Policy No: OP58 Version: 2.0 Name of Policy: Anti Virus Policy Effective From: 28/11/2014 Date Ratified 17/09/2014 Ratified Health Informatics Assurance Committee Review Date 01/09/2016 Sponsor Director of Finance and Information Expiry Date 16/09/2017 Withdrawn Date This policy supersedes all previous issues. Anti Virus Policy v2
Version Control Version Release Author / Reviewer Ratified By / Authorised By 1.0 04/04/2009 D Prudhoe Information Governance Committee 2.0 28/11/2014 D Prudhoe Health Informatics Assurance Committee Date April 2009 17/09/2014 Changes (Please identify page no.) Anti Virus Policy v2 2
Contents 1 Introduction... 4 2 Scope... 4 3 Aim of Policy... 4 4 Duties (Roles and Responsibilities)... 4 5 Definitions... 5 6 Anti Virus Policy... 5 6.1 Use of e mail and the internet... 5 6.2 Anti Virus Controls... 5 6.3 What to do if a virus is found or suspected... 6 6.4 Hoax Viruses... 7 6.5 Data Protection Act 1998... 7 7 Training... 7 8 Equality and Diversity... 7 9 Monitoring Compliance with the Policy... 8 10 Consultation and Review... 8 11 Implementation of Policy (including raising awareness)... 8 12 Associated Documentation... Anti Virus Policy v2 3
Anti Virus Policy 1 Introduction The software and hardware that make up the computer networks are essential resources for the NHS Organisations. They aid staff in carrying out their everyday duties and without them important communication systems would not exist. Computer viruses pose considerable risks to these systems. They can cause them to run erratically, cause loss of information, and information to become corrupted, with the consequential loss of productivity for the organisation. This policy is designed to give guidance and direction on minimising the risk of a virus infection, and what to do if they are encountered. 2 Scope. This policy applies to: All employees whilst using Trust equipment and accessing the Trust s Network at any location, on any computer or Internet connection. Other persons working for the organisation, persons engaged on business or persons using equipment and networks of the organisation. Anyone granted access to the network. 3 Aim of Policy. The Aim of this policy is to ensure that: All staff are aware of their responsibilities in relation to safeguarding the confidentiality, integrity, and availability of data and software within the organisation. Best practice concerning the use of software within the organisation is identified. Instructions are provided on the prevention of virus infection, and what steps to take should a virus be found 4 Duties (Roles and Responsibilities). All staff and Non Executive Directors are obliged to adhere to this policy. It is the responsibility of the individual to ensure that they understand this policy. Managers at all levels are responsible for ensuring that the staff for whom they are responsible are aware of and adhere to this Policy. They are also responsible for ensuring staff are updated in regard to any changes in this Policy. Breaches of this policy should be regarded as serious misconduct which could lead to disciplinary action in accordance with the Trust s Disciplinary Policy. Anti Virus Policy v2 4
Every individual defined within the scope of this document is responsible for the implementation of this policy whilst operating any personal computer resources to access any of the Trust s systems. 5 Definitions. For the scope of this policy, a virus is defined as a self replicating piece of software, which may cause damage to the operating system of the computer, the storage devices, and any data and/or software stored on them. For the scope of this policy, software is defined as a computer program that is designed to carry out specific functions For the scope of this policy, a personal computer is defined as any one of the following. Desktop computers, laptop computers, tablet computers and any other mobile device capable of executing and/or running malicious software. For the scope of this policy, the Anti Virus software used by the Trust will include protection against virus, spyware and malware. 6 Anti Virus Policy. 6.1 Use of e mail and the internet. E mail is one of the main ways used to distribute computer viruses. This is due to the ease of which information can be distributed globally. Viruses can be hidden in email attachments or in material downloaded from the internet. To help protect against viruses being distributed over the network, the following should be applied: Make sure you know the sender of the e mail is genuine before opening any attachments. If you are suspicious in any way then contact the sender to confirm they have sent the e mail. If you think you have received an e mail virus, or have received an alert from your PC to this effect then please contact the IT Service Desk. Any form of software, screen savers, or games must not be downloaded or copied from any source. Do not action any e mails that suggest they have been sent to fix a problem with your machine (e.g. Emails from Microsoft). Reputable vendors would never distribute software patches in this way. If you have any suspicions regarding a received e mail do not open it, but contact the IT Service Desk immediately. 6.2 Anti Virus Controls. 6.2.1 Requirements Anti Virus software must only be installed and configured by IT Services. Users must not disable or interfere with anti virus software installed on any computer or server. Anti Virus Policy v2 5
IT Services must ensure that automatic updates are applied to all workstations and servers on a daily basis and that all devices are up to date with the latest signature file. No computer or server may be connected to the network without adequate protection i.e. up to date anti virus software being installed and activated. Only portable devices owned by the Trust may be connected to the network. Portable device users must regularly connect to the network to ensure that the anti virus software remains updated. Failure to do so could result in unnecessary virus outbreaks. Users must not change or delete any anti virus software that is installed on the Trusts network, servers or PC s. 6.2.2 Software Controls No software programs or executable files should be downloaded from the Internet and installed onto a PC without the consent of IT Services. Unauthorised downloading of software may breach the copyright licence, could introduce a computer virus to the system, and is a breach of the Trusts Internet Policy. The unauthorised copying of software is a criminal offence under the Copyright, Design and Patents Act 1998. 6.2.3 Avoiding virus infection Avoid the transfer of information by floppy disc, CD or USB memory sticks between computers. Do not introduce the above media from home onto NHS computers. Do not start up a PC with a floppy disk, CD or USB memory stick inserted unless instructed by IT Services. Where practical write protect floppy disks and USB memory sticks until the write option is required. Save data/documents etc. on your home directory. Do not save information on the PC so that if infection does occur, data can be recovered. 6.3 What to do if a virus is found or suspected 6.3.1 If you find or suspect a virus on your PC Contact IT Services immediately. Do not use the PC until approved by the IT Department. 6.3.2 The responsibilities of IT Services are to: Check the infected PC Anti Virus Policy v2 6
6.4 Hoax Viruses Check any media that have been used in the infected PC Check any other PC that the media has been used with Delete or clean any infected files Check any Servers that may have been accessed during the incident Inform the IT Security Officer of any viruses detected Ensure that the incident is addressed within an appropriate timescale Hoax emails are very common. The usual format is a warning of a virus (usually labelled as the worst yet or some other equally alarmist phrase). The email will give details of a virus carried in an email with a particular subject line or attachment name then give details of how the virus will cause huge amounts of data loss. The email will then go on to tell you to send the warning to everyone you know. Staff should not pay heed to these emails. If there is any doubt whether the details are genuine staff should contact the IT Service Desk for advice. 6.5 Data Protection Act 1998 7 Training. The Data Protection Act governs the processing of personal identifiable data, and protecting the data from loss, damage or destruction, whether accidental or deliberate. This includes having anti virus controls in place to safeguard information and ensure the Act is complied with. The security measures must take into account the harm that may result from unauthorised or unlawful processing, loss, damage or destruction. The nature of the data being protected also needs to be considered. Appropriate personnel checks need to be taken to ensure the integrity of the staff that have access to the data being protected. Any training required can be provided via the IT Directory and Security Team within the IT Department. 8 Equality and Diversity. The Trust is committed to ensuring that, as far as is reasonably practicable, the way we provide services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on any grounds. Reasonable adjustments can be made to ensure disabled staff and people with other health conditions can utilise the system. Anti Virus Policy v2 7
9 Monitoring Compliance with the Policy. Standard/process/issue Ensure Anti Virus installations are up to date Monitoring and audit Method By Committee Frequency Reports via Directory Daily admin Services console Team Ensure infections are dealt with promptly Ensure inappropriate file types are not downloaded Highlight report to Health Informatics Assurance Committee Automatic email alerts via admin console/ser vice Calls via Service Desk Automatic email alerts via admin console Directory Services Team Directory Services Team Directory Services Team Health Informatics Assurance Committee Real Time Real Time Bi Monthly 10 Consultation and Review. Health Informatics Assurance Committee 11 Implementation of Policy (including raising awareness). This Policy will be published as per normal policies and circulated as per standard. This Policy will be available at all the Trust s designated locations. 12 Associated Documentation. IT Security Policy Internet, Intranet and Email Acceptable Use Policy Anti Virus Policy v2 8