Secure email policy

advertisement
PUBLIC
Information Security Document
Secure Email Policy
Version 3.0
Version 3.0
Derbyshire County Council Secure Email Policy
1
PUBLIC
Version History
Version Date
1.0
27/09/2013
2.0
03/11/2014
3.0
15/12/2015
Detail
Approved by Information Governance
Group
Reviewed by Information Governance
Group
Reviewed by Information Governance
Group. Remove Elected Members from
breaches section.
Author
Jo White
Jo White
Jo White
This document has been prepared using the following ISO27001:2013 standard controls as
reference:
ISO Control
Description
A.9.4.4
A.12.1.1
A.13.2.1
A.13.2.3
A.14.1.2
A.18.1.3
A.18.1.4
A.18.2.3
Use of privileged utility programs
Documented Operating Procedures
Information Transfer Policies and Procedures
Electronic Messaging
Securing application services on public networks
Protection of records.
Privacy and Protection of personally identifiable information
Handling of assets
Version 3.0
Derbyshire County Council Secure Email Policy
2
PUBLIC
1
Introduction
The security of electronic information is critical in today’s environment, with potential
interception of unsecured email sent over the internet being a realistic possibility. To
mitigate this risk, any electronic information considered restricted or sensitive should
be secured in transit. As such, all Derbyshire County Council employees, including
elected members, partner agencies, contractors and vendors with access to Council
systems are responsible for taking the appropriate steps, as outlined below, to use
the correct method of email appropriate to the content and recipient(s).
2
Purpose
The purpose of this policy is to define the Council’s agreed methods for sending
emails securely. Other established government secure email networks are in use but
a large proportion of the private population do not have access to these. The Council
has therefore adopted a third encryption solution for sending email securely to
external parties. Using an encryption solution ensures that the content of a message
can only be read by the intended recipient. Even if a message was intercepted the
content could not be read due to the encryption protection applied which essentially
scrambles the content of the email whilst in transit.
3
Scope
This policy applies to all employees, elected members, contractors, vendors and
partner agencies who:


4
have or are responsible for sending personal and sensitive data to parties
external to the Council in the course of conducting council business.
have or are expected to receive personal and sensitive information from
external parties in the course of council business.
Policy Statement
With continuing reliance on electronic communication, it has become increasingly
important to ensure the correct method of email transfer for personal and sensitive
information.
The Transformation Service Information Security Team will be responsible for
handling requests for secure email accounts.
The following procedures and practices must be followed when setting up secure
email accounts.
As it is a nearly impossible task to get one secure email solution to fit all
circumstances a number of secure email solutions need to be employed in a
preferential order.
4.1 GCSx Secure Email
This is the most secure environment and is limited as to who have been enabled with
the service by the Transformation service.
Anyone wishing to use GCSx email would need to apply and adhere to a set of
guidelines. It requires a separate logon to use this email service and uses a separate
mailbox (not the usual Derbyshire.gov.uk address).
Version 3.0
Derbyshire County Council Secure Email Policy
3
PUBLIC

GCSx email should be used to send/receive email with those external
agencies, such as the Police, NHS, DWP and those who are on Public
Services Network (PSN) which is the conduit for secure GCSx email.

Applications for a GCSx email account must be placed with the
Transformation Service Security/Business continuity Team.

Each applicant must sign the ‘Acceptable Usage policy’ which dictates the
rules to be adhered to when using the GCSx email account. The signed policy
must be seen by a line manager before the application is submitted.

As per the Council’s PSN Code of Compliance, each individual applicant must
have a Baseline Personnel Security Standard Check. Each applicant and
their manager must complete the respective portions of the ‘Baseline
Personnel Security Standard Check’, this must include a ‘Third-party
verification of unspent convictions’ i.e. a DBS check.

Both the Acceptable Usage Policy and Baseline Personnel Security Standard
Check are required items by the government agency who administer and
authorise the Councils connection to the PSN, through which the GCSx
service is accessed. A GCSx email account will not be set up without these
completed documents.

Only Council provisioned PCs and Laptops can be configured with the correct
environment for GCSX. Non Council equipment must not be used for GCSx.

PCs and laptops that are to be used by people for GCSx must be configured
for the purpose by the Transformation Service Desk. No other devices can be
used for GCSx email.

Generic GCSx email accounts can be set up by the Service desk on request
for teams or related Council functions but each individual with access to the
generic account must have their own GCSx email account.

Information sent or received as attachments via GCSx should only be stored
on secure folders as set up by the Service Desk specific for this purpose, or
on Council issued encrypted memory sticks. Information stored on such sticks
should be transferred to secure Council servers at the earliest possible
convenience prior to deletion from the memory stick.

Connection to and transfer of data from/to back office systems is not
permissible via the domain on which GCSx email exists.

Emails must not be sent to/from general internet or Derbyshire email systems
to/from GCSx.

Passwords for the domain on which GCSx is accessed, are initially set by the
Service desk but account holder is require to change this at the first available
opportunity before the GCSx mailbox is created by the Service Desk on the
domain. Passwords must comply with the Password policy.
Version 3.0
Derbyshire County Council Secure Email Policy
4
PUBLIC
4.2 CJSM Secure Email
CJSM is widely accepted by the Law Courts and is more flexible in its use (email can
be sent to and from an existing Derbyshire.gov.uk mailbox), but can only be sent
securely to an existing CJSM email address. There is also an administration
overhead which requires the email addresses to be created via a third party internet
based portal.

