ICT Security Risk Management Policy and Procedure
1. INTRODUCTION
1.1. Overview
XXX’s information and technology assets are highly valuable and must be closely safeguarded. XXX operates within an increasingly electronic, interconnected, and regulated environment that necessitates a consistent and standardized approach to securing technology and information assets. To ensure the continued protection of XXX information and to maintain a secure environment, the management team of XXX strongly believes that an ICT security approach aligned with industry standards is necessary.
1.2. Rationale
It is the mandate of XXX that the information assets are protected from all types of threat, whether internal or external, deliberate or accidental, such that:
- Confidentiality of information is maintained;
- Integrity of information can be relied upon;
- Information is available when the business needs it; and
- Relevant statutory, regulatory, and contractual obligations are met.
1.3. Purpose
This ICT Security Policy is the cornerstone of XXX’s ICT security program/strategy, aimed at securing the information assets of the institution. It is also the purpose of this document to outline the roles and responsibilities of relevant stakeholders that implement the security controls.
1.4. Scope
This policy applies to all employees, contractors, consultants, temporary and other workers at XXX, including all personnel affiliated with external parties, all of whom must adhere to it. This policy also applies to information assets owned or leased by XXX and to devices that connect to XXX’s network or reside at XXX’s sites.
1.5 ICT Security Roles and Responsibilities
Line Manager Responsibilities
It is every Line Manager’s responsibility to ensure that both they and members of their team within their line management responsibility comply with this policy. Line Managers must inform the ICT Service Desk at least 5 working days before an employee who they are responsible for commences or ends their employment with the Combined Authority. Emails and personal data are retained for three months for all ex-employees unless the ICT Service Desk receives a line management request to vary this.
All Employee Responsibilities
It is the responsibility of every Combined Authority employee to ensure that they comply with and do not abuse the policy and procedure. All employees must ensure they complete the mandatory Human Focus training module covering ICT Security within 48 hours of starting with the Combined Authority and before access to personal and confidential data is granted.
Information Asset Owners
IAOs should also ensure that when a system requires a password that differs from the network password (e.g. Dream/Payrite/Haven), the system follows the password guidance on complexity, length and expiration. ICT Services can assist with the configuration of the systems, but overall responsibility rests with the IAO.
2.0 ICT SECURITY POLICY STATEMENTS
2.1. ICT Security Governance and Management
2.1.1. Management and Direction for ICT Security
2.1.1.1. There shall be an ICT Security Governance Committee, whose membership is not necessarily limited to XXX’s staff.
2.1.1.2. A Single Point of Contact (SPOC) for ICT security matters shall be appointed.
2.1.1.3. There shall be an ICT Security Strategy.
2.1.1.4. XXX shall allocate sufficient resources for effective ICT security management.
2.1.2. ICT Security Risk Management
2.1.2.1. XXX shall integrate ICT security risk management, which includes risk assessment, risk treatment, risk acceptance, risk communication and risk monitoring and evaluation, into the Enterprise Risk Management Framework.
2.1.3. ICT Security Policies
2.1.3.1. XXX shall define a set of policies for ICT security, which shall be approved by management, published and communicated to employees and relevant external parties.
2.1.4. Review of the ICT Security Policies
2.1.4.1. The ICT security policies shall be reviewed at planned intervals or if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.
2.1.5. Segregation of Duties
2.1.5.1. Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of XXX’s ICT assets.
2.1.6 Contact with Authorities
2.1.6.1. XXX shall maintain appropriate contacts with relevant authorities.
2.1.7. ICT Security in ICT Project Management
2.1.7.1. XXX shall ensure that ICT security is addressed in ICT related projects.
2.1.8. Mobile Devices and Teleworking
2.1.8.1. XXX shall adopt a policy and supporting ICT security measures to manage the risks relating to mobile devices.
2.1.8.2. XXX shall implement a policy and supporting ICT security measures to protect information accessed, processed or stored at teleworking sites.
2.2. ICT Security Operations
2.2.1. Documented Operating Procedures
2.2.1.1. Operating procedures shall be documented and made available to all users who need them.
2.2.2. Change Management
2.2.2.1. Changes to the organization, business processes, information processing facilities and systems that affect ICT security shall be controlled.
2.2.3. Capacity Management
2.2.3.1. The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
2.2.4. Separation of Development, Testing and Operational Environments
2.2.4.1. Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
2.2.5. Protection from Malware
2.2.5.1. Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
2.2.6. Information Backup
2.2.6.1. Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed Backup policy.
2.2.7. Event Logging
2.2.7.1. Event logs recording user activities, exceptions, faults and ICT security events shall be produced, kept and regularly reviewed.
2.2.8. Protection of Log Information
2.2.8.1. Logging facilities and log information shall be protected against tampering and unauthorized access.
2.2.9. Administrator and Operator Logs
2.2.9.1. System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
2.2.10. Clock Synchronization
2.2.10.1. The clocks of all relevant information processing systems within XXX shall be synchronized to a single reference time source.
2.2.11. Installation of Software on Operational Systems
2.2.11.1. Procedures shall be implemented to control the installation of software on operational systems.
2.2.12. Management of Technical Vulnerabilities
2.2.12.1. Information about technical vulnerabilities of information systems in use shall be obtained in a timely fashion, XXX’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
2.2.13. Restrictions on Software Installation
2.2.13.1. A policy governing the installation of software by users shall be established and implemented.
2.2.14. Information Systems Audit Controls
2.2.14.1. ICT audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.
2.2.15. Network Controls
2.2.15.1. Networks shall be managed and controlled to protect information in systems and applications.
2.2.16. Security of Network Services
2.2.16.1. Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, irrespective of whether these services are provided in-house or outsourced.
2.2.17. Segregation in Networks
2.2.17.1. Groups of information services, users and information systems shall be segregated on networks.
2.2.18. Information Transfer Policy and Procedures
2.2.18.1. Formal transfer policy, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
2.2.19. Agreements on Information Transfer
2.2.19.1. Agreements shall be signed with relevant stakeholders to address the secure transfer of business information between the organization and external parties.
2.2.20. Electronic Messaging
2.2.20.1. Information involved in electronic messaging shall be appropriately protected.
2.2.21. Confidentiality and Non-Disclosure Agreements
2.2.21.1. Requirements for confidentiality or non-disclosure agreements reflecting XXX’s needs for the protection of information shall be identified, regularly reviewed and documented.
2.3. Security of ICT Assets
2.3.1. Inventory of ICT Assets
2.3.1.1. ICT assets associated with information and information processing facilities at XXX shall be identified and an inventory of these assets should be drawn up and maintained.
2.3.2. Ownership of ICT Assets
2.3.2.1. ICT assets maintained in the inventory shall be owned by the relevant function or person at XXX.
2.3.3. Acceptable Use Policy for ICT Assets
2.3.3.1. Acceptable use policy of information, assets associated with information and information processing facilities shall be identified, documented and implemented.
2.3.4. Return of ICT Assets
2.3.4.1. All employees of XXX and external party users must return all XXX ICT assets in their possession upon termination of their employment, contract or agreement.
2.3.5. Classification of Information
2.3.5.1. Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.
2.3.6. Labelling of Information
2.3.6.1. An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by XXX.
2.3.7. Handling of ICT Assets
2.3.7.1. Procedures for handling ICT assets shall be developed and implemented in accordance with the information classification scheme adopted by XXX.
2.3.8. Management of Removable Media
2.3.8.1. Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by XXX.
2.3.9. Disposal of Media
2.3.9.1. Media shall be disposed of securely when no longer required, using the formal procedures established at XXX as per government directives.
2.3.10. Physical Media Transfer
2.3.10.1. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation in and out of XXX.
2.3.11. Cryptographic Controls
2.3.11.1. XXX shall develop and implement cryptographic controls for protection of information and information processing facilities.
2.4. Identity and Access Management
2.4.1. Access Control Policy
2.4.1.1. Access Control Policy shall be established, documented and reviewed based on business and ICT security requirements of XXX.
2.4.2. Access to Networks and Network Services
2.4.2.1. Users at XXX shall only be provided with access to the network and network services that they have been specifically authorized to use.
2.4.3. User Registration and De-registration
2.4.3.1. A formal user registration and de-registration process shall be implemented at XXX to enable and disable assignment of access rights.
2.4.4. User Access Provisioning
2.4.4.1. A formal user access provisioning process shall be implemented at XXX to assign and revoke access rights for all user types to all systems and services.
2.4.5. Management of Privileged Access Rights
2.4.5.1. The allocation and use of privileged rights shall be restricted and controlled.
2.4.6. Management of Secret Authentication Information of Users
2.4.6.1. The allocation of secret authentication information shall be controlled through a formal management process.
2.4.7. Review of Access Rights
2.4.7.1. All ICT asset owners at XXX shall review users’ access rights at regular intervals.
2.4.8. Removal or Adjustment of Access Rights
2.4.8.1. The access rights of all staff at XXX and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
2.4.9. Information Access Restriction
2.4.9.1. Access to information and application system functions shall be restricted in accordance with the Access Control Policy of XXX.
2.4.10. Secure Log-on Procedures
2.4.10.1. Where required by the Access Control Policy, access to systems shall be controlled through a secure log-on procedure.
2.4.11. Password Management System
2.4.11.1. Password management systems must be interactive and must ensure usage of strong passwords.
2.4.12. Use of Privileged Utility Programs
2.4.12.1. The use of utility programs that might be capable of overriding system and application controls must be restricted and tightly controlled.
2.4.13. Access Control to Program Source Code
2.4.13.1. Access to program source code shall be restricted.
2.5. ICT Security Incident Management
2.5.1. Responsibilities and Procedures
2.5.1.1. Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
2.5.2. Reporting ICT Security Events
2.5.2.1. ICT security events shall be reported through appropriate management channels as quickly as possible.
2.5.3. Reporting ICT Security Weaknesses
2.5.3.1. Employees and contractors using XXX information systems and services shall be required to note and immediately report any observed or suspected ICT security weaknesses in systems or services.
2.5.4. Assessment of and Decision on ICT Security Events
2.5.4.1. ICT security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
2.5.5. Response to ICT Security Events
2.5.5.1. ICT security incidents shall be responded to in accordance with the documented procedures.
2.5.6. Learning from ICT Security Incidents
2.5.6.1. Knowledge gained from analyzing and resolving ICT security incidents shall be used to reduce the likelihood or impact of future incidents.
2.5.7. Collection of Evidence
2.5.7.1. XXX shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.
2.6. Information Systems Continuity Management
2.6.1. Planning ICT Security Continuity
2.6.1.1. XXX shall determine its requirements for ICT security and the continuity of ICT security management in adverse situations, e.g. during a crisis or disaster.
2.6.2. Implementing ICT Security Continuity
2.6.2.1. XXX shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for ICT security during an adverse situation.
2.6.3. Verify, Review and Evaluate ICT Security Continuity
2.6.3.1. XXX shall verify the established and implemented ICT security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
2.6.4. Availability of Information Processing Facilities
2.6.4.1. Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
2.7. Security of ICT Acquisition, Development and Maintenance
2.7.1. ICT Security Requirements Analysis and Specification
2.7.1.1. The ICT security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
2.7.2. Securing Application Services on Public Networks
2.7.2.1. Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
2.7.3. Protecting Application Services Transactions
2.7.3.1. Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
2.7.4. Secure Development Policy
2.7.4.1. A policy for secure development of software and systems shall be established and applied to developments within the organization.
2.7.5. System Change and Control Procedures
2.7.5.1. Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
2.7.6. Technical Review of Applications after Operating Platform Changes
2.7.6.1. When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or ICT security.
2.7.7. Restrictions on Changes to Software Packages
2.7.7.1. Modifications to software packages shall be discouraged, limited to necessary changes and all changes should be strictly controlled.
2.7.8. Secure System Engineering Principles
2.7.8.1. Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
2.7.9. Secure Development Environment
2.7.9.1. XXX shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
2.7.10. Outsourced Development
2.7.10.1. XXX shall supervise and monitor the activity of outsourced system development.
2.7.11. System Security Testing
2.7.11.1. Testing of security functionality shall be carried out during development.
2.7.12. System Acceptance Testing
2.7.12.1. Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
2.7.13. Protection of Test Data
2.7.13.1. Test data shall be selected carefully, protected and controlled.
2.8. Human Resource Security
2.8.1. Screening
2.8.1.1. Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and perceived risks.
2.8.2. Terms and Conditions of Employment
2.8.2.1. The contractual agreements with employees and contractors shall state the employee’s and XXX’s responsibilities for information security.
2.8.3. Management Responsibilities
2.8.3.1. Management shall require all employees and contractors to apply information security in accordance with the established policy of XXX.
2.8.4. ICT Security Awareness, Education and Training
2.8.4.1. All employees of XXX and contractors shall receive appropriate awareness education and training and regular updates in XXX’s ICT security policy, as relevant to their job function.
2.8.5. Disciplinary Process
2.8.5.1. There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an ICT security breach.
2.8.6. Termination or Change of Employment Responsibilities
2.8.6.1. ICT security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to all employees and contractors of XXX, and shall be enforced.
2.9. Physical and Environmental Security
2.9.1. Physical Security Perimeter
2.9.1.1. Security perimeters shall be defined and used to protect information processing facilities and areas that contain either sensitive or critical information.
2.9.2. Physical Entry Controls
2.9.2.1. Secured areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
2.9.3. Securing Offices, Rooms and Facilities
2.9.3.1. Physical security for offices, rooms and facilities shall be designed and applied.
2.9.4. Protecting Against External and Environmental Threats
2.9.4.1. Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
2.9.5. Working in Secure Areas
2.9.5.1. XXX shall design and apply procedures for working in secure areas.
2.9.6. Delivery and Loading Areas
2.9.6.1. Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
2.9.7. Equipment Siting and Protection
2.9.7.1. Equipment shall be identified and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
2.9.8. Supporting Utilities
2.9.8.1. Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
2.9.9. Cabling Security
2.9.9.1. Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
2.9.10. Equipment Maintenance
2.9.10.1. Equipment shall be properly maintained to ensure its continued availability and integrity.
2.9.11. Removal of ICT Assets
2.9.11.1. Equipment, information or software shall not be taken off-site without prior authorization.
2.9.12. Security of Equipment and Assets Off-premises
2.9.12.1. Security shall be applied to off-site ICT assets taking into account the different risks of working outside XXX’s premises.
2.9.13. Secure Disposal or Re-use of Equipment
2.9.13.1. All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
2.9.14. Unattended User Equipment
2.9.14.1. Users at XXX shall ensure that unattended equipment has appropriate protection.
2.9.15. Clear Desk and Clear Screen Policy
2.9.15.1. A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
2.10. ICT Security Compliance and Audit
2.10.1. Identification of Applicable Legislation and Contractual Requirements
2.10.1.1. All relevant legislative, statutory, regulatory and contractual requirements, and XXX’s approach to meeting them, shall be explicitly identified, documented and kept up to date for each information system and for XXX as a whole.
2.10.2. Intellectual Property Rights
2.10.2.1. Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
2.10.3. Protection of Records
2.10.3.1. Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
2.10.4. Privacy and Protection of Personally Identifiable Information
2.10.4.1. Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
2.10.5. Independent Review of ICT Security
2.10.5.1. XXX’s approach to managing information security and its implementation (i.e. control objectives, controls, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
2.10.6. Compliance with ICT Security Policy and Standards
2.10.6.1. XXX shall ensure that regular reviews are carried out of the compliance of information processing and procedures with the appropriate ICT security policy, standards and any other ICT security requirements.
2.10.7. Technical Compliance Review
2.10.7.1. Information systems shall be regularly reviewed for compliance with XXX’s information security standards and guidelines.
3.0 Procedure
3.1 Security Organization
3.1.1 Responsibilities
The ICT Manager is responsible for:
• assigning security roles and responsibilities;
• co-ordinating the implementation of the security policy across the XXX;
• reviewing and if appropriate updating the Security Policies and procedure;
• reviewing and monitoring security incidents;
• reviewing third party access and security arrangements;
• monitoring exposure to major threats to information assets;
• agreeing and supporting XXX-wide security initiatives;
• ensuring patch management of devices is performed on a monthly basis and monitored.
The security of all hardware situated in departments and sections is the responsibility of the departmental or service manager. The security of all other hardware, operating systems, PC application, networking, infrastructure and corporate software is the responsibility of the ICT Manager.
3.1.2 Acquisition of Information and Communications Technology
All acquisitions of Information and Communications Technology (ICT) shall be in accordance with XXX’s Procurement Procedures and be co-ordinated by the ICT Manager who shall obtain specialist advice if he considers it appropriate.
- All new acquisitions of a corporate nature shall be agreed by the Corporate Leadership Team.
- Departmental acquisitions shall be agreed between the appropriate Head of Service and the ICT Manager.
- The ICT Manager has delegated authority to replace obsolete equipment in accordance with an agreed replacement program and to upgrade/replace office productivity tools and software within an agreed programme.
- All new projects will be in accordance with the XXX’s corporate project management policies, have associated business case / justification documents and be in accordance with the current ICT strategy / road map.
3.1.3 Security Information Advice
Specialist advice on information security is available internally from the ICT Manager or Internal Audit.
3.1.4 Security Incidents
All suspected and actual security incidents shall be reported immediately to the ICT Service desk. Each incident will be recorded, investigated and corrective action implemented where appropriate. If the incident is perceived to be of a serious or urgent nature it will be escalated to the ICT manager or the Head of Customer Services. The XXX has a separate ICT Security Incident Reporting Procedure which gives full details on how to report any security incidents and this includes a copy of the reporting form which you may be asked to complete by the ICT Service desk.
3.1.5 Independent Review of Information Security
The content, implementation and practice of this policy will be reviewed independently to provide assurance that organisation practices properly reflect the policy and that the policy is feasible and effective. Independent reviews will be carried out by the Internal Audit team or by an appointed reviewer.
3.2 Identification of Risks from Third Party Connections
Where there is a business need for third party access to ICT facilities and information assets, the security implications and requirements will be determined and controls agreed with the third party. All new systems will be assessed for risks from third party connections and, where appropriate, controls will be defined in a contract with the third party. Arrangements involving third party access (e.g. support engineers, subcontractors, consultants) will be based on a formal contract or security agreement containing, or referring to, all of the necessary security conditions to ensure compliance with XXX’s security policy, including obtaining an indemnity in respect of any loss caused by erasure or alteration of data or incorrect alteration of programs. The contract should be in place before access to the ICT facilities is provided.
The implementation of any changes to systems should be strictly controlled using formal change control procedures. Any third party organisation carrying out work for XXX will be expected to comply with these change control procedures and will ensure that all system changes are documented.
All third party access will be controlled and is made available to service providers via a secure internet connection using an SSL (Secure Sockets Layer) VPN appliance, or an application such as TeamViewer. Where reasonably possible, all access will use multi-factor authentication with a soft token delivered via SMS to the user’s mobile phone or via a mobile app. The remote support user will be given an access code and a one-time password for that session. All systems have passwords enabled to ensure that only authorised parties can access XXX’s ICT, at agreed times, and that each third party can only access the relevant systems. All contractors, consultants or other temporary staff will be issued with a unique user code and password in line with current procedures for the particular system being used.
Under no circumstances should XXX staff allow their own user code or password to be used by anyone else. In certain circumstances it may be necessary to divulge a password for access by technical support staff and in such cases, it must be changed immediately after the authorised activities are completed. A log of such activity is maintained by the ICT department. A log of all third party access will be recorded on the Service Desk management system, with a copy of the completed third party access control form. All third parties accessing XXX systems or data must have had their own IT Security tested by a trusted third party or hold a valid accreditation such as Cyber Essentials or ISO 27001.
3.3 Inventory of Assets
An inventory of ICT assets shall be maintained by the ICT Manager, who shall promptly update it for all acquisitions, disposals, updates and management of our cyber assets (this includes the transfer of assets to another user). The accuracy of the inventory shall be verified annually in accordance with Financial Procedure Rules. This includes equipment at staff homes for those who are working in an agile manner. All users must notify ICT if they move an asset to another location, whether within the XXX offices or to a remote site.
3.4 Personnel Security
3.4.1 General
Security roles and responsibilities for all staff using ICT facilities will be included in job descriptions and contracts where appropriate by the relevant manager. Managers are responsible for ensuring job descriptions or codes of conduct address all relevant security responsibilities. All potential recruits will be screened by:
- obtaining two satisfactory references;
- confirming academic and professional qualifications.
All employees and third party users of ICT facilities will be required to sign a confidentiality (non-disclosure) undertaking. Revenue Services benefits staff will be subject to the recruitment procedures included in the Benefits Anti-Fraud Strategy. The appointment of employees with access to information classified as PROTECT or RESTRICTED will be subject to the specific Baseline Personnel Security Standards, available on request from the Human Resources department. All users are responsible for the equipment issued to them and the information that they have access to. Third party access to ICT equipment and data without prior arrangement with IT is prohibited. Users accessing XXX information must ensure that they do so in a secure environment and that persons who are not authorised to view that information cannot view it.
3.4.2 ICT and Cyber Security Training
All users will need to undertake a cyber security user awareness e-learning training module. All ICT users will be briefed in security procedures and the correct use of ICT facilities by IT staff in order to minimise possible security risks to the confidentiality, integrity and availability of data or services through user error. Managers are responsible for ensuring such training is provided to their staff.
New user accounts will only be established and issued to staff who have received appropriate ICT induction and have been authorised by the relevant Head of Service or Director. All new ICT users will be issued with either a paper copy of the current ICT Security Policy and Procedure or given access to the document on XXX’s intranet. They must read the document and sign to acknowledge its terms and conditions within 2 working weeks, otherwise network access will be denied. All new ICT users who will have access to the Government Connect Secure Extranet (GCSx) or Government Secure Internet (GSi) networks will also be required to comply with a Personal Commitment Statement pertaining to those services. Access levels to review, amend or delete data will be determined by the relevant Head of Service in association with the system owner(s) of any ICT applications which the new user intends to use.
All third party suppliers, contractors and temporary staff will be required to read and acknowledge the terms and conditions before being granted access to XXX ICT resources. In the case of third party support companies where individual users may not be easily identifiable, a board-level representative of the company will be required to acknowledge the terms and conditions.
3.4.3 Responding to Incidents
A security incident shall mean:
- any event arising from negligence or deliberate default that has, or could have, resulted in loss or damage to the XXX’s IT systems or data;
- a compromise to the confidentiality, integrity or availability of IT systems or data;
- an action that is in breach of the security policy;
- any cyber security threat or incident.
All security incidents shall be reported immediately to the ICT Service Desk, who will pass the call to the ICT Security Officer or ICT Manager. They will instigate an investigation and report any incident that causes serious loss or damage to the Head of Customer Services and the Data Protection Officer. Any security incident that may lead to disciplinary action will involve consultation with the Head of Human Resources and Organisation Development and/or, depending on the nature of the incident, the Audit Services Manager. The XXX has a separate ICT Security Incident Reporting Procedure which gives full details on how to report incidents and includes a copy of the reporting form that the ICT Service Desk may ask you to complete. This document is available from the IT section of the XXX Intranet. Every security incident will also be logged on the ICT Service Desk system. Any security incident which leads to loss or damage, or wilful abuse of the conditions of this policy, may be cause for investigation and, where appropriate, formal action in accordance with the XXX’s agreed disciplinary policy. Any incident or suspected incident must be handled as laid out in the XXX’s Incident Response Policy and Procedures, which will be reviewed on a yearly basis.
3.5 Physical and Environmental Security
3.5.1 Secure Areas
ICT facilities such as servers, server rooms and hosting facilities, hubs and routers supporting critical or sensitive business activities shall be housed in secure areas, i.e. protected from unauthorised access, damage and interference. Except for systems specifically intended for public use, ICT facilities should only be available to authorised persons and, wherever possible, should be kept away from public access and preferably out of public view. Specialised IT equipment should be further restricted to authorised staff only, in areas of extra security. The following specific conditions will apply to such secure areas:
- server rooms will be protected by electronic locking systems or digital locks on all entry points and will always be kept locked;
- access to any hosted / Data Centre facility is only for ICT staff, with proof of identification and access granted via a request system or logging portal;
- access to server rooms will be only to ICT support staff or to others acting under their close supervision;
- server rooms will be protected with fire detection and control equipment. Such equipment will be integrated into the XXX’s overall fire detection system;
- servers will be protected by Uninterruptible Power Supplies (UPS) sufficient to allow continuous working of equipment for a minimum of 2 hours in the event of loss of electrical supply to the rooms;
- server rooms will be regularly monitored to ensure an adequate operating environment for the equipment contained;
- network distribution cabinets will be protected with a UPS sufficient to allow continuous working for a minimum of one hour;
- network distribution cabinets will always be kept locked and access granted only to ICT network support staff or others acting under their close supervision;
- remote access may be allowed to server, network and telephony equipment but will be limited to ICT support staff and specified third party support organisations. (Access by third parties will be subject to agreements specific to the software / equipment concerned and, always, will be with the express permission of ICT staff). This includes completing the Permit to work and Risk assessment documents, for all external contractors requiring access to the server room;
- A complete log of remote access by third party support organisations will be maintained.
3.5.2 Equipment Security
ICT equipment and cabling should be protected from spillage or leaks and must be sited away from where staff or the public walk, and so as to minimise opportunities for unauthorised access or removal. Staff should also be warned of the dangers of spilling liquids or food on IT equipment. Except for laptops and portable computers, only IT staff should move, or supervise the moving of, IT equipment. All critical ICT equipment shall be protected by an uninterruptible power supply (UPS). UPS equipment should be self-testing and shall also be manually tested by IT staff at least every six weeks and serviced as necessary. Officers and members should always ensure that computer equipment and screens are positioned to prevent unauthorised viewing of data. Any faulty ICT equipment shall be reported to the IT section, who will arrange for its repair or replacement. Under no circumstances shall members of staff attempt to repair, move or change equipment or open casings, except for printers to replace consumables or clear a paper jam. Computers provided by the XXX for use at home are for the sole use of that officer or member; no unauthorised third party is allowed access to the computer equipment for any reason. The officer or member is responsible for ensuring that the computer is always used in accordance with XXX conditions of use. Laptops, portable computers and smart phones (unless permanently assigned to an officer or member) may be borrowed, with the permission of the officer’s manager, from the IT section, who will maintain a record of issues and returns. Such equipment must be transported in appropriate carrying cases and must not be left in clear view; if left in a vehicle it MUST be out of sight. Officers should treat laptops, smart phones and portable computers as if they were their own uninsured possessions.
Any laptops, smart phones or computers currently assigned on a permanent basis to an officer or member can be recalled for a software audit on a one-week notice. The officer or member must arrange a mutually convenient time when the computer can be returned to the IT department within that week period. Once the audit has been conducted the IT department will either return the computer or inform the officer or member and arrange a collection time and date.
3.5.3 Equipment and Data Destruction
Obsolete equipment shall be checked by IT staff and all hard disks will be securely wiped of data before disposal, whether by sale, donation or destruction. Equipment will normally be disposed of via a third party accredited data disposal organisation, who will ensure recycling where possible. Any PCs disposed of by sale or donation will have no operating system or application software installed. All ICT equipment will be disposed of in accordance with the relevant environmental legislation.
3.5.4 Remote Access to Systems and Data
Where there is a business need, the XXX will allow employees and members to have remote access to data and systems from locations not covered by the XXX local and wide area networks. This includes ‘roaming’ users who, with suitable technology, are able to access data anywhere, and ‘fixed point’ users such as home workers. Access to systems from non-XXX devices will be controlled via multi factor authentication. The XXX will allow such remote users to make use of their own PC equipment subject to meeting minimum security standards, including having up to date anti-virus and firewall software. Remote access to XXX systems will only be granted on the authority of the relevant Head of Service or Director. Remote access will only be available using multi factor authentication, i.e. the user’s password combined with a second factor that the user possesses. XXX operates soft tokens: the user enters a unique personal PIN together with a dynamically generated passcode that is either sent to their work mobile or generated by a mobile app. Specific conditions and responsibilities will apply to those users:
- data must not be stored on non-XXX devices used for remote access;
- confidential data must be encrypted on storage devices supplied by the ICT department;
- particular care should be taken with removable storage devices such as USB sticks, etc., and if these are used to move or transfer data it must be stored in encrypted format using the supplied “Safe Sticks”;
- any XXX data downloaded to or stored on remote users’ own PC equipment must be kept secure and inaccessible to others. Data must be removed as soon as is practicable when it is no longer required;
- any loss of equipment (own or XXX) must be reported immediately to the ICT Service Desk;
- any actual or perceived security threat relating to remote use of XXX IT systems must be reported immediately to the ICT Service Desk;
- no RESTRICTED information should ever be used on employees / members own equipment.
When undertaking video or conference calls discussing or displaying XXX information, users must ensure that no unauthorised person is privy to that information.
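The “dynamically generated pass code” produced by the mobile-app soft token in 3.5.4 is, in practice, a time-based one-time password. The following is an added example that is not XXX’s code or a description of its token product: it implements RFC 6238 TOTP over RFC 4226 HOTP with the Python standard library, and adds the two checks a verifier actually needs, a small drift window for clock skew and a per-user record of the last accepted counter so a code captured from one login cannot be replayed inside that window. The 30-second step, 6-digit codes, the ±1 step window and the per-user counter store are assumptions; the shared secret is the RFC 6238 test-vector key, not a real token seed. The SMS variant mentioned in the policy is a different mechanism and is not modelled here.

```python
"""RFC 6238 TOTP soft-token verification (added example; assumptions noted inline).

Not XXX's code. Implements HOTP (RFC 4226) and TOTP (RFC 6238) with hmac/hashlib only,
plus a verifier that tolerates clock drift but refuses replayed codes.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # assumption: RFC 6238 default time step
DIGITS = 6          # assumption: code length shown by most authenticator apps
DRIFT_STEPS = 1     # assumption: accept the previous and next step as well (+/- 30 s)

# RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890"); constructed, not a real seed.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time // step."""
    return hotp(secret, at_time // step, digits)


class SoftTokenVerifier:
    """Verifies one-time codes for enrolled users.

    Checks the current step and its neighbours (clock drift), and remembers the highest
    counter accepted per user so a code sniffed from one login cannot be replayed within
    the drift window. hmac.compare_digest keeps the comparison constant-time.
    """

    def __init__(self, secrets):
        self._secrets = dict(secrets)   # user -> shared secret bytes
        self._last_counter = {}         # user -> last counter accepted for that user

    def check(self, user, presented, at_time=None):
        if at_time is None:
            at_time = int(time.time())
        secret = self._secrets.get(user)
        if secret is None or not (presented.isdigit() and len(presented) == DIGITS):
            return False
        counter = at_time // STEP_SECONDS
        for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
            candidate = counter + delta
            if candidate <= self._last_counter.get(user, -1):
                continue  # this step (or an older one) was already used: refuse replay
            if hmac.compare_digest(hotp(secret, candidate), presented):
                self._last_counter[user] = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = SoftTokenVerifier({"jsmith": TEST_SECRET})
    code = totp(TEST_SECRET, 59)
    print("code at T=59:", code)                              # RFC 6238 vector, 6 digits: 287082
    print("first use:", verifier.check("jsmith", code, 59))   # True
    print("replay:   ", verifier.check("jsmith", code, 59))   # False
```

The drift window is a trade-off: each extra step accepted widens the window in which a phished code remains valid, which is why the last-accepted counter must move forward on every successful check rather than the verifier relying on the clock alone.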
3.6 Computer and Network Management
3.6.1 Operational Procedures and Responsibilities
The ICT Manager is responsible for the management and operation of all servers and networks and associated specialised hardware. Departmental managers are responsible for the safe day to day operation of portable and desktop computers and printers issued to them or their staff. Appropriate documented procedures for the management and operation of all servers and networks will be established by computer staff. Clearly documented procedures shall be prepared by computer staff and/or the system administrator for all operational computer systems to ensure their correct, secure operation.
3.6.2 System Planning and Acceptance
Advance planning and preparation are required to ensure the availability of adequate capacity and resources. Acceptance procedures for new systems will include the following:
- performance and computer capacity;
- preparation of error recovery and restart procedures;
- preparation and testing of routine operating procedures;
- evidence that the new system will not adversely affect existing systems, particularly at peak processing times;
- training in the operation or use of new systems;
- formal consideration of the need for ongoing maintenance and support by a third party.
Emergency fall back arrangements should be identified for each system and adequate fall-back arrangements made wherever possible. Fall back arrangements for each system should be fully documented and responsibility for this lies with the relevant system administrator.
3.6.3 Configuration and Change Management
Operational changes must be controlled to reduce the risk of system or security failures. The ICT Manager is responsible for ensuring that changes to software or hardware are carried out in a controlled manner and appropriately documented. A formal change control (and authorisation) procedure is in place which requires significant changes to software and hardware to be assessed, tested and verified before completion. This procedure applies to anyone making such changes, including permanent staff, temporary and contract staff, suppliers and third party support organisations. All PCs and servers are configured and installed with a standard security configuration, which may be changed only on the authority of the ICT Manager. Any attempt to amend the standard configuration will be logged and monitored. Specific protective measures are applied to servers accessed by users outside the XXX’s main network: such servers are placed in a separate, secure zone of the network known as a de-militarised zone (DMZ). Changes to software and hardware will, wherever possible, be applied in a test environment before being applied to operational systems.
3.6.4 Protection from Malicious and Unauthorised Software
It is essential that special measures, as detailed below, are implemented to prevent the introduction of malicious software (such as computer viruses and ransomware) and the use of unauthorised software. Using unlicensed software can result in a raid (authorised by the courts) to identify the use of such unlicensed software, which can result in a fine, adverse publicity and a block on the use of ANY computers until the licences are paid for or the offending software is removed, causing very serious disruption to the organisation’s activities. In extreme cases staff could face imprisonment. A computer virus or similar can cause severe damage to data and hence serious disruption. Every precaution must be taken to protect XXX data and programs. Unauthorised software is software that has not been purchased by, or whose purchase or use has not been agreed by, the ICT Manager. To reduce the risks of infection or use of unauthorised software the following preventive, detective and corrective measures will be instituted:
- the introduction and/or use of unauthorised software, including screensavers, is prohibited and may lead to the application of relevant, formal disciplinary action;
- software licences will be complied with at all times;
- reputable, up to date anti-virus software will be used to detect and remove or isolate viruses and malware;
- staff or members must not transfer data from their home PC to the XXX computers, whether by removable storage media or e-mail, unless their home PC has up to date (i.e. definitions updated within the previous week) anti-virus software and firewall installed. The anti-virus software used must be one verified by the XXX’s ICT support staff;
- removable storage media devices are blocked from being connected to corporate devices;
- any suspected viruses must be reported immediately to the computer section and, where appropriate, logged as a security incident;
- except where there is a justifiable business reason that has been expressly agreed with the ICT Manager, users should not open unsolicited e-mails from unverifiable sources, and especially not any attachments, as there is a significant risk they may contain a virus;
- users must not attempt to download executable files, i.e. program software, from the Internet without prior specific clearance from IT staff;
- any incoming e-mail that contains executable or compressed attachments will be automatically quarantined and routed to IT staff for checking before delivery to the intended recipient.
USB devices and removable media are not permitted on any machine; device management software detects and blocks their use. Where data must be moved by removable media, ICT can provide encrypted USB “Safe Sticks” (see 3.5.4); no other removable storage device may be used.
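The last bullet above commits the mail gateway to quarantining any message carrying an executable or compressed attachment. The following is an added example, not XXX’s gateway configuration, of the triage logic behind such a rule in Python: it parses a raw message, inspects each attachment by content (magic bytes) before trusting the file name, so a PE renamed to `invoice.pdf` is still caught, checks every suffix so `statement.pdf.exe` is caught, and opens zip containers to distinguish an Office Open XML document from a generic archive. The extension and signature lists, and the choice to deliver `.docx`-style containers rather than treating them as “compressed attachments”, are assumptions a site would tune; all sample messages are constructed inline.

```python
"""Attachment triage for the 3.6.4 quarantine rule (added example; not XXX's configuration).

Assumptions: the extension lists, magic-byte signatures and the decision to treat
Office Open XML containers as documents are ours. Sample messages are constructed inline.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumption: what the policy's "executable" and "compressed" mean in practice.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd",
                  ".ps1", ".vbs", ".js", ".jar", ".hta"}
ARCHIVE_EXT = {".zip", ".7z", ".rar", ".gz", ".tgz", ".iso"}
EXEC_MAGIC = (b"MZ", b"\x7fELF")                                   # PE/DOS header, ELF
ARCHIVE_MAGIC = (b"Rar!\x1a\x07", b"7z\xbc\xaf\x27\x1c", b"\x1f\x8b")  # rar, 7z, gzip


def _zip_kind(content):
    """A zip carrying [Content_Types].xml is an Office Open XML document; anything else is an archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(content)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "archive"   # claims to be zip but will not parse: treat as a suspicious archive
    return "document" if "[Content_Types].xml" in names else "archive"


def classify_attachment(filename, content):
    """Content first (so a renamed .exe is caught), then every suffix (so x.pdf.exe is caught).
    Returns 'executable', 'archive', 'document' or 'clean'."""
    if content.startswith(EXEC_MAGIC):
        return "executable"
    if content.startswith(b"PK\x03\x04"):
        return _zip_kind(content)
    if content.startswith(ARCHIVE_MAGIC):
        return "archive"
    suffixes = {"." + part for part in filename.lower().split(".")[1:]}
    if suffixes & EXECUTABLE_EXT:
        return "executable"
    if suffixes & ARCHIVE_EXT:
        return "archive"
    return "clean"


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message; return ('quarantine' | 'deliver', [(filename, kind), ...])."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""   # transfer-decoded bytes
        kind = classify_attachment(name, payload)
        if kind in ("executable", "archive"):
            findings.append((name, kind))
    return ("quarantine" if findings else "deliver"), findings


def build_message(attachments):
    """Construct a test message (sample data, not real mail). attachments: (filename, data, mime)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Test"
    msg.set_content("See attached.")
    for name, data, mime in attachments:
        if isinstance(data, str):
            msg.add_attachment(data, filename=name)          # text/plain attachment
        else:
            maintype, subtype = mime.split("/", 1)
            msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


def _zip_bytes(entries):
    """Build a small zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: harmless text, a PE renamed to .pdf, a double extension,
# a plain zip, and a minimal .docx container.
SAMPLES = {
    "clean": build_message([("minutes.txt", "Agenda item 1", None)]),
    "renamed_exe": build_message([("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60, "application/pdf")]),
    "double_ext": build_message([("statement.pdf.exe", b"not a real binary", "application/octet-stream")]),
    "zip": build_message([("files.zip", _zip_bytes({"a.txt": b"x"}), "application/zip")]),
    "docx": build_message([("report.docx",
                            _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"}),
                            "application/vnd.openxmlformats-officedocument.wordprocessingml.document")]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage_message(raw))
```

Note the ordering: the declared MIME type is never consulted, because the sender controls it. A damaged or encrypted zip that will not parse is classed as an archive rather than ignored, since an attacker can use exactly that to slip past a scanner that only inspects what it can open.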
3.6.5 Housekeeping
Housekeeping measures are required to maintain the integrity and availability of services. Routine procedures will be established by computer staff for taking back-up copies of data, logging events and, where appropriate, monitoring the equipment environment. Documented procedures for each system shall include:
- data back-up,
- operator logs,
- fault logging,
- environmental monitoring,
- network and application restart procedures,
- change request logs,
- system updates / upgrades.
3.6.6 Network Management
Appropriate controls must be implemented to ensure the security of data in networks and the protection of connected services from unauthorised access. Each authorised user will be allocated a unique logon identifier by ICT Support staff and a password that the user must change at least every 90 days. The password must contain at least eight characters including a mixture of three of the following four elements (a complex password):
- lower case alpha characters,
- upper case alpha characters,
- numbers,
- special characters.
Access to the network is automatically barred after four successive unsuccessful attempts to logon. Users are responsible for ensuring the secrecy and quality of their password and shall be held responsible for all actions recorded against their unique logon identifier. The ICT Manager is responsible for ensuring the security of the networks.
3.6.7 Media Handling and Security
Computer media containing data shall be controlled and physically protected. Appropriate operating procedures will be established to protect computer media (tapes, disks, cassettes), input/output data and system documentation from damage, theft and unauthorised access. At least one copy of all computer media containing data or critical software will be stored in media fire safes. A copy of all such media should also be kept securely offsite. Computers that rarely physically connect to the network, such as laptops or computers provided to members and some officers, are not covered by the backup policy, and data backups of these computers are the responsibility of the member or officer. A means of backing up the computer, and instruction on how to back up data, will be provided by the ICT department.
3.6.8 Data and Software Exchange
Exchanges of data or software between the XXX and third parties should be managed in accordance with the Information classification policy. For critical or sensitive data and software, formal agreements, (including software escrow agreements where appropriate) for exchange of data and software (whether electronic or manual) between organisations should be established. These agreements should specify appropriate security conditions which reflect the sensitivity of the information involved, including:
- management responsibilities for controlling and notifying transmission, despatch and receipt,
- minimum technical standards for packaging and transmission,
- courier identification standards,
- responsibilities and liabilities in the event of loss of data,
- data and software ownership and responsibilities for data protection, software copyright compliance and similar considerations,
- technical standards for recording and reading data and software,
- any special measures required to protect very sensitive items;
- the use of personal e-mail for sharing data is prohibited.
In order to ensure the security of physical media in transit, reliable transport couriers should always be used. Packaging should be sufficient to protect the contents from physical damage during transit and should be in accordance with manufacturers’ instructions. Data in transit should be sealed with tamper-evident devices and accompanied by documentation listing the package contents. All electronic commerce should be in accordance with the XXX’s Contract Procedure Rules / Financial Procedure Rules and subject to formal contract(s) drawn up between the XXX and the trading partner(s), covering the specialised areas of communication processes, transaction message security and data storage. Managers will need to obtain appropriate specialised advice on, identify, and take into account all external and internal requirements affecting this activity. These requirements are likely to include the acts and directives listed in section 9.1 of this policy. Also relevant will be international and local (to other countries) laws and directives, any national or international professional regulations such as accounting practice and tax regimes, any conditions specified by the XXX’s insurers, fair trade and human rights standards, and the information and technology standards and controls needed to preserve the timeliness, accuracy, integrity, security, recoverability and processing of this activity.
3.6.9 Connection to Other Networks
For operational purposes, the XXX will sometimes require access to external networks both to make use of business applications and to exchange data. Access to such networks is only allowed under the following conditions:
- must be authorised by the relevant Head of Service;
- must be agreed by the ICT manager or ICT Security Officer;
- must be protected by a firewall configured to provide protection of all networks concerned;
- must be subject to a suitable data sharing agreement / contract;
- must have protocols in place to protect data in transit and at rest.
3.6.10 Electronic Mail
Controls to reduce the security risks associated with electronic mail (e-mail) should be implemented covering:
- vulnerability to unauthorised interception or modification. Confidential data should only be sent in encrypted form;
- vulnerability to error, for example incorrect addressing;
- legal considerations such as the need for proof of origin, despatch, delivery and acceptance;
- publication of directory entries;
- remote access to e-mail accounts.
All staff have internal e-mail facilities, and external e-mail will be made available to all members and to those officers with the authorisation of their director or head of service. Users shall avoid responding to unsolicited e-mails from unverifiable sources and, except where there is a justifiable business reason that has been expressly agreed with the ICT Manager, shall not open such mail or any attachments, as there is a significant risk they may contain a virus. IT staff shall monitor usage of e-mail and report any concerns to the appropriate director or head of service. All e-mail sent to external parties shall contain a standard disclaimer inserted by the e-mail system in a form approved by the XXX’s Legal Officer. All inbound and outbound e-mail will be subject to security scans for spyware, malware and viruses. E-mail is not to be accessed via the Outlook app installed on personal devices. Forwarding of e-mails to personal e-mail accounts is prohibited. The use of personal e-mail for sharing data is prohibited.
3.6.11 Internet
The use of the Internet on the XXX’s computer systems shall be controlled and monitored to prevent:
- users wasting time and public resources by playing or “surfing” when they are paid to work;
- users accessing sites and importing material which the XXX, as a matter of policy, may find unacceptable;
- users accessing sites and importing illegal material;
- users importing a virus or other malicious software and hence compromising the accuracy, availability and confidentiality of XXX systems;
- users committing the XXX to expenditure in an unauthorised fashion.
Internet access is to be used only for access to sites relevant to work or vocational training during an individual’s working hours. Personal use of the Internet is permitted outside of staff’s working hours and is subject to compliance with the XXX’s “Internet and E-mail Access – Conditions of Use” policy document. Internet access and e-mail are provided via a central connection to the Internet which incorporates security features (intrusion detection and intrusion prevention) to safeguard the security and integrity of the XXX’s IT systems and data. This connection will always be used by officers and members located at XXX offices unless they are specifically authorised to use other methods. The key terms and conditions are as follows:
- Authority to use the Internet and/or e-mail facility will only be granted by the Chief Executive, Directors, Heads of Service or Service Managers.
- All Officers and Members using the facility will be required to sign the “Conditions of Use” document to confirm that they have read and agree to abide by its conditions. A breach of the conditions of use may result in disciplinary action and/or criminal proceedings.
- All “Conditions of Use” forms must be countersigned electronically or manually, by a designated authorising supervisor and completed documents will be held by the IT section and Human Resources section.
- All users of the facility will be issued with their own unique User ID and password and users will be deemed responsible for any activity logged against the user ID so User IDs and passwords should not be disclosed to other persons.
- The XXX maintains logs of activity on our central Internet connection and may analyse and monitor those logs and all internet traffic.
All access to the Internet will be traceable to an originating user ID, both currently and retrospectively. All access and attempted access to the Internet will be logged by the IT section, and comprehensive information on usage, including the time and length of visits, will be supplied on request, or in the event of concerns raised by the ICT Manager, to a user’s director or head of service (or the Chief Executive in the case of members). The IT section has implemented and maintains an automatic method for restricting which Internet sites may be accessed. No user shall attempt to access an Internet site which, from its address, may reasonably be considered to contain pornographic material or any other material prohibited by the “Conditions of Use” policy. The corporate leadership team will define which sites are not to be accessed, and any deliberate attempt to access such sites will be considered in accordance with the disciplinary procedure. An intrusion prevention system (IPS) is in place to detect, monitor, analyse and alert on attempted cyber-attacks. Access to restricted and prohibited sites is automatically monitored and reports of activity will be made available to the user’s director or head of service. A monthly security review, led by the ICT Security Officer, will be conducted to ensure security and compliance. The IT section has implemented and maintains a resilient security gateway device or “firewall” (hardware and software) to control, vet and filter incoming data, guarding against recognised forms of Internet attack and malicious software. Only IT staff may download software, including freeware, from the Internet. This does not apply to documents, i.e. Word, Excel or PDF files.
3.7 System Access Control
3.7.1 Business Requirements for System Access
Access to computer services and data should be controlled on the basis of business requirements, and access granted to a system must not undermine segregation of duties where that is important. Each system administrator will set up the system access rights of each user or group of users according to authorised business needs. Update access rights should be restricted to the minimum number of people consistent with maintaining service levels. System access controls are reviewed by Internal Audit as part of their routine systems audit work programme. Domain privileged access will be reviewed periodically.
3.7.2 User Access Management
Formal procedures will be developed for each system by the system administrator to cover the following:
- formal user registration and de-registration procedure for access to all multi-user IT services;
- restricted and controlled use of special privileges;
- securely controlled allocation of passwords;
- regular change of passwords and, where appropriate, enforcement of their quality and complexity;
- regular review of user access rights and privileged access rights;
- controlled availability of master passwords in emergencies.
User access will be administered so that the type of account granted to employees allows them to perform their day-to-day activities and prevents access to any sensitive information not required for their duties. Access to information systems by members of staff, contractors and third parties must not exceed the needs of the role (‘need to know’); their use of ICT must be appropriate; and starter, leaver and amendment changes must be properly processed and authorised. Network accounts which have not been logged into for 90 days will be reviewed and action taken. This review will occur every 90 days to ensure accounts are disabled in a quick and secure manner.
3.7.3 User Responsibilities
Effective security requires the co-operation of authorised users. Users must comply with XXX policies, standards and procedures regarding access controls, in particular the use of passwords and the security of equipment. In order to maintain security users must:
- not write passwords down where others may readily discover them;
- not tell anyone else their password/s;
- not use obvious passwords such as their name;
- not let other people observe when entering their password;
- use a password with at least eight characters in it including numeric or special characters;
- promptly change their password if they suspect anyone else may be aware of it;
- log out of applications if they will be away from their desk for any length of time;
- ‘lock’ their PC when away from their desk to prevent it being used by others (by using Ctrl + Alt + Del keys or the Windows key + L key);
- if working at home, shut the device down at the end of the day so that security policies can be applied at the next start up, and store it in a secure location when not in use;
- follow the XXX’s ICT security policy (including reading and signing confidentiality and conditions of use agreements);
- restart PCs and laptops as required after the application of security updates;
- report security incidents to the ICT Service Desk;
- not open e-mails containing suspicious attachments;
- check the e-mail address and name of the sender of any message they receive to ensure they are legitimate;
- report scams, privacy breaches and hacking attempts;
- not re-use passwords from other systems.
Staff will be held responsible for all activities logged to their unique user ID.
3.7.4 Network Access Control
Connections to networked services shall be controlled to ensure that connected users or services do not compromise the security of any other networked service. The ICT Manager is responsible for the protection of networked services. All machines, including servers, are patched every month as part of the patch management cycle, to keep the estate up to date and protected. A daily operations check is carried out as part of the daily checks procedure to ensure that anti-virus, anti-malware and anti-spyware updates are current on all PCs, laptops and desktops. Devices not purchased by the ICT department are not to be plugged into, or connected wirelessly to, the XXX’s corporate network unless authorised by the ICT Manager or ICT Security Officer. All mobile devices, including tablets, laptops and smartphones, will be encrypted using device management software.
3.7.5 Computer and Application Access Control
Access to computer facilities should be restricted to authorised users. Computer facilities that serve multiple users should be capable of:
- identifying and verifying the identity of each authorised user, particularly where the user has update access;
- recording successful and unsuccessful attempts to access the system including files and folders;
- providing a password management system which ensures quality passwords;
- where appropriate, restricting the connection times of users;
- controlling user access to data and system functions;
- restricting or preventing access to system utilities which override system or application controls;
- complete ‘lock out’ of user access after a pre-agreed number of unsuccessful attempts to access data.
3.8 Systems Development and maintenance
3.8.1 Security Requirements in Systems
All security requirements, including a risk analysis and the need for fall back arrangements, should be identified at the requirements phase of a project by the officer requesting the system in consultation with computer and audit staff. Security requirements should be justified, agreed and documented. The analysis of security requirements should:
- consider the need to safeguard the confidentiality, integrity and availability of information assets;
- identify controls to prevent, detect and recover from major failures or incidents;
- when specifying that a system requires a particular security feature, the quality of that feature must be specified, e.g. for password control: “passwords must be held in protected (one-way hashed or encrypted) form, never in plain text; passwords must expire after a number of days set by the system administrator; passwords must not be reusable; and the system administrator must be able to specify a minimum length and other rules concerning password composition”.
In order to ensure IT staff and users are aware of security controls in place, controls must be explicitly defined by the relevant system administrator in all relevant documentation.
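The following is an added illustration, not part of the policy document, of what the controls listed in 3.7.5 and the password requirements quoted in 3.8.1 look like when implemented in code: passwords are never stored in clear text (a salted PBKDF2 hash stands in for the policy’s “encrypted format”), minimum length and composition are enforced, reuse is refused against a short history, expiry is checked on login, every successful and unsuccessful attempt is written to an audit log, and the account is locked after a pre-agreed number of failures. All class and function names, the thresholds (12 characters, 5 failures, 90 days, 5 remembered passwords) and the account data are assumptions chosen for the example.

```python
"""Added example of an access-control gate enforcing the 3.7.5 / 3.8.1 rules.
Not the policy's own code; names, thresholds and sample accounts are assumed."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

MIN_LENGTH = 12      # assumed minimum length "set by the system administrator"
MAX_FAILURES = 5     # assumed pre-agreed lock-out threshold (3.7.5)
EXPIRY_DAYS = 90     # assumed password lifetime (3.8.1 "expire after a number of days")
HISTORY_SIZE = 5     # assumed number of previous passwords that may not be reused

# Composition rules: at least one lower, upper, digit and symbol character.
COMPOSITION = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); only the salted hash is ever stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def password_meets_policy(password: str) -> bool:
    """Minimum length plus every composition rule must be satisfied."""
    return len(password) >= MIN_LENGTH and all(p.search(password) for p in COMPOSITION)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    set_on: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # old (salt, digest)
    failures: int = 0
    locked: bool = False


class AccessControl:
    """Identifies users, records every attempt, and locks out after MAX_FAILURES."""

    def __init__(self, now: Callable[[], datetime] = datetime.now):
        self.accounts = {}
        self.audit_log = []   # (timestamp, user_id, event): the login record 3.7.5 asks for
        self.now = now        # injectable clock so expiry can be exercised in tests

    def _log(self, user_id: str, event: str) -> None:
        self.audit_log.append((self.now().isoformat(), user_id, event))

    def set_password(self, user_id: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet length/composition rules")
        acct = self.accounts.get(user_id)
        if acct is None:
            salt, digest = hash_password(password)
            self.accounts[user_id] = Account(user_id, salt, digest, self.now())
        else:
            # Refuse reuse of the current password or any remembered previous one.
            for salt, digest in [(acct.salt, acct.digest)] + acct.history:
                if hmac.compare_digest(hash_password(password, salt)[1], digest):
                    raise ValueError("password reuse is not permitted")
            acct.history = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_SIZE]
            acct.salt, acct.digest = hash_password(password)
            acct.set_on = self.now()
            acct.failures, acct.locked = 0, False   # a reset clears the lock-out
        self._log(user_id, "password_set")

    def login(self, user_id: str, password: str) -> str:
        """Return 'ok', 'expired', 'denied' or 'locked'; every outcome is logged."""
        acct = self.accounts.get(user_id)
        if acct is None:
            self._log(user_id, "login_failed_unknown_user")
            return "denied"
        if acct.locked:
            self._log(user_id, "login_rejected_locked")
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
            acct.failures = 0
            if self.now() - acct.set_on > timedelta(days=EXPIRY_DAYS):
                self._log(user_id, "login_ok_password_expired")
                return "expired"
            self._log(user_id, "login_ok")
            return "ok"
        acct.failures += 1
        self._log(user_id, f"login_failed ({acct.failures}/{MAX_FAILURES})")
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            self._log(user_id, "account_locked")
            return "locked"
        return "denied"
```

The audit log records both successful and unsuccessful attempts with a timestamp and user ID, which is what an auditor needs in order to reconstruct the sequence leading to a lock-out; the lock is only cleared by an administrative password reset, so a locked account cannot be reopened by guessing further.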
3.8.2 Security of Application System Files
Access to application software, data files and system management files should be formalised and documented according to the sensitivity and importance of the system. Maintaining the integrity of applications is the responsibility of the system administrator who will ensure that:
- strict control is exercised over the implementation of software on the operational system;
- test data is protected and controlled.
3.8.3 Security in Development and Support Environments
All proposed system changes must be reviewed to ensure they do not compromise the security of either the system or operating environment. The ICT Manager is responsible for all operating systems and the appropriate system administrator is responsible for the application. It is essential that both parties work together to ensure the security of application software and data is maintained. Unsupported modifications to packaged software will only be authorised in exceptional circumstances. Wherever possible the required changes should be obtained from the vendor as standard program updates. The implementation of any changes to systems should be strictly controlled using formal change control procedures. All system changes will be documented. It should be a standard that any operational system has separate and secure test, training and development environments.
3.9 Compliance
3.9.1 Compliance with Legal Requirements
The XXX’s statutory obligation to have sound information and cyber security arrangements in place originates in the Indian IT Act 2000. The XXX depends on the confidentiality, integrity and availability of its information and ICT to such an extent, however, that a serious breach of information security could impact the XXX’s ability to deliver a wide range of statutory services. In addition, the XXX has contractual obligations to ensure sound security if it is to use the Government Public Services Network (PSN) or to receive or share information with partner agencies under information sharing arrangements.
3.9.2 Control of Proprietary Software Copying
Proprietary software is usually supplied under a licence agreement which limits the number of users and/or limits the use to a specified machine. Copyright infringement can lead to legal action, fines and adverse publicity. It is XXX policy that no copyright material is copied without the owner’s consent.
3.9.3 Use of Unlicensed Software
Except for freeware, the use of unlicensed software amounts to theft and the XXX’s policy is only to use licensed software. The introduction and/or use of unlicensed software is prohibited and may be treated as gross misconduct.
3.9.4 Safeguarding of the XXX’s Records
Important records must be protected from loss, destruction and falsification. All financial records need to be retained for seven years or more to meet audit requirements. All historic data should be periodically archived by the relevant system administrator, with copies being retained in media fire safes on and off site, in accordance with Government regulations.
3.9.5 Auditing and logging the use of ICT resources
The XXX maintains audit logs of events taking place across its complete network. This includes, but is not limited to:
- user login times;
- details of failed login attempts;
- details of access to data files and software applications (user ID, times);
- details of any privileged access to systems;
- software and hardware configuration changes;
- details of internet web usage and restricted access reports;
- details of file, folder and network object access.
3.9.6 Prevention of Misuse of IT Facilities
The XXX’s computer facilities are provided for XXX business or in connection with approved study courses. Staff and members are allowed to use the XXX’s computer facilities for personal use for the following:
- personal use of e-mail in accordance with the “Internet and E-Mail Access – Conditions of Use” policy document;
- access to the Internet, if granted for work purposes, in accordance with the “Internet and E-Mail Access – Conditions of Use” policy document;
- limited use of PC software, particularly word processing, in their own time.
The following conditions will apply:
- all private printing must be paid for unless an agreement has been reached with the ICT Manager or the printing service;
- unauthorised or excessive personal use may be subject to disciplinary action;
- the Computer Misuse Act 1990 introduced three criminal offences:
- unauthorised access;
- unauthorised access with intent to commit a further serious offence;
- unauthorised modification of computer material, i.e. alteration, erasure or addition to programs or data.
Users should not attempt to gain access to systems they are not authorised to use or see, as they could face criminal prosecution.
3.9.7 Security Reviews of IT Systems
The internal and external security of IT systems will be regularly reviewed and subject to cyber security and penetration testing, including external penetration testing. The review of security processes will be carried out by Internal Audit, External Audit and managers. ICT will use specialist third parties to perform external and internal security and cyber security health checks annually, in order to maintain the Cyber Essentials PLUS accreditation as well as to meet our PSN security obligations. Annual reviews will ensure compliance and assurance with the security policy, standards and best practice.
3.9.8 System Audit Considerations
Audit requirements and activities involving checks on operational systems shall be carefully planned and agreed to minimise the risk of disruptions to business processes. There should be controls to safeguard operational systems and audit tools during system audits. The following are to be observed:
- audit requirements to be agreed with the appropriate manager;
- the scope of any checks to be agreed and controlled;
- checks to be limited to read only access to software and data wherever possible;
- access, other than read only, only to be allowed for isolated copies of system files which must be erased when the audit is completed;
- IT resources for performing checks should be identified and made available;
- requirements for special or additional processing should be identified and agreed with service providers;
- wherever possible access should be logged and monitored;
- all procedures and requirements should be documented.
Access to system audit tools should be controlled.
4.0 IMPLEMENTATION, REVIEWS AND ENFORCEMENT
4.1. Implementation and Reviews
4.1.1. This document shall come into operation once tabled and agreed in management meeting, and approved in its first page, and then shall be considered mandatory for all XXX’s business operations.
4.1.2. XXX’s staff found to have violated this policy may be subject to disciplinary action in accordance with rules defined by XXX’s administrative regulations.
4.1.3. This document shall be reviewed within three years, or whenever the business environment of XXX changes in a way that affects the current policy.
4.2. Exceptions
4.2.1. Any exception to this policy shall be thoroughly documented and authorised through a proper channel by the same authority which approved this document.