POLICY

Supplier Portal Access & Security Policy

If you have any enquiries about this Policy, contact Sharon OReilly, Head of Category Systems & Governance, Corporate Procurement

Policy Owner: Jean B Robb
Author: Sharon OReilly
Version: 0.1
Date: 5th December 2012
Classification: PROTECT

Birmingham City Council 2012

CONTENTS

1. OVERVIEW AND PUBLICATION PARTICULARS
2. Introduction
3. Definitions
4. Policy Particulars
5. Roles and responsibilities
6. EXCEPTIONS
7. ENFORCEMENT
8. IMPLEMENTATION

1. OVERVIEW AND PUBLICATION PARTICULARS

Document History

Version | Date | Purpose | Author
0.1 | 8th October 2012 | Draft | Sharon OReilly
0.1 | 5th December 2012 | Draft issued to group for review | Sharon OReilly

Document Approval by Birmingham City Council

Name | Organisation | Role | Date
Jean Robb | Shared Services | Assistant Director |

Overview

Authority: Birmingham City Council
Owner: Birmingham City Council Assistant Director Shared Services
Scope: This access and security policy is applicable to all people who have access to Birmingham City Council's Supplier Portal.
Review period: This document will be reviewed at least annually or more often if justified by a change in circumstances.
This can be omitted from the overview

Legislation or Regulatory Control references: e.g. BS ISO/IEC 27001:2005 BS 7799-2:2005

Control Reference | Example text
A.6.1.3 | Allocation of information security responsibilities
A.6.2.3 | Addressing security in third party agreements
A.11.1.1 | Access control policy

2. INTRODUCTION

2.1 Scope

This security Policy is applicable to all people who have access to Birmingham City Council's Supplier Portal.

2.2 Overview and Purpose

The Supplier Portal is used to support the Birmingham City Council payment process. The system supports the electronic submission of external purchase order supported invoices through manual submission or XML file. It also allows suppliers to track invoices submitted through other means.

This document defines the minimum security requirements to protect the information held on Supplier Portal and Voyager.

3. DEFINITIONS

Any non-self explanatory terms, or terms that may be new to the Council or Business Areas that are used within this document should be briefly defined in this section.

4. POLICY PARTICULARS

Detailed Description of the Policy

Approval (Gaining Access)

Suppliers will register via the Supplier Portal. Access will only be granted to those suppliers known to BCC via the vendor management process. A user ID will be generated when checks have been completed.

Access to the Portal is granted only on the condition that the individual formally agrees to the terms of this policy and any specific rules which are notified to those who want to make use of the service.

Identities and Passwords

You must assume personal responsibility for your identity (ID) and password. Never use anyone else's identity or password. The ID and password issued to you are for your use only and consequently you are responsible for the activities undertaken with that ID. You must not share your password with any other person.
Control of Access to your Portal session

Do not leave your computer connected with the Portal when unattended for any length of time. For short absences, Users should lock the screen (press Ctrl, Alt and Delete at the same time, followed by the Enter key).

Every user will be expected to use a password that conforms to the Birmingham City Council Password Control Standard.

The password should be a minimum of 8 characters long.
Wherever possible, the password should contain digits (numbers) as well as letters. Having digits at the end of the password is not the only possibility. Consider using digits at the start of the password, and/or within the body of the password.
The password should not be composed solely of digits.

Password Maintenance

If you are issued with a new user ID and password to access the system, you must change the password as soon as you receive notification of the new user ID and password.
If the administrator of the system has re-set your password or unlocked your account, you must change the password when you next log into the Portal.
If you become aware, or suspect, that your password has become known to someone else, you must change it immediately.
You should change your password at least every 30 days.

Password Management

Passwords will only be issued to genuine system users who have agreed to the terms and conditions.
A request to re-set a User's password or unlock a User's account will only be actioned if it has been formally logged as an incident with Accounts Payable.
Password resets will only be accepted following an email request.
Passwords will only be released via an encrypted email using standard Lotus Notes encryption. The password will be transmitted to the account of the User concerned, and not to any shared mailbox.

Information Access

Access for Users to individual screens is controlled by the allocation of users to a Voyager role and the assignment of security privileges.
Invoice submission manually
Invoice submission via XML
Invoice submission and payment tracking
Payment tracking - display only
Internal staff Accounts Payable

Users must inform BCC where access is no longer required or if a person's role has changed.

Training

Training guides and FAQs will be available on the Supplier Portal.

Monitoring

The City Council will monitor the use of the Supplier Portal to ensure that Users of the service adhere to the rules. Any breaches of the rules may result in access being withdrawn.

5. ROLES AND RESPONSIBILITIES

This section should provide detail on the roles & responsibilities of any person involved with either reviewing, updating or implementing/using this Policy, simply but clearly explaining what is expected of them and defining their involvement.

Role | Responsibilities
Assistant Director Shared Services AP Manager Data Owner Policy Implementation

6. EXCEPTIONS

There are no exceptions to this policy.

7. ENFORCEMENT

Any internal User who contravenes the rules in this policy or the associated procedures will be disciplined under the Birmingham City Council Disciplinary Policy and procedure wherever this is appropriate for that use. For non-council employees with access, there will, in most cases, be separate disciplinary arrangements or codes of conduct for breach of this policy.

Any suspected breach will result in immediate termination of the ID while an investigation takes place.

If it becomes obvious that you have shared a personal password with someone else, your access to the system concerned will be suspended. If your access has been suspended and you wish to use the system again, then you will need to re-apply for a new identity via the registration process.

Anyone who contravenes this policy or jeopardises the security of BCC's information is liable to be investigated and, where appropriate, legal or other appropriate action may be taken.

8. IMPLEMENTATION

8.1 Implementation of the policy

This policy will be held on the Supplier Portal.