Information Systems (IS) Visiting Worker Information Security Policy


Reference: AFBI POL 02/09

Date: 25 March 2009

Version: 1.0

1 INTRODUCTION

2 POLICY OBJECTIVE

3 SCOPE OF THIS POLICY

4 VISITING WORKER INFORMATION SECURITY POLICY

4.1 Policy Status

4.2 Visiting Worker Information Pack (VWIP)

4.3 Supporting Security Procedures

5 VALIDITY OF THIS POLICY

6 CURRENT POST HOLDERS - DECEMBER 2008

7 Further Information

1 INTRODUCTION

The Agri-Food & Biosciences Institute (AFBI)'s declared intent to be innovative and entrepreneurial means that it is constantly seeking to expand its work programmes and forge new partnerships with other scientific institutes and research bodies. This results in the need for flexibility in offering visitor work or study positions to non-AFBI staff and providing these individuals with a range of AFBI IT network services commensurate with legitimate business need. Visiting workers coming to work or study in AFBI fall into two categories:

1. those with a UK address for a minimum of 3 years within the last 5 years, for whom it is possible to seek Baseline Standard security clearance through AccessNI;

2. those for whom Baseline Standard security clearance cannot be obtained, mostly because they haven't been in the UK for a minimum of 3 years within the last 5 years and the requisite AccessNI disclosure service only provides details of offences committed in the UK.

In the latter case, it is the responsibility of the employer or hosting organisation to consider and evaluate the risks involved.

Many countries allow their citizens to obtain certificates of good conduct or extracts from their criminal records; these could be provided to employers or hosting organisations. However, the level of information disclosed in this way varies from country to country and it is difficult to confirm that it is genuine or complete. Such certificates should be treated with caution and should form part of a portfolio of supporting documentation that collectively seeks to establish that the individual is who they claim to be, that they are of good character and that they have the right to work in the UK.

This document defines the Visiting Worker Information Security Policy (VWISP) for the Agri-Food & Biosciences Institute (AFBI) network. This policy establishes the supplementary security responsibilities for information security in respect of authorised users who do not have Baseline Standard security clearance. The establishment of, and adherence to, a VWISP is an essential component for ensuring the security of AFBI’s business in respect of authorised visiting (non-AFBI) workers who for legitimate practical reasons do not have Baseline Standard security clearance.

This VWISP applies to all business functions within the defined scope and covers all information systems which support those business functions. It has been developed in line with the provisions of HMG incorporating BS ISO/IEC 27001.

This policy is not protectively marked on the grounds that it contains no protectively marked information or any facts which could compromise information systems security.

Information processed, stored and transmitted by AFBI Information Systems has been assigned a protective marking of RESTRICTED. The network itself therefore attracts a protective marking of RESTRICTED.

Specific policy requirements are given in detail later in this document.

2 POLICY OBJECTIVE

The objective of this policy is to ensure adequate security of AFBI’s information systems, all of which adhere to AFBI’s overriding business objectives, particularly:

• To preserve Confidentiality by protecting assets against unauthorised disclosure

• To preserve Integrity by protecting assets from unauthorised or accidental modification

• To retain Availability by ensuring that assets are available as/when required

The fundamental issue is that of managing risk to the organisation's IT assets whilst seeking to facilitate legitimate business need. The need to be mindful of equality, equal opportunity and human rights legislation has allowed some flexibility providing adequate safeguards are in place.

3 SCOPE OF THIS POLICY

This policy is owned by AFBI and applies to all authorised visiting (non-AFBI) workers whose duties require access to AFBI IT network services and who, for legitimate practical reasons, do not have Baseline Standard security clearance.

This policy aims to achieve a comprehensive and consistent approach to the granting of access to AFBI IT network services to visiting workers who have the necessary authority based on risk assessments and other information as contained in the visiting worker information pack (Appendix A).

An “authorised user” of AFBI Information Systems is defined as any AFBI staff member or contracted other who has approval to access AFBI IT network services to input, store or process information. All authorised users shall have Baseline Standard security clearance as defined in the HMG Manual of Protective Security (MPS), or shall be compliant with the AFBI Visiting Worker Information Security Policy (this document).

4 VISITING WORKER INFORMATION SECURITY POLICY

The overall AFBI Information Security Policy statement is:

“AFBI’s information systems will be available when needed, will be accessed only by legitimate users and will contain complete and accurate information. The information systems will also be able to withstand, or recover from, threats to their confidentiality, integrity and availability.”

To satisfy this overall policy statement, AFBI will implement security measures, commensurate with the value of AFBI’s assets, to protect its information systems with priority given to those systems which are considered to be critical to the business.

The following statements constitute the agreed protocol in respect of authorised visiting (non-AFBI) workers whose duties require access to AFBI IT network services and who, for legitimate practical reasons, do not have Baseline Standard security clearance.

4.1 Policy Status

This policy is subservient to the AFBI Information Security Policy.

4.2 Visiting Worker Information Pack (VWIP)

The VWIP shall be completed at Branch level for each visiting worker. The completed VWIP shall be approved at Divisional level and submitted to the Security Manager where possible at least four weeks in advance of the intended start date.

The term ‘AFBI Host Manager’ is used extensively in this document and is taken to mean a senior line manager within the Branch which is hosting the visiting worker. Here "senior" refers to Senior Scientific Officer/Deputy Principal or above.

The AFBI Host Manager shall take lead responsibility for completion and maintenance of the VWIP. The Security Manager shall, upon receipt of a completed and approved VWIP, make suitable arrangements for the granting of access to AFBI IT resources and network services in respect of the visiting worker. This shall include instructions for completion of the user account request form and confirmation of automatic system monitoring of the specific user account and any reasonable additional restrictions that, in the opinion of the Security Manager, should apply based on information contained in the completed VWIP. The Security Manager shall confirm these arrangements, in writing, to the AFBI Host Manager. Responsibility for ensuring that the visiting worker abides by any restrictions applied to them remains with the AFBI Host Manager.

All staff will be made aware of the contents and implications of the VWIP.

4.3 Supporting Security Procedures

AFBI Human Resources shall seek, in advance, a letter on headed paper direct from the sponsoring institution/university giving full details on the visiting worker and the work that is to be undertaken.

AFBI Human Resources shall seek, in advance, a copy of the page of the passport containing a photograph of the visiting worker.

AFBI Human Resources shall check the passport and other documentation pertinent to the visiting worker (e.g. work permit, insurance, qualifications, visa, police report) on arrival.

AFBI Human Resources shall issue the visiting worker with an appropriate work pass on arrival.

AFBI Human Resources shall retain copies of any supporting security documentation and confirm these as seen in the VWIP.

The AFBI Host Manager shall immediately inform the Security Manager, in writing, when IT access in respect of the visiting worker is no longer required. Upon receipt of this notification, the Security Manager shall arrange for the withdrawal of access to AFBI network services in respect of the visiting worker. The Security Manager shall confirm these arrangements, in writing, to the AFBI Host Manager.

4.4 Sanctions

All users must be informed that irresponsible or improper actions which breach this policy, or any other AFBI policies, frameworks or security operating procedures (SYOPS), may result in disciplinary action.

The Security Manager shall, at any time and pending further investigation, invoke procedures to immediately suspend IT access services in respect of the visiting worker, where it is reasonably suspected that a security breach may have occurred.

Where a user is found to have broken the law then the matter will be reported to, and dealt with by, the appropriate authorities.

5 VALIDITY OF THIS POLICY

This policy is reviewed annually by the AFBI Accreditor acting under the authority of the Senior Information Risk Owner (SIRO). Associated information security standards are subject to an on-going development and review programme.

6 CURRENT POST HOLDERS - DECEMBER 2008

Senior Information Risk Owner (SIRO): George McIlroy, AFBI CEO

Senior Responsible Owner (SRO): David Armstrong, AFBI Head of ICT

Accreditor: David Kilpatrick, AFBI Head of Biometrics & Information Systems

Security Manager: John Ward, AFBI Business Systems IT Manager

7 FURTHER INFORMATION

APPENDIX A: VISITING WORKER INFORMATION PACK (VWIP)

To be completed and submitted in accordance with the current AFBI Visiting Worker Information Security Policy, where possible at least four weeks in advance, when requesting access to AFBI IT network services.

AFBI Host Manager shall email VWIP with Parts 1 & 2 completed to AFBI HR (Roisin Meehan) and shall follow up with signed paper copy of relevant page.

1. ADVANCE NOTIFICATION (to be completed by AFBI Host Manager)

Name (in capitals):

Nationality:

Intended Start Date:

Projected End Date:

AFBI Host Division:

VISITING WORKER

AFBI Site at which based:

Brief details about:

a. the visiting worker (incl. sponsoring institution/university, previous employment/study, qualifications)

b. the work to be undertaken (incl. location, purpose, competences/proficiencies needed)

c. AFBI IT network services required (e.g. internet, email, applications)

d. reporting lines, level of supervision, pattern of work

2. DECLARATION (to be completed by Visiting Worker in advance of visit)

I agree to adhere to this policy (including any reasonable additional restrictions that, in the opinion of the Security Manager, should apply based on information contained in the completed VWIP) and understand the consequences of violating the policy (see Sanctions 4.4).

Signature: Date:

AFBI HOST MANAGER: (name in capitals) (signature) (date)

AFBI HEAD OF BRANCH: (name in capitals) (signature) (date)

AFBI HEAD OF DIVISION: (name in capitals) (signature) (date)

AFBI HR shall email VWIP with Parts 1, 2 & 3 completed to AFBI Security Manager (John Ward).

3. SUPPORTING SECURITY DOCUMENTATION (to be confirmed as seen by AFBI Human Resources)

Document (name in capitals) (signature) (date)

Letter on headed paper direct from sponsoring institution/university, in advance

Copy of passport page containing photograph, in advance

Passport, on arrival

Certificate of good conduct or similar obtained from country’s representative in UK

Other relevant documentation (e.g. work permit, insurance, qualifications, visa, police report) – specify below:

AFBI Security Manager shall email VWIP with Parts 1, 2, 3 & 4 completed to AFBI Host Manager.

4. IT ARRANGEMENTS (to be completed by AFBI Security Manager)

Account Issued: (name in capitals) (signature) (date)

Account Terminated: (name in capitals) (signature) (date)

Confirmation of IT resources and network services made available to the user, including terms of usage

AFBI Host Manager shall email VWIP with Parts 1, 2, 3, 4 & 5 completed to AFBI HR (Roisin Meehan) and shall follow up with signed paper copy of page with Part 5. AFBI HR shall then arrange for Parts 3 & 4 of the VWIP to be fully signed and shall retain the original complete document.

5. DECLARATION (to be completed by Visiting Worker on provision of access to AFBI IT network services)

I agree to adhere to the IT arrangements detailed above and understand the consequences of violating them (see Sanctions 4.4).

Signature: Date:
