• No results found

28400 POLICY IT SECURITY MANAGEMENT

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "28400 POLICY IT SECURITY MANAGEMENT"

Copied!
7
0
0

Loading.... (view fulltext now)

Download now ( 7 Page )

Full text

(1)

Version: 2.2

Last Updated: 30/01/14 Review

Date:

27/01/17

ECHR

Potential Equality Impact Assessment:

Low

1. About This Policy

1.1. The objective of this policy is to provide direction and support for IT Security in accordance with business requirements and relevant laws and regulations.

1.2. This policy outlines Hampshire Constabulary’s approach to the protection of its IT infrastructure. This policy is intended to prevent major and widespread damage to Constabulary assets such as the network, user applications, files, and hardware. 1.3. The policy applies to all Hampshire Constabulary staff

(permanent and temporary personnel), contractors and third parties with contractual obligations to maintain Force IT systems.

2. General Principles

2.1. Information systems represent essential core assets to the daily operation of the Constabulary. Availability, performance and security of the network including its computers and systems are key to service delivery.

2.2. New viruses represent a continual threat, requiring continual research to plan proactive measures against them.

2.3. Information systems are subject to the discovery of operating system or application vulnerabilities and the subsequent emergence of exploits of such vulnerabilities which have the potential to cause disruption or damage to those systems.

2.4. Hampshire Constabulary recognises that there may be legitimate business needs for members of the Constabulary and other third parties to be able to access information systems on the

Constabulary’s network from remote locations that are not linked directly to the network.

(2)

3.1.

Asset Management

3.1.1. Responsibilities for assets

3.1.2. Objective – To achieve and maintain appropriate protection of Hampshire Constabulary assets Inventory of

assets Control

All assets shall be clearly identified and an inventory of all information security assets drawn up and maintained.

Ownership of

assets Control

All information and assets associated with information processing facilities shall have nominated Information Asset ‘Owners’. Acceptable use

of assets Control

Rules of acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented in the form of Security Operating Procedures (SyOPs).

3.2.

Communications and Operations Management

3.2.1. Operational Procedures and Responsibilities

3.2.2. Objective – To ensure the correct and secure operation of information processing facilities

Documented operating procedures

Control

Operating procedures shall be documented, maintained and made available to all users who need them.

Change

management Control

Changes to information processing facilities and systems shall be controlled.

Segregation of

duties Control

Duties and areas of responsibility shall be segregated to reduce opportunities for

(3)

development, test and operational facilities

Development, test and operational facilities shall be separated to reduce the risks of unauthorised access or changes to the operational system.

3.2.3. Third Party Service Delivery Management

3.2.4. Objective - to implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

Service

delivery Control

It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party.

Monitoring and review of third party services

Control

The services, reports and records provided by third party shall be regularly monitored and reviewed, and audits shall be carried out regularly. Managing changes to third party services Control

Changes to the provision of services, including maintaining and improving exiting information security policies, procedures and controls, shall be managed, taking into account of the

criticality of business systems and processes involved and re-assessment of risks.

Remote Access Control

Remote access by third parties will be uniquely identified, subjected to robust risk analysis and supported via contracts between the

Constabulary and the third party. All request for remote access will be authorised by the Sy&IA Unit.

3.2.5. System Planning and Acceptance

3.2.6. Objective – to minimise the risk of systems failures Capacity

management Control

(4)

and projections made of future capacity requirements to ensure the required system performance.

System

acceptance Control

Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance. 3.2.7. Protection Against Malicious and Mobile code

3.2.8. Objective – to protect the integrity of software and information.

Controls against

malicious code Control

Detection, prevention and recovery controls to protect against malicious code and appropriate user awareness procedures shall be

implemented, these will include the provisions to detect, remove and protect against viral

infections.

All computers connected physically or remotely to the Hampshire Constabulary network will have anti-virus software correctly installed,

configured, activated, and up-dated with the latest version of virus definitions.

Controls against

mobile code Control

Where the use of mobile code is authorised, the configuration shall ensure that the authorised mobile code operates according to a clearly defined security policy, and unauthorised mobile code shall be prevented from executing.

Patch

Management Control

Critical system updates will be deployed as soon as practicable, after an assessment of risks and ensuring patch stability.

