
Information Security ISMS Overview

Please note that as this policy is periodically reviewed and updated, if you print it from the website, its accuracy cannot be guaranteed for more than a 24 hour period following printing.

Information Security Policy

Information Services Date Created: 01/06/2008

Owner: Neil Moore Review Date: 01/06/2010

Version 1.1


Objectives

The objective of the information security policy is to protect the Hampshire Fire and Rescue Service’s (HFRS) ability to maintain business continuity and reduce the risk of business damage by preventing and minimizing the effects of information security breaches.

The HFRS Information Security Management System (ISMS) is deployed by the Information Services (IS) Information Security Manager and a delegated team to achieve this.

Policy

The purpose of the policy is to protect HFRS information assets from all threats, whether internal or external, deliberate or accidental. It will ensure that:

  1. Information will be protected against unauthorized access.
  2. Confidentiality of information will be assured.
  3. Integrity of information will be maintained.
  4. Regulatory, contractual and legislative requirements will be met.
  5. Business continuity plans will be produced, maintained and tested.
  6. Information security training will be available to all staff.
  7. All breaches of Information Security, actual or suspected, shall be reported to the IS Help Desk and investigated by the Information Security Manager and a delegated team.

Implementation

This policy is enacted by:

Signatories

The signatories of this policy are the Chief Fire Officer, the Head of Corporate Services, the IS Security Manager and members of the Information and Physical Asset Security Forum.

ISMS overview

General Requirements:

HFRS shall establish, implement, operate, monitor, review, maintain and improve the ISMS documentation within the context of the activities and the risks it faces. For the purposes of this international standard, the process used is based on the Plan Do Check Act (PDCA) model.

Establish the ISMS

The ISMS is to help promote and deliver the aims of HFRS.

The scope of the ISMS is applicable to the support, development, maintenance, decommissioning and hosting of HFRS applications, the management and support of the LAN and WAN, and the protection of system information.

The scope of the ISMS is applicable to all staff and activities within the IS department located at HFRS headquarters.

Dependencies

Although the scope is limited to the Information Services department, the security of information outside of the scope is managed by the publication and adoption of HFRS-wide information security policies. Compliance with these policies is validated by internal audit.

The implementation of the HFRS incident reporting process provides visibility to both the Information and Physical Asset Security Forum and the Information Services Information Security Forum of issues outside the scope of the ISMS that may impact the security of HFRS.

HFRS information security policies are applicable to all HFRS personnel, including temporary staff, contractors, and consultants. Where necessary these information security policies are augmented by Information Services department specific policies and processes.

ISMS Policy

The configuration and management of all IS systems in accordance with policies developed for the ISMS will ensure that all HFRS systems are protected in accordance with industry best practice.

It is the intention of the HFRS senior management to achieve and maintain certification with the ISO27001 Information Security Standard for the following reasons:

Management framework

HFRS has established the ISMS to ensure business continuity by protecting the Confidentiality, Integrity and Availability of information and to minimise business damage by preventing and minimising the impact of the security incidents.

It is HFRS policy to ensure that all information security breaches will be investigated.

The Information and Physical Asset Security Forum is responsible for the overall direction and commitment to Information Security and Physical Asset Security. The Information Security Manager and delegated team have direct responsibility for maintaining the policies and providing guidance on their implementation. The Information and Physical Asset Security Forum is responsible for implementation and monitoring of compliance with policies within HFRS, supported by the IS Level Information Security Forum.

Management commitment

The High Level Policy has been authorised by the Information and Physical Asset Security Forum, the Chief Officer, IS Security Manager and the Information Security Officer.

All other policies and procedures have been created and authorised by the Information Security Manager and the Information Security Officer.

As part of their training, all users are made aware of the importance of information security, the impact a security breach will have upon HFRS, its customers and partners and the business benefits of an ISO27001:2005 certified information security management system.

Senior management appointed an Information Security Manager, an Information Security Officer and a delegated team to fully support the implementation of this Information Security.

Management system

All documentation and processes generated by this ISMS are reviewed and authorised by the Information and Physical Asset Security Forum where applicable and supported in their work by the IS Level Information Security Forum.

The Information Security Manager will implement the Information Security Review. The Information Security Manager and the Information and Physical Asset Security Forum will periodically review the ISMS to ensure that it meets the objectives of HFRS. A Management Review report will be presented to the Information and Physical Asset Security Forum at least once a year.

