Introduction
Information is a valuable asset and is essential for a local authority to carry out its legal and statutory functions. Much of the information Enfield Council processes is about individuals. It can be highly confidential and very personal, and the council therefore has a legal duty to take care of it. This document addresses why the council needs to secure the information it processes, identifies the security measures required and provides guidance to users of council information.
What is information?
Information can be in a number of forms:
- Spoken in conversations (including telephone)
- Printed out and/or written on paper
- Sent by fax
- Sent via email
- Sent via text message (SMS) or instant message (IM)
- Stored on computers
- Transmitted across networks
- Stored on media (for example, tapes, disks, CDs, film, microfiche)
- Stored in databases
- As part of presentations
- Any other method used to convey information and knowledge
What is the security approach?
The most effective way of providing information security is a structured approach that applies the appropriate controls to specific areas rather than general controls to all areas. The key standards in this area are the ISO/IEC 27000 series. These standards provide a comprehensive set of security controls that reflect the best information security practices in current use. Their objective is to give organisations a common basis for providing information security and to enable information to be shared between organisations.
Scope
This Software Acceptable Usage Policy (SAUP) applies to all Enfield Council’s systems and is effective from the date of issue of this document. The policy, rules and conditions apply to all Enfield Council Members, employees, contractors, consultants, agency staff, independent contractors and other users of Enfield Council information systems irrespective of the platforms used or where they are located.
Software acceptable usage policy
Enfield Council is committed to the use of authorised software within its computer systems. Users are expressly forbidden to load or operate software obtained from the Internet, magazines or any other source. The council is also committed to using only software for which it holds current licences.
Where software is developed and/or modified in-house under a licence agreement, it should contain only the functionality specified in the requirement and must not contain functions with fraudulent or mischievous intent (such functions are generally referred to as malware).
It is the responsibility of all users to ensure that they do not introduce viruses or other malware into computer systems. Users should take care when receiving electronic information from unknown sources, including attachments within email. Where there is a genuine need to access information from a questionable source, active virus checking must be performed first, preferably on a standalone computer or isolated test server that has no communication links to other systems.
The following provisions, which apply to the use of all computers, govern all users:
- Only software purchased by Enfield Council through Digital Services (DS) may reside on Enfield Council computer equipment
- Digital Services will purchase licences for all products used by Enfield Council and will control the allocation of licences, both for products distributed as single media items and for multiple instances of one distribution
- Only software approved by Digital Services may reside on Enfield Council computer equipment and/or telecoms equipment, including smart phones and smart devices
- Only DS authorised technical staff may install or remove software on Enfield Council computer equipment
- Software includes source code, object code and intermediate code, and covers firmware as well as application software
- Downloading of 'shareware' and/or 'freeware' is prohibited, irrespective of whether a licence is needed, unless Digital Services has approved the product to be downloaded and installed
- The installation of personal software including screen savers is prohibited
- Upgrades to software products will be treated as new products
- All software media are to be held and securely stored by Digital Services
- Digital Services may copy software media only where legally permitted to do so and where approved by the DS Security Team, in accordance with copyright law and the terms and conditions of the relevant software licence. Software media may not be copied under any other circumstances.
- Licences used for corporate applications or desktop software are owned by Enfield Council, not by the service departments or individual members of staff for whom the initial purchase was intended
- Where an application has not been used for any rolling 2-month period, including by staff on long-term or maternity leave, DS reserves the right to remove the installation from the desktop device; the licence will be recycled and held by DS for reallocation on request by the business
- Egress licence holders will be reviewed every 4 months; if the licence has not been used, DS will remove it from the device and reallocate it on request
- No installation of applications shall be carried out unless sufficient licences exist, regardless of whether licences have previously been procured
Enforcement monitoring
Monitoring of this standard is the responsibility of all managers as part of their management role. Internal and External Audit may undertake reviews on a planned and ad-hoc basis as part of the audit process. The DS Security Team will conduct quality reviews on a cyclical basis as part of their security role.
Penalties for non-compliance
The council has an established staff Disciplinary Code of Conduct. Any breach of policies contained within this document will be dealt with in accordance with those procedures.
Enforcement
A violation of the standards, procedures or guidelines established in support of this policy will be brought to the attention of the DS Security Team for investigation. The DS Security Team enforces this policy through continuous monitoring using software tools. Business Unit Management, Human Resources, Internal Audit and External Audit will be notified when it is considered that a breach has taken place.
It is the responsibility of all users (as defined within the Scope of this document) to ensure compliance with the policy. Failure to adhere to the policy may also constitute a breach of Financial Regulations, Standing Orders and/or current legislation.
In the event of a breach by a council employee, IT facilities may be suspended or removed and disciplinary action taken in accordance with the Disciplinary Code of Conduct. A breach of the Software AUP may be considered a gross misconduct offence and lead to a penalty up to and including dismissal. Action against non-Enfield employees may result in removal or suspension of IT facilities, removal from site, cancellation of any contracts and possible legal action.
Exceptions to the software acceptable usage policy
The council expects all users to achieve compliance with the directives presented within this policy. In the following exceptional cases, compliance with the council’s Information Security policies may be relaxed. The parts that may be relaxed will depend on the particular circumstances of the incident in question. These exceptional circumstances are outlined below:
- If complying with the policy would lead to physical harm and/or injury to a member of staff or other third party (for example, contractor)
- If complying with the policy would cause significant damage to the council’s reputation and/or ability to operate
- If an emergency arises and a user has no alternative other than to breach council policy to assist with the emergency
In such cases, the council employee or third party (for example, contractor) concerned must take the following action:
- Ensure that a Business Unit Manager is made aware of the situation and the action to be taken
- Ensure the situation and the actions taken are recorded in as much detail as possible
- Ensure the situation is reported to the DS Security Team as soon as possible
(Failure to take these steps may result in disciplinary action).
The DS Security Team will maintain a list of known exceptions and non-conformities to the Information Security Policies. This list will contain:
- known breaches that are in the process of being rectified
- minor breaches that are not considered to be worth rectifying
- any situations to which the Information Security Policies are not considered applicable
The council will not take disciplinary action in relation to known, authorised exceptions to the Information Security Policies.
Non-compliance
Non-compliance is defined as any one or more of the following:
- A breach of the council’s Information Security Policies, standards or controls
- Unauthorised disclosure or viewing of confidential information belonging to the council
- Unauthorised modification of information, software or operating systems
- The use of hardware, software, communication networks, equipment, data or information for illicit purposes, which may include violations of law, regulation or the reporting requirements of any enforcement agency or government body
- The exposure of the council to adverse publicity or to actual or potential monetary loss through any compromise of security
Any person who knows of, or suspects, a breach of the council’s Information Security Policies must report the facts immediately to the DS Security Team or Senior Management; failure to do so will itself be treated as non-compliance with the Information Security Policy.
Violation of, or non-compliance with, the council’s Information Security Policy may be treated as gross misconduct. Penalties may include:
- suspension of system access rights
- action in accordance with the council Disciplinary Code of Conduct
- termination of employment or contractual arrangements, and civil or criminal prosecution
Policy details
Author – Information Governance Manager
Owner – Information and Data Governance Board
Version – 1.7
Reviewer – Information and Data Governance Board
Classification – Official – Public
Issue status – Final
Date of first issue – 21.10.2017
Date of latest re-issue – 30.05.2024
Date approved by IGB – 19.05.2024
Date of next review – 30.04.2025