A list of cookies used by this website.
Name	Provider	Description	Expiry	Type
PHPSESSID	Website	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.	session	Necessary
sg-cookies	Website	This cookie simply stores your preferences on the website and allows you to continue viewing the website under your terms	1 year	Necessary
sg-popup	Website	This cookie stores whether you have already seen the sitewide popup or not	session	Necessary
sg-expiry	Website	Checks when to expire your accessibility preferences. After an hour, all the 'ch-' cookies are reset	1 hour	Necessary
ch-font-sizes	Website	Controls the preferences set within the accessibility options. This specifically remembers your font-size choices.	1 hour	Necessary
ch-font-times	Website	Controls the preferences set within the accessibility options. This specifically remembers how big you needed your font sizes.	1 hour	Necessary
ch-prefs	Website	Controls the preferences set within the accessibility options	1 hour	Necessary
__cfduid	.bootstrapcdn.com	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.	1 month	Necessary
__cfduid	.fontawesome.com	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.	1 month	Necessary
rc::a	google.com	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.	1 day	Statistics
rc::c	google.com	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.	none	Statistics
_ga	google.com	Registers a unique ID that is used to generate statistical data on how the visitor uses the website.	2 years	Statistics
_ga_#	google.com	Used by Google Analyitics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit.	2 years	Statistics
_gat	google.com	Used by Google Analytics to throttle request rate	1 day	Statistics
_gid	google.com	Registers	1 day	Statistics
collect	google-analytics.com	Used to send data to Google Analytics about the visitors device and behaviour. Tracks the visitor across devices and marketing channels	session	Statistics
NID	googe.com	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.	6 months	Marketing
CONSENT	youtube.com	Used to detect if the visitor has accepted the marketing category in the cookie banner. Th is cookie is necessary for GDPR-compliance of the website.	195 Months	Necessary
aka_debug	akamaized.net (vimeo)	Used by Vimeo to track usage of their embedded video player	session	Statistics
_p_hfp_client_id	apps.elfsight.com	Used to implement social platforms on the website. Enables the social platforms to track the users by assigning them a specific ID.	1 day	Marketing
OlivieClientCacheYottie#Requests	apps.elfsight.com	Sets a unique ID for the visitor, that allows third party advertisers to target the visitor with relevant advertisement. This pairing service is provided by third party advertisement hubs, which facilitates real-time bidding for advertisers.	persistent	Marketing
VISITOR_INFO1_LIVE	youtube.com	Tries to estimate the users bandwith on pages with intergrated YouTube videos	179 days	Marketing
YSC	youtube.com	Registers a unique ID to keep statistics of what videos from YouTube the user has seen	session	Marketing
yt_cid	youtube.com	registers a unique ID to keep statistics of what videos from YouTube the user has seen	persistent	Marketing

Information Security Policy

Home » Your Council » Governing Documents » Information Security Policy

Document Version Control
Version No.	Date Change Made	Changes Made By (initial)	Comment
00.01	13 Sep 2018	HW	New policy
01.00			Reviewed at MTC Full Council 7.10.2019 Agenda item 11.11
01.01	Jan 2021	HW	Updated with virus protection and cyber security
02.00	Mar 2021		Reviewed at MTC Full Council 29.03.21 Agenda item 10.6
03.00	Dec 2021	HW	Replaced references from EU GDPR to Data Protection Act 2018/UK GDPR as approved at Full Council 06/12/21

toc goes in here

1. Principles & Purpose

1.1 This Policy sets out the Council’s commitment to information security within the Council and provides clear direction on responsibilities and procedures.

1.2 Macclesfield Town Council is a Data Controller, as defined under the Data Protection Act 2018/UK GDPR and has registered as such with the Information Commissioner’s Office.

1.3 This Policy should be read in conjunction with other IT polices including:

BYOD Policy,
ICT Policy,
Internet, Email and Social Media Policy,
Personal Data Breach Policy.

2. System Security Processes and Procedures

2.1 The Council will provide and maintain security processes and procedures for all key information systems. The procedures will uphold the principles of confidentiality, integrity, availability and suitability and be assessed for their impact upon other systems and services.

2.2 The security procedures will provide preventative measures to reduce the risks to the system, the information held within the system and the service it supports.

2.3 The Council will apply controls to comply with the Data Protection Act 2018/UK GDPR.

2.4 A Continuity plan is available to support the continuation of services following failure or damage to systems or facilities.

2.5 The Clerk will be responsible for the implementation and promotion of the procedures.

2.1 Physical Security

2.1.1 Adequate and practical access controls will be provided in all areas in which personal and business data is stored or used. Unattended rooms should be secured at all times with locked doors as a minimum security requirement.

