LONDON BOROUGH OF BARNET

INFORMATION SYSTEMS ACCESS POLICY

Document Number:

Author: XXXXXX

Owner: London Borough of Barnet Information Manager

Client: London Borough of Barnet

Release Type: Issued V2.0

Release Date: 22nd July 2014


Document History

ISSUE DATE PURPOSE AUTHOR

0.1 18/03/2014 Draft Created XXXXXX

0.2 28/05/2014 Revised XXXXXX

0.3 04/06/2014 Further editing XXXXXX

0.4 05/06/2014 Minor editorial changes XXXXXX

0.5 12/06/2014 Revised XXXXXX

0.5.1 13/06/2014 Minor revisions XXXXXX

0.6 16/06/2014 Revised XXXXXX

0.7 17/06/2014 Further editing XXXXXX

0.8 20/06/2014 Final Draft XXXXXX

1.0 20/06/2014 Issued: Final changes accepted and put forward for sign-off to CIMB XXXXXX

2.0 22/07/2014 Barnet Logo added to pages XXXXXX

Associated Documents

This document is associated with the following other documents:

TITLE LOCATION DATE

Information Security Policy

Acceptable Use Policy

Data Protection Policy

Password Policy

Security Incident Management Policy

Shared network drive owners

Approval Groups

Wisdom (EDRM) Service Records Managers


Table of Contents

1 Purpose of the Document ........................................................................................ 1

2 Governance ............................................................................................................... 1

2.1 Overview .................................................................................................................................. 1

3 User Network Accounts ........................................................................................... 1

3.1 Overview .................................................................................................................................. 1

3.2 New Users/Changes: Barnet Council & The Barnet Group ...................................................... 1

3.3 New Users/Changes CAPITA .................................................................................................. 2

3.4 Third Party Access ................................................................................................................... 2

3.5 Leavers .................................................................................................................................... 2

3.6 Checks ..................................................................................................................................... 3

4 E-Mail systems .......................................................................................................... 3

4.1 Overview .................................................................................................................................. 3

4.2 Controls .................................................................................................................................... 3

5 Shared Drives............................................................................................................ 3

5.1 Access Controls ....................................................................................................................... 3

5.2 Controls Check ......................................................................................................................... 3

6 Access to Line of Business Systems ..................................................................... 4

7 Social Care and Education Systems ...................................................................... 4

7.1 Swift Overview ......................................................................................................................... 4

7.2 Swift Control Process ............................................................................................................... 4

7.3 Granting of appropriate access rights. ..................................................................................... 4

7.4 Resetting passwords ................................................................................................................ 5

7.5 Revocation of access rights ..................................................................................................... 5

7.6 Audit/Check .............................................................................................................................. 5

7.7 ICS Overview ........................................................................................................................... 5

7.8 ICS Control Process ................................................................................................................. 5

7.9 Granting of appropriate access rights. ..................................................................................... 5

7.10 Password resets ....................................................................................................................... 5

7.11 Revocation of access rights ..................................................................................................... 6

7.12 ICS Audit/Check ....................................................................................................................... 6

7.13 Tribal Overview ........................................................................................................................ 6

7.14 Tribal Control Process .............................................................................................................. 6

7.15 Granting of appropriate access rights ...................................................................................... 6

7.16 Password Resets ..................................................................................................................... 6


7.17 Revocation of access rights ..................................................................................................... 6

7.18 Tribal Control Check ................................................................................................................ 6

8 Business Objects (BOXI) ......................................................................................... 6

8.1 Business Objects Overview ...................................................................................................... 6

8.2 Business Objects Control Process ........................................................................................... 7

8.3 Business Objects Control Check .............................................................................................. 7

9 Finance & Procurement Systems ........................................................................... 7

9.1 Finance & Procurement System Overview ............................................................................... 7

9.2 Finance & Procurement Systems Control Process .................................................................. 7

9.3 Finance & Procurement System Controls Check ..................................................................... 7

10 HR Systems ............................................................................................................... 7

10.1 HR System overview ................................................................................................................ 7

10.2 HR System Control Process ..................................................................................................... 8

10.3 HR system controls check ........................................................................................................ 8

11 Barnet Data Warehouse ........................................................................................... 8

11.1 Data Warehouse systems Overview ........................................................................................ 8

11.2 Data Warehouse Control Process ............................................................................................ 8

11.3 Data Warehouse Audit/Check .................................................................................................. 8

12 CRM System (Lagan) ................................................................................................ 9

12.1 CRM System Overview ............................................................................................................ 9

12.2 CRM Systems Control Process ................................................................................................ 9

12.3 CRM System Controls Check ................................................................................................... 9

13 WISDOM (EDRMS) .................................................................................................... 9

13.1 EDRMS Overview .................................................................................................................... 9

13.2 EDRMS Controls ...................................................................................................................... 9

13.3 EDRMS Password Resets ....................................................................................................... 9

13.4 EDRMS Controls Check ......................................................................................................... 10

14 Highways and Planning systems .......................................................................... 10

14.1 Exor Overview ........................................................................................................................ 10

14.2 Exor Controls ......................................................................................................................... 10

14.3 Exor Password Resets ........................................................................................................... 10

14.4 Exor Controls Check .............................................................................................................. 10

14.5 Acolaid Overview ................................................................................................................... 10

14.6 Acolaid Controls ..................................................................................................................... 10

14.7 Acolaid password Reset ......................................................................................................... 11

14.8 Acolaid Controls Check .......................................................................................................... 11


15 Remote Access Provision ..................................................................................... 11

15.1 Overview ................................................................................................................................ 11

15.2 Controls Process .................................................................................................................... 11

15.3 Controls Check ....................................................................................................................... 11

16 Operating system access ...................................................................................... 12

16.1 Overview ................................................................................................................................ 12

16.2 Controls Process .................................................................................................................... 12

16.3 Controls Check ....................................................................................................................... 12

17 Policy Exception Process ...................................................................................... 12

18 Security Breaches .................................................................................................. 12

19 Auditing Schedule .................................................................................................. 12

Document Reference .......................................................................................................... 14


1

File: 2014_06_IT_ACCESS_CONTROL_POLICY_V01.0[1]

Doc Reference: Document Type: Project Initiation Documentolicy

1 Purpose of the Document

The purpose of this Policy is to define how user access to networks and systems is administered in the London Borough of Barnet (LBB), and to provide specific processes where access is managed by CAPITA CSG. It covers how user rights are granted, appropriately managed and revoked.

Access rights should be granted on the basis of the least privilege necessary to perform the job role, to assist in preserving data security. Access controls are critical to the protection of information entrusted to CAPITA by the LBB. By restricting access to information on a need-to-know basis, these measures will enable CAPITA to provide assurance to LBB that only authorised users have access to required information, whether at a physical, electronic, application, network or operating system level. This document outlines the minimum requirements for access control within the CAPITA/LBB account.

2 Governance

2.1 Overview

The approval group for this policy is the Security Forum, which is chaired by the Senior Information Risk Owner (SIRO) for LBB. The Security Forum is a working group of the Customer and Information Management Board, which is chaired by the council’s Chief Operating Officer (COO).

The ICT Team maintain the following lists, which the Security Forum review and approve quarterly:

Application register

Shared drive control matrix

Approval Groups (including delivery units and partners)

Wisdom (EDRM) records managers

IT control audit results (in line with this policy) are presented to the Security Forum as required.

3 User Network Accounts

3.1 Overview

Network access is managed with Active Directory (AD) which determines access rights and what actions users are able to perform on the network. Processes that result in changes to AD are detailed below.

