IT Security Policy


Version: 9

Name of responsible (ratifying) committee: Information Governance Steering Group

Date ratified: January 2014

Document Manager (job title): Head of IT

Date issued: 11th February 2014

Review date: December 2015

Electronic location: Management Policies

Related Procedural Documents:

- E-Mail Usage Policy
- IT Disaster Recovery Plan
- IT Portable Computing & Mobile Working Policy
- IT Procurement Policy
- Internet & N3 Usage Policy
- IT Network Security Policy
- Confidentiality: Staff Code of Conduct
- Data Protection Policy
- Adverse Event & Near Misses Policy
- Information Governance Strategy
- Information Risk Policy
- Safe Haven Policy
- Security Operational Procedure
- Disciplinary Policy
- IT Guidelines - Managing & Safely Using IT Resources
- IT Guidelines - Training

Key Words (to aid with searching): ICT security, disposal of media and equipment, computer rooms, virus, software, hardware, anti-virus, malicious software, back-up, encryption, business continuity, BCP, portable devices, mobile working, portable equipment, memory stick, USB devices, removable media, electronic media, CD, DVD, hard disk drive, HDD, remote access, PDA, e-mail, information assets, sensitive information, confidential information, identifiable personal information, information sharing, IT systems, core IT, key IT systems, IT equipment, monitoring use of IT, enhanced & privileged access rights, personal responsibility, SLSP, system security policy, IT disposal, software licensing, third party access, equipment siting, software patching, patch management, user accounts, system managers, unacceptable use, safe working practices, security incidents, loss / theft of IT equipment, security breaches, information asset owners

IT Security Policy Issue 9 Review Date - December 2015 Issue Date – 11th February 2014

Version Tracking

Version   Date Ratified   Brief Summary of Changes   Author
8.2       July 2007                                  IPHIS
9         January 2014    Full re-write of Policy    MSF

CONTENTS

1. INTRODUCTION

2. PURPOSE

3. SCOPE

4. DEFINITIONS

5. POLICY REQUIREMENTS
   5.1 Use of IT Resources
   5.2 System Monitoring
   5.3 IT Security Risk & Incident Management & Reporting
   5.4 Information Storage & Sharing
   5.5 Control & Management of IT Assets
   5.6 Access Control
   5.7 Systems Development, Management & Maintenance
   5.8 Equipment Protection & Security
   5.9 Operational Management & Procedures
   5.10 Business Continuity Planning

6. PROCESSES
   6.1 Assignment of User Accounts & IT Resources
   6.2 Unacceptable Use of IT Resources
   6.3 Safe Working Practices for Users & IT Staff
   6.4 Data Accuracy & Correction in IT Systems
   6.5 Action in case of Incident, Alert or Equipment Loss
   6.6 Action in case of Inappropriate use of IT Resources
   6.7 Cessation of User Accounts & Return of IT Equipment
   6.8 Change Management Processes

7. DUTIES AND RESPONSIBILITIES

8. TRAINING REQUIREMENTS

9. REFERENCES AND ASSOCIATED DOCUMENTATION

10. EQUALITY IMPACT STATEMENT

11. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS

QUICK REFERENCE GUIDE

For quick reference the guide below is a summary of actions required. This does not negate the need for the document author and others involved in the process to be aware of and follow the detail of this policy.

1. Information processing is a fundamental part of the Trust’s business and information held in the Trust’s IT systems is a most valuable and relied upon asset. It is essential that the Trust’s computer systems are protected against the many threats which may compromise them, and information held within them is accurate, up to date and accessible where and when it is needed.

2. The Trust’s IT resources are business tools and must be used responsibly, effectively and lawfully. You must be fully aware of the unacceptable uses defined in this policy and not engage in such activity at any time.

3. The Trust employs systems to monitor use of its IT resources and, whilst conditional personal use of some IT resources is permitted, there must be no expectation of privacy.

4. You are personally responsible for ensuring that no actual or potential security breaches occur as a result of your use of the Trust’s IT resources. You are expected to:

- Understand your responsibilities to prevent theft.

- Protect and maintain the confidentiality and integrity of the Trust’s data.

- Ensure operational security of information, equipment and systems used.

5. You must only use the user accounts that are assigned to you to access the Trust’s network and IT systems. You must not use accounts of other authorised users or allow others to use your own accounts.

6. You must only use Trust approved systems and solutions to share information, and only share that which is appropriate, relevant and authorised. You must be aware of the specific conditions concerning use and sharing of Sensitive Information and comply with such requirements at all times.

