
INVEST NI INFORMATION SYSTEMS ACCEPTABLE USAGE POLICY

CONTENTS

1 Introduction
2 Purpose
3 Scope
4 Roles & Responsibilities
5 Authorised Use of Systems
6 Prevention of Information System Misuse
7 Password Policy
8 Internet & Email Usage Policy
9 Remote Access & Teleworking Policy
10 Mobile Device Policy
11 Intellectual Property Policy
12 Access By External Parties Policy
13 Loss & Damage
14 Monitoring
15 Breaches of the Information Systems Acceptable Usage Policy
APPENDIX A – Information Security Declaration
APPENDIX B – Information Asset Owners
APPENDIX C – External Acts
APPENDIX D – Remote Access Justification
APPENDIX E – Mobile Device Justification
APPENDIX F – Mobile Phone Online Billing Agreement
Version Control

Invest NI Information Systems Acceptable Usage Policy

VERSION: 3.7

ISSUE DATE: Nov 18

REVIEW DATE: Nov 20

Uncontrolled Copy When Printed


1 INTRODUCTION

1.1 Invest NI provides Information system services including IP telephony, voicemail, teleconferencing, electronic mail, internet access, social networking facilities, wireless access, application systems and web site hosting.

1.2 Information Security requirements are based on an analysis of the risks facing Invest NI so that they may be properly countered. There are various aspects of computer misuse to be considered, namely its prevention, detection, investigation and related disciplinary procedures. This document provides guidance on how these aspects are managed.

1.3 New risks, technologies and legislation continually appear with regard to electronic systems. This policy provides a framework to help staff use the technology appropriately and may be subject to change.

2 PURPOSE

2.1 The objective of this policy is to ensure that:

- Information on any of Invest NI’s Information systems is protected from unauthorised sources.
- Confidentiality required through regulatory and legislative requirements is ensured.
- Integrity of information is maintained.
- Information is available to authorised personnel as and when required.
- Users are aware of their responsibilities towards the security of all electronic and communications systems.

3 SCOPE

3.1 All authorised network users are subject to this policy. Contractors and those third parties given access to Invest NI systems are also subject to this policy. Throughout this policy, the word ‘user’ will be used collectively to refer to all such individuals or groups.

3.2 All electronic information held by Invest NI is regarded as falling within the scope of this policy. This policy relates to all elements of Invest NI where information within Information systems is used or operated, including those supplied or operated on its behalf by external contractors. This policy also applies to joint working arrangements with Departments, other agencies and External Delivery Organisations (EDOs).


4 ROLES AND RESPONSIBILITIES

4.1 All Users:

4.1.1 Users accessing any Invest NI Information system will have a personal responsibility in the use of that system for its security and integrity.

4.1.2 Users will ensure that they themselves uphold the principles of this policy and the Information Security Handbook.

4.1.3 Use of Invest NI’s Information systems must not bring the organisation into disrepute.

4.1.4 Users are responsible for informing the ICT Team if a Third Party requires access to any of Invest NI’s Information Systems and ensuring relevant documentation is signed.

4.1.5 All users must accept the security responsibility for any ICT assets given to them by the ICT Team, whether software or hardware.

4.2 Line Managers:

4.2.1 Line managers will inform HR (or ICT directly if they are responsible for a contractor i.e. the Sponsor) about user changes affecting systems access so that permissions and accounts can be changed or withdrawn.

4.2.2 Line managers will determine individual requirements to systems and ensure that access is based on need rather than status.

4.2.3 Line managers will ensure that no unauthorised users are allowed access to systems under their aegis.

4.3 System Managers:

4.3.1 All key systems in Invest NI will have a nominated Information Asset Owner (IAO). The nominated System Administrator has responsibility for the information security of that system (see Appendix B).


5 AUTHORISED USE OF SYSTEMS

5.1 The use of Invest NI’s systems and services constitutes acceptance of this policy and is subject to the limitations described hereafter to ensure reliable operation. All Invest NI resources, including email and internet access, are provided for business purposes and for carrying out activities consistent with job responsibilities (with the exception of occasional personal use of email, internet access, mobile phones and WiFi services).

5.3 Information, whatever Information System or device it is contained within, is a valuable asset and must be protected from unauthorised, incorrect or accidental access, use, modification, destruction or disclosure in line with the Invest NI Data Protection Policy.

5.2 Only authorised users have the right to access and update Invest NI’s information systems. Access is restricted to information required for the authorised user’s job function and is on a need-to-know basis.

5.3 All network users must be positively identified before the user is allowed access to the programs or applications. A warning message stating the need for authorisation will be put in place for all Invest NI systems; unauthorised access is a breach of the Computer Misuse Act.

