The Cyber Security Policy states the principles to maintain and support an effective cyber security capability within Dyfed-Powys Police.
It is of paramount importance that Dyfed-Powys Police upholds the ability to Identify, Protect, Detect, Respond and Recover in line with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and that Dyfed-Powys Police continually follows the standards and guidelines as set out by the National Cyber Security Centre (NCSC).
The NIST Cybersecurity Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure, following a prioritised, flexible and repeatable approach. The adoption of NIST methodology for cyber security management facilitates effective management of the cyber security capability and supports associated functions in achieving a strong cyber security posture.
The functional areas of the NIST Cybersecurity Framework are:
Identify – the identification of the cyber threat landscape in relation to the business context, the identification of assets and the level of protection in place, and identification of relevant legal and regulatory requirements.
Protect – the methods used to protect assets, inclusive of ICT procedures and staff awareness training.
Detect – the means and processes to detect the occurrence of a cyber security event, inclusive of protective monitoring and the initial reporting of actual or suspected cyber security events.
Respond – the activities undertaken to respond to a cyber security event and the ability to mitigate the impact of such an event.
Recover – the restoration of functions or services to expected levels and reduction in the overall impact of a cyber security event.
The NCSC is the lead for cyber security in the United Kingdom, providing guidance and support to critical organisations in the UK, the wider public sector, industry, and small and medium enterprises. The NCSC creates practical cyber security guidance, responds to cyber security incidents, and works alongside industry and academia to develop the United Kingdom’s cyber security capability. The guidelines set out by the NCSC facilitate a strong cyber security posture.
Applies (but not limited) to: All categories of Dyfed-Powys Police employees, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors) or seconded staff. Any employee accessing and using Force assets and property must have due regard to the contents of this policy.
2. Policy Scope
Maintaining confidentiality, integrity and availability of data is of paramount importance to Dyfed-Powys Police, particularly in relation to the need to protect data in line with the requirements of the Data Protection Act 2018 and the UK General Data Protection Regulation.
Any event which impacts, or may potentially impact, upon the confidentiality of data, the ability to access data, or the level of data integrity could have an adverse effect on the efficient operation of policing services, and upon the reputation of Dyfed-Powys Police as an organisation.
Dyfed-Powys Police recognises and undertakes practices and procedures, including timely patch management, the use of firewall technology, the production of risk and vulnerability assessments, the carrying out of penetration testing, and the application of mitigations to prevent and/or reduce the impact of cyber security events. The Force operates a dynamic and adaptable cyber incident response capability, appropriate to the potential cyber security events present within the cyber threat landscape.
Information Communications Technology is continually vulnerable to illegal and malicious activity, and to exploitation via internal and external sources. Cyber incident management is a paramount component in effectively managing and protecting against the potential or actual outcome of such vulnerabilities, and in mitigating the impact of cyber security events. Whilst it is impossible to eliminate all cyber security events, proactive prevention is a critical element of a mature incident management capability.
Damage to ICT systems from a cyber security event can occur in a relatively short time period. All users of Dyfed-Powys Police systems should have an awareness of basic cyber security and all users are required to promptly report potential or actual cyber security events, or suspicions thereof, via the dedicated channels available, including the Workstream Tracker system and the ICT Service Desk.
This policy mitigates and reduces the impact of the following risks:
Loss of data confidentiality, integrity and/or availability
Negative impacts upon ICT resources
Disruption to policing services
Negative reputational and/or financial effects
Compliance with this policy protects Dyfed-Powys Police systems and data, thereby supporting the effective delivery of policing services, whilst also providing assurance to the local community, partner organisations, and the wider policing family that cyber security is effectively managed within Dyfed-Powys Police.
3. Powers and Policy/Legal Requirements
This policy is fit for purpose in that it meets organisation requirements and is reflective of measures recommended as part of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and is supportive of practices and guidance endorsed by the National Cyber Security Centre (NCSC) relating to cyber security and incident response.
The Force complies with the following legislation and all other legislation as appropriate, including, but not limited to:
Computer Misuse Act 1990
Data Protection Act 2018
UK General Data Protection Regulation
Human Rights Act 1998
Official Secrets Act 1989
Electronic Communications Act 2000
Regulation of Investigatory Powers Act 2000 (RIPA)
Freedom of Information Act 2000
Related policies, standards, procedures, practices, including, but not limited to:
Dyfed-Powys Police Information Security Policy and Associated Standards
Dyfed-Powys Police Removable Media Policy
Dyfed-Powys Police Protective Monitoring Policy
Dyfed-Powys Police Data Protection Policy
4. Options and Contingencies
Policy Owner: The policy is owned by the Head of ICT who is responsible for regularly monitoring the policy for its effectiveness, challenges to the policy, any changes to National Institute of Standards and Technology (NIST) and National Cyber Security Centre (NCSC) practices and guidance, and any inefficiencies in relation to the implementation of this policy.
Approval Process: Approval of decisions regarding the implementation of this policy is made by the Information Assurance Board.
Key roles in Cyber Security:
Senior ICT Operational Management – Overall ICT leadership and management
Information Security Officer / IT Security Officer – Incident management, liaison and support
Principal ICT Specialist - Security – Technical security lead
ICT Specialists – Security Team – Cyber Security awareness, reporting of actual or suspected incidents
The following Code of Ethics principles are relevant to this policy:
Accountability - We are answerable for our decisions, actions and omissions.
Fairness - We treat people fairly.
Honesty - We are truthful and trustworthy.
Integrity - We always do the right thing.
Leadership - We lead by good example.
Objectivity - We make choices based on evidence and our best professional judgement.
Openness - We are open and transparent in our actions and decisions.
Respect - We treat everyone with respect.
Selflessness - We act in the public interest.
5. Take action and review
Incident reporting in relation to cyber security events is used to quantify issues relating to cyber security which have been reported.
The ICT Department maintains the ability to detect events using various Security Information and Event Management (SIEM) tools; these are used to monitor cyber security events and to highlight any issues relating to cyber security and related policies and procedures.
As part of the Force’s Protective Monitoring capability, the ICT Department receives alerts from the National Management Centre (NMC); these are used to further support ICT in the carrying out of protective monitoring and the identification of cyber security issues.
Any relevant issues relating to cyber security are referred for consideration to the Cyber Resilience Group and are escalated to the Information Assurance Board where necessary.
Practices and guidance from the National Institute of Standards and Technology (NIST) and the National Cyber Security Centre (NCSC) are considered when reviewing and updating this policy, which shall take place annually as a minimum.
CODE OF ETHICS CERTIFICATE OF COMPLIANCE
This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.
HUMAN RIGHTS ACT CERTIFICATE OF COMPLIANCE
This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.
EQUALITY IMPACT ASSESSMENT
Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.
The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:
eliminate discrimination, harassment, victimisation, and any other conduct that is unlawful under the Act;
advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it;
foster good relations between persons who share a relevant protected characteristic and persons who do not share it.
The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.
Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty.