
Information Security Policy
Corporate Lead Officer, Customer Contact, ICT & Digital
Published: 08/10/2025 Version 6.2
Contents
- 1 Introduction
- 2 Policy Statement
- 3 Scope
- 4 Objectives
- 5 Privacy and Monitoring
- 6 Personal Usage
- 7 Consequences
- 8 Training and Induction
- 9 Incident Reporting
- 10 Password Controls
- 11 Roles and Responsibilities
- 12 Review
- 13 Exceptions
Policy Section
- 14 Physical Security Policy
- 15 Password Policy
- 16 Email Security Policy
- 17 Instant Messaging Usage Policy
- 18 Internet Usage Policy
- 19 Telephone (fixed and mobile) Usage Policy
- 20 Network Connection Policy
- 21 Mobile & Home Working Policy
- 22 Computer Software Policy
- 23 Computer Hardware Policy
- 24 Information Classification & Usage Policy
- 25 Removable Media Policy
- 26 Confidential Waste Policy
- 27 Faxing Policy
- 28 Printing Policy
- 29 Mailing Policy
- 30 Shared Services Policy
- Appendix 1 – Quick Recap and Guidance
- Appendix 2 – Legislation
- Appendix 3 – Secure Document Send Process (Fax/E-Mail/Post)
- Appendix 4 – Secure Government E-Mail
- Appendix 5 – ICT Operating Procedures
1. Introduction
This document sets out the Information Security Policy (‘’the Policy’’) for Ceredigion County Council (‘’the Council’’). The Council has a duty to meet legislative and regulatory requirements in relation to ICT security and security of information in all other media.
Information is an essential asset to the Council in delivering its services and a consistent approach must be adopted in safeguarding and validating the information stored. It is essential that the Council’s systems are adequately protected against physical, technical, business, and criminal risks. Such risks include accidental/intentional data disclosure, malicious user damage, fraud, theft, accidental/intentional technical physical changes, and natural disasters.
2. Policy Statement
The Council is committed to preserving the confidentiality, integrity, and availability of all the physical and electronic information assets throughout the Council. Information and information security requirements will continue to be aligned with the Council’s goals and the Policy is intended to be an enabling mechanism for information sharing, electronic operations, and reducing information-related risks to acceptable levels. In particular, business continuity and contingency plans, data back-up procedures, avoidance of malware and hackers, access control to systems and information security incident reporting are fundamental to the Policy.
3. Scope
The Policy is applicable to all Council staff, elected Members, volunteers, contractors and suppliers of the Council that have access to the Council’s information, computers, systems, and networks.
4. Objectives
- Protect integrity of data against misuse (accidental or deliberate), loss and any abuse or damage.
- Ensure data access rights are maintained as per classification.
- Ensure systems are accessible and performing properly.
- Make sure that appropriate plans and arrangements are available to deal with disasters and to provide continuity plans for critical services.
- Audit, detect and hold accountable users and services for their use and any misuses of the Council’s computer systems, networks, and information assets in all media.
- Comply with the Council’s legal obligations under the Data Protection Act, Computer Misuse Act, UK GDPR, Freedom of Information Act, and all other relevant legislation including that set out in Appendix 2.
- Identify, classify, catalogue, manage and dispose the Council’s information assets and associated risks.
- Ensure that responsibilities for information ownership, management and risk management are clearly defined.
- Comply with the Council’s contractual agreements for interconnection with other networks and application systems.
- Ensure users have sufficient training and assistance to enable them to understand and comply with the Policy.
- Develop and maintain documentation and business processes to support the Policy and ensure that these are being properly implemented and adhered to.
- Maintain public confidence in the Council’s ability to secure and protect their data.
- Keep all users aware of the limits of privacy while using the Council’s information systems, computers, and networks to meet the security requirements.
5. Privacy and Monitoring
The Council will restrict access to any user that does not accept the Council’s information security policy. Logs will be maintained of users’ activity. The logs will be monitored and, where appropriate, will be disclosed to line-managers, internal investigators, senior management, auditors, IT staff and other relevant bodies such as law enforcement, external auditors, and central government departments.
Any user that logs on to the Corporate ICT services is formally notified that their activity will be logged and monitored. The log files are monitored for any unusual activity and will be used for any investigation of unauthorised activity either on, or using, the Council’s systems.
Audit logs and alerts may be processed by our security monitoring systems and any outsourced security service providers.
6. Personal Usage
Personal usage is defined as usage of Council resources that is not directly associated with the performance of a user’s official Council duties or job description. The Council shall reserve the right to introduce access controls that limit the extent of personal usage.
Personal usage is only permitted where all the following apply:
- such use is of a private nature, not for financial gain and does not contravene any other Council policies.
- such use does not incur costs to the Council.
- such use does not disrupt the official business of the Council.
- such use must not involve anything that promotes illegal, sexual, or other activities that contravenes the Council's policies.
Personal usage will be monitored, and where a user’s personal usage appears unreasonable it will be reported to his/her line-manager, internal audit, human resources and/or other staff with responsibility for employee performance monitoring, for investigation and action.
7. Consequences
Where appropriate, failure to abide by this Policy will be handled in accordance with the Council's "Managing Employee Performance", "Disciplinary Policy’’ and ‘’Code of Conduct’’. Disciplinary action (as defined by the Disciplinary Procedure) for failure to adhere to the Policy, may ultimately lead to dismissal.
8. Training and Induction
All employees, Members, and volunteers of the Council and, where relevant, contractors and third-party users shall receive policy and procedural awareness training (including updates) relevant for their function via an electronic method or through formal training events.
All new staff, Members and volunteers must attend formal induction training. Any equipment issued or systems access controls should follow the ICT operating procedures.
All staff, Members and volunteers must be appropriately security vetted, as part of the appointment process, to the minimum of the baseline personnel security standard (BPSS) that would include ID checks, previous employment checks (confirmation of employment/educational history for the last 3 years), self-certified spent convictions and DBS enhanced or standard (where applicable), which are renewable every 3 years.
9. Incident Reporting
It is the duty of all employees to report any inappropriate use of the Council’s ICT systems and misuse of information in any media. Such incidents include loss of data, accidental or deliberate disclosure of data, use of data/systems for personal gain, unlawful use of ICT systems, accidental or deliberate damage to data integrity, etc. All suspected incidents must be reported to the ICT Service Desk or via an appropriate reporting mechanism (e.g., Data Protection Officer, Member of CRIGG, Monitoring Officer etc.)
The Council has an obligation to report information security incidents to external government approved bodies such as Action Fraud, NCSC, NLAWARP, CISP, ICO and PSNA.
10. Password Controls
Passwords, pin codes and other authentication information such as 2FA/MFA issued to an individual user must be kept secret and not disclosed to anyone. Passwords must be changed on a regular basis. Users are responsible for protecting their password and ensuring that it is sufficiently complex that it cannot be easily guessed. Systems will be configured to enforce password complexity and aging.
If a password is disclosed in any way, then the password must be changed immediately. Passwords should not be reused across unrelated systems.
11. Roles and Responsibilities
All Users must adhere to the Policy.
All Managers are responsible for implementing the Policy within their business area and for ensuring adherence by their staff.
Information Asset Owners are the service managers having responsibility for their service information and for classifying information in accordance with the Council’s Information Classification standards.
SIRO is responsible for ensuring that management of information risks is weighed alongside the management of other risks facing the Council in areas such as financial, legal, and operational.
Data Protection Officer (DPO) ensures that all staff are aware of the principles they must follow when handling personal information, including breach reporting procedures.
IT Security Officer (ITSO) is responsible for the security of all information held in an electronic form. ITSO is also responsible for reporting incidents to Government Computer Emergency Response Team UK (GovCertUK) and other relevant government bodies.
Information and Records Manager ensures that the information resource of the Council is managed as a corporate asset and assists in establishing the strategic direction of information management for the Council.
Cyber Resilience and Information Governance Group (CRIGG) has an ICT Governance role to oversee, review and monitor information risks.
12. Review
The SIRO and CRIGG will formally review the policy annually and amend if necessary. The amended policy will be distributed to all staff. The policy will be reported to Council on a 5 yearly basis or when significant changes are made.
13. Exceptions
Any policy exception must be documented, risk accessed and recorded on the CRIGG risk register.
Policy Section
14. Physical Security Policy
The Physical security policy applies to all Council buildings where Council information is available for access, either via physical access (paper records) or electronic access (computers, whether on or off the Council network). Physical security will prevent physical damage to content and building, theft of equipment and information and physical attack on staff working in the building. Where practical, these measures should also be applied to home or remote working.
14.1. Access Control to Council Buildings
Physical access to non-public areas in buildings must be restricted to authorised staff only, and no other person must be allowed access without first signing in and then being accompanied by a member of staff. All restricted areas, such as Computer Data Centres, Secure File rooms must always have access control and only approved staff will have access.
14.2 Think Security
Everyone has a responsibility to maintain a secure environment and be vigilant in not allowing any unauthorised access. All security doors, and fire doors, must be kept closed at all times. Door codes will not be disclosed, and keys kept securely, and not made available to any unauthorised person. All windows must be closed and locked before exiting the building. All computer equipment left unattended must be in a secure mode (screen locked, logged off or shutdown) and blinds (where fitted) are closed at night for lower ground and ground floor only, to prevent anyone looking into the offices.
14.3. Clear Desk & Safe Screen
At the end of the working day, or when leaving the office or home office for a major part of the day, papers and any files will be stored securely and out of sight.
During the working day ensure that information is not visible to unauthorised persons, both on your computer screen and in paper form.
15. Password Policy
This Password policy applies to all users having access to any information system that requires password access.
15.1. Authentication
All users must be authenticated via an individual password before gaining access to the Council’s ICT corporate domain or Microsoft account. The users are responsible for safeguarding their password(s) and must NOT share or disclose their password(s) to anyone at any time. Users must not allow anyone else to use their login details to gain access to the Council’s corporate domain or Microsoft account.
All passwords for users, application systems, networking equipment and any other ICT device/service must meet a minimum standard of 8 characters long, including at least one numeric and one upper case character, and be changed regularly.
Advice and guidance is available from the NCSC on selecting an appropriate password policy.
Authentication for systems MUST incorporate Multi Factor Authentication if that is available.
Access to any systems considered to hold substantial personal data should enforce Multi Factor Authentication (MFA) as standard if accessing from a remote location.
Any password that is lost or disclosed or suspected of being breached in any way must be changed immediately. If it is suspected that this loss could result in an inappropriate access to Council data, it must also be reported.
16. Email Security Policy
This Email policy applies to all staff that have access to a corporate Email account (i.e., @ceredigion.gov.uk or @ceredigion.llyw.cymru)
16.1. Email Usage
The use of the Corporate Email service is for performance of official duties and any personal emails sent or received must be kept to a minimum. The Council’s Email service is provided for the delivery of Council services and must not be used for the delivery of any other business or service.
No emails should be sent to all addressees on the corporate address book. If there is a need to send a broadcast via email, this must be arranged via the people and Organisation Service.
17. Instant Messaging Usage Policy
This Instant Messaging policy applies to all staff.
17.1. Messaging Usage
The use of any messaging service is for performance of official duties and any personal messages sent or received must be kept to a minimum. The Council’s messaging service is provided for the delivery of Council services and must not be used for the delivery of any other business, service or non-work-related messaging.
17.2. Using non-corporate communication channels. (NCCC, e.g., WhatsApp / Messenger etc.)
Services should, as far as reasonably practicable, enable approaches in their core systems that reduce the need for NCCCs.
This guidance requires you to exercise professional judgement appropriate to your circumstances, including the codes of conduct and legal obligations which apply to you and the post you hold within your service. Use NCCCs with care and be prepared to explain and defend your choices.
Particular care should be applied if communicating significant government information; and/or information with additional marking or personal information requiring additional protective controls or behaviours.
Significant information in NCCCs should be captured or copied into service or corporate systems to support accountability. You are responsible for deciding whether this applies to each communication using professional judgement and considering the context.
18. Internet Usage Policy
This internet usage policy applies to staff, Members and volunteers accessing websites and other network services on the public internet, using equipment or networks supplied by the Council.
18.1. Online Behaviour
All access to Internet based resources will be associated with the Council. In the course of their work, employees must therefore only access internet-based resources in accordance with their job description, or requirements, and in accordance with the Council's employee code of conduct.
All users are prohibited from accessing sites that violate the law or could be offensive to fellow users; and may only access sites for personal reasons under the terms and conditions specified under 'Personal Usage' above.
18.2. Transmission of Personal/Sensitive Data
When online, users must be careful as to what they disclose to other users or online systems. Users must remember that the internet is not a private or a secure communications medium. Users must not transmit or publish anything that may be damaging to the Council or themselves. Privileged, restricted or protected information, as covered in other policies, must not be transmitted without proper precautions.
Users should remember that the use of any online system which processes data (for example, video editing, sound editing, transcription, translation, or Artificial Intelligence support tools) must not be used to process personal or sensitive data without a DPIA and appropriate authorisation.
If in doubt users must discuss with their manager and the DPO.
19. Telephone (fixed and mobile) Usage Policy
This telephone usage policy applies to all users that have access to a corporate telephone line and/or corporate mobile phone.
19.1. Telephone Usage
The use of Corporate Telephone and/or mobile phones is for performance of official duties. The council telephone service (fixed and mobile) is provided for the delivery of council services and must not be used for the delivery of any other business or service. Only nominated council telephone numbers must be published in any public domain (internet, telephone books etc.) and for the purpose of Council service delivery only.
19.2. Personal Calls
Personal calls are defined as telephone calls that are not directly associated with an employee's job description. Personal calls are permitted, provided that the call is kept to a minimum and only when necessary.
20. Network Connection Policy
The network connection policy applies to everyone that connects their device (both council and personal) to the Council network.
20.1. Network Security
Only managed and approved devices should be connected to the Council’s network for both fixed and wireless connections. The only exception being where the corporate ICT section has provided public or “guest” Wi-Fi access for the convenience of staff, partners, or service users.
21. Mobile & Home Working Policy
This Mobile & Home Working policy applies to all users that have access to a laptop/tablet PC, or any other mobile phone device, that enables them to work from their normal place of work or home.
21.1. Mobile Working
For all mobile devices, an access code must be set (Pin code for mobile phones and two factor authentications for laptop/tablets) and the access codes must not be disclosed to anyone to gain access to the device. Users that have been allocated a mobile device are responsible for that device at all times when outside a Council office and must take extra care of the device when in public areas and on public/private transport. Any loss or damage to a mobile device must be reported immediately to the ICT Service desk. When using mobile devices in public areas, extra care must be taken by turning off Bluetooth and wireless connections when not needed. When using a mobile phone in a public area, be aware of other people overhearing your conversation. If you need to take a Council mobile device (laptop or phone) abroad, you will need to get approval from your line manager and only take the device if necessary for work purposes.
21.2. Home Working
It is the responsibility of staff members electing to work from home or any other location that these working arrangements are compliant with all other areas of this policy and does not introduce new risks, including the measures outlined in the Physical Security Policy.
Particular care should be taken with locking and securing mobile devices and paper materials when not in use.
Staff are advised to seek advice from their line-manager, ICT Section and/or DPO if they have any doubts about the appropriateness of any home or flexible working location.
22. Computer Software Policy
This Computer Software policy applies to all users that have access to a corporate PC/Laptop.
22.1. Software
Only software approved by corporate ICT will be installed on PCs/Laptops (including Councillors’ Laptops) and all software must be licensed for Council use. Software can only be installed by corporate ICT with appropriate administration rights. No other user will have administration rights to install/amend or remove software, or alter configuration settings, on any PC/Laptop. Requests for installation of software for personal use will not usually be accepted.
23. Computer Hardware Policy
This computer hardware policy applies to all users that have access to a corporate PC/Laptop.
23.1. Staff Computer Hardware Usage
The use of computer hardware is for the delivery of Council services and must not be used for personal gain, or financial and business purposes. Care must be taken of all computer hardware, especially laptops, and users must always use the provided laptop carry case when they are used from the office. When any hardware device supplied by the Council is taken from the office, the user is responsible for the safeguard of that device until it is returned. Any loss or damage must be immediately reported to the ICT Service desk.
Care must be always taken to ensure that computer equipment is physically secure (not left unattended outside the office) and that the appropriate access lock is enabled on all PC’s and laptops that are left unattended. All security features enabled on computer equipment (virus protection, encryption etc.) must not be turned off at any time.
23.2. Councillors’ Computer Hardware Usage
Councillors may use Council owned computer hardware for Ward and Council work purposes, and personal use as described in this policy.
23.3. Disposal of Computer Hardware
All computer hardware, including mobile devices, screens and peripherals must be returned to ICT Service desk when staff leave or move to alternative employment within the Council. Any redundant or broken computer equipment must also be returned to the ICT service desk as soon as possible.
All equipment will be disposed of by ICT support service securely and in accordance with the WEEE regulation. All electronic information stored on any hardware will be wiped clean.
23.4 Lost or stolen computer hardware
Users must report any suspected loss or theft of any end-user device (e.g., laptop, tablet, smartphone) immediately to the ICT Service Desk and their Line Manager. Upon receiving the report, ICT will attempt to remotely lock, locate, and if necessary, wipe the device to protect council data. Users are required to provide an account of the circumstances leading to the loss or theft. This information will be documented as part of the incident response procedure. Users who lose devices or fall victim to theft may be required to undergo additional security training to ensure they understand the risks and responsibilities associated with managing council issued devices. Failure to report lost or stolen devices in a timely manner may result in disciplinary actions.
24. Information Classification & Usage Policy
This information classification & usage policy applies to all users that have access to any Council information either electronically or in paper format.
24.1. Information Sharing for personal or sensitive information
Information can be shared both internally and externally where appropriate agreements are in place, provided that due consideration has been given to the data protection implications of the sharing have been considered; this may include carrying out a Data Protection Impact Assessment before sharing commences and ensuring that appropriate agreements are in place. Information sharing for personal or sensitive information must be approached carefully. It is important that we understand that the recipient has appropriate training / technical controls in other that this information is safely handled outside of our own organisation.
A secure data transfer process is described in Appendix 3.A secure e-mail process is described in Appendix 4.
Responsibility lies with the sender to perform an appropriate risk assessment. If you lack the capability to make this assessment you are advised to contact the DPO for advice.
24.2. Information Access
Staff should not attempt to access either electronic or paper records that may be accessible to them unless specific permission is given.
In line with the council’s code of conduct, staff accessing information that may cause a conflict of interest to themselves, such as information about a relative, friend or neighbour who is receiving a council service, have a duty to notify their line manager immediately and ensure appropriate safeguards are implemented.
25. Removable Media Policy
This Removable Media policy applies to all users.
25.1. Removable Media usage
Removable media is defined as any device that enables a user to copy data and transport it on a device outside the place of work. The use of non-Council approved removable media is always prohibited and anyone found copying Council data onto a personal removable media device may be the subject of disciplinary action. Requests for a Council approved encrypted removable media device shall only be done through logging a request with the ICT Service desk.
Any removable media received by the Council must be from a verified source and must be virus checked before transferring the information. The removable media must be either returned to sender, if requested or securely disposed and not used by the recipient for future use.
26. Confidential Waste Policy
26.1. Paper Disposal
Staff should not attempt to distinguish between confidential and non-confidential documents on a per-document basis. All day-to-day paperwork, printouts, and correspondence shall be immediately shredded or disposed of in the confidential waste facilities.
Exceptions are:
-
- Tissues, hand towels and other soiled items shall be disposed of in other appropriate bins.
- Non-confidential bulky items such as catalogues, cardboard packaging, books, newspapers, and magazines shall be placed into recycling facilities.
Cross cut shredding machines and confidential waste sacks are provided by the Facilities Management Service for disposing. Confidential waste will be recycled after shredding.
27. Faxing Policy
This Faxing policy applies to all staff that have access to a Council Fax Service/machine.
27.1. Faxing
The use of the corporate faxing service is for performance of official duties only and any personal faxing is prohibited. The Council fax service is provided for the delivery of council services and must not be used for the delivery of any other business or service.
Wherever possible, frequently dialled numbers must be stored in the memory of the fax machine (speed dial) to reduce the chances of dialling an incorrect number. The fax machine must not be left unattended if waiting to re-dial. If it is necessary to send information by fax, the sender must notify the recipient (or duly authorised person) prior to transmission. If sending restricted or protected information to a new recipient or non-speed dial number, a test fax of unclassified data must be sent to the recipient and the recipient asked (using the detail on the test fax) to confirm via telephone that they have received the test fax. Once the live transmission is sent the sender must then contact the recipient to confirm receipt. A standard cover sheet containing a “Confidentiality Clause” must be used. Only the minimum amount of relevant information required by the recipient must be sent. In the event of the intended recipient not being present, received faxes must be handed to the intended recipient (or duly authorised person) immediately, and not left in the print tray.
28. Printing Policy
This Printing policy applies to all users that have access to Council printers.
28.1. Printing
The use of the corporate printing service is for performance of official duties only and any personal printing is prohibited. The Council print service is provided for the delivery of council services and must not be used for the delivery of any other business or service.
Users are responsible for all printed material they produce and should only print what is necessary. Printouts should not be left on the back of printers, and any unwanted prints must be disposed of in the confidential waste bins/bags provided. Whenever possible, users should use a secure print release printer and retrieve the printouts as soon as the print has completed. If printing to a non-secure release printer, users should collect the printed material as soon as possible and ensure that only relevant printouts are retrieved from the printer trays.
If the central printer does not, for any reason, print any items of a personal/sensitive information, upon request, but lists it as ‘queued’ on the machine, users should contact the ICT service desk immediately with the printer reference code, to request them to delete the queued documents before printing is resumed.
29 Mailing Policy
This Mailing policy applies to all users.
29.1. Mailing
When mailing any paper correspondence, either internally or externally, staff must ensure that they insert the correct correspondence in an envelope. Ensure that all the pages of the document to be posted are included, and that no other non-relating documents are included that could have been picked up in error from the printer. Extra care must be taken when posting personal/sensitive information.
Staff must ensure that the correct address is used and should, wherever possible, use Names and Addresses for mailing from corporately managed systems. Only windowed envelopes should be used, unless not practicable to do so, to ensure that the correct address on the correspondence is used as the postal address - this will minimise the risk of correspondence being inserted into an incorrect addressed envelope.
30. Shared Services Policy
The Shared Services policy applies to all contractual third parties and agents of the Council who use Ceredigion County Council IT facilities, or who require access to the Council’s Information Systems.
