6.1 The Council is in the process of updating its Intranet. The information includes (amongst other things) the following: -

• Contact details for all the Members of the Council, including the committees on which they serve

• Contact details for officers of the Council

• A calendar of Council and Committee meetings

• Agendas and Reports

• Minutes of Meetings

• Information about Council services

7.0 Council Agendas, Committee Agendas and Reports

7.1 Although you will be able to access agendas, reports and minutes of all Committees, Members of Committees will also be sent a 'hard' copy to take to the meeting. As a general rule, it will be more cost effective for non-members who require a hard copy to ask the Committee Services Section to produce one rather than attempt to print the whole document at home.

7.2 The Intranet will be used to 'post' the decisions of the Cabinet within three working days of the meeting. This will enable Members to consider whether to request the 'call in' of any decision.

8.0 E-Mail

8.1 This facility is a very valuable tool but it can be misused. You should observe the following guidelines:-

• use the e-mail service excessively for personal messages

• send messages in anger – cool down first!

• send messages that could be perceived as aggressive, abusive, sexually offensive, racially biased or discriminatory

• send an e-mail for the sake of it

• open an attachment from an unknown source without consulting IT Services

• use your Council e-mail address to express a personal opinion. That may be interpreted as Council policy.

• include a meaningful subject line

• try and ensure your message is clear and not open to interpretation

• remember that both the civil and criminal law recognises e-mail as evidence of libel, copyright infringement, software theft, discrimination and harassment

• be aware that an e-mail is not secure – do not send confidential information.

9.0 Internet

9.1 The 'Web' contains a significant volume of information from numerous sources. It is entirely unregulated, insecure and open to exploitation. You are advised to exercise extreme caution, particularly in terms of the type of information accessed.

9.2 You should observe the following guidelines:-

DON'T

• download software from the Internet without first seeking approval from Computer Services. This excludes static data or bulletin information.

• access websites which contain material which is pornographic, obscene or otherwise offensive

• use 'chat rooms'

• use it for your own commercial activities

• be aware of copyright infringement
• exercise caution when using search tools
• remember that possession of certain material is a criminal offence – think before you download or print
• remember that the Council reserves the right to check your computer to monitor the sites accessed by you

9.3 The above is not an exhaustive list. If in doubt contact Computer Services on 01743 281075

10.0 Conditions of Use

10.1 The equipment and other facilities are provided primarily in relation to the official work of the Borough Council. Reasonable personal use is, however permitted subject to observance of the guidelines set out in this Protocol. As a general rule the following test should be applied.

10.2 Examples of reasonable and unreasonable use are:

• to communicate with Borough Council staff, constituents and other members of a political group on the Council
• access to information on the intranet or internet provided that in every case it is directly connected with Council business

• accessing, storing, transmitting or downloading material which is insulting, offensive, abusive or otherwise inappropriate
• excessive use of consumable materials

10.3 For further advice on e-mail and Internet use Members should read the Internet and Email Policy Document. Members are reminded that Internet access and e-mail can be monitored and users must abide by the policy guidance.

10.4 A member’s failure to comply with this Protocol will be regarded as a breach of the general Code of Conduct for Members, which was adopted by Council with effect from 2 March 2002 and which has been circulated to all members.

10.5 The Council Manager may, at his discretion, authorise the return of IT equipment where there has been a breach of this Protocol and require the reimbursement of any costs incurred by the Council in respect of inappropriate use.

10.6 Where any criminal activity is suspected the Council will refer the matter for police investigation.

MOBILE TECHNOLOGY GOOD PRACTICE GUIDE

The development and costs of mobile laptop computing has given users the power and flexibility to access information remotely. Although mobile computing provides improved flexibility to Staff and Councillors the trend has led to new and specific security risks relating to wireless technology.

Loss of your laptop or data held on the Laptop could mean a loss of information, loss of confidentiality, financial loss and serious disruption to your work and the Council.

1. PURPOSE OF DOCUMENT

• The policy is issued as guidance to Staff and Councillors who use Laptop Computers and Mobile devices. It is important that this guidance is observed.
• The document should be read in conjunction with the Council’s other Security documents and Members Protocol for use of IT facilities issued by ICT Services. These documents form part of the Council’s constitution.
• Any questions or concerns about laptop security should be directed through the ICT Security Officer Chris Taylor on 01743 281081.

