Informatics Policy. Information Governance. Network Account and Password Management Policy


Informatics Policy Information Governance Policy Ref: 3589

Document Control

Document Title: Network Account Management and Password Policy
Author/Contact: Pauline Nordoff-Tate, Information Assurance Manager
Document Reference: 3589
Document Impact Assessed: Yes/No  Date: 21/11/11
Version: 2
Status: Approved
Publication Date: 30/11/11
Review Date: 30/11/13
Approved by: Dr P Williams, Caldicott Guardian, 28/11/11
Ratified by: Information Governance Group, 28/11/11
Distribution: Royal Liverpool and Broadgreen University Hospitals NHS Trust intranet using SharePoint, which will maintain the policy document in conjunction with each document author.

Please note that the Intranet version of this document is the only version that is maintained. Any printed copies should therefore be viewed as uncontrolled and as such may not necessarily contain the latest updates and amendments.

Document History

Version 1, 19/11/2009: New document composed of Network account policy and Password policy. Author: M Haynes
Version 1.1, 29/12/2009: Minor amendments. Author: Information Assurance Manager
Version 1.2, 26/09/2011: Minor amendments. Author: TS Manager / IT Security Consultant
Version 2.0, 07/11/2011: Amendments to Network application form taking out references to HIS, and amendments to section 4.4. Author: Pauline Nordoff-Tate

Review Process Prior to Ratification

Name of group/department/committee and date:
Information Governance Group (by email), 31/12/2009
Information Governance Group, 28/11/11

Table of Contents

1.0 Introduction
  1.1 Equality and Diversity
2.0 Objective
3.0 Scope of the Policy
4.0 Policy
  4.1 Account Creation
  4.2 Account Amendment
    4.2.1 Personal Details Change
    4.2.2 Job title, office location etc.
  4.3 Account Expiry/Removal
    4.3.1 Notification from Manager
    4.3.2 Notification from Human Resources
    4.3.3 IT Department
  4.4 Account Expiry/Removal Procedure
  4.5 Dormant Accounts
  4.6 Further Information
    4.6.1 Managers
    4.6.2 Human Resources
  4.7 Password Structure
  4.8 Temporary Passwords
  4.9 Forced Password Change
  4.10 Password Renewal
5.0 Roles and Responsibilities
  5.1 Managers
  5.2 Staff
6.0 Associated Documentation and References
7.0 Training & Resources
8.0 Monitoring and Audit
  8.1 Recording and Monitoring of Equality & Diversity
Appendix A: IT Network Account Request
Appendix B: Supporting Legislation and Guidance

1.0 Introduction

This policy details the procedures for network account management. The policy describes the processes that must be adhered to by all staff for registration, de-registration, authorisation and authentication procedures for access to the Trust's network services, e.g. file and print. The Data Protection Act 1998 requires the Trust to take organisational and technical measures to keep information safe and secure. Using passwords appropriately is one way of ensuring that patient and staff data is held securely.

1.1 Equality and Diversity

The Trust is committed to an environment that promotes equality and embraces diversity in its performance as an employer and service provider. It will adhere to legal and performance requirements and will mainstream equality and diversity principles through its policies, procedures and processes. This policy should be implemented with due regard to this commitment.

To ensure that the implementation of this policy does not have an adverse impact, in response to the requirements of the Race Relations (Amendment) Act, the Disability Discrimination Act 2005 and the Equality Act 2006 this policy has been screened for relevance during the policy development process and a full impact assessment conducted where necessary prior to consultation. The Trust will take remedial action when necessary to address any unexpected or unwarranted disparities and monitor practice to ensure that this policy is fairly implemented.

This policy and procedure can be made available in alternative formats on request, including large print, Braille, Moon, audio and different languages. To arrange this please refer to the Trust translation and interpretation policy in the first instance.

The Trust will endeavour to make reasonable adjustments to accommodate any employee with particular equality and diversity requirements in implementing this policy and procedure. This may include accessibility of meeting/appointment venues, providing translation, arranging an interpreter to attend appointments/meetings, extending policy timeframes to enable translation to be undertaken, or assistance with formulating any written statements.

2.0 Objective

This policy aims to raise staff awareness of the processes that must be followed in order to manage an end user network account, to raise staff awareness of best practice and the importance of password security within the Trust, and to detail the password structure of Trust network account passwords.

3.0 Scope of the Policy

This document intends to prevent unauthorised access to the Trust's Information Systems. The policy details the management of the Trust network account password and file structure.

4.0 Policy

4.1 Account Creation

Access to the Trust's Network is controlled through a formal User Registration process. Each User is identified by a unique User ID so that Users can be linked to and held responsible for their actions. Access to the Trust network is provided by the IT Department and can be enabled only after the proper procedures have been followed. In order to have a network account created, a request must be submitted to the Service Desk, via the form detailed in Appendix A, from the new user's Line Manager or from Human Resources. The new account will be created within 5 working days of receipt of the completed form. Forms may be faxed, emailed or sent through internal post to the department. A new user account will only be made active on the start date of the new employee; the employee will be requested at first logon to change their password, as stated in the letter they receive before starting employment.

4.2 Account Amendment

When an employee changes jobs, their network accounts must be altered accordingly to ensure that access permissions are correct for the new position. This notification must be sent to the IT Department by the relevant Line Manager.

4.2.1 Personal Details Change

Requests to change the name of a staff member must come from the staff member themselves. It should be noted that the staff member should have written a formal letter informing the Human Resources Department of this change, and their details will have been amended on the system. Changes will only be made after confirmation is obtained from the Human Resources System.

4.2.2 Job title, office location etc.

These requests should be made by the staff member themselves, because this information is not likely to be held on the Human Resource System and so will not be checked. These details will only need to be amended on Active Directory and the User Accounts Database. Any changes made for this purpose will NOT alter any of the access permissions to network services.

4.3 Account Expiry/Removal

Accounts will be expired or deleted under the following instances:

4.3.1 Notification from Manager

Managers must advise the IT Department and log a call with the Service Desk asking them to close/amend an employee account and remove their access, if necessary giving access to their folders to another member of staff. This request will be verified against the Human Resource system to ensure that the member of staff has terminated employment with the Trust.

4.3.2 Notification from Human Resources

The Human Resource system monitors staff starters and leavers for those members of staff employed by the Trust. This list is provided to the IT Department on a monthly basis.

4.3.3 IT Department

The department may disable an account under the following conditions:
- Disclosure of account credentials
- Due to an ongoing Information Security Incident investigation
- Misuse of account
This list is not exhaustive.

4.4 Account Expiry/Removal Procedure

When an account is to be expired, the following process must be adhered to:

a. The account is disabled and kept for three months, then deleted as per Trust policy.
b. Check the user's details are stored in the account database.
c. Disable the account and place it in the Deleted Accounts container within Active Directory.
d. The disabled account is left in this container for three months. During this time, if the staff member has moved around within the organisation, the Trust will have been notified about this and changed the account accordingly.
e. Each month, the Deleted Accounts container is compared against the Human Resource System to clarify that the member of staff has indeed left the Trust and has not been back within that month. The account is then deleted from the container. An amendment is made to the records stored on the User Account Database.
f. After 3 months the User Account Database is checked and a list of deleted accounts produced for users 3 months prior. If that user has not returned to the Trust within 3 months, their entire account is deleted along with personal drive and emails.

4.5 Dormant Accounts

A review of all accounts will be performed on a monthly basis. This review is targeted at the existence of dormant accounts and accounts that have not been accessed for a period of time (30 days or more). Any accounts identified as dormant will be expired in order to prevent unauthorised access. If the account is still classed as dormant after 90 days, the account will be deleted from the Trust network.

4.6 Further Information

4.6.1 Managers

Departmental Managers will ensure that the requirements of this policy are adhered to and that the IT Service Desk is notified of any changes that are required to an end user's account profile. This notification should include any member of staff that is on:
- Maternity leave;
- Long-term sick leave;
- Extended annual leave period;
- Sabbatical.
Please note this list is a representative sample and should not be considered exhaustive. Staff should be aware that their managers will have the right to access email boxes in the unexpected event that they are absent from work, and where there is a need based on business continuity.

4.6.2 Human Resources

Human Resources will notify the IT Department of all staff who join and leave the Trust on a monthly basis. This information will also include all staff that are entering any of the periods of extended absence as detailed in Section 4.6.1 or who are changing employment within the Trust.

4.7 Password Structure

All Network passwords will expire after 90 days. The reallocation of passwords will prevent the use of the previous 3 passwords.

Passwords shall conform to a minimum password length of 7 characters. All passwords must be alphanumeric and should include symbols where possible.

4.8 Temporary Passwords

Temporary passwords will only be issued for new accounts and to users who have locked their existing accounts. Temporary passwords will have a forced change implemented upon them and must be changed when the user logs onto the Trust network with them. Access to the network will not be enabled until the temporary password has been changed.

4.9 Forced Password Change

After each period of 90 days, the user will be forced to change their Network Password. The user will be requested, at the logon prompt, to change their password 14 days prior to the forced change being implemented. If the user does not change their password in those 14 days, they will be forced to change it once the 90 days have expired. Access to the Trust network will not be enabled until the password is changed.

4.10 Password Renewal

This is enforced on Windows network accounts for logging onto the Trust network, and users should be vigilant in ensuring that these robust mechanisms, i.e. regular renewal of passwords, are also used on other systems within the Trust. New systems being integrated into the Trust are assessed from a security/accessibility viewpoint to ensure that they have these minimum requirements to help safeguard password management.

5.0 Roles and Responsibilities

5.1 Managers

All Managers are responsible for ensuring that all staff within their department are aware of and understand the requirements of this policy. Managers are responsible for ensuring that the Service Desk is notified when a member of staff leaves so that access to systems can be terminated.

5.2 Staff

All users shall be mandated to keep passwords confidential.

- All users should NOT keep a paper record of passwords, but electronic storage of passwords can be kept securely if there is a need to do so.
- Change passwords whenever there is any indication of possible system or password compromise.
- Select passwords with a minimum length of seven characters which are: not based on anything somebody else could easily guess or obtain using person-related information, e.g. names, telephone numbers, dates of birth etc.; free of consecutive identical characters or all-numeric or all-alphabetical groups.
- All users should change passwords at regular intervals or based on the number of accesses (passwords for privileged accounts should be changed more frequently than normal passwords), and avoid re-using or re-cycling old passwords.
- Change temporary passwords at the first log-on.
- Do not include passwords in any automated log-on process, e.g. stored in a macro or function key.

The sharing of passwords with others is strictly prohibited; any breach of this rule may result in disciplinary action being taken. Staff should be aware that their managers will have the right to access email boxes in the unexpected event that they are absent from work, and where there is a need based on business continuity.

6.0 Associated Documentation and References

This policy has been developed in accordance with the following documents:
- The Trust Information Assurance Policy;
- ISO27001 Code of Practice for Information Security.

7.0 Training & Resources

Password training will be included in all system training programmes and support documentation.

8.0 Monitoring and Audit

The Trust will ensure compliance via the Information Governance Toolkit plan, which is monitored by the Information Governance Group.

8.1 Recording and Monitoring of Equality & Diversity

The Trust understands the business case for equality and diversity and will make sure that this is translated into practice. Accordingly, all policies and procedures will be monitored to ensure their effectiveness.

Monitoring information will be collated, analysed and published on an annual basis as part of our Single Equality and Human Rights scheme. The monitoring will cover all strands of equality legislation and will meet statutory employment duties under race, gender and disability. Where adverse impact is identified through the monitoring process the Trust will investigate and take corrective action to mitigate and prevent any negative impact. The information collected for monitoring and reporting purposes will be treated as confidential and it will not be used for any other purpose.
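The password rules of sections 4.7, 4.9 and 5.2 expressed as a checker, added here as an example; it is not part of the original policy and not the Trust's own tooling. It rejects a candidate that breaks any mandatory rule (minimum of seven characters, alphanumeric, no consecutive identical characters, not based on person-related information, not one of the previous three passwords), reports the advisory "include symbols where possible" rule separately, and places a password within the 90-day cycle with its 14-day warning window. The user name, date of birth, passwords and dates are constructed; the SHA-256 fingerprint used for the history and the reading of "alphanumeric" as at least one letter and one digit are this example's assumptions.

```python
"""
Checker for the password rules in sections 4.7, 4.9 and 5.2.
Added example: not the Trust's own tooling. The user, the passwords and the
dates below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
import hashlib

MIN_LENGTH = 7        # 4.7 and 5.2: at least seven characters
MAX_AGE_DAYS = 90     # 4.7 and 4.9: a password expires after 90 days
WARN_DAYS = 14        # 4.9: the user is prompted 14 days before the forced change
HISTORY_DEPTH = 3     # 4.7: the previous three passwords may not be reused

DEMO_USER_NAME = "Alex Rivers"        # constructed
DEMO_USER_DOB = date(1980, 5, 14)     # constructed


def password_fingerprint(password: str) -> str:
    """Digest kept in the per-user history so that earlier passwords are never
    stored in clear. Illustrative only: a directory service keeps its own form
    of history (assumption: SHA-256 is enough for this model)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def person_related_terms(full_name: str, date_of_birth: date) -> set:
    """Fragments of personal information a password must not be based on (5.2):
    name parts of three or more letters and common date-of-birth spellings."""
    terms = {p.lower() for p in full_name.replace("-", " ").split() if len(p) >= 3}
    terms.add(date_of_birth.strftime("%d%m%Y"))   # e.g. 14051980
    terms.add(date_of_birth.strftime("%d%m%y"))   # e.g. 140580
    terms.add(date_of_birth.strftime("%Y"))       # e.g. 1980
    return terms


@dataclass
class Verdict:
    violations: list = field(default_factory=list)  # any entry rejects the candidate
    advice: list = field(default_factory=list)      # the "should" rule in 4.7

    @property
    def accepted(self) -> bool:
        return not self.violations


def check_password(candidate: str, history: list, full_name: str, date_of_birth: date) -> Verdict:
    """Apply the 4.7 and 5.2 rules to a candidate. `history` holds fingerprints
    of earlier passwords, oldest first; only the last HISTORY_DEPTH count."""
    v = Verdict()
    if len(candidate) < MIN_LENGTH:
        v.violations.append("too_short")
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_letter and has_digit):   # "alphanumeric" read as letters and digits
        v.violations.append("not_alphanumeric")
    if any(a == b for a, b in zip(candidate, candidate[1:])):
        v.violations.append("consecutive_identical")
    lowered = candidate.lower()
    if any(term in lowered for term in person_related_terms(full_name, date_of_birth)):
        v.violations.append("person_related")
    if password_fingerprint(candidate) in history[-HISTORY_DEPTH:]:
        v.violations.append("reused")
    if all(c.isalnum() for c in candidate):
        v.advice.append("no_symbol")
    return v


def _as_date(d):
    return d if isinstance(d, date) else date.fromisoformat(d)


def expiry_status(last_changed, today):
    """Return ('ok' | 'warn' | 'expired', days_remaining) under 4.7 and 4.9.
    Dates may be date objects or ISO-8601 strings."""
    remaining = MAX_AGE_DAYS - (_as_date(today) - _as_date(last_changed)).days
    if remaining <= 0:
        return "expired", remaining
    if remaining <= WARN_DAYS:
        return "warn", remaining
    return "ok", remaining


if __name__ == "__main__":
    history = [password_fingerprint("Harbour-Tide39")]   # constructed prior password
    for pw in ["Rivers2011", "14051980", "aardvark7", "Harbour-Tide39", "Quiet-Lantern58"]:
        print(f"{pw:16} {check_password(pw, history, DEMO_USER_NAME, DEMO_USER_DOB)}")
    print(expiry_status("2011-09-05", "2011-11-30"))   # 86 days old: warn, 4 days left
```

The violation codes are deliberately stable strings so that a logon or self-service tool can map them to the user-facing wording of section 5.2; keeping the advisory symbol rule out of `violations` mirrors the policy's "must" versus "should" distinction.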

Appendix A: IT Network Account Request

This request form is for security purposes and must be completely filled in. The request will not be processed unless all fields are filled in. A password letter will be sent in the internal mail once the request has been received. Please fax this request back to 0151 706 5758, or post to: I.T. Server Team, RLBUHT, Broadgreen Hospital, Thomas Drive, Liverpool, L14 3LB.

Appendix B: Supporting Legislation and Guidance

ISO27001 - The Code of Practice for Information Security Management, Section A11.2.4, states: "Management shall review users' access rights at regular intervals using a formal process."
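The monthly review of sections 4.4 and 4.5, with the HR verification of 4.3.1 and the regular access-rights review that the ISO27001 clause above requires, as an added example that is not taken from the policy or from the Trust's own tooling. It models the review over a directory export and the HR starters/leavers list and decides, per account, whether to leave it alone, expire it as dormant, delete it, retain it in the Deleted Accounts container, or refer it back because HR still shows the person as employed. The accounts, the HR list, the review date and the reading of "three months" as 90 days are constructed assumptions; the review runs over in-memory records rather than a live directory.

```python
"""
Monthly account review implementing sections 4.3.1, 4.4 and 4.5.
Added example: not the Trust's own tooling. The directory export and the HR
starters/leavers list are constructed, and the review is a plain model
rather than a set of calls against a live directory.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_DAYS = 30            # 4.5: not accessed for 30 days or more -> expire (disable)
DORMANT_DELETE_DAYS = 90     # 4.5: still dormant after 90 days -> delete
LEAVER_RETENTION_DAYS = 90   # 4.4: "three months" in the container (assumed as 90 days)
DELETED_CONTAINER = "Deleted Accounts"   # 4.4 c: container name as given in the policy


@dataclass
class Account:
    user_id: str
    container: str                 # e.g. "Users" or DELETED_CONTAINER
    enabled: bool
    created: date
    last_logon: Optional[date]     # None = never logged on
    disabled_on: Optional[date]    # None = still enabled


def _as_date(d):
    return d if isinstance(d, date) else date.fromisoformat(d)


def _age(when: date, today: date) -> int:
    return (today - when).days


def close_request_verified(user_id: str, hr_status: dict) -> bool:
    """4.3.1: a manager's request to close an account is actioned only when the
    HR system confirms that the person has left."""
    return hr_status.get(user_id) == "left"


def review_account(acct: Account, hr_status: dict, today) -> str:
    """Decide the action for one account at the monthly review."""
    today = _as_date(today)
    if acct.container == DELETED_CONTAINER:
        # 4.4 d-f: leaver accounts are reconciled against HR every month.
        if hr_status.get(acct.user_id) == "current":
            return "refer_hr_mismatch"       # moved within the Trust or returned
        if acct.disabled_on is not None and _age(acct.disabled_on, today) >= LEAVER_RETENTION_DAYS:
            return "delete_account_drive_and_mail"   # 4.4 f
        return "retain_in_deleted_container"          # 4.4 d, still inside three months
    # 4.5: inactivity is measured from the last logon, or from creation for an
    # account that has never been used.
    idle = _age(acct.last_logon or acct.created, today)
    if idle < DORMANT_DAYS:
        return "no_action"
    if acct.enabled:
        return "disable_dormant"             # expire the account
    if idle >= DORMANT_DELETE_DAYS:
        return "delete_dormant"              # still dormant after 90 days
    return "keep_disabled"


def monthly_review(accounts, hr_status: dict, today) -> dict:
    """Map each user id to the action the policy requires at this review."""
    return {a.user_id: review_account(a, hr_status, today) for a in accounts}


# Constructed directory export and HR list; the review is dated 30/11/2011.
SAMPLE_ACCOUNTS = [
    Account("jsmith", "Users", True, date(2010, 1, 4), date(2011, 11, 28), None),
    Account("abrown", "Users", True, date(2010, 1, 4), date(2011, 10, 15), None),
    Account("cgreen", "Users", False, date(2009, 6, 1), date(2011, 8, 20), date(2011, 10, 1)),
    Account("dwhite", "Users", True, date(2011, 11, 29), None, None),
    Account("hpatel", "Users", False, date(2010, 3, 8), date(2011, 10, 10), date(2011, 11, 10)),
    Account("ejones", DELETED_CONTAINER, False, date(2008, 2, 11), date(2011, 7, 14), date(2011, 7, 15)),
    Account("fkhan", DELETED_CONTAINER, False, date(2010, 9, 6), date(2011, 10, 19), date(2011, 10, 20)),
    Account("glee", DELETED_CONTAINER, False, date(2009, 4, 20), date(2011, 9, 9), date(2011, 9, 10)),
]
SAMPLE_HR = {
    "jsmith": "current", "abrown": "current", "cgreen": "current", "dwhite": "current",
    "hpatel": "current", "ejones": "left", "fkhan": "left", "glee": "current",
}

if __name__ == "__main__":
    for uid, action in monthly_review(SAMPLE_ACCOUNTS, SAMPLE_HR, "2011-11-30").items():
        print(f"{uid:8} {action}")
```

The "refer_hr_mismatch" outcome is the case section 4.4 d anticipates (a leaver who has moved within the Trust or returned); routing it to a person rather than deleting automatically is what keeps the monthly HR comparison from destroying a live account, and the never-logged-on branch stops a new starter (section 4.1) from being classed as dormant before they have had 30 days to use the account.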