Information & ICT Security Policy Framework

Version Control

Date | Version | Comments
November 2011 | 1.0 | First draft for comments to IT Policy & Regulation Group and IMG
January 2012 | 1.1 | Updated version following comments received. Added in diagrammatic framework to Appendix A
June 2012 | 1.1 | Approved at Chief Officer Group

Table of Contents

1. Introduction
2. Objectives
3. Scope
4. Internal Organisation
5. Principles
5.1. ISO 27001
5.2. Government Connect Secure Extranet (GCSx)
5.3. Payment Card Industry Data Security Standards (PCI DSS)
5.4. HM Government Security Policy Framework
6. Legal Compliance
6.1. Software Licensing
6.2. Material Subject to Copyright
7. Hardware Asset Management
7.1. Hardware Acquisition
7.2. Hardware Maintenance
7.3. Hardware Movements
7.4. Hardware Disposal
8. Policy Compliance
9. Governance and Review

1. Introduction

The increasing use of Information and Communication Technology and the development of information strategies to support the process of providing effective services make it necessary to take appropriate action to ensure that these systems are developed, operated and maintained in a safe and secure manner.

Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means. Whatever form the information may take, or means by which it is shared or stored, it should always be appropriately protected.

Information is an asset that, like other important business assets, has value to an organisation and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimise business damage and maximise return on investments and business opportunities.

2. Objectives

This document presents the Council’s overarching Information & ICT Security Policy Framework and governance arrangements in place. A diagrammatic representation of the framework can be found in Appendix A.

The main objectives of this document are to protect the Council’s information through clear direction and guidance:

• To ensure the integrity and accuracy of the Council’s information and systems
• To minimise the risk of business damage caused by security incidents
• To ensure that confidentiality of personal and other sensitive information is assured
• To ensure all legislative and regulatory requirements are met
• To ensure that the Council’s Information Technology is used responsibly, securely and with integrity at all times
• To create a level of awareness throughout the Council of the need for information security to be an integral part of the day-to-day operation of Council business
• To ensure all policies and guidelines that form part of the Information and ICT Security Policy Framework take account of the Council’s Codes of Conduct and Equality Policy, including:

o Duty of Fidelity – includes actions or omissions which could damage the business prospects or reputation of the Council or in any way bring the Council into disrepute.

o Duty of Care – is defined as carrying out your particular occupation using the skills, ability and knowledge (for which you are employed) in the best interest of the Council, and using Council equipment and resources with proper regard.


3. Scope

The Council’s Information and ICT Security Policy Framework applies to all users granted access to the Council’s network, information and systems.

4. Internal Organisation

The Council has a management framework to initiate and control the implementation of information security within the organisation in line with the corporate aims and objectives. The IT Policy & Regulation Group is responsible for:

• Developing and producing policy and procedures in relation to Information and Communication Technology management and governance across the authority.
• Discussing and planning for the effects of changes in legislation/regulations in relation to ICT.

Outcomes from the IT Policy & Regulation Group are reported to the Information Management Group (IMG).

The Information Management Group (IMG) is made up of departmental representatives from across the council. The remit of the group is to enable a co-ordinated and multi-disciplinary approach to the management of information throughout their departments.

5. Principles

The principles of Information Security applied by St Helens Council are based on the following:

5.1. ISO 27001

ISO 27001 is the international best practice standard for the management of Information Security. The standard ensures that adequate and proportionate security controls are in place.

5.2. Government Connect Secure Extranet (GCSx)

In order to be connected to GCSx, the Council must comply with a Code of Connection (CoCo), which sets out the minimum security requirements to ensure that the government networks are not compromised by the connection to local authorities’ networks. The minimum standards must be maintained at all times. An external audit will be undertaken annually in order to ensure ongoing compliance.

Users of the GCSx will be required to sign the Council’s GCSx Personal Commitment Statement before being granted access.

5.3. Payment Card Industry Data Security Standards (PCI DSS)


5.4. HM Government Security Policy Framework

As an important reference point, the HMG Security Policy Framework contains the primary internal protective security policy and guidance on security and risk management for HM Government Departments and associated bodies. It is the source on which all localised security policies should be based. The framework also provides technical information, advice and guidance to support implementation of the policy requirements.

6. Legal Compliance

The following key statutory legislation governs aspects of the Council’s information security arrangements:

Legislation | Areas Covered
The Freedom of Information Act 2000 | Public access to Council information
The Human Rights Act 1998 | Right to privacy and confidentiality
The Electronic Communications Act 2000 | Cryptography, electronic signatures
The Regulation of Investigatory Powers Act 2000 | Hidden surveillance of staff
The Data Protection Act 1998 | Protection and use of personal information
The Copyright Designs and Patents Act 1988 | Software piracy, music downloads, theft of Council data
The Computer Misuse Act 1990 | Hacking and unauthorised access
The Environmental Information Regulations 2004 | Public access to Council information related to the environment
The Re-use of Public Sector Information Regulations 2005 | The Council’s ability to sell certain data sets for commercial gain
Equality Act 2010 | Right to equality covering age, disability, gender identity and gender reassignment, race, religion or belief, sex, sexual orientation, marriage and civil partnerships and pregnancy and maternity
Privacy and Electronic Communications Regulations | Covers rights over electronic marketing and regulation of the telecommunications industry

Data protection and privacy must be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses. Key records must be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business


6.1. Software Licensing

The Council uses software in all aspects of its business to support the work carried out by its employees. In all instances every piece of software is required to have a licence and the Council will not condone the use of any software that the Council is not officially licensed to use. Computer software must be purchased through Council’s procurement system, or approved by the IT section.

Shareware, Freeware and Public Domain Software are bound by the same policies and procedures as all other software. No user may install any free or evaluation software onto the Council’s systems without prior approval from Business IT.

Employees must not make copies of computer software owned by the Council for private use including Programme Code written within the IT Development environment. Misuse of the Council’s software in this manner will result in disciplinary action.

6.2. Material Subject to Copyright

Users must not, under any circumstances, store any material or electronic content which the Council does not have a legitimate right to own or use. For example, this includes music, videos, etc.

7. Hardware Asset Management

7.1. Hardware Acquisition

All computer hardware must be purchased in accordance with the Council’s Financial Instructions.

7.2. Hardware Maintenance

Maintenance of IT equipment must only be undertaken by Business IT, or a contractor approved by Business IT. All maintenance requests and fault reporting must be made to the IT Service Desk.

All items of equipment must be recorded on an inventory in line with the Council’s Financial Instructions.

7.3. Hardware Movements

The IT Service Desk must be notified of all movement of hardware equipment (with the exception of mobile devices being taken off premises for work purposes). No IT equipment should be disconnected or removed, except by Business IT or a contractor approved by Business IT.

Employees must not take equipment, data or software off-site without prior approval from their manager.

7.4. Hardware Disposal


A call must be logged with Business IT via the IT Service Desk on ext. 6525 or via the IT Service Desk Portal, who will arrange for the secure recycling or disposal of the equipment.

8. Policy Compliance

All requests for changes to this policy must be tested against the Code of Connection. Any change that does not conform to the Code of Connection will not be accepted.

ICT contracts with external organisations must include requirements to comply with this Policy and should include relevant paragraphs provided by the Council’s Legal Services. Wherever there is the potential for the sharing of the Council’s client information, adequate arrangements must be made to create Information Sharing Protocols and where appropriate these should be embedded into Agreements / Contracts with external providers for the security of data and its appropriate disposal.

Failure to comply with the provisions of this policy or related documents may lead to disciplinary action and / or criminal proceedings. If you do not understand the implications of this policy or how it may apply to you, please seek advice from Internal Audit (Regulation and Compliance).

9. Governance and Review

The IT Policy and Regulation Group will develop, create and maintain the Information and ICT Security Policy Framework and related policies and procedures.


Appendix A - St.Helens Council Information & ICT Security Policy Framework

N.B: Policies in red are currently being revised/developed

[Diagram: St.Helens Council Information & ICT Security Policy Framework. The diagram groups policies under the headings Corporate Information & ICT Security, User Information & ICT Security and Operational Information & ICT Security. Policies shown in the diagram are listed below.]

• Data Protection Policy
• Information Management Policy
• PCI DSS Policy Statement
• Internet and Email Acceptable Use Policy
• Access Control Policy
• Freedom of Information Policy
• Removable Media Policy
• Information Systems Development & Operations Management Policy
• Mobile Devices and Remote Working Policy
• Members ICT Protocol
• Information Security Incident Management Policy
• Retention Policy
• Social Media Policy
• 3rd Party Access Policy