Resource management

HFRS has appointed an Information Security Manager, who has established both an Information and Physical Asset Security Forum and an IS Level Information Security Forum. The Security Forums and Senior Management review all security initiatives to ensure that they align with HFRS policy, its culture and business requirements.

IS Line managers are responsible for ensuring that processes implemented within their jurisdiction are working as expected.

The Information Security Manager and the delegated internal auditors will undertake compliance auditing to ensure conformance to policy and contractual and legal obligations.

The Information and Physical Asset Security Forum will review the ISMS annually.

Management review

The Information Security Manager will undertake a management review of the ISMS at least once a year. The results of the review and its recommendations will be documented and a report will be presented to the Information and Physical Asset Security Forum.

The review will include:

Information and Physical Asset Security Forum

This Forum has been established to ensure that there is clear direction and visible management support for security initiatives and is dedicated to the principles of Information Security best practice, standards and initiatives.

The Information and Physical Asset Security Forum is a focus for consideration of security and continuity issues which may affect the ability of HFRS to provide services to citizens and customers. The forum is in place to provide a strategic lead to HFRS wide security, improvement and maintenance programmes.

The long-term goal is to reduce the amount of time, money and effort involved in resolving security breaches, continuity issues and incidents by introducing management controls that prevent or avoid them.

The Information and Physical Asset Security Forum will consider and set policies on security issues that affect HFRS. This includes security in terms of personnel, physical location, operational procedures and Information and Technical protection arrangements.

The scope of the Information and Physical Asset Security Forum includes but is not limited to the following:

Risk assessment

The RiskSS approach and methodology for risk management was used to identify the specific risks to Information.

Information assets were identified during the analysis stage of the process and were subjected to a Business Impact Analysis. Information assets were then grouped by type and similar impact and, where appropriate, assessed by an in-depth risk assessment. The risk assessment approach has assessed the risks of internal or external, deliberate or accidental threats to the information assets.

Training and awareness

HFRS has established a training and awareness programme for all users.

All users are provided with security guidance that explains their responsibilities under the HFRS Information Security Policy during their induction training. Staff shall also be given information security guidance appropriate to their job function.

Support staff that have operational responsibility for designing, installing, configuring, maintaining or supporting systems receive detailed security guidance relevant to their area of responsibility. Security training will be given as part of the induction process to new starters.

Additional training, recommended by the Security Forum, will be given to existing users as deemed necessary.

Training, awareness and competence

A training programme for information security awareness has been implemented within HFRS.

Line managers must ensure that people working for them maintain an appropriate level of information security awareness.

The objectives of the training and awareness programme are to:

Elements may include:

A record of all training is kept including details of:

Security incident reporting and handling

HFRS has established security incident handling procedures. Firewall activity, internet activity and email usage are all monitored by Hampshire County Council.

The Information Security Manager has delegated the responsibility for investigating security incidents to the Information Security Officer and delegated team. A monthly report is produced summarising any information security issues that might have arisen. This report will give feedback on incidents and audit reports to the IS Level Information Security Forum.

Incident reporting

The Policy applies to all scales of security incident from a technical or management issue that has no apparent immediate effect to a wide-ranging life-threatening crisis.

The management of security incidents affecting information systems requires a formalised process for both reporting and managing all security incidents. A single security reporting system has been implemented.

Responsibilities

It is the responsibility of all HFRS employees, contractors and third parties to report any incident or suspected incident. Failure to do so will be deemed a contravention of policy or an attempt to aid and abet an incident and will be investigated as such.

Incident definition

An information security incident is defined as:

A building security incident is defined as:

ISMS documents

All documents that form part of the Information Security Management System will be controlled and approved.

As a minimum, the documents shall be approved by the Information Security Manager or the Information Security Officer, in their absence. The Information and Physical Asset Security Forum has approved the High Level Security policy.

Proposed changes to the policies and procedures within the ISMS are identified as a result of:

  1. Day to day activities
  2. Incident reports
  3. Audit report findings
  4. Management reviews.

In the event that the information security policies or the high level policy change significantly, they are again submitted to the Information and Physical Asset Security Forum for approval.

A list of all documents identified within the ISMS is maintained by the Information Security Manager. This list provides details of the latest released copy of each document such as:-

Each document has the date of issue, version number, location, owner and review date.

