An Organisation-Wide Policy for Internet/Intranet Usage and Security

Transcription

1 An Organisation-Wide Policy for Internet/Intranet Usage and Security Status: Ratified Date ratified: 05/11/2014 Version: 1.1 Ratifying Board: Executive Committee Approved Sponsor Group: Information Governance Steering Group Type of Procedural Document Policy Owner: Dipa Bhella Owner s job title: Information Governance & Security Manager Author: Dipa Bhella Author s job title: Information Governance & Security Manager Equality Analysis completion date: 22/09/2014 Date issue: November 2014 Review date: November 2017 Replaces: Version 1 Unique Document Number: 2012/055 An Organisation-wide policy for Internet/Intranet Usage and Security - 1 -

2 Equality statement This document demonstrates commitment to create a positive culture of respect for all individuals, including staff, patients, their families and carers as well as community partners. The intention is, as required by the Equality Act 2010, to identify, remove or minimise discriminatory practice in the nine named protected characteristics of age, disability, sex, gender reassignment, pregnancy and maternity, race, sexual orientation, religion or belief, and marriage and civil partnership. It is also intended to use the Human Rights Act 1998 to promote positive practice and value the diversity of all individuals and communities. This document is available in different languages and formats upon request to the Trust Procedural Documents Coordinator and the Equality and Diversity Lead. An Organisation-wide policy for Internet/Intranet Usage and Security - 2 -

3 Contents 1. RATIONALE SCOPE POLICY OVERVIEW MANAGEMENT OF INTERNET USE TECHNICAL SECURITY RESPONSIBILITIES COMPLIANCE MONITORING ARRANGEMENTS TRAINING TO ENSURE COMPLIANCE WITH THIS DOCUMENT REFERENCE AND ASSOCIATED DOCUMENTS GLOSSARY/ EXPLANATION OF TERMS USED IN THIS DOCUMENT DOCUMENT CONTROL APPENDICIES APPENDIX 1 EQUALITY ANALYSIS (EQA) An Organisation-wide policy for Internet/Intranet Usage and Security - 3 -

4 1. Rationale This document explains the policy and procedure that governs use of the Internet and World Wide Web within the trust. Compliance with this policy will ensure that access to the Internet will be available and responsive to the business needs of the trust. This policy also assists the trust to comply with NHS security regulations relating to controlled connections to national computer networks, for example, Health & Social Care Information Centre Statement of Compliance. 2. Scope Use of the Internet is encouraged in the execution of day-to-day business to the extent that it supports the trust s objectives. Users must not use the Internet within the trust in the same way they do at home all users must respect the trust s standards of business conduct whenever the Internet is used. This policy applies to all authorised users of the trust s computer network (including all permanent and temporary employees of the trust, agency workers, agents, subcontractors, consultants, and third party vendors). A valid user account is required to access the computer network. Access to the Internet via the trust s network is only possible using computers issued by the trust assembled using standardised hardware and software and connected to the trust s computer network. The web browser used by the trust is Microsoft Internet Explorer. 3. Policy Overview It is the intention of Trust to provide access to the resources of the Internet. The facilities to provide such access commit a considerable amount of organisational resources for telecommunications, networking, software, storage etc and this policy is designed to help you understand the Trust's expectations for the use of those resources in the particular conditions of the Internet, and to help you use those resources efficiently and effectively. Access to the Internet will be provided automatically to networked PCs. The Trust reserves the right to refuse or remove access subject to the terms of this policy. An Organisation-wide policy for Internet/Intranet Usage and Security - 4 -

5 Employees may use their Internet facilities for non-work research or browsing during meal times or other breaks, or outside of work hours, provided that all other usage policies are adhered to. In order to restrict access to certain sites, the Trust subscribes to a service which maintains a database of forbidden sites. This is updated on a daily basis and exists to protect staff from visiting sites, which are deemed to be contrary to this policy. While explicit requirements for Internet usage are set out below, it is worth summarising the overall intent. First and foremost for the Trust, the Internet is a business tool, provided at significant cost and we expect Internet access to be used primarily for Healthcare business related purposes, e.g. to communicate with colleagues, customers and suppliers, to research relevant topics; and to obtain useful information pertinent to your work responsibilities. You are required to conduct yourself honestly and appropriately on the Internet, and respect the copyrights, software licensing rules, property rights, privacy and prerogatives of others, just as you would in any other business dealings. In this respect, as a communication medium, the Internet is not exceptional. All existing Trust policies apply to your conduct on the Internet, especially (but not exclusively) those that deal with intellectual property rights, privacy, misuse of organisation resources, sexual or racial harassment, information and data security, confidentiality and discipline. Unnecessary or unauthorised Internet usage can cause network and server congestion. It can delay other users, take away from work time, consume supplies, and tie up printers and other shared resources. Unlawful Internet usage may also result in negative publicity for the Trust and expose both it and the individual concerned to significant legal liabilities. Computer-mediated communication, which can be synchronous (such as instant messaging, online chat, web and video conferencing), asynchronous ( , blogs, wikis, newsgroups) or a mixture of both (social networking sites) is increasing in variety and scope. This offers unprecedented opportunity for the individual user to communicate widely and to promote the Trust. Because of this, we must take special care to maintain the clarity, consistency and integrity of the Trust's corporate image. Anything that one employee writes or says on the Internet can be taken as representing the Trust as a whole. For this reason we expect you to forgo a measure of your individual freedom when you participate in such communication for the organisation's business, as outlined below. While direct connection to the Internet offers a plethora of potential benefits, it can also open the door to some significant risks to our data and systems if we do not follow appropriate security discipline. This may mean preventing systems with sensitive data or applications from connecting to the Internet entirely, or it may mean that certain users must be prevented from using certain Internet An Organisation-wide policy for Internet/Intranet Usage and Security - 5 -

6 features like file transfers. The overriding principle is that security is to be everyone's first concern. An Internet user can be held accountable for any breaches of security or confidentiality. 3.1 Management of Internet Use The Trust reserves the right to inspect (or in the case of encrypted confidential data files, verify with the user of) any and all files stored on the network or on local hard drives in order to assure compliance with policy. The display of any kind of "offensive" material (including pornographic images or documents) on any Trust system is a disciplinary offence and will be dealt with in accordance with the relevant procedure. In addition, "offensive" material (including pornographic material) may not be archived, stored, distributed, edited or recorded using the Trust's network or computing resources. For the purposes of this Policy, "offensive" material is defined as that which would contravene the Trust's Equal Opportunities and Harassment Policies. Such examples will include hostile or derogatory material (including images) relating to gender, ethnicity, race, sex/sexual orientation, religious or political convictions and disability, although these categories are not exhaustive. If you find yourself accidentally connected to a site that contains sexually explicit or otherwise "offensive" material, you must disconnect from that site immediately, regardless of whether that site had been previously deemed acceptable by any screening or rating program and advise your line manager as a matter of priority. The Trust's Internet facilities and computing resources must not be used knowingly to violate the laws and regulations of the United Kingdom or any other nation, or the laws and regulations of any country, state, city, province or other local jurisdiction in any material way. Use of the Trust's resources for illegal activity is also deemed a disciplinary offence and will be dealt with under the Trust's procedure, and the trust will cooperate with any legitimate law enforcement activity. Any software or files downloaded via the Internet onto the Trust network or local hard drive become property of the Trust. Any such files or software may be used only in ways that are consistent with their licences or copyrights. Large files, such as.mpg files, music on demand or any other entertainment media files should not be downloaded. Media streaming is forbidden due to the negative impact it creates on the performance of the network. Should this access be a work related requirement, formal approval should be sought from the IT Support team. An Organisation-wide policy for Internet/Intranet Usage and Security - 6 -

7 No employee may use Trust facilities knowingly to download or distribute pirated software or data. No employee may use the Trust's Internet facilities to propagate deliberately any malicious code (e.g. virus, worm, Trojan Horse or trap-door program) that is designed to interfere with the normal running of other users' machines or applications. No employee may use the Trust's Internet facilities knowingly to disable or overload any computer system or network, or to circumvent any system intended to protect the privacy or security of another user. Each member of staff using the Trust's Internet facilities shall identify himself or herself honestly, accurately and completely (including his/her organisation affiliation and function where requested) when participating in online discussion groups or similar fora, or when setting up accounts on outside computer systems. Only those employees who are duly authorised to speak to the media, or to analysts or in public meetings on behalf of the Trust may speak/write in the name of the Trust on online discussion fora. Other employees may participate in such fora in the course of work activities when relevant to their duties, but they may only as individuals speaking only for themselves and not for the Truts. Where an individual participant is identified as an employee or agent of the Trust, he/she must refrain from any unauthorised political advocacy or from the unauthorised endorsement or appearance of endorsement by the organisation of any (commercial) product or service not sold or provided by the Trust, its subsidiaries or its affiliates. The Trust retains as normal the copyright to any material posted to any online discussion site (or similar computer-mediated communication forum) or World Wide Web page by any employee in the course of his or her duties. Employees are reminded that online discussion fora are public areas where it is inappropriate to reveal confidential Trust information of any sort, including patient or employee data, professional secrets, financial data or any other material covered by existing Trust policies and procedures on confidentiality, or any other material that could identify these subject matters. Employees releasing any such protected information via such a forum - whether or not the release is inadvertent - will be subject to all penalties as identified in the Trust's ICT, Security, Confidentiality and Acceptable Use Policy. Use of the Trust's Internet access facilities to commit breaches of conduct or offences which contravene Trust policies and procedures will be dealt with in accordance with the relevant procedures. An Organisation-wide policy for Internet/Intranet Usage and Security - 7 -

