POLICY TITLE: Information Security
OWNING DIRECTORATE: Corporate and Strategic Services
AUTHOR: Information Security and Assurance Manager, Information Management Unit
CONTACT DETAILS: 101
AIM OF POLICY: To enable Northumbria Police to use and share information with confidence; to have in place suitable safeguards to ensure the confidentiality, integrity and availability of Force information systems; and to ensure that all of Northumbria Police’s contractual, statutory and regulatory obligations for information security are met.
BENEFIT OF POLICY: To enable the Force to conduct its operations whilst reducing to an acceptable level the risk of business damage, by preventing information security incidents and minimising their impact. In addition to legislative compliance, the reputational and financial damage that would be caused by a major breach of information security acts as a major driving force for information security standards and best practice.
REASON FOR POLICY: To safeguard the accuracy and completeness of information and information processing methods and to ensure that information is accessible only to those authorised to have access, disclosed only to those authorised to receive it, and so disclosed only for police purposes.
Information stored in Northumbria Police computer systems represents an extremely valuable asset to the Force, and therefore needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business and operational continuity, and to minimise business damage by preventing and reducing the impact of security incidents.
This policy is the overarching policy setting out the Northumbria Police position on information security. As such, its contents and direction should be considered implicit in any other information security policy, guidance or training. All staff should make themselves aware of this policy and adhere to the guidance outlined. If any user of Northumbria Police information assets and systems is in any doubt as to the meaning of any section of this policy, the guidance of the Information Security and Assurance Manager should be sought.
Information Security Objectives
The objectives of Northumbria Police Information Security policy are to preserve the following:
- Confidentiality: ensuring that information and systems are accessible only to those authorised to have access;
- Integrity: safeguarding the accuracy and completeness of information assets and systems;
- Availability: ensuring that authorised users have access to information and vital services when required.
Northumbria Police recognises the importance of Force information assets and the need for proper, effective management of information systems, alongside security safeguards and countermeasures within the Force, to provide continued security of Force information assets. This will be achieved by:
- Maintaining appropriate security standards, specifically compliance with Her Majesty’s Government (HMG) Security Policy Framework;
- Maintaining compliance with the National Policing Information Systems Community Security Policy and supporting Codes of Connection;
- Ensuring the security of protectively marked and sensitive information and information assets both belonging to Northumbria Police and entrusted to it by other organisations;
- Ensuring all staff* are aware of their responsibilities relating to the security of information and their duty to comply with Force policy and procedures relating to Information Security;
- Meeting statutory obligations, e.g. the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
*All staff are defined as "all police officers and police staff, including the extended police family and those working voluntarily or under contract to the Office of Police and Crime Commissioner", delivery partners and third party suppliers with access to Force information assets.
Information Security Function
The Deputy Chief Constable is the Force’s Senior Information Risk Officer (SIRO). The SIRO has overall responsibility for all information security risks within the Force and manages them in conjunction with the Information Security and Assurance Manager (ISAM).
The ISAM manages information security for the Force, and is responsible for maintaining policies, standards and procedures, and providing advice and guidance on their implementation on a day-to-day basis. The ISAM reports to the SIRO on a regular basis to ensure that appropriate risk management practice is in place and any significant risks are managed strategically.
All Heads of Departments and Managers/Supervisors across the Force must ensure that all staff comply with the Force Information Security Policy and associated procedures. It is the responsibility of all personnel to adhere to the policies, standards and procedures. Failure to do so may result in disciplinary action.
It is the responsibility of any member of staff who is acquiring or deploying information systems solutions to ensure that the information system adheres to the Force Information Security Policy, alongside other related policies and standards. If there is any uncertainty or concern on this issue the ISAM must be consulted.
All Northumbria Police personnel (including contractors) have a collective responsibility to ensure that Northumbria Police assets (information, property and staff) are protected, in a proportionate manner, from activities which may cause harm to the organisation or to data subjects. This includes reducing the risk of unauthorised or inappropriate access to data, and of the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording or devaluation of information assets and systems.
Information takes many forms and is held on a range of asset types. It may be stored on computers and information systems, transmitted across ICT networks, printed out or written on paper, sent by fax, stored on tapes, CD/DVD, USB memory sticks or portable hard disk drives, or spoken in conversation, over the telephone or over Airwave terminals.
Information Risk Management
Northumbria Police’s approach to information security is to balance the business requirements of the Force with the risk and potential impact of an information security breach, and the associated cost and logistics of implementing security controls.
Northumbria Police has in place a formal risk management framework for identifying, prioritising and managing Force-wide risks relating to information management. Information security risks can arise from security incidents, data breaches, planned internal or external security audits, or general security reporting. All risks highlighted to the Information Security function will be evaluated, graded and recorded appropriately within the Force Information Security Risk Register.
Northumbria Police recognises that information security and information management risks can have an impact on the wider policing community and on other organisations and agencies. The Force will agree with its partners how information risk will be managed and communicated, in an agreed format. This will ensure that risks can be managed by the appropriate owners and enable each organisation to discharge its responsibilities appropriately. For information risks which are jointly owned, the Force will consider recording them on the respective corporate risk registers. Examples of shared risks include regional collaboration, third party delivery partners, national system connections and cloud hosting suppliers.
Northumbria Police owns and utilises a range of information assets and systems to provide policing services. Such information assets can be stored either internally or externally to the Force’s ICT network; on occasion this can involve the use of cloud hosting providers to host data and/or information systems off-site, outside the Northumbria Police ICT network.
Project Teams are responsible for engaging the Information Security function early in any system implementation or change project where there is a confirmed or potential requirement for cloud hosting. Northumbria Police recognises the need for a robust assessment to ensure that appropriate controls are in place, with the outcome of the security and technical risk assessments fully auditable and signed off at the appropriate level.
Northumbria Police has a duty to comply with government legislation and regulations.
All staff have an individual and collective responsibility to fully comply with the requirements of legislation pertaining to the protection of information including the security of information. Legislation includes but is not limited to the following:
- Data Protection Act 2018
- Human Rights Act 1998 & European Convention on Human Rights
- Official Secrets Act 1989
- Copyright, Designs & Patents Act 1988
- Computer Misuse Act 1990
- Electronic Communications Act 2000
- Interception of Communications Act 1985
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- Wireless Telegraphy Act 1949
- Crime & Disorder Act 1998
- Criminal Procedure & Investigations Act 1996
SOURCE DOCUMENT: National Policing Community Security Policy and Modular Code of Connection; the British Standard Codes of Practice for Information Security Management (ISO/IEC 27001:2005 and ISO/IEC 27002:2005); Her Majesty’s Government Security Policy Framework; APP Information Assurance.
GROUPS AFFECTED: All staff
ACCESS AND DISCLOSURE RESTRICTIONS: All staff