
IT and Information Security Policy - WhatDoTheyKnow · IT and Information Security Policy v1 4 1...

Date post: 15-Aug-2020

Policy No: OP06

Version: 1.0

Name of Policy: IT and Information Security Policy

Effective From: 20/03/2013

Date Ratified: 06/03/2013

Ratified: Health Informatics Assurance Committee

Review Date: 01/03/2015

Sponsor: Director of Finance and Information

Expiry Date: 19/03/2016

Withdrawn Date:

This policy supersedes all previous issues.


IT and Information Security Policy v1 2

Version Control

Version: 1.0

Release: 20/03/2013

Author/Reviewer: D Prudhoe

Ratified by/Authorised by: Health Informatics Assurance Committee

Date: 06/03/2013

Changes (Please identify page no.): Policies OP6a & OP6b merged


Contents

1 Introduction
2 Scope of the IT and Information Security Policy
3 Aim of Policy
4 Duties (Roles and Responsibilities)
5 Definition of Terms
6 IT and Information Security Policy
6.1 Policy Statements
6.2 Keeping Information Secure
6.3 Transfers and Disclosure of Data
6.4 System Security
6.5 Breaches of the policy
6.6 Policy Review and Evaluation
6.7 Remote Access to Gateshead Network from Home
6.8 Mobile Access to Gateshead Network
6.9 Use of Removable Media
6.10 Network Security
6.11 Legal requirements
7.0 Training
8.0 Equality and Diversity
9.0 Monitoring Compliance with the Policy
10.0 Consultation and Review
11.0 Implementation of Policy (Including Raising Awareness)
12.0 Associated documentation
Appendix A - Checklist for Home/Remote Access

1 Introduction

1.1 The Need for an IT and Information Security Policy

The data stored in information systems used by the Trust represents an extremely valuable asset. As systems proliferate, and with the increasing reliance of the NHS on information technology for the delivery of healthcare, it becomes necessary to ensure that these systems are developed, operated, used and maintained in a safe and secure fashion.

The increasing need to transmit information across networks of computers renders data more vulnerable to accidental or deliberate unauthorised modification or disclosure. The use of computers in clinical care activities offers advantages to NHS patients if handled securely, but could present serious hazards if security is inadequate.

All NHS organisations need to proactively assess, monitor and manage the risks associated with their IT assets and information services. Indeed, NHS information systems are considered to be key components of the UK’s Critical National Infrastructure.

2 Scope of the IT and Information Security Policy

2.1 This Policy is applicable to all existing and proposed systems and is effective from the date of issue of this policy. The manager responsible for each system must ensure that all risks are identified and all reasonable measures are taken against security breaches. The system administrator for each system will be responsible for ensuring that a current System Specific Security Policy for that system is maintained.

2.2 The value of information, physical assets or processing capability to be protected needs to be estimated and recorded, along with the impact of possible disclosure, inaccuracy, incompleteness or unavailability of that information. The cost of countermeasures should be commensurate with the threats to security, the value of the assets being protected and the impact of security failure.

2.3 The Trust policy is to ensure that IT systems, including computer systems, network components and electronically held data, are adequately protected from a range of threats. The policy and associated guidelines cover all aspects of the environment: IT systems, administration systems, environmental controls, hardware, software, data and networks. It will apply to all stages of the system lifecycle, from feasibility study through to operation.

2.4 The policy applies to:

a) all staff employed by the Trust, and to locums, students and trainees on temporary placements;

b) other individuals and agencies who may gain access to data, such as volunteers, visiting professionals or researchers, and companies providing IT services to the Trust.

2.5 The requirements of the IT Security Policy are mandatory wherever they are applicable.

3 Aim of Policy

3.1 This document defines the IT and Information Security Policy for Gateshead Health NHS Foundation Trust and:

• Sets out the Trust’s policy for the protection of the confidentiality, integrity and availability of IT and Information Systems.

• Establishes the Trust and user responsibilities.

• Provides reference to documentation relevant to this policy.

3.2 The objective of this policy is to ensure the security of the Trust’s IT and Information Systems. The Trust will:

• Ensure Availability: Ensure that the Intranet, Internet and email system is available for users.

• Preserve Integrity: Protect the Intranet, Internet and email system from unauthorised or accidental modification ensuring the accuracy and completeness of the Trust’s assets.

• Preserve Confidentiality: Protect assets against unauthorised disclosure.

4 Duties (Roles and Responsibilities)

The Trust will take all reasonable steps to ensure that users of IT and Information Systems are aware of acceptable use policies and legal obligations relating to them. All staff and Non-Executive Directors are obliged to adhere to this policy. It is the responsibility of the individual to ensure that they understand this policy. Managers at all levels are responsible for ensuring that the staff for whom they are responsible are aware of and adhere to this Policy. They are also responsible for ensuring staff are updated in regard to any changes in this Policy.

5 Definition of Terms

5.1 For the purposes of this policy document, IT and Information security is characterised as the preservation of the confidentiality, integrity and availability of Trust information technology and associated systems, where:

a) CONFIDENTIALITY is defined as the restriction of information and assets to authorised individuals;

b) INTEGRITY is defined as the maintenance of information systems and physical assets in their complete and proper form;

c) AVAILABILITY is defined as the continuous or timely access to information, systems or physical assets by authorised individuals.

6 IT and Information Security Policy

6.1 Policy Statements

All managers have a responsibility to ensure that:

The value of information, physical assets or processing capability to be protected and for which they are responsible is recorded, along with the impact of possible disclosure, inaccuracy, incompleteness or unavailability of that information;

All systems for which they are responsible are reviewed to identify potential threats to the system, and the likelihood of those threats occurring;

They implement cost effective controls that are consistent with the business risks and are fit for purpose, to protect information assets from any misuse which could act to the detriment of the Trust or its partners;

All staff receive training appropriate to their information security needs, and are fully trained in the use of the systems that they are required to operate;


Staff, contractors and other agencies are fully aware of the Trust’s security requirements and have sufficient resources necessary to meet their obligations to those requirements;

Business continuity plans are in place to protect the Trust from any threats to its continued provision of healthcare services arising from the effects of major failures of IT systems or other disasters;

The Trust’s information systems are protected from the threat of viruses and other malicious software;

All staff have a responsibility to ensure that:

The use of information assets shall be restricted to activities approved by the owner(s) of those assets, but in any case shall not be used for the distribution of obscene, racist or otherwise offensive material;

They use all proprietary software in accordance with the terms and conditions of the associated licence(s);

They comply with all legal, regulatory and compliance requirements and regulations that apply to the Trust’s information assets;

They use data, computer equipment, software and communications facilities in a manner that ensures appropriate security of those assets;

Their password(s) or other means of authentication for access to computer systems are not compromised;

They report any incidents or information indicating a breach or suspected breach of security to their immediate supervisor or the IT Security Manager at the earliest opportunity;

Management shall ensure that the security policy is observed, by themselves and their staff.

6.2 Keeping Information Secure

All paper records/documents containing personal or sensitive information must be stored securely. For example, staff records should be held in a locked filing cabinet or cupboard. Filing cabinets etc. containing personal data must be locked outside of normal working hours and keys must be held securely by nominated staff.

All electronic data must be stored in secure server areas, not on computer hard drives, laptops or other mobile devices. Removable media should not be used as a permanent or long term storage device. Any electronic data backed up to media such as CD must be kept physically secure.

Where outside bodies/companies process or hold any of the Trust’s personal data then the Trust must be satisfied that the data is held securely and with due regard to the obligations of the Data Protection Act 1998. Where such arrangements are in place a risk assessment should be carried out by the Information Governance Officer to establish compliance with the Act.

6.3 Transfers and Disclosure of Data

Data must not be transmitted or transferred out of the European Economic Area (i.e. the EU member states, Iceland, Norway and Liechtenstein) unless the country they are being transferred to has the same or equivalent standards of Data Protection. This has implications for data placed on the Internet and use of e-mail where servers are based abroad.

If information is required to be transferred abroad then checks must be made to ensure that the data are held securely during transfer and that data recipients apply data protection rules equivalent to those in the UK Data Protection Act 1998. Advice on this should be sought from the Information Governance Officer.


For further information regarding the disclosure and safe transfer of personal information please refer to the Records Management Policy (IG05) and the Caldicott and Safe Havens Procedure (IG07).

6.4 System Security

6.4.1 System Owners and Information Asset Administrators

All systems must have a designated ‘owner’. This may be a system administrator or manager or the system may be maintained by the IT department. The designated system owner will be the nominated Information Asset Administrator for the system.

6.4.2 System Specific Security Policy and Risk Assessment

All systems must have a System Specific Security Policy (SSSP) in place in line with the Trust’s standard SSSP document which:

• Identifies the security requirements of the individual system

• Asset security

• User access controls

• Use and sharing of personal data

• Data Quality

The accompanying risk assessment form should also be completed.

6.4.3 Business Continuity plan

All systems must have a Business Continuity Plan (BCP) in place in line with the Trust’s standard BCP document. The BCP should undergo a documented test at least annually.

6.4.4 User Access Management

The Trust must ensure that access to information is only granted to those who require access in order to perform their duties. Where appropriate, the Trust must employ logical access restrictions. This should be enabled through the provision of tailored menus, which allow access only to those functions required, controlling such rights as, read, write, delete and execute. There must be formal user registration and de-registration procedures for granting access to systems. The procedure must include:

The formal completion of an access application form, which is endorsed by the user’s immediate line manager and countersigned by an authorised individual within the organisation’s IT department.

The use of unique user IDs to ensure that users can be linked to and made responsible for their actions.

Checks that the user has received appropriate authorisation from the system owner and that appropriate management approval has been obtained.

The provision of written confirmation of access rights to the user and the requirement for users to sign to acknowledge that they understand the conditions of their access.

Maintenance of a formal record of all users.

Immediate removal of access rights of users who have left the organisation or changed their role.

Regular checks against the organisation’s personnel files, to ensure that redundant accounts do not remain live.

The Trust must ensure that the allocation and use of special privileges (the ability to override system or application controls) is restricted and controlled. The allocation of privileges must be controlled through a formal authorisation process and be dependent upon the role of the user. Special privileges, e.g. Administrator rights, must be assigned to a different user identity from those used for normal access.

Access to all critical systems within the Trust must be controlled by password. The allocation of passwords must be controlled through a formal management process, which must:

Include the requirement of users to sign a statement binding them to keep passwords confidential.

Ensure that users are required to maintain their own passwords and change them on a regular basis, where password changes are not enforced by the system.

Ensure passwords are a minimum of six alphanumeric characters and not relating to the user or the system being accessed.

Ensure procedures for positive identification of users who forget their passwords prior to temporary ones being issued are in place.

The access log on procedure must not display system or application identifiers until the process has been completed. The system must display a general warning notice to users that unauthorised access is a criminal offence, and where appropriate that information within the system is subject to the requirements of the Data Protection Act.

The system owner must regularly review user access rights to maintain effective control over access to data and information services. Access rights for normal users should be reviewed on a six monthly basis and rights of privileged users on a three monthly basis.

The Trust HR department should ensure that all leavers are notified to the IT department and system owners, to ensure the prompt removal of redundant user accounts.

6.4.6 User Responsibilities

All users of organisational information processing facilities are required to follow good security practices in the selection and use of passwords. This will include:

Keeping passwords confidential, not writing passwords down or sharing them.

Changing their password immediately they suspect it has been compromised.

Ensure that unattended equipment has appropriate protection.

Leave computer terminals unattended whilst connected to the system, ensure that when a session is finished they log-out and ensure that, where available, screen saver passwords are used.

Failure to follow good security practices may lead to disciplinary action being taken against the user. Deliberate sharing of system access passwords is a criminal offence under the Computer Misuse Act 1990.

6.4.7 Access Logs/Audits

Records should be kept by the system owner of new accounts set up on the systems together with copies of the corresponding signed access forms. Similarly, the system owner should keep a record of all accounts deactivated, which should be cross referenced with HR leavers records in order to ensure that accounts are deactivated in a timely manner when a member of staff leaves the organisation. Where possible, unsuccessful log on attempts must be limited to three; all unsuccessful logon attempts to the system after the third attempt must be recorded.

6.4.8 Security Requirements of New Systems

It is the responsibility of the Information Governance Officer and the IT Security Manager to provide advice on the appropriate security requirements for information systems and best practice for implementation, and where necessary to liaise with partner Organisations and Connecting for Health (CfH) to ensure that a coherent approach has been adopted. A number of system requirements are set out in the IG Systems Checklist.

Individual system owners are responsible for ensuring that appropriate security requirements have been included in system specifications for new systems and system upgrades, and to ensure that all modifications to systems are logged and up to date documentation exists for their systems.

The Trust must ensure that statements of business requirements for new systems, or enhancements to existing systems specify the security controls required for that system. Security requirements should be based on the classifications of information assets to be held within the system and take into account relevant legislation and guidance and an appropriate risk assessment.

6.4.9 Security in Application Systems

Application systems should wherever possible validate input to ensure that it is correct and appropriate, and should consider the following controls:

Out-of-range values and invalid characters.

Missing or incomplete data.

Periodic review of the content of key fields or data files to confirm their validity and inspecting hard copy input documents for any unauthorised changes.

Defining responsibilities of staff involved in the input process.

Validation checks should be incorporated into the system in order to detect corruption of data that has been correctly input, accidentally or deliberately, during processing.

6.4.10 Security of System Files

All modifications to the system, including changes, updates and servicing of hardware as well as software must be conducted with the security of the overall system in mind.

6.4.11 Security in Development and Support Processes

Changes to systems must be assessed under a formal change control system. This must include an assessment of the change’s impact on existing security. A record of all changes made must be maintained, and must include: the identity of the person making the change, details of the changes made, other systems affected, date and time of the change and test results. When changes to operating systems are performed, application security should be reviewed to ensure no adverse impact on existing security.

Access to data should wherever practical be limited to anonymised data and must be authorised by the data owner. Copies of data must retain the same levels of security and access controls as the original data. Live data must not be used for testing, training or demonstration purposes.

6.5 Breaches of the policy

Violations of the provisions of the policy will be handled under the Trust’s existing Personnel Policies.

6.6 Policy Review and Evaluation

6.6.1 The policy will be reviewed in response to any changes affecting the basis of the original risk assessment, e.g. significant security incidents, new vulnerabilities or changes to the Trust organisation or technical infrastructure.

6.6.2 There will additionally be an annual review of the following:

a) the policy’s effectiveness, demonstrated by the nature, number and impact of recorded security incidents;

b) cost and impact of controls on business efficiency;

c) effects of changes to technology.

6.7 Remote Access to Gateshead Network from Home

6.7.1 Teleworking

Introduction

In exceptional circumstances the Trust may consider remote access to certain critical systems from home for suitable members of staff. By using remote access, many organisations allow staff to perform duties from home that they would otherwise carry out in an office-based environment. This can bring significant benefits to both the Trust and its staff. Examples of these benefits include:

a) flexibility for staff (particularly those with young children);

b) improvements in productivity and staff morale;

c) reductions in travel time and cost;

d) more effective use of office space.

Teleworking i.e. home access to the Trust network, uses communications technology to enable staff to work remotely from a fixed location outside of the Trust. Suitable protection of the teleworking site should be in place against, for example, the theft of equipment and information, the unauthorised disclosure of information, unauthorised remote access to the Trust’s internal systems or misuse of facilities. It is important that teleworking is both authorised and controlled by management, and that suitable arrangements are in place for this way of working.

Procedures and Standards

Procedures and standards to control teleworking activities must be in place. Management should only authorise teleworking activities if they are satisfied that appropriate security arrangements and controls are in place and that these comply with the Trust’s IT Security Policy and IT Security Guidelines. The following should be considered:

a) the existing physical security of the teleworking site, taking into account the physical security of the building and the local environment;

b) the proposed teleworking environment;

c) the communications security requirements, taking into account the need for remote access to the Trust’s internal systems, the sensitivity of the information that will be accessed and passed over the communication link and the sensitivity of the internal system;

d) the threat of unauthorised access to information or resources from other people using the accommodation, e.g. family and friends.

Controls

The controls and arrangements to be considered include:

a) the provision of suitable equipment and storage furniture for the teleworking activities;

b) a definition of the work permitted, the hours of work, the classification of information that may be held and the internal systems and services that the teleworker is authorised to access;

c) the provision of suitable communication equipment, including methods for securing remote access;

d) physical security of the location housing the equipment;

e) rules and guidance on family and visitor access to equipment and information;

f) the provision of hardware and software support and maintenance;

g) the procedures for back-up and business continuity;

h) audit and security monitoring;

i) revocation of authority, access rights and the return of equipment when the teleworking activities cease.

6.7.2 PC Systems

Minimum Specification

Any PC system used for Teleworking must meet the Trust standards for:

a) Anti virus (AV) protection – the PC must be protected using McAfee virus protection software, or other software approved by the IT Security Manager. In all cases the AV software must be the current version and must be updated with the latest DAT files;

b) Acceptable use of e-mail and the Internet (see the Trust E-mail, Internet and Intranet Acceptable Use Policy);

c) Management of patient-identifiable information (see the Trust Information Security Policy);

d) Management of other confidential information;

e) Securing the Trust’s information and ensuring data integrity. To this end, encryption software must be installed on any PC holding personal identifiable information or other information of a confidential nature.

6.7.3 Request for Home Access

Request for Access

All requests for home access to the Trust network must be directed to the IT Services Department and be accompanied by a completed checklist (see Appendix A). Any request for access must be signed off by the line manager of the member of staff. They must be aware of the considerations laid down in this policy and ensure that the person requesting access is also aware of these. The IT Services Department will use the information provided to assess suitability for the provision of a home connection, and the most appropriate technology to be used for that connection.

Approval

If the request is approved, the IT Services Department will complete the checklist by specifying the connection technology and equipment required. The costs for the provision of service will also be given.

NB: All costs associated with the provision and operation of a home connection will be the responsibility of the requesting Department/Directorate.

6.8 Mobile Access to Gateshead Network

6.8.1 Introduction

This section comprises the IT Security policy for Mobile Computer systems. For the purposes of this document, Mobile Computers are defined as Laptop and Notebook computers. The security of Digital devices such as Personal Digital Assistants (PDAs), Palmtops, and Advanced Mobile Phones etc. is NOT covered in this section but can be found in the Removable Media section.


6.8.2 Security Measures

a) Personnel Security

Only authorised staff may access and use Mobile Computer Systems. Mobile computers are not provided for personal and recreational use. Persons accessing data and using it for medical purposes should afford all material stored and processed on these systems adequate protection.

b) Physical/Hardware Security

The following guidelines should always be adhered to by the user of the Mobile Computer:

Treat the Mobile Computer as if it is your own property

The Mobile Computer must be securely locked away when not in use. If storage facilities are not available for the Mobile Computer then, where possible, the Hard Drive should be removed and stored securely.

Mobile Computer security is the responsibility of the member of staff who is using it at all times.

If you have and use a Mobile Computer security cable, keep one key with you and the other in a secure separate location.

Do not leave the Mobile Computer unattended in a public place e.g. car park

Do not leave your Strong Authentication token (if applicable) in the same location as the Mobile Computer.

Do not keep password details in the same location as the Mobile Computer.

Avoid leaving the Mobile Computer within sight of ground floor windows or within easy access of external doors.

c) Strong Authentication

Remote access to Gateshead Health Foundation Trust network must always be strongly authenticated. It is considered best practice for two-factor authentication to be used when controlling access to a Remote Access Virtual Private Network (VPN). Where remote access to the Trust network is approved, the IT Department will provide the appropriate means to connect to the network using two-factor authentication.

All requests for access to the Trust network on a mobile computer must be directed to the IT Services Department and be accompanied by a completed checklist (see Appendix A). Any request for access must be signed off by the line manager of the member of staff. They must be aware of the considerations laid down in this policy and ensure that the person requesting access is also aware of these. The IT Services Department will use the information provided to assess suitability for the provision of a home connection, and the most appropriate technology to be used for that connection.

If the request is approved, the IT Services Department will specify the connection technology and equipment required. The costs for the provision of service will also be given. All costs associated with the provision and operation of remote access will be the responsibility of the requesting Department/Directorate.

d) Software Security

Mobile users are not authorised to load any software onto the Mobile Computer system. Software must be loaded by the IT Department. Software must not be downloaded from the Internet and must not be loaded onto systems containing personal identifiable information. Software obtained illegally will not be loaded onto Mobile Computer Systems.

e) Virus Control

The Mobile Computer System must have an Anti-Virus software package installed. Users are not to alter the configuration of this package unless express permission has been obtained from the IT Security Manager. The anti-virus system’s database of virus definitions must be updated on a regular basis.

If a virus is discovered the following actions must be carried out:

a. Turn the Computer off.
b. Place a label over the switch and floppy drive stating that the machine has a virus infection and should not be used.
c. Isolate any removable media that has been used on that machine.
d. Inform the IT Security Manager.

f) Security of Data

Password Security

Password security is the responsibility of the individual. Passwords should be formulated in such a way that they are easily remembered but difficult to guess, using letters (upper and lower case), figures and other characters. Passwords must consist of a minimum of 6 characters. Passwords must not be shared amongst users. Passwords must not be written down. Passwords should not relate to the system or the user. Passwords must be changed regularly, at intervals not exceeding 60 days.

Hardware Security

Standard operating system password protection is very limited. The following measures should be taken before the Mobile Computer is taken off site.

The Trust encryption software package must be used to protect the data if the machine is lost or stolen.

The use of other third party software applications to protect both the system and the data contained on it should be considered.

g) Internet/e-mail

The Mobile Computer has been provided by the organisation for use off site. It should be noted that the Internet is an uncontrolled, unmanaged and largely unsupported global network. It is a source of much valuable information, not least in the area of Healthcare; however, it is also an unrestricted source of much illegal and illicit material. Additionally, it has a large recreational attraction.

No illicit or illegal material will be viewed, downloaded or obtained via the Internet or E-mail.

Any material downloaded must be automatically virus checked immediately by the Mobile Computer’s anti-virus software.

The user will make their system available at any time for audit by the local IT Department.

Breaches of security, abuse of service or non-compliance with the Trust Code of Connection may result in the withdrawal of all network services including internet and E-mail.

h) Maintenance

Maintenance is to be controlled by the IT Department Desktop Support team in conjunction with the IT Security Manager. All equipment that requires repair or maintenance must be returned to the IT Department. If the hard disk has failed and the maintenance engineer is required to replace it with a new device then the old hard disk must be disposed of in a secure manner so that it is impossible to recover any data from it. If the hardware is returned to the supplier for repair it must have patient sensitive/confidential information removed from it in a manner whereby the data cannot be recovered. A note of all serial numbers should be taken including the hard disk. If the hard disk is irreparable the old hard disk must be returned for destruction.

6.8.3 Losses and Confidentiality/Security breaches

Incidents that constitute a Loss of Hardware or Data, which could potentially lead to a breach of personal identifiable information are to be reported directly to the IT Security Manager. The IT Security Manager will instigate investigation procedures to try and establish the nature and potential threat of the incident.

Incidents could involve:

a. Loss of Hardware.
b. Loss of Software/Data.
c. Virus attack.
d. Unauthorised access.
e. Misuse of System/Privileges.

6.8.4 Accounting and Audit

The software and information held on Mobile Computer Systems is subject to the same audit procedures as the Trust Computer Systems. This also covers information and data stored on removable media.

6.9 Use of Removable Media

6.9.1 Introduction

a) Purpose

The purpose of this section is to define the security standards that removable media deployed on networks and computer systems connected to Gateshead Health NHS Foundation Trust network must meet.

b) Scope

This section deals with media handling requirements to secure Gateshead Health NHS Foundation Trust network boundaries, internal and external.

c) Objectives

This section aims to provide security guidance to Gateshead Health NHS Foundation Trust staff to ensure that the risks associated with the use of removable media and networks are subject to the appropriate level of security controls to prevent damage to assets and interruptions to business activities.

6.9.2 Overview

a) What is Removable Media

Removable media can be classified as any portable device which can be used to store and/or move data. Media devices traditionally come in various shapes and forms: Universal Serial Bus (USB) memory sticks, floppy disks, read/write compact disks (CD), magnetic tapes and cassettes, Bluetooth capable devices, mobile phones with picture or video capabilities, iPads, Personal Digital Assistants (PDAs), Blackberrys and portable music players. In short, removable media is anything you can copy, save or write data to which can then be taken away and restored on another computer or network.

b) What are the threats associated with Removable Media

Disclosure of confidential data could occur if a CD or USB memory stick, for example, fell into the wrong hands. Most forms of removable media require no form of authentication or configuration to install or use. USB memory sticks tend to make use of “plug and play” technologies to get up and running and generally do not require any administrator privileges to install. Computer users are able to save vast amounts of data onto these high capacity media devices and can very easily transport data, and possibly unwittingly malware, between PC systems and associated networks. Users need to be educated with regard to the possible virus issues that removable media brings to the Trust network and computers, so as to manage the risk.

6.9.3 Requirements

a) Management of removable computer media

The following controls have been implemented, so as to prevent damage, theft or unauthorised access to NHS data:

Only NHS owned and managed media should be used with NHS equipment and networks. No personal or non-NHS removable media should be used.

The Trust Removable Media encryption software will ensure all devices are encrypted.

All USB memory devices will be encrypted prior to being issued.

Any data written to CD will be automatically encrypted by the Trust Removable Media software.

Patient Identifiable Information must be protected by encryption using the CfH recommended algorithm with the correct bit strength when stored on electronic removable media. This information should only be saved on such media if there is a business need to do so.

Any device which is capable of having a power-on password should have this enabled and where possible should be encrypted.

If the media is no longer required by the organisation, the previous contents of any re-usable media that are to be removed should be forensically erased. The erasure must operate across the totality of the media. The IT Security Manager can advise on how this can be carried out. Careless disposal of media could enable confidential information to fall into unauthorised hands.

Authorisation to remove media from the Trust should be required prior to its removal. A record should be made of such removals to maintain an audit trail. Any routine removals, such as off-site backup storage should be documented in the local Security Policy.

All media should be stored in a safe, secure environment in line with the manufacturer’s recommendations. Media safes, with appropriate fire resistance, should be used for business critical data.

“On Access” anti-virus scanner controls should be configured on servers and workstations to check for removable media devices. Rather than scanning whole systems, on-access scanners scan files and other objects, such as removable media and their associated drives when they are accessed. Access is not allowed to such objects until they have been checked by the scanner.

Any removable media which relies on an operating system e.g. Windows Mobile on a PDA, should be returned to the IT Department on a regular basis to check for updates required. The time interval for these checks should not exceed 6 months. All staff who are issued this type of device are to be made aware of this requirement.

Blackberry operating system updates will be carried out when required via the update facility on the Blackberry Enterprise Server.

6.9.4 Legal Requirements

a) Data Protection Act 1998

Principle 7 of the Data Protection Act 1998 states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Given the speed at which removable media is being developed or enhanced, organisations must therefore have the capability to deal with their introduction into the working environment, i.e. change control. The Office of the Information Commissioner has clearly stated that organisations are responsible for information that is held not only on equipment held by them, but also on personal equipment that they know is being used by their staff. The use of mobile phones with picture capability has been reported in the press within the NHS, with examples of equipment purchased by the organisation and where individuals have used their own personal equipment. This therefore poses clear legal issues as well as fundamental records management issues which are likely to impact on Trust equipment as part of the resolution.

6.10 Network Security

6.10.1 Introduction

This section defines the Network Security Policy for Gateshead Health Foundation NHS Trust. The Network Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support the network. This section:

a. Sets out the organisation's policy for the protection of the confidentiality, integrity and availability of the network.
b. Establishes the security responsibilities for network security.
c. Provides reference to documentation relevant to this policy.

6.10.2 Aim

The aim of this policy is to ensure the security of Gateshead Health Foundation NHS Trust's network. By doing this the Trust will:

a. Ensure Availability
b. Ensure that the network is for users.
c. Preserve Integrity
d. Protect the network from unauthorised or accidental modification ensuring the accuracy and completeness of the organisation's assets.
e. Preserve Confidentiality
f. Protect assets against unauthorised disclosure.

6.10.3 Network definition

The network is a collection of communication equipment such as servers, computers, printers, and modems, which has been connected together by cables. The network is created to share data, software, and peripherals such as printers, modems, fax machines, Internet connections, CD-ROM and tape drives, hard disks and other data storage equipment.

6.10.4 Scope

This applies to all networks within Gateshead Health Foundation NHS Trust used for:

a. The storage, sharing and transmission of non-clinical data and images
b. The storage, sharing and transmission of clinical data and images
c. Printing or scanning non-clinical or clinical data or images
d. The provision of Internet systems for receiving, sending and storing non-clinical or clinical data or images

6.10.5 The Network Security Policy

The overall Network Security Policy for Gateshead Health NHS Foundation Trust is described below:

The Gateshead Health NHS Foundation Trust information network will be available when needed, can be accessed only by legitimate users and will contain complete and accurate information. The network must also be able to withstand or recover from threats to its availability, integrity and confidentiality.

To satisfy this, Gateshead Health NHS Foundation Trust will undertake the following. Gateshead Health NHS Foundation Trust will:

a. Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical measures.
b. Provide both effective and cost-effective protection that is commensurate with the risks to its network assets.
c. Implement the Network Security Policy in a consistent, timely and cost effective manner.

6.10.6 Physical and Environmental Security

a. Network computer equipment will be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment that is monitored for temperature, humidity and power supply quality.

b. Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls.

c. Critical or sensitive network equipment will be protected from power supply failures.

d. Smoking, eating and drinking is forbidden in areas housing critical or sensitive network equipment.

e. All visitors to secure network areas must be authorised by the Data Comms Manager.

f. All visitors to secure network areas must be made aware of network security requirements.

g. All visitors to secure network areas must be logged in and out. The log will contain name, organisation, purpose of visit, date, and time in and out.

h. The Data Comms Manager will ensure that all relevant staff are made aware of procedures for visitors and that visitors are escorted, when necessary.

6.10.7 Access Control to Secure Network Areas

Entry to secure areas housing critical or sensitive network equipment will be restricted to those whose job requires it. The Data Comms Manager will maintain and periodically review a list of those with unsupervised access.

6.10.8 Access Control to the Network

a. Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access to the network will conform to the Remote Access section of this Policy (para 3).

b. There must be a formal, documented user registration and de-registration procedure for access to the network.

c. Departmental managers must approve user access.

d. Access rights to the network will be allocated on the requirements of the user's job, rather than on a status basis.

e. Security privileges (i.e. 'superuser' or network administrator rights) to the network will be allocated on the requirements of the user's job, rather than on a status basis.

f. Access will not be granted until the Directory & Security Manager registers a user.

g. All users to the network will have their own individual user identification and password.

h. Users are responsible for ensuring their password is kept secret (see User Responsibilities).

i. User access rights will be immediately removed or reviewed for those users who have left the Trust or changed jobs.

6.10.9 Third Party Access Control to the Network

a. Third party access to the network will be based on a formal contract that satisfies all necessary NHS security conditions.

b. All third party access to the network must be logged.

6.10.10 External Network Connections

a. Ensure that all connections to external networks and systems have documented and approved System Security Policies.

b. Ensure that all connections to external networks and systems conform to the NHS-wide Network Security Policy, Code of Connection and supporting guidance.

c. The IT Security Officer and Data Comms Manager must approve all connections to external networks and systems before they commence operation.

6.10.11 Maintenance Contracts

The Data Comms Manager will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment. All contract details will constitute part of the IT Department's Configuration Management database.

6.10.12 Data and Software Exchange

Formal agreements for the exchange of data and software between organisations must be established and approved by the IT Security Officer.

6.10.13 Fault Logging

The Data Comms Manager is responsible for ensuring that a log of all faults on the network is maintained and reviewed. This log will be maintained in the IT Department Service Desk application. A written procedure to report faults and review countermeasures will be produced.

6.10.14 Network Operating Procedures

a. Documented operating procedures should be prepared for the operation of the network, to ensure its correct, secure operation.

b. Changes to operating procedures must be authorised by the IT Department Change Advisory Board.

6.10.15 Data Backup and Restoration

a. The Data Comms Manager is responsible for ensuring that backup copies of network configuration data are taken regularly.

b. Documented procedures for the backup process and storage of backup tapes will be produced and communicated to all relevant staff.

c. All backup tapes will be stored securely and in a separate fire zone to the equipment or system to which it relates.

d. Documented procedures for the safe and secure disposal of backup media will be produced and communicated to all relevant staff.

6.10.16 User Responsibilities, Awareness & Training

a. The Trust will ensure that all users of the network are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities.

b. All users of the network must be made aware of the contents and implications of the Network Security Policy.

c. Irresponsible or improper actions by users may result in disciplinary action(s).

6.10.17 Malicious Software

The network must be protected from viruses and other malicious software through use of measures including firewall, anti-virus and email filters.

6.10.18 Secure Disposal or Re-use of Equipment

a. Where equipment is being disposed of, IT Department staff must ensure that all data on the equipment (e.g. on hard disks or tapes) is securely overwritten. Where this is not possible IT Department staff should physically destroy the disk or tape.

b. Ensure that where disks are to be removed from the premises for repair, where possible, the data is securely overwritten or the equipment de-gaussed by the IT Department.

6.10.19 System Change Control

a. All changes to any aspect of the network (configuration, equipment, operation etc) are controlled through the IT Department Change Advisory Board. This is chaired by the Change Manager, and where relevant the IT Security Officer will attend to review any security-related changes. The Data Comms Manager is responsible for updating all relevant Network Security Policies, design documentation and network operating procedures.

b. The IT Security Officer may require checks on, or an assessment of the actual implementation based on the proposed changes.

c. The IT Security Officer is responsible for ensuring that selected hardware or software meets agreed security standards.

6.10.20 Reporting Security Incidents & Weaknesses

All potential security breaches must be investigated and reported to the IT Security Officer. Security incidents and weaknesses must be reported in accordance with the requirements of the organisation's incident reporting procedure, including where appropriate in the Datix incident logging system, or, if individuals are involved, the Personnel Department.

6.10.21 System Configuration Management

The network configuration will be documented and all devices and systems managed through the IT Department Service Desk Configuration Management Database.

6.10.22 Business Continuity & Disaster Recovery Plans

Ensure that business continuity plans and disaster recovery plans are produced for the network.

6.10.23 Security Responsibilities

a. The Chief Executive has delegated the overall responsibility for security, policy and implementation to the Head of IT.

b. Responsibility for implementing this policy within the context of IT systems development and use in the organisation is delegated further to the IT Security Officer.

6.10.24 Guidelines

Detailed advice on how to determine and implement an appropriate level of security is available from the IT Security Officer.

6.11 Legal requirements

Users of all systems must comply with current legislation regarding the use and retention of Patient information and use of computer systems. These include, but are not limited to:

a. The Data Protection Act, 1998.
b. Access to Health Records Act, 1990.
c. The Copyright, Designs and Patents Act, 1988.
d. The Computer Misuse Act, 1990.
e. The Human Rights Act 1998
f. Electronic Communications Act 2000
g. Regulation of Investigatory Powers Act 2000
h. Freedom of Information Act 2000
i. Health & Social Care Act 2001

7.0 Training

Training for the use of Trust IT equipment/systems is carried out by the relevant teams. Information Security Training is carried out by the Information Governance team.

8.0 Equality and Diversity

The Trust is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on any grounds. Reasonable adjustments can be made to ensure disabled staff and people with other health conditions can utilise the system.

9.0 Monitoring Compliance with the Policy

| Standard/process/issue | Monitoring and audit: Method | By | Committee | Frequency |
|---|---|---|---|---|
| Policy Compliance | Review of Datix incidents | | Confidentiality and Data Protection Group | Monthly |
| Service desk Incidents | Assigned to IT Directory Services Team | Directory Services Team | | When reported |

10.0 Consultation and Review

Health Informatics Assurance Committee

11.0 Implementation of Policy (Including Raising Awareness)

This Policy will be published as per normal policies and circulated as per standard. This Policy will be available at all the Trust’s designated locations.

12.0 Associated documentation

OP17 Internet, Intranet and Email Acceptable Use Policy
OP58 Anti Virus Policy
IG06 Confidentiality & DP Policy

Appendix A - Checklist for Home/Remote Access

In order to be able to have access you must have the following –

For anything other than access to email only, a Trust Laptop with wireless and pointsec encryption installed.

For working at home, a broadband internet connection with a wireless router.

Authorisation from your Head of Service or Head of Department.

Please complete the following checklist -

Do you have equipment as detailed above? Yes/No

Does your position require you to provide on-call services which use IT systems? Yes/No

What does your position require you to be able to access?

Email □

Email + Office Applications □

Do you frequently work away from the Trust in locations other than home which requires access to the Trust IT systems? Yes/No

Do you frequently do work from home which requires access to the trust IT systems? Yes/No

Does your position require you to be able to access Trust IT systems from home in order to respond to emergency situations? Yes/No

If home working will be a regular occurrence, has advice been sought from the Occupational Health department? Yes/No

Any further requirements: ………………………………

I have read and understand the IT Security and Information Security Policies and agree to abide by them and the Trust’s Internet, Intranet and E-mail Acceptable Use Policies while using a remote connection. I also agree to ensure that, if dealing with Personal Identifiable Information I will deal with it and protect it in accordance with all relevant Trust Policies and Procedures.

First Name: ............. Surname: ............. Department: .............

Authorised by Head of Service or Head of Department:

I confirm that the above member of staff has a requirement for home/remote access to the Trust network and that the procedures, standards and controls contained within the IT Security Policy have been considered and adhered to. I also confirm that they have read and understood the relevant trust policies and in particular the IT Security Policy, Information Security Policy and the Internet, Intranet and E-mail acceptable use policies.

Name ………………

Job Title ………………

Signature ………………

Date ………………

For IT Services Department use

Request for access approved? Yes/No

Technology recommended:

Equipment Required:

