This document states the Supplier Remote Access policy for Dyfed-Powys Police and is to be read in conjunction with the Supplier Remote Access Guide.
Dyfed-Powys Police ensures that the Force's potential exposure to risks associated with remote access connections is minimised by ensuring that only secure methods are used to connect to the Force network.
The aims of this policy and the guide are to:
Minimise risk associated with remote connections related to data and systems
Maintain Force confidentiality, integrity and accessibility where remote access is carried out by suppliers
Provide a defined process in which supplier remote access is carried out
Applies to (but is not limited to): all categories of Dyfed-Powys Police employees, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors) or seconded staff. Any employee accessing and using Force assets and property must have due regard to the contents of this policy.
2. Policy Scope
This policy must be adhered to at all times, specifically in relation to the carrying out of remote access activities by suppliers.
Dyfed-Powys Police recognises that there are risks associated with suppliers remotely accessing Force systems when carrying out legitimate business activities with the Force.
Securing data is of paramount importance – particularly in relation to the need to protect data in line with the requirements of the Data Protection Act 2018 and the UK General Data Protection Regulation.
Any unauthorised access to, or interference with, Force data or information could have a significant effect on the efficient operation of Dyfed-Powys Police. It is therefore essential for the efficient operation of Dyfed-Powys Police that the confidentiality, integrity and availability of all information recording systems are maintained at a level which is appropriate to Force requirements.
This policy and the associated guide aim to mitigate the following risks:
Unauthorised disclosure of information to persons outside Dyfed-Powys Police.
Contamination of Dyfed-Powys Police ICT networks or equipment through the introduction of viruses when data is transferred from one item of ICT equipment to another.
Potential sanctions against Dyfed-Powys Police or individuals imposed by the Information Commissioner’s Office as a result of information loss or misuse.
Potential legal action against Dyfed-Powys Police or individuals as a result of information loss or misuse.
Reputational damage to Dyfed-Powys Police as a result of information loss or misuse.
Non-compliance with this policy could have a significant effect on the efficient operation of Dyfed-Powys Police and may result in financial loss and an inability for the Force to carry out its functions.
This policy affects all ICT users who are part of the supplier remote access process and all suppliers who carry out remote access when accessing Dyfed-Powys Police data/systems.
3. Powers and Policy/Legal Requirements
This policy meets organisational requirements and is compliant with control measures as recommended under the ‘Protect’ function of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, specifically ‘PR.AC-3 Remote Access is Managed’ and ‘PR.AT-3 Third-Party Stakeholders understand their roles and responsibilities’, and with recommendations provided by the National Cyber Security Centre (NCSC) relating to principles of supply chain security.
The Force complies with the following legislation and all other legislation as appropriate, including, but not limited to:
Computer Misuse Act 1990
Data Protection Act 2018
UK General Data Protection Regulation
Human Rights Act 1998
Official Secrets Act 1989
Electronic Communications Act 2000
Regulation of Investigatory Powers Act 2000 (RIPA)
Freedom of Information Act 2000
Related policies, standards, procedures, practices, including, but not limited to:
Dyfed-Powys Police Supplier Remote Access Guide
Dyfed-Powys Police Information Security Policy and Associated Standards
Dyfed-Powys Police Cyber Security Policy
Dyfed-Powys Police Data Protection Policy
4. Options and Contingencies
Policy Owner: The policy is owned by the Head of ICT who is responsible for regularly monitoring the policy for its effectiveness, challenges to the policy, any changes to NIST/NCSC guidance, and any inefficiencies in relation to the implementation of this policy.
Approval Process: Approval of decisions regarding the implementation of the policy is given by the Information Assurance Board.
The Supplier Remote Access Guide: This guide identifies the procedures and processes in relation to suppliers carrying out remote access.
The procedures and processes identified within the Supplier Remote Access Guide are applicable to all police officers and police staff. Supervisors and managers are consulted for advice and guidance where this is deemed appropriate.
The following Code of Ethics principles are relevant to this policy:
Accountability - We are answerable for our decisions, actions and omissions.
Fairness - We treat people fairly.
Honesty - We are truthful and trustworthy.
Integrity - We always do the right thing.
Leadership - We lead by good example.
Objectivity - We make choices based on evidence and our best professional judgement.
Openness - We are open and transparent in our actions and decisions.
Respect - We treat everyone with respect.
Selflessness - We act in the public interest.
5. Take action and review
The ICT Department carries out protective monitoring across Force systems; this is used to monitor security issues and can also highlight any failure in the processes and procedures outlined in the Supplier Remote Access Guide.
Any significant failures within the procedures contained within the Supplier Remote Access Guide are referred for consideration to ICT Management.
Guidance and recommendations from relevant organisations, including NIST and NCSC, are considered when reviewing and updating this policy.
CODE OF ETHICS CERTIFICATE OF COMPLIANCE
This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence; it is deemed compliant with that Code and the principles underpinning it.
HUMAN RIGHTS ACT CERTIFICATE OF COMPLIANCE
This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence; it is deemed compliant with that Act and the principles underpinning it.
EQUALITY IMPACT ASSESSMENT
Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.
The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:
eliminate discrimination, harassment, victimisation, and any other conduct that is unlawful under the Act;
advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it;
foster good relations between persons who share a relevant protected characteristic and persons who do not share it.
The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.
Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty.