Digital Services operations and network policy

Purpose

Any loss, compromise, or misuse of council information and associated assets, however caused, could have potentially devastating consequences for the council and may result in financial loss and legal action. The purpose of this document is to define the policies and standards that will be applied to maintain the confidentiality, integrity and availability of the information systems supporting the business functions of the council. This policy provides management direction and support for the implementation of information security and is designed to help council employees carry out the business of the council in a secure manner. By complying with this policy, the risks facing the council are minimised.

Introduction

This policy applies to council employees, including temporary and agency workers, Members, independent consultants and contractors and suppliers/contractors responsible for managing and operating council information systems, computer and network facilities.

The policy is not designed to be obstructive. If you believe that any element of this policy hinders or prevents you from carrying out your duties, please contact the council’s Digital Services (DS) Service Desk.

The following policies should be read in conjunction with this policy:

• Information Security Policy Document
• Access Control Policy
• Acceptable Use Policy
• Information Handling and Protection Policy
• Physical and Environmental Security Policy
• Business Continuity Policy
• Code of Conduct for Council Employees

Operational procedures and responsibilities

Digital Services will prepare appropriate documented operating procedures for all operational information systems, to ensure a correct and secure operation. Documented procedures are required for system development, maintenance and testing work, especially if it requires the support or attention of other organisational functions.

All operating procedures are formal documents and any changes are to be authorised by the process owner. Documented procedures are prepared for:

• system housekeeping activities
• network management
• data back-up
• change control management

Responsibilities and procedures for the management and secure operation of council resources and all connected PCs, laptops and networks are to be established. This is to include appropriate operating instructions and incident response procedures.

Change management

Changes to equipment, software or procedures are subject to a formal change control process. Digital Services will ensure that all changes to the operational environment are:

• assessed, where appropriate, for the potential impact of such changes
• identified and recorded
• formally approved
• communication of change details to all relevant individuals
• procedures and responsibilities for aborting and recovering from unsuccessful changes

Before installation on to the council network, all changes must be logged and authorised by the appropriate member(s) of staff.

On completion of any upgrade, modification or installation, the change control form must be updated to show all the work done and the version numbers of any software packages, patches or upgrades recorded.

Incident management

Incident management and reporting responsibilities and procedures will be established to ensure a quick, efficient and orderly response to security incidents. (For examples of information security incidents, please refer to the Acceptable Use Policy).

Processes must be established to coordinate activities spanning the council and all affected partners, and to determine how information will be disseminated to the public and media should this become necessary.

Once a security incident is reported, employees must immediately follow the incident response procedure. Officers must be clear on incident definitions and escalations for quick and appropriate response upon notification.

Any incident relating to Department for Work and Pensions (DWP) where the data has been compromised, and any proposed resolution, must be reported to DWP to allow them to make a risk based decision on any continued data share arrangements.

Segregation of duties

Segregation of duties will assist in the prevention of fraud, errors, conflict of interest, minimise information security risks and reduce risk of accidental or malicious system misuse.

Care is taken that no single individual can perpetrate fraud in areas of single responsibility without being detected. For example, the initiation of an event is separated from its authorisation. The following points are considered:

• It is important to segregate activities that require collusion in order to defraud, for example, the initiation and authorisation of an event
• If there is danger of collusion, then controls need to be devised so that 2 or more individuals need to be involved, thereby lowering the possibility of conspiracy

Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision are considered.

Business need-to-know should be considered in conjunction with separation of duties to ensure that one does not override the other. Risk management and change management processes should include the discussion of separation of duties as well as business 'need to know'.

No individual may approve his or her own changes. No individual should have unchecked control over an entire business transaction, infrastructure area, or environment.

Job roles and responsibilities should be reviewed to ensure there are no contradictions of responsibilities in this area.

Reporting, logging and monitoring

Monitoring system access and use

Systems will be monitored to detect deviation from the Access Control Policy and record events to provide evidence in case of security incidents.

The application business owner must establish the logging and monitoring requirements for business auditing purposes. Designated employees responsible for the following areas must establish the logging and monitoring requirements for the relevant purposes:

• Security
• Incident investigations
• Audit
• Fraud
• Legal

A process for capturing logging and monitoring requirements must be developed. Audit and event logs will need to be adequately secured, possibly centrally and separately from privileged-level employees (separation of duties). Tools may be required for log analysis.

Clock synchronisation

Council devices are synchronised to an approved standard, for example, PSN time servers.

Reporting security weaknesses

It is vitally important that security events are reported. All security weaknesses must be reported immediately to the DS Service Desk, who in turn will inform the Information Security Officer of associated risks, corrective or preventative actions.

Users should not, in any circumstances, attempt to prove a suspected weakness.

Reporting of software malfunction

Users of information processing services are required to note and report any software that appears not to be functioning correctly to the DS Service Desk.

If it is suspected that the malfunction is due to a malicious piece of software (for example, computer virus) the user is asked to:

• note the symptoms and any messages appearing on the screen
• stop using the equipment (isolate it if possible) and inform the service desk immediately. If any investigations are to be performed on the equipment, it is disconnected from the network before being re-powered.

Users are informed that they should not, under any circumstances, attempt to remove the suspected software. Only trained and authorised employees may undertake recovery action.

Separation of development, test and operational facilities

Digital Services will ensure that development, test and operational systems are segregated (run on different processors or domains) in order to prevent unauthorised access, modification or misuse of information or services.

For each information or service, the need for separating development, production, test and operational facilities is determined through risk assessment.

The following levels of separation are considered and implemented, as appropriate, to mitigate any of the risks:

• Development and production software should, where possible, be run on different processors or in different domains or directories
• Development and test work are separated as far as possible
• Access to compilers, editors and other system utilities are separated from operational systems when not required
• Different logon procedures are used for production and testing systems, to reduce the risk of confusion or error. Users are encouraged to use different passwords for these systems, and menus should display appropriate identification messages.
• Development staff should only have access to operational passwords where controls are in place for issuing passwords for the support of operational systems. Controls should ensure that such passwords are changed after use.
• Live data that contains personal information must not be used for testing without being depersonalised before installation in line with ICO requirements. All use of live data must be authorised by the information owner. Live personal data may not be used in training environments.

All domains/environments must be appropriately protected. Additional technology, both hardware and software, will be required to duplicate the development environment.

System planning and acceptance

Capacity management

The hard drive capacity of the council’s file servers will periodically be monitored by system administrators.

If free space on the file server hard driver becomes less than or equal to 20% of total capacity, users are requested to remove redundant files. If this is not possible, extra hard disk space should be installed.

Projections of future requirements should be made to prevent any bottlenecks and dependencies on the services by the council or third-party organisations.

System acceptance

Acceptance criteria for new systems and system upgrades are to be established by the system owner and appropriate officers and suitable tests carried out prior to acceptance. This must include appropriate testing of security mechanisms. This will ensure that requirements for new systems are clearly defined, documented and tested.

The Information Governance and Security Teams must ensure the evaluation and Risk Assessment has been applied. Digital Services must ensure the correct management of system network provisioning, and hard and software deployment.

Adequate capacity and fallback planning must be carried out to ensure the availability of council resources.

Before installation, the system/upgrade must be appropriately tested to ensure no conflicts or vulnerabilities are introduced to the current council network.

All new systems/upgrades are to be controlled by the Change Control process. No systems/upgrades are to be implemented without due approval.

For major new developments, the operations function is consulted at all stages in the development process to ensure the operational efficiency of the proposed system design. Appropriate tests are carried out to confirm that all acceptance criteria are fully satisfied.

Protection from malicious software and mobile code

Protection from malicious software

Digital Services will deploy appropriate controls to mitigate the risks of viruses and malicious software. A process to update the controls must be in place.

Council file servers, PCs and laptops will have antivirus software installed. The software is to be configured to scan all files for viruses. The software should automatically check for updates on a daily basis.

The system administrator will confirm and document that the latest updated has been installed.

Employees must be educated on the use of these controls and made aware of the types of malicious code and the threats that they impose.

Mobile code

Mobile code is used on the Internet to run animation effects. Examples are ‘Active X’ or ‘Flash Media’. If it installs on council PCs it can cause damage to the network.

Mobile code must be authorised by the Information Security Officer and kept isolated from any production environment. The use of such code must be restricted to authorised staff only.

Where mobile code is authorised, the configuration should ensure that the authorised mobile code operates according to a clearly defined security policy. Unauthorised mobile code should be prevented from executing.

Vulnerability management

All exploitable vulnerabilities must be managed. Digital Services will ensure it has defined processes to identify vulnerabilities, prioritising and mitigating all found. This will include specific patch application periods and a process for auditing compliance.

At minimum, this will include patching vulnerabilities being actively exploited immediately, critical vulnerabilities within 14 days, high vulnerabilities within 30 days and others within 60 days.

Regular network scanning of all devices for vulnerabilities must be carried out, at minimum a full network scan every 60 days.

Information back-up

Digital Services will ensure that adequate back up facilities of the council’s internal systems are provided to ensure that all essential business information and software can be recovered following a computer disaster or media failure:

• A minimum level of back up information (together with accurate and complete records of the backup copies and documented restoration procedures) is stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site. At least 3 generations of cycles of back up are retained for important business applications.
• Back-up copies of essential business data, software and log files are to be taken at a frequency determined by the business owner, auditors and Information Security Officer as appropriate. Back-up arrangements are to meet the requirements of business continuity plans.
• Back-up data is given an appropriate level of physical and environmental protection, consistent with the standards applied to the main site. Back-up data is to be regularly tested to ensure its viability for recovery when required.
• Back up information systems are regularly tested to ensure that they can be relied upon for emergency use when necessary
• Restoration procedures are regularly checked and tested to ensure they are effective and can be completed within the time allotted in the operational procedures for recovery

Access control

Access to information and business processes will be controlled on the basis of business and security requirements.

An access management process for every system/database must be created, documented, approved, enforced and communicated to all relevant employees and partner organisations.

Each business application run by, or on behalf of the council, will have a nominated system administrator who is responsible for managing and controlling access to the application and associated information.

Access to information must be based on 'need to know' and segregation of duties. The appropriate information, system, database, or application owner is the only individual that can authorise a systems administrator to grant or update access via the formal access management process.

Audit must monitor the process to ensure that access control is appropriately implemented according to ‘business need to know’ and ‘segregation of duty’ principles.

Special attention is given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

Access control requirements are clearly defined, documented and maintained within an Access Policy Matrix, which specifies the rights of individuals or groups of users. The council has adopted common Windows-based operating systems, and predefined user profiles will be maintained to restrict access. This policy matrix will be reviewed and approved by the data owner and occasionally reviewed by the Security Working Group to ensure consistency.

For further information see the council’s Access Control Policy Unattended User Equipment.

Screen savers or equivalent tools must be installed and enabled as part of a Standard Operating Environment (SOE).

All network equipment (including WAN service termination equipment, routers, hubs, cabling patch panels) will be kept in appropriate locked facilities. All network equipment outside computer rooms must be kept securely. Staff must ensure that doors are secured when they are left unattended. All equipment keys must be limited to staff who need them to carry out their duties. If any key is lost or mislaid, or any door found unlocked, then this must be reported immediately to the Digital Services Security Team.

All servers must be kept physically secure in an area for authorised individuals only. A process of allocating and monitoring access to server rooms must be implemented.

For further information for employees, see the council’s Acceptable Use Policy.

Controls on data in transit

Information will need to be classified in terms of sensitivity and confidentiality. Information must be protected according to its classification and the minimum classification of the network it traverses.

For further information see the council’s Information Classification and Handling Policy.

New and obsolete devices

The infrastructure environment must be closely controlled and documented to minimise the introduction of unknown vulnerabilities.

The connection of new devices to council or partner connected infrastructure that might impact on the delivery of services must be requested via the formal change request process and submitted for approval to the appropriate officer. Upon approval relevant documentation must be updated and submitted to the designated officer.

Similarly, disconnection of obsolete devices that might impact on the delivery of services must be requested via the formal change request process and submitted for approval to the appropriate officer.

A configuration management process must be implemented and enforced.

Detecting unauthorised changes

The IT environment must be monitored to minimise the introduction of unknown vulnerabilities.

The designated officer will ensure that any new unauthorised device added to the network or device removed from the network without authorisation will be detected, logged and the appropriate action taken. A configuration management process must be established.

Information handling

Media handling and security

In order to prevent damage to assets and interruption to business activities, appropriate operating procedures will be established to protect information, documents, computer media, input/output data and system documentation.

Appropriate controls need to be established for media handling and security.

Hard drives that contain ‘highly restricted’ information that are reused or require replacement are securely erased or physically destroyed. If using the services of a third party for the management of media, a certificate is obtained as proof of destruction.

Software to securely erase hard drives will be considered and where possible configured to overwrite the media at least seven times.

A record is maintained of all removable media, for example, back up tapes, to prevent any opportunity for loss or theft.

Exchanges of information and software

Exchanges of information and software between organisations will be controlled and compliant with relevant legislation, information sharing protocol(s), and handling requirements detailed in the appropriate risk assessment.

Security of system documentation

Manuals, configuration details and network drawings are to be stored securely. Access to this documentation is only permissible by authorised employees. Copies of system documentation are stored off site. Access is limited to employees who are system administrators (staff with administrator privileges and the DS Security Manager).

Mobile computing and teleworking

When using mobile computing or teleworking the risks of working in an unprotected environment are to be considered and appropriate protection applied.

Managers must be satisfied that an alternative work site (such as a home office) is appropriate for the tasks that are to be performed by the involved employee’s member.

Supporting material:

• Acceptable Use Policy
• Bring Your Own Device Policy
• Information Classification and Handling Policy

Network access control

Access to both internal and external networked services should be controlled to ensure that employees who have access to networks and network services do not compromise the security of these network services.

It must be ensured that:

• There should be appropriate interfaces between the council’s network and networks owned by other organisations or public networks
• All users and equipment on the network are authorised, uniquely identified and authenticated
• User access to information services is monitored

Enforced path to limit routing capabilities will need to be considered.

Policy on use of network services

Digital Services will undertake the following activities to control the use of its network.

• A risk assessment is undertaken for all connections to and from council networks, which is reviewed by the Information Security Officer to ensure the process followed is adequate and comprehensive
• All connections to external networks must pass through a firewall or other appropriate network security device approved by Corporate DS
• Modems and other external network connections, for example, VPNs may not be connected directly to the council network unless requested by the Head of Service and approved by the Information Security Manager
• Modems with auto answer are not permitted
• Council employees will be granted access rights to external networks only where there is a clear business requirement
• Access to external networks and systems must be authorised by a manager and used for business purposes only
• Access rights are revoked when access is no longer required
• The relevant system administrator or data owner will maintain a list of all access rules (Access Control Matrix) that will be approved by the senior management team
• Only authorised DS staff will be allowed to access diagnostic and configuration ports within the council. All diagnostic ports not required are disabled.
• The council will separate access to its network in accordance with the Access Policy Matrix
• Access control requirements are clearly defined and documented within the council’s Access Policy matrix, which specifies the rights of individuals or groups of users to the council’s network
• The council should ensure that appropriate routing controls are implemented in accordance with the Access Policy matrix and are based on source and destination address

User authentication for external connections

Remote access rights to council systems are generally granted except where data processed is under third party agreements that forbid such access. Access for third parties is covered by the Third-Party Access Policy.

• All remote access to council systems is authenticated by user account/password and where needed a second authentication factor
• Access is subject to the same logical access controls as normal system access
• All communication will be encrypted

Equipment identification in networks

Automatic equipment identification is used as a means to authenticate connections from specific locations and equipment. All equipment will be identified using appropriate methods and validated for compliance with policy before connection is permitted.

Operating system access and control

Security facilities at the operating system level will be used to restrict access to computer resources. These facilities are to be capable of the following:

• Identifying and verifying the identity, and if necessary, the terminal or location of employees
• Recording successful and failed system accesses
• Providing appropriate means for authentication - if a password management system is used, it should ensure quality passwords
• Where appropriate, restricting the connection times of employees

Automatic terminal identification to authenticate connection to specific locations may be required. Terminal logon procedures must be implemented. Use of system utilities may need to be restricted and tightly controlled.

Security in applications and access control

Logical access to software and information should be restricted to authorised employees.

When designing an application system, security requirements, including appropriate controls and audit trails or activity logs, must be considered from the beginning of the project. The security requirements must balance the cost of implementation and the associate risks to the business.

Applications will:

• control user access to information and application system functions
• provide protection from unauthorised access
• not compromise the security of other systems with which information resources are shared
• be able to provide access to information only to the owner, other nominated authorised individuals, or defined groups of employees

Systems development and maintenance policy

Security is an integral component of any systems acquisition, development and maintenance and applies to all aspects of systems development and maintenance whether performed directly by or on behalf of the council.

The method for articulating security requirements is to be based on the 3 security core principles that guide the information security area:

• Confidentiality: preserve the access control and disclosure restrictions on information. Guarantee that no one will break the rules of personal privacy and proprietary information.
• Integrity: avoid the improper (unauthorised) information modification or destruction
• Availability: the information must be available to access and use all the time and with reliable access

The agreed requirements will be used as input to the design and implementation of the service and any subsequent accreditation.

Security requirements of systems

Security requirements should be identified and agreed prior to the development of information systems and aligned to the perceived threats and the value of the assets.

The UK Minimum UK Cyber Security Standard requirements will be used as the basis for security architecture, NCSC (National Cyber Security Centre) will apply to areas not covered by this standard.

All security requirements, including the need for back-up arrangements, will be identified at the requirements phase of a project and justified, agreed and documented as part of the overall business case for an information system.

Considering security requirements from the beginning of a project minimises costs since rework can be avoided as well as non-safe projects.

A process must be in place for reviewing the information security risk in all development projects.

The Information Security Manager must be aware of all DS projects and their information security implications in order to provide recommendations and approval. It is the project manager's responsibility to obtain the Information Security Officer’s approval prior to commencing each project phase such as proposal, design, release to production and maintenance.

Additional time and resources will be required in the project to incorporate information security risk assessment. Information security must be part of the formal application development methodology.

The Information Governance Board must establish the standard whereby adherence with the Information Security Policy Set is incorporated into DS projects.

Approving information security in projects

Information security requirements in terms of confidentiality, integrity and availability must be considered during the proposal, design, and release to production and maintenance phases for all projects, including acquisition of third-party software. The project manager must obtain approval for each phase from the Information Security Officer.

The Data Protection Officer must by law be involved in all new or changed uses of information.

Cryptographic controls

Cryptographic systems and techniques will be used for the protection of information that is considered at risk and for which other controls do not provide adequate protection.

When evaluating the need for encryption, costs must be measured against the business risk. Particular attention should be paid to information held on portable devices.

Security of system files

Access to system files should be controlled to ensure that DS projects and support activities are conducted in a secure manner.

There must be controls for the implementation of operational software.

Controls may need to be applied around system test data. Access to confidential or restricted data stored in a shared system file must be commensurate with the classification of that data.

Security in development and support processes

Inadequate control of changes to information processing facilities and systems is a common cause of system or security failures. Lack of management and procedures to control changes to equipment, software or procedures can compromise operations.

Development and support environments will be strictly controlled to maintain the security of applications, system software and information.

Change management and configuration management processes must be defined that include procedures and responsibilities for aborting or recovering from unsuccessful changes.

Change control procedures

The formal change management process is to be followed for all operational changes to systems, equipment, software, standards, configuration or Processes/Procedures.

Reporting, logging and monitoring

Audit logging

Within each information system, appropriate audit logging must be implemented. The application business owner must establish the logging and monitoring requirements. Auditing should be configured to be operational at all times and sufficient information recorded to enable a thorough review of any suspected incident to be completed. The following events may be considered for audit as appropriate:

• User IDs
• Dates, times and details of key events, for example, log-on and log off
• Terminal identity or location if possible
• Records of successful and rejected system access attempts
• Records of successful and rejected data and other resource access attempts
• Changes to system configuration
• Use of privileges
• Use of system utilities and applications
• Files accessed and the kind of access
• Network addresses and protocols
• Alarms raised by the access control system
• Activation and deactivation of protection systems, such as antivirus systems and intrusion detection systems

Monitoring system use

The system administrator is responsible for monitoring access periodically or if a security breach has been detected or is suspected. Access to events logs will be restricted to security administrators. Events logs will monitor all system events, long on and log times, and include:

• authorised access:
  • user ID
  • date and time of event
• privileged operations:
  • user of Administrator
  • root accounts
  • system start up and stop
  • all changes to privileges and user rights
• unauthorised access:
  • Unauthorised attempts to access information and information systems
  • Unauthorised attempts to system commands

For each audited event, the Audit Log Record will contain at least the following:

• Date, time and nature of event
• User, process or PC ID (the user ID and the physical identifier of the PC involved will be used to assist in the investigation of any specific security related incident)
• Success or failure of the event
• Identity of the object being accessed (for example, sufficient information is recorded to uniquely identify which database records are affected)

System access controls must be set to ensure that only the DS support staff have read access to audit logs and only system administrators have delete/archive access to audit information.

Administrator and operator logs

System administrator and computer operators should maintain a log of all work carried out. Operator logs should include, as appropriate:

• Systems start and finish
• System errors and corrective action taken
• Confirmation of the corrective action taken
• The name of the person making the log entry

Operator logs are subject to regular, independent checks against operating procedures. All audit logs in support of the information security quality management should be retained for a minimum of 6 months.

Fault logging

Faults are reported to the system administrator and logged via the Service/Help Desk (even if subsequently dealing with the supplier directly). The system administrator is responsible for:

• reviewing fault logs to ensure that faults have been satisfactorily resolved
• reviewing corrective measures to ensure that security controls have not been compromised and that the action taken is fully authorised and appropriate

Environmental monitoring

Information processing facilities environments are monitored where necessary. Temperature, humidity and power supply quality is monitored where necessary to identify conditions that might adversely affect the correct operation of information processing equipment. These procedures are carried out in accordance with the manufacturers’ recommendations.

Refer to the Physical and Environmental Security Policy.

Compliance

The council expects that all employees will achieve compliance to with this policy. This policy will be included within the internal audit information security programme, and compliance checks will take place to review the effectiveness of its implementation.

Exceptions

In the following exceptional cases compliance with some parts of the policy may be relaxed. The parts that may be relaxed will depend on the particular circumstances of the incident in question:

• If complying with the policy would lead to physical harm or injury to a member of staff
• If complying with the policy would cause significant damage to the company’s reputation or ability to operate
• If an emergency arises

In such cases, the staff member concerned must take the following action:

• Ensure that their manager is aware of the situation and the action to be taken
• Ensure that the situation and the actions taken are recorded in as much detail as possible on a non-conformance report
• Ensure that the situation is reported to the Information Security Officer as soon as possible

Failure to take these steps may result in disciplinary action.

In addition, the Information security officer maintains a list of known exceptions and non-conformities to the policy. This list contains:

• known breaches that are in the process of being rectified
• minor breaches that are not considered to be worth rectifying
• any situations to which the policy is not considered applicable

The council will not take disciplinary action in relation to known, authorised exceptions to the information security management system.

Penalties

Non-compliance is defined as any one or more of the following:

• Any breach of policy statements or controls listed in this policy
• Unauthorised disclosure or viewing of confidential data or information belonging to the council or partner organisation
• Unauthorised changes to information, software or operating systems
• The use of hardware, software, communication networks and equipment, data or information for illicit purposes which may include violations of any law, regulation or reporting requirements of any law enforcement agency or government body
• The exposure of the council or partner organisation to actual or potential monetary loss through any compromise of security
• Any person who knows of or suspects a breach of this policy must report the facts immediately to the Information security officer or senior management

Any violation or non-compliance with this policy may be treated as serious misconduct.

Penalties may include termination of employment or contractual arrangements, civil or criminal prosecution.

Policy details

Author - Information Governance Manager
Owner - Information and Data Governance Board
Version - 4.9
Reviewer - Information and Data Governance Board
Classification - Official
Issue status - Final
Date of first issue - 16.01.2008
Date of latest re-issue - 30.05.2023
Date approved by IGB - 19.05.2023
Date of next review - 30.04.2024