IT SECURITY POLICY (ISMS 01)

Transcription

1 IT SECURITY POLICY (ISMS 01) NWAS IM&T Security Policy Page: Page 1 of 14 Date of Approval: Status: Final Date of Review

2 Recommended by Approved by Information Governance Management Group Trust Board Approval date Version number 1.7 Review date January 2017 Responsible Director Responsible Manager For use by Director of Finance Head of Informatics All Trust employees NWAS IT Security Policy Page: Page 2 of 14

3 Change record form Version Date of change Date of release Changed by Reason for change Kate Cushion Document Creation To be reviewed March Maria Kane Kate Cushion Template change due to reconfiguration from Mersey Regional Ambulance to North West Ambulance service Authorised by on front cover sheet included Chief Executive and Director of IM&T and signed off at board meeting (Removed authorisation of front cover sheet as chief executive does not want his signature as a standard format on policies however board minutes for approval are available.) Maria Kane 3.1 And 4.1 Information Security Officer removed and replaced with IT Security Manager Kate Cushion Trust Board Approval Maria Kane Joanne Moran Annual Review of Policy, updated changes, Trust Board Approval. Annual Review of Policy updated 3.1 has been amended to include IG Training has been included in the Mandatory work programme. 5.2 Standards and Guideline link has been updated pg. 13 has been updated with the links to the IT policies on the Trust Intranet. NWAS IT Security Policy Page: Page 3 of 14

4 1.7 Nov Joanne Moran Updated to replace Director of IM&T with Director of Finance. Also, replaced Assistant Director of Health Informatics with Head of Informatics. IT Directorate has been changed to Quality Directorate. IMT has been replaced with ICT Table of Contents NWAS IT Security Policy Page: Page 4 of 14

5 Section Contents 1 Introduction 2 Scope of IT Security 3 Security Management 4 Roles & Responsibilities 5 Policy Documentation 6 Outline of Standards & Guidelines by Category 1.0 Introduction NWAS IT Security Policy Page: Page 5 of 14

6 Information represents an increasingly valuable asset to the organisation as systems proliferate and increased reliance is placed on the access and use of information. North West Ambulance Service NHS Trust, known throughout this document as NWAS, seeks to protect its information storage on both computer systems and paper based systems from misuse and to minimise the impact of service breaks by developing an IT Security Policy and procedures to manage and enforce it known as its Information Security Management System (ISMS). Key issues addressed by the IT Security Policy are: Confidentiality - data access is confined to those with specified authority to view the information Integrity - all system assets are operating correctly according to specification. Availability - information is delivered to the right person when it is needed The organisation also has legal obligations to maintain security and confidentially notably under the Data Protection Act (1998), Copyright Patents and Designs Act (1988), and Computer Misuse Act (1990), Records Management Code of Practice, as well as the NHS Information Governance Agenda. NWAS acknowledges that it has an obligation to ensure appropriate security for all Information Technology data, equipment and processes in its domain of ownership and control. Every member of NWAS shares this obligation to varying degrees, when processing personal and sensitive data. Personal data means data which relates to a living individual who can be identified: (a) From those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. (Data Protection Act, section 1) This document will: Enumerate the elements that constitute IT security. Explain the need for IT security and identify major threats to NWAS. Specify the various categories of IT data, equipment and processes subject to this policy. Indicate appropriate levels of security through standards and guidelines. The impact on individuals privacy before developing new IT systems or when changing the way in which personal data is handled is considered by performing a Privacy Impact Assessment (PIA). This is a process which enables the Trust to anticipate and address the NWAS IT Security Policy Page: Page 6 of 14

7 likely privacy impacts of new initiatives, foresee problems and negotiate solutions to ensure data protection compliance. These Privacy Impact Assessments will be subject to internal audits. 2.0 Scope of IT Security 2.1 Definition of Security Security can be defined as "the state of being free from unacceptable risk". The risk concerns the following categories of losses: Confidentiality of Information. Integrity of data. Assets. Efficient and Appropriate Use. System Availability. Fraudulent activities. Confidentiality refers to the privacy of personal or corporate information. It also includes issues of copyright and other intellectual property rights. Integrity refers to the accuracy of data. Loss of data integrity may be gross and evident, as when a computer disc fails, or subtle, as when a character in a file is altered. The assets that must be protected include: Computer and Peripheral Equipment. Telecommunications Equipment. Computing and Communications Premises. Power, Water, Environmental Control and Communications Utilities. Supplies and Data Storage Media. System Computer Programs and Documentation. Application Computer Programs and Documentation. Data & Information. NWAS IT Security Policy Page: Page 7 of 14

8 Mobile equipment Efficient and Appropriate Use ensures that NWAS IT resources are used for the purposes for which they were intended and in a manner that does not interfere with the rights of others. Availability is concerned with the full functionality of a system (e.g. Emergency Control Centre or Patient Transport Service) and its components. The potential causes of these losses are termed "threats". These threats may be human or non-human, natural, accidental or deliberate. 2.2 Major Threats to NWAS In general terms most companies who lose vital information or information systems for a relatively short period of time will, sooner or later, cease to trade. Although this situation is not possible within the NHS the loss of credibility within the wider health economy as a creditable service provider and with the public would be just as damaging. Information and information systems are an extremely valuable asset of the business and as such we are required to identify major areas of risk or threat. The major threats this policy has been written to cover are: a) Theft or destruction of: Physical equipment Essential operating data Confidential or sensitive information b) Interruption to the operating environment: Loss Emergency Computer aided dispatch systems Loss Non-emergency Patient Transport Service systems Loss of the Telecommunications systems Loss of essential Business systems and data. Loss of Rostering Systems Loss of Networking Environment c) Breaking the law. Examples of the legislation relevant in this area are: Data Protection Act (1998) Copyright, Design and Patents Act (1988) Computer Misuse Act (1990) Records Management Code of Practice Any or all of the above can lead to criminal prosecution, a loss of confidence and credibility and ultimately legal proceedings for damages etc. The standards and guidelines described in this policy have been developed to avoid such situations arising. NWAS IT Security Policy Page: Page 8 of 14

9 2.3 Domains of Security This policy will deal with the following domains of security: Computer system security: CPU, Peripherals, Operating Systems. This includes data security. Physical security: The premises occupied by all personnel and equipment. Operational security: Environmental controls, power equipment and operational activities. Procedural security by ICT, vendor, management personnel, as well as ordinary users. 2.4 Reasons for IT Security Confidentiality of certain information is mandated by common law, legislation, explicit agreement or convention. Different classes of information require different degrees of confidentiality. The hardware and software components that constitute NWAS ICT assets represent a sizeable monetary investment that must be protected. The same is true for the information stored in its IT systems, some of which have taken huge resources to generate and some of which can never be reproduced. The Quality Directorate is responsible for ensuring the integrity and availability of all Trust data. There are controls in place to protect data in the event of a hardware failure, accidental deletion, unauthorised change or loss of estate. All Information electronic or paper will follow NHS Guidelines for the minimum retention period for each record type. The Records Management and Life Cycle policy has been implemented providing a process by which the Trust manages all the aspects of records. This includes internally or externally generated records and in any format or media type, from their creation, all the way through their lifecycle to their eventual disposal. The use of NWAS ICT assets other than in a manner and for the purpose for which they were intended represents a misallocation of valuable NWAS resources and possibly a danger to its reputation or a breach of the law. NWAS computer equipment must never be used for private business or commercial purposes. Finally, proper functionality of IT systems is required for the efficient operation of NWAS. Some systems, such as the Emergency Computer aided dispatch, Non-emergency Patient Transport Service, Risk Management, Rostering and Business Intelligence systems are of paramount importance to the success of NWAS. NWAS IT Security Policy Page: Page 9 of 14

10 3.0 Security Management 3.1 IT Security Structure/Organisation Management The Head of Informatics supported by the Information Governance Manager, who is responsible for ensuring a framework, is in place, to enforce organisational security management through Information Governance Training and the implementation of Standards and Guidelines. This framework includes: Monitoring and reporting on the state of information security within the organisation Ensuring that the Information Security Policy is implemented throughout the organisation Developing and enforcing detailed procedures to maintain security All the organisation s personnel are aware of their responsibilities and are accountable for information security and compliance with relevant legislation. Monitoring for actual or potential IT security breaches Information Governance Training is delivered on the Mandatory Training Programme 3.2 All staff have a responsibility for security, should report and ensure all security incidents are documented. They are responsible for their own property whether personal or provided by the Trust and are advised to follow Trust Standards and Guidelines. 3.3 National Management The NHS Information Governance Agenda has been established to provide a framework to assist organisations assessing information management risks. 3.4 Auditors The implementation of this policy on systems will be subject to periodic review by both internal and external auditors, the recommendations from which will normally be implemented subject to meeting the wider organisational management requirements. Any major security incident is liable to be referred to the auditors for investigation. 4.0 Roles & Responsibilities 4.1 Policy Management NWAS IT Security Policy Page: Page 10 of 14

11 Approval of the IT Security Policy is vetted with the Executive Management Team of NWAS. Advice and opinions on the Policy will be sought from: Information Governance Management Group ICT Security Forum ICT Department Senior Managers from within NWAS Formulation of the policy is the responsibility of the Head of Informatics. Maintenance of the policy is the responsibility of the Information Governance Manager. 4.2 Policy Implementation Each member of NWAS will be responsible for reading all published IT standards and guidelines of behaviour. IT security of each system and its data will be the responsibility of the Senior Information Risk Officer (SIRO) and the Information Asset Owners. Managers are responsible for implementing the IM&T Security Policy and associated Standards within their Directorate and to take preventative action where necessary. 4.3 Information Asset Owners Head of Service for Emergency control centres will be the Information Asset Owner of the Emergency Command and Control Centre system. Head of Service for Patient Transport Service Control Room will be the Information Asset Owner of Non-emergency Command &Control system. Data Centre Managers will be the Information Asset Owners of all strategic system platforms. Individual departments will be Information Asset Owners of strategic applications under their managerial control (e.g. Finance for North East Patches). Departmental managers will be Information Asset Owners of all non-strategic systems under their control. Individuals will be Information Asset Owners of desktop systems and laptop computers under their control. 4.4 NWAS Services It is recognised that various sections of NWAS provide services that relate to IT security, both directly and indirectly. It is expected that there will be collaboration between these sections NWAS IT Security Policy Page: Page 11 of 14

12 and the ICT department in the generation of standards, guidelines and implementation of this policy. Some of these sections and their services are: Human Resources: Personnel selection, induction, exit processing, policies concerning confidentiality, privacy, and the use of NWAS computer equipment and telecommunications systems. Estates: Physical building security. Risk and Safety: - CCTV Emergency Preparedness: Terrorism 5.0 Policy Documentation 5.1 Standards and Guidelines Standards (mandatory) and guidelines (best practice) will be published separately from this policy to assist ordinary users and system Information asset Owners to meet their IT security responsibilities. These standards and guidelines are an integral part of NWAS IT Security Policy and therefore define it in detail. Various links to the Standards and Guidelines are presented in Section 6 of this document. Although guidelines are given as suggestions they do form best working practice. Likewise, standards are given to ensure best working practice is employed and ensure as far as possible that all risks to NWAS have been minimised. It should also be noted that where standards have been applied, failure to follow the standards could render an employee liable to NWAS disciplinary procedure which could result in disciplinary action from NWAS and may, in circumstances where the action or conduct is illegal or unlawful, render the employee personally liable and or subject of criminal proceedings. Please refer to Principle standards 12a Incident Reporting Standard, 12b - Incident Response (Legal Forensics) and 12c Incident Response (Operational). Although not part of IT Security, the ICT department will also publish guidance given as IT Advice covering topics such as Health and Safety. 5.2 Documents The detail of the policy is laid out in the standards and guidelines which are published separately on the intranet Subsequent standards and guidelines and changes thereto will be made available to all employees via the Intranet and Trust Bulletins. NWAS IT Security Policy Page: Page 12 of 14

13 5.3 Availability It is intended that this IT Security Policy be publicly accessible in its entirety via NWAS World Wide Web Home Page, the internal Intranet Home Page and in printed format within both the ICT and Human Resources Departments. All users of NWAS ICT resources must be made fully aware of this policy, standards and guidelines. 5.4 Changes The IT Security Policy is a "living" document that will be amended as required to deal with changes in technology, applications, procedures, legal and social imperatives, perceived dangers, etc. Major changes will be made in consultation with the groups mentioned in Section 4.1, and with the approval of the Executive Management Team. The Head of Informatics will be responsible for and approve minor changes. 6.0 Standards and Guidelines Standards and Guidelines Principle Standards Procedures Legal Requirements Data Protection Act (1998) This standard is intended to make users aware of the implications of the Data Protection Act (1998). NWAS IT Security Policy Page: Page 13 of 14

14 The Computer Misuse Act (1990) This standard is intended to make users aware of the implications of The Computer Misuse Act (1990). Sensitive Information This standard is intended to raise the level of awareness within the user population with regards to the use of commercially sensitive information, its disclosure and the security measures that need to be taken. NHS Information Governance Agenda As a key part of the Information Governance agenda, the Department of Health and NHS Connecting for Health jointly produced an Information Governance Toolkit. The Toolkit also contains specific organisational views. It is the tool by which organisations can assess their compliance with current legislation, standards and national guidance. NWAS IT Security Policy Page: Page 14 of 14