Departments, Partners, Employees of the Council both permanent and temporary, contractual third parties and agents of the Council who use Oxfordshire County Council ICT facilities and equipment, or have access to or custody of, sensitive or personal information held by the County Council.

Sensitive or personal data may be held by the County Council in electronic or paper format. It may also be communicated verbally. All media forms and methods of communication fall within the scope of this policy.

All users must understand and adopt use of this policy and are responsible for ensuring the safety and security of the Council’s systems and the information that they use or manipulate.

All users have a role to play and a contribution to make to the safe and secure use of technology and the information that it holds.

4. Risks

Oxfordshire County Council recognises that there are risks associated with users accessing and handling data and information in the conduct of official Council business.

This policy aims to mitigate risk by:

• Reducing the impact of data and information security breaches by ensuring incidents are followed up correctly.

• Identifying areas for improvement to decrease the risk and impact of future incidents.

• Lessening the likelihood of data and information security incidents by raising staff awareness and understanding.

(5)

5. Procedure for Incident Handling

If any Security event is detected, all users must:

• Immediately report it to the ICT Service Desk on 0845 052 1000 or internally 1000 so they can be assessed and investigated.

• Note the symptoms and any error messages on screen.

• Disconnect the workstation from the network if an infection is suspected (with assistance from the ICT Service Desk).

• Not use any removable media (for example USB memory sticks) that may also have been infected.

• If the Security event relates to paper or hard copy information, it must be reported to Senior Management within the Service Area and the Directorate Information Governance (IG) Lead for the impact to be assessed.

Some examples of security events can be found in Section 8, below.

ICT Services needs to identify when a series of events or weaknesses have escalated to become an incident and so it is vital to gain as much information as possible from the business users to identify if an incident is occurring.

For a flowchart of the process for incident handling, please see Appendix 1, and for full details, please refer to Appendix 2.

Where any member of staff wishes to raise concerns regarding poor practice around information systems or personal data, they must approach their line manage,

Directorate IG Lead or the ICT Information Services Manager.

Where any incident is of sufficient severity to notify the Information Commissioner’ Office (ICO), this should be informed by the Risk Matrix set out in Appendix 5. The decision to notify the ICO must be made by the Deputy Head of Law and Culture acting on advice from Head of ICT Services and the Council’s Data Controller.

6. Policy Compliance

If any user is found to have breached or disregarded this policy, they may be subject to Oxfordshire County Council’s disciplinary procedure. If a criminal offence is

considered to have been committed further action may be taken to assist in the prosecution of the offender(s).

If you do not understand the implications of this policy or how it may apply to you, seek advice from your line manager or your Directorate IG Lead.

7. Review and Revision

This policy, and all related appendices, will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

(6)

8. Definition

This policy needs to be applied to Information and Personal Data Security Incidents where information systems or data are suspected to be, or are actually affected by an adverse event.

An adverse event is one that has caused or has the potential to cause damage to an organisation’s assets, reputation and / or personnel.

An Information or Personal Data Security Incident could include, but is not restricted to, the following:

• The loss or theft of data or information or equipment in which sensitive or critical information is stored.

• The transfer of data or information to those who are not entitled to receive that information.

• Attempts (either failed or successful) to gain unauthorised access to data or information storage or a computer system.

• Changes to data or information or system hardware, firmware, or software characteristics without the Council's knowledge, instruction, or consent. • Unwanted disruption or denial of service to a system.

• The unauthorised use of a system for the processing or storage of data by any person.

• The unauthorised downloading of software or firmware using council equipment or networks

(7)

Appendix 1 – Process Flow; Reporting an Information or Personal

Data Security Event or Weakness

Service Area ICT Services

(8)

Appendix 2 – Procedure for Incident Handling

Reporting Procedures for all Employees

Please see Appendix 1 for a flow diagram illustrating the process to be followed when reporting information or personal data security events or weaknesses. To prevent further damage or risk to the Council, all users must:

• Immediately report it to the ICT Service Desk on 0845 052 1000 or internally 1000.

• Note the symptoms and any error messages on screen.

• Disconnect the workstation from the network if an infection is suspected (with assistance from the ICT Service Desk).

• Not use any removable media (for example USB memory sticks) that may also have been infected.

• If the Security event relates to paper or hard copy information (e.g. personal information files stolen from a filing cabinet), this must be reported to Senior Management within the Service Area and the Directorate IG Lead for the impact to be assessed.

The ICT Service Desk will require further information depending on the nature of the incident; including:

• Contact name and number of person reporting the incident (unless anonymity is requested).

• The type of data, information or equipment involved.

• Whether the loss of the data puts any person or other data at risk. • Location of the incident.

• Inventory numbers of any equipment affected. • Date and time the security incident occurred. • Location of data or equipment affected. • Type and circumstances of the incident.

Actions for Directorate IG Leads

Where the incident is a security weakness (e.g. a software malfunction) the Directorate IG Lead must:

• Take immediate steps to determine if there are risks to anyone else, for instance a service user or member of staff whose personal information may have been lost or mislaid.

• Ensure that the manager responsible for the information and/or persons involved in the breach have been made aware of the incident.

(9)

• Work with the manager and team as applicable to determine exactly what happened to trigger the incident, why it happened and how a similar incident can be avoided in future.

Within 2 working days - Produce an initial report on the nature, seriousness of and reason for the incident; it must be sent to the ICT Service Desk quoting the incident reference number.

Within 5 working days - Produce a final report using the form at Appendix 4; it must be sent to the ICT Service Desk quoting the incident reference number.

Actions for ICT Support Staff

All users must report an information or personal security event to the ICT Service Desk immediately they become aware of it.

The ICT Service Desk must:

• Inform the ICT Duty Manager and / or ICT Senior Manager as quickly as possible.

• Follow the incident response and escalation procedure as described in the ICT Services Information Security Incident Handling Process.

Where an incident becomes service affecting it must be reported to the ICT

Information Services Manager and/or the Information Governance and Compliance Manager.

Management of Information and Personal Data Security Incidents and Improvements

To ensure a consistent approach across the Council all Security Incidents will be handled in accordance with the procedures in this document.

The Head of ICT Business Delivery is responsible for managing and coordinating the response to personal data security breaches. Lead officers in the directorates and other managers and staff are required to cooperate and prioritise any request for assistance from ICT Services in the discharge of this responsibility.

(10)

Collection of Evidence

If an incident requires information to be collected for an investigation, strict rules must be adhered to.

The collection of evidence for a potential investigation must be approached with care.

Internal Audit must be contacted immediately for guidance and strict processes must be followed for the collection of forensic evidence. Where evidence collection

involves a member of staff’s account, HR approval must be sought.

If in doubt about a situation, for example concerning computer misuse, contact your line manager or another manager within your Service, or the ICT Service Desk, for advice.

Responsibilities and Procedures

The ICT Service Desk Duty Manager working in conjunction with an ICT Senior Manager must decide when events are classified as an incident and determine the most appropriate response.

The incident management process includes details of:

• Identification of the incident, analysis to ascertain its cause and vulnerabilities it exploited.

• Limiting or restricting further impact of the incident. • Tactics for containing the incident.

• Corrective action to repair and prevent reoccurrence. • Communication across the Council to those affected.

The process also refers to the collection of any evidence that might be required for analysis as forensic evidence. The specialist procedure for preserving evidence must be carefully followed.

The actions required to recover from the security incident must be under formal control. Only identified and authorised staff should have access to the affected systems during the incident and all of the remedial actions should be documented in as much detail as possible.

The officer responsible for an incident should risk assess the incident based on the Risk Impact Matrix (please refer to Appendix 5). If the impact is deemed to be high or medium this should be reported immediately to the Head of ICT Business

Delivery.

Learning from Information and Personal Data Security Incidents

Post Incident Reviews are conducted; these enable the Council to learn and to improve its procedures. To do this these details must be retained:

• Types of incidents.

(11)

• Costs incurred during the incidents.

