INFORMATION SECURITY POLICY

September 2014

Information Security policy for Six Town Housing July 2014 last saved 02/07/14

Table of Contents

OPENING STATEMENT FROM THE CHIEF EXECUTIVE
    Security of Information Systems
    Software Compliance

1. INTRODUCTION
    1.1. Scope
    1.2. Aims and Objectives of Policy
    1.3. Personal commitment statement
    1.4. Information Classification
    1.5. Legal Requirements
    1.6. Responsibilities
    1.7. Reporting “security incidents”
    1.8. On-going management of the security policy

2. ACCESS TO SIX TOWN'S NETWORK
    2.1. Standard access
    2.2. Access to the GCSX network
    2.3. Remote working and home working

3. INTERNET
    3.1. Internet access and use
    3.2. Misuse
    3.3. Software downloads
    3.4. Purchases over the Internet

4. EMAIL
    4.1. Legal Implications
    4.2. Monitoring email use
    4.3. Access
    4.4. Personal use
    4.5. Use and Misuse
    4.6. Global Emails and Emails sent to large numbers of people
    4.7. Chain emails
    4.8. Viruses via the Email system
    4.9. Emails and Contracts
    4.10. Emails and Harassment / Pornography
    4.11 Emails and confidential information
    4.12 GCSX email
    4.13 Security Classification : Protective Marking for email
    4.14 E-mail disclaimer

5. SOFTWARE ASSET MANAGEMENT
    5.1. Software Acquisition
    5.2. Software Delivery
    5.3. Software Installation
    5.4. Software Compliance and Documentation
    5.5. Software Movements
    5.6. Software Disposal
    5.7. Shareware, Freeware and Public Domain Software
    5.8. Games and Screensavers
    5.9. Illegal software copying

6. HARDWARE ASSET MANAGEMENT
    6.1. Nominated officer for Hardware Management
    6.2. Hardware Acquisition
    6.3. Hardware Maintenance
    6.4. Hardware Inventories
    6.5. Hardware Movements
    6.6. Hardware Disposal

7. COMPUTER SYSTEMS AND DATA
    7.1. Virus Controls
    7.2. Procurement of computer systems
    7.3. Systems Development
    7.4. Control of proprietary software copying
    7.5. Data Security

8. COMPUTER AND NETWORK MANAGEMENT
    8.1. Housekeeping
    8.2. Network Management
    8.3. Fault logging
    8.4. Change Control

9. PHYSICAL SECURITY
    9.1. Central Computer Suite
    9.2. IT Equipment located in Departments
    9.3. IT Equipment in Public Access Areas
    9.4. Equipment Security
    9.5. Personal use of Six Town’s IT equipment
    9.6. Laptop Computers / PDAs / Mobile Phones / Home Workers
    9.7. Advice on the use of pen drives, CDs, DVDs and other portable devices

10. SYSTEM SECURITY
    10.1. Access control
    10.2. User registration
    10.3. Systems Access Management
    10.4. User password management
    10.5. User Responsibilities
    10.6. Public Access PCs

11. USE OF SIX TOWN’S TELEPHONE NETWORK
    11.1. Telephone Installations and amendments
    11.2. Private Telephone Calls
    11.3. Mobile Phones
    11.4. Calls to Directory Enquiries
    11.5. Telephone Bills
    11.6. The organisation’s telephone directory on Six Town Intranet
    11.7. Telecommunications records and reports
    11.8. SMS Texting Service
    11.9. International calls
    11.10. Malicious Call Tracing (MCT)

APPENDIX A - THE LEGAL POSITION
    Copyright, Designs and Patents Act 1988
    Computer Misuse Act 1990
    Freedom of Information Act 2000
    Theft Acts 1968 and 1978
    Human Rights Act 1998
    RIPA
    Caldicott Report Principles
    Computer Evidence in Criminal Cases

APPENDIX B - DISPOSAL OF IT EQUIPMENT

APPENDIX C - DATA PROTECTION ACT 1998 PRINCIPLES

APPENDIX D - EXAMPLE OF AN ACCEPTABLE USE POLICY

APPENDIX E – INFORMATION SECURITY

APPENDIX F – GLOSSARY OF TERMS

APPENDIX G – PERSONAL COMMITMENT STATEMENT

APPENDIX H – GCSX SIGN-UP APP (VIA ICT E FORM SYSTEM)

APPENDIX I – SIX TOWN HOUSING ICT UNIT

APPENDIX J – HOME WORKING POLICY

APPENDIX K – REMOTE WORKING POLICY

Opening Statement from the Chief Executive

Security of Information Systems

Information resources and systems are crucial in supporting Six Town Housing’s daily activities.

The increasing use of ICT across Six Town Housing allows for greater accuracy and sharing of data and provides faster and more efficient means of accessing information. Any loss of data or unauthorised access to information systems can therefore have a serious impact on the operation and provision of Six Town Housing’s services.

To ensure that Six Town Housing’s Information Systems continue to operate and provide accurate and confidential information, a high level of information security is essential. All employees are responsible for maintaining the confidentiality, security and accuracy of information and information systems to which they have access.

The primary objective of this Policy is to introduce and enforce procedures and good practices that ensure the high level of security required on Six Town Housing’s information systems.

Software Compliance

Six Town Housing uses software in all aspects of its business to support the work carried out by its employees. In all instances we are required to have a licence for every piece of software used and Six Town Housing will not condone the use of any software that does not have a licence. It will be regarded as a disciplinary offence should any employee be found in possession of, or using, unlicensed software. This Policy details the procedures that must be followed when purchasing and installing software on Six Town Housing’s IT equipment.

The successful operation of this Policy cannot be achieved without the wholehearted cooperation of every employee. It is therefore imperative that employees and other relevant persons are aware of, and fully comply with, the Policy and other instructions derived from it.

1. Introduction

The increasing use of Information and Communication Technology at Six Town Housing and the development of information strategies to support the process of providing effective services make it necessary to take appropriate action to ensure that these systems are developed, operated and maintained in a safe and secure manner.

1.1. Scope

Six Town Housing’s ICT Security Policy applies to all its Employees, Agents and Contractors who directly or indirectly support, or have access to, Six Town Housing Information Systems.

All employees, agents and contractors must be made aware of the policy and understand the importance of information security to Six Town Housing and their responsibilities for security.

The provisions of this document apply to all employees in the execution of their duties, whether on Six Town Housing premises or at any other location (e.g. at the employee’s home).

1.2. Aims and Objectives of Policy

The main aims of this policy are:

1. To ensure that IT systems used within Six Town Housing are properly assessed for appropriate levels of security to maintain the confidentiality, integrity and availability of information and information systems.

2. To ensure that all of Six Town Housing’s IT assets (people, programmes, information and equipment) are adequately protected, on a cost-effective basis, against threats to the level of IT service required by Six Town Housing.

3. To ensure that Six Town Housing employees are aware of and fully comply with all UK legislation and directives of the EC.

4. To create, within all departments, a level of awareness of the need for Information Security to be an integral part of the day to day operation of Six Town Housing’s business systems. To maintain that level of awareness so that all employees understand the importance of Information Security to Six Town Housing and their responsibilities for security.

In order to preserve the following:

Confidentiality: Data access is confined to those with specified authority to view the data.

Integrity: Safeguarding the accuracy and completeness of information and computer software.

Availability: Ensuring that information and vital services are available to users when required.

1.3. Personal commitment statement

All staff that need to use Six Town Housing's network are required to sign up to Six Town Housing’s current Personal Commitment Statement (Appendix G) as a condition of being given network access. This Statement contains a summary of the key advice from this document, as it applies to individuals.

1.4. Information Classification

From a security viewpoint, there are four types of information, namely:

RESTRICTED highly confidential information where loss or unauthorised disclosure would have serious financial or commercial consequences for Six Town Housing, or serious privacy consequences for any of its customers.

Examples include minutes of political or management meetings relating to ongoing commercial negotiations; any person-related data or case files in any service area; any information from central government departments which they class as “RESTRICTED”.

RESTRICTED information should only be available on a “need to know” basis.

CONFIDENTIAL Information where loss or unauthorised disclosure would cause embarrassment or difficulty to Six Town Housing or privacy invasion to individuals referenced in the information.

INTERNAL Information generally available within Six Town Housing but not intended for general public access.

PUBLIC Information where loss, or unauthorised disclosure, would cause no administrative embarrassment or difficulty within Six Town Housing.

You must take care to prevent loss or disclosure of all Six Town Housing information, but particularly so for CONFIDENTIAL and RESTRICTED information.

If you will be handling information classified as RESTRICTED by any central government department, you will get prior training on confidentiality issues.

1.5. Legal Requirements

Everyone is obliged to abide by relevant UK and EC legislation / guidance / directives / regulations and this and any other relevant policy of Six Town Housing. To this end, employees who need network access must sign up to the Personal Commitment Statement and will be reminded of security issues and security policy changes by regular email.

Please refer to Appendix A for an indication of the current legislation.

1.6. Responsibilities

General

It is imperative that all employees are aware of and fully comply with this policy, in order to maintain security on Six Town Housing’s IT systems.

Specific Responsibilities

All employees are responsible for the confidentiality, security and accuracy of information and information systems during the day-to-day use of Six Town Housing’s ICT facilities, whether working at a Six Town Housing location or at another site, including an employee’s home.

Failure to comply with the provisions of this policy or related documents may lead to disciplinary action and / or criminal proceedings.

The Chief Executive and Directors are ultimately responsible for the proper use of computer equipment and for ensuring that all software in use within their organisation is being used in accordance with the terms and conditions of the software licences. They are also ultimately responsible for ensuring that employees receive adequate levels of IT training to enable them to carry out their duties.

The Strategic ICT Coordinator, in conjunction with Bury Council’s ICT Security Working Party, is responsible for ensuring that Six Town Housing’s ICT Security Policy is subject to continuous review and kept up-to-date.

The Strategic ICT Coordinator must ensure that all line managers and users are aware of their responsibilities pursuant to ICT security.

Line Managers are responsible for the secure use of Information systems by employees under their control. They must ensure that employees are adequately trained and comply with the Six Town ICT Security Policy and any departmental standards and policies.

The Six Town ICT Unit is responsible for maintaining the security and availability of Information Systems, in accordance with Six Town Housing’s ICT Security Policy.

Agents and Contractors

Agents of Six Town Housing must comply with relevant aspects of the Policy. ICT contracts with external organisations must include requirements to comply with this policy.

1.7. Reporting “security incidents”

If at any time you suspect that your PC is behaving oddly and so may have been infected with a computer virus or other malicious software, you must immediately contact the Six Town ICT Team to report the potential security incident.

The Six Town ICT Team will provide immediate advice on any action needed to prevent possible spreading of virus infection and will arrange an urgent visit from support staff if appropriate.

If you become aware of any significant breach of Six Town Housing Security Policy (e.g. sharing/disclosing personal passwords or abusing personal information) you should immediately inform your supervisor and/or Six Town Housing ICT, as appropriate.

For further information, see Appendix I, Reporting Security Related Incidents.

1.8. On-going management of the security policy

The ICT Security Policy is maintained by the Strategic ICT Coordinator in conjunction with Bury Council’s ICT Security Working Party and will be subject to regular review to ensure that it remains both relevant and up to date.

2. Access to Six Town's network

2.1. Standard access

Most “non-manual” staff working for Six Town Housing are provided with access to Six Town Housing's network so that they can use a computer to access Six Town Housing’s systems, including email.

New staff will be provided with a user id and password for connecting to the network, alongside any login details for software relevant to their post via an email from the Six Town Housing ICT Team (this is normally sent to their manager or the person requesting access for the user).

They will also receive a Personal Commitment Statement which they must read and agree to in order to have ongoing access to network facilities.

This Personal Commitment Statement (Appendix G) is a summary of all the key points covered in this Security Policy, as they apply to all network users.

2.2. Access to the GCSX network

Some Six Town Housing staff need access to systems not run by Six Town Housing as part of their job.

Access to systems like these will generally use a dedicated link between the Six Town Housing network and the GCSX network, managed on behalf of Central Government by Cable & Wireless. This network is also sometimes known as the GSI (Government Secure Intranet).

Staff required to access GCSX must go through an additional “sign up” procedure (Appendix H) through their supervisor and appropriate departmental contact, and may be subject to further personal checks.

2.3. Remote working and home working

Six Town Housing’s network provides access “gateways” for staff who need to work with laptop PCs in the field and for staff who wish to work from home. Connection is via mobile networks or home broadband links.

For staff wishing to access these facilities, line managers must contact Six Town Housing ICT to request and authorise this access.

In both cases, the Line Manager must re-emphasise the Personal Commitment Statement requirements to the employee concerned.

Copies of the Home-working Policy and Remote Working Policy are provided in Appendixes J and K.