2. LAPTOP COMPUTERS

Physical Security

Ensure the Laptop is Kept Secure at all Times

• Never leave your laptop in open view in an unattended public place.
• Never leave your laptop in open view in an unattended vehicle.
• When leaving a vehicle, either take your laptop with you or put it out of sight in the boot. The Council’s insurers only provide cover where your equipment is locked in a vehicle boot. This does not apply where the laptop is left locked in a vehicle boot overnight.
• When using a laptop in your home you should make sure that it is stored safely and out of public view. The Council’s insurers do provide cover for Council equipment stolen from an Employee’s or Councillor’s premises.
• You should use common sense and observe precautions to safeguard peripherals such as external drives, charger cards. Apply the same precautions as above.
• Laptops should be secured physically when used in vulnerable public places. Cables with locks are available that are specially designed for Laptops. These are cost efficient and a simple solution to safeguard mobile devices. The cables use graded steel and fibre and utilise a universal security slot on the laptop. The other end is locked around a fixed object, thus making a loop. If you would like further information please contact the ICT Helpdesk on 01743 281077.

Security Marking

• All laptops are security marked with DNA and labelled by ICT Services. If your equipment does not have a visual marker indicating that the equipment has been DNA marked please contact the ICT Services Helpdesk on 01743 281077.
• All Laptop computer serial numbers are recorded by ICT Services.

Software Security

• Wireless capabilities in laptop computers raise additional security concerns not addressed specifically within the Council’s Security policies. When laptops are used away from the Council’s network, whether at home, or in an alternative business environment the potential risks are significantly increased. Whilst computers use the Council network or authorised remote connection they are automatically protected from potential risks by corporate network tools (i.e. firewall, antispam and anti virus tools). When the laptop is used away from the Council’s network there is no longer this protection and hence the risk is increased.

Wireless Capabilities

• ICT do not enable wireless capabilities without a specific request from a laptop user. By default the functionality is disabled by ICT to minimise potential risk. If this has not been done please contact the ICT Services Helpdesk on 01743 281077.
• Where there is a requirement to use wireless capabilities a request should have be made through ICT Services to configure these services. The request is necessary to install additional software to protect the user and the Council from wireless threats away from the corporate network.
• Under no account should wireless services be enabled by any Staff member or Councillor without prior consultation and configuration by ICT Services. Failure to observe this guidance could potentially lead to significant risks to both the individual and Council.

Potential threats posed by un-configured wireless connections

• Malicious Programs and Hackers
• Malicious programs can be classified into various types like viruses, Trojans, Worms, Diallers, Malware, Spyware and Spam. These programs are written by malicious users in to corrupt, destroy or gain access to the information stored on computers.
• Interception wireless traffic
  Using various ‘sniffer’ tools and interception software, hackers can intercept the data that is passed over the wireless communication links where these have not been correctly configured.
• Hijacking attacks

Once the attacker is able to access (‘sniff’) the wireless traffic, it’s possible for the attacker to inject false data or commands into the existing wireless network stream and thus compromise the wireless laptop or the wireless network that the attacker is connected to. Potentially this permits access to all data on the laptop.

• Peer to peer attacks / Ad Hoc mode

Ad Hoc mode is used to form a connection between two wireless devices/laptops. This is used to share files or access devices which are near each other’s vicinity. When this option is turned on in a wireless enabled laptop another computer user can access any data stored on the laptop. Malicious users can transfer files or execute commands onto a victim’s laptop without the knowledge of the user.

• Wiphishing
  Wiphishing is used by hackers to attack wireless network and wireless enabled devices. Attackers can set-up a wireless access point and attract unsuspecting users. This attack is carried out on users who have their wireless adapter enabled on their laptop and have the connection configured to automatically connect to any wireless access point in vicinity.

Bluetooth Technology

• Bluetooth wireless technology is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of security. The key features of Bluetooth technology are robustness, low power, and low cost. The Bluetooth specification defines a uniform structure for a wide range of devices to connect and communicate with each other.
• Bluetooth wireless technology has, from its inception, put great emphasis on wireless security. Lately, confusion and misinformation surrounding security and Bluetooth wireless technology has increased. The current security issues and potential weaknesses typically apply to mobile phones not Laptop computers. The encryption algorithm used by Bluetooth is secure and provides secure connections for devices such as mice and keyboards connecting to a PC, a mobile phone synchronising with a PC, and a PDA using a mobile phone as a modem to name just a few of the many use cases.
• By default Staff and Councillors should not need to enable or configure these bluetooth services. If there is a business requirement to have these then please request the service through the ICT Services Helpdesk on 01743 281077.

Data Security on Laptops

• Regardless of the appropriate enabled wireless security there are additional software security measures that should be applied to ensure that data held of the laptop remains secure and confidential at all times.

