Introduction
Shaping Tomorrow Ltd. (the Company) is responsible for the security and integrity of all data it holds. The Company must protect this data using all means necessary by ensuring at all times that any incident which could cause damage to the Company's assets and reputation is prevented and/or minimised. There are many types of incidents which could affect security:
A computer security incident is an event that adversely affects computer processing or the use of computer systems. This includes:
Other incidents include:
Ensuring efficient reporting and management of security incidents helps reduce and in many cases, prevent incidents occurring.
Purpose
Management of security incidents described in this policy requires the Company to have clear guidance, policies and procedures in place.
The purpose of this policy is to:
Scope
This policy applies to:
Policy Statement
Password disclosures
Unique IDs and account passwords are used to allow an individual access to systems and data. It is imperative that individual passwords are not disclosed to others - regardless of trust. If an individual needs access to data or a system, they must go through the correct procedures for authorisation.
Virus warnings/alerts
All computers in use across the Council have Antivirus (including Anti-Spyware/Malware). For the most part, the interaction between the computer and antivirus software will go unnoticed by users of the computer. On occasion, an antivirus warning message may appear on the computer screen. The message may indicate that a virus has been detected which could cause loss, theft or damage to data. The warning message may also indicate that the antivirus software is not able to rectify the problem; in that case the user must report it as soon as possible.
Data loss/disclosure
The potential for data loss applies to any data which is:
The Company, its contractors and vendors must act responsibly, professionally and be mindful of the importance of maintaining the security and integrity of Company and client data at all times.
Any loss of data and/or disclosure whether intentional or accidental must be reported immediately.
Physical Security
Maintaining the physical security of offices and rooms where data is stored, maintained, viewed or accessed is of paramount importance. Rooms or offices which have been designated specifically as areas where secure information is located or stored must have a method of physically securing access to the room - e.g. a combination key lock mechanism. Lower floor/level windows could also provide access to the room/office and must also be securely locked - particularly when the room is left unattended. Rooms which have not been secured should not be used to store sensitive and personal information and data - concerns about any rooms/office which should be securely locked or access restricted must be reported.
Logical Security / Access Controls
Controlling, managing and restricting access to the Authority's Network, Databases and applications is an essential part of Information Security. It is necessary to ensure that only authorised employees can gain access to information which is processed and maintained electronically.
Missing correspondence
Data or information which has been sent either electronically or physically and which cannot be accounted for (e.g. not arrived at the intended destination via physical post, sent electronically but not received, sent for printing but no printed output retrieved, etc.) must be reported.
Found correspondence/media
Data stored on any storage media, or physically printed information, which has been found in a place other than a secure location, or in a place where the security and integrity of the data/information could be compromised by unauthorised viewing and/or access (e.g. unattended printouts, discarded CD media), must be reported.
Loss or theft of IT/information
Data or information which can no longer be located or accounted for (e.g. cannot be found in the location where it is expected to be, such as a filing cabinet), or which is known or suspected to have been stolen, must be reported immediately.
Responsibilities
It is the responsibility of the Company, its contractors and vendors who undertake work for the Company, on or off the premises, to be proactive in the reporting of security incidents. The Company's Incident Reporting procedures are in place to prevent and minimise the risk of damage to the integrity and security of Company or client data and information.
It is also a responsibility of all individuals and handlers of Company and client data and information to ensure that all policies and procedures dealing with the security and integrity of information and data are followed.
Compliance with legal and contractual obligations
The Data Protection Act (1998) requires that personal data be kept secure against unauthorised access or disclosure.
The Computer Misuse Act (1990) covers unauthorised access to computer systems.
Breaches of Policy
Breaches of this policy and/or security incidents are incidents which could have, or have resulted in, loss or damage to Company or client assets, including IT equipment and information, or conduct which is in breach of the Company's security procedures and policies.
The Company, its contractors and vendors all have a responsibility to report security incidents and breaches of this policy as quickly as possible through the Company's Incident Reporting Procedure. This obligation also extends to any external organisation contracted to support or access the Information Systems of the Company.
In the case of third party vendors, consultants or contractors, non-compliance could result in the immediate removal of access to the system. If damage to or compromise of the Company's ICT systems or network results from the non-compliance, the Company will consider legal action against the third party. The Company will take appropriate measures to remedy any breach of the policy through the relevant frameworks in place.