INFORMATION GOVERNANCE POLICY: NETWORK SECURITY

Transcription

1 INFORMATION GOVERNANCE POLICY: NETWORK SECURITY Original Approved by: Policy and Procedure Ratification Sub-group on 23 October 2007 Version 1.2 Approved by: Information Governance Group Approval Date: 16 December 2009 Review Date: 16 December 2011 Responsible Person: Steve Ingleson, Director of Performance Management Circumstances may arise or there may be a change in guidance (e.g. NICE or Employment Law) where changes may be required to the Policy before the planned review date. Staff are responsible to identify this to the Policy Group via their Line Manager who will then put in place a policy review process. NOTE: All policies remain extant until notification of an amended policy is placed on the intranet. Policy Name: Network Security Author: Carol Mitchell, Information Governance Manager Version: 1.2 Date: December 2009

2 2 of 8

3 Version Control Sheet: Version Date Author Status Comment 1.1 Sept 07 C Mitchell Approved 1.2 Dec 09 C Mitchell Approved No changes required 3 of 8

4 BRADFORD AND AIREDALE TEACHING PRIMARY CARE TRUST 4.2 NETWORK SECURITY Introduction This policy is in place to enable access to and assure the security of the data communications network of the tpct. It establishes the responsibilities of IT Services in managing the network and users responsibilities in using it. Additionally it provides information in taking action to foresee, detect, prevent or rectify security risks which threaten the activities of the tpct and its staff. Supporting Procedures None Risk Management The risks identified under this policy include unauthorised access to information, loss of information, loss of availability to information. 1.0 Purpose As a key part of its role, IT Services is responsible for the ownership, development, installation, operation and maintenance of the data communications network on behalf of the tpct and its staff. With this responsibility comes the authority to take action necessary to safeguard the security of the network to minimise and contain potential risks to the tpct and its staff, both operational and legal, from the consequences of network-related security violations and misuse. In this context, the purpose of this policy is to state clearly both IT Services responsibility and authority for the tpct s network infrastructure and devices connected to that infrastructure, and users responsibilities in using such devices. 2.0 Scope The coverage of this policy includes: a. The tpct s data communications network and devices connected to it. b. All users of such devices. c. External connections from the network to N3. d. Trust WAN links to other NHS organisations such as: Skipton Hospital Keighley Health Centre Ilkley Coronation Hospital 4 of 8

5 Others e. The protection, detection and action against threats, including but not restricted to: Virus attacks Denial of service attacks Hacking internally or from external sources Downloads and uploads of unacceptable material (as defined by the tpct s Surf Control Server policy) Unacceptable content of outgoing Unsolicited bulk Theft, corruption or loss of data or software from external sources Theft of bandwidth f. Unauthorised connection of devices to the network 3.0 Responsible Authorities The term Designated I.T. Services Authority used in this guidance means the Head of IT or their authorised delegate. This policy is issued under the authority of the Head of IT who is responsible for enforcing sanctions where necessary to safeguard the tpct and its members. The IT Infrastructure is managed by the IT Services Manager who is responsible for the prevention and detection of IT misuse. This policy is managed by the Head of IT who is responsible for investigating incidents of IT misuse. 4.0 Policy Statements The tpct s Network Security guidance addresses the following: Who can and cannot make use of the tpct s data communications network. Who can and cannot extend, remove or change the cabling or fibres that constitute the tpct s data communications network either within or between Trust buildings. What connections or changes can or cannot be made to the network. What devices can and cannot be attached to the network. Who can and cannot attach such devices. What they can and cannot use it for. How IT Services manages the control of the network and the approval of connections both from devices and from other networks. 5 of 8

6 How IT Services is able to foresee, detect, or prevent security threats and rectify the consequences of those threats to the network. What sanctions are available to IT Services when threats and misuse are encountered, to deter further misuse of the network. 5.0 Network Controls 5.1 Users of the Network As defined by the NHS Statement of Compliance, only registered users (i.e. those holding a valid username and password) or those given permission by the Head of IT are permitted to use the tpct s data network. The tpct s data network may be used for any purpose that is in accordance with the aims and policies of the tpct and for no other purpose. 5.2 Modifiers of the Network Only IT Services and tpct approved data communications contractors are permitted to modify the network infrastructure. 5.3 Network Devices Network devices are defined as active equipment required to connect and operate the tpct s data network. Examples are switches, routers and firewalls. Only IT Services and tpct approved data communications contractors are permitted to install such devices which will be solely managed by IT Services. These devices will be located in designated Communications Cabinets/Racks. 5.4 User Devices Any device, other than network devices defined above, is defined as a user device. User devices fall into two categories user and non-user equipment. A non-user device e.g. a server, is defined as equipment which provides a service to one or more users. tpct owned non-user devices may be connected to the network by competent users once it has been given an I.T. asset tag. The recognised owner of the equipment should then abide by this policy at all times. Client devices are defined as equipment generally used by one person. Examples are PCs or PDAs. Network connectivity is achieved by either plugging this equipment directly into an activated data point on the tpct network or indirectly by connection via the public Internet. Trust owned client devices may be connected to the network by any member of staff of the tpct provided the equipment is used in 6 of 8

7 accordance with the aims and policies of the tpct and for no other purpose. Users should note that they are not allowed to connect their own equipment as this breaches the NHS Statement of Compliance (Previously NHS Code of Connection). 6.0 Network Security Management (ISO Network controls & Security of network services) 6.1 IT Services are responsible for managing and being accountable for access to the N3 Network by the PCT s users. Staff should complete a network access form in order to gain access to the tpct s network. 6.2 IT Services are also responsible for managing the risks of any network device connected to the network and implementing any necessary security measures to protect the network. 6.3 IT Services manages the provision of IP addresses; protection via a central firewall and access lists; user registration; authorisation and authentication; and data point activation. Any approved tpct owned device may be connected to the tpct network and will be automatically assigned an IP address which gives access to internal resources. External resources can only be accessed through the Internet filter appliance firewall. Exceptions must be authorised by the Head of IT. 6.4 IT Services holds sole authority and responsibility for the connections of networking equipment to the network e.g. hubs, switches and routers. 6.5 Traffic entering and leaving the tpct s network will be monitored and managed by the IT Services. 6.6 IT Services are responsible for any equipment connected to the network to ensure that the latest level of anti-virus software and security patches are installed. 6.7 The management of remote network equipment should only be conducted by authorised IT Services staff. All network equipment, where available, should have a username and password set to access the device. Where possible only determined clients should be configured to access network equipment remotely. 6.8 The confidentiality and integrity of data passing over public networks should be maintained using industry standard security protocols such as IPSec. 6.9 Disruption to the network should be kept to a minimum. Procedures are in place to arrange for network downtime to include notification to end users in advance of scheduled maintenance. Change control documentation will be used on network equipment to ensure that only approved work is conducted and that work is logged. 7 of 8

8 6.10 When a new device is required to connect to the tpct s network IT Services should be contacted. They will then patch an existing LAN point or create a proposal for a new network point. 7. IT Services powers of detection, prevention and restitution IT Services proactively monitor the data network for performance issues, abnormal loading, port and IP scanning. The consequences of these are counter measured by regularly updating firmware and configuration files of firewalls and routers, and adding security patches and anti-virus updates when necessary. 8. Sanctions IT Services are responsible for investigating, containing and resolving breaches of security and may disconnect, block traffic to / from, impound, or log information about any machine using the data network. Under tpct disciplinary procedures, IT Services are authorised to initiate investigations of users who abuse this policy. Such investigations may result in IT Services banning users without prior notice, pending resolution of the incident and dependent upon the nature of the offence may involve the Police. 9. References N3 Network details can be viewed on NHS Statement of Compliance (Previously NHS Code of Connection) details can be viewed on 8 of 8