General responsibilities

Please note that as this policy is periodically reviewed and updated, if you print it from the website, its accuracy cannot be guaranteed for more than a 24 hour period following printing.

Introduction

All users of applications are individually responsible for maintaining security and complying with ICT security policies. This document summarises the specific responsibilities of each user of Hampshire Fire and Rescue Service's (HFRS) computer equipment and services.

Note: If you need further advice on complying with the following responsibilities you should consult with your line manager or the IS Service Desk in the first instance.

HFRS operates a centralised computing model - all data is stored centrally and accessed using workstations with a standard set-up. This means that any Hantsfirenet user can use any HFRS workstation and access Hantsfirenet with an identical computing experience.

The security of each session will be managed through access controls and “session locks”, negating the need to secure access to the actual workstation except in exceptional circumstances.

Guidance and Policies on the following specific topics is provided below or via the hyperlinks:

• Ownership
• General user responsibilities
• Workstation security
• Network Security
• USB key security
• Software compliance
• Databases
• Printer, Fax and Photocopier Security
• Using a PC as a workstation
• Remote access from home or other locations
• Passports
• Laptops and handheld devices
• Workstations in public locations

Ownership

All HFRS supplied ICT equipment and any data created using HFRS systems remains at all times the property of HFRS. ICT equipment shall be returned and any non public data residing on personal ICT equipment returned (and/or destroyed as advised) on termination of employment or business relationship with HFRS.

Departmental Line Managers are responsible for all IS equipment that their Department and individual employees with in it, have been issued with and including its return to the IS Department.

General User Responsibilities

Note: in addition to these general responsibilities, there are some specific responsibilities defined below for users of mobile devices (such as laptops and hand-held devices), remote workstations (e.g. home-based workers), and workstations sited in public areas. All HFRS workstations that are attached to the corporate network are subject to interrogation and monitoring for unauthorised or insecure software installations. This includes accidental downloads from the web, or intentional software loads. All equipment issued to HFRS staff shall be used in accordance with the manufacturers instructions to prevent damage to the equipment.

IS computers, screens, printers and phones shall not be moved without prior consent of the IS Service Desk.

Workstation security

• Except as discussed below, HFRS workstations should only be installed and used in physically-secure locations, such as HFRS office space.
• The session lock-out shall be activated manually when leaving a workstation unattended.
• All workstations are configured to activate session locks automatically, if the workstation is left unattended for more than 15 minutes.
• Further information regarding acceptable use of passwords can be found in the Password Policy

USB Key Security

Staff are reminded of their personal responsibility to only use USB devices for work purposes and if they are free from viruses. NB You risk having all the files on the USB device deleted if any viruses are detected. External Drive Policy

Software Compliance

Users are not authorised to install any software on any HFRS computers or laptops. Software Compliance Policy

top

Databases

Users shall register any intended database with both the Information Compliance Officer and the IS Service Desk prior to starting any development, in order to comply with the Data Protection Act (DPA)1998 and the Environmental Information Regulations (EIR) 2004.

Each database which contains electronic data shall be subject to an individual security risk assessment report which shall be in place to protect the contents of the database and ensure that only those who are authorised to access the contents of it are able to do so. It shall be the responsibility of the individual who is the creator or who has inherited the ownership of the database together with that persons department to produce this security risk assessment report and to ensure that it is kept up to date.

The IS Department together with the Information Compliance Officer shall evaluate the security of all data to ensure the protection of that data. This evaluation shall include a risk assessment of the security of all registered databases and the assignment of a risk matrix. In order for this assessment to take place each individual owner together with the department with responsibility for the registered database, shall submit the security risk assessment report in relation to the database to the Information Compliance Officer attached to form FM 11/1/11 as soon as reasonably practicable following the date of the Information and Communication Technology Service Order or upon the creation of a new database (whichever is the earlier).

Assistance in completing this security risk assessment report can be obtained from the Information Security Officer via the IS Service Desk

This security risk assessment report will contain the following information:

1. A summary of the nature of the database and how access is granted, reviewed and revoked
2. Where the Database is stored
3. Present security measures in place
4. Details of the information and in particular any sensitive or personal data which is held on the database
5. If the Database is password protected this password shall be logged with the Service Desk Manager who is CRB certified.

The security risk assessment report shall be dated and shall be the subject of an annual review following the creation of the database and the first security risk assessment report.

Despite the fact that the security assessment report shall be reviewed annually it shall nevertheless be the ongoing responsibility of the owner of the database together with the owner's department to ensure that the IS Department is informed of any changes to the database of a material nature that may alter the security risk assessment matrix level.

The IS Department together with the Information Compliance Officer may make recommendations to the owner of the database following the risk assessment undertaken as described above. Such recommendations shall be implemented by the owner as soon as reasonably practicable.

Network security

Staff shall not connect any non HFRS workstation, PC, laptop or any other device with network capabilities to the internal HFRS network, unless approved by senior management and protected by additional security controls (such as anti virus, firewall) and its use has been agreed with ICT services.

Use of a modem to provide dial-in access to a HFRS workstation and as a consequent provide access to internal networks is expressly forbidden, unless approved by senior management and protected by additional security controls that have been agreed with ICT security group.

Printer, Fax and Photocopier Security

Staff shall not leave documents on printers,  facsimile machines or photocopiers.

Staff shall be aware that  modem facsimile machines, printers and photocopiers have page caches and store pages in case of a paper or transmission fault, which will be printed once the fault is cleared.

top

Additional guidance for those using a PC as a workstation

Protectively marked and sensitive information held on your local disk

Protectively marked and sensitive information shall not be stored on workstation disks unless there is a clear business requirement, in which case ICT shall ensure protection by an approved file or disk encryption mechanism.

External hard drives shall not be used without prior consent from the IS Department. External hard drives shall not be removed from HFRS premises unless approved by the IS Department and the data encrypted.

• Consult your manager or the IS Service Desk for further guidance.

Anti-virus

• ICT Department-approved anti-virus software shall be installed and operational on all HFRS workstations at all times.
• Software shall be configured to scan local disks at least once per week. This is enforced by the ICT department through automatic policies. Where operational needs mean that a scan has to be interrupted, ICT must re-run at a convenient point.
• Virus signatures and scanning software shall be kept up to date on an automatic daily basis by following the virus update procedures provided for the anti-virus software.
• Users shall not undertake any activities with the intention to create and/or distribute malicious programs into HFRS networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.)
• Where a virus is detected, the incident shall be reported to the ICT Department Service Desk, using the Incident Reporting guidelines. HFRS ICT Service Desk will provide advice and assistance with dealing with the infection.

File sharing

• Staff shall not share the information on your workstation with other users on internal networks
• Information shall only be shared using the centrally-provided shared drives.
• Local file sharing is not permitted.
• Staff shall not install or use software such as Napster or KaZaA that allow peer-to-peer sharing of files across a network.

top

Additional Responsibilities for remote access from home or third party locations

Workstation security

• Workstations which have remote access to HFRS internal networks via the Internet shall be protected from intrusion to prevent unauthorised access to HFRS networks and systems.
• HFRS ICT support functions shall provide advice and may supply approved solutions for use in such situations.
• Employees who access HFRS email shall ensure that HFRS information assets are not stored on personally owned workstations.
• Home users shall not download or copy HFRS data to their local drive.

Physical workstation security

• HFRS supplied workstations shall be installed in a physically secure part of the building to protect them from theft and inappropriate or unauthorised use.

Anti-virus

• Personal workstations which have remote access to HFRS internal networks such as home PCs or those belonging to partner agencies shall have suitable anti-virus software installed and configured to protect the HFRS and HCC networks and systems from virus-infection.
• HFRS ICT support functions will provide advice on the types of anti virus products available in the market place.

Passports

• Passports requires a two factor authentication, a unique PIN and the owners Hantsfirenet user id.  These shall not be shared, written down or left with the device.  
• Passports shall only be used by the person they have been issued to and the passport owner shall not allow any other user to access the Hantsfirenet system via them.
• Passports remain the property of HFRS and must be returned upon request of the ICT Department.
• Staff shall report any loss, theft or damage of a passport to the HFRS Service Desk at the first available opportunity.

top

Additional Responsibilities for users of laptops and handheld devices

Workstation security

• Workstations that have remote access to HFRS internal networks via the Internet shall be protected from intrusion (prying of a workstation’s desktop activity or data) to prevent unauthorised access to the HFRS networks and systems.
• HFRS has installed a wireless network that shall be used by authorized HFRS employees only. Employees shall not attempt to access the wireless network unless permissions have been explicitly granted to them.
• HFRS ICT support functions shall provide advice and may supply approved solutions for workstation security.

Physical security

• Handheld devices shall be kept in your possession, or locked away during temporary absences.
• If left overnight in your normal office, all equipment shall be locked away in a filing cabinet or drawer.
• Where possible, all equipment shall not be left in cars for long periods. Where unavoidable, equipment shall be locked in an enclosed boot or in a locked glove compartment.
• Equipment shall be kept in your possession during journeys and disguised where possible. Laptops shall not be checked into a baggage hold.

Sensitive information held on your local disk

Sensitive information shall not be held on mobile workstation disks. Where there is a business requirement to do so a formal risk assessment shall be undertaken prior to approval.

External hard drives shall not be used without prior consent from the IS Department. External hard drives shall not be removed from HFRS premises unless approved by the IS Department and the data encrypted.

• Consult your manager or usual ICT support contact for guidance.

Servicing of Laptops

• HFRS Laptops are serviced annually to ensure all aspects of security are kept up to date. The Service Desk  coordinate the recall of Laptops due a service.
• The IS Department reserves the right to remove any software, free or otherwise that is considered to be a security risk.

top

Additional Responsibilities for workstations situated in public locations

Note: the policy statements in this section do not apply to public access workstations.

Workstations located in public locations with access to HFRS internal networks and services pose a particular threat to the security of the HFRS networks and services. For this reason, users of such workstations have a particular responsibility to ensure that workstation security controls are in place and are used correctly.

Workstation security

• The session lock-out shall always be activated manually when leaving a workstation unattended, even for a short period.

Physical security

• A physical locking device (i.e. a lockdown lead) shall be in place to secure equipment at all times.
• Tasks which access sensitive information shall not be performed on workstations in public areas. Consult your manager for guidance. Where business requirements dictate that this is essential, the screen shall be positioned to ensure that the sensitive information cannot be overlooked.

Protectively marked and sensitive information held on your local disk

• Protectively marked and sensitive information shall not be held on workstation disks unless there is a clear business requirement, in which case ICT must ensure that protection is provided by an approved file or disk encryption mechanism. Consult your manager or usual ICT support contact for guidance on suitable products.

Identities and Passwords

• Particular care shall be taken to protect passwords from disclosure when logging in using user-Id's which have access to sensitive applications and information.

Security Incidents

• For the protection of HFRS information, ICT infrastructure and services all employees and contractors have a duty to report potential security incidents, as per the Incident Reporting procedures as soon as possible when they are discovered.
• A security incident is any ICT system, network or user behaviour which does not comply with the HFRS policies of which this security guide is a part.

top