ICT User Access Security Standard Operating Procedure

Transcription

1 ICT User Access Security Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not be utilised as guidance or instruction by any police officer or employee as it may have been redacted due to legal exemptions Owning Department: Version Number: ICT Department 3.00 (Publication Scheme) Date Published: 25/05/2018 (Publication Scheme)

2 Compliance Record Equality and Human Rights Impact Assessment (EqHRIA): Date Completed / Reviewed: Information Management Compliant: Health and Safety Compliant: Publication Scheme Compliant: 01/11/2017 Yes Yes Yes Version Control Table Version History of Amendments Approval Date 1.00 Initial Approved Version 23/03/ Periodic Review. Transferred to corporate template with new Police Scotland logo. Formatting standards 13/11/2017 in line Police Scotland record set 3.00 Updated to reflect changes in data protection legislation 25/05/2018 (Publication Scheme) 2

3 Contents 1. Purpose 2. Overview 3. Processes Appendices Appendix A List of Associated Legislation Appendix B List of Associated Reference Documents Appendix C Glossary of Terms Appendix D C Division Appendix E V Division Appendix F P Division Appendix G A Division Appendix H E and J Division Appendix I N Division Appendix J G. U, Q, L and K Division Appendix K D Division (Publication Scheme) 3

4 1. Purpose 1.1 This Standard Operating Procedure (SOP) supports the Scottish Police Authority (SPA) / Police Service of Scotland, hereafter referred to as Police Scotland policy for Information Security. 1.2 This SOP provides information on the control of user access to Police Scotland/SPA Information and Communication Technology (ICT) Systems and Data detailing the steps that need to be taken to ensure that individual staff identities are provided to ensure that the individual can complete tasks associated to their respective roles. 1.3 This SOP should be used in conjunction with the Police Scotland Information Security Policy and SOP s for: ICT Acceptable Use of Computer Systems SOP IT Security SOP 2. Overview 2.1 All system logins for each system allow a user to perform specific tasks. A unique login ensures that the authorised and named individual has the correct level of access, allowing them to perform their designated role(s). It also improves the auditing capability. 2.2 Across Scotland, there are regional differences in the way user access is managed. These differences are detailed in the geographical appendices at the rear of this SOP. 3. Processes 3.1 Individuals will be issued unique logins that provide them with the necessary access specific to their job roles, and no more. It is essential that:- Each user has a unique set of credentials which affords them access to the systems and data for which they are authorised; Each user login is accompanied by an additional method of authentication; Each Individuals personal login details are secure; Each user has only the access to the systems required to carry out their role; Generic logins are not used, except in specific circumstances and are subject to risk assessment and audit controls; (Publication Scheme) 4

5 Users leaving the organisation have access disabled on the last official day of service and both user account and profile deleted after six months. Users whom it has been determined should have their system access restricted, will have it restricted as soon as reasonably practicable and in any event within two working days (outwith weekends). An expedited Systems Restriction and Audit Process is available should an operational requirement exist. 3.2 User Access Control All new user requests or changes in access to ICT systems are requested by the line manager, People and Development, Business Management Units, or Mail Administrators, dependent upon local structures. This will include staff belonging to Police Scotland, the Scottish Police Authority (SPA), temporary and contracted staff The request will be submitted via IT Connect and actioned within the Service Level Agreement (SLA) of five working days For systems where ICT retain administration responsibility, ICT will complete the user set up or change of details and provide user account details to a named individual or People and Development. Where this function is delegated to other Business Units, they will have responsibility for user maintenance When first created, the username is accompanied by a password giving an additional method of authentication, which must conform to the complexity requirements as outlined in the ICT Password Policy. At first login, the individual must change their password, and ensures from that point that their login details are known only to them Completed ICT account set up forms are held either within People and Development, or the ICT Department electronically on IT Connect Regional processes are summarised in the tables provided in the Geographic Appendices ( D - K). 3.3 Removal of User Access Removal or temporary suspension of user access will apply to all members of Police Scotland, SPA, temporary staff and contractors Access will be removed on the last official day of service with the Organisation following resignation, retirement, dismissal or death Access will be also be removed or suspended in cases of long term absence, such as, but not limited to: Maternity or paternity leave; (Publication Scheme) 5

6 Career break; Secondment outwith SPA or Police Scotland; Long term sickness or absence which is likely to exceed 12 weeks; Any other break which may be greater than 12 weeks; Suspension from duty or placed on restricted duties Suspension of access on instruction from ACU, PSD, People and Development, Line Manager or the Business Management Unit will be provided to ICT to remove access; this is managed via IT Connect. (People and Development access IT Connect via HR Connect portal) People and Development will be notified immediately if the reason for withdrawal relates to suspension from duties. If this is the case, the account will be disabled / suspended (disabled is the term that is used within ICT, however, this relates to the suspension of an account) Account access is restricted/disabled as soon as reasonably practicable and in any event within two working days (outwith weekends). Notwithstanding, every attempt is made to complete this request within 24 hours, Monday through Friday as local arrangements allow. An expedited process is available through the National Service Desk should an operational requirement exist In the case of a suspended officer, system access will only be reinstated with prior agreement of ACU or PSD as per the ICT Systems Restrictions and Audit Process. (Publication Scheme) 6

7 Appendix A List of Associated Legislation Computer Misuse Act 1990 Public Records (Scotland) Act 2011 Data Protection Act 2018 The Official Secrets Act 1911 and 1989 (Publication Scheme) 7

8 Appendix B List of Associated Reference Documents Policy Information Security Policy ICT Password Policy Standard Operating Procedures ICT Acceptable Use of Computer Systems SOP IT Security SOP Process ICT Systems Restrictions and Audit Process (Internal Document) (Publication Scheme) 8

9 Glossary of Terms Appendix C ACU Anti-Corruption Unit PSD Professional Standards Department ICT SLA Information and Communication Technology Service Level Agreement SOP Standard Operating Procedure SPA Scottish Police Authority DCC Deputy Chief Constable Designate LTD Leadership Training and Development (Publication Scheme) 9

10 C Division Appendix D New Users / Creation New user request submitted by Area that the new User request is New user details provided to Leavers / Deletion User access removal request submitted by Area that the user removal request Are accounts disabled or deleted Time period for account to be disabled If disabled, after what time period are the accounts deleted? Further Information Access forms for the above are controlled by: Long term absence - including sickness, maternity, paternity, career break Action taken on the account of an employee who is suspended People and Development and ICT Trainers IT Connect via a pre-approved Service Request People and Development People and Development HR Connect Disabled on last official day of service As soon as reasonably practicable and in any event within two working days (outwith weekends) Six months after official leaving date Business Unit / Mail Administrators Account will be disabled on request Account will be disabled based upon request from Professional Standards Department or Anti-Corruption Unit (ACU) (Publication Scheme) 10

11 Appendix E V Division New Users / Creation New user request submitted by Area that the new user request is New user details provided to Leavers / Deletion User access removal request submitted by Area that the user removal request Are accounts disabled or deleted Time period for account to be disabled / deleted If disabled, after what time period are the accounts deleted? Further Information Access forms for the above are controlled by: Long term absence - including sickness, maternity, paternity, career break Action taken on the account of an employee who is suspended Business Management Unit/Mail Administrators/LTD Administration Operations West Postmaster IT Connect User account maintenance Operations West Postmaster Requestor will have user name and supplied standard password Business Management/LTD will submit suspension of Special Constables Operations West Postmaster HR Connect Operations West Postmaster Disabled on last official day of service As soon as reasonably practicable and in any event within two working days (outwith weekends) Six months after official leaving date Business Management Account will be disabled on request Account will be disabled based upon request from Professional Standards Department or Anti-Corruption Unit (ACU) (Publication Scheme) 11

12 Appendix F P Division New Users / Creation New user request submitted by Area that the new user request is New user details provided to Leavers / Deletion User access removal request submitted by Area that the user removal request Are accounts disabled or deleted Time period for account to be disabled If disabled, after what time period are the accounts deleted? Further Information Access forms for the above are controlled by: Long term absence - including sickness, maternity, paternity, career break Action taken on the account of an employee who is suspended People and Development HR Connect User access maintenance Direct to User People and Development HR Connect Disabled on last official day of service As soon as reasonably practicable and in any event within two working days (outwith weekends) Six months after official leaving date Account will be disabled on request Account will be disabled based upon request from Professional Standards Department or Anti-Corruption Unit (ACU) (Publication Scheme) 12

13 Appendix G A Division New Users / Creation New user request submitted by Area that the new user request is New user details provided to Leavers / Deletion User access removal request submitted by Area that the user removal request Are accounts disabled or deleted Time period for account to be disabled If disabled, after what time period are the accounts deleted? Further Information Access forms for the above are controlled by: Long term absence - including sickness, maternity, paternity, career break Action taken on the account of an employee who is suspended People and Development ICT Service Desk IT Connect ICT Operations and Support Requestor Staff User s line manager ICT Service Desk HR Connect ICT Operations and Support Disabled on last official day of service As soon as reasonably practicable and in any event within two working days (outwith weekends) Six months after official leaving date N/A Account will be disabled on request Account will be disabled based upon request from Professional Standards Department or Anti-Corruption Unit (ACU) (Publication Scheme) 13

14 Appendix H E and J Divisions New Users / Creation New user request submitted by Area that the new user request is New user details provided to Leavers / Deletion User access removal request submitted by Area that the user removal request Are accounts disabled or deleted Time period for account to be disabled If disabled, after what time period are the accounts deleted? Further Information Access forms for the above are controlled by: Long term absence - including sickness, maternity, paternity, career break Action taken on the account of an employee who is suspended People and Development Edinburgh Postmaster IT Connect User account maintenance Edinburgh Postmaster New user or Line Manager People and Development Edinburgh Postmaster HR Connect Edinburgh Postmaster Disabled on last official day of service As soon as reasonably practicable and in any event within two working days (outwith weekends) Six months after official leaving date People and Development / Force Business Managers request access / removal Account will be disabled on request Account will be disabled based upon request from Professional Standards Department or Anti-Corruption Unit (ACU) (Publication Scheme) 14

15 Appendix I N Division New Users / Creation New user request submitted by Area that the new user request is New user details provided to Leavers / Deletion User access removal request submitted by Area that the user removal request Are accounts disabled or deleted Time period for account to be disabled If disabled, after what time period are the accounts deleted? Further Information Access forms for the above are controlled by: Long term absence - including sickness, maternity, paternity, career break Action taken on the account of an employee who is suspended People and Development HR Connect via a user account maintenance or pre-approved Service Request Business Management Unit (BMU) Business Management Unit HR Connect Disabled on last official day of service As soon as reasonably practicable and in any event within two working days (outwith weekends) Six months after official leaving date Business Management Unit Account will be disabled on request Account will be disabled based upon request from Professional Standards Department or Anti-Corruption Unit (ACU) (Publication Scheme) 15

16 Appendix J G, U, Q, L and K Divisions New Users / Creation New user request submitted by Area that the new user request is New user details provided to Leavers / Deletion User access removal request submitted by Area that the user removal request Are accounts disabled or deleted Time period for account to be disabled If disabled, after what time period are the accounts deleted? Further Information Access forms for the above are controlled by: Long term absence - including sickness, maternity, paternity, career break Action taken on the account of an employee who is suspended Business Management Unit/Mail Administrators Operations West Postmaster IT Connect User Account Maintenance Operations West Postmaster Requestor will have user name and supplied standard password Business Management Unit This is HR. HR will submit ICT requirements via User Access process HR Connect Operations West Postmaster Disabled on last official day of service As soon as reasonably practicable and in any event within two working days (outwith weekends) Six months after official leaving date Business Management Unit/Mail Administrators Account will be disabled on request Account will be disabled based upon request from Professional Standards Department or Anti-Corruption Unit (ACU) (Publication Scheme) 16

17 Appendix K D Division New user request submitted by Area that the new user request is New Users / Creation People and Development or Line Manager or Data Maintenance Unit ICT Service Desk IT1 Pro-forma via IT Connect or UAM depending if Police Scotland or SPA New user details provided to Leavers / Deletion User access removal request submitted by Area that the user removal request Are accounts disabled or deleted Time period for account to be disabled If disabled, after what time period are the accounts deleted? Further Information Access forms for the above are controlled by: Long term absence - including sickness, maternity, paternity, career break Action taken on the account of an employee who is suspended Line Manager or Business support area People and Development or Line Manager ICT Service Desk HR Connect Disabled on last official day of service As soon as reasonably practicable and in any event within two working days (outwith weekends) Six months after official leaving date IT Connect and the Data Input Bureau (within Criminal Justice D Division) Account will be disabled on request Account will be disabled based upon request from Professional Standards Department or Anti-Corruption Unit (ACU) (Publication Scheme) 17