IM&T SECURITY POLICY (Corporate)

Transcription

1 IM&T SECURITY POLICY (Corporate) POLICY NO RATIFYING COMMITTEE IT02 Corporate Document Review Group DATE RATIFIED 16/12/2013 Interim Review Dec 2015 NEXT REVIEW DATE February 2016 POLICY STATEMENT: Mersey Care NHS Trust recognises the importance of a structured, coherent and secure information system and associated systems used to manipulate, communicate and store this information to enable the Trust to conduct its business in a structured and secure manner and in accordance with national and local policies. ACCOUNTABLE DIRECTOR: Executive Director Resources POLICY AUTHOR: IT Security Manager KEY POLICY ISSUES To identify and secure all Trust assets To ensure a secure and reliable system for the transference, manipulation and storage of Trust information Identify and comply with national policies, laws and legislations This policy is also available in other formats upon request Version Date Author Approved by Ratified by 1 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

2 V1.7 October 2013 IT Security Manager SIRO Corporate Policy Review Group V1.4 July 2012 V1.5 October 2012 V1.6 July 2013 B Davis B Davis IT Security Consultant IGC Joint SIRO/Information Governance & Caldicott Committee Meeting Corporate Policy Review Group 2 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

3 Table of Contents Introduction... 5 Rational... 5 Scope... 5 Principles... 5 Laws legislations and guidelines... 6 Information confidentiality... 7 Policy Personal Use... 8 Confidentiality... 8 Housekeeping... 9 Use of Terms of use Spam and Junk Virus Checking Content Filtering Investigation Requests Internet Internet Use Personal Use Internet Security Monitoring Reporting Internet content filtering Internet Use Investigation Requests Remote Working and Mobile devices Site security IT Server and Communications Rooms Desktop Computer Security Virus Protection Network Security Access to National Application New I.T. Systems System access levels Safe Haven Disposal of I.T. Equipment and Media Password Management Network Account Management Account creation IM&T Security Policy (Corporate) v1.7, Review Date October 2015

4 Account deletion Service Users Security incident handling Incident Classification Reporting an incident Responding to an incident Corporate Procedure Business Continuity Training Duties and Responsibilities Monitoring and Compliance Development & Consultation Process Reference Documents Bibliography Glossary Appendices Caldicott Guidelines Computer misuse Act PROCEDURE FOR THE USE OF INTERNET BY SERVICE USERS IM&T Security Policy (Corporate) v1.7, Review Date October 2015

5 Introduction Rational The IM&T Security policy has been put in place for the following reasons Mersey Care NHS Trust (from hereon known as the Trust ) recognises the importance of its information and information systems used for the transference, manipulation and storage of information to ensure business continuity. The security of users and cares information is paramount to the Trust business function. Through this policy, government laws and legislations (see section 5 Reference Documents) the Trust will identify and adopt structured security procedures for the Trust s information systems. To ensure the Availability: that is, ensure that assets are available as and when required adhering to the Trust s business objectives To preserve integrity: that is, protect assets from unauthorized or accidental modification ensuring the accuracy and completeness of the Trust s assets To preserve Confidentiality: that is, protecting information from unauthorized access and disclosure. Trust Staff are bound by the confidentiality and security policies set by the NHS, and by the common law duty to maintain confidentiality concerning the data and information they use as part of their everyday work within the NHS. Scope All information that is created, processed, stored or transmitted or received during the course of the Trust s business activity is an asset of the organisation and as such is governed by this policy and the Confidentiality NHS Code of Practice (see section 5 Reference documents). This policy applies to all Trust employees or other persons working for the Trust or whilst engaged on or involved in any Trust business and service users while using the Trust s computers. The policy applies to all Trust sites and places of work (including home) that are used to conduct the Trust business. This policy must be adhered to at all times. Failure to comply with this policy may lead to the Trust s disciplinary policy being invoked. Principles The term Information can be defined as a collection of facts or data and for the purpose of this policy information includes 5 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

6 Information stored on computers. Transmitted across networks. Information that is retrieved, accessed, transmitted to/received from other organisations using the following mediums 1. Networks (Local or Wide) (including Internet and remote access) 2. Fax machines and any other communications media. Printed out or written on paper Please refer to the Trust policy on and Procedure for Filing within Health Records on the Trust web site olicies_and_procedures.aspx Stored on disk, tape or any other electronic or optical media Recorded on video tape Please refer to the Trust s policy on CCTV on the Trust s web site olicies_and_procedures.aspx Also included are verbal communications and any other methods used to convey knowledge and ideas relating to the Trust or its business. This policy also applies to information relating to the Trust s which is held by members of staff on any external media or devices (see sections & 2.6.3) Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations. Laws legislations and guidelines Due to the nature of the Trust s business, the Trust must comply with but not limited to the following laws, legislations and guidelines The Data Protection Act 1998 The Freedom of information act The Computer Misuse Act 1990 The Caldicott Guidelines Confidentiality NHS Code of Practice Access to Health Records Act 1990 Electronic Communications Act 2000 NHS Connecting For Health Good Practice Guidelines 6 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

