Information and Communications Technology (ICT) Security Policy

Overview of our ICT Security Policy that outlines how staff and volunteers use our systems appropriately and securely

Introduction

This Information & Communications Technology (ICT) Policy forms a key part of the Confidentiality Policy of METRO. It focuses on the technical and usage issues in relation to METRO’s ICT system. The use of ICT is vital to the everyday running of METRO and its services. Staff have the ability to create, store and/or access a wide range of electronic information. Therefore, the aim is to ensure that:

  • The relevant information is always available to the relevant users
  • Confidentiality is always maintained
  • The integrity of the information is maintained

METRO needs to be aware of ICT security as there are a range of undesirable consequences associated with breaches of ICT security which include but are not limited to:

  • Systems being unavailable
  • Bad publicity and embarrassment
  • Fraud
  • Illegal personal investigation

The term ICT refers to any communication device or application, encompassing radio, television, smart phones, cellular phones, computer and network hardware and software, satellite systems, etc., as well as the various services and applications associated with them.

Relevant Laws and Regulations Relating to This Document and ICT

It is the policy of METRO that all of its activities must be conducted in accordance with current legislation. If a user of information is unsure as to their responsibilities in relation to the laws, they should seek advice through their immediate supervisor.

The use of information is governed by a variety of different Acts of Parliament. These currently include, but are not limited to:

  • The Copyright, Designs and Patents Act 1988
  • The General Data Protection Regulation 2016
  • The Data Protection Act 2018
  • The Human Rights Act 1998
  • The Computer Misuse Act 1990
  • The Regulation of Investigatory Powers Act 2000
  • The Freedom of Information Act 2000
  • The Electronic Communications Act 2000

Management Responsibilities

Managers are responsible for:

  • Ensuring that their staff, service users and/or visitors only use METRO ICT when they have agreed to follow the policy. This includes staff from partner organisations who have access to the METRO systems.
  • Handling any disciplinary issues that arise and proactively investigating any suspected breaches.
  • Ensuring all breaches of Information Security are reported immediately, or at least within 72 hours of the staff member being made aware of the breach.

All existing users of ICT will be notified of this policy and future changes. Users’ continued use of ICT after notification will constitute acceptance of and agreement to the policy document.

Breaches of any section of this policy will be dealt with in line with the METRO Disciplinary Policy and could lead to dismissal.

Any suspicion of breach of the policy must be reported to the Senior Management Team immediately. Failure to do so constitutes a breach of this policy.

METRO is committed to maintaining standards and all METRO ICT must conform to Health and Safety requirements such as carrying out workstation assessments, reviewing display screen equipment and investigating any discomfort or ill-health believed to be associated with the use of display screen equipment. For more information please see the Health and Safety Policy.

Use of METRO ICT is open to recognised current staff and volunteers of METRO and any other persons authorised by METRO management. Service users must only use METRO ICT in the presence of staff.

Users must not in any way cause any form of damage to METRO’s computing equipment or software, nor to any of the office space and/or its facilities, nor to any of the network wiring infrastructure or communications equipment. The term ‘damage’ includes modifications to hardware or software which, whether or not they cause harm to the hardware or software, incur time and/or cost restoring the system to its original state. Where damage has been determined to be caused by user carelessness or wilfulness, an investigation will be undertaken in accordance with internal disciplinary processes and the Volunteer Code of Conduct.

Users must comply with the terms and conditions of all licence agreements, available from their direct Line Manager or the Head of Finance and Facilities.

Users must not modify any software.

Users must not introduce any virus, worm, Trojan horse or any other nuisance program or file onto any system or take any action to circumvent or modify any precautions taken by METRO to prevent infection of these machines.

Users must not use the ICT facilities for sending any message textual or graphic or voice or artistic that is offensive, abusive, obscene, defamatory, homophobic, biphobic, transphobic, racist, sexist or otherwise unlawful. Users must not initiate or spread electronic chain mail.

Any electronic mail must be relevant to the user’s job or role within METRO.

Users may only access files which they have been given express permission to access. Tiers of access are based on individual job roles and METRO domain membership. Access permissions, once approved by domain Information Managers by email, are actioned by either an Office Manager or a representative of METRO’s external IT Support consultant.

Users must not use another user’s username/password, nor permit or allow another user to use their own username/password.

Users must not allow any password associated with their username to become known to another user. The user will be held responsible for any unlawful action carried out under their computer account unless there is evidence to prove otherwise.

Users must not make known any other passwords which may be supplied to them in order to enable access to documents, databases or programmes.

Some programmes require joint logins so that several people may access one profile. In these circumstances, the Head and manager of the service must control access and ensure that group passwords are changed regularly. The password must not reflect any personal information, or that of the service.

Users must not connect any equipment to METRO’s network without prior authority from Administration.

When users have finished using any equipment, they must terminate their session by completely shutting down the computer.

No equipment or software may be borrowed without permission from your line manager.

The use of METRO’s facilities for commercial gain as well as for private work or work on behalf of others is not allowed without prior agreement with management.

Unreasonable recreational use of the internet by staff during working hours is not allowed. For further clarification on this please see the Staff Handbook Section K: Policy on Use of Email and Access to the internet.

Personal staff drives (U: drive) and Outlook profiles are taken offline and archived; however, once Information Managers have deemed that these are no longer necessary for reference purposes, they are deleted. Former staff access rights to the ‘M’ drive are removed immediately after their date of leaving the organisation. All files, folders and documents necessary for the running and management of programmes should be stored in public folders. METRO will not be liable for the non-return of the member of staff’s files beyond this time.

METRO may at any time permit the inspection, monitoring, or disclosure of ICT Systems and Data:

  • When required by and consistent with English law: the Senior Management Team evaluates all such requests against the precise provisions of the Freedom of Information Act, the Regulation of Investigatory Powers Act, and other laws concerning disclosure and privacy, or other applicable law.
  • At the request of the SMT or MT, to determine compliance with METRO policies and standards.
  • METRO reserves the right to monitor ICT Systems to carry out system management, problem resolution, maintenance and capacity planning; to address security issues, including virus management; and to carry out authorised surveillance and tracking of unauthorised access to systems.

Failure to comply with these conditions of use for facilities may result in disciplinary action as detailed in the Disciplinary Policy.

Management of the Production Systems Environment

User IDs and passwords used in the ICT environment provide privileged access to systems for system management and operational reasons and must be managed as below:

  • Senior Management/System administrators Level – access to all areas
  • Management Level – access to general files & management files
  • All users – access to general files only pertaining to their department

In addition, there are departmental security levels, for example Clinical Access or Youth Specific Access. These files are not accessible under general access and may be accessed only by those directly employed by that department.

Passwords must be changed at least twice a year.

All profile passwords are required to be changed on a six-monthly cycle as per a system group policy.

METRO’s Head of Finance & Facilities sets all mobile device passwords at the point at which they are issued. These passwords are removed when devices are reset to factory default between users. Simple PIN codes are not used; only complex passwords are.

Version

This overview is drawn from version 4.2 of the full policy document below:

Information and Communications Technology (ICT) Security Policy v4.2