PUBLIC Information Security Document Secure Email Policy Version 3.0 Version 3.0 Derbyshire County Council Secure Email Policy 1 PUBLIC Version History Version Date 1.0 27/09/2013 2.0 03/11/2014 3.0 15/12/2015 Detail Approved by Information Governance Group Reviewed by Information Governance Group Reviewed by Information Governance Group. Remove Elected Members from breaches section. Author Jo White Jo White Jo White This document has been prepared using the following ISO27001:2013 standard controls as reference: ISO Control Description A.9.4.4 A.12.1.1 A.13.2.1 A.13.2.3 A.14.1.2 A.18.1.3 A.18.1.4 A.18.2.3 Use of privileged utility programs Documented Operating Procedures Information Transfer Policies and Procedures Electronic Messaging Securing application services on public networks Protection of records. Privacy and Protection of personally identifiable information Handling of assets Version 3.0 Derbyshire County Council Secure Email Policy 2 PUBLIC 1 Introduction The security of electronic information is critical in today’s environment, with potential interception of unsecured email sent over the internet being a realistic possibility. To mitigate this risk, any electronic information considered restricted or sensitive should be secured in transit. As such, all Derbyshire County Council employees, including elected members, partner agencies, contractors and vendors with access to Council systems are responsible for taking the appropriate steps, as outlined below, to use the correct method of email appropriate to the content and recipient(s). 2 Purpose The purpose of this policy is to define the Council’s agreed methods for sending emails securely. Other established government secure email networks are in use but a large proportion of the private population do not have access to these. The Council has therefore adopted a third encryption solution for sending email securely to external parties. Using an encryption solution ensures that the content of a message can only be read by the intended recipient. Even if a message was intercepted the content could not be read due to the encryption protection applied which essentially scrambles the content of the email whilst in transit. 3 Scope This policy applies to all employees, elected members, contractors, vendors and partner agencies who: 4 have or are responsible for sending personal and sensitive data to parties external to the Council in the course of conducting council business. have or are expected to receive personal and sensitive information from external parties in the course of council business. Policy Statement With continuing reliance on electronic communication, it has become increasingly important to ensure the correct method of email transfer for personal and sensitive information. The Transformation Service Information Security Team will be responsible for handling requests for secure email accounts. The following procedures and practices must be followed when setting up secure email accounts. As it is a nearly impossible task to get one secure email solution to fit all circumstances a number of secure email solutions need to be employed in a preferential order. 4.1 GCSx Secure Email This is the most secure environment and is limited as to who have been enabled with the service by the Transformation service. Anyone wishing to use GCSx email would need to apply and adhere to a set of guidelines. It requires a separate logon to use this email service and uses a separate mailbox (not the usual Derbyshire.gov.uk address). Version 3.0 Derbyshire County Council Secure Email Policy 3 PUBLIC GCSx email should be used to send/receive email with those external agencies, such as the Police, NHS, DWP and those who are on Public Services Network (PSN) which is the conduit for secure GCSx email. Applications for a GCSx email account must be placed with the Transformation Service Security/Business continuity Team. Each applicant must sign the ‘Acceptable Usage policy’ which dictates the rules to be adhered to when using the GCSx email account. The signed policy must be seen by a line manager before the application is submitted. As per the Council’s PSN Code of Compliance, each individual applicant must have a Baseline Personnel Security Standard Check. Each applicant and their manager must complete the respective portions of the ‘Baseline Personnel Security Standard Check’, this must include a ‘Third-party verification of unspent convictions’ i.e. a DBS check. Both the Acceptable Usage Policy and Baseline Personnel Security Standard Check are required items by the government agency who administer and authorise the Councils connection to the PSN, through which the GCSx service is accessed. A GCSx email account will not be set up without these completed documents. Only Council provisioned PCs and Laptops can be configured with the correct environment for GCSX. Non Council equipment must not be used for GCSx. PCs and laptops that are to be used by people for GCSx must be configured for the purpose by the Transformation Service Desk. No other devices can be used for GCSx email. Generic GCSx email accounts can be set up by the Service desk on request for teams or related Council functions but each individual with access to the generic account must have their own GCSx email account. Information sent or received as attachments via GCSx should only be stored on secure folders as set up by the Service Desk specific for this purpose, or on Council issued encrypted memory sticks. Information stored on such sticks should be transferred to secure Council servers at the earliest possible convenience prior to deletion from the memory stick. Connection to and transfer of data from/to back office systems is not permissible via the domain on which GCSx email exists. Emails must not be sent to/from general internet or Derbyshire email systems to/from GCSx. Passwords for the domain on which GCSx is accessed, are initially set by the Service desk but account holder is require to change this at the first available opportunity before the GCSx mailbox is created by the Service Desk on the domain. Passwords must comply with the Password policy. Version 3.0 Derbyshire County Council Secure Email Policy 4 PUBLIC 4.2 CJSM Secure Email CJSM is widely accepted by the Law Courts and is more flexible in its use (email can be sent to and from an existing Derbyshire.gov.uk mailbox), but can only be sent securely to an existing CJSM email address. There is also an administration overhead which requires the email addresses to be created via a third party internet based portal. A small group of administrators exist for the CJSM at the Council who can set up new accounts and reset passwords : o Administrator for Legal Service and Call Derbyshire – Jo White o Administrator for Youth Offending – Brian Redding o Administrator for Road Safety – Wendy Cavens Passwords are initially set by the CJSM system but any subsequent password must comply with the Password policy. CJSM passwords expire after 90 days Emails cannot be sent or received if the account is not kept active by the authorized individual. If accounts lapse, they can only be re-activated through application to one of the administrators. The username will be the individuals Derbyshire email address and must be used with the given/updated password 4.3 Microsoft 365 Email Encryption Service. This does not require any special software or email setup by the recipient, only internet access and a Derbyshire email address. It has a low cost to the Council (Approximately £12.50 per licence per year) and does not cost the recipient anything. One license can be used for an individual or generic Derbyshire email account. Once a license is obtained, an employee can send to any number of email recipients and the administration can be managed by the Transformation Service Desk. The 365 Email Encryption facility must be requested via the Transformation Service desk and attempts to send Encrypted emails should only be attempted once the employee has been informed the Encryption facility has been enabled on the requisite email account. 365 Email Encryption should only be used to send emails securely to external agencies/individuals that do not have access to the GCSx (Public Service Network) or CJSM email. Each employee must ensure they have the correct recipient email address and the words ‘Encrypted message’ are included on the subject line. Generic email accounts can be set up to use the 365 Email Encryption facility but this can only be done via application to the Transformation Service Desk. External recipients of 365 Email Encryption will be able to open the message either by logging onto a Microsoft Account or obtaining a ‘one-time passcode’. The recipient will be able to view and reply to DCC encrypted message Version 3.0 Derbyshire County Council Secure Email Policy 5 PUBLIC emails on a secure Microsoft web page. The chain of replies between DCC and recipient will also be encrypted as long as the replies are composed when viewing the chain via the relevant DCC outlook or Microsoft window. 5 6 Responsibilities Emails containing personal or sensitive information must be sent by a secure email system according to the destination of that email. Officers sending secure email would choose the appropriate secure email solution according to the circumstances of the destination of the email. See Appendix I. The officer should be extremely vigilant about the recipients email address, so as to not send any sensitive data to the wrong user. The use of email systems available via the internet (such as Hotmail, Hightail) and storage systems (such as Dropbox) or any system of email/storage not provisioned by the Council is not permissible. Compliance with legal and contractual obligations Data protection is of concern regarding secure email as any sensitive data sent via email that is not sent on a secure system is open to interception as the email travels across the internet to the recipients email systems. By sending this information by a secure email service only the intended recipient will be able to access the data and hence mitigate the risk of being fined by the Information Commissioners Office for breaches of the Data Protection Act. 7 Breaches of Policy Breaches of this policy and/or security incidents can be defined as events which could have, or have resulted in, loss or damage to Council assets, or an event which is in breach of the Council’s security procedures and policies. All employees, elected members, partner agencies, contractors and vendors have a responsibility to report security incidents and breaches of this policy as quickly as possible through the Council’s Incident Reporting Procedure. This obligation also extends to any external organisation contracted to support or access the Information Systems of the Council. In the case of third party vendors, consultants or contractors non-compliance could result in the immediate removal of access to the system. If damage or compromise of the Council’s ICT systems or network results from the non-compliance, the Council will consider legal action against the third party. The Council will take appropriate measures to remedy any breach of the policy through the relevant frameworks in place. In the case of an individual the matter may be dealt with under the disciplinary process. This document forms part of the Council's ISMS Policy and as such, must be fully complied with. Version 3.0 Derbyshire County Council Secure Email Policy 6 PUBLIC APPENDIX I Secure e-mail solution Cost Maintenance/setup Accessibility with DCC systems GCSx Medium High – requires a separate mailbox and user account. User’s computer also requires to be encrypted. CJSM Low Medium – departmental administrator maintains a list of users 365 Email Medium Medium – Service Encryption – Desk maintains a list £12.50 of users per License for each mailbox per year. Poor – unable to access other DCC systems with a Derbyshire account. Accessibility outside the authority Medium – only other GCSx and GSi accredited government bodies can use this system. Requires a specific infrastructure setup. Good – is used from Medium – only CJSM same email account accredited bodies can (a Derbyshire.gov.uk access this email mailbox). system. Requires a specific infrastructure setup. Good – the secure e- High – anyone can use mail is sent from the this system with an same Derbyshire internet connection. email account (by using an e-mail template). Risk of exposure Low – all email from GCSx mailbox is forced over a private connection Medium – email sent from a user not setup for CJSM or to a non CJSM address will not be transmitted securely. Low – if an email template is used the message will always be sent securely. Derbyshire County Council Secure Email Policy Version 3.0 7