Any changes to the process made as a result of any Post Incident Review are formally noted.

The information is collated and reviewed by ICT Services Management on a regular basis and any patterns or trends identified

Where appropriate the Deputy Head of Law and Culture will share the information with the Warning, Advice and Reporting Point (WARP) to aid the alert process for the region.

When to Notify Individuals, Other organisations and the Information Commissioner

Informing people and organisations about data security breaches must serve a clear purpose to inform and protect. Informing people about a breach is not an end in itself.

The following guidance should be followed:

Step Description

1

Are there any legal, contractual or service requirements that apply? At present, there is no law expressly requiring that a breach should be notified but the individual circumstances need to be considered

2 Can notification help meet security obligations with regard to the 7th Data Protection principle?

3 Can notification help the individual i.e. to protect them now or at some point in the future

4

If a large number of people are affected and/or there are likely to be serious consequences, then the Information Commissioner should be informed

5 Notifications should be appropriate to the group concerned

6 Be wary of the dangers of ‘over notifying’ as too wide a notification may cause disproportionate enquiries and work

Who to Notify and How to Notify

How to notify will depend on the nature of the breach but it is important to give proper consideration to who to notify, what they will be told and how the message will be communicated. The following guidance from the Information Commissioner should be followed:

(12)

• Consider the security and the urgency of the situation when deciding on the medium for notification.

• Any notification should include at least a description of the how the breach occurred and what data was involved. Details of the response made to contain and address risks should be given.

• When notifying individuals, advice should include steps the individual could take to protect themselves and any further assistance that can be provided. • Provide contact details.

Notifying the Information Commissioner’s Office (ICO)

From data protection and electronic communications to freedom of information and environmental regulations - the ICO is the UK's independent public body set up to protect personal information and promote public access to official information. Full guidance is available on the ICO website and this should be consulted for the latest updates:

http://www.ico.gov.uk/home

If a large number of people are affected by a breach of a personal data security, or there are likely to be very serious consequences for individuals, the Council is required to contact the ICO.

When notifying the Information Commissioner, the following must be included; • Details of the security measures in place at the time the breach occurred. • Details of any information provided to the media.

Any decision to notify the Information Commissioner; should be informed by the Risk Matrix set out in Appendix 5. The decision to notify the Information Commissioner must be made by the Deputy Head of Law and Culture acting on advice from Head of ICT Services and the Council’s Data Controller.

Notifying the Department of Health

Since June 2013 any public body with adult social care responsibility must notify certain serious breaches to the Department of Health. More information can be found at the Health and Social Care Information Centre website.

Roles and Responsibilities - Within ICT Services

• Principal Support Analysts take control of any data security breach reported via the ICT Service Desk.

• ICT Senior Management Team takes charge of the containment, assessment and communication of any breach.

• Head of ICT Business Delivery is responsible for the Council’s response to any reported data security breach.

(13)

Roles and Responsibilities – Outside ICT Services

• All users must follow instructions and must report any actual or suspected data security breach to the ICT service desk.

• Line managers must apply procedures and ensure systems are in place to support their staff who need to report a Data Security Breach and help them to obtain answers to any questions they may have.

• Directorate Information Governance (IG) Leads must act as the liaison, information and communication point for all data security breaches within their Directorate.

• Assistant Head of Law and Governance must decide on whether the Information Commissioner should be informed about any Data Security breach and acts as Data Controller for the County Council and provides advice on contractual obligations for data security.

• Head of Internal Audit must provide a representative to participate in formal reviews of Data Security Breaches.

(14)

Appendix 3 – Examples of Information and Personal Data Security

Incidents

Examples of the most common Information and Personal Data Security Incidents are listed below. It should be noted that this list is not exhaustive.

• Giving data or information to someone who should not have access to it - verbally, in writing or electronically.

• Computer infected by a Virus or other malware.

• Sending a sensitive e-mail to unintended recipients by mistake. • Receiving unsolicited mail of an offensive nature.

