New Community Security Policy aims to reduce computer misuse

The ACPO has unveiled a Community Security Policy, which aims to reduce computer misuse in the police force. Learn how one police force has met the new compliance standard.

Regulatory compliance is affecting all areas of IT, and the police force is no exception. At the end of March, the Association of Chief Police Officers (ACPO), which coordinates policy for police forces in England, Wales and Northern Ireland, will introduce the ACPO Information Systems Community Security Policy.

The information security management policy includes a requirement for all 52 regional police forces to apply what it calls "protective monitoring" to ensure computer systems are used for proper purposes by police officers and administrative staff.

The move follows a revelation in January by the police that, during the last five years, more than 400 officers and police support staff had faced internal action, ranging from dismissal to verbal warnings, for the inappropriate use of computers.

Offences ranged from visiting inappropriate websites to leaking confidential information from police files and sending abusive emails.

One force that has already taken action to meet the standard is the Lancashire Constabulary, which has installed the Monitoring and Auditing System (MAS) from Skelmersdale software supplier 3ami Ltd.

MAS works by installing a client-based agent on every PC. The agent records all user activity, whether or not the device is connected to the corporate network. This means that if a laptop has been working offline, the user's actions will be recorded and automatically uploaded to the central MAS SQL database when the machine reconnects to the network.

The information is held securely and encrypted in the central database, where it can then be searched by various parameters, such as time, user and application usage. The client software can also be configured to issue real-time alerts if a user contravenes the usage policy, and can even block unauthorised actions.

Once fully implemented, MAS will monitor nearly all data input on Lancashire Constabulary's network of terminals. The only exceptions will be passwords and some areas of confidential reporting.

Detective superintendent Martyn Leveridge, who leads the project in Lancashire, said the system is intended to monitor all computer usage, and to streamline any investigations into misuse.

"It will provide us with the ability to resolve allegations of systems misuse more quickly and with more certainty," Leveridge said, "and it will give the public additional confidence that systems are in place to protect data."

The new system has been piloted with a small group of users, and Leveridge said a full implementation to all 7,000 users is due to be completed within the next couple of months to meet the compliance deadline. The system will store data for up to six years.

Leveridge said the implementation of MAS follows consultation with Unison, the trade union that represents civilian staff in the police, and also the Police Federation, which represents police officers. "The majority of our people who do not misuse their computers will have no problems with the new system," he said.

He added that once staff know their computer habits are being recorded and may be used as evidence in any investigation, the incidence of computer misuse is likely to drop dramatically.

"We need to get protective monitoring in place for our force, and MAS brings it all under one umbrella. It will allow us to do the job, which up to now has been a bit hit-and-miss," he said.

"Once we have it fully implemented it will actually save us money," Leveridge added. "When we get a referral or an investigation, we'll be able to get to the nub of the problem and investigate it quickly and more efficiently. It gives us very good quality evidence, and that gives us a cost savings in terms of time and productivity."
