Information Security Policy

Shropshire Community Health Service NHS Trust
Policies, Procedures, Guidelines and Protocols

Document Details
- Title: Information Security Policy
- Trust Ref No: N/A
- Main points the document covers: This document details the security arrangements for information, including information held in electronic systems
- Who the document is aimed at: All Staff
- Author: Andrew Crookes
- Approved by (Committee/Director): Information Governance Committee
- Approval Date: 09 July 2013
- Initial Equality Impact Screening: Yes
- Full Equality Impact Assessment: No
- Lead Director: Trish Donovan
- Category: General
- Sub Category: Information Governance
- Review date: 30 June 2015
- Who the policy will be distributed to: All staff
- Distribution method: By Information Governance training and publication on the Trust Intranet
- Required by CQC: Yes
- Required by NHSLA: No
- Other: None

Amendments History
- Amendment 1, 30 June 2013: Updates in terminology to reflect the Health and Social Care Act 2012 and updates to information security processes

Contents

- Introduction
- Information Governance Statement of Principles
- Scope and Purpose of the Information Security Policy
  - Policy Coverage
  - Related Policy and Codes of Conduct
  - Overall Structure and Responsibilities
  - Legal and Regulatory Framework
  - Legal Acts
  - NHS Regulatory Framework
  - Information Security Infrastructure
  - Allocation of Information Security Responsibilities
  - Authorisation Process for Information Assets
  - Co-Operation between Organisations
  - Security of Third Party Access
  - Identification of Risks from Third Party Access
  - Governance Requirements in Third Party Contracts
  - Outsourcing
  - Governance Requirements in Outsourcing Contracts
- Asset Classification and Control
  - Accountability for Assets
  - Inventory of Assets
  - Information Classification
  - Classification Guidelines
  - Information Retention and Disposal
- Security Responsibilities for Individuals
  - Information Security in Job Descriptions and Person Specifications
  - Including Information Security in Job Descriptions
  - Human Resources Screening and Policy
  - Confidentiality Agreements
  - Terms and Conditions of Employment
  - User Training
  - Information Governance Education and Training
  - Responding to Incidents and Malfunctions
  - Reporting Incidents
  - Reporting Weaknesses
  - Reporting Software Malfunctions
  - Learning from Incidents
  - Preliminary Incident Assessment
  - Disciplinary Process and Removal of Access Rights
- Physical and Environmental Security
  - Controlled/Secure Areas
  - Physical Security Perimeter
  - Physical Entry Controls
  - Securing Offices, Rooms and Facilities
  - Working in Controlled/Secure Areas
  - Equipment Security
  - Protection and Siting of Equipment
  - Power Supply
  - Cabling Security
  - Equipment Maintenance
  - Security of Equipment Off-Site
  - Special Considerations for Leased/Hired Equipment
  - Secure Disposal or Re-Use of Equipment
  - General Controls
  - Clear Desk/Area and Clear Screen Guidance
  - Removal of Property
  - Handling and Secure Storage of Digital Evidence
  - Specific Considerations in Relation to Uncontrolled/Unsecured Areas
- Communications and Operations Management
  - Operational Guidelines and Responsibilities
  - Documented Operating Procedures
  - Operational Change Control
  - Incident Management Procedures
  - Segregation of Duties
  - Separation of Development and Operational Facilities
  - External Facilities Management
  - System Planning and Acceptance
  - Capacity Planning
  - System Acceptance
  - Protection Against Malicious Software
  - Controls Against Malicious Software
  - Back-up Strategy
  - Information Back-up
  - Operator Logs
  - Network Management
  - Network Controls
  - Handling and Governance of Media
  - Management of Media
  - Disposal of Media
  - Secure Disposal of Digital Printers and other Multi Function Devices
  - Information Handling Procedures
  - Security of System Documentation
  - Exchanges of Information and Software
  - Information Exchange Agreements
  - Security of Media in Transit
  - Electronic Commerce Security
  - Security of Electronic Mail
  - Security of Electronic Office Systems
  - Publicly Available Systems
  - Other Forms of Information Exchange
- Access Control
  - Business Requirement for Access Control
  - Access Control Policy
  - System access control policy statements
  - Exceptional Access to Restricted Data
  - User Access Management
  - User Registration
  - Privilege Management
  - User Password Management
  - Review of User Access Rights
  - User Responsibilities
  - Password Use
  - Unattended User Equipment
  - Network Access Control
  - Use of Network Services
  - Enforced Path
  - User Authentication for External Connections
  - Remote Diagnostic Port Protection
  - Segregation in Networks
  - Network Routing Control
  - Documentation of Security of Network Services
  - Operating System Access Control
  - Automatic Terminal Identification
  - Log-On Procedures
  - User Identification and Authentication
  - Password Management
  - Use of System Utilities
  - Duress Alarm to Safeguard Users
  - Device Time-Out
  - Limitation of Connection Time
  - Application Access Control
  - Information Access Restriction
  - Sensitive System Isolation
  - Monitoring System Access and Use
  - Event Logging/Audit Trails
  - Monitoring System Use
  - Clock Synchronisation
  - Mobile and Home Working
- Systems Development and Maintenance
  - Information Governance Requirements of Systems
  - Governance Requirements Analysis and Specification
  - Governance in Information Systems, Paper Records and Processes
  - Input Data Validation/Paper Record Creation
  - Control of Internal Processing
  - Data Item (including message) Authentication
  - Cryptographic Controls (Including Encryption)
  - Policy on Use of Cryptographic Controls
  - Encryption
  - Security of System Files
  - Control of Operational Software
  - Protection of System Test Data
  - Access Control to Program Source Library
  - Information Governance in Development and Support Processes
  - Change Control Policy
  - Technical Review of Operating System Changes
  - Restrictions on Changes to Software
  - Covert Channels and Trojan Code (back-door methods)
- Business Continuity
  - Aspects of Business Continuity Management
  - Business Continuity Management Process
  - Business Continuity and Impact Analysis
  - Writing and Implementing Continuity Plans
  - Business Continuity Planning Framework
  - Continuity Plan Testing
- Related Documents
- Dissemination
- Advice and Training
- Compliance
  - Compliance with Legal Requirements and Regulation Framework
  - Identification of Applicable Legislation/Regulations
  - Intellectual Property Rights (IPR)
  - Safeguarding of Organisational Records
  - Data Protection and Privacy/Confidentiality of Personal Information
  - Prevention of Misuse of Information Processing Facilities
  - Regulation of Cryptographic Controls
  - Collection of Paper Evidence
  - Collection of Digital Evidence (Forensic Readiness)
  - Review of Information Security Policy
  - Technical Compliance
  - Compliance with Information Governance Procedures
  - Technical Compliance Checking
  - System Audit Considerations
  - System Audit Controls
  - Access to System Audit Tools
  - Access to Restricted Information
- Appendix A - Acceptable Use
  - Overview
  - Purpose
  - Scope
  - Definitions
  - General Principles for Using Information
  - General Misuse
  - Security of IT and Information Systems
  - Becoming an Authorised User
  - User Accounts, Smartcards and Security of Files
  - Confidentiality
  - User Privacy and Monitoring of Activity
  - Virus Protection
  - Data Quality
  - Ensuring Accuracy
  - Personal Use of IT Systems
  - Use of IT and Information Systems
  - Copyright
  - Backups
  - Dormant Accounts
  - Leaving Employment
  - Network, Telephone and Internet Connections
  - Taking Information and IT Equipment off-site
  - Installing and Configuring Software
  - Licensing
  - Procurement of IT Equipment
  - Donated Equipment
  - Moving or Disposing of IT Equipment
  - Legislation
  - Disciplinary Guideline
  - IM&T Security Incidents
  - IM&T User Queries
  - Appendix A1: Reporting Stolen IT Equipment
  - Appendix A2: Authorised User Form
- Appendix B: E-mail
  - Overview
  - Purpose
  - Scope
  - Definitions
  - Responsibilities of the User
  - What the User Should Do
  - What the User Must Not Do
  - User Conduct
  - Appropriate/Non Appropriate Usage
  - Usernames/Passwords and Device Security
  - Notice Boards/Public Folders
  - Attachments
  - Responsibilities of the Organisation
  - Access to Systems
  - Monitoring of E-mails
  - Virus Control
  - Access Control Management
  - What the Organisation Will Do
  - What the Organisation Will Not Do
  - Disclaimer
  - Legal Admissibility
  - Guidance on Using E-mail
  - General Guidance and Good Practice
  - Responding to Patient Correspondence
  - Third Party Access to Users' Mailboxes
  - Storage and Retention of E-mail
  - Team/Group Addresses
- Appendix C: Internet
  - Overview
  - Purpose
  - Scope
  - Definitions
  - Responsibilities of the User
  - What the User Can Do
  - What the User Must Not Do
  - User Conduct
  - User Related Overview Statements
  - Appropriate/Non Appropriate Usage
  - Usernames/Passwords and PC/Laptop Security
  - Downloading Documents and Files
  - Responsibilities of the Organisation
  - Access to Systems
  - Monitoring of Internet Usage
  - Virus Control
  - Access Control Management
  - What the Organisation Will Do
  - What the Organisation Will Not Do
  - Legal Admissibility
- Appendix D: Mobile and Home Working
  - Overview
  - Purpose
  - Scope
  - Authorisation Process for Mobile and Home Working
  - Definitions
  - Responsibilities of the User
  - What the User Must Do
  - What the User Must Not Do
  - Physical Security and Access Control
  - Usage in Any Public Access Area
  - Usage in Areas not Generally Accessible to the Public (including Other Organisational Premises)
  - Usage at Home
  - Organisationally Supplied Equipment
  - Personally Owned IT Equipment
  - Tele-Working
  - Access Control
  - Authorisation to Access/Remove Data/Information Files
  - Sending PID / PCD by E-mail to and from Home
  - Transport of Equipment, Files and Paper Documents
  - Disposal of IM&T Equipment/Media (electronic and paper)
  - Disaster Recovery/Major Incident Planning
  - Changes to Employment
  - Change of Duties/Post
  - Termination of Employment
  - Legal Liability
  - Appendix D1: Authorisation Form for Mobile and Home Working
  - Appendix D2: Virtual Private Network (VPN) Tokens
- Appendix E: Registration Authority
  - Overview
- Appendix F: Safe Haven
  - Overview
  - Purpose
  - Definition
  - Management Arrangements
  - Receipt of Information
  - Physical Location
  - Managing the Information
  - Procedures for Handling Information
  - Disclosure of Information
  - Storage of Paper Information
  - IT Systems
  - Archiving and Destruction of Information
- Appendix G: The Care Record Guarantee
  - Introduction
  - Our Twelve Commitments to You
  - Six Things That You Can Do in Return
  - The Summary Care Record
  - How do we make sure your electronic care record stays secure and confidential?
  - For Parents and Young People
  - How do we make sure your electronic care record stays secure and confidential?
  - How to Complain
- Appendix H: Data Security
  - Overview
  - Purpose
  - Scope
  - Definitions
  - Responsibilities of the User
  - Responsibilities of the Organisation
  - Appendix H-1: Encryption
  - Appendix H-2: Guidance to Staff on Use of USB Storage Devices
    - Logging in and Using the USB Storage Device (Memory Stick)
    - Logging Off
    - Changing the Memory Stick Password
    - Important Notes on the Usage of USB Storage Devices
  - Appendix H-3: Advice for Users on Laptop Encryption
    - Logging into a Laptop with SafeBoot Installed
    - Initial Password
    - Changing your SafeBoot Password
    - Forgotten Passwords
    - Backup Advice
    - Laptop Recovery
    - USB Storage Devices (Configuration)
    - PC Encryption
  - Appendix H-4: Media Encryption
    - Instructions for Downloading 7-ZIP
    - Instructions for Using 7-ZIP to Encrypt PID / PCD
    - User Responsibilities
    - Additional Advice
    - Known Issue
  - Appendix H-5: Use of Non-encrypted Electronic Devices
    - Introduction
    - Guidelines that must be followed
- Appendix I: Terminology

1 Introduction

This policy forms part of the Organisation's Information Governance Strategy and sets out minimum standards, guidance and procedures for ensuring the confidentiality, integrity and availability of Information and Information Management and Technology (IM&T) assets. This policy relates to the overlapping areas of Data Protection, Data Quality, Confidentiality, Information Sharing, Freedom of Information, Information Risk Management, IT Security, Information Security and Records Management. It addresses requirements of the Information Governance Toolkit.

Throughout this document the term Organisation refers to Shropshire Community Health NHS Trust and any successor Organisation(s).

2 Information Governance Statement of Principles

- Information will be classified and, where appropriate, kept confidential.
- Integrity of information will be developed, monitored and maintained, to ensure that it is of sufficient quality for use within the purposes for which it was collected.
- Availability of information for operational purposes will be maintained within set parameters relating to its importance, via appropriate guidelines and computer system resilience.
- Compliance with legal and regulatory requirements will be achieved, monitored and maintained.
- Awareness and understanding of all staff with regard to their responsibilities should be routinely assessed and appropriate education and awareness provided.
- Risk assessment should be undertaken in conjunction with the overall planning of the Organisation's activities to determine that appropriate, effective and affordable information governance controls are in place.

3 Scope and Purpose of the Information Security Policy

3.1 Policy Coverage

This policy covers all aspects of information within the Organisation, including (but not limited to):
- Patient/Client/Service User information
- Staff related information
- Organisational information

This policy covers all aspects of information handling and processing, including (but not limited to):
- Structured record systems (paper and electronic)
- Transmission of information (fax, e-mail, post and telephone)

This policy covers all information systems purchased, developed, managed or utilised by the Organisation, and any individual (whether directly employed by the Organisation or otherwise) accessing information owned entirely or partially by the Organisation.

3.2 Related Policy and Codes of Conduct

In setting out standards relating to Information Governance a number of controls are specified relating to:
- Job responsibilities
- Applicant screening
- Terms and conditions of employment
- Disciplinary action
- Physical environments
- Professional Codes of Conduct
- Research and Ethics

These controls must be integrated with the related Human Resources, Estates and Facilities and Records Management Policies, and with Professional and Organisational Codes of Conduct.

3.3 Overall Structure and Responsibilities

Document hierarchy:
- Information Governance Strategy
- Information Security Policy: the overall framework for security, integrity, availability and confidentiality of Information. The IS policy sets the high level direction and required standard across the Organisation.
- Associated Overviews: where necessary the policy is supported by associated Overviews, in which the required controls are explained in detail.
- Local adoption of policy and associated Overviews.

Roles:
- Chief Executive (overall responsibility for Information Governance)
- Director of Finance, Informatics and Performance Management (Information Governance Lead / Data Protection Co-ordinator / Senior Information Risk Owner)
- Information Services Programme Manager (Information Security Officer)
- Information Project Manager (Information Governance and Deputy for Data Protection Co-ordinator)
- IT Services Manager (IT Security)
- Caldicott Guardian
- Records Manager

3.4 Legal and Regulatory Framework

This policy is set out to comply with the following legal acts and the NHS regulatory framework.

3.5 Legal Acts

Provisions of a number of items of legislation affecting the stewardship and control of information bind the Organisation. The main relevant legislation is:
- Data Protection Act 1998 (and subsequent Special Information Notices)
- Human Rights Act 1998
- The Freedom of Information Act 2000
- Access to Health Records Act 1990 (where not superseded by the Data Protection Act 1998)
- Computer Misuse Act 1990
- Copyright, Designs and Patents Act 1988 (as amended by the Copyright (Computer Programs) Regulations 1992)
- Crime & Disorder Act 1998
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000 (and Lawful Business Practice Regulations 2001)
- Communications Act 2003

This policy describes the way in which information should be managed and, in particular, the way in which personal or sensitive information should be protected. In addition to the above, other legislation can affect the way in which we should use, process and transmit information. This includes, but is not limited to:
- Public Interest Disclosure Act 1998
- Audit & Internal Control Act 1987
- NHS Sexually Transmitted Disease Regulations 2000
- National Health Service Act 1977
- Health and Social Care Act 2008
- Health and Social Care Act 2012
- Human Fertilisation and Embryology Act 1990
- Abortion Regulations 1991
- Prevention of Terrorism (Temporary Provisions) Act 1989 and Terrorism Act 2000
- Civil Contingencies Act 2004
- Road Traffic Act 1988
- Regulations under the Health and Safety at Work Act 1974
- Environmental Protection Act 1990, Landfill Regulations 2002 and WEEE Directive 2003
- Telecommunications Act 1984 and Telecommunications (Fraud) Act 1997
- CCTV Code of Practice (relates to the Data Protection Act 1998)
- Mental Capacity Act

3.6 NHS Regulatory Framework

The NHS has issued guidance under Information Governance initiatives relating to Information Security. This is a developing area, and changes will be required as new processes emerge. Current initiatives are:
- Caldicott
- ISO (BS 7799) British Standard for Information Security Management, mandated for the NHS in 2001
- Healthcare Standards and Data Accreditation
- PRIMIS+
- Clinical Negligence Scheme for Trusts (CNST)
- NHS Code of Confidentiality
- Using Mobile Phones in NHS Hospitals (DoH), 04 May 2007
- UK Strategy for Information Assurance (Cabinet Office)
- NHS Strategy for Information Assurance (DoH), 2008
- NHS Information Risk Management (NHS Connecting for Health), January 2009
- Information Security Management: NHS Code of Practice (DoH), April 2007

3.7 Information Security Infrastructure

3.8 Allocation of Information Security Responsibilities

Ownership of Information Assets - Each identified asset will have an appointed owner who is ultimately responsible for the security of the information asset. In the case of systems this will be a senior figure within the Organisation. Where there is no obvious owner the role will default to the Caldicott Guardian of the Organisation. Ownership of a system may be vested in a management forum where the strategic development of that system or Organisation facility is decided. System owners will be responsible for determining the access policy for the system or area, in conjunction with advice from system management and information governance.

System Management - Each system should have an identified manager. The role of the system manager is to implement the system related processes that govern:
- Management of access to the system
- Audit of user activity
- System data validation processes (input, internal processing, output and backup)
- Supplier support (where applicable)

Caldicott Guardian Role - This role is responsible for establishing and maintaining Guidelines governing access to, and the use of, patient-identifiable data held or processed within systems or networks which are the responsibility of the Organisation, and the transfer of such data from the Organisation to other bodies. The Caldicott Guardian also agrees local Guidelines and protocols to ensure consistency with any relevant central requirements and guidance.

Data Protection Co-ordinator Role - This role is to ensure that the Organisation complies with Data Protection legislation and carries out its business in accordance with its Data Protection Registration.

Information Security Role - The main features of this role are to facilitate advice and support to the Organisation, whilst leading on audit and improvement plans relating generally to information governance. The role is responsible for co-ordinating activity across the Organisation to ensure that policy and process around the information assets achieve the required level of security and compliance with legal frameworks. This includes acting as deputy to the nominated Data Protection Co-ordinator, as well as activity that is Organisation wide and not specific to systems or areas.

Physical Security - Responsibility for providing advice on the physical security of information assets will lie with the Informatics Department, the Estates/Facilities Department and/or other relevant departments.

Line Management/Personnel Governance Elements - Organisation Line Managers will be responsible for ensuring that appropriate activities (training/user management) are facilitated for their staff and that compliance with the Information Security Policy and associated Overviews is supported.

3.9 Authorisation Process for Information Assets

Information is an extremely valuable asset, the loss of or lack of control over which can cause operational difficulties. The Organisation needs to know what information is collected, used and shared, so that Organisational responsibilities can be maintained.

New Systems - Any requirement for a new system, regardless of size and cost, will be put through the process for authorisation. Authorisation will be formally sought from the IM&T Steering Group(s) and, if required (e.g. major procurement), the Board, and will be aligned with the NHS Connecting for Health and/or successor organisations' (HSCIC, NHSE etc.) local implementation programme or successor programmes if appropriate.

Significant New Function (of existing system) - It is important to draw a distinction between new functions and changes to existing functions. Both will have an impact on information; however, changes to existing functions are covered by the policy controls and processes associated with change control. Significant new functionality will be initiated by:
- User forum/senior management requirement, aligned with the NHS Connecting for Health and/or successor organisations' (HSCIC, NHSE etc.) local implementation programme or successor programmes if appropriate
- National strategic requirement
- Local requirements

Following this initiation the request will be put through the same authorisation process. The authorisation process will include:
- Identification of new sources of information and data items
- Identification of new purposes
- Identification of new disclosures
- Identification of risks to the confidentiality, integrity and availability of information (to include technical specification for resilience and hardware/software compatibility)
- User representation sign-off (group, or senior User)
- IM&T Steering Group sign-off (and if required Board approval), including alignment with the NHS Connecting for Health and/or successor organisations' (HSCIC, NHSE etc.) local implementation programme if appropriate

The post authorisation process should see new assets included in the appropriate registers.

The Organisation is a partner in a joint Information Governance Group that provides specialist advice, in conjunction with the Organisation's Caldicott Guardian.

3.10 Co-Operation between Organisations

Incident Management - The information security infrastructure includes appropriate contacts in partner Organisations:
- Counter Fraud Team
- Department of Health
- Health and Social Care Information Centre
- NHS Connecting for Health
- NHS England

Collaborative Working - Staff involved in the security of information should actively participate in collaborative developments within the Local Health Economy.

Information Sharing Protocol - The Organisation will, where there is a defined purpose that is beneficial and justifiable, sign up to information sharing agreements with partner Organisations, provided these agreements are set out within the boundaries of applicable legislation and regulation and do not compromise the Organisation or the confidentiality of the personal/sensitive data that it holds.

3.11 Security of Third Party Access

Objective: To maintain the security of Organisation information processing facilities and information assets when accessed by third parties.

3.12 Identification of Risks from Third Party Access

Risks vary depending on the type of access required. Physical on-site access has different risks from off-site networked access. Risks from third party access are in effect the same as the risks for any User; however, the nature of third parties removes the direct control over individuals that is present in a formal first party employment arrangement. Following identification of risks, controls will be applied via contractual arrangements as below.

3.13 Governance Requirements in Third Party Contracts

Contractual arrangements with third parties will include agreement on the classification of information, the need for confidentiality control and how this will be applied. Where confidential information is to be (or could be) accessed, the Organisation will require any supplier to have formal contractual confidentiality clauses with all employees accessing such data. Two standard areas for inclusion are:
- System Access Authorisation - Will be via the same process as any other User, but will identify the individual as a third party.
- Off-site Access - Network access for suppliers or partner Organisations will be via an approved code of connection (adhering to the N3/NHS HSCIC Statement of Compliance). It is permissible for access to a system to be provided in a third party facility by extension of the Organisation's network, provided the Organisation's network and the recipient's own networks are kept separate.

Other items that should be considered for inclusion:
- Methods for assessing whether information assets have been compromised.
- Controls over return/destruction of information.
- Agreement on acceptable levels of data integrity and availability.
- Liabilities of the parties to the agreement.

- Legal responsibilities (Data Protection, Intellectual Property etc.).
- The right to revoke the agreement, or access by any party, in particular circumstances.
- Protection against malicious software.
- Arrangements for reporting and investigating potential breaches, including full audit trails.
- Involvement of additional subcontractors.
- Authorisation and authentication processes for Users.

3.14 Outsourcing

Objective: To maintain the security of information when the responsibility for information processing has been outsourced to another Organisation. Arrangements must address the risks and required security controls in the contract between the parties.

3.15 Governance Requirements in Outsourcing Contracts

It is important to draw a distinction between third party supplied/supported software and outsourcing arrangements. Outsourcing is when a third party is paid to deliver a complete service (or an element of a larger service). The main areas of responsibility (including legal compliance requirements) that must be included in any third party service level agreement/contract are:
- Availability of service, usually specifying a percentage of availability within operational parameters, e.g. 99% availability Monday-Friday 09:00-17:00
- Support arrangements, including severity, urgency, response and fix times
- Maintenance arrangements, including upgrades and licensing
- Data integrity (quality checks) and data migration
- Confidentiality and security (access control and secure logon)
- Provision of audit facilities (full audit trails)
- Training (if appropriate)
- Disaster Recovery and back-up facilities
- Respective responsibilities (legal and contractual requirements), including revocation
- Use of subcontractors and interdependencies
- Project Management (project planning and consultancy)
- Costs

4 Asset Classification and Control

4.1 Accountability for Assets

Objective: To maintain appropriate protection for Organisational assets. All major assets are to have identified owners and maintenance responsibilities assigned. Responsibility can be delegated but accountability remains with the asset owner.

4.2 Inventory of Assets

It is impossible to implement the required controls completely across the Organisation without an inventory of assets.

Information and Software Assets - Systems, databases, files, associated documentation (training manuals, Guidelines etc.). Each owner is accountable for implementation and maintenance of information assets relating to their system or area. This may be delegated to system management staff.

Hardware Assets - These are physical assets, e.g. computer equipment, communications equipment etc. Where ownership of an item resides with the Organisation, the IT Division will be responsible for implementing and maintaining an asset register. Individual departments are responsible for keeping a departmental asset register for the use of their service. This register should contain at least the following details for each asset:
- Tag or ID number
- Make
- Model
- Serial number
- Date purchased
- Cost
- Description of asset (e.g. printer, laptop)
- Date of disposal
- Location
- Nominated owner/user

Ideally, as part of IT operational policy, purchase and supply of equipment should be handled through a centralised process. Departments purchasing their own equipment must notify the IT Division before deployment.

4.3 Information Classification

Objective: To ensure that information assets receive an appropriate level of protection, each significant asset will be classified in order to produce clarity in the need for controls when handling the asset.
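The two registers that 4.2 calls for (the IT Division's and each department's) only deliver a control if someone compares them. The following is an added example and is not part of the Trust's policy or any Trust system: it reconciles a department's register against the central register on the fields listed in 4.2, flagging equipment deployed without the IT Division being notified, entries with no tag or no nominated owner, and disagreements about location or disposal. The column names and the sample rows are constructed for illustration, and the central register is assumed to have already been filtered to the department under review.

```python
import csv
import io

# Column names follow the register contents listed in 4.2; the names
# themselves are an assumption of this example, not the Trust's schema.
REQUIRED_FIELDS = (
    "tag", "make", "model", "serial", "date_purchased", "cost",
    "description", "date_of_disposal", "location", "owner",
)

# Constructed sample: the central register kept by the IT Division,
# filtered to the department being reviewed.
CENTRAL_CSV = """\
tag,make,model,serial,date_purchased,cost,description,date_of_disposal,location,owner
IT-0001,Dell,Latitude,SN-A1,2013-01-15,899.00,laptop,,Ward 3,A. Nurse
IT-0002,HP,LaserJet,SN-B2,2012-06-01,250.00,printer,,Records Office,Records Team
IT-0003,Lenovo,ThinkPad,SN-C3,2012-09-20,950.00,laptop,2013-05-01,Disposed,IT Division
"""

# Constructed sample: the department's own register. The laptop has moved
# without the central record being updated, and a tablet was bought locally
# and deployed without the IT Division being told (no tag, no owner).
DEPT_CSV = """\
tag,make,model,serial,date_purchased,cost,description,date_of_disposal,location,owner
IT-0001,Dell,Latitude,SN-A1,2013-01-15,899.00,laptop,,Community Clinic,A. Nurse
IT-0002,HP,LaserJet,SN-B2,2012-06-01,250.00,printer,,Records Office,Records Team
,Apple,iPad,SN-D4,2013-03-10,399.00,tablet,,Community Clinic,
"""


def load_register(text):
    """Parse a register and reject it if any mandated column is missing."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    missing = [f for f in REQUIRED_FIELDS if f not in (reader.fieldnames or ())]
    if missing:
        raise ValueError("register lacks required fields: " + ", ".join(missing))
    return rows


def reconcile(central, dept):
    """Return sorted (finding, serial) pairs for a department's register.

    The serial number is the join key because a locally bought item may
    not have been tagged yet, which is itself one of the findings.
    """
    central_by_serial = {r["serial"]: r for r in central}
    findings = []

    for row in dept:
        serial = row["serial"]
        if not row["tag"]:
            findings.append(("untagged", serial))
        if not row["owner"]:
            findings.append(("no_owner", serial))
        match = central_by_serial.get(serial)
        if match is None:
            # Deployed without the IT Division being notified (4.2).
            findings.append(("not_in_central", serial))
            continue
        for field in ("location", "owner", "date_of_disposal"):
            if match[field] != row[field]:
                findings.append((field + "_mismatch", serial))

    dept_serials = {r["serial"] for r in dept}
    for serial, row in central_by_serial.items():
        # Centrally recorded and not disposed of, yet unknown to the department.
        if serial not in dept_serials and not row["date_of_disposal"]:
            findings.append(("not_in_dept", serial))

    return sorted(findings)


def run_example():
    """Reconcile the two constructed sample registers."""
    return reconcile(load_register(CENTRAL_CSV), load_register(DEPT_CSV))


if __name__ == "__main__":
    for finding, serial in run_example():
        print(finding, serial)
```

Against the sample data the disposed laptop (SN-C3) is correctly not reported, the moved laptop (SN-A1) produces a location mismatch, and the locally bought tablet (SN-D4) produces three findings: it is untagged, has no nominated owner, and is absent from the central register.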

4.4 Classification Guidelines

The NHS has not historically classified information. Therefore this policy is set at a basic level to introduce the concepts. Information will be classified in one of two categories:
- Personally Identifiable Data / Personal Confidential Data - Structured filing systems (electronic or paper) containing individually identifiable information are subject to the terms of the Data Protection Act 1998 and afforded a degree of legal protection in their handling.
- Public Information - Information that does not contain data on individuals and is not covered by an exemption under the Freedom of Information Act will be considered to be in the public domain. This information will be contained within publication schemes and/or made freely available.

Responsibility for placing an information asset into one of these categories remains with the originator or owner. By default any information identifying an individual falls into the Personally Identifiable Data / Personal Confidential Data category. If the owner or originator of information is unclear about the appropriate classification, they must contact the Caldicott Guardian.

4.5 Information Retention and Disposal

All retention and disposal of information will operate within the good practice guidelines of Records Management: NHS Code of Practice Parts 1 (2006) and 2 (2009) and the Organisation's Records Management Policy. Reference should also be made, where appropriate, to Secure Disposal or Re-Use of Equipment and 7.18 Handling and Governance of Media.

5 Security Responsibilities for Individuals

5.1 Information Security in Job Descriptions and Person Specifications

Objective: To reduce the risks of human error, theft, fraud or misuse of facilities.

Responsibilities will be addressed during recruitment, included in contracts and monitored during an individual's employment.

5.2 Including Information Security in Job Descriptions

All staff handling information (of any sort) within the Organisation will have their responsibilities outlined within their job descriptions. Where the job description is not explicit, all managers should make clear to their staff the level of responsibility that they have for the information that they handle.

5.3 Human Resources Screening and Policy

As part of separate, but linked, Human Resources policies, the Organisation has implemented all of the following:
- Validating references for new employees
- Validation of claimed academic and professional qualifications
- Pre-employment checks

As reliance on information is key to the efficient and safe running of the Organisation, there is a need to be as sure as possible about the identity, character and qualifications of employees (including temporary staff).

5.4 Confidentiality Agreements

As part of the employee's terms and conditions of employment, there will be an agreement to maintain the confidentiality of information. This links with the Organisation's Confidentiality Code of Practice. Agreement to maintain confidentiality will also form part of the Acceptable Use Overview (see 15.9 Confidentiality).

Anyone not covered by an employment contract will be required to sign a confidentiality agreement prior to being given access to information processing facilities.

All staff will be informed about the need and methods for maintaining confidentiality, regardless of what access their role gives them to information.

5.5 Terms and Conditions of Employment

Terms and Conditions should reflect the employee's responsibility for information security and should explain that these responsibilities are required in perpetuity and not only for the length of the staff member's employment. Terms and Conditions will also state that these responsibilities extend to all places and at all times, including outside the work environment. Breach of confidentiality can lead to summary dismissal.

5.6 User Training

Objective: To ensure Users are aware of threats to the confidentiality, quality and security of information.

Users should be trained in the use of systems and appropriate procedures/guidelines to ensure the quality and appropriate handling of information, in order to minimise risks to the Organisation from poor information security.

5.7 Information Governance Education and Training

Information Governance training is mandatory within the Organisation.

Induction - The Organisation will ensure that all newly employed staff receive basic guidance in Organisational policy in relation to information governance as part of an overall Organisation induction programme. This training will be focussed around the User elements of this policy (defined in the Acceptable Use Overview).

System Training - All User training on systems should include details and education on the appropriate policy and procedure elements for that system. These should focus on both security and data quality elements. Processes for system based tasks, such as search and registration of patients, should be detailed in user manuals.

The Organisational Development Team provides the majority of training on all planned implementations of National Reference Solution products and successor programmes. This will include Information Security as an integral part of the Information Governance training.

5.8 Responding to Incidents and Malfunctions

Objective: To minimise the damage from incidents and malfunctions and to monitor and learn from incidents.

Appropriate procedures will be in place to communicate incidents to the appropriate areas of the Organisation. As part of training, employees and third party contractors should also be made aware of the definitions of incidents/weaknesses and the process for dealing with them.

5.9 Reporting Incidents

Incidents are defined for the purposes of this document as an unplanned/untoward event, e.g. a confidentiality breach, poor quality or lack of information, or loss or theft of IT equipment.

The Organisation must include details of Serious Incidents (SI) involving data loss or confidentiality breach in its annual reports.
The Organisation must make specific reference to information governance, in terms of identifying and managing information risks, in its annual Statement of Internal Controls. The Organisation has identified the Senior Information Risk Owner as the Director of Finance.

All incidents should follow the appropriate risk reporting procedure.

Incidents Relating to Clinical Use of Data - Where an information incident relates to the clinical care of a patient, the reporting procedure will be integrated with the clinical incident reporting Guidelines and the Caldicott Guardian notified.

Incidents Relating to Non-Clinical Use of Data - Where an information incident relates to non-clinical use of information (including administration data), the reporting procedure should be integrated with the non-clinical incident reporting procedure and the Information Security Officer or System Manager notified in addition to the Organisation's Risk Manager.

Incidents Relating to the Theft of IT Equipment - Staff should follow the procedure detailed in Appendix A1: Reporting Stolen IT Equipment, e.g. raise an Incident Report and send it to the Risk Adviser (if the IT equipment contains Personal Identifiable Data / Personal Confidential Data (PID / PCD) this must be specifically identified by the User). The Risk Adviser can then assess the level of risk and raise an SI. Risks at level 1 and 2 are dealt with locally; for level 3 and above the Information Commissioner requires notification.

Near Misses - Near misses will be reported to both the Organisation's Risk Manager and the appropriate System Manager (3.12 Identification of Risks from Third Party Access), as valuable learning can be gathered from them as to why an incident itself did not occur.

Reporting Weaknesses

Within User training, awareness of weaknesses should be raised, and Users should be instructed to report these to either line managers or the system managers. Users should be instructed not to test weaknesses.

Reporting Software Malfunctions

Users should be made aware of the process for reporting malfunctions to the IT Service Desk as part of their local induction training from their line manager.

Learning from Incidents

The Organisation has set up the following processes for learning from incidents, near misses and weaknesses:

User Groups and Forums - As part of the development and management of systems, incidents and weaknesses will be discussed within the User Group framework.

Training Integration - Incidents are used to highlight learning points in staff training.

5.13 Preliminary Incident Assessment

In order to ascertain whether or not an incident has occurred which may potentially be in violation of Organisational policy and/or procedure/guideline, a preliminary assessment may be requested by the appropriate manager, e.g. for a possible breach of confidentiality. Requests for all preliminary incident assessments should be submitted in writing to the Head of Informatics. The preliminary assessment request will be communicated at the discretion of the appropriate manager.

Disciplinary Process and Removal of Access Rights

Any incident where Organisation policy and/or procedure/guideline have been violated maliciously by staff will be subject to the formal disciplinary procedure under the Organisation's Human Resource policy framework, and where appropriate the Professional Regulatory framework. Such policy will form the basis of any investigation and outcome.

Any incident where Organisation policy and/or procedure/guideline have been violated accidentally by staff may be subject to formal disciplinary policy under the Organisation's Human Resource policy framework, and where appropriate the Professional Regulatory framework. Such policy will form the basis of any investigation and outcome.

The Organisation reserves the right to remove system access rights for staff under investigation or disciplined, either temporarily or permanently.

6 Physical and Environmental Security

6.1 Controlled/Secure Areas

Objective: To prevent unauthorised access, damage and interference to business premises and information.

Areas should be protected by a defined security perimeter. The protection provided should be commensurate with the identified risks. A clear desk and clear screen ethos is desirable to reduce the risk of unauthorised access or damage to papers, media and information processing facilities.

This section of the policy needs to be viewed and read in conjunction with the Organisation's Confidentiality Code of Practice where applicable, and also with reference to the Organisation's Safe Haven Overview.

6.2 Physical Security Perimeter

Perimeters are defined as: walls, card controlled entry gates or doors, manned reception desks, fences etc. A physical security perimeter within a public area is difficult to achieve, so three levels of area are defined and the perimeters should be set around these:

Open Public Area - Where the public is allowed to move freely, such as corridors, waiting areas, some ward environments etc. Security is based on general security arrangements, such as staff vigilance, security patrols, CCTV and secure storage.

Controlled Public Area - In which the public can be present, but only following authorised access by staff (through controlled entry systems). This covers places such as sensitive clinical areas. Once within these areas, control over the public is again via staff vigilance and CCTV.

Staff Only Areas - No member of the general public is allowed access, except on controlled occasions, when they are accompanied at all times by a member of staff. In restricted staff only areas, authorised staff members must accompany visitors.

6.3 Physical Entry Controls

Entry to either controlled public areas or staff only areas requires physical entry controls. Care and thought should be taken to place these controls in the most appropriate position, e.g. swipe card access to a department should be placed beyond the reception desk.

6.4 Securing Offices, Rooms and Facilities

Users processing Information and utilising Information processing facilities should use appropriate security facilities, e.g. lockable filing cabinets. These facilities should be subject to regular review to ensure adequate protection for the information whilst maintaining appropriate availability. Doors and windows should be locked, blinds in place and curtains drawn when offices are unoccupied, with external protection for windows and doors if considered appropriate.

6.5 Working in Controlled/Secure Areas

All members of staff must wear a current ID badge at all times. Third party support services should only be granted limited/supervised access to controlled/secure areas, which should be authorised and monitored.

6.6 Equipment Security

Objective: To prevent loss, damage or compromise of assets and interruption to business activities, equipment should be physically protected from security threats or environmental hazards. This will also consider equipment siting and disposal.

6.7 Protection and Siting of Equipment

All of the following guidance points should be considered when siting equipment:
- Computer screens and paper records should be positioned to reduce the risk of being overlooked during use. Privacy barriers and folders should be routinely considered for open public areas.
- Equipment should be sited away from windows which may be easily overlooked (unless additional window protection is in place).
- Use of cages and security cables should be considered for equipment in open public and controlled public areas.
- Equipment should be sited away from fire risks, water, dust, chemicals, excessive heat and electromagnetic radiation.
- Critical equipment, such as servers and network infrastructure, should be sited in an appropriately controlled environment, in terms of power supply, temperature, humidity, fire control and physical access.
- Eating and drinking is not allowed near critical equipment and is actively discouraged near other equipment. Staff causing damage to equipment due to spillage may be responsible for the cost of repair or replacement.

6.8 Power Supply

Power supply to equipment should be routinely considered in all new installations of equipment or systems, and the existing power supply should be regularly reviewed. Special care needs to be taken on sites that operate standby generators, as these can generate fluctuations in the supply when they are switched on/off.

Critical Systems - Any system that is used for Diagnostic support (e.g. Pathology, Radiology) or Direct Provision of Patient Care (e.g. Pharmacy, or Clinical systems) must be provided with power supply protection. As a minimum this must be a UPS (Uninterruptible Power Supply) for the Server. This is to enable access in the event of a power failure, so that the system can be shut down in an orderly manner whilst business continuity plans are invoked. UPS equipment must be regularly checked to ensure it has adequate capacity, and tested in accordance with the manufacturer's recommendations (see 10 Business Continuity).

If the Organisation has a protected circuit available, there should be a formal Guideline for evaluating the system infrastructure and access points that should be attached to it. All power supply related issues or queries should be directed through the Organisation's Estates function.

6.9 Cabling Security

Cabling security should be considered for all new builds and refurbishments of existing premises during the planning stage, in consultation with the Estates Department.

Equipment Maintenance

Appropriate maintenance and/or warranty agreements should be in place for all critical equipment and systems. Authorised staff should maintain equipment in accordance with supplier recommendations.

Security of Equipment Off-Site

When taking or removing equipment off-site the guidelines below must be followed:
- Users must seek approval and authorisation from their Line Manager to remove equipment off-site.
- Equipment and media taken off-site should not be left unattended in public places.
- Manufacturer's instructions for the protection of equipment should be followed.
- Portable equipment should be transported appropriately, e.g. a laptop case in the car boot.
- Home-working controls should be determined by a risk assessment and suitable controls applied as appropriate. For more details see 20 Appendix D: Mobile and Home Working Overview. Special attention is drawn to 8.37 Mobile and Home Working, especially when a mobile device is accessed in the home environment.
- The IT Division must be notified if equipment is to be permanently moved from site to site.

6.12 Special Considerations for Leased/Hired Equipment

It is important to note that digital printers, copiers, and multifunction devices may contain storage media such as hard drives. The Informatics department cannot manage the safe disposal of this type of storage media, or the purging of information from this type of equipment, where it is leased. Therefore it is the responsibility of the procuring officer to ensure that the appropriate clauses relating to the safe management of this storage media are included in the contract before the equipment is returned or serviced.

Where equipment is being maintained, consideration must be given to controlling the introduction or removal of storage media or other components by visiting service/maintenance staff. Equally, should the device or its parts need to be removed for off-site repair or replacement, there is a risk that the information stored could be accessed, particularly where faults have


University of Brighton School and Departmental Information Security Policy University of Brighton School and Departmental Information Security Policy This Policy establishes and states the minimum standards expected. These policies define The University of Brighton business objectives

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical

More information

LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader AGENDA ITEM: SUMMARY Report for: Committee Date of meeting: 30 May 2012 PART: 1 If Part II, reason: Title of report: Contact: Purpose of report: Recommendations Corporate objectives: Implications: INFORMATION

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy Summary This policy outlines the organisation s approach to the management of Information Governance and information handling. It explains the accountability and reporting

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25

Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25 Information Security Policy Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25 Document Information Trust Policy Number : ULH-IM&T-ISP01 Version : 3.1 Status : Approved Issued by : Information Governance

More information

Remote Working and Portable Devices Policy

Remote Working and Portable Devices Policy Remote Working and Portable Devices Policy Policy ID IG04 Version: V1 Date ratified by Governing Body 29/09/13 Author South Commissioning Support Unit Date issued: 21/10/13 Last review date: N/A Next review

More information

Information security policy

Information security policy Information security policy Issue sheet Document reference Document location Title Author Issued to Reason issued NHSBSARM001 S:\BSA\IGM\Mng IG\Developing Policy and Strategy\Develop or Review of IS Policy\Current

More information

Highland Council Information Security Policy

Highland Council Information Security Policy Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction NHSnet : PORTABLE COMPUTER SECURITY POLICY 9.2 Introduction This document comprises the IT Security policy for Portable Computer systems as described below. For the sake of this document Portable Computers

More information

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette

More information

Information Governance Policy

Information Governance Policy BEXLEY CARE TRUST MANAGEMENT MANUAL Title: INFORMATION GOVERNANCE POLICY Originating Department: IT DEPARTMENT Authorised by: Risk Management Committee June 2008 Reference no: CA12 Date of Issue: JANUARY

More information

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE.

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE. Title: Information Governance Policy Date Approved: Approved by: Date of review: Policy Ref: Issue: January 2015 Information Governance Group Division/Department: January 2016 Policy Category: ISP-04 5

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

More information

How To Protect School Data From Harm

How To Protect School Data From Harm 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

Policy: Remote Working and Mobile Devices Policy

Policy: Remote Working and Mobile Devices Policy Policy: Remote Working and Mobile Devices Policy Exec Director lead Author/ lead Feedback on implementation to Clive Clarke SHSC Information Manager SHSC Information Manager Date of draft 16 February 2014

More information

Dublin Institute of Technology IT Security Policy

Dublin Institute of Technology IT Security Policy Dublin Institute of Technology IT Security Policy BS7799/ISO27002 standard framework David Scott September 2007 Version Date Prepared By 1.0 13/10/06 David Scott 1.1 18/09/07 David Scott 1.2 26/09/07 David

More information

Remote Access Policy

Remote Access Policy BASINGSTOKE AND NORTH HAMPSHIRE NHS FOUNDATION TRUST Remote Access Policy Summary This is a new document which sets out the policy for remote access to the Trust s network and systems. Remote access is

More information

Information & ICT Security Policy Framework

Information & ICT Security Policy Framework Information & ICT Security Framework Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT & Regulation Group and IMG January

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information

Information Management Policy CCG Policy Reference: IG 2 v4.1

Information Management Policy CCG Policy Reference: IG 2 v4.1 Information Management Policy CCG Policy Reference: IG 2 v4.1 Document Title: Policy Information Management Document Status: Final Page 1 of 15 Issue date: Nov-2015 Review date: Nov-2016 Document control

More information

University of Liverpool

University of Liverpool University of Liverpool IT Asset Disposal Policy Reference Number Title CSD 015 IT Asset Disposal Policy Version Number v1.2 Document Status Document Classification Active Open Effective Date 22 May 2014

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

More information

Intel Enhanced Data Security Assessment Form

Intel Enhanced Data Security Assessment Form Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized

More information

DATA PROTECTION AND DATA STORAGE POLICY

DATA PROTECTION AND DATA STORAGE POLICY DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether

More information

Information security management systems Specification with guidance for use

Information security management systems Specification with guidance for use BRITISH STANDARD BS 7799-2:2002 Information security management systems Specification with guidance for use ICS 03.100.01; 35.020 This British Standard, having been prepared under the direction of the

More information

Safe Haven Policy. Equality & Diversity Statement:

Safe Haven Policy. Equality & Diversity Statement: Title: Safe Haven Policy Reference No: 010/IT Owner: Deputy Chief Officer Author Information Governance Lead First Issued On: November 2012 Latest Issue Date: March 2015 Operational Date: March 2015 Review

More information

Walton Centre. Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt. Monitoring & Audit

Walton Centre. Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt. Monitoring & Audit Page 1 Walton Centre Monitoring & Audit Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt Page 2 Table of Contents Section Contents 1 Introduction 2 Responsibilities Within This

More information

Mobile Devices Security Policy

Mobile Devices Security Policy Mobile Devices Security Policy 1.0 Policy Administration (for completion by Author) Document Title Mobile Devices Security Policy Document Category Policy ref. Status Policy Unique ref no. Issued by GSU

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Name of Policy Author: Name of Review/Development Body: Ratification Body: Ruth Drewett Information Governance Steering Group Committee Trust Board : April 2015 Review date:

More information

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy.

1.5 The Information Governance Policy should be read in conjunction with the Information Governance Strategy. Title: Reference No: NHSNYYIG - 007 Owner: Author: INFORMATION GOVERNANCE POLICY Director of Standards First Issued On: September 2010 Latest Issue Date: February 2012 Operational Date: February 2012 Review

More information

Access Control Policy

Access Control Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you

More information

A Question of Balance

A Question of Balance A Question of Balance Independent Assurance of Information Governance Returns Audit Requirement Sheets Contents Scope 4 How to use the audit requirement sheets 4 Evidence 5 Sources of assurance 5 What

More information

Secure Storage, Communication & Transportation of Personal Information Policy Disclaimer:

Secure Storage, Communication & Transportation of Personal Information Policy Disclaimer: Secure Storage, Communication & Transportation of Personal Information Policy Version No: 3.0 Prepared By: Information Governance, IT Security & Health Records Effective From: 20/12/2010 Review Date: 20/12/2011

More information

Information Governance Policy

Information Governance Policy Policy Policy Number / Version: v2.0 Ratified by: Audit Committee Date ratified: 25 th February 2015 Review date: 24 th February 2016 Name of originator/author: Name of responsible committee/individual:

More information