MANAGEMENT OF USER ACCOUNTS AND PASSWORD POLICY AUGUST 2011. Version 2.0



Similar documents
ELECTRONIC MAIL ( ) September Version 3.1

SERVER, DESKTOP AND PORTABLE SECURITY. September Version 3.0

IT ACCESS CONTROL POLICY

Informatics Policy. Information Governance. Network Account and Password Management Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

How To Protect Decd Information From Harm

Information Security Policy

Data Protection Breach Management Policy

Network Password Management Policy & Procedures

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

Information Security

Policies and Procedures. Policy on the Use of Portable Storage Devices

Rotherham CCG Network Security Policy V2.0

Access Control Policy

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy

Information Security Incident Management Policy

LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

Information Security Policy

NETWORK SECURITY POLICY

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ULH-IM&T-ISP06. Information Governance Board

University of Sunderland Business Assurance Information Security Policy

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Mike Casey Director of IT

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

Data Transfer Policy. Data Transfer Policy London Borough of Barnet

Information Security Policy. Policy and Procedures

INFORMATION SECURITY POLICY

Estate Agents Authority

Acceptable Use of Information Systems Standard. Guidance for all staff

Corporate Information Security Policy

Policy Title: HIPAA Security Awareness and Training

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers

DATA PROTECTION AND DATA STORAGE POLICY

Network Security Policy

PBGC Information Security Policy

Version: 2.0. Effective From: 28/11/2014

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction

Password Standards Policy

Dene Community School of Technology Staff Acceptable Use Policy

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board

Service Children s Education

Third Party Security Requirements Policy

Network and Workstation Acceptable Use Policy

Human Resources Policy documents. Data Protection Policy

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction Policy Statement Purpose...

How To Ensure Network Security

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

University of Liverpool

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Privacy and Cloud Computing for Australian Government Agencies

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

INFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

REMOTE WORKING POLICY

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé

LSE PCI-DSS Cardholder Data Environments Information Security Policy

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

Recommendations. That the Cabinet approve the withdrawal of the existing policy and its replacement with the revised document.

Information Governance Strategy & Policy

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY

Wellesley College Written Information Security Program

Remote Access and Home Working Policy London Borough of Barnet

University of Aberdeen Information Security Policy

Portable Devices and Removable Media Acceptable Use Policy v1.0

Berwick Academy Policy on E Safety

SOCIAL MEDIA POLICY. Introduction

Newcastle University Information Security Procedures Version 3

Working Together Aiming High!

ACCEPTABLE IT AND COMPUTER USE POLICY GUIDE FOR STAFF

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Information Technology Policy and Procedures

Transcription:

MANAGEMENT OF USER ACCOUNTS AND PASSWORD POLICY AUGUST 2011 Version 2.0 Western Health and Social Care Trust Page 0 of 6 Management of User Accounts Policy

Policy Title MANAGEMENT OF USER ACCOUNTS AND PASSWORD POLICY Policy Reference Number CORP09/009 Implementation Date September 2009 Revised Date August 2011 Review Date August 2013 Responsible Officer FERGAL DUREY, HEAD OF ICT Western Health and Social Care Trust Page 1 of 6 Management of User Accounts Policy

Table of Contents 1. Background and Purpose 3 2. Obtaining Access to Systems 3 3. Acceptable Do s and Don ts 3 4. Counter Measures 4 5. Additional Resouces 5 6. Training 5 8. Further Information 5 Western Health and Social Care Trust Page 2 of 6 Management of User Accounts Policy

1. Background and Purpose User accounts and passwords are used by the Trust to grant access to the vast majority of information systems and resources. The effective maintenance of these accounts and passwords on Trust systems, and other electronic services, is a critical part of maintaining our ICT infrastructure and the information it holds. Given the particularly sensitive nature of the data that Trust employees have access to, there is a legislative requirement on the organisation (and its staff) to employ, promote and adhere to standards that will safeguard patient / client data against unauthorised access and / or handling. The purpose of this policy is to establish the rules for the creation, monitoring, control and removal of user accounts. It applies equally to all staff with access to the Trust network, the HSC wide area network (WAN) and any of the clinical or corporate systems that reside thereon. The measures outlined in this policy will not be effective without the cooperation of all Western Trust staff. The cooperation of all such staff, and acceptance of this policy, is therefore a prerequisite to approval for user accounts. 2. Obtaining Access to Systems Requests for network or system user accounts or changes to existing accounts will be actioned upon receipt of an e-mail request from a suitably authorised officer. For the purposes of this policy a suitably authorised officer should be:- The line manager of the member of staff requiring access and at Band 5 or above NB. All account requests should be directed to the ICT Service Desk ithelpdesk@westhealth.n-i.nhs.uk Under specific circumstances 3 rd Party Suppliers may be able to obtain access to the Trust network or systems. For further details contact- ICT Security Manager, ICT Department, Altnagelvin Area Hospital, Glenshane Road, Londonderry, BT47 6SB. Tel: 028 71865286 3. Acceptable use (Do s and Don ts) User accounts For certain systems, e.g. regionally hosted, specific personal information is required such as National Insurance Numbers. The provision of this information is a prerequisite to the allocation of a user account. Staff are NOT permitted to authorise the creation of accounts and set access privileges for their own use. New accounts will be created with a default password that must be changed by the account owner upon receipt. Western Health and Social Care Trust Page 3 of 6 Management of User Accounts Policy

Line managers are responsible for ensuring that staff changes which affect system accounts or access are reported immediately to the ICT Team or the respective system manager. ICT Security officers and respective system managers will carry out regular audits of user accounts to ensure such things as; employment status; access rights and privileges etc Passwords Passwords are the first line of protection for user accounts and the strength of a user s passwords is key in the Trust s defence against security breaches. Trust staff are discouraged from using Trust account passwords for external purposes e.g. registering with external websites. Screens, keyboards and printers should be appropriately positioned so that they are protected against accidental disclosure of passwords or any other sensitive data. Passwords should:- Not be disclosed or shared. (No e-mailing) Not be written down. If it is necessary to write down a password (e.g. for contingency purposes) it should be stored in a sealed envelope in a secure cabinet. Not attached to any PC, portable device, CD etc Consist of at least one non-alphabetic character. Be a minimum of 7 characters Be changed at regular intervals. (Currently 90 days) Be unique for each individual login account. Not relate to the user or system being accessed. Not be pre-coded into scripts or icons for convenience Be changed immediately on suspicion of any compromise. Such incidents must be reported to the ICT Service Desk Be changed more frequently for privileged accounts e.g. those with higher levels of systems administration. The above is not a comprehensive list; for further guidance the reader is referred to the ICT Operations Policy.Note: Use of software for password-cracking or any other means of discovering passwords is strictly prohibited and may lead to disciplinary action. 4. Countermeasures This policy should be seen as one of a number of countermeasures put in place to protect the organisation and its employees from such things as inadvertent exposure to illicit material, malicious software etc, and also the possibility of legal action as a direct result of the abuse or misuse of ICT systems. Additional protection is provided by the following:- Western Health and Social Care Trust Page 4 of 6 Management of User Accounts Policy

Password aging Where systems allow, passwords will be limited to a specific period of use (currently 90 days) before a forced change Monitoring i) The Trust reserves the right to monitor the use of all accounts and may in certain circumstances (e.g. annual leave) approve access to an account in the absence of a member of staff. ii) Suspected cases of abuse on the system or breaches in policy will be rigorously investigated within HR guidelines and in conjunction with HR staff. Removal i) Access to systems may be withdrawn at any time as a result of, or pending the outcome of, investigations into suspected abuse or misuse ii) iii) User accounts will be terminated for staff who leave the organisation Dormant e-mail accounts, or accounts not otherwise accessed on a regular basis (6 months), will be deemed suitable for removal. Accounts will initially be disabled then, after a further 6 months, e-mail and data will be archived. The account will be deleted unless ICT is notified. There may be occasions where accounts may have to be deleted retrospectively. Special leave or periods of extended absence will be taken into consideration. 5. Additional Resources This policy should be read in conjunction with other policies relating to effective and appropriate use of ICT services, including 1) ICT Operations Policy 2) E-mail Policy 3) Internet policy 4) Server, Desktop and Portable Security Policy 5) Malicious Software Policy 6. Training The Trust is committed to staff development and seeks to consistently improve development standards and opportunities for staff in line with organisational objectives, policies and procedures. Should you or your staff require support in the effective use of ICT systems or applications please contact the ICT Training Team via the IT Service Desk. 7. Further Information For further information in relation to this policy please contact:- ICT Training Department ICT Department Altnagelvin Area Hospital Glenshane Road Londonderry BT47 6SB Tel: 028 71865286 Western Health and Social Care Trust Page 5 of 6 Management of User Accounts Policy

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information