Informatics Policy. Information Governance. Network Account and Password Management Policy

Transcription

1 Informatics Policy Information Governance Policy Ref: 3589

2 Document Title Author/Contact Document Reference 3589 Document Control Network Account Management and Password Policy Pauline Nordoff-Tate, Information Assurance Manager Document Impact Assessed Yes/No Date: 21/11/11 Version 2 Status Approved Publication Date 30/11/11 Review Date 30/11/13 Approved by Dr P Williams, Caldicott Guardian 28/11/11 Ratified by Information Governance Group 28/11/11 Distribution: Royal Liverpool and Broadgreen University hospitals NHS Trust-intranet using Sharepoint which will maintain the policy document in conjunction with each document author. Please note that the Intranet version of this document is the only version that is maintained. Any printed copies should therefore be viewed as uncontrolled and as such, may not necessarily contain the latest updates and amendments. Document Control Document History Version Date Comments Author 1 19/11/2009 New document composed M Haynes of Network account policy and Password policy /12/2009 Minor amendments Information Assurance Manager /09/2011 Minor amendments TS Manager / IT Security Consultant /11/2011 Amendments to Network application form taking out references to HIS and amendments to section 4.4 Pauline Nordoff-Tate

3 Review Process Prior to Ratification: NAME OF GROUP/DEPARTMENT/COMMITTEE DATE Information Governance Group by 31/12/2009 Information Governance Group 28/11/11

4 Heading Table of Contents Page Number 1.0 INTRODUCTION Equality and Diversity OBJECTIVE SCOPE OF THE POLICY POLICY Account Creation Account Amendment Personal Details Change Job title, office location etc Account Expiry/Removal Notification from Manager Notification from Human Resources IT Department Account Expiry/Removal Procedure Dormant Accounts Further Information Managers Human Resources Password Structure Temporary Passwords Forced Password Change Password Renewal ROLES AND RESPONSIBILITIES Managers Staff ASSOCIATED DOCUMENTATION AND REFERENCES TRAINING & RESOURCES MONITORING AND AUDIT Recording and Monitoring of Equality & Diversity 6 APPENDIX A IT NETWORK ACCOUNT REQUEST 8 APPENDIX B SUPPORTING LEGISLATION AND GUIDANCE 9

5 1.0 Introduction This policy details the procedures for network account management. The policy describes the processes that must be adhered to by all staff for registration, de-registration, authorisation and authentication procedures for access to the Trust s network services e.g. file and print. The Data Protection Act 1998 requires the Trust to take organisational and technical measures to keep information safe and secure. Using passwords appropriately is one way of ensuring that patient and staff data is held. 1.1 Equality and Diversity The Trust is committed to an environment that promotes equality and embraces diversity in its performance as an employer and service provider. It will adhere to legal and performance requirements and will mainstream equality and diversity principles through its policies, procedures and processes. This policy should be implemented with due regard to this commitment. To ensure that the implementation of this policy does not have an adverse impact in response to the requirements of the Race Relations (Amendment Act), the Disability Discrimination Act 2005, and the Equality Act 2006 this policy has been screened for relevance during the policy development process and a full impact assessment conducted where necessary prior to consultation. The Trust will take remedial action when necessary to address any unexpected or unwarranted disparities and monitor practice to ensure that this policy is fairly implemented. This policy and procedure can be made available in alternative formats on request including large print, Braille, moon, audio, and different languages. To arrange this please refer to the Trust translation and interpretation policy in the first instance. The Trust will endeavour to make reasonable adjustments to accommodate any employee with particular equality and diversity requirements in implementing this policy and procedure. This may include accessibility of meeting/appointment venues, providing translation, arranging an interpreter to attend appointments/meetings, extending policy timeframes to enable translation to be undertaken, or assistance with formulating any written statements. 1

6 2.0 Objective This policy aims to raise staff awareness of the processes that must be followed in order to manage an end user network account, as well as raise staff awareness of best practice and the importance of password security within the Trust, and to detail the password structure of Trust network account passwords. 3.0 Scope of the Policy This document intends to prevent unauthorised access to the Trust s Information Systems. The policy details the management of the Trust network account password and file structure. 4.0 Policy 4.1 Account Creation Access to the Trust s Network is controlled through a formal User Registration process. Each User is identified by a unique User ID so that Users can be linked and held responsible for their actions. Access to the Trust network is provided by the IT Department and can be enabled only after the proper procedures have been followed. In order to have a network account created, a request must be submitted, via the form detailed in Appendix A, from the new users Line Manager or from Human Resources to the Service Desk. The new account will be created within 5 working days of receipt of the completed form. Forms may be faxed, ed or sent through internal post to the department. A new user account will only be made active on the start date of the new employee; the employee will be requested at first logon to change their password as stated in the letter they receive before starting employment. 4.2 Account Amendment When an employee changes jobs, their network accounts must be altered accordingly to ensure that access permissions are correct for the new position. This notification must be sent to the IT Department by the relevant Line Manager Personal Details Change Requests to change the name of a staff member must come from the staff member themselves. It should be noted that a staff member should have written a formal letter informing the Human Resources Department of this change and their details will have been amended on the system. Changes will only be made after confirmation is obtained from the Human Resources System. 2

7 4.2.2 Job title, office location etc These requests should be made by the staff member themselves due to the fact that this information is not likely to be held on the Human Resource System and so will not be checked. These details will only need to be amended on Active Directory and the User Accounts Database. Any changes made for this purpose will NOT alter any of the access permissions to network services. 4.3 Account Expiry/Removal Accounts will be expired or deleted under the following instances: Notification from Manager Managers must advise the IT Department and log a call with the Service Desk asking them to close/amend an employee account and remove their access, if necessary giving access to their folders to another member of staff. This request will be verified against the Human Resource system to ensure that the member of staff has terminated employment with the Trust Notification from Human Resources The Human Resource system monitors staff starters and leavers for those members of staff employed by the Trust. This list is provided to the IT Department on a monthly basis IT Department The department may disable an account under the following conditions: Disclosure of account credentials Due to an ongoing Information Security Incident investigation Misuse of account This list is not exhaustive. 4.4 Account Expiry/Removal Procedure When an account is to be expired, the following process must be adhered to: a. The account is disabled and kept for three months then deleted as per Trust policy b. Check the user s details are stored in the account database. c. Disable the account and place it in the deleted accounts container within active directory. d. The disabled account is left in this container for three months. During this time if the staff member has moved around within the organisation, the Trust will have been notified about this and changed the account accordingly. e. Each month, the Deleted Accounts container is compared against the Human Resource System to clarify that the 3

8 member of staff has indeed left the Trust and has not been back within that month. The account is then deleted from the container. An amendment is made to the records stored on the User Account Database f. After 3 months the User Account Database is checked and a list of deleted accounts produced for users 3 months prior. If that user has not returned to the Trust within 3 months, their entire account is deleted along with personal drive and s. 4.5 Dormant Accounts A review of all accounts will be performed on a monthly basis. This review is targeted at the existence of dormant accounts and accounts that have not been accessed for a period of time (30 days or more). Any accounts identified as dormant will be expired in order to prevent unauthorised access. If the account is still classed as dormant after 90 days, the account will be deleted from the Trust network. 4.6 Further Information Managers Departmental Managers will ensure that the requirements of this policy are adhered to and that the IT Service Desk be notified of any changes that are required to an end users account profile. This notification should include any member of staff that is on: Maternity leave; Long-term sick leave; Extended annual leave period; Sabbatical. Please note this list is a representative sample and should not be considered exhaustive. Staff should be aware that their managers will have the right to access boxes in the unexpected event that they are absent from work, and where there is a need based on business continuity Human Resources Human Resources will notify the IT Department of all staff who join and leave the Trust on a monthly basis. This information will also include all staff that are entering any of the periods of extended absence as detailed in Section or who are changing employment within the Trust. 4.7 Password Structure All Network passwords will expire after 90 days. The reallocation of passwors will prevent the use of the previous 3 passwords. 4

9 Passwords shall conform to a minimum password length of 7 characters. All passwords must be alphanumeric and should include symbols where possible. 4.8 Temporary Passwords Temporary passwords will only be issued for new accounts and to users who have locked their existing accounts. Temporary passwords will have a forced change implemented upon them and must be changed when the user logs onto the Trust network with them. Access to the network will not be enabled until the temporary password has been changed. 4.9 Forced Password Change After each period of 90 days, the user will be forced to change their Network Password. The user will be requested, at the logon prompt, to change their password 14 days prior to the forced change being implemented. If the user does not change their password in the 14 days prior, they will be forced to change it once the 90 days has expired. Access to the Trust network will not be enabled until the password is changed Password Renewal This is enforced on windows network accounts for logging onto the Trust network, and users should be vigilant in ensuring that these robust mechanisms should be encouraged for use on other systems within the Trust ie regular renewal of passwords. New systems being integrated into the Trust are assessed from a security/accessibility viewpoint to ensure that they have these minimum requirements to help safeguard password management. 5.0 Roles and Responsibilities 5.1 Managers All Managers are responsible for ensuring that all staff within their department are aware of and understand the requirements of this policy. Managers are responsible for ensuring that the Service Desk is notified when a member of staff leaves so that access to systems can be terminated. 5.2 Staff All users shall be mandated to keep passwords confidential. 5

10 All users should NOT keep a paper record of passwords, but electronic storage of passwords can be kept securely if there is a need to do so. Change passwords whenever there is any indication of possible system or password compromise. Select passwords with a minimum length of seven characters, which are: Not based on anything somebody else could easily guess or obtain using person related information, e.g. names, telephone numbers, and dates of birth etc Free of consecutive identical characters or all-numeric or allalphabetical groups. All users should change passwords at regular intervals or based on the number of accesses (passwords for privileged accounts should be changed more frequently than normal passwords), and avoid re-using or re-cycling old passwords. Change temporary passwords at the first log-on. Do not include passwords in any automated log-on process, e.g. stored in a macro or function key. The sharing of passwords with others in strictly prohibited any breach of this rule may result in disciplinary action being taken. Staff should be aware that their managers will have the right to access boxes in the unexpected event that they are absent from work, and where there is a need based on business continuity. 6.0 Associated documentation and references This policy has been developed in accordance with the following documents: The Trust Information Assurance Policy; IS Code of Practice for Information Security 7.0 Training & Resources Password training will be included in all system training programmes and support documentation. 8.0 Monitoring and Audit The Trust will ensure compliance via the Information Governance Toolkit plan, which is monitored by the Information Governance Group. 8.1 Recording and Monitoring of Equality & Diversity The Trust understands the business case for equality and diversity and will make sure that this is translated into practice. Accordingly, all policies and procedures will be monitored to ensure their effectiveness. 6

11 Monitoring information will be collated, analysed and published on an annual basis as part of our Single Equality and Human Rights scheme. The monitoring will cover all strands of equality legislation and will meet statutory employment duties under race, gender and disability. Where adverse impact is identified through the monitoring process the Trust will investigate and take corrective action to mitigate and prevent any negative impact. The information collected for monitoring and reporting purposes will be treated as confidential and it will not be used for any other purpose. 7

12 Appendix A IT Network Account Request This request form is for security purposes and must be completely filled in. The request will not be processed unless all fields are filled in. A password letter will be sent in the internal mail once the request has been received. Please fax this request back to , or post to: I.T Server Team, RLBUHT, Broadgreen Hospital, Thomas Drive, Liverpool. L14 3LB. 8

13 Appendix B Supporting Legislation and Guidance ISO The Code of Practice for Information Security Management Section A states: - Management shall review users access rights at regular intervals using a formal process. 9