NOT PROTECTIVELY MARKED

AVON AND SOMERSET CONSTABULARY
CORPORATE INFORMATION MANAGEMENT DEPARTMENT (CIMD)

Document Title: Internet System Security Manual (includes E-Mail, Web Browsing and Web Site)
Author: Gareth Davies
Revision: Version 10
Date: 01.04.2011
Supersedes: Version 9 (23.08.2010)
Review Date: 31.03.2013



1 Scope

1.1 This document is intended to set out policy for all aspects of the Avon and Somerset Constabulary Internet facility.

1.2 It is intended to serve as a Security Operating Procedure, ensuring that the internet system maintains the appropriate levels of security, confidentiality, integrity and access to the Constabulary’s data and information.

1.3 This document refers to the Force Information Security Policy. The Force policy is an overarching corporate baseline which applies in all cases except where modified by local policies.

1.4 This document is supported by the publication of the “Good e-mail Guide”, which can be found at Appendix B.

1.5 This document is intended to conform to English law, with the relevant International Standard ISO 27001, the Security Policy Framework, the ACPO Community Security Policy, and the Constabulary’s Information Security Policy. In the event of conflict this subject specific policy is subordinate to these sources.

1.6 The purpose of the Force internet facility is rapid and efficient communication, although it is important to note that special rules apply to sensitive information, or information which is classified (i.e. personal information). The facility can be broken into two components:

1. Web site (publishing, browsing and service delivery)

2. E-mail (internal e-mail – within the Force network – and external (world-wide))

This policy is intended to govern both of the above aspects.

1.7 These facilities are available to all members of the Avon and Somerset Constabulary and to affiliated organisations including the Crown Prosecution Service, the Police Authority and staff associations subject to assurances as to security standards and enforcement (Network Affiliation Agreement).

2 Terms and Definitions

2.1 See Appendix A for a Glossary of Information Security terms included in this manual.

3 Security Policy

3.1 This is the policy of the Chief Constable.


3.2 The purpose of policy is to protect the business of the Constabulary by protecting the confidentiality, integrity and availability of information, and by providing evidence of trustworthiness in information sharing arrangements.

3.3 This Manual will be reviewed at least annually.

3.4 Breach of the rules in this document may result in criminal, civil or disciplinary action.

4 Security Organisation

4.1 Avon and Somerset Constabulary Information Security Policy describes the corporate organisation of its Information Security.

4.2 Head of Corporate Communications will be the Business Process Owner.

4.3 The Internet Development Manager and his staff will be the super users in respect of the web publishing facility. The TS Exchange Administrator will be the Super User in respect of the E-mail facility. Technical support will be provided through Technical Services.

5 Asset classification and control

5.1 Hardware and software assets will be recorded and monitored in the normal way (Asset Management System) by the implementing team (Technical Services).

5.2 The Intranet system will be treated as RESTRICTED whilst within the Force network. CJX (also referred to as the Police National Network) is also treated as a separate RESTRICTED environment.

5.3 Classified or sensitive material will not exist on the internet web site. This facility will be treated as Not Protectively Marked.

5.4 Classified or sensitive material will not be sent by e-mail via the Internet except by reference to an approved form of encryption.

5.5 These systems are designed and implemented for police business purposes. Staff have no entitlement to use the systems for private (i.e. personal or domestic) purposes. However, at the discretion of District Commanders / Departmental Heads, restricted use may be allowed for personal and domestic purposes on certain conditions:

- this is a privilege which may be withdrawn by the Business Process Owner

- the rules in this section (section 5) above apply when the systems are used for personal or domestic purposes

- it is accepted by the user that the content of all material developed, sent or received will be monitored – all content will be electronically examined for unsuitable material

- no liability attaches to the force for any breach of confidentiality, breach of integrity or lack of availability of police systems.

6 Personnel Security

6.1 Avon and Somerset Constabulary Information Security Policy applies.

6.2 All members of the Constabulary may use the e-mail facilities, both internal and external.

7 Physical and Environmental Security

7.1 Avon and Somerset Constabulary Information Security Policy applies.

8 Communications and Operations Management

8.1 Technical support (including database administration and the functions normally fulfilled by a super-user) for this system will be the responsibility of the Technical Services Manager of the Technical Services Department. Technical support includes the making of backup copies (which will otherwise be in accordance with the Force Information Security Policy).

8.2 In the event of a technical difficulty, users should call the Information Services Service Desk on Ext 66480.

8.3 In the event of difficulty in respect of how to use the system, users should seek assistance from the ICT Training Unit at Police Headquarters.

8.4 The Business Process Owner will be responsible for managing enhancements to the system, including specifying requirements for change and obtaining the necessary finance and strategic approval. He may delegate responsibility for acceptance of changes.

8.5 The Business Process Owner for these facilities will be the Head of the Corporate Communications.

8.6 Development and testing will take place in an environment which is separated from the live system.

8.7 Capacity planning was based on a calculation involving the size of the user population and recent experience as to the level of usage.

8.8 The Avon and Somerset Constabulary Information Security Policy applies in respect of defences against malicious software.


8.9 Traffic entering and leaving the force network will be monitored by reference to an automated process, managed by the Information Security Officer. Only items intercepted as “suspect” by the automated process will be viewed by a member of staff. In many cases it will immediately be clear that the suspicion was misplaced, and the item will be returned to the data flow. In remaining cases, the Information Security Officer will consider appropriate investigation and action.

9 Systems Development and Maintenance

9.1 These Internet systems are generic off-the-shelf products.

9.2 First line support is available through the Technical Services Service Desk (Ext 66480), and is provided by A & S technical specialists in the same way as the Infrastructure and conformant with the Information Security Policy.

9.3 If necessary, software support will be provided by Microsoft, and obtained by the technical specialists only.

9.4 These systems will be backed up under the arrangements for the Infrastructure and in accordance with the Information Security Policy.

9.5 Responsibility for testing and version control lies with the Technical Services Manager.

9.6 Rules for retention of Internet data are:

- Logs will be retained for three months from the date of the event.

- E-mail will be swept from users’ Inbox after three months, unless they have put it into a different folder, such as a Reference folder within (this implies that there is some business need to keep it).

- E-mail sweepings are retained in an archive for a further 9 months, giving a total retention period of 12 months, and then destroyed.

10 Business Continuity Management

10.1 Business Continuity Management of this system is currently under review (led by the Information Security Officer).

11 Compliance

11.1 Avon and Somerset Constabulary Information Security Policy applies.

11.2 Managers wishing to ascertain details of e-mails sent/received by subordinates should contact Professional Standards Unit (Ext 66251). TS will reject direct approaches. Contents or sources or destinations will not normally be examined in this connection unless there is reasonable suspicion of a criminal offence or serious misconduct.


11.3 All Mail entering and leaving the Force network will be monitored, including scrutiny in relation to content (see Section 5 above), as permitted by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. It will be the responsibility of the TS Security Administrator to establish and maintain this monitoring scheme; it will be the responsibility of the Information Security Officer to carry out the monitoring task.

11.4 Monitoring may lead to disciplinary action.

11.5 Zipped files will be opened for the purposes of monitoring. Encrypted files will be blocked if they cannot be opened for the purpose of monitoring.

11.6 All mail will be automatically examined as a protection against malicious software. Suspicious items will not be allowed to pass (see 8.9 for more detail).

11.7 Anomalies will be reported to the Information Security Officer and treated as Incidents.

11.8 Software licensing arrangements will be the responsibility of the Technical Services Manager of the Technical Services. Staff will be prevented from loading software by the configuration of the network Infrastructure.


Section 12 Web site (Internet & Intranet)

12.1 This policy assumes that Internet facilities will not be available unless either protected by firewall or through a stand-alone machine (isolated from the network).

12.2 The Internet facilities rely on a pre-existing infrastructure, which is the subject of a separate system policy.

12.3 Machines which are isolated from the Force network will be subject to separate policies.

12.4 The Internet Development Manager and his staff will be the super users in respect of the web publishing facility.

12.5 Users may include any member of the Constabulary who has been appropriately vetted and members of external organisations with the necessary affiliation agreements. Users who are not members of the Constabulary will not be allowed access to the system without the express agreement of the Information Security Officer.

12.6 Any web site under the name of the Avon and Somerset Constabulary will not be published without the authority of the Internet and Multimedia Manager. Where there is collaboration on partnership websites, either existing or in development, the Internet and Multimedia Unit will be consulted.

12.7 The Intranet system will be treated as RESTRICTED whilst within the Force network. CJX (also referred to as the Police National Network) is also treated as a separate RESTRICTED environment.

12.8 Classified or sensitive material will not exist on the internet web site. This facility will be treated as Not Protectively Marked.

12.9 Web browsing can be considered as Not Protectively Marked.

12.10 Material will be authorised for inclusion on the internet web site (or removal) by the authority of Head of Corporate Communications.

12.11 The Internet will not be used for:

- Any form of private or personal business or any activity for personal gain or benefit.

- Any form of “instant messaging”.

- Gambling, betting and lottery activities.

- Engaging in political activity (this will not prevent the transaction of approved Staff Association business).

- Posting disciplinary outcomes or grievance information from which an individual can be personally identified.

- Discrediting or misrepresenting the Avon and Somerset Constabulary and or any other organisations.

- Promotion or canvassing of social functions without authorisation.

- Seeking charitable donations without authorisation.

- Unsolicited and repeated requests for services (e.g. nagging / bullying / harassing reminders).

- Unsolicited, repeated and unauthorised message broadcasts.

- Any communication motivated by racial, sexual, gender, ethnic origin, language, religious, political opinion, national or social origin, association with a national minority, property, birth, sexual orientation, disability or other status (this definition complies with article 14 ECHR) which could be considered as harassment, discriminatory, defamatory, offensive or slanderous.

- Distributing and transmitting information or material (internally or externally) which is Protectively Marked RESTRICTED or above.

- Distributing and transmitting information or material (externally) which is Protectively Marked CONFIDENTIAL unless it is protected by a nationally approved form of encryption.

- Publishing or distributing aggressive, abusive, obscene, offensive, pornographic, lewd, inflammatory and deliberately anti-social mail (flame mail).

- Staff will not post comments on message boards or other forums (e.g. “blogs”) other than in an official capacity.

- Accessing personal web-mail accounts such as “Hotmail, Yahoo etc”.

12.12 The intranet provides an area in which private individuals who are members of staff may make announcements, including advertising items for sale. Advertisements will not be accepted from (or on behalf of) anyone who is not a member of the Constabulary. Exceptional cases will be decided by the Head of Corporate Communications.

12.13 The following may be treated as disciplinary matters:

- Neglect of duty (e.g. due to excessive or frivolous browsing).

- Access/attempt to access any web site which is by nature offensive or discriminatory, including particularly sites which are racist, sexist, discriminatory or otherwise inflammatory.

- Breach of any of the rules in 5 above.

12.14 These systems are designed and implemented for police business purposes. Staff have no entitlement to use the systems for private (i.e. personal or domestic) purposes. However, at the discretion of District Commanders / Departmental Heads, restricted use may be allowed for personal and domestic purposes on certain conditions:

- this is a privilege which may be withdrawn by the Business Process Owner

- the rules in this section above apply when the systems are used for personal or domestic purposes

- it is accepted by the user that the content of all material developed, sent or received will be monitored – all content will be electronically examined for unsuitable material

- no liability attaches to the force for any breach of confidentiality, breach of integrity or lack of availability of police systems.

12.15 It is emphasised that there can be no expectation of privacy in relation to any material processed or stored by Force IT and Communication Systems. The Constabulary reserves the right to monitor and or intercept data when properly authorised:

- To ensure the security and integrity of the system.

- To formally investigate complaints.

- To maintain discipline and professional standards.

- During any criminal enquiries or allegations.

- To provide evidence of transactions.

- To provide evidence of other communications to establish facts.

- To ascertain compliance with regulatory practices and procedures.

- For audit purposes.

- To detect the unauthorised use of electronic communication systems.

- Protecting the network against malicious software / code incidents, service denial and unauthorised penetration attacks.

This right will normally be exercised by electronic content filtering techniques in the first instance.

12.16 Reasons for withdrawing the restricted privilege of private and personal use include:

- Technical difficulty including volume control and cost implications.

- Misuse, such as neglect of duty, or breach of other rules in section 5 above.

- Unreasonable or excessive use of the facility afforded to employees. Managers and supervisory staff will need to make a judgement about what amounts to unreasonable or excessive use in the context of the workplace at the time. This judgement may be based on analysis of the time spent, the number of transactions sent or received, disruption to official work, and/or the effect on other staff members and their schedules of work.

12.17 A benchmark will be sending/receiving in excess of 10 messages during any working day. These are only guidelines and may vary according to other considerations or judgements made by managers or supervisors.

12.18 The following will be trained as guidance:

- Evidence may be open to challenge unless it is handled properly. For example, a photograph taken by a mobile phone is likely to be admissible only if secured as soon as possible.

- Space is limited. Video takes large amounts of space and its retention will be discouraged except for operational purposes. Users are responsible for the weeding of material. They should bear in mind that the requirements of the Data Protection Act apply – to keep personal information for no longer than necessary.

12.19 The system is the subject of constant electronic monitoring which is capable of providing extensive information as to use/misuse.

12.20 Training for new recruits will be included as a part of the Induction Course.

12.21 All users will be trained by the ICT Training Unit before being granted access to the system.


Section 13 E-mail

13.1 Introduction

13.1.1 The E-mail facility is an official channel of communications for all members of the Constabulary, which creates a duty for all staff to refer to it daily.

13.1.2 E-Mail means the ability to send and receive mail electronically, including attachments, within the rules laid out in this policy. This may be sent:

- Within the Force (intranet)

- Within the Criminal Justice Extranet (CJX) and Government Secure Intranet (GSI) (recognisable by the address which the sender types)

- Via the Internet (world wide) (recognisable by the address typed by the sender).

13.1.3 Users will log onto the mail facilities each workday and read mail received (except where duties prevent them from attending a police station).

13.1.4 All members of the Avon and Somerset Constabulary will have access to the system as users.

13.1.5 An audit facility exists within the Corporate Information Management. Nominated Technical Services staff will have the ability to manage the system.

13.1.6 This system will not be subject to password controls.

13.1.7 Use of e-mail facilities will be monitored through firewall security, automated content checking and virus checking facilities. Content checking will be designed to enforce the rules in section 5 above.

13.2 Access Control

13.2.1 The e-mail systems include a calendar facility. Each user may choose to operate his/her calendar; this is mandatory for staff of Inspector (or police staff grade PO1) or above.

13.2.2 A user may choose to allow access to other users (e.g. secretarial functions, or even general availability). This does not replace any existing diary or office management systems, operational shift or resource management facilities.

13.2.3 The TS Exchange Administrator will be the Super User in respect of the E-mail facility. Technical support will be provided through Technical Services.


13.2.4 Users may include any member of the Constabulary who has been appropriately vetted and members of external organisations with the necessary affiliation agreements. Users who are not members of the Constabulary will not be allowed access to the system without the express agreement of the Information Security Officer.

13.3 System use

13.3.1 Mail up to RESTRICTED may be routed internally and via the Police National Network (PNN3). Staff can be confident that if they address mail to [email protected], the item will be securely handled. If in doubt about the security of an address / route, users may contact the Information Security Team for advice.

13.3.1.1 Material, text or other data, which is protectively marked CONFIDENTIAL or above, will not normally be transmitted by e-mail. In exceptional emergency operational cases, Detective Inspector (Child Protection) or Detective Inspector (Force Intelligence Bureau) may authorise circulations containing confidential information to be transmitted by Force Intelligence Desk Officer.

13.3.2 Staff will be individually responsible for e-mail messages that they send and for all aspects of the conduct of their e-mail account. Where a reply or response is required, it must be sent within 14 days.

13.3.3 The e-mail facilities will not be used for:

- Distributing and transmitting information or material (internally or externally) which is Protectively Marked RESTRICTED or above.

- Distributing and transmitting information or material (externally) which is Protectively Marked CONFIDENTIAL unless it is protected by a nationally approved form of encryption.

- Any form of private or personal business or any activity for personal gain or benefit.

- Any form of “instant messaging”.

- Gambling, betting and lottery activities.

- Engaging in political activity (this will not prevent the transaction of approved Staff Association business).

- Posting disciplinary outcomes or grievance information from which an individual can be personally identified.

- Discrediting or misrepresenting the Avon and Somerset Constabulary and or any other organisations.

- Promotion or canvassing of social functions without authorisation.

- Seeking charitable donations without authorisation.

- Unsolicited and repeated requests for services (e.g. nagging/bullying/harassing reminders).

- Unsolicited, repeated and unauthorised message broadcasts.

- Any communication motivated by racial, sexual, gender, ethnic origin, language, religious, political opinion, national or social origin, association with a national minority, property, birth, sexual orientation, disability or other status (this definition complies with article 14 ECHR) which could be considered as harassment, discriminatory, defamatory, offensive or slanderous.

- Publishing or distributing aggressive, abusive, obscene, offensive, pornographic, lewd, inflammatory and deliberately anti-social mail (flame mail).

13.3.4 It is best practice when using the e-mail facilities to target the distribution and publication of information to individuals or mailing groups.

13.3.5 Global broadcasts (to all police and all police staff or multiple districts) are not permitted unless in extraordinary circumstances: the authority of an Inspector or any higher rank, or police staff equivalent, is required for the sending of a Global broadcast.

13.3.6 Global broadcasts will (in extraordinary circumstances) be permitted only via a template for the purpose, and provided that it does not include any:

- Information which is not strictly Police business.

- Information which contains personal details of a sensitive nature which may cause offence or embarrassment to the individual should not be the subject of a global broadcast.

- Detailed information of an operational nature which is of interest, utility or application to specific individuals or groups of officers/staff only should not be the subject of a global broadcast.

- Detailed information of victims, witnesses, crime scenes, modus operandi, investigation progress, reports, forensic samples, and other evidence which is of interest, utility or application to specific individuals or groups of officers/staff only should not generally be the subject of a global broadcast.

13.3.7 Where operational Global messages are given a lower status, they may be authorised by Information Security Team.

- Force organisations such as the Force Club may use the facility, but must communicate to a membership list rather than on a global basis.

13.3.8 The sending or receiving of mail attachments, to and from personal home computers, for the purpose of home working without authorisation (which is subject to mandated security procedures being in place) is prohibited. See also Section 5 of the Information Security Manual for further detail.

13.3.9 The auto-forward facility will not be used to forward E-mails to a home address without the authority of the Head of IT or Force Information Security Officer.

13.3.10 The system has been designed and implemented for police business purposes. Staff have no entitlement to use the systems for private (i.e. personal or domestic) purposes. However, at the discretion of District Commanders / Departmental Heads, restricted use may be allowed for personal and domestic purposes on certain conditions:

- this is a privilege which may be withdrawn by the Business Process Owner

- the rules in section 5 above apply when the systems are used for work, personal or domestic purposes

- it is accepted by the user that the content of all material developed, sent or received will be monitored – all content will be electronically examined for unsuitable material

- no liability attaches to the force for any breach of confidentiality, breach of integrity or lack of availability of police systems.

13.3.11 It is emphasised that there can be no expectation of privacy in relation to any material processed or stored by Force IT and Communication Systems. The Constabulary reserves the right to monitor and or intercept data when properly authorised. This right will normally be exercised by electronic content filtering techniques in the first instance:

- To ensure the security and integrity of the system.

- To formally investigate complaints.

- To maintain discipline and professional standards.

- During any criminal enquiries or allegations.

- To provide evidence of transactions.

- To provide evidence of other communications to establish facts.

- To ascertain compliance with regulatory practices and procedures.

- For audit purposes.

- To detect the unauthorised use of electronic communication systems.

- Protecting the network against malicious software / code incidents, service denial and unauthorised penetration attacks.

13.3.12 The following may be treated as disciplinary matters:

- Neglect of duty (e.g. due to excessive or frivolous mailing).

- Sending (or attempting to send) or soliciting any obscene, racist, sexist, or discriminatory or otherwise abusive, offensive or inflammatory material which would be eligible for discipline if it had otherwise been distributed, displayed or said orally or in writing. Or sending or soliciting material which breaches other law (e.g. Copyright and Patents Act).

- Unauthorised disclosure – exporting (or attempting to export) sensitive or classified information. This will include sending or exporting classified information without authorisation to another Constabulary, or government organisation, and including to a domestic e-mail facility in order to work at home.

- Advertising or other unauthorised commercial activities (includes chain letters) whether or not for gain.

- Unauthorised use of false identities.

- Use/attempted use of unauthorised software or services. Software, electronic information facilities and services are authorised by the Technical Services Manager and implemented through specialists from the Information Services only.

- Access/attempt to access e-mail belonging to others except for the purpose of supervision.

- Access/attempt to access any web site which is by nature offensive or discriminatory, including particularly sites which are racist, sexist, discriminatory or otherwise inflammatory.

- Breach of any of the rules in 5 above.

13.3.13 Reasons for withdrawing the restricted privilege of private and personal use include:

- Technical difficulty including volume control and cost implications.

- Misuse, such as neglect of duty, or breach of other rules in 5 above.

- Unreasonable or excessive use of the facility afforded to employees. Managers and supervisory staff will need to make a judgement about what amounts to unreasonable or excessive use in the context of the workplace at the time. This judgement may be based on analysis of the time spent, the number of transactions sent or received, disruption to official work, and/or the effect on other staff members and their schedules of work.

- A benchmark will be sending/receiving in excess of 10 messages during any working day. These are only guidelines and may vary according to other considerations or judgements made by managers or supervisors.

13.3.14 The following will be trained as guidance:

- E-mail is a recognised and official method of communication within the Constabulary.
- Treat unexpected e-mail as suspicious.
- Treat unexpected attachments as highly suspicious.
- Observe e-mail etiquette: do not over-use capitals (it may be understood as SHOUTING).
- Keep messages short and simple.
- Space is limited. Limits are likely to be reached at about 1000 messages per user. Video takes large amounts of space and its retention will be discouraged except for operational purposes. Users are responsible for the weeding of material. They should bear in mind that the requirements of the Data Protection Act apply: personal information is to be kept for no longer than necessary.
- Tell recipients what you want them to do with the information (e.g. respond, act, file or destroy).
- The system is subject to constant electronic monitoring, which is capable of providing extensive information as to use or misuse.
- Sending a message is not always enough, especially where the fact, time or date of receipt is in some way critical. For example, in cases of duty change it is incumbent upon the supervisor to ensure that the subject is actually aware of the change: responsibility for ensuring arrival lies with the sender.


- Every opportunity should be taken to ensure that members of the public do not rely on this system in relation to emergencies, material or issues of operational importance, or where confidentiality is important. (This includes the provision of an automated response in accordance with the national standard.)
- There is no restriction on the sending and receiving of e-mail attachments.
- Many users of e-mail complain about receiving too much. Users are encouraged to consider this aspect before sending.
- Outlook Calendar is a more appropriate method of arranging meetings than a series of e-mails.
- It is bad practice to send RESTRICTED information to large groups of people, because it increases the likelihood of a security breach.

13.3.15 Users must be aware that this system is available to a large number of people. All should be vetted, but not all of them are members of the Force (the system includes the Crown Prosecution Service, the Police Authority, some Probation Service staff, staff from other forces, the Police Federation and Unison).

13.3.16 When sending an e-mail, users will be required (by an automated process) to classify the information it contains as RESTRICTED or NOT PROTECTIVELY MARKED. The e-mail item will then show that marking within the Subject line.

13.3.17 The extent to which staff are permitted to use the facilities for personal purposes within working time will be a matter for the discretion of line managers. In the absence of other agreement, a maximum of 10 personal e-mails sent externally will apply per working day.

13.3.18 When giving an e-mail address orally, electronically or in writing, staff will give advice that the police e-mail system is monitored.

13.3.19 The e-mail monitoring process will not block the sending of messages by police users, although a copy will be retained for audit purposes.

13.3.20 Incoming mail will be monitored and blocked where necessary.

13.3.21 Users seeking the early release of inbound messages should call the Information Security Team via extension 66103.

13.3.22 The Team will monitor the system during office hours and routinely release mail as appropriate without prompting.

13.4 Training


13.4.1 The following will be trained as guidance:

- Evidence may be open to challenge unless it is handled properly. For example, a photograph taken by a mobile phone is likely to be admissible only if secured as soon as possible.
- E-mail is a recognised and official method of communication within the Constabulary.
- Intelligence is circulated force-wide by FIB staff.

13.4.2 The following are examples of e-mails which should not be sent on a global basis:

- Social events
- Congratulations
- Lost/found property (including ID cards)
- Shared transport
- Births/marriages (NB: staff/pensioner death messages are acceptable)

Users must be aware that this system is available to a large number of people. All should be vetted, but not all of them are members of the Force (the system includes the Crown Prosecution Service, the Police Authority, some Probation Service staff, staff from other forces, the Police Federation and Unison).

13.4.3 When sending an e-mail, users will be required (by an automated process) to classify the information it contains as RESTRICTED or NOT PROTECTIVELY MARKED. The e-mail item will then show that marking within the Subject line.
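Paragraphs 13.3.16 and 13.4.3 describe the marking step, 13.3.14 and the Good e-mail Guide warn against RESTRICTED material going to large groups, and 13.3.12 treats export of classified information to outside addresses as unauthorised disclosure. The following is an added example, not the Constabulary's own gateway software, of how an outbound audit check could read that Subject-line marking and record findings for the audit copy. The marking format (the marking as the first words of the Subject, with or without square brackets), the internal domain `example.police.uk`, the 20-recipient "large group" threshold and the sample messages are all assumptions constructed for the example.

```python
# Added example (not the Constabulary's own software): an outbound-mail audit
# check built on the e-mail marking guidance in this manual. It parses RFC 822
# messages with the standard library, reads the protective marking at the start
# of the Subject line and records findings for the audit copy. Nothing is
# blocked, matching 13.3.19 (outbound mail is copied for audit, not stopped).
# Assumptions, not stated in the manual: the marking is the first words of the
# Subject; "example.police.uk" stands in for the internal domain; 20 or more
# recipients counts as a "large group".
from email import message_from_string
from email.utils import getaddresses

MARKINGS = ("RESTRICTED", "NOT PROTECTIVELY MARKED")
INTERNAL_DOMAIN = "example.police.uk"  # assumed internal domain
LARGE_GROUP = 20                       # assumed threshold for "large group"


def marking_of(subject):
    """Return the protective marking prefixed to the Subject, or None if unmarked."""
    text = (subject or "").strip().upper()
    for marking in MARKINGS:
        if text.startswith(marking) or text.startswith("[" + marking + "]"):
            return marking
    return None


def recipients_of(msg):
    """All To/Cc/Bcc addresses, lower-cased, with display names stripped."""
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def audit(raw_message):
    """Classify one outbound message against the marking rules.

    Returns a dict suitable for an audit log; 'findings' is empty when nothing
    needs a second look.
    """
    msg = message_from_string(raw_message)
    marking = marking_of(msg["Subject"])
    rcpts = recipients_of(msg)
    external = [r for r in rcpts if not r.endswith("@" + INTERNAL_DOMAIN)]
    findings = []
    if marking is None:
        findings.append("unmarked")  # classification step was skipped
    if marking == "RESTRICTED":
        if len(rcpts) >= LARGE_GROUP:
            findings.append("restricted-to-large-group")  # 13.3.14, Good e-mail Guide
        if external:
            findings.append("restricted-to-external")  # 13.3.12 unauthorised disclosure
    return {
        "from": msg["From"],
        "marking": marking,
        "recipients": len(rcpts),
        "external": len(external),
        "findings": findings,
    }


# Constructed sample messages for the example (not real traffic).
SAMPLE_OK = (
    "From: a.officer@example.police.uk\n"
    "To: b.officer@example.police.uk\n"
    "Subject: RESTRICTED Duty change for Tuesday\n\n"
    "Please confirm you have seen this.\n"
)
SAMPLE_UNMARKED = (
    "From: a.officer@example.police.uk\n"
    "To: c.officer@example.police.uk\n"
    "Subject: Lost ID card\n\n"
    "Has anyone seen it?\n"
)
SAMPLE_BROADCAST = (
    "From: a.officer@example.police.uk\n"
    "To: " + ", ".join("user%d@example.police.uk" % i for i in range(25)) + "\n"
    "Subject: RESTRICTED Crime report\n\n"
    "See attached.\n"
)
SAMPLE_EXTERNAL = (
    "From: a.officer@example.police.uk\n"
    "To: a.officer@example.com\n"
    "Subject: [RESTRICTED] Work to finish at home\n\n"
    "Copy for tonight.\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_OK, SAMPLE_UNMARKED, SAMPLE_BROADCAST, SAMPLE_EXTERNAL):
        print(audit(raw))
```

Because 13.3.19 says outbound mail is copied rather than blocked, `audit` only returns findings for the audit log; a gateway that wanted to quarantine would act on `findings` instead. Note also that 13.3.15 lists partner organisations on the same system, so a single internal domain is a simplification: a real check would need the full list of trusted domains, and the marking prefix would have to match whatever the automated classification step actually writes into the Subject.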

13.4.4 The extent to which staff are permitted to use the facilities for personal purposes within working time will be a matter for the discretion of line managers. In the absence of other agreement, a maximum of 10 personal e-mails sent externally will apply per working day.

13.4.5 When giving an e-mail address orally, electronically or in writing, staff will give advice that the police e-mail system is monitored.

13.4.6 The e-mail monitoring process will not block the sending of messages by police users, although a copy will be retained for audit purposes.

13.4.7 Incoming mail will be monitored and blocked where necessary.


13.4.8 Users seeking the early release of inbound messages should call the Information Security Team via extension 66392.

13.4.9 The Team will monitor the system during office hours and routinely release mail as appropriate without prompting.

13.4.10 All users will be trained by the ICT Training Unit before being granted access to the system.

13.4.11 Training for new recruits will be included as a part of the Induction Course.

References

- ACPO Community Security Policy
- CESG Memos
- Computer Misuse Act 1990
- Copyright, Designs and Patents Act 1988
- Data Protection Act 1998
- "Electronic Communications at Work" (2nd Edition) (Cabinet Office publication)
- Employment Practices Data Protection Code, Part 3: Monitoring at Work
- ISO 17799 / BS 7799 Information Security Management
- ITSEC Certified Product List
- Her Majesty's Government Infosec Standards
- Manual of Protective Marking and Catalogue of Security Products
- Regulation of Investigatory Powers Act 2000
- Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, SI 2000 No. 2699

4 Derived from the Manual of Protective Security.


Appendix A Terms and Definitions

Abbreviation   Description
ACPO           Association of Chief Police Officers
A & S          Avon and Somerset Constabulary
CJX            Criminal Justice Extranet
ECHR           European Convention on Human Rights
GSI            Government Secure Intranet
ICT            Information and Communications Technology
IT             Information Technology
TS             Technical Services (part of South West One)


Appendix B Good e-mail Guide

Please DO use e-mail to:

- invite people to meetings by using the Outlook Calendar attendee button (see "Meetings" below for instructions on how to do this)
- circulate documents such as agendas, minutes and policies for comment or review
- leave a message for someone you know to be out (as an alternative to a post-it)
- send the same message to multiple recipients; however, please ensure you only send it to those people who really need to see it
- send a message which would be easier to understand in writing than verbally
- ask for a simple decision on something by using the voting buttons option (see overleaf for instructions on how to do this)
- tell your colleagues about news or social events, but please make sure it is only sent to immediate colleagues who will be interested in the information

Please DO NOT use e-mail to:

- send global messages to everyone in the Force, or any large group of people, unless there is a clear operational need to do so and you have District Commander / Department Head authorisation
- ask people what dates they are available for a meeting; use the Outlook Calendar attendee button instead (see "Meetings" below)
- circulate jokes, for sale notices, wanted notices, lost and found notices, work do's and other trivia force-wide; if your item is appropriate, use the bulletin boards on the Intranet instead
- send court results to the whole force; use the Corporate Communication Unit's new screen saver message to publicise them instead
- send photos for identification to the whole force; e-mail them to the new Briefing Officers mailbox instead and get them included in sector intelligence briefings
- send RESTRICTED information, such as crime reports containing personal details, to large groups of people; we have a duty of care to protect that information
- send CONFIDENTIAL information under any circumstances; e-mail is not secure enough for this level of information

Meetings

You can use the Outlook system to schedule group meetings. Outlook can check the calendar of everyone coming to the meeting for you and find a time convenient to everyone.

To plan or request a meeting:

- Open your calendar
- Create a new appointment or meeting request (File/New/Meeting request)
- Click the Attendee Availability tab
- Click the Show Attendee Availability button
- Enter the names of the people you want to attend the meeting underneath your name, or click Invite Others to select names from the address book
- You can now see the calendar for everyone you want at the meeting. Pick a date and time manually, or click Auto Pick to have Outlook find a date and time that everyone can make
- Click on the Appointment tab
- Describe the meeting in the subject box, add any extra details in the body text, and then click Send

Outlook puts the meeting in your calendar and then sends an e-mail to everyone inviting them to that meeting.

To respond to a meeting request:

- Open the meeting request e-mail in your Outlook Inbox
- Decide if you want to accept the meeting and add any comments explaining your decision
- Click the appropriate response, i.e. Accept, Tentative or Decline

Outlook will send your reply to the meeting organiser. If you accept the meeting it is automatically added to your calendar.
