
IT SECURITY POLICY

Version 11

Name of responsible (ratifying) committee Data Protection & Data Quality Committee

Date ratified 14 March 2018

Document Manager (job title) Head of IT

Date issued 29 March 2018

Review date 28 March 2020

Electronic location Management Policies

Related Procedural Documents

E-Mail Usage Policy
IT Portable Computing & Mobile Working Policy
IT Procurement Policy
Internet & Internet Services Usage Policy
IT Network Security Policy
Business Continuity & Contingency Planning Policy
Confidentiality: Staff Code of Conduct
Data Protection Policy
Adverse Event & Near Misses Policy
Information Governance Policy
Information Risk Policy
Safe Haven Policy
Disciplinary Policy
IT Guidelines - Managing & Safely Using IT Resources
IT Guideline - Systems & Software Asset Management
IT Guidelines - Back-up Disaster Recovery & Avoidance
IT Guidelines - Training

Key Words (to aid with searching)

ICT security, disposal of media and equipment, computer rooms, virus, software, hardware, anti-virus, malicious software, back-up, encryption, business continuity, BCP, portable devices, mobile working, portable equipment, memory stick, USB devices, removable media, electronic media, CD, DVD, hard disk drive, HDD, remote access, PDA, e-mail, information assets, sensitive information, confidential information, identifiable personal information, information sharing, IT systems, core IT, key IT systems, IT equipment, monitoring use of IT, enhanced & privileged access rights, personal responsibility, SLSP, system security policy, IT disposal, software licencing, third party access, equipment siting, software patching, patch management, user accounts, system managers, unacceptable use, safe working practices, security incidents, loss / theft of IT equipment, security breaches, information asset owners

IT Security Policy | Version: 11 | Issue Date: 29 March 2018 | Review Date: 28 March 2020 | Page 1 of 23

Page 2: 1. INTRODUCTION · Web viewITIL ® 2007 Projects in Controlled Environments: Prince 2® 2009 10.EQUALITY IMPACT STATEMENT The Trust is committed to ensuring that, as far as is reasonably

Version Tracking

Version | Date Ratified | Brief Summary of Changes | Author
11 | March 2018 | Updated to include additional requirements of new NHS Digital Information Security policies & guidelines. Other additions, changes & corrections also included | MSF
10 | January 2016 | Review & minor updates & additions to document | MSF
9 | January 2014 | Full re-write of Policy | MSF
8.2 | July 2007 | | IPHIS


CONTENTS

1. INTRODUCTION (p. 5)
2. PURPOSE (p. 5)
3. SCOPE (p. 5)
4. DEFINITIONS (p. 6)
5. POLICY REQUIREMENTS (p. 6)
5.1 Use of IT Resources (p. 6)
5.2 System Monitoring (p. 7)
5.3 IT Security Risk, Vulnerabilities, Incident Management & Reporting (p. 7)
5.4 Information Storage & Sharing (p. 7)
5.5 Control & Management of IT Assets (p. 8)
5.6 Access Control (p. 9)
5.7 Systems, Database & Application Development, Management & Maintenance (p. 10)
5.8 Equipment Protection & Security (p. 10)
5.9 Operational Management & Procedures (p. 11)
5.10 Business Continuity Planning (p. 12)
6. DUTIES AND RESPONSIBILITIES (p. 12)
7. PROCESSES (p. 14)
7.1 Assignment of User Accounts & IT Resources (p. 14)
7.2 Unacceptable Use of IT Resources (p. 15)
7.3 Safe Working Practices for Users & IT Staff (p. 16)
7.4 Data Accuracy & Correction in IT Systems (p. 16)
7.5 Action in case of Incident, Alert or Loss (p. 16)
7.6 Action in case of Inappropriate use of IT Resources (p. 17)
7.7 Cessation of User Accounts & Return of IT Equipment (p. 17)
7.8 Retention of User Accounts during Periods of Absence (p. 18)
7.9 Change Management Processes (p. 18)
8. TRAINING REQUIREMENTS (p. 18)
9. REFERENCES AND ASSOCIATED DOCUMENTATION (p. 19)
10. EQUALITY IMPACT STATEMENT (p. 19)
11. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS (p. 21)


QUICK REFERENCE GUIDE

For quick reference the guide below is a summary of actions required. This does not negate the need for the document author and others involved in the process to be aware of and follow the detail of this policy.

1. Information processing is a fundamental part of Portsmouth Hospitals NHS Trust’s (the Trust) business and information held in the Trust’s Information Technology (IT) systems is a most valuable and relied upon asset. It is essential that the Trust’s computer systems are protected against the many and developing threats which may compromise them, and information held within them is accurate, up to date and accessible where and when it is needed.

2. The Trust’s IT resources are business tools and must be used responsibly, ethically, effectively and lawfully. You must be fully aware of the unacceptable uses defined in this policy and not engage in such activity at any time.

3. The Trust employs systems to monitor use of its IT resources and, whilst conditional personal use of some IT resources is permitted, there must be no expectation of user privacy.

4. You are personally responsible for ensuring that no actual or potential security breaches occur as a result of your use of the Trust’s IT resources. You are expected to:

Understand your responsibilities to prevent theft.
Protect and maintain the confidentiality and integrity of the Trust’s data.
Ensure operational security of information, equipment, networks and systems used.

5. You must only use the user accounts that are assigned to you to access the Trust’s network and IT systems. You must not use accounts of other authorised users or allow others to use your own accounts.

6. You must only use Trust approved systems and solutions to share information, and only share that which is appropriate, relevant and authorised. You must be aware of the specific conditions concerning use and sharing of Sensitive Information and comply with such requirements at all times.

7. You must comply with other appropriate policies, IT guidelines, safe working practices and procedures relevant to the IT systems and resources that you use.

8. You must comply with notifications that are issued by the IT Department concerning collective or individual action that must be undertaken in response to potential or actual information security threats.

9. You are responsible for the correctness and accuracy of data that you input to the Trust’s IT systems, and it is expected that you understand the potential consequential effects of error. You must identify and correct errors promptly and report any loss or corruption of data that you find.

10. To ensure timely erasure of data, and secure disposal, you must return IT equipment that is no longer required at the earliest opportunity.

11. You must ensure that any incident that could potentially affect the security of information or result in data disclosure is reported to the IT Service Desk at the earliest opportunity.

12. Failure to comply with the requirements of this policy or inappropriate use of resources controlled by this policy is a serious matter and may result in rights to use Trust systems and/or IT resources being withdrawn, disciplinary action or prosecution under law.


1. INTRODUCTION

This policy supports Portsmouth Hospitals NHS Trust’s (the Trust) overall information security management framework and has been produced to:

Set policy and define processes to be employed in the protection, use and management of the Trust’s Information Technology (IT) systems and resources.

Protect against reputational loss that may arise through confidentiality, integrity and availability data breaches.

Information processing is a fundamental part of the Trust’s business and, as its use of IT systems continues to expand, the information held in them represents one of the Trust’s most valuable and relied upon assets. It is essential that the Trust’s computer systems and the information held within them are protected against the many and developing threats which may compromise them. It is therefore important for the Trust to have clear and relevant policies and practices that enable it to comply with legislation, keep its sensitive information safe and confidential, and minimise the impact of service interruptions.

2. PURPOSE

The purpose of this policy is to establish an overarching framework, outlining the approach, methodology and responsibilities for IT security that provides assurance that:

IT resources (including systems and the information contained within them) are managed securely and consistently according to NHS Digital and corporately specified standards and practices.

Members of staff are aware of their own responsibilities concerning security of the IT resources and confidentiality of information they use and that information security is an integral part of their day-to-day business.

Safe and secure IT environments are provided for storage and use of the Trust’s information and that information is accessible only on a ‘need to know’ basis.

Information security risks are identified and controlled.

Information is of greatest value when it is accurate, up to date and accessible from where and when it is needed; inaccessible information can quickly disrupt or devalue mission critical processes. This policy aims to preserve the principles of:

Confidentiality - That access to data shall be confined to those with appropriate authority and protected from breaches, unauthorised disclosure or unauthorised viewing.

Integrity - That information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification and not allow unauthorised modification of data.

Availability - That information shall be available, delivered to the right person, at the right time when it is needed, and protected from disruption, loss and denial-of-service attack.

3. SCOPE

3.1 This policy includes all IT resources under ownership or control of the Trust and applies to:

All information (digital, hard copy, photographic or audio) collected, processed, stored, produced and communicated through the use of IT resources by or on behalf of the Trust.

IT information systems owned by or under the control of the Trust.

The Trust’s networks, infrastructure and websites.

Any device or equipment that connects to the Trust’s network which is capable of accessing, reproducing, storing, processing or transmitting information.

All users (including employees, voluntary & bank workers, contractors, agency & sub-contract staff, locums, partner organisations, suppliers and customers) of the Trust’s IT resources and the information contained within them.

3.2 In the event of an outbreak of infection, a flu pandemic or a major incident, the Trust recognises that it may not be possible to adhere to all aspects of this document. In such circumstances, staff should take advice from their manager, and all possible action must be taken to maintain ongoing patient and staff safety.

4. DEFINITIONS

4.1 Sensitive Information means personal identifiable information, commercially confidential and sensitive information and confidential, sensitive and critical information of the Trust.

4.2 The/Your Manager means the line manager of a member of staff or other relevant senior member of staff.

5. POLICY REQUIREMENTS

5.1 Use of IT Resources

5.1.1 The Trust’s IT resources are business tools and users are obliged to use them responsibly, ethically, effectively and lawfully. Users of the Trust’s IT resources shall comply with Trust policies, current safe working practices and National Health Service (NHS) standards and best practice guidance.

5.1.2 Any use of the Trust’s IT resources or information which appears to be unacceptable in terms of this policy, or which in any other way appears to contravene the Trust’s policies, regulations and standards may give rise to disciplinary action.

5.1.3 Confidentiality and security clauses associated with use of the Trust’s IT systems, other IT resources and information contained within shall be appropriately included in terms and conditions of employment and addressed during recruitment.

5.1.4 Members of staff shall receive appropriate training in use of the Trust’s IT systems, other IT resources and personal security responsibilities before authorisation of their use is granted.

5.1.5 Members of staff provided with enhanced and privileged access rights (e.g. system and database administrators, superusers, IT staff and similar) shall use such rights solely in the proper undertaking of their duties, and shall not deliberately access Sensitive Information without express and authorised permission.

5.1.6 With the exception of penetration and vulnerability testing that has been authorised by the Trust’s Senior Information Risk Officer, attempting to gain illegal or unauthorised access to data or systems, or seeking and exploiting weaknesses in computer systems or networks for unauthorised purposes, is a serious contravention of Trust policy and a criminal offence. It is strictly forbidden and is not tolerated under any circumstances by the Trust.


5.2 System Monitoring

5.2.1 In the interests of maintaining system security, complying with legal requirements, detecting and investigating unlawful activity, and ensuring that compliance with policies and standards is maintained, the Trust reserves the right to monitor use of its IT resources and information. This may include network access and activity, in-bound and out-bound traffic, device status and usage, session activity, password quality, e-mail usage, virus activity, web-browsing and critical event alerting.

5.2.2 Whilst conditional personal use of some IT resources of the Trust is permitted (e.g. e-mail and internet), users should be aware that there must be no expectation of privacy. If privacy is expected, the Trust’s IT resources must not be used for personal matters.

5.3 IT Security Risk, Vulnerabilities, Incident Management & Reporting

5.3.1 Risks associated with use of the Trust’s IT systems, equipment and information shall be considered and mitigated where possible. Risk levels must be proportionate to benefits realised, and where risks cannot be reduced to acceptable levels they shall be escalated to the Trust’s Risk Assurance Committee / Senior Information Risk Owner (SIRO) as appropriate.

5.3.2 Vulnerability assessments (due diligence) shall be undertaken:

To ensure that new IT infrastructure is installed in an appropriate secure manner and when existing IT infrastructure undergoes a significant change.

For any new system providing access to the Trust’s or NHS data.

When there is a significant change to a system that could affect its security (e.g. change to authorisation/authentication mechanism, interface change, etc.).

5.3.2 All users of the Trust’s IT resources are personally responsible for ensuring that no actual or potential security breaches occur as a result of their actions.

5.3.3 Potential and actual information security breaches associated with the use of the Trust’s information and IT resources shall be reported and investigated in accordance with the Trust’s incident reporting procedures.

5.3.4 In instances where collection, preservation and protection of digital evidence is required for legal or disciplinary matters the IT Service Desk shall be contacted at the earliest opportunity.

5.4 Information Storage & Sharing

5.4.1 Sensitive Information shall:

Only be stored on Trust owned or controlled IT resources or authorised systems.

Not be intentionally placed on personal or privately owned computing and storage resources.

Only be sent outside of the Trust with the authorisation of an appropriate Trust representative.

5.4.2 Staff shall only share information that is appropriate, relevant and authorised. Information that is shared electronically shall only be shared using Trust approved systems and solutions.

5.4.3 Information shall only be shared via e-mail in accordance with the criteria and conditions detailed in the Trust’s E-Mail Usage Policy.


5.4.4 Portable and removable media shall only be used to share information where secure direct transfer methods are not available, and under the following conditions:

That it shall be in accordance with the requirements of the Trust’s Portable Computing & Mobile Working Policy and associated IT Guidelines.

That Sensitive Information is encrypted in accordance with NHS standards and guidelines.

That, if not being transported personally by an authorised representative of the Trust, it is sent by a Trust approved courier or special (registered) delivery, and confirmation of receipt by the intended recipient must be obtained by the sender.

5.5 Control & Management of IT Assets

5.5.1 All IT resources of the Trust (hardware, software, networks, systems or data) are the property of the Trust; they shall be recorded in appropriate asset registers and have a named information asset owner or system manager who shall be responsible for the control, management and security of that asset.

5.5.2 All IT resources of the Trust shall be securely and appropriately configured and managed in accordance with the complementary IT policies of the Trust and current IT Guidelines.

5.5.3 The networks of the Trust shall be protected through the implementation of a set of well balanced technical and non-technical measures that provide effective and cost-effective protection commensurate with assessed risk and vulnerabilities.

5.5.4 Unless approved otherwise by the SIRO, all systems procured for use by the Trust shall comply with the minimum requirements set out within current IT Guidelines and be assessed to identify potential security threats, vulnerabilities and risks that might be introduced by their implementation.

5.5.5 System security policies shall be developed by information asset owners and system managers for all core IT assets and key IT systems.

5.5.6 The use of legacy hardware and software (that is products for which the vendor no longer provides support) shall be minimised and, where unavoidable, plans shall be made to move to supported products as soon as possible. Where legacy products remain in operation the information asset owner or system manager shall regularly consult with the IT Department to agree timely controls to be implemented to minimise risks that may occur from continuing usage (including ongoing monitoring effectiveness of implemented controls).

5.5.7 IT equipment owned or controlled by the Trust, and equipment that has been used for the storage of Sensitive Information, shall only be removed from its premises (temporarily or permanently) with prior, appropriate authorisation/documented release. Equipment shall not be removed by a third party (e.g. the supplier, a repairer or disposal agent) until a signed confidentiality and transfer of responsibility agreement has been exchanged or the equipment has been appropriately sanitised to remove all data.

5.5.8 In instances where IT (including removable media) equipment is to be allocated to a different user, or where it is to be repurposed, the IT Service Desk shall be consulted to advise upon and carry out necessary clearing and sanitisation prior to reassignment.

5.5.9 At end of life, all IT equipment (including removable media) owned or controlled by the Trust shall be returned to the IT Department for erasure of data and secure disposal in accordance with NHS standards and guidelines.


5.5.10 The Trust takes seriously its duties and obligations to use software responsibly, lawfully and in compliance with licence terms and conditions. All software and systems used by the Trust shall be:

Properly licensed, and authorisation to use software and systems shall be dependent upon the availability of licences.

Used within the terms and conditions of the software licence.

Approved, tested, reliable and robust software that can be supported effectively by the IT Department or a suitably qualified reputable third party supplier.

Deployed or installed by the IT Department or their authorised representative.

5.5.11 All changes associated with the deployment of new services, systems, software and IT solutions shall be subject to and managed via formal and appropriately authorised change control procedures.

5.6 Access Control

5.6.1 Access to the Trust’s IT resources and systems shall be restricted to users who have a justified business need to access the information contained within and are authorised by the relevant information asset owner or system manager.

5.6.2 Access privileges, including enhanced and privileged rights, shall be based upon function of the job and not status of the user’s post. They shall be modified or removed as appropriate when a member of staff changes job or leaves employment of the Trust.

5.6.3 Identification, authentication and passwords shall be used to ensure access to the Trust’s systems, devices and information is controlled and restricted to authorised users only.

5.6.4 Users of the Trust’s IT resources shall comply with requirements and practices for using log-in accounts and passwords as detailed in the most current version of its safe working practices.

5.6.5 Access to and use of the Trust’s IT resources by anybody (persons, organisations, etc.) other than an employee of the Trust shall be suitably authorised and subject to prior written and signed agreement that such access shall be in accordance and compliance with Trust policies, procedures and practices.

5.6.6 Access to and use of the Trust’s information in public areas and outside of its premises shall be subject to the additional measures of authentication, protection and requirements as specified in the Trust’s Portable Computing & Mobile Working Policy and associated IT Guidelines.

5.6.7 Only authorised personnel who have a justified and approved business need shall be given access to restricted areas of the Trust’s buildings containing core and critical computer equipment. Staff entering and working in such areas shall at all times comply with the Trust’s current safe working practices associated with access to such areas.

5.6.8 Remote access by third party suppliers of systems and software for support and maintenance purposes shall be subject to prior written agreement (either as part of a contract or specific separate agreement), and commitment, to maintain confidentiality and integrity of the Trust’s information and data.


5.7 Systems, Database & Application Development, Management & Maintenance

5.7.1 Local database or application creation or development shall not be undertaken without prior consultation and agreement of the IT Department. Where agreement is given all database creation and development must align with the Trust’s wider IT strategy and comply with minimum standards for interoperability, data formats, capacity, auditing, performance and maintainability.

5.7.2 Specification of IT systems shall take into account the requirements and recommended practices detailed in the Trust’s IT Guidelines - Managing & Safely Using IT Resources.

5.7.3 In house application development shall comply with the standards and working practices detailed in the Trust’s IT Guidelines.

5.7.4 Changes to IT systems shall be documented and assessed for their impact upon other systems prior to the change taking place.

5.7.5 All new releases of software applications and application developments shall be assessed in appropriate test environments prior to their release and be subject to satisfactory functional, non-functional and end-user testing before being put into operational use.

5.7.6 Live Sensitive Information shall not be used for testing, training or demonstration purposes unless its use is expressly and appropriately authorised, or it is transformed so that identification of any individual is not possible.

5.7.7 Live and test data shall be separated. If data is to be moved between live and test environments its migration shall be strictly controlled and subject to formal change control procedures.

5.7.8 Each IT system shall have a suitably trained administrator and documented operational procedures in place together with appropriate maintenance arrangements.

5.8 Equipment Protection & Security

5.8.1 All IT hardware, software and systems purchased shall comply with standards as defined in IT Guidelines at the time of purchase.

5.8.2 IT equipment and systems not purchased by the IT Department shall not be connected to the Trust’s network until the IT Department has authorised such connection.

5.8.3 IT equipment shall be sited, where reasonably practicable, so as to reduce risk from environmental threat and unauthorised access. Where equipment is kept or installed in public areas of the Trust’s buildings it shall be positioned so as to reduce, as far as reasonably practicable, the risk of unauthorised access or casual viewing.

5.8.4 Environmental controls and monitoring systems that trigger alarms should problems occur shall be installed to protect the Trust’s core and critical computer equipment.

5.8.5 Access to areas housing the Trust’s core and critical computer equipment shall be restricted and kept secured at all times.

5.8.6 Reasonable and appropriate measures shall be taken to minimise the risk of theft of the Trust’s IT equipment including the secure anchoring of equipment in public places.


5.8.7 Portable equipment (including removable media) shall be subject to the additional measures of protection and requirements as specified in the Trust’s Portable Computing & Mobile Working Policy and associated IT Guidelines.

5.8.8 Where possible core and critical computer equipment of the Trust shall be connected to secured power supplies, using uninterruptible power supplies and generator backup services to ensure that it does not fail during failure of the mains supply or switchover between mains and generated supplies.

5.8.9 Uninterruptible power supplies shall be dimensioned to ensure that relevant equipment and key IT systems can be shut down by controlled processes in the event of continuing supply failure.

5.8.10 IT and communications cabling shall be protected from interception or damage (via physical fabric of the building or in conduit) and sited in accordance with relevant standards in relation to electrical and heating services.

5.9 Operational Management & Procedures

5.9.1 Core and key IT systems and services shall be backed up according to an appropriate schedule to ensure that business and operational functions of the Trust are not jeopardised and that data is retained for adequate intervals before being overwritten.

5.9.2 Backup media shall be:

Reputable and high-quality media and devices.

Clearly labelled and securely stored/located separate from the system location to protect against building loss.

5.9.3 Restoration processes shall be adequately documented to enable other (suitably qualified) staff to understand and employ them.

5.9.4 Backup data and restoration processes shall be regularly tested to ensure that they are effective.

5.9.5 Appropriate boundary protection controls and secure configuration techniques shall be used to ensure that:

IT systems, devices and software are successfully and securely configured and locked down.

Gateways are successfully and securely managed.

Networks are securely designed and effectively monitored and incidents are promptly responded to.

5.9.6 Appropriate cryptographic controls, that comply with NHS national standards and requirements, shall be used to ensure the integrity and confidentiality of communication, processing and storage of the Trust’s information.

5.9.7 To ensure that the risk of disruption is kept to an absolute minimum, all data residing on the Trust’s network or flowing to and from it shall be protected against viruses, malicious software, mobile code and cyber attack.

5.9.8 All IT equipment (including portable equipment and removable media) should be scanned for viruses and malware before being connected to other Trust equipment or its network.

5.9.9 IT equipment and systems infected with viruses or malware that protective measures have not been able to deal with shall be quarantined by the IT Department until they are virus free.


5.9.10 Operating systems, core and critical software, key applications and firmware shall be regularly updated with published security patches.

5.10 Business Continuity Planning

5.10.1 Business continuity and disaster recovery plans shall be put into place and regularly tested for all mission critical IT systems, applications and networks.

5.10.2 Where possible and practicable, IT systems shall be designed to include controls that check for data corruption that has resulted from processing errors or other possible deliberate acts.

6. DUTIES AND RESPONSIBILITIES

6.1 Senior Information Risk Officer (SIRO)

The SIRO is accountable for:

Information risk within the Trust, and advises the board on the effectiveness of information risk management across the organisation.

The Trust’s information risk assessment process and information management.

Overseeing adherence to this Policy to the satisfaction of the Trust.

Ensuring documentation and appropriate action is taken where non-compliance to this policy or a need for improvement is identified.

6.2 Caldicott Guardian

The Caldicott Guardian has responsibility for ensuring implementation of the Caldicott Principles & Data Security Standards and confidentiality and appropriate sharing of patient information throughout the Trust.

6.3 Data Protection & Data Quality Committee

The Data Protection & Data Quality Committee is responsible for ensuring that this policy is:

In accordance with information governance requirements.

Implemented and understood across the Trust.

6.4 Information Governance Manager

The Information Governance Manager has responsibility for ensuring that Information Governance standards are implemented effectively across the Trust, including:

The co-ordination, action planning and reporting of information security work and activity.

Maintaining the Trust’s information asset and data flow mapping registers and their regular review.

Ensuring that investigation into all data loss is completed.

6.5 Information Asset Owners & System Managers

Information asset owners and system managers are responsible for the protection, security and day-to-day management of designated assets/systems, including:

Development and enforcement of system security policies and appropriate operational and administration procedures.

The environments in which core and critical computer equipment are housed and information is processed or stored.

The control and level of access (including privileged and administration rights) granted to individual users of IT systems, networks and restricted areas housing core and critical computer equipment.

Regular information security risk and vulnerability assessment and submission of results and mitigation action plans to the SIRO.


The development and maintenance of necessary business continuity and disaster recovery plans and verification of their regular testing.

Appropriate reporting, investigation and necessary remedial/corrective action relating to incidents, security breaches and data loss associated with respective information assets.

6.6 Human Resources (HR) Department

The HR Department is responsible for:

Ensuring that information security requirements are addressed during recruitment and all contracts of employment contain appropriate confidentiality clauses.

Ensuring that information security responsibilities, duties and expectations are included within appropriate job descriptions, person specifications and HR policies and codes of conduct.

Ensuring that information governance and information security awareness training is included in the Trust’s staff induction process and annual mandatory training.

6.7 Head of IT

The Head of IT is responsible for:

Ensuring that the configuration and management of the Trust’s computers and networks is controlled through documented authorised policies and procedures based upon NHS and industry standards, best practice and recommendations.

Authorising IT resources to be used by the Trust.

Ensuring this policy is implemented and adhered to by IT Department staff.

6.8 The IT Department

The IT Department and its staff are responsible for ensuring the continuing availability of Trust IT resources and the security and integrity of data within its network. In addition to the other responsibilities and duties detailed in this policy, the IT Department will:

Ensure that all IT assets for which it is assigned responsibility are controlled by and subject to prescribed asset management procedures and processes.

Ensure that IT equipment purchased on behalf of the Trust is added to the asset register, security labelled, protected and stored safely.

Ensure IT equipment is appropriately configured for use and loaded with relevant licensed software.

Allocate and configure individual user accounts and ensure the associated user authentication of each authorised user of the Trust’s IT resources.

Provide and control external connections to the Trust’s network in accordance with NHS standards and requirements.

Ensure the removal of Sensitive Information and identity from the Trust’s IT equipment, its secure disposal and deletion from the asset register.

Perform routine tests of disaster recovery procedures for core and critical computer equipment and key IT systems of the Trust.

Ensure the provision of systems to monitor compliance with the Trust’s IT policies and its legal and statutory obligations.

Provide advice and guidance to users of the Trust’s IT resources.

6.9 Managers

Managers are responsible for ensuring that their permanent and temporary staff and contractors have read and understood this policy and, in addition to the other responsibilities and duties detailed in this policy, that:

Staff are instructed in their security responsibilities, work in compliance with this policy, related processes, guidelines and safe working practices.

Staff are appropriately trained in use of the Trust’s IT resources and systems.

Property registers in Electronic Staff Records (ESR) are kept up to date with IT equipment that has been assigned to staff.


Agreements are in place with suppliers and external contractors that ensure staff and sub-contractors comply with appropriate policies and procedures before access to Trust systems or use of its IT resources is permitted.

6.10 Staff

Every member of staff is personally responsible for ensuring that no breaches of computer security result from their actions and shall:

Comply with this policy, its related processes, guidelines and safe working practices.

Ensure that they are fully aware of the unacceptable uses of IT resources as outlined in this policy.

Understand their responsibilities to prevent theft, protect and maintain the confidentiality and integrity of the Trust’s information assets and data, and the security of the Trust’s networks.

Ensure operational security of the information and IT equipment and systems used.

Receive adequate training or guidance in the use of any IT equipment or systems provided by the Trust in relation to their own duties and responsibilities.

Comply with notifications that may be issued from time to time by the IT Department concerning any collective or individual action that must be undertaken in response to potential or actual information security threats.

Understand their responsibilities to accurately enter data into IT systems and take appropriate action to identify and report missing, lost and incorrect data.

Ensure that any incident that could potentially affect the security of information is reported in a timely manner.

6.11 Other Authorised Users of Trust IT Resources

Other authorised users of the Trust’s IT resources are personally responsible for ensuring that no breaches of computer security result from their actions and shall:

Comply with this policy, its related processes, guidance and safe working practices and other relevant Trust policies, procedures and standards.

Confirm such agreement in writing, via contract, memorandum of understanding or other mutually agreed mechanism.

7. PROCESSES

7.1 Assignment of User Accounts & IT Resources

7.1.1 Requests for user network accounts and IT equipment must be submitted by The Manager, or other Trust authorised representative to the IT Service Desk in accordance with its current service request processes and procedures.

7.1.2 The following types of request must be supported with appropriate authorisation of the information asset owner or system manager:

Accounts (and access changes to accounts) for IT systems. Requests for access to particular IT systems are subject to completion of necessary prior training.

Granting of enhanced or privileged access rights.

7.1.3 Requests for allocation of portable equipment or access to mobile working solutions must be submitted in accordance with the procedure detailed in the Portable Computing & Mobile Working Policy.

7.1.4 Requests for access to and use of IT resources by third parties (persons not employed by the Trust, and the remote access support requirements of suppliers) must be supported with prior appropriate written agreement authorised by an appropriate representative of the Trust.


7.1.5 The Manager shall ensure that the IT Department’s Service Desk is promptly notified of any changes:

To ownership or location of IT equipment.

Necessitated to a user’s access rights due to circumstantial change.

7.1.6 Requests will be processed by the IT Department in accordance with established procedures and published timescales.

7.2 Unacceptable Use of IT Resources

Effective information security primarily concerns people and their behaviour. It is facilitated by appropriate use of technology which, in turn, must be appropriately protected. The security of the Trust’s information, network and systems is everybody’s daily responsibility; you are fully liable if you disregard the rules set out in this policy. You must not:

Use Trust IT resources for personal purposes, except where specifically permitted, with the prior agreement of Your Manager and in accordance with relevant policies, safe working practices and NHS standards and guidelines.

Deliberately damage the Trust’s IT resources or information contained within, or attempt to make unauthorised modification of the same that might impair operation or prevent or hinder access to the programmes or data held on Trust equipment or systems.

Remove covers from any Trust IT equipment for any purpose, including changing or adding components, without prior authorisation of the IT Department.

Connect equipment (including removable media) to Trust IT equipment that is not approved or authorised by the IT Department, or that has not been scanned for viruses and malware by the Trust’s own virus and malware protection systems before connection.

Add or install equipment to the Trust’s networks without the prior authorisation of the IT Department.

Modify or disable the protection software on the Trust’s IT equipment (including anti-virus, web filtering, etc.) or prevent it from updating.

Download, install, or attempt to install or run, any software onto the Trust’s IT equipment without prior authorisation of the IT Department.

Permit others to use your Trust access credentials, even if they are an authorised Trust account holder.

Disclose your password to anyone, including management and IT Department staff.

Attempt to access IT systems or data to which you have no legitimate right or need.

Attempt to override or circumvent any security controls for ease of use or access.

Use IT systems which you are authorised to use for purposes for which you are not authorised or which are in breach of Trust’s policies, procedures and regulations or unlawful.


Attempt to introduce and transmit material (including but not limited to computer viruses, malware, malicious software and potentially unwanted applications) designed to be destructive to computer systems, or try to get around precautions in the Trust’s systems and network designed to prevent such material.

7.3 Safe Working Practices for Users & IT Staff

All users of Trust IT resources are required to comply with the most current version of IT Guidelines published by the IT Department.

IT staff shall also comply with the most current version of IT Guidelines in respect to the IT Department’s own implementation and compliance with this policy.

Any questions or queries relating to these practices should be addressed to the IT Service Desk.

7.4 Data Accuracy & Correction in IT Systems

The importance of data accuracy and integrity in safe and reliable use of the Trust’s IT systems cannot be over-emphasised. It is paramount that you understand your responsibility to enter data correctly and accurately into the Trust’s systems, and the potential consequential effects if you do not.

The key points to remember are:

Data accuracy is the direct responsibility of the person inputting the data, supported by their line manager.

Error correction should be done at the source of input as soon as it is detected. Correction is increasingly important as the Trust’s IT systems become more integrated, and risk of errors being transmitted between systems increases.

Any loss or corruption of data should be reported to the relevant system manager/administrator at once.

7.5 Action in case of Incident, Alert or Loss

7.5.1 In case of Theft or Loss of Equipment or Suspected Unauthorised Access

Users of IT resources must report instances of theft, loss or damage to The Manager at the earliest instance. The Manager shall evaluate reports on a case-by-case basis to determine whether the occurrence necessitates reporting via the Trust’s incident reporting procedure.

The Manager shall inform the IT Service Desk of instances of theft and loss to ensure that appropriate action is taken.

In instances where a user suspects that unauthorised use of the Trust’s IT equipment has occurred, or unauthorised access to the Trust’s IT network, systems or information may have been gained, they must report the occurrence of such incident to The Manager at the earliest instance.

The Manager shall evaluate reports on a case-by-case basis to determine whether the occurrence necessitates reporting via the Trust’s incident reporting procedure.

7.5.2 In case of Virus Alert or Malicious Activity on your Computer

If a virus or malicious activity is detected on your computer or device you must contact the IT Service Desk immediately.


Take a note of the alert message displayed and do not use the computer/device until the virus has been dealt with. If you have been using any removable media (e.g. CDs, DVDs, Blu-rays, memory sticks, etc.) ensure that these are handed to the IT Department for assessment.

7.5.3 In case of Suspected or Actual Information Security Breach or Data Loss

The following suspected or actual information security breaches and any data loss must be reported to the IT Service Desk at the earliest opportunity:

Password violations

User account sharing

Suspected data loss

Theft of IT equipment

Occurrences of any of the unacceptable uses defined in section 7.2 of this document

In instances where the IT Department believes that an information security breach may arise, or risk of loss of the Trust’s data exists, the IT Department is authorised to take necessary and appropriate steps to prevent unauthorised access, disclosure or data loss occurring. This may include suspension of user accounts, access to specific systems or services and quarantine of equipment.

7.6 Action in case of Inappropriate use of IT Resources

Failure to comply with the requirements of this policy or inappropriate use of IT systems, equipment and other resources is a serious matter and may result in an individual’s right to use Trust IT resources being withdrawn. In some cases it may result in disciplinary action, and in some circumstances it might lead to prosecution under law.

In accordance with the Trust’s disciplinary policies & procedures, line managers shall investigate failures to comply with the requirements of this policy and cases of inappropriate use of resources. Support from the IT Department may be obtained by contacting the IT Service Desk.

7.7 Cessation of User Accounts & Return of IT Equipment

The Manager or other Trust authorised representative shall ensure that all IT equipment is recovered from users leaving the Trust and that the Service Desk is promptly informed of user accounts that are no longer required.

Following receipt of such instruction the IT Department will disable the specified accounts, rendering them unusable but available for reactivation should the need occur.

Accounts will be retained in such condition for a period of six months after which they will be fully deleted. After this time recovery of information from such accounts will no longer be possible.

Surplus, redundant and obsolete IT equipment that has been used for the processing, storage or transportation of the Trust’s information must be returned to the IT Department at the earliest opportunity.


7.8 Retention of User Accounts during Periods of Absence

The Manager shall inform the IT Service Desk where long term absence of staff is expected and user accounts need to be temporarily suspended.

The IT Department shall fully delete any account for which activity has not been recorded, or a request to re-enable has not been received, after six months. After this time reinstatement of the account, or recovery of previous information from it, will no longer be possible.

7.9 Change Management Processes

All change to the Trust’s core and critical computer equipment and key IT systems must be managed consistently and systematically to ensure a sound and auditable change trail.

Documented change management processes, that enable timely, efficient and effective management of change through the entire lifecycle of equipment and systems, shall include:

The generation, progression and completion of change requests as the mechanism for managing change.

Appropriate technical and business impact assessment by a third party/body (e.g. a Change Manager, Change Advisory Board or Project Board) with the authorisation to accept or reject change requests.

Structured implementation of changes including appropriate points of sign-off, acceptance testing and back-out contingencies to be followed in the event of failure.

Post implementation recorded review noting successes/failures and lessons learnt.

8. TRAINING REQUIREMENTS

Members of staff are individually responsible for ensuring that they comply with Trust policies and procedures and complete induction and annual mandatory training which includes information governance and information security principles and practices.

Users of Trust IT resources must ensure that they are familiar with and follow IT Guidelines issued by the IT Department.

Specific questions relating to the use of IT resources for the Trust’s business and operation needs can be addressed to the IT Service Desk.


9. REFERENCES AND ASSOCIATED DOCUMENTATION

9.1 The Trust is obliged to abide by all relevant United Kingdom and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of the Trust, who may be held personally accountable for any breaches of information security for which they may be held responsible. The Trust shall comply with the following legislation and other legislation as appropriate:

The Data Protection Act 1998 www.legislation.gov.uk

Computer Misuse Act 1990 www.legislation.gov.uk

Common Law Duty of Confidentiality

Copyright, Designs and Patents Act 1988 www.legislation.gov.uk

Human Rights Act 1998 www.legislation.gov.uk

Privacy & Electronic Communications Regulations www.legislation.gov.uk

Regulation of Investigatory Powers Act 2000 www.legislation.gov.uk

Freedom of Information Act 2000 www.legislation.gov.uk

Health & Social Care (Safety & Quality) Act 2015 www.legislation.gov.uk

9.2 The Trust complies with all national NHS information security and governance requirements and aims to adopt other standards and recognised best practice it considers appropriate. This includes:

Information Governance Toolkit: NHS Digital www.igt.hscic.gov.uk

Information Security Management: NHS Code of Practice 2007: NHS Digital www.digital.nhs.uk

Cyber & Data Security Policy & Good Practice in Health & Care: NHS Digital www.digital.nhs.uk

ISO27001, Information Security Management: ISO www.iso.org

ISO27002, Code of Practice for Information Security Controls: ISO www.iso.org

IT Infrastructure Library V3: ITIL ® 2007 www.axelos.com

Projects in Controlled Environments: Prince 2® 2009 www.axelos.com

10. EQUALITY IMPACT STATEMENT

The Trust is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on any grounds.

This policy has been assessed accordingly.

Our values are the core of what the Trust is and what we cherish. They are beliefs that manifest in the behaviours our employees display in the workplace. Our values were developed after listening to our staff. They bring the Trust closer to its vision to be the best hospital, providing the best care by the best people and ensure that our patients are at the centre of all we do.


We are committed to promoting a culture founded on these values which form the ‘heart’ of our Trust:

Respect and dignity

Quality of care

Working together

Efficiency

This policy should be read and implemented with the Trust values in mind at all times.


11. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS

This document will be monitored to ensure it is effective and to assure compliance.

The table below lists, for each minimum requirement to be monitored: the Lead, the Tool, the Frequency of Report of Compliance, the Reporting arrangements, and the Lead(s) for acting on Recommendations.

Minimum requirement to be monitored: Appropriate confidentiality & security clauses are included in terms & conditions of employment
Lead: HR representative to the Data Protection & Data Quality Committee
Tool: Report to Data Protection & Data Quality Committee
Frequency of Report of Compliance: Annually
Reporting arrangements: Report to Data Protection & Data Quality Committee
Lead(s) for acting on Recommendations: To be assigned by Data Protection & Data Quality Committee

Minimum requirement to be monitored: IT assets are recorded in appropriate asset registers
Lead: Information Governance Manager & Information Security Management Assurance Lead
Tool: Report to Data Protection & Data Quality Committee
Frequency of Report of Compliance: Annually
Reporting arrangements: Report to Data Protection & Data Quality Committee
Lead(s) for acting on Recommendations: To be assigned by Data Protection & Data Quality Committee

Minimum requirement to be monitored: System Security Policies exist for core IT assets & key IT systems
Lead: Information Governance Manager & Information Security Management Assurance Lead
Tool: IG Toolkit compliance returns
Frequency of Report of Compliance: Annually
Reporting arrangements: Annual summary of position to Data Protection & Data Quality Committee
Lead(s) for acting on Recommendations: To be assigned by Data Protection & Data Quality Committee

Minimum requirement to be monitored: Risk assessments of core IT assets & key IT systems are regularly undertaken
Lead: Information Governance Manager & Information Security Management Assurance Lead
Tool: IG Toolkit compliance returns
Frequency of Report of Compliance: Annually
Reporting arrangements: Annual summary of position to Data Protection & Data Quality Committee
Lead(s) for acting on Recommendations: To be assigned by Data Protection & Data Quality Committee

Minimum requirement to be monitored: Adequate business continuity/disaster recovery plans exist for core IT assets & key IT systems that are regularly tested
Lead: Information Governance Manager & Information Security Management Assurance Lead
Tool: IG Toolkit compliance returns
Frequency of Report of Compliance: Annually
Reporting arrangements: Annual summary of position to Data Protection & Data Quality Committee
Lead(s) for acting on Recommendations: To be assigned by Data Protection & Data Quality Committee

Minimum requirement to be monitored: IT Guidelines for Managing & Safely Using IT Resources is regularly reviewed & updated
Lead: IT Department nominated responsible
Tool: Report to Data Protection & Data Quality Committee
Frequency of Report of Compliance: Annually
Reporting arrangements: Report to Data Protection & Data Quality Committee
Lead(s) for acting on Recommendations: Not applicable


EQUALITY IMPACT SCREENING TOOL

To be completed and attached to any procedural document when submitted to the appropriate committee for consideration and approval for service and policy changes/amendments.

Stage 1 - Screening

Title of Procedural Document: IT Security Policy

Date of Assessment: December 2017

Responsible Department: IT Department

Name of person completing assessment: Mark Futcher

Job Title: IT Business & Contracts Manager

Does the policy/function affect one group less or more favourably than another on the basis of :

Yes/No Comments

Age No

Disability (learning disability; physical disability; sensory impairment and/or mental health problems, e.g. dementia) No

Ethnic Origin (including gypsies and travellers) No

Gender reassignment No

Pregnancy or Maternity No

Race No

Sex No

Religion and Belief No

Sexual Orientation No

If the answer to all of the above questions is NO, the EIA is complete. If YES, a full impact assessment is required: go on to stage 2, page 2

More information can be found by following the link below:

www.legislation.gov.uk/ukpga/2010/15/contents


Stage 2 – Full Impact Assessment

Columns: What is the impact; Level of Impact; Mitigating Actions (what needs to be done to minimise / remove the impact); Responsible Officer; Monitoring of Actions

The monitoring of actions to mitigate any impact will be undertaken at the appropriate level

Specialty Procedural Document: Specialty Governance Committee

Clinical Service Centre Procedural Document: Clinical Service Centre Governance Committee

Corporate Procedural Document: Relevant Corporate Committee

All actions will be further monitored as part of reporting schedule to the Equality and Diversity Committee