A small group of administrators exist for the CJSM at the Council who can set
up new accounts and reset passwords : o Administrator for Legal Service and Call Derbyshire – Jo White
o Administrator for Youth Offending – Brian Redding
o Administrator for Road Safety – Wendy Cavens

Passwords are initially set by the CJSM system but any subsequent
password must comply with the Password policy. CJSM passwords expire
after 90 days

Emails cannot be sent or received if the account is not kept active by the
authorized individual. If accounts lapse, they can only be re-activated through
application to one of the administrators.

The username will be the individuals Derbyshire email address and must be
used with the given/updated password
4.3 Microsoft 365 Email Encryption Service.
This does not require any special software or email setup by the recipient, only
internet access and a Derbyshire email address. It has a low cost to the Council
(Approximately £12.50 per licence per year) and does not cost the recipient anything.
One license can be used for an individual or generic Derbyshire email account. Once
a license is obtained, an employee can send to any number of email recipients and
the administration can be managed by the Transformation Service Desk.

The 365 Email Encryption facility must be requested via the Transformation
Service desk and attempts to send Encrypted emails should only be
attempted once the employee has been informed the Encryption facility has
been enabled on the requisite email account.

365 Email Encryption should only be used to send emails securely to external
agencies/individuals that do not have access to the GCSx (Public Service
Network) or CJSM email.

Each employee must ensure they have the correct recipient email address
and the words ‘Encrypted message’ are included on the subject line.

Generic email accounts can be set up to use the 365 Email Encryption facility
but this can only be done via application to the Transformation Service Desk.

External recipients of 365 Email Encryption will be able to open the message
either by logging onto a Microsoft Account or obtaining a ‘one-time passcode’.
The recipient will be able to view and reply to DCC encrypted message
Version 3.0
Derbyshire County Council Secure Email Policy
5
PUBLIC
emails on a secure Microsoft web page. The chain of replies between DCC
and recipient will also be encrypted as long as the replies are composed
when viewing the chain via the relevant DCC outlook or Microsoft window.
5
6
Responsibilities

Emails containing personal or sensitive information must be sent by a secure
email system according to the destination of that email.

Officers sending secure email would choose the appropriate secure email
solution according to the circumstances of the destination of the email. See
Appendix I.

The officer should be extremely vigilant about the recipients email address, so
as to not send any sensitive data to the wrong user.

The use of email systems available via the internet (such as Hotmail,
Hightail) and storage systems (such as Dropbox) or any system of
email/storage not provisioned by the Council is not permissible.
Compliance with legal and contractual obligations
Data protection is of concern regarding secure email as any sensitive data sent via
email that is not sent on a secure system is open to interception as the email travels
across the internet to the recipients email systems. By sending this information by a
secure email service only the intended recipient will be able to access the data and
hence mitigate the risk of being fined by the Information Commissioners Office for
breaches of the Data Protection Act.
7
Breaches of Policy
Breaches of this policy and/or security incidents can be defined as events which
could have, or have resulted in, loss or damage to Council assets, or an event which
is in breach of the Council’s security procedures and policies.
All employees, elected members, partner agencies, contractors and vendors have a
responsibility to report security incidents and breaches of this policy as quickly as
possible through the Council’s Incident Reporting Procedure. This obligation also
extends to any external organisation contracted to support or access the Information
Systems of the Council.
In the case of third party vendors, consultants or contractors non-compliance could
result in the immediate removal of access to the system. If damage or compromise of
the Council’s ICT systems or network results from the non-compliance, the Council
will consider legal action against the third party. The Council will take appropriate
measures to remedy any breach of the policy through the relevant frameworks in
place. In the case of an individual the matter may be dealt with under the disciplinary
process.
This document forms part of the Council's ISMS Policy and as such, must be
fully complied with.
Version 3.0
Derbyshire County Council Secure Email Policy
6
PUBLIC
APPENDIX I
Secure
e-mail
solution
Cost
Maintenance/setup Accessibility with
DCC systems
GCSx
Medium
High – requires a
separate mailbox and
user account. User’s
computer also
requires to be
encrypted.
CJSM
Low
Medium –
departmental
administrator
maintains a list of
users
365 Email Medium Medium – Service
Encryption –
Desk maintains a list
£12.50
of users
per
License
for each
mailbox
per
year.
Poor – unable to
access other DCC
systems with a
Derbyshire account.
Accessibility
outside the
authority
Medium – only other
GCSx and GSi
accredited government
bodies can use this
system. Requires a
specific infrastructure
setup.
Good – is used from Medium – only CJSM
same email account accredited bodies can
(a Derbyshire.gov.uk access this email
mailbox).
system. Requires a
specific infrastructure
setup.
Good – the secure e- High – anyone can use
mail is sent from the this system with an
same Derbyshire
internet connection.
email account (by
using an e-mail
template).
Risk of exposure
Low – all email from GCSx
mailbox is forced over a
private connection
Medium – email sent from a
user not setup for CJSM or
to a non CJSM address will
not be transmitted securely.
Low – if an email template
is used the message will
always be sent securely.
Derbyshire County Council Secure Email Policy
Version 3.0
7
Download