IT Security Procedure

Transcription

1 IT Security Procedure 1. Purpose This Procedure outlines the process for appropriate security measures throughout the West Coast District Health Board (WCDHB) Information Systems. 2. Application This Procedure is to be followed by all staff members of the WCDHB. 3. Definitions For the purposes of this Procedure: User is taken to mean any individual having authorised access to WCDHB Information Systems, whether internally or externally, and includes both staff members and contractors. Information Systems is taken to mean any networked, stand alone, or portable workstation or personal computer and any peripheral devices attached to such a machine (e.g. printer, scanner) Data is taken to mean any information stored electronically in any format. Information Security is taken to mean protection of the WCDHB's data, applications, networks, and computer systems from unauthorized access, alteration, or destruction. iaccess is the electronic system available on the intranet, under IT Services which allows requests for IT access, changes and deactivations. 4. Responsibilities For the purposes of this Procedure: Chief Information Officer is required to: - ensure this Procedure is reviewed and updated on an annual basis and published as appropriate.; - ensure appropriate training is provided to data owners, network and system administrators, and users; - appoint a staff member to be responsible for security implementation, incident response, periodic user access reviews, and education. All Information Systems Users are required to: - ensure they abide by the requirements of this Procedure. 5. Resources Required This Procedure requires no specific resources. IT Security Procedure Page 1 of 1 1

2 6. Process 1.00 Introduction 1.01 The WCDHB will use a layered approach of overlapping controls, monitoring and authentication to ensure overall security of the WCDHB s data, network and system resources Security reviews of servers, firewalls, routers and monitoring platforms must be conducted on a annual basis. These reviews must include monitoring access logs and results of intrusion detection software, where it has been installed Vulnerability and risk assessment tests of external network connections should be conducted on a regular basis. Ideally, testing should be performed annually, but this should depend on the sensitivity of the information secured Security awareness training should be implemented to ensure that users understand data sensitivity issues, levels of confidentiality, and the mechanisms to protect the data. This should be tailored to the role of the individual users Access Control 2.01 Where possible and financially feasible, more than one person must have full rights to any WCDHB owned server storing or transmitting high risk data Access to the network and servers and systems should be achieved by individual and unique logins, and should require authentication. Authentication includes the use of passwords, smart cards, biometrics, or other recognized forms of authentication As stated in the current WCDHB IT Procedures on appropriate and acceptable use, users must not share usernames and passwords, nor should they be written down or recorded in unencrypted electronic files or documents All users must secure their username or account, password, and system access from unauthorized use by non disclosure of their password information either in written or verbal form, by securing their computer workstation when they are not present All users of systems that contain high risk or confidential data must have a strong password Empowered accounts, such as administrator or supervisor accounts which are not part of password aging, must be changed annually Passwords must not be placed in s unless they have been encrypted Default passwords on all systems must be changed after installation. All administrator or supervisor accounts must be given a password that conforms to the password selection criteria when a system is installed, rebuilt, or reconfigured The gold standard for computer systems should be standardised where possible and financially practical on the below set of policies: i. Password cannot repeat any of your previous 10 passwords ii. Current password must be at least 2 days old before changing iii. Password must contain at least 8 characters iv. Password must contain at least 1 numeric characters v. Password must contain at least 2 upper and lower case characters vi. Password cannot match any word from a list of dictionary words vii. Password should be changed every aging 90 days IT Security Procedure Page 2 of 1 2

