Digital Services operations and network policy

Purpose

Any loss, compromise, or misuse of council information and associated assets, however caused, could have devastating consequences for the council and may result in financial loss and legal action. The purpose of this document is to define the policies and standards that will be applied to maintain the confidentiality, integrity and availability of the information systems supporting the business functions of the council. This policy provides management direction and support for the implementation of information security and is designed to help council employees carry out the business of the council in a secure manner. By complying with this policy, the risks facing the council are minimised.

Introduction

This policy applies to council employees (including temporary and agency workers), Members, independent consultants and contractors, and suppliers/contractors responsible for managing and operating council information systems, computer and network facilities.

The policy is not designed to be obstructive. If you believe that any element of this policy hinders or prevents you from carrying out your duties, please contact the council’s Digital Services (DS) Service Desk.

The following policies should be read in conjunction with this policy:

Operational procedures and responsibilities

Digital Services will prepare appropriate documented operating procedures for all operational information systems, to ensure a correct and secure operation. Documented procedures are required for system development, maintenance and testing work, especially if it requires the support or attention of other organisational functions.

All operating procedures are formal documents and any changes are to be authorised by the process owner. Documented procedures are prepared for:

Responsibilities and procedures for the management and secure operation of council resources and all connected PCs, laptops and networks are to be established. This is to include appropriate operating instructions and incident response procedures.

Change management

Changes to equipment, software or procedures are subject to a formal change control process. Digital Services will ensure that all changes to the operational environment are:

Before installation on to the council network, all changes must be logged and authorised by the appropriate member(s) of staff.

On completion of any upgrade, modification or installation, the change control form must be updated to show all the work done and the version numbers of any software packages, patches or upgrades recorded.

Incident management

Incident management and reporting responsibilities and procedures will be established to ensure a quick, efficient and orderly response to security incidents. (For examples of information security incidents, please refer to the Acceptable Use Policy).

Processes must be established to coordinate activities spanning the council and all affected partners, and to determine how information will be disseminated to the public and media should this become necessary.

Once a security incident is reported, employees must immediately follow the incident response procedure. Officers must be clear on incident definitions and escalations for quick and appropriate response upon notification.

Any incident relating to Department for Work and Pensions (DWP) data where that data has been compromised, together with any proposed resolution, must be reported to DWP to allow them to make a risk-based decision on any continued data sharing arrangements.

Segregation of duties

Segregation of duties assists in preventing fraud, errors and conflicts of interest, minimises information security risks and reduces the risk of accidental or malicious system misuse.

Care is taken that no single individual can perpetrate fraud in areas of single responsibility without being detected. For example, the initiation of an event is separated from its authorisation. The following points are considered:

Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision are considered.

Business need-to-know should be considered in conjunction with separation of duties to ensure that one does not override the other. Risk management and change management processes should include the discussion of separation of duties as well as business 'need to know'.

No individual may approve his or her own changes. No individual should have unchecked control over an entire business transaction, infrastructure area, or environment.

Job roles and responsibilities should be reviewed to ensure there are no contradictions of responsibilities in this area.

Reporting, logging and monitoring

Monitoring system access and use

Systems will be monitored to detect deviation from the Access Control Policy and record events to provide evidence in case of security incidents.

The application business owner must establish the logging and monitoring requirements for business auditing purposes. Designated employees responsible for the following areas must establish the logging and monitoring requirements for the relevant purposes:

A process for capturing logging and monitoring requirements must be developed. Audit and event logs will need to be adequately secured, where possible centrally, and separately from employees with privileged access (separation of duties). Tools may be required for log analysis.

Clock synchronisation

Council devices are synchronised to an approved standard, for example, PSN time servers.

Reporting security weaknesses

It is vitally important that security events are reported. All security weaknesses must be reported immediately to the DS Service Desk, who in turn will inform the Information Security Officer of associated risks, corrective or preventative actions.

Users should not, in any circumstances, attempt to prove a suspected weakness.

Reporting of software malfunction

Users of information processing services are required to note and report any software that appears not to be functioning correctly to the DS Service Desk.

If it is suspected that the malfunction is due to a malicious piece of software (for example, computer virus) the user is asked to:

Users are informed that they should not, under any circumstances, attempt to remove the suspected software. Only trained and authorised employees may undertake recovery action.

Separation of development, test and operational facilities

Digital Services will ensure that development, test and operational systems are segregated (run on different processors or domains) in order to prevent unauthorised access, modification or misuse of information or services.

For each information system or service, the need for separating development, production, test and operational facilities is determined through risk assessment.

The following levels of separation are considered and implemented, as appropriate, to mitigate any of the risks:

All domains/environments must be appropriately protected. Additional technology, both hardware and software, will be required to duplicate the development environment.

System planning and acceptance

Capacity management

The hard drive capacity of the council’s file servers will periodically be monitored by system administrators.

If free space on the file server hard drive becomes less than or equal to 20% of total capacity, users are requested to remove redundant files. If this is not possible, extra hard disk space should be installed.

Projections of future requirements should be made to prevent any bottlenecks and dependencies on the services by the council or third-party organisations.

System acceptance

Acceptance criteria for new systems and system upgrades are to be established by the system owner and appropriate officers and suitable tests carried out prior to acceptance. This must include appropriate testing of security mechanisms. This will ensure that requirements for new systems are clearly defined, documented and tested.

The Information Governance and Security Teams must ensure the evaluation and Risk Assessment has been applied. Digital Services must ensure the correct management of system and network provisioning, and of hardware and software deployment.

Adequate capacity and fallback planning must be carried out to ensure the availability of council resources.

Before installation, the system/upgrade must be appropriately tested to ensure no conflicts or vulnerabilities are introduced to the current council network.

All new systems/upgrades are to be controlled by the Change Control process. No systems/upgrades are to be implemented without due approval.

For major new developments, the operations function is consulted at all stages in the development process to ensure the operational efficiency of the proposed system design. Appropriate tests are carried out to confirm that all acceptance criteria are fully satisfied.

Protection from malicious software and mobile code

Protection from malicious software

Digital Services will deploy appropriate controls to mitigate the risks of viruses and malicious software. A process to update the controls must be in place.

Council file servers, PCs and laptops will have antivirus software installed. The software is to be configured to scan all files for viruses. The software should automatically check for updates on a daily basis.

The system administrator will confirm and document that the latest update has been installed.

Employees must be educated on the use of these controls and made aware of the types of malicious code and the threats they pose.

Mobile code

Mobile code is used on the Internet to run animation effects; examples are ‘ActiveX’ and ‘Flash Media’. If it installs on council PCs it can cause damage to the network.

Mobile code must be authorised by the Information Security Officer and kept isolated from any production environment. The use of such code must be restricted to authorised staff only.

Where mobile code is authorised, the configuration should ensure that the authorised mobile code operates according to a clearly defined security policy. Unauthorised mobile code should be prevented from executing.

Vulnerability management

All exploitable vulnerabilities must be managed. Digital Services will ensure it has defined processes to identify vulnerabilities and to prioritise and mitigate all those found. This will include specific patch application periods and a process for auditing compliance.

At minimum, this will include patching vulnerabilities being actively exploited immediately, critical vulnerabilities within 14 days, high vulnerabilities within 30 days and others within 60 days.

Regular network scanning of all devices for vulnerabilities must be carried out, at minimum a full network scan every 60 days.
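As an added example (not the council's own tooling), the patch windows and scan cadence above expressed as a compliance check over a constructed finding inventory; the record field names and the `actively_exploited` flag are assumptions about what the scanner feed provides:

```python
"""Patch-window compliance check for the vulnerability management policy above.
Added example, not council tooling; the findings below are constructed."""
from datetime import date, timedelta

# Remediation windows stated in the policy, in days from discovery.
# Actively exploited vulnerabilities are due immediately (0 days) whatever the severity.
PATCH_WINDOW_DAYS = {"critical": 14, "high": 30}
DEFAULT_WINDOW_DAYS = 60   # "others within 60 days"
SCAN_INTERVAL_DAYS = 60    # full network scan at least every 60 days


def patch_deadline(found_on: date, severity: str, actively_exploited: bool) -> date:
    """Date by which the policy requires the vulnerability to be patched."""
    if actively_exploited:
        return found_on
    window = PATCH_WINDOW_DAYS.get(severity.lower(), DEFAULT_WINDOW_DAYS)
    return found_on + timedelta(days=window)


def days_late(finding: dict, today: date) -> int:
    """Days past the deadline: open findings are measured to `today`, remediated
    findings to their remediation date. Returns 0 when within the window."""
    due = patch_deadline(finding["found_on"], finding["severity"],
                         finding["actively_exploited"])
    closed = finding["remediated_on"] or today
    return max(0, (closed - due).days)


def compliance_report(findings: list, last_full_scan: date, today: date) -> dict:
    """Summarise an inventory against the policy windows and scan cadence.
    open_overdue / fixed_late hold (id, days_late); within_window counts the rest;
    scan_overdue flags a last full scan older than SCAN_INTERVAL_DAYS."""
    report = {"open_overdue": [], "fixed_late": [], "within_window": 0,
              "scan_overdue": (today - last_full_scan).days > SCAN_INTERVAL_DAYS}
    for f in findings:
        late = days_late(f, today)
        if late == 0:
            report["within_window"] += 1
        elif f["remediated_on"] is None:
            report["open_overdue"].append((f["id"], late))
        else:
            report["fixed_late"].append((f["id"], late))   # audit trail of misses
    return report


# Constructed sample inventory (not real findings). The actively_exploited flag is
# assumed to come from the scanner or threat intelligence feed.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "found_on": date(2024, 5, 1),
     "actively_exploited": False, "remediated_on": None},
    {"id": "F-2", "severity": "high", "found_on": date(2024, 5, 10),
     "actively_exploited": False, "remediated_on": None},
    {"id": "F-3", "severity": "medium", "found_on": date(2024, 3, 1),
     "actively_exploited": False, "remediated_on": date(2024, 4, 15)},
    {"id": "F-4", "severity": "low", "found_on": date(2024, 3, 1),
     "actively_exploited": True, "remediated_on": date(2024, 3, 3)},
    {"id": "F-5", "severity": "critical", "found_on": date(2024, 5, 31),
     "actively_exploited": True, "remediated_on": None},
]
SAMPLE_LAST_SCAN = date(2024, 3, 15)
SAMPLE_TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    r = compliance_report(SAMPLE_FINDINGS, SAMPLE_LAST_SCAN, SAMPLE_TODAY)
    for fid, late in r["open_overdue"]:
        print(f"OPEN, {late} day(s) past policy deadline: {fid}")
    for fid, late in r["fixed_late"]:
        print(f"Fixed {late} day(s) late: {fid}")
    print(f"{r['within_window']} within window; full scan overdue: {r['scan_overdue']}")
```

The fixed_late list is what the policy's compliance audit would review, since an open finding that is merely within its window is not yet a breach.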

Information back-up

Digital Services will ensure that adequate back up facilities of the council’s internal systems are provided to ensure that all essential business information and software can be recovered following a computer disaster or media failure:

Access control

Access to information and business processes will be controlled on the basis of business and security requirements.

An access management process for every system/database must be created, documented, approved, enforced and communicated to all relevant employees and partner organisations.

Each business application run by, or on behalf of the council, will have a nominated system administrator who is responsible for managing and controlling access to the application and associated information.

Access to information must be based on 'need to know' and segregation of duties. The appropriate information, system, database, or application owner is the only individual that can authorise a systems administrator to grant or update access via the formal access management process.

Audit must monitor the process to ensure that access control is appropriately implemented according to ‘business need to know’ and ‘segregation of duty’ principles.

Special attention is given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

Access control requirements are clearly defined, documented and maintained within an Access Policy Matrix, which specifies the rights of individuals or groups of users. The council has adopted common Windows-based operating systems, and predefined user profiles will be maintained to restrict access. This policy matrix will be reviewed and approved by the data owner and occasionally reviewed by the Security Working Group to ensure consistency.

For further information see the council’s Access Control Policy.

Unattended user equipment

Screen savers or equivalent tools must be installed and enabled as part of a Standard Operating Environment (SOE).

All network equipment (including WAN service termination equipment, routers, hubs, cabling patch panels) will be kept in appropriate locked facilities. All network equipment outside computer rooms must be kept securely. Staff must ensure that doors are secured when they are left unattended. All equipment keys must be limited to staff who need them to carry out their duties. If any key is lost or mislaid, or any door found unlocked, then this must be reported immediately to the Digital Services Security Team.

All servers must be kept physically secure in an area for authorised individuals only. A process of allocating and monitoring access to server rooms must be implemented.

For further information for employees, see the council’s Acceptable Use Policy.

Controls on data in transit

Information will need to be classified in terms of sensitivity and confidentiality. Information must be protected according to its classification and the minimum classification of the network it traverses.

For further information see the council’s Information Classification and Handling Policy.

New and obsolete devices

The infrastructure environment must be closely controlled and documented to minimise the introduction of unknown vulnerabilities.

The connection of new devices to council or partner connected infrastructure that might impact on the delivery of services must be requested via the formal change request process and submitted for approval to the appropriate officer. Upon approval relevant documentation must be updated and submitted to the designated officer.

Similarly, disconnection of obsolete devices that might impact on the delivery of services must be requested via the formal change request process and submitted for approval to the appropriate officer.

A configuration management process must be implemented and enforced.

Detecting unauthorised changes

The IT environment must be monitored to minimise the introduction of unknown vulnerabilities.

The designated officer will ensure that any new unauthorised device added to the network or device removed from the network without authorisation will be detected, logged and the appropriate action taken. A configuration management process must be established.

Information handling

Media handling and security

In order to prevent damage to assets and interruption to business activities, appropriate operating procedures will be established to protect information, documents, computer media, input/output data and system documentation.

Appropriate controls need to be established for media handling and security.

Hard drives that contain ‘highly restricted’ information that are reused or require replacement are securely erased or physically destroyed. If using the services of a third party for the management of media, a certificate is obtained as proof of destruction.

Software to securely erase hard drives will be considered and where possible configured to overwrite the media at least seven times.

A record is maintained of all removable media, for example, back up tapes, to prevent any opportunity for loss or theft.

Exchanges of information and software

Exchanges of information and software between organisations will be controlled and compliant with relevant legislation, information sharing protocol(s), and handling requirements detailed in the appropriate risk assessment.

Security of system documentation

Manuals, configuration details and network drawings are to be stored securely. Access to this documentation is only permissible by authorised employees. Copies of system documentation are stored off site. Access is limited to employees who are system administrators (staff with administrator privileges and the DS Security Manager).

Mobile computing and teleworking

When using mobile computing or teleworking the risks of working in an unprotected environment are to be considered and appropriate protection applied.

Managers must be satisfied that an alternative work site (such as a home office) is appropriate for the tasks that are to be performed by the employee involved.

Supporting material:

Network access control

Access to both internal and external networked services should be controlled to ensure that employees who have access to networks and network services do not compromise the security of these network services.

It must be ensured that:

An enforced path, to limit routing capabilities, will need to be considered.

Policy on use of network services

Digital Services will undertake the following activities to control the use of its network.

User authentication for external connections

Remote access rights to council systems are generally granted except where data processed is under third party agreements that forbid such access. Access for third parties is covered by the Third-Party Access Policy.

Equipment identification in networks

Automatic equipment identification is used as a means to authenticate connections from specific locations and equipment. All equipment will be identified using appropriate methods and validated for compliance with policy before connection is permitted.

Operating system access and control

Security facilities at the operating system level will be used to restrict access to computer resources. These facilities are to be capable of the following:

Automatic terminal identification to authenticate connection to specific locations may be required. Terminal logon procedures must be implemented. Use of system utilities may need to be restricted and tightly controlled.

Security in applications and access control

Logical access to software and information should be restricted to authorised employees.

When designing an application system, security requirements, including appropriate controls and audit trails or activity logs, must be considered from the beginning of the project. The security requirements must balance the cost of implementation against the associated risks to the business.

Applications will:

Systems development and maintenance policy

Security is an integral component of any systems acquisition, development and maintenance and applies to all aspects of systems development and maintenance whether performed directly by or on behalf of the council.

The method for articulating security requirements is to be based on the three core security principles that guide information security:

The agreed requirements will be used as input to the design and implementation of the service and any subsequent accreditation.

Security requirements of systems

Security requirements should be identified and agreed prior to the development of information systems and aligned to the perceived threats and the value of the assets.

The UK Minimum Cyber Security Standard requirements will be used as the basis for security architecture; NCSC (National Cyber Security Centre) guidance will apply to areas not covered by this standard.

All security requirements, including the need for back-up arrangements, will be identified at the requirements phase of a project and justified, agreed and documented as part of the overall business case for an information system.

Considering security requirements from the beginning of a project minimises costs, since both rework and insecure projects can be avoided.

A process must be in place for reviewing the information security risk in all development projects.

The Information Security Manager must be aware of all DS projects and their information security implications in order to provide recommendations and approval. It is the project manager's responsibility to obtain the Information Security Officer’s approval prior to commencing each project phase such as proposal, design, release to production and maintenance.

Additional time and resources will be required in the project to incorporate information security risk assessment. Information security must be part of the formal application development methodology.

The Information Governance Board must establish the standard whereby adherence with the Information Security Policy Set is incorporated into DS projects.

Approving information security in projects

Information security requirements in terms of confidentiality, integrity and availability must be considered during the proposal, design, and release to production and maintenance phases for all projects, including acquisition of third-party software. The project manager must obtain approval for each phase from the Information Security Officer.

The Data Protection Officer must by law be involved in all new or changed uses of information.

Cryptographic controls

Cryptographic systems and techniques will be used for the protection of information that is considered at risk and for which other controls do not provide adequate protection.

When evaluating the need for encryption, costs must be measured against the business risk. Particular attention should be paid to information held on portable devices.

Security of system files

Access to system files should be controlled to ensure that DS projects and support activities are conducted in a secure manner.

There must be controls for the implementation of operational software.

Controls may need to be applied around system test data. Access to confidential or restricted data stored in a shared system file must be commensurate with the classification of that data.

Security in development and support processes

Inadequate control of changes to information processing facilities and systems is a common cause of system or security failures. Lack of management and procedures to control changes to equipment, software or procedures can compromise operations.

Development and support environments will be strictly controlled to maintain the security of applications, system software and information.

Change management and configuration management processes must be defined that include procedures and responsibilities for aborting or recovering from unsuccessful changes.

Change control procedures

The formal change management process is to be followed for all operational changes to systems, equipment, software, standards, configuration or processes/procedures.

Reporting, logging and monitoring

Audit logging

Within each information system, appropriate audit logging must be implemented. The application business owner must establish the logging and monitoring requirements. Auditing should be configured to be operational at all times and sufficient information recorded to enable a thorough review of any suspected incident to be completed. The following events may be considered for audit as appropriate:

Monitoring system use

The system administrator is responsible for monitoring access periodically, and whenever a security breach has been detected or is suspected. Access to event logs will be restricted to security administrators. Event logs will record all system events, logon and logoff times, and include:

For each audited event, the Audit Log Record will contain at least the following:

System access controls must be set to ensure that only the DS support staff have read access to audit logs and only system administrators have delete/archive access to audit information.

Administrator and operator logs

System administrators and computer operators should maintain a log of all work carried out. Operator logs should include, as appropriate:

Operator logs are subject to regular, independent checks against operating procedures. All audit logs in support of the information security quality management should be retained for a minimum of 6 months.

Fault logging

Faults are reported to the system administrator and logged via the Service/Help Desk (even if subsequently dealing with the supplier directly). The system administrator is responsible for:

Environmental monitoring

Information processing facility environments are monitored where necessary. Temperature, humidity and power supply quality are monitored where necessary to identify conditions that might adversely affect the correct operation of information processing equipment. These procedures are carried out in accordance with the manufacturers’ recommendations.

Refer to the Physical and Environmental Security Policy.

Compliance

The council expects that all employees will comply with this policy. This policy will be included within the internal audit information security programme, and compliance checks will take place to review the effectiveness of its implementation.

Exceptions

In the following exceptional cases compliance with some parts of the policy may be relaxed. The parts that may be relaxed will depend on the particular circumstances of the incident in question:

In such cases, the staff member concerned must take the following action:

Failure to take these steps may result in disciplinary action.

In addition, the Information Security Officer maintains a list of known exceptions and non-conformities to the policy. This list contains:

The council will not take disciplinary action in relation to known, authorised exceptions to the information security management system.

Penalties

Non-compliance is defined as any one or more of the following:

Any violation or non-compliance with this policy may be treated as serious misconduct.

Penalties may include termination of employment or contractual arrangements, civil or criminal prosecution.


Policy details

Author – Information Governance Manager
Owner – Information and Data Governance Board
Version – 4.9
Reviewer – Information and Data Governance Board
Classification – Official
Issue status – Final
Date of first issue – 16.01.2008
Date of latest re-issue – 30.05.2024
Date approved by IGB – 19.05.2024
Date of next review – 30.04.2025
