DOCSLIB.ORG

IT and Information Security Policy

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
IT and Information Security Policy Policy Title IT and Information Security Policy Policy Number OP06 Version Number 4.1 Ratified By Information Governance Assurance Group Date Ratified 15/05/2018 Effective From 01/09/2019 Author(s) Derek Prudhoe, IT Directory and Security Manager (name and designation) Sponsor Nick Black, Chief Digital Information Officer Expiry Date 01/09/2021 Withdrawn Date Unless this copy has been taken directly from Pandora (the Trust’s Sharepoint document management system) there is no assurance that this is the most up to date version This policy supersedes all previous issues IT and Information Security Policy v3 Version Control Version Release Author/ Ratified by/Authorised Date Changes Reviewer by (Please identify page no.) 1.0 20/03/2013 D Prudhoe Health Informatics 06/03/2013 Policies OP6a Assurance Committee & OP6b merged 2.0 04/08/2015 D Prudhoe Health Informatics 04/03/2015 Minor edits to Assurance Committee remove references to CfH 3.0 07/12/2017 D Prudhoe Health Informatics 21/11/2017 Minor updates Assurance Group – remove references to obsolete equipment. 4.0 31/05/2018 D Prudhoe Information 15/05/2018 6.7.1 minor Governance Assurance update to Group introduction 6.7.2 removed reference to Information Security Policy 6.8.2 (b) removed advice to remove hard drive 6.8.2 (d) reworded statement on downloading and installing software, added exception for smart devices 6.8.2 (e) added exception for Apple devices 6.8.2 (f) added exception for Apple devices 6.8.2 (i) added IT and Information Security Policy v4 2 new section for Smart Devices security settings 6.9.3 (a) added additional information for smart devices 6.10.18 Updated to reflect changed process 10. updated group name 4.1 01/09/2019 D Prudhoe Information 02/04/19 6.8.2 – Governance Assurance updated to Group match guidance in OP17 IT and Information Security Policy v4 3 Contents Contents .......................................................................................................................... 4 1 Introduction ............................................................................................................. 5 2 Scope of the IT and Information Security Policy ......................................................... 5 3 Aim of Policy ............................................................................................................. 6 4 Duties (Roles and Responsibilities) ............................................................................ 6 5 Definition of Terms ................................................................................................... 6 6 IT and Information Security Policy ............................................................................. 7 6.1 Policy Statements ..................................................................................................................... 7 6.2 Keeping Information Secure .................................................................................................... 8 6.3 Transfers and Disclosure of Data ............................................................................................. 8 6.4 System Security ........................................................................................................................ 8 6.5 Breaches of the policy ............................................................................................................ 12 6.6 Policy Review and Evaluation ................................................................................................ 12 6.7 Remote Access to Gateshead Network from Home .............................................................. 13 6.8 Mobile Access to Gateshead Network ................................................................................... 15 6.9 Use of Removable Media ....................................................................................................... 19 6.10 Network Security ................................................................................................................ 22 6.11 Legal requirements ............................................................................................................ 27 7. Training .................................................................................................................. 28 8. Diversity and Inclusion ............................................................................................ 28 9. Monitoring Compliance with the Policy ................................................................... 28 10. Consultation and Review ........................................................................................ 28 11. Implementation of Policy (Including Raising Awareness) ......................................... 28 12. Associated documentation...................................................................................... 28 Appendix A - Checklist for Home/Remote Access ............................................................ 30 IT and Information Security Policy v4 4 IT and Information Security Policy 1 Introduction 1.1 The Need for an IT and Information Security Policy The data stored in information systems used by the Trust represents an extremely valuable asset. As systems proliferate, and with the increasing reliance of the NHS on information technology for the delivery of healthcare, it becomes necessary to ensure that these systems are developed, operated, used and maintained in a safe and secure fashion. The increasing needs to transmit information across networks of computers renders data more vulnerable to accidental or deliberate unauthorised modification or disclosure. The use of computers in clinical care activities offers advantages to NHS patients if handled securely, but could present serious hazards if security is inadequate. All NHS organisations need to proactively assess, monitor and manage the risks associated with their IT assets and information services. Indeed, NHS information systems are considered to be key components of the UK’s Critical National Infrastructure. 2 Scope of the IT and Information Security Policy 2.1 This Policy is applicable to all existing and proposed systems and is effective from the date of issue of this policy. The manager responsible for each system must ensure that all risks are identified and all reasonable measures are taken against security breaches. The system administrator for each system will be responsible for ensuring that a current System Specific Security Policy for that system is maintained. 2.2 The value of information, physical assets or processing capability to be protected needs to be estimated and recorded, along with the impact of possible disclosure, inaccuracy, incompleteness or unavailability of that information. The cost of countermeasures should be commensurate with the threats to security, the value of the assets being protected and the impact of security failure. 2.3 The Trust policy is to ensure that IT systems, including computer systems, network components and electronically held data, are adequately protected from a range of threats. The policy and associated guidelines cover all aspects of the environment: IT systems, administration systems, environmental controls, hardware, software, data and networks. It will apply to all stages of the system lifecycle, from feasibility study through to operation. 2.4 The policy applies to: a) all staff employed by the Trust, and to locums, students and trainees on temporary placements; IT and Information Security Policy v4 5 b) other individuals and agencies who may gain access to data, such as volunteers, visiting professionals or researchers, and companies providing IT services to the Trust. 2.5 The requirements of the IT Security Policy are mandatory wherever they are applicable. 3 Aim of Policy 3.1 This document defines the IT and Information Security Policy for Gateshead Health NHS Foundation Trust and Sets out the Trust’s policy for the protection of the confidentiality, integrity and availability of IT and Information Systems. Establishes the Trust and user responsibilities. Provides reference to documentation relevant to this policy. 3.2 The objective of this policy is to ensure the security of the Trust’s IT and Information Systems. The Trust will: Ensure Availability Ensure that the IT systems, administration systems, environmental controls, hardware, software, data and networks are available for users. Preserve Integrity Protect the the IT systems, administration systems, environmental controls, hardware, software, data and networks from unauthorised or accidental modification ensuring the accuracy and completeness of the Trust’s assets. Preserve Confidentiality Protect assets against unauthorised disclosure. 4 Duties (Roles and Responsibilities) The Trust will take all reasonable steps to ensure that users of IT and Information Systems are aware of acceptable use policies and legal obligations relating to them. All staff and Non-Executive Directors are obliged to adhere to this policy. It is the responsibility of the individual to ensure that they understand this policy. Managers at all levels are responsible for ensuring that the staff for whom they are responsible are aware of and adhere to this Policy. They are also responsible for ensuring staff are updated in regard to any changes in this Policy. 5 Definition of Terms 5.1 For the purposes of this policy document, IT and Information security is characterised as the preservation of the confidentiality, integrity and availability of Trust information
Load more

Recommended publications
  • NIST: Implementing Internet Firewall Security Policy
    Internet Firewall Policy DRAFT NIST Special Publication 800-XX IMPLEMENTING INTERNET FIREWALL SECURITY POLICY Barbara Guttman Robert Bagwill IMPLEMENTING INTERNET FIREWALL SECURITY POLICY Information Technology Laboratory Computer Security Division National Institute of Standards and Technology Gaithersburg, MD 20899-0001 April 13, 1998 U.S. Department of Commerce William M. Daley, Secretary Technology Administration Gary R. Bachula, Acting Under Secretary for Technology National Institute of Standards and Technology Raymond Kammer, Director 1 Internet Firewall Policy DRAFT 1 Background and Purpose ..............................................................................0 2 Overview ........................................................................................................0 3 Firewall Architectures ....................................................................................0 3.1 Multi-homed host ............................................................................................... 0 3.2 Screened host.................................................................................................... 0 3.3 Screened subnet................................................................................................ 0 4 Types of Firewalls..........................................................................................0 4.1 Packet Filtering Gateways ................................................................................. 0 4.2 Application Gateways .......................................................................................
    [Show full text]
  • Interim Agency Network Security Policy
    EPA Classification No.: CIO 2150.1 CIO Approval Date: 08/22/2011 CIO Transmittal No.: 11-0005 Review Date: 02/2013 Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 7/7/2005 Interim Agency Network Security Policy 1 PURPOSE This Policy – 1.1 establishes a security policy for the Environmental Protection Agency’s (EPA’s) national data communications network (EPA network). 1.2 establishes principles to ensure a secure network infrastructure that integrates confidentiality, availability, and integrity into the infrastructure design, implementation, and maintenance; in order to: 1.2.1 protect the Agency’s infrastructure and critical information assets from internal and external threats arising from connections to the EPA network and the Internet. 1.2.2 ensure that information technology (IT) resources attached to the EPA network are consistent with, and supportive of, a secure network IT infrastructure design. 1.2.3 protect EPA IT resources from malicious threats or unauthorized use, as well as unintentional misuse by authorized persons. 1.2.4 support the Agency in delivering reliable, high quality data in order for EPA to fulfill its mission of protecting human health and the environment. 1.2.5 maintain the appropriate level of security to support the ability of the Agency to conduct its work. 2 SCOPE AND APPLICABILITY 2.1 All EPA employees, contractors, grantees and all other users of the EPA information and systems. 2.2 All EPA information and information systems including information used and information systems used or operated by contractors and other third parties on behalf of EPA.
    [Show full text]
  • User Information Security Policy
    User Information Security Policy Urbano remains linty after Benjy phosphatizing muckle or decease any fuchsias. Rab allowances enclitically if arthropodal Gustavus mediate or stetted. Kerchiefed Hayes metaling or desalinizing some etaerios decorously, however malarious Vaclav clipt frankly or plasticize. Examine the whole section is subject that security information policy Protecting this College resource is a shared responsibility between more data users and the Information Technology staff Network security including firewall. Staff students and lead other user with car to University IT Systems must ready with multiple IT Security Policy 3 Information Handling 31 Classification of. CMS Information Security and sound Overview CMS. What line the security concepts? How miserable you test system security? Periodic user access reviews and education of information security policies. IDENTIFY THE VARIOUS CLASSES OF POLICY USERS 5 REQUIREMENT 3 ORGANIZE INFORMATION SECURITY POLICIES AND STANDARDS INTO. How you write an information security policy with template example. Information Security Policy manage your nutrition with these. Information Security Policy team of Information Technology. The means by provide access to computer files is limited to authorized users only Firewall A device andor software that prevents unauthorized and improper transit. What is dilute IT Security Policy Palo Alto Networks. What is security policy Definition from WhatIscom. Information Security Policy an overview ScienceDirect Topics. Computer network--everything from installation and maintenance to user. These regulations include Mass 93H210 CMR 17 Federal Red Flag Rules FERPA eDiscovery as reciprocal as non-Mass state personal information laws. Computer Security Policies Tutorialspoint. Cyber Security Policy all Library Georgia Institute of. This management is dictionary in order in ensure children access food the University's information and information systems is restricted to authorised users Acceptable.
    [Show full text]
  • User-Oriented Network Security Policy Specification
    User-oriented Network Security Policy Specification Fulvio Valenza1;2*, and Antonio Lioy1 1Politecnico di Torino, DAUIN, corso duca degli Abruzzi 24, Turin, Italy 2CNR-IEIIT, corso duca degli Abruzzi 24, Turin, Italy ffulvio.valenza, [email protected] Abstract The configuration and management of security controls and applications is complex and not well understood by the majority of end-users (i.e. it typically requires specific skills). The security policy language simplifies this task and reduces the number of errors and anomalies. This paper proposes the specification of the two mechanisms for defining user’s security policies, namely High-level Security Policy Language (HSPL) and Medium-level Security Policy Language (MSPL). HSPL is suitable for expressing the protection requirements of typical non-technical users, while MSPL is a lower-level abstraction useful for expressing specific configurations of security controls in a generic format (as such it is more appealing for technical users). Keywords: network security policy, security requirement, policy refinement 1 Introduction Nowadays the common approach to protect personal devices from Internet threats relies on the installa- tion of appropriate security controls (e.g. firewall, VPN concentrator, etc.). To achieve this goal, typically it is required a deep knowledge on how each security control should be configured, which generally involves in setting up several security applications of different vendors and different security functions (or capabilities), like packet filtering, VPN gateway, parental control, etc.. In general, for non-technical users and occasionally for administrators, this may turn out a difficult hurdle to overcome[21]. In order to simplify the configuration of security controls, we propose the definition of two user- oriented network security policy languages.
    [Show full text]
  • Network Security Policy Created: 01/12/2016 Section Of: County Security Policies Modified: Target Audience: Technical Page 1 of 13
    DuPage County Network Security Policy Created: 01/12/2016 Section of: County Security Policies Modified: Target Audience: Technical Page 1 of 13 DuPage County is hereinafter referred to as "the County." 1.0 Purpose The purpose of this policy is to establish the technical guidelines for IT security, and to communicate the controls necessary for a secure network infrastructure. The network security policy will provide the practical mechanisms to support the County's comprehensive set of security policies. However, this policy purposely avoids being overly-specific in order to provide some latitude in implementation and management strategies. 2.0 Scope This policy covers all IT systems and devices that comprise the County network or that are otherwise controlled by the County. This policy also cover systems administered by County-wide Elected Officials. 3.0 Policy 3.1 Network Device Passwords A compromised password on a network device could have devastating, network-wide consequences. Passwords that are used to secure these devices, such as routers, switches, and servers, must be held to higher standards than standard user-level or desktop system passwords. 3.1.1 Password Construction The following statements apply to the construction of passwords for network devices: • Passwords must be at least 12 characters • Passwords must be comprised of a mix of letters, numbers and special characters (punctuation marks and symbols) • Passwords must not be comprised of, or otherwise utilize, words that can be found in a dictionary • Passwords must not be comprised of an obvious keyboard sequence (i.e., qwerty) Network Security Policy DuPage County Network Security Policy Created: 01/12/2016 Section of: County Security Policies Modified: Target Audience: Technical Page 2 of 13 • Passwords must not include "guessable" data such as personal information like birthdays, addresses, phone numbers, locations, etc.
    [Show full text]
  • Guide to Information Technology Security
    Guide to Information Technology Security WMO-No. 1115 WMO-No. 1115 © World Meteorological Organization, 2016 The right of publication in print, electronic and any other form and in any language is reserved by WMO. Short extracts from WMO publications may be reproduced without authorization, provided that the complete source is clearly indicated. Editorial correspondence and requests to publish, reproduce or translate this publication in part or in whole should be addressed to: Chair, Publications Board World Meteorological Organization (WMO) 7 bis, avenue de la Paix Tel.: +41 (0) 22 730 84 03 P.O. Box 2300 Fax: +41 (0) 22 730 80 40 CH-1211 Geneva 2, Switzerland E-mail: [email protected] ISBN 978-92-63-11115-9 NOTE The designations employed in WMO publications and the presentation of material in this publication do not imply the expression of any opinion whatsoever on the part of the Secretariat of WMO concerning the legal status of any country, territory, city or area, or of its authorities, or concerning the delimitation of its frontiers or boundaries. Opinions expressed in WMO publications are those of the authors and do not necessarily reflect those of WMO. The mention of specific companies or products does not imply that they are endorsed or recommended by WMO in preference to others of a similar nature which are not mentioned or advertised. Revision History 2005-02-02 – ET-EUDCS, Draft version. 2006-07-19 – ET-CTS, First complete version. 2012-04-18 – ET-CTS, Second version with review of all text and addition of external references. 2016-04 – ET-CTS, Document review.
    [Show full text]
  • Implementation of the Esa Network Security Policy
    fEISD QMS document title/ titre du document IMPLEMENTATION OF THE ESA NETWORK SECURITY POLICY prepared by/préparé par Christoph Kröll reference/réference EISD-EPNS-00003 issue/édition 2 revision/révision 2(.3) date of issue/date d’édition 28/09/2004 status/état Second Issue Document type/type de document Implementation Document Distribution/distribution ESA a ESACERT http://www.esacert.esa.int Implementation of the ESA Network Security Policy s issue 2 revision 2 – 28/09/2004 EISD-EPNS-00003 page 2 of 45 APPROVAL Title Implementation of the ESA Network Security Policy issue 2 revision 2 titre issue revision author Christoph Kröll date 28/09/2004 auteur date approved by ESA Information Systems Security Advisory Group (EISSAG) date 28/09/2004 approuvé par date Implementation of the ESA Network Security Policy s issue 2 revision 2 – 28/09/2004 EISD-EPNS-00003 page 3 of 45 CHANGE LOG reason for change /raison du changement issue/issue revision/revision date/date Update by Christoph Kröll 2 2 28/09/2004 CHANGE RECORD ISSUE: 1 REVISION: 0 reason for change/raison du changement page(s)/page(s) paragraph(s)/paragraph(s) First Issue by Christoph Kröll All. All. ISSUE: 1 REVISION: 1 reason for change/raison du changement page(s)/page(s) paragraph(s)/paragraph(s) Update by Christoph Kröll following Internal Review All. All. ISSUE: 1 REVISION: 2 reason for change/raison du changement page(s)/page(s) paragraph(s)/paragraph(s) Update by Christoph Kröll following Internal Review All. All. ISSUE: 1 REVISION: 3 reason for change/raison du changement page(s)/page(s) paragraph(s)/paragraph(s) Update by Christoph Kröll following Internal Review All.
    [Show full text]
  • Acceptable Use Policy
    2500 – CORPORATE SECURITY POLICY ACCEPTABLE USE POLICY 1.0 Overview Though there are a number of reasons to provide a user network access, by far the most common is granting access to employees for performance of their job functions. This access carries certain responsibilities and obligations as to what constitutes acceptable use of the corporate network. This policy explains how corporate information technology resources are to be used and specifies what actions are prohibited. While this policy is as complete as possible, no policy can cover every situation, and thus the user is asked additionally to use common sense when using company resources. Questions on what constitutes acceptable use should be directed to the user's supervisor. 2.0 Purpose Since inappropriate use of corporate systems exposes RETA to risk, it is important to specify exactly what is permitted and what is prohibited. The purpose of this policy is to detail the acceptable use of RETA information technology resources for the protection of all parties involved. 3.0 Scope The scope of this policy includes any and all use of RETA IT resources, including but not limited to, computer systems, email, the network, and the corporate Internet connection. 4.0 Policy 4.1 E-mail Use Personal usage of RETA email systems is permitted as long as A) such usage does not negatively impact the RETA computer network, and B) such usage does not negatively impact the user's job performance. • The following is never permitted: spamming, harassment, communicating threats, solicitations, chain letters, or pyramid schemes. This list is not exhaustive but is included to provide a frame of reference for types of activities that are prohibited.
    [Show full text]
  • Security Technologies for the World Wide Web, 2Nd Ed..Pdf
    Y L F M A E T Team-Fly® Security Technologies for the World Wide Web For quite a long time, computer security was a rather narrow field of study that was populated mainly by theoretical computer scientists, electrical engineers, and applied mathematicians. With the proliferation of open sys- tems in general, and of the Internet and the World Wide Web (WWW) in particular, this situation has changed fundamentally. Today, computer and network practitioners are equally interested in computer security, since they require technologies and solutions that can be used to secure applications related to electronic commerce. Against this background, the field of computer security has become very broad and includes many topics of interest. The aim of this series is to publish state-of- the-art, high standard technical books on topics related to computer security. Further information about the series can be found on the WWW at the following URL: http://WWW.esecurity.ch/serieseditor.html Also, if you’d like to contribute to the series by writing a book about a topic related to computer security, feel free to contact either the Commissioning Editor or the Series Editor at Artech House. Recent Titles in the Artech House Computer Security Series Rolf Oppliger, Series Editor Computer Forensics and Privacy, Michael A. Caloyannides Demystifying the IPsec Puzzle, Sheila Frankel Developing Secure Distributed Systems with CORBA, Ulrich Lang and Rudolf Schreiner Implementing Electronic Card Payment Systems, Cristian Radu Implementing Security for ATM Networks, Thomas Tarman and Edward Witzke Information Hiding Techniques for Steganography and Digital Watermarking, Stefan Katzenbeisser and Fabien A.
    [Show full text]
  • Corporate Security Policies
    Corporate Security Policies Corporate Security - Acceptable Use Policy - Backup Policy - Confidential Data Policy - Consumer Disputes Policy - Criminal Database Searches Policy - Data Classification Policy - Encryption Policy - Guest Access Policy - Incident Response Policy - Mobile Device Policy - Network Access & Authentication policy - Network Security Policy - Outsourcing Policy - Password Policy - Physical Security Policy - Remote Access Policy - Retention Policy - Third Party Connection Policy - VPN Policy - Wireless Access Policy TruDiligence, LLC Acceptable Use Policy Created: 3/3/2009 Section of: Corporate Security Policies Target Audience: Users, Technical CONFIDENTIAL Page 1 of 8 TruDiligence, LLC is hereinafter referred to as "the company." 1.0 Overview Though there are a number of reasons to provide a user network access, by far the most common is granting access to employees for performance of their job functions. This access carries certain responsibilities and obligations as to what constitutes acceptable use of the corporate network. This policy explains how corporate information technology resources are to be used and specifies what actions are prohibited. While this policy is as complete as possible, no policy can cover every situation, and thus the user is asked additionally to use common sense when using company resources. Questions on what constitutes acceptable use should be directed to the user's supervisor. 2.0 Purpose Since inappropriate use of corporate systems exposes the company to risk, it is important to specify exactly what is permitted and what is prohibited. The purpose of this policy is to detail the acceptable use of corporate information technology resources for the protection of all parties involved. 3.0 Scope The scope of this policy includes any and all use of corporate IT resources, including but not limited to, computer systems, email, the network, and the corporate Internet connection.
    [Show full text]
  • 1 Document Name: Network Security Policy Document Type: Policy Staff
    Document name: Network Security Policy Document type: Policy Staff group to whom it applies: All staff within the Trust Distribution: The whole of the Trust How to access: Intranet Issue date: March 2013 Next review: April 2015 Approved by: Executive Management Team Developed by: Portfolio Manager – IM&T Infrastructure Director leads: Director of Finance/Deputy Chief Executive Contact for advice: Portfolio Manager, Performance & Information Department 1 NETWORK SECURITY POLICY 1 Introduction 1.1 This document defines the Network Security Policy for South West Yorkshire Partnership NHS Foundation Trust (referred to hereafter as the Trust). The Network Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support and are Users of the network. 1.2 This document: a. Sets out the Trust's policy for the protection of the confidentiality, integrity and availability of the network; b. Establishes the security responsibilities for network security; c. Provides reference to documentation relevant to this policy. 1.3 The network is a collection of communication equipment such as servers, computers, printers, and modems, which has been connected together by cables or wireless devices. The network is created to share data, software, and peripherals such as printers, modems, fax machines, Internet connections, CD-ROM and tape drives, hard disks and other data storage equipment. 2 Purpose/Scope of this Policy 2.1 The purpose of this policy is to ensure the security of The Trust's network. To do this the Trust will: a. Ensure Availability Ensure that the network is available for Users; b.
    [Show full text]