7 For more information on the above laws, legislations and guidelines see section 5 reference documents. Information confidentiality Keep all confidential information secure, use it only for the purposes intended and do not disclose to any unauthorised third party. If a document is highly confidential or sensitive in nature, you must store it in a private directory or an equivalent password protected directory. It should be noted that documents in common directories can be accessed by other employees. All data stored within the Trust is subject to the Data Protection Act Any person copying data from a source and storing it on a Home network drive will need to adhere to the Act s stated principles with that data, in particular: Principle 2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. Principle 4. Personal data shall be accurate and, where necessary, kept up to date. Principle 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Copies of confidential information should only be printed out as necessary, retrieved from the printer immediately and stored or destroyed in an appropriate manner (see section of the Health Records Policy olicies_and_procedures.aspx Staff who roam between the standard environment and High Secure need to be aware at all times of what printers they have set. It is unacceptable to print High Secure documentation to a standard environment printer and vice versa. Clinically confidential information is part of the Health Record and should be transferred to the appropriate electronic or paper based system (Please refer to the Trust policy and procedure for Health Records) olicies_and_procedures.aspx Do not leave documents containing Trust patient / staff information open on any monitor. Always logout or lock from any computer when leaving your desk or lock your computer. When possible position your monitor as to not let other members of staff over see what is on your screen. 7 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

8 Any documents containing any PID (patient identifiable information) must not be saved to the workstation or device s local storage (e.g. C drive), USB devices, CD/DVD/Blu-Ray, Memory Card or any other external storage devices (even those that are encrypted), unless via an approved methodology Policy This security policy covers all Trust owned I.T. systems and information communicated and managed by these IT systems. The Trust employs the use of to facilitate its business objectives. There are two systems available to the Trust Microsoft Outlook This is used for day to day communications of non secure information and is set up as part of the account request process. Sensitive mail can be manually encrypted to any external recipient. NHS.net . This is accessed on N3 and can be requested from the IT service desk. The use of Personal Internet is permitted during break times and rest periods with agreement of your service lead. Staff should be aware that all internet activity is monitored as detailed in section Internet is only for personal use. Trust related s and attachments or anything that is considered sensitive or would bring the Trust into disrepute is prohibited. Failure to comply with this usage the trust reserves the right to invoke the disciplinary policy. Personal Use Although personal use of Trust facilities is discouraged, limited personal use will be permitted provided that the content of messages is appropriate, i.e. is not likely to cause offence or used for personal business for financial gain and that your line manager has agreed to its use. Employees should regard this facility as a privilege that should normally be exercised in their own time without detriment to the job and not abused. Inappropriate use may result in disciplinary action and/or removal of facilities. However, staff should be aware that both private and business use of will be subject to monitoring. Confidentiality Confidentiality can be compromised, when using systems. However, NHS Mail is a secure network within the boundaries of its own users. So sending an using an NHS Mail account to another NHS Mail account or any GSI account (GSi domains that are secure for the exchange of patient data are:.x.gsi.gov.uk;.gsi.gov.uk;.gse.gov.uk;.gsx.gov.uk;.pnn.police.uk;.cjsm.net;.scn.gov.uk;.gcsx.gov.uk,.mod.uk) is considered secure for confidential information. NHS Mail accounts are always in the format of 8 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

9 @NHS.NET. The trust also has the facility to encrypt s from outlook to any external address. Secure s only as secure as the person sending the ; if an is sent to the wrong person then that person can read the , there are no security systems in place to stop the being read if sent to the wrong recipient. When communicating patient related data the minimum amount of patient identifiable information necessary must be used. It is good practice to use the new NHS Number to identify the patient. All staff must seek advice from the Information Governance department regarding sending confidential information via The principles of the Data Protection Act 1998 and the Caldicott guidelines should be adhered to at all times (see section 5 reference documents & 8.1 Caldicott guidelines). Housekeeping The amount of in the personal Inbox must be kept to a minimum. Non essential work related s should be deleted after reading, response, or action. Saved s must be reviewed on a monthly basis and deleted when no longer required. It is good practice to move s that need to be saved to a personal folder. The same housekeeping rules apply to Sent Items. Care must be taken when sending file attachments as these are typically large and may cause network congestion. File attachments must only be sent when necessary and must be deleted as soon as is practicable. Users are responsible for their own housekeeping. Staff should refrain from sending s with inserted graphics or multimedia or large attachments unless absolutely necessary as these s tend to take up a lot of space on the system. After a period of time attachments will be archived outside the mail system and the attachment will link to the original attachment itself. This is to conserve working space on the mail systems. Use of The Trust uses technologies and policies to control who has access to the Trust network. These policies also control who has access to the systems. Expressly agree with the recipient that the use of is an acceptable form of communication bearing in mind that if the material is confidential, privileged, or sensitive, Outlook normally is un-encrypted and is not secure unless specifically manually encrypted. Some intended recipients may have rigorous gateway protocols (or firewalls) which can automatically screen all incoming for content and source. If this is the case, consider whether this means of communication is appropriate. All s are checked for viruses (see section 3.4) and content (see section 3.5) 9 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

