Protective monitoring is essential to identify and detect threats to ICT systems.
The active use of protective monitoring tools supports the identification of signs of attack, unusual system behaviour, or activity that is not in accordance with organisational policies. The retrospective use of protective monitoring tools supports the investigation and understanding of identified incidents.
The use of protective monitoring within Dyfed-Powys Police not only supports the protection of local systems, but also provides assurance to partner agencies and organisations as to the security of Dyfed-Powys Police ICT systems and the data held on these systems.
Dyfed-Powys Police is supported by the National Management Centre (NMC), the nationally-supported cyber security protection facility for police forces across England and Wales, who carry out a monitor and alert function on behalf of the Force.
The business processes and technology used as part of protective monitoring within Dyfed-Powys Police provide oversight as to how ICT systems are used, or misused, and provide assurance of user accountability in the use of ICT facilities.
Examples of protective monitoring include, but are not limited to, the inspection of firewall logs, the investigation of security alerts, and the monitoring of intrusion detection systems.
The main aims of protective monitoring are:
To ensure the data integrity of the information held
To enhance operational security
To identify misuse
To monitor exceptional usage
To support intelligence led investigations
To aid in the investigation of any abuse of position for personal gain / benefit of others
To protect Dyfed-Powys Police information and assets from malicious or accidental disclosure
Dyfed-Powys Police deploys protective monitoring systems across the Force network. Users must accept that at some time their activities, whilst accessing or processing information, may be subject to scrutiny and monitoring.
Applies (but not limited) to: All categories of Dyfed-Powys Police employees, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors) or seconded staff. Any employee accessing and using Force assets and property must have due regard to the contents of this policy.
2. Policy Scope
This policy does not over-ride any existing procedures or policies nor negate any existing guidance regarding Information Security, Data Protection or Acceptable Use; however, it does supplement such policies, with a specific focus on the protective monitoring of the Dyfed-Powys ICT network, and the data held within or transported by it.
Securing data is of paramount importance to Dyfed-Powys Police, particularly in relation to the need to protect data in line with the requirements of the Data Protection Act 2018 and the UK General Data Protection Regulation.
Any loss of the ability to access information or interference with its integrity could have a significant effect on the efficient operation of Dyfed-Powys Police. It is therefore essential for the continued operation of Dyfed-Powys Police that the confidentiality, integrity and availability of all ICT systems is maintained at a level which is appropriate to Dyfed-Powys Police needs.
Protective monitoring is a key requirement to ensure:
Attacks can be detected, whether internally or externally, deliberate or accidental, and against technical infrastructure or services
Reactionary measures can be implemented, by understanding the threat vector as identified via protective monitoring
Activity can be accounted for, to ensure attacks do not go unnoticed and that any non-compliance with legal or regulatory requirements (by users/systems/services) can be identified
Non-compliance with this policy could have a significant effect on the efficient operation of Dyfed-Powys Police activities as a result of potential/actual harm to Force systems, services and data, and could lead to legal and/or reputational damage to the Force.
3. Powers and Policy/Legal Requirements
This policy meets organisational requirements and is compliant with control measures as recommended both by the National Institute of Standards and Technology (NIST), primarily the ‘Detect’ function and range of related controls as part of the NIST Cybersecurity Framework, and by the National Cyber Security Centre (NCSC), namely ‘Logging and Monitoring’ as part of the NCSC’s ‘10 Steps to Cyber Security’.
The Force complies with the following legislation and all other legislation as appropriate, including, but not limited to:
Computer Misuse Act 1990
Data Protection Act 2018
UK General Data Protection Regulation
Human Rights Act 1998
Official Secrets Act 1989
Electronic Communications Act 2000
Regulation of Investigatory Powers Act 2000 (RIPA)
Freedom of Information Act 2000
Related policies, standards, procedures, practices, including, but not limited to:
Dyfed-Powys Police Information Security Policy and Associated Standards
Dyfed-Powys Police Cyber Security Policy
Dyfed-Powys Police Acceptable Use Policy
Dyfed-Powys Police Data Protection Policy
4. Options and Contingencies
Policy Owner: The policy is owned by the Head of ICT who is responsible for regularly monitoring the policy for its effectiveness, challenges to the policy, any changes to NIST and NCSC guidance, and any inefficiencies in relation to the implementation of this policy.
Approval Process: Decisions regarding the implementation of the policy are approved by the Information Assurance Board.
The following Code of Ethics principles are relevant to this policy:
Accountability - We are answerable for our decisions, actions and omissions.
Fairness - We treat people fairly.
Honesty - We are truthful and trustworthy.
Integrity - We always do the right thing.
Leadership - We lead by good example.
Objectivity - We make choices based on evidence and our best professional judgement.
Openness - We are open and transparent in our actions and decisions.
Respect - We treat everyone with respect.
Selflessness - We act in the public interest.
5. Take action and review
Protective monitoring is carried out by the ICT Department. Any findings are subject to review and where required are escalated to the Cyber Resilience Group, the role of which is to provide oversight on all matters pertaining to the current and emerging cyber threat landscape, and to define an appropriate and acceptable security posture for the Force.
Any issues that cannot be resolved by the Cyber Resilience Group or require escalation will be formally considered at the Information Assurance Board.
Guidance and recommendations from relevant organisations, including NIST and NCSC, are considered when reviewing this policy.
This policy is reviewed annually.
CODE OF ETHICS CERTIFICATE OF COMPLIANCE
This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.
HUMAN RIGHTS ACT CERTIFICATE OF COMPLIANCE
This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.
EQUALITY IMPACT ASSESSMENT
Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.
The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:
eliminate discrimination, harassment, victimisation, and any other conduct that is unlawful under the Act;
advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it;
foster good relations between persons who share a relevant protected characteristic and persons who do not share it.
The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.
Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty.