This document states the Supplier Remote Access policy for Dyfed-Powys Police and is to be read in conjunction with the Supplier Remote Access Guide.
Dyfed-Powys Police ensures that the Force's potential exposure to risks associated with remote access connections is minimised by ensuring that only secure methods are used to connect to the Force network.
The aims of this policy and the guide are to:
Applies (but is not limited) to: All categories of Dyfed-Powys Police Officers and staff, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors), seconded staff and volunteers. Police Officers, staff and volunteers accessing and using Force assets and property must have due regard to the contents of this policy.
This policy must be adhered to at all times, specifically in relation to the carrying out of remote access activities by suppliers.
Dyfed-Powys Police recognises that there are risks associated with suppliers remotely accessing Force systems when carrying out legitimate business activities with the Force.
Securing data is of paramount importance – particularly in relation to the need to protect data in line with the requirements of the Data Protection Act 2018 and the UK General Data Protection Regulation.
Any unauthorised access to, or interference with, Force data or information could have a significant effect on the efficient operation of Dyfed-Powys Police. It is therefore essential for the efficient operation of Dyfed-Powys Police that the confidentiality, integrity and availability of all information recording systems are maintained at a level which is appropriate to Force requirements.
This policy and the associated guide aim to mitigate the following risks:
Non-compliance with this policy could have a significant effect on the efficient operation of Dyfed-Powys Police and may result in financial loss and an inability for the Force to carry out its functions.
This policy affects all ICT users who are part of the supplier remote access process and all suppliers who carry out remote access when accessing Dyfed-Powys Police data/systems.
This policy meets organisational requirements and is compliant with control measures as recommended under the ‘Protect’ function of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, specifically ‘PR.AC-3 Remote Access is Managed’ and ‘PR.AT-3 Third-Party Stakeholders understand their roles and responsibilities’, and with recommendations provided by the National Cyber Security Centre (NCSC) relating to principles of supply chain security.
The Force complies with the following legislation and all other legislation as appropriate, including, but not limited to:
Related policies, standards, procedures, practices, including, but not limited to:
Policy Owner: The policy is owned by the Head of ICT who is responsible for regularly monitoring the policy for its effectiveness, challenges to the policy, any changes to NIST/NCSC guidance, and any inefficiencies in relation to the implementation of this policy.
Approval Process: Decisions regarding the implementation of the policy are approved by the Information Assurance Board.
The Supplier Remote Access Guide: This guide identifies the procedures and processes in relation to suppliers carrying out remote access.
The procedures and processes identified within the Supplier Remote Access Guide are applicable to all police officers and police staff. Advice and guidance are sought from supervisors and managers where deemed appropriate.
The following Code of Ethics principles are relevant to this policy:
Accountability - We are answerable for our decisions, actions and omissions.
Fairness - We treat people fairly.
Honesty - We are truthful and trustworthy.
Integrity - We always do the right thing.
Leadership - We lead by good example.
Objectivity - We make choices based on evidence and our best professional judgement.
Openness - We are open and transparent in our actions and decisions.
Respect - We treat everyone with respect.
Selflessness - We act in the public interest.
The ICT Department carries out protective monitoring across Force systems; this is used to monitor security issues and can also highlight any failure in the processes and procedures outlined in the Supplier Remote Access Guide.
Any significant failures within the procedures contained within the Supplier Remote Access Guide are referred for consideration to ICT Management.
Guidance and recommendations from relevant organisations, including NIST and NCSC, are considered when reviewing and updating this policy.
This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.
This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.
Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.
The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:
The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.
Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty.
EQUALITY IMPACT ASSESSMENT COMPLETED: January 2024