WIXLIB

Information Security PolicyVersion:2.1.1Document Status:PublishedDate:Published 06/03/14, minor updates 30/08/15Author:Information Services Management TeamComment:First approved by board 29/08/2013.Amendments reviewed by KITGG August 2015 and Management TeamSeptember 2015.Next Review:February 2016Introduction and objectives1.Information, in whatever form it takes, is a valuable asset to our organisation andconsequently needs to be suitably protected.2.We regard the integrity and security of our computer and information management systems ascentral to our success. In this respect, employees are expected to act with integrity at alltimes. Our code of conduct sets out expected standards of behaviour in some detail. Thispolicy describes what is expected of you when and how you should manage information.3.This policy will support our achievement of ISO 27001 the Information Security Managementstandard and our agile methods of working.4.This policy has six main sections: Scope Hardware Software Network services Information management Monitoring and breach of policy.Page 1Information Security Policy

Section 1- ScopeSection 1- Scope5.This policy applies to the Auditor General, the Accounts Commission and Audit Scotland; theiremployees including temporary staff and students and organisations acting on their behalf. Itapplies to all locations where information and data are accessed and used. It does not applyto firms working as appointed auditors. Audit Scotland is committed to achieving the higheststandards in protecting the information.6.It is everyone's responsibility to ensure they implement this policy.7.Information Asset Owners (IAO’s) and line managers are responsible for communicating theimportance of this policy and monitoring and reporting on its compliance within their businessgroup.8.It is the Knowledge, Information & Technology Governance Group's (KITGG) role to keep thispolicy up-to-date.9.The key stakeholders who can help ensure this policy is implemented effectively and their keyresponsibilities are outlined in appendix 1. The responsibilities for security as detailed in thispolicy cannot be delegated.10.Legal Context11.Further information on the legal context relating to information security can be found inappendix 2.12.Information Classification13.Audit Scotland uses three information classifications: Public Controlled Personal.14.Their description can be found in appendix 4.15.Supplementary documentation16.The following documents should be used to support and supplement this policy:17. Audit Scotland’s data protection policy. Audit Scotland’s information security policy. Data Protection Act 1998. Staff guidance on the implementation of the clear desk and screen policy.Current versions of these documents can be found on ishare.Information Security PolicyPage 2

Section 2 - HardwareSection 2 - Hardware18.Audit Scotland equipment must be kept secure at all times and should only beaccessible to other Audit Scotland employees.19.We store business critical, sensitive and confidential data on our network and mobile devices,so security is very important. Loss of such data could impact our ability to carry out our workand be both embarrassing and damaging to our reputation. It could also result in a financialpenalty for the organisation. Therefore: our hardware must not be used by, given or loaned to anyone who does not work for or iscontracted, or seconded to Audit Scotland our visitors must not have access to unsecured or unattended equipment our hardware must be stored safely and securely, for example in the locked boot of a car,rather than on a seat we must store portable equipment securely when it is left unattended in environments where other people can access our equipment, we must lock ourkeyboards, use a password-locked screen saver and prevent others from viewinginformation on our screens.Practical examplesDuring lunchtime, a team working in a council’s office should secure their laptops, lock the screenon the thin client terminals, and ideally lock their office door.Make sure that no one else uses your laptop or has access to your Citrix session, even at home.20.You must take reasonable care of Audit Scotland hardware and protect it from physicaldamage wherever possible.21.Damage to equipment is expensive to repair and can disrupt our work. Therefore: wherever possible, staff should avoid placing drinks or liquids next to computerequipment. We acknowledge that employees may have drinks at their workstation employees should take adequate precautions to prevent spillages e.g. move keyboardsto the side, keep drinks at arms distance to avoid knocking them over, etc. whilst Information Services carry out most cabling at Audit Scotland, if employees arerequired to set up cables, they should make sure they do not trail across areas whereothers walk or sit do not place computer equipment on furniture that is not designed to support it keep all equipment away from the edge of desks always carry computer equipment in the protective bags or boxes providedInformation Security PolicyPage 3

Section 2 - Hardware 22.do not change the initial setup on a PC or mobile device without instructions fromInformation Services.When hardware is being transferred between employees or returned to the equipmentpool, it is your responsibility to remove all data from the equipment beforehand.You are responsible for removing data from your equipment after use. This will protect thedata from unauthorised access and make sure that any personal data subject to the DataProtection Act is removed.23.You must only connect Audit Scotland equipment to authorised networks.In order to avoid damaging the network, Audit Scotland’s hardware can only be connected toAudit Scotland’s network. You may however, connect Audit Scotland’s laptops and mobiledevices to any network service that gives a direct connection to the internet, including wirelessconnections. Some external sites offer access to wireless networks for a fee. You might not beable to access these networks due to the security configuration of the fee-charging service.Please contact Information Services for advice.Practical examplesExample 1: A health board offers auditors a secure wireless connection to the internet. This isallowed because it means the auditor can connect to the Audit Scotland network over a secureinternet connection.Example 2: When working from a hotel, an auditor cannot connect to the hotel wireless network.This is due to the security configuration of our equipment and cannot be changed. The auditorshould plan to use a 3G dongle to connect to our network.24.On request encrypted memory keys are provided for the temporary storage of data.Memory keys should only be used for moving data between equipment or for backups if youare out of the office for short periods.Memory keys belonging to a client can be used if the client prevents the use of AuditScotland's memory keys. However, they can only be used while staff are on the client’spremises.Unencrypted memory keys are not allowed.A flow diagram in appendix 3 will help employees decide on the correct use of memory keys.25.Use of Audit Scotland PhonesMobile phones and direct dial phone numbers are provided to staff for Audit Scotlandbusiness use. Personal use should be kept to a minimum. .Information Security PolicyPage 4

Section 2 - HardwareYou may not use an Audit Scotland phone for: storing copyright or personal data on the device calling premium rate telephone numbers messaging premium rate SMS services international use (unless on Audit Scotland business), including taking the phone onholiday frequent personal use.Employees are responsible for adhering to the law in respect of not using a mobile phonewhile driving a vehicle.Employees must not add extra data storage to an Audit Scotland phone because theadditional storage does not support encryption.Employees should be aware that Information Services provide reports on phone use to localmanagement teams on a regular basis.Practical exampleAn auditor is sent on a stay away audit for one week. During the week a phone call is made eachevening to stay in touch with family. This type of personal use is permitted.26.Bring Your Own Device (BYOD)Audit Scotland permits staff to use their own equipment to access our system with thefollowing restrictions: The only software that is permitted to connect to the Audit Scotland network from apersonal device is: Touchdown, Citrix, OneDrive and Microsoft Office apps (Word, Excel,PowerPoint, Sway & Outlook) and Lync/Skype for Business. Staff may reclaim the cost ofinstalling Touchdown, through the expenses system. Staff must not connect their own device to any Audit Scotland equipment for the purposeof data transfer (including photos). Charging via a USB connection is permitted. Staff using BYOD are required to protect business data using encryption and a securePIN. Staff may opt in to using their own mobile phone or tablet computer for convenience, butAudit Scotland will not contribute to the cost of the device and call or data costs will onlybe paid if there is a receipt for the costs incurred on Audit Scotland business. If your personal device is lost or stolen after being configured for BYOD, you must reportthe loss to Information Services. You must ensure that only you have access to the device and the software installed on it,to prevent unauthorised access to our data and systems.Information Security PolicyPage 5

Section 2 - HardwarePractical examplesAn auditor wants to carry only one phone and uses their personal phone for BYOD. In the firstmonth the auditor spends 27 minutes on phone calls and downloads 54MB of data relating to AuditScotland business. The Auditor has a 500Mb data limit and 500 free minutes on the phonepackage, but cannot identify the cost that relates to the Audit Scotland business, therefore cannotreclaim any costs.An auditor wants to take a tablet computer to an external meeting to view papers during themeeting. The auditor should synchronise the documents via email, or OneDrive. During themeeting, these documents can be accessed from within the secure email application or OneDrive,even if there is no network connectivity at the meeting location.27.Use of equipmentAudit Scotland is responsible for the type of information, text, photographic, pictorial, video oraudio format stored on our equipment. Therefore:28. you must not store your own personal (non-work related) files on Audit Scotlandequipment mobile devices must be configured with one of the approved desktop wallpapers. Forexample, laptop images should reflect our professional standing, and you must not useimages that are unprofessional, may cause offence or infringe copyright. under no circumstances store a file containing: defamatory, obscene, threatening or abusive text, audio or pictures pornographic images files covered by copyright or trademark law without proper authorisation trade secret or intellectual property used without proper authorisation movie or audio files covered by copyright.Return of equipmentEmployees must ensure they return all Audit Scotland equipment to their line manager beforeleaving the organisation. In other circumstances, if the requirement for equipment changes,surplus equipment should be returned to Information Services. For example, if an auditor hasa laptop but is reassigned to a fixed audit site which is furnished with Citrix terminals, thelaptop should be returned to Information Services (unless it is required for use in the businessgroup's pool of laptops).29.Loss of EquipmentInformation Security PolicyPage 6