• Never leave your laptop logged in and unattended. The laptop screen should be password protected if it is left unattended in a public place.
• When using the Laptop in a public place ensure that you screen contents cannot be overlooked by a third party.
• The data on the laptop is your responsibility. Ensure that the information you record is not in contravention of the Data Protection Act 1984 & 1998. If you are unsure on this issue please check the data you are holding is compliant with the Data Protection Officer Gareth Owens on 01743 281046.
• Any Data stored on your Laptop should be backed up to the network periodically. Systems such as Novell Ifolder provide this facility and are configured for users on request. The system uses a local folder on the computer (My Documents). Documents are saved here and then periodically, when connected to the Council network, replicates the contents of this folder with the network copy, thus providing a full backup facility.
• Do not store documents on your laptop that are not backed up. If you are unsure whether you documents are being backed up please contact the ICT Helpdesk for further guidance.
• It is possible that your laptop may be stolen, not for its value, but for the value of the information it holds. This could be, for example, confidential data, reports or other intellectual property. If your laptop holds valuable intellectual property, the following measures should to enabled to ensure that the information stays secure:-

• Laptops with Windows 2000 Professional and Windows XP Professional offer secure logon and file-level security using a file system (NTFS) to protect your data from laptop thieves who may try to access your data. The system relies on users using strong password protection to access your data. Passwords should be unique, and changed periodically. Without the username and password an ‘opportunist’ thief is unable to access the data.
• Even without a username and password a determined data thief can use software to hack the data stored on the laptop. In order to ensure that this data is protected ICT Services ‘encrypt’ the data stored in the default area that documents are stored (my documents).

• Do not allow family members to use Council equipment. The equipment is provided for your work purposes only.

Shared Use Laptops

• ICT and some services provide laptops for ’pool’ use.
• It is extremely important that Staff and Councillors observe common sense when using these corporate resources. Please ensure that you delete any data files that you have created before returning. Because these computers use generic user accounts the data remains available to all Staff who share these resources.

Lost Laptop

3. BLACKBERRY DEVICES

Blackberry devices are mobile handsets that provide corporate email, internet access and mobile phone use through the GPRS and 3G telecommunications network. Users connect to the Councils network through a secure encrypted connection providing end to end security.

Lost or Stolen BlackBerry device

• ICT enforces all users to protect their BlackBerry device with a password that must be entered to unlock and use the device. This is enabled by ICT when the device is issued. The device can be set to automatically lock at specified time intervals (e.g., every 30 minutes) and can also be set to lock whenever it is holstered. Users should not alter the settings that have been set by ICT.

• Content Protection is enabled on all Blackberry devices. This ensures that data on the device is encrypted. Thus, even if someone reads the user data directly from the device hardware, there is no way to decrypt the data without the device password.
• A lost or stolen BlackBerry device can be remotely locked or even erased by ICT Services, provided that the server can communicate with the device. The administrator can also remotely change the device password and delete applications from the device.

If your Blackberry is lost or stolen please report the incident immediately to the ICT Services Helpdesk on 01743 281076 or email the ICTHELPDESK.

4. USB FLASH DRIVES

USB Flash drives are pocket sized ultra portable storage devices (about the size of a highlighter pen) that hold 8Mb - 1GB of data that can be instantly accessed from any PC with a USB port. The introduction of these devices offers users a convenient alternative to floppy disks, but also pose a significant security risk to the corporate network.

These devices present two primary threats to the Council’s network: the introduction of malicious software and data theft/loss.

Viruses

The majority of viruses are populated through internet and email systems. ICT maintain corporate anti virus solutions to restrict these potential threats including the scanning of removal devices such as USB drives. However, these controls do not remove the need for extra diligence when using USB drives. Users can use the devices to bring in infected documents from home, or take home a business document to an infected PC, update it, and return it to a corporate file server. Thus increasing the potential risk of corporate infection. ICT Services recommend that you do not use flash drives on other computers that do not have upto date anti virus software.

Malicious software

In addition to viruses, users could bring in unauthorised software or data files from home that didn't previously fit on a floppy disk. This includes shareware programs, software pranks, MP3 files, video clips, pornography, and other inappropriate files that affect productivity and violate the Council’s ICT Security policy.

Data Theft

Corporate data theft is more realistic opportunity with USB drives. Disgruntled Staff with USB drives can take home corporate data with little or no audit trail. ICT Services are investigating the use of third party software to restrict access and report instances of data extraction to USB drives.

Data Loss

The portability of USB drives creates a further risk. The devices can be easily mislaid which can result in potentially sensitive data falling into the wrong hands. Most USB devices have little or no security features and if you lose the device other people could access the data on it. The devices can also be stolen easily off a desk, or "borrowed" and later returned to the office once the data has been copied. ICT recommend that you do not use USB drives without any password or biometric security on the device. These devices are more expensive than a standard unsecured flash drive but provide you with assurances over your data. The ICT Services Helpdesk (ext 1076) can provide you with a costing for a device on request.