Remote Network Access Procedure

Transcription

1 Remote Network Access Procedure Version: 1.1 Bodies consulted: - Approved by: PASC Date Approved: Lead Manager: Ade Sulaiman Responsible Director: Simon Young Date issued: Aug 13 Review date: Jul 16 Is this policy current? Check the intranet to find the latest version! Remote Network Access Procedure, Ver 1.1, Aug 13 Page 1 of 8

2 Remote Network Access Procedure 1 Introduction Purpose Scope Definitions Duties and responsibilities Procedures Training Requirements Process for monitoring compliance with this Procedure References Associated documents... 7 Appendix A : Equality Impact Assessment... 8 Remote Network Access Procedure, Ver 1.1, Aug 13 Page 2 of 8

3 Remote Network Access Procedure 1 Introduction Remote Access refers to any technology that enables users to connect to the Trust s network from any location. This access is typically over some kind of dial-up connection, although it can include WAN connections. The Remote Access system employed by the Trust uses secure token technology to allow authorised staff access to Trust systems. This includes Intranet, , Personal and Shared folders and, where appropriate, to bespoke departmental systems such as RiO. The authorised user requires in an internet connection and appropriate passwords 2 Purpose This document sets out the Procedure for control of remote access and includes a set of security controls, which can be applied to reduce the risks associated with remote access. 3 Scope This Procedure applies to staff, students and contractors. This Procedure covers staff use of all types of remote access, whether fixed or roving including: Remote users (e.g. Staff working at one or more sites or who are work at locations other than the Tavistock Centre or Portman Clinic) Home working Non-NHS staff (e.g. Social Services, contractors and other 3rd party organisations) Wilful and/or negligent disregard of this Procedure will be investigated and may be treated as a disciplinary offence. 4 Definitions Remote Access - Remote access by staff and other non-nhs organisations is a method of accessing files and systems that is becoming more common in the NHS. For example, our contracting processes rely on staff having access to Remote Network Access Procedure, Ver 1.1, Aug 13 Page 3 of 8

4 our PAS (Patient Administration Systems) regardless of their location. In practice, the benefits of securing remote access are considerable business can be conducted remotely with confidence and sensitive corporate information remains confidential Dial Up Connection - A term used to describe the method for connection to a network WAN - Wide area Network, a term used to describe a network which connects terminals/sites over a wide geographical area. Firewall - provides a barrier to traffic crossing a network's "perimeter" and permits only authorised traffic to pass, according to a predefined security policy Router - is a networking device whose software and hardware are usually tailored to the tasks of routing and forwarding information. For example, on the Internet, information is directed to various paths by routers. Switch - is a networking device that joins multiple computers together within one local area network (LAN). Virus Scanners (or Anti Virus solutions) is a software solution that tries to prevent and remove computer viruses, including worms and trojan horses form the host machine. Such programs may also detect and remove adware, spyware, and other forms of malware. Content Filters - software designed and optimized for controlling what content is permitted to a reader, especially when it is used to restrict material delivered via the Web. Basically determines which websites a user can access. 5 Duties and responsibilities In relation to developing and managing policies within the Trust the following key duties have been identified: 5.1 Chief Executive: has ultimate responsibility for ensuring that the Trust has systems in place for the full implementation and monitoring of this Procedure. 5.2 Governance Manager: will monitor compliance via incident reporting and make reports to the Information Governance Work Stream meetings. 5.3 IT Manager: has responsibility for providing clear guidance and authorisation to all remote access users and for managing the level of access provided, ensuring user profiles and logical access controls are implemented to deliver secure access. Will also ensure procedures for authorisation are in place and maintained to auditable standard. Remote Network Access Procedure, Ver 1.1, Aug 13 Page 4 of 8

5 5.4 Directors have the responsibility to ensure arrangements are in place in their Directorates for the dissemination and implementation of new and updated polices 5.5 Line managers are responsible for nominating staff for access by completing the user access authorisation form. 5.6 All Remote Access Users: are responsible for complying with this Procedure and associated policies and procedures. 6 Procedures Remote Access Principles In providing remote access to staff, the following high-level principles will be applied: 6.1. The IT manager will be appointed to have overall responsibility for each remote access connection to ensure that the Trust s Procedure and standards are applied A formal risk analysis process will be conducted by the IT Manger for each application to which remote access is granted to assess risks and identify controls needed to reduce risks to an acceptable level. 6.3 Remote users will be restricted to the minimum services and functions necessary to carry out their role. Eligibility 6.4 Trust staff may apply for Remote Access by completing a Remote Access Request Form if they satisfy the following conditions: They have a contract of employment Staff have a valid network username, password and account A request form is completed, and approval by the relevant manager. Staff have read and acknowledged the relevant policies and agree to be bound by those policies by signing an undertaking. 6.5 Contractors and other support/service staff (i.e. system proprietors) who may require access in the course of providing system support and maintenance can be granted access once they have signed the Confidentiality Agreement for Contractors. 6.6 That access will be restricted to the minimum necessary for the user to be able to safely carry out their duties. Remote Network Access Procedure, Ver 1.1, Aug 13 Page 5 of 8

6 Registration 6.7 All remote users must be registered and authorised by the IT Manager. User identity will be confirmed by strong authentication and User ID and password authentication. The Trust s Network Manager is responsible for ensuring a log is kept of all users Remote Access. 6.8 It is the responsibility of the IT Manager to ensure that robust administration and filing procedures are in place so that user access is strictly controlled and that this can stand up to detailed audit. Security Technologies To ensure comprehensive protection, every network will include components that address the following 5 aspects of network security:- 6.9 User identity will be confirmed by strong authentication and User ID and password authentication. The Network Manager is responsible for ensuring a log is kept of all user remote access Perimeter Security - The IT Manager is responsible for ensuring perimeter security devices are in place and operating properly. Perimeter security solutions control access to critical network applications, data, and services so that only legitimate users and information can pass through the network. Routers and switches handle this access control with access control lists and by dedicated firewall appliances. Remote Access Systems with strong authentication software control remote dial in users to the network. Complementary tools, including virus scanners and content filters, also help control network perimeters. Firewalls are generally the first security products that organisations deploy to improve their security postures Secure Connectivity - The Trust will protect confidential information from eavesdropping or tampering during transmission Security Monitoring - Network vulnerability scanners will be used to identify areas of weakness, and intrusion detection systems to monitor and reactively respond to security events as they occur Remote diagnostic services and 3rd parties Suppliers of central systems/software expect to have dial up access to such systems on request to investigate/fix faults. The Trust will permit such access subject to it being initiated by the computer system and all activity monitored. Each supplier or Trust user requiring remote access will be required to commit to maintaining confidentiality of data and information and only using qualified representatives. Remote Network Access Procedure, Ver 1.1, Aug 13 Page 6 of 8

7 Each request for dial up access will be authorised by approved computer services staff, who will only make the connection when satisfied of the need. The connection will be physically broken when the fault is fixed/supplier ends his session. User Responsibilities, Awareness & Training - The Trust will ensure that all users of information systems, applications and the networks are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities. Irresponsible or improper actions may result in disciplinary action(s). Reporting Incidents & Weaknesses - All security weaknesses and incidents must be recorded and reported via the Trust Risk Management Procedures for assessment, with action taken as appropriate. 7 Training Requirements Na 8 Process for monitoring compliance with this Procedure The IT Manager will provide assurance reports to the SIRO to show that that periodic checks have been undertaken The Information Governance Work Stream will consider, by exception, (via incident reporting) incidents relating to remote access 9 References - 10 Associated documents 1-1 For the current version of Trust procedures, please refer to the intranet. Remote Network Access Procedure, Ver 1.1, Aug 13 Page 7 of 8

8 Appendix A : Equality Impact Assessment 1. Does this Procedure, function or service development affect patients, staff and/or the public? YES 2. Is there reason to believe that the Procedure, function or service development could have an adverse impact on a particular group or groups? NO 3. If you answered YES in section 2, how have you reached that conclusion? (Please refer to the information you collected e.g., relevant research and reports, local monitoring data, results of consultations exercises, demographic data, professional knowledge and experience) 4. Based on the initial screening process, now rate the level of impact on equality groups of the Procedure, function or service development: Negative / Adverse impact: Low. Positive impact: Medium... May have positive effect for disaled people who could work from home Date completed Name Jonathan McKee Job Title Governance Manager Remote Network Access Procedure, Ver 1.1, Aug 13 Page 8 of 8