Not Protectively Marked POLICY IDENTIFICATION PAGE POLICY Security Classification: Not Protectively Marked Disclosable under Freedom of Information Act 2000 Yes / No: POLICY TITLE: PND Audit Strategy and Plan POLICY REFERENCE NUMBER: 2564555 Yes POLICY OWNERSHIP Business Area: Department Responsible: Post-holder: Enabling Services Directorate Corporate Services Superintendent Tedds (Title and name) POLICY IMPLEMENTATION DATE: 2011 POLICY REVIEW DATE: June 2014 Warwickshire Police welcomes comments and suggestions from the public and staff about the contents and implementation of this policy. Please write to the Force Policy Manager, Corporate Services Department, at Leek Wootton, Warwick, CV35 7QB or complete the feedback form located on our website (http://www.warwickshire.police.uk/contactingthepolice/ccf) Not Protectively Marked Not Protectively Marked 1.0 POLICY OUTLINE 1.1 The Police National Database (PND) is a CONFIDENTIAL system, which houses a vast amount of sensitive information. It is vital that a structured and robust audit regime is in place both centrally and locally in Forces. The PND has massive benefits for Forces and assists investigations and operations across the country. By placing all our information into one ‘pot’ the service is taking a risk to ensure there is better ‘policing’ across the UK. 1.2 The Deputy Chief Constable of Warwickshire Police as the Senior Information Risk Officer (SIRO) for the PND is responsible for ensuring that: • • • • The Warwickshire Police records on the PND achieve acceptable levels of data quality The PND records are only accessed for a policing purpose Only authorised personnel who have received the necessary security clearance are allowed to access the PND system The computers used to access the system are located in appropriate environments restricted to authorised personnel 2.0 PURPOSE OF POLICY 2.1 The purpose of this policy is to ensure that the responsibilities described in paragraph 1.2 above are enforced. 2.2 This policy has been guided by: ACPO Data Protection Manual of Guidance (Part II Audit) (ACPO) ACPO/ACPOS Community Information Security Policy (ACPO/ACPOS) NPIA Minimum NSS Supervision and Audit Standards (NSS Governance Authority) NPIA Audit and Inspection (Graham Cox) ACPO Guidance on the Management of Police Information (second edition) 3.0 IMPLICATIONS of the POLICY 3.1 Consider the below implications of the policy and make comment only in those areas of significance. The following are examples: • • • • The financial implications of this policy are restricted to the need to employ skilled staff in order to conduct the audit plan No training implications are anticipated No Health and Safety risks are anticipated as a result of this policy This policy will comply with Human Rights / Equality / Data Protection / Freedom of Information / Health and Safety legislation? 4.0 CONSULTATION 4.1 See Appendix C for the Equality Analysis (EA) for this policy. 4.2 This policy has been prepared in consultation with the SIRO, Force Security Officer, Force Data Protection Officer, Force Information Assurance Manager and the PNC Bureau Manager. Not Protectively Marked Not Protectively Marked 5.0 DOCUMENT HISTORY 5.1 The policy will be subject of regular review once ratified by the Monthly Alliance Chief Officer Group (MACOG). 5.2 The history of the policy will be recorded using the below chart: Version & Date V1.0 Author / Reviewer Paul Hoskins V1.1 Jackie Whordley Amendment(s) New Policy Addition of process for Non Standard Services Approval / Adoption JNCC 3/3/2011 FEB 22/3/2011 MACOG 12.07.2012 6.0 PROCEDURE 6.1 Procedure is the method by which the ‘strategic intent’ of this policy is realised please see appendix A for a description of the procedure. 6.2 Appendix B relates to the audit framework for the Non Standard Services (NSS) of the Police National database. Not Protectively Marked Not Protectively Marked APPENDICES Appendix A PND Audit Procedure 1. 2. 3. 4. 5. 6. 7. 8. Appendix B Non Standard Services (NSS) Audit Framework 1. 2. 3. 4. 5. 6. 7. 8. 9. Appendix C Data Quality Audits Local Data Security Audits Transaction Audits Transaction Audit Sample Size Retention of Transaction Audit Records PND Reporting Output Audit Security of Environment Check User Access Audit PND Overview Personnel Security Security Breach and Incident Reporting Audit Process Introduction Risk Assessments NSS Audit Objectives Transaction Validation Retention Conclusion Equality Analysis Not Protectively Marked Not Protectively Marked Back to Index Appendix A PND Audit Procedure 1. Data Quality Audits 1.1 The PND contains data uploaded from the 43 Police Forces of England and Wales, as well as other agencies such as CEOP (Child Exploitation and Online Protection Centre) and the Civil Nuclear Constabulary. The data is made up of records from forces’ Intelligence, Child Protection, Domestic Abuse, Crime and Custody systems. The Warwickshire Police records held on the PND system are not created or modified on the PND system, but are copies of the records held on the source systems within the Force. The Warwickshire Police PND implementation team ensure that the quality of the data upload is acceptable by monitoring data quality and providing feedback to each source system owner. The data quality of the records on the system depends upon the local data quality audits carried out on each of the source data systems. This policy is not concerned with the local data quality audits, but with the audits that are required to ensure the security of data and security of access to data for PND within Warwickshire Police. The local data quality audits are described elsewhere (see Warwickshire Audit and Inspection Policy). 2. Local Data Security Audits 2.1 Warwickshire Police local data security audits encompass the bulk of the auditing function with regard to end user activities within the PND. These cover the following: • • • • • • 3. Searching – incorrect justifications, incorrect search template, non-policing purpose search, inappropriate disclosure of data Ensuring the correct Management Information reports are in place Extraction – incorrect justification, inappropriate use of information, excessive extraction Ensuring that access to PND desktop computers is controlled and that the computers are located within a secure environment appropriate for a Confidential system Ensuring that users of the PND system are authorised and have the necessary level of security clearance required to access the system Ensuring that the PND access levels granted to users are appropriate to their role within the Force and that user access is managed correctly when users change their role or leave the Force Transaction Audits 3.1 The security of any database depends, to a large extent, on being able to retrospectively account for each transaction. The audit procedure tests this capability. 3.2 Transaction audits are conducted on a regular basis to: • • • • 3.3 Deter and detect inappropriate use of the PND system Deter and detect unauthorised access to the PND system Raise staff awareness of data protection issues, and maintain public confidence Ensure that all relevant transaction fields are completed to provide an adequate audit trial for retrospective investigations into transactions that have been carried out When examining transactions, the following areas are examined: • • Transaction fields are examined for quality Is there sufficient detail to be able to trace the inquiry back to the originator? Not Protectively Marked • Not Protectively Marked The legitimacy of the check is confirmed by questioning the originator or by checking any references provided to source documents 3.4 Any errors found as a result of the transaction checks are categorized and noted. The collation of results enables recurrent errors, error trends and the individuals involved to be identified and permit corrective action. 3.5 The business processes for running a query on the PND within Warwickshire Police are: • • Centralised input by a dedicated data bureau (e.g. 24/7 Intel) Individual input by Police Officers or Police Staff who are working on a case 3.6 Given the small number of licences available to Warwickshire for the PND, and the need to keep the computers used to access the PND in a secure environment, running queries through a centralised bureau is the most secure and efficient option. Some Departments will have their own direct access to PND. Officers or Police Staff who do not have direct access are required to fill in a request form to be submitted to the bureau. 3.7 The bureau business process has the advantage that it reduces the level of risk because specialist data input staff run the queries. This minimises the number of errors such as data transcription, spelling and incorrect completion of fields. The bureau approach provides a greater degree of confidence in the data quality of the queries submitted. 3.8 When a transaction is selected as part of an audit, a form is sent to its originator. The originator is requested to supply the reason for the enquiry . Any originating source records also need to be identified. 3.9 Whilst the Data Protection Officer (DPO) is not necessarily involved directly in the audit process, it is essential that the DPO should have input into the planning and consultation of the process, and be provided with details of the results of the checks annually. 3.10 Any misuse of the PND system or patterns of behaviour, which are indicative of misuse, are reported to the Force Professional Standards Department with supporting evidence. Professional Standards then carry out an impartial investigation to establish if there has been any misuse. 4. Transaction Audit Sample Size 4.1 The number of transactions checked is proportionate to the total number of transactions carried out. The proportion is determined by the Audit Inspection Unit. 4.2 Where appropriate, the formula recommended in the ACPO Data Protection Manual of Guidance (Part II Audit) will be used to establish a more proportionate sample size. 4.3 The sample of PND queries selected for audit is made randomly and transaction audit forms are sent to those Officers selected for sample regardless of Age, Disability, Gender, Race, Religion/Belief or Sexual Orientation. 5. Retention of Transaction Audit Records 5.1 Transaction audit records will be maintained for 6 years in line with the Management of Police Information System (MOPI) and DPA guidelines. Back to Index Not Protectively Marked Not Protectively Marked 6. PND Reporting Output Audit 6.1 Annually the Departments who have access to the PND system will be audited to check that the outputs from the system are being processed in a correct manner. 6.2 The PND system has been classified as a confidential system. Therefore any data extracted from the system must be handled according to the Government Protective Marking Scheme (GPMS). 6.3 The audit will examine departmental processes to ensure that extracted PND data is handled appropriately and in a secure manner. Data must not be transmitted over unsecured networks or copied to unsecured media in order to communicate the results of PND queries to the query originator. 6.4 A short report will be produced annually detailing the findings of this audit. The report will be circulated to the Force Security Officer (FSO) and the SIRO. 7. Security of Environment Check 7.1 Annually Departments will be checked for the location and security of the computers used to access the PND: • • • Computers used to access the PND must be located in a secure environment only accessible to security cleared staff at all times Computers used to access the PND must have the required secure-id card access All access to PND computers must be controlled by an “identity access management” (IAM) system with access levels controlled to only allow access to authorised personnel 7.2 These checks and any others specified by the FCO will be carried out for each department with access to the PND system. 7.3 A short report will be produced detailing the findings of this audit. The report will be circulated to the FCO and the SIRO. 8. User Access Audit 8.1 Annually an audit will be performed of the users who have accounts on the PND system. The accounts will be checked to ensure: • • • That users are still valid (that they have not left the Force, or moved to a role that no longer justifies access to the PND system) That the access level granted to the user is appropriate to their role in the organisation That users have received the necessary security clearance required to access data on a confidential system 8.2 A short report will be produced detailing the findings of this audit. The report will be circulated to the FCO and the SIRO. Not Protectively Marked Not Protectively Marked Back to Index Appendix B Non Standard Services (NSS) Audit Framework 1. PND Overview 1.1 This appendix provides an audit framework for the Non Standard Services (NSS) of the Police National Database, (PND) within Warwickshire. It provides a background to the auditing processes associated with the PND and it goes on to explain how the force will conduct its audit framework. It should be read in conjunction with the Warwickshire PND Code of Practice 2010 and the NPIA guidance on the Police National Database 2010. 1.2 It is aimed at all officers and staff who may seek to utilise the NSS functionality within PND in the course of their duties both as a requestor or user of PND information. 2. Personnel Security 2.1 All authorised users must be cleared to at least the ACPO Management Vetting level. All users of Information and Communication Technology (ICT) are to be aware of the Computer Misuse Act 1990 and the law covering the authorised access or modification of computer data. 2.2 All users of ICT have a part to play in ensuring the security and integrity of the systems they use. The authorised user is to sign as having read, understood and agree to comply with these SyOP’s. The PND System Administrator will arrange this. 2.3 The sharing of user accounts and associated passwords / authentication is prohibited. 3. Security Breach and Incident Reporting 3.1 In order to minimise risk, impact or embarrassment to Warwickshire Police, it is important that details of actual or suspected breaches of the above procedures and related security incidents are reported to the FISO as swiftly as possible as per the Force Information Security Policy. 3.2 Through the course of the investigation into any alleged breach of SyOP's or network misuse, all authorised users are advised that an audit of their network usage may be requested by the FISO or Professional Standards Department at any time. 4. Audit Processes Introduction 4.1 An audit is an evaluation of a person, organisation, system, process, enterprise, project or product against a defined standard. The purpose of the audit is to ensure that the NSS functionality of PND is being used in a manner that is secure and proportionate within the relevant legislation and agreed terms and standards. The audit should provide assurances to staff, stakeholders and 3rd parties that the information contained within the system is being treated with due care and attention. This is particularly important to Chief Constables who will be sharing information they own, with other Police Forces. Not Protectively Marked Not Protectively Marked 5. Risk Assessments Back to Index 5.1 The NPIA have advised that each Force must evaluate their own risks internally and formulate an audit plan based on this assessment. An assessment of each area will need to be completed using the risk assessment spreadsheet provided by the NPIA. The completed risk assessments will allow the auditor to identify those areas of the force that carry a higher risk and the audits will primarily focus on the higher risk areas. 6. NSS Audit Objectives 6.1 In order to comply with the minimum audit standards of the NSS that have been set by the NPIA, it is necessary to complete transaction validations for searches made in the NSS PND. 6.2 Local supervision is necessary to validate that the use of NSS for the transaction is proportionate to the requirements and that there is no obvious improper use of either the covert facility or the information available on the system. 6.3 This responsibility will fall to the line manager in units where there are NSS users as this person will be best placed to understand: • The level of access allocated to staff • The appropriate volume of transactions • That the use of NSS is in accordance with the PND covert searching principles. 6.4 It is anticipated that the line manager will not need access to the audit capabilities in NSS to fulfil this responsibility and that there will be sufficient detail available in the NSS MI reports to identify if NSS user activity is proportionate to the needs of the unit. If a supervisor needs to look deeper into any of the transactions examined during dip sampling, then Transaction Validation will be used. 6.5 It has been recommended that daily dip samples should take place, but as a minimum requirement these audits should be undertaken on a monthly basis. 6.6 There should be a minimum dip sample of 5% of all covert transactions. 7. Transaction Validation 7.1 Transaction validation will take place to validate that a transaction carried out by an NSS user on PND is in compliance with National and Local Policy. 7.2 This will be the responsibility of the local NSS auditor and will involve an in-depth investigation into the transaction to verify all aspects of the activity that was undertaken by the user. 7.3 The local NSS auditors should carry out sufficient in-depth transaction validation checks per month that will satisfy them that NSS functionality is being used correctly by the force NSS users. As a minimum, at least 3 transaction validation checks will be carried out per month. 7.4 Transactions will be randomly selected by the local NSS auditor for validation, and verified by a local supervisor to ensure compliance with the law and guidance on use of the PND. Equally the activity of transaction validation may be triggered by the results a line manager finds during local supervision activities. 7.5 The transaction validation procedure can be undertaken jointly by the line manager of the user and the local NSS auditor. The fundamental aim of this process is to be in a position to correctly validate the transaction. Not Protectively Marked Not Protectively Marked Back to Index 7.6 As an example, a transaction validation activity should include some or all aspects of the following, as appropriate: • Examine the audit log entry for the NSS transaction selected: o o o o o o o o Who conducted the PND search? The date and times of the session Was the user on duty at date / time? Does transaction match the usual area of work? Is the search justification sufficiently detailed? What was the likely result of the search, and does this cause any concern? If transaction ‘on behalf of’, examine above re the originator? Does the 'on behalf of' field contain a traceable individual? • o o • Validation: Ask user / originator for evidence of the need for the search – reference numbers / paperwork Establish if NSS was necessary for transaction Review: o o o Manager / auditor conducting validation reviews the evidence and determines if NSS transaction validated Record steps taken to validate transaction and result. Return to be logged by the local NSS Auditor or refer for further action It is essential that a sufficient number of transactions are selected and the procedure is carried out in a thorough manner to ensure the validity of transactions. 7.7 The audit results should be recorded in order to determine if there are any recurrent errors or individuals involved in the errors. 7.8 In all cases, a record of the Local Supervision Review and Transaction Validation Reviews will be maintained by the Independent Auditor in Professional Standards. Supervisors will ensure that the details of the reviews that they conduct are forwarded to the Independent Auditor in Professional Standards for recording. 7.9 The National NSS auditor will have responsibility for conducting reviews of force covert audit regimes. The level of NSS use in each force will be available to the National NSS auditor in order to establish if the minimum audit standards are being applied. 8. Retention 8.1 All audit documentation will need to be retained for external inspections this is to include: • • • • • Force audit plans including supporting risk assessments Schedules showing summary detail of work carried out. Papers to support the audit conclusions Copies of audit reports Management responses to audit reports Not Protectively Marked Not Protectively Marked 8.2 All audit documentation will be held in accordance with MOPI and retained for six years. 9. Conclusion 9.1 This audit document will need to be continually reviewed as the Police National Database develops and further functionality becomes available. 9.2 The version control will confirm that changes have been made. 9.3 In the event a PND user is subject to a Tribunal or Court proceedings, the National Auditor will need to be contacted in order to validate the findings of all audit activity undertaken. 9.4 The [email protected] will need to be consulted for NSS audits. Not Protectively Marked Not Protectively Marked Appendix C Equality Analysis Policy/Function being assessed PND Audit Strategy and Plan 1. Identify all aims of the policy/function 1.1 Identify the aims and projected outcomes of the policy This policy describes the strategy and plan for the audits to be carried out on the Police National Database (PND) within Warwickshire Police. 1.2 Which individuals and organisations are likely to have an interest in, or likely to be affected by, the policy? All members of Warwickshire Police Force. Members of the public whose personal data is held on the database. 2. Consider the evidence 2.1 What relevant quantitative data has been considered? There is no relevant data for the purposes of this assessment. Age Disability Gender Reassignment Marriage and Civil Partnerships Pregnancy & Maternity Race Religion or Belief Sex Sexual Orientation 2.2 What relevant qualitative information has been considered? This policy is based on guidance from the National Policing Improvement Agency and ACPO. There is no qualitative information available to add to this assessment. Age Disability Gender Reassignment Marriage and Civil Partnerships Pregnancy & Maternity Race Religion or Belief Sex Sexual Orientation 2.3 None. What gaps in data / information were identified? 2.4 What consideration has been given to commissioning research? Research is not considered necessary to complete this assessment. Not Protectively Marked Not Protectively Marked 3. Assess likely impact 3.1 From the analysis of data and information has any potential for differential / adverse impact been identified? Age None. Disability None. Gender Reassignment None. Marriage and Civil None. Partnerships Pregnancy & Maternity None. Race None. Religion or Belief None. Sex None. Sexual Orientation None. 3.2 N/A If yes, explain any intentional impact. 3.3 If yes, explain what impact was discovered which you feel is justifiable in order to achieve the overall policy aims. Please provide examples. N/A 3.4 None. 4. Are there any other factors that might help to explain differential / adverse impact? Consider alternatives 4.1 Summarise what changes have been made to the policy to remove or reduce the potential for differential / adverse impact. N/A 4.2 Summarise changes to the policy to remove or reduce the potential for differential / adverse impact that were considered but not implemented, and explain why this was the case. N/A 4.3 If potential for differential / adverse impact remains, explain why implementation is justifiable in order to meet the wider policy aims. N/A 5. Consult formally 5.1 Has the policy been subject to consultation? If no, please state why not. If yes, state which individuals and organisations were consulted and what form the consultation took. Consultation has been carried out internally as per Force policy and procedure. This includes being subject of discussion at JNCC where representatives of senior management and all staff associations/networks are represented. Age As above. Disability As above. Gender Reassignment As above. Not Protectively Marked Not Protectively Marked Marriage and Civil Partnerships Pregnancy & Maternity Race Religion or Belief Sex Sexual Orientation 5.2 As above. As above. As above. As above. As above. As above. What was the outcome of the consultation? No issues were identified relevant to equality issues. 5.3 Has the policy been reviewed and / or amended in light of the outcomes of consultation? No – not required. 5.4 Have the results of the consultation been fed back to the consultees? N/A 6. Decide whether to adopt the policy 6.1. Provide a statement outlining the findings of the impact assessment process. If the policy has been identified as having a possibility to adversely impact upon diverse communities, the statement should include justification for the implementation. This assessment has not identified potential for adverse impact in relation to equality. The policy acts as a safeguard to ensure public data held on the PND database is being recorded, processed and used in accordance with national standards. The auditing strategy helps to ensure that national standards and requirements are being upheld. 7. Make Monitoring Arrangements 7.1. What consideration has been given to piloting the policy? This policy was not piloted because Warwickshire Police requires immediate implementation of a strategy and plan for PND auditing. This is a mandatory requirement for the implementation of the PND system 7.2. What monitoring will be implemented at a national level by the policy owning agency and / or other national agency? We anticipate that external inspection agencies such as the HMIC will inspect the force in the future to ensure that audit and security measures are in place for the PND 7.3. Is this policy intended to be implemented by local agencies that have a statutory duty to impact assess policies? If so, what monitoring requirements are you placing on that agency? No, this is a Warwickshire Police policy. Not Protectively Marked Not Protectively Marked 8. Publish Assessment Results 8.1. What form will the publication of the impact assessment take? As per Force policy – viz. on the force website. This impact assessment has been undertaken by: Date: 2nd February 2011 Reviewed 30th May 2012 Name: D P Hoskins Not Protectively Marked
© Copyright 2024 ExpyDoc