7. You must comply with other appropriate policies, IT guidelines, safe working practices and procedures relevant to the IT systems and resources that you use. This includes but is not limited to the E-Mail Usage Policy, the Internet & N3 Usage Policy and the Portable Computing & Mobile Working Policy.

8. You are responsible for the correctness and accuracy of data that you input to the Trust’s IT systems, and it is expected that you understand the potential consequential effects of error. You must identify and correct errors promptly and report any loss or corruption of data that you find.

9. To ensure timely erasure of data, and secure disposal, you must return IT equipment that is no longer required at the earliest opportunity.

10. Failure to comply with the requirements of this policy or inappropriate use of resources controlled by this policy is a serious matter and may result in rights to use Trust systems and/or IT resources being withdrawn, disciplinary action or prosecution under law.

1. INTRODUCTION

This policy supports the Trust’s overall information security management framework and has been produced, particularly, to set policy and define processes to be employed in the use and management of the Trust’s IT systems and resources.

Information processing is a fundamental part of the Trust’s business and, as its use of IT systems continues to expand, the information held in them represents one of the Trust’s most valuable and relied upon assets. It is essential that the Trust’s computer systems and the information held within them are protected against the many threats which may compromise them. It is therefore important for the Trust to have clear and relevant policies and practices that enable it to comply with legislation, keep its sensitive information safe and confidential, and minimise the impact of service interruptions.

All users of Trust IT resources shall comply with this policy.

2. PURPOSE

The purpose of this policy is to establish an overarching framework for IT security that provides assurance that:

- IT resources (including systems and the information contained within) are managed securely and consistently according to corporately specified standards and practices.

- Members of staff are aware of their own responsibilities concerning security of the IT resources and confidentiality of information they use, and that information security is an integral part of their day-to-day business.

- Safe and secure IT environments are provided for storage and use of the Trust’s information, and that information is accessible only on a ‘need to know’ basis.

- Information security risks are identified and controlled.

Information is of greatest value when it is accurate, up to date and accessible from where and when it is needed; inaccessible information can quickly disrupt or devalue mission critical processes. This policy aims to preserve the principles of:

- Confidentiality - That access to data shall be confined to those with appropriate authority.

- Integrity - That information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.

- Availability - That information shall be available and delivered to the right person, at the right time when it is needed.

3. SCOPE

3.1 This policy includes all IT resources under ownership or control of the Trust and applies to:

- All information (digital, hard copy, photographic or audio) collected, processed, stored, produced and communicated through the use of IT resources by or on behalf of the Trust.

- IT information systems owned by or under the control of the Trust.

- The Trust’s networks, infrastructure and websites.

- Any device or equipment that connects to the Trust’s network which is capable of accessing, reproducing, storing, processing or transmitting information.

- All users (including employees, voluntary & bank workers, contractors, agency & sub-contract staff, locums, partner organisations, suppliers and customers) of the Trust’s IT resources and the information contained within.

3.2 In the event of an outbreak of infection, flu pandemic or major incident, the Trust recognises that it may not be possible to adhere to all aspects of this document. In such circumstances, staff should take advice from their manager, and all possible action must be taken to maintain ongoing patient and staff safety.

4. DEFINITIONS

4.1 Sensitive Information means identifiable personal information, commercially confidential and sensitive information and confidential, sensitive and critical information of the Trust.

4.2 The/Your Manager means the line manager of a member of staff or other relevant senior member of staff.

5. POLICY REQUIREMENTS

5.1 Use of IT Resources

5.1.1 The Trust’s IT resources are business tools and users are obliged to use them responsibly, effectively and lawfully. Users of the Trust’s IT resources shall comply with Trust policies, current safe working practices and NHS standards and best practice guidance.

5.1.2 Any use of the Trust’s IT resources or information which appears to be unacceptable in terms of this policy, or which in any other way appears to contravene the Trust’s policies, regulations and standards may give rise to disciplinary action.

5.1.3 Confidentiality and security clauses associated with use of the Trust’s IT systems, other IT resources and information contained within shall be appropriately included in terms and conditions of employment and addressed during recruitment.

5.1.4 Members of staff shall receive appropriate training in use of the Trust’s IT systems, other IT resources and personal security responsibilities before authorisation of their use is granted.

5.1.5 Members of staff provided with enhanced and privileged access rights (e.g. system and database administrators, superusers, IT staff and similar) shall use such rights solely in the proper undertaking of their duties, and shall not deliberately access Sensitive Information or personal information without express and authorised permission.

5.1.6 Hacking - that is the breaking into computer systems, or attempting to gain illegal or unauthorised access to data or systems, or seeking and exploiting weaknesses in computer systems or networks - is a serious contravention of Trust policy and a criminal offence. It is strictly forbidden and is not tolerated under any circumstances by the Trust.

5.2 System Monitoring

5.2.1 In the interests of maintaining system security, complying with legal requirements and monitoring activity that is suspected to be in breach of this policy the Trust reserves the right to monitor use of its IT resources and information. This shall include network access, e-mail usage, virus activity and web-browsing.

5.2.2 Whilst conditional personal use of some IT resources of the Trust is permitted (e.g. e-mail and internet), users should be aware that there must be no expectation of privacy. If privacy is expected, the Trust’s IT resources must not be used for personal matters.

5.3 IT Security Risk & Incident Management & Reporting

5.3.1 Risks associated with use of the Trust’s IT systems, equipment and information shall be considered and mitigated where possible. Risk levels must be proportionate to benefits realised, and where risks cannot be reduced to acceptable levels they shall be escalated to the Trust’s Risk Assurance Committee / Senior Information Risk Owner (SIRO) as appropriate.

5.3.2 All users of the Trust’s IT resources are personally responsible for ensuring that no actual or potential security breaches occur as a result of their actions.

5.3.3 Potential and actual information security breaches associated with the use of the Trust’s information and IT resources shall be reported and investigated in accordance with the Trust’s incident reporting procedures.

5.4 Information Storage & Sharing

5.4.1 Sensitive Information shall:

- Only be stored on Trust owned or controlled IT resources.

- Not be intentionally placed on personal or privately owned computing and storage resources.

- Only be sent outside of the Trust with the authorisation of an appropriate Trust representative.

5.4.2 Staff shall only share information that is appropriate, relevant and authorised. Information that is shared electronically shall only be shared using Trust approved systems and solutions.

5.4.3 Information shall only be shared via e-mail in accordance with the criteria and conditions detailed in the Trust’s E-Mail Usage Policy.

5.4.4 Portable media (CD, DVD, memory sticks and similar) shall only be used to share information where secure direct transfer methods are not available, and under the following conditions:

- That it shall be in accordance with the requirements of the Trust’s Portable Computing & Mobile Working Policy and associated IT Guidelines.

- That Sensitive Information is encrypted in accordance with NHS standards and guidelines.

- That, if not being transported personally by an authorised representative of the Trust, it is sent by a Trust approved courier or special (registered) delivery, and confirmation of receipt by the intended recipient must be obtained by the sender.

5.5 Control & Management of IT Assets

5.5.1 All IT resources of the Trust (hardware, software, systems or data) are the property of the Trust; they shall be recorded in appropriate asset registers and have a named information asset owner or system manager who shall be responsible for the control, management and security of that asset.

5.5.2 System security policies shall be developed by information asset owners and system managers for all core IT assets and key IT systems.

5.5.3 IT equipment owned or controlled by the Trust shall only be removed from its premises (temporarily or permanently) with prior, appropriate authorisation/documented release. Equipment shall not be removed by a third party (e.g. the supplier, a repairer or disposal agent) until a signed confidentiality and transfer of responsibility agreement has been exchanged.

5.5.4 At end of life, all IT equipment owned or controlled by the Trust shall be returned to the IT Department for erasure of data and secure disposal in accordance with NHS standards and guidelines.

5.5.5 The Trust takes seriously its duties and obligations to use software responsibly, lawfully and in compliance with licence terms and conditions. All software and systems used by the Trust shall be:

- Properly licensed, and authorisation to use software and systems shall be dependent upon the availability of licences.

- Used within the terms and conditions of the software licence.

- Approved, tested, reliable and robust software that can be supported effectively by the IT Department or a suitably qualified, reputable third party supplier.

- Deployed or installed by the IT Department or their authorised representative.

5.5.6 All changes associated with the deployment of new services, systems, software and IT solutions shall be subject to and managed via formal and appropriately authorised change control procedures.

5.6 Access Control

5.6.1 Access to the Trust’s IT systems shall be restricted to users who have a justified business need to access the information contained within and are authorised by the relevant information asset owner or system manager.

5.6.2 Access privileges shall be based upon the function of the job and not the status of the user’s post. They shall be modified or removed as appropriate when a member of staff changes job or leaves the employment of the Trust.

5.6.3 Users of the Trust’s IT resources shall comply with requirements and practices for using log-in accounts and passwords as detailed in the most current version of its safe working practices.

5.6.4 Access to and use of the Trust’s IT resources by anybody (persons, organisations, etc), other than an employee of the Trust, shall be suitably authorised and subject to prior written and signed agreement that such access shall be in accordance and compliance with Trust policies, procedures and practices.

5.6.5 Access to and use of the Trust’s information in public areas and outside of its premises shall be subject to the additional measures of protection and requirements as specified in the Trust’s Portable Computing & Mobile Working Policy and associated IT Guidelines.

5.6.6 Only authorised personnel who have a justified and approved business need shall be given access to restricted areas of the Trust’s buildings containing core and critical computer equipment. Staff entering and working in such areas shall at all times comply with the Trust’s current safe working practices associated with access to such areas.

5.6.7 Remote access by third party suppliers of systems and software for support and maintenance purposes shall be subject to prior written agreement (either as part of a contract or specific separate agreement), and commitment, to maintain confidentiality and integrity of the Trust’s information and data.

5.7 Systems Development, Management & Maintenance

5.7.1 Specification of IT systems shall take into account the requirements and recommended practices detailed in the Trust’s IT Guidelines - Managing & Safely Using IT Resources.

5.7.2 In house application development shall comply with the standards and working practices detailed in the Trust’s safe working practices.

5.7.3 Changes to IT systems shall be documented and assessed for their impact upon other systems prior to the change taking place.

5.7.4 All new releases of software applications and application developments shall be assessed in appropriate test environments prior to their release and be subject to satisfactory functional, non-functional and end-user-testing before being put into operational use.

5.7.5 Unless expressly and appropriately authorised, live Sensitive Information shall not be used for testing, training or demonstration purposes unless it is transformed so that identification of any individual is not possible.

5.7.6 Live and test data shall, preferably, be physically and logically separated. Where such physical separation is not possible, controls shall be put into place to ensure proper logical separation. If data is to be moved between live and test environments its migration shall be strictly controlled and subject to formal change control procedures.

5.7.7 Each IT system shall have an identified and suitably trained administrator and documented operational procedures in place together with appropriate maintenance arrangements.

5.8 Equipment Protection & Security

5.8.1 All IT hardware, software and systems purchased shall comply with standards as defined in the Trust’s current safe working practices at the time of purchase.

5.8.2 IT equipment and systems not purchased by the IT Department shall not be connected to the Trust’s network until the IT Department has authorised such connection.

5.8.3 IT equipment shall be sited where reasonably practicable to reduce risk from environmental threat and unauthorised access. Where equipment is kept or installed in public areas of the Trust’s buildings it shall be positioned as far as reasonably practicable to reduce risk of unauthorised access or casual viewing.

5.8.4 Environmental controls and monitoring systems that trigger alarms should problems occur shall be installed to protect the Trust’s core and critical computer equipment.

5.8.5 Access to areas housing the Trust’s core and critical computer equipment shall be restricted and kept secured at all times.

5.8.6 Reasonable and appropriate measures shall be taken to minimise the risk of theft of the Trust’s IT equipment including the secure anchoring of equipment in public places and security coding.

5.8.7 Portable equipment (including removable media) shall be subject to the additional measures of protection and requirements as specified in the Trust’s Portable Computing & Mobile Working Policy and associated IT Guidelines.

5.8.8 Core and critical computer equipment of the Trust shall be connected to secured power supplies, using uninterruptible power supplies and generator backup services to ensure that it does not fail during failure of the mains supply or switchover between mains and generated supplies.

5.8.9 Uninterruptible power supplies shall be dimensioned to ensure that relevant equipment and key IT systems can be shut down by controlled processes in the event of continuing supply failure.

5.8.10 IT and communications cabling shall be protected from interception or damage (via physical fabric of the building or in conduit) and sited in accordance with relevant standards in relation to electrical and heating services.

5.9 Operational Management & Procedures

5.9.1 Core and key IT systems and services shall be backed up according to an appropriate schedule to ensure that business and operational functions of the Trust are not jeopardised and that media is retained for adequate intervals before being overwritten.

5.9.2 Backup media shall be clearly labelled and stored separately from the system location to protect against loss of the building.

5.9.3 Restoration processes shall be adequately documented to enable other (suitably qualified) staff to understand and employ them.

5.9.4 Backup media and restoration processes shall be regularly tested to ensure that they are effective.

5.9.5 Appropriate cryptographic controls shall be used to ensure the integrity and confidentiality of communication, processing and storage of the Trust’s information.

