Date post: 23-Jun-2020

Page 1 of 12 Anti-virus Policy Version No 2.0

ANTI-VIRUS POLICY

Document Author Authorised

Written By: Information Security Manager Date: April 2019

Authorised By: Chief Executive Date: 24th June 2019

Lead Director: Director of Finance, Estates and IM&T

Effective Date: 24th June 2019

Review Date: 23rd June 2022

Approval at: Policy Management Sub-Committee

Date Approved: 24th June 2019


DOCUMENT HISTORY

(Procedural document version numbering convention will follow the following format: whole numbers for approved versions, e.g. 1.0, 2.0, 3.0 etc., with decimals being used to represent the current working draft version, e.g. 1.1, 1.2, 1.3, 1.4 etc. For example, when writing a procedural document for the first time, the initial draft will be version 0.1.)

| Date of Issue | Version No. | Date Approved | Director Responsible for Change | Nature of Change | Ratification / Approval |
|---|---|---|---|---|---|
| 19 Mar 16 | 0.1 | | Executive Director for Integration and Transformation | New Policy | |
| 24 Mar 16 | 0.1 | | Executive Director for Integration and Transformation | | Approved Deputy SIRO |
| 24 Mar 16 | 1 | 24 Mar 16 | Executive Director for Integration and Transformation | | Approved Trust Executive Committee |
| April 2019 | 1.1 | | Director of Finance, Estates and IM&T | Policy review | |
| 13 June 19 | 1.1 | | Director of Finance, Estates and IM&T | | Endorsed at Information Governance Sub-Committee |
| 24 June 19 | 2.0 | 24 June 19 | Director of Finance, Estates and IM&T | | Approved at Policy Management Sub-Committee |

NB This policy relates to the Isle of Wight NHS Trust hereafter referred to as the Trust


Contents

1 Executive Summary
2 Introduction
3 Definitions
4 Scope
5 Purpose
6 Roles and Responsibilities
6.1 Information Communication Technology Executive Led Sub Committee
6.2 Senior Information Risk Officer (SIRO)
6.3 Deputy Director for IM&T
7 Policy detail/Course of Action
8 Consultation
9 Training
10 Monitoring Compliance and Effectiveness
11 Appendices


1 Executive Summary

This policy defines the requirements for Anti-virus on all computing devices in relation to the Isle of Wight NHS Trust.

2 Introduction

Malware is an increasing problem for companies, often resulting in systems being taken off-line for several days whilst infections are resolved and data recovered. This policy provides a baseline to which all systems connected to the Trust’s network must adhere in order to mitigate risks of this nature.

3 Definitions

Malware (Malicious Software) is a generic name given to software which is designed to cause disruption or data loss. This includes commonly used terms such as ‘Virus’, ‘Trojan’ and ‘Spyware’.

4 Scope

This policy is applicable to all computing devices which connect to the Trust’s Information Communication Technology (ICT) network.

5 Purpose

The purpose of this Policy is to set the minimum protection required to allow computing devices to connect to the Trust’s ICT network.

6 Roles and Responsibilities

6.1 Information Communication Technology Sub Committee

The Information Communication Technology Sub Committee are responsible for monitoring compliance with this policy.

6.2 Senior Information Risk Officer (SIRO)

The SIRO is responsible for ensuring that the Trust has in place robust arrangements for the management of viruses and that all risks are reported and managed to mitigate any risks.

6.3 Deputy Director for IM&T

The Deputy Director for IM&T must ensure that the Trust has in place a robust anti-virus policy that is adopted across the breadth of the Trust.


7 Policy detail/Course of Action

All workstations, laptops and servers must be running approved anti-virus and anti-malware protection which has been configured in accordance with appendix C.

All removable media must be subject to an anti-virus scan upon use.

Users must not accept, or run, software from untrusted sources.

Users must not undertake any activities with the intention to create and/or distribute malicious programs (e.g. viruses, worms, Trojans, e-mail bombs, etc.) into the Trust’s networks or systems.

Users must inform the IT Service Desk immediately if a virus is detected on their system.

Portable Device users (laptops) must connect to the Trust network periodically (either whilst on-site or remotely via VPN) to ensure that the anti-virus software is updated.

Any system or workstation found to be without adequate protection as defined by this policy will be removed from the network until adequate protection is implemented.

Any user being found to be wilfully violating the anti-virus policy may be subject to one or more of the following sanctions:

Removal of any equipment used from the network until adequately protected

Revocation of rights to Trust ICT systems and networks

Any costs incurred by the IT department to remove the virus may be passed on to the department or organisation responsible for the outbreak.

Subject to disciplinary action

In the event of a virus outbreak, the Information Communication Technology (ICT) Team reserves the right to temporarily remove equipment, or disable parts of the network to safeguard other systems.

Procedure for suspected infection

If a user suspects the system may be infected, the following actions must be taken:

Inform the ICT service desk immediately

Switch off the machine

Ensure no-one uses the machine

Be prepared to inform IT of any actions taken which may have caused the system to be infected.


The IT Team will:

Check the infected PC and any media

Rebuild the PC if the infection is severe (e.g. Conficker, Cryptolocker)

Check any servers that may have been accessed from the infected system

Attempt to determine the source of the infection

Ensure the incident is logged.

8 Consultation

This policy has been circulated to the ICT and Information Governance Team prior to ratification and approval.

9 Training

This anti-virus policy does not have a mandatory training requirement or any other training needs.

10 Monitoring Compliance and Effectiveness

The effectiveness of the anti-virus solution will be demonstrated through system generated reports against potential virus infections recorded on the ServiceDesk.

11 Appendices

Appendix A Financial and Resourcing Impact Assessment on Policy Implementation

Appendix B Equality Impact Assessment (EIA) Screening Tool

Appendix C Approved Software Products


Appendix A

Financial and Resourcing Impact Assessment on Policy Implementation

NB this form must be completed where the introduction of this policy will have either a positive or negative impact on resources. Therefore this form should not be completed where the resources are already deployed and the introduction of this policy will have no further resourcing impact.

Document title

Anti-virus Policy (No change in resourcing requirements)

| Totals | WTE | Recurring £ | Non Recurring £ |
|---|---|---|---|
| Manpower Costs | | | |
| Training Staff | | | |
| Equipment & Provision of resources | | | |

Summary of Impact:

Risk Management Issues:

Benefits / Savings to the organisation:

Equality Impact Assessment

Has this been appropriately carried out? YES/NO

Are there any reported equality issues? YES/NO

If “YES” please specify:

Use additional sheets if necessary

Please include all associated costs where an impact on implementing this policy has been considered. A checklist is included for guidance but is not comprehensive so please ensure you have thought through the impact on staffing, training and equipment carefully and that ALL aspects are covered.

Manpower WTE Recurring £ Non-Recurring £

Operational running costs

Totals:

Staff Training Impact Recurring £ Non-Recurring £

Totals:


Equipment and Provision of Resources Recurring £ * Non-Recurring £ *

Accommodation / facilities needed

Building alterations (extensions/new)

IT Hardware / software / licences

Medical equipment

Stationery / publicity

Travel costs

Utilities e.g. telephones

Process change

Rolling replacement of equipment

Equipment maintenance

Marketing – booklets/posters/handouts, etc

Totals:

Capital implications £5,000 with life expectancy of more than one year.

Funding /costs checked & agreed by finance:

Signature & date of financial accountant:

Funding / costs have been agreed and are in place:

Signature of appropriate Executive or Associate Director:


Appendix B

Equality Impact Assessment (EIA) Screening Tool

1. To be completed and attached to all procedural/policy documents created within individual services.

2. Does the document have, or have the potential to deliver, differential outcomes or affect in an adverse way any of the groups listed below? If no, confirm underneath in relevant section the data and/or research which provides evidence e.g. JSNA, Workforce Profile, Quality Improvement Framework, Commissioning Intentions, etc. If yes, please detail underneath in relevant section and provide priority rating and determine if full EIA is required.

Document Title: Anti-virus Policy

Purpose of document: Policy on the Use of anti-virus software

Target Audience: Users of devices attached to the ICT Network

Person or Committee undertaking the Equality Impact Assessment: Carl Moreira-Smith

| | Positive Impact | Negative Impact | Reasons |
|---|---|---|---|
| Gender | | | |
| Men | N/A | N/A | |
| Women | N/A | N/A | |
| Race | | | |
| Asian or Asian British People | N/A | N/A | |
| Black or Black British People | N/A | N/A | |
| Chinese people | N/A | N/A | |
| People of Mixed Race | N/A | N/A | |
| White people (including Irish people) | N/A | N/A | |
| People with Physical Disabilities, Learning Disabilities or Mental Health Issues | N/A | N/A | |
| Sexual Orientation | | | |
| Transgender | N/A | N/A | |
| Lesbian, Gay men and bisexual | N/A | N/A | |
| Age | | | |
| Children | N/A | N/A | |
| Older People (60+) | N/A | N/A | |
| Younger People (17 to 25 yrs) | N/A | N/A | |
| Faith Group | N/A | N/A | |
| Pregnancy & Maternity | N/A | N/A | |
| Equal Opportunities and/or improved relations | N/A | N/A | |

Notes: Faith groups cover a wide range of groupings, the most common of which are Buddhist, Christian, Hindus, Jews, Muslims and Sikhs. Consider faith categories individually and collectively when considering positive and negative impacts. The categories used in the race section refer to those used in the 2001 Census. Consideration should be given to the specific communities within the broad categories such as Bangladeshi people and the needs of other communities that do not appear as separate categories in the Census, for example, Polish.

3. Level of Impact

If you have indicated that there is a negative impact, is that impact:

| | YES | NO |
|---|---|---|
| Legal (it is not discriminatory under anti-discriminatory law) | | |
| Intended | | |

If the negative impact is possibly discriminatory and not intended and/or of high impact then please complete a thorough assessment after completing the rest of this form.

3.1 Could you minimise or remove any negative impact that is of low significance? Explain how below:

3.2 Could you improve the strategy, function or policy positive impact? Explain how below:


3.3 If there is no evidence that this strategy, function or policy promotes equality of opportunity or improves relations – could it be adapted so it does? How? If not why not?

Scheduled for Full Impact Assessment Date:

Name of persons/group completing the full assessment.

Date Initial Screening completed 20/03/2016


Appendix C

Approved Software Products

Sophos Endpoint Protection (www.sophos.com)

Configuration Standards

Approved anti-virus software should be installed and configured to the following standards on all applicable desktop and server equipment:

All anti-virus configuration settings will be locked down to prohibit unauthorised users from disabling the software or altering the standard configuration.

Anti-virus software on desktops will periodically check (at least daily) for updates to the anti-virus engine and the DAT (pattern/signature) file and will automatically apply them.

Anti-virus software on servers and gateways will check for updates on a (minimum) daily basis.

Anti-virus will be automatically enabled at all times when the system is in use with the following exceptions:

When software upgrades dictate disablement

To facilitate problem diagnosis.