5.4 Where multiple users share access to an Information system, each user must possess a verifiable and unique identity.

5.5 Updates and changes to data must be made by authorised personnel with the intention to maintain data accuracy and integrity. Other users’ data can only be changed with their express permission or the permission of HR.

5.6 Information stored in any of Invest NI’s information systems must not be transferred out of the organisation via an unsecure method of transport and without permission e.g. documents stored in applications like Google Desktop, using web-based email accounts such as Hotmail for business use or utilising non-Invest NI unencrypted memory sticks. See ‘Policy on sending Information Outside Invest NI’.

5.7 All users will store confidential hardcopy documents and media in locked safes, locked cabinets or locked desk drawers and adhere to the Clear Desk Policy.

5.8 All users will take adequate care when eating or drinking near ICT equipment.


6. PREVENTION OF INFORMATION SYSTEM MISUSE

6.1. All users MUST be committed to Information Security within Invest NI and have signed the Appendix A of this policy. When a user is appointed, changes role or leaves Invest NI, the user access rights will be reviewed or cancelled by the ICT Team. The ICT Team will be informed of staff changes by Human Resources or the Sponsor in the case of non-Invest NI Staff.

6.2. All hardware, software and procurement for ICT related services must be approved by the appropriate person in Internal Operations in accordance with the delegated limits. Requests must be sent via the ICT Service Desk. Users must not download software from any source without prior authorisation. If a user finds software on the internet that may be useful as part of their job role, they must in the first instance contact the ICT Service Desk and complete a business justification.

6.3. Any hardware (e.g. tablets, synchronising mobile devices or flash drives) not procured by Invest NI’s ICT Team must not be introduced to the Invest NI network nor must personal or confidential Invest NI information be transferred on to such devices.

6.4. Users must comply with the Invest NI Visitor Care Policy in relation to bringing third parties on-site.

6.5. Hardware should be positioned so that it cannot be viewed by outsiders e.g. display screens should not be visible from windows outside the building.

6.6. PCs and mobile devices e.g. tablets must be locked immediately when being left unattended by a user. All users must switch off all hardware when not in use for extended periods, such as overnight or during weekends.

6.7. Users must not attempt to access server rooms, stores or cabinets within any Invest NI premises where physical access has not been granted.

6.8. The security of laptops and mobile devices requires extra consideration:

6.8.1. Do not leave a laptop unattended within the office environment unless secured with a cable lock.

6.8.2. Take care if you take a laptop or mobile device out of the office, especially at airports, on all forms of transport and at meetings.

6.8.3. All users must ensure the security of the Invest NI wireless network. Usernames and passwords required for use of the guest wireless SSIDs must not be either written down or divulged to unauthorised persons.

6.9. Print cards are required to validate users printing documents. Users assigned print cards must keep them secure so that information security is not compromised, and must report any loss to the ICT Service Desk.


6.10. Invest NI applications and systems must not be used in the following ways:

6.10.1. The illegal copying of software or data. This is theft and will be treated as a disciplinary offence.

6.10.2. Connecting personal or third party ICT devices (including any associated software) to the Invest NI network. Exceptions can be made only with the permission of the ICT Manager and Information Governance Manager. USB memory sticks and personal phones are discouraged but not currently prohibited.

6.10.3. Deliberately introducing malware (including viruses, worms, Trojans or malicious code) to Invest NI systems. If a user detects or suspects malware on their machine, this should be reported immediately to the ICT Service Desk.

6.10.4. Using computing resources (e.g. CPU, time, disk space, bandwidth etc.) in such a way that it causes excessive strain on ICT systems or disrupts/creates problems for other users.

6.10.5. Removing hardware from Invest NI premises without the approval of the ICT Team Management, except for assigned laptops or mobile devices/media that are the responsibility of each individual user.

6.11. Except to the extent required for the proper performance of work duties, users may not upload, download, use, retain, distribute or disseminate any images, text, materials or software which:

- Are or might be considered to be indecent, obscene or contain profanity;
- Are or might be offensive or abusive in that its context is or can be considered to be a personal attack, rude or personally critical, sexist, racist, or generally distasteful;
- Encourage or promote activities which make unproductive use of user time;
- Encourage or promote activities which would, if conducted, be illegal;
- Involve activities outside the scope of user responsibilities – for example, unauthorised selling/advertising of goods and services;
- Might affect or have the potential to affect the performance of, damage or overload Invest NI’s system, network and/or external communications in any way;
- Might be defamatory or incur liability on the part of Invest NI or otherwise adversely impact on the image of Invest NI.


7 PASSWORD POLICY

7.1 Introduction

7.1.1 Passwords ensure that only authorised individuals have access to relevant ICT systems and establish accountability for all changes made to system resources.