Where patching of the infrastructure us not a viable option other security measures will be sought.

3.2.9. Back-up

(5)

Information

back-up Control

Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy.

3.2.11. Network Security Management

3.2.12. Objective – to ensure the protection of information in networks and the protection of the supporting

infrastructure. Network controls Control

The network will be adequately managed and controlled in order to be protected from threats and to maintain security for the systems and applications using the network, including information in transit.

Security of

network services Control

Security features, service levels and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced. 3.2.13. Media Handling

3.2.14. Objective – to prevent unauthorised disclosure, modification, removal or destruction of assets and interruption to business activities.

Management of removable media

Control

There shall be documented procedures in place for the management of removable media. Disposal of

media Control

Media shall be disposed of securely and safely when no longer required, using formal

procedures. Information

handling procedures

Control

Procedures for the handling and storage of information shall be established to protect this information from unauthorised disclosure or misuse.

Security of

(6)

documentation System documentation shall be protected against unauthorised access.

3.2.15. Exchange of Information

3.2.16. Objective – To maintain the security of information and software exchanged within Hampshire Constabulary and with any external entity.

Information exchange policies and procedures

Control

Formal exchange policies, procedures and

controls shall be in place to protect the exchange of information through the use if all types of communication facilities.

Information Sharing agreements

Control

Agreements shall be established for the

exchange of information and software between Hampshire Constabulary and external parties. Physical media

in transit Control

Media containing information shall be protected against unauthorised access, misuse or

corruption during transportation beyond

Hampshire Constabulary’s physical boundaries. Electronic

messaging Control

Information involved in electronic messaging shall be appropriately protected.

Business information systems

Control

Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems

4. Implications Of The Policy

4.1. The implementation of the required information security standards will incur substantial resource implications for the Hampshire Constabulary. The cost of physical and technical security controls required for new initiatives will be included in their procurement.

(7)

5.1. Monitoring for compliance with this policy is the responsibility of the Joint Information Management Unit. The Force Information Security Policy and associated documents are independently evaluated by the CJX / Airwave Accreditor as part of the annual process for seeking to renew the Force’s Codes of Connection to those national services.

6. Review

6.1. This policy and all associated documents will be every three years or more frequently as deemed necessary.

7. Other Related Policies, Procedures And Information

Sources

7.1. 06100 Policy - Information Security 7.2. AD203 Equality Impact Assessment 7.3. Information sources:

HMG IA Standards

CESG Good Practice Guides Security Policy Framework ISO 27001

References

Download now ( PDF - 7 Page - 34.52 KB )

Related documents

Overcoming the odds: Exploring barriers and motivations for male trainee primary teachers

Three themes also emerged as motivators for the participants that enabled them to overcome the barriers they faced and experience resilience, these were perceiving the profession as

NACIR New Applications for CPV's: A fast way to improve reliability and technology progress

Banda “Energy Losses Estimation for CPV Plants”, 6th International Conference on Concentrating Photovoltaic Systems, Freiburg, April 2010. 35 th

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT

The CCG has provided sufficient evidence that a formal information security risk assessment and management programme for key Information Assets has been documented, implemented

Richard Gadsden Information Security Office Office of the CIO Information Services

MUSC's Security Policies ➲ Computer Use Policy (updated) ➲ Information Security Policies (new) ●

G r a p h i c a l A p p l i c a t i o n D e v e l o p m e n t w i t h B o n i t a S t u d i o

When the fields of the Form(s) for a step are defined, a default page template is generated by Bonita Open Solution and linked with an html file that directs how the Form is to be

Governance and Management of Information Security

<University>'s current business strategy and framework for risk management are the guidelines for identifying, assessing, evaluating and controlling information related

7tipsforsofter. lookinglight. Beginners Digital Photography - Tutorial 03. Making Photography Easier. www. DIGITAL Beginners.com

This softens the light as it travels through the thin tissue paper and lets light reflect back from the white inside, softening the shadows even fur ther and making the colours

ISO/IEC 27001:2013 Thema Änderungen der Kontrollen der ISO/IEC 27001:2013 im Vergleich zur Fassung aus 2005 Datum

A.5.1 Management direction for information security A.5.1 Information security policy A.5.1.1 Policies for information security A.5.1.1 Information security policy document