INFORMATION TECHNOLOGY SECURITY POLICY


INFORMATION TECHNOLOGY SECURITY POLICY

Document Author
Written By: Deputy Director of IM&T / Interim Head of ICT
Date: February 2015

Authorised Signature
Authorised By: Chief Executive
Date: 17 March 2015

Policy Lead Director: Executive Director of Transformation and Integration
Effective Date: 17 March 2015
Review Date: 16 March 2018
Approval at: Policy Management Group
Date Approved: 17 March 2015

Information Technology Security Policy Page 1 of 22

DOCUMENT HISTORY

(Procedural document version numbering convention will follow the following format. Whole numbers for approved versions, e.g. 1.0, 2.0, 3.0 etc. With decimals being used to represent the current working draft version, e.g. 1.1, 1.2, 1.3, 1.4 etc. For example, when writing a procedural document for the first time the initial draft will be version 0.1)

Date of Issue   Version No.   Date Approved   Director Responsible for Change
26 Mar Mar 12 Executive Director of Transformation and Integration
14 Jan Executive Director of Transformation and Integration
06 Feb Executive Director of Transformation and Integration
23 Feb Executive Director of Transformation and Integration
17 Mar Mar 15 Executive Director of Transformation and Integration

Nature of Change
Minor Amendments
Via Voting Buttons

Ratification / Approval
Approved at Provider Executive Board
Ratified at Information Governance Steering Group
Ratified at Risk Management Committee
Approved at Policy Management Group

N.B. This Policy relates to the Isle of Wight NHS Trust hereafter referred to as the Trust.

SECTION

1. Executive Summary
2. Introduction
3. Scope
4. Key Responsibilities
5. Policy Detail / Course of Action
6. Consultation
7. Implementation / Training / Awareness
8. Dissemination
9. Monitoring & Key Performance Indicators
10. References
11. Links To Other Policies
12. Disclaimer

Appendices:
A Key Definitions For Documentation
B Impact Assessment Forms on Policy Implementation (Including Checklist)
C Equality Impact Assessment Tool
D Equality Analysis and Action Plan

1. EXECUTIVE SUMMARY

This document sets out the Trust policy for the protection of the confidentiality, integrity and availability of the computer network and its resources. It establishes the security responsibilities for IT security. It provides reference to documentation relevant to this policy.

2. INTRODUCTION

2.1 The aim of this policy is to ensure the security of the Trust's network. To do this the Trust will:
Preserve integrity of the computer network: Protect the computer network and its resources from unauthorised or accidental modification ensuring the accuracy and completeness of the Trust's assets.
Preserve confidentiality: Protect assets against unauthorised disclosure.

3. SCOPE

3.1 The Information Technology Security Policy applies to all business functions and information contained on the computer network, the physical environment and relevant people who support the network.

4. KEY RESPONSIBILITIES

Head of IT, unless stated otherwise

4.1 Chief Executive
The Chief Executive has delegated the overall responsibility for security, policy and implementation to the Senior Information Risk Officer (SIRO).

4.2 Senior Information Risk Officer (SIRO)
The SIRO is responsible for ensuring the Information Asset Owners comply with their responsibilities.

4.3 Physical & Environmental Security
Network computer equipment will be housed in a controlled and secure environment.
Critical or sensitive network equipment will be housed in an environment that is monitored for temperature, humidity and power supply quality.
Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls.
The Head of IT is responsible for ensuring that door lock codes are changed periodically, following a compromise of the code, or if s/he suspects the code has been compromised.
Critical or sensitive network equipment will be protected from power supply failures.

Critical or sensitive network equipment will be protected by intruder alarms and fire suppression systems.
Smoking, eating and drinking is forbidden in areas housing critical or sensitive network equipment.
All visitors to secure network areas must be authorised by the Head of IT, following a risk assessment.
All visitors to secure network areas must be made aware of network security requirements.
All visitors to secure network areas must be signed in and out. The log will contain name, organisation, purpose of visit, date, and time in and out.
The Head of IT will ensure that all relevant staff are made aware of procedures for visitors and that visitors are escorted, when necessary.
For further details see Network operating procedure.

4.4 Access Control to Secure Network Areas
Entry to secure areas housing critical or sensitive network equipment will be restricted to those whose job requires it.
The Head of IT will maintain and periodically review a list of those with unsupervised access.
See service delivery procedure.

4.5 Access Control to the Network
Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access.
There must be a formal, documented user registration and de-registration procedure for access to the network.
Departmental managers must approve user access.
Access rights to the network will be allocated on the requirements of the user's role.
Security privileges (i.e. 'superuser' or network administrator rights) to the network will be allocated on the requirements of the user's role.

4.6 Third Party Access Control to the Network
Third party access to the network will be based on a formal contract that satisfies all necessary NHS security conditions.
All third party access to the network must be auditable.
See network operating procedure.

4.7 External Network Connections
The Head of IT is responsible for ensuring that all connections to external networks and systems conform to the NHS-wide Network Security Policy, Code of Connection and supporting guidance.
The Head of IT must approve all connections to external networks and systems before they commence operation.

4.8 Maintenance Contracts
The Head of IT will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment.
All contract details will constitute part of the IT Department's Asset register.

4.9 Data and Software Exchange
Formal agreements for the exchange of data and software between organisations must be established and approved by the Head of Information Management.

Fault Logging
The Head of IT is responsible for ensuring that a log of all faults on the network is maintained and reviewed.
A report of any faults and review of countermeasures will be taken to the IT User Group.

Security Operating Procedures (SyOps)
The Head of IT is responsible for producing Security Operating Procedures (SyOps) and security contingency plans that reflect this Network Security Policy.
Where appropriate, the Head of IT will co-ordinate with the Local Security Management Specialist (LSMS) so that a robust and integrated security systems SyOps can be developed, which will take into account National Security Intelligence which the LSMS is privy to.
Changes to operating procedures must be authorised by the Head of IT.

Network Operating Procedures
The Head of IT is responsible for documented operating procedures for the operation of the computer network and its resources, to ensure its correct, secure operation.
Changes to operating procedures must be authorised by the Head of IT.

Data Backup and Restoration
The Head of IT is responsible for:
Ensuring that backup copies of network configuration, network storage and server data are taken regularly.
All backup tapes will be stored securely in the fire proof safes.

Business Continuity & Disaster Recovery Plans
The Head of IT is responsible for ensuring that business continuity plans and disaster recovery plans are produced for the network.

4.14 Unattended Equipment and Clear Screen
The Trust operates a clear screen policy that means users must ensure that workstations are locked or logged off if a workstation is left unattended.
Users failing to comply may be subject to disciplinary action.

Security Responsibilities
To produce and implement effective security countermeasures.
Produce all relevant security documentation, security operating procedures and contingency plans reflecting the requirements of this Information Technology Security Policy.
All such documentation will be included in the IT Department's Asset register.
Acting as a central point of contact on information security within the Trust, for both staff and external organisations.
Implementing an effective framework for the management of security.
Produce Trust standards, procedures and guidance on Information Security matters for approval by the Information User Group.
Co-ordinate information security activities particularly those related to shared information systems or IT infrastructures.
Liaise with external organisations on information security matters, including representing the Trust on cross-community committees.
Creating, maintaining, giving guidance on and overseeing the implementation of IT Security.
Representing the Trust on internal and external committees that relate to IT security.
Ensuring that risks to IT systems are reduced to an acceptable level by applying security countermeasures identified following an assessment of the risk.
Ensuring that access to the Trust's computer network is limited to those who have the necessary authority and clearance.
Providing advice and guidance to development teams to ensure that the policy is complied with.
Approving system security policies for the infrastructure and common services.
Approving tested systems and agreeing rollout plans.
Providing a central point of contact on IT security issues.

Providing advice and guidance on:
  Policy Compliance
  Incident Investigation
  IT Security Awareness
  IT Security Training
  IT Systems Accreditation
  Security of External Service Provision
  Contingency Planning for IT systems
Proposals have been made to connect the Trust's systems, applications or networks to systems, applications or networks that are operated by external organisations.
Passing on the advice of external sources / authorities on IT security matters.

Information Governance Manager Responsibilities
To ensure that appropriate Data Protection Act 1998 notifications are maintained for information stored on the network.
Dealing with enquiries, from any source, in relation to the Data Protection Act 1998 and facilitating Subject Access Requests.
Advising users of information systems, applications and networks of their responsibilities under the Data Protection Act 1998, which may include Subject Access Requests.
Advising the Head of IT on breaches of the Data Protection Act 1998 and recommended actions.
Encouraging, monitoring and checking compliance with the Data Protection Act 1998.
Liaising with external organisations regarding Data Protection Act 1998 matters.
Promoting awareness and providing guidance and advice related to the Data Protection Act 1998 as it applies within the Trust.

Information Asset Owners (IAO) Responsibilities
Ensuring the security of the network, that is information, hardware and software used by staff and, where appropriate, by third parties is consistent with legal and management requirements and obligations.
Ensuring that their staff are made aware of their security responsibilities.
Ensuring that their staff have had suitable security training.

Local Security Management Specialist (LSMS)
To undertake the duties of an LSMS in accordance with Secretary of State Directions to health bodies on measures to tackle violence and general security management measures, and any subsequent advice or guidance issued by the NHS SMS.

To undergo and successfully complete propriety checking and the professional and accredited training in security management provided by the NHS SMS, and to co-operate with any further training provided by the NHS SMS and with the NHS SMS programme of quality assurance.
To ensure that all NHS security management work is carried out within a professional and ethical framework developed and provided by the NHS SMS.
To ensure that an inclusive approach to security management work is taken, involving both internal and external NHS stakeholders where appropriate and necessary.
To report to the health body's Security Management Director on security management work locally.
To ensure strong links are built with the NHS SMS in particular, with the Area Security Management Specialists (ASMSs).
To lead on day-to-day work in their health body to tackle violence against staff and professionals in accordance with the NHS SMS national framework and guidance.
To ensure, within the Trust and, where applicable, within those organisations contracted to provide services for the Trust, that:
  They attend the health body's risk management, health and safety and audit committee meetings and ensure appropriate links are made with the health body's risk assessment process, including the health body's health and safety representatives, so that security-related issues are an integral part of that process.
  Appropriate steps are taken to create a pro-security culture within the health body and amongst contractors so that staff and patients accept responsibility for this issue and ensure that any security incidents or breaches that occur are detected and reported.
  They participate in the health body's induction programme for new staff and develop and deliver security awareness sessions for stakeholders.
  Appropriate security incidents and breaches are publicised in accordance with guidelines issued by the NHS SMS so that a deterrent effect is created.

User Responsibilities
All personnel or agents acting for the Trust have a duty to:
  Safeguard hardware, software and information in their care.
  Prevent the introduction of malicious software on the Trust's IT systems.
  Report on any suspected or actual breaches in security.

All users to the computer network will have their own unique user identification and password.
Users are responsible for ensuring their password is kept secret (see User Responsibilities).
User access rights will be immediately removed or reviewed for those users who have left the Trust or changed roles.
Users are responsible for ensuring that they save their own data to the designated network storage area.
Users must ensure that they protect the computer network from unauthorised access. They must log off the computer network when finished working.

5. POLICY DETAIL / COURSE OF ACTION

5.1 The overall Information Technology Security Policy for the Trust is described below:

5.2 The Trust's computer network will be available when needed, can be accessed only by authorised users and will contain complete and accurate information. The computer network must also be able to withstand or recover from threats to its availability, integrity and confidentiality. To satisfy this, the Trust will undertake the following:
Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical measures.
Provide both effective and cost-effective protection that is commensurate with the risks to its computer network assets.
Implement the Information Technology Security Policy in a consistent, timely and cost effective manner.

5.3 Where relevant, the Trust will comply with:
Copyright, Designs & Patents Act 1988
Access to Health Records Act 1990
Computer Misuse Act 1990
The Data Protection Act 1998
The Human Rights Act 1998
Electronic Communications Act 2000
Regulation of Investigatory Powers Act 2000
Freedom of Information Act 2000
Health & Social Care Act

5.4 The Trust will comply with other laws and legislation as appropriate.

5.5 The policy must be approved by the Head of IT.

6. CONSULTATION

6.1 The policy has been to the IT Seniors Team meeting for discussion and consultation, Information Governance Steering Group and Risk management Group. The recommendation from the latter was that a review should take place in six months' time to reflect additional policies currently in production (Agile Worker for example).

7. IMPLEMENTATION / TRAINING / AWARENESS

7.1 This Information Technology Security Policy does not have a mandatory training requirement but the following non mandatory training is recommended.

7.2 The Trust will ensure that all users of the computer network are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities.

7.3 All users of the computer network must be made aware of the contents and implications of the Information Technology Security Policy.

7.4 Key responsibilities contained in the Information Technology Security policy will be covered by the Information Governance training provided to all staff.

7.5 Irresponsible or improper actions by users may result in disciplinary action(s).

8. DISSEMINATION

8.1 When approved this document will be available on the Intranet and will be subject to document control procedures. Approved documents will be placed on the Intranet within five working days of date of approval once received by the Risk Management Team.

8.2 When submitted to the Risk Management Team for inclusion on the Intranet this document will have fully completed document details including version control. Keywords and description for the Intranet search engine will be supplied by the author at the time of submission.

8.3 Notification of new and revised documentation will be issued on the Front page of the Intranet, through e-bulletin, and on staff notice boards where appropriate. Any controlled documents noted at the Trust Executive Committee / Policy Management Group will be notified through the e-bulletin.

8.4 Staff using the Trust's intranet can access all procedural documents. It is the responsibility of managers to ensure that all staff are aware of where, and how, documents can be accessed within their areas of work.

8.5 It is the responsibility of each individual who prints a hard copy of any document to ensure that the printed hardcopy is the current version. Current versions are maintained on the Intranet.

9. MONITORING & KEY PERFORMANCE INDICATORS

9.1 Security Audits
The Head of IT will require checks on, or an audit of, actual implementations based on approved security policies and kept in a master file.

9.2 Malicious Software
Ensure that measures are in place to detect and protect the computer network from viruses and other malicious software.

9.3 Secure Disposal or Re-use of Equipment
Ensure that where equipment is being disposed of, IT Department staff must ensure that all data on the equipment (e.g. on hard disks or tapes) is securely overwritten. Where this is not possible IT Department staff should physically destroy the disk or tape.
Ensure that where disks are to be removed from the premises for repair, where possible, the data is securely overwritten or the equipment de-gaussed by the IT Department.

9.4 System Change Control
Ensure that the Head of IT reviews changes to the security of the computer network. All such changes must be reviewed and approved by the Head of IT.
The IT Team leaders are responsible for updating all relevant design documentation, security operating procedures and computer network operating procedures appertaining to their specialty.
The Head of IT may require checks on, or an assessment of the actual implementation based on the proposed changes.
The Head of IT is responsible for ensuring that selected hardware or software meets agreed security standards.
As part of acceptance testing of all new computer network systems, the IT department with the permission of the IT Manager will attempt to cause a security failure and log other criteria against which tests will be undertaken prior to formal acceptance.
Testing facilities will be used for all new computer network systems. Development and operational facilities will be separated.

9.5 Security Monitoring
Ensure that the computer network is monitored for potential security breaches. All monitoring will comply with current legislation.

9.6 Reporting Security Incidents & Weaknesses
All potential security breaches must be investigated and reported to the Head of IT.
Security incidents and weaknesses must be reported in accordance with the requirements of the Trust's incident reporting procedure.

9.7 System Configuration Management
Ensure that there is an effective configuration management system for the computer network.

10. REFERENCES

10.1
Copyright, Designs & Patents Act 1988
Access to Health Records Act 1990
Computer Misuse Act 1990
The Data Protection Act 1998
The Human Rights Act 1998
Electronic Communications Act 2000
Regulation of Investigatory Powers Act 2000
Freedom of Information Act 2000
Health & Social Care Act

11. LINKS TO OTHER POLICIES / DOCUMENTS

11.1
Network Operating Procedure
Service Delivery Procedure

12. DISCLAIMER

12.1 It is the responsibility of all staff to check the Trust intranet to ensure that the most recent version / issue of this document is being referenced.

Appendix A

KEY DEFINITIONS FOR DOCUMENTATION

Define any word or phrase that may need explaining or clarifying in more detail

Configuration Management - focuses on establishing and maintaining consistency of a system's or product's performance and its functional and physical attributes with its requirements, design, and operational information throughout its life.

Computer Network - refers to all the IT resources of the Trust (the Data centre, the wired and wireless networks, desktop PCs, servers etc.)

Appendix B

CHECKLIST FOR THE DEVELOPMENT AND APPROVAL OF CONTROLLED DOCUMENTATION

To be completed and attached to any document when submitted to the appropriate committee for consideration and approval.

Title of document being reviewed:

Y/N/Unsure   Comments

1. Title/Cover
Is the title clear and unambiguous?
Does the title make it clear whether the controlled document is a guideline, policy, protocol or standard?

2. Document Details and History
Have all sections of the document detail/history been completed?

3. Development Process
Is the development method described in brief?
Are people involved in the development identified?
Do you feel a reasonable attempt has been made to ensure relevant expertise has been used?

4. Review and Revision Arrangements Including Version Control
Is the review date identified?
Is the frequency of review identified? If so, is it acceptable?
Are details of how the review will take place identified?
Does the document identify where it will be held and how version control will be addressed?

5. Approval
Does the document identify which committee/group will approve it?
If appropriate have the joint Human Resources/staff side committee (or equivalent) approved the document? N

6. Consultation
Do you have evidence of who has been consulted?

7. Table of Contents
Has the table of contents been completed and checked?

8. Summary Points
Have the summary points of the document been included?

9. Definition
Is it clear whether the controlled document is a guideline, policy, protocol or standard?

10. Relevance
Has the audience been identified and clearly stated?

11. Purpose
Are the reasons for the development of the document stated?

12. Roles and Responsibilities
Are the roles and responsibilities clearly identified?

13. Content
Is the objective of the document clear?
Is the target population clear and unambiguous?
Are the intended outcomes described?
Are the statements clear and unambiguous?

14. Training
Have training needs been identified and documented?

15. Dissemination and Implementation
Is there an outline/plan to identify how this will be done?
Does the plan include the necessary training/support to ensure compliance?

16. Process to Monitor Compliance and Effectiveness
Are there measurable standards or Key Performance Indicators (KPIs) to support the monitoring of compliance with and effectiveness of the document?
Is there a plan to review or audit compliance within the document?
Is it clear who will see the results of the audit and where the action plan will be monitored?

17. Associated Documents
Have all associated documents to the document been listed?

18. References
Have all references that support the document been listed in full?

19. Glossary
Has the need for a glossary been identified and included within the document?

20. Equality Analysis
Has an Equality Analysis been completed and included with the document?

21. Archiving
Have archiving arrangements for superseded documents been addressed?
Has the process for retrieving archived versions of the document been identified and included within?

22. Format and Style
Does the document follow the correct style and format of the Document Control Procedure?

23. Overall Responsibility for the Document
Is it clear who will be responsible for co-ordinating the dissemination, implementation and review of the documentation?

Committee Approval

Y/N/Unsure   Comments

Distributed Trust Policy Section of Intranet

If the committee is happy to approve this document, please sign and date it and forward copies for inclusion on the Intranet.

Name of Committee
Print Name
Date
Signature of Chair

Appendix C

IMPACT ASSESSMENT ON DOCUMENT IMPLEMENTATION

Summary of Impact Assessment (see next page for details)

Document title: Information technology Security Policy

Totals                                WTE   Recurring   Non Recurring
Manpower Costs                        Nil   Nil         Nil
Training Staff                        Nil   Nil         Nil
Equipment & Provision of resources    Nil   Nil         Nil

Summary of Impact: All referral systems and processes detailed in this policy are already embedded within the Trust. The approval and implementation of this policy will incur no further costs.