7.2 Policy

7.2.1 User Account passwords must be kept confidential, never be shared with other users and never be written down or emailed. In the event where a password becomes known to another it is the responsibility of the user to ensure that it is changed as soon as possible.

7.2.2 Invest NI policy for domain passwords ensures the following: passwords must be at least 8 characters long and be composed of alphanumeric mixed case characters and will be changed every 45 days.

7.2.3 Privileged and administrative passwords (including router, switch, firewall and system passwords) will be subject to stringent composition and secured by the ICT Team.

7.2.4 Critical systems must implement account lockout policies and disconnect idle sessions after a set period.


8 INTERNET & EMAIL USAGE POLICY

8.1 Introduction

8.1.1 Invest NI owns the corporate email system which can be defined as messages (regardless of format), calendar items, attachments and supporting infrastructure (the servers that transmit and store email).

8.1.2 Incidental and occasional personal use of internet and email systems is permitted, subject to the restrictions contained in this policy. It is Best Practice that all non-business related sites and emails are accessed during users’ ‘own time’. A user’s own time would be defined as time when they are not on duty (i.e. not signed in for work or on a lunch or sanctioned break).

8.2 Use of Email Policy

8.2.1 Care should be taken when using email as it is perceived to be less formal than paper-based communication. All expressions of fact, intention and opinion via email can be held against an individual user and/or Invest NI, in the same way as verbal and written expressions or statements.

8.2.2 Users must not include anything in an email which cannot be accounted for. Users must not make any statements on an individual’s behalf or on behalf of Invest NI, which do or may defame or damage the reputation of any person or organisation. All users must create their own designed email signature which contains an Invest NI disclaimer underneath it.

8.2.3 Do not forward non-work related emails containing jokes, lurid imagery or executable attachments to colleagues. Email messages, which have been deleted from internal systems, can be traced and retrieved. Email, both in hard copy and electronic form, is admissible as evidence in a court of law.

8.2.4 Care should be taken when adding attachments to corporate email. It is Invest NI policy that no sent or received attachments should exceed 40Mb in size. Attachments over 40Mb should be broken down into smaller attachments, shrunk via a data compression utility or sent via an encrypted solution such as an Ironkey or the Encrypted File Transfer Service. If sending personal or business sensitive information by email outside the NICS network, this must be sent via the encrypted email facility – see Policy on Sending Information Outside Invest NI.

8.2.5 There should be no improper use of email distribution e.g. sending emails that are not relevant to the business.

8.2.6 Users must not configure the corporate email system to auto-forward email to any personal email accounts such as Hotmail, GoogleMail or Yahoo.


8.2.7 Users must be alert for fraudulent emails. These emails pretend to come from banks, credit card companies, online shops and auction sites as well as other trusted organisations; sophisticated ones may even quote some publicly available (or stolen) information about you.

- Do not open or forward emails which you suspect as being scams.
- Do not open attachments from unknown sources.
- Do not click on links in emails from unknown sources.
- Do not respond to emails from unknown sources.
- Hover your mouse over any hyperlinks in order to see the web address – is it the correct one for the organisation, is it spelt correctly – or a subtle variation to trick you?
- If in doubt, contact the IT Security Officer or ICT Service Desk.
- For further information see Phishing Scams Guidance and Email Scam examples.

8.2.8 Web-based email should not be used by users for business purposes.

8.3 Use of Internet Policy

8.3.1 When visiting an Internet site users should be aware that identities (which are linked to Invest NI’s) may be logged. Therefore, any activity engaged in, undertaking given or transaction made may impact on Invest NI.

8.3.2 The following should be observed at all times:

Users should ensure that Invest NI is neither embarrassed nor liable in any way by use of the Internet.

Users must not access or download any material which is pornographic, offensive or illegal.

Users must not download any software or executable files on to an Invest NI PC unless they have obtained prior permission from the ICT Team.

Users must not use Invest NI equipment to access the Internet from outside the Invest NI network unless connected via the Invest NI VPN.

It is Best Practice that all non-business related sites (i.e. sports, news etc.) are accessed during a user’s ‘own time’. Users are personally responsible for what they view. This information is logged and reported on across the organisation.

It is prohibited to use the internet or Invest NI email to carry out activities for personal gain (e.g. gambling, share dealing, selling on eBay etc.).

Users must not make any statements on their own behalf or on behalf of Invest NI which do or may defame or damage the reputation of any person.


8.4 Use of Cloud & Collaboration Technologies

8.4.1 To be read in conjunction with the Social Media Policy.

8.4.2 Whereas cloud based services may be used to download information from external parties this can only be accommodated on a case by case basis after obtaining approval from the Information Management Governance Team (via [email protected] ) and completing the website access request form (if prompted by the Web Filter). Non-approved applications (e.g. GoogleDocs, Dropbox) must not be used to upload or send information.