10 Terms of use Mersey Care NHS Trust s main purpose in providing IT facilities for is to support the approved business activities of the Trust. IT facilities provided by the Trust for should not be abused. An absolute definition of abuse is difficult to achieve but certainly includes (but is not necessarily limited to): Creation or transmission of material that could bring the Trust into disrepute. Creation or transmission of material that is illegal. The transmission of unsolicited commercial or advertising material, chain letters, press releases or other junk-mail of any kind. The unauthorised transmission to a third party of confidential material concerning the activities of the Trust. The transmission of material such that this infringes the copyright of another person, including intellectual property rights. Activities that unreasonably waste staff effort or networked resources, or activities that unreasonably serves to deny service to other users. Activities that corrupt or destroy other users' data or disrupt the work of other users. Unreasonable or excessive personal use. Creation or transmission of any offensive, obscene or indecent images, data or other material. Creation or transmission of material that is designed or likely to cause annoyance, inconvenience or anxiety. Creation or transmission of material that is abusive or threatening to others, serves to harass or bully others, discriminates or encourages discrimination on racial or ethnic grounds, or on grounds of gender, sexual orientation, marital status and disability, political or religious beliefs. Creation or transmission of defamatory material or material that includes claims of a deceptive nature. Activities that violate the privacy of others or unfairly criticise, misrepresent others; this includes copying distribution to other individuals. Creation or transmission of anonymous messages or deliberately forging messages or header information, (i.e. without clear identification of the sender) The deliberate unauthorised access to services and facilities. 10 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

11 The unauthorised provision of access to Trust services and facilities by third parties. Spam and Junk Spam can be defined as "the mass electronic distribution of unsolicited to individual accounts". Junk mail is usually a result of spamming. In reality spam and junk mail are regarded as interlinked problems. The Trust maintains an content management system (gateway) which filters junk , any mail reaching the gateways which has been marked as Junk mail will be quarantined on the gateway and not delivered. The Trust is constantly striving to improve its Junk mail detection mechanisms but unfortunately no system is 100% and occasionally Junk will evade the detection process and be delivered. Conversely some mail may be tagged as junk mail but is legitimate.(9) Virus Checking Computer viruses, Trojan horses and worms are collectively known as malware. The most common method for distributing malware is via . All communication passing through the Trust s servers is checked for malware. Checking strategies include: refusing messages containing executable attachments, scanning messages for known malware or a combination of both techniques. Messages containing malware will be retained for a limited time for administrative reasons. The sender of such messages will be informed of the viral content of their . A similar message will be sent to the administrator(s) of the gateways. Content Filtering is filtered at the message gateway for both inbound and outbound mail, content filtering is in use to stop the exchange of viruses, chain letters, spam etc. The network bandwidth between the Trust message gateway and the N3 s (10) relay server is limited and the Trust needs to ensure that legitimate business related is delivered as a priority. To accomplish this, the message gateway attempts to blocks messages that contain (or are likely to contain) non-business attachments, movies, pictures, sound files etc. The Trust s content filtering system is configured to reply to internal users informing them that their message has been blocked, detailing the reason for the block and advising on the actions required to have the message released. Investigation Requests Two forms of Investigations are available and should be requested via the Information Security Manager by logging a call with the Service Desk. A basic summary of compliance in line with the Trust s acceptable use of policy statements can be requested. This will need authorising from a Line Director or from the Investigating officer in the case of an ongoing HR investigation. 11 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

12 A full investigation can be requested, but will only be accepted if it forms part of a HR investigation. The HR investigation terms of reference would have to be compatible with analysis. Internet The Trust employs the use of the internet as a communications medium to facilitate its business function. Access to the internet is controlled through network security. Any person or persons accessing the Internet via the Trust s network will be considered to have read, understood and accepted the IM&T Security policy. Any service user accessing the internet via the Trust network will have to comply with this policy and the service user internet use policy (See section 8.3 service user internet use policy). A copy of the service user internet use policy can be requested from the IT service desk and will be sent to the service user s professional health carer who will be responsible for ensuring the service user is aware of the policy content before access to the internet is allowed. The purpose of this document is to define the environment under which full or partial access to the Internet may be granted from a workstation or device attached to the Mersey Care Local Network. To clarify the Trust's policy regarding staff use of the Internet. To mitigate the organisation's exposure to potential liability. To minimise the risk of Internet borne security threats through the promotion of staff awareness and good practice. To encourage the most effective and positive use of the Internet as an information resource. Heads of Departments will be responsible for ensuring that users are aware of and conform to the practices laid out in this document. The internet is a source of information and knowledge of infinite range but offers no guarantee of accuracy, reliability and authenticity. The following internet resource guidelines must be adhered to. FTP (File Transfer Protocol) used to transfer data from and to different sources. FTP access must not be used unless appropriate authorization has been granted. The FTP connection has to be set up by Informatics Merseyside. TELNET (direct connection to other computers) TELNET access must not be used unless appropriate authorization has been granted and Informatics Merseyside has set up the TELNET session. 12 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