3. Internet

3.1. Internet access and use

Use of the Internet is permitted and encouraged where such use is suitable for Six Town Housing’s business purposes.

You may also access the Internet on Six Town Housing’s equipment for personal use in your own time, on the clear understanding that you must comply with the provisions of this policy and any other relevant Six Town Housing policy.

Users of the Internet should be aware that all Internet activity is continuously monitored and recorded. Six Town Housing reserves the right to monitor all usage in accordance with the Human Rights Act 1998 and Regulation of Investigatory Powers Act 2000.

Use of Six Town Housing’s equipment for personal access to the Internet is made entirely at your own risk.

3.2. Misuse

You must not knowingly use Six Town Housing’s Internet facilities to access or download the following types of information:

• criminal information (e.g. racist or terrorist propaganda)

• pornography, abusive, defamatory, offensive, obscene, or malicious information

• information that makes improper or discriminatory reference to a person’s race, colour, religion or belief, gender, gender re-assignment, sexuality, age, creed, national origin, disability, caring responsibilities or physique

• any information that might be perceived as damaging or likely to damage Six Town Housing’s reputation

If you need access to any filtered sites in order to do your job, you must ask your Supervisor / Manager to submit a request on your behalf to the Six Town ICT Team.

If you encounter inappropriate information by accident you must inform the Six Town ICT Team. Six Town Housing ICT must also ensure that the site is added to the Six Town Housing Internet Firewall to prevent further access.

You must adhere to relevant legislation and to existing Six Town Housing Policies e.g. The Race Relations Amendment Act, Dignity at Work policy and to the Code of Conduct with regard to your use of the Internet.

You must not use Six Town Housing’s Internet facilities to upload, download or otherwise transmit commercial software or any copyrighted materials belonging to parties outside of the organisation, or to the organisation itself.

You must not make unauthorised use of the Six Town Housing corporate logo or name on any websites.

You must not use the Internet at any time for either private commercial purposes or personal gain.

You must not post advertisements for the sale of goods on Internet Websites (e.g. the ‘eBay’ Internet web site) using your Six Town Housing Email address as your contact details.

You must not download files for personal use (including video, music, other multimedia, etc.) using "peer to peer networking" or similar technologies even during your own time. This type of traffic can seriously disrupt the performance of the Internet link and interfere with legitimate Six Town Housing business.

You must not use "instant messaging" software (Microsoft Messenger, Skype, etc.) on Six Town Housing's Internet connection, as this contravenes anti-virus controls.

Any employee, agent or contractor found to be in breach or in any way contravening the provisions of this document will be subject to disciplinary action.

3.3. Software downloads

You must not download software from the Internet for non work-related purposes.

The Six Town ICT Team will make available the latest versions of approved downloadable software on the Intranet, e.g. Adobe Acrobat Reader. If the downloadable software requires a licence, you must contact Six Town Housing ICT, who will purchase the necessary licence and update software inventories. See Section 5 – Software Asset Management.

The greatest risk from viruses lies in downloaded programmes and executable files. The deliberate act of spreading viruses is subject to prosecution under the Computer Misuse Act 1990.

3.4. Purchases over the Internet

You can make purchases over the Internet on behalf of Six Town Housing as long as your Director has approved this for your department.

You may make personal purchases on the Internet in your own time, at your own expense and entirely at your own risk, providing that the goods are not delivered to Six Town Housing premises.

4. Email

4.1. Legal Implications

Any communications and information transmitted, received or archived by Six Town computer systems belong to Six Town Housing. Emails held on Six Town equipment are considered to be part of the corporate record. Reasonable personal use is permitted, provided that it is legal, not excessive and does not interfere with work-related performance. Six Town Housing reserves the right to monitor usage of email to ensure security and operational availability. It also reserves the right to access and disclose any email to ensure compliance with all relevant UK and EC legislation / guidance / directives / regulations and this and any other relevant policy of this organisation.

Please refer to Appendix A for an indication of the current legislation.

In particular, it should be noted that the contents of emails may be disclosed under the Freedom of Information Act 2000. With this in mind, you must word emails appropriately in all cases and, in particular, not send emails that contain references which could be construed as:

• Personally insulting to a third party

• A show of personal bias by an employee against someone / organisation

• Exchange of views about the personality of a third party

4.2. Monitoring email use

Use of Six Town Housing’s email system is subject to regular monitoring and filtering for security and/or network management reasons. We reserve the right to intercept emails that contravene the provisions of this policy.

You should have no expectation of privacy for any personal email that you send or receive via your work email account.

Managers or authorised officers may access an employee’s email account without the employee’s permission in exceptional circumstances, such as:

Absence (e.g. due to sickness, holiday or business commitment) where there is a need to access messages in order to carry out the normal functions of Six Town Housing.

Where there is a suspicion of misuse.

4.3. Access

All requests for email access must be made to Six Town ICT, via your Line Manager.

4.4. Personal use

You are allowed to send personal emails in your own time, as long as you abide by the provisions listed in Section 4.5 ‘Use and Misuse’.

You should have no expectation of privacy for any personal email that you send or receive via your work email account.

4.5. Use and Misuse

Email has the same legal standing as other forms of written communication and requires considerable care.

You must be aware that you and/or Six Town Housing might be held liable in law for any email sent by you that could be construed as libellous or defamatory. It is your responsibility to ensure that your emails cannot be construed in this way. If you are unsure of the suitability of the content of an email, you should seek clarification from your line manager.

Certain types of misuse of the email system could lead to disciplinary action under Six Town Housing’s existing policies e.g. The Race Relations Amendment Act, Dignity at Work policy, the staff Code of Conduct or any such established policies that may apply.

You must comply with the provisions listed below in your use of Six Town Housing’s email system; failure to do so may lead to disciplinary action.

You must not exchange frivolous personal emails with other Six Town Housing employees.

You must not send an excessive number of personal external emails using the corporate email service. Personal emails should only be used exceptionally, sparingly and in your own time. Anything in excess of 10 per week should be done using a non-work email account (e.g. a web-based email account), again in your own time.

You must not use Six Town Housing’s email system in pursuit of any private commercial interests or for personal gain.

You must not send unsolicited advertising or promotional material not connected with Six Town Housing’s business on Six Town Housing’s email system.

You must not use Six Town Housing’s email system for fraudulent purposes or in connection with a criminal offence or unlawful activity.

You must not use your Six Town Housing email address to register on any non-work related websites or distribution lists. In such instances you should use your home email or webmail address as your contact address.

The sending of email messages which are abusive, defamatory, offensive, obscene, or malicious; or which make improper or discriminatory reference to a person’s race, colour, religion or belief, gender, gender re-assignment, sexuality, age, creed, national origin, disability, caring responsibilities or physique; or which might be perceived as damaging or likely to damage Six Town Housing’s reputation is prohibited.

If you receive an email that falls within any of the above mentioned categories, you must report it to Six Town Housing ICT.

You must not send emails to cause annoyance, inconvenience or needless anxiety.

It is forbidden to make emails appear as though they have originated from someone else.

4.6. Global Emails and Emails sent to large numbers of people.

Global emails are emails sent to the ‘Six Town Housing’ address or to all entries in the Email address book. Only nominated officers are permitted to send global emails and these officers must follow the guidelines below:

Where possible, the Staff Message Board should be used instead of a global email.

Global emails must relate to Six Town Housing business.

Where possible, they must be sent before 09.00 or after 17.00

Where possible, attached documents should not be sent and a link to an Intranet web page used instead. You should contact the Six Town Housing ICT Team if you do not know how to do this.

If you require temporary permissions to send a global email, you should contact Six Town Housing ICT.

You should not send emails to large numbers of people unless the subject of the email is directly relevant to their job. Sending unsolicited emails to many users is wasteful of their time and can disrupt the service for other users.

4.7. Chain emails

Chain emails are emails that request the recipient to forward the email to a number of other users, instructing them to do the same. The sending of chain emails is strictly forbidden.

4.8. Viruses via the Email system

The Email system is protected, as far as possible, against viruses, by means of anti-virus software, which operates automatically. You should, however, remain aware of the danger of spreading viruses. Negligent virus transmission is classed as inappropriate use of email and may be subject to disciplinary action.

You should also note that the deliberate act of spreading viruses is subject to prosecution under the Computer Misuse Act 1990.

Attachments in unsolicited emails from sources that are not known or reputable must not be opened. Similarly, don’t attempt to access any links that are included in any unsolicited emails or follow any instructions that tell you to delete or otherwise tamper with PC files, unless the email originates from the Six Town ICT Team. If you are ever unsure, contact the Six Town ICT Team.

4.9. Emails and Contracts

Employees must be conscious that binding contracts can be formed by the exchange of emails.

As any outgoing email will identify the sender as working for Six Town Housing, it may be seen as an official response. No unauthorised indication of ostensible authority to enter into contracts on behalf of Six Town should be given in any email.

4.10. Emails and Harassment / Pornography

It is not permitted to transmit, retrieve or store information that is offensive, discriminatory, harassing, or pornographic, on any of the computer systems or magnetic media belonging to Six Town Housing. If you receive an email of this nature, you must inform your line manager, who should then exercise discretion upon appropriate follow-up action.

4.11 Emails and confidential information

Non-work email accounts (such as webmail accounts) must not be used to conduct or support official Six Town Housing business. Staff must ensure that any emails containing sensitive information are sent from an official Six Town Housing email account. All emails that represent aspects of Six Town Housing business or Six Town Housing administrative arrangements are the property of Six Town Housing and not of any individual employee. All emails that are used to conduct or support official Six Town Housing business must be sent using a Six Town Housing email address.

Six Town Housing data must not be forwarded to personal web-based email accounts.

You must not assume that electronic communications are totally private; emails may be intercepted or misdirected.

Email messages cannot be protected from unauthorised access caused by the user failing to maintain password confidentiality or leaving the computer unattended when logged onto the system. It is your responsibility to not divulge your password to anyone and to ensure you log out of, or lock, your workstation when it is left unattended. You should not expect any messages sent on Six Town Housing’s network between the sender and the recipient(s) to be for private viewing only.

This should be taken into consideration should you need to send confidential, personal or other sensitive information via email. When sending confidential or sensitive information by email, the measures below must be followed:

• Do not send e-mails and attachments containing sensitive information to a generic e-mail address (e.g. [email protected]); the email address should be a named individual.

• Make sure that you have sent data to the right person and check that they have received it.

• It is possible to increase the security of information sent by email by placing it in a ‘zip’ file and password-protecting the zip file. The password can then be passed to the recipient by phone.

Even if you are sending e-mail and attachments internally, remember it may not be read in a secure environment as Six Town Housing employees can remotely access their e-mails.

If you receive an incorrectly addressed email message, you should return it to the sender.

If such emails contain confidential information, use must not be made of that information, nor must it be disclosed or sent to other users.

Care must be taken when replying to emails, particularly those that consist of a chain of passed-on emails. These emails may hold sensitive and/or confidential information. You must either read and thoroughly vet all information before replying or passing on the email, or sever the chain and write a fresh email.

4.12 GCSX email

Staff who use the GCSX network will also have access to a secure GCSX mailbox, separate from their normal Six Town Housing mailbox. This will be used for all GCSX mail. Mail sent via this route will go through processing and filters as appropriate on the GCSX network and will be subject to security monitoring by the GCSX network operators.

The GCSX email service provides a secure and encrypted path for exchanging information with central government departments and other public bodies using the network. Email between GCSX users is not transmitted over public networks.

Protective marking (see section 4.13 below) is applicable to all email sent via the GCSX route.

4.13 Security Classification : Protective Marking for email

Outgoing email should be protectively marked according to the sensitivity of the information being transmitted. Classification is used in order to ensure the required level of protection is afforded to information. The practice is covered in the HMG Security Policy Framework and focuses on the impact of release / loss of information. Six Town Housing uses three categories for classification of data that indicate the impact of the unauthorised disclosure of the information.

RESTRICTED : causes substantial distress to a large section of the community or has a detrimental impact on the running of Six Town Housing.

PROTECTED : causes some distress to a limited number of individuals.

NOT PROTECTED : information that doesn’t need protective marking.

4.14 E-mail disclaimer

All external e-mails (i.e. e-mails sent outside of Six Town Housing) automatically include the following disclaimer:

“Incoming and outgoing email messages are routinely monitored for compliance. The information contained in this e-mail and any files transmitted with it is for the intended recipient(s) alone. It may contain confidential information that is exempt from the disclosure under English law and may also be covered by legal, professional or other privilege. If you are not the intended recipient, you must not copy, distribute or take any action in reliance on it. If you have received this e-mail in error, please notify us immediately by using the reply facility on your e-mail system. If this message is being transmitted over the Internet, be aware that it may be intercepted by third parties.

As a public body, Six Town Housing may be required to disclose this e-mail or any response to it under the Freedom of Information Act 2000 unless the information in it is covered by one of the exemptions in the Act.”

5. Software Asset Management

5.1. Software Acquisition

All computer software must be purchased via Six Town Housing ICT, in accordance with Six Town Housing’s Financial Regulations and Procurement Procedures (including e-procurement).

5.2. Software Delivery

All computer software must be delivered to Six Town Housing ICT, who must ensure that the software is stored in a fireproof lockable cupboard, and that access to it is controlled. All software must be included in the organisational inventories.

5.3. Software Installation

The Six Town Housing ICT Unit must be contacted for software installations. The Unit will either install the software or make appropriate arrangements with individual sections / officers for regular updates to approved software, where necessary.

5.4. Software Compliance and Documentation

Six Town Housing ICT must ensure that the appropriate software licence is bought for all software purchased or installed within the organisation. Software licences and any other proof of licence must be securely stored. Six Town Housing ICT are also responsible for ensuring that an inventory is maintained of all software licences purchased by the department.

5.5. Software Movements

Six Town Housing ICT must be contacted when software needs to be installed and / or deleted, and must update software inventories accordingly.

5.6. Software Disposal

Six Town Housing ICT are responsible for destroying software media and licences, in accordance with the Procedure for the disposal of computer software and IT equipment, which is in Appendix B of this document. Software inventories must be updated accordingly.

5.7. Shareware, Freeware and Public Domain Software

Shareware, Freeware and Public Domain Software are bound by the same policies and procedures as all software. No user may install any free or evaluation software onto Six Town Housing’s systems without prior approval from the Six Town ICT Unit.

5.8. Games and Screensavers

Only Six Town Housing’s standard screensaver and Desktop ‘wallpaper’ may be used. Games that form part of the operating system must only be used in employees’ own time. Use of any other games is strictly prohibited. Games or screensavers must not be downloaded from the Internet.

5.9. Illegal software copying

You must not make copies of computer software owned by Six Town Housing for private use. Misuse of Six Town Housing’s software in this manner will result in disciplinary action.

6. Hardware Asset Management

6.1. Hardware Acquisition

All computer hardware must be purchased from the organisation’s approved hardware suppliers via Six Town Housing ICT, in accordance with the organisation’s Financial Regulations and Procurement Procedures (including e-procurement).

6.2. Hardware Maintenance

Maintenance of IT equipment must only be undertaken by the Six Town Housing ICT Unit, or by a contractor approved by it. All maintenance requests and fault reporting must be made to the Six Town Housing ICT Unit.

6.3. Hardware Inventories

The Six Town Housing ICT Unit is responsible for ensuring that all IT equipment is asset labelled, and included in any organisational inventories, in accordance with Financial Regulations. This inventory must include a description of the equipment, the serial number and the Six Town Housing ICT Unit’s asset number.

6.4. Hardware Movements

The Six Town Housing ICT Unit must be notified of all movement of hardware equipment. No IT equipment may be removed, except by the Six Town Housing ICT Unit or a contractor appointed by it. Equipment, data or software must not be taken off-site by employees without management authorisation. See Section 8.6 ‘Laptops/ Home Workers’

Six Town Housing ICT must maintain records detailing all IT assets taken off-site, and are also responsible for carrying out periodic checks of ‘off-site’ assets. See Section 8.6 ‘Laptops/ PDAs / Home Workers’

6.5. Hardware Disposal

Six Town Housing ICT are responsible for ensuring that all IT equipment is disposed of in accordance with Six Town Housing’s Procedure for the disposal of computer software and IT equipment (see Appendix B for details of this procedure).

7. Computer Systems and Data

7.1. Virus Controls

Anti-Virus Software

Anti-virus software must be installed on all file-servers, and networked and standalone PCs. The Six Town ICT Unit is responsible for ensuring that the anti-virus software is automatically updated on all file-servers and networked PCs.

Procedures for Virus Controls

The following procedures must be followed to minimise the risk of software virus infection:

Six Town Housing ICT Unit must be contacted about software installations (see Section 5.3 Software Installation).

You must not open files attached to unsolicited Emails that do not originate from known or reputable sources. If in doubt, contact Six Town Housing ICT.

All Six Town Housing-owned laptops must be connected to Six Town Housing network at least once a month for at least four hours in order to receive the latest anti-virus software and security software updates.

To ensure that Six Town Housing-owned PDAs are automatically updated with the latest antivirus software, they must be regularly connected to a networked-PC to synchronise files. The Anti-Virus updates will then be downloaded once a week.

If you are using a PDA for Six Town Housing business and it does not belong to Six Town Housing, you MUST ensure that the appropriate client software is installed to enable the download of anti-virus software from networked PCs. Contact Six Town ICT to arrange this.

To ensure that all ‘Smartphones’ (i.e. those that run the Windows Operating System, iOS, Android etc) are regularly updated with the latest anti-virus software, they must be manually synchronised once a week.

7.2. Procurement of computer systems

All relevant aspects of the policy must be taken into account during the development and maintenance of systems both by in-house staff and contractors. The provisions of this policy and the organisation’s Procurement Procedures must also be considered during the procurement of new computer systems.

Six Town Housing ICT must be informed of all proposals for software and hardware procurement, or software development.

7.3. Systems Development

All computer programmes and data developed by Six Town Housing are for the sole purpose of Six Town Housing’s business and access by employees is solely for this purpose except by express written permission of Six Town Housing or Chief Executive. Staff negotiating contracts, under which specific software is to be written for Six Town Housing must seek to ensure that suitable arrangements are made for the copyright to be vested in Six Town Housing.

Six Town Housing owns the Copyright for all Software that has been developed by Employees and Contractors in the course of their employment with Six Town Housing, for specific use by Six Town Housing.

7.4. Control of proprietary software copying

Proprietary software products are usually supplied under a licence agreement that limits the use of the products, and limits the copying to back-up copies only. In line with the Copyright, Design and Patents Act 1988, it is Six Town Housing policy that no copyright material is to be copied without the owner’s consent. If copies of software in excess of those specified in the licence agreement are required the owner’s written consent must be obtained. This consent must then be held together with the licence. Under certain licence agreements a copy of the software may be held on computers not belonging to the organisation. Clarification of the legal position must be obtained before installing such a copy, which must then conform to all requirements of the owner.

7.5. Data Security

All Six Town Housing data remains the property of Six Town Housing and is confidential. All employees must take due care when handling and sharing Six Town Housing data to prevent unauthorised access to information; this applies to all information, whether it’s held on a computer or on any other media, including paper.

Managers' responsibilities

Managers are responsible for agreeing and monitoring procedures for ensuring the security of work, information, data and files under an employee’s control. Where individuals need to work from home or out of the office, you must consider the option of Remote Access to ICT Systems, which provides secure access to ICT systems and files. Contact Six Town Housing ICT to arrange this.

Managers must take due care in the positioning of PC monitors in public areas, taking into consideration the sensitivity of the information that may be displayed on them.

Users' responsibilities

Whether working at a Six Town Housing location or at another site, including the employees’ home, employees must take all reasonable precautions to protect information relating to employment with the organisation.

Computer files not held on the organisation’s networked drives must be regularly backed up onto disc and stored securely at the office base. Special care must be taken to safeguard the security of Six Town Housing data stored on removable media, in particular CDs, DVDs, Floppy disks, Pen Drives, Digital Camera memory cards, Digital Pens, and data held on PDAs and ‘Smartphones’ (i.e. those that run the Windows Operating System, iOS, Android etc).

It is recommended that flexible work base employees keep work life and domestic life separate. In particular, where there is a risk that other household occupants might gain access to work related computer files, these should be password protected.

Care should be taken not to inadvertently disclose passwords. Flexible work base employees should comply with the organisation’s systems and departmental procedures for keeping anti-virus software up-to-date (see Section 7.1) and logging off or locking their workstation when a computer is not in use.

Data Protection Act 1998

Computer systems that hold personal information about individuals must comply with the requirements of the Data Protection Act 1998. Six Town Housing’s Data Protection Policy sets out in detail how compliance will be achieved. The 2 main requirements of the Act are:

Notification to the Information Commissioner of the purpose(s) for which information is processed.

Compliance with the 8 Data Protection Principles (see Appendix C for further details)

The officer responsible for controlling the data held on a system must ensure that Six Town Housing’s Data Protection Co-ordinator has made the appropriate Notification and that the use of the system complies with the Notified Entry. Any subsequent changes to the system or use of data must also be notified immediately to the Co-ordinator before the system uses such data.

“Processing” is a term defined in the Data Protection Act as any action that is done in respect of data whilst in Six Town Housing’s possession. It includes obtaining, recording, viewing, transmission, storing, adapting or alteration, disclosure, destruction and erasing.

The Data Protection principles form the backbone of the Act and their importance is emphasised by the penalties that can be imposed on Six Town Housing for non-compliance. The Principles set out the framework within which Six Town Housing must operate in respect of the data it processes.

Personal data must only be disclosed in accordance with Six Town Housing’s Notification Entry that sets out to whom the information can be disclosed. Storage and disposal of such data either in the form of computer print out or original manuscript copy must be made with due regard to its sensitivity. Do not leave people’s personal files on your desk.

Disposal of waste computer printed output must be done with due regard to its sensitivity. Each department is responsible for deciding on retention periods of printouts and ensuring that all legal requirements are met. After the expiry date confidential waste must be shredded prior to disposal.

If you are disposing of pen drives, CDs, DVDs and any other electronic devices, do so securely, so that the information previously stored on them cannot be recovered. CDs and DVDs can be scratched to damage them and therefore make the data unreadable. If you need to dispose of a pen drive, please contact Six Town Housing ICT. Do not place any of these portable devices in the rubbish bin.

Information held on computer which contains data about any identifiable living individuals is likely to be subject to the Data Protection Act 1998. Flexible work base employees, as employees, do not need to register separately under this Act as they are covered by the organisation’s Register entry. But flexible work base employees must know and understand their obligation to keep data about any identifiable living individuals confidential and secure, to operate within the terms of the organisation’s Data Protection Register entry, and to comply with the 8 Data Protection Principles.

Sending personal data on paper or on portable media. If it is necessary to send personal data to another organisation on disk or other portable media such as CD, DVD, memory stick, the following measures must be followed:

Consider what the effect would be on individuals if the data were lost

Use Royal Mail special delivery or a courier firm that has track and trace

Third party requests

Be careful if you receive a request from a third party (an organisation or individual outside Six Town Housing) for personal data we hold. ‘Blaggers’ make a business out of, and are very skilled at, obtaining personal data under false pretences. You must consult with your line manager when dealing with these requests.

If there is a business rule to deal with such situations, follow it! If there is not one in place, check with your Business Manager.

Satisfy yourself that the person is who they say they are.

Ask for the request in writing

Take a phone number (preferably a switchboard number, not a direct line)

Keep a record of such requests

8. Computer and Network Management

8.1. Housekeeping

General

It is vital that backup procedures are in place and documented to maintain the availability, integrity and confidentiality of data. A full Disaster Recovery plan will be available in a separate document in the near future.

The Six Town ICT Unit must ensure that appropriate back-ups are undertaken for all Unix systems and Windows servers located in the Central Computer Suite and at the Backup Computer Suites.

They are also responsible for ensuring that appropriate backups are undertaken for all fileservers and standalone PCs located in their department.

Procedures

The following procedures must be followed:

Media containing back-ups must be stored in a fireproof safe or lockable cupboard.

Back-up tapes should be stored away from the primary site. If this is not practicable, consideration must be given to backing up electronically, to a remote hard disk over the network.

Recovery procedures using back-ups must be tested annually, as a minimum.

Fileservers and Unix Systems

The Six Town ICT Unit and system owners must together decide on appropriate back-up procedures for fileservers and Unix systems. Where fileservers are located in user departments, a nominated user is responsible for the loading and storing of back-up tapes. All back-up tapes must be clearly marked and stored in a secure location (see ‘Tape Storage’ section below)

The Email Server

The Exchange email system is backed up every evening and the backup cycle is rotated over a 4 week period.

Users are responsible for the management of their own email account. Any email item that is deleted by the user from their ‘Deleted Items’ folder remains on the Email Server for 35 days, after which it is removed and is unrecoverable.

All Email items older than 3 months are automatically moved to an Email Archive facility, known as the ‘Enterprise Vault’. The Enterprise Vault archives information stored in private and public folders on the Microsoft Exchange Server, including messages, documents, spreadsheets, and graphics, all of which are visible and accessible via Outlook. Archived items stored in the Enterprise Vault are also backed up every evening on a 4 week cycle.

PCs, Laptops, Tablet PCs, PDAs and all mobile devices

All users whose PCs have access to a fileserver must store all data on the fileserver and not on the local hard drive of the PC.

Users who do not have access to a fileserver must make appropriate arrangements to ensure all data is regularly and safely backed-up. You should contact Six Town Housing ICT if you are unsure of the best back-up solution for your data.

Whilst working in PC applications, you should regularly save your work to avoid losing data in the case of a system failure.

If you are using a laptop off the network, you must ensure that the data is backed up regularly to floppy disks, CDs, DVDs or pen drives, which should be stored securely.

This data must also be transferred to a fileserver, where possible.

Data entered on a PDA or collected via a Digital Pen must also be transferred to a networked PC as soon as possible, and the PDA and Digital Pen stored safely when not in use.

Tape Storage

Back-up copies of data must be held in a safe and secure environment separate from the computer installation. The selection of this secure area should take into account the same hazards as the computer installation itself. The location should be sufficiently remote from the computer installation to avoid the possibility of any disaster affecting the computer also affecting the back-up.

Recovery from Back-up

It is important to check regularly that the recovery from back-up files works satisfactorily. This must include being able to identify and re-input all important data that have been entered since the last back-up was taken.

8.2. Network Management

Access

If you require access to the Six Town Housing network you must contact Six Town Housing ICT via your Line Manager.

When an employee leaves the organisation, their access to computer systems and data must be deleted on the employee’s last working day. It is the responsibility of Six Town Housing HR to request this deletion via Six Town Housing ICT. Similarly, Six Town Housing HR must inform Six Town Housing ICT when any staff change jobs within the organisation. Six Town Housing ICT will then amend that user’s systems access, as appropriate.

Administrator Access

The privilege levels assigned to members of the Six Town Housing ICT Unit must be commensurate with the tasks they are expected to perform. Full domain administrator privileges must be restricted to fully-trained Technical Support staff only.

External connections to the Network

Remote access to the network by Six Town Housing staff must be authorised by your line manager or supervisor. Access is by two factor authentication consisting of network username and password plus an access pin generated from an Entrust authentication token.

Suppliers’ and External agencies’ access to Six Town Housing Network

Partner agencies or third-party suppliers must contact Six Town Housing ICT in order to be set up for remote access to the Six Town Housing network. A remote access account is set up for each external supplier once they have provided the necessary company information and system access requirements and the request has been sanctioned by the Strategic ICT Coordinator.

Once set up and enabled, two factor authentication is required to access the account. The third-party supplier’s account is disabled when not in use. Any changes to, or request for a supplier connection or disconnection must be sent to the Bury Council ICT Service Desk (copying in Six Town Housing ICT) so that access can be updated or ceased.

All permissions and access methods must be controlled by Bury Council’s ICT Service Desk (asking Six Town Housing ICT for permission to activate the third-party account where appropriate). No partner agency or third-party supplier should be given details of how to access Six Town’s network without the formal approval of the Strategic ICT Coordinator.

The disclosure of connectivity details without the formal approval of the Strategic ICT Coordinator will be considered a breach of Six Town Housing’s Security Policy.

General

You must not intentionally interfere with the normal operation of the network, including the propagation of computer viruses and sustained high volume network traffic that substantially hinders others in their use of the network.

8.3. Fault logging

You should report all apparent faults with computer services to Six Town Housing ICT, who will issue you with a unique call reference number. This call number should then be quoted in any subsequent communication regarding the incident.

8.4. Change Control

When implementing any change to IT equipment or software used in the provision of any agreed service, Six Town Housing ICT will maintain and follow change control procedures to ensure minimal disruption to service.

Six Town Housing ICT will ensure that:

changes are tested within a test environment, when possible, and implemented using change control procedures.

compatibility is maintained between the changed item and all related hardware and software (whether operating system or application software).

changes are scheduled in order to minimise risk to the operation of services.

Where a major system change is required on a customer’s system, Six Town Housing ICT will agree an implementation date with the customer in advance, after first assessing any impact on other related services.

Six Town ICT must ensure that advice is provided to departments to ensure that no requested change compromises security, ICT standards, ICT Strategies, other relevant codes, policies or standards, or conflicts with other user demands.

Where Six Town Housing ICT wishes to implement a change that requires a period of downtime for any service, or alters the usage of the service, Six Town Housing ICT will notify the system’s key users in advance. These key users must then notify all other users of that system within their section / department.

9. Physical Security

9.1. Central Computer Suite

Environmental Control

The Central Computer Suite must have environmental controls to detect fire, flooding and fluctuation in humidity and temperature.

Emergency ‘power off’ facilities must be available in the Central Computer Suite. UPS (Uninterrupted Power Supply) must be in place to avoid failure following lightning or power surges.

Physical Access control

The Computer Suite doors must be secured at all times, and access restricted to authorised personnel only.

A log must be kept of all visitors, maintenance and engineering staff given access to the Central Computer suite.

All visitors to the Central Computer Suite must have specific visitor badges and be accompanied at all times.

Employees must bring to the attention of their Supervisor any unauthorised access to the Central Computer Suite.

Employees must not transfer identity cards or access tokens to unauthorised personnel. All known breaches of security in the Central Computer Suite must be reported to the Six Town ICT Unit, who will inform the relevant Officers. Such incidents include:

Emergencies and disasters such as flood, fire, power failure and theft

Any suspected security violations

Any suspected sabotage attempts

Computer virus contamination

9.2. IT Equipment located in Departments

All fileservers located outside of the Central Computer Suite must be sited in a physically secure environment.

The user department must ensure that doors and windows are properly secured.

The user department must not allow such equipment to be moved, modified, maintained or repaired by any person other than those authorised or approved by Six Town Housing ICT.

All Fileservers and communications equipment must remain switched on. Such equipment should be properly identified and marked.

Access codes to Six Town Housing’s buildings must not be disclosed to unauthorised personnel.

9.3. IT Equipment in Public Access Areas

Where equipment is located within areas freely used by members of the public, or in insecure offices and left unattended for periods of time, particular measures must be taken to make the equipment as secure as possible e.g. secure it to the work surface.

See Section 10.6 ‘Public Access PCs’ for measures that must be taken to ensure system security on public access PCs.

9.4. Equipment Security

Equipment should be sited:

to avoid unauthorised access or theft; workstations handling sensitive data should be positioned so as to eliminate the risk of overlooking.

to reduce risks from environmental hazards, for example, heat, fire, smoke, water, dust, vibration, chemical effects, electrical supply interference and electromagnetic radiation.

Other considerations:

Equipment should not be located near windows, where possible

Appropriate safety equipment should be installed, such as heat and smoke detectors, fire alarms, fire extinguishing equipment and escape routes. Safety equipment should be checked regularly, in accordance with manufacturers’ instructions and Health & Safety procedures.

9.5. Personal use of Six Town Housing’s IT equipment

IT equipment is provided primarily for business-related tasks only, but with the prior agreement of your line manager, you may be permitted to use the equipment in your own time for personal use. You may be required to contribute to the cost of computer consumables in respect of personal use.

However, you must not use Six Town Housing-owned equipment to store personal files e.g. photographs, music and movie files. Storing these files takes up valuable resources and can seriously hamper the recovery of Six Town Housing data in a disaster recovery situation.

9.6. Laptop Computers / PDAs / Mobile Phones / Home Workers

Six Town Housing ICT

Each section or department must have a nominated officer who is responsible for the management of all IT equipment that is taken off council premises. The nominated officer must maintain records to indicate which IT equipment has been taken off-site, by whom and the dates of the loan.

The provisions of this Policy apply to the use of IT equipment used off Six Town Housing premises, and users must be made aware of their responsibilities when taking IT equipment off-site.

If any inappropriate material is found on Laptops, PDAs, or Tablet PCs, the Line Manager must be informed immediately. Six Town Housing reserves the right to inspect and recall IT Equipment at any time.

From December 2008, all new laptops must be purchased with the recommended encryption solution and have their hardware drives encrypted to help safeguard the data stored on them.

Please contact Six Town Housing ICT to arrange this. Once the encryption software has been installed, the equipment must be connected to Six Town Housing network at least once every 58 days in order to resynchronise the software.

In addition, Managers should review the use of laptops within their area of responsibility and purchase encryption software for any that may have been used for storing sensitive data.

Users’ responsibilities

Adequate steps must be taken to ensure the physical safety of IT equipment and the safety of any data stored on it. This applies to laptops, tablet PCs, PDAs, ‘Smartphones’ (i.e. those that run the Windows Operating System) and any removable media, including Pen Drives, CDs, DVDs, floppy disks, Digital Camera Memory Cards, Digital Pens etc.

Six Town Housing laptop computers and similar devices must not be taken outside of the United Kingdom and connections to Six Town Housing's Citrix Access Gateway (CAG) must not be made from anywhere outside the UK. This is a condition of having the connection from Six Town Housing's network to GCSX.

9.7. Advice on the use of pen drives, CDs, DVDs and other portable devices

Do not store confidential/sensitive information on these devices (unless encrypted and protected with a secure password).

Do delete confidential/sensitive information from (encrypted) devices as soon as it no longer needs to be there.

You are personally responsible for the safety of any Six Town Housing information/data you store on such devices. If you remove it from Six Town Housing premises you are responsible for ensuring its safe transport.

If you lose a device, report the loss to your line manager and/or the owner of the data immediately.

10. System Security

10.1. Access control

Each user should be allocated access rights and permissions to computer systems and data commensurate with the tasks they are expected to perform.

10.2. User registration

If you require access to Six Town Housing’s computer systems, you must firstly contact your Line Manager for authorisation. The Line Manager must then process the request via Six Town Housing ICT.

10.3. Systems Access Management

When an employee leaves Six Town Housing, their access to computer systems and data must be deleted on the employee’s last working day. It is the responsibility of Six Town HR to request this deletion via Six Town Housing ICT. Similarly, Six Town Housing HR must inform Six Town Housing ICT when any staff change jobs within the organisation. Six Town Housing ICT will then amend that user’s systems access, as appropriate.

10.4. User password management

Access to Six Town Housing’s computer network must be dependent upon the entry of a valid user id and password. Each user must have their own user id and password. All users must have unique passwords for both connecting to the network and for access into different systems. The Six Town Housing ICT Unit ensures that network passwords are set to expire automatically after 30 days, and the user is asked on screen to change their password. Where it is not possible to enforce automatic password changes on individual systems, the system owner should set standards for password changes, and devise procedures to ensure compliance. The password system must ‘end session’ after three unsuccessful log-in attempts. Where PC systems or files are to be password protected, departments must ensure that suitable procedures are in place to control password use.

10.5. User Responsibilities

Employees must not examine, change or use another person’s email account, files, or output for which they do not have explicit authorisation.

Password use

Passwords should be a minimum of seven characters, not be readily “guessed” i.e. not in a dictionary and comprise a mixture of alphabetic and numeric characters.

Avoid the use of passwords based on dates, family names, car registration numbers, telephone numbers, user names, or other easily guessed words. Passwords should include a mixture of upper and lower case letters, symbols and numbers e.g. P@ssW0rd98.

Passwords must never be disclosed to anyone.

Keep your password secure and private.

The use of another person’s user id and password is not allowed.

Temporary passwords must be changed at the first log-on.

Passwords should not be written down.

A password must be changed immediately if it is suspected that it has been compromised, and the matter reported to Six Town Housing ICT.

Passwords must not be included in any automated log-on procedures, macros or function keys.

Unattended user equipment

PCs must not be left unattended when logged-in to applications. Whenever you leave your PC you must lock the screen to prevent anyone using it in your absence. This is to protect Six Town data and the integrity of your own email facilities. If any networked PCs are left unattended inadvertently (and/or are unused) then the screen will lock automatically after 30 minutes. You must log out of systems and the network every night and switch off your PC, unless specifically requested not to do so.

In addition to security considerations, this saves electricity and reduces the risk of fire.

10.6. Public Access PCs

Where PCs are provided for public access, consideration must be given to PC system security and the security of Six Town Housing’s network and other computer networks. This can be achieved through the implementation of specialist software and an Acceptable Use policy.

Contact Six Town Housing ICT for advice and guidance on specialist software that helps to maintain system security on public access PCs.

Appendix D gives an example of an Acceptable Use policy that is currently in use in the Council libraries. This example can be used as a guide by other departments when drawing up an Acceptable Use policy for public access PCs in their department.

11. Use of Six Town Housing’s telephone network

11.1. Telephone Installations and amendments

All requests for telephone installations or changes to telephone details must be made in the first instance to Six Town Housing ICT.

11.2. Private Telephone Calls

Private telephone calls should be made in your own time, where possible. You must make a note of the private calls you have made and pay for them, in line with the organisation’s charging procedure for Private Telephone Calls.

11.3. Mobile Phones

Should you require a mobile phone, you must contact your Line Manager, in accordance with departmental procedures. All new mobile phones must be obtained in line with corporate arrangements through Corporate Procurement. Mobile phones provided by the organisation must be used in accordance with the current Mobile Telephone User Procedure.

