1.1 This procedure/SOP has been updated on its 2 yearly review. Changes are as follows:
2.1 This procedure/SOP defines the Essex Police and Kent Police procedure for the management of user accounts that provide access to their networks and information systems.
Compliance with this procedure/SOP and any governing policy is mandatory.
3.1 Access to the forces’ network(s) must be via an authorised user account. There are two different user types:
i) Police Personnel (internal user)
The IT Access Management team will create only a basic computer account (that being DevelopMe and College Learn) for a new joiner. Any subsequent application access will only be granted upon successful completion of the mandated training (see para 3.6). This is in compliance with the IT Access Management Policy – W 4001 Procedure/SOP - IT Access Management.
ii) Non-Police Personnel (external, volunteer or third party user)
These accounts are created in the same way but must be supported by a senior business sponsor / IAO – Information Asset Owner and have a valid account expiry date activated. That expiry date should be set annually and will lapse every 3 years in tandem with their vetting clearance. The ‘senior business sponsor’ will be accountable for ensuring the mandated training (see para 3.6) is completed and the account is deleted if the relationship with the force is concluded. In the case of external business partners, access must be supported by a current Data Protection or Information Sharing Agreement that supports direct access to the Force(s) IT systems and specifies ‘Responsible Primary Designated Officers’ for both parties. The users’ account expiry date should be matched to the agreement review date. The relevant Information Asset Owner must sign the agreements. The relevant documentation must be reviewed and agreed or otherwise by the relevant Information Security Team prior to an external partner being granted IT System access.
3.2 All users will be given their own, unique user ID and will be accountable for their actions.
3.3 This ID will never be reissued to another user and only in exceptional circumstances will authority be given for users to share an ID – this must be formally authorised and documented in the relevant system’s accreditation document set.
3.4 All users will have understood and agreed to comply with the forces’ Information Management and Assurance policy and relevant operating procedures, including the ICT Acceptable Use SOP, before using their user account.
3.5 All users must be appropriately vetted prior to being granted access to the network or information systems. The corporate vetting unit will confirm the correct level of vetting for police and non-police personnel, commensurate with the information and services being accessed. It is then the line managers’ or sponsors’ responsibility to ensure vetting is correctly carried out and remains current, in accordance with the forces’ vetting policies. This must be in line with the Corporate Vetting Unit criteria for each force.
3.6 Other than having a ‘basic account’ access, all other users must complete the following e-learning packages before additional application access will be granted:
3.7 The Information Asset Owner, or someone authorised to do so on the IAO’s behalf, must authorise access to individual information systems. No access will be granted before receiving this authorisation. Refer to the procedures for the relevant system(s).
3.8 A central record will be maintained by the IT Access Management Team of all rights granted to a user.
3.9 Privileged Access Rights or Elevated Accounts
3.9.1 In addition, privileged access rights or elevated access rights will sometimes be required for certain systems and networks. These rights will only be granted to authorised Essex Police and Kent Police officers, staff or consultants and contractors who are required contractually to perform system administration related duties and are responsible for maintaining software applications. Additional access will be created under separate, dedicated accounts and kept to a minimum, and must be approved by a member of the appropriate Senior Leadership Team.
3.9.2 Authorised generic administration IDs must be changed whenever a privileged user leaves or changes role. A secure mechanism for communicating changes must be approved by the relevant force Information Security Officer. A user must not grant/revoke access to any other user and a user must not change any privileged account credentials without authorisation.
3.9.3 Individuals with privileged access shall take necessary precautions to protect the confidentiality of information encountered in the performance of their duties. If, during the performance of their duties, individuals with privileged access are inadvertently exposed to information that might indicate inappropriate use, they must inform their line manager at the earliest opportunity. An annual review process should be implemented for these accounts by line managers.
3.10 Removal of Access Rights
3.10.1 Regular reviews of access rights will be undertaken for each system or network in accordance with the Information Asset Owner’s accredited security operating procedures for that information system.
3.10.2 Access rights for all users must be revoked on termination of employment, contract or agreement, or if no longer required for a given role.
3.10.3 It is the responsibility of the ‘senior business sponsor’ for the third party to ensure the IT Access Management Team are informed of the need to renew or delete external users’ accounts, especially in the cases where the account cannot be updated automatically from SAP.
EIA – July 2023
5.1 There is an overall risk concerning the use and management of Essex Police and Kent Police information. Advice and guidance relating to the assessment of risk is contained within the individual procedures. The Corporate Risk Register will contain any risks in relation to Information Security.
6.1 The following have been consulted during the formulation of this document:
7.1 The Information Security Officer will be responsible for ensuring that the procedure/SOP remains current in line with the National Policing Community Security Policy and NPCC National Security Guidelines.
7.2 This procedure/SOP will be reviewed by or on behalf of the forces’ SIROs every two years.
8.2 Essex Police and Kent Police have measures in place to protect the security of your data in accordance with our Information Management Policy – W 1000 Policy – Information Management
8.3 Retention & Disposal of Records
8.3.1 Essex Police and Kent Police will hold data in accordance with our Records Review, Retention & Disposal Policy – W 1012 Procedure/SOP - Records Review, Retention and Disposal.
8.3.2 We will only hold data for as long as necessary for the purposes for which we collected it.
9.1 There are no other source documents.
Policy reference: User account management SOP (W1002)
Contact point: The Information Security Officer (ISO)
Date last reviewed: July 2023
If you require any further information or to request any documentation referenced within the policy please email [email protected]. For general enquiries, contact us.