3.2 New Users/Changes: Barnet Council & The Barnet Group

On joining LBB a user will be set up with network access on confirmation of employment by the HR department. The process is initiated by the HR department who will inform the IS service desk daily of any new user account required and provide the required detail.

Requests from HR will be treated as an authorised request to enable the account to be created which will be logged and recorded via a service request.

Some access to systems and data will be pre-approved as part of the New Starter process. These “Standard Changes” include provision of a user e-mail account, user Home drive, access to fixed telephony, and the default shared drives where agreed. The process will include the creation of a service desk account for the user. On setting up the account a one-time password will be used and the user will be forced to change this at first log on in accordance with the password policy.

This process applies for all users, including permanent staff, contractors, agency staff and interims.

Changes to employment resulting in movement between teams or delivery units will be notified to HR by the relevant line manager who will in turn notify the IS service desk. Service desk will generate service requests to control any resulting changes required.

All mover requests must be treated in the same way as a leaver or new user registration. Access to all systems must be removed and only those drives and systems appropriate to the new role added to the user profile.

In the case of long term sickness or maternity leave, network access will be suspended on notification by HR and reinstated on return to work.

3.3 New Users/Changes CAPITA

For CAPITA Employees where detail is not available from the Barnet HR service, individual requests for new users must be from authorised managers shown in the CAPITA Approvals Group detailing all the facilities required. A form authorised by the appropriate member of the Approval Group will be sent to the IS Service Desk to progress a request for a new starter.

It is the responsibility of the employing manager to inform the ICT Service promptly of any changes to access/system requirements.

In the case of long term sickness or maternity leave, network access will be suspended on notification by the appropriate Re / CAPITA manager and reinstated on return to work.

3.4 Third Party Access

Network accounts required by 3rd parties for application support must be requested by system owners via a service request. Such accounts will only have the privileges required to support the application and will have no additional facilities such as e-mail, user home drives etc., unless authorised by exception.

3.5 Leavers

On leaving LBB a user's network access account must be closed. This will remove the right to access all facilities and information on the Barnet network. For Barnet Council and The Barnet Group staff, the leaving notification is initiated by HR, who will provide the IS service desk with the details of the leaver. This request will be logged and recorded via a service request, and the account will be disabled at the appropriate date. The AD account will be set to automatically expire at the end of the last day of employment.

This applies whether the user is a permanent employee or a contractor on a temporary or part time contract with LBB.

For CAPITA Employees who are accessing the LBB network in delivery of the contract services, the authorising manager shall give notice to the ICT service to disable the AD account.

In an emergency a manager may request an immediate suspension of a user account, which will remove the right to access all facilities and information on the LBB network.

User home drives will be retained for 6 months from departure date and then deleted unless otherwise instructed.


3.6 Controls Checks

Checks will be run weekly by CSG ICT and any user account that has not been accessed for 60 days will be investigated and if appropriate disabled.

A list of users who have access to AD will be reviewed by the LBB Approval Group to validate that processes are maintaining an appropriate set of users in Active Directory.

4 E-Mail systems

4.1 Overview

Standard E-mail accounts are provided as part of the new starter process. In addition to the standard E-mail system, LBB also has access to GCSx mail systems used for conducting secure communication with the police, NHS and government departments.

GCSx accounts can be provided through a service request. Users of GCSx mail will be required to accept an additional set of terms and conditions as part of the setup process.

To send secure communications to external partners who do not have access to GCSx mail, the Message Labs “Encrypt and Send” service must be used. Message Labs secure mail can be provided through a service request.

4.2 Controls

On leaving LBB a user network account will be closed, which includes access to E-mail. This applies whether the user is a permanent employee or a contractor on a temporary or part time contract with the London Borough of Barnet.

E-mail accounts will be retained for 6 months from departure date and then deleted unless otherwise instructed.

5 Shared Drives

5.1 Access Controls

Standard access to the established delivery unit network shared drives is allocated as part of the new starter process. Additional access for other shared drives will be requested by a service request. The request requires authorisation by the Approval Group associated with that network drive.

For CAPITA Employees shared drives access is requested by individual requests approved by the Approval Group for the specific drive requested.

The Shared Drive Control Matrix identifies shared drives, the business owners and the Approval Group required to grant access where requested. It also identifies what organisational information triggers the drive to be allocated as a standard change and part of the starter process.

5.2 Controls Check

A list of Shared drives and the associated owners (Approval group) will be held by CSG ICT and reviewed quarterly at the Security Forum.

A 6 monthly review of user access to a network share will be carried out by the owner of that share to ensure that user access is still appropriate for business need. CSG ICT will trigger this review, and the results of the review will be presented to the Security Forum and appropriate changes to access carried out.

6 Access to Line of Business Systems

Line of Business systems are specialist systems used for business purposes within the organisation. A prerequisite of access to any business system is that an active LBB network (AD) account exists for the user. Line Managers, Data Owners, Approval Groups and IT must satisfy themselves as far as possible that user access privileges and access requests are appropriately allocated and do not compromise any defined ‘Segregation of Duty’ requirements. Any apparent conflicting requests for access must be challenged.

The following basic checks must be undertaken to ensure that conflicting requests are identified and rejected:

Permission Enforced Controls – Specialist Application Support Teams must use the contents of the Service request and any reports available from within the system itself to confirm to the best of their ability that the individual is not being granted conflicting permissions (e.g. being granted access to approve invoices as well as having access to raise them).

Segregation of Duty Across Application – Specialist Application Support Teams must attempt to confirm that the individual is not being granted conflicting access across multiple systems if any such cross-application Segregation of Duty rules have been specified. This may involve liaising with the administrators and/or the Business Operational Managers of other systems.

IT Systems Development – Specialist Application Support Teams must attempt to confirm that the individual is not a developer being granted access to production environments, or an operational user being given access to development environments.

For access to any systems not specifically mentioned in this document, please refer to the CAPITA ICT department for advice.

7 Social Care and Education Systems

7.1 Swift Overview

The Swift social care systems used by the London Borough of Barnet serve the Adults and Family Services Delivery Units. The two systems are, however, entirely separate and individually managed. The systems contain sensitive personal information and data must be protected accordingly.

7.2 Swift Control Process

Access to SWIFT is via a service request approved by the relevant Approval Group. Both Adults and Family Services follow the same process but have separate approval groups. Staff are removed from SWIFT via instruction from the respective Approval Group.

7.3 Granting of appropriate access rights

The level of access to be granted to a user is defined by the role allocation. This is requested by the Approval Group member in the service request.


Changes to allocated roles are requested by the Approval Group member via a service request call. In certain cases access to client records needs to be further restricted. In such cases an Approval Group member in the appropriate service will complete a “restricted client” form forwarded to the relevant ICT support team for action.

7.4 Resetting passwords

Password resets in Swift systems are processed via a service request. A temporary password to enable access is communicated by e-mail to the user's Barnet e-mail account and must be changed at initial system login.

7.5 Revocation of access rights

Requests to revoke access rights in an emergency can be initiated by Approval Group members by logging a service request. On leaving, the user's network account is disabled. Closure of the network account will suspend Swift access.

7.6 Audit/Check

An audit of users and access rights is conducted quarterly by the relevant Approval Groups, based on the structure information circulated by the business and user rights are amended accordingly by the CAPITA Swift support team. Evidence of the quarterly review of users is held by the relevant Approval Group.

7.7 ICS Overview

The ICS system in LBB is used in the Family Services Delivery Unit. The system contains sensitive personal information and data must be protected accordingly.

Service requests for ICS access are authorised by the Family Service Approval Group.

7.8 ICS Control Process

Users accessing ICS are first required to be set up in Children’s Swift. Once the user is added integration will transfer the user to the ICS system where the user profiles (Roles) indicated by the business in the helpdesk call can be added.