8.4.2 The sensitivity of any information discussed and files shared via social networking, cloud or collaboration media must be considered. In particular users may not post, blog or upload information outside of Invest NI that:

Is commercially sensitive or that may have contractual or other legal implications to Invest NI, unless it is sent for a specific, authorised business purpose and is encrypted.

May damage or embarrass Invest NI’s reputation or its relationship with its business partners.

8.4.3 Some collaboration technologies allow a user to give permission for someone else to take control of a workstation. This facility should never be used without the express permission of the ICT Team. An individual given control of a PC could potentially access network resources


9 REMOTE ACCESS POLICY

9.1 Purpose

9.1.1 The objective of Remote Access services (RAS) is to facilitate users working from outside Invest NI’s premises that need access to internal systems. This access may be during normal hours or outside of normal working hours.

9.1.2 For the purpose of this policy Invest NI defines remote access as follows: Users connecting into Invest NI’s network or systems from any external location.

9.2 Remote Access Principles

9.2.1 Any user requiring an ongoing remote connection to Invest NI systems must sign the Remote Access Justification in the form set out in Appendix D.

9.2.2 Remote access to Invest NI’s systems is a mutually co-operative arrangement between Invest NI and the user. It is an approved and agreed voluntary arrangement, based on the business needs of the job, the team and Invest NI. It is not an entitlement.

9.3 Equipment Considerations

9.3.1 Invest NI may choose to provide equipment and related supplies for use by the user in conjunction with Remote Access or may permit the use of user-owned equipment subject to Invest NI security policies. The decision as to type, nature, function, and/or quality of hardware and systems shall rest entirely with Invest NI.

9.3.2 The use of equipment, software, data and supplies provided by Invest NI for use at the remote location, is limited to authorised users and for purposes related to Invest NI business.

9.3.3 Remote access must only be carried out using methods and equipment approved by the ICT Team.

9.3.4 If hardware is given to a user to facilitate remote access it will be encrypted to mitigate potential loss. Users must never knowingly take an unencrypted device out of the office environment.

9.3.5 Laptop cases, if provided, should only house associated equipment i.e. power cables, mouse etc. Items such as Ironkeys or remote access tokens must not be stored within a laptop case.

9.4 Additional Conditions & Guidelines

9.4.1 In the event that Invest NI deems that the user’s role no longer necessitates/requires Remote Access services, or the user has terminated employment with Invest NI, the user must return all Invest NI-owned equipment, software, data and supplies. The decision to remove or discontinue use of such equipment rests solely with Invest NI.

9.4.2 Users with home internet connections are expected to pay their own costs. Invest NI will only reimburse the user if they are accessing a wireless hotspot or hotel for business reasons. Appropriate evidence will be required to support claims.

9.4.3 Invest NI may, after an agreed notice period, change any or all of the conditions under which users are permitted to use Remote Access, and will not be liable for user costs, including but not limited to any investment in furniture or equipment for designated work spaces.

9.4.4 Any remote access expenses not specifically covered in this policy will be dealt with on a case-by-case basis between user and manager.

9.4.5 The ICT Team reserves the right to review usage periodically and may remove the service on the grounds that it is not being used in the most cost effective manner.

9.5 Security

9.5.1 All security requirements that apply to on-site users apply to those using Remote Access. Any user who utilises Remote Access is responsible for ensuring security is upheld as detailed in this policy.

9.5.2 Users must not leave remote access equipment unattended whether laptop or other mobile device.

9.5.2 When working remotely, users must ensure information is not accessible by others (e.g. screens, printed paper, etc.).

9.5.3 Any remote access must be approved by the relevant Director or Head of Division.

9.5.4 Users setting up wireless access to an Invest NI laptop at home must comply with the Remote Access Connection Procedure. It is recommended that home routers have default passwords changed, encryption enabled for security and are locked down by MAC address.


10 MOBILE DEVICE POLICY

10.1 Introduction

10.1.1 Mobile devices may take the form of a smartphone, tablet or a cellular phone and can be defined as any portable hand-held device that provides computing and information storage/retrieval capabilities for personal or business use. This policy applies to use of all mobile devices by users on Invest NI premises or in conjunction with Invest NI equipment.

10.2 Ownership of Mobile Device

10.2.1 The mobile devices utilised by users for corporate work must be owned and maintained by Invest NI. The ICT Team must install any mobile device software for users.

10.2.2 Any user requiring an Invest NI mobile phone must sign the Mobile Phone Justification in the form set out in Appendix E. If a smartphone is assigned to the user then Appendix F must also be signed and returned to the Finance team.

10.2.3 Users must not connect their personal mobile device or personal hardware to the internal Invest NI network.

10.3 Use of Mobile Devices

10.3.1 Users must not access corporate information via Bluetooth or any other type of wireless synchronisation without prior authorisation from the ICT Team. Such an act could leave corporate information vulnerable to interception and will be recorded as a breach of security. Authorised synchronisation methods are by Wireless or USB connection to an Invest NI owned device.

10.3.2 Passwords will be enforced on all mobile devices. Users should ensure that mobile phones have passwords that differ from their other passwords used on the corporate network.

10.3.3 Mobile phones will be configured to lock following a maximum of 5 minutes of inactivity in line with CESG advice. A password must be required to re-establish access with the mobile phone. Individuals are not allowed to share mobile devices or their mobile device passwords.

10.3.4 All mobile devices and installed memory cards must be fully encrypted.

10.3.5 Data enabled (i.e. Exchange email receiving) devices, including their installed memory cards, will be automatically encrypted via policy.

10.3.6 In the event that a mobile device is stolen or lost, the ICT Service Desk will take steps to disable the device and ensure that the service provider blocks the SIM card.


11 INTELLECTUAL PROPERTY POLICY

11.1 Intellectual property (IP) is the term used to describe intangible assets resulting from creative work carried out by an individual or an organisation. For example, IP can arise from contracts or letters of agreement with the providers of activities for Invest NI. IP can be traded in the same way as physical assets.

11.2 Invest NI owns the intellectual property created by its employees under the conditions stated below:

11.2.1 IP created by an employee within the scope of employment.

11.2.2 IP created on Invest NI’s time with the use of corporate facilities or Invest NI financial support.

11.2.3 IP commissioned by Invest NI pursuant to a signed contract.

11.2.4 IP resulting from research funded by Invest NI.

11.3 Invest NI claims ownership of all IP which is devised, made or created:

11.3.1 by persons employed by Invest NI in the course of their employment;

11.3.2 by other persons engaged in research for Invest NI. A condition of their being granted access to corporate premises or facilities is that they agree in writing that this claim shall apply to them;

11.3.3 by persons engaged by Invest NI under contracts for services during the course of or incidentally to that engagement.

12 ACCESS BY EXTERNAL PARTIES POLICY

12.1 Introduction

12.1.1 An authorised signatory of all third-party companies requiring connection to Invest NI systems must sign the Third Party Connection and Confidentiality Agreement. Third party employees must sign this policy.

12.1.2 A third party could be defined as any of the following:

- Hardware & software maintenance/support contractors.
- NICS or other public sector staff.
- Any other third party who must have access to Invest NI information systems.

12.2 Scope

12.2.1 All connections and network access by third parties that require access to internal network resources fall under this policy, regardless of the technology used for the connection.

12.3 Prerequisites for Network/System Access


12.3.1 External entities must have an executed contractual agreement with Invest NI prior to any third party system access being granted. The ICT Team must be informed about the third party requiring access to Invest NI’s internal network resources in order to allow a security review to be conducted which will ascertain the level of access needed to match the business requirements.

12.3.2 It is required that the third party and an Invest NI Director or Head of Division (normally of the division arranging systems access) sign the Third Party Connection and Confidentiality Agreement.

12.3.3 The Director or Head of Division acts on behalf of Invest NI and is responsible for ensuring that the sections of this policy are adhered to and for putting in place the Third Party Connection and Confidentiality Agreement. The Director or Head of Division may allocate the day to day management of the relationship to a sponsor. The relevant third party person/organisation must be informed in the event that the Director, Head of Division or sponsor changes.

12.3.4 All connectivity requests will have a specific beginning and end date. In no case will Invest NI rely upon the third party to protect Invest NI’s network and/or resources. The ICT Team will grant access to all approved resources but reserves the right to refuse access at any time on the basis of legitimate security concerns.

12.3.5 Any changes in access must be accompanied by a valid business justification that is subject to security review by the IT Security Officer.

12.3.6 When access is no longer required the sponsor must inform the ICT Team who will then terminate the access. The ICT Team conducts regular audits of existing connections. Connections that are no longer used to conduct Invest NI business will be terminated immediately.

12.3.7 Invest NI may allow a form of remote access (e.g. virtual private network connection or web conferencing) in order to access Invest NI’s internal systems. This access will be at the discretion of Invest NI’s IT Security Officer.

12.3.8 If remote access has been agreed, the following procedures must be followed:

12.3.8.1 The Invest NI liaison must be informed at least one day in advance of any potential work to be carried out remotely. Details of the work requiring to be done, length of time and individual(s) carrying out the work must be given to Invest NI. The liaison will forward the request to Invest NI’s Infrastructure Team who will record details of the work carried out.