2.1.2 All documents disclosing identifiable information will be transported in sealed containers e.g. envelopes.

2.1.3 Within their level of authority, staff will be responsible for minimising the risk of theft or vandalism of the data and equipment through common-sense precautions. In particular high value equipment such as, laptop computers, should not be left unattended or unsecured and paper records should not be left in public view.

2.1.4 The physical environment in which data and equipment is stored will be suitable and fit for purpose to ensure the safety of the data and equipment.

2.1.5 Staff should abide by a clear desk policy, securing any paper records of a confidential nature or containing personal data in lockable cupboards or pedestals at the end of each working day.

2.2 Logical Security

2.2.1 All data is stored on Microsoft Office 365 under a Sharepoint that is secured for staff usage only. Data is backed up by the MS Office backup service.

2.2.2 All computerised information systems will be password controlled and all passwords will be treated with the strictest confidence and users will not divulge their password to any unauthorised person. All sensitive data will be password protected.

2.2.3 Council owned laptops are configured with two factor authentication.

2.2.4 Windows updates are configured to install automatically to ensure system an security updates are applied as they are made available by Microsoft.

2.3 Network Security

2.3.1 The Council’s office equipment is connected to Cheshire East Council’s internal network which is firewall protected.

2.3.2 Home Wi-Fi networks must be password protected if used for work purposes.

2.4 Virus Protection (including malware and ransomware)

2.4.1 Viruses are undesirable pieces of computer code that can corrupt systems, equipment and data. They are a serious threat to the computer systems of the Council.

2.4.2 The council secures its IT equipment with up to date antivirus and malware protection, including virus detection software for scanning fixed drives and removable storage devices. Antivirus updates will install automatically.

2.4.3 Viruses are easily transmitted via email and internet downloads. In particular, users must:

not transmit by email any file attachments which they know to be infected with a virus.
not download data or programs of any nature from unknown sources.
ensure that an effective anti-virus system is operating on any computer which they use to access council facilities.
not forward virus warnings.

2.4.4 USB flash drives (memory sticks) of unknown origin should not be used in the Council’s computers.

2.4.5 No software should be installed onto the Council’s equipment without the permission of the Town Clerk.

2.4.6 If a virus is suspected, the equipment should be switched off and isolated and the Council’s support contractor should be contacted.

2.4.7 Further information can be found in Appendix 1.

2.5 Cyber Security

2.5.1 Cyber security and cybercrime are increasing risks that, if left unchecked, could disrupt the day to day operations of the council, the delivery of local public services and ultimately have the potential to compromise national security.

2.5.2 Technical advances create opportunities for greater cybercrime efficiency and effectiveness. These include more engaging and efficient digital services, new ways to work remotely and to store and transfer data, such as mobile devices and cloud services.

2.5.3 All employees, contractors and members should not take any action that puts the council’s systems or information at risk from cyber threats. Any incidents must be reported to the Clerk.

2.5.4 As with most local authorities, the council relies heavily on access to the internet and on information held in its systems. There are several IT systems that have an internet presence (website, webmail homeworking), and there are several different access mechanisms to information (Wi-Fi, physical networking, smartphones, tablets). All present threats to cyber security.

2.5.5 It is widely acknowledged that it is not currently possible to keep out all attacks all of the time, but the council employs a range of tools and good practice to minimise the risk to its information and systems:

Password controls
User vigilance for suspicious emails, attachments and links
Regular backups
Regular software updates

2.5.6 Council staff and members shall receive regular cyber training.

2.6 Disposal and movement of equipment and media

2.6.1 Any media or IT equipment disposed of by the Council will not contain any data or codes that could allow an individual to be identified from it. The disposal of equipment will be made under a controlled and documented environment satisfying the requirements of the Data Protection Act 2018/UK GDPR. The disposal of media such as disks and memory sticks must ensure that data cannot be recovered. Disposal of such media through the “everyday” waste collection is not permitted. The Council will implement processes to ensure appropriate disposal of such media.

2.6.2 An inventory of all Council computer equipment will be maintained. Details of any equipment or media disposed of or relocated (other than portable equipment) must be recorded.

2.7 Personal Computers

2.7.1 Computer users have responsibility for the security of the equipment in their care and shall not commit an act to compromise the data or Information Security Policy.

2.7.2 Computer users will be made aware of their responsibilities through this policy and the BYOD Policy.

2.8 Staff and Councillors’ Responsibilities

2.8.1 The Council will make every reasonable effort to ensure that staff and councillors are aware of their responsibilities for the security of information. However, each councillor or member of staff is responsible for ensuring that the Information Security Policy is adhered to and report any breaches of security.

2.8 Incident Reporting

2.9.1 Incidents affecting security must be reported to the Clerk as quickly as possible.

Appendix 1 – Anti-Virus Guidelines

1. What is a virus?

A computer virus is a damaging piece of software that can be transferred between programs or between computers without the knowledge of the user. When the virus software is activated (by incorporated instructions, e.g. on a particular date), it performs a range of actions such as displaying a message, corrupting software, files and data to make them unusable, and deleting files and/or data. While many of the viruses produced are benign and cause no real damage to the infected system, they always constitute a breach of security.

2. Avoid Unauthorised Software

Any software installed on Council equipment must first be authorised by the Clerk.

Do not install software like games, joke programs, cute screensavers, unauthorised utility programs etc as they can sometimes be the source of difficulties even if they are genuinely non-malicious.

3. Treat all attachments with caution

Be cautious about email attachments from people you don’t know. However, if attachments are sent to you by someone you do know, don’t assume they must be OK because you trust the sender.

Worms generally spread by sending themselves without the knowledge of the person from whose account they spread. If you do not know the sender or are not expecting any messages from the sender about that topic, it is worth checking with the sender that they intended to send a message, and if so, whether they intended to include any attachment. If you were expecting an attachment from them, this may not apply.

Bear in mind that even legitimate, expected attachments can be virus infected: worms and viruses are related, but cause slightly different problems.

Regard anything that meets the following criteria with particular suspicion:

If they come from someone you don’t know, who has no legitimate reason to send them to you.
If an attachment arrives with an empty message.
If there is some text in the message, but it doesn’t mention the attachment.
If there is a message, but it doesn’t seem to make sense.
If there is a message, but it seems uncharacteristic of the sender (either in its content or in the way it’s expressed).
If it concerns unusual material like pornographic web-sites, erotic pictures and so on.
If the message doesn’t include any personal references at all, (for instance a short message that just says something like “You must take a look at this”, or “I’m sending you this because I need your advice” or “I love you!”).
If the attachment has a filename extension that indicates a program file (such as those listed below).
If it has a filename with a ’double extension’, like FILENAME.JPG.vbs or FILENAME.TXT.scr, that may be extremely suspicious. As far as Windows is concerned, it’s the last part of the name that counts, so check that against the list below to find out whether it’s a program like those listed, masquerading as a data file, such as a text file or JPEG (graphics) file.

In all the above instances, it is recommended that you check with the sender that they knowingly sent the mail/attachment in question.

4. Avoid unnecessary macros

If Word or Excel warn you that a document you’re in the process of opening contains macros, regard the document with particular suspicion unless you are expecting the document and you know that it’s supposed to contain macros. Even then, don’t enable macros if you don’t need to. It may be worth checking with the person who sent it to you that it is supposed to contain macros.

In Microsoft Word and other programs, a macro is a saved sequence of commands or keyboard strokes that can be stored and then recalled with a single command or keyboard stroke. A macro virus is a computer virus that “infects” a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it.

5. Be cautious with encrypted files

If you receive an encrypted (passworded) attachment, it will normally be legitimate mail from someone you know, sent intentionally (though the sender is unlikely to know in the event that they have a virus). However, that doesn’t necessarily mean that it isn’t virus-infected. If it started out infected, encryption won’t fix it. Furthermore, encrypted attachments can’t usually be scanned for viruses in transit: the onus is on the recipient to be sure the decrypted file is checked before it’s opened. This goes not only for heavyweight encryption packages, but also for files compressed and encrypted with PKZip or WinZip.

6. Suspicious filename extensions

The following is a list of filename extensions that indicate an executable program, or a data file that can contain executable programs in the form of macros. This list is by no means all-inclusive. There are probably a couple of hundred filename extensions that denote an executable program of some sort.

An executable is a file that contains a program. It is a particular kind of file that is capable of being executed or run as a program in the computer. In a Windows operating system, an executable file usually has a file name extension of .bat, .com, or .exe.

Furthermore, there are filenames like .RTF that shouldn’t include program content, but sometimes can, while Word documents (for instance) can in principle have any filename extension, or none. Furthermore, zipped (compressed) files with the filename extension .ZIP can contain one or more of any kind of file.

.BAT .CHM .CMD .COM .DLL .DOC .DOT .EXE .FON .HTA .JS .OVL .PIF .SCR .SHB .SHS .VBS .VBA .WIZ .XLA .XLS

If you think that you may have received a virus – report it!