Application for connection to YJS CUG and Hub (v6.0)


Name of Local Authority / Applicant organisation:
Contact Name:
Position:
Address:
Telephone:

I/We wish to apply for connectivity to the Youth Justice System Closed User Group (YJS CUG). In accordance with the terms and conditions of connection, the following information is now supplied:

1. (See clause 13 / Note 13) A requirement of connection is that the management of the remote systems and networks is compliant with the requirements of ISO/IEC. To this end, please state the date of the last review carried out, and the date when your next compliance review is planned.
   Date of last review:
   Date of next review:
   (It is implicit in this statement that any shortcomings highlighted by the review will be remedied.)

2. We understand and can confirm compliance with all elements of the Terms and Conditions of connection which are attached to this document, subject to the qualifications and areas of non-compliance highlighted in the attached covering letter dated [ ] and signed by [ ] for and on behalf of [ ] Local Authority.

Signature:
Name (please print):
Date:
Position:
On behalf of (Organisation name):

Return to: Wiring up Youth Justice ICT Admin, YJB, 11 Carteret Street, London, SW1H 1DL

Page 1 of 8

Terms & Conditions for Connection to YJS CUG and Message Exchange

Statement of requirement

1. The connecting authority will ensure that information requested through the YJS CUG system is used only for valid business purposes, and will be proactive in ensuring that YJB services are not abused or misused. The connecting authority will ensure that all users in its organisation comply with the Data Protection Act and applicable professional codes of conduct, in order to ensure that all information, including that classified as RESTRICTED, is treated as the originator intended. The connecting authority acknowledges that any breach of these provisions may result in access to YJS CUG networks and facilities being suspended or terminated.

2. The connecting authority will install and manage a case management server for use by Youth Offending Team (YOT) personnel and take the necessary steps to restrict access to those with a need to know. The connecting authority will inform the YJS CUG administrators of the internal server address used by that server.

3. As a condition of connection to the YJS CUG, the connecting authority will either permit the installation upon its premises of a dedicated encryption device, which will be supplied by, and remotely managed by, YJS CUG personnel, or supply a dedicated IP address from the connecting authority's GCSx network range.

4. The internal network linking the YOT Case Management server to the YJS CUG device shall, if possible, be an Ethernet or similar wired network. If a Wireless Local Area Network (LAN) is to be employed, directly or indirectly, on the same network, it shall comply with, or exceed, the minimum standards outlined in Appendix A. In case of doubt, the matter should be referred to the YJS CUG Administrators.

5. The connecting authority agrees to notify and coordinate with the WUYJ Technical Services Manager on all planned changes to the organisation's technical infrastructure that could impact access to, or could impact the integrity of, the YJS CUG connection and service or any other investments made by the YJB in Youth Justice System information systems (notably Connectivity, easset, Secure, YJ MIS, Remote Working). The connecting authority should present such proposed changes to the WUYJ Technical Services Manager for acceptability, compliance, compatibility and security testing. This includes, but is not limited to, changes to the LAN or WAN infrastructure, software changes to current case management systems which support YJB schemas and components, or taking into live service any release of software with interfaces to YJB systems that is not listed on the YJB accredited product list.

6. The connecting authority will ensure that all members and employees of its organisation who are permitted access to the YJS CUG understand the conditions on which connection has been granted, as set out in this document.

7. In the event of a breach, or suspected breach, the connecting authority understands that, as a part of this agreement, the YJS CUG Administrators reserve the right to initiate an investigation into the incident and that the cooperation of connecting organisations is necessary.

8. The connecting authority confirms that in the event of a suspected security breach or security breach it will provide any assistance necessary to locate the source of the breach and fully assist the YJS CUG Administrators in any investigation.

9. The connecting authority confirms that all users of its IT systems:
   - are authorised users and can be individually identified by having unique user names and passwords (passwords should be a minimum of 8 alphanumeric characters and changed at least every 90 days);
   - are instructed not to share their user credentials, and that if any user credential is compromised it will be changed as soon as possible.

10. The connecting authority will ensure that only users with a documented and approved requirement to access YOT case management services, and thus the YJS CUG, will be able to do so. A record of approved users will be held by the end user organisation, but made available to the YJS CUG Accreditor if required. User management processes will ensure that only current, valid user accounts exist within the system.

11. The connecting authority will not transmit information through the YJS CUG and/or YJS Hub that it knows, suspects, or has been advised is of a higher level of sensitivity than the service is designed to carry (that is, RESTRICTED material). If a case warranting a higher Protective Marking may be encountered, processing of that case will be handled separately.

12. The connecting authority confirms that its organisation has secure data storage facilities, and that its data archiving and retention policies are consistent with the nature of the data stored.

13. The connecting authority confirms that an appropriate business-focused risk assessment of its computer systems and regular reviews/audits of the IT infrastructure (e.g. to BS7799/ISO17799) have taken place or are planned.

14. The connecting authority confirms that its organisation prevents unescorted visitors from entering areas of its premises where IT systems are held, including those that have access to the YJS CUG.

15. The connecting authority confirms that portable computers or devices that will be used for sending/receiving YJS CUG data or for storing RESTRICTED data are appropriately protected against unauthorised use by encryption, passwords, physical locks, removable disks or memory, or other similar devices.

16. The connecting authority confirms that its networks are adequately protected against external interference, and that the mechanisms employed are frequently monitored and maintained.

17. The connecting authority confirms that all servers used to run case management software and access the YJS CUG are running an up-to-date anti-virus package, with regular and frequent updates being applied.

18. The connecting authority confirms that operating system updates and security patches are regularly applied to all servers and client machines used to access the YJS CUG. This will include all case management software patches.

19. The connecting authority recognises the guidelines for the use of Data Collection solutions, and confirms that solutions adopted will be compliant. If there is any doubt what this means, the connecting authority will consult the YJS CUG Administrators.

Appendix A: Terms and Conditions Notes

General

The YJS CUG is managed and administered by the Youth Justice Board for England and Wales (YJB) on behalf of the Youth Justice System (YJS). The YJS CUG is a secured network for providing interconnection between the various parties that make up the Youth Justice Service / System; these include YOTs, the YJB, other CJOs and the secure estates. It is necessary that each part of the user community plays their part in maintaining the security of the overall system, and certain requirements are of necessity placed upon the connecting organisation, although these are kept to a minimum.

1. All information being passed between the Local Authority, YJS CUG, or end user is for official use only and should not be exposed to a wider circulation than strictly necessary for the official purpose. Certain information will be of a personal nature and subject to the Data Protection Act 1998 (DPA). Information of a sensitive nature may be marked as RESTRICTED* by government departments or other agencies, although not all connecting organisations adhere to the Government's Protective Marking scheme. Information which does not contain any protective marking should therefore be examined and, depending upon content, it should be regarded as sensitive information and handled appropriately. The YJS CUG and Hub will treat all information as RESTRICTED whilst it is within its domain.

   * Restricted information, for the purpose of this agreement, is defined as criminal justice / youth justice sensitive business information (that may or may not bear the Government Protective Marking of RESTRICTED), the unauthorised disclosure of which would:
   - cause substantial distress to individuals;
   - prejudice the investigation or facilitate the commission of crime;
   - breach proper undertakings to maintain the confidence of information provided by third parties; or
   - undermine the proper management of the public sector and its operations.

2. In order to ensure that any information received via the YJS CUG is adequately protected and available only for the stated purpose, and that other connecting organisation information cannot be sent or accessed via the YJS CUG, the server upon which Youth Offending information is stored and processed should be dedicated to the task, and not shared with other services. The YJS CUG connection device (see 3 below) will only accept traffic from the connecting organisation's case management server IP address. The network managers in the connecting organisation are required to notify the YJS CUG administrators of the internal address of this server in order that they may set the connectivity and security parameters appropriately. If the case management server(s) is not dedicated to that sole purpose, the YJS CUG Accreditor will need to be satisfied that an equivalent strong separation exists within the system, such that the YJS CUG connection and YOT case management data and systems cannot be accessed by parties other than YOT personnel.

3. In order to protect the integrity of the YJS CUG and YJS Hub, and also to protect connecting organisations, the YJB will either provide an Internet-connected encryption device or use the connecting authority's Government Connect (GCSx) network connection to provide the secure link to the YJS Message Exchange. The encryption device will be installed to provide a direct connection between the YOT's case management server and the YJS Message Exchange. The encryption device will require a fixed public IP address upon the Internet and a fixed internal IP address upon the backend. In order to configure the device, the YJS CUG Administrators will need to be aware of these IP addresses as well as the internal IP address of the YOT case management server(s) and any other intermediate connection information dependent upon the type of connectivity offered. If the secure connection from the YOT case management server to the YJB CUG is to be made via the Government Connect GCSx network, the YJB requires a separate, dedicated IP address feed into the connecting authority's GCSx network. The YJS CUG Administrators will need to be aware of the GCSx IP address as well as the internal IP address of the YOT case management server(s) and any other intermediate connection information dependent upon the type of connectivity offered. Further technical information can be obtained from the YJS CUG Administrators.

4. The security assessment of the YJS CUG assumes that the network structure of the connecting authority is hard-wired. Early wireless LAN (WLAN) installations were notoriously insecure and, although modern WLAN installations are much improved, the YJS CUG Accreditor will wish to have details of any WLAN installation that does not comply with at least the minimum standard below, for reassurance that the security assessment is not affected by the presence of WLAN in the network. As a minimum, the WLAN should be protected by WPA2 using either certificate or shared-key authentication. Traffic encryption should be enforced at its highest possible level, but at least 128-bit AES. Only authorised and authenticated users must be allowed access to the system; where practical, Access Control Lists should be used as a control mechanism. All default username and password combinations should be changed or removed from the devices, which should be managed by suitably-qualified support staff from a secure network management centre. Wireless access points should be controlled to keep the network signals within building boundaries, and the WLAN should not be used to link buildings across public spaces. The WLAN should not broadcast its identity. Internal IP addresses or other details of the wireless devices should not be revealed unnecessarily.

5. The installation of the crypto device to facilitate a connection to the YJS CUG, and the initial acceptance of the code of connection, will have reassured the YJS CUG Accreditor of the security of the installed link and that the risk to the YJS CUG as a result of the connecting organisation's presence is acceptable. The connecting authority should not deploy technical infrastructure changes which would impact access to, or could impact the integrity of, YJS services. Any change of circumstance within the systems and networks of the connecting organisation which affects the YJS CUG connection and service or any other investments made by the YJB in Youth Justice System information systems (notably Connectivity, easset, Secure, YJ MIS, Remote Working), and/or changes (or may change) the security assessment, should be presented to the WUYJ Technical Services Manager. This process will enable assessment and proving of service and connectivity, and also allow the security impact of proposed changes to be assessed, to preserve the investments made in information sharing.

6. It is a requirement that all staff within the connecting organisation who are permitted to use the YJS CUG for any purpose (i.e. staff with access to the YOT Case Management System(s)) understand the conditions under which connectivity is granted, and undertake personally not to abuse the system or the information supplied, or circumvent any security measures put in place. This must be implemented as a part of induction training and staff awareness programmes. Management must be aware of their responsibility to enforce compliance with this requirement.

7. Any actual or suspected breach of security is a potential risk to all participants in the YJS CUG, and the YJS CUG Administrators will wish to investigate and correct any problem. In doing so, it is important that the connecting organisation and their technical staff offer assistance if required. If a security breach is found to have occurred within the connecting organisation, or as the result of accidental or deliberate action of the staff of the connecting organisation, the investigation will be passed to the connecting organisation to be resolved. The YJS CUG Administrators will notify all connecting parties of any security breach.

8. A necessary part of any investigation carried out under the terms of Note 7 above is accurate record keeping by all parties. The YJS CUG Administrators will maintain traffic records relating to all traffic flowing through the YJS Hub system. It is expected that the connecting organisation will maintain logging on its systems at a level which would enable the investigating officers to follow a suspect message to its source or destination within the connecting organisation. The connecting organisation should maintain these records for a minimum period of one calendar month, after which they may be destroyed if not required for any other purpose.

9. It is a requirement of the YJS CUG that, within the connecting organisation, the actions of individual members of staff are traceable. In practice, this means that each user of the system shall have an individual logon identity and password, to which the individual alone shall have access. Group accounts should not be used for access to the YOT case management system (and YJS CUG), and neither should a single dedicated terminal, under a generic user name, be used for the purpose. Staff in the connecting organisation should be told that the sharing of identities and passwords is not permitted. This is necessary in order to undertake any investigation outlined in Para 7, which requires the ability to trace a suspect transaction to the individual generating it.

10. In order to ensure that only appropriate members of staff within the connecting organisation have access to information supplied through the YJS CUG, the connecting organisation shall ensure that access to the appropriate server and case management software is controlled and that a list is maintained of those having access. A formal process should exist in order to grant an individual user access to the system. If an individual user resigns or moves on, their access rights should be revoked, and a formal modification process must be in place to ensure that this happens. The YJS CUG Administrators may wish to be assured that adequate processes are in place.

11. The YJS CUG is an accredited system which is designed to handle material which is protectively marked to the government classification of RESTRICTED, and can be safely used for most personal information or other official information which fits within the definition of that classification level. Any material of a more sensitive nature which properly falls within the definition of a higher classification cannot be transmitted across the YJS CUG. Such information will not be adequately protected, and the presence of premium information may increase the risk of attack against the network to the detriment of the service as a whole. Connecting organisations are asked to make sure that their users understand this requirement.

12. The YJS CUG is designed to provide secure delivery mechanisms for information which is sensitive or protectively marked, as detailed in Note 11 above. It is the responsibility of the connecting organisation to protect this information in an appropriate manner once received. This implies that such information will be stored in ways which restrict access to those with a need to know the content of the information, that the information will not be placed in any open data repository, and that it will be securely deleted when no longer required.

13. All connecting organisations are expected to be compliant with standard ISO/IEC 17799, which is the international standard for information security management. This standard defines a common approach to the management of information security, and ensures that all organisations are operating to the same minimum standard. Local authorities were also obliged to comply with the security standard by 2005 as part of their Implementing Electronic Government (IEG) requirements. The requirement that all participants connecting to the YJS CUG are compliant with the standard also assists in building confidence that information can be shared without unnecessary risk.

14. Information supplied by means of the YJS CUG may be of a sensitive nature, and access to this information is controlled. A part of this control is that visitors within the connecting organisation's premises should not be offered the opportunity to misuse equipment or view information by being offered unescorted access. All visitors to areas where this information is available, and who are not employees of the connecting organisation, should be escorted at all times.

15. In many offices, users may be supplied with portable computers which enable them to connect remotely to their place of work. In this case, it may be possible for end-users to receive, download, or transmit information via the YJS CUG, and that information should be protected whilst at the user's laptop or portable device. Because of the likelihood of theft or loss, and the difficulty in maintaining full access control of portable devices at all times, special precautions need to be taken with all sensitive information, including that supplied through the YJS CUG. There are many mechanisms available in the market place to assist organisations in this, and it is not the intention to dictate any specific solution. However, if the connecting organisation intends providing a remote access solution for users with access to the YJS CUG, the YJS CUG Administrators may wish to know which precautions are in place and to be assured that the information which is supplied is adequately protected.

16. It is expected that the network services of the connecting organisation which are externally facing will be protected by some suitable mechanism, most commonly a firewall security solution. This is assumed to be the case when considering the risk profile of the YJS CUG. Any applicant for connectivity who has an alternative approach to network protection should discuss this with the YJS CUG Administrators.

17. It is expected that the connecting organisation will run appropriate antivirus software on its network servers and client computers. It is mandated for servers providing connectivity to the YJS CUG. The chosen antivirus product should be updated regularly to ensure that all information passed to the YJS CUG and connecting organisations is virus free.

18. In order to reduce vulnerabilities of systems within the connecting organisation, it is expected that all servers and networked devices are routinely patched to the latest relevant patch state. A failure to do so may permit exploitation through known vulnerabilities, which will damage the systems of the connecting organisation and may additionally endanger the security of the YJS CUG. Connecting organisations are therefore asked to confirm that they apply relevant updates regularly.

19. Following a security review of Digital Pens and Citrix / 3G solutions, the following guidelines on technology used in automated information-gathering should be taken into account. If a local authority has developed, or intends to develop, an alternative solution to this problem, the solution must be evaluated by the YJS CUG Administrators prior to use as a part of the wider YJS CUG network. Several solutions have been evaluated and passed by YJS CUG Security Accreditors as part of the Wiring up Youth Justice Programme:
   (a) The Bradford Solution to remote working is based upon a thin client terminal server solution, in their case a tablet PC employing a CITRIX service. The tablet PC connects via a 3G mobile phone card. This operates across an encrypted VPN (Virtual Private Network) which uses a 6-digit Secure-ID token as part of the authentication process. This solution, and others similar, is secure for use within the YJS provided that users are made aware of the need to keep tokens and access information safe, and that the technical teams keep software at its latest patch state.
   (b) The Leeds Solution to remote working is built upon a digital pen with which written material can be captured and subsequently transmitted by mobile phone. It is secure under normal circumstances provided that the mobile phone being used is supplied by the local authority and has control over the Bluetooth settings, to avoid promiscuous sharing of data, and over the software installed upon it. Another requirement would be that data is not downloaded to the phone until transmission of the information is about to take place. This solution, and others similar to it, may be used in normal circumstances provided that, where cases are particularly sensitive, alternative arrangements for transmission of the data are made.
   (c) Other solutions to remote data capture may be added to this list from time to time.
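Note 4 above states the minimum WLAN standard as a list of settings (WPA2 with certificate or shared-key authentication, at least 128-bit AES, authenticated users with an access control list, SSID not broadcast). The following is an added example, not part of the YJS CUG document or the YJB's own material: it expresses those settings as a check over a hostapd-style configuration file, with a constructed weak configuration placed beside a constructed hardened one. The interface name, SSID, RADIUS server address and all secrets are placeholders, and the procedural items in Note 4 (changing default device credentials, containing the signal within the building) are not configuration keys and are not checked.

```python
"""Check a hostapd-style WLAN configuration against the Appendix A Note 4 minimum.

Constructed example, not from the YJS CUG document. The two configurations below
are made up for illustration; addresses and secrets are placeholders.
"""

# Weak configuration (constructed): WPA1 with TKIP, SSID broadcast, no ACL.
WEAK_CONF = """\
interface=wlan0
ssid=YOT-Office
hw_mode=g
channel=6
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=PLACEHOLDER-passphrase
wpa_pairwise=TKIP
ignore_broadcast_ssid=0
macaddr_acl=0
"""

# Hardened configuration (constructed): WPA2-Enterprise (certificate-based EAP
# against a RADIUS server), AES-CCMP, hidden SSID, MAC allow-list.
HARDENED_CONF = """\
interface=wlan0
ssid=YOT-Office
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER-radius-secret
"""

# Pairwise ciphers that are AES-based with a key of at least 128 bits.
AES_CIPHERS = {"CCMP", "CCMP-256", "GCMP", "GCMP-256"}


def parse_hostapd(text):
    """Parse key=value lines into a dict, skipping blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def check_wlan_minimum(conf):
    """Return a list of findings; an empty list means the config meets Note 4."""
    findings = []

    # WPA2 only: hostapd uses wpa=1 (WPA), 2 (WPA2/RSN) or 3 (mixed mode).
    if conf.get("wpa") != "2":
        findings.append("wpa must be 2 (WPA2 only); found %r" % conf.get("wpa"))

    # Authentication: certificate-based (WPA-EAP) or shared key (WPA-PSK).
    mgmt = set(conf.get("wpa_key_mgmt", "").split())
    if not mgmt or not mgmt <= {"WPA-EAP", "WPA-PSK"}:
        findings.append("wpa_key_mgmt must be WPA-EAP and/or WPA-PSK; found %r"
                        % conf.get("wpa_key_mgmt"))

    # Cipher: rsn_pairwise governs WPA2 and falls back to wpa_pairwise in
    # hostapd; TKIP is RC4-based and does not meet the 128-bit AES minimum.
    pairwise = set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split())
    if not pairwise or not pairwise <= AES_CIPHERS:
        findings.append("pairwise cipher must be AES (CCMP/GCMP); found %r"
                        % sorted(pairwise))

    # The WLAN should not broadcast its identity.
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ignore_broadcast_ssid should be 1 or 2 (SSID hidden)")

    # Access control list: macaddr_acl=1 denies unless listed in accept_mac_file;
    # macaddr_acl=2 delegates the decision to the RADIUS server.
    acl = conf.get("macaddr_acl", "0")
    if acl == "1" and not conf.get("accept_mac_file"):
        findings.append("macaddr_acl=1 requires accept_mac_file")
    elif acl not in ("1", "2"):
        findings.append("macaddr_acl should be 1 (allow-list) or 2 (RADIUS)")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = check_wlan_minimum(parse_hostapd(text))
        print(name, "OK" if not result else result)
```

The checker reads the keys as hostapd interprets them: `wpa=3` (mixed WPA/WPA2) is rejected because it still admits WPA1 clients, and a missing `rsn_pairwise` falls back to `wpa_pairwise`, so a TKIP-only configuration is reported rather than silently passed. Run against the constructed inputs it reports four findings for the weak configuration and none for the hardened one.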

Document Control

Date      Version   Change Reference
09/10/              Initial approved version
19/03/              Cover page updated to cater for recording that supplementary documentation has been provided to support the submitted Code of Connection
/07/                Clause 5 updated to clarify the scope of changes to local authority infrastructure which should be notified to the WUYJ Technical Service Manager.


More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer Data Sharing Agreement Between Integral Occupational Health Ltd and the Customer 1. Definitions a. Customer means any person, organisation, group or entity accepted as a customer of IOH to access OH services

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

ADIENT VENDOR SECURITY STANDARD

ADIENT VENDOR SECURITY STANDARD Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational

More information

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo. Diageo Third Party Hosting Standard 1. Purpose This document is for technical staff involved in the provision of externally hosted solutions for Diageo. This document defines the requirements that third

More information

Computer Security Policy

Computer Security Policy Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1

More information

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected.

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected. I Use of computers This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security policy. To

More information

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy This Acceptable Use Policy is in addition to South Central Communication s Terms of Service and together the documents constitute the Agreement between South Central Communications

More information

The Data Protection Act 1998 Clare Hall Data Protection Policy

The Data Protection Act 1998 Clare Hall Data Protection Policy The Data Protection Act 1998 Clare Hall Data Protection Policy Introduction This document is a guide to the main requirements of the new Data Protection Act (DPA) that came into force on 24th October 2001.

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Employee Security Awareness Training Program

Employee Security Awareness Training Program Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,

More information

Enviro Technology Services Ltd Data Protection Policy

Enviro Technology Services Ltd Data Protection Policy Enviro Technology Services Ltd Data Protection Policy 1. CONTEXT AND OVERVIEW 1.1 Key details Rev 1.0 Policy prepared by: Duncan Mounsor. Approved by board on: 23/03/2016 Policy became operational on:

More information

Version 1/2018. GDPR Processor Security Controls

Version 1/2018. GDPR Processor Security Controls Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in

More information

Data Protection Policy

Data Protection Policy The Worshipful Company of Framework Knitters Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act 1998 (DPA) [UK] For information on this

More information

DATA PROTECTION POLICY THE HOLST GROUP

DATA PROTECTION POLICY THE HOLST GROUP DATA PROTECTION POLICY THE HOLST GROUP INTRODUCTION The purpose of this document is to provide a concise policy regarding the data protection obligations of The Holst Group. The Holst Group is a data controller

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Status: Released Page 2 of 7 Introduction Our Data Protection policy indicates that we are dedicated to and responsible of processing the information of our employees, customers,

More information

ISC10D026. Report Control Information

ISC10D026. Report Control Information ISC10D026 Report Control Information Title: General Information Security Date: 28 January 2011 Version: v3.08 Reference: ICT/GISP/DRAFT/3.08 Authors: Steve Mosley Quality Assurance: ISSC Revision Date

More information

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control

More information

Standard for Security of Information Technology Resources

Standard for Security of Information Technology Resources MARSHALL UNIVERSITY INFORMATION TECHNOLOGY COUNCIL Standard ITP-44 Standard for Security of Information Technology Resources 1 General Information: Marshall University expects all individuals using information

More information

Gatekeeper Public Key Infrastructure Framework. Information Security Registered Assessors Program Guide

Gatekeeper Public Key Infrastructure Framework. Information Security Registered Assessors Program Guide Gatekeeper Public Key Infrastructure Framework Information Security Registered Assessors Program Guide V 2.1 December 2015 Digital Transformation Office Commonwealth of Australia 2015 This work is copyright.

More information

Site Builder Privacy and Data Protection Policy

Site Builder Privacy and Data Protection Policy Site Builder Privacy and Data Protection Policy This policy applies to the work of the Third Age Trust s Site Builder Team. The policy sets out the approach of the Team in managing personal information

More information

Checklist: Credit Union Information Security and Privacy Policies

Checklist: Credit Union Information Security and Privacy Policies Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC

More information

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2 COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September 2018 Table of Contents 1. Scope, Purpose and Application to Employees 2 2. Reference Documents 2 3. Definitions 3 4. Data Protection Principles

More information

Information Security Policy for Associates and Contractors

Information Security Policy for Associates and Contractors Information Security Policy for Associates and Contractors Version: 1.13 Date: 11 October 2016 Reference: 67972761 Location: Livelink Contents Introduction... 3 Purpose... 3 Scope... 3 Responsibilities...

More information

The Apple Store, Coombe Lodge, Blagdon BS40 7RG,

The Apple Store, Coombe Lodge, Blagdon BS40 7RG, 1 The General Data Protection Regulation ( GDPR ) is the new legal framework that will come into effect on the 25th of May 2018 in the European Union ( EU ) and will be directly applicable in all EU Member

More information

Acceptable Usage Policy (Student)

Acceptable Usage Policy (Student) Acceptable Usage Policy (Student) Author Arthur Bogacki Date 18/10/2017 Version 1.1 (content sourced and consolidated from existing Email and Electronic Communication, and User Code of Practice policies.)

More information

Cyber security tips and self-assessment for business

Cyber security tips and self-assessment for business Cyber security tips and self-assessment for business Last year one in five New Zealand SMEs experienced a cyber-attack, so it s essential to be prepared. Our friends at Deloitte have put together this

More information

NEN The Education Network

NEN The Education Network NEN The Education Network School e-security Checklist This checklist sets out 20 e-security controls that, if implemented effectively, will help to ensure that school networks are kept secure and protected

More information

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government

More information

Element Finance Solutions Ltd Data Protection Policy

Element Finance Solutions Ltd Data Protection Policy Element Finance Solutions Ltd Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments

More information

Credentials Policy. Document Summary

Credentials Policy. Document Summary Credentials Policy Document Summary Document ID Credentials Policy Status Approved Information Classification Public Document Version 1.0 May 2017 1. Purpose and Scope The Royal Holloway Credentials Policy

More information

A Homeopath Registered Homeopath

A Homeopath Registered Homeopath A Homeopath Registered Homeopath DATA PROTECTION POLICY Scope of the policy This policy applies to the work of homeopath A Homeopath (hereafter referred to as AH ). The policy sets out the requirements

More information

Responsible Officer Approved by

Responsible Officer Approved by Responsible Officer Approved by Chief Information Officer Council Approved and commenced August, 2014 Review by August, 2017 Relevant Legislation, Ordinance, Rule and/or Governance Level Principle ICT

More information

INFORMATION ASSET MANAGEMENT POLICY

INFORMATION ASSET MANAGEMENT POLICY INFORMATION ASSET MANAGEMENT POLICY Approved by Board of Directors Date: To be reviewed by Board of Directors March 2021 CONTENT PAGE 1. Introduction 3 2. Policy Statement 3 3. Purpose 4 4. Scope 4 5 Objectives

More information

St Bernard s Primary School Data Protection Policy

St Bernard s Primary School Data Protection Policy St Bernard s Primary School Data Protection Policy St Bernard s RC Primary School, A Voluntary Academy Approved by Governors: 11.11.2015 Review date: Autumn 2016 St Bernard s Data Protection Policy General

More information

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17 GUIDELINES ON SECURITY MEASURES FOR OPERATIONAL AND SECURITY RISKS UNDER EBA/GL/2017/17 12/01/2018 Guidelines on the security measures for operational and security risks of payment services under Directive

More information

Terms and Conditions for External accounts Service

Terms and Conditions for External accounts Service Terms and Conditions for External accounts Service You must read these Terms and Conditions before using External accounts service. IMPORTANT INFORMATION External accounts service is an account aggregation

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

AUTHORITY FOR ELECTRICITY REGULATION

AUTHORITY FOR ELECTRICITY REGULATION SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...

More information

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017 Wye Valley NHS Trust Data protection audit report Executive summary June 2017 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act

More information

Healing School - A Science Academy GDPR Policy (Exams) 2018/19

Healing School - A Science Academy GDPR Policy (Exams) 2018/19 Healing School - A Science Academy GDPR Policy (Exams) 2018/19 This policy is reviewed annually to ensure compliance with current regulations Author Date adopted by MAT Directors Mrs D Barnard Review Date

More information

Data protection. 3 April 2018

Data protection. 3 April 2018 Data protection 3 April 2018 Policy prepared by: Ltd Approved by the Directors on: 3rd April 2018 Next review date: 31st March 2019 Data Protection Registration Number (ico.): Z2184271 Introduction Ltd

More information

External Supplier Control Obligations. Cyber Security

External Supplier Control Obligations. Cyber Security External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place

More information

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:

More information

GLOBAL PAYMENTS AND CASH MANAGEMENT. Security

GLOBAL PAYMENTS AND CASH MANAGEMENT. Security GLOBAL PAYMENTS AND CASH MANAGEMENT Security The Bank aims to provide you with a robust, reliable and secure online environment in which to do business. We seek to achieve this through the adoption of

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Introduction The purpose of this document is to provide a concise policy regarding the data protection obligations of Youth Work Ireland. Youth Work Ireland is a data controller

More information

Standard For IIUM Wireless Networking

Standard For IIUM Wireless Networking INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA (IIUM) Document No : IIUM/ITD/ICTPOL/4.3 Effective Date : 13/11/2008 1.0 OBJECTIVE Standard For IIUM Wireless Networking Chapter : Network Status : APPROVED Version

More information

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications Gramm-Leach Bliley Act Section 501(b) and Customer Notification Roger Pittman Director of Operations Risk Federal Reserve Bank of Atlanta Overview Bank IT examination perspective Background information

More information

Information Security BYOD Procedure

Information Security BYOD Procedure Information Security BYOD Procedure A. Procedure 1. Audience 1.1 This document sets out the terms of use for BYOD within the University of Newcastle. The procedure applies to all employees of the University,

More information

Wireless Network Policy and Procedures Version 1.5 Dated November 27, 2002

Wireless Network Policy and Procedures Version 1.5 Dated November 27, 2002 Wireless Network Policy and Procedures Version 1.5 Dated November 27, 2002 Pace University reserves the right to amend or otherwise revise this document as may be necessary to reflect future changes made

More information

Creative Funding Solutions Limited Data Protection Policy

Creative Funding Solutions Limited Data Protection Policy Creative Funding Solutions Limited Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments

More information

Malpractice and Maladministration Policy

Malpractice and Maladministration Policy Malpractice and Maladministration Policy Introduction This policy is aimed at our customers, including learners, who are delivering/registered on BCS approved qualifications or units within or outside

More information

E-Security policy. Ormiston Academies Trust. James Miller OAT DPO. Approved by Exec, July Release date July Next release date July 2019

E-Security policy. Ormiston Academies Trust. James Miller OAT DPO. Approved by Exec, July Release date July Next release date July 2019 Ormiston Academies Trust E-Security policy Date adopted: Autumn Term 2018 Next review date: Autumn Term 2019 Policy type Author Statutory James Miller OAT DPO Approved by Exec, July 2018 Release date July

More information

Cyber Insurance PROPOSAL FORM. ITOO is an Authorised Financial Services Provider. FSP No

Cyber Insurance PROPOSAL FORM. ITOO is an Authorised Financial Services Provider. FSP No PROPOSAL FORM Cyber Insurance Underwritten by The Hollard Insurance Co. Ltd, an authorised Financial Services Provider www.itoo.co.za @itooexpert ITOO is an Authorised Financial Services Provider. FSP.

More information

It s still very important that you take some steps to help keep up security when you re online:

It s still very important that you take some steps to help keep up security when you re online: PRIVACY & SECURITY The protection and privacy of your personal information is a priority to us. Privacy & Security The protection and privacy of your personal information is a priority to us. This means

More information

1.3 More information about eduroam is available at the relevant eduroam Service Provider (ESP) website detailed in Schedule 1 of this document.

1.3 More information about eduroam is available at the relevant eduroam Service Provider (ESP) website detailed in Schedule 1 of this document. 1.0 Background to this document 1.1 This document sets out guidelines that cover the control of the supply and receipt of Internet access for educational purposes, that is primarily (but not exclusively)

More information

Grid Security Policy

Grid Security Policy CERN-EDMS-428008 Version 5.7a Page 1 of 9 Joint Security Policy Group Grid Security Policy Date: 10 October 2007 Version: 5.7a Identifier: https://edms.cern.ch/document/428008 Status: Released Author:

More information

UKIP needs to gather and use certain information about individuals.

UKIP needs to gather and use certain information about individuals. UKIP Data Protection Policy Context and overview Key details Policy Update Prepared by: D. Dennemarck / S. Turner Update approved by Management on: November 6, 2015 Policy update became operational on:

More information

Ulster University Standard Cover Sheet

Ulster University Standard Cover Sheet Ulster University Standard Cover Sheet Document Title Portable Devices Security Standard 1.5 Custodian Approving Committee Deputy Director of Finance and Information Services (Information Services) Information

More information

Client Computing Security Standard (CCSS)

Client Computing Security Standard (CCSS) Client Computing Security Standard (CCSS) 1. Background The purpose of the Client Computing Security Standard (CCSS) is to (a) help protect each user s device from harm, (b) to protect other users devices

More information

Introduction to SURE

Introduction to SURE Introduction to SURE Contents 1. Introduction... 3 2. What is SURE?... 4 3. Aim and objectives of SURE... 4 4. Overview of the facility... 4 5. SURE operations and design... 5 5.1 Logging on and authentication...

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Interim Director

More information

CYBER SECURITY POLICY REVISION: 12

CYBER SECURITY POLICY REVISION: 12 1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred

More information

INFORMATION SECURITY AND RISK POLICY

INFORMATION SECURITY AND RISK POLICY INFORMATION SECURITY AND RISK POLICY 1 of 12 POLICY REFERENCE INFORMATION SHEET Document Title Document Reference Number Information Security and Risk Policy P/096/CO/03/11 Version Number V02.00 Status:

More information

Acceptable Use Policy (AUP)

Acceptable Use Policy (AUP) Acceptable Use Policy (AUP) Questions regarding this policy and complaints of violations of this policy by PLAINS INTERNET users can be directed to support@plainsinternet.com. Introduction Plains Internet

More information

Digital Health Cyber Security Centre

Digital Health Cyber Security Centre Digital Health Cyber Security Centre Current challenges Ransomware According to the ACSC Threat Report 2017, cybercrime is a prevalent threat for Australia. Distributed Denial of Service (DDoS) Targeting

More information

SAFECOM SECUREWEB - CUSTOM PRODUCT SPECIFICATION 1. INTRODUCTION 2. SERVICE DEFINITION. 2.1 Service Overview. 2.2 Standard Service Features APPENDIX 2

SAFECOM SECUREWEB - CUSTOM PRODUCT SPECIFICATION 1. INTRODUCTION 2. SERVICE DEFINITION. 2.1 Service Overview. 2.2 Standard Service Features APPENDIX 2 APPENDIX 2 SAFECOM SECUREWEB - CUSTOM PRODUCT SPECIFICATION 1. INTRODUCTION This document contains product information for the Safecom SecureWeb Custom service. If you require more detailed technical information,

More information

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control

More information

BT Compute Protect Schedule to the General Terms

BT Compute Protect Schedule to the General Terms BT Compute Protect Schedule to the General Terms Contents A note on you... 2 Words defined in the General Terms... 2 Part A The BT Compute Protect Service... 2 1 Service Summary... 2 2 Standard Service

More information

Telecommunications Equipment Certification Scheme FEBRUARY 2017

Telecommunications Equipment Certification Scheme FEBRUARY 2017 Telecommunications Equipment Certification Scheme FEBRUARY 2017 Canberra Red Building Benjamin Offices Chan Street Belconnen ACT PO Box 78 Belconnen ACT 2616 T +61 2 6219 5555 F +61 2 6219 5353 Melbourne

More information

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT AGREEMENT DATED [ ] BETWEEN: (1) SHELTERMANAGER LTD and (2) [ ] ( The Customer ) BACKGROUND (A) (B) (C) This Agreement is to ensure there is in place

More information

Complying with RBI Guidelines for Wi-Fi Vulnerabilities

Complying with RBI Guidelines for Wi-Fi Vulnerabilities A Whitepaper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Mountain View, CA 94043 www.airtightnetworks.com 2013 AirTight Networks, Inc. All rights reserved. Reserve Bank of India (RBI) guidelines

More information