Policy Register No: Status: Public

Transcription

1 Workstation SecurityPolicy Policy Register No: Status: Public Developed in response to: IG Toolkit,09049 Information Security Management Strategy, ICT Security Policy Contributes to CQC Regulation number: 20 Consulted With Post/Committee/Group Date Diana Smith Helpdesk & Desktop Manager 18/06/13 Barry Stannard ICT Operations Manager 20/06/13 Jon Clark Server Manager 18/06/13 Professionally Approved By Kate Thompson Head of ICT 20/06/13 Version Number 3.0 Issuing Directorate ICT Ratified by: Document Ratification Group Ratified on: 25th July 2013 Executive Management Group Sign August 2013 Off Date Implementation Date 5th August 2013 Next Review Date July 2016 Contact for Information Barry Stannard, Head of IT Operations Policy to be followed by (target staff) All Trust staff, contractors, volunteers and associated third parties Distribution Method Intranet, web site Related Trust Policies (to be read in 13017, ICT Security Policy conjunction with) 09028, IT Systems User Access Policy 08064, IT Encryption Policy 07010, Data Protection Strategy 11061, Removable Media Policy 09023, Anti-Virus and Malware Policy 09036, IT Password Policy Document Review History Review Reviewed by Review Date No 1.0 Dave Shrimpton September Shaun Jeffrey, Interim IT Security Manager October 2010 It is the personal responsibility of the individual referring to this document to ensure that they are viewing the latest version which will always be the document on the Intranet. 1

2 Index 1.0 Purpose 2.0 Aims 3.0 Scope 4.0 Policy 5.0 Responsibilities 6.0 Staffing & Training 7.0 Implementation & Communication 8.0 Audit & Monitoring 9.0 References 2

3 1.0 Purpose 1.1 The purpose of the Trust Workstation Security Policy is to provide guidance for security controls of computing equipment used on Trust premises. 1.2 Controls relating to mobile devices are detailed further in the new Mobile Devices Policy. 1.3 The Trust is committed to the provision of a service that is fair, accessible and meets the needs of all individuals. 2.0 Aims 2.1 To ensure that the Trust provides reliable and accessible means to record, amend and review data and information in a safe and secure manner. 2.2 To ensure that such equipment meets an agreed standard which underpins the confidentiality, integrity and availability of information which is delivered and retrieved in accordance with applicable laws, Trust policies and procedures and in accordance with the NHS Code of Practice 3.0 Scope 3.1 This policy applies to all staff, contactors, locums, agency workers, volunteers and third party agents with access to ICT services provided by or on behalf of Mid Essex Hospital Services NHS Trust. 3.2 This policy covers any Trust end user computing device which is stationary. This includes, but is not limited to PCs, docked laptops, analyser interfaces and kiosks. 4.0 Policy 4.1 Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of information, including protected health information (PHI) and personally identifiable information (PII), is restricted to authorised users. 4.2 Staff using workstations shall consider the sensitivity of the information, including protected health information (PHI) and personally identifiable information (PII) that may be accessed and minimise the possibility of unauthorised access. 4.3 Mid Essex Hospital Services NHS Trust will implement physical and technical safeguards for all workstations that access electronic PHI or PII to restrict access to authorised users. 4.4 Appropriate measures include the following: Restricting physical access to workstations to only authorised personnel Securing workstations (screen lock or logout) prior to moving away from the screen 3

4 to prevent unauthorised access Screensavers are password protected and are managed across the network to lock the screen after five minutes of inactivity All staff follow the Password Policy and password complexity is enforced for computer access Ensuring workstations are used for authorised business purposes only Never installing unauthorised software on workstations Storing all sensitive information, including protected health information (PHI) and person identifiable information (PII) on secure network servers, never on local computer hard drive Keeping food and drink away from workstations in order to avoid accidental spills Securing laptops that contain sensitive information by using cable locks or locking laptops up in drawers or cabinets Complying with the Encryption policy Ensuring that monitors are positioned away from public view. If necessary, installing privacy screen filters or other physical barriers to public viewing. Exit running applications and close open documents when they are no longer needed. 5.0 Responsibilities 5.1 Chief Executive The Chief Executive has overall responsibility to ensure that the policy is followed trust wide but day to day responsibility is delegated to the Head of ICT. 5.2 Senior Information Risk Owner (SIRO) The SIRO is the member of the Executive Board who is nominated to take ownership of the Trust s Information Risk agenda Be routinely informed of all serious actual/potential security breaches 5.3 Head of ICT The Head of ICT is responsible for day to day management and to ensure that adequate resource is available to support the Information Security function. 5.4 ICT Operations Manager The ICT Operations Manager has a responsibility to ensure that all security controls are implemented and fully operational. To ensure that any actual or suspected security incident(s) are reported to the ICT Helpdesk and Security Manager. 5.5 ICT Security Manager To investigate any actual or suspected security breach that is discovered or reported To report any such incidents to the SIRO and Information Governance Group To maintain this policy 4

5 5.6 Line Managers All Line Managers have responsibility to ensure that their staff are aware of, understand and comply with the contents of this policy. 5.7 All Staff All staff are required to understand and comply with the contents of this policy Any member of staff who witnesses or suspects any information security wrongdoing has the responsibility to report this immediately to The ICT Helpdesk on extension 5000 or by to and for the ICT Security Manager who can also be reached on extension Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 6.0 Staffing & Training 6.1 The Trust will ensure that Information Security forms part of the Induction process of all new Employees. 6.2 The Trust will ensure that Information Security is incorporated into Information Governance Training which is provided to all staff attending Mandatory Update Training. 6.3 The Trust will ensure that all information security related policies will be published on the intranet and on the trust website to ensure availability to both staff and users of the Trust s services. 6.4 The Trust will ensure the services of a suitably qualified Information Security professional. 7.0 Implementation & Communication 7.1 Information Governance will publish this policy on the Trust s intranet and website and notify all staff via Focus. 7.2 The author will notify all heads of services who will be responsible for ensuring that the policy is cascaded throughout their work areas. 7.3 The heads of service may be audited to confirm compliance with the above. 8.0 Audit & Monitoring 8.1 Evidence of reporting of incidents or suspected incidents will be logged on ICT Helpdesk and ed to infosec@meht.nhs.uk. 5

6 8.2 The ICT Security Manager will investigate such incidents and report confirmed breaches or near misses to the Information Governance Group and on the Datix incident reporting system. 8.3 All incidents reported to the Information Governance Group will be recorded in minutes of meetings and forwarded to the Audit Committee. 9.0 References ISO/IEC 27001:2005 ISO/IEC 27002:2005 Information Security Management: NHS Code of Practice Information Governance Toolkit v , IT Password Policy 08064, IT Encryption Policy 6