13 Discussion, news group and blogging sites The membership of special interest groups is not private and, the fact that a member belonged to the Trust would be easily apparent and could be used to generate adverse publicity therefore the use of Trust accounts must not be used for registering with internet sites for personal business use including but not limited to EBay, TESCO home shopping and holiday sites. The Trust reserves the right to investigate any use that may bring the trust into disrepute. Social Media It is recognised that Social Media is becoming an important channel for effective communication and as such viewing access is permitted during break and rest periods via agreement with your line manager Please ensure the Social Networking Security Standard is read and understood as part of this policy Social Networking Security Standard SS01 Internet Use When entering an internet site, always read and comply with the terms and conditions governing its use; Do not download any images, text or material that is copyright protected other than for private study (see section 5 Reference Documents Copyright, Designs & Patents Act 1988) Do not download any images, text or material that are obscene or likely to cause offence; You must not download or install any software. If you want to download or install any software, first seek permission from the Informatics Merseyside. Service Desk. Informatics Merseyside. will check that the source is safe. Informatics Merseyside. (13)is also responsible for keeping a record of the licences for all software used in Mersey Care NHS Trust, including whether the software was free or paid for. If you are involved in creating, amending or deleting our web pages or content on our web sites, such work should be consistent with your responsibilities and be in our best interests. Always ensure that the proper vetting procedures have been complied with and the information is accurate and up-to-date. Personal Use The Trust has made arrangements for the Internet to be used for the purposes of their business. The facility can be used for employees personal use at the discretion of the user's line manager and during a time agreed by that manager. The Internet may also be used for educational purposes if this is identified as a necessary requirement for the development of that particular member of staff. 13 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

14 Any abuse of this concession or failure to adhere to the terms under which such access is granted will be treated as a disciplinary offence. Please ensure that your personal use of the internet: Does not interfere with the performance of your duties; Does not take priority over your work responsibilities; Does not incur unwarranted expense on the Trust; Does not have a negative impact on the Trust in any way; and is lawful and complies with this policy. Is conducted during official breaks and outside working hours. Is not used for personal business or financial gain Any user found to be using the NHS Internet connection for conducting personal business activities will be subject to disciplinary action under the Trust s disciplinary process. Internet Security The Internet is not a secure transport medium for information. Under no circumstances must Trust carer/user identifiable information be sent via the Internet unless advice has been requested and permission given from Informatics Merseyside, head of department or the IM&T security manager. Any attempt to gain unauthorised access to the Internet will be treated as a disciplinary offence (see section 5 reference documents The Computer Misuse Act), and be dealt with under the Trust s disciplinarily procedures. The internet must never be accessed via any separate device (laptop type or mobile internet enabled device). The internet must only be accessed via the Trust network and only accessed via a Trust owned/approved computer or device. (14) All Trust staff are responsible for the security of the workstation they accessed the internet from. After using the workstation all staff must logout, if a breach of security is identified, the user s account that the offence occurred under will be investigated. Due to the nature of the Trust s business, access to what might be recognised by the Trust and the third party company who supports the internet content filtering as unsavoury sites may need to be accessed for research purposes, for this reason the Trust has set up different levels of internet access from level 1 (only basic access) through to level 4 (full access). Any user who needs level 4 access must get the appropriate authorisation from the head of their directorate. Monitoring All internet traffic is monitored and controlled 24 hours a day for network bandwidth, security purposes and content control. 14 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

15 The systems used to monitor internet traffic are used to generate usage reports. These reports contain the following information User name. Sites accessed. Time spent accessing the internet and individual sites. Amount of information accessed. These access reports will be reviewed on regular bases for audit purposes. Reporting If a member of staff feels that they have accidentally accessed an inappropriate internet site should report this matter to the IT service desk as soon as possible. All Trust staff has a responsibility to report any security incidents or suspected security incidents or any security vulnerabilities to the Trust s systems or information to the IT systems security manager. Internet content filtering All internet traffic is checked for content via the Trust s internet content management system. The content management system checks for illegal or immoral sites, all access to these sites will be blocked; other sites which are blocked will include but are not limited to Gambling sites Adult content Games sites Crime/Terrorism Music Downloads The system is updated by a third party company therefore the Trust cannot be held accountable if any service users / carers get access to internet sites of an unsavory or dubious nature. If any Trust staff feels they have access to any of the above mentioned sites they must report this to the IT service desk immediately. Internet Use Investigation Requests Investigations summarising Internet Use can be requested via the Information Security Manager by logging a call with the Service Desk. The request needs to be authorised by either a Line Director or from the Investigating officer in the case of an ongoing HR investigation. The HR investigation terms of reference would have to be compatible w ith internet usage analysis. 15 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

