Computer Security Policy and Standards
Resources CONFIDENTIAL Business & Technology Solutions
Scottish Borders Council Computer Security Policy and Standards January 2011
SBC Computer Security Policy and Standards 1 of 22 Version: 2.6 Date: January 2011 Resources CONFIDENTIAL Business & Technology Solutions
Revision history
VERSION NO. | REVISED BY | DESCRIPTION OF CHANGES | DATE
2.0 | Head of IT | Initial Document | 1 September 2000
2.1 | IT Security Manager | Changes made to: Quick guide - Data Protection, S16, S31, S75 | 22 July 2002
2.2 | IT Security Manager | Addition of Responsibilities Section. Formatting changed | 19 August 2002
2.3 | IT Security Manager | Removed Hyperlinks. Amended Table of Contents | 24 April 2003
2.4 | IT Security Manager | Added in response to GSX requirements: S35 – GSX connection use; S52 – Statement on the use of personal equipment added; Section 9 added – review section. Formatting changed. Telephony section deleted | 7 June 2005
2.5 | Head of IT & IT Security Manager | Annual update & review | 18 September 2007
2.6 | Head of IT, Chief Internal Auditor | Additions made to Quick Guide – Storage of Confidential and Sensitive Data – S24 | 7 April 2008
2.7 | Head of BTS | Updating wording from IT to BTS | January 2011
TABLE OF CONTENTS
Contents ... Page
Computer Security Policy Statement ... 4
SBC COMPUTER SECURITY POLICY – A QUICK GUIDE ... 5
1 INTRODUCTION ... 7
2 ACCESS TO DATA AND SOFTWARE ... 8
  S1 – 14 Control of access rights ... 8
  S15 – 18 Use of passwords ... 10
  S19 – 25 Prevention of unauthorised casual access ... 11
  S26 – 28 Minimising risk through good systems design and testing ... 11
  S29 Control of test data ... 12
  S30 – 36 Control of access via external networks ... 12
3 CORRUPTION OR DESTRUCTION OF DATA OR SOFTWARE ... 13
  S37 – 43 Computer Viruses and other hostile software ... 14
  S44 – 46 Processing errors, hardware or other system faults, and human error ... 14
  S47 – 48 Power supply fluctuations ... 15
4 OPERATIONAL SECURITY ... 15
  S49 – 53 Procurement, installation and use of software ... 15
  S54 – 56 Back-ups ... 16
  S57 – 61 Operational procedures ... 16
  S62 IT developments and projects ... 17
  S63 – 64 Test and development environments ... 17
  S65 – 66 Disaster Recovery ... 17
  S67 Business Continuity ... 17
5 PHYSICAL SECURITY ... 17
  S68 – 81 Physical Security ... 18
6 RESPONSIBILITIES ... 19
  Systems Management ... 20
  Systems Administration ... 20
7 PERSONAL DATA ... 21
8 REVIEWS ... 21
Scottish Borders Council
Computer Security Policy Statement
Scottish Borders Council is committed to ensuring the adequate protection of its computer equipment, software, networks and computerised information from theft, loss, damage whether malicious or accidental, corruption or unauthorised use. The Council is also committed to improving legitimate access to information for the public, other organisations, elected members, and its own staff, through the use of information technology.
The Head of Business & Technology Solutions is responsible for providing guidance on specific procedures and rules to be adopted and on the use of equipment, software or other products to provide an adequate level of protection. All line managers are responsible for ensuring that their staff and contractors, or volunteers (where relevant), are fully aware of the Council’s Computer Security Policy and Standards, that the procedures and rules are adhered to within their own departments, and that any necessary security related products are used where required.
Where computer facilities are provided for the public, adequate security measures will be provided as an integral part of the service offered. Protection of the Council’s systems and information will not be dependent on actions to be taken by the public.
The Council’s Computer Security Policy and Standards are compulsory. Any additional security measures affecting individual departments or systems, agreed by the relevant line manager and Head of Information Technology, are also compulsory.
The security standards adopted by the Council take into account:
- the likelihood of a particular risk;
- potential damage should a particular risk occur;
- the cost of protection.
Any deliberate breach of the Council’s Computer Security Policy and Standards may result in disciplinary action.
The Council recognises that as its use of technology increases the likelihood and sophistication of threats to the security of equipment, systems and information will increase, as will the costs of protection. In order to minimise risk and costs of protection, any new IT related services or products which would increase risk at a corporate level or incur additional costs of protection at a corporate level will require corporate agreement.
This policy applies to all elected members and employees of the Council and, where appropriate, to contractors, volunteers, agents and computer services and products provided by external suppliers.
These standards do not apply to curricular computing, which is covered by separate standards issued by the Director of Education & Lifelong Learning.
SBC COMPUTER SECURITY POLICY - A QUICK GUIDE
Scottish Borders Council has adopted Computer Security Policy and Standards which are compulsory and apply to all employees of the Council. Any deliberate breach of the Council’s computer security standards may result in disciplinary action. The Council also has a legal obligation under the Data Protection Act 1998 to ensure that any information it holds on computer about individuals is protected from misuse.
It is therefore vital that we provide effective controls, and comply with all rules, in all aspects of computer security and access to information. The undernoted “Quick Guide” provides a summary of the key areas and issues involved with IT Security Policy and the resultant responsibilities you have as a user of IT systems. Please note that the Quick Guide is not a substitute for staff familiarising themselves with the detailed Policy Standards. If required staff should seek guidance in the first instance from their departmental management on the procedures and rules pertaining.
KEY REMINDERS ABOUT COMPUTER SECURITY
SOFTWARE - Only software authorised by the Head of Business & Technology Solutions and covered by a valid licence agreement may be installed on a computer. Checks may be carried out at any time to ensure that only authorised and licensed software is resident on a machine.
USE OF COUNCIL EQUIPMENT - Use of Council equipment (including lap-tops) is restricted to Council business unless expressly authorised by the relevant line manager in consultation with the Head of Business & Technology Solutions. (see also Financial Regulations Section 15.3)
CONFIGURATION OF PCs - The configuration of PCs, lap-tops, file-servers and work stations may only be changed by central BTS support staff or other personnel authorised by the Head of Business & Technology Solutions.
COMPUTER VIRUSES - Do not use any removable media or computer files unless they have been screened by appropriate anti-virus software, either resident on your own computer, held in your department, or available through the BTS Service Desk.
ACCESS TO DATA AND SOFTWARE - Treat your access credentials (user names, passwords, e-tokens) as strictly confidential; they should never be shared or disclosed to anyone. If in doubt seek guidance from IT.
PC BACK UP – If you are using a networked PC, always store your data in your home directory. Your home directory is stored on a server that is automatically backed up. If you store information on your C drive you must be aware that this is not automatically backed up. It is your responsibility to ensure that any important files are copied to your home directory and these will, in turn, be backed up automatically. If you are using a stand alone machine, you should take regular and comprehensive back up security dumps of your systems and data. Responsibility for ensuring this takes place, and responsibility for provision of appropriate training, lies with your departmental line management.
COMPUTER OUTPUT - Any computer output (paper, or files transferred to removable data, etc.) containing confidential information must be disposed of or erased securely. Guidance should be sought from Internal Audit.
PHYSICAL SECURITY - The security procedures in force at each of the Council’s buildings must be strictly adhered to, and you should take all practical steps to ensure your equipment is made secure and can be accounted for (see also Financial Regulations Section 15.3). PC / lap-top / palm-top users should lock them or log out prior to leaving them unattended.
DATA PROTECTION - All systems using personal data within the Council must be notified under the Data Protection Act 1998. Data relating to individuals in word processing or spreadsheet files should be notified and you should not disclose personal information to anyone not covered by the notification entry. The Data Protection Information Commissioner can make individuals responsible for breaches of this act. (see also Data Protection Act - Procedures and Forms, and Data Protection Act - “Quick Guide”. Both of these documents are available on the SBC Intranet).
STORAGE OF SENSITIVE OR CONFIDENTIAL DATA - Such data should only be stored on shared network drives (G: Drive) or personal network drives (H: Drive), and not on PC C: Drives or other mobile media, i.e. USB memory sticks, CDs, DVDs. Where there is a business requirement to store or transfer such data on any mobile device, advice should be obtained from Resources BTS.
COMPUTER SECURITY STANDARDS
1 INTRODUCTION
1.1 Much of the information held by the Council and which it needs in order to carry out its business can only be accessed through the use of computer systems. This means that any loss of equipment, software, information or network availability could result in serious disruption of services and possible financial loss.
1.2 To minimise the likelihood and impact of incidents caused by inadequate security, the Council has adopted a set of computer security standards. These are a number of basic rules to be applied throughout the Council. They cover four main aspects of security:
- access to information and computer programs used to process it;
- accuracy and completeness of information and computer programs used to process it;
- availability of information, communication links and computer systems;
- physical security of computer equipment.
1.3 Adherence to these rules will help to ensure that the Council adheres to good practice as outlined in BS7799, the Code of Practice for Information Security Management, and complies with relevant IT related legislation, e.g.:
- Computer Misuse Act 1990
- Copyright, Designs and Patents Act 1977
- Data Protection Act 1998
- Freedom of Information (Scotland) Act 2002
1.4 Standards cannot guarantee 100% protection but will help to significantly reduce the risk of an incident occurring and the resulting damage should there be an incident. All parts of the standards are mandatory, as lax control in one area could negate effective control in all other areas. They are grouped together under general headings to make them easier to read and absorb, but this is somewhat arbitrary, and most of the rules will help minimise a number of different risks.
1.5 It must be stressed that security standards can only relate to the known risks for the level of technology in use in the Council at the time of writing. Because the Council’s use of computer technology is constantly developing, both the potential risks and techniques for minimising them must be kept under constant scrutiny. The standards will therefore be reviewed on an on-going basis.
1.6 The following sections discuss the issues which present the most likely risks for the Council, based on the current level of technology and methods of working, and detail the standards adopted by the Council to minimise these risks. However, this does not mean that other types of risk can be ignored, or may not happen.
1.7 Wherever possible, the standards are written in plain English, but in many instances the standards are dealing with concepts for which there is no alternative other than to use technical terminology.
1.8 All employees, contractors, and volunteers who are required to make use of any of the Council’s computer equipment must be made aware of these security standards, how they affect their job, and the seriousness with which the Council would regard any breach of the rules. BTS Business Managers will work with Departments to ensure the implications of the Standards are clearly understood and implemented.
1.9 These standards do not apply to curricular computing, which is covered by separate standards issued by the Director of Education.
2 ACCESS TO DATA AND SOFTWARE
2.1 The Council’s computer systems and networks play an important role in making information easily and immediately available to elected members, staff, and the public, and this role will increase in the future. Rules for the Administration of Public Information are given in the Freedom of Information (Scotland) Act 2002. It is important that information which is for general consumption should be presented in a way which makes it easy to access and is not surrounded by unnecessary security measures.
2.2 However, the Council also holds information to which access must be restricted because it is of a confidential or personal nature, commercially or politically sensitive, or to prevent the possibility of fraud or accidental damage. Any attempt to access computer data without proper authorisation is an offence under the Computer Misuse Act 1990. Rules for the administration of personal information are given in the Data Protection Act 1998 ( see also Data Protection Act - Procedures and Forms, and Data Protection Act - “Quick Guide”. Both of these documents are available on the SBC Intranet). The potential damage which could be caused by unauthorised access ranges across:
- malicious or fraudulent tampering with data (e.g. inserting false payment records);
- malicious or fraudulent tampering with programs (e.g. to suppress issue of a final notice);
- accidental alteration or deletion of data or programs, which could potentially result in the complete loss or corruption of information belonging to a system (e.g. all Payroll records);
- politically sensitive information being made available to the press / general public;
- personal information about staff, councillors, and clients being accessed by unauthorised members of staff or the public;
- premature release of information affecting staff;
- commercially sensitive information.
2.3 The likelihood of any of the above occurring, and the potential damage to the Council, differs between systems, but lax control could easily result in major disruption to the Council. The main sources of risk for the Council are:
- lack of rigour in the use of User Ids, passwords and e-tokens;
- lack of rigour in keeping access rights up to date, particularly when staff change duties or leave the Council;
- staff being given access to more functions than they actually need or have received training in how to use;
- PCs being left unattended and accessible to other staff, visitors or the public;
- uncontrolled access to systems by 3rd party suppliers, members of other organisations, or the public;
- inadequate training in and awareness of the responsibilities arising out of the Data Protection Act 1998 and its implementation within SBC;
- poor system design, with inadequate internal checks, controls, and / or audit trails;
- hackers.
2.4 The Council has adopted the following Computer Security Standards to help reduce the above risks:
Control of access rights
S1 A system administrator and at least one depute shall be appointed for all multi-user applications, file-servers, local area networks and the wide area network. The system administrator is responsible for controlling allocation of access rights to the functions within the system, maintaining records of access rights which have been granted, and ensuring access rights are kept up to date, particularly where staff or contractors change duties or leave the Council.
S2 Access shall only be granted to the functions an individual user requires. If a system administrator’s existing user Id does not have sufficient rights to allow them to administer the system, they may be required to log on using a separate administration user Id. Where this is necessary, the system administrator must identify and agree with the Chief Internal Auditor a level of security and audit trail appropriate for the content of the system. System administrators for Unix or Windows systems shall not be given direct access to the operating system.
S3 Individuals should not normally have update access to their own records within systems which offer any opportunity for fraud (e.g. payroll, personnel, council tax). Where this is unavoidable, the system design must include an audit trail agreeable to the Chief Internal Auditor to identify who carried out any update actions, with information retained for a period appropriate to the nature of the application.
S4 Central BTS support staff are authorised to access any of the Council’s IT equipment, software or data held on any of the Council’s IT infrastructure. Where possible, and if appropriate, they will ask or advise users prior to doing so, and will ensure that all information is treated confidentially.
S5 BTS support staff shall not have update access to live data files. When this is required, e.g. to rectify a system problem, the system administrator shall authorise access on a temporary basis, to be rescinded as soon as the work has been completed. Where BTS support staff are also legitimate users of a system, access for this purpose shall be via a separate User Id.
S6 Requests for access to the Council’s data network and networked applications, including requests for changes or deletions, shall be channelled through authorised staff nominated by each department and submitted to the BTS Service Desk using the standard documentation provided by the Service Desk (the Request for New NT User form and the Request for Change to Existing NT Users form are available on the SBC Intranet).
S7 If intervention from central BTS support staff is needed to create, amend or delete User Ids, access rights, or passwords for user controlled systems, this shall only be done on instruction from the system administrator using the standard documentation provided by the BTS Service Desk.
S8 Access to any networked system by a 3rd party supplier, including remote access support arrangements, shall be controlled by the central BTS Unit. The system administrator shall authorise access on a temporary basis, to be rescinded as soon as the work has been completed. Sessions shall be open only for the duration needed by the supplier to perform specific functions, and access shall be restricted to the application only. Requests for, and records of, supplier sessions to systems shall be retained by the central BTS Unit. Suppliers must not be able to initiate a session to a networked system without the knowledge of the central BTS Unit. All contracts or other arrangements involving access to the Council’s computer facilities by external parties shall include an agreement by the external party to abide by the conditions of the Council’s security standards. Line managers may impose additional conditions concerning access to confidential or sensitive information. 3rd party remote access will only be permitted within core working hours, Monday – Friday, 9am to 5pm. Requests for access outwith these hours must be authorised in advance by the Head of Business & Technology Solutions.
S9 Access to the Council’s network shall normally be via a unique User Id which identifies a single individual. Generic User Ids shall not be made available except for support purposes within the central BTS Unit or in circumstances which meet the requirements set out at S11 below. The BTS Desktop Services Manager shall be responsible for controlling access to the Domain for support purposes.
S10 The public and members of other organisations shall not be granted uncontrolled access to the Council’s network. Access to public applications from within the Council’s network shall be controlled by restricting access to the application only. Access from outside the Council’s network shall be channelled through a secure route direct to the application concerned. The BTS Security Manager shall be responsible for authorising any technical solution to be adopted for providing access to any of the Council’s systems by the public or other organisations.
S11 Access to multi-user applications shall be via a unique User Id which identifies a single individual. However, generic User Ids may be made available for direct access to individual applications where the Chief Internal Auditor has confirmed that no audit trail is required within the application concerned, and BTS Managers are satisfied that it is not possible for a user to break out of the application. For applications where the system administrator function is accessed only through a generic User Id, the systems administrator shall be responsible for controlling access to this Id; if a new administrator is appointed, they shall be responsible for ensuring the password is changed at the point of hand over.
S12 Attempts to login to a system or network must abort after a maximum of 3 failed attempts and an audit trail be created. Systems administrators should advise the central BTS Unit of any systems currently in use which do not have this required functionality, and undertake an assessment of the risks having regard to the content and functionality of the system. Early replacement of these systems is advocated.
S13 System administrators shall investigate all failed login attempts to determine if they were accidental, indicating that user training is required, or indicating that unauthorised access was being attempted. System administrators should develop and agree with the central BTS Unit an action plan to be followed if unauthorised access is suspected. Appropriate action may include advising Internal Audit, advising the BTS Service Desk, and closing down the system.
S14 System administrators are responsible for ensuring that there is a clear audit trail of all successful logins, and for how long they should be retained, depending on the nature and content of the system concerned.
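The following is an added illustration of the login control that S12 to S14 require (abort after a maximum of 3 failed attempts, an audit trail of every attempt, and a report the system administrator can use to investigate failures). It is example code written for this page, not Council software; the account store, the PBKDF2 password hashing and the sample user are constructed assumptions, and a real system would persist the audit log rather than keep it in memory.

```python
"""Login throttling with an audit trail in the shape S12-S14 describe.
Illustrative code only, not Scottish Borders Council software; the account
store and hashing scheme below are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 3  # S12: abort after a maximum of 3 failed attempts


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value is not the password itself (S18).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class LoginGuard:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # S12/S14: every attempt

    def add_account(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, salt, _hash_password(password, salt))

    def _record(self, user_id: str, outcome: str, source: str) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,
            "source": source,
            "outcome": outcome,
        })

    def login(self, user_id: str, password: str, source: str = "console") -> str:
        """Return 'success', 'failed', 'locked' or 'unknown_user'."""
        account = self.accounts.get(user_id)
        if account is None:
            # Unknown ids are audited too; the caller should not reveal why it failed.
            self._record(user_id, "unknown_user", source)
            return "unknown_user"
        if account.locked:
            self._record(user_id, "locked", source)
            return "locked"
        candidate = _hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.digest):
            account.failed_attempts = 0
            self._record(user_id, "success", source)
            return "success"
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True  # further attempts abort until an administrator resets
            self._record(user_id, "locked", source)
            return "locked"
        self._record(user_id, "failed", source)
        return "failed"

    def unlock(self, user_id: str, administrator: str) -> None:
        """S13: reset only after the administrator has investigated the failures."""
        account = self.accounts[user_id]
        account.locked = False
        account.failed_attempts = 0
        self._record(user_id, f"unlocked_by:{administrator}", "admin")

    def failed_login_report(self) -> dict:
        """S13: count unsuccessful outcomes per user id for investigation."""
        report: dict = {}
        for entry in self.audit_log:
            if entry["outcome"] in ("failed", "locked", "unknown_user"):
                report[entry["user_id"]] = report.get(entry["user_id"], 0) + 1
        return report


if __name__ == "__main__":
    guard = LoginGuard()
    guard.add_account("jsmith", "Tweed-Valley9")  # constructed sample user
    for attempt in ("wrong1", "wrong2", "wrong3", "Tweed-Valley9"):
        print(attempt, "->", guard.login("jsmith", attempt, source="10.0.0.5"))
    print(guard.failed_login_report())
```

Successful logins are written to the same audit log as failures, which is what S14 asks for; the report only filters that log, so the retention period the administrator chooses applies to both.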
Use of passwords
S15 The Council’s networks, multi-user systems, and single user systems containing data of a confidential, sensitive or critical nature, shall also be protected by passwords. Passwords must be at least 7 characters long and complex in nature. They must not be the same as the User Id, “password”, null or space(s). For live systems, passwords should contain at least one non-alphabetic character and not contain common words, the user’s own name or easily guessed pet names. Where systems are supplied with default passwords, these must be changed prior to live use. Network and application passwords should not normally be the same; any proposed exceptions to this should be discussed with the BTS Security Manager or the Head of Business & Technology Solutions.
S16 Systems must be designed to enforce a password change at least every three months. A password change is not forced on the Council’s Microsoft Network because user authentication is carried out using e-tokens and certificates. Password changes are enforced within 35 days on Unix systems. Systems which are designed to provide unrestricted access should not demand input of a password. Where possible, users should be prevented from re-using their previous 5 passwords.
S17 Passwords must not be disclosed; wherever possible they should not be written down, but where this is unavoidable, they must be stored in a secure place. If stored in a computer file, this file must itself be password protected and encrypted. Passwords should not be transferred across the network, but where this is unavoidable, they must be encrypted.
S18 An initial password may be set by the system administrator; the user shall then change it immediately to one which only they know. Values of passwords (other than initial ones) must not be accessible to the system administrator; if a user forgets their password, the system administrator may reset it to a new value, which shall then be changed immediately by the user to one which only they know.
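An added example of how the S15 and S16 password rules can be checked at the point a password is set: minimum length 7, not equal to the User Id, not "password", not empty or spaces only, at least one non-alphabetic character, no common words or the user's own name, supplier defaults rejected, and no re-use of the previous 5 passwords. This is illustrative code written for this page, not the Council's own; the word lists and the SHA-256 history digests are constructed assumptions, and a production history would use a salted, slow hash as the previous example does.

```python
"""Password acceptance checks matching S15 and S16.
Illustrative code only, not the Council's own; the word lists below are
constructed for the example and are deliberately short."""
import hashlib
import re

MIN_LENGTH = 7       # S15: at least 7 characters
HISTORY_DEPTH = 5    # S16: the previous 5 passwords may not be re-used

# Constructed sample lists; a real deployment would use a fuller dictionary.
COMMON_WORDS = {"welcome", "letmein", "qwerty", "summer", "council"}
DEFAULT_PASSWORDS = {"admin", "changeme", "manager"}


def password_digest(password: str) -> str:
    """Digest kept in the re-use history so clear-text passwords are never stored (S17)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(password: str, user_id: str, full_name: str = "",
                   history: tuple = ()) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    if password.strip() == "":
        return ["password is empty or spaces only"]
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered == user_id.lower():
        problems.append("same as the user id")
    if lowered == "password":
        problems.append('is the word "password"')
    if not re.search(r"[^A-Za-z]", password):
        problems.append("contains no non-alphabetic character")
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    for part in full_name.lower().split():
        # Short name fragments (initials) would match too freely, so skip them.
        if len(part) >= 3 and part in lowered:
            problems.append(f"contains the user's own name '{part}'")
    if lowered in DEFAULT_PASSWORDS:
        problems.append("is a supplier default password")
    if password_digest(password) in tuple(history)[-HISTORY_DEPTH:]:
        problems.append(f"re-uses one of the previous {HISTORY_DEPTH} passwords")
    return problems


def record_password(history: tuple, new_password: str) -> tuple:
    """Append the new password's digest and keep only the last HISTORY_DEPTH entries."""
    return (tuple(history) + (password_digest(new_password),))[-HISTORY_DEPTH:]


if __name__ == "__main__":
    # Constructed sample: a user with a short history of previous passwords.
    history = ()
    for old in ("Borders-1!", "Borders-2!"):
        history = record_password(history, old)
    for candidate in ("Tweed-Valley9", "jsmith", "Summer2024", "Borders-2!"):
        print(candidate, "->", check_password(candidate, "jsmith", "John Smith", history) or "ok")
```

The check returns every violated rule rather than stopping at the first, so the message shown to the user (or logged by the administrator) explains what to change; the history is rotated with record_password only after a password has passed the check.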
Prevention of unauthorised casual access
S19 All networked PCs/laptops shall be configured to time-out to a standard, password protected screen-saver after 15 minutes of inactivity.
S20 Users of palm-tops should be aware that there is no time-out facility. Palm-tops cannot be used to gain access to the network, however, a user’s calendar and recent mails will be visible and accessible via an unattended palm-top. Users should, therefore, consider locking palm-tops away when not in use.
S21 Users of networked PCs/laptops must lock the screen or log out prior to leaving them unattended. Users logged on with an e-token will achieve this by simply removing the token.
S22 Users of stand alone PCs should be aware that there is no automatic log-out, and should always lock them or log out prior to leaving them unattended.
S23 Users shall ensure their PC/laptop is not sited such that information which is not in the public domain can be seen by visitors, members of the public, or other people not entitled to see it.
S24 Users shall ensure electronic files containing confidential or sensitive data are stored securely, i.e. on a file-server, not the local desk-top, and with password protection where necessary. Also, diskettes, CDs, DVDs, memory sticks, paper, and other free-standing files containing confidential or sensitive data must be stored securely at all times. In addition, paper files containing confidential or sensitive data must not be left lying around where the contents could be read by visitors, the public, or other people not entitled to see them.
S25 Where confidential or sensitive data is to be passed across the Council’s network or across an external network, including the Internet, users must ensure that the most secure methods of transmission are used. Where appropriate, systems should be designed to produce encrypted files. Consideration should also be given to password protection of files; however, systems administrators and line managers should be aware that difficulties may arise if passwords known only to an individual are forgotten, and should also ensure that these passwords are revealed and changed before an individual leaves employment.
Minimising risk through good systems design and testing
S26 Specifications of new systems or system enhancements shall include compliance with the Council’s Computer Security Policy & Standards.
S27 New systems and system enhancements shall be tested and documented in accordance with the Council’s IT Testing Procedures prior to live use. Testing shall cover adherence to the Council’s Computer Security Policy & Standards as well as the internal checks and controls associated with the business aspects of the system.
S28 All multi-user systems shall provide audit trails; any exceptions to be authorised by the Chief Internal Auditor.
Control of test data
S29 The Council’s data shall not be made available to a supplier for testing, data conversion, or any other purposes without prior written authorisation from the data owner of the system concerned. This should be issued to the supplier, and a copy lodged with the project documentation for new systems, or with the Data Protection Act notification for existing systems. Wherever possible, dummy or encrypted data should be used for testing purposes. Additionally, suppliers will be required to complete a confidentiality statement, copies of which are available from the central BTS Access to Information Officer.
Control of access via external networks
S30 All Internet traffic to / from networked PCs / lap-tops shall be routed via a central firewalled gateway, managed by the central IT Unit. The BTS Security Manager shall be responsible for maintaining all Firewall and associated software at the most up to date level.
S31 All users must be aware of the risks associated with downloading files from the Internet. The deliberate downloading of any application, programme, executable, script code, or other executable that will install automatically, or can be installed manually, places an unacceptable level of risk on the Council’s network. Users are not allowed to download such files. Internet web browsing facilities have been provided to Council staff in order that they can access and print information. Users who require this type of file to be downloaded should contact the BTS Service Desk, giving details of where the file(s) can be found. Further, more detailed, advice on this issue is contained in the Council Policy and Guidelines on the use of E-mail and the Intranet (copy available on the SBC Intranet).
S32 Modem connections to an external network are not allowed from any network PC/laptop. Specific exceptions to this, for business critical purposes only, must be arranged with the approval of the Head of Business & Technology Solutions.
S33 Remote access from external networks is provided securely by ‘dial up’ through a security demilitarised zone (DMZ), or IPSEC ‘VPN’ through our Firewall. All requests to utilise this facility should be made to the BTS Security Manager.
S34 Internet access from stand alone PCs/laptops should be organised via an Internet Service Provider (ISP); the central IT Unit can advise on cost effective subscription ISPs for business critical use.
S35 All users must be aware of the risks associated with receiving or sending email attachments. The receipt of emails with executable attachments places an unacceptable risk on the Council's network. Users could discourage 3rd parties from sending such attachments. All attachments which can potentially execute are blocked at the SBC Internet email gateway. Users who require emails which have, or are suspected of containing, an executable file should contact the BTS Service Desk giving details of the email. Further information is contained in the Council Policy and Guidelines on the use of E-mail and the Internet (available on the Intranet).
S36 The Council has a connection to the Government Secure Extranet (GSX) for secure email and Internet services between subscribing organisations. The GSX is a private network intended as a method for authorised Government Bodies and their partners to share material up to HMG RESTRICTED* classification. Users of the GSX must complete the Request for Change to Existing NT Users Form detailing their GSX requirement and obtain their line manager’s approval.
*HMG RESTRICTED is defined as: The compromise of this information or material would be likely:
to affect diplomatic relations adversely;
to cause substantial distress to individuals;
to make it more difficult to maintain the operational effectiveness or security of UK or allied forces;
to cause financial loss or loss of earning potential to, or facilitate improper gain or advantage for, individuals or companies;
to prejudice the investigation or facilitate the commission of crime;
to breach proper undertakings to maintain the confidence of information provided by third parties;
to impede the effective development or operation of government policies;
to breach statutory restrictions on disclosure of information;
to disadvantage Government in commercial or policy negotiations with others;
to undermine the proper management of the public sector and its operations.
Information supplied by the Central Government E-envoy's office
3. CORRUPTION OR DESTRUCTION OF DATA OR SOFTWARE
3.1 Data or software can become corrupted or destroyed for a variety of reasons:
introduction of computer viruses and other hostile software;
processing errors;
hardware or other system faults;
human error;
power supply fluctuations;
malicious action by user or hacker.
Computer Viruses and other hostile software
3.2 The likelihood of a computer virus being introduced within the Council is high. Although some viruses are only a nuisance, others could cause the loss or corruption of data and significant disruption to Council business either directly or as a result of any virus removal procedure.
3.3 The most common ways for a virus to be introduced are through use of external networks such as the Internet, via e-mail attachments or from interactive web sites, or by someone using and accessing removable media that is already infected with a virus. Further, more detailed, advice on this issue is contained in the Council Policy and Guidelines on the use of E-Mail and the Internet (copy available on the SBC Intranet).
3.4 It is important to remember that computer viruses and other hostile software are developed with malicious intent, and therefore the developers will continually exploit new and unusual ways of infiltrating and corrupting an organisation's data. No externally supplied removable media, disk, file or e-mail message can be regarded as ‘safe’ merely because it comes from a trusted source such as a respectable organisation, a bona fide bulletin board on an external network, another authority, or a friend - as the trusted source may be unaware of any virus infection.
3.5 The approach taken by Scottish Borders Council to protect its IT infrastructure from viruses and other hostile software is to create, as far as possible, an environment in which known viruses, etc. are automatically detected and deleted, without requiring user intervention. However, it must be remembered that although virus checking software can provide a measure of security, it cannot give 100% protection. Comprehensive use of virus checking software, together with strict adherence to the Council’s IT Policies by all computer users, provides the Council with the best level of protection. The Head of Business & Technology Solutions is authorised to close down any equipment, system or network immediately, if any Virus, Trojan, Worm, or other malware, is identified which may pose a risk to Council systems and data.
3.6 The Council has adopted the following Computer Security Standards in order to minimise the risk from viruses and hostile software:
S37 Virus protection software must be installed on all servers and networked desktops/laptops. The BTS Desktop Services Manager shall be responsible for ensuring a product is used which gives adequate protection, and that it is maintained at the most up to date level. No user shall attempt to disable this software.
S38 Virus protection software must be installed on all new stand alone machines. The central BTS Unit will configure the software to ensure that updates are applied as necessary. If this cannot be accomplished automatically, a manual process will be identified. Departmental Business Partners shall be responsible for ensuring that all stand alone machines receive these updates.
S39 All removable media must be checked for viruses before use on any stand alone legacy machine which does not have adequate anti-virus protection. Where departments do not have their own facilities for scanning removable media for viruses, users should contact the BTS Service Desk for assistance.
S40 Departmental Business Partners shall be responsible for ensuring all networked laptops which are in use are connected to the network when requested by the central BTS Unit. This will be required to ensure an up-to-date level of anti-virus protection is maintained, and that any software packages which are distributed remotely are also picked up timeously.
S41 Removable media for use on Council equipment must be purchased from suppliers who guarantee their products free from infection, and through the contract(s) set up by the central Purchasing Unit in accordance with the Central Purchasing Policy (copy available on the Intranet).
S42 The central BTS Unit will disable the diskette drives on all public access PCs which are connected to the SBC network. For stand alone public access PCs, users will be encouraged to report suspected problems as a priority, and staff will then activate the procedure outlined at S43 (below). All stand alone public access PCs will display disclaimer notices to advise users that Scottish Borders Council does not accept responsibility for any damage or loss incurred as a result of using the PC.
S43 Any user who detects a virus or suspects that there may be one, must stop using the affected equipment (but not switch off) and inform the BTS Service Desk immediately. Investigation of a reported virus shall take priority over other IT support work, and over the work the user had intended doing on the potentially infected equipment. The BTS Security Manager shall be responsible for proposing an action plan to limit or eradicate the virus. Departmental Business Partners shall be responsible for co-ordinating action in their own department and liaising with the relevant business managers. All affected users shall comply with the required actions. The BTS Service Desk shall maintain a record of all reported virus attacks and the action taken.
Processing errors, hardware or other system faults, and human error
3.7 Although steps can be taken to reduce the likelihood of such errors or faults, they can never be completely ruled out. The Computer Security Standards adopted by the Council are therefore designed firstly to minimise the likelihood of such an event, and then to minimise the impact should one occur (see section 4 on Operational Security).
S44 System administrators shall ensure that user and support documentation for their system is made available to the appropriate people and kept up to date.
S45 System administrators, in conjunction with line managers, shall ensure that all users and support staff receive adequate training prior to live use of systems and/or upgrades where appropriate. The systems administrator shall withhold access rights until adequate training has been provided.
S46 Specification of new systems and system enhancements shall include adequate checks and controls to enable processing and human error to be detected timeously. Procedures for all data or file transfers shall include mechanisms to prove that no files or records have been lost, generated or corrupted in the transfer, that the correct file has been transferred, and that files have not been duplicated or applied more than required. Internal system design shall not allow control totals or records to become out of step with detail records.
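S46 asks for transfer procedures that can prove nothing was lost, generated, corrupted, duplicated or applied twice, and that control totals stay in step with detail records. The following is an added example, not part of the Council's policy or any SBC system, showing one way a sending system and a receiving system can do that: the sender ships a manifest (record count, control total and SHA-256 digest of the canonical file) alongside the batch, and the receiver checks all three and refuses to apply a transfer id it has already applied. The record layout, the transfer ids and the sample batch are constructed for illustration.

```python
import hashlib
import json

# Constructed sample batch: each detail record carries a reference and an
# amount in pence. The control total is the sum of the amounts.
SAMPLE_RECORDS = [
    {"ref": "R001", "amount": 1250},
    {"ref": "R002", "amount": 400},
    {"ref": "R003", "amount": 9999},
]


def serialise(records):
    """Canonical byte form of a batch, so sender and receiver hash identical bytes."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records).encode("utf-8")


def build_manifest(transfer_id, records):
    """Sender side: the manifest travels with the file and describes what was sent."""
    payload = serialise(records)
    return {
        "transfer_id": transfer_id,                         # unique per transfer
        "record_count": len(records),                      # detects lost/generated records
        "control_total": sum(r["amount"] for r in records),  # detects altered totals
        "sha256": hashlib.sha256(payload).hexdigest(),     # detects any change at all
    }


class Receiver:
    """Receiving side: verifies a batch against its manifest before applying it."""

    def __init__(self):
        self.applied = set()   # transfer ids already applied; blocks re-application
        self.ledger_total = 0  # running total, kept in step with applied batches

    def verify(self, manifest, records):
        """Return the list of problems found; an empty list means the batch is acceptable."""
        problems = []
        if manifest["transfer_id"] in self.applied:
            problems.append("duplicate transfer")
        if len(records) != manifest["record_count"]:
            problems.append("record count mismatch")
        if sum(r["amount"] for r in records) != manifest["control_total"]:
            problems.append("control total mismatch")
        if hashlib.sha256(serialise(records)).hexdigest() != manifest["sha256"]:
            problems.append("digest mismatch")
        return problems

    def apply(self, manifest, records):
        """Apply the batch only if every check passes; return (applied, problems)."""
        problems = self.verify(manifest, records)
        if problems:
            return False, problems
        self.applied.add(manifest["transfer_id"])
        self.ledger_total += manifest["control_total"]
        return True, []


if __name__ == "__main__":
    manifest = build_manifest("T1", SAMPLE_RECORDS)
    receiver = Receiver()
    print(receiver.apply(manifest, SAMPLE_RECORDS))   # first application succeeds
    print(receiver.apply(manifest, SAMPLE_RECORDS))   # same transfer again is refused
```

The digest check matters even when count and control total agree: swapping two amounts between records leaves both unchanged, and only the digest reveals that the detail records differ from what was sent.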
Power supply fluctuations
3.8 Power fluctuations or failures can cause corruption or destruction of data being processed at the time. The approach taken by SBC to minimise this risk is to protect the main computer systems by means of an Uninterrupted Power Supply. However, only the main computer systems at HQ are currently covered by such arrangements. Other systems and the network remain vulnerable. The Council has adopted the following Computer Security Standards in order to minimise the risk from power fluctuations and outages:
S47 The Estates & Property Unit are responsible for maintaining adequate UPS cover for the main computer room and BTS Support Unit at HQ and advising all affected users of planned power outages in adequate time for arrangements to be made to close systems down. Consideration will be given to publishing the programme of dates for planned power outages on the Intranet.
S48 All users are responsible for ensuring they have logged out of all systems prior to any planned power outages.
4. OPERATIONAL SECURITY
4.1 Many potential risks to data and software integrity can be minimised by maintaining a well-controlled operational environment, with clearly specified roles and responsibilities and the use of change control procedures. For the majority of modern computer systems this requires co-ordination of procedures undertaken by system administrators, general users and BTS support and operations staff.
4.2 The Council has adopted the following Computer Security Standards to help provide a controlled operational environment:
Procurement, installation and use of software & hardware
S49 All IT equipment and software, including upgrades to existing products, shall be procured through the central BTS Unit. Prior to installation on any device connected to the Council’s network, the intended mode of use of any software or hardware must be shown to conform to the requirements of the Council’s Computer Security Policy and Standards. Acceptance criteria for all new systems and / or system enhancements shall include an evaluation of compliance to these security standards. In addition, responsibilities for operational procedures and support shall be agreed and documented prior to live use.
S50 The central BTS Unit shall issue and keep up to date, a list of software and hardware products which constitute the Council’s standard desk-top model; a list of additional products which may be obtained through the Requisition service; and a list of other products which have been approved to satisfy specific line of business requirements. These lists are published on the SBC Intranet.
S51 Software shall only be used and copied strictly in accordance with the individual licence agreement. The Head of Business & Technology Solutions is authorised to delete any unlicensed software.
S52 Use of Council equipment (including laptops) is restricted to Council business unless expressly authorised by the relevant line manager in consultation with the Head of Business & Technology Solutions (see Financial Regulations). All users with access to the Internet should be aware that the Council’s Internet Gateway monitors and logs all internet access. Details of all sites visited by an individual user are recorded, and this information may be made available to their line manager on request. Access to inappropriate content is blocked, and personal browsing may be restricted.
S53 Use of personal computer systems which includes but is not restricted to PDA’s, laptops, USB storage devices and mobile phones, for processing Council business information is strictly prohibited. Specific exceptions to this, for business critical purposes only, must be arranged with the approval of the Head of Business & Technology Solutions.
Back-ups
S54 All centrally supported applications shall be backed up using a schedule agreed between the relevant system administrator and BTS Support Manager. Where back-up procedures for file servers are carried out by user department staff, guidance notes will be provided by the central BTS Unit. Back-ups shall be held off-site in secure storage. Restoration of back-ups shall be tested at least once a year. Test plans shall include contingency to prevent the system being lost if the restore fails.
S55 The success of every back-up shall be checked as a matter of routine and any suspected problems investigated immediately. Any gaps in the back-up cycle must be investigated by the system administrator and not allowed to re-occur. Evidence of back-ups shall be retained. More detailed information concerning the back-up arrangements for specific systems is set out in the individual Statement of Services available on the Intranet.
S56 All users of stand alone equipment shall be made aware of the need to take back-ups and given instruction in how to do so. Responsibility for ensuring this takes place lies with departmental line management. The central BTS Unit will provide training where required.
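S54 and S55 require that every back-up is checked, that gaps in the cycle are found and investigated, and that evidence of back-ups is retained. As an added illustration (not an SBC procedure or tool), the script below audits a retained back-up job log against an agreed schedule and reports, per system, the scheduled working days with no recorded run and the runs that did not succeed. The log format, the system names and the assumption of a daily working-day schedule are all constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample of a retained back-up job log: date, system, result.
# (3 to 7 January 2011 is a Monday to Friday working week.)
SAMPLE_LOG = """\
2011-01-03 payroll OK
2011-01-03 housing OK
2011-01-04 payroll OK
2011-01-04 housing FAILED
2011-01-05 payroll OK
2011-01-06 payroll OK
2011-01-06 housing OK
2011-01-07 payroll OK
2011-01-07 housing OK
"""

# Assumed schedule agreed under S54: every system listed is backed up each working day.
SYSTEMS = ["payroll", "housing"]


def parse_log(text):
    """Return {system: {date: result}} from the log text; blank lines are ignored."""
    runs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        day, system, result = line.split()
        runs.setdefault(system, {})[date.fromisoformat(day)] = result
    return runs


def audit(runs, systems, start, end):
    """Check each system over the window (inclusive).

    Returns {system: {"missing": [iso dates with no run], "failed": [iso dates not OK]}}.
    Weekends are skipped because the assumed schedule covers working days only.
    """
    findings = {}
    for system in systems:
        seen = runs.get(system, {})
        missing, failed = [], []
        day = start
        while day <= end:
            if day.weekday() < 5:  # Monday=0 .. Friday=4
                result = seen.get(day)
                if result is None:
                    missing.append(day.isoformat())   # a gap in the back-up cycle
                elif result != "OK":
                    failed.append(day.isoformat())    # a run that needs investigation
            day += timedelta(days=1)
        findings[system] = {"missing": missing, "failed": failed}
    return findings


def audit_sample():
    """Run the audit over the constructed week of log lines."""
    return audit(parse_log(SAMPLE_LOG), SYSTEMS, date(2011, 1, 3), date(2011, 1, 7))


if __name__ == "__main__":
    for system, result in audit_sample().items():
        print(system, result)
```

A system that never appears in the log at all is reported as missing on every scheduled day, which is the case S55 is most concerned with: a job that silently stopped running rather than one that visibly failed.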
Operational procedures
S57 Change control procedures shall be followed for all systems for any alterations to equipment, software, network configuration or systems documentation.
S58 Capacity requirements of equipment and networks shall be routinely monitored. The Head of Business & Technology Solutions is authorised to close down any system which is causing an overload which could result in the failure of other systems or networks, pending amendment and satisfactory testing.
S59 System administrators shall retain records of all faults and failures in the live system, along with the action taken to resolve the problem. For systems supported by the central BTS Unit, information on problem resolution will be held by the BTS support teams and made available as and when required. Access to sensitive data on security and access shall be restricted to appropriate staff.
S60 Security measures within communications and networking, devices and software must be invoked. The configuration of programmable devices shall only be altered by authorised central IT support staff or their 3rd party suppliers.
S61 Access to source code shall be restricted to the authorised users noted in the documented support arrangements for the system.
IT developments and projects
S62 All IT developments and projects are governed by the procedures laid down by the Corporate Programme and Project Support Office.
Test and development environments
S63 All multi-user applications shall be supported by a test system which is separate from the live environment and can be separately backed up and restored.
S64 All centrally supported multi-user applications shall be supported by a development environment which is separate from the live environment and can be separately backed up and restored.
Disaster Recovery
S65 The BTS Systems Support Manager shall maintain a Disaster Recovery Plan covering the Council’s main line of business applications, within available budget constraints, and will be responsible for testing aspects of plan as part of an annual rolling programme.
S66 The BTS Customer Support Manager shall provide Disaster Recovery facilities for the Council’s network and standard desk-top software, within available budget constraints.
Business Continuity
S67 Line managers, in conjunction with appropriate systems administrators, shall be responsible for developing and rehearsing business continuity plans for all departmental systems.
5. PHYSICAL SECURITY
Physical Security
5.1 The main concerns around the physical security of computer equipment, software and data relate to either damage or theft.
5.2 Physical damage may be caused by poor environmental conditions, careless use, etc.
5.3 Computer theft falls into 2 main categories:
opportunist theft of single items, particularly lap-tops;
organised crime, either involving theft of complete pieces of equipment with every single PC and printer being taken, or thieves opening the equipment and taking only certain types of printed circuit board from inside the PCs, usually damaging the rest of the equipment beyond repair in the process.
5.4 The Council has already suffered from both types of incident on a number of occasions. The main risks to the Council result from:
unrestricted access (or easily avoided security checks) to offices or other buildings which are open early in the morning before most staff have arrived, during lunch-breaks, and in the early evening after most staff have left;
computer equipment easily visible from the street;
computer equipment held in public areas;
computer equipment held in offices not protected by alarm systems;
computer equipment left in vehicles.
5.5 There are several aspects to the approach taken by Scottish Borders Council to counter potential theft, including:
All main items of computer equipment, eg processors, monitors and printers, have uniquely numbered SBC Asset tags on them. The Asset tag number is held in the central Inventory System which also holds model and serial numbers, allowing an individual item to be identified. The Asset tags are allocated by the central BTS Unit at the point the equipment is issued to a department.
Many Council buildings now have security systems in place restricting access during the day, as well as out of hours.
Staff may be issued with identity cards to enable verification when visiting other offices. Departmental reception areas provide a further level of control of visitors and prevention of unauthorised access.
5.6 The Council has adopted the following Computer Security Standards to help reduce the likelihood of damage or theft:
S68 The security procedures in force at each of the Council’s buildings must be strictly adhered to, eg keeping unoccupied rooms locked, requiring visitors to sign in and out, etc. Keys for computer equipment and rooms or cupboards used to store equipment must be kept in a secure place.
S69 PC monitors should be switched off before leaving the office at the end of each working day. Lap-tops with docking stations that have a key lock should be in the locked position with the key removed; any lap-tops with docking stations that cannot be locked should be secured out of view as far as practicable. Stand alone or networked lap-tops without docking stations, should also be secured and out of view. The same advice applies to palm-tops, however, users should be aware that if these are left undocked for more than a couple of days, they will need to be put back onto the docking cradle and left to charge before they can be used.
S70 All items of computer equipment (other than consumables) shall be tagged by the central IT unit and recorded on a central inventory held by the BTS unit. The configuration of each item shall be recorded, including additional boards and memory chips, along with a complete record of software, and the name of the member of staff (or post) responsible for it. The BTS Service Desk Administrator is responsible for the control and secure storage of all unused asset tags. Asset tags shall not be removed except where equipment is being disposed of. A copy of the full inventory of supported IT equipment for each department is listed in the individual departmental Statement of Services which are available from Section Heads in BTS.
S71 Departmental Business Partners are responsible for ensuring that the BTS Service Desk is advised of any computer equipment which is moved to a new location or needs to be disposed of. Resources BTS Unit will advise on appropriate procedures for the disposal of IT equipment.
S72 Departments shall maintain a record of the allocation of all portable equipment, eg lap-tops, to enable any piece of equipment to be traced at any time. (See Internal Audit Guidelines on Inventory Maintenance.)
S73 Access to the main computer room shall be restricted to relevant BTS support staff and suppliers / contractors, as agreed with the Computer Operations Administrator.
S74 Unattended machine rooms, consoles or areas containing network equipment shall be kept secure and must only be accessible by authorised personnel.
S75 Network monitoring equipment shall be kept in a secure place when not in use; procedures must be in place to ensure it can only be used by authorised personnel.
S76 All pre-printed computer stationery shall be kept in a secure place; pre-signed cheques shall be kept in accordance with controls laid down by Internal Audit.
S77 Adequate controls shall be put in place to restrict distribution of and access to printed output to authorised personnel, and to ensure correct delivery.
S78 Computer output containing confidential or sensitive information (paper, disks, tapes, etc.) must be disposed of, or erased, securely. Guidance should be sought from Internal Audit. This applies equally to test data based on live data. Destruction of cheques must be in accordance with the controls laid down by Internal Audit. All tapes, disks and cartridges should be erased before disposal; the central IT unit will provide assistance in achieving this. Removal of personal data should be in accordance with the advice given in the Data Protection Act - Procedures and Forms, which is published on the Intranet. If computer output (paper, disks, tapes, etc.) containing confidential or sensitive information is removed by a 3rd party (e.g. a maintenance contractor replacing a faulty disk drive), SBC will exercise the right to recall media for destruction.
S79 Adequate security measures shall be agreed with line management in advance of any employee or contractor taking sensitive Council information off-site, for example to another organisation or their home, either by e-mailing, using removable media or stored on a laptop. The Council has an insurance policy providing cover for all IT equipment including laptops. All items are covered for accidental damage, theft and fire, provided users have not been careless with equipment. The Council is also covered for the loss of data and information, including the cost of data re-entry.
S80 Departmental procedures shall require any member of staff who leaves, or whose duties change significantly, to return all IT related equipment such as a laptop, mobile telephone, e-tokens or keys to equipment which are no longer required.
S81 Environmental conditions shall be monitored to minimise accidental damage to equipment, eg from flooding caused by extreme weather conditions, or the risk of accidentally switching equipment off. Equipment shall be used in conditions which conform to the environmental standards dictated by the supplier, including a clean, uninterrupted power supply where necessary; this applies equally to portable equipment when used away from the office. Desk-top equipment shall be kept clean and dust free by individual users, using products as recommended by the central BTS Unit. Arrangements for cleaning file-servers and communications equipment shall be agreed with the central BTS Unit at the time of installation. Liquids (eg cups of coffee) and food must be kept away from equipment. Equipment shall not be used in a way which could cause an overload on the electricity supply; users should contact the Health & Safety unit if in doubt.
6. RESPONSIBILITIES
6.1 The following security roles and responsibilities are defined and allocated to individuals:
Security Management
BTS Security Officer
Systems Management
Systems Administration
Security Management
6.2 The BTS Security Manager is responsible for:
periodically reviewing the security policy;
the work of any subordinate personnel with security responsibilities;
issuing, publicising and enforcing security standards;
notifying security breaches or threats to the ISCJIS Project Board;
bringing any significant changes in security policy or standards to the attention of the appropriate ISCJIS group.
6.3 The BTS Security Officer is responsible for:
ensuring that security incidents are properly investigated, and appropriate corrective action taken;
obtaining specialist advice on IT security as appropriate.
Systems Management
Systems management is split into three areas. Customer Support are responsible for the core network including Corporate servers and desktops. Systems Support are responsible for individual dedicated application servers. Systems Administrators are based in the user departments and have some responsibilities for their individual applications.
6.4 The Customer Support Manager is responsible for:
deciding who should have access to the IT system(s);
setting the level of access for users;
providing security instructions;
investigating security incidents and reporting them to the BTS Security Officer;
ensuring that security procedures are adequate, functioning efficiently, effectively, and in the manner intended;
periodically monitoring system logs.
6.4.1 The Systems Support Manager is responsible for:
deciding who should have access to the core operating system;
setting the level of access for users of the core operating system, and deciding the types of access available to, and approving the user requests from, the Systems Administrators;
providing security instructions;
investigating security incidents and reporting them to the BTS Security Officer;
ensuring that security procedures are adequate, functioning efficiently, effectively, and in the manner intended;
periodically monitoring system logs.
6.4.2 The Systems Administrators are responsible for:
deciding who should have access to the Application;
setting the level of access for users within the application only, and requesting any changes.
Systems Administration
Systems administration is split into three areas. Customer Support are responsible for the core network including Corporate servers and desktops. Systems Support are responsible for individual dedicated application servers. Systems Administrators are based in the user departments and have some responsibilities for their individual applications.
6.5 The Customer Support Manager is responsible for:
reviewing and monitoring day to day security controls and incidents, and identifying unauthorised or unusual use of the system;
advising users (including all new users) on security procedures;
maintaining records of security incidents, and reporting them to the Systems Manager;
managing the allocation, deletion or amendment of user rights and passwords;
maintaining records of authorised users;
carrying out risk assessments and ensuring that agreed controls are implemented;
periodically auditing systems to ensure that only authorised software is installed, and that systems are being used only for legitimate purposes;
carrying out checks on storage media to ensure that media containing sensitive information are not available to third parties;
producing contingency plans, and testing them periodically;
ensuring that adequate backup procedures are available, and are functioning;
ensuring the integrity of backups, and their availability for data recovery, if required.
6.6 The Systems Support Manager is responsible for:
reviewing and monitoring day to day security controls and incidents, and identifying unauthorised or unusual use of the system;
advising users (including all new users) on security procedures;
periodically auditing systems to ensure that only authorised software is installed, and that systems are being used only for legitimate purposes;
carrying out checks on storage media to ensure that media containing sensitive information are not available to third parties;
producing contingency plans, and testing them periodically;
ensuring that adequate backup procedures are available, and are functioning;
ensuring the integrity of backups, and their availability for data recovery, if required.
6.7 The Systems Administrators are responsible for:
maintaining records of security incidents, and reporting them to the Systems Support Manager;
managing the allocation, deletion or amendment of user rights and passwords;
maintaining records of authorised users;
carrying out risk assessments and ensuring that agreed controls are implemented.
7. PERSONAL DATA
The Data Protection Act 1998 lays down specific rules concerning personal information held in both computer and manual files and systems. The Council’s Computer Security Standards require all users of computer systems or output to comply with the Council’s Data Protection Policy, Code of Practice and Procedures (copy available on the SBC Intranet).
8. REVIEWS
8.1 An annual review of this policy will be undertaken to ensure that the levels of protection in place are commensurate with the value and importance of Scottish Borders Council’s assets.
8.2 The policy will also be reviewed when there are significant changes to the organisation, significant security changes within the organisation, or in response to major security incidents and new vulnerabilities.
8.3 Policy updates will be communicated to staff via an email link to the current document on the SBC Intranet.