• Receiving unsolicited mail which requires you to enter personal data. • Receiving and forwarding chain letters – including virus warnings, scam

warnings and other emails which encourage the recipient to forward onto others.

• Unknown people asking for information which could gain them access to council data (e.g. a password or details of a third party).

• ‘Blagging’ offences where data is obtained by deceit.

• Use of unapproved or unlicensed software on Oxfordshire County Council equipment.

• Printing or copying confidential information or personal data and not storing it correctly or confidentially.

• Theft / loss of a hard copy file.

• Theft / loss of any Oxfordshire County Council computer equipment. • Theft / loss of personal data.

• Access violations – e.g. password sharing or writing a password down where someone else may find and use it.

• Non-compliance with policies.

• Systems being hacked or manipulated; including:

o Finding data that has been changed by an unauthorised person. o Uncontrolled system changes.

• Inadequate firewall or antivirus protection. • System malfunctions or overloads.

(15)

Appendix 4 – Report on an Information or Personal Data Security

related incident

Date & time of Incident: ICT Service Desk Call No:

Service area:

Was personal data involved: Assessed Impact Level (see Security Incident Management Procedure Appendix 5 for guidance):

Description of incident:

Findings of investigation into incident:

Assessment of reason for incident (please highlight) Human error Lack of training Theft of equipment

/ data

Process / practice issue

Technical failing Loss of equipment or data

Misuse of

equipment / data

Actions taken to mitigate incident and prevent similar future incidents:

If personal data involved, were the data subjects told of the incident:

Name: Service

Area/Directorate:

Date:

(16)

Type of Impact Reputational Media and Member Damages Reputational Loss within Government and / or Failure to Meet Statutory / Regulatory Obligations Contractu al Loss Failure to meet Legal Obligations Financial Loss / Commercial Confidential ity Loss Disruption to Activities Personal Privacy Infringement Low

None None None None None None None

(17)
(18)

Term Definition

Data “Data” are raw facts. This would include for example Dates of Birth, phone numbers, addresses, etc. Data is always correct although it can be erroneously recorded and can also change over time.

Please note that a different definition applies to Personal Data and Sensitive Personal Data as defined under the Data Protection Act 1998. Please see the definitions below.

Information “Information” is the organisation and/or capture of data and/or

knowledge in a meaningful manner. This would include, for example, a written report, an email, a spreadsheet etc.

Information can be wrong. Information captures data at a single point and as data can be erroneously recorded or can change over time, information is not always an accurate reflection of data.

Information Asset

“Information Asset” is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

Information Governance

References

Download now ( PDF - 18 Page - 199.70 KB )

Related documents

Incident Reporting and Management Policy

As there is no simple definition for an IG a serious incident, the IG team will quality check daily CCG incidents recorded on SIRMS to determine if the

Policy Name. Completed

As there is no simple definition for an IG a serious incident, the IG team will quality check daily CCG incidents recorded on SIRMS to determine if the recoded incident is

PCT Incident Reporting and Management Policy

Incident Reporting and Management Policy Page 15 of 25 There is no simple definition for an IG a serious incident, the IG team will quality check daily CCG

CCG C008 Incident Management Policy

As there is no simple definition for an IG a serious incident, the IG team will quality check daily CCG incidents recorded on SIRMS to determine if the recoded incident

Stellenbosch University. Information Security Regulations

Risk Management Committee Information Security Management Committee Information Security Incident Response Team Cross-cutting, institutional committees Information

Office of Inspector General

The Order required IndyMac to (1) retain tier 1 core capital of 7 percent and total risk based capital of 13 percent at December 31, 2008, (2) accept no new loans in its retail

Elective Care Guide. Referral to Treatment Pathways: A Guide for Managing Efficient Elective Care. Second edition (January 2014)

Below is a suggested list of tasks relating to the management of the admitted patient tracking list (PTL) and admissions processes that staff should be aware

This document contains four General Surgery placement descriptions:

We provide an extensive range of acute medical services at Basildon and Orsett Hospitals, plus x-ray and blood testing facilities at the St Andrew's Centre in