Table of contents

System Users and Application Administrators

Note: This document is Legacy IA Policy. It is under review and likely to be withdrawn or substantially revised soon. Before using this content for a project, contact the Security team.

How to use this document

This policy applies to all staff and contractors who work for the Ministry of Justice (MoJ).

Who does it apply to?

All Users of the “[ORGANISATION]” Information and Communications Technology (IT) systems.

This document is designed to help Users utilise and access “[ORGANISATION]” IT systems in a safe and secure manner. Everyone using “[ORGANISATION]” IT systems must follow these procedures.

When and how should these procedures be used?

Users’ Security Awareness training will cover these procedures.

Users must read this document prior to using any “[ORGANISATION]” IT Systems for the first time, and revisit it every six (6) months to remind themselves of the procedures. Regular audits will be performed to check that these procedures are being followed.

Users must understand that they are responsible for maintaining the security of “[ORGANISATION]” systems, and that failure to comply with these SyOPs could lead to compromise of the “[ORGANISATION]“‘s infrastructure or even the entire GSI. Users must note further that either failure to comply with this SyOPs or failure to return the security sign off form would be considered a breach of the “[ORGANISATION]” IT Security Policy.

For further all the security related information required, please refer to:

  • The “[ORGANISATION]” staff intranet Security homepage

  • Remote User Security Operating Procedures (SyOPs) (if applicable)

  • Blackberry User SyOPs (if applicable)

|Area of control|All Users|Application Administrators Only| |Shut-down and start-up|Start-up: - A physical inspection of the workstation must be carried out for any signs of tampering prior to switching the machine on.

  • The sharing of credentials, and attempting to logon as someone else (or with credentials which you are not authorised to use), are strictly forbidden.

Shut-down: - Users must log-off the workstation and ensure it is switched off whenever left unattended for more than 4 hours or overnight.

| |Physical access controls|- Only authorised members of staff with registered user accounts are permitted access to the system.

  • The equipment used to access the system must be checked on a daily basis for evidence of tampering or suspicious devices attached to it, for example unknown Universal Serial Bus (USB) devices attached to the rear of the main workstation.
  • Protectively marked and sensitive hardcopy material must be securely stored away under lock and key following the [ORGANISATION] Clear Desk Policy, published on the [ORGANISATION] intranet.
  • When accessing the system from portable computing devices, access is only to be made in approved area (refer to the SyOPs for Remote Access use.
  • Visitors must be supervised during working hours, and any sensitive documentation being worked on is to be hidden from line of sight as much as possible.

| |Awareness|- When visitors are present, ensure that they are only able to access information for which they have a need-to-know.

  • Users must be aware of anyone ‘shoulder surfing’ and viewing information for which they do not have a need-to-know.
  • Users must not hold conversations over any telephone or send communications via fax or email if the information being discussed is protectively marked RESTRICTED.

| |Identification and authentication|- Users must not attempt to log on as another user, or share their system access credentials with others.

  • Users must not allow unauthorised users to observe their screen.
  • Users must not allow any person to observe them entering their system access credentials (e.g. password).
  • Passwords used on the system must be created in line with the [ORGANISATION] Password Standard.
  • Users must invoke the screensaver before leaving their workstation unattended (by pressing ‘windows’ key + L).
  • A User account must only be created with permissions commensurate to that User’s business role, and are only to be enabled once a signed copy of these SyOPs have been received from the user.
  • A User account must be disabled when that staff member leave the [ORGANISATION] or where their business role does not require them to have access.

|| |Resetting user passwords|- To change a password, Users must hold down Ctrl + Alt + Delete on their keyboard and select ‘Change Password’.

| |System Use|- Users must not exceed (or attempt to exceed) their given access privileges, amend the system configuration or plug in any unauthorised devices.

  • Any unauthorised attempt at changing the configuration of the system, escalating privileges or installing devices/software may be subject to investigation and formal disciplinary action.
  • Unauthorised software must not be installed or used on the system.
  • Administrator level accounts should only be used when carrying out administrative tasks; at all other times a Normal User account should be used.

|| |Acceptable use|- The system must only be used in accordance with the [ORGANISATION] Acceptable Use Policy.

  • The system must only be used for the business purposes for which it is intended.
  • Any attempt to use it for other reasons may constitute a disciplinary offence.

| |Import/Export|- A log must be maintained of all file imports/exports, this can either be a paper based or held electronically.

  • All imports/export of electronic data/files to the System must be scanned for malicious code.
  • Users must check and file exports to ensure that only files that they intended to export from one environment to another are exported.
  • Where a network printer are used, Users must ensure print outs are collected promptly to minimise the risk of inadvertent disclosure.

| |Anti virus|In the event of a User suspecting a virus attack on the network, they must carry out the following steps: - If operationally possible, leave the system switched on in its infected condition;

  • Disconnect the affected workstation from the network (where possible);
  • Mark the system and any associate storage media with a label stating that the machine has a suspected virus;
  • Inform the IT Service Desk who will provide assistance.

| |Removable media|- No System media or document is to be removed from the building without prior authorisation from the Information Asset Owner.

  • All media and documents exported from the system must be registered in the media/document register and clearly marked with their protective marking in accordance with the Information Classification and Handling Policy.
  • When a media/document is sent outside the [ORGANISATION] to an external body the following procedures must be adhered to:
    • The export must be covered by an Information Sharing Agreement between the Authority and the external body which has been approved by the Information Asset Owner.
    • Each export must be authorised by the Local/System Manager.
    • Each export must have a data export receipt filled out and returned by the receiver to account for the transactions successful delivery

| |Secure Disposal of Protectively Marked material|- Protectively Marked material must be disposed separately from general waste. Such waste should not be accessible to those without the proper authority.

  • PROTECT and RESTRICTED classified information can be disposed via standard office provided shred bins allocated to hold material up to and including RESTRICTED.
  • For CONFIDENTIAL, SECRET OR TOP SECRET information, Corporate Security Team must be contacted when securely disposing of paper documents, and [ORGANISATION] Security Team must be contacted for the secure disposal of IT devices.
  • Further instructions can be found on the [ORGANISATION] Intranet, Confidential Waste Disposal page.

| |Security Incident and General Reporting Procedures|- All requests for IT support and all reports of IT failures must be logged with the IT Service Desk.

  • Any incident involving a suspected or known security breach involving personnel, hardware, software, communications, document or physical security must be reported immediately to the IT System Manager and the [ORGANISATION] Security Team.
  • Any loss of IT equipment, [ORGANISATION] or personal data should be reported. Report also to the Users’ line manager, the Security team and to the Data Access & Compliance Unit (DACU).

To ensure a quick response all emails must be marked Urgent and have ‘Data Incident’ in the title/subject heading.

By signing I acknowledge that I have read the Security Operating Procedures (SyOPs) and agree to be bound by them.

Name:  
Date:  
Signature:  

Incidents

Note: If you work for an agency or ALB, refer to your local incident reporting guidance.

Security Team

General enquiries, including theft and loss

Technology Service Desk - including DOM1/Mojo, and Digital & Technology Digital Service Desk. Use one of the following two methods for contacting service desk:

Note: The previous itservicedesk@justice.gov.uk and servicedesk@digital.justice.gov.uk email addresses, and the Digital & Technology Digital Service Desk Slack channel (#digitalservicedesk), are no longer being monitored.

HMPPS Information & security:

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.