Information Security Policy Physical and Environmental Security


  • 7/27/2019 Information Security Policy Physical and Environmental Security

    PROTECT POLICY

    - Page 1 of 9-

    If printed, copied or otherwise transferred from its originating electronic file this document must be considered to be an uncontrolled copy. When documents are updated notification will be circulated throughout the organisation. Policy amendments may occur at any time and you should consult the principal electronic file if in doubt.

    Information Security Policy SAG/IA5

    Communications and Operations Management

    The purpose of this document is to set guidelines to:

    o Ensure the correct and secure operation of information processing facilities;
    o Implement and maintain appropriate level of information security and service delivery in line with third party service delivery agreements;
    o Minimise the risk of system failures;
    o Protect the integrity of software and information;
    o Maintain the integrity and availability of information and information processing facilities;
    o Ensure the protection of information in networks and the protection of the supporting infrastructure;
    o Prevent unauthorised disclosure, modification, removal or destruction of assets and interruption to business processes;
    o Maintain the security of information and software exchange within an organisation and any external entity;
    o Ensure the security of electronic commerce services, and their secure use;
    o Detect unauthorised information processing activities.

    1 Operational procedures and responsibilities
    2 Third party service delivery and management
    3 System planning and acceptance
    3.1 Capacity management
    3.2 System acceptance
    4 Protection against malicious and mobile code
    5 Back-up
    5.1 Information back-up
    6 Network security management
    6.1 Network controls
    6.2 Security of network services
    7 Media handling
    7.1 Management of removable computer media
    7.2 Disposal of media
    7.3 Security of system documentation
    8 Exchanges of information
    8.1 Information exchange policy and procedures
    8.2 Exchange agreements
    8.3 Physical media in transit
    8.4 Electronic messaging
    8.5 Business information systems
    9 Electronic commerce services
    9.1 Electronic commerce
    9.2 On-line transactions
    9.3 Publicly available information
    10 Monitoring


    10.1 Audit logging
    10.2 Monitoring system use
    10.3 Protection of log information
    10.4 Administrator and operator logs
    10.5 Fault logging
    10.6 Clock synchronisation
    11 Compliance

    Related Policies

    Accreditation Controls Addressed


    1 Operational procedures and responsibilities

    Documented Operating Procedures
    System Operating Procedures must be fully documented for accreditation. This forms part of the system's Risk Management and Accreditation Document Set (RMADS) and should include the processing and handling of information, system startup and shutdown procedures, account management, support and maintenance, data retention, data backup, Business Continuity plans and audit and accounting log analysis (protective monitoring).

    Change management
    Any changes to systems must be logged with the Change Advisory Board (CAB) and follow standard Force procedures for ensuring that security risks are reassessed as part of a formal approval process. Implementation of changes must be planned for a time that causes the minimum disruption to the organisation.

    Segregation of duties
    Segregation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. The system must allow the secure segregation of user activities to reduce the risk of accidental or deliberate system misuse.

    Separation of development, test and operational facilities
    There must be proper separation of development, test and production environments. Different login procedures must exist between environments to minimise the risk of accidental changes to operational systems.

    The following items should be considered:

    o Rules for the transfer of software from development to operational status should be defined and documented.
    o Development and operational software should run on different systems or computer processors and in different domains or directories.
    o Compilers, editors, and other development tools or system utilities should not be accessible from operational systems when not required.
    o The test system environment should emulate the operational system environment as closely as possible.
    o Users should use different user profiles for operational and test systems, and menus should display appropriate identification messages to reduce the risk of error.
    o Sensitive data should not be copied into the test system environment.

    2 Third party service delivery and management

    Service delivery
    Security controls, service definitions and delivery levels should be included in third-party service delivery agreements.

    Monitoring and review of third party services
    Services, reports and records provided by the third party should be regularly monitored and reviewed, and appropriate audits conducted.

    Managing changes to third party services
    Changes to the provisions of services, including maintaining and improving existing information security policies, procedures and controls, should be appropriately managed taking into account:

    o The criticality of the particular information system(s) and process(es).
    o Using appropriate change management procedures, similar to those applied to internal service changes.


    3 System planning and acceptance

    3.1 Capacity management
    There must be advanced planning and preparation to ensure the availability of adequate capacity and resources to meet the current and future need of any new or changed system.

    3.2 System acceptance
    Acceptance criteria must be established that ensure performance targets and security requirements have been met. It must also provide evidence that the system has not adversely affected the security of existing systems and the overall security of the organisation.

    The Information Security Officer will hold responsibility for local accreditation of information systems.

    The role of the Accreditor is to act as an impartial assessor of the residual risk affecting Information Systems, and to formally accredit those systems on behalf of the Senior Information Risk Owner (SIRO). If, following the risk assessment, the Accreditor determines that a risk is too high, the risk is raised to the SIRO for advice and, if necessary, a decision to accept a desired level of residual risk is made.

    Successful accreditation requires the Accreditor to be engaged throughout the lifecycle of the information process. This requires the formal involvement of the Accreditor at all stages of the lifecycle of the information process, including:

    o At concept.
    o During project/programme planning. This will include the Accreditation process being included as project activities and milestones.
    o Development of the business case.
    o Procurement.
    o Development.
    o Deployment.
    o Live operation.
    o Decommissioning.

    To ensure that the information assurance controls meet the business needs of the organisation and that information assurance is embedded into the information system, the Accreditor should have direct access to:

    o Programmes and Project Boards.
    o The Senior System Owner.
    o The Senior Information Risk Owner.

    The HMG Infosec Standard, Risk Management & Accreditation of Information Security Systems July 2005 states the Accreditation functions as being:

    o Advice and guidance on the Information Assurance (IA) risk management and accreditation requirements of specific Information Systems (IS) throughout the lifecycle.
    o Advice on preparation of the Risk Management and Accreditation Document Set (RMADS) and approval of the RMADS, including all changes, throughout the lifecycle of the IS; this includes staged approval, as appropriate, of the various sections or documents.
    o Confirmation that the proposal, contract and IA risk management plan meet the IA requirements, prior to contract let.
    o Specification and management of compliance verification and validation during the IS lifecycle (e.g. periodic inspections or IT health checks).
    o The accreditation decision based on adequate verification and assessment of residual risk, prior to acceptance of the IS and periodically throughout its in-service life, and issue of the accreditation statement.


    o Reporting business impact of residual risks to the appropriate information risk owner.
    o Confirmation of IA compliance on decommissioning or disposal.

    4 Protection against malicious and mobile code

    Controls against malicious code
    If malicious code is introduced onto the Force network either maliciously or through negligence, it will constitute a disciplinary offence and be dealt with through the appropriate disciplinary process.

    Appropriate controls should be implemented for prevention, detection and response to malicious code, including appropriate user awareness. Control includes:

    o Formal procedures prohibiting the use or installation of unauthorised software, including a prohibition of obtaining data and software from external networks.
    o Formal procedures requiring protective measures, such as installation of anti-virus and anti-spyware software, and for the regular updating of it.
    o Periodic reviews/scans of installed software and the data content of systems to identify and, where possible, remove any unauthorised software.
    o Defined procedures for response to identification of malicious code or unauthorised software.
    o Business continuity and recovery plans to deal with system interruptions and failures caused by malicious code.
    o User awareness training on these policies and methods.

    Controls against mobile code
    Appropriate controls should be implemented to control the operation of, and prevent damage from malicious versions of, mobile code.

    5 Back-up

    5.1 Information back-up
    Data can be saved to the following areas:

    o The Shared drive for a group/team (known as the S: drive). Work undertaken here can be saved securely and is backed up daily.
    o The Home drive (known as the H: drive). This is a personal secure area to which only a particular user has access. It should be used for work related information only. This is also backed up daily.
    o Other drive letters will be provided when necessary with arrangement the same as the S drive.
    o The A: and C: drives. Work saved in these areas will not be backed up. The C: drive is not secure; as such, work is accessible by any other users of the PC by default.

    In the event of a document or file being damaged or deleted on server H, S and other networked drives, a previous day's version may be retrievable. Contact the Information Services Response desk with your requirements.

    For security purposes, all files should be saved on networked drives. Users are advised not to use the C: drive and should note that information saved there is unlikely to be accessible from any other machine.

    Additional mappings may be granted depending on your role and should be relevant to your work.

    6 Network security management

    6.1 Network controls
    Connection should not be made between computers on the Force network and other organisations, except through approved and tested connections and with the formal permission of the Head of Information Services and advising the Information Security Officer as there may be implications relating to the CJX code of connection.

    6.2 Security of network services
    Connection to the Internet may only be made from a networked computer through a firewall to the CJX or from computers which are permanently unable to connect to the Force network.

    Any attempt to connect any device (attached directly or indirectly through a personal computer to the Force Network) to any external network (e.g. the World Wide Web (internet)) without approval by the Information Services Department will be a disciplinary offence.

    A computer cannot have a network card and a modem connection. In this respect, laptop computers which use a dial-in connection to the Force network are considered part of the Force network and must not be connected to the Internet at the same time.

    Portable computers and mobile data terminals which have a dial-up connection to devices on the Force network should only connect via a private land circuit or secure cellular or radio signals. The entry to the Force network should be through an approved firewall.

    7 Media handling

    7.1 Management of removable computer media
    All removable media should be handled in accordance with the SAG/IA/G2 Asset Management and SAG/IA/G12 Removable Media Acceptable Use Policy Guidance.

    7.2 Disposal of media
    Provision must be made for ensuring that any data storage media used for processing Force information is securely erased in accordance with the Force Policy before reuse, exchange or disposal. Reference Policy Guidance SAG/IA/G4 Physical and Environmental Security Section 2.6.

    7.3 Security of system documentation
    System documentation must be protected from unauthorised access. This includes bespoke documentation that has been created by Information Services or any other departmental IT staff (not general manuals that have been supplied with software).

    Examples of the documentation to be protected include descriptions of:

    o Applications
    o Processes
    o Procedures
    o Data structures
    o Authorisation details

    8 Exchanges of information

    8.1 Information exchange policy and procedures
    The integrity and security of data should not be compromised by the exchange of data with other organisations or applications. The procedures must be designed to protect exchanged information from:

    o Interception
    o Copying
    o Modification
    o Mis-routing
    o Destruction

    Information must be protected with appropriate controls based on the information's classification e.g. Confidential. Any regular data exchange with another organisation should be the subject of a formal agreement. The Data Protection Section of the Professional Standards Department can advise.


    Force data containing personal information should not be given to computer software suppliers for the purpose of application testing. Mass storage devices holding live Force data should be handled in accordance with the Protective Marking guidelines if taken outside of the Force establishment.

    8.2 Exchange agreements
    Any exchange of information with another organisation must be through a legal gateway, and/or supported by a formal, documented Information Sharing Agreement that complies with relevant Force Policy and legislation, and describes procedures for ensuring that the information is protected at all times. The Force Data Protection Officer will assist business areas in the formation of such agreements.

    8.3 Physical media in transit
    Media containing information should be protected against unauthorised access, misuse or corruption. Procedures and standards for authorising couriers, and a list of authorised couriers should be requested.

    Packaging standards, including technical protections (e.g. encryption) and physical protection standards such as locked containers and tamper-evident tagging should also be used where appropriate in accordance with the level of protective marking.

    8.4 Electronic messaging
    Information involved in electronic messaging should be appropriately protected. Electronic messaging includes email, audio-video conferencing and any other one-to-one, one-to-many, or many-to-many personal communications. Control includes:

    o Protecting messages from unauthorised access, modification or diversion.
    o Ensuring correct addressing and transportation.
    o Ensuring the general reliability and availability of messaging services.
    o Stronger levels of authentication and message content protection when using public networks.

    If you are unsure how to adequately protect electronic messages contact the Information Security Officer.

    8.5 Business information systems
    Policies and procedures should be developed and implemented to protect information associated with the interconnection of business systems. Control includes:

    o Accreditation including a risk assessment for development of appropriate countermeasures against vulnerabilities associated with such interconnections.
    o Policies and appropriate controls to manage information sharing using such interconnections.
    o Fallback and recovery arrangements in the event of interconnection failure.

    9 Electronic commerce services

    9.1 Electronic commerce
    Information involved in electronic commerce passing over public networks should be appropriately protected from fraudulent activity, contract dispute and unauthorised disclosure and modification. All electronic commerce solutions must undergo formal system accreditation and IT health checks.

    9.2 On-line transactions
    Information involved in on-line transactions should be appropriately protected to prevent incomplete transmission, mis-routing, unauthorised message alteration, unauthorised disclosure, duplication or replay.

    9.3 Publicly available information
    External-facing systems, especially Internet and publicly available systems, must have adequate controls to protect against unauthorised access and use. These often involve more technical controls, such as cryptographic techniques.


    10 Monitoring

    10.1 Audit logging
    An audit trail should be kept for each system. This will record:

    o User-id.
    o Log on/log off time and date.
    o Records accessed.
    o Records updated.
    o Records printed.

    These audit trails will be retained by the Business Area Systems Administrator with access permissions for the Information Security Officer or Force Data Protection Officer for a predetermined period.

    10.2 Monitoring system use
    Procedures must be in place for monitoring the use of information system processing facilities. The results of monitoring activities are regularly reviewed.

    10.3 Protection of log information
    The logs must be protected and routinely inspected by appropriate personnel. Suitable tools should be specified and available to assist in the analysis and alerting of key log events.

    10.4 Administrator and operator logs
    System event logs should be reviewed periodically by Business Area System Administrators to search for suspicious events or trends, which should be reported to the Information Security Officer.

    10.5 Fault logging
    Faults should be appropriately logged, analysed and actions taken as appropriate.

    10.6 Clock synchronisation
    All servers now automatically sync once an hour with the Rugby clock attached to the Command and Control System. All workstations sync with the Domain controllers at user log on. Network devices should be synchronised to the Rugby clock where possible. The Information Services department should check synchronisation of the system clocks on a weekly basis and log any changes made. This is important to ensure the accuracy of audit logs, which may be required for investigations or used as evidence.

    11 Compliance
    Information Security will regularly assess for compliance against this policy. Any violation of this policy will be investigated and if the cause is found due to wilful disregard or negligence, it will be treated as a disciplinary offence. All disciplinary proceedings are coordinated through the Professional Standards Department.

    12 Monitoring and Review
    Monitoring for changes of ISO 17799 and the Information Security Policy is the responsibility of the Information Security Officer, who will ensure ongoing monitoring and audit of the processes/guidance in place under the policy.

    Changes to the attached guidance documents are the responsibility of the Information Security Officer but will be dependent on, for example, changes in technology, local procedure, legislation and the Force computer/network infrastructure.

    The Head of the Professional Standards Department is responsible for monitoring the implementation and impact of this policy.

    The policy will be reviewed 1 year from its implementation date and the outcome of this monitoring process will inform this review.


    13 Appeals Process
    If any individual feels that this policy has been applied unfairly, they should discuss this with their line manager in the first instance. Individuals may also include a Unison or staff association representative in these discussions. If the matter is not resolved successfully at this stage, they may initiate the Dispute Resolution Procedure by completing Form 51.

    Date Reviewed Reviewed By Date Approved Policy Review Date

    Under Review 6969 Smith / 4336 Woodin
