itpolicycontent

This content is a version of the ICT Security Policy, November 2012. This is Legacy IA Policy. It is under review and likely to be withdrawn or substantially revised soon. Please contact us before using this on a new project: itpolicycontent@digital.justice.gov.uk.

The objective of ICT security is to ensure business continuity and minimise damage by preventing and reducing the impact of ICT security incidents. This policy applies to all MoJ’s ICT systems, including those managed by ICT service providers. It covers:

• the use of ICT equipment
• the information processed on those ICT systems
• documentation about those systems, irrespective of location

The purpose of this policy and ICT Security Policy Framework as a whole is to:

• inform you how to safeguard information assets from unauthorised access and modification
• describe acceptable use, access and disclosure of information in accordance with protective marking policies, regulations, and applicable legislation
• allow the MoJ to detect, manage and recover from security incidents with the least disruption to the organisation
• ensure MoJ ICT suppliers and service providers comply with the minimum requirements set out in this policy and within the wider security policy framework
• ensure that MoJ information and ICT assets are utilised for MoJ business use only
• enable the MoJ to make best use of its investment in ICT

This policy covers the areas of information security for which MoJ ICT is responsible. The elements of the MoJ covered by this policy are:

• all MoJ business groups
• ALBs
• agencies
• contractors
• ICT suppliers and partners who have access to, or process MoJ information

Privacy and ICT Security

• You must be aware that the MoJ monitors and audits its ICT systems
• MoJ and MoJ ICT service providers must ensure any system monitoring or auditing complies with relevant legislation

MoJ may require access to audit logs in investigating incidents (investigations may be of a purely technical nature such as a virus incident, but may also include investigations into malicious behaviour). MoJ will comply with all relevant legislation and MoJ HR policy in its monitoring and auditing activities. As such, the MoJ will exercise its rights to ensure that its computer equipment and systems are used in a legitimate and lawful manner. This applies equally to MoJ ICT service providers.

Review of security policies

MoJ ICT Security Policies must be maintained and reviewed on a regular basis to a schedule determined by the ITSO – This is currently annually for all policies in this policy set.

The MoJ ICT security policy and any supporting ICT security guides will be reviewed by the ITSO according to the following schedule and criteria:

• annually
• following a serious ICT security incident
• in the light of any significant future changes (e.g. relating to major changes in policy or context of operations; modification, replacement or creation of new services or major applications; or recommendations following formal risk analysis reviews)

Risk Assessment, Management and Audit

Risk Assessment and Management

• all ICT systems must undergo a technical risk assessment. The type of risk assessment and application criteria is available in the Accreditation Framework
• all ICT systems which process protectively marked data must be accredited in accordance with HMG Information Assurance Standards (in particular, for personal data, HMG Information Assurance Standard No.6). This could include the production of an RMADS
• all ICT systems which are subject to the accreditation process must be subject to (at least) an annual technical risk assessment in accordance to HMG Information Assurance Standard No. 1 & 2
• all risk management decisions must be recorded. For ICT systems undergoing accreditation, risk management decisions must be recorded in the RMADS

The Cabinet Office mandates that all central government department ICT systems (which process protectively marked data) must be accredited in accordance with HMG Information Assurance standards and HMG security policy. All ICT systems must be subject to (at least) an annual technical risk assessment in accordance to HMG Information Assurance standard No. 1 & 2 and documentary evidence that the security risks have been assessed in accordance with the accreditation or reaccreditation process.

Assessment and the risk management decisions made must be recorded in a Risk Management and Accreditation Documentation Set (RMADS), using HMG Information Assurance Standard No. 1 & 2 - Supplement. The submitted RMADS document must provide justification and accountability for any management decisions taken regarding risk management.

Business Impact

• a Business Impact Assessment must be conducted for all ICT systems
• all new ICT systems must be assessed as to whether a Privacy Impact Assessment (PIA) is required

As part of the MoJ approach to risk management, the potential impact of a successful attack on the Confidentiality, Integrity and Availability of the asset/s supported or processed by an ICT system is assessed in terms of business impact. The definition of an asset is taken from HMG Information Assurance Standard No.1 & 2:

Anything that has value to the organisation, its business operations and its continuity.

In the context of an ICT system, this includes (but not limited to) data, hardware, software and business services provided by the system.

HMG Business Impact Levels should be used as the bases for conducting a business impact assessment. The MoJ Accreditation Framework provides guidance and further information on how to conduct a business impact assessment and guidance on whether a PIA is required.

Audit

Documentary evidence must be:

• made available (upon request) which details the implementation of any technical security control in an ICT system. This includes evidence that any technical security controls are operating correctly and provide the desired risk mitigation as documented in the RMADS
• maintained to catalogue all changes (including configuration changes) to ICT systems and the ICT security implications of those changes (this includes the case where no significant ICT security impact are identified)

MoJ ICT IA is responsible for reviewing all RMADS submissions before system accreditation is considered. It is the responsibility of the ICT service provider/s and ICT system manager/s to ensure that an RMADS document is generated, factually correct, complete and includes all the information required for an accreditation decision to be made. This includes details of any risk mitigating controls and residual risks.

The Accreditor (or delegate) may require further information, clarification or further documentary evidence regarding the submitted RMADS.

Roles and Responsibilities

The foundation of good Information Security is the establishment and operation of an effective Information Security Management System (ISMS). Establishing an effective ISMS involves clearly defining the security management structure and the roles and responsibilities which sit within it.

ICT security management structure

• All MoJ ICT Users must be made aware of their role/s and responsibilities for IT security
• The mandatory set of ICT security roles which must be fulfilled is detailed in this policy

The ICT security management structure falls within the overall MoJ security management structure.

The Permanent Secretary, as Accounting Officer, has overall responsibility for all aspects of security. The Departmental Security Officer (DSO) and MoJ SIRO support the Permanent Secretary by providing advice on personal, physical and information security policy and procedure. The Chief IT Security Officer (CISO) supports the DSO by providing advice on ICT security policy.

Identification and Authentication Controls

• all ICT systems must implement appropriate controls, in relation to the risks identified, to identify users, authenticate their actions, control their access to system services and data, and revoke access to system services and data
• authorised access to the ICT systems, the services they provide and information held on them must be made available on a need-to-know basis. This includes access to protectively marked data and personal information
• where users are provided with access credentials to confirm their identity and authenticate themselves (e.g. a password token), they must ensure that they do not divulge those credentials and report (as a security incident) any incidents where access credentials have or may have been compromised or lost

Identification, authentication and authorisation security controls are implemented by both technical controls within the ICT system and by procedural controls which are followed by users and administrators of that ICT System.

Where these security controls are implemented within the ICT system, the ICT Security – Technical Controls Policy provides further detail on the MoJ policy in this area.

For procedural controls, the ICT Security - Acceptable Use Policy provides details on the MoJ policy with regards to the usage of ICT systems.

For both technical and procedural controls, the ICT Security - Information Classification and Handling Policy sets the MoJ policy on how information assets must be handled by ICT systems (including users of those systems) and provides the context for the application of those controls.

Technical Controls and Codes of Connection

• the implementation of all ICT systems must consider technical security controls with respect to the ICT Security - Technical Controls Policy for any risks identified through the business impact assessment and/or accreditation process. This is subject to any risk management decisions taken as part of the accreditation process.
• where a MoJ ICT system shares services and/or data with; a) another system in different MOJ ICT business domain, b) another government department and/or c) a third party, technical Codes of Connection must be established and agreed with the relevant parties which include (but are not limited to): system Accreditor, CISO, IAO and information sharing parties. Further details provided in ICT Security – Acceptable Use Policy

ICT Security Incident Management

Incident Management is the ability to react to different types of security incidents in a controlled, pre-planned manner. Preparation and planning are key factors to successful information security management and it is important that ICT security incident management is considered for every MoJ ICT system.

Forensic investigation is a component of incident management and allows the MoJ to respond to security incidents which require the collection, storage, analysis and preparation of digital evidence that may be required in legal or disciplinary proceedings. All:

• MoJ ICT domains must have an IT Security Incident Management Plan which conforms to the ICT Security – IT Incident Management Policy
• ICT Security Incidents must be reported in accordance with the relevant IT Security Incident Management Plan
• ICT systems must make provision for ICT Security incident management (including identifying budget lines which could be used to manage an incident) with reference to the MoJ ICT Security Management Plan. This provision must be documented and included as part of system accreditation
• ICT systems must consider the collection of digital evidence as part of a forensic investigation in system design and operation where applicable, this in accordance to the ICT Security – Forensic Readiness Policy

Use of Cryptography

Some ICT systems at the MoJ make use of HMG supplied cryptographic material. These systems are generally those which provide functionality to connect to 3rd party systems or protect information at rest on mobile devices (e.g. laptops).

• all ICT systems which require cryptographic controls must conform to Information Assurance Standard No. 4
• there are strict controls around the use of this material. Any use of HMG cryptographic material or products must conform to the MoJ ICT Security – Use of HMG Cryptography Policy

Note: Information Assurance Standard No. 4 states that if HMG cryptographic material is handled, Departments and Agencies must appoint a Communications Security Officer (COMSO). The COMSO is responsible to the SIRO and DSO for ensuring the MoJ’s compliance with the minimum HMG Comsec and cryptography requirements, and developing, implementing and maintaining organisational communications. For further details on the use of HMG cryptographic material can be found in the MoJ ICT Security – Use of HMG Cryptography Policy.

Remote Working and Mobile Computing

Remote working means any working away from the office, whether from home, another MoJ or government office, whilst travelling, at conferences, in hotels, etc, while using ICT equipment to access and connect to ICT systems and services.

Mobile computing is the use of portable computing equipment. Remote working will usually involve the use of portable computing equipment, usually a laptop computer, but portable computing equipment is evolving rapidly and now includes personal electronic devices (PEDs), such as personal digital assistants (PDAs), Blackberry devices, functionally rich mobile ‘phones and palmtop computers which may include the functionality of mobile ‘phones, digital cameras, voice recorders etc as well as email, web browsing and other computing functionality.

• all Users who use remote working and/or mobile computing must be aware of the security operating procedures which must be followed
• mobile Computing equipment provided by the MoJ must only be used for authorised purposes and must be returned to the MoJ upon request by a line manager, or, when the user in receipt of the equipment leaves the MoJ or has no further remote working requirement
• any request to take MoJ ICT equipment abroad must be authorised prior to being taken abroad. This authorisation must be provided by a member of the Senior Civil Service (SCS) or equivalent where approval is required from MoJ Corporate Security and MoJ ICT IA. Further details provided in ICT Security – Acceptable Use Policy

Procurement, Development, and Maintenance

For the MoJ IA strategy to be effective, it must be extended to organisations working on behalf of the MoJ, or handling MoJ assets such as contractors, offshore or nearshore managed service providers and suppliers of ICT systems.

• when the MoJ buys ICT goods, services, systems or equipment, ICT security implications must be considered
• all MoJ ICT suppliers who handle and store personal data or protectively marked material on behalf of the MoJ must, on an annual basis, be formally assessed against the HMG Security Policy Framework mandatory requirements and MoJ ICT Security Policy. MoJ ICT suppliers are responsible for undertaking this assessment

Asset Disposal

All ICT assets (e.g. computers, laptop and removable media), must be appropriately disposed off to ensure MoJ data is not compromised when ICT assets are either redeployed or decommissioned.

• all electronic media used to store protectively marked data must be securely deleted before being re-used or disposed of, or securely destroyed where re-use is not possible or required. This must be in accordance with ICT Security – Technical Controls Policy
• unless otherwise specified by MoJ ICT IA, all electronic media must be disposed of in accordance with HMG Information Assurance Standard No.5.
• all ICT systems must have a documented asset disposal procedure.

Further information on asset disposal, in particular the procedural controls are provided in ICT Security - Acceptable Use Policy.

Business Continuity

MoJ business groups are required to maintain Business Continuity Plans (BCPs) to ensure the prompt and efficient recovery of key business activities in the event of a disaster or other disruption affecting its premises or assets (including both staff and information).

As ICT systems support the majority of MoJ business activities, business continuity needs to be considered in their design and operation. Business continuity itself in ICT is split between ICT Incident Management and ICT Disaster Recovery.

• all MoJ Systems must have an ICT Disaster Recovery Plan. This plan must conform to the ICT Security – ICT Disaster Recovery Policy

Further details can be found in the ICT Incident Management Policy [Ref, 4] and ICT Disaster Recovery Policy.

Physical and Environment

MoJ ICT is not directly responsible for the physical security and environment of MoJ sites. However, physical security controls and the environment in which MoJ ICT systems operate form part of a systems overall risk landscape which is considered during the accreditation process.

• the physical security controls required to maintain the Confidentiality, Integrity and Availability of an ICT system must be considered
• the environmental risks (e.g. flood or fire) to an ICT system and services must be considered in order to maintain its Confidentiality, Integrity and Availability

Further information is available from Corporate Security and Business Continuity Branch.

Personnel Security

MoJ ICT is not directly responsible for personnel security; this is the responsibility of MoJ Corporate Security. This includes aspects such as employee (including contractors and agency staff) joining, moving and leaving, and, assessment of security clearance levels.

However, the security controls associated with personnel form part of the risk assessment of an ICT system and may lead to addition controls being required.

Line managers are responsible for personnel security (of their staff/contractors), including starting, ongoing, and leaver arrangements, under a policy framework set by MoJ HR (recruitment and exit policies) and Corporate Security (National Security Vetting).

• all ICT systems must consider the personnel security controls (for example, security clearance) required in addition to ICT security controls. These should be recorded in a Security Aspects Letter (SAL) provided by the MoJ

Further information is available from Corporate Security and Business Continuity Branch.

Staff Education, Training and Awareness

The MoJ Information Security Education and Awareness strategy is to ensure that users are provided with the necessary training to assist the MoJ in meeting its security objectives of:

• preventing security breaches and any resulting loss of Confidentiality, Availability or Integrity of information, or in confidence in the Ministry of Justice as a secure organisation
• minimising the disruption caused by actual breaches/incidents
• all MoJ ICT users (including contractors, agency staff and consultants) must be made aware of, understand and adhere to MoJ ICT Security Policies and security operating procedures as defined in ICT Security – Acceptable Use Policy

Note: The MoJ Information Security Education and Awareness strategy is the responsibility of the Corporate Security and Business Continuity Branch. The Central IA Branch leads on Information Assurance training; Corporate Security provides training for security liaison officers in HQ and ALBs which includes aspects of physical, personnel and information security.

CISO Terms of Reference

The MoJ Chief IT Security Officer (CISO) is responsible for ICT security within MoJ. The CISO is responsible for maintaining this policy (and ICT Security Policy Framework) and providing advice and guidance on its implementation.