Risk Management Issues: The implementation of this policy should ensure that any significant Information Security and Governance risk to the Trust are minimised.

Benefits / Savings to the organisation:

Equality Impact Assessment
Has this been appropriately carried out? YES
Are there any reported equality issues? NO
If YES please specify:

Use additional sheets if necessary.

IMPACT ASSESSMENT ON POLICY IMPLEMENTATION

Please include all associated costs where an impact on implementing this policy has been considered. A checklist is included for guidance but is not comprehensive so please ensure you have thought through the impact on staffing, training and equipment carefully and that ALL aspects are covered.

Manpower                                                          WTE   Recurring   Non-Recurring
Operational running costs
Additional staffing required - by affected areas / departments:   Nil   Nil         Nil
Totals:

Staff Training Impact           Recurring   Non-Recurring
Affected areas / departments    Nil         Nil
e.g. 10 staff for 2 days
Totals: 1

Equipment and Provision of Resources        Recurring *   Non-Recurring *
Accommodation / facilities needed           Nil           Nil
Building alterations (extensions/new)       Nil           Nil
IT Hardware / software / licences           Nil           Nil
Medical equipment                           Nil           Nil
Stationery / publicity                      Nil           Nil
Travel costs                                Nil           Nil
Utilities e.g. telephones                   Nil           Nil
Process change                              Nil           Nil
Rolling replacement of equipment            Nil           Nil
Equipment maintenance                       Nil           Nil
Marketing booklets/posters/handouts, etc    Nil           Nil
Totals:

Capital implications 5,000 with life expectancy of more than one year.

Funding / costs checked & agreed by finance: N/A
Signature & date of financial accountant: N/A

Funding / costs have been agreed and are in place: N/A
Signature of appropriate Executive or Associate Director: N/A

IMPACT ASSESSMENT ON DOCUMENT IMPLEMENTATION - CHECKLIST

Points to consider

Have you considered the following areas / departments?
Have you spoken to finance / accountant for costing?
Where will the funding come from to implement the policy?
Are all service areas included?
  o Ambulance
  o Acute
  o Mental Health
  o Community Services, e.g. allied health professionals
  o Public Health, Commissioning, Primary Care (general practice, dentistry, optometry), other partner services, e.g. Council, PBC Forum, etc.

Departments / Facilities / Staffing
Transport
Estates
  o Building costs, Water, Telephones, Gas, Electricity, Lighting, Heating, Drainage, Building alterations e.g. disabled access, toilets etc
Portering
Health Records (clinical records)
Caretakers
Ward areas
Pathology
Pharmacy
Infection Control
Domestic Services
Radiology
A&E
Risk Management Team / Information Officer responsible to ensure the policy meets the organisation approved format
Human Resources
IT Support
Finance
Rolling programme of equipment
Health & safety/fire
Training materials costs
Impact upon capacity/activity/performance

Appendix D

Equality Analysis and Action Plan

(This template should be used when assessing services, functions, policies, procedures, practices, projects and strategic documents)

Step 1. Identify who is responsible for the equality analysis.
Name: Jake Gully
Role: Interim Head of ICT
Other people or agencies who will be involved in undertaking the equality analysis:

Step 2. Establishing relevance to equality
Show how this document or service change meets the aims of the Equality Act 2010?

Equality Act General Duty
Eliminates unlawful discrimination, harassment, victimization and any other conduct prohibited by the Act.
Advance equality of opportunity between people who share a protected characteristic and people who do not share it.
Foster good relations between people who share a protected characteristic and people who do not share it.