The master copy of all ISMS documents is held on Hantsfirenet. The owner of each document within the ISMS is responsible for ensuring that the document remains legible, accessible and identifiable by revising and updating its format in line with the HFRS corporate identity. No document or policy can be changed without a “Change Control” and the authorisation of the IS Level Information Security Forum.

Record control

The Information Security Manager will store all records that show the implementation of the ISMS (see list below) securely.

Records relating to the ISMS will be kept for a minimum of 3 years plus 1. The distribution of records applicable to this ISMS will be restricted to the Information and Physical Asset Security Forum, senior management, auditors and authorised personnel. Records will be maintained in accordance with the requirements of the Data Protection Act 1998 and the Freedom of Information Act 2000. Hard copies will be stored in accordance with manufacturers' instructions; electronic records will be backed up regularly.

The records generated by ISMS have been defined by the Plan-Do-Check-Act cycle. The Information Security Manager is responsible for determining what records are needed to show performance of the ISMS cycle, whilst each department is responsible for identifying the appropriate records which shall provide evidence of the performance and implementation of the controls selected in their area.

Where services have been outsourced to third parties, controlling SLAs state what records must be provided and when. Reports and records may be provided on request, monthly or an ad hoc basis and some during audit process only. Records must be available to show evidence of conformity to requirements, performance of the ISMS and occurrence of incidents.

The following records must be maintained as part of the PDCA Cycle defined within the ISMS in accordance with ISO27001:

Other records must be maintained to show that the applicable controls within ISO27001 have been implemented. These records may be in hard copy or electronic form, they may be documents, reports, forms or database entries. Examples of these records are listed in point 8 above.

Audit schedule

The Information Security Manager is responsible for the audit schedule. It is anticipated that each control will be audited at least once within a one year period. Internal audits within HFRS will be carried out by the delegated team.

The audit schedule will include plans to audit managed service providers and external third parties as required and any additional audits required to confirm successful implementation of the risk register and any other initiative affecting information security.

Internal ISMS audits

The Information Security Manager will ensure that each section of the ISMS is verified at least annually and will maintain an ISMS Audit Programme with the help of the internal audit team.

Audits may be organised more frequently depending on the importance of the activities being audited. The following sources of information are reviewed to determine the audit programme:

The programme covers audits that are carried out internally within HFRS, audits of or by third parties as part of outsourced or third party contracts, and audits by other third parties on an ad hoc basis.

The programme is reviewed on a monthly basis to check progress and consider any changes (e.g. to policy, system or service provision) that might need to be reflected.

To ensure objectivity and impartiality, the internal audit team will undertake internal audits within HFRS to ensure satisfactory implementation of any initiatives and corrective or preventive actions.

Audit preparation

In preparation for each audit:

Documentation review

The ISMS policies, procedures and standards may be reviewed to establish whether they:

BSI audit

The auditor’s task is to establish whether the ISMS and security initiatives are being followed in practice and conform to ISO27001 and any legal or regulatory requirements. This is achieved by interviewing staff to establish current practice and verifying this practice against the records kept. The auditor examines the selected records in order to determine whether the activities identified above have been carried out correctly. The auditor keeps a record of the process and the findings of the ISMS Audit.

The ISMS audit record and all other documents relating to internal audits are passed to the Information Security Manager. The ISMS audit records and all other documents relating to internal ISMS Audits are retained for inspection by Information Security Manager, the Information and Physical Asset Security Forum, senior management and external auditors.

All issues arising from the internal ISMS Audits requiring attention are discussed with the appropriate personnel and a record kept on an Audit Report. The auditor will document their findings and present them to the Information Security Officer and the Information Security Manager.

When required, the Information Security Officer will liaise with the Information Security Manager to agree corrective or preventive actions (where potential weaknesses or non-conformities were identified). As part of this process it will be decided who will carry out the action and within what timescale.

The Information Security Manager ensures the Audit results are discussed at the next IS Information Security Forum. Once corrective and preventative actions are implemented they are reviewed by the Information Security Manager to ensure that the initiatives are working correctly.

Reporting

Non-conformity reports may be produced when an incident arises or an audit is undertaken.

When non-conformities are reported, they are investigated and appropriate corrective actions are taken. In addition, various preventive actions are implemented on a regular basis to identify potential areas for non-conformities.