5.9.6 To ensure that the risk of disruption is kept to an absolute minimum, all data residing on the Trust’s network or flowing to and from it shall be protected against attack by viruses, malicious software and mobile code.

5.9.7 Operating systems, core and critical software, key applications and firmware shall be regularly updated with published security patches.

5.10 Business Continuity Planning

5.10.1 Business continuity and disaster recovery plans shall be put into place and regularly tested for all mission critical IT systems, applications and networks.

5.10.2 Where possible and practicable, IT systems shall be designed to include controls that check for data corruption that has resulted from processing errors or other possible deliberate acts.

6. PROCESSES

6.1 Assignment of User Accounts & IT Resources

6.1.1 Requests for user network accounts and IT equipment must be submitted by The Manager or other Trust authorised representative to the IT Department Service Desk in accordance with its current ordering processes and procedures.

6.1.2 The following types of request must be supported with appropriate authorisation of the information asset owner or system manager:

- Accounts (and changes to accounts) for IT systems. Requests for access to particular IT systems are subject to completion of necessary prior training.

- Granting of enhanced or privileged access rights.

6.1.3 Requests for allocation of portable equipment or access to mobile working solutions must be submitted in accordance with the procedure detailed in the Portable Computing & Mobile Working Policy.

6.1.4 Requests for access to and use of IT resources by third parties (persons not employed by the Trust and remote access support requirements of suppliers) must be supported with prior appropriate written agreement authorised by appropriate representative of the Trust.

6.1.5 The Manager shall ensure that the IT Department’s Service Desk is promptly notified of any changes:

- To ownership or location of IT equipment.

- Necessitated to a user’s access rights due to circumstantial change.

6.1.6 Requests will be processed by the IT Department in accordance with established procedures and published timescales.

6.2 Unacceptable Use of IT Resources

Effective information security primarily concerns people and their behaviour. It is facilitated by appropriate use of technology, which must be appropriately protected. The security of the Trust’s information and its systems is everybody’s daily responsibility; you are fully liable if you disregard the rules set out in this policy. You must not:

- Use Trust IT resources for personal purposes, except where specifically permitted, with the prior agreement of Your Manager and in accordance with relevant policies, safe working practices and NHS standards and guidelines.

- Deliberately damage the Trust’s IT resources or information contained within, or attempt to make unauthorised modification of the same that might impair operation or prevent or hinder access to the programs or data held on Trust equipment or systems.

- Remove covers from any Trust IT equipment for any purposes, including changing or adding components.

- Connect equipment (including removable media) to Trust IT equipment that is not approved or authorised by the IT Department.

- Add or install equipment to the Trust’s networks without the prior authorisation of the IT Department.

- Modify or disable the anti-virus software on the Trust’s IT equipment or prevent it from updating.

- Download, install, or attempt to install, any software onto the Trust’s IT equipment without prior authorisation of the IT Department.

- Permit others to use your Trust computer account, even if they are an authorised Trust account holder.

- Disclose your password to anyone, including management and IT Department staff.

- Attempt to access IT systems or data to which you have no legitimate right.

- Use IT systems which you are authorised to use for purposes for which you are not authorised, or which are in breach of the Trust’s policies, procedures and regulations, or which are unlawful.

- Attempt to introduce and transmit material (including but not limited to computer viruses, Trojan horses and worms) designed to be destructive to computer systems, or try to get around precautions in the Trust’s systems and network designed to prevent such material.

- Use Trust IT resources to access or process offensive material (e.g. pornographic or racist material).

6.3 Safe Working Practices for Users & IT Staff

All users of Trust IT resources are required to comply with the most current version of IT Guidelines published by the IT Department.

IT staff shall also comply with the most current version of IT Guidelines in respect to the IT Department’s own implementation and compliance with this policy.

Any questions or queries relating to these practices should be addressed to the IT Department Service Desk.

6.4 Data Accuracy & Correction in IT Systems

The importance of data accuracy and integrity in safe and reliable use of the Trust’s IT systems cannot be over-emphasised. It is paramount that you understand your responsibility to enter data correctly and accurately into the Trust’s systems, and the potential consequential effects if you do not.

The key points to remember are:

- Data accuracy is the direct responsibility of the person inputting the data, supported by their line manager.

- Error correction should be done at the source of input as soon as it is detected. Correction is increasingly important as the Trust’s IT systems become more integrated and the risk of errors being transmitted between systems increases.

- Any loss or corruption of data should be reported to the relevant system manager/administrator at once.

6.5 Action in case of Incident, Alert or Equipment Loss

6.5.1 In case of Theft or Loss of Equipment or Suspected Unauthorised Access

Users of IT resources must report instances of theft, loss or damage to The Manager at the earliest instance. The Manager shall evaluate reports on a case-by-case basis to determine whether the occurrence necessitates reporting via the Trust’s incident reporting procedure.

The Manager shall inform the IT Department Service Desk of instances of theft and loss to ensure that appropriate action is taken.

In instances where a user suspects that unauthorised use of the Trust’s IT equipment has occurred, or unauthorised access to the Trust’s IT network, systems or information may have been gained, they must report the occurrence of such incident to The Manager at the earliest instance.

The Manager shall evaluate reports on a case-by-case basis to determine whether the occurrence necessitates reporting via the Trust’s incident reporting procedure.

6.5.2 In case of Virus Alert on your Computer

If a virus is detected on your computer or device you must contact the IT Department Service Desk immediately.

Take a note of the alert message displayed and do not use the computer/device until the virus has been dealt with. If you have been using any removable media (e.g. CDs, DVDs, memory sticks, etc) ensure that these are handed to the IT Department for assessment.

6.5.3 In case of Suspected or Actual Information Security Breach

The following suspected or actual information security breaches must be reported to the IT Department Service Desk at the earliest opportunity:

- Password violations

- User account sharing

- Occurrences of any of the unacceptable uses defined in section 6.2 of this document

6.6 Action in case of Inappropriate use of IT Resources

Failure to comply with the requirements of this policy or inappropriate use of IT systems, equipment and other resources is a serious matter and may result in an individual’s right to use Trust IT resources being withdrawn. It may also result in disciplinary action and, in some circumstances, it might lead to prosecution under UK law.

In accordance with the Trust’s disciplinary policies & procedures, line managers shall investigate failures to comply with the requirements of this policy and cases of inappropriate use of resources. Support from the IT Department may be obtained by contacting the IT Department Service Desk.

6.7 Cessation of User Accounts & Return of IT Equipment

The Manager or other Trust authorised representative shall ensure that all IT equipment is recovered from users leaving the Trust and that the IT Department Service Desk is promptly informed of user accounts that are no longer required.

Following receipt of such instruction the IT Department will disable the specified accounts, rendering them unusable but available for reactivation should the need occur.

Accounts will be retained in such condition for a period of six months after which they will be fully deleted. After this time recovery of information from such accounts will no longer be possible.

Surplus, redundant and obsolete IT equipment that has been used for the processing, storage or transportation of the Trust’s information must be returned to the IT Department at the earliest opportunity.

6.8 Change Management Processes

All changes to the Trust’s core and critical computer equipment and key IT systems must be managed consistently and systematically to ensure a sound and auditable change trail.

Documented change management processes, that enable timely, efficient and effective management of change through the entire lifecycle of equipment and systems, shall include:

• The generation, progression and completion of change requests as the mechanism for managing change.

• Appropriate technical and business impact assessment by a third party/body (e.g. a Change Manager, Change Advisory Board or Project Board) with the authorisation to accept or reject change requests.

• Structured implementation of changes including appropriate points of sign-off and back-out contingencies to be followed in the event of failure.

• Post implementation recorded review noting successes/failures and lessons learnt.

7. DUTIES AND RESPONSIBILITIES

7.1 Senior Information Risk Officer (SIRO)

The SIRO is responsible for:

• The Trust’s information risk assessment process and information management.

• Overseeing adherence to this procedure to the satisfaction of the Trust.

• Ensuring documentation and appropriate action is taken where non-compliance with this policy or a need for improvement is identified.

7.2 Caldicott Guardian

The Caldicott Guardian has responsibility for the confidentiality and appropriate sharing of patient information throughout the Trust.

7.3 Information Governance Steering Group

The Information Governance Steering Group is responsible for ensuring that this policy is:

• In accordance with information governance requirements.

• Implemented and understood across the Trust.

7.4 Information Governance Manager

The Information Governance Manager has responsibility for ensuring that Information Governance standards are implemented effectively across the Trust, including:

• The co-ordination, action planning and reporting of information security work and activity.

• Maintaining the Trust’s information asset and data flow mapping registers and their regular review.

7.5 Information Asset Owners & System Managers

Where nominated, information asset owners and system managers are responsible for the protection, security and day-to-day management of designated assets/systems, including:

• Development and enforcement of system security policies and appropriate operational and administration procedures.

• The environments in which core and critical computer equipment are housed and information is processed or stored.

• The control and level of access (including privileged and administration rights) granted to individual users of IT systems, networks and restricted areas housing core and critical computer equipment.

• Regular information risk assessment and submission of results and mitigation action plans to the SIRO.

• The development and maintenance of necessary business continuity and disaster recovery plans and verification of their regular testing.

7.6 Human Resources Department

The Human Resources Department is responsible for ensuring that:

• Information security requirements are addressed during recruitment and all contracts of employment contain appropriate confidentiality clauses.

• Information security responsibilities, duties and expectations are included within appropriate job descriptions, person specifications and HR policies and codes of conduct.

• Information governance and information security awareness training is included in the Trust’s staff induction process and annual mandatory training.

7.7 Head of IT

The Head of IT is responsible for:

• Ensuring that the configuration and management of the Trust’s computers and networks is controlled through documented authorised policies and procedures based upon NHS and industry standards, best practice and recommendations.

• Authorising IT resources to be used by the Trust.

• Ensuring that this policy is implemented and adhered to by IT Department staff.

7.8 The IT Department

The IT Department and its staff are responsible for ensuring the continuing availability of Trust IT resources and the security and integrity of data within its network. In addition to the other responsibilities and duties detailed in this policy, the IT Department will:

• Ensure that all IT assets for which it is assigned responsibility are controlled by and subject to prescribed asset management procedures and processes.

• Ensure that IT equipment purchased on behalf of the Trust is added to the asset register, security labelled, protected and stored safely.

• Ensure IT equipment is appropriately configured for use and loaded with relevant licensed software.

• Allocate and configure individual user accounts and ensure the associated user authentication of each authorised user of the Trust’s IT resources.

• Provide and control external connections to the Trust’s network in accordance with NHS standards and requirements.

• Ensure the removal of Sensitive Information and identity from the Trust’s IT equipment, its secure disposal and deletion from the asset register.

• Perform routine tests of disaster recovery procedures for core and critical computer equipment and key IT systems of the Trust.

• Ensure the provision of systems to monitor compliance with the Trust’s IT policies and its legal and statutory obligations.

• Provide advice and guidance to users of the Trust’s IT resources.

7.9 Managers

Managers are responsible for ensuring that their permanent and temporary staff and contractors have read and understood this policy and, in addition to the other responsibilities and duties detailed in this policy, that:

• Staff are instructed in their security responsibilities and work in compliance with this policy, related processes, guidelines and safe working practices.

• Staff are appropriately trained in use of the Trust’s IT resources and systems.

• Property registers in ESR are kept up to date with IT equipment that has been assigned to staff.

• Agreements are in place with suppliers and external contractors that ensure staff and sub-contractors comply with appropriate policies and procedures before access to Trust systems or use of its IT resources is permitted.

7.10 Staff

Every member of staff is personally responsible for ensuring that no breaches of computer security result from their actions and shall:

• Comply with this policy, its related processes, guidelines and safe working practices.

• Ensure that they are fully aware of the unacceptable uses of IT resources as outlined in this policy.

• Understand their responsibilities to prevent theft, and protect and maintain the confidentiality and integrity of the Trust’s data.

• Ensure operational security of the information and IT equipment and systems used.

• Receive adequate training or guidance in the use of any IT equipment or systems provided by the Trust in relation to their own duties and responsibilities.

• Understand their responsibilities to accurately enter data into IT systems and take appropriate action to identify and report missing, lost and incorrect data.

7.11 Other Authorised Users of Trust IT Resources

Other authorised users of the Trust’s IT resources are personally responsible for ensuring that no breaches of computer security result from their actions and shall:

• Comply with this policy, its related processes, guidance and safe working practices and other relevant Trust policies, procedures and standards.

• Confirm such agreement in writing, via contract, memorandum of understanding or other mutually agreed mechanism.

8. TRAINING REQUIREMENTS

Members of staff are individually responsible for ensuring that they comply with Trust policies and procedures and complete induction and annual mandatory training which includes Information Governance and information security principles and practices.

Users of Trust IT resources must ensure that they are familiar with and follow IT Guidelines issued by the IT Department.

Specific questions relating to the use of IT resources for the Trust’s business and operation needs can be addressed to the IT Department Service Desk.

9. REFERENCES AND ASSOCIATED DOCUMENTATION

9.1 The Trust is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of the Trust, who may be held personally accountable for any breaches of information security for which they may be held responsible. The Trust shall comply with the following legislation and other legislation as appropriate:

• The Data Protection Act (1998)

• Computer Misuse Act (1990)

• Common Law Duty of Confidentiality

• Human Rights Act 1998

• Privacy and Electronic Communications Regulations

• Regulation of Investigatory Powers Act 2000

• Copyright, Designs and Patents Act 1988

• Freedom of Information Act (2000)

9.2 The Trust complies with all national NHS information security and governance requirements and aims to adopt other standards and recognised best practice it considers appropriate. This includes:

• Information Governance Toolkit V11 requirements 11-300, 11-305, 11-309, 11-310, 11-311, 11-313 and 11-323

• Information Security Management: NHS Code of Practice 2007

• Good Practice Guide - Safe Computing, security against viruses, malware & e-mail hoaxes: Connecting for Health 2008

• General Principle for Securing Information Systems: Good Practice Guideline 2009

• Password Policy for Non-Spine Connected Applications - Good Practice Guideline 2010

• Securing Against Viruses, Malware & E-Mail Hoaxes: Good Practice Guideline 2010

• Approved Cryptographic Algorithms - Good Practice Guideline 2012

• Patch Management: Good Practice Guideline 2009

• Destruction & Disposal of Sensitive Data: Good Practice Guideline 2012

• Application Security: Good Practice Guidelines 2006

• Health & Social Care Information Centre (HSCIC) website

• ISO27001:2005 International Standard for Information Security Management

• ISO27002:2005 Code of Practice for Information Security Management

• IT Infrastructure Library (ITIL®)

• Projects in Controlled Environments (PRINCE2®)

10. EQUALITY IMPACT STATEMENT

Portsmouth Hospitals NHS Trust is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on any grounds.

This policy has been assessed accordingly.

11. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS

This document will be monitored to ensure it is effective and to assure compliance.

For each minimum requirement to be monitored, the table below gives the Lead, the Tool, the Frequency of Report of Compliance, the Reporting arrangements and the Lead(s) for acting on Recommendations.

Minimum requirement to be monitored: Appropriate confidentiality & security clauses are included in terms & conditions of employment
Lead: HR representative to the Information Governance Steering Group
Tool: Report to Information Governance Steering Group
Frequency of Report of Compliance: Annually
Reporting arrangements: Report to Information Governance Steering Group
Lead(s) for acting on Recommendations: To be assigned by Information Governance Steering Group

Minimum requirement to be monitored: IT assets are recorded in appropriate asset registers
Lead: Information Governance Manager & Information Security Management Assurance Lead
Tool: Report to Information Governance Steering Group
Frequency of Report of Compliance: Annually
Reporting arrangements: Report to Information Governance Steering Group
Lead(s) for acting on Recommendations: To be assigned by Information Governance Steering Group

Minimum requirement to be monitored: System Security Policies exist for core IT assets & key IT systems
Lead: Information Governance Manager & Information Security Management Assurance Lead
Tool: IG Toolkit compliance returns
Frequency of Report of Compliance: Annually
Reporting arrangements: Annual summary of position to Information Governance Steering Group
Lead(s) for acting on Recommendations: To be assigned by Information Governance Steering Group

Minimum requirement to be monitored: Risk assessments of core IT assets & key IT systems are regularly undertaken
Lead: Information Governance Manager & Information Security Management Assurance Lead
Tool: IG Toolkit compliance returns
Frequency of Report of Compliance: Annually
Reporting arrangements: Annual summary of position to Information Governance Steering Group
Lead(s) for acting on Recommendations: To be assigned by Information Governance Steering Group

Minimum requirement to be monitored: Adequate business continuity/disaster recovery plans exist for core IT assets & key IT systems that are regularly tested
Lead: Information Governance Manager & Information Security Management Assurance Lead
Tool: IG Toolkit compliance returns
Frequency of Report of Compliance: Annually
Reporting arrangements: Annual summary of position to Information Governance Steering Group
Lead(s) for acting on Recommendations: To be assigned by Information Governance Steering Group

Minimum requirement to be monitored: IT Guidelines for Managing & Safely Using IT Resources is regularly reviewed & updated
Lead: IT Department nominated responsible
Tool: Report to Information Governance Steering Group
Frequency of Report of Compliance: Annually
Reporting arrangements: Report to Information Governance Steering Group
Lead(s) for acting on Recommendations: Not applicable