Step 3. Relevance to Equality Act General Duties
There are no discrimination issues relating to this policy
Relevant to all staff
N/A

Scope your equality analysis
What is the purpose of this document or service change? This document has been reviewed in line with the policy review date.
Who will benefit? All staff.
What are the expected outcomes? To ensure that all staff are aware of their responsibilities in relation to Information Governance

Relevance
Protected Groups: Staff, Service Users, Wider Community
Age
Gender Reassignment
Race
Sex and Sexual Orientation
Religion or belief
Disability
Marriage and Civil Partnerships
Human Rights
Pregnancy and Maternity

Why do we need this document or do we need to change the service? To meet legislative requirements, reduce the risk of Information Governance related incidents and ensure organisational learning.

It is important that appropriate and relevant information is used about the different protected groups that will be affected by this document or service change. Information from your service users is, in the majority of cases, the most valuable. Information sources are likely to vary depending on the nature of the document or service change. Listed below are some suggested sources of information that could be helpful:
Results from the most recent service user or staff surveys.
Regional or national surveys
Analysis of complaints or enquiries
Recommendations from an audit or inspection
Local census data
Information from protected groups or agencies.
Information from engagement events.

Step 4. Analyse your information.
Ask yourself two simple questions:
What will happen, or not happen, if we do things this way?
What would happen in relation to equality and good relations?

In identifying whether a proposed document or service change discriminates unlawfully, consider the scope of discrimination set out in the Equality Act 2010, as well as direct and indirect discrimination, harassment, victimization and failure to make a reasonable adjustment.

Findings of your analysis, with description:
No major change: Your analysis demonstrates that the proposal is robust and the evidence shows no potential for discrimination.
Adjust your document or service change proposals: This involves taking steps to remove barriers or to better advance equality outcomes. This might include introducing measures to mitigate the potential effect.
Continue to implement the document or service change: Despite any adverse effect or missed opportunity to advance equality, provided you can satisfy yourself it does not unlawfully discriminate.
Stop and review: Adverse effects that cannot be justified or mitigated against, you should consider stopping the proposal. You must stop and review if unlawful discrimination is identified.

Justification of your analysis: Implementation of this policy will have no potential for discrimination, as it applies to all staff.

5. Next steps.

5.1 Monitoring and Review.
Equality analysis is an ongoing process that does not end once the document has been published or the service change has been implemented. This does not mean repeating the equality analysis, but using the experience gained through implementation to check the findings and to make any necessary adjustments.

Consider:
How will you measure the effectiveness of this change? Through regular monitoring and reporting as defined in the policy
When will the document or service change be reviewed? Annually in November of each year in preparation for the completion of the annual IG Toolkit assessment.
Who will be responsible for monitoring and review? Deputy Director of IM&T, Risk Management and the Information Governance Steering Group
What information will you need for monitoring? Evidence of all IS and IG related work initiatives and Incident investigation from Datix
How will you engage with stakeholders, staff and service users? Through consultation and discussion

5.2 Approval and publication
The Trust Executive Committee / Policy Management Group will be responsible for ensuring that all documents submitted for approval will have completed an equality analysis.
Under the specific duties of the Act, equality information published by the organisation should include evidence that equality analyses are being undertaken. These will be published on the organisation's Equality, Diversity and Inclusion website.

Useful links:
Equality and Human Rights Commission


More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy To whom this document applies: All Trust staff, including agency and contractors Procedural Documents Approval Committee Issue Date: January 2010 Version 1 Document reference:

More information

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE.

Date of review: January 2016 Policy Category: Corporate Sponsor (Director): Chief Executive CONTENT SECTION DESCRIPTION PAGE. Title: Information Governance Policy Date Approved: Approved by: Date of review: Policy Ref: Issue: January 2015 Information Governance Group Division/Department: January 2016 Policy Category: ISP-04 5

More information

Rules for the use of the IT facilities. Effective August 2015 Present

Rules for the use of the IT facilities. Effective August 2015 Present Rules for the use of the IT facilities Effective August 2015 Present INFORMATION MANAGEMENT GUIDE RULES FOR THE USE OF THE UNIVERSITY S IT FACILITIES ( The Rules ) 1. Introduction 2. Interpretation 3.

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain its essential business functions during

More information