Protected: RD Essentials Home


RD Essentials Standard

 

  1. Introduction

  • Each User accessing ResilienceDirect™ must accept and agree on his/her own behalf to abide by the terms of this End User Agreement (EUA). Any breach of this agreement will entitle Cabinet Office to suspend or revoke a User’s access to ResilienceDirect. Administrators who sign the EUA have an additional responsibility in that they agree to the terms on behalf of their organisation.

 

  • Administrators are responsible for ensuring that the accounts supplied to Users within their organisation remain current. Users are advised that they must relinquish their account when they no longer work within an environment responsible for and involved in emergency planning and response, or leave their current organisation. Administrators should run regular checks and deactivate accounts where appropriate.

 

  • ResilienceDirect contains sensitive material with handling caveats and/or UK government security classifications up to and including OFFICIAL. This includes any documents marked as OFFICIAL SENSITIVE. Users of ResilienceDirect must familiarise themselves with policy and guidance on government protective markings to ensure they fully understand and follow the requirements placed on them for protecting information. Failing to adhere to the requirements in relation to government security classifications may result in the suspension or revocation of a User’s account. Guidance on the UK government security classifications OFFICIAL, SECRET and TOP SECRET can be found here:

https://www.gov.uk/government/publications/government-security-classifications

 

  • This document sets out the terms and conditions by which a User’s ongoing access to ResilienceDirect is determined and contains guidance on handling material on ResilienceDirect. Users agree to the EUA upon registration. Users may decide to print and scan a hard copy to keep for their own records. However, please be aware that this agreement is subject to regular review and updates, and continued access of ResilienceDirect will signify the User’s continued agreement to the EUA as amended and updated. The latest version of this agreement is available on ResilienceDirect in the help section.

 

  • If you are representing an organisation on ResilienceDirect as an ADMINISTRATOR, it is your responsibility to ensure your Senior Management Team (or equivalent) are aware of their responsibilities under the EUA. Each organisation must take all reasonable measures to ensure that individual Users within their organisation, or for whom they have administrative responsibility, comply with this EUA.

 

  2. Questions

 

 

 

 

 

  3. Access to ResilienceDirect

 

  • Access criteria for ResilienceDirect is determined by the Cabinet Office and access will be granted to those responsible for, and involved in, emergency planning, response and recovery.

 

  • Access will be based on organisations and roles. Access will usually only be granted to named Users; however, in some circumstances Role Based log-ins may be possible to support duty roles. Role Based log-ins will only be provided to organisations to allow them to effectively manage an incident where shift patterns require several individuals to rotate through a single role. Administrators must be named Users.

 

 

  • The “Verification of criminal record (“unspent” convictions only)” element of BPSS is NOT required for users accessing ResilienceDirect. A formal declaration from the employee that they have no unspent criminal convictions is sufficient.

 

  • BPSS is usually completed via pre-employment checks; if you are unsure or have not undergone these checks please contact your information security team. Annex B of HMG Personnel Security Controls also provides further guidance in this area.

 

  • Access to the Civil Contingencies Secretariat Risk Documents Group requires additional controls, as referenced in Section 14.

 

 

  4. What you need to do

 

  • It is the responsibility of the USER to ensure that their log-in details are kept safe and separate and not shared with others either inside or outside of their organisation.

 

  • Users must not attempt to gain unauthorised access to any part of ResilienceDirect.

 

  • Users must not probe, scan or test the vulnerability of ResilienceDirect, nor breach or attempt to breach the security or authentication measures of ResilienceDirect.

 

  • Users must only use ResilienceDirect for the purposes for which they have been granted access and must not use ResilienceDirect or its content for any purpose that is unlawful or prohibited.

 

  • Users and their organisations should be aware that access to and use of ResilienceDirect may be monitored.

 

  • If a User’s details change, they must update their user profile and contact details on ResilienceDirect at the earliest opportunity.

 

  • Users must also relinquish their account when they no longer work within an environment responsible for and involved in emergency preparation and response or leave their current organisation.

 

  • Once a User is logged into ResilienceDirect they must not leave the screen unattended at any point.

 

 

  5. Handling material

 

  • ResilienceDirect complies with the government security classifications as documented in Para 1.3. ResilienceDirect shares documents from a variety of originators in a single environment. This makes it significantly easier to search for information and utilise ResilienceDirect as a reference tool to support day-to-day working or to respond to an emergency.

 

  6. Printing

 

  • Care must be taken when using local or networked printers to ensure documents are collected immediately. All information should be considered OFFICIAL and handled accordingly. Users should consider taking extra precautions with information clearly marked as OFFICIAL SENSITIVE. Precautions for any information stored on ResilienceDirect may include the use of password protected printers and storage in locked drawers. If any User is unsure they should consult the information originator.

 

  7. Security Controls for Personally-Owned Devices

 

  • In some situations it is recognised that Users may need to connect to the service from personally-owned devices.

 

  • When accessing ResilienceDirect via a personally-owned device, Users should make best endeavours to ensure these devices are secure.

 

  • Personally owned devices should be secured using security tools (which are widely available) and following consumer best practice.

 

  • ResilienceDirect must only be accessed on devices:

 

  • That use a modern operating system[1] with the latest security patches and service packs applied – this will significantly reduce vulnerability to viruses and malware;

 

  • That use anti-virus products and have a personal firewall – this will stop malicious software and viruses from executing and prevent attackers from remotely accessing the device;

 

  • Where other software on the device (e.g. web browsers, PDF viewers) is modern and set to auto-update – most viruses rely on vulnerabilities in out-of-date or un-patched software.
  • If you are unsure whether your device meets these requirements you should contact Cabinet Office to verify if that device is appropriate to use before accessing ResilienceDirect on it.

 

  • Users should consider what information they are viewing or have access to. For instance, during a response to an emergency, information owners may choose to release more sensitive information to a wider group of people.
  • Users should have personal awareness of the risks and use good judgement when accessing ResilienceDirect.

 

 

  8. Security Incidents

 

  • In the event of a security incident or security breach or a breach of the EUA users must contact their organisation’s Information and Security officers and the Cabinet Office as soon as it is practicable. The Cabinet Office can be contacted by email via resiliencedirect@cabinetoffice.gov.uk.

 

  • A security incident or security breach may include (but is not limited to) the following:

 

  • Infection of hardware or software utilised to access ResilienceDirect by virus or malicious software

 

  • Loss or theft of a device utilised to access ResilienceDirect

 

  • Unauthorised access to the ResilienceDirect system

 

  • Unauthorised modification or removal of system software, hardware or connections

 

  • Unauthorised modification or deletion of ResilienceDirect system data

 

  • Disclosure of ResilienceDirect system data to unauthorised personnel

 

  • Unattended terminals left logged in to ResilienceDirect

 

  • Repeated lock out of ResilienceDirect users’ accounts due to repeated failure to enter correct password

 

  • Attempts to obtain ResilienceDirect information by deception (e.g. bogus phone calls, social engineering or e-mails)

 

  • Disclosure of classified or confidential information (especially ResilienceDirect passwords or other access control data) to unauthorised personnel

 

  • Sharing of information with unauthorised individuals which could cause harm and / or embarrassment

 

  9. Sharing material

 

  • Any handling instructions or protective markings should not be removed from material reproduced from ResilienceDirect and given to others.

 

  • Some information on ResilienceDirect, especially those assets owned by Her Majesty’s Government, may be protected against further disclosure without lawful authority by the provisions of the Official Secrets Acts 1911 to 1989. Should Users have any doubts as to the effects of the Acts, and their obligations under them, they should seek legal advice.

 

  10. Protective markings

 

  • Material on ResilienceDirect should be handled as OFFICIAL whether it is clearly marked or not. OFFICIAL SENSITIVE information should be clearly marked. Details have been covered in Para 1.3.

 

  11. Links to other websites

 

  • A link to ResilienceDirect mapping is provided within ResilienceDirect. A separate EUA governs access to this service.

 

  • ResilienceDirect may also contain links to independent third-party websites. These are provided solely as a convenience to Users. These websites are not controlled by the Cabinet Office and links do not imply endorsement of the content.

 

  12. FOI, EIR and DPA

 

  • The Freedom of Information Act 2000 (FOIA), Freedom of Information (Scotland) Act 2002 (FOIAS), Environmental Information Regulations 2004 (EIR), Environmental Information (Scotland) Regulations 2004 (EISR) will apply to information placed on ResilienceDirect by Users.

 

  • The Cabinet Office does not have ownership of all of the information on ResilienceDirect. The Cabinet Office only owns the information that it has prepared and uploaded to ResilienceDirect. Individual Users or their organisations who upload information to ResilienceDirect, however, continue to own that piece of information; the Users are also likely to hold the information for the purposes of FOIA, FOIAS, EIR and EISR.

 

  • If Users only have access to information uploaded by other Users/organisations and it is only being viewed within the ResilienceDirect environment, i.e. on screen within the web browser, then for the purposes of the FOIA, FOIAS, EIR, EISR and DPA, the USER does not own it and is unlikely to hold that information for the purposes of FOIA, FOIAS, EIR and EISR.

 

  • Before downloading or recording any information from ResilienceDirect, Users are referred to the restrictions in paragraph 15. If, however, a User downloads or records information from ResilienceDirect as permitted by paragraph 15, for example placing it on an organisation’s storage area network or a local hard disk drive and/or holds it manually, the User and/or their organisation are likely to hold it for the purposes of FOIA, FOIAS, EIR and EISR. Where a request for that information is received, the User should consult the owner(s) of the information before reaching a decision regarding releasing it and where necessary take legal advice. Where the User holds the information, the decision as to whether to release the information under the relevant legislation is the User’s decision; however, Users must take the views of the information owners into account.

 

  • The Data Protection Act 1998 (DPA) also applies to any personal data (as defined in the DPA) that is held on ResilienceDirect.

 

  13. Disclaimer

 

  • To the fullest extent permitted by law the Cabinet Office accepts no liability for any loss or damage (whether direct, indirect or consequential and including, but not limited to, loss of profits or anticipated profits, loss of data, business or goodwill) incurred by any person and howsoever caused arising from or connected with any error or omission in information, including all documents and their references, in ResilienceDirect or from any person acting, omitting to act or refraining from acting upon, or otherwise using, the information contained in ResilienceDirect.

 

  • The above disclaimer also applies to any damage, liability or injury caused by any failure of performance, error, omission, interruption, deletion, defect, delay in operation or transmission, computer virus, communication line failure, theft or destruction of or unauthorised access to, alteration of, or use of ResilienceDirect.

 

  • The Cabinet Office shall make reasonable efforts to ensure that information it directly owns on ResilienceDirect is up to date. However, this may not always be possible and the Cabinet Office does not commit to doing so.

 

  • The Cabinet Office reserves the right to modify, suspend or terminate operation or access to ResilienceDirect, to modify or change ResilienceDirect, and to interrupt the operation of ResilienceDirect as necessary to perform routine or non-routine maintenance, error correction or other changes.

 

  14. The Civil Contingencies Secretariat Risk Documents Group

 

  • The Civil Contingencies Secretariat Risk Documents Group has a restricted membership that provides server-only access to the National Risk Assessment, the Local Risk Management Guidance and other risk products owned by the Cabinet Office. This means the documents are not owned or held by members of the Group but are owned and held by Cabinet Office. Access is granted exclusively to Users who both have undergone (pre-)employment checks that meet the Baseline Personnel Security Standard (BPSS) and have a business need to view the documents in order to ensure their organisation fulfils its duties under the Civil Contingencies Act 2004.

 

  • Each Local Resilience Forum (LRF) (in England and Wales), Regional Resilience Partnership (Scotland) and Emergency Planning Group (Northern Ireland) will have an Administrator nominated by the LRF (or equivalent) Secretariat, who will be given access to the Risk Documents Group by the Cabinet Office as well as the necessary administrative permissions to fulfil their role. It is the Administrator’s duty to manage access to the Risk Documents Group for their wider LRF (or equivalent).

 

  • All Risk Documents Group members must have named ResilienceDirect accounts. Administrators must not grant Group access to Role Based User accounts.

 

  • All documents within the Risk Documents Group are Official Sensitive and should be handled in line with the Government Security Classifications. Users must consult with the Cabinet Office before releasing any information held within this section of ResilienceDirect.

 

  • Users are prohibited from:

 

  • printing, copying or downloading the documents contained in the Risk Documents Group; or,

 

  • accessing the Group from personal devices or devices which do not subscribe to best IT security practice; see 14.6 for more details.

 

  • ResilienceDirect must only be accessed on devices:

 

  • That use a modern operating system with the latest security patches and service packs applied – this will significantly reduce vulnerability to viruses and malware;

 

  • That use anti-virus products and have a personal firewall – this will stop malicious software and viruses from executing and prevent attackers from remotely accessing the device;

 

  • Where other software on the device (e.g. web browsers, PDF viewers) is modern and set to auto-update – most viruses rely on vulnerabilities in out-of-date or un-patched software.

 

  • If you are unsure whether your device meets these requirements you should contact Cabinet Office to verify if that device is appropriate to use before accessing ResilienceDirect on it.

 

 

  15. Ownership of information and Intellectual Property Rights

 

  • No ResilienceDirect content may be copied, reproduced, republished, uploaded, posted, publicly displayed, encoded, translated, transmitted or distributed in any way (including “mirroring”) to any other computer, server, website or other medium for publication or distribution, without Cabinet Office’s or the copyright owner’s express prior written consent. By placing the material onto ResilienceDirect and making it available to other Users and organisations you are granting them permission to utilise it for the purposes of resilience and emergency planning including functions under the Civil Contingencies Act 2004.

 

  16. Privacy

 

  • If a User accesses ResilienceDirect over the public internet you are effectively acknowledging that internet traffic is never completely private or secure. You understand that any message or information you send over ResilienceDirect could be read or intercepted by others.

 

  • The Cabinet Office will use the User’s personal data to provide access to ResilienceDirect and access to any other services you have requested or are subscribed to.

 

  17. Updates to this agreement

 

  • Any further updates to this EUA will be published on ResilienceDirect in help and support.
  • Users will be notified of any updates to the EUA when logging into ResilienceDirect. Users will be asked to review and accept the EUA as amended. It is the responsibility of the user to ensure that they read all updates and amendments to the EUA. By logging into ResilienceDirect the User is deemed to have accepted the terms of the EUA as amended from time to time.

[1] Operating systems only receive security support for a limited period. One example is that Microsoft security support for Windows XP ended in 2015 so users utilising this operating system will be violating the EUA.

 