12.3.8.2 An internal Change Control will be written detailing the changes by Invest NI.

13 LOSS & DAMAGE TO ICT EQUIPMENT

13.1 Owner Responsibility

13.1.1 Laptops, tablets, smartphones and other portable ICT equipment are particularly vulnerable to both opportunist and planned theft. This may entail inconvenience, cost of replacement, and breach of confidentiality.

13.1.2 All Invest NI owned laptops, tablets and smartphones will be issued with software to encrypt all data held on the hard drive. Unless the individual’s portable device is installed with encryption software, users must not copy any PID (Personally Identifiable Data) or Confidential Data onto the device.

13.1.3 Users are required to take every reasonable precaution for the physical security of portable ICT equipment. Where loss has occurred due to negligence on behalf of the user this will be addressed in accordance with the Disciplinary Process.

13.1.4 In the event of damage to any Invest NI ICT equipment, users must contact the ICT Service Desk and provide details of the incident. Users must not hand over damaged equipment to third parties for repair as this may constitute unauthorised access to corporate devices and lead to a potential security breach.

13.2 Reporting Equipment Losses

13.2.1 In the event that ICT equipment is stolen or lost, the user must report the incident as soon as is feasibly possible to:

Either the ICT Service Desk (02890698140) or, if the incident has occurred outside of normal working hours, to [email protected]

Once informed, the ICT Service Desk will take steps to disable the device where possible.

13.2.2 In the event that a mobile phone is stolen or lost, the user must:

Report a Windows Mobile loss to EE Customer Service (8-8 Monday-Sunday). This team will deal with lost, stolen, faulty and damaged handsets - call 07973 100 158 (or 158 from your EE handset).

If working in an overseas office, report a loss to your local provider

Inform the ICT Service Desk (02890698140) or, if the incident has occurred outside of normal working hours, [email protected] and ask for a block to be placed on the phone.


The ICT Service Desk will take steps to disable the device and ensure that the service provider blocks the SIM card.

In the event of theft, report the loss to local police and get an incident number, then inform the IT Security Officer.

13.3 Liability

13.3.1 Invest NI will be liable for appropriate insurance cover for any Invest NI equipment utilised by users. However this does not cover the following scenarios:

13.3.1.1 When ICT equipment is left unattended. Equipment will not be considered as being unattended when left in a user’s home if they are out, provided that normal security measures were taken i.e. locking doors/closing windows. However leaving equipment unattended at an airport or other public place would not be acceptable.

13.3.1.2 When ICT equipment is damaged as a result of personal use by users.

13.3.1.3 When ICT equipment or services are affected by external providers and/or faults in their networks and equipment.

13.3.2 The user is responsible for any Invest NI equipment whilst it is located in a motor vehicle.

13.3.2.1 Any valuable items including Invest NI laptops should be locked in the boot or out of sight in the event that their vehicle is unattended and it is not practical to take the laptop on their person.


14 MONITORING

14.1 All Invest NI resources, including internet browsing and corporate email, are provided for business purposes. Any information stored on a PC, server, hard drive, CD, USB device, mobile device etc. may be subject to scrutiny by Invest NI.

14.2 Invest NI has the right, but not the duty, to monitor and record any aspect of its Information and electrical systems including, but not limited to, monitoring and recording web sites visited and email sent by users.

14.3 It may be necessary as part of technical/legal proceedings in respect of harassment, defamation or breach of contract etc. to review a system. Users must be aware that material on Invest NI hardware cannot be regarded as private or confidential to any specific user.

14.4 Internet sites classed as containing inappropriate content will be barred from all access. Attempts to access such sites may lead to appropriate action being taken by Human Resources as defined in Section 15. Users with a request to open up web sites for business purposes should fill in the form at https://intranet.investni.com/website-access-request.html .


15 BREACHES OF THE INFORMATION SYSTEMS ACCEPTABLE USAGE POLICY

15.1 Breaches of the Information Systems Acceptable Usage Policy shall be logged by the ICT Team and, where data has potentially been lost, by the Privacy Officer. Any breach discovered by a user should be forwarded to the IT Security Officer for further investigation.

15.2 The ICT Team will assess the level of risk associated with any violation and take appropriate action to minimise the risk and prevent re-occurrence of the violation.

15.3 The Privacy Officer will notify the appropriate individual/line manager depending on the seriousness of any breach as well as the consequences related to the breach and remedial action taken.

