IT Security Standard Operating Procedure

Transcription

OFFICIAL

IT Security
Standard Operating Procedure

Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not be utilised as guidance or instruction by any police officer or employee as it may have been redacted due to legal exemptions.

Owning Department: ICT Department
Version Number: 3.00 (Publication Scheme)
Date Published: 25/05/2018

Compliance Record

Equality and Human Rights Impact Assessment (EqHRIA) Date Completed / Reviewed: 27/10/2017
Information Management Compliant: Yes
Health and Safety Compliant: Yes
Publication Scheme Compliant: Yes

Version Control Table

Version / History of Amendments / Approval Date
1.00: Initial Approved Version
Periodic Review. Transferred to corporate template with new Police Scotland logo. Formatting standards in line Police Scotland record set
Updated to reflect changes in data 5/05/2018

Contents

1. Purpose
2. Overview
3. Guidelines

Appendices

Appendix ‘A’ List of Associated Legislation
Appendix ‘B’ List of Associated Reference Documents
Appendix ‘C’ Glossary of Terms

1. Purpose

1.1 This Standard Operating Procedure (SOP) outlines information regarding the protection of the Police Service of Scotland, hereinafter referred to as Police Scotland, and the Scottish Police Authority, hereinafter referred to as SPA, information assets.

1.2 This SOP supports the following Police Scotland and the SPA policies:
• Information Security Policy

1.3 Police Scotland and the SPA recognise the need for comprehensive protection of the information held on Information Communications Technology (ICT) systems. This SOP provides key high level information on some mechanisms used to protect ICT information assets; further detailed procedures are held by the ICT department.

1.4 This SOP does not cover all ICT security measures deployed to protect all Police Scotland and SPA information assets, but does cover areas that Police Scotland and SPA staff are expected to be made aware of as part of their day to day working.

1.5 This SOP should be used in conjunction with Police Scotland SOPs for:
• ICT Acceptable Use of Computer Systems;
• ICT User Access and Security;
• Security Incident Reporting and Management;
• National Wireless System (WiFi) Security Operating Procedure (SyOPs).

2. Overview

2.1 Within Police Scotland there is a requirement to ensure that suitable anti-virus and further protection mechanisms are in place across the desktop and server estate. This is required to reduce the possibility of risk to the confidentiality, integrity and availability of the systems in use by Police Scotland and the SPA.

3. Guidelines

3.1 Anti-virus

3.1.1 It is the responsibility of the ICT department to ensure adequate virus protection is in place to protect Police Scotland and the SPA networks and equipment.

3.1.2 Anti-virus products are installed on all Windows based systems and configured to provide automatic daily updates. Unless unavailable, other operating systems and devices must have anti-virus installed with daily updates applied.

3.1.3 Where an automatic update cannot be delivered, for example, standalone machines, an appropriate and approved process has been adopted through local processes / procedures.

3.1.4 Anti-virus must not be disabled unless authorised to do so by the ICT Technical Audit & Assurance team with written confirmation and agreement for next steps to ensure this is re-enabled as soon as possible thereafter.

3.1.5 This section has been removed, due to its content being exempt in terms of Section 30 of the Freedom of Information (Scotland) Act 2002.

3.1.6 If a machine should become infected, or it is suspected that a machine may be infected with a computer virus, it must be switched off and disconnected from the network with immediate effect.

3.1.7 The machine must be clearly labelled and remain disconnected from the network until approval for reconnection is provided by ICT.

3.1.8 If there are any issues or questions relating to anti-virus, guidance should be sought from ICT Technical Audit and Assurance via the ICT Service Desk for urgent enquiries or Service Request for non-urgent issues.

3.2 End Point Management

3.2.1 End Point Management is the management of devices that connect to our network to ensure the appropriate security is available. This includes desktops, laptops and servers, and anything that connects to these devices.

3.2.2 Under no circumstances must any personal or other unauthorised third party ICT system or device be connected to the Police Scotland and the SPA computer systems or networks.

3.2.3 Information that is classified as restricted or above must not be transferred to any third party or other unauthorised persons.

3.2.4 Where possible End Point security management will be applied by means of an application/system to reduce the risk of unauthorised external devices connecting to the Police Scotland and the SPA computers or network.

3.2.5 End points will be provided with the appropriate security products.

3.2.6 Any noted or alerted malfunction of security hardware or software must be reported immediately to your line manager and ICT service desk.

3.3 Physical Security (Computer Rooms)

3.3.1 This section has been removed, due to its content being exempt in terms of Section 35 of the Freedom of Information (Scotland) Act 2002.

3.3.2 The additional protection below should be deployed wherever possible, including:
• Air conditioning units;
• Uninterruptible Power Supply (UPS);
• Standby generators;
• Fire suppression;
• Closed Circuit Television (CCTV).

3.3.3 Only vetted and approved third party contractors and approved visitors will be allowed access to any Police Scotland ICT Computer Room. Access for work to take place in these rooms by third party contractors and approved visitors must be agreed prior to attending site.

3.3.4 All other visitors must be escorted at all times and will not be left alone to work in any ICT Computer room.

3.3.5 Rooms should be left clean and tidy and all refuse removed after completion of any works, or daily at the very minimum. No food or drink should be consumed in the ICT Computer room.

3.3.6 Sign in / out sheets must be used at all times, where provided.

3.4 Firewalls

3.4.1 Internal security checks will take place before the deployment of any new firewall device, or the relocation of existing equipment.

3.4.2 Firewalls will be subject to frequent internal and external penetration testing.

3.4.3 All modifications and changes to firewall configurations shall be subject to internal peer checking and, where required, ICT Change Process.

3.4.4 Any change to configuration must be followed by an update of the appropriate documentation.

3.4.5 Only staff authorised to do so and with the appropriate access and security clearance will make changes to any firewall equipment.

3.4.6 Under no circumstance should unauthorised staff remove or relocate any network cable connected to a firewall.

3.4.7 Firewalls will only allow approved access to external systems, or access to internally hosted systems.

3.5 Wireless

3.5.1 Only authorised Police Scotland devices and associated users are permitted to use the Corporate WiFi Network. Authenticated Corporate Devices are not permitted to connect to any Police Scotland Guest WiFi.

3.5.2 This section has been removed, due to its content being exempt in terms of Section 35 of the Freedom of Information (Scotland) Act 2002.

3.5.3 It may be permitted for third party contractors and guests to be given temporary authorisation to access guest wireless network(s) for internet only.

3.5.4 Where guest wireless access has been provided this will be managed in accordance with the Police Scotland National Wireless System Security Operating Procedures (SyOPs).

3.5.5 Any suspected breach in wireless security should immediately be reported to your line manager and ICT Technical Audit and Assurance.

Appendix ‘A’

List of Associated Legislation

• Computer Misuse Act 1990
• Public Records (Scotland) Act 2011
• Data Protection Act 2018
• Official Secrets Act 1911-1989

Appendix ‘B’

List of Associated Reference Documents

Policy
• Information Security Policy

Standard Operating Procedures
• ICT Acceptable Use of Computer Systems SOP
• ICT User Access Security SOP
• Security Incident Reporting and Management SOP
• National Wireless System (WiFi) Security Operating Procedure (SyOPs)

Appendix ‘C’

Glossary of Terms

ACU: Anti-Corruption Unit
ICT: Information and Communication Technology
SLA: Service Level Agreement
SOP: Standard Operating Procedure
SPA: Scottish Police Authority
SyOPs: System Security Operating Procedures