7.9 Granting of appropriate access rights

ICS user access rights are advised by the Children’s Service Approval Group in the Service desk call requesting the user setup. The initial password is allocated by the CAPITA support team and the user is advised by Barnet e-mail. The password is changed by the user at initial log on to the system. Any subsequent changes are controlled by further service requests. In certain cases access to records needs to be further restricted. In such cases a member of the Family Service ICS Approval Group will log a call with a completed ‘restricted access request’, which is forwarded to the CAPITA support teams for action. Records of these requests are maintained by the delivery unit themselves, outside of the helpdesk system, to maintain confidentiality.

7.10 Password resets

Password resets in ICS systems are processed via a service request. A temporary password to enable access is communicated by e-mail to the user's Barnet e-mail account and must be changed at initial system login.


7.11 Revocation of access rights

Access rights can be revoked in an emergency by logging a service request call. On leaving, the user's network account is disabled. Closure of the network account will suspend access, and the 3 month audit process in the Swift system is used to correct any errors.

7.12 ICS Audit/Check

An audit of users and access rights is conducted every 3 months by the Family Services Delivery Unit.

7.13 Tribal Overview

The Tribal systems in LBB are used in the Family Services Delivery Unit for managing early years and educational data. The system contains sensitive personal information and data must be protected accordingly.

Service requests for Tribal access are authorised by the Family Service Approval Group.

7.14 Tribal Control Process

Users requesting access to Tribal systems contact the Family Service Approval Group, who will log a service request for action. CSG ICT will then load the required access software on the user’s computer and add the user to the AD group that enables access. The service desk call is closed after this is done, and responsibility for further actions passes back to the Family Service Approval Group.

7.15 Granting of appropriate access rights

The Tribal user profiles (roles) are allocated and administered by the Family Service Approval Group. The allocated roles give access to transactions within the system.

7.16 Password Resets

Passwords are synchronised with the standard Barnet network (AD) passwords, so individual password maintenance within the Tribal application is not required.

7.17 Revocation of access rights

On leaving, the user's accounts are disabled by the Family Service Approval Group. Closure of the LBB network account will automatically suspend access to Tribal.

7.18 Tribal Control Check

An audit of users and access rights is conducted every 6 months by the Family Services Delivery Unit.

8 Business Objects (BOXI)

8.1 Business Objects Overview

Business Objects reporting software is run in conjunction with the Swift and ICS Care systems to produce a range of reports for business use. Reports are developed internally by Barnet staff. Roles giving access to reports are allocated by the Adults and Children’s approval groups.


8.2 Business Objects Control Process

Access to Business Objects is granted via a service request raised by an Approval Group, which is passed to the CSG IS support team for action. They will pick up the call and process it appropriately. The call must state the required role to be allocated.

On setup, the Approval Group will be mailed confirmation that the user has been set up as required. The requesting Approval Group will be sent a one-time password for the user, which the user will be required to change at the user training given before Business Objects access is granted.

Revocation of a user’s access is requested via a service request. Closure of the Barnet network account will automatically suspend access to the Data Warehouse.

8.3 Business Objects Control Check

Access rights can be revoked in an emergency by logging a service request. On leaving, users’ accounts are disabled, and the 3-month audit process in the Swift system is used to correct any errors.

9 Finance & Procurement Systems

9.1 Finance & Procurement System Overview

Finance and Procurement systems are used to control and report on finance and to manage procurement activities in LBB. The general financial system in use within the authority is Integra; the Income system is Axis, and access is provided to authorised users. Roles giving access to transactions are maintained by Finance.

9.2 Finance & Procurement Systems Control Process

All access to the finance systems within LBB is controlled by the Finance Approval Group, who set up users and allocate business roles within the systems. LBB users requesting access to financial systems must log a service call requesting access, which will be forwarded to the Approval Group for authorisation and action.

