Security

The organisation implements many different methods to secure our data. These include physical measures and third-party services. Below is a summary of these measures. Users must take no action to circumvent these security controls.

Policy acceptance

During induction, new colleagues will be given a copy of this policy document and will be required to indicate their acceptance of its provisions.

Physical access to servers

Physical access to server rooms controlled by the organisation is restricted to members of the ICT and Business Continuity teams.  Contractors and other persons can only access server rooms under the supervision of ICT staff.

Physical media

Access to data held on physical media, including paper, must be restricted to only those who require this access. Users must make all reasonable efforts to protect this media and to ensure that we satisfy the provisions of the Data Protection Act 2018.

Data belonging to the organisation must never be copied to any type of removable, portable storage such as USB flash drives. Where we operate CCTV services, the police will provide their own storage devices as necessary.

Logical access control

This is a security process that manages access to resources such as computers, networks, and data. It ensures only authorised users can access specific environments, protecting sensitive information from unauthorised access, tampering, or theft. It requires the validation of an individual's identity through some mechanism, such as a password, PIN, card, biometric, or other token.

We provide logical access using the principle of “least privilege.” This ensures that users and systems have the absolute minimum access required to perform their daily tasks, thereby reducing the potential for and impact of security breaches.

Use of the web

Given the nature of the whole life support we provide, the organisation does not utilise website blocking or content management and control software.  However, end users are expected to exercise good judgement when using the web.

You must not view content that is unrelated to your work with us.  Nor should you view content that is likely to offend, is considered obscene or may be illegal.  You will be responsible for all content viewed using your account.

We do take measures to protect ourselves.  Our malware protection software features time-of-click URL protection.  This blocks links to known malicious websites.  If you are at all suspicious of any website, you should contact the ICT Support Team right away.

Identity management

Every person will have a unique user identity, which must never be shared. This identity links the user to their actions and makes them responsible for these actions. Records of user access may be used to provide evidence for investigations.

All users shall keep their passwords confidential, and these must not be shared with anyone. If a user suspects their account password is known to others, they must immediately change it.

All user accounts must have multi-factor authentication enabled. Users should have at least 2 methods registered.

If you need to store a copy of your password, this must be on a non-work provided device that no one else can access. Your username should not be stored on the same device.

The use of group or shared identities is permitted only under exceptional circumstances. These must be documented and risk assessed ahead of time. They should also be subject to regular review.

Network security

ICT implement measures to separate servers, systems and users to limit the impact of any attack on our networks.  These measures are detailed in the ICT Handbook along with the routing controls implemented to support this plan.

Only equipment purchased and provided by the organisation can be physically connected to Ethernet networks or wirelessly connected to corporate Wi-Fi networks.  Whenever possible, ICT will provide guest Wi-Fi networks in the organisation’s offices and bases.  This is for business purposes only and there are limitations to where we can provide this.

Public Wi-Fi

Devices provided by the organisation, and personal devices used to access data belonging to us, must only be connected to public Wi-Fi networks to access our virtual desktop service.

Public Wi-Fi includes, but is not limited to, those in retail establishments, transport services and other public venues.  The security of such networks cannot be assessed; therefore, no other use is permissible.

Operating Systems

No standard user will be provided with administrative access to any device.  Users must take no action to circumvent security controls.  Devices issued by the organisation will be enrolled in a device management system whenever possible.

All users must lock their device whenever they leave it.  When a device is protected by a password or PIN, these must never be attached to it or stored in a way that allows others to access them.

System configuration

All default accounts provided with operating systems shall be disabled following system installation.

Application security

ICT teams shall ensure that applications utilised by us are securely configured and managed.

They will further ensure that all applications are captured within the ICT inventory. This shall be used to manage application configuration, patches and updates.  Vendor-issued patches and updates will be installed as soon as is practicable.

Virtual desktops and end user devices shall be configured to prevent the download and installation of unauthorised applications.

Anti-virus and malware protection

ICT teams shall ensure that effective anti-virus and anti-malware services are implemented.  They will further ensure that:

  • Software is kept up to date.
  • Real time scanning is enabled.
  • Tamper protection is enabled to prevent malware from altering or disabling protection.

Users must not:

  • Accept or connect removable media from colleagues or external persons.

Secure configuration

Access to systems and data is based on the principle of least privilege.

Baseline security configurations shall be developed in conjunction with security best practices from hardware and software vendors to ensure a consistent build status for all client and server systems.

Protective monitoring shall be in place to detect any attempt to modify the configuration of client and server systems.

All client systems shall be configured to start into a secure state. It should not be possible to modify the startup configuration.

Device encryption

Whenever possible end user devices shall be protected by a full disk encryption solution approved to protect the identified security classification.

If a full disk encryption solution has not been or cannot be configured on the device, then the risks to the information shall be assessed and either:

  • an alternative encryption solution shall be utilised for which the risks have been accepted by ICT services; or
  • the risks shall be qualified and accepted by both ICT staff and operational managers.

Security updates and patching

ICT staff shall ensure that infrastructure and associated components comply with baseline security configurations.

ICT staff will ensure that server, commercial off-the-shelf applications and in-house owned or managed apps are patched and updated as quickly as possible after release.

End users must ensure that updates to applications and operating systems on devices issued to them are applied whenever they become available.