FOR PUBLICATION REMOVABLE MEDIA POLICY (B000) MEETING: 1. CABINET 2. EXECUTIVE MEMBER FOR GOVERNANCE AND ORGANISATIONAL DEVELOPMENT


DATE: 1. 22ND OCTOBER, TH OCTOBER, 2013
REPORT BY: HEAD OF GOVERNANCE
WARD: ALL
KEY DECISION REFERENCE (IF APPLICABLE):
FOR PUBLICATION
BACKGROUND PAPERS FOR PUBLIC REPORTS: NONE

1.0 PURPOSE OF REPORT

1.1 To seek Cabinet approval to a proposed Removable Media Policy.

2.0 RECOMMENDATION

2.1 That Cabinet approve the Removable Media Policy (attached at Appendix 1), and agree its corporate implementation.

3.0 BACKGROUND

3.1 In July 2012 Cabinet agreed approval of a series of DPA/FoI/Information Rights Policies to ensure that the Council complied with its statutory obligations.

3.2 Additionally, at its July 2012 meeting, in respect of the requirement of maintaining connection to Government Connect (GC), the Council also needed to identify a Senior Risk Information Officer (SRIO). GC is the secure GSI system which allows the transfer of sensitive data from DWP to the Council in respect of Housing and Council Tax benefit payments. It was agreed that the Head of Governance be the SRIO for the above purposes.

3.3 Members should note that Government Connect (GC) has now been replaced by Public Service Network (PSN). As with GC, there is the continuing need for the Council to be information security compliant to a standard set by the Cabinet Office. The Council, in line with other authorities, is required to achieve PSN compliance by the 19th December, After this time, the GC of Connection lapses and the Council is at risk of being disconnected from the PSN network for non-compliance.

3.4 Members should further note that with PSN there comes a significantly greater sharing of services between Government, local authorities and other non-governmental organisations. Therefore, Cabinet Office needs to ensure that connected organisations such as CBC comply with an agreed standard in order to maintain trust and integrity across the IT infrastructure.

3.5 Compliance will be achieved by the Council making a substantial submission to PSN by the above date to evidence that it has obtained the required IT technical and statutory (e.g. DPA/FoI) information risk management systems, processes and policies in place at the Council.

3.6 This major piece of ICT compliance work can be summarised as follows:

1) Work to complete the 98 organisational PSN controls that apply to the Council (the Annex B controls).
2) Work to complete the 35 remedial actions identified from an independent organisational IT Health Check report.

3.7 Achievement of PSN compliance is being managed through the development of the Council's information management policies, regular Information Security Working Group meetings and an accompanying risk management action plan. At the time of writing approximately 90% of the required actions referred to above have been implemented.

3.8 Additionally, the PSN compliance requirements have been entered onto the Council's Risk Register. This is both to embed organisationally and to demonstrate to the Cabinet Office that the Council is operating a formal risk management process.

3.9 As part of the compliance work that is currently being led by the SRIO and the ICT Infrastructure and Security Manager, there is a requirement for the Council to adopt a Removable Media Policy.

The purpose of the Removable Media Policy is to ensure that the Council has in place a system for the controlled use of removable media devices to store and transfer information by all Council users (including Members) who have access to information, information systems and IT for the purposes of conducting official Council business.

The scope of the policy is such that it applies to all Councillors, Committees, services, partners, employees of the Council, contractual third parties and agents of the Council who have access to its information, information systems or IT equipment and intends to store any information on removable media devices.

Removable media devices include, but are not restricted to the following:

- CDs
- DVDs
- Optical disks
- External hard drives
- USB memory sticks (also known as pen drives or flash drives)
- Media card readers
- Embedded microchips (including smart cards and mobile phone SIM cards)
- MP3 players
- Digital cameras
- Backup cassettes
- Audio tapes (including dictaphones and answering machines)
- Tablets
- Laptops

3.13 The purpose of the policy is to establish the principles and working practices that are to be adopted by all users in order for data to be safely stored and transferred on removable media.

It will ensure the integrity of data held by the Council, avoid contravention of any legislation, policies or good practice requirements, build confidence and trust in the data that is being shared between systems or for the disclosure of information as may be necessary by law.

A copy of the proposed Removable Media Policy is attached at Appendix 1.

4.0 FINANCIAL IMPLICATIONS

4.1 There are none arising from the contents of this report.

5.0 LEGAL IMPLICATIONS

5.1 These are set out in the body of the report.

6.0 EQUALITIES IMPLICATIONS

6.1 There is no requirement for full EIAs to be completed in respect of the proposed policies. This is because the policies are not anticipated to have a disproportionate impact on any group; the only impact could be positive by ensuring personal data is destroyed when appropriate and in a secure manner; or, the only impact could be positive as sensitive information will be kept even more securely.

7.0 RISKS AND UNCERTAINTIES

7.1 This report concerns compliance with Cabinet Office requirements. All policies and documents have to be published and available for public scrutiny.

Description of Risk: Failure to achieve PSN compliance, the Council will be disconnected from GSI and PSN systems within three months of the compliance date of the 19th December, 2013 for failing to meet its compliance obligations.
Likelihood: L
Impact: H
Mitigating Action: SRIO and ICT Infrastructure and Security Manager prioritising and implementing compliance requirements. Approval of the Removable Media Policy attached at Appendix 1. Progress on required compliance being reviewed and monitored by monthly Corporate Information Security Project Group.

8.0 RECOMMENDATION

8.1 That Cabinet approve the Removable Media Policy (attached at Appendix 1) and agree its corporate implementation.

9.0 REASON FOR RECOMMENDATION

9.1 To develop and embed at the Council a culture of information rights governance and management that protects and uses information for the public good, complies with the statutory DPA/FoI requirements and ensures that the Council achieves PSN compliance status.

SARA T. GOODWIN
HEAD OF GOVERNANCE

You can get more information about this report from Sara Goodwin (345309).

Officer recommendation supported/not supported/modified as below or Executive Members recommendation/comments if no Officer recommendation.

Signed
Executive Member
Date 14th October 2013

Consultee Executive Member/Support Member comments (if applicable)