16 Remote Working and Mobile devices Current Health and Social Care models of delivery are such that staff may need to access Trust information from a location that is not their normal work base. Mersey Care provides a variety of mobile devices and allow the use of mobile storage where necessary. Please ensure the Remote Working and Mobile Devices Security Standard is read and understood as part of this policy Remote Working and Mobile Device Security Standard SS02 Site security It is the responsibility of all Trust staff to make their area of work as secure as is reasonably possible. The following guidelines must be adhered to; this includes but is not limited to IT Server and Communications Rooms All Trust IT server and communications rooms must be locked at all times. This is for security and health and safety due to the fire prevention systems in use. All Staff working in the IT server room must be trained on the fire prevention systems in use. All non-trust staff must be accompanied at all times while conducting work in the server room by a member of the Informatics Merseyside. If a member of Informatics Merseyside leaves the Trust, any door code or server password know to that member of staff must be changed as soon as is reasonably possible. Desktop Computer Security Desktop security is of paramount importance to the Trust and as such Informatics Merseyside controls the following through network security. Network account Password protection Network account password change will be requested every 40 days as required by NHS guidelines. Screen saver password protection. Password protected screen savers will be activated if the computer is idle for 5 minutes. Virus protection. The Virus protection systems employed by the Trust will automatically update while the computer is attached the Trust network and actively check all open files. Access to the local hard drive C drive will not be available on Trust computers while connected to the Trust network. This will be put in place to stop the storage of trust information on the local computers. 16 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

17 The Trust has put in place a system to stop the use of USB devices, this system will record what devices are attached to the computer and can also record what type of documents have been saved to any USB device. USB ports will be restricted to only allow printers, scanners, keyboards and mice. All other USB devices will be blocked e.g. USB memory sticks (see section a), Web cams and cameras. Any user that needs to connect a USB device to a Trust computer must get permission from there manager and from Informatics Merseyside. Under no circumstances must Trust staff copy any personal or multimedia files i.e. MP3, CDA, WMA, GIF, BMP or JPEG files that are none Trust s related to any local or network drive. If files are found on Trust staffs accounts or shared drives, this will be classed as computer misuse and subject to the Trust s disciplinary process. Staff must remain vigilant at all time when working on Trust staff / patient information (see section 1.3.2) Do not use the system in any way, which may damage, overload or affect the performance of the system or the internal or external network. (16c) Use of non-trust I.T. equipment on Trust premises without authorisation from the Informatics Merseyside will be classed as computer misuse and dealt with under the Trust s disciplinary procedures. It is the users responsibility to make there area of work as secure as possible. The Trust will put in pace physical security measures to ensure the security of its assets as is reasonably possible. The Trust will have an asset management system in place to record all Trust IT assets to enable the Trust to maintain an accurate record of I.T. assets and to enable the availability of Trust systems. Virus Protection The Trust recognises the threat to its information assets through malicious programs and as such has put in place a system to check and remove viruses from the Trust network. Each workstation that is purchased from Informatics Merseyside and resides on the Trust s network will have the virus protection system installed and will be automatically updated whenever a new virus is discovered. The Trust will try to protect its assets against the threat of viruses to its best endeavours and recognises the dangers that a virus could do if not detected and removed. It is also the responsibility of all Trust staff to be vigilant and take steps to protect themselves against computer viruses. Never attach or insert any external storage media into any Trust computers without express permission from a line manager and Informatics Merseyside and having it virus-checked by Informatics Merseyside if used outside the Trust network as this will be classed as computer misuse (see section 5 reference documents & section 8.2). 17 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

18 Network Security The Trust recognises the need for a secure and reliable system to transfer Trust information. To facilitate the transference of information throughout the Trust the Trust utilises a switched based network system. All Trust network switches must comply with but are not limited to the following standards All switches must be password protected. Only members of Informatics Merseyside will have access to the switch passwords All switch passwords must be changed if a member of Informatics Merseyside leaves the Trust who has had access to the switch passwords. All switches must be located in a secure location (see section 2.4.1) All Trust external network traffic containing patient / carer information should be encrypted. Access to National Application Access to most national applications will be via a smart card. Smartcards will only be issued to people who have been sponsored for access to national applications and the Trust Registration Authority have setup and issued the smartcard. All smartcard holders must comply with but not limited to the following statements. The smartcard can only be used on Trust premises (or authorised remote users) The issued smartcard must not be used for anything other than access to the national applications. All smartcards must be kept in a safe place at all times. Never give your smartcard password (PIN number) to any other person. Further information relating to access to national applications and smart cards will become available on the Trust web site. The Registration Authority process is outside the scope of this policy and will be covered under the Registration Authority policy. New I.T. Systems To aid business continuity the Trust will have to implement new systems or update old systems. Any new IT based systems installed on the Trust network or stand alone systems must be implemented as part of a recognised and structured IT project. Any IT based systems requested by any department must be in collaboration with Informatics Merseyside. This will ensure that the correct procedures are maintained for the integration of new systems regarding the location, protection and backup of any information produced or stored on or by the new systems. 18 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

19 The following are some key issues used in project planning surrounding the integration of new IT systems. Conformity To keep all Trust systems at the same or equivalent levels of standardisation. Continuity To ensure that all new IT systems are available where and when they are needed. To ensure that all processed and system dependant information is backed up in case of system failure. Security To ensure that any new systems are located in a secure location and under the correct environmental conditions i.e. air conditioned and with the correct fire suppressant systems in use. To ensure that all data produced or processed by the new system is stored in a secure location. To ensure that the correct access levels to the new system are set up and password protection is used with an audit trail of system access. Support To ensure that IT staff are trained on any new systems to allow an acceptable level of support. It is therefore vital to the Trust that Informatics Merseyside are involved with any new system from the planning and procurement to the implementation and support of any new IT based systems and to ensure that any new application comply to NHS Policies and guidelines. System access levels The Trust employs many different systems to facilitate its business function. Most systems will have different access levels which could allow users access to different levels of patient / carer information or access at an administration level. The Trust reserves the right to add, remove or change access to applications or systems to facilitate the Trust s business functions. Access levels to Trust systems will be maintained by Informatics Merseyside using a secure and structured approach (see section 2.8). This allows for a clear and concise audit trail of all access requests. Access to systems outside the administrational control of Informatics Merseyside will be controlled by the companies, department or persons supporting these systems. Request for access or change of access must be via the companies, department or persons supporting these systems. 19 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

20 Safe Haven The Trust has a safe haven room to allow staff access to sensitive information in a secure environment. This will allow staff to use a fax machine, telephone and printer in a private and secure designated room. Disposal of I.T. Equipment and Media The Trust will dispose of its assets in a controlled and secure manor and in line with CFH guidelines document NPFIT-FNT-TO-IG-GPG (see section 5 reference documents) Password Management Passwords are confidential information and must be treated as such. A password is only as secure as the person who knows it and as such the following standards must be adhered to: Keep your system passwords safe. Do not disclose them to anyone. You will be forced to change your passwords from time to time for security purposes and inline with NHS guidelines. Network passwords must be a minimum of 8 characters and at least one character should be none alphabetic. Should be easy to remember but difficult to guess. Should not relate to information that is known to other members of staff. Each user is responsible for maintaining the security of their individual login and password. Staff must not share their user name or password with anyone. Must not be written down unless kept in a sealed envelope and locked in a drawer. Each user is responsible for maintaining the security of their individual login and password. If a breach of security is recorded under your login the burden of proof will be on you to show that you are not responsible for the breach. All passwords should be changed at regular intervals when requested by the system. This should be no less than 40 days If a password is forgotten the following steps must be taken; Use the self service password reset function. If not available: 20 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

21 The member of staff must get their line manager to the IT service desk requesting a password change. Alternatively the line manager can use the Service desk web form The IT service desk will then the line manager with a new password. The line manager must convey the password to the member of staff in person. This policy only covers passwords that are used for access to systems that have been installed and are maintained by the Trust Informatics Merseyside.. Any passwords used for clinical or other computer based systems will be the responsibility of the companies, departments or persons supporting these systems and must be inline with NHS requirements. Network Account Management All IT network accounts will be created and maintained by Informatics Merseyside. Regular network audits will be conducted to check account assignments and user rights are being maintained. The Trust employs the use of disk quotas (predefined amount of space for computer account storage). Informatics Merseyside have set a limit of 300MB per user s account. If this limit is reached the user will be notified by the network management system. The member of staff can request a further 100MB of space from the IT service desk. User accounts must only have the minimum rights assigned to allow the users to conduct Trust business functions. Access to shared files must be requested by the user s manager using the shared drive request form Account creation All new network accounts must be requested by the user s manager using the new account request form from the Trust s web site. Account deletion When a member of staff leaves the Trust, their line manager must inform the IT service desk via an sent from the managers account. The leavers account must then be disabled immediately and all access rights removed. The account will remain on the network for 2 months after being disabled. The account must then be deleted and any information containing PID (Patient identifiable information) created under this account stored for a further 30 years in line with Records Management NHS Code of Practicehttp:// 21 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

