Trust Operational Policy. Information Security Department. Firewall Management Policy




Trust Operational Policy
Information Security Department
Firewall Management Policy
Policy Reference: 3545

Document Control
Document Title: Firewall Management Policy
Document Reference: 3545
Author/Contact: Pauline Nordoff-Tate, Information Assurance Manager
Document Impact Assessed: Yes/No, Date: January 2012
Version: 4
Status: Approved
Publication Date: January 2012
Review Date: January 2014
Approved by (Executive): Dr P Williams, Caldicott Guardian, Date: 23/01/12
Ratified by (Relevant Group): Information Governance Group, Date: 23/01/12
Distribution: Royal Liverpool and Broadgreen University Hospitals NHS Trust intranet using SharePoint, which will maintain the policy document in conjunction with each document author. Please note that the Intranet version of this document is the only version that is maintained. Any printed copies must therefore be viewed as uncontrolled and, as such, may not necessarily contain the latest updates and amendments.

Document History
Version / Date / Comments / Author
1.2 / 01.03.06 / / Phil Pearse
2.0 / 27/11/09 / Reformatted / Paul McGuinness
2.1 / 01/12/09 / Minor Revisions / Mark Haynes
2.2 / 20/09/10 / Minor Revisions / Mark Haynes
3.0 / 24/01/10 / Minor Revisions / Mark Haynes
4.0 / 12/01/12 / Format changes and changes in 4.2, 4.6 and 6 / Pauline Nordoff-Tate

Review Process Prior to Ratification
Name of Group/Department/Specialist Committee / Date
IT Department / March 2006
Information Governance Group (by email) / January 2010
Information Governance Group / 23 January 2012

Firewall Management Policy 3

Table of Contents
1.0 INTRODUCTION 5
1.1 Equality and Diversity 5
2.0 OBJECTIVES 5
3.0 SCOPE OF POLICY 6
4.0 POLICY 6
4.1 Firewall 6
4.2 Change Procedures 6
4.3 Firewall Security 6
4.4 Physical Security 6
4.5 Logical Security 7
4.6 Firewall Monitoring 7
4.7 Suspicious Activity Monitoring 7
4.8 Log File Monitoring 7
4.9 Security Monitoring 7
4.10 Analysis 8
4.11 Port Control 8
5.0 ROLES AND RESPONSIBILITIES 8
6.0 ASSOCIATED DOCUMENTS AND REFERENCES 8
7.0 TRAINING AND RESOURCES 8
8.0 MONITORING AND AUDIT 8
8.1 Recording and Monitoring of Equality & Diversity 9
APPENDIX 1 REQUEST FOR FIREWALL CHANGE 10

1.0 Introduction
This document details the procedures undertaken during the operation of the Royal Liverpool & Broadgreen Hospitals NHS Trust Firewall and details the requirements involved in securing the Trust Network Facilities through the use of a firewall.

1.1 Equality and Diversity
The Trust is committed to an environment that promotes equality and embraces diversity in its performance as an employer and service provider. It will adhere to legal and performance requirements and will mainstream equality and diversity principles through its policies, procedures and processes. This policy should be implemented with due regard to this commitment.

To ensure that the implementation of this policy does not have an adverse impact in response to the requirements of the Race Relations (Amendment) Act, the Disability Discrimination Act 2005 and the Equality Act 2006, this policy has been screened for relevance during the policy development process and a full impact assessment conducted where necessary prior to consultation. The Trust will take remedial action when necessary to address any unexpected or unwarranted disparities and monitor practice to ensure that this policy is fairly implemented.

This policy and procedure can be made available in alternative formats on request, including large print, Braille, Moon, audio and different languages. To arrange this please refer to the Trust translation and interpretation policy in the first instance.

The Trust will endeavour to make reasonable adjustments to accommodate any employee/patient with particular equality and diversity requirements in implementing this policy and procedure. This may include accessibility of meeting/appointment venues, providing translation, arranging an interpreter to attend appointments/meetings, extending policy timeframes to enable translation to be undertaken, or assistance with formulating any written statements.

