INFORMATION TECHNOLOGY SECURITY POLICY

Author: Mike Dench, IT Security Manager
Responsible Director: Robin Wright, Director of Health Information and Technology
Approved By: IG Steering Group
Date Approved: September 15
Date for Review: November 17
Version: 2.3
Replaces version: 2.2

Contents

1.0 Introduction
2.0 Scope
3.0 Roles and Responsibilities
3.1 Role of Directors and Heads of Departments
3.2 Role of Staff
4.0 New IT Facilities / Applications
5.0 Access to IT Systems
6.0 Use of IT Systems
7.0 Auditing of IT Systems
8.0 Procedures
9.0 Copyright
10.0 Policy Review
11.0 Communication & Implementation
12.0 Further Advice

1.0 Introduction

The purpose of information security is to safeguard the Organisation's information within a secure environment and, where appropriate, to share that information without compromising its confidentiality. Information Security Management is critical to the business needs of NHS Greater Glasgow & Clyde. The objective of information security is to ensure the confidentiality, integrity and availability of information, whilst minimizing the risk of loss, through the implementation of standards, controls and procedures which support this policy.

Associated Legislation:
Access to Health Records Act 1990
Computer Misuse Act 1990
Copyright, Designs and Patents Act 1988
Data Protection Act 1998
Freedom of Information Act 2000
Freedom of Information (Scotland) Act 2002
Human Rights Act (2000)
Privacy and Electronic Communications (EC Directive) Regulations 2003
RIP Act 2000
RIP(S) Act 2000
Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

Associated Policies and Standards:
ISO/IEC 27005:2005
NHSScotland Caldicott Guardian's Principles into Practice, Nov 2010
NHS Code of Practice: Protecting Patient Confidentiality
NHSiS IT Security Manual

Having read, understood and accepted the terms of this policy, and given a valid business reason, the reader may apply for access to the NHS Greater Glasgow & Clyde computer network and to the applications which they require to use. Access forms are available on StaffNet (the NHS Greater Glasgow and Clyde intranet).

2.0 Scope

This policy applies to all staff employed by NHS Greater Glasgow & Clyde. It also applies to contractors, partnership organisations and visitors not employed by NHS Greater Glasgow & Clyde but engaged to work with, or who have access to, information systems and applications. Additional policies and guidance documents are provided to address specific areas of IT Security.

3.0 Roles and Responsibilities

3.1 Role of Directors and Heads of Departments

Directors and Heads of Departments are responsible for ensuring that staff within their own directorates and departments work in a manner consistent with the principles outlined in this Policy.

3.2 Role of Staff

It is the responsibility of all staff to ensure they have read and understood this Policy and to ensure that high standards of confidentiality are met. Staff must take ownership of this and other related policies and support their aims. This applies to all staff regardless of their contractual status within the organisation. Specifically, staff must:

Always ensure a password-protected screensaver is activated (by pressing the Windows key + L) or log off when leaving a PC;
Only view information that is relevant to the work they are performing. Viewing information which is not pertinent to their work is a breach of several UK laws (it is not permitted to view the records of a patient to whose care they are not party);
Never disclose their passwords, even to IT Support. Many computer users have Tap & PIN to log on using Imprivata OneSign (Single Sign On); the PIN must never be disclosed;
Never use somebody else's userid and password; to do so is a breach of the Computer Misuse Act. Using someone else's ID Card and PIN is the same as using their userid and password.

4.0 New IT Facilities / Applications

The procurement of IT facilities may only be undertaken with the prior approval of the HI&T Directorate. Staff introducing new IT facilities and applications (i.e. systems) must ensure that the applications, their use and management are compliant with the requirements of the NHS Scotland IT Security Policy and Manuals. The Policy and manuals can be found at: http://www.security.scot.nhs.uk/.

5.0 Access to IT Systems

Staff must fully understand that all systems and services are provided as business tools and that there is no individual right of privacy when accessing these services. Very limited trials are underway to permit restricted use of personal equipment with NHSGGC IT facilities. Outwith these trials, personal equipment must not be connected to any NHS Greater Glasgow & Clyde computer or network.

Only authorised persons may access IT systems. Access must be restricted to the information required for the authorised person's job function (i.e. on a need-to-know basis).

There are very many situations where PCs are shared, particularly in wards. To reduce the time taken to access applications there are currently many generic network accounts (logons) whose passwords are shared; however, no home or shared drive access will be permitted from these accounts, their sole purpose being to facilitate faster access to applications such as TrakCare and Clinical Portal. The end user will log on to each application using their own userid and password. This arrangement ensures controlled access and auditability of systems. Technology changes are being rolled out that enable fast access to the network and applications and remove the need for generic network accounts.

6.0 Use of IT Systems

Users will be supported in their use of information systems; they may, however, be held accountable for their actions. If inappropriate use of any NHS Greater Glasgow & Clyde computer is known or suspected, then investigations will be instigated, either under the direction of H.R., or by the police or another regulatory body as appropriate. If managers believe that there is cause to initiate an investigation then they must contact a senior member of H.R. in the first instance. Please also refer to the Board's Data Breach Policy. Investigations will be undertaken by IT staff once instructions to do so have been given by an appropriate senior H.R. manager.

7.0 Auditing of IT Systems

Evidence of who has viewed, entered or changed data in an application (e.g. TrakCare or Clinical Portal) is contained within the audit trail. The audit trail will record the ID of the person who was logged in and note which data that person viewed, entered or changed. The audit log provides irrefutable evidence of the account that was used to perform the action and is effectively the user's signature. Where HR investigate cases of potential inappropriate access, the audit log may be provided by the IT Department as evidence.

8.0 Procedures

It is the policy of NHS Greater Glasgow & Clyde to ensure that:

Information will be protected and controlled against unauthorised access or misuse;
Confidentiality of information will be assured [1];
Integrity of information will be maintained [2];
Business continuity planning and risk assessment processes will be maintained;
Regulatory, contractual and legal obligations will be complied with [3];
Information security training will be provided to staff;
Information assets will be registered, classified and protected;
All health board owned computers will have centrally controlled, automatically updated anti-virus software installed. Such controls shall ensure that there can be no user intervention;
Cryptographic technologies will be employed as appropriate;
Physical, logical and communications security will be monitored and maintained;
Operational procedures, protocols and policies will be regularly reviewed and maintained;
If using any mobile computing or removable storage media, then the Mobile Devices and Media Policy shall apply.

9.0 Copyright

Downloading, copying or re-using any third-party copyright material from the internet must be in compliance with both the Copyright, Designs and Patents Act 1988 and the NHS Scotland Copy Policy 2011. For more information see the guidance provided on the Copyright page on StaffNet.

10.0 Policy Review

This policy will be reviewed on a bi-annual basis, unless the introduction of any new or amended relevant legislation warrants an earlier review.

11.0 Communication & Implementation

This Policy will be communicated through the Information Governance and IT Security Framework.

12.0 Further Advice

For further advice on this Policy please contact the IT Security Manager. Tel: 0141 349 8137. Email: mike.dench@ggc.scot.nhs.uk

Notes:

[1] Valuable information will be protected against unauthorised access and disclosure.
[2] Safeguards will be created to protect against unauthorised modification or destruction of data.
[3] This ensures compliance with the legal requirements listed under section 1 of this policy.

Further information may be obtained from NHS Scotland's IT Security Manual, BS ISO/IEC 17799:2005, ITIL's Best Practice for Security Management and the Information Security Forum's Standard of Good Practice for Information Security. These documents can be accessed through the IT Security Manager.