Remote Access Policy

Transcription

1 BASINGSTOKE AND NORTH HAMPSHIRE NHS FOUNDATION TRUST Remote Access Policy Summary This is a new document which sets out the policy for remote access to the Trust s network and systems. Remote access is a method of accessing files and systems when away from the normal work environment which is becoming more common in the NHS. 1

2 Implementation Plan Share with Information Governance Group for comments Share with all Governance Boards for verification Summary of changes This is a new policy which sets out the policy for remote access to the Trust s network and systems. Remote access is a method of accessing files and systems that is becoming more common in the NHS Action needed and owner of action This policy will be sent to the Management Distribution list The policy owner will place an item in Pulse Managers are responsible for dissemination of the information to their staff 2

3 Table of Contents 1. WHAT IS REMOTE ACCESS? PURPOSE OF POLICY SCOPE OBJECTIVES PRINCIPLES RISKS REMOTE ACCESS PROCEDURES CONDITIONS OF USE PROVISION OF EQUIPMENT REIMBURSEMENT CONFIDENTIALITY COMPLIANCE EQUALITY AND DIVERSITY REVIEW AND MONITORING RELATED POLICIES CONTRIBUTORS

4 1. WHAT IS REMOTE ACCESS? Remote access refers to any technology that enables you to connect users in geographically dispersed locations. It is envisaged that this access will be used for on-call working or working from home where approved. 2. PURPOSE OF POLICY Information and information systems are important corporate assets and it is essential to take all the necessary steps to ensure that they are at all times protected, available and accurate to support the operation and continued success of the Trust. Remote access by staff and other non-nhs organisations is a method of accessing files and systems that is becoming more common in the NHS. This document sets out the policy for remote access and includes a set of common controls, which can be applied to reduce the risks associated with a remote access service. The Trust will support staffs who, in appropriate circumstances, wish to undertake a part of their work either at home or from a remote location. Wilful or negligent disregard of this policy will be investigated and may be treated as a disciplinary offence. 3. SCOPE This policy covers all types of remote access, whether fixed or roving including: Travelling users (e.g. Staff working across sites or are temporarily based at other locations) Home workers (e.g. IT support, Corporate Managers, IT development staff, Clinicians) Non NHS staff (e.g. Social Services, contractors and other 3 rd party organisations) This procedure outlines the method used for remote access. 4. OBJECTIVES The objectives of the Trust s policy on remote access by staff are: To provide secure and resilient remote access to the Trust s information systems. To preserve the integrity, availability and confidentiality of the Trust s information and information systems. To manage the risk of serious financial loss, loss of client confidence or other serious business impact which may result from a failure in security. 4

5 To comply with all relevant regulatory and legislative requirements (including data protection laws) and to ensure that the Trust is adequately protected under computer misuse legislation. 5. PRINCIPLES In providing remote access to staff, the following high-level principles will be applied: A formal risk assessment will be conducted for each application to which remote access is granted to assess risks and identify controls needed to reduce risks to an acceptable level. Remote users will be restricted to the minimum services and functions necessary to carry out their role. 6. RISKS The Trust recognises that by providing staff with remote access to information systems, risks are introduced that may result in serious business impact, for example: unavailability of network, systems or target information degraded performance of remote connections loss or corruption of sensitive data breach of confidentiality loss of or damage to equipment breach of legislation or non-compliance with regulatory or ethical standards. 7. REMOTE ACCESS PROCEDURES This section outlines the control procedures in place for remote access. Remote access must be approved by the line manager with final approval given by the Chief Executive. Connection will only be made to the Trust network via secure access. A single entry point will control access to the network, e.g. firewall and secure ID Token. Users must authenticate to the network, by using two-factor authentication o Secure Token across a broadband line o Relevant Trust network user account (User name and password) 8. CONDITIONS OF USE Employees must identify themselves to the network by using their own logon credentials. Two-factor credentials must be kept confidential at all times. Lost tokens must be reported immediately so accounts can be disabled, this would also need to be documented as a security incident. 5