The Information Security Manager has delegated the maintenance of the following records to the Information Security Officer:

Management

With the support of the Chief Officer, Head of Corporate Services and the Information and Physical Asset Security Forum, the Information Security Manager is responsible for implementing improvements to the ISMS.

When required he can delegate this responsibility, however, ownership of the project remains with the Information Security Manager. All improvements will be documented within the IS Information Security Forum. The Information Security Manager is responsible for confirming that improvements to the ISMS are functioning correctly.

When a non-conformity report is raised, all interested parties involved, including the relevant line managers, receive copies of the report and any recommended actions. The managers confirm what actions they intend to take as a result of the points raised in the report and their planned implementation dates. The Information Security Manager is responsible for checking the effectiveness of any new initiatives. Whenever possible this should be done within one week of the security enhancement.

Continual improvement

The Information Security Officer will report, on a monthly basis, the results of audits, incidents, and the status of corrective and preventive actions to establish day to day improvements to the ISMS. The Information Security Manager will review, on a monthly basis, the results of audits, incidents and corrective actions to establish processes or products that will improve the ISMS.

The Information and Physical Asset Security Forum will receive reports from the IS Security Manager and lead the overall improvements for HFRS.

Non-conformities and Incidents

A non-conformity is defined as:

The absence of, or the failure to implement and maintain one or more ISMS requirements or a situation which would, on the basis of available objective evidence, raise significant doubt as to the capability of the ISMS to fulfill the Information Security Policy and security objectives of HFRS.

Non-conformities may be identified during the investigation following an incident or during an internal audit. Potential non-conformities might be identified as part of day-to-day activities.

To ensure a consistent approach these are reported as potential incidents and treated in the same way as an actual incident. In the event of an incident occurring, the Information Security Manager will liaise with the relevant teams to determine the reason for the non-conformity.

During an audit the auditor will attempt to identify the reason for non-conformities; however, where the auditor does not have the necessary skill set they will liaise with the Information Security Manager. Having identified the cause of the non-conformity, the situation is investigated with a view to taking corrective actions. Additional action may be taken to prevent recurrence of the non-conformity, either immediately or following approval from the IS Information Security Manager or management reviews. Corrective action may take many forms, such as removing authorisation, changing system values or invoking the disciplinary process.

The auditor or Information Security Manager will review the nonconformity with the relevant teams and agree the appropriate action that should be taken. In the event of an Audit, the Auditor will document the non-conformity whilst the Information Security Manager will document any non-conformities resulting from an Incident. Either the Auditor or the Information Security Manager will recommend corrective actions, which will be presented to the IS Information Security Forum.

Each non-conformity report will as a minimum hold the following details:

For each corrective action the following details are held:

The IS Information Security Forum will review all corrective actions. The Information Security Manager will confirm that all corrective actions are correctly implemented.

Preventative actions

HFRS aims to prevent security incidents and potential non-conformances by implementing the following:

Roles and Responsibilities

IS Information Security Manager

Objective of role

Responsible for the IS Security Management process, dealing with information security from the perspective of IS Management and for maintaining the relationship with all other Service Management processes as appropriate to achieve the purpose of IS Security Management.

This role is normally held by the Information Services Manager.

Responsibilities

The IS Security Management process can be summarised as comprising six key activities:

Control, plan, implement, evaluate, maintain, report.

Responsibilities within the specific activities include:

Control

Implement

Implement a range of measures relating to:

Evaluate

Ensure effective evaluation methods are in place for each of the implemented security measures. These include:

Maintenance

Review changes to threats, infrastructure, organisation and processes for impact on security measures.

Report

Ensure a history of security incidents is maintained to enable trend analysis and evaluation of business case for additional/revised measures.

To be a leading member of the Information and Physical Asset Security Forum, participating wherever appropriate in its aims of promoting the various aspects of IS security in the Authority by, for example:

Information Security Officer

Objective of role

The Information Security Officer has delegated responsibilities from the Information Security Manager and will also deputise during any absence.

This role is normally held by the Service Delivery Manager.

Responsibilities

At the departmental level the specific activities include:

To be an active member of both the Information and Physical Asset Security Forum and the IS level Information Security Forum, participating wherever appropriate in its aims of promoting the various aspects of IS security in HFRS by, for example:

Interfaces