22 Service Users The Trust has an obligation to supply training to its service users / patients and as such this training will be conducted on Trust computers which reside on the Trust network. This policy applies to any persons including but not limited to service users / patients. Service users / patients must be supervised at all time while using Trust computers. Any misuse of Trust computers by the service user / patient will be the responsibility of the person or persons supervising the service users / patient. The policy and procedures for setting up service users / patients and their access to the internet is covered in section 8.3 service user internet user policy. Security incident handling The Trust recognises the risk of an incident occurring involving Trust I.T. systems and as such has put in place the following IT security incident handling procedures. An I.T. Security Incident can be described as any situation involving Information Technology systems or information that is stored, manipulated or communicated by or through these systems being affected in an adverse way either through controlled or uncontrolled circumstances which could result in: Loss, damage or theft of information Disclosure of confidential information to unauthorised persons The integrity of I.T. systems or information being put at risk Availability of I.T. systems or information being put at risk The Trust recognises the importance of all I.T. related security incidents being handled using a structured, coherent and proven method, ensuring all incidents are handled in a consistent manner. All IT related incidents will be processed through the Trust s Adverse Incidents Department to keep continuity on the handling of all incidents within the Trust. Incident Classification The Trust s Adverse Incident department are responsible for classifying incidents. There are four levels of seriousness from D being least serious to A being most serious (see section 7.2 Reference documents Policy & Procedure for the Reporting, Management and Review of Adverse Incidents appendix 2). These classes are measured using the Adverse Incident Classification Matrix. Classification of I.T. incidents under the Adverse Incidents classification matrix Class D incidents can include but are not limited to: Inappropriate use of Inappropriate use of internet access not causing the Trust any financial or adverse publicity 22 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

23 Equipment failure with no loss of information or impact on Trust business functions. Class C incidents can include but are not limited to: Equipment failure which leads to service disruption Class B incidents can include but are not limited to: Loss of data, Illegal attempts to access trust networked services or breaches of information policies. Class A incidents can include but are not limited to: Permanent loss of data with failed backup or restore function. It is important to remember that although an incident class is initially decided by the Adverse Incidents Department the incident class can be changed after an investigation into an incident. Depending on the different types of incidents and their severity the following is a guideline on the actions that should be taken following an I.T. security related incident. Reporting an incident 1. All I.T. security related incidents must be reported to the Adverse Incidents Department using the Adverse Incidents form. The form must be completed by the person who discovered the incident or who is affected by the incident. The form must be completed and sent within 24 hours of the incident occurring and sent directly to the Adverse Incidents Department. 2. The Adverse Incidents Department will progress the incident inline with the POLICY & PROCEDURE FOR THE REPORTING, MANAGEMENT AND REVIEW OF ADVERSE INCIDENTS. The incident must be recorded on the Trust incident management system (DATIX system) 3. The Adverse Incidents Department will then report all I.T. security related incidents to the I.T. Security Manager via or phone who will log the incident on the service desk call logging system. 4. If the incident was caused through a malicious act, the Adverse Incidents Department will contact the member of staff s (who was responsible for the incident) line manager and will request that they contact the member of staff s HR manager who will progress the incident further and in line with HR procedures. Any further action will be taken up by the HR department under HR policies and procedures Responding to an incident 1. The I.T. Security Manager will contact theservice Delivery Manager and the member of staff s manager to discuss the incident. 2. The I.T. Security Manager will contact the line manager to discuss the incident in relation to How the incident occurred How the incident will be resolved 23 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

24 Actions needed to stop any future reoccurrence of the incident. 3. The I.T. Service Desk will issue communications to all staff affected by an incident causing a service interruption. 4. If there has been loss, damage or theft to patient information the I.T. Security Manager will contact the Service Governance Department and the Caldicott Guardian. 5. If it is decided that access to I.T. systems needs to be removed, a request must come from the member of staff s manager or head of directorate unless there is a direct threat to the Trust systems, in which case the I.T. Security Manager or Operations Manager will authorise the removal of I.T. resources from the member of staff with immediate affect. 6. When an incident involving computer misuse occurs the I.T. Security Manager must investigate the member of staff s computer and / or computer accessories to collect any evidence needed for legal proceedings. 7. The I.T. department reserve the right to disconnect and disable a user s account if it is suspected that they are in breach of the IM&T Security policy pending an investigation. Examples of I.T. security related incidents as stated in the Computer Misuse Act 1990 and IM&T security policy Misuse of or internet access Use of another person's ID and password in order to: o Access a computer, use data or run a program o To alter, delete, copy, or move a program or data, or simply to output a program or data; or to lay a trap to obtain a password. Unauthorised access to a computer system with intent to commit or facilitate the commission of a further offence Disclosure of confidential information to any unauthorised persons Risk to information due to system integrity Loss, Theft of or damage to I.T. systems. Corporate Procedure This policy will be implemented through compliance with statuary requirements and legal obligations (see section 5 reference documents) and NHSIA and CfH guidelines and Caldicott guidelines (see section 8.1). 24 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