15.4 Serious breaches will be reported to the Information Governance Group. Breaches may also be reported to Human Resources, especially where the Equal Opportunities Policy or Harassment Policy may have been breached. In any case of possible theft/fraud the Human Resources and Finance & Operations Executive Directors will be notified as stated in the Invest NI Anti Fraud Policy.


Appendix A – Information Security Declaration

I, ______________________________________ (Print Name)

Of Company ______________________________________ (Print Company Name if not Invest NI)

Having read this policy and: (Please Tick √)

The Invest NI Information Security Handbook

The Invest NI Data Protection Policy

Completed the Data Protection Training on e-Learning

I do acknowledge the necessity for information security and affirm that I will do my utmost to ensure the integrity of all information by applying the principles described above.

Signature: _______________________

Date: _______________________

---------------------------------------------- For Departmental/Sponsor Use --------------------------------------

BUSINESS PARTNER/SPONSOR (Print Name): ______________________________________

I confirm that the person above has read the above documents and completed the training.

SIGNATURE: ________________________ DATE: _____________

When this policy is completed and signed, please return the complete policy document to either:

your HR Business Partner (for staff members) or to your Sponsor (the person who manages your contract) for third parties.

If you are not sure of your Sponsor please scan and email to [email protected]


Appendix B – Information Asset Owners

The following table contains the contact names of the Information Asset Owners (IAOs) and system administrators for the major Invest NI application systems:

| System | IAO | System Administrator |
|---|---|---|
| CRM | Brian Dolaghan | Ian Boylan |
| Cognos Reporting System | Steve Chambers | Joan Boone |
| Meridio EDRMS | Steve Chambers | Laurence Twinam |
| Snowdrop HRMS | Amanda Braden | Siobhan King |
| Oracle Financials | Mel Chittock | Ian Maxwell |
| Oracle BI | Mel Chittock | Ian Maxwell |
| OaCMS | Mel Chittock | Siobhan King |
| Payroll System | Mel Chittock | Ian Maxwell |
| Web Content Mgt System | Peter Harbinson | Rodney McMullan |
| WAN & Network | Steve Chambers | Jonathan Caughey |
| www.nibusinessinfo.co.uk | Vicki Kell | Shauna Fenton |
| www.investni.com | Peter Harbinson | Rodney McMullan |
| www.buynifood.co.uk | John Hood | Shauna Magill |
| Telephony System | Steve Chambers | Jonathan Caughey |
| Information Security Systems | Steve Chambers | Neil McGarry |
| eMail | Steve Chambers | Jonathan Caughey |
| Mobile Devices | Steve Chambers | Paul Graham |
| Skype | Steve Chambers | Jonathan Caughey |
| Data in above systems | The relevant Divisional Head/Director | N/A |


Appendix C – External Acts

Invest NI is required by law to comply with the following Acts. Please note that this list is not exhaustive.

Computer Misuse Act (1990) - http://www.legislation.gov.uk/ukpga/1990/18/contents

Copyright, Designs & Patents Act (1988) - http://www.legislation.gov.uk/ukpga/1988/48/contents

Data Protection Act (1998) - http://www.legislation.gov.uk/ukpga/1998/29/contents

Employment Act (2002) - http://www.legislation.gov.uk/ukpga/2002/22/contents

Environmental Information Regulations (2004) - http://www.legislation.gov.uk/uksi/2004/3391/contents

Freedom of Information Act (2000) - http://www.legislation.gov.uk/ukpga/2000/36/contents

Malicious Communications Act (1988) - http://www.legislation.gov.uk/ukpga/1988/27/contents

Obscene Publication Act (1964) - http://www.legislation.gov.uk/ukpga/1964/74?view=extent

Protection of Children Act (1978) - http://www.legislation.gov.uk/ukpga/1978/37

Regulation of Investigatory Powers Act (2000) - http://www.legislation.gov.uk/ukpga/2000/23/contents

Sex Discrimination Act (1975) - http://www.legislation.gov.uk/ukpga/1975/65/contents

Privacy and Electronic Communications Regulations (2003) - http://www.legislation.gov.uk/uksi/2003/2426/contents/made


Appendix D – Remote Access Justification (not required for Invest NI Surface / Laptop users)

Why is remote access critical for your working needs? Please indicate if you will be connecting from one location (e.g. home) or many. If you are connecting from many locations (particularly international) please give the reason.

What type of work will remote access be used for (e.g. working from home, client visits etc.)? Please list the applications that will be used and the reasons why?

What will be the estimated frequency of remote access use?

Daily
Weekly
Occasional
Set period (please highlight period required for)

Do you currently have broadband and if so are you willing to use it to connect to Invest NI?

I, ______________________________________ (Print Name)

confirm that I have read and fully understand section 9 of the Information Systems Acceptable Usage Policy and agree to abide by all the terms and guidelines within this document. I confirm I have read the Remote Access Procedure document.

