Security Policy

The following sections from the ICT Security Policy which apply to web development are quoted here: 1.1, 1.3, 1.8, 1.9, 1.10, 1.11, 1.12. These are high-level statements, and each statement refers to detailed conformance criteria, which are currently not available on this website.

1.1. Relevant Users

1.1.1. The Council ICT Security Policy is relevant to all categories of users of Council equipment or systems, which includes Staff, Council Members, Partner Organisations, and the Public. Individual policy statements will identify any exemptions or exclusions, and some policies may relate specifically to one category (see Conformance Criteria for User Categorisation).

1.8. Access Control

1.8.1. Access to all Council networked or standalone computer services, and intelligent network devices, must be via a secure log-on process designed to minimise the opportunity for unauthorised access (see Conformance Criteria for Computer Access Control).

1.8.2. Each user of a computer system must be uniquely identified to the system. Where passwords are used they will be managed in a secure manner to ensure their confidentiality and integrity (see Conformance Criteria for User ID and Passwords).

1.8.3. Computer applications which are essential to the Council, contain information important to the provision of Council services, and/or contain data registered under the Data Protection Act, shall require a user to enter a unique identifier and password before access to the application is provided. This identifier shall determine the individual access rights afforded to the user (see Conformance Criteria for Applications Access).

1.8.4. Access to computer systems and data must be appropriately secured when left unattended (see Conformance Criteria for Unattended Computers).

1.8.5. All system use shall be monitored to ensure conformance with the policy (see Conformance Criteria for System Monitoring).

1.8.6. Each computer application must have a nominated system owner, who shall be responsible for the system performance, integrity, and access control (see Conformance Criteria for System Ownership).

1.8.7. Data owners must be identified who shall assume the role of controller over that data. Only upon authorisation from the data owner may such data be provided, deleted and/or amended (see Conformance Criteria for Data Ownership).

1.8.8. Access to Council data other than that identified as publicly accessible can be provided to third parties only with evidenced agreement of an authorised officer, and only through an agreed route. The rights and obligations of the third party must be clearly evidenced (see Conformance Criteria for Third Party Access).

1.8.9. Formal agreements must be established and evidenced between the Council and external establishments for the exchange of critical or sensitive data (see Conformance Criteria for Data Exchange).

1.8.10. All off-line storage media must be secured against unauthorised access (see Conformance Criteria for Off-Line Storage).

1.8.11. Encryption is not to be used without the consent of the County ICT Security Manager (see Conformance Criteria for Encryption).

1.8.12. Where passwords are used to protect data files (e.g. WP, Spreadsheet) or local databases (e.g. Access), the user is obliged to securely record the password and lodge it under management control to facilitate the recovery of the data (see Conformance Criteria for Passworded Data).

1.8.13. Homeworkers shall ensure that the data and systems under their control within their home environment are adequately secured against misuse, loss, theft, and/or damage (see Conformance Criteria for Home Workers).

1.9. Systems Development and Maintenance

1.9.1. All systems which are being procured or developed shall conform with the ICT Security Policies and any other relevant Council policies (see Conformance Criteria for Procured Systems).

1.9.2. All computer applications and/or data must be assessed to determine the level of data integrity required, and appropriate system based validation shall be applied to the data during input, amendment and deletion (see Conformance Criteria for Data Validation).

1.9.3. Prior to live implementation, all computer applications must be tested and proved to user satisfaction that the system shall: function correctly in respect of the business specification, coexist where necessary with other applications, and have appropriate security controls (see Conformance Criteria for Implementation).

1.10. Business Continuity Management

1.10.1. All systems must be regularly assessed for their resilience to continue to provide an agreed level of service (see Conformance Criteria for Resilience).

1.10.2. All business systems and processes must be appropriately and regularly assessed for risks of failure. Adequate documented contingency plans shall be developed, regularly tested, and reviewed (see Conformance Criteria for Contingency).

1.10.3. Appropriate system and data backup must be undertaken, securely stored, and periodically tested, to ensure minimum disruption to business processing in the event of an incident requiring systems and/or data to be restored to a position prior to the incident (see Conformance Criteria for Backup).

1.11. Compliance

1.11.1. All users of Council ICT equipment are required to comply with all relevant legal statutes, licensing agreements, and Council Policies (see Conformance Criteria for Legal Compliance).

1.11.2. All systems are the property and responsibility of the Council. Whilst users are permitted limited personal use of Email, Internet, Word Processing, and Spreadsheets, no document or file can be assumed by a user to be private, and any such file which the user requires to remain private should not be held on Council equipment (see Conformance Criteria for Personal Use of Council Equipment).

1.11.3. The Council retains the right to access and review any document or file stored on Council equipment and shall do so to ensure that no policy, agreement, or legal statute is contravened (see Conformance Criteria for Right of Review).

1.12. E-mail and Internet Use (see Policy on the use of the Internet).

1.12.1. Only authorised users shall have legitimate access to the authorised e-mail facilities provided by the Council. Limited personal use shall be permitted but all use must be in accordance with the Personnel Code of Conduct and within the bounds of public decency (see Conformance Criteria for E-mail Usage).

1.12.2. Users provided access to the Internet shall use it for appropriate business related purposes, and not in excess of legitimate requirements. Limited personal use shall be permitted but all use must be in accordance with the Personnel Code of Conduct and within the bounds of public decency (see Conformance Criteria for Internet Usage).