11.4. Calls to Directory Enquiries

Calls to Directory Enquiries cannot be made. Please use the BT or Yellow Pages websites instead.

11.5. Telephone Bills

All telephone lines should form part of Six Town Housing’s corporate contract. All invoices for telephone usage and rental are paid centrally and are monitored and checked by the ICT Unit’s Telephone Team to ensure appropriate usage.

If there are telephone lines which are not part of the corporate contract then users should contact the ICT Telephones Team to get the lines ported to the corporate contract.

11.6. The organisation’s telephone directory on the Intranet

All relevant names and extension details should be available on the organisation’s Who’s Who pages held on the Intranet.

11.7. Telecommunications records and reports

All telecommunications records and reports should be treated as confidential and disposed of as confidential waste.

11.8. SMS Texting Service

SMS texting is another mode of communication that enables users to send texts to mobile phones and landlines.

You must not use this service in any way that conflicts with email or telephone acceptable usage. Failure to comply with these provisions may result in disciplinary action.

Use of the organisation’s SMS Texting service is subject to regular monitoring for security and / or network management reasons.

11.9. International calls

All requests to make International telephone calls must be made to Six Town Housing ICT confirming the call is for business use and has been approved by your Line Manager.

11.10. Malicious Call Tracing (MCT)

MCT is a call recording system for use when dealing with an abusive or threatening caller. This should only be used in very serious cases e.g. where the caller is threatening the safety of the staff member, the organisation or the Public. If you require this facility, your line manager should contact Six Town Housing ICT.

Appendix A - The Legal position

Everyone is obliged to abide by relevant UK and EC Legislation / guidance / directives / regulations and this and any other relevant policy of this organisation in connection with the use of ICT.

An illustrative list of relevant legislation / guidance / directives / regulations is set out below:

Copyright, Designs and Patents Act 1988

Freedom of Information Act 2000

Computer Misuse Act 1990

Theft Acts 1968 and 1978

Human Rights Act 1998

Regulation of Investigatory Powers (RIP) Act 2000

Police and Criminal Evidence Act 1984 [PACE]

Caldicott Report Principles

Data Protection Act 1998 (See Section 6.4)

Fraud Act 2006

The following may also be relevant to aspects of the operation or acquisition of information systems:

Copyright, Designs and Patents Act 1988

Freedom of Information Act 2000

Trademarks Act 1994

Computer Misuse Act 1990

Human Rights Act 1998

Regulation of Investigatory Powers (RIP) Act 2000

Police and Criminal Evidence Act 1984 [PACE]

Caldicott Report Principles

Data Protection Act 1998 (See Section 6.5)

The list of legislation / guidance / directives / regulations etc. in this policy is not exhaustive in relation to information security but is intended only as an indication of the range of measures that must be addressed / complied with. It is no substitute for reading and/or taking legal advice on the actual legislation.

Any reference to any statute / directive / guidance / regulation includes any statutory modification or re-enactment thereof.

Copyright, Designs and Patents Act 1988

Software is subject to the same copyright laws as other intellectual property.

Only software licensed from a software company, or developed by Six Town Housing's staff or agents, shall be installed and used.

Public Domain or Shareware software is available licence-free, or on a 'try before you buy' basis. Such software must only be used with the express permission of Management and should be registered and/or licence fees paid. Any form of software media can be a source for viruses. Accordingly, all media must be virus checked before use.

Copying of licensed software must only be in accordance with the licence.

The copyright of software developed by Six Town Housing staff, or its agents, is vested in Six Town Housing.

You must not copy, for your own use or gain, software licensed to Six Town Housing.

Computer Misuse Act 1990

This Act creates a criminal offence where there is:

Unauthorised access to computer 'material'

Unauthorised access with the intent to commit or facilitate a further, more serious, offence.

Unauthorised modification of any computer 'material'

Freedom of Information Act 2000

The Freedom of Information Act 2000 (FOIA 2000) makes provision for the disclosure of information held by public authorities or by persons providing services for them.

A request for information is any request which is in writing (including email or fax), in legible form and states the name and address of the correspondent.

The organisation must comply with the request for information promptly and, in any event, not later than 20 working days.

The Act describes what information is exempt from the requirement to give information; exemptions can be either ‘Absolute’ or ‘Qualified’. Where a qualified exemption applies, the organisation will have to apply a ‘Public Interest Test’.

Six Town Housing has a Document Management and Retention policy for all electronic and paper records, which must be adhered to. Keeping records for longer than is necessary breaks the 5th Data Protection Principle.

In addition, the contents of emails may be disclosed under this Act; therefore all emails should be appropriately worded in all cases.

Theft Acts 1968 and 1978

It is a criminal offence to appropriate any other person's property dishonestly with the intention of permanently depriving that person of it.

This includes intellectual property, and IT hardware, software and any related equipment, installation or facility.

It is also a criminal offence to obtain services or evade any liability for payment, by deception or to deliberately "make off" without paying for equipment or software.

Human Rights Act 1998

The Act brings into our law various human rights, including in particular, the right to respect for a person's private and family life which includes the right to private communications. The right can be interfered with in certain situations. In particular the monitoring by an employer of personal e-mails sent by an employee at work can be justified on the basis that:-

1. The interference is in accordance with the law (see Regulations below)

2. It is necessary to protect the rights and freedoms of others, or to prevent crime and disorder

3. The interference is proportionate i.e. the rights of the person whose e-mail is being intercepted are balanced against the rights of the employer and it is not excessive.

So if it is within the law (see below) and it prevents the sending of offensive or libellous emails, for example, it is justified because it prevents harassment of other employees or members of the public, and prevents damage to Six Town Housing's reputation as an organisation and thus the public of Bury.

RIPA

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (made under the Regulation of Investigatory Powers Act (RIPA) 2000).

These Regulations set out a new legal framework to govern the interception of communications, and establish when it is lawful to do so.

Organisations may authorise the monitoring or recording of communications systems without consent for the following purposes:

1. in order to establish the existence of facts relevant to the employer's business

2. to ensure compliance with regulatory practices or procedures

3. to ensure that standards are being achieved (e.g. in call centres)

4. in the interests of national security

5. to prevent or detect crime

6. to investigate unauthorised use of a system

7. to secure the effective operation of the system (e.g. to check for viruses)

8. to check whether the communications are relevant to the business (e.g. where the employee is absent and the employer needs to check the employee's emails)

9. to monitor communications made to anonymous telephone lines

In order to make such interceptions without consent, the employer must make all reasonable efforts to inform its staff that communications may be intercepted.

Caldicott Report Principles

1. Justify the purpose for which information is required;

2. Don’t use person-identifiable information unless it is absolutely necessary;

3. Use the minimum necessary person-identifiable information to satisfy the purpose;

4. Access to person-identifiable information should be on a strict need-to-know basis;

5. Everyone with access to person-identifiable information should be aware of their responsibilities;

6. Understand and comply with the law.

Computer Evidence in Criminal Cases

It is no longer necessary to prove the reliability of a computer before any statement in a document produced by a computer can be admitted in evidence. However, if it is shown that the computer is not working properly, it will affect the weight given to the evidence by the court. Maintenance must therefore be undertaken periodically.

The following may also be relevant to aspects of the operation or acquisition of Information systems:

Children Act 1989

Companies Act 1985

Criminal Justice and Public Order Act 1994

Defamation Act 1996

European Directives and Regulations

Human Rights Act 1998

The Health and Safety (Display Screen Equipment) Regulations 1992

Local Government Finance Act 1982

Race Relations Act 1976

Sex Discrimination Act 1975

The Theft Act 1968

Transfer of Undertakings (Protection of Employment) Regulations 1981

RIP Act 2000

N.B. - This second list is only intended to be indicative of the range of issues that must be considered. It is not a comprehensive list of legislation relating to information security.

Fraud Act 2006

Under the Fraud Act 2006, it is a criminal offence for a person to:

dishonestly make a false representation intending to make a gain for themselves or cause loss to another; or

dishonestly fail to disclose information, being under a legal duty to do so, intending to make a gain for themselves or cause loss to another; or

dishonestly abuse their position where they occupy a position in which they are expected to safeguard the interests of others or expected not to act against the financial interests of others.

Appendix B - Disposal of IT Equipment

Procedure for the disposal of Computer Hardware and Software

Computer Hardware

It is important that all computer hardware and software written off by the organisation is disposed of in a consistent and environmentally friendly way.

All disposals must also comply with the Waste electrical and electronic equipment (WEEE) directive. Bury Council ICT Unit are registered with the Environment Agency to dispose of hazardous waste.

Bury Council ICT Unit has arranged for a local company to collect such equipment for recycling. (That is, equipment that has a red label with an asset number on it, consisting of a screen, keyboard and/or base unit).

This company undertakes further cleansing of the hard disk before any reusable components are recovered and recycled. Six Town Housing are subject to charges for this service.

The following procedure must be followed whenever computer equipment is scrapped or written off.

1. The nominated officer within the department must approve the item of computer equipment to be written off and ensure that it is removed from their own departmental inventories/records. (See below for the names of nominated officers.)

2. Six Town Housing ICT must format the hard drive to remove all Six Town Housing data before the equipment leaves the organisation’s premises.

3. Six Town Housing ICT must then notify the Bury Council ICT Service Desk (preferably by email) of the asset numbers involved, so that the Asset Register held on the ICT Service Desk can be updated accordingly.

4. Six Town Housing ICT will arrange for the delivery of the hardware to the Bury Council ICT Service Desk, Town Hall Basement.

Disposal of electronic devices

If you are disposing of pen drives, CDs, DVDs and any other electronic devices, do so securely, so that the information previously stored on them cannot be recovered. CDs and DVDs can be scratched to damage them and therefore make the data unreadable. If you need to dispose of a pen drive, please contact the ICT Service Desk. Do not place any of these portable devices in the rubbish bin.

Movement of computer hardware from one department to another

There may be occasions when equipment is being removed from one department, and passed on for use by another department. In this case, the above points 1 and 3 must still be followed.

The equipment must then be returned to the ICT Unit, along with a completed installation form (from the department who is receiving the equipment). The ICT Unit will then rebuild the PC and check the specification and software licence where necessary.

Computer Software

Six Town Housing ICT are responsible for ensuring that redundant software media is destroyed and that Software Asset registers are altered accordingly.

Appendix C - DATA PROTECTION ACT 1998 PRINCIPLES

The 8 principles require that data shall be:

1. Fairly and lawfully obtained

Data shall be processed fairly and lawfully and not processed unless the data has been obtained subject to specific conditions. In addition “sensitive data” is subject to additional conditions.

2. Processed for limited purposes

Data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Adequate, relevant and not excessive

Data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.

4. Accurate

Data shall be accurate and where necessary kept up to date.

5. Not kept longer than necessary

Data shall not be kept longer than is necessary for that purpose(s).

6. Processed in accordance with the data subjects’ rights

Data shall be processed in accordance with the rights of Data Subjects under this Act.

7. Secure

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Not transferred to countries outside the EEA without adequate protection

Personal data shall not be transferred to a country or territory outside the E.U unless that country/territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Appendix D - Example of an Acceptable Use Policy

Below is an example of an Acceptable Use policy currently in use in Bury Council’s libraries. This example can be used as a guide by other departments when drawing up an Acceptable Use policy for public access PCs in their department.

1. Our service promise

1.1 Access to information and culture on the Internet is a fundamental part of the library service (please ask if you wish to see a copy of our ICT Policy, ‘Access the Future’).

1.2. The service will be free, with advertised charges for print outs. Access is available to all on a drop-in basis, and library members may book computers in advance. Because access is free we reserve the right to restrict computer access time to ensure fair access to all.

1.3 Staff will supervise use of these facilities and provide basic assistance for ‘quick’ problem solving. Staff will not, however, be able to provide lengthy assistance except when operating special services such as Bury Learning Libraries, Visual & Hearing Impairment Services.

1.4 Free 'Get You Started' training sessions will be available at all full-time libraries.

1.5 Dedicated access for children (aged 16 and under) will be available at some locations. Children 13 or younger may use the adult services as long as an adult is present (proof of age may be requested).

2. Your responsibilities as a user

2.1 We reserve the right to monitor your computer usage, and ban users who are behaving unacceptably. You must not:

Break the law, e.g. illegal downloads, altering official documents.

Search for offensive/pornographic sites on the internet.

Mistreat the computer equipment either physically or attempt to crack our systems or networks.

Use the internet antisocially (e.g. to distribute offensive messages, spam or attempt to crack other systems/networks).

Install additional software onto the computers.

2.2 Access is provided to Microsoft Office programmes (Word, Publisher etc.) and the World Wide Web. For E-mail, please use one of the Web-based providers such as Hotmail. Users take full responsibility for messages sent electronically.