The Finance Approval Group will action the request and feed back to the service desk so the call can be appropriately completed.

9.3 Finance & Procurement System Controls Check

Managers are provided with a report to check that the appropriate staff are set up against their cost centre. It is the responsibility of each Cost Centre Manager to ensure that the correct staff have access to their cost centre and to report any errors to the Finance Approval Group via a service request for correction.

On leaving, users’ network accounts are disabled. Closure of the network account will suspend access to financial systems.

10 HR Systems

10.1 HR System overview

The CAPITA core HR system is used for the administration of Barnet personnel and payroll.

It is administered from the CAPITA location in Belfast, and access for LBB employees is granted via an employee portal. The HR system is accessed to check personnel details, book leave, access payslips, etc. It is also used by managers to notify new starters / movers / leavers and to approve tasks via the integrated workflow.

10.2 HR System Control Process

A Barnet manager uses the secure portal to request New User / Mover / Leaver activities from the HR department. HR will check the manager’s authority against the Barnet organisation charts and, if the authorisation is correct, will action the requests in the HR system. When requests are actioned, information is issued to ICT via the service desk to enable the New Users / Movers / Leavers process.

Employee access to the portal is granted when a user is set up in the HR system as a Barnet employee. On user setup a one-time password will be allocated, which is changed at first use. If a user subsequently requires a password reset for the HR portal, this is achieved by phoning the CAPITA HR Helpdesk in Belfast on (9) 0330 606 444. The user will then be taken through the security process to enable a new password to be issued.

10.3 HR system controls check

On leaving, users’ network accounts are disabled. Closure of the network account will suspend access to the HR portal.

11 Barnet Data Warehouse

11.1 Data Warehouse systems Overview

The Data Warehouse is a system used by the CAPITA Insight team to support its analytical work for the Council. It is used predominantly by the Insight team located at LBB. The system accepts feeds from a number of source systems within the Council (e.g. Integra, Lagan and Electoral Roll) to generate the “single view of the customer”, a consolidated view of Customers and Addresses within the borough. It is also used to provide a number of standard analytical views for use by Insight. The solution includes a Cognos reporting solution that is used by Insight to deliver project-specific reports and analytics to members.

11.2 Data Warehouse Control Process

Access is limited to members of the CAPITA CSG Insight Team, who form the Approval Group. Access to the solution is administered via a service request, which will need to be passed to the ETL / Cognos support team. They will pick up the call and process it appropriately.

When the call is completed the service desk team will be mailed confirmation that the user has been set up. Requests to remove access should be made via a service request. Closure of the LBB network account will automatically suspend access to the Data Warehouse.

These activities are controlled by local CAPITA procedures.

11.3 Data Warehouse Audit/Check

An audit log is in place alongside the access procedure which will be kept by the CAPITA Data Warehouse support team and will be available when required.

12 CRM System (Lagan)

12.1 CRM System Overview

Lagan is the primary Customer Relationship Management (CRM) system used by LBB to deliver services to residents. It is used both in LBB and in the CAPITA Local Government Services Call Centre in Coventry where all user administration is undertaken.

12.2 CRM Systems Control Process

Access to Lagan is administered via a service request, which will be addressed by the CAPITA Channel Development Team (Approval Group) in Coventry, who will pick up the request and process it appropriately. On setup, the login details required to access the system will be e-mailed to the user’s business e-mail account. Requests to revoke user access should be made via a service request. Closure of the LBB network account will automatically suspend access to the Lagan CRM system.

These activities are controlled by CAPITA local Coventry procedures.

12.3 CRM System Controls Check

An audit log is in place alongside the new user / revocation procedure, which will be kept at the Coventry location and will be available when required.

