Identification and Authentication Example Policy

Author: A Heathcote
Date: 24/05/2017
Version: 1.0

Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.
Contents

1 Purpose
2 Scope
3 Applicability
4 Guidance
  Terminology
  Policy
  Principles
  Identification and Authentication Mechanisms
  Remote Access Identification and Authentication Requirements
5 Key Words
1 Purpose

The purpose of this Identification and Authentication Example Policy is to provide exemplar guidance, in line with HMG and private sector best practice, for the production of an organisation-wide Identification and Authentication Policy. This is in order to allow the reader to produce the necessary policy and guidance for their business area and to ensure that the applicable and relevant security controls are put in place in line with Department for Health, wider NHS, health and social care and HMG requirements.

2 Scope

The drafting of any policy governing the production of an Identification and Authentication Policy for NHS systems, devices, applications and information deployed in support of NHS or health and social care business functions.

3 Applicability

This Example Policy is applicable to and designed for use by any NHS, health and social care or associated organisation that uses or has access to NHS systems and/or information at any level.

4 Guidance

This Example Policy provides guidance on the production of an Identification and Authentication Policy. The Example Policy is in italics, with areas for insertion shown as <> and the rationale for each paragraph or section, where required, in [.].

Terminology

Term     Definition
SHALL    This term is used to state a mandatory requirement of this policy.
SHOULD   This term is used to state a recommended requirement of this policy.
MAY      This term is used to state an optional requirement.

Policy

Principles

Identification and authentication shall be used to identify and prove which users have accessed and utilised <insert name of organisation> systems and the data within them. The identification and authentication mechanism shall support the Access Control Policy requirements.
Identification and authentication shall be used to identify and prove that access is authorised to encrypted media (such as laptops or USB sticks) utilised by <insert name of organisation> IT systems.

[The aim of this section is to outline what identification and authentication achieves, i.e. that it is a mechanism to support access control to workstations, laptops, folders and electronic media.]

Identification and Authentication Mechanisms

Identification shall be achieved through a username for each individual user. Authentication of that username (identifier) shall be achieved through the use of one of the following mechanisms:

- Passwords: these shall meet the <insert name of organisation> Password Policy.
- Tokens: these may be defined or referred to as hardware token, authentication token, USB token, cryptographic token, software token, virtual token or key fob.
- Biometrics: metrics related to human characteristics. These may include mechanisms that use fingerprint, face recognition, iris or retina recognition as the authentication characteristic.
- Or a combination of any of these elements.

The degree of authentication (single or two-factor) shall be assessed by the Information Asset Owner (IAO) and Senior Information Risk Owner (SIRO) against the level of protection required for the processed information and the risk factors to it. Where it is deemed that two-factor authentication is required, the authentication mechanisms shall be provided by different methods, e.g. password and token.

[This section is used to outline how identification and authentication can be achieved. It should be tailored to the mechanisms the organisation is likely to use. The decision on what mechanisms to use and whether single- or two-factor authentication is required is a risk-based decision. For larger organisations this will be made by the IAOs, SIRO and CISO; for organisations using NHS managed assets (such as NHS managed networks or e-mail) it will be defined by the system access requirements; whilst for smaller organisations the decision will be taken by the senior partners/owners and the information governance lead. As a general rule, if the data to be accessed is sensitive, two-factor authentication should be considered as the policy requirement; if the data is normal office management, single-factor authentication is probably sufficient.]

Remote Access Identification and Authentication Requirements

Two-factor authentication shall be used for all remote access to <insert name of organisation> IT systems processing OFFICIAL and OFFICIAL-SENSITIVE information or sensitive legacy NHS data. The two-factor authentication shall as a minimum be:

- Password, with
- Secondary authentication such as a token or biometrics.

Where possible the secondary authentication shall be an assured method, such as NCSC assured for OFFICIAL-SENSITIVE.
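As an added illustration, not part of the NHS Digital example policy, the following Python check encodes the remote access two-factor requirement above together with the earlier rule that two factors must be provided by different methods. It maps the mechanisms the policy lists onto the usual knowledge/possession/inherence categories (an assumption of this example), so that two mechanisms of the same kind, such as two passwords, are never counted as two-factor. The classification labels, the `assured` attribute and the sample configurations are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """Standard factor categories; two mechanisms of one category count as a single factor."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Mechanism names are those listed in the policy; grouping them into factor
# categories is the usual knowledge/possession/inherence model (an assumption
# of this example, not something the policy text states).
MECHANISM_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "hardware token": Factor.POSSESSION,
    "authentication token": Factor.POSSESSION,
    "usb token": Factor.POSSESSION,
    "cryptographic token": Factor.POSSESSION,
    "software token": Factor.POSSESSION,
    "virtual token": Factor.POSSESSION,
    "key fob": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face recognition": Factor.INHERENCE,
    "iris recognition": Factor.INHERENCE,
    "retina recognition": Factor.INHERENCE,
}

# Data classifications for which the policy requires two-factor remote access.
# "SENSITIVE LEGACY" is a constructed label for "sensitive legacy NHS data".
TWO_FACTOR_CLASSIFICATIONS = {"OFFICIAL", "OFFICIAL-SENSITIVE", "SENSITIVE LEGACY"}


@dataclass(frozen=True)
class Mechanism:
    name: str
    assured: bool = False  # constructed attribute: True if the method is assured (e.g. NCSC assured)


@dataclass(frozen=True)
class AccessConfig:
    system: str
    remote: bool
    classification: str
    mechanisms: tuple


def distinct_factors(mechanisms):
    """Return the set of factor categories covered by the configured mechanisms."""
    factors = set()
    for m in mechanisms:
        try:
            factors.add(MECHANISM_FACTOR[m.name.lower()])
        except KeyError:
            raise ValueError(f"unknown mechanism {m.name!r}; add it to MECHANISM_FACTOR") from None
    return factors


def check_remote_access(cfg):
    """Return (severity, message) findings for one configuration; an empty list means compliant.

    Severities follow the policy's terminology: SHALL for mandatory, SHOULD for recommended.
    """
    findings = []
    if not cfg.remote or cfg.classification.upper() not in TWO_FACTOR_CLASSIFICATIONS:
        return findings  # the remote access two-factor rule does not apply
    names = {m.name.lower() for m in cfg.mechanisms}
    factors = distinct_factors(cfg.mechanisms)
    if len(factors) < 2:
        findings.append(("SHALL", f"{cfg.system}: {len(factors)} distinct factor(s) configured; "
                         "remote access requires two different methods"))
    if "password" not in names:
        findings.append(("SHALL", f"{cfg.system}: minimum two-factor is a password plus a secondary method"))
    secondary = [m for m in cfg.mechanisms if MECHANISM_FACTOR[m.name.lower()] is not Factor.KNOWLEDGE]
    if not secondary:
        findings.append(("SHALL", f"{cfg.system}: no token or biometric secondary authentication configured"))
    elif cfg.classification.upper() == "OFFICIAL-SENSITIVE" and not any(m.assured for m in secondary):
        findings.append(("SHOULD", f"{cfg.system}: secondary authentication for OFFICIAL-SENSITIVE "
                         "should be an assured method"))
    return findings


# Constructed sample configurations, not drawn from any real system.
SAMPLE_CONFIGS = [
    AccessConfig("clinic-vpn", True, "OFFICIAL", (Mechanism("password"), Mechanism("hardware token", assured=True))),
    AccessConfig("legacy-webmail", True, "OFFICIAL", (Mechanism("password"), Mechanism("password"))),
    AccessConfig("records-portal", True, "OFFICIAL-SENSITIVE", (Mechanism("password"), Mechanism("software token"))),
    AccessConfig("office-wiki", True, "OFFICE", (Mechanism("password"),)),
]


def audit(configs):
    """Map each system name to its list of findings."""
    return {cfg.system: check_remote_access(cfg) for cfg in configs}


if __name__ == "__main__":
    for system, findings in audit(SAMPLE_CONFIGS).items():
        status = "compliant" if not findings else "; ".join(f"{s}: {m}" for s, m in findings)
        print(f"{system}: {status}")
```

Running the block audits the four constructed configurations: the password-plus-assured-token VPN passes, the password-only webmail fails the mandatory rule twice (one factor category, no secondary method), the OFFICIAL-SENSITIVE portal with an unassured software token raises only a SHOULD finding, and the office wiki is outside the remote two-factor rule because of its classification. Unknown mechanism names are rejected rather than silently counted, so a configuration cannot pass on the strength of a method the policy has not categorised.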
The complexity of the password required shall be determined by the risk assessment of the IT system and shall be managed in accordance with the <insert name of organisation> Password Policy.

[Where organisations, of whatever size, employ remote access (i.e. from a laptop at home or on the road to access the organisation's network/data stores), two-factor authentication is recommended as the minimum policy, as single-factor is more vulnerable. For smaller organisations this requirement may be reflected as a policy requirement in contracts arranged with third-party IT providers who provide the IT network and/or remote access capability.]

5 Key Words

Authentication, Biometric, Cryptographic, IAO, Identification, Password, Risk Assessment, SIRO, Token