2.3 You are responsible for the privacy of any information that you wish to transmit via the Internet (e.g. credit card details for on-line purchases). Remember libraries are public places, and someone could be looking over your shoulder. Log out properly from such services or it may be possible for the next computer user to access your information.

2.4 You may save your work to a floppy disk, or USB memory key. You are responsible for ensuring that your work has been saved. When taking print outs or saving to a disk, you are responsible for remaining within copyright law.

2.5 You should be considerate of other users of the library, and not make excessive noise or mistreat equipment. Only 2 persons will be allowed at any one computer.

2.6 If you are epileptic, or have any other illness that may be affected by using a computer, please consult your doctor for advice on using computer equipment.

Appendix E – Information Security

We all have a responsibility for keeping Six Town Housing data secure; this document details some Do’s and Don’ts on basic information security.

Passwords

Do keep your passwords secure and private.

Do not write any usernames and/or passwords down where they can easily be found by someone else - on a post-it note on your desk, in your open drawer. If you must write it down, keep it secure.

Do not disclose your username and/or passwords to anyone or share them with anyone.

Do not use another person’s username or password to access systems.

Do not create a password which can be guessed easily, such as your name.

Your desk

Do use the screen saver lock (press the Windows key and L) or log out of your session, if you are working away from your computer.

Do make sure that confidential information displayed on your screen is not seen by others.

Do not leave confidential files or papers unattended on your desk – always store these securely.

Do not remove equipment or information without the appropriate approval.

Secure disposal

Do not put papers which are CONFIDENTIAL or RESTRICTED into the recycling bins; do put them into a confidential waste bag for secure disposal.

If you are disposing of pen drives, CDs, DVDs and any other electronic devices, do so securely, so that the information previously stored on them cannot be recovered. CDs and DVDs can be scratched to damage them and therefore make the data unreadable. If you need to dispose of a pen drive, please contact the ICT Service Desk. Do not place any of these portable devices in the rubbish bin.

If you are disposing of computers do ensure that all hard drives are wiped by following Six Town's procedures for the disposal of IT equipment (see Appendix B for details).

Remote working

You are personally responsible for any Six Town Housing information you take out of the office. The only place where confidential or sensitive electronic information should be held is on the Six Town network or a physically secure environment (generally an encrypted device with a secure password).

Do take particular care whenever you are taking any information out of the office, whether it is stored on paper, a CD, memory stick, laptop, PDA, Digital Pen, etc.

Do not keep any confidential or sensitive information or anything that you do not want to see in the public domain on a CD, memory stick, laptop, PDA, or any other mobile device.

Do not leave the information unattended.

Do not leave information in a car where it can be easily seen.

If you need to work from home or out of the office on a regular basis, you must get authorisation from your Line Manager; contact Six Town Housing ICT for more information on remote working.

If you are working from home you must comply with the policies on Individual Home working (ad-hoc home working). In particular, the policies state:

“Employees working from home have the same responsibilities under the Data Protection Act to ensure all data is kept secure. Employees should ensure that no members of their family use Six Town Housing equipment. They should also ensure that any documents are stored securely, particularly those containing personal data, which should be stored in a locked cabinet. Managers should ensure that employees are aware of their responsibilities and that any breach of security would result in disciplinary action being taken against them.”

Sending confidential and sensitive information by Email

This type of information should only be sent by email where there is no reasonable alternative and where not sending the information would cause a risk to a service user / customer.

When sending an email under these circumstances, the measures below must be followed:

Do not send e-mails and attachments containing sensitive information to a generic email address (e.g. [email protected]); the email address should be that of a named individual.

Do make sure that you have sent data to the right person and check that they have received it.

Do increase the security of information sent by email: convert it to a ‘zip’ file and password-protect the zip file. The password can then be passed to the recipient by phone. Contact the Six Town ICT Unit if you need advice on this.

Even if you are sending e-mail and attachments internally, remember it may not be read in a secure environment as Six Town Housing employees can remotely access their e-mails.

Sending hard copy data (paper) or information on disk, tape, memory stick or other portable media

If it is necessary to post/send personal data to another organisation on CD/DVD or other portable media then this must be done via a sufficiently secure mechanism. In general this means that the data must be properly encrypted before sending. You should also only use Royal Mail special delivery or a courier firm with “signed-for” delivery. You must contact Six Town ICT for advice if you need to send confidential/sensitive data and have not used encryption previously.

Third party requests

Be very careful if you receive an unexpected request from a third party (an organisation or individual outside Six Town) for personal data we hold. Some individuals make a business out of, and are very skilled at, obtaining personal data under false pretences. Consult with your line manager when dealing with any unusual requests.

Do follow the process for dealing with such situations (e.g. requests for Tenant data, subject access request, data sharing agreements). If you are unsure or there is not one in place, check with our Governance and Compliance Lead for advice.

Do satisfy yourself that the person is who they say they are.

Do ask for the request in writing

Do take a phone number (preferably a switchboard number, not a direct line)

Do keep a record of such requests.

Sharing personal data

There are many situations in which we share personal data within Six Town and with external organisations including central government. These range from ‘one-off’ requests, to formal arrangements. We only do this where we have a legal power or duty to do so, and the sharing has to meet the conditions of the Data Protection Act. Sharing data may itself create an information security risk which needs to be addressed.

If you are not sure whether you should be sharing particular information, consult your supervisor for guidance or Six Town ICT for further advice.

Advice on the use of pen drives, CDs, DVDs and other portable devices

Ensure that the information is backed up on the Six Town network before it is also saved onto the device.

You are personally responsible for the safety of any Six Town Housing information/data you store on such devices. If you remove it from Six Town Housing premises you are responsible for ensuring its safe transport.

Do delete confidential/sensitive information from (encrypted) devices as soon as it no longer needs to be there.

Do not store confidential/sensitive information on these devices. The only devices which can be used to hold such information must be encrypted and protected with a secure password.

If you lose a device, report the loss to your line manager and/or our Governance and Compliance Lead immediately.

If you are disposing of pen drives, CDs, DVDs and any other electronic devices, do so securely, so that the information previously stored on them cannot be recovered. CDs and DVDs can be scratched to damage them and therefore make the data unreadable. If you need to dispose of a pen drive, please contact the ICT Service Desk. Do not place any of these portable devices in the rubbish bin.

Appendix F – Glossary of terms

Application: The name given to a programme or set of programmes to do a specific task, for example Payroll.

Back-up: A copy of data / information which can be used in the event of the original data becoming damaged.

Data: Information held in computer-readable format that is processed by computer programs.

Data encryption: Data is held in a format, which cannot be understood unless the correct password or PIN number is used.

Development Application: The programmes and data files used to run a specific application in a “test” environment.

Dial-in Access: A method of connecting a PC or laptop to Six Town’s network via a telephone line.

Downloads (Internet): The loading of software and/or other data onto the PC directly from the Internet.

E-mail: The transfer of messages and files over computer networks between individual users. Any user with appropriate software and equipment can send and receive.

Encryption: The scrambling of data using appropriate software. Data can only be re-constituted by decryption software. Encryption is used to maintain the confidentiality of data during storage or transfer between computers.

Executable Code: An instruction or set of instructions in a format which the computer operating system is able to interpret and execute.

File Server: A powerful computer, which is used to electronically store and retrieve documents across the network.

Financial Regs: The Director of Finance and E-Government is the responsible officer under section 151 of the Local Government Act 1972 and section 114 of the Local Government Finance Act 1988 for the proper administration of the financial affairs of Six Town. The Financial Regulations have been designed to meet these legal requirements.

Firewall: A firewall is a generic term used to describe a device that controls information and traffic across the internal network and to external networks.

Hardware: A piece of computer equipment.

ICT Change Control: The procedures followed by the ICT section whenever a change is made to executable code.

ISDN: Integrated Services Digital Network – Switched digital networking that can handle a range of digital voice, data and digital image transmission.

Line Monitor: A piece of equipment used for fault investigation to monitor data across the network.

Live Application: An application which uses live data as opposed to test data.

Log-on: The initial entry point to a computer system. The user must enter a valid user name and password to gain access.

Media: Items used for storing data, for example, tapes, cartridges, CDROMs and disks. Back-up media is used to retain extra copies of data, for use if the original data is lost or corrupted.

Modem: A device used to send / receive data through a telephone line.

Network: The collective name for items of computer equipment linked together, including file servers, terminals and other devices, enabling communication between users.

Password: During log-on to a computer system, a user must provide a userid and a special word associated only with that user name before access to the system is granted.

Programme: A set of instructions that can be understood by a computer.

Public Domain Software: Software not subject to copyright. The author has placed the software in the “public domain”, for free use.

Secure Area: An office or area with restricted access. Only people with keys or “access codes” are allowed into the area.

Shareware Software: Software, subject to copyright, for use on a “try before you buy” basis. After a specified period, the software should be registered with the distributor and a licence fee paid.

Software: A general term covering all computer programs, applications etc.

Software: Programmes which run on a piece of computer equipment.

Standalone PC: A PC that is not physically connected to the network.

Surf: Term used to describe the examination of data on the Internet.

System Owner: The officer responsible for a specific system.

Terminal: A visual display unit (VDU) or computer screen for example, through which users can input or access information.

Userid: Each user of an application or network is identified by a user name, for example, SmithJ. To gain access at log-on, the operator must provide a valid user name and password.

Viruses: Viruses (so-called because they behave like biological viruses) replicate without the user’s knowledge. They can be relatively harmless or very destructive, for example, deleting contents of a hard disk.

Appendix G – Personal Commitment Statement

INFORMATION SECURITY
Personal Commitment Statement

October 2014

We all have a responsibility for keeping Six Town Housing data secure and using facilities sensibly; this document gives brief guidance on basic information security and this Personal Commitment Statement provides a summary of the key points as they apply to individual staff. All staff who use Six Town's ICT facilities must agree specifically that they have read and understood what is expected of them, as detailed in this summary document. Six Town Housing’s comprehensive ICT Information Security Policy covering all aspects of ICT Security is published on the intranet.

All the points included in this document are covered in greater detail in the ICT Information Security Policy – the Policy is regularly updated with information on significant changes sent out to all staff. It is your responsibility to familiarise yourself with this Policy. New staff should ask their line manager to make the policy available to them within the first week of employment.

Each employee is personally responsible for the confidentiality, security and accuracy of information and information systems they use as part of their job, whether working at a Six Town Housing location or at another site, or at home. You must not attempt to access any computer system that you have not been given explicit permission to access.

All Six Town Housing representatives should bear in mind that information they share through social networking applications, even if it is on private space, is still subject to copyright, data protection, Freedom of Information, the Safeguarding Vulnerable Groups Act and other legislation. They must also operate in line with Six Town’s Code of Conduct and Equality and Diversity Policy. Failure to comply with the guidelines detailed here may lead to disciplinary action and / or legal proceedings.

If you need more detailed guidance, look at the full ICT Information Security Policy or contact Six Town ICT for advice.

1. Passwords

Do keep your passwords secure and private.

Do not write any username and/or password down where it can easily be found by someone else - on a post-it note on your desk, in your open drawer. If you must write it down, keep it secure.

Do not disclose your username and/or passwords to anyone or share them with anyone.

Do not use another person’s username or password to access systems.

2. Your desk

Do use the screen saver lock (press the Windows key and L) or log out of your session, if you are working away from your computer.

Do make sure that confidential information displayed on your screen is not seen by others.

Do not leave confidential files or papers unattended on your desk – always store these securely.

Do not remove equipment or information without the appropriate approval.

3. Information classification

From a security viewpoint, there are four types of information, shown below:

RESTRICTED - highly confidential information where loss or unauthorised disclosure would have serious financial or commercial consequences for Six Town, or serious privacy consequences for any of its customers. Examples include minutes of political or management meetings relating to ongoing commercial negotiations; any person-related data or case files in any service area; any information from central government departments which they class as “RESTRICTED”. RESTRICTED information should only be available on a “need to know” basis.

CONFIDENTIAL – Information where loss or unauthorised disclosure would cause embarrassment or difficulty to Six Town or privacy invasion to individuals referenced in the information.

INTERNAL – Information generally available within Six Town but not intended for general public access.

PUBLIC – Information where loss or unauthorised disclosure would cause no administrative embarrassment or difficulty within Six Town.

You must take care to prevent loss or disclosure of all Six Town Housing information, but particularly so for CONFIDENTIAL and RESTRICTED information.

If you will be handling information classified as RESTRICTED by any central government department, you will get prior training on confidentiality issues.

4. Secure disposal

Do not put papers which are CONFIDENTIAL or RESTRICTED into the recycling bins. Do put them into a confidential waste bag for secure disposal.

If you are disposing of pen drives, CDs, DVDs and any other electronic devices, do so securely, so that the information previously stored on them cannot be recovered. CDs and DVDs can be scratched to damage them and therefore make the data unreadable. If you need to dispose of a pen drive, please contact the ICT Service Desk. Do not place any of these portable devices in the rubbish bin.