13 WISDOM (EDRMS)

13.1 EDRMS Overview

The Wisdom system is the Electronic Document &amp; Records Management System (EDRMS) used by the council for storage of documents relating to Adults social care, Children’s Services, HR, Customer Services, Accounts Receivable, and the Barnet Programme Office. The Barnet / CAPITA joint venture Re (Environmental Health) also accesses the application, and Barnet Homes stores housing needs documentation in it.

13.2 EDRMS Controls

The access to records in the EDRMS is controlled by file plans which are administered by the ICT team. Changes to high level file plans are by service requests. The file plans for each service area are separate and user access is granted to a particular file plan at a predetermined level by the designated business service records managers.

When access needs to be restricted down to a specific folder level, additional security is available. This is done by Capita CSG ICT creating a new team with access to the restricted folder via a ‘Service Now’ call, with the team membership allocated by the Service Records Manager.

A table of the authorised Service Record Managers will be held by CSG ICT and reviewed quarterly at the Security Forum. Business service records managers are responsible for ensuring the access granted is appropriate.

13.3 EDRMS Password Resets

Passwords are synchronised with the standard Barnet network (AD) passwords, so individual password maintenance within the EDRMS application is not required.

13.4 EDRMS Controls Check

On leaving, users’ network accounts are disabled. Closure of the network account will suspend access to the Wisdom EDRMS system. Additionally, the local Service Records Manager will perform an audit at least every 6 months to confirm that user access to records is still valid, and will maintain records of the audit locally for inspection.

14 Highways and Planning systems

Highways and Planning activities are the responsibility of Re, a joint venture company between LBB and CAPITA set up to manage these activities.

14.1 Exor Overview

The Exor system is used by Re to manage the Barnet road network and highway assets, and to provide management for skip licences and other associated statutory activities.

14.2 Exor Controls

All access to the Exor systems within LBB is controlled by the Re Approval Group, who set up users and allocate business roles within the systems. LBB users requesting access to highways systems must log a service call requesting access, which will be forwarded to the Re Approval Group for authorisation and action.

The Re Approval Group will action the request and feed back to the service desk so the call can be appropriately completed.

14.3 Exor Password Resets

Password resets for Barnet users in Exor systems are processed via a service request, which will be forwarded to the Re Approval Group for action. The Re Approval Group will action the request and feed back to the service desk so the call can be appropriately completed.

14.4 Exor Controls Check

On leaving, users’ network accounts are disabled. Closure of the network account will suspend access to Exor systems.

14.5 Acolaid Overview

Acolaid is an integrated planning, building control and licensing system used by Re on behalf of LBB to administer these activities.

14.6 Acolaid Controls

All access to the Acolaid systems within LBB is controlled by the Re Approval Group, who set up users and allocate business roles within the systems. LBB users requesting access to Acolaid systems must log a service call requesting access, which will be forwarded to the Re Approval Group for authorisation. Following authorisation, the required access software will be loaded on the user’s computer by CSG ICT. After this is done, responsibility passes back to the Re teams to allocate user roles.

The Re Approval Group will action the request and feed back to the service desk so the call can be appropriately completed.

14.7 Acolaid Password Resets

Password resets for Barnet users in Acolaid systems are processed via a service request, which will be forwarded to the Re Approval Group for action. The Re Approval Group will action the request and feed back to the service desk so the call can be appropriately completed.

14.8 Acolaid Controls Check

On leaving the users’ network accounts are disabled. Closure of the network account will suspend access to Acolaid systems.

15 Remote Access Provision

15.1 Overview

Remote access to the LBB network is only allowed from LBB Corporate and Partner corporately owned and managed machines. LBB and partner organisations must, when working remotely, use two-factor authentication (2FA) to facilitate the connection. LBB uses RSA tokens for this purpose.

External third parties given access to support applications are required to confirm in writing to the CSG Security Manager that the machines used for access are corporately owned and have current patching and anti-virus in place. The access given when properly authenticated users connect to Barnet systems is the same as that given when working from an office location.