2.0 Objectives
This Policy will document the procedures and mechanisms for requesting and applying changes to the firewall rule sets protecting the Trust on its Internet Gateway.

3.0 Scope of Policy
This policy covers the management of the Trust's firewall. In addition it will further define the security standards that the Trust Firewall must comply with in its operational role.

4.0 Policy

4.1 Firewall
A system designed to prevent unauthorised access to or from a private network through protecting and controlling both internal and external connections.

4.2 Change Procedures
Firewall changes have been deemed as business as usual (BAU) changes or standard agreed changes by the Change Advisory Board (CAB), and the following process must be followed:
1. Complete a Change Request Form (see Appendix 1).
2. The requested/required change must be assessed and approved by a senior member of the Network Team. This assessment will evaluate such areas as the potential impact upon other Network Devices and Network Services.
3. The change application must be either approved or rejected, providing justification for the change approval/rejection.
4. The change must be implemented at a time that will have the least impact upon normal Firewall/Network Operations.

All of the change procedures must be fully documented and authorised and retained by the Network Team. When an emergency change is required, the procedures set out in the Computer Emergency Response Team Policy must be followed.

4.3 Firewall Security
The security of all the network devices may be addressed on two levels: the physical and the logical. These two aspects ensure that all devices are secure and that no unauthorised access is permitted.

4.4 Physical Security
The Firewall physical device is located in a secure area of the Trust premises. This location is restricted through the use of secure key codes and swipe cards. These areas may only be accessed by a restricted number of authorised staff.

Physical access to secure areas is operated in accordance with the Trust's Secure Area Access Policy.

4.5 Logical Security
Access to the Trust Firewall is governed by password authentication. Only the Network Manager and the Network Engineer are permitted access to the Firewall. Any changes to the device must be performed by either the Network Manager or the Network Engineer role. No other member of staff is authorised or capable of accessing the Firewall.

4.6 Firewall Monitoring
Regular monitoring of the Firewall will occur so that the device is functioning properly. It will also ensure that the Trust Network is being provided with the requisite protection as stipulated in NPFIT-FNT-TO-IG-GPG-0024.04.

4.7 Suspicious Activity Monitoring
The Firewall will be continually monitored for any suspicious activity occurring. This monitoring will enable the Network Manager to identify any potential threats arriving through the Firewall and enable a swift response to potential dangers.

4.8 Log File Monitoring
Due to the nature and size of log files, it is accepted that regular monitoring is not always feasible. As such, monitoring of any Firewall logs will occur only under specific circumstances such as:
- an attempted intrusion
- suspicious inbound/outbound activity
- on the request of IT Management or the Information Security Officer
This list is not exhaustive.

4.9 Security Monitoring
The Network Manager will perform regular auditing of the Firewall to ensure that the integrity of said devices has not been compromised. Examples of this auditing will take the form of:
- regularly auditing access to the devices to ensure that only authorised users have gained access
- monitoring the devices for any suspicious activity
This list is not exhaustive.

4.10 Analysis
Information gathered from the monitoring of the Firewall will be utilised to assess such areas as security. This will enable the Network Manager to efficiently assess the performance of the device and ensure that security is maintained.

4.11 Port Control
The Firewall will provide access to the Trust Network only through a restricted number of Ports. Any Port that is not used to provide a connection will be disabled to prevent unauthorised access and ensure the Trust Network Security is maintained.

5.0 Roles and Responsibilities
Operational responsibility rests with the Network Manager, and with the Network Engineer when the Network Manager is unavailable.

6.0 Associated documents and references
The International Standards Organisation ISO 27001 is the code of practice for information security management soon to be adopted by the NHS. Section 9.4.2 states that: "actively controlling allowed source to destination communications via security gateways, e.g. firewalls".

7.0 Training and resources
The implementation of policies in this area will be carried out across the Trust by all involved staff and will be led by the Information Assurance Manager at the Trust and the Information Security Manager at the HIS. Reference may be made to this policy during the