NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction



Similar documents
LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

Information Security

Newcastle University Information Security Procedures Version 3

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

NETWORK SECURITY POLICY

REMOTE WORKING POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers

How To Protect Decd Information From Harm

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

Information Security Code of Conduct

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

Version: 2.0. Effective From: 28/11/2014

Network Security Policy

HIPAA Security Alert

IT ACCESS CONTROL POLICY

INFORMATION TECHNOLOGY SECURITY STANDARDS

Rotherham CCG Network Security Policy V2.0

NETWORK AND INTERNET SECURITY POLICY STATEMENT

Data Access Request Service

Data Network Security Policy

Information Security Policies. Version 6.1

Mike Casey Director of IT

Services Policy

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

How To Write A Health Care Security Rule For A University

Information Security Policy

HIPAA Security Training Manual

Information Technology Security Policies

MOBILE DEVICE SECURITY POLICY

Network Security Policy

Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3

Policy Document. IT Infrastructure Security Policy

Service Children s Education

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY

The Internet and 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3

A Guide to Information Technology Security in Trinity College Dublin

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

MOBILE COMPUTING & REMOTE WORKING POLICY AND PROCEDURE. Documentation Control. Consultation undertaken Information Governance Committee

University of Liverpool

Portable Devices and Removable Media Acceptable Use Policy v1.0

SERVER, DESKTOP AND PORTABLE SECURITY. September Version 3.0

Dene Community School of Technology Staff Acceptable Use Policy

ULH-IM&T-ISP06. Information Governance Board

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

Working Together Aiming High!

Information Governance Policy (incorporating IM&T Security)

ACCEPTABLE IT AND COMPUTER USE POLICY GUIDE FOR STAFF

Computer Security Policy (Interim)

PS177 Remote Working Policy

Dublin Institute of Technology IT Security Policy

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

Data and Information Security Policy

Remote Working and Portable Devices Policy

Grasmere Primary School Asset Management Policy

ABERDARE COMMUNITY SCHOOL

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

The Bishop s Stortford High School Internet Use and Data Security Policy

St. Peter s C.E. Primary School Farnworth , Internet Security and Facsimile Policy

Students are expected to have regard to this policy at all times to protect the ipads from unauthorised access and damage.

Protection of Computer Data and Software

Information Management and Security Policy

INFORMATION UPDATE: Removable media - Storage and Retention of Data - Research Studies

TELEFÓNICA UK LTD. Introduction to Security Policy

Information Security Policy. Policy and Procedures

Policy Document. Communications and Operation Management Policy

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Information Security Management. Audit Check List

A practical guide to IT security

USE OF PERSONAL MOBILE DEVICES POLICY

SECURITY POLICY REMOTE WORKING

PHI- Protected Health Information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Policies and Procedures. Policy on the Use of Portable Storage Devices

Mobile Devices Security Policy

Network Password Management Policy & Procedures

How To Ensure Network Security

Transcription:

NHSnet : PORTABLE COMPUTER SECURITY POLICY 9.2 Introduction This document comprises the IT Security policy for Portable Computer systems as described below. For the sake of this document Portable Computers are defined as Laptop and Notebook computers. The security of Digital devices such as PDAs, Palmtops, Advanced Mobile Phones etc is NOT covered by this document. The policy is issued by the Chief Executive/Senior Partner in accordance with References 1, 2 and 3. All personnel using the Portable Computer system are to comply with this IT Security Policy,Which is based upon elements of BS7799-2:2002. Unauthorised modification and/or amendment of this document is forbidden 1

9.2.1 PORTABLE COMPUTER DETAILS/DESCRIPTION: 1. Make: 2. Model: 3. Serial Number: 4. Additional Hardware (HDD etc.) 5. Additional Serial Numbers: 9.2.2 HARDWARE CONTROL The responsibility of ultimate control for issue and security of portable hardware lies with the Chief Executive/Senior Partner. The person nominated to oversee this on their behalf is: 1. Job Title: 2. Name: 3. Telephone Number: 9.2.3 PERSONNEL SECURITY Only authorised staff are allowed access and use of the Portable Computer System. The NHSnet Connection is not provided for personal and recreational use. Persons accessing data and using it for medical purposes should afford all material stored and processed on these systems adequate protection. 9.2.4 PHYSICAL /HARDWARE SECURITY The following guidelines should always be adhered to by the user of the Portable Computer: 2