User accounts required for support contractors are normally only made available for the duration of the support session so that access periods can be controlled. In many cases the 2FA RSA tokens are not given to the support contractor but are held within Capita CSG to further control the ability to access. In these cases the support contractor must dial the CSG ICT infrastructure team to obtain the token codes required to access the network. This policy can be varied by exception if there is an agreed need to access systems for support purposes outside normal working hours.

Any directly connecting organisation (e.g. a directly connected VPN) must be subject to a CAPITA Network Security Assessment (NSA) carried out by Capita security staff, and the users validated against an Active Directory (AD) entry. Contracts covering the access and its purpose must be in place before VPN access is granted.

Remote access must be via corporately managed devices. In normal circumstances users should not attempt access from personally owned computers or other personally owned devices which are not specifically authorised. Any such attempt is a breach of the remote access policy.

15.2 Controls Process

Users request the issue of an RSA Token via the service desk with a service request.

15.3 Controls Check

Closure of the LBB network user account will automatically suspend all access to the LBB network. 3rd party support contractor access must be terminated when the support for an application is no longer required. Users holding RSA tokens can be tracked on the RSA administration console, which is integrated with AD. The RSA Token must be returned to CAPITA CSG when no longer required.

16 Operating system access

16.1 Overview

Elevated administrator privileges to line of business systems and computer networks must be restricted to ICT support teams in order to preserve network security, integrity and availability.

16.2 Controls Process

Only ICT Department Managers and agreed delegated authorisers can approve requests for elevated access to servers and networks, such as account or Domain Administrator rights. Usage must be recorded, logged and monitored.

ICT Line Managers must monitor the users with elevated access and remove access when a user moves roles, leaves, or no longer requires the access to perform his or her job function.

Use of administrator / privileged user IDs must be restricted to the minimum number required to administer the estate. CAPITA CSG IT must review all default, vendor or service accounts included in any new software, or used for software development, and must delete these before the system is commissioned into production.

Where such accounts are essential to the operation of a system, the passwords for those accounts must be changed from the default values and managed by the Infrastructure Manager.

Where vendor accounts are required for support and maintenance, these accounts must be kept disabled and enabled only when required, unless a risk assessment has been completed and approved.

16.3 Controls Check

IT Line Managers must monitor elevated access to servers and networks and remove access when a user moves roles, leaves, or no longer requires the access to perform his or her job function. This will be further checked during the annual IT Healthcheck to ensure that the minimum number of elevated users exists. Closure of the network account will suspend access to LBB networks.

17 Policy Exception Process

Any exception to this policy will be managed according to the agreed LBB security risk management exception process and monitored by the Security Forum. The log of exceptions will be maintained by the ICT Information Security Manager.

18 Security Breaches

Any suspected security breach, or loss of equipment, must be reported immediately to the Service Desk and logged with a service request. If it is suspected that LBB information has been compromised, the incident must be reported immediately to LBB’s Information Management Team. Reported security breaches will be investigated in line with the Security Incident Management Policy.

19 Auditing Schedule

This document will be subject to a continuous review process but will be formally reviewed at least every 12 months following issue.

Ref Process Frequency Evidence

2.1 Application register Quarterly Security Forum Minutes

2.1 Shared drive control matrix Quarterly Security Forum Minutes

2.1 Approval Groups (including delivery units and partners) Quarterly Security Forum Minutes

2.1 Wisdom (EDRM) records managers 6 Monthly Local Service Records Manager audit

2.1 IT control results As Required Security Forum Minutes

Document Reference

Document Signatories

Author(s) Name / Role Signature(s) Date

XXXXXX CAPITA IS Security Manager

20 June 2014

Approvers(s) Name / Role Signature(s) Date

Document Reference

Document Title: Information systems access policy

Document Type: IT Policy

Confidentiality Level:

Document Reference:

Issue Date: 19/03/2014

Issue Number: 0.3

Document Production Software: Microsoft Word 2010

Total Pages: 20