Signed: _______________________________ Date: ______________

Authorised by (signed): ______________________ (G7 or higher in Business Unit or Sponsor for third parties)

Authorised by (PRINT): ___________________________

Grade: ______________ Date: _____________


Appendix E – Mobile Phone Justification

Why is the need for a Mobile Device critical for your working needs?

What will be the estimated frequency of mobile device use?

Daily
Weekly
Monthly
Occasional

While out of the office; is there a requirement to send and receive emails or access the internet via mobile device?

No, supply a mobile device
Yes, supply a device with Data services*

* if yes, is this a new connection or an upgrade: New / Upgrade

I, ______________________________________ (Print Name)

confirm that I have read and fully understand section 10 of the Information Systems Acceptable Usage Policy and agree to abide by all the terms and guidelines within this document.

I have signed the Mobile Device Billing Agreement and sent to the Finance Team

Signed: _______________________________ Date: ______________

Authorised by (signed): ______________________ (Team Director/Head of Division)

Authorised by (PRINT): ___________________________

Grade: ______________ Date: ______________


Appendix F – Mobile Phone Online Billing Agreement

Billing for Vodafone, O2 and EE will be online. You will receive an email that will give you instructions on how to activate this facility. The email will supply a username and password.

You will be emailed monthly when your billing information is available. It will be your responsibility to allocate calls made as either personal or business; the allocation for each number will be stored and carried forward as a default in subsequent months.

Finance will deduct personal usage amounts from your salary. Any calls not allocated as business 30 days after your bill has been sent to you will be treated as personal usage.

A link to an online tutorial will be accessible from within the billing system.

In order to make this facility operate as smoothly as possible for users and administration staff, we would ask you to authorise deductions from your salary. If you have any questions please raise these with the ICT Service Desk. Please note failure to sign the form may result in a delay issuing your new mobile phone.

I hereby authorise Invest NI to deduct any amount not classified as being 'Business Use' 30 days after being notified of my bill being available for classification. I understand I will be given a reminder email (or emails) before the 30 days and a further email before the deduction is made from my salary.

PRINT NAME: ____________________________________

Signature: _______________________________________

Mobile Number: __________________________________

PLEASE READ, SIGN & RETURN TO FINANCE


Version Control

Author: Martin Graham
Issue Date: 1st June 2002
Issue Number: 1.0
Approver: Liam Hagan & NIPSA
Status: Approved
Review Date: 1st September 2003

Review History

| Issue No. | Reviewer | Review Date | Approver | Amendment History |
|---|---|---|---|---|
| 1.0 | Martin Graham | June 2002 | NIPSA & Liam Hagan | |
| 1.1 | Susan Cairns | 14 August 2003 | Neil McGarry | |
| 1.2 | Neil McGarry | 21 November 2003 | Susan Cairns | |
| 1.3 | Neil McGarry | 7th March 2005 | Ian Boylan | |
| 1.4 | Neil McGarry | 9th November 2005 | Ian Boylan | |
| 1.5 | Neil McGarry | 5th April 2006 | Ian Boylan | |
| 1.6 | Neil McGarry | 11th April 2007 | Liam Hagan | |
| 1.6.1 | Neil McGarry | 19 May 2009 | Ian Boylan | www.nibspdatabase.co.uk changed to www.edpmis.co.uk |
| 1.7 | Neil McGarry | 31st October 2010 | Charles Hamilton | Policy title changed from Computer Misuse Policy |
| 2.0 | Neil McGarry | 1st February 2010 | Liam Hagan | Password Policy section amended |
| 3.0 | Neil McGarry | 30th August 2012 | Steve Chambers | Policy now combined with all other IT Security policies |
| 3.1 | Neil McGarry | 30th September 2013 | Steve Chambers | Minor wording adjustments |
| 3.2 | Neil McGarry | 28th February 2014 | | Addition guidance in regards to device loss added |
| 3.3 | Ian Boylan | 5th June 2014 | Steve Chambers | Update to Mobile Phone Billing Agreement |
| 3.4 | Neil McGarry | 26th September 2014 | Steve Chambers | Update due to Windows Mobile rollout |
| 3.5 | Neil McGarry | 28 April 2016 | Steve Chambers | Wording adjustments regarding print procedures and Ransomware guidance added |
| 3.6 | Ian Boylan | 16 June 16 | Steve Chambers | Renamed Information Systems Acceptable Policy and Authorisations changed to Business Areas on page 20 and 23. Forms updated to include Sponsor |
| 3.7 | Ian Boylan | 19th November 18 | Steve Chambers | System Owners Updated |