8 Staff must not under any circumstances use the Internet to conduct personal commercial or business activities. Access to the Internet will not be allowed from PCs connected to medical equipment. 3.2 Technical User IDs and passwords help maintain individual accountability for Internet resource usage. Any employee who obtains a password or ID for an Internet resource must keep that password confidential. Trust policy prohibits the sharing of user IDs or passwords obtained for access to Internet sites. Employees should schedule communications-intensive operations such as large file transfers, mass ings and the like for off-peak times, which for the Trust are normally defined as outside the hours of 8 am to 6 pm Mondays to Fridays inclusive, excepting Bank Holidays. Whilst every effort will be made to maintain satisfactory availability and performance of the Internet connection, users should recognise that this facility will normally be subject to a lower support priority than the existing core network and its key applications. Any file that is downloaded must be scanned for viruses before it is run or accessed and the Trust has provided Anti-Malware (Antivirus) software to enable this to happen. 3.3 Security The Trust has installed a variety of network security mechanisms to assure the safety and security of the organisation's network. Any employee who attempts to disable, defeat or circumvent any Trust security system will be subject to the Trusts disciplinary procedure and should be aware than if proven could result in dismissal. Files containing sensitive Trust data that are transferred in any way across the Internet must be secure and encrypted. Computers that have data connections independent of the Trust network circumvent the Trust's network security mechanisms and contravene the Information Governance Statement of Compliance (IGSoC). The IGSoC is the agreement between HSCIC and the Trust that sets out the information governance policy and terms and conditions for use. It contains a number of obligations to enable use of HSCIC services, which aim to preserve the integrity of these services. A computer with a private connection to another outside computer or network can be used by an attacker to compromise any internal An Organisation-wide policy for Internet/Intranet Usage and Security - 8 -

9 network to which that computer is attached. Computers used for independent dial-up, broadband or leased-line connections to any outside computer or network must be physically isolated from the Trust's network. 4. Responsibilities The Caldicott Guardian is responsible for ensuring person identifiable clinical information is received, stored and used in line with the Trust obligations under the Data Protection Act The Senior Information Risk Owner (SIRO) is responsible for leading and fostering a corporate culture which values, protects and uses information for the success of the organisation and benefit of its customers. Service, Department and Line Managers are responsible for ensuring Trust procedures are known and followed in all areas. Administrative Staff are responsible for following Trust policy and contributing to good practice within the Trust. Clinical Staff are responsible for ensuring information is dealt with appropriately and professionally both in line with this policy and to their professional code of conduct. All staff in the organisation are responsible for ensuring the safe communication of information and that disclosure of person identifiable information is carried out strictly in line with this policy and that good practice is maintained throughout the organisation. Failure to comply with this policy may result in disciplinary action being taken up to and including dismissal. If there is reason to believe a criminal offence may have been committed, the matter will be referred to the Trust s Counter Fraud Specialist. An Organisation-wide policy for Internet/Intranet Usage and Security - 9 -

10 5. Compliance Monitoring Arrangements The Trust will monitor its Internet connection to ensure that usage complies with this policy. Monitoring will be done as described in the ICT, Acceptable Use Policy. Data from this monitoring process maybe used in any disciplinary proceedings. To support the need for network performance, and ensure any limitations imposed are reasonable limitations, the Trust will use this data to review and shape internet access. 6. Training to ensure compliance with this document Annual Information Governance Training for all NHS staff is mandated within the NHS Operating Framework Informatics Planning 2010/2011 and the IG toolkit requirement Reference and associated documents Organisation Author Date of publication SASH Information March Governance 2014 & Security Manager / IT Manager SASH SASH SASH SASH Information Governance & Security Manager Information Governance & Security Manager Information Governance & Security Manager Information Governance & Security Manager March 2014 July 2012 March 2014 September 2014 Title of document ICT, Security, Confidentiality & Acceptable Use Policy Information Governance Policy Memory Stick Policy Policy Data Protection and Confidentiality Policy An Organisation-wide policy for Internet/Intranet Usage and Security

11 8. Glossary/ explanation of terms used in this document Acronym/ Abbreviation/ Term Browser Extranet Firewall FTP HTML Internet Internet servers Intranet Meaning A PC software application that facilitates searching and accessing the World Wide Web. Electronic mail; a means of exchanging messages with other connected users across a network or the Internet. Similar to an intranet but used by organisations to provide communications for external groups such as suppliers and customers. A specialised network device that protects an organisation s LAN and/or intranet from unauthorised external access. File Transfer Protocol -a piece of software that enables the transfer of a file of information from one computer to another via a network connection. Short for Hypertext Mark-up Language is the predominant mark-up language for the creation of web pages. It provides a means to describe the structure of text-based information in a document by denoting certain text as headings, paragraphs, lists and so on and to supplement that text with interactive forms, embedded images or objects and links to other documents. Global network for exchanging information held on computers as Web sites and pages. Nobody owns or manages it; it has grown by adopting common standards. Hardware that runs the Internet. These are computers that store Web site information, route calls and handle and data traffic. A private version of the Internet, used increasingly by organisations as the basis of their own networks. They use the same technology as the Internet An Organisation-wide policy for Internet/Intranet Usage and Security

12 Java LAN Malware Pornography Server (servers, Web sites etc.) but are usually made secure from outsiders by use of firewall techniques. Software developed by Sun Microsystems that works on any platform. It can be downloaded from a network or Internet server in the form of applets (small packets of software that perform or execute when you click on them) whenever it is needed. Local Area Network, typically used to connect members of a workgroup, department or single-sited organisation. Short for Malicious Software, a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or programme code. It includes computer viruses, worms, Trojan horses, spyware, dishonest adware, crimeware, rootkits, and other malicious and unwanted software. Pornography can take many forms. For example, textual descriptions, still and moving images, cartoons and sound files. Some pornography is illegal in the UK and some is legal. Pornography considered legal in the UK maybe illegal elsewhere. Because of the global nature of the internet and , these issues must be taken into consideration. Therefore, the Trust defines pornography as the description or depiction of sexual acts or naked people that are designed to be sexually exciting. The Trust will not tolerate its facilities being used for this type of material and considers such behaviour to constitute a serious disciplinary offence. A computer connected centrally and accessible from terminals and other computing devices such as PCs. An Organisation-wide policy for Internet/Intranet Usage and Security

13 9. Document Control Consultation record Relevant Speciality, service Sponsor or User Group SIRO, Caldicott Guardian, Medical records, Human Resources, Finance, Information Management, and Data Quality. name Information Governance Steering Group members Individual s name IG Members Job title Date consulted 26/09/2014 Date feedback received Change History Version Date Author/ Lead Job title Details of Change 1.1 Sept 14 Dipa Bhella IGSM Minor changes to all sections, new policy template An Organisation-wide policy for Internet/Intranet Usage and Security

14 Appendix 1 Equality Analysis (EqA) By completing this document in full you will have gathered evidence to ensure, documentation, service design, delivery and organisational decisions have due regard for the Equality Act This will also provide evidence to support the Public Sector Equality Duty. Name of the policy / function / service development being assessed Date last reviewed or created & version number Briefly describe its aims and objectives: An organisation-wide Policy for the Internet/Intranet Usage and Security V1 November 2009 This document explains the policy and procedure that governs use of the Internet and World Wide Web within the trust. Directorate lead Target audience (including staff or patients affected) Screening completed by (please include everyone s name) Dipa Bhella, Information Governance & Security Manager Karen Anglim, Information Governance Administrator Ian Mackenzie, Director of Information & Facilities This policy applies to all authorised users of the trust s computer network (including all permanent and temporary employees of the trust, agency staff, agents, subcontractors, consultants, and third party vendors). Organisation Date Surrey & Sussex NHS Trust 22/09/2014 Surrey & Sussex NHS Trust 22/09/2014 An Organisation-wide policy for Internet/Intranet Usage and Security

15 Equality Group (Or protected characteristic): What evidence has been used for this assessment? What engagement and consultation has been used Identify positive and negative impacts How are you going to address issues identified? Lead and Timeframe Age Disability Gender reassignment Marriage & Civil partnership Pregnancy & maternity Race Religion & Belief Sex Sexual orientation Carers An Organisation-wide policy for Internet/Intranet Usage and Security