IT Security Standard Operating Procedure

Transcription

1 IT Security Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not be utilised as guidance or instruction by any police officer or employee as it may have been redacted due to legal exemptions Owning Department: Version Number: ICT Department 2.00 Date Published: 27/11/2017

2 Compliance Record Equality and Human Rights Impact Assessment (EqHRIA) Date Completed / Reviewed: Information Management Compliant: Health and Safety Compliant: Publication Scheme Compliant: 27/10/2017 Yes Yes Yes Version Control Table Version History of Amendments Approval Date 1.00 Initial Approved Version 23/03/ Periodic Review. Transferred to corporate template with new Police Scotland logo. Formatting standards in line Police Scotland record set 13/11/2017 2

3 Contents 1. Purpose 2. Overview 3. Guidelines Appendices Appendix A Appendix B Appendix C List of Associated Legislation List of Associated Reference Documents Glossary of Terms 3

4 1. Purpose 1.1 This Standard Operating Procedure (SOP) outlines information regarding the protection of the Police Service of Scotland hereinafter referred to as Police Scotland and the Scottish Police Authority hereinafter referred to as SPA information assets. 1.2 This SOP supports the following Police Scotland and the SPA policies. Information Security Policy 1.3 Police Scotland and the SPA recognise the need for comprehensive protection of the information held on Information Communications Technology (ICT) systems. This SOP provides key high level information on some mechanisms used to protect ICT information assets, further detailed procedures are held by the ICT department. 1.4 This SOP does not cover all ICT security measures deployed to protect all Police Scotland and SPA information assets, but does cover areas that Police Scotland and SPA staff are expected to be made aware of as part of their day to day working. 1.5 This SOP should be used in conjunction with Police Scotland SOP s for: ICT Acceptable Use of Computer Systems; ICT User Access and Security; Security Incident Reporting and Management; National Wireless System (Wifi) Security Operating Procedure (SyOPs). 2. Overview 2.1 Within Police Scotland there is a requirement to ensure that suitable anti-virus and further protection mechanisms are in place across the desktop and server estate, this is required to reduce the possibility of risk to the confidentiality, integrity and availability of the systems in use by Police Scotland and the SPA. 3. Guidelines 3.1 Anti-virus It is the responsibility of the ICT department to ensure adequate virus protection is in place to protect Police Scotland and the SPA networks and equipment. 4

5 3.1.2 Anti-virus products are installed on all Windows based systems and configured to provide automatic daily updates. Unless unavailable, other operating systems and devices must have anti-virus installed with daily updates applied Where an automatic update cannot be delivered, for example, standalone machines, an appropriate and approved process has been adopted through local processes / procedures Anti-virus must not be disabled unless authorised to do so by the ICT Technical Audit & Assurance team with written confirmation and agreement for next steps to ensure this is re-enabled as soon as possible thereafter This section has been removed, due to its content being exempt in terms of Section 30 of the Freedom of Information (Scotland) Act If a machine should become infected, or it is suspected that a machine may be infected with a computer virus, this must be switched off and disconnected from the network with immediate effect The machine must be clearly labelled and remain disconnected from the network until approval for reconnection is provided by ICT If there are any issues or questions relating to anti-virus, guidance should be sought from ICT Technical Audit and Assurance via the ICT Service Desk for urgent enquiries or Service Request for non-urgent issues. 3.2 End Point Management End Point Management is the management of devices that connect to our network to ensure the appropriate security is available, this includes desktops, laptops and servers, and anything that connects to these devices Under no circumstances must any personal or other unauthorised third party ICT system or device be connected to the Police Scotland and the SPA computer systems or networks Information that is classified as restricted or above must not be transferred to any third party or other unauthorised persons Where possible End Point security management will be applied by means of an application/system to reduce the risk of unauthorised external devices connecting to the Police Scotland and the SPA computers or network End points will be provided with the appropriate security products Any noted or alerted malfunction of security hardware or software must be reported immediately to your line manager and ICT service desk. 5

6 3.3 Physical Security (Computer Rooms) This section has been removed, due to its content being exempt in terms of Section 35 of the Freedom of Information (Scotland) Act The below additional protection should be deployed wherever possible including: Air conditioning units; Uninterruptable Power Supply (UPS); Standby generators; Fire suppression; Closed Circuit Television (CCTV); Only vetted and approved third party contractors and approved visitors will be allowed access to any Police Scotland ICT Computer Room. Access for work to take place in these rooms by third party contractors and approved visitors must be agreed prior to attending site All other visitors must be escorted at all times and will not be left alone to work in any ICT Computer room Rooms should be left clean and tidy and all refuse to be removed after completion of any works, or daily at the very minimum. No food or drink should be consumed in the ICT Computer room Sign in / out sheets must be used at all times, where provided. 3.4 Firewalls Internal security checks will take place before the deployment of any new firewall device, or the relocation of existing equipment Firewalls will be subject to frequent internal and external penetration testing All modifications and changes to firewall configurations shall be subject to internal peer checking and, where required, ICT Change Process Any change to configuration must be followed by an update of the appropriate documentation Only staff authorised to do so and with the appropriate access and security clearance will make changes to any firewall equipment Under no circumstance should unauthorised staff remove or relocate any network cable connected to a firewall. 6

7 3.4.7 Firewalls will only allow approved access to external systems, or access to internally hosted systems. 3.5 Wireless Only authorised Police Scotland devices and associated users are permitted to use the Corporate WiFi Network. Authenticated Corporate Devices are not permitted to connect to any Police Scotland Guest WiFi This section has been removed, due to its content being exempt in terms of Section 35 of the Freedom of Information (Scotland) Act It may be permitted for third party contractors and guests to be given temporary authorisation to access guest wireless network(s) for internet only Where guest wireless access has been provided this will be managed in accordance with the Police Scotland National Wireless System Security Operating Procedures (SyOPs) Any suspected breach in wireless security should immediately be reported to your line manager and ICT Technical Audit and Assurance. 7

8 Appendix A List of Associated Legislation Computer Misuse Act 1990 Public Records (Scotland) Act 2011 Data Protection Act 1998 Official Secrets Act

9 Appendix B List of Associated Reference Documents Policy Information Security Policy Standard Operating Procedures ICT Acceptable Use of Computer Systems SOP ICT User Access Security SOP Security Incident Reporting and Management SOP National Wireless System (WiFi) Security Operating Procedure (SyOPs) 9

10 Appendix C Glossary of Terms ACU ICT SLA SOP SPA SyOPs Anti - Corruption Unit Information and Communication Technology Service Level Agreement Standard Operating Procedure Scottish Police Authority System Security Operating Procedures 10