Registered Office Boscombe Link, 3 - 5 Palmerston Road, Bournemouth, BH1 4HN Registered Charity No: 1081381 Tel & Fax: (01202) 466130 Company Reg’d in England & Wales No: 4024662 Email: [email protected]

IT SECURITY PROCEDURE

This procedure should be read in conjunction with the IT Policy, Data Protection Policy, Confidentiality Policy and Retention of Information Policy.

1.0 For computer security

1.1 The Data Protection Officer will be responsible for checking that all BCVS computers have Microsoft Windows Defender installed on them to help guard against viruses, spyware, and other malicious software. Twice a year the Data Protection Officer will remind staff to check that Windows Defender and Windows Firewall are turned on.

1.2 All Bournemouth CVS computers will have Windows Update installed on them by default to help make sure that the operating system is set up to receive automatic updates. Each member of staff is responsible for making sure that their systems are fully updated.

1.3 The Data Protection Officer will ensure personal information is securely removed before disposing of old computers (by using technology or destroying the hard disk).

1.4 Each staff member is responsible for removing unused software and services from their devices. Older versions of some widespread software have well documented security vulnerabilities.

1.5 The Premises Officer will change the security alarm to Boscombe Link when a member of staff leaves Bournemouth CVS or when other tenants at Boscombe Link leave. The manual for the alarm is kept on the shelf above the administrator’s desk. The Premises Officer will keep a record of all personnel who are issued with office keys and will also be responsible for ensuring that keys are returned, along with any other items of BCVS equipment, when a staff member leaves. Staff are responsible for escorting and supervising all visitors in the building.

1.6 The CEO is responsible for insuring all equipment against the usual risks – fire, theft, flood and so on. This includes portable equipment such as laptops that get taken out of the office.

1.7 The Data Protection Officer will keep an up-to-date inventory of hardware and software. This can be done manually (using a template, and keeping a paper copy handy) or by using automated methods such as Belarc Advisor (www.belarc.com) or SpiceWorks (www.spiceworks.com).

The Data Protection Officer will record the following information about hardware:
• Organisational ID
• Manufacturer
• Model
• Serial number
• Asset tag
• Processor and speed
• Hard drive capacity, RAM
• Operating system
• Upgrades
• Purchase date, supplier, invoice reference and price
• Warranty information

The Data Protection Officer will record the following information about software:
• Name, manufacturer
• Version
• Purchase date, supplier, invoice reference and price
• License key

The Finance Officer will be responsible for ensuring there is no software licensing misuse.

2.0 Passwords

2.1 Staff will only share their passwords, including their Dropbox password, with the Data Protection Officer, who will be responsible for keeping them secure.

2.2 The Data Protection Officer keeps the passwords to all staff mailboxes, computers and Dropbox accounts securely in hard-copy and electronic versions. Staff are responsible for updating the Data Protection Officer should they change their password.

2.3 The CEO will be able to access the stored passwords in the Data Protection Officer’s absence.

2.4 All other personal documents, such as payroll and Sage accounts, will be password protected on individuals’ machines.

2.5 Individuals will know their own passwords and the Data Protection Officer stores these as a back-up. Line managers only need to know their own passwords.

2.6 The Data Protection Officer will ensure that all members of staff change their password annually at the BCVS spring cleaning day. Passwords should:
• Be at least eight characters long.
• Not contain your user name, real name, or ‘Bournemouth Council for Voluntary Service’.
• Not contain a complete word.
• Be significantly different from previous passwords.
• Contain characters from each of the following four categories:

Character category: Examples
Uppercase letters: A, B, C
Lowercase letters: a, b, c
Numbers: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Symbols found on the keyboard (all keyboard characters not defined as letters or numerals) and spaces: ` ~ ! @ # $ % ^ & * ( ) _ - + = { [ ] \ | : ; " ' < > , . ? /

2.7 Staff must choose unique passwords and may not use a password that they are already using for a personal account.

2.8 Leavers’ accounts will be disabled immediately by the Data Protection Officer, and passwords on any shared system to which they had access will be changed immediately (e.g. the passwords to the shared files and admin database).

2.9 On the last day in work, line managers of leavers will ensure that the member of staff has cleared their own IT devices of any BCVS passwords and downloaded BCVS data.

3.0 Portable Devices

3.1 Passwords will be installed on all portable devices. For laptops, memory sticks and disks there are free encryption tools available. These allow you to encrypt folders or whole drives including hard disks, memory sticks, and portable media such as DVDs. Examples include TrueCrypt, available from www.truecrypt.org.

3.2 Sensitive information should only be passed across public systems if it is encrypted.

4.0 Unattended Computers

4.1 When a computer is left unattended, it is essential that no unauthorised person can gain access to it. Either:
• Log out: this will close down all the programs that you have running.
• Lock the computer: press the Windows key and the L key at the same time. This simply locks the computer without closing the programs; to unlock, enter your password.

5.0 Homeworking and Remote Access

5.1 If accessing BCVS data and e-mails on a shared device at home, set up a separate profile with a password you do not share, based on the advice in Section 2.

5.2 Staff should always use personal firewalls and make sure all programmes are up to date.

5.3 Home computers should not be left unattended if accessing work e-mails or work documents.

5.4 If working remotely then access to BCVS e-mail accounts and Dropbox accounts should be made through a web browser and not downloaded.

5.5 Dropbox does not scan for viruses. If a staff member is working from home, they should ensure they have up-to-date anti-virus software installed on their home PC.

5.6 If working remotely, staff should not connect to the web through unsecured public networks to access BCVS confidential data. Make use of BT Wifi.

6.0 Back ups

Bournemouth CVS will regularly back up data as follows:

6.1 The Shared Drive is saved on an encrypted external hard drive. The Data Protection Officer is responsible for plugging the external hard drive in and taking the hard drive off site with them each day. The Data Protection Officer is responsible for ensuring the password to this device is secure.

6.2 Back up of Sage accounts and payroll is saved on an encrypted USB memory stick. The Bookkeeper is responsible for backing them up and taking the USB memory stick offsite with them. The Bookkeeper is responsible for ensuring the password to this device is secure.

6.3 Back ups of files that are not saved in the shared drive are to be saved on personal Dropbox accounts (an online cloud). All staff are to ensure passwords to this are secure.

Date

Signed

Chair of BCVS Board Chief Executive BCVS

Policy agreed: 1 December 2016

Policy to be reviewed and amended by December 2020