25 Through annual policy reviews, training in IT security awareness and IT security reviews. Business Continuity The Trust is aware that some form of disaster may occur, and as such, all directorates will implement and regularly update a business continuity management process to counteract interruptions to normal activity and to protect critical processes from the effects of failures or damage to vital services or facilities. Training The Trust will endeavor to train or supply training to all IT personnel on IT systems in use within the Trust. Extra training for IT staff to include security awareness relating IT systems will also be made available due to increasing security risks surrounding IT systems. The Trust will supply training to cares on software used within the Trust to facilitate the Trust s business functions. Duties and Responsibilities Director of Finance The Director of Finance as the accountable officer is responsible for the management of IM& T Security and for ensuring appropriate mechanisms are in place to comply with Information Governance/ IT Securiy and all current legislation. IT Security Manager The Trust s IT Security Manager has a particular responsibility in ensuring that a robust framework to comply with all legislation is in place across the Trust. It is the responsibility of the IT Security Manager to ensure that every member of staff within the Trust complies with all requirements of the IM & T Security policy, which is driven by various legislation and guidelines issued by the Department of Health and other sources. Information Governance Committee The Information Governance Committee ensures the Trust operates within the Information Governance framework and reports to the Integrated Governance Committee. Senior Managers It is the responsibility for all Senior Managers to ensure that staff work within the boundaries of the Trust policies and procedures and are aware of their responsibilities. All staff All employees of the Trust, or staff working in a voluntary capacity, independent contractors must adhere to the current legislative framework and Trust policies. 25 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

26 Monitoring and Compliance. The policy will be monitored for effectiveness by measurement of the number of reported IT security Incidents and also the IT Security linked IG Toolkit compliance scoring Development & Consultation Process The Policy has been developed by the IT Operations Manager and the IT Security Manager. The Policy has been reviewed by the Organizational Lead for IT This policy will be under continual development and consultation due to the nature of Information technology and its constant evolvement with the introduction of new technologies. The policy will also be reviewed on a yearly basis. Reference Documents Confidentiality NHS Code of Practice ISO The Data Protection Act The Health & Safety Act The Freedom of Information Act The Computer Misuse Act The Caldicott Guidelines Copyright, Designs & Patents Act Access to Health Records Act The Human Rights Act Electronic Communications Act (19) CFH Guidelines on the disposal and destruction of sensitive data 26 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

27 NHS CFH (20) CFH Good Practice Guidelines Mersey Care NHS Trust Policies Bibliography Confidentiality NHS Code of Practice CfH Guidelines on the disposal and destruction of sensitive data The Data Protection Act 1990 Information technology 'Code of practice for information security management' BS ISO/IEC 17799:2000 NHSIA Sysops CfH Good Practice Guidelines Glossary BES BMP CDA CfH FTP GIF Informatics Merseyside. JPEG LAN MP3 N3 NHS Net NPfIT PDA PID Secure Token TELNET VPN WAN WMA Blackberry Enterprise Server Bitmap / Picture files Compact Disk Audio / Music file Connecting for Health File Transport Protocol Graphics Interchange Format / Picture file Health Informatics Service Joint Photographic Experts Group / Picture file Local Area Network Moving Picture Experts Group Layer-3 Audio / Video / Audio file New NHS National network NHS Network National Program for Information Technology Personal Digital Assistant Patient Identifiable Information Device that creates a secure password. Telecommunications Network Virtual Private Network Wide Area Network Windows Media Audio/ Video Audio file 27 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

28 Appendices Caldicott Guidelines The Caldicott Report (December 1997) was a review commissioned by the Chief Medical Officer to make recommendations to improve the way the National Health Service handles and protects patient information. The Caldicott Committee was set up to review the confidentiality and flows of data throughout the NHS for purposes other than direct care, medical research or where there is a statutory requirement for information. Its recommendations are now being put into practice throughout the NHS and in the Health Protection Agency. The Caldicott report identified 6 principles, similar in many respects to the principles outlined in the Data Protection Act. 1. Justify the purpose(s) for using patient data 2. Don't use patient-identifiable information unless it is absolutely necessary. 3. Use the minimum necessary patient-identifiable information 4. Access to patient-identifiable information should be on a strict need to know basis. 5. Everyone should be aware of their responsibilities to maintain confidentiality. 6. Understand and comply with the law, in particular the Data Protection Act. Computer misuse Act 1990 For your information, the following activities are criminal offences under the Computer Misuse Act 1990: Unauthorised access to computer material i.e. hacking; Unauthorised modification of computer material; and Unauthorised access with intent to commit/facilitate the commission of further offences For further information regarding the Computer Misuse Act 1990 see section 5 reference documents. 28 IM&T Security Policy (Corporate) v1.7, Review Date October 2015

29 PROCEDURE FOR THE USE OF INTERNET BY SERVICE USERS Final Version 01/07/2012 PROCEDURE STATEMENT: The organization regards the use of the Internet by Service Users as an important tool to facilitate education, learning and development. All line managers and staff need to be aware of their responsibilities when allowing Service Users access to the Trust Internet facility and ensure they and Service Users comply with this procedure and relevant trust policy. ACCOUNTABLE DIRECTOR: Director of Service Users and Carers PROCEDURE AUTHOR: Robin Clout 29 IM&T Security Policy (Corporate) v1.7, Review Date October 2015