6 Employees who are leaving the Trust must ensure that all equipment is returned to the IT Department so accounts can be disabled on the last day of employment. If an employee s contract is terminated, it is the responsibility of HR to notify the IT Department in order to ensure the necessary accounts are disabled. Any agreement on remote access is not permanent and may be brought to an end at any time by the member of staff or the Trust. An authorisation will be based on the needs of the Trust, the job, and the department. Members of staff must comply with all the Trust rules, policies and practices and instructions whilst accessing remotely. Any failure to do so may result in approval to access remotely being revoked and/or disciplinary action. 9. PROVISION OF EQUIPMENT The Trust will not provide or maintain a home PC or broadband connection, but will provide the necessary additional equipment to enable remote connection to the Trust's network if necessary and required to suit the needs of the user. This equipment could include: An active Token, synchronised to the network to provide once only passwords for secure login; Trust laptops to enable remote connection to the network Radiology diagnostic monitors The Trust is not liable or responsible for the support of home equipment except in respect of the equipment and software detailed above and directly relevant to remote access the Trust's systems. The Trust monitors who logs into the network and activity within the network. Access to the remote access server is provided on the understanding that this is the case. Any hardware or software provided by the Trust remains the property of the Trust and shall be returned at the end of the remote access arrangement. An equipment/software inventory will be maintained by the IT Service Desk for assigned Trust equipment to be used off-site. Products, documents and other records used and/or developed while working remotely remain the property of, and will be available to, the Trust. This information is subject to Trust policies regarding confidentiality and access, including the Caldicott recommendations. Trust owned software may not be duplicated. Staff working remotely using Trust software must adhere to the manufacturer's licensing agreements. 6

7 Each member of staff accessing remotely is responsible for protecting the integrity of copyrighted software, and following policies, procedures, and practices related to them to the same extent applicable in the conventional workplace. 10. REIMBURSEMENT The Trust will not reimburse staff for the use of any privately owned equipment. Purchasing and maintenance of personal office furniture or equipment eg desks, filing cabinets, answering devices, etc, is the responsibility of the member of staff accessing remotely. Charges for calls made to the specified remote access server numbers will be reimbursed against completed expenses claim form with the appropriate paid and itemised invoice. The member of staff should pay the standard broadband connection. 11. CONFIDENTIALITY Staff should ensure that they are meeting the requirements of the Data Protection Act 1998, and at all times behave in accordance with UK law. Staff working on Trust or associated organisations material/work must at all times take extreme care to ensure that confidentiality is maintained. Sensitive and confidential material must not be taken out of the conventional workplace without prior approval by a member of staff's line manager. 12. COMPLIANCE It is the responsibility of all users to ensure that they have read, understood and abide by this standard. 13. EQUALITY AND DIVERSITY Staff, where applicable, will have access to remote access, subject to the normal criteria being met and in line with any reasonable adjustments required under The Disability Discrimination Act 2005 as set out in the Trust s Equality & Diversity Policy. 14. REVIEW AND MONITORING The Trust has in place routines to regularly audit compliance with this and other standards. 15. RELATED POLICIES IT Security Policy (CO/163/09) Equality & Diversity Policy 7

8 16. CONTRIBUTORS Sarah Elmendorf, Chief Information Officer Nicola Lappin, Information Governance Manager Victoria Turner, Head of IT Information Governance Group Roy Ebanks, Equality & Diversity Manager 8

9 Appendix 1: APPROVAL FOR REMOTE ACCESS The member of staff named below has received express approval to access remotely and has read, understood and agrees to the conditions within the Trust's policy on remote access. Equipment being used Description Asset Number Name of applicant Signature Date Line Manager Signature Date Head of IT Signature Date Valid until An approved remote access application should be kept by the member of staff and one copy to the IT department. 9