Minimum security controls – third party information sharing and processing policy

Policy overview

Aim

The aim of this policy is to ensure that we define a minimum set of security controls when:

  • third parties process personal data on our behalf
  • we share personal data with third parties, often as part of an information sharing agreement
  • we share other data which if compromised would have a negative impact on:
    • service delivery
    • reputation
    • finance
    • people

Introduction

We regularly share information with third parties to maximise public service delivery. It is important that this information is protected to:

  • help reduce information risk
  • assist us in meeting our legal obligations

Minimum security controls

The type and complexity of security controls and the extent to which they are deployed will be dictated by various factors.  This includes:

  • the method of processing and sharing
  • the sensitivity of information
  • the amount of information involved

It is necessary to set out minimum security controls to protect information. This promotes:

  • a consistent approach
  • support for service areas in performing their business activity in a safe and secure manner

To ensure the standards are communicated and agreed by third parties they must be formalised.  This can be within an information sharing agreement or written contract depending on the nature of the third-party relationship. 

Any deficiencies in controls must be subject to a documented risk management process.  Where appropriate, a remedial action plan must be implemented with the aim of reducing those deficiencies where possible.  

Levels of assurance

To gain confidence that security measures are genuine and effective we will seek assurance in three areas:

  • assertion from the third party, and an evaluation of relevant security measures that support that assertion
  • evidence of independent validation of security measures
  • commitment to meeting minimum standards via contract or other formal agreement

The method of processing by third parties will normally define the level and type of assurance required. Methods of processing include:

  • on demand over the internet, for example cloud-based:
    • the use of cloud-based services to process our information will require a specific form of security assurance. This is due to the types of threat these services face.
  • limited to third party premises and network environment:
    • this may involve both electronic and hard-copy information. We will require assurances around the third party's local security controls.
  • limited to our own premises and network

The Information Assurance team will ensure that staff are provided with support relevant to:

  • the type of processing
  • level of assurance required
  • any associated risks 

Management and review

During the life of any agreement or contract the security controls defined at the initial stages must be reviewed as part of the contract management process.  This will ensure they continue to be applied and remain current.

Any remedial action plan borne out of a deficiency in controls must also be reviewed.  This will ensure progress is being made in line with target dates.

Further Information

For further information please contact the Information Assurance team by email at IA@lincolnshire.gov.uk.

Annex A – minimum security controls

General

A security policy must be in place which:

  • sets out management commitment to information security
  • defines information security responsibilities
  • ensures appropriate governance

All staff must complete data protection and information security training commensurate with their role. 

We will apply pre-employment checks, which take account of relevant employment legislation, to all staff. This will include verification of identity and right to work.

IT infrastructure

Boundary firewall and internet gateways

Information, applications, and devices must be protected against unauthorised access and disclosure from the internet.  This will be done by the use of:

  • boundary firewalls
  • internet gateways
  • equivalent network devices

Secure configuration

Information and communications technology (ICT) systems and devices must be configured to reduce the level of inherent vulnerabilities.  They will only provide the services required to fulfil their role.

User access control

User accounts must:

  • be assigned to authorised individuals only
  • be managed effectively
  • provide the minimum level of access to:
    • applications
    • devices
    • networks
    • data

Access control (such as username and password, or two-factor authentication) must be in place.

A password policy must be in place which includes:

  • avoiding the use of weak or predictable passwords
  • ensuring all default passwords are changed
  • ensuring robust measures are in place to protect administrator passwords
  • ensuring account lock out or throttling is in place to defend against automated guessing attacks

End user activity must be auditable and include the identity of end-users who have accessed systems. 

Malware protection

Mechanisms to identify, detect and respond to malware on ICT networks, systems and devices must be in place. These mechanisms must be fully licensed, supported, and have all available updates applied.

Patch management and vulnerability assessment

Updates and software patches must be applied in a controlled and timely manner. They must be supported by patch management policies. 

You must adopt a method for gaining assurance in your organisation's vulnerability assessment and management processes, for example by undertaking regular penetration tests.

Software that is no longer supported must be removed from ICT systems and devices.

Backups and recovery

ICT systems processing our data must be subject to operational procedures which support effective and secure backup. Backup arrangements must be regularly tested to ensure the process is successful and meets the requirements of the Backup Policy.

Cloud services

Controls applied to the use of cloud services must satisfactorily support the relevant security principles set out in the National Cyber Security Centre Cloud Security Principles.

Protecting data

International transfers of personal data

In accordance with data protection legislation, a transfer of personal data must be within the UK unless:

  • the rights of the individuals in respect of their personal data are protected in another way (subject to our approval), or
  • one of a limited number of exceptions applies. We must be made aware of any exceptions and the location of data transfers

Electronic data

Electronic copies of data must be encrypted at rest to protect against unauthorised access. 

Data stored on servers must also be adequately protected, for example by encryption. Alternatively, there must be suitably robust physical security controls.

An encrypted communication protocol, for example Transport Layer Security (TLS), must be used when transmitting data:

  • over the internet
  • over a wireless communication network such as Wi-Fi
  • over an untrusted network 

You must only use ICT which is under your governance and subject to the controls set out in this policy.

Hard copy data

Hard copy data must be stored securely when not in use.  Access to the data must be controlled. 

It must be transported in a secure manner:

  • commensurate with the impact a compromise or loss of information would have
  • which reduces the risk of loss or theft

Secure deletion of data

Electronic copies of data must be securely deleted when no longer required.  This includes data stored on:

  • servers
  • desktops
  • laptops
  • other hardware and media 

Hard copy data must be securely destroyed when no longer required. 

Secure destruction and deletion means the removal of data so it cannot be recovered or reconstituted.

Evidence of secure deletion or destruction may be required to provide the necessary assurance.

Security incidents or personal data breach

You must notify us without undue delay of any fact or event which results in, or has the potential to result in, the compromise, misuse, or loss of our:

  • information
  • ICT services
  • assets

You must notify us without undue delay of any personal data breach if it relates to personal data processed on our behalf. 

You must fully co-operate with any investigation we require as a result of such a security incident or personal data breach.

Compliance 

We must be informed of any non-compliance with these controls.  Any deficiencies in controls must be subject to a documented risk management process. Where appropriate a remedial action plan is to be implemented with the aim of reducing, where possible, those deficiencies.  

Independent validation which has been used as evidence of appropriate security controls must be maintained throughout the life of the contract or agreement.  

We must be made aware of any expired or revoked evidence used as independent validation.