Identification and Authentication


Identification and Authentication Example Policy

Author: A Heathcote
Date: 24/05/2017
Version: 1.0

Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.

Contents

1 Purpose
2 Scope
3 Applicability
4 Guidance
  Terminology
  Policy
  Principles
  Identification and Authentication Mechanisms
  Remote Access Identification and Authentication Requirements
5 Key Words

1 Purpose

The purpose of this Identification and Authentication Example Policy is to provide exemplar guidance, in line with HMG and private sector best practice, for the production of an organisation-wide Identification and Authentication Policy. This is in order to allow the reader to produce the necessary policy and guidance for their business area and to ensure that the applicable and relevant security controls are put in place in line with the Department for Health, the wider NHS, health and social care and HMG requirements.

2 Scope

The drafting of any policy governing the production of an Identification and Authentication policy for NHS systems, devices, applications and information deployed in support of NHS or health and social care business functions.

3 Applicability

This Example Policy is applicable to, and designed for use by, any NHS, health and social care or associated organisation that uses or has access to NHS systems and/or information at any level.

4 Guidance

This Example Policy provides guidance on the production of an Identification and Authentication Policy. The Example Policy is in italics, with areas for insertion shown as < > and the rationale for each paragraph or section, where required, in [ ].

Terminology

Term    Definition
SHALL   This term is used to state a Mandatory requirement of this policy.
SHOULD  This term is used to state a Recommended requirement of this policy.
MAY     This term is used to state an Optional requirement.

Policy

Principles

Identification and authentication shall be used to identify and prove which users have accessed and utilised <insert name of organisation> systems and the data within them.

The identification and authentication mechanism shall support the Access Control Policy requirements.

Identification and authentication shall be used to identify and prove that access is authorised to encrypted media (such as laptops or USB sticks) utilised by <insert name of organisation> IT systems.

[The aim of this section is to outline what identification and authentication achieves, i.e. that it is a mechanism to support access control to workstations, laptops, folders and electronic media.]

Identification and Authentication Mechanisms

Identification shall be achieved through a username for each individual user. Authentication of that username (identifier) shall be achieved through the use of one of the following mechanisms, or a combination of any of them:

- Passwords - these shall meet the <insert name of organisation> Password Policy.
- Tokens - these may be defined or referred to as: hardware token, authentication token, USB token, cryptographic token, software token, virtual token or key fob.
- Biometrics - metrics related to human characteristics. These may include mechanisms that use fingerprint, face recognition, iris or retina recognition as the authenticating characteristic.

The degree of authentication (single or two-factor) shall be assessed by the Information Asset Owner (IAO) and Senior Information Risk Owner (SIRO) against the level of protection required for the processed information and the risk factors to it. Where two-factor authentication is deemed to be required, the authentication mechanisms shall be provided by different methods, e.g. password and token.

[This section is used to outline how identification and authentication can be achieved. It should be tailored to the mechanisms the organisation is likely to use. The decision on which mechanisms to use, and whether single or two-factor authentication is required, is a risk-based decision. For larger organisations this will be made by the IAOs, SIRO and CISO; for organisations using NHS managed assets (such as NHS managed networks or e-mail) it will be defined by the system access requirements; whilst for smaller organisations the decision will be made by the senior partners/owners and the information governance lead. As a general rule, if the data to be accessed is sensitive, two-factor authentication should be considered as the policy requirement; if the data is normal office management, single-factor authentication is probably sufficient.]

Remote Access Identification and Authentication Requirements

Two-factor authentication shall be used for all remote access to <insert name of organisation> IT systems processing OFFICIAL and OFFICIAL-SENSITIVE information or sensitive legacy NHS data. The two-factor authentication shall, as a minimum, be a password with a secondary authentication method such as a token or biometrics. Where possible the secondary authentication method shall be an assured method, such as NCSC assured for OFFICIAL-SENSITIVE.

The complexity of the password required shall be determined by the risk assessment of the IT system and shall be managed in accordance with the <insert name of organisation> Password Policy.

[Where organisations, of whatever size, employ remote access (i.e. from a laptop at home or on the road to access the organisation's network/data stores), two-factor authentication is recommended as the minimum policy, since single-factor authentication is more vulnerable. For smaller organisations this requirement may be reflected as a policy requirement in contracts arranged with third-party IT providers who provide the IT network and/or remote access capability.]

5 Key Words

Authentication, Biometric, Cryptographic, IAO, Identification, Password, Risk Assessment, SIRO, Token