If you are disposing of computers, do ensure that all hard drives are wiped by following Six Town's procedures for the disposal of IT equipment (see the Security Policy for details).

5. Remote working and home working

You are personally responsible for any Six Town Housing information you take out of the office.

The only place where confidential or sensitive electronic information should be held is on the Six Town network or a physically secure environment (generally an encrypted device with a secure password).

Do take particular care whenever you are taking any information out of the office, whether it is stored on paper, a CD, memory stick, laptop, PDA, Digital Pen, etc.

Do not keep any confidential or sensitive information or anything that you do not want to see in the public domain on a CD, memory stick, laptop, PDA, or any other mobile device.

Do not leave the information unattended.

Do not leave information in a car where it can be easily seen.

If you need to work from home or out of the office on a regular basis, you must get authorisation from your Line Manager; contact Six Town Housing ICT for more information on remote working.

If you are working from home you must comply with the policies on Individual Home working (ad-hoc home working). In particular, the policies state:

“Employees working from home have the same responsibilities under the Data Protection Act to ensure all data is kept secure. Employees should ensure that no members of their family use Six Town Housing equipment. They should also ensure that any documents are stored securely, particularly those containing personal data, which should be stored in a locked cabinet. Managers should ensure that employees are aware of their responsibilities and that any breach of security would result in disciplinary action being taken against them.”

6. Sending personal data and sensitive information by Email

This type of information should only be sent by email where there is no reasonable alternative and where not sending the information would cause a significant problem for a service user / customer. When sending an email under these circumstances, the guidelines below must be followed:

Do not send e-mails and attachments containing sensitive information to a generic e-mail address ([email protected]); the email address should be a named individual.

Do make sure that you have sent data to the right person and check that they have received it.


Do increase the security of information sent by email: convert it to a ‘zip’ file and password-protect the zip file. The password can then be passed to the recipient by phone. Contact Six Town ICT if you need advice on this.

7. Sending confidential information on CD/DVD, USB memory stick or other portable media

If it is necessary to post/send personal data to another organisation on CD/DVD or other portable media then this must be done via a sufficiently secure mechanism. In general this means that the data must be properly encrypted before sending. You should also only use Royal Mail special delivery or a courier firm with “signed-for” delivery. You must contact Six Town ICT for advice if you need to send confidential/sensitive data and have not used encryption previously.

8. Sharing personal data

There are many situations in which we share personal data within Six Town and with external organisations including central government. These range from ‘one-off’ requests, to formal arrangements. We only do this where we have a legal power or duty to do so, and the sharing has to meet the conditions of the Data Protection Act. Sharing data may itself create an information security risk which needs to be addressed.

If you are not sure whether you should be sharing particular information, consult your supervisor for guidance or Six Town ICT for further advice.

9. Third party requests for sensitive or personal information

Be very careful if you receive an unexpected request from a third party (an organisation or individual outside Six Town) for personal data we hold. Some individuals make a business out of, and are very skilled at, obtaining personal data under false pretences. Consult with your line manager when dealing with any unusual requests.

Do follow the process for dealing with such situations (e.g. requests for Tenant data, subject access request, data sharing agreements). If you are unsure or there is not one in place, check with our Governance and Compliance Lead for advice.

Do satisfy yourself that the person is who they say they are.

Do ask for the request in writing.

Do take a phone number (preferably a switchboard number, not a direct line).

Do keep a record of such requests.

10. Advice on the use of pen drives, CDs, DVDs and other portable devices

You are personally responsible for the safety of any Six Town Housing information/data you store on such devices.

If you remove it from Six Town Housing premises you are responsible for ensuring its safe transport.

Do delete confidential/sensitive information from (encrypted) devices as soon as it no longer needs to be there.

Do not store confidential/sensitive information on these devices. The only devices which can be used to hold such information must be encrypted and protected with a secure password.

If you lose a device, report the loss to your line manager and/or our Governance and Compliance Lead immediately.

11. Email and Internet use

You may make limited private use of the Six Town email system for personal needs – but this should be very limited and in your own time, in accordance with the ICT Security Policy. However any personal mail may be subject to recording and monitoring, as with business mail, so you should have no expectation of privacy.

You may access the Internet for personal use in your own time via Six Town's network. You should again bear in mind that this personal use is subject to recording and monitoring, as with business use.

12. Use of the GCSX network

You may need to use the GCSX network (sometimes known as GSI, the Government Secure Intranet) to communicate with central government departments by email or to use some of their computer systems.

You should be aware that all communications sent or received over GCSX will be monitored and may be intercepted under GCSX security arrangements.

Should you need to use this network you will be given specific training on handling GCSX-transmitted information classed as “RESTRICTED” and you may be subject to additional security clearance requirements.

13. Other security issues

Do not disable anti-virus/malware protection installed on equipment.

Do not do anything which could introduce a virus or spyware onto the network.

If at any time you suspect that your PC is behaving oddly and so may have been infected with a computer virus or other malicious software, you must immediately contact Six Town ICT to report the potential security incident. Six Town ICT will provide immediate advice on any action needed to prevent possible spreading of virus infection and will arrange an urgent visit from support staff if appropriate.

If you become aware of any significant breach of Six Town Housing Security Policy (e.g. sharing/disclosing personal passwords or abusing personal information) you should immediately inform your supervisor and Six Town ICT.

When leaving Six Town’s employment you must return all Six Town Housing property to your line manager (items like encrypted memory sticks, keys, security access tokens etc.)

Name:

Date:


Appendix H – GCSX sign-up Application (via ICT E Form system)

Six Town Housing ICT Unit

Application for Access to the Government Connect network

From:

Name

Job Title

Department

Section

Please arrange for the staff member below to be given access to the Government Connect network and also a GSI mailbox.

Name

Job Title

Department

Section

I certify that this member of staff -

has been cleared for GCSX access under departmental personnel procedures

has been trained on properly handling information classed as “RESTRICTED” by central government departments

has recently signed (or re-signed) Six Town's Personal Commitment Statement relating to the secure handling of information and the use of ICT systems

on being given access, will be properly trained in the use of the GSI mailbox and any central government information systems to be used.

Notes:

This form should be completed by a supervisor whenever a new member of staff requires access to the GCSX network.

The form should be sent to the appropriate Departmental representative for approval and forwarding to the ICT Service Desk. The Service Desk (5050) can provide details of Departmental representatives if required. (January 2009 version)


Appendix I – Six Town Housing ICT Unit

Information Security Incident Handling – May 2009

We are all responsible for ensuring that the information we handle is kept secure and that Six Town Housing systems are not abused.

From April 2009, Six Town’s network was connected to the wider central government network and so any security issues with Six Town’s network could have wider implications.

We need to ensure that potential security threats are picked up rapidly and reported to an appropriate management level for monitoring and resolution.

If we are to achieve this, all Six Town Housing staff and all contractors, agency staff and staff from partner organisations who use Six Town’s network and/or information systems must promptly report any suspected security incidents that they become aware of.

Some examples are given below, but these are not exhaustive.

a PC is behaving strangely and so appears to be infected by a computer virus or spyware

you suspect someone unauthorised is trying to access the Six Town network.

you become aware of password sharing among users

you become aware of any misuse of personal or confidential data.

you believe that a screen used to display confidential information may be in a position that is overlooked, compromising sensitive information.

you see staff transferring sensitive data to unencrypted laptop PCs or to USB data sticks, or CD/DVD drives.

Please report any potential or suspected security incident to the Six Town ICT Unit as soon as possible, making it clear that you are reporting a “security incident”.

ICT staff will treat the call as high priority and ensure that the Strategic ICT Coordinator is briefed.

If the incident relates to individual misuse of data, you may alternatively report this to your manager. You may also wish to report the incident in confidence to an independent person. Guidance on how to do this can be found in Six Town's “whistle blowing” policy.


You should immediately report

Any incident that seems to threaten the security of the Six Town Housing network or any Six Town Housing information system.

Any incident that seems to threaten the security of confidential or sensitive Six Town Housing information, particularly information relating to people.

Procedure for Six Town ICT staff

On receiving a call relating to a security incident, you should immediately log a “security incident” call at priority 1, 2 or 3 with central Bury ICT, depending on your judgement of the incident's severity and impact.

You should then ensure that the Strategic ICT Coordinator is made aware of the problem as quickly as possible.

In the event that the problem appears to be “technical” (e.g. relating to virus or spy-ware infection, or external network penetration attempts), then a member of Technical Support / User Support should be immediately informed so that they can arrange appropriate short-term actions.

In the event that the problem appears to be related to data misuse, the contacted manager will decide on the appropriate course of action.


Appendix J – Home working Policy

POLICY ON INDIVIDUAL HOMEWORKING

1. Definition

Individual home working allows employees to apply to work from home on an ad-hoc basis, permanent basis for part of their working hours or temporary basis for all of their working hours.

During periods of home working an employee’s base is still in the workplace.

Home working is suitable for employees whose work is normally carried out in the workplace and requires sustained concentration away from the interruptions received in an office environment.

Working from home is also suitable for disabled employees who may be experiencing difficulties travelling to and from work. Home working should only be carried out if the particular task can be done as well as or better than it would have been done in the workplace and the level and quality of service provision is unaffected.

It is particularly suitable for employees who may be carrying out research or project work. It would not be suitable for employees whose work requires them to be in the workplace liaising with colleagues or customers or using particular equipment (e.g. cashiers or receptionists).

2. Why we should do it

There are a number of benefits for both employers and employees: -

For Employers

increases productivity and quality of work

promotes retention of experienced employees who may otherwise have to leave

can help to free up office accommodation

reduces sickness absence and labour turnover

increases motivation and job satisfaction

For Employees

allows employees to balance their home and work lives more effectively

allows flexibility over when work is carried out, enhancing terms and conditions

reduces or eliminates travelling time/costs

increases motivation and job satisfaction

work can be carried out when the employee is most productive

work can be carried out without interruptions

offers equal opportunities to disabled people

allows work to fit around child care arrangements

Six Town Housing currently has a draft home working policy and a number of employees throughout the departments have worked from home for various reasons.

3. Implications on current conditions of service

For employees who are office based but work from home for some of the time, existing conditions of service will apply; however, any permanent, regular pattern of home working should be outlined in a revised contract of employment. The following areas should also be considered: -

Leave


Standard leave entitlement will apply under appropriate National and Local Conditions of Service and annual and special leave should be applied for in the usual way.

Sickness

Employees who are sick when working from home should follow existing sickness reporting procedures.

Overtime

Overtime may be payable if an individual works more than the standard full time hours per week (following management approval).

Training

Employees working from home should have the same access to training opportunities/courses.

Hours of Work

Employees are expected to work their contracted hours and working hours should be agreed between the manager and employee to avoid any negative effects on an employee’s home life. (For example, to avoid managers contacting employees at home when they are not officially working).

The employee should use an agreed method of time recording. This will enable managers to ensure that the Working Time Regulations are complied with.

4. Working practices and options

The following are examples of home working patterns: -

Splitting one or two days per week, so that an employee is available for telephone calls in the morning and can work from home in the afternoon.

Working from home one day a week.

Working from home on an ad hoc basis when a specific piece of work can be done more effectively without interruptions.

Managers should agree with employees working from home the expected quality and quantity of work to be carried out and how this will be monitored. Adequate two way communication arrangements should be agreed to avoid the employee feeling isolated and to enable the manager to contact the employee in the case of emergencies. For this purpose, employees will need to be prepared to issue their home/mobile telephone numbers to their managers with the understanding that the numbers will not be divulged to a third party without the employee’s permission.

5. Practical implications

The implications on service provision, the effect on the rest of the team and the individual’s workload should be considered when an application for home working is received.

Criteria for consideration by Managers

Do some duties of the post require sustained concentration?

Could these duties be done more effectively at home without interruptions?

Do the individual’s home circumstances enable them to work from home?

Does the employee have a disability or temporary health condition, which makes travel to work difficult?

Would there be enough cover in the office to provide an effective service without the individual?

What would the impact on other members of staff be? Would they be expected to provide cover or carry out additional duties in the person’s absence? Could this be dealt with in another way to avoid the rest of the team feeling put upon by the change?

Do other staff in the office work from home? It may be impractical to have a number of employees in the same office working from home.

Review Period

It is very important that managers specify a review period. At the end of the specified period, both manager and employee should meet to discuss how home working is affecting them both. Some people cannot work from home due to personal reasons or may have difficulty adapting to home working. They may feel isolated or unable to separate work and their personal lives, being distracted by personal issues. If the arrangement does not work and there is no obvious solution then the employee would be advised to return to their workplace.

Promotion/Change of Post

Home working arrangements are a variation to a Contract of Employment relating to one specific post. Any employee that works at home for part of their working week who applies for another post within the organisation would not necessarily be able to work from home in that post. It may be possible to negotiate this but no assurance should be given to continue the existing agreement.

Provision of Equipment/Insurance

Six Town Housing should provide all necessary stationery to enable the employee to work from home. It may also be necessary to provide employees with equipment such as a lap top computer. This should be discussed and considered at the application stage.

Risk Assessment

The employee working from home is responsible for carrying out a risk assessment by completing an HS3 form (see attached). Training should be given for this purpose. Managers are then responsible for assessing the implications of the risk assessment. This is to ensure that the working environment and any equipment is safe and that the tasks are suitable to be carried out at home. For advice and guidance on carrying out risk assessments, managers should contact the Health and Safety Section of the Personnel and Administration Division.

The initial risk assessment should highlight any potential problems/situations which may arise. For example, could children interfere with Authority equipment? Steps should be taken to separate work activity from the rest of the household as far as possible, as employees’ personal lives should not be affected by home working.

Equipment should be deemed safe by the organisation and tested on a regular basis. Chairs/desks etc. may be provided by the employee but must be suitable and present no risk.

Data Protection

Employees working from home have the same responsibilities under the Data Protection Act to ensure all data is kept secure. Employees should ensure that no members of their family use Six Town Housing equipment. They should also ensure that any documents are stored securely, particularly those containing personal data, which should be stored in a locked cabinet. Managers should ensure that employees are aware of their responsibilities and that any breach of security would result in disciplinary action being taken against them.

Introduction of Home working

The following points should be addressed when introducing individual home working:-

Consult and communicate with all relevant parties.

Carry out risk assessment.

Provide stationery and necessary equipment, ensuring adequate insurance is in place.

Draw up and agree home working procedures covering supervision, time recording, tasks, quality, quantity, monitoring, frequency of office contact, use of equipment, sickness and holiday procedures etc.

Ensure employees are adequately trained in the use of any equipment provided.

Introduce security/audit trails where necessary.

Ensure communication processes are in place and understood.

Ensure employee is aware of and complies with relevant legislation such as Data Protection Act, Working Time Regulations, Health and Safety Regulations. Make any necessary amendments to contracts of employment.

Applications will be considered in line with service requirements and decisions will be made at the discretion of the Business Manager, following consultation with HR as appropriate.


Appendix K – Remote Working Policy

Six Town Housing

REMOTE WORKING POLICY

SECTION TITLE

1 Scope

2 Definition & background

3 Roles and responsibilities under the policy

4 Assessing the suitability of a post for remote working

5 Assessing an individual’s suitability for remote working

6 Terms and conditions for remote workers

7 Training and Development

8 Risk assessment

9 Additional Health and Safety requirements

10 Review

1. Scope

This policy covers all Six Town Housing employees. The remote working policy applies when an individual applies for remote working or when a manager requests that a new or existing post be considered for remote working. Options for remote working include:

For the employee to work remotely for all of their contractual hours, or;

To work remotely in part only, for example working remotely for two days out of five.

This policy does not apply to employees who from time to time negotiate with their line manager to work from home as this is covered by Six Town Housing’s existing Policy on Individual Home Working.

2. Definition & background

Remote working relates to employees working from their home on a regular or full time basis or employees working remotely at client sites etc. It will seek to encourage employees to work in a flexible and more productive fashion by enabling them to carry out work previously undertaken at their office base at home or off site.

Employees will be equipped with the appropriate technology (e.g. laptop or desktop computer, mobile phone etc) to carry out their duties either at home or at a client site.

There are a number of reasons why working in a more mobile fashion with a flexible work base may be seen as desirable. These include:

The greater flexibility provided to employees

Employees can choose the right space and time for particular tasks and have freedom from interruptions enabling them to work effectively and efficiently

Encourages employees to work in a more autonomous way, and working time can be more purposeful generally as they have to plan ahead

Encourages managers to measure individual productivity by outcome

Potential to reduce absence taken for life priorities

Attraction and retention of staff who have commitments outside of work and prefer this type of working

Reduced travel time to / from work and the associated environmental advantages

Contribution to delivery against e-government targets (BVPI 157)

3. Roles and responsibilities under the policy

Senior / Departmental Managers / Managers of remote workers

To ensure the remote working policy is fairly implemented and applied.

Ensure cost / benefit analysis is carried out during assessment of suitability of a post or individual for remote working (see section A of the Guidelines for Remote Working).

Approve remote working where this option can provide demonstrable efficiency savings or other significant benefits to Six Town Housing.

Undertake effective management of remote workers, as per the Guidelines for Remote Working.

Remote workers

To abide by the terms of their remote working agreement.

Health and Safety Advisors

To assist in the development and implementation of policies specific to the unique health and safety requirements of remote workers.

To ensure existing corporate health and safety policies, systems and standards are also appropriate for remote workers and their managers.

Organisational Development section

To ensure that the development of learning events and activities takes account of the working arrangements and practices of a diverse workforce. This includes considering opportunities for flexible methods of training and increasing access to learning through e-learning where possible.

To support remote workers, their managers and the departmental training representatives in meeting identified training needs.

Six Town ICT Unit

Managers must contact the Six Town ICT Unit prior to setting up a pilot study for remote working to:

discuss whether it is technically possible and/or viable to set up the post(s) for remote working

agree appropriate ICT equipment to be used by the remote worker

resolve problems, establish ground rules, guidelines and procedures which are clear and unambiguous to enable the rollout of remote working on a larger scale for their section

Once a pilot study has been completed, there will be no further home visits made by the ICT Unit; first-line support is supplied remotely i.e. by telephone, email or by remote connection to the PC.

In cases where the equipment is faulty, the manager/remote worker makes arrangements for it to be transported to the Six Town ICT Unit for further investigation and repair. It is recommended that the manager supplies the remote worker with spare equipment during this period to enable the remote worker to carry on working, where resources allow.

4. Assessing the suitability of a post for remote working

Remote working is likely to affect more than the individual service, post or post holder. The implications on service provision (service users, suppliers, partners and colleagues) should be considered when assessing the suitability of remote working.

A cost benefit analysis must be undertaken. The impact on issues including health and safety, equality and diversity, and efficiency must all be assessed.

The guidelines and checklist in the Remote Working Guidelines must be used to determine the suitability of a post for remote working.

5. Assessing an individual’s suitability for remote working

In cases where Six Town Housing has identified certain posts as suitable for remote working, when the post becomes vacant and requires advertising this aspect will be a requirement of the person specification. The person specification will state that the individual must be able to work remotely.

Thorough assessment of suitability must be carried out. Tools and guidance are provided in the Remote Working Guidelines.

6. Terms and conditions for remote workers

Hours of Work

Employees are expected to work their contractual hours. Hours of work shall normally be worked in accordance with the organisation’s extended flexi time policy (between 7am – 7pm). However, an employee may choose to negotiate with their line manager to vary their hours of work and/or working pattern. Some employees may prefer to do some work very early in the morning or later in the evening. Where a varied working pattern is agreed, breaks etc. must comply with the Working Time Regulations. The employee should use an agreed method of time recording. This will enable managers to ensure that the Working Time Regulations are complied with and that appropriate records are being maintained for other monitoring purposes.

Employees must also be aware that not all of Six Town’s services operate extended hours. For example the ICT Service Desk operates from 7am – 7pm, Monday to Friday only. Also the employee’s line manager and work colleagues may not be available during certain times. This is not necessarily a barrier to working more flexibly; however, the employee should be aware from the outset of when services are available should they require them.

Any amendment to working hours and / or patterns shall be considered taking into consideration service needs.

Leave

Standard leave entitlement will apply under appropriate National and Local Conditions of Service and annual and special leave should be applied for in the usual way.

Sickness

Employees who fall sick when working remotely should follow existing sickness reporting procedures.

Overtime

Overtime shall be subject to prior approval and will be carefully monitored. Flexi-time and time off in lieu arrangements will be explored first before any overtime is agreed.

Promotion / Change of Post

Remote working arrangements are a variation to a Contract of Employment relating to one specific post. Any employee that works remotely for part or whole of their working week who applies for another post within the organisation would not necessarily be able to work remotely in that post. It may be possible to negotiate this but no assurance should be given to continue the existing agreement.

Telephone costs

Where an employee is using their home as their office base the organisation will pay for an additional phone line and Broadband connection to be installed so that they can use the Avaya softphone facility from home.

In cases where an employee is working remotely from home for some but not all of their time or working at various locations, then the organisation will provide them with a mobile phone.

Travel arrangements

Arrangements for claiming car mileage shall be as per Local Conditions of Service. Most car insurance policies only cover journeys to the ‘usual place of work’ unless ‘business use’ is added to the policy. Therefore, remote workers must have ‘business use’ insurance cover if any ‘at work’ journey is made. Remote workers and managers who make journeys for work purposes should familiarise themselves with the Six Town Housing Occupational Road Risk Policy paying particular attention to the need for:

Annual document checks (driving licence, insurance, MoT, road fund licence)
Risk Assessments (generic or specific if travelling more than 200 miles in one day)
Driver Training (Smart Drive) for those who travel more than 2,000 miles per year (usually ‘essential’ users)

Data Protection and Data Confidentiality

Employees working from home must ensure that all information stored and accessed (including that held on computer) is secure and cannot be accessed by anyone else, in order to comply with the Data Protection Act. Failure to keep information secure will be considered a serious matter and may result in disciplinary action.

Provision of Equipment

Any equipment taken from Six Town Housing premises must be identified by its serial number.

Equipment should only be taken off the organisation’s premises with the approval of the employee’s line manager. Where equipment, such as a laptop, is regularly used outside of the organisation’s premises on a semi-permanent basis, a letter of authorisation will be issued by the employee’s line manager. Such details should be recorded and tracked for audit purposes.

Where an employee is going to be working remotely on a permanent basis, for example from home, then it may be necessary for Six Town Housing to provide additional equipment other than ICT equipment. For example the employee may require a desk and a chair etc. Any such requirements should be identified in the initial stages and shall be subject to cost.

Any items purchased by the organisation belong to the organisation. If a remote worker leaves the organisation or moves to a post where remote working is not applicable then the equipment must be returned to the organisation.

Whilst the equipment is being utilised by the employee it must be maintained appropriately and not intentionally damaged in any way. If the organisation suspects that an employee has intentionally damaged organisation equipment the matter will be investigated in accordance with the organisation’s disciplinary procedure.

Remote Workers are expected to notify the organisation of any problems with equipment so that the matter can be resolved effectively. Where possible, spare equipment will be provided in the interim whilst the faulty equipment is being fixed. It may also be necessary to complete a defective equipment form.

The Organisation will ensure that equipment is inspected for safe use. Where possible the remote worker will be asked to bring the equipment to the relevant Six Town Housing base.

ICT equipment supplied by the organisation is intended for use by authorised personnel only. All ICT equipment provided should be used in accordance with the Organisation’s ICT Security Policy.

Meetings

Remote workers are not permitted to hold meetings at their home due to insurance reasons.

7. Training and Development

When a post and / or individual is being considered for remote working, training needs must be identified before a final decision is taken regarding the proposal.

Remote workers and their managers may have some training needs which are unique to their remote working arrangements, and these must also be identified prior to a final decision on the suitability for remote working.

Remote workers will have the same access to training and development opportunities as non-remote workers (refer to the Remote Working Guidelines).

8. Risk Assessment

The employee is responsible for carrying out a risk assessment by completing an HS 3 form. If computers are to be used, then a display screen equipment assessment should be carried out, using HS05. Training should be given for this purpose. Managers are then responsible for assessing the implications of the risk assessment.

This is to ensure that the working environment and any equipment is safe and that the tasks are suitable to be carried out at that location. For advice and guidance on carrying out risk assessments, managers should contact the Health and Safety Section of the Personnel and Administration Division. Risk assessments are to be reviewed annually.

The initial risk assessment should highlight any potential problems / situations which may arise. For example, could children interfere with the Organisation’s equipment?

If working remotely from home, steps should be taken to separate work activity from the rest of the household as far as possible, as employees’ personal lives and work lives should not be adversely affected by remote working.

9. Additional Health & Safety Requirements

If an employee is working remotely from their home then the Organisation must be satisfied that there are working smoke alarms fitted and a fire extinguisher available. If these items are not already available then the Organisation will supply them.

Any accidents / incidents that take place must be reported and recorded appropriately on form HS1.

If the employee will be lifting and carrying loads, for example a laptop and files, then a manual handling risk assessment should be carried out. This might identify the need for the use of a small luggage trolley or lifting and handling training.

Where remote workers are undertaking work in locations other than their home, management may want to consider additional security measures. A risk assessment will identify if additional security measures are required.

10. Review

This policy will be reviewed after 12 months of implementation and every 3 years thereafter.
