Dated: 28 Nov 2012
NOT PROTECTIVELY MARKED
POLICY TITLE: Information Security Policy
OWNING DIRECTORATE: Corporate and Strategic Services
AUTHOR: Information Security Advisor
CONTACT DETAILS: Ext 49069
EQUALITY IMPACT ASSESSMENT: Complete
AIM OF POLICY: To enable Northumbria Police to use and share information with confidence; to have in place suitable safeguards to ensure the confidentiality, integrity and availability of Force information systems; and to ensure that all of Northumbria Police’s contractual, statutory and regulatory obligations for information security are met.
BENEFIT OF POLICY: To enable the Force to conduct its operations whilst reducing to an acceptable level the risk of business damage by preventing and minimising the impact of information security incidents. In addition to legislative compliance, the reputational and financial damage that would be caused by a major breach of Information Security acts as a major driving force for Information Security standards and best practice.
REASON FOR POLICY: To safeguard the accuracy and completeness of information and information processing methods and to ensure that information is accessible only to those authorised to have access, disclosed only to those authorised to receive it, and so disclosed only for police purposes.
Northumbria Police recognises the importance of Force information assets and the need for proper, effective management of information systems and security safeguards and countermeasures within the Force to provide continued security of Force information assets. This will be achieved by:
Maintaining appropriate security standards, specifically those set out in the HMG Security Policy Framework;
Maintaining compliance with the ACPO Information Systems Community Security Policy and supporting Codes of Connection;
Adopting the HMG Information Assurance Maturity Model (IAMM) to assist in developing information assurance maturity in the organisation;
Ensuring the security of protectively marked & sensitive information and information assets both belonging to Northumbria Police and entrusted to it by other organisations;
Ensuring all staff* are aware of their responsibilities relating to the security of information and their duty to comply with Force policy and procedures relating to Information Security;
Meeting statutory obligations, e.g. the Data Protection Act 1998.
*All staff are defined as “all police officers and police staff, including the extended police family and those working voluntarily or under contract to the Northumbria Police Authority”, delivery partners and third party suppliers with access to Force information assets.
Information takes many forms and includes information stored on computers, transmitted across networks, printed out or written on paper, sent by fax, stored on tapes, CD/DVD, USB memory sticks or portable hard disk drives, or spoken in conversation, over the telephone or over Airwave terminals.
Northumbria Police’s approach to information security is to balance the business requirements of the Force with the risk and potential impact of an information security breach, and the associated cost and logistics of implementing security controls.
Northumbria Police recognises that information risks can have an impact on the wider policing community and other organisations and agencies. The Force will agree with its partners how information risk will be managed and communicated, in an agreed format. This will ensure that risks can be managed by the appropriate owners and enable each organisation to discharge its responsibilities appropriately. For information risks which are jointly owned, the Force will consider recording them on the respective corporate risk registers. Examples of shared risk include regional collaboration, third party delivery partners and suppliers.
All personnel have an individual and collective responsibility to fully comply with the requirements of legislation pertaining to the protection of information including the security of information. Legislation includes but is not limited to:
Data Protection Act 1998
Human Rights Act 1998 & European Convention on Human Rights
Official Secrets Act 1989
Copyright, Designs & Patents Act 1998
Computer Misuse Act 1990
Electronic Communications Act 2000
Interception of Communications Act 1985
Regulation of Investigatory Powers Act 2000
Freedom of Information Act 2000
Wireless Telegraphy Act 1949
Crime & Disorder Act 1998
Criminal Procedure & Investigations Act 1996
SOURCE DOCUMENT: ACPO/ACPO(S) Community Security Policy and Modular Code of Connection, the British Standard Codes of Practice for Information Security Management (ISO/IEC 27001:2005 and ISO/IEC 27002:2005) and Her Majesty’s Government Security Policy Framework.
GROUPS AFFECTED: All staff
ACCESS AND DISCLOSURE RESTRICTIONS: All staff