30.1. Shared Services
For all Shared Services, a Third-Party Connection Agreement must be signed by all other organisations that form the shared service. This agreement covers connection requirements and procedures relevant to third party suppliers and business support contractors. Any breach of conditions could result in automatic disconnection from the Ceredigion County Council Network until satisfactory conditions can be restored.
Appendix 1 – Quick Recap and Guidance
A quick at-a-glance guide to the expectations and responsibilities placed on staff by this Policy is available on Cerinet intranet pages.
Appendix 2 – Legislation
Regulation of Investigatory Powers Act 2000
Copyright, Designs and Patents Act 1988
Freedom of Information Act 2000
Regulations: Waste Electrical and Electronic Equipment (WEEE)
The Telecommunications Act 1984
Telecommunications (Fraud) Act 1997
Appendix 3 – Secure Document Send Process (Fax/E-Mail/Post)
When sending Personal/Sensitive information the following steps must be followed:
- Double check that the content of the files to be sent is only what’s required by the recipient.
- Check that the correct address has been entered (i.e., to ensure that it is sent to the intended recipient).
- Verify that the address / contact information is current. Consult the primary source for this information. Do not use second/third tier sources that may be out of date.
- Check that any personal information referred to in the content matches the address. (To avoid copy/paste errors on letter templates)
- If there’s any doubt, you should send unclassified information as a test transmission and request the recipient to confirm receipt before going on to send personal/sensitive information.
- Ensure that you are following a recognised business process prior to sending the file out. If you are unsure, then contact the Data Protection Officer.
- If sending data files, ensure that these are encrypted. See Appendix 4 for pre-encrypted (in-transit destinations).If this is not possible then password should be sent via alternative means (e.g., over the phone or text message, with file sent via e-mail). The password should be suitably complex. (15.1 of Information Security Policy)
If the sending of personal/sensitive information is routine in your service area, please seek advice from the Data Protection Officer. Routine transfers should undergo a proper risk assessment with a view to identifying a stream-lined simple process.
Appendix 4 – Secure Government E-Mail
For the purposes of Sending mails from Ceredigion to other public sector organisations in Wales. Secure sending is available using existing @ceredigion.gov.uk or @ceredigion.llyw.cymru addresses.
For organisations not on this list. Please utilise a secure Document Send Process (Appendix 3), use the secure mail facilities provided by that organisation OR Contact ICT/DPO for advice.
Wales National:
- NHS Wales: www.nhs.wales
- Welsh Government
- Welsh Assembly
- WLGA
- National Adoption Service (adoptcymru.com)
- Shared Resource Service Wales
Police/Fire:
- Dyfed Powys Police
- Gwent Police
- Mid & West Wales Fire Service
- North Wales Police
- South Wales Fire Service
- South Wales Police
Local Government (All 22 Local Authorities):
- Blaenau Gwent County Borough Council
- Bridgend County Borough Council
- Caerphilly County Borough Council
- Cardiff Council
- Carmarthenshire County Council
- Ceredigion County Council
- Conwy County Borough Council
- Denbighshire County Council
- Flintshire County Council
- Gwynedd Council
- Isle of Anglesey County Council
- Merthyr Tydfil County Borough Council
- Monmouthshire County Council
- Neath Port Talbot Council
- Newport City Council
- Pembrokeshire County Council
- Powys County Council
- Rhondda Cynon Taf County Borough Council
- Swansea Council
- Torfaen County Borough Council
- Vale of Glamorgan Council
- Wrexham County Borough Council
National Parks:
- Bannau Brycheiniog National Park
Appendix 5 – ICT Operating Procedures
For reference the following ICT operating procedures are in place and used by ICT staff to support this policy. These are available in the ICT Teams site.
- 001 – User Onboarding
- 002 – User Offboarding
- 003 – User Service or Departmental Moves
- 004 – Administrator Controlled Password Changes
- 005 – Equipment Issue
- 006 – Equipment Return