ICT User Access Security Standard Operating Procedure


OFFICIAL

ICT User Access Security
Standard Operating Procedure

Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not be utilised as guidance or instruction by any police officer or employee as it may have been redacted due to legal exemptions.

Owning Department: ICT Department
Version Number: 3.00 (Publication Scheme)
Date Published: 25/05/2018

OFFICIAL Version 3.00 (Publication Scheme)

Compliance Record

Equality and Human Rights Impact Assessment (EqHRIA) Date Completed / Reviewed: 01/11/2017
Information Management Compliant: Yes
Health and Safety Compliant: Yes
Publication Scheme Compliant: Yes

Version Control Table

Version 1.00 (approved 23/03/2013): Initial Approved Version.
Version 2.00 (approved 13/11/2017): Periodic Review. Transferred to corporate template with new Police Scotland logo. Formatting standards in line with Police Scotland record set.
Version 3.00 (approved 25/05/2018): Updated to reflect changes in data protection legislation.

Contents

1. Purpose
2. Overview
3. Processes

Appendices
Appendix ‘A’: List of Associated Legislation
Appendix ‘B’: List of Associated Reference Documents
Appendix ‘C’: Glossary of Terms
Appendix ‘D’: ‘C’ Division
Appendix ‘E’: ‘V’ Division
Appendix ‘F’: ‘P’ Division
Appendix ‘G’: ‘A’ Division
Appendix ‘H’: ‘E’ and ‘J’ Divisions
Appendix ‘I’: ‘N’ Division
Appendix ‘J’: ‘G’, ‘U’, ‘Q’, ‘L’ and ‘K’ Divisions
Appendix ‘K’: ‘D’ Division

1. Purpose

1.1 This Standard Operating Procedure (SOP) supports the Scottish Police Authority (SPA) / Police Service of Scotland, hereafter referred to as Police Scotland, policy for Information Security.

1.2 This SOP provides information on the control of user access to Police Scotland/SPA Information and Communication Technology (ICT) Systems and Data, detailing the steps that need to be taken to ensure that each member of staff is provided with an individual identity that allows them to complete the tasks associated with their role.

1.3 This SOP should be used in conjunction with the Police Scotland Information Security Policy and the SOPs for:
- ICT Acceptable Use of Computer Systems SOP
- IT Security SOP

2. Overview

2.1 All system logins for each system allow a user to perform specific tasks. A unique login ensures that the authorised and named individual has the correct level of access, allowing them to perform their designated role(s). It also improves the auditing capability, since actions taken on a system can be attributed to a named individual.

2.2 Across Scotland, there are regional differences in the way user access is managed. These differences are detailed in the geographical appendices at the rear of this SOP.

3. Processes

3.1 Individuals will be issued unique logins that provide them with the necessary access specific to their job roles, and no more. It is essential that:
- Each user has a unique set of credentials which affords them access to the systems and data for which they are authorised;
- Each user login is accompanied by an additional method of authentication;
- Each individual's personal login details are secure;
- Each user has only the access to the systems required to carry out their role;
- Generic logins are not used, except in specific circumstances, and are subject to risk assessment and audit controls;

- Users leaving the organisation have access disabled on the last official day of service, and both the user account and profile are deleted after six months;
- Users whom it has been determined should have their system access restricted will have it restricted as soon as reasonably practicable and in any event within two working days (outwith weekends). An expedited Systems Restriction and Audit Process is available should an operational requirement exist.

3.2 User Access Control

3.2.1 All new user requests or changes in access to ICT systems are requested by the line manager, People and Development, Business Management Units or Mail Administrators, dependent upon local structures. This includes staff belonging to Police Scotland, the Scottish Police Authority (SPA), and temporary and contracted staff.

3.2.2 The request will be submitted via IT Connect and actioned within the Service Level Agreement (SLA) of five working days.

3.2.3 For systems where ICT retains administration responsibility, ICT will complete the user set-up or change of details and provide the user account details to a named individual or to People and Development. Where this function is delegated to other Business Units, they will have responsibility for user maintenance.

3.2.4 When first created, the username is accompanied by a password, providing the additional method of authentication, which must conform to the complexity requirements outlined in the ICT Password Policy. At first login the individual must change their password, and from that point must ensure that their login details are known only to them.

3.2.5 Completed ICT account set-up forms are held either within People and Development, or electronically by the ICT Department on IT Connect.

3.2.6 Regional processes are summarised in the tables provided in the Geographic Appendices (‘D’ to ‘K’).

3.3 Removal of User Access

3.3.1 Removal or temporary suspension of user access will apply to all members of Police Scotland, SPA, temporary staff and contractors.

3.3.2 Access will be removed on the last official day of service with the Organisation following resignation, retirement, dismissal or death.

3.3.3 Access will also be removed or suspended in cases of long term absence, such as, but not limited to:
- Maternity or paternity leave;
- Career break;
- Secondment outwith SPA or Police Scotland;
- Long term sickness or absence which is likely to exceed 12 weeks;
- Any other break which may be greater than 12 weeks;
- Suspension from duty or placement on restricted duties.

3.3.4 An instruction to suspend access, issued by ACU, PSD, People and Development, the Line Manager or the Business Management Unit, will be provided to ICT to remove access; this is managed via IT Connect. (People and Development access IT Connect via the HR Connect portal.)

3.3.5 People and Development will be notified immediately if the reason for withdrawal relates to suspension from duties. If this is the case, the account will be disabled / suspended (disabled is the term used within ICT; it relates to the suspension of an account).

3.3.6 Account access is restricted/disabled as soon as reasonably practicable and in any event within two working days (outwith weekends). Notwithstanding this, every attempt is made to complete the request within 24 hours, Monday through Friday, as local arrangements allow. An expedited process is available through the National Service Desk should an operational requirement exist.

3.3.7 In the case of a suspended officer, system access will only be reinstated with the prior agreement of ACU or PSD, as per the ICT Systems Restrictions and Audit Process.

Appendix ‘A’: List of Associated Legislation

- Computer Misuse Act 1990
- Public Records (Scotland) Act 2011
- Data Protection Act 2018
- The Official Secrets Acts 1911 and 1989

Appendix ‘B’: List of Associated Reference Documents

Policy
- Information Security Policy
- ICT Password Policy

Standard Operating Procedures
- ICT Acceptable Use of Computer Systems SOP
- IT Security SOP

Process
- ICT Systems Restrictions and Audit Process (Internal Document)

Appendix ‘C’: Glossary of Terms

ACU: Anti-Corruption Unit
PSD: Professional Standards Department
ICT: Information and Communication Technology
SLA: Service Level Agreement
SOP: Standard Operating Procedure
SPA: Scottish Police Authority
DCC: Deputy Chief Constable Designate
LTD: Leadership Training and Development

Appendix ‘D’: ‘C’ Division

New Users / Creation
New user request submitted by: People and Development and ICT Trainers
Area that the new user request is submitted to: ICT Operations and Support Team
Method of submission: IT Connect, via a pre-approved Service Request
Request actioned by: ICT Operations and Support Team
New user details provided to: People and Development

Leavers / Deletion
User access removal request submitted by: People and Development
Area that the user removal request is submitted to: ICT Operations and Support Team
Method of submission: HR Connect
Request actioned by: ICT Operations and Support Team
Are accounts disabled or deleted: Disabled on last official day of service
Time period for account to be disabled: As soon as reasonably practicable and in any event within two working days (outwith weekends)
If disabled, after what time period are the accounts deleted?: Six months after official leaving date

Further Information
Access forms for the above are controlled by: Business Unit / Mail Administrators
Long term absence - including sickness, maternity, paternity, career break: Account will be disabled on request
Action taken on the account of an employee who is suspended: Account will be disabled based upon request from Professional Standards Department or Anti-Corruption Unit (ACU)

Appendix ‘E’: ‘V’ Division

New Users / Creation
New user request submitted by: Business Management Unit / Mail Administrators / LTD Administration
Area that the new user request is submitted to: Operations West Postmaster
Method of submission: IT Connect User account maintenance
Request actioned by: Operations West Postmaster
New user details provided to: Requestor, who will have the user name and supplied standard password

Leavers / Deletion
User access removal request submitted by: Business Management / LTD (LTD will submit suspension of Special Constables)
Area that the user removal request is submitted to: Operations West Postmaster
Method of submission: HR Connect
Request actioned by: Operations West Postmaster
Are accounts disabled or deleted: Disabled on last official day of service
Time period for account to be disabled / deleted: As soon as reasonably practicable and in any event within two working days (outwith weekends)
If disabled, after what time period are the accounts deleted?: Six months after official leaving date

Further Information
Access forms for the above are controlled by: Business Management
Long term absence - including sickness, maternity, paternity, career break: Account will be disabled on request
Action taken on the account of an employee who is suspended: Account will be disabled based upon request from Professional Standards Department or Anti-Corruption Unit (ACU)

Appendix ‘F’: ‘P’ Division

New Users / Creation
New user request submitted by: People and Development
Area that the new user request is submitted to: ICT Operations and Support Team
Method of submission: HR Connect User access maintenance
Request actioned by: ICT Operations and Support Team
New user details provided to: Direct to User

Leavers / Deletion
User access removal request submitted by: People and Development
Area that the user removal request is submitted to: ICT Operations and Support Team
Method of submission: HR Connect
Request actioned by: ICT Operations and Support Team
Are accounts disabled or deleted: Disabled on last official day of service
Time period for account to be disabled: As soon as reasonably practicable and in any event within two working days (outwith weekends)
If disabled, after what time period are the accounts deleted?: Six months after official leaving date

Further Information
Access forms for the above are controlled by: ICT Operations and Support Team
Long term absence - including sickness, maternity, paternity, career break: Account will be disabled on request
Action taken on the account of an employee who is suspended: Account will be disabled based upon request from Professional Standards Department or Anti-Corruption Unit (ACU)

Appendix ‘G’: ‘A’ Division

New Users / Creation
New user request submitted by: People and Development
Area that the new user request is submitted to: ICT Service Desk
Method of submission: IT Connect
Request actioned by: ICT Operations and Support
New user details provided to: Requestor

Leavers / Deletion
User access removal request submitted by: Staff User’s line manager
Area that the user removal request is submitted to: ICT Service Desk
Method of submission: HR Connect
Request actioned by: ICT Operations and Support
Are accounts disabled or deleted: Disabled on last official day of service
Time period for account to be disabled: As soon as reasonably practicable and in any event within two working days (outwith weekends)
If disabled, after what time period are the accounts deleted?: Six months after official leaving date

Further Information
Access forms for the above are controlled by: N/A
Long term absence - including sickness, maternity, paternity, career break: Account will be disabled on request
Action taken on the account of an employee who is suspended: Account will be disabled based upon request from Professional Standards Department or Anti-Corruption Unit (ACU)

Appendix ‘H’: ‘E’ and ‘J’ Divisions

New Users / Creation
New user request submitted by: People and Development
Area that the new user request is submitted to: Edinburgh Postmaster
Method of submission: IT Connect User account maintenance
Request actioned by: Edinburgh Postmaster
New user details provided to: New user or Line Manager

Leavers / Deletion
User access removal request submitted by: People and Development
Area that the user removal request is submitted to: Edinburgh Postmaster
Method of submission: HR Connect
Request actioned by: Edinburgh Postmaster
Are accounts disabled or deleted: Disabled on last official day of service
Time period for account to be disabled: As soon as reasonably practicable and in any event within two working days (outwith weekends)
If disabled, after what time period are the accounts deleted?: Six months after official leaving date

Further Information
Access forms for the above are controlled by: People and Development / Force Business Managers request access / removal
Long term absence - including sicknes
