Information Security Policy

Document Version Control

Version No. | Date Change Made | New Version No. | Changes Made By (initial) | Comment
00.01 | 13 Sep 2018 | | HW | New policy
01.00 | | | | Reviewed at MTC Full Council 7.10.2019, Agenda item 11.11
01.01 | Jan 2021 | | HW | Updated with virus protection and cyber security
02.00 | Mar 2021 | | | Reviewed at MTC Full Council 29.03.21, Agenda item 10.6
03.00 | Dec 2021 | | HW | Replaced references from EU GDPR to Data Protection Act 2018/UK GDPR as approved at Full Council 06/12/21


1. Principles & Purpose

1.1 This Policy sets out the Council’s commitment to information security within the Council and provides clear direction on responsibilities and procedures.

1.2 Macclesfield Town Council is a Data Controller, as defined under the Data Protection Act 2018/UK GDPR and has registered as such with the Information Commissioner’s Office.

1.3 This Policy should be read in conjunction with other IT policies including:

  • BYOD Policy,
  • ICT Policy,
  • Internet, Email and Social Media Policy,
  • Personal Data Breach Policy.

2. System Security Processes and Procedures

2.1 The Council will provide and maintain security processes and procedures for all key information systems. The procedures will uphold the principles of confidentiality, integrity, availability and suitability and be assessed for their impact upon other systems and services.

2.2 The security procedures will provide preventative measures to reduce the risks to the system, the information held within the system and the service it supports.

2.3 The Council will apply controls to comply with the Data Protection Act 2018/UK GDPR.

2.4 A Continuity plan is available to support the continuation of services following failure or damage to systems or facilities.

2.5 The Clerk will be responsible for the implementation and promotion of the procedures.

2.1 Physical Security

2.1.1 Adequate and practical access controls will be provided in all areas in which personal and business data is stored or used. Unattended rooms should be secured at all times with locked doors as a minimum security requirement.

2.1.2 All documents disclosing identifiable information will be transported in sealed containers e.g. envelopes.

2.1.3 Within their level of authority, staff will be responsible for minimising the risk of theft or vandalism of the data and equipment through common-sense precautions. In particular high value equipment such as, laptop computers, should not be left unattended or unsecured and paper records should not be left in public view.

2.1.4 The physical environment in which data and equipment is stored will be suitable and fit for purpose to ensure the safety of the data and equipment.

2.1.5 Staff should abide by a clear desk policy, securing any paper records of a confidential nature or containing personal data in lockable cupboards or pedestals at the end of each working day.

2.2 Logical Security

2.2.1 All data is stored on Microsoft Office 365 under a Sharepoint that is secured for staff usage only. Data is backed up by the MS Office backup service.

2.2.2 All computerised information systems will be password controlled and all passwords will be treated with the strictest confidence and users will not divulge their password to any unauthorised person. All sensitive data will be password protected.

2.2.3 Council owned laptops are configured with two factor authentication.

2.2.4 Windows updates are configured to install automatically to ensure system and security updates are applied as they are made available by Microsoft.

2.3 Network Security

2.3.1 The Council’s office equipment is connected to Cheshire East Council’s internal network which is firewall protected.

2.3.2 Home Wi-Fi networks must be password protected if used for work purposes.

2.4 Virus Protection (including malware and ransomware)

2.4.1 Viruses are undesirable pieces of computer code that can corrupt systems, equipment and data. They are a serious threat to the computer systems of the Council.  

2.4.2 The council secures its IT equipment with up to date antivirus and malware protection, including virus detection software for scanning fixed drives and removable storage devices. Antivirus updates will install automatically.

2.4.3 Viruses are easily transmitted via email and internet downloads. In particular, users must:

  • not transmit by email any file attachments which they know to be infected with a virus.
  • not download data or programs of any nature from unknown sources.
  • ensure that an effective anti-virus system is operating on any computer which they use to access council facilities.
  • not forward virus warnings.

2.4.4 USB flash drives (memory sticks) of unknown origin should not be used in the Council’s computers.

2.4.5 No software should be installed onto the Council’s equipment without the permission of the Town Clerk.

2.4.6 If a virus is suspected, the equipment should be switched off and isolated and the Council’s support contractor should be contacted.

2.4.7 Further information can be found in Appendix 1.

2.5 Cyber Security

2.5.1 Cyber security and cybercrime are increasing risks that, if left unchecked, could disrupt the day to day operations of the council, the delivery of local public services and ultimately have the potential to compromise national security.

2.5.2 Technical advances create opportunities for greater cybercrime efficiency and effectiveness. These include more engaging and efficient digital services, new ways to work remotely and to store and transfer data, such as mobile devices and cloud services.

2.5.3 All employees, contractors and members should not take any action that puts the council’s systems or information at risk from cyber threats. Any incidents must be reported to the Clerk.

2.5.4 As with most local authorities, the council relies heavily on access to the internet and on information held in its systems. There are several IT systems that have an internet presence (website, webmail, homeworking), and there are several different access mechanisms to information (Wi-Fi, physical networking, smartphones, tablets). All present threats to cyber security.

2.5.5 It is widely acknowledged that it is not currently possible to keep out all attacks all of the time, but the council employs a range of tools and good practice to minimise the risk to its information and systems:

  • Password controls
  • User vigilance for suspicious emails, attachments and links
  • Regular backups
  • Regular software updates

2.5.6 Council staff and members shall receive regular cyber training.

2.6 Disposal and movement of equipment and media

2.6.1 Any media or IT equipment disposed of by the Council will not contain any data or codes that could allow an individual to be identified from it. The disposal of equipment will be made under a controlled and documented environment satisfying the requirements of the Data Protection Act 2018/UK GDPR. The disposal of media such as disks and memory sticks must ensure that data cannot be recovered. Disposal of such media through the “everyday” waste collection is not permitted. The Council will implement processes to ensure appropriate disposal of such media.

2.6.2 An inventory of all Council computer equipment will be maintained. Details of any equipment or media disposed of or relocated (other than portable equipment) must be recorded.

2.7 Personal Computers

2.7.1 Computer users have responsibility for the security of the equipment in their care and shall not commit an act to compromise the data or Information Security Policy.

2.7.2 Computer users will be made aware of their responsibilities through this policy and the BYOD Policy.

2.8 Staff and Councillors’ Responsibilities

2.8.1 The Council will make every reasonable effort to ensure that staff and councillors are aware of their responsibilities for the security of information. However, each councillor or member of staff is responsible for ensuring that the Information Security Policy is adhered to and for reporting any breaches of security.

2.9 Incident Reporting

2.9.1 Incidents affecting security must be reported to the Clerk as quickly as possible.

Appendix 1 – Anti-Virus Guidelines

1. What is a virus?

A computer virus is a damaging piece of software that can be transferred between programs or between computers without the knowledge of the user. When the virus software is activated (by incorporated instructions, e.g. on a particular date), it performs a range of actions such as displaying a message, corrupting software, files and data to make them unusable, and deleting files and/or data. While many of the viruses produced are benign and cause no real damage to the infected system, they always constitute a breach of security.

2. Avoid Unauthorised Software

Any software installed on Council equipment must first be authorised by the Clerk.

Do not install software like games, joke programs, cute screensavers, unauthorised utility programs etc. as they can sometimes be the source of difficulties even if they are genuinely non-malicious.

3. Treat all attachments with caution

Be cautious about email attachments from people you don’t know. However, if attachments are sent to you by someone you do know, don’t assume they must be OK because you trust the sender.

Worms generally spread by sending themselves without the knowledge of the person from whose account they spread. If you do not know the sender or are not expecting any messages from the sender about that topic, it is worth checking with the sender that they intended to send a message, and if so, whether they intended to include any attachment. If you were expecting an attachment from them, this may not apply.

Bear in mind that even legitimate, expected attachments can be virus infected: worms and viruses are related, but cause slightly different problems.

Regard anything that meets the following criteria with particular suspicion:

  • If they come from someone you don’t know, who has no legitimate reason to send them to you.
  • If an attachment arrives with an empty message.
  • If there is some text in the message, but it doesn’t mention the attachment.
  • If there is a message, but it doesn’t seem to make sense.
  • If there is a message, but it seems uncharacteristic of the sender (either in its content or in the way it’s expressed).
  • If it concerns unusual material like pornographic web-sites, erotic pictures and so on.
  • If the message doesn’t include any personal references at all, (for instance a short message that just says something like “You must take a look at this”, or “I’m sending you this because I need your advice” or “I love you!”).
  • If the attachment has a filename extension that indicates a program file (such as those listed below).
  • If it has a filename with a ‘double extension’, like FILENAME.JPG.vbs or FILENAME.TXT.scr, that may be extremely suspicious. As far as Windows is concerned, it’s the last part of the name that counts, so check that against the list below to find out whether it’s a program like those listed, masquerading as a data file, such as a text file or JPEG (graphics) file.

In all the above instances, it is recommended that you check with the sender that they knowingly sent the mail/attachment in question.

4. Avoid unnecessary macros

If Word or Excel warns you that a document you’re in the process of opening contains macros, regard the document with particular suspicion unless you are expecting the document and you know that it’s supposed to contain macros. Even then, don’t enable macros if you don’t need to. It may be worth checking with the person who sent it to you that it is supposed to contain macros.

In Microsoft Word and other programs, a macro is a saved sequence of commands or keyboard strokes that can be stored and then recalled with a single command or keyboard stroke. A macro virus is a computer virus that “infects” a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. 

5. Be cautious with encrypted files

If you receive an encrypted (passworded) attachment, it will normally be legitimate mail from someone you know, sent intentionally (though the sender is unlikely to know in the event that they have a virus). However, that doesn’t necessarily mean that it isn’t virus-infected. If it started out infected, encryption won’t fix it. Furthermore, encrypted attachments can’t usually be scanned for viruses in transit: the onus is on the recipient to be sure the decrypted file is checked before it’s opened. This goes not only for heavyweight encryption packages, but also for files compressed and encrypted with PKZip or WinZip.

6. Suspicious filename extensions

The following is a list of filename extensions that indicate an executable program, or a data file that can contain executable programs in the form of macros. This list is by no means all-inclusive. There are probably a couple of hundred filename extensions that denote an executable program of some sort.

An executable is a file that contains a program. It is a particular kind of file that is capable of being executed or run as a program in the computer. In a Windows operating system, an executable file usually has a file name extension of .bat, .com, or .exe. 

Furthermore, there are filenames like .RTF that shouldn’t include program content, but sometimes can, while Word documents (for instance) can in principle have any filename extension, or none. Furthermore, zipped (compressed) files with the filename extension .ZIP can contain one or more of any kind of file.

.BAT .CHM .CMD .COM .DLL .DOC .DOT .EXE .FON .HTA .JS .OVL .PIF .SCR .SHB .SHS .VBS .VBA .WIZ .XLA .XLS
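As an added illustration (not part of the Council's policy), the following Python function applies the two name-based checks from section 3 (the ‘double extension’ masquerade) and section 6 (the extension list above) to an attachment filename and returns the reasons for suspicion; the set of ‘data’ extensions it uses to spot a masquerade, and the sample filenames, are assumptions of the example.

```python
import os

# Extensions the appendix lists as denoting a program file or a data file that
# can carry macros. Taken from the list above; the policy notes it is not exhaustive.
EXECUTABLE_EXTENSIONS = {
    ".bat", ".chm", ".cmd", ".com", ".dll", ".doc", ".dot", ".exe", ".fon",
    ".hta", ".js", ".ovl", ".pif", ".scr", ".shb", ".shs", ".vbs", ".vba",
    ".wiz", ".xla", ".xls",
}

# Assumed set of extensions a user would expect to be plain data; used only to
# detect the FILENAME.JPG.vbs style of masquerade described in section 3.
DATA_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".rtf"}

# Containers that may hold any kind of file, so the name alone proves nothing.
CONTAINER_EXTENSIONS = {".zip"}


def attachment_warnings(filename: str) -> list[str]:
    """Return the reasons (possibly none) why an attachment name deserves suspicion.

    Windows acts on the *last* extension, so that is what is compared with the
    executable list; the extension before it is inspected for a data-file
    extension that would make the name a 'double extension' masquerade.
    """
    name = os.path.basename(filename.strip()).lower()
    parts = name.split(".")
    # "report.txt.scr" -> [".txt", ".scr"]; a bare name has no extensions at all
    exts = ["." + p for p in parts[1:]] if len(parts) > 1 else []
    warnings: list[str] = []
    if not exts:
        return warnings  # cannot be classified by name alone
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        warnings.append(f"last extension {last} denotes a program or macro-capable file")
        if len(exts) > 1 and exts[-2] in DATA_EXTENSIONS:
            warnings.append(f"double extension {exts[-2]}{last} masquerades as a data file")
    elif last in CONTAINER_EXTENSIONS:
        warnings.append(f"{last} archive can contain any kind of file; check contents after extraction")
    return warnings


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real mailbox.
    for sample in ["FILENAME.JPG.vbs", "holiday.jpg", "minutes.doc", "agenda.ZIP", "README"]:
        print(sample, "->", attachment_warnings(sample) or "no name-based concerns")
```

A name that passes these checks is not thereby safe; the policy's advice to confirm unexpected attachments with the sender and to scan decrypted or extracted files still applies.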

If you think that you may have received a virus – report it!