Information Security Policy
The Council is committed to using information technology and computer systems in a secure, efficient and legitimate manner. It fully supports compliance with the Data Protection Acts (1984 & 1998), and other legislation relating to the use of computers.
1. INTRODUCTION
1. Shrewsbury and Atcham Borough Council has experienced a considerable increase in the use of information technology since Computer Services became an independent Service in 2000. Usage of its services is set to continue growing in light of the Government’s initiatives for Best Value and Electronic Service Delivery.
2. It is essential that all information processing systems within the authority are protected to an adequate level from disruption and loss of service, whether through accident or deliberate damage.
3. This document has been produced in line with the British Standard for Information Security (BS7799 – part 1) which is acknowledged as the appropriate standard for a security policy.
4. The document outlines the Council’s policy in relation to the use of computers and especially the areas of:-
- Fraud
- Theft
- Use of unlicensed software
- Private work
- Hacking
- Sabotage
- Misuse of personal data
- Use of the Internet and email
- Disposal of Equipment
2. PURPOSE OF THE SECURITY POLICY
1. The purpose of the policy is to provide a set of rules, measures and procedures that determine the Council’s commitment to ensuring that its I.T. (Information Technology) resources are protected from physical and logical risk.
2. The main objectives of the policy are:-
- To ensure that all the Council’s assets, staff, members, data and equipment are adequately protected against any action that could adversely affect the I.T. services required to conduct the Council’s business;
- To ensure that staff and members are aware of, and comply with, all relevant legislation and Council policies governing how they conduct their day-to-day duties in relation to IT.
3. APPLICATION OF THE SECURITY POLICY
1. The policy is relevant to all I.T. services, irrespective of the equipment in use, or location, and applies to:
- All members, employees and agents;
- Employees and agents of other organisations who directly or indirectly support or use the Council's Computer Services;
- All use of I.T. services within the Council.
4. MANAGEMENT OF THE I.T. POLICY
4.1 I.T. security is the responsibility of the Council, Councillors and all members of staff. The Corporate Management Team approves the policy.
4.2 The policy has been reviewed by Internal Audit in terms of the policy's scope, content and effectiveness. Audit will periodically review this policy as part of their strategic plan.
4.3 The Authority will nominate an Information Security Officer whose responsibilities will include implementing, monitoring, documenting and communicating information security in compliance with the security policy and legislation.
4.4 Managers and Administrators are responsible for ensuring that all staff are aware of their responsibilities under the policy and have access to the contents of this document and its associated 'User guide' ('Good Practice Guide for Computer Users').
4.5 All providers of I.T. services must ensure the security, integrity and availability of data within the service provided.
4.6 The I.T. policy document is intended to be a living document, which will be updated, as and when necessary. Sections and appendices can be added to reflect new or amended procedures and guidelines when determined.
5. VIOLATIONS
5.1 Violations of this policy may include, but are not limited to, any act that:
- Exposes the Council to actual or potential monetary loss through the compromise of IT security;
- Involves the disclosure of confidential information or the unauthorised use of corporate data;
- Involves a use of data that causes, for example, the law to be broken.
5.2 Any individual who suspects that this policy is being violated by another individual must report the violation immediately to his or her Manager, who, in appropriate circumstances, must report the matter to Computer Services.
5.3 A log of all security incidents will be kept by Computer Services. The log is the responsibility of the Security Officer. The log records any reported incidents and action taken.
5.4 Any breach of the security policy will be investigated and may result in the individual being subjected to the Council's disciplinary procedure. Councillor breaches will be referred to the Council's Standards Committee.
5.5 Internet use and access to web sites can be monitored. Any unacceptable use of this service may lead to disciplinary action against the individual concerned.
6. LEGISLATION COMPLIANCE
6.1 The Council has to comply with all UK legislation affecting I.T. All organisations, employees and agents must comply with the following Acts and they may be held personally responsible for any breach of current legislation as listed below.
6.2 The following are brief descriptions on 'key legislation' affecting IT users. Do not assume that this covers all your legal responsibilities. If you are in any doubt about your legal responsibilities ask the Legal Section for assistance.
- Data Protection Acts 1984 & 1998
- Computers are in use throughout society – collating, storing, processing and distributing information. Much of the information is about people - 'personal data'. This is subject to the Data Protection Acts.
- The Council is only allowed to record and use personal data if, under the Acts, there is a legitimate purpose for doing so and if details of the information, its use and source have been registered with the Data Commissioner. There are strict rules about how the information is used and to whom it is disclosed.
- The Act gives rights to individuals about whom information is recorded on computer and in certain manual files. They may request copies of the information held about themselves, challenge it if appropriate, and claim compensation in certain circumstances.
- If there is any doubt about whether the information can be collected, used or disclosed please address queries to the Council's designated Data Protection Officer.
- A separate policy document covering the responsibilities under the Act is available via the Council's Intranet site or from the Data Protection Officer direct.
- http://www.dataprotection.gov.uk/
- http://sabc/services/legal/dataprotection.html
- Copyright, Designs and Patents Act 1988
- Under this Act, any duplication of licensed software or its associated documentation (e.g. manuals) without the copyright owner's permission is an infringement of copyright. Proprietary software and manuals are normally supplied under a licence agreement which limits use of the product to specified machines and limits copying to the creation of backup copies only. In some instances site licences, permitting use of the software on all machines within a specified site, are obtainable.
- To combat the problems of illegal copying, software suppliers have formed their own organisation to police the use of software throughout the UK. The 'Federation Against Software Theft' (FAST) is able to conduct 'spot' checks on organisations, including local authorities, under a court order and without prior warning.
- According to the Act, individuals found to be involved in the illegal reproduction of software may be subject to unlimited civil damages and to criminal penalties including fines and imprisonment.
- http://www.fast.org.uk/
- http://www.hmso.gov.uk/acts/acts1988/
- Computer Misuse Act, 1990
- The Computer Misuse Act, 1990 was introduced to deal with three specific offences that were not adequately covered under existing laws:
- Unauthorised access, or attempted access, to computer material (such as 'hacking'). Under this offence it is not necessary to prove the user's intent to cause harm;
- Unauthorised access with intent, for example hacking carried out with the intention of committing a further offence such as fraud. Under this offence, once a plan has been formed that involves the unauthorised use of a computer, the unauthorised use itself is sufficient to prove an attempt to commit the crime;
- Unauthorised modification. This part of the Act makes it an offence to intentionally cause unauthorised modification of computer material, such as the introduction of viruses.
- The intention of the Act is to enable an organisation to take legal action to protect its data and equipment from unauthorised access and damage.
- http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm
- Health and Safety Act (1992)
- The Council shall ensure, through the appointed Health and Safety Officer, that all IT equipment is located and used in such a way that it does not impair the health of users or others.
- http://www.hmso.gov.uk/si/si1999/19993242.htm
- Defamation
- Facts concerning individuals or organisations must be accurate and verifiable. Views or opinions must not portray their subjects in any way that could damage their reputation.
- Race Relations Act (1976) & Sex Discrimination Act (1975)
- Accessing or distributing material that might cause offence to individuals or damage the Council's reputation, for example pornographic, racist or sexist material, is forbidden.
- http://www.homeoffice.gov.uk/raceact/
- Criminal Justice and Public Order Act 1994, and Obscene Publications Act (1959 & 1964)
- To ensure this law is complied with, any use of Shrewsbury and Atcham Borough Council's computer equipment for viewing, reading, downloading, uploading, distributing, circulating or selling any material which is pornographic, obscene, racist, sexist, grossly offensive or violent is strictly forbidden, irrespective of the laws regarding the material in its country of origin.
- http://www.hmso.gov.uk/acts/acts1994/
- Human Rights Act 1998 (operative October 2000)
- Under this Act, everyone has a right to respect for their private life, their home and their correspondence. This right is balanced against the need to protect the Council from fraud, the introduction of viruses and other overriding considerations. To this end, the Council reserves the right to monitor usage of PCs and telephones.
- Individuals using the Internet, e-mail or telephone should respect the confidentiality of Council and colleagues' information before disclosing it to other people. E-mail, in particular, should not be circulated in a tone that may give rise to a claim of inhuman or degrading treatment.
- http://www.hmso.gov.uk/acts/acts1998/19980042.htm
- Freedom Of Information Act (2000)
- Any person making a request for information to a public authority is entitled:
(a) to be informed in writing by the public authority whether it holds information of the description specified in the request, and
(b) if that is the case, to have that information communicated to him.
- Electronic Communications Act 2000
- The main purpose of the Act is to help build confidence in electronic communications. The Act creates a legal framework for electronic commerce. It:
- clarifies the legal status of electronic signatures;
- gives the Government powers to modernise outdated legislation so that the option of electronic communication and storage can be offered as an alternative to paper;
- provides a fallback to the self-regulatory scheme that ensures the quality of electronic signature and other cryptography support services.
- http://www.hmso.gov.uk/acts/acts2000/20000007.htm
- http://www.dti.gov.uk/cii/ecommerce/ukecommercestrategy/electronicactguide/
- Regulation of Investigatory Powers Act 2000
- Interception of communications, including computer communications such as email, is unlawful unless carried out in accordance with the RIP Act 2000.
- The Council may monitor and record communications for the following purposes:-
- To establish facts and monitor performance against standards.
- In the interests of national security.
- To prevent or detect crime.
- To detect unauthorised use of the system.
- To secure a system.
- http://www.homeoffice.gov.uk/ripa/ripact.htm
7. ASSETS CLASSIFICATION AND CONTROL
7.1 The Authority positively identifies and keeps documentary evidence of all computer equipment. It is the responsibility of Computer Services to ensure that these records are accurate and continuously maintained.
7.2 Each asset must carry an identity tag bearing its unique asset number, which is the key to its inventory entry.
7.3 The inventory is maintained using a database, including information relating to location, user, asset tag number, and serial number.
7.4 On receipt of new equipment it must be labelled and recorded on the inventory. No IT equipment should be purchased without prior consultation with Computer Services.
7.5 No equipment should be installed on the Council's network without prior consent of Computer Services who must first record the equipment within the inventory.
7.6 All disposals of equipment should be recorded against the original inventory entry. The Authority actively pursues a 'green policy' on recycling IT equipment.
7.7 An annual audit of equipment should be carried out by all departments and accounted for to Computer Services.
7.8 No equipment should be relocated without prior consultation with Computer Services.
7.9 All equipment is DNA tagged to identify ownership to Shrewsbury and Atcham Borough Council. All Council buildings will have signage to display positively the operation of DNA equipment tagging.
8. PERSONNEL SECURITY
Security in Job Definition and Resourcing
8.1 The Authority should ensure that security responsibilities are adequately defined in job descriptions.
8.2 All potential employees should be screened before commencement of employment.
8.3 All Staff commencing employment with the Council agree to comply with this policy and its associated 'Email and Internet Policy' and 'Good Practice Guide'.
8.4 Personnel procedures ensure that all Staff are made aware of these policies during their 'induction process'.
8.5 Copies of the policy and all guidance notes are available from Managers, Administrative Officers, Computer Services and via the Council's Intranet site.
Training
1. Each new employee is made aware of his or her obligations for security during the Council's induction-training program. This includes Staff being told of the existence of the Security Policy, the Email and Internet Policy and the 'Good Practice Guide for Computer Users'.
2. Training requirements are reviewed on a regular basis to take account of the needs of the individual, and to ensure that staff are adequately trained in the use of technology.
3. Corporate IT training is the responsibility of Personnel Services.
4. Where training is required for a specific application this may be carried out in consultation with the Users Manager.
9. PHYSICAL SECURITY AND ENVIRONMENTAL SECURITY
Physical Access Controls
9.1 All Staff are issued with identification badges and these should be worn at all times during working hours. The transfer of badges, keys and other security devices is prohibited. Officers leaving employment with the Council must return all badges, keys and portable computer equipment for which they are responsible.
9.2 Supervising Officers have a responsibility for ensuring that Staff leaving the Council's employment account for their identity badges, keys and portable computer equipment.
9.3 An identification badge grants access to non-public areas of the authority. All Visitors to Council premises are issued with visitor passes.
9.4 No member of Staff should take responsibility for a guest or contractor within non-public areas without ensuring the individual has been issued with a visitor pass. Guests should be supervised throughout the duration of their visit.
9.5 The Council has security-coded access to all non-public areas. Security codes to these areas are changed at periodic intervals.
9.6 The Computer Services Suite is clearly defined as a security perimeter. Access is controlled by a separate sequence of security-coded doors. Codes are changed at periodic intervals. Only staff who have legitimate business and whose jobs require it should be allowed to enter areas where computer systems are located.
9.7 No staff or Guests are left unsupervised whilst in this secure area.
9.8 Staff who have doubts about the identity of an individual within a non-public area are instructed to ask them politely about the purpose of their visit. Employees who are uncomfortable with this responsibility are instructed to report the matter to a Senior Officer immediately.
9.9 Loss of identity badges or keys must be reported to a Senior Officer as soon as the loss is discovered.
Security of Equipment
1. Where possible Computer equipment is sited away from public areas. Where this is not possible the equipment is always supervised.
2. Computer screens and printed output should not be in view of unauthorised persons.
3. All computer screens that are in public areas should be controlled by time delayed screensavers which require a password to access information.
4. Staff should take responsibility for the physical security of the computer equipment within their working environment. Windows and doors should be kept shut when the area is unattended.
Environmental Controls
1. The Computer Suite is situated away from Public areas and is unobtrusive.
2. All Stationery and hazardous materials are located outside of the Server suite.
3. The Computer Suite has environmental controls including temperature and humidity, power supply, and fire prevention.
4. The Council's Health and Safety Officer is responsible for periodically checking the condition of equipment.
Power Supplies
1. Critical equipment is protected from potential power loss by uninterruptible power supplies (UPS).
2. All UPS units are periodically tested and upgraded where necessary.
Cable Security
1. All networking devices (e.g. routers) are securely located within Council premises.
2. Power and BT lines into the Computer Suite are underground where possible.
3. Data transmission between remote locations is encrypted.
Equipment Maintenance
1. All equipment is maintained to ensure availability. Critical systems are supported by annual maintenance agreements, which provide for technical support and call-out.
2. IT equipment is maintained by Computer Services. Repairs and servicing should only be carried out by authorised Staff and Contractors.
3. A record of all faults is maintained by Computer Services. Staff who wish to report faults of their equipment are able to do so by reporting the incident to the Computer Services Help Desk on Ext 1077.
4. Staff are issued with a 'call reference number' to provide an audit trail for their call.
Security of Equipment off-premises
1. Before equipment is taken out of Council premises a member of Computer Services should book it out.
2. Equipment used outside of the Authority is only to be used for work purposes.
3. Portable computers are very vulnerable to theft, loss and unauthorised access when travelling. Personnel who have portable equipment should acquaint themselves with the instructions included in the 'Good Practice Guide'.
4. The high incidence of car theft makes it inadvisable to leave equipment or media in an unattended vehicle.
5. All portable computer equipment is insured with the Council's Insurance Officer.
Equipment Disposal
1. All items of equipment containing storage media are only disposed of after reliable precautions have been taken to destroy the data held on the media.
2. A record is maintained of all equipment recycled.
10. COMPUTER MANAGEMENT
Operational procedures
1. All regular operational procedures are fully documented, and access to the documentation is restricted to authorised personnel.
2. Backup and system procedures are documented for all fundamental systems, including:-
- General Operations of Computer Services.
- Day to Day operations and work schedules.
- Month-end and Year-end procedures.
- Recovery procedures.
Incident Management Procedures
1. All system and hardware failures are logged and recorded on the Helpdesk. The Deputy Computer Manager is responsible for investigating and resolving the failure, and for implementing remedies to prevent recurrence.
Segregation of Duties
1. Segregation of duties is in place wherever practically possible. The objective is to minimise the risk of negligent or deliberate misuse of computer systems.
Capacity Planning
1. The Network capacity is monitored to ensure that there are adequate system resources. These include processors, main storage, file storage, printers and other output devices.
Protection from Malicious Software
1. The Council uses antivirus software as a means of protecting itself from malicious attack.
2. All Servers and workstations are installed with up-to-date antivirus software. Virus definitions are checked for updates at 15-minute intervals. Users' files are scanned for viruses each time they log onto the network or attempt to access files from disk.
3. Computer Services periodically check to ensure that all workstations and Servers are updated with the most up to date version of antivirus software available.
4. Staff are instructed to report all Virus incidents, including 'hoaxes' immediately to Computer Services.
5. Computer Services notify Staff periodically of any relevant procedures for specific virus prevention.
6. No Staff should load or install software on any Council computer without the prior consent of Computer Services.
7. No diskettes should be loaded onto a Council workstation without first being scanned for viruses. No MP3 players or USB memory sticks should be connected to Council computers without prior approval from ICT Services.
8. All staff are made aware of good practice for virus control including email and Internet protocol (Email and Internet Policy).
Housekeeping
1. Computer Services regularly review data stored on the network to ensure that it continues to conform to operational requirements. Surplus data is archived or removed after consultation with the User.
Data Backup/Media Storage
1. Back-up copies are taken of all essential data, software and system files daily. The backup procedures ensure that all critical systems can be recovered in the event of a disaster.
2. Backups are checked daily to ensure that they have completed.
3. Records of all Backups are kept securely.
4. All Backups are clearly labelled and are taken off-site each evening after completion. Tapes are stored in fireproof safes. Documented procedures provide for the rotation of backups between two off-site locations at the end of each week.
5. Backups consist of:-
- 4 weekly backup sets.
- 12 monthly backup sets.
- Year-end.
6. Backup procedures are tested regularly. Records are maintained of all successful restores.
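The rotation and daily completion check described above, as an added example that is not part of the Council's procedures. The page fixes only the set counts (4 weekly, 12 monthly, year-end), the daily completion check and the weekly alternation between two off-site stores; the assumption that the weekly set is written on Fridays and the monthly set on the last day of the month, the set names, the A/B store selection by ISO week and the backup log format are all assumptions made for illustration.

```python
"""Backup set rotation and completion check.

Added example, not the Council's own procedure. Assumptions (not stated on
the page): the weekly set is written on Fridays, the monthly set on the last
day of the month, the year-end set on 31 December, every other day goes to a
daily set, and the two off-site locations alternate by ISO week number.
"""
import calendar
from datetime import date

WEEKLY_SETS = 4     # page: 4 weekly backup sets
MONTHLY_SETS = 12   # page: 12 monthly backup sets (one per calendar month)


def backup_set_for(day: date) -> str:
    """Name the tape set that a given day's backup is written to."""
    if day.month == 12 and day.day == 31:
        return "year-end"
    if day.day == calendar.monthrange(day.year, day.month)[1]:
        return "monthly-%02d" % day.month          # one of the 12 monthly sets
    if day.weekday() == 4:                          # Friday: weekly set
        week = day.isocalendar()[1]
        return "weekly-%d" % ((week - 1) % WEEKLY_SETS + 1)
    return "daily-" + day.strftime("%a")


def offsite_location(day: date) -> str:
    """Which of the two off-site stores holds this week's tapes (assumed: A on even ISO weeks)."""
    return "A" if day.isocalendar()[1] % 2 == 0 else "B"


# Constructed sample of a backup job log; the format is an assumption.
SAMPLE_LOG = """\
2004-03-05 23:41 FILESERVER1 backup FAILED media error
2004-03-05 23:52 MAILSERVER backup FAILED media error
2004-03-05 23:58 FILESERVER1 backup OK 12.3GB
2004-03-04 23:55 FINANCE backup OK 1.1GB
"""
EXPECTED_JOBS = ("FILESERVER1", "MAILSERVER", "FINANCE")


def check_completion(log: str, expected, day: date) -> dict:
    """Daily check that every expected backup job ran that day and finished OK.

    The last status recorded for a host on the day wins, so a failed run that
    was retried successfully counts as OK. Jobs with no entry at all for the
    day are reported as missing, which a simple 'any failures?' check would hide.
    """
    status = {}
    for line in log.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[0] != day.isoformat():
            continue
        host, result = parts[2], parts[4].split()[0]
        status[host] = result
    return {
        "ok": [h for h in expected if status.get(h) == "OK"],
        "failed": [h for h in expected if status.get(h) == "FAILED"],
        "missing": [h for h in expected if h not in status],
    }


if __name__ == "__main__":
    d = date(2004, 3, 5)
    print(d, backup_set_for(d), "off-site store", offsite_location(d))
    print(check_completion(SAMPLE_LOG, EXPECTED_JOBS, d))
```

The completion check deliberately distinguishes "failed" from "missing": a job that never started leaves no failure record, so the daily check has to start from the list of expected jobs rather than from the log.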
Operational Logs
1. Operational logs are maintained of all work carried out. The log records details of the job and the time that processing commenced.
Fault Logging - Help Desk
1. The Helpdesk exists for reporting faults to Computer Services. All Staff are aware of the helpdesk and are encouraged to report incidents to the 'desk'.
2. The ICT Officer (PC Support) is responsible for responding to faults reported.
3. The Computer Services Manager is responsible for ensuring that faults are responded to in accordance with the Service's performance targets.
4. The Helpdesk is also used to report 'network' and 'systems' faults.
11. NETWORK MANAGEMENT
Network Security Controls
1. Computer Services are responsible for the security of data on the network and for protecting connected services from unauthorised access.
2. The ICT Officer (Network) is responsible for controlling access to the network.
Enforced Path
1. Users are set up with default network contexts so that they cannot 'stray' into resources outside their own area.
Network Access
1. Network access is controlled by Computer Services.
2. Users and their access to resources are created, modified and deleted as appropriate when requested or notified by an authorising Officer. No access or amendment is made unless appropriate authorisation is received from the Data Owner.
3. Access by third parties (e.g. for software maintenance) to the Network is only allowed in the following circumstances:-
- The Systems Owner has confirmed in advance with Computer Services that maintenance is due to take place.
- The identity of the User has been notified to Computer Services.
4. Network modems are only activated on request. Computer Services are responsible for logging third parties onto network resources. Computer Services record the access time and details and monitor usage until maintenance is complete, at which point the modems are switched off and the Servers locked. Systems Owners are responsible for checking that system maintenance is carried out in accordance with the action agreed.
5. Data that passes outside Council buildings over radio (wireless WAN) links is restricted to transmission between specific network addresses, and the data passing between these Council sites is encrypted.
Media Data Handling Procedures
1. See also Data Backup procedures.
2. No data is removed from Computer Services unless it is signed for or collected by an authorised employee or Courier.
3. All data is packaged accordingly to protect it during transit.
Security of System Documentation
1. All systems should be adequately documented. Documentation is kept up to date and matches the state of the system at all times.
2. Systems documentation is physically secured at all times with access restricted to authorised personnel. An additional copy should be kept (hardcopy or softcopy), which will remain secure in the event of the original copy being destroyed.
Media Disposal
1. All hardcopy media containing sensitive data is disposed of in accordance with the Council's corporate policy for disposal of sensitive data.
2. All magnetic data is destroyed if the equipment is to be disposed of. Where the equipment is to be recycled the media is cleared with data-wiping software and verified as clear; a simple reformat on its own is not sufficient, as the data remains recoverable. Where a third-party Contractor is used to clear data, written confirmation (a legal disclaimer) is required.
Security of Electronic Mail
1. The protocols for sending and receiving email are addressed in the attached appendix - Email and Internet policy.
2. BS7799 recommends a specific policy for email. An associated policy has been produced and is an appendix to this policy.
3. Email may be used for personal purposes provided the use falls within the guidance defined as 'acceptable use' in the Good Practice Guide.
12. SYSTEM ACCESS CONTROL
Business requirement for system access
1. Systems and Data Owners should have clearly defined access policies, which determine the access rights for users and groups to their Data and Systems. The policy should take account of:-
- The security requirements for specific applications and systems.
- The policy for disseminating information.
- The need for access to carry out the duties as specified in their job description.
2. All Systems and Data Owners should consider the access they want to allow Users. Computer Services will give Users file rights only after they receive a formal documented request (see User Access Management) from the Systems and Data Owner.
User Access Management
1. There is a formal user registration and deregistration procedure for access to networked services.
2. No User is allowed access to the network without a formal 'network access request' or 'job request' being submitted to Computer Services. The request authorised by an appropriate Data Owner or Manager should detail the User and the access rights they wish the User to have. There should be an adequate period of notification to Computer Services for new employees (2 weeks minimum).
3. No alteration to User rights is granted without formal written request from an Authorised Officer.
4. System access rights are withdrawn by Computer Services as soon as an individual leaves the Council's employment, changes jobs, or is classed as 'long-term sick'. The accuracy of this information rests with the Personnel Section, who formally notify Computer Services. Managers and Supervisors are responsible for notifying Personnel.
5. A network account is maintained by Computer Services of each User. The account details the Users access rights and privileges. These are periodically monitored for acceptability by Computer Services.
User Password Management
1. No individual should be given access to a live system unless properly trained. All new Users should be provided adequate training in the systems they will require access to. System Owners are responsible for ensuring that users have the adequate training before requesting User access to the 'live' system.
2. All new Users should be made aware of their security responsibilities as defined in their job description.
3. Users should keep their passwords secret and never disclose them to colleagues. It is a breach of this policy for Users to share passwords or to sign in other Users, and doing so can lead to disciplinary action.
4. All Users should change their passwords periodically. Computer Services enable password ageing by default when accounts are set up.
5. Where systems permit, Computer Services set the password length to a minimum of 6 characters for all new accounts.
6. Initial passwords are conveyed verbally to new Users by Computer Services. Users are prompted to change their password immediately on first login.
7. Passwords are not displayed when entering them.
8. Users who forget their passwords are instructed to contact Computer Services.
9. Computer Services verify the validity of the request before issuing a new password. The identity of the individual is always checked before issuing a revised password.
10. Computer Services maintain a history of previous User passwords, held as one-way hashes rather than the passwords themselves. This prevents Users reusing a previous password.
11. High security and system administration passwords are only issued to IT Staff. These passwords are changed regularly.
User Responsibilities
1. Users are issued with guidance on good password management within the 'Good Practice for Computer Users'. The guidance advocates the following:-
- Keep passwords confidential;
- Avoid keeping a paper record of passwords;
- Change passwords wherever there is any potential compromise in security;
- Select passwords with a minimum of six characters;
- Avoid basing passwords on potentially guessable formats;
- Change passwords regularly
2. Users are instructed not to leave equipment logged on and unattended. Users should ensure that they are logged off systems and sessions.
3. Where Users are in Public areas they are instructed to use Screen Saver passwords. These passwords together with BIOS passwords need to be made available to Computer Services.
Network Access Controls
1. See Network Management
Login Procedure
1. Users accessing the network must comply with the security policy. Prior to logging on, Users may be presented with a notice warning that 'the computer must only be used by authorised personnel'.
2. User accounts are disabled after three failed login attempts. Users must contact Computer Services to regain access, and will be asked to identify themselves before their account is reactivated.
3. Login times are restricted to Office working hours for Staff, unless otherwise requested and authorised.
4. All Users should be prompted for a Username and password. No user should access the system without using their own User ID.
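The password and login controls set out under User Password Management, User Responsibilities and Login Procedure above (six-character minimum, rejection of guessable formats, a hashed history that blocks reuse, disabling the account after three failed attempts and re-enabling it only once identity has been verified), as an added example rather than any system the Council runs. The page fixes only the six-character minimum and the three-attempt lockout; the salted PBKDF2 hashing, the history depth of five and the short common-word list are assumptions made for illustration.

```python
"""Password policy, history and lockout controls.

Added example, not the Council's own code. Policy values taken from the page:
six-character minimum, account disabled after three failed attempts.
Assumed for illustration: PBKDF2-SHA256 with a random salt for storing
passwords, a history of the last five hashes, a short common-word list.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 6        # page: minimum of six characters
MAX_ATTEMPTS = 3      # page: account disabled after three failed attempts
HISTORY_DEPTH = 5     # assumed: number of previous passwords that may not be reused
ITERATIONS = 100_000  # assumed PBKDF2 work factor
COMMON_WORDS = {"password", "letmein", "welcome", "council", "shrewsbury"}  # assumed


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Salted one-way hash; only this, never the password itself, is stored."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison against a stored salt+digest record."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_policy(candidate: str, username: str, history) -> list:
    """Return the reasons a proposed password is rejected (empty list = accepted)."""
    reasons = []
    low = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if username.lower() in low:
        reasons.append("based on the username")
    if candidate.isdigit() or low in COMMON_WORDS:
        reasons.append("guessable format")
    # Reuse is detected by checking the candidate against stored hashes,
    # so the history never needs to hold the old passwords in clear.
    if any(verify_password(candidate, old) for old in history[-HISTORY_DEPTH:]):
        reasons.append("reuse of a previous password")
    return reasons


class Account:
    def __init__(self, username: str, initial_password: str):
        self.username = username
        self.history = []          # hashes of previous passwords, oldest first
        self.failed_attempts = 0
        self.disabled = False
        self.set_password(initial_password)

    def set_password(self, new_password: str) -> None:
        reasons = check_policy(new_password, self.username, self.history)
        if reasons:
            raise ValueError("password rejected: " + "; ".join(reasons))
        self.history.append(hash_password(new_password))
        self.history = self.history[-HISTORY_DEPTH:]

    @property
    def current_hash(self) -> bytes:
        return self.history[-1]

    def login(self, password: str) -> bool:
        """Three failed attempts disable the account; a disabled account never logs in."""
        if self.disabled:
            return False
        if verify_password(password, self.current_hash):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.disabled = True
        return False

    def reactivate(self, identity_verified: bool) -> bool:
        """Computer Services re-enable the account only after checking the caller's identity."""
        if not identity_verified:
            return False
        self.disabled = False
        self.failed_attempts = 0
        return True


if __name__ == "__main__":
    acct = Account("jsmith", "Quay-2004!")
    print(check_policy("123456", "jsmith", acct.history))
    for attempt in ("guess1", "guess2", "guess3"):
        acct.login(attempt)
    print("disabled after three failures:", acct.disabled)
```

Note that a correct password submitted to a disabled account still fails: the lockout is lifted only by `reactivate`, which stands in for the identity check Computer Services carry out before reissuing access.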
Application Access Control
1. System Owners (see 'Business requirement for system access' above) define access to and use of application systems.
2. Systems Owners control access to applications and are responsible for ensuring that they support the objective of this security policy.
3. System Owners should strictly control access to system utilities within applications. Only authorised users should have access to these utilities. Managers are responsible for ensuring that adequate internal checks are carried out on the procedures exercised by these users.
4. All unnecessary system utilities are disabled during installation.
5. All application systems should provide adequate audit trails of transactions.
13. SYSTEMS DEVELOPMENT AND MAINTENANCE
New projects
1. No formal feasibility studies should be carried out without initial consultation with Computer Services.
2. All formal projects should be submitted to the IT Steering Group for consideration.
3. New systems should follow a formal feasibility study of the options prior to selection.
4. All projects for new systems should consider the security requirements of the system to safeguard the confidentiality, integrity and availability of the information assets. This should be considered during the feasibility stage of the project. Consideration should include:-
- Control of access to information;
- Segregation of duties;
- Access to audit trail;
- Verification of critical data;
- Compliance with legislative requirements;
- Backup procedures;
- Recovery procedures;
- Ease of use
- Data Protection
Change Control Procedures
1. Any change to systems, files and data, should be undertaken in a controlled manner. All changes should be documented and tested prior to implementation.
2. There should be a separate 'test' environment set up for new programs. All new programs should be acceptance tested and signed off by the User before going 'live'.
14. BUSINESS CONTINUITY PLANNING
Risks and Planning
1. Computer Services has identified and maintains a record of business critical systems and processes.
2. ICT Services periodically review their Operational Risks and their impact on the Authority.
3. Computer Services have identified responsibilities and procedures to follow in the event of disasters for specific Servers and Systems. Documentation of these procedures and processes are kept on file in Computer Services.
4. Computer Services intend to develop a comprehensive Business Recovery plan which includes all IT business processes and recovery action.
5. Staff responsibilities will be determined and conveyed in the Business Recovery Plan.
6. All Staff responsible for Recovery procedures will be trained accordingly.
7. Procedures are tested and reviewed regularly.