Software acceptable usage policy

Introduction

Information is a valuable asset and is an essential requirement for a local authority to carry out its legal and statutory functions. The information Enfield Council processes is about you. It can be highly confidential and very personal, therefore the council has a legal duty to take care of it. This document will address why the council needs to secure the information we process, identify the security measures required and provide guidance to users of council information.

What is information?

Information can be in a number of forms:

What is the security approach?

The most effective way of providing information security is to use a structured approach that will ensure the appropriate controls are applied to specific areas rather than general controls to all areas. The key standards in the area are the ISO27000 series. These standards provide a comprehensive set of security controls comprising the best information security practices in current use. The objective is to provide organisations with a common basis for providing information security and to enable information to be shared between organisations.

Scope

This Software Acceptable Usage Policy (SAUP) applies to all Enfield Council’s systems and is effective from the date of issue of this document. The policy, rules and conditions apply to all Enfield Council Members, employees, contractors, consultants, agency staff, independent contractors and other users of Enfield Council information systems irrespective of the platforms used or where they are located.

Software acceptable usage policy

Enfield Council is committed to the use of authorised software within its computer systems. It is expressly forbidden for ‘users’ to load or operate software gained from the Internet, magazines or other sources. The council is also committed to using software for which it has current licences.

Where software is developed and/or modified in-house, under licence agreement, it should only contain the functionality that was specified in the requirement and must not contain functions that have fraudulent or mischievous intent (generally referred to as Malware).

It is the responsibility of all users to ensure that they do not introduce viruses into computer systems. Users should take care when receiving electronic information from unknown sources, including attachments within email. Where there are reasons to access information from questionable source(s), active virus checking must be performed, preferably on a standalone computer and/or test server, thus having no communication links to other systems.

The following provisions, which apply to the use of all computers, govern all users:

Enforcement monitoring

Monitoring of the standard is the responsibility of all managers as part of their management role. The Internal and External Audit may undertake reviews on a planned and ad-hoc basis as part of the audit process. The DS Security Team will conduct quality reviews on cyclical basis as part of their security role.

Penalties for non-compliance

The council has an established staff Disciplinary Code of Conduct. Any breach of policies contained within this document will be dealt with in accordance with those procedures.

Enforcement

A violation of standards, procedures, or guidelines established in support of this policy will be brought to the attention of the DS Security Team or investigation. The IT Security Team enforces this policy by continuously monitoring, through the use of software tools. Business Unit Management, Human Resources, Internal Audit and External Audit will be notified when it is considered a breach has taken place. It is the responsibility of all users (as defined within the Scope of this document) to ensure compliance with the policy. Failure to adhere to the policy may result in a breach of Financial Regulations, Standing Orders and or current legislation. In the event of a breach by a council employee, IT facilities may be suspended/removed and disciplinary action taken against them in accordance with the Disciplinary Code of Conduct. A breach of the Software AUP may be considered as a gross misconduct offence and lead to a penalty up to and including dismissal. Action against non-Enfield employees may result in removal/suspension of IT facilities, removal from site, cancellation of any contracts and possible legal action.

Exceptions to the software acceptable usage policy

The council expects all users to achieve compliance with the directives presented within this policy. In the following exceptional cases, compliance with the council’s Information Security policies may be relaxed. The parts that may be relaxed will depend on the particular circumstances of the incident in question. These exceptional circumstances are outlined below:

In such cases, the council employee or third party (for example, contractor) concerned must take the following action:

(Failure to take these steps may result in disciplinary action).

The DS Security Team will maintain a list of known exceptions and non-conformities to the Information Security Policies. This list will contain:

The council will not take disciplinary action in relation to known, authorised exceptions to the Information Security Policies.

Non-compliance

Non-compliance is defined as any one or more of the following:


Policy details

Author – Information Governance Manager
Owner – Information and Data Governance Board
Version – 1.7
Reviewer – Information and Data Governance Board
Classification – Official – Public
Issue status – Final
Date of first issue – 21.10.2017
Date of latest re-issue – 30.05.2024
Date approved by IGB – 19.05.2024
Date of next review – 30.04.2025

Council news directly to you

The latest news in your inbox every week. Council news, community updates, local events and more.

Sign up Sign up