3 viii. Account life 120 days. So if password is expired and not changed within 30 days, account is automatically disabled. ix. Unlimited maximum period of inactivity on account (Will be disabled in 120 days due to password age) x. No maximum password length xi. 5 unsuccessful login tries before account is locked, only administrator or oncall/helpdesk IT staff can unlock 2.10 Logins and passwords should not be coded into programs or queries unless they are encrypted or otherwise secure Terminated staff members access must be reviewed monthly and adjusted as found necessary. Terminated staff members should have their accounts disabled upon transfer or termination. It is the responsibility for the relevant HOD or hiring manager through the iaccess system to notify IT of the staffs departure and what should be done with data within their home folder and account. IT will also disable accounts (not remove) as soon as payroll has notified them of terminations on a monthly basis. IT will also audit inactive Active Directory accounts that have been inactive for more than 90 days on a monthly basis to determine if these accounts can be removed Since there could be delays in reporting changes in user responsibilities, periodic user access reviews should be conducted mostly through IT account auditing Monitoring should be implemented on key systems including recording logon attempts and failures, successful logons and date and time of logon and logoff. There should be a documented procedure for reviewing system logs Activities performed as administrator or Super User must be logged where it is feasible to do so Staff members who have administrative system access should use other less powerful accounts for performing non-administrative tasks Virus Protection 3.01 The willful introduction of computer viruses or disruptive/destructive programs into the WCDHB environment is prohibited, and violators may be subject to prosecution All desktop systems that connect to the network must be protected with an approved, licensed anti-virus software product that it is kept updated according to the vendor's recommendations All servers and workstations that connect to the network and that are vulnerable to virus or worm attack must be protected with an approved, licensed anti-virus software product that it is kept updated according to the vendor's recommendations Headers of all incoming data including electronic mail must be scanned for viruses by the server where such products exist and are financially feasible to implement Outgoing electronic mail should be scanned where such capabilities exist Where feasible, system or network administrators should inform users when a virus has been detected Virus scanning logs must be maintained whenever is centrally scanned for viruses Intrusion Detection 4.01 Intruder detection must be implemented on the firewall and where possible/practical servers and workstations containing data classified as high risk. IT Security Procedure Page 3 of 1 3

4 4.02 Operating system and application software logging processes must be enabled on all host and server systems. Where possible, alarm and alert functions, as well as logging and monitoring systems must be enabled Server, firewall, and critical system logs should be reviewed frequently. Where possible, automated review should be enabled and alerts should be transmitted to the administrator when a serious security intrusion is detected Intrusion tools should be installed where appropriate and checked on a regular basis Internet Security 5.01 All connections to the Internet must go through a properly secured connection point to ensure the network is protected when the data is classified high risk All connections to the Internet should go through a properly secured connection point to ensure the network is protected when the data is classified confidential System Security 6.01 All systems connected to the Internet should have a vendor supported version of the operating system installed All systems connected to the Internet must be current with security patches All servers should have security patches applied on a periodic basis, monthly in most instances System integrity checks of host and server systems housing high risk WCDHB data should be performed where practical Where possible and practical logins into computer systems should be standardised as firstname.lastname Where possible systems should be integrated into Microsoft Active Directory 7.00 Acceptable Use 7.01 WCDHB computer resources must be used in a manner that complies with WCDHB policies and relevant laws and regulations It is against WCDHB policy to install or run software requiring a license on any WCDHB computer without a valid license Use of the WCDHB's computing and networking infrastructure by WCDHB staff members unrelated to their WCDHB positions must be limited in both time and resources and must not interfere in any way with WCDHB functions or the staff member's duties Uses that interfere with the proper functioning or the ability of others to make use of the WCDHB's networks, computer systems, applications and data resources are not permitted Use of WCDHB computer resources for personal profit is not permitted except as addressed under other WCDHB policies Decryption of passwords is not permitted, except by authorized staff performing security reviews or investigations. IT Security Procedure Page 4 of 1 4

5 7.07 Use of network sniffers shall be restricted to system administrators who must use such tools to solve network problems. Auditors in the performance of their duties may also use them. They must not be used to monitor or track any individual's network activity except under special authorization from the Chief Information Officer Exceptions 8.01 In certain cases, compliance with specific procedure requirements may not be immediately possible. Reasons include, but are not limited to, the following: xii. Required commercial or other software in use is not currently able to support the required features; xiii. Legacy systems are in use which do not comply, but near-term future systems will, and are planned for; xiv. Costs for reasonable compliance are disproportionate relative to the potential damage. 7. Precautions And Considerations Security reviews of servers, firewalls, routers and monitoring platforms must be conducted on a regular basis. Vulnerability and risk assessment tests of external network connections should be conducted on a regular basis. Education should be implemented to ensure that users understand data sensitivity issues, levels of confidentiality, and the mechanisms to protect the data 8. References There are no references associated with this Procedure 9. Related Documents WCDHB Access To Information Systems Procedure WCDHB Use Procedure WCDHB Health Intranet Connection Procedure WCDHB Information Systems Procedure WCDHB Internet Use Procedure WCDHB Portable Data Storage Devices Use Procedure Collection, Collation, Correction & Alteration Of Personal Health Information/Medical Records Procedure IT Security Procedure Page 5 of 1 5