MANAGEMENT OF USER ACCOUNTS AND PASSWORD POLICY AUGUST Version 2.0

Transcription

1 MANAGEMENT OF USER ACCOUNTS AND PASSWORD POLICY AUGUST 2011 Version 2.0 Western Health and Social Care Trust Page 0 of 6 Management of User Accounts Policy

2 Policy Title MANAGEMENT OF USER ACCOUNTS AND PASSWORD POLICY Policy Reference Number CORP09/009 Implementation Date September 2009 Revised Date August 2011 Review Date August 2013 Responsible Officer FERGAL DUREY, HEAD OF ICT Western Health and Social Care Trust Page 1 of 6 Management of User Accounts Policy

3 Table of Contents 1. Background and Purpose 3 2. Obtaining Access to Systems 3 3. Acceptable Do s and Don ts 3 4. Counter Measures 4 5. Additional Resouces 5 6. Training 5 8. Further Information 5 Western Health and Social Care Trust Page 2 of 6 Management of User Accounts Policy

4 1. Background and Purpose User accounts and passwords are used by the Trust to grant access to the vast majority of information systems and resources. The effective maintenance of these accounts and passwords on Trust systems, and other electronic services, is a critical part of maintaining our ICT infrastructure and the information it holds. Given the particularly sensitive nature of the data that Trust employees have access to, there is a legislative requirement on the organisation (and its staff) to employ, promote and adhere to standards that will safeguard patient / client data against unauthorised access and / or handling. The purpose of this policy is to establish the rules for the creation, monitoring, control and removal of user accounts. It applies equally to all staff with access to the Trust network, the HSC wide area network (WAN) and any of the clinical or corporate systems that reside thereon. The measures outlined in this policy will not be effective without the cooperation of all Western Trust staff. The cooperation of all such staff, and acceptance of this policy, is therefore a prerequisite to approval for user accounts. 2. Obtaining Access to Systems Requests for network or system user accounts or changes to existing accounts will be actioned upon receipt of an request from a suitably authorised officer. For the purposes of this policy a suitably authorised officer should be:- The line manager of the member of staff requiring access and at Band 5 or above NB. All account requests should be directed to the ICT Service Desk ithelpdesk@westhealth.n-i.nhs.uk Under specific circumstances 3 rd Party Suppliers may be able to obtain access to the Trust network or systems. For further details contact- ICT Security Manager, ICT Department, Altnagelvin Area Hospital, Glenshane Road, Londonderry, BT47 6SB. Tel: Acceptable use (Do s and Don ts) User accounts For certain systems, e.g. regionally hosted, specific personal information is required such as National Insurance Numbers. The provision of this information is a prerequisite to the allocation of a user account. Staff are NOT permitted to authorise the creation of accounts and set access privileges for their own use. New accounts will be created with a default password that must be changed by the account owner upon receipt. Western Health and Social Care Trust Page 3 of 6 Management of User Accounts Policy

5 Line managers are responsible for ensuring that staff changes which affect system accounts or access are reported immediately to the ICT Team or the respective system manager. ICT Security officers and respective system managers will carry out regular audits of user accounts to ensure such things as; employment status; access rights and privileges etc Passwords Passwords are the first line of protection for user accounts and the strength of a user s passwords is key in the Trust s defence against security breaches. Trust staff are discouraged from using Trust account passwords for external purposes e.g. registering with external websites. Screens, keyboards and printers should be appropriately positioned so that they are protected against accidental disclosure of passwords or any other sensitive data. Passwords should:- Not be disclosed or shared. (No ing) Not be written down. If it is necessary to write down a password (e.g. for contingency purposes) it should be stored in a sealed envelope in a secure cabinet. Not attached to any PC, portable device, CD etc Consist of at least one non-alphabetic character. Be a minimum of 7 characters Be changed at regular intervals. (Currently 90 days) Be unique for each individual login account. Not relate to the user or system being accessed. Not be pre-coded into scripts or icons for convenience Be changed immediately on suspicion of any compromise. Such incidents must be reported to the ICT Service Desk Be changed more frequently for privileged accounts e.g. those with higher levels of systems administration. The above is not a comprehensive list; for further guidance the reader is referred to the ICT Operations Policy.Note: Use of software for password-cracking or any other means of discovering passwords is strictly prohibited and may lead to disciplinary action. 4. Countermeasures This policy should be seen as one of a number of countermeasures put in place to protect the organisation and its employees from such things as inadvertent exposure to illicit material, malicious software etc, and also the possibility of legal action as a direct result of the abuse or misuse of ICT systems. Additional protection is provided by the following:- Western Health and Social Care Trust Page 4 of 6 Management of User Accounts Policy

6 Password aging Where systems allow, passwords will be limited to a specific period of use (currently 90 days) before a forced change Monitoring i) The Trust reserves the right to monitor the use of all accounts and may in certain circumstances (e.g. annual leave) approve access to an account in the absence of a member of staff. ii) Suspected cases of abuse on the system or breaches in policy will be rigorously investigated within HR guidelines and in conjunction with HR staff. Removal i) Access to systems may be withdrawn at any time as a result of, or pending the outcome of, investigations into suspected abuse or misuse ii) iii) User accounts will be terminated for staff who leave the organisation Dormant accounts, or accounts not otherwise accessed on a regular basis (6 months), will be deemed suitable for removal. Accounts will initially be disabled then, after a further 6 months, and data will be archived. The account will be deleted unless ICT is notified. There may be occasions where accounts may have to be deleted retrospectively. Special leave or periods of extended absence will be taken into consideration. 5. Additional Resources This policy should be read in conjunction with other policies relating to effective and appropriate use of ICT services, including 1) ICT Operations Policy 2) Policy 3) Internet policy 4) Server, Desktop and Portable Security Policy 5) Malicious Software Policy 6. Training The Trust is committed to staff development and seeks to consistently improve development standards and opportunities for staff in line with organisational objectives, policies and procedures. Should you or your staff require support in the effective use of ICT systems or applications please contact the ICT Training Team via the IT Service Desk. 7. Further Information For further information in relation to this policy please contact:- ICT Training Department ICT Department Altnagelvin Area Hospital Glenshane Road Londonderry BT47 6SB Tel: Western Health and Social Care Trust Page 5 of 6 Management of User Accounts Policy