INFORMATION SECURITY POLICY

YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU
CEREDIGION AND MID WALES NHS TRUST

INFORMATION SECURITY POLICY

Author: Head of IT
Original Date: September 2003
This Revision: December 2006
Next Review Date: December 2009
Review Body: IM&T Steering Group
Approved by: Management Board
Date of Approval: January 2007
Policy Number: IMT02
Classification: IM&T
Equality impact: Low
Equality assessment done: No

Information Security Policy

Contents

1. Introduction
2. Context
3. Framework of Policies
4. Scope
5. Roles and Responsibilities
   5.1 Chief Executive
   5.2 Director of Finance
   5.3 Director of Nursing and Patient Services
   5.4 Head of IM&T
   5.5 Head of IT
   5.6 Head of Information and Health Records Manager
   5.7 Directors and Department Heads
   5.8 All Staff
6. Information Security
   6.1 Defining Security Roles
   6.2 Confidentiality and Data Protection Agreements
   6.3 IT Assets Accountability and Access
   6.4 Information Security Classifications
   6.5 Access to IT Server Rooms
   6.6 PC and Equipment Security
   6.7 IM&T Infrastructure Operations
   6.8 Management of IM&T Security Incidents
   6.9 IM&T Procurement
   6.10 Protection from Viruses
   6.11 Data Back-up
   6.12 Information Sharing
   6.13 User Access Control
   6.14 Computer Access Control
   6.15 Application Access Control
       Information access restriction
       System utilities access restriction
   6.16 Data Validation
   6.17 Business Continuity and Disaster Recovery Planning
   6.18 Compliance
   6.19 Risk Assessment
   6.20 Internet Use
   6.21 Miscellaneous
Training and Awareness
Equality
Review
Monitoring
Discipline ... 16
Appendix A ... 17
   Computer Users Security Responsibilities ... 17
   Line Managers Security Responsibilities ... 18
   Directors and Senior Managers Security Responsibilities ... 19
Appendix B Referenced Trust Documents ... 20
Appendix C Trust Systems Access Request ... 21

Information Security Policy Page 2 of 21

1. Introduction

The issue of information security and the security of the IM&T systems is of increasing importance to NHS organisations. Ceredigion and Mid Wales NHS Trust holds and manages a great deal of information, much of it personal and confidential, without which it could not function. The purpose of information security is to enable information to be shared between those who need to use it while protecting information from unauthorised access and loss.

The Trust places a very high importance on the security of information that it maintains and processes. This Information Security Policy provides a framework of policies, procedures and controls to ensure a secure operating environment.

The NHS IM&T Security Manual was issued to organisations throughout the NHS as the definitive guidance to the management of IM&T security matters. The manual was produced in the knowledge of, and is compatible with, the British Standards Institute standard BS7799 Code of Practice for Information Systems Security. This manual was produced to ensure that:

- IM&T systems in the NHS are properly assessed for security
- Appropriate levels of security maintain the confidentiality, integrity and availability of information and information systems
- All staff are aware of the limits of their authority and their accountability
- A means is established to communicate appropriate guidance on these issues

This policy has been developed to protect the organisation from hazards and threats, and to ensure that the valuable information held in information systems is secure from accidental or deliberate unauthorised modification or disclosure. The security policy is intended to preserve the confidentiality, integrity and availability of data:

- Confidentiality is the limitation of data access to those with specified Trust authority to view the data.
- Integrity is the requirement to ensure that all system assets are operating correctly according to specification and in the way the current users believe they should be operating.
- Availability is the requirement to ensure that information is delivered to the right person when it is needed.

2. Context

Information and IT security is governed by EU directives, UK legislation, nationally recognised standards and NHS guidance. The most significant legislation in this area is:

- EU Directive on Protection of Individuals 1995
- Copyright, Designs and Patents Act 1988
- Access to Medical Records Act 1990
- Computer Misuse Act 1990
- The Caldicott Committee Report on the Review of Patient Identifiable Information (1997)
- The Data Protection Act 1998
- WHC(2000)071 For the Record: Managing Records in NHS Trusts and Health Authorities
- Freedom of Information Act 2000
- Regulation of Investigatory Powers Act 2000
- WHC(2002)036 Implementation of BS7799 standards (BS7799 has been replaced by ISO 27001:2005 and ISO 17799:2005)
- Common Law Duty of Confidentiality

While this policy specifically mentions the above information and IT related Acts of Parliament and EU Directives, it should also be considered that the Trust is bound by many other Acts and Directives, such as:

- The Health and Safety at Work Act
- Freedom of Information Act 2000
- The Protection of Children Act 1999
- Mental Health Act 1983
- National Health Service and Community Care Act 1990
- The NHS Primary Care Act

3. Framework of Policies

The following policies are referred to within this policy and must be adhered to in order to ensure appropriate, adequate information security is provided:

- IM&T Procurement Policy
- Disposal of PC and Printer Equipment Policy
- IT Helpdesk Policy
- Disposal of Media Policy
- PC Security Policy
- Website Content Policy
- E-mail Policy
- Internet Policy
- Virus Protection Policy
- IT Server Room Policy
- Firewall Access and Static IP Address Policy
- Safe Use of Videoconferencing Equipment Policy
- Data Protection Policy
- Confidentiality Policy
- Records Management Strategy

4. Scope

This policy applies to all employees of the Trust in all locations, including the Non-Executive Directors, temporary employees, locums, students and contracted staff.

The Information and IT Security Policy statement applies to all forms of information, including but not limited to that stored on computers, transmitted across networks, printed on paper or other media, stored on tapes or disks or other electronic media, sent via e-mails and stored on databases.

5. Roles and Responsibilities

5.1 Chief Executive

They are ultimately responsible for ensuring that information and IT systems in use are secure and protected in accordance with national and local standards, and for ensuring that information and IT security standards are implemented effectively.

5.2 Director of Finance

The postholder is the Executive lead for information, IT and records management issues.

5.3 Director of Nursing and Patient Services

They are nominated as the Caldicott Guardian in line with WHC(99)092. The Caldicott Guardian has a particular responsibility for reflecting patients' interests regarding the use of patient identifiable information. They are responsible for ensuring patient identifiable information is shared in an appropriate and secure manner.

5.4 Head of IM&T

The Head of IM&T is the Trust's Information Security Manager (ISM) and has overall responsibility for maintaining and implementing the Trust's Information Security Policy and the management and implementation of IM&T security. The ISM is also responsible for:

- Identifying information systems and physical and logical sets of data.
- Assigning an owner to the information system and the physical and logical sets of data.
- Ensuring appropriate business continuity and disaster recovery plans, including Secure Operating Procedures and System Security Procedures, are in place for all Trust IM&T systems.
- Ensuring each system under the control of the Trust has a current system security policy.
- With regard to risk assessment countermeasures, ensuring implementation is effective and regularly re-examined.

5.5 Head of IT

The Head of IT is the Trust's IT Security Officer (ITSO) and the Data Protection Lead and as a result will:

- Advise on the access to and security of major IT assets
- Monitor the effectiveness of IT security within the Trust
- Receive, consider and where necessary action reports on IT security incidents
- Plan, manage, record and test backups of all systems located on servers within the IT server rooms
- Make regular checks of the backup log to ensure the system is robust
- Ensure fireproof data storage is available to the Trust
- Retain a record of all IM&T security agreement forms (IM&T1As)
- Assist system managers with security of their systems

As Data Protection Lead:

- Ensure the Trust's registration is up to date and maintained
- Advise the Trust on issues related to Data Protection, confidentiality and information sharing
- Be the signatory for release of complaints information for lay panel review
- Be the signatory for research proposals

5.6 Head of Information and Health Records Manager

This postholder is the Trust's Information Management Security Officer and as a result will:

- Ensure data quality standards are maintained for the Trust's health records and patient administration system
- Ensure any relevant information processing standards are adhered to
- Ensure information held on the Trust's patient administration system is validated

5.7 Directors and Department Heads

In addition to the roles and responsibilities outlined above, the Director or Head of each department has the responsibility for the protection of IM&T assets within the directorate or department. Similarly, the Director or Head of department also has the responsibility for the performance of specific security processes or activities which relate to the system(s) for which he/she has responsibility.

5.8 All Staff

All staff are to adhere to this policy and to the appropriate responsibilities outlined in Appendix A. Staff are personally responsible for ensuring no breach of information security results from their actions. All those requiring access to IT systems must complete the IM&T1A form in Appendix C.

6. Information Security

6.1 Defining Security Roles

Security will be addressed at the recruitment stage, be included in job descriptions and contracts, and be monitored during employment by the Line Manager. Job definitions will define security roles and responsibilities as laid down in the Trust's Information Security Policy and associated IM&T policies.

Managers will ensure that where a staff member is required to use IM&T, they are briefed, according to their responsibilities, on the Trust's Information Security Policy and associated legislation. Staff will also be made aware of conduct and disciplinary procedures which may be invoked should a breach of security arise.

An Information Management and Technology Security Policy Agreement Form (IM&T1A) must be filled in, signed by the Line Manager, and returned to the IT department before any of the Trust's IM&T assets can be used by a new employee. The form is a declaration that the new employee has read and understood the Information Security Policy and associated IM&T policies, and agrees to abide by said policies.

Each member of staff is personally accountable for the function s/he performs. It is essential that significant work performed by a key individual can be taken over by someone else in the event of the unavailability of the key person. Dependence on key people can be reduced by the use of clear documentation. Expertise should be shared and, for critical systems, training should be given to at least two people so that in the absence of one, the other may pick up work in the critical area.

IM&T security privileges and access rights should be allocated on the basis of the specific job function. Systems Managers are responsible for ensuring that procedures are in place to manage access to systems under their responsibility; these procedures need to be agreed with the ISM to ensure compatibility with Trust security obligations and standards. These procedures should form part of the Secure Operating Procedures (SOP) and Systems Security Procedure (SSP).

Contract and temporary staff are to be informed of the IM&T security procedures and treated in the same way as permanent staff. They are to sign the Information Management and Technology Security Policy Agreement Form (IM&T1A).

6.2 Confidentiality and Data Protection Agreements

This is currently controlled by the Recruitment Process. A Data Protection and Confidentiality clause is written into this process and fulfils the Trust's legal responsibilities. For additional information regarding confidentiality and Data Protection arrangements, see the Confidentiality Policy (CP1) and the Data Protection Policy (CP15).

Only those users who, as a result of their role, require access to person identifiable health data should be allowed to access such data. Where possible, patient data must be anonymised.

Identifiable patient information - The number and type of health related data items which could allow identification of an individual should be reduced to the minimum essential for the purpose if not anonymised.

Access limitation principles - Authority to access identifiable patient information must be in accordance with:

- The Caldicott Committee Report on the Review of Patient Identifiable Information
- The Data Protection Act

There should be locally agreed arrangements for ensuring that patients are personally made aware of the purposes to which information about them may be put, as well as the ways in which they can exercise choice.

Sharing patient information - Identifiable patient information must not be shared with people who are not authorised to see it. Also refer to section 6.12 of this policy.

Local policy - Using the national guidelines published in The Protection and Use of Patient Information, the Trust needs to establish its own local policy on the use of identifiable patient information. The Trust policy on the protection of patient information must be:

- Drawn to the attention of all staff,
- Drawn to the attention of other bodies providing or working in conjunction with the Trust (e.g. GPs, NHS Trusts etc.) and, where necessary, discussed or agreed with them,
- Subject to monitoring and audit.

6.3 IT Assets Accountability and Access

All major assets should be accounted for and have a nominated owner for security purposes. Nominated owners need to be registered with the ITSO. Nominated owners should be responsible for maintaining appropriate security measures. Responsibility for implementing security measures may be delegated, but accountability should remain with the nominated owner of the asset.

Physical access to major IT assets as outlined previously in this policy is the responsibility of the relevant Systems Manager, but must conform to the minimum standard as required in ISO/IEC 17799:2005 and ISO/IEC 27001:2005, and should form part of the Secure Operating Procedure (SOP) and Systems Security Policy (SSP). The ISM (or a delegated representative) reserves the right to audit this without notice. Further advice can be sought from the ITSO.

6.4 Information Security Classifications

Information security classifications will be used to indicate the level and priority of security protection. These classifications are:

1. Extremely sensitive (class 1), where data held is of a highly sensitive nature and where security is at the highest level, e.g. data relating to specific patients in highly sensitive specialities (GUM, Mental Health). Class 1 data is normally required to be processed on formally accredited systems. Such data will not normally be committed to NHS Messaging Systems (NHS-wide networking programme). In the event the NHS produces a specific system for carrying class 1 data messages then it may be utilised as appropriate. Such systems will be used in accordance with system specific guidelines. Such information may also be processed on systems that are encrypted to formally recognised NHS standards. Such systems are not normally deployed, and managers who need to process and transmit such data are therefore to check with the ITSO before commencing the work. (Appropriate countermeasures may change from time to time as new technology is introduced. It is advisable, therefore, to check periodically for new information about appropriate standards, software and hardware.)

2. Sensitive (class 2), where data is not of the most sensitive nature but still requires strict security, e.g. all patient data in specialities other than those in class 1.

3. Ordinary (class 3), where data is not patient based but nevertheless security is required. Data in this class will normally be aggregated or lists, e.g. mailing lists, staff or GP lists.

Each logical or physical set of data should, for security purposes, be assigned an owner. The owner will be responsible for:

- Identifying all the data within the area of responsibility
- Specifying how the data can be used
- Agreeing how the data can be used
- Agreeing who can use the data
- Agreeing what type of access each user is allowed
- Determining the classification (class 1, 2 or 3) of the data
- Reviewing the classification
- Approving appropriate security protection
- Ensuring compliance with security controls
- Ensuring compliance with legislation covering personal or medical data
- Ensuring compliance with the Data Protection Act, and that processing is included on the Data Protection Registration through the Trust Data Controller

Where data is mixed in classification the most sensitive classification will be used. The review process will check for appropriateness of classification. As over-classification may lead to unnecessary expense, review should be carried out periodically. For example, where data has been made public it ceases to be sensitive.

Unless specifically identified in this inventory of assets, equipment sited within a department or directorate will be the responsibility of the director or head of that department. This will generally mean that the responsibility for security of PCs (including processor and monitor), printers and similar client based equipment will rest within the directorate where the IT is held and used.

All information that requires a Class 1 (extremely sensitive) classification must be identified, and each Directorate needs to take appropriate steps to ensure its security and confidentiality. Directorate managers will be the Confidentiality Custodians of Class 1 information held within their Directorates. All other information should be deemed to be Class 2/3 confidential.

Security measures appropriate to the sensitivity of the data must be put in place by the designated Systems Manager; the appropriate level of security must be sought from the ISM and Caldicott Guardian. Directorates or departments who have the majority of use of an application and similar software will be identified as the systems manager, and an appropriate individual would need to be identified for this role. The same directorate or department will also own the data which results from the use of it.

To comply with the Caldicott recommendations the Director of Nursing was appointed as the Caldicott Guardian for Ceredigion and Mid Wales NHS Trust.

6.5 Access to IT Server Rooms

This is covered by the IT Server Rooms Policy (IMT13).

6.6 PC and Equipment Security

This is covered in the PC Security Policy (IMT07).

6.7 IM&T Infrastructure Operations

Access to the Trust's IM&T facilities is controlled in a number of ways:

- Access to NHSnet is restricted by the NHSIA's Code of Connection, which all entities have to comply with to have access.
- Access to NHS Wales is restricted by a Firewall.
- Access to IM&T Systems is restricted by Systems Managers, by appropriate means that must be documented in Secure Operating Procedures and Systems Security Policies, and must comply with ISO/IEC 17799:2005 and ISO/IEC 27001:2005 as a minimum baseline.

The Trust is also committed to implementing a firewall of its own.

6.8 Management of IM&T Security Incidents

IM&T Security incidents must be managed in line with the Trust's current Adverse Incident Procedure. However, in addition, the ITSO must be informed immediately that an incident has occurred, either by the person reporting the incident or by the Trust's incident reporting systems manager.

6.9 IM&T Procurement

Refer to the IT Procurement Policy (IMT03). New systems are also required to comply with this policy and any other relevant Trust policies.

6.10 Protection from Viruses

This is covered in the Virus Protection Policy (IMT12).

6.11 Data Back-up

The Trust's data must be protected by clearly defined and controlled back-up procedures, which will generate data for archiving and contingency recovery purposes.

The ITSO will plan, manage, test and record backups of all systems located on servers in the IT Server rooms. The backup of systems outside of the IT Server room must be documented by the System Managers in the Secure Operating Procedure (SOP), Systems Security Procedure (SSP), Business Continuity and Disaster Recovery Plans.

All routine data backups and restores will be manually logged by IT Staff. The ITSO will check and initial the backup log at regular intervals in order to satisfy the Trust that enough tested regular backups exist to enable full recovery in the face of disaster. The backup log is to record the date and time the backup occurred or was restored and the result of the action. Logs are to be kept for five years and are subject to audit.

Archived and recovery data must be accorded the highest classification of the live data contained within. The ITSO is required to ensure sufficient fireproof data storage is available for the Trust. Media is not to be accumulated in data safes beyond the needs of the Trust for backup purposes. Surplus media is to be destroyed and the destruction recorded. This process is subject to audit and must be done in accordance with the Disposal of Media Policy (IMT06).

Backup of documents on local PC hard disks (including laptops, PDAs etc.) is the responsibility of the PC user. Documents must not be stored on local PC hard disks. It is suggested by the ITSO that documents that need to be retained at all costs should be backed up to a network server. This facility can be made available to users by contacting the IT Helpdesk. It is the Trust's long term objective to supply this service to all Trust users that are able to access the Trust's Network Infrastructure.

6.12 Information Sharing

Any information which is either patient or staff identifiable, and is shared with either other NHS organisations or third parties, needs to have an Information Sharing Agreement in place to protect the Trust's interest, both in terms of the Data Protection Act 1998 and the Caldicott Guidelines.

6.13 User Access Control

Access to computer services and to data is to be controlled on the basis of business requirements, which take account of policies for information dissemination and entitlement. There will be formal procedures to control allocation of access rights to IM&T services. Special attention is to be given to the control of allocation of privileged access rights that allow users to override system controls. Users must be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment.

A user is defined as any member of the Ceredigion and Mid Wales NHS Trust, including members of other NHS and Government organisations working specifically for the Trust and required to have access to computer systems data in the course of their duties. Access to systems will always be at the discretion of the owner, and may be subject to information sharing protocols between organisations. For the purposes of IM&T Security all users will go through the same access control procedures.

Where an external user is to work on site, and requires access to systems off site or on another site not owned by the health community, such links as are required will be subject to this policy and the policy in force at the site or on the system in question. (Links will be constructed in such a way as to be exclusive to the appropriate user and a predefined set of protocols.) Use of air gaps and firewalls will always be considered, and links will not be constructed without the express permission of the appropriate authority.

Described below is a formally documented procedure for user registration and deregistration for access to systems. This will:

- Enable the account manager to check that the user has authorisation from the system owner before providing access
- Check that the level is appropriate for the business purpose
- Ensure that access is not given until the authorisation process is complete
- Keep a register of people with permission to operate a particular system
- Assess access rights of users who change responsibilities and where necessary change to appropriate access levels
- Remove the access rights of users leaving the Trust

On recruitment, new personnel who are expected to become IM&T Users are to be sent a copy of the Information Security Policy (IMT02) and a copy of the Information Management and Technology Security Policy Agreement Form (IM&T1A). (This must be part of any welcoming documentation sent out by the Human Resources Department.) This form is to be signed and returned to the Trust ITSO. The ITSO will retain all of the organisation's Information Management and Technology Security Policy Agreement Forms (IM&T1A) for future reference.

Access rights and privileges are the responsibility of the appropriate Systems Manager. He or she is to review them annually and to log any change in permissions every time a change in the individual's circumstances arises and at the end of the employment. This process must be carried out in conjunction with the user and their appropriate Line Manager. Systems Managers will need to document all users and their appropriate access levels in the appropriate Secure Operating Procedure (SOP) document. Systems Managers will also need an appropriate sign-off procedure to authorise systems access in the first place (contact the ITSO for further guidance).

Users must be briefed on the importance of passwords and advised as to the appropriate ways of use:

- Passwords do not display on screens as they are entered.
- When allocated a new temporary password by the systems manager/administrator the user must change it immediately. The practice of using a single temporary password for new accounts is to be avoided at all times.
- On changing passwords the password system is to authenticate by re-keying the password.
- To be most effective passwords are to consist of a minimum of six characters and contain a mixture of alphabetical and numeric characters.
- User accounts must be revoked or changed on change of staff or staff resignation.
- Network operating systems will maintain a record of previously used passwords and prevent users from re-using them.

- Systems will ideally limit the number of unsuccessful log-on attempts to three, after which the unsuccessful attempt is recorded; the user must contact the IT Helpdesk before access can be re-instated.
- Users will always have their own passwords, but under some circumstances where a standalone (not networked) PC is shared, users may share passwords, unless the operating system is set up to allow multiple users. The ITSO will choose the appropriate operating systems according to the required security model.
- Where a large number of temporary staff are working in the organisation the work of adding new accounts in a timely manner may be delayed. Temporary staff, by the nature of their work, are almost always required to start work at short notice; this always causes difficulties in maintaining access control procedures, causing delays and frustration. To avoid this the ITSO may allow Line Managers to operate account sharing arrangements for a defined period to allow immediate access for a new temporary person. Line Managers must ensure that these accounts are only used until full system access is granted by the ITSO and relevant Systems Manager(s). Accounts of this type must also be logged by the Line Manager as to who is using the specific account at any given time.
- Passwords must not be written down.
- Passwords must not relate to the system or the user, although passwords must be easy to remember.
- Passwords must be set to change, where practical, every 30 days.
- The password is to be changed if unauthorised personnel know it.

6.14 Computer Access Control

Refer to the PC Security Policy (IMT07) for further details.

6.15 Application Access Control

Logical access controls should restrict access to application systems and data to authorised users. Applications should:

- Control user access to data and application system functions
- Provide protection from unauthorised access to software capable of overriding application controls

Information access restriction - Access to data should only be granted to staff that need to use the data to perform a job function. Special arrangements should be available for emergency purposes (e.g. access for technical staff or engineers), where the password should be changed at the completion of the emergency activity. All detected unauthorised attempts at access should be notified to the ITSO.

System utilities access restriction - The use of system utilities should be restricted and controlled.
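The user-account rules in section 6.13 (six-character minimum with letters and digits, no relation to the user or system name, no re-use of previous passwords, forced change of a temporary password, re-keying on change, lockout after three failed log-ons with helpdesk reinstatement, and a 30-day change cycle) can be expressed as a small set of checks. The following Python is an added illustration written for this edit; it is not part of the Trust's policy or of any Trust system. The account names, system name and dates in it are constructed, and the SHA-256 digest used to stand in for the stored password is a simplification (a production system would use a salted, slow password hash).

```python
"""Model of the section 6.13 account controls (added example, not Trust code).
Sample accounts, dates and names below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib

MIN_LENGTH = 6                          # policy: minimum of six characters
MAX_FAILED_ATTEMPTS = 3                 # policy: lock out after three failures
MAX_PASSWORD_AGE = timedelta(days=30)   # policy: change every 30 days


def _digest(password: str) -> str:
    # Stand-in for a stored password hash (assumption: a real system would
    # use a salted, slow hash rather than plain SHA-256).
    return hashlib.sha256(password.encode()).hexdigest()


def check_password_rules(password, username, system_name, history):
    """Return the list of policy rules the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than six characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("must mix letters and digits")
    for name in (username, system_name):          # must not relate to user/system
        if name and name.lower() in password.lower():
            problems.append(f"relates to '{name}'")
    if _digest(password) in history:               # previously used passwords
        problems.append("previously used")
    return problems


@dataclass
class Account:
    username: str
    system_name: str
    password_hash: str
    password_set_on: date
    must_change: bool = True        # new accounts start on a temporary password
    failed_attempts: int = 0
    locked: bool = False
    history: list = field(default_factory=list)


def new_account(username, system_name, temporary_password, today):
    acct = Account(username, system_name, _digest(temporary_password), today)
    acct.history.append(acct.password_hash)
    return acct


def log_on(acct, password, today):
    """Return 'ok', 'change-required', 'denied' or 'locked'."""
    if acct.locked:
        return "locked"                 # only the helpdesk may reinstate
    if _digest(password) != acct.password_hash:
        acct.failed_attempts += 1       # each failure is recorded
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    if acct.must_change or today - acct.password_set_on > MAX_PASSWORD_AGE:
        return "change-required"        # temporary password or older than 30 days
    return "ok"


def change_password(acct, new_password, re_keyed, today):
    """Apply the change if the re-keyed copy matches and the rules pass."""
    if new_password != re_keyed:
        return ["re-keyed password does not match"]
    problems = check_password_rules(new_password, acct.username,
                                    acct.system_name, acct.history)
    if problems:
        return problems
    acct.password_hash = _digest(new_password)
    acct.history.append(acct.password_hash)
    acct.password_set_on = today
    acct.must_change = False
    return []


def unlock_by_helpdesk(acct):
    acct.locked = False
    acct.failed_attempts = 0


def demo_scenario():
    """Walk a constructed account through the controls; returns the outcomes."""
    d = date(2007, 1, 15)                      # constructed date
    acct = new_account("jsmith", "PAS", "Temp1234", d)
    out = [log_on(acct, "Temp1234", d)]                        # change-required
    out.append(change_password(acct, "Temp1234", "Temp1234", d))  # previously used
    out.append(change_password(acct, "kite47x", "kite47y", d))    # re-key mismatch
    out.append(change_password(acct, "kite47x", "kite47x", d))    # accepted
    out.append(log_on(acct, "kite47x", d))                     # ok
    out.append(log_on(acct, "kite47x", d + timedelta(days=31)))  # change-required
    for _ in range(3):
        out.append(log_on(acct, "wrong", d))        # denied, denied, locked
    out.append(log_on(acct, "kite47x", d))           # locked even with right password
    unlock_by_helpdesk(acct)
    out.append(log_on(acct, "kite47x", d))           # ok again
    return out


if __name__ == "__main__":
    for step in demo_scenario():
        print(step)
```

Running the module prints each outcome of the scenario in turn; the "locked" result with the correct password shows why the policy routes reinstatement through the IT Helpdesk rather than letting a further attempt clear the lock.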

Control should be of the following type:

- Password protection for system utilities
- Segregation of system utilities from applications
- Restriction of use to trusted and authorised users
- Logging of the users of the system utilities and the levels of authorisation

6.16 Data Validation

Appropriate security controls, including audit trails, should be designed into application systems.

Input data validation - Controls should be designed into systems so that:

- The integrity of data is maintained through the use of reference file data and cross checking and validation
- Numbers of records, values etc. can be checked through systems
- Batch controls are included where appropriate

Rejected data should give output showing the reason for rejection and be returned to the user for correction and completion. A log should be kept of any notified losses or corruption in data.

Data Encryption - Consideration should be given to the use of data encryption techniques; however, this has not been implemented due to the differences in encryption, and national guidance is required from NAfW.

Message Authentication - Authentication techniques should be adopted where critical/confidential data is involved.

6.17 Business Continuity and Disaster Recovery Planning

There should be a process to develop and maintain appropriate plans for the speedy restoration of critical business processes and services in the event of serious business interruptions. Business continuity and disaster recovery planning should include measures to limit the consequences of any threats that are realised and to provide a resumption of essential operations as soon as required. Systems Managers are required, in conjunction with the ISM, to have business continuity plans in place and a method for annual review of these plans.

Business continuity planning process - The planning process should include the following:

- A formal documented assessment of how long users could manage without each computer system
- A formal documented assessment of how critical each system is, including the implications of its loss
- Identification and agreement of all responsibilities and emergency arrangements
- Documentation of agreed procedures and processes
- A formal assessment of the resilience of the plans and how quickly continuity will be achieved

Multiple copies of plans should be kept both on site and off site, by both the ISM and Systems Managers.

Business continuity planning framework - A framework should be in place with four components:

- Emergency procedures describing the actions to be taken following an incident which will jeopardise business operations
- Fall-back procedures for both short term and long term loss which describe the actions to be taken to move essential business activities to alternative locations
- Resumption procedures which describe the actions to be taken to return to normal full operations at the original site (e.g. defined and controlled data back-up procedures)
- A test schedule which specifies how and when the plan can be tested

Testing and updating business continuity plans - A test schedule should be drawn up for each contingency plan.

6.18 Compliance

All relevant statutory and contractual requirements should be explicitly defined and documented for each system. The controls, countermeasures and individual responsibilities to meet these requirements should be similarly defined and documented. Advice on specific legal requirements should be sought from the Trust's advisors.

Control of proprietary software copying - No copyright material should be copied without the copyright owner's consent.

Safeguarding of organisational records - Guidelines on the retention, storage, handling and disposal of medical and other records and information should be maintained. These guidelines should be aimed at protecting essential records and information from loss, destruction and falsification.

Data Protection - The Trust's Data Protection Lead will ensure that appropriate procedures are in place to meet the requirements of the Data Protection Act (1998). The system owner is responsible for ensuring that the system is registered under the Data Protection Act (1998). (This will be arranged by the Trust's Data Protection Lead.)

Prevention of misuse of IM&T facilities - Employees of the Trust and any third party users should be informed that no access to systems is permitted unless formal authorisation has been given. Failure to comply with this could be in breach of the Computer Misuse Act (1990), which identifies three criminal offences:

- Unauthorised access
- Unauthorised access with intent to commit a further serious offence
- Unauthorised modification of computer material

6.19 Risk Assessment

The security of IM&T systems should be regularly assessed. Risk assessments should be carried out in accordance with appropriate security policies and the technical platforms. IM&T facilities are to be checked for compliance with the NHS IM&T Security Manual.

15 Compliance with security policy - The ISM should ensure that each major system under the control of the Trust has a current System Security policy is subject to regular security risk assessments. The degree of detail of the risk assessment will depend on the value of the asset(s). All reports should remain confidential. Risk Assessment can be broken down into four main functions: Identification of the assets, Evaluation of the impact of an adverse event (threat) on the assets, Assessment of the likelihood of the adverse event occurring, Identification of appropriate countermeasures to protect the asset and/or limit the damage caused by an event. Countermeasures - The ISM must: Ensure that countermeasures are implemented sensibly, effectively and cost efficiently, Regularly re-examine the use of any countermeasures and their continuing suitability and effectiveness. A report should be produced following the examination Internet Use Refer to Internet Access Policy (IMT11) 6.21 Miscellaneous Intruder detection - The ITSO may deploy software that logs and warns when unexpected occurrences take place on networks and servers. Hacking tools and Network Analysers - IT Staff or sophisticated users may not deploy hacking tools or network sniffers against Trust assets without authorisation from the Head of IT. When such tools are deployed the results and any security loopholes revealed must be promptly reported to ITSO for further analysis. Network sniffers are only to be deployed for the purpose of fault finding and are not to be utilised for analysing traffic. Use of Network sniffers will be confined specifically to the network-requiring fault finding. Software Patches Care must be taken to account for all published vulnerabilities in equipment and software in use, and the recommended updates to software are to be applied by appropriate IT Staff in a timely fashion. 7. 
Training and Awareness This Policy along with the IM&T related policies will be posted on the Ceredigion and Mid Wales NHS Trust intranet and internet sites. Staff will be able to print local copies if required. Staff will be familiarised with standing instructions by: a. Attending a Trust induction course. This is an internal course, which may or may not be provided by use of an interactive multimedia training session, to be run at a frequency dependent upon demand. All staff will attend an induction course within three months of taking up employment and have refresher training annually. Training will be designed to brief staff on: Trust s Information Security Policy; Relevant legislation; Information Security Policy Page 15 of 21

16 Relevant new specific threats to IM&T. Individual accountability. Disciplinary procedures which may be involved should a breach of security arise. b. Hysbysrwrdd Periodic reminders about all aspects of IM&T security and policy will be included in Hysbysrwrdd c. Intranet site The Trust s intranet site will be the primary location for all Trust policies. Additional guidance will also be posted there as required. Non-IT Users have an important contribution to make to IM&T Security and this is to be addressed in awareness programs. Staff, for example, should know who the normal user of IT is and be made aware that if any unusual person is seen using it, to question this by challenging and reporting it. 8. Equality The Trust recognises the diversity of the local community and those in its employ. Our aim is therefore to provide a safe environment free from discrimination and a place where all individuals are treated fairly, with dignity and appropriately to their need. The Trust recognises that equality impacts on all aspects of its day to day operations and has produced an Equality Policy Statement to reflect this. All policies and procedures are assessed in accordance with the Equality initial screening toolkit, the results for which are monitored centrally. This policy has undergone the initial screening process in line with the Trust s Race Equality Scheme and has shown a low level of impact. 9. Review This policy will be reviewed in 3 years time. Earlier review may be required in response to exceptional circumstances, organisational change or relevant changes in legislation or guidance. 10. Monitoring This policy will be monitored by the Head ot IT. Details of incidents related to Information Security and confidentiality will be monitored as one of the IM&T Steering Group s key performance indicators. 11. 
Discipline Breaches of this policy will be investigated and may result in the matter being treated as a disciplinary offence under the Trust s disciplinary procedure. Information Security Policy Page 16 of 21

Appendix A

Computer Users' Security Responsibilities

If you use a Trust computer system then you have the following responsibilities.
- Under no circumstances is any non-NHS owned equipment to be connected or installed to the Trust's network or any Trust owned computer without the written consent of the Head of IT.
- You will have a log-on account which is unique to you and which you must not let anyone else use. You will maintain a password as set out below which you will not allow anyone else to use. (Access to other people's data through your own account can be arranged through the IT Helpdesk.)
- In all cases any passwords given to you personally are for your use only. Passwords should not be written down in an insecure location or given to others under any circumstances.
- Passwords should be a minimum of 8 characters and should be a combination of upper and lower case characters and numbers. Do not use family or pet names and if at all possible try not to use proper words. This makes the accidental discovery of a password more difficult.
- Your passwords must be changed on a regular basis. The Trust's policy for network passwords is every 120 days. Some systems will prompt for this; others do not. If they do not, it is your responsibility to change them.
- You must report any suspected tampering with your log-on accounts to your head of department and to the Head of IT.
- You must not load any private programs, personal video, audio or picture files or games onto any of the computers. You must not load any other software (other than data) without the express permission of the Head of IT.
- No unauthorised private work/projects are to be carried out on the Trust's PCs.
- All data disks and all files from any source (including e-mail) must be virus checked prior to being used.
- All data to which you have access during the course of your work is to be treated in strict confidence and its accuracy must be maintained. You must not access information unless your job specifically requires it.
- You must abide by the terms of the Data Protection Act 1998 and the Computer Misuse Act 1990.
- Do not store patient identifiable or other confidential data on portable PCs which are taken out of the office and will be left unattended.
- Do not use any of the Trust's computer systems for accessing any sites or functions (including e-mail) that would constitute a breach of the Trust's Internet and E-mail policies.

Failure to carry out these responsibilities will be treated as a serious matter and may result in disciplinary action.

Line Managers' Security Responsibilities

As a line manager responsible for other staff you have the following responsibilities in addition to those you have as a user.
- Under no circumstances is any non-NHS owned equipment to be connected or installed to the Trust's network or any Trust owned computer without the written consent of the Head of IT. You are not permitted to give any local exemptions to this policy.
- You must maintain a record of the access rights your staff have.
- You must notify the IT Helpdesk or the manager responsible for particular computer systems of any changes of staff (i.e. joiners and leavers) and what levels of access you require your staff to have to the various systems. HR will notify the IT Helpdesk of any starters and leavers.
- You must ensure that all your staff are aware of their responsibilities and that they carry them out. Any breaches must be treated as serious and be reported to the Head of IT or the HR Department.
- You must only provide staff with the minimum access required to carry out their duties.
- You must ensure that all your staff are aware of their responsibilities and have the appropriate training before they are allowed access to the Trust's computer systems.
- You must set an example to all your staff in your conduct and attitude towards computer use and security.

Failure to carry out these responsibilities will be treated as a serious matter and may result in disciplinary action.

Directors and Senior Managers' Security Responsibilities

As a Director or Senior Manager, in addition to your responsibilities as a computer user and a line manager, you must also:
- Ensure that under no circumstances is any non-NHS owned equipment connected or installed to the Trust's network or any Trust owned computer without the written consent of the Head of IT. You are not permitted to give any local exemptions to this policy.
- Ensure that your line managers are implementing this security policy.
- Set an example to all your staff in your conduct and attitude towards computer use and security.

Failure to carry out these responsibilities will be treated as a serious matter and may result in disciplinary action.

Appendix B

Referenced Trust Documents
- IM&T Procurement Policy (IMT03)
- Disposal of PC and Printer Equipment Policy (IMT04)
- IT Helpdesk Policy (IMT05)
- Disposal of Media Policy (IMT06)
- PC Security Policy (IMT07)
- Website Content Policy (IMT09)
- E-mail Policy (IMT10)
- Internet Access Policy (IMT11)
- Virus Protection Policy (IMT12)
- IT Server Room Policy (IMT13)
- Firewall Access and Static IP Address Policy (IMT14)
- Safe Use of Videoconferencing Equipment Policy (IMT16)
- Data Protection Policy (CP15)

Appendix C

Trust Systems Access Request - Form IM&T1A

Please note that access to the systems below will mean access to the Trust's network is granted.

PART 1 - To be completed by the Line Manager prior to the commencement date (please print):
- Name of User
- Staff Number
- Ward/Department
- Position
- Hospital/Base
- Date Access Required
- Line Manager Name
- Systems/Access Required (in each of the boxes below, as required): Internet; Results Reporting
- Line Manager Signature
- Date

Once the above is completed, please send to the Head of IT. Access will be arranged and the form returned to the Line Manager to ensure Part 2 (below) is completed.

PART 2 - To be completed by the user at the time of commencing employment.

I accept responsibility for controlling my use of the Trust's systems and that the Trust can monitor my usage of these systems for security, human resource management and business continuity purposes (see IM&T Security Policy). I certify that I have read, understood and will comply with the policies listed below.
- Information Security Policy
- E-mail Policy
- Internet Policy

User Signature (in each of the boxes below, as required)
Date

The Information Security Policy must be signed for internet or e-mail access to be granted. Failure to comply with Trust policies will be investigated and may result in the matter being treated as a disciplinary offence under the Trust's disciplinary procedure.

PART 3 - For IT Department use only
- User ID:
- Date Account Created:
- Date Sent to User:
- Date form received from User:


More information

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION Document Control Owner: Distribution List: Data Protection Officer Relevant individuals who access, use, store or

More information

Information Security Management

Information Security Management Information Security Management BS ISO/ IEC 17799:2005 (BS ISO/ IEC 27001:2005) BS 7799-1:2005, BS 7799-2:2005 SANS Audit Check List Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SFS, ITS 2319, IT

More information

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager. London School of Economics & Political Science IT Services Policy Remote Access Policy Jethro Perkins Information Security Manager Summary This document outlines the controls from ISO27002 that relate

More information

Institute of Technology, Sligo. Information Security Policy. Version 0.2

Institute of Technology, Sligo. Information Security Policy. Version 0.2 Institute of Technology, Sligo Information Security Policy Version 0.2 1 Document Location The document is held on the Institute s Staff Portal here. Revision History Date of this revision: 28.03.16 Date

More information

Trust Services Principles and Criteria

Trust Services Principles and Criteria Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access

More information

The General Data Protection Regulation

The General Data Protection Regulation PRIVACY NOTICE INFORMATION FOR (a) APPLICANTS TO AND USERS OF CHS COMMUNITY SUPPORT SERVICES; (b) OTHER STAKEHOLDERS CHS is committed to protecting your personal data. This privacy notice sets out how

More information

Network Account Management Security Standard

Network Account Management Security Standard TRUST-WIDE NON-CLINICAL DOCUMENT Network Account Management Security Number: Scope of this Document: Recommending Committee: Approving Committee: SS06 All Staff/ Services Users Joint Information Governance

More information

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR ) Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR ) May 2018 Document Classification Public Q&A for Citco Fund Services clients in relation to The General Data Protection

More information

St Bernard s Primary School Data Protection Policy

St Bernard s Primary School Data Protection Policy St Bernard s Primary School Data Protection Policy St Bernard s RC Primary School, A Voluntary Academy Approved by Governors: 11.11.2015 Review date: Autumn 2016 St Bernard s Data Protection Policy General

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Introduction The purpose of this document is to provide a concise policy regarding the data protection obligations of Youth Work Ireland. Youth Work Ireland is a data controller

More information

Creative Funding Solutions Limited Data Protection Policy

Creative Funding Solutions Limited Data Protection Policy Creative Funding Solutions Limited Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments

More information

INFORMATION SYSTEMS SECURITY POLICY (ISSP)

INFORMATION SYSTEMS SECURITY POLICY (ISSP) INFORMATION SYSTEMS SECURITY POLICY (ISSP) Policy Number & Category IG 02 Information Governance Version Number & Date Version 3.7 February 2009 Ratifying Committee Date Approved March 2009 Next Review

More information

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Policy and Procedure: SDM Guidance for HIPAA Business Associates Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:

More information

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that

More information

Responsible Officer Approved by

Responsible Officer Approved by Responsible Officer Approved by Chief Information Officer Council Approved and commenced August, 2014 Review by August, 2017 Relevant Legislation, Ordinance, Rule and/or Governance Level Principle ICT

More information

INFORMATION SECURITY PRINCIPLES OF THE UNIVERSITY OF JYVÄSKYLÄ

INFORMATION SECURITY PRINCIPLES OF THE UNIVERSITY OF JYVÄSKYLÄ INFORMATION SECURITY PRINCIPLES OF THE UNIVERSITY OF JYVÄSKYLÄ JYVÄSKYLÄN YLIOPISTO Introduction With the principles described in this document, the management of the University of Jyväskylä further specifies

More information

Mobile Computing Policy

Mobile Computing Policy Mobile Computing Policy Overview and Scope 1. The purpose of this policy is to ensure that effective measures are in place to protect against the risks of using mobile computing and communication facilities..

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval

More information

Guardian Electrical Compliance Ltd DATA PROTECTION GDPR REGULATIONS POLICY

Guardian Electrical Compliance Ltd DATA PROTECTION GDPR REGULATIONS POLICY 1. Statement of Policy (Guardian) needs to collect and use certain types of information about the Individuals or Service Users with whom they come into contact in order to carry on our work. This personal

More information

Department of Public Health O F S A N F R A N C I S C O

Department of Public Health O F S A N F R A N C I S C O PAGE 1 of 7 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:

More information

01.0 Policy Responsibilities and Oversight

01.0 Policy Responsibilities and Oversight Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities

More information

EU GDPR & ISO Integrated Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-iso integrated-documentation-toolkit

EU GDPR & ISO Integrated Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-iso integrated-documentation-toolkit EU GDPR & https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit Note: The documentation should preferably be implemented in the order in which it is listed here. The order

More information

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...

More information

Pathways CIC Privacy Policy. Date Issued: May Date to be Reviewed: May Issued by Yvonne Clarke

Pathways CIC Privacy Policy. Date Issued: May Date to be Reviewed: May Issued by Yvonne Clarke Prepared by: M Franklin Issued: May 2018 Pathways Community Interest Company Review due: May 2020 Pathways CIC Privacy Policy Version 0.3 Approved by: Yvonne Clarke Approval date: 21.05.2018 Pathways CIC

More information

This Policy applies to all staff and other authorised users in St Therese School.

This Policy applies to all staff and other authorised users in St Therese School. St. Therese School Computer and Internet Policy STAFF Policy Statement All staff and other authorised users of St Therese information and communications technology are to use the technology only in a way

More information

Enviro Technology Services Ltd Data Protection Policy

Enviro Technology Services Ltd Data Protection Policy Enviro Technology Services Ltd Data Protection Policy 1. CONTEXT AND OVERVIEW 1.1 Key details Rev 1.0 Policy prepared by: Duncan Mounsor. Approved by board on: 23/03/2016 Policy became operational on:

More information

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project / Work Data Sharing Audits Status Final Acting Director Chris Roebuck Version 1.0 Owner Rob Shaw Version issue date 19-Jan-2015 HSCIC Audit of

More information

WORKSHARE SECURITY OVERVIEW

WORKSHARE SECURITY OVERVIEW WORKSHARE SECURITY OVERVIEW April 2016 COMPANY INFORMATION Workshare Security Overview Workshare Ltd. (UK) 20 Fashion Street London E1 6PX UK Workshare Website: www.workshare.com Workshare Inc. (USA) 625

More information

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

PPS is Private Practice Software as developed and produced by Rushcliff Ltd. Rushcliff Ltd Data Processing Agreement This Data Processing Agreement ( DPA ) forms part of the main terms of use of PPS, PPS Express, PPS Online booking, any other Rushcliff products or services and

More information

DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture:

DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture: DATA PROTECTION SELF-ASSESSMENT TOOL Protecture: 0203 691 5731 Instructions for use touches many varied aspects of an organisation. Across six key areas, the self-assessment notes where a decision should

More information

Cloud Security Standards Supplier Survey. Version 1

Cloud Security Standards Supplier Survey. Version 1 Cloud Security Standards Supplier Survey Version 1 Document History and Reviews Version Date Revision Author Summary of Changes 0.1 May 2018 Ali Mitchell New document 1 May 2018 Ali Mitchell Approved Version

More information

E-Security policy. Ormiston Academies Trust. James Miller OAT DPO. Approved by Exec, July Release date July Next release date July 2019

E-Security policy. Ormiston Academies Trust. James Miller OAT DPO. Approved by Exec, July Release date July Next release date July 2019 Ormiston Academies Trust E-Security policy Date adopted: Autumn Term 2018 Next review date: Autumn Term 2019 Policy type Author Statutory James Miller OAT DPO Approved by Exec, July 2018 Release date July

More information

Certification Body Audit Resources

Certification Body Audit Resources Certification Body Audit Resources Policy 13 v4.01 Original Issue 20 May 2012 Revision Date Effective Date Policy Applicable To All CertiSource Staff and Certification Body Staff Policy Managed By Approved

More information

Data protection policy

Data protection policy Data protection policy Context and overview Introduction The ASHA Centre needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees

More information