Treat the Portable Computer as if it is your own property The Portable Computer must be placed in a securely locked away when not in use. If storage facilities are not available for the Portable Computer then, where possible, the Hard Drive should be removed and stored securely. Portable Computer security is your responsibility at all times. If you have and use a Portable Computer security cable, keep one key with you and the other in a secure separate location. Do not leave the Portable Computer unattended in a public place e.g. car park Do not leave your Strong Authentication token in the same location as the Portable Computer. Do not keep password details in the same location as the Portable Computer. Avoid leaving the Portable Computer within sight of ground floor windows or within easy access of external doors. 9.2.5 STRONG AUTHENTICATION CARD SECURITY Access to NHSnet is must always be strongly authenticated. That is, a strong authentication hardware token is used to authenticate the user before access is granted. The use of biometric authentication (e.g. fingerprint recognition) providing it meets NHSnet standards is also permitted. The Strong Authentication Device must be afforded a high degree of protection. Security and confidentiality of patient information could be breached if a card is lost or stolen. The card provides the owner with virtually unlimited access to NHSnet and ultimately any clinical system connected to the network if access rights and privileges are provided/breached. If a card is lost or stolen it is to be reported immediately to the organisations IT Security Officer who will in turn inform the Network Security Manager at the NHS Information Authority. 9.2.6 SOFTWARE SECURITY Users of Portable Systems are not authorised to load any software onto the Portable Computer system without express permission of the Hardware/Software Control Officer. Software downloaded from the Internet must not be loaded onto systems containing patient sensitive information. Software obtained illegally will not be loaded onto Portable Computer Systems. 9.2.7 VIRUS CONTROL The Portable Computer System must have an Anti-Virus software package installed. Users are not to alter the configuration of this package unless express permission has been obtained from the organisations IT Security Officer. The anti-virus system s database of virus definitions must be updated on a regular basis, each day if possible. 3

This package has been installed to prevent an attack from malicious software and to prevent loss of data and corruption of programs/files. If a virus is discovered the following actions must be carried out: Turn the Computer off. Place a label over the switch and floppy drive stating that the machine has a virus infection and should not be used. Isolate any Floppy disks that have been used on that machine. Inform the Organisation/Practice IT Security Officer. The Organisation/Practice IT Security Officer in conjunction with the IT department will have the software and technology available to eradicate any infections. All virus infections are to be reported by the IT Security. All serious virus infections which have not been automatically eradicated by the system s anti virus system must immediately be reported to the NHS Information Authority. 9.2.8 PASSWORD SECURITY Password Security is the responsibility of the individual, passwords should be formulated in such a way that they are easily remembered but difficult to guess and should be formulated using letters (upper and lower case), figures and other characters. Passwords must not be displayed on screens as they are entered. When allocated a new/temporary password for start-up use by the systems manager/ administrator the user must immediately change it. Passwords must consist of a minimum of 6 characters. Passwords must be changed on change of staff or staff resignation. Passwords must not be shared amongst users. Passwords must not be written down. Passwords should not relate to the system or the user, although passwords must be easy to remember. Password must be changed regularly, at intervals not exceeding 90 days. Standard operating system password protection is very limited. The use of other third party software applications to protect both the system and the data contained on it should be considered. 4

Where sensitive data is to be kept on hard disks the use of an encryption software or hardware package should be considered to provide protection to the data if the machine is lost or stolen. 9.2.9 INTERNET/E-MAIL The Personal Computer has been provided by the organisation for use off site. It should be noted that the Internet is an uncontrolled, unmanaged and largely unsupported global network. It is a source of much valuable information not least on the area of Healthcare, however it is also an unrestricted source of much illegal and illicit material. Additionally it has a large recreational attraction. Policy for Internet and e-mail use: Internet and e-mail services will only be used for business purposes directly related to the users area of work. No illicit or illegal material will be viewed/downloaded or obtained via the Internet or E-mail. Any material downloaded must be automatically virus checked immediately by the Portable Computer s anti-virus software. The user will make their system available at any time for audit either by the local IT Department and/or representatives of the NHS Information Authority. Breaches of security abuse of service or non-compliance with the NHSnet Code of Connection may result in the withdrawal of all NHSnet services including E-mail. Disciplinary Action Inappropriate use of NHSnet will result in disciplinary action and may ultimately lead to dismissal it may also be necessary to proceed with criminal charges depending on the nature of the incident. 9.2.10 MAINTENANCE Maintenance is to be controlled by the IT Security Officer in conjunction with the IT department or nominated person responsible for IT maintenance. All equipment that requires repair or maintenance must have patient sensitive/confidential information removed from it. It is not sufficient just to delete files using the computer operating system. The data must be removed correctly using a third party software application that guarantees approved deletion of files. If the hard disk has failed and the maintenance engineer is required to replace it with a new device then the old hard disk must be physically destroyed. If the hardware is returned to the supplier for repair a note of all serial numbers should be taken including the hard disk. If the hard disk is irreparable organisation must insist that the old hard disk be returned for destruction. 5

9.2.11 BACKUP Backup of the system software and configuration must be made on a regular basis. Regular backups of all critical and/or sensitive data should be made to a separate system where possible to help prevent the loss of critical information. The restoration of backed up data must be tested on a regular basis. 9.2.12 LOSSES AND CONFIDENTIALITY/SECURITY BREACHES Incidents that constitute a Loss of Hardware or Data, which could potentially lead to a breach of patient confidentiality, are to be reported directly to the organisation IT Security Officer. The Organisation IT Security Officer will instigate investigation procedures to try and establish the nature and potential threat of the incident. All such losses will be reported to the NHS Information Authority. Incidents could involve: Loss of Hardware. Loss of Software/Data. Virus attack Unauthorised access. Misuse of System/Privileges. 9.2.13 ACCOUNTING AND AUDIT The software and information held on Portable Computer Systems is subject to the same audit procedures as the Organisation/Practice Computer Systems. This also covers information and data stored on removable media e.g. floppy disks. 9.2.14 LEGISLATION Users of portable systems must comply with current legislation regarding the use and retention of Patient information and use of computer systems. These include, but are not limited to: The Data Protection Act, 1998. Access to Health Records Act, 1990. The Copyright, Designs and Patents Act, 1988. The Computer Misuse Act, 1990. 6

An explanation of the above can be found in both refs. 1 and 2. 7

9.2.15 USERS ACCEPTANCE I have read and understood the Code of Connection document and IT Security Policy detailed above and agree to abide by the requirements laid down in them. Users signature: Date: Approved/Authorised by Name (in Caps): Signature: Date: 8

9.2.16 REFERENCES: N O Title Version 1 NHSnet Networking Security Policy 2002 2 Ensuring Security & Confidentiality I NHS Organisations 1 1 9.2.17 DOCUMENT CONTROL DATA: Security Policy for Portable Computers Issue and Date VI 14 Aug 2002 Identity (electronic filename) Location of Electronic Copy Owner NHSIA NHSIA Change Authority Distribution (electronic) Distribution (Paper) 9

9.2.18 REGISTER OF AMENDMENTS: This table is to be used to record any amendments made to the Portable Computer Security Policy. The Policy will be kept up to date and Policy requirements will be constantly implemented and enforced. The responsibility for enforcing this policy lies with the Chief Executive/Senior partner and Nominated Security Officer within the organisation. Whenever an event occurs which may affect the Policy statements hereafter the Document Control officer must be informed immediately. On receipt of an amendment instruction responsible security officers must ensure that the amendment is completed as required and that the amendment record is completed. Amendment Date of Issue Amended by Amendment Action Checked (holder) Published by: Cliff Conrad Network Security Manager NHSIA - Access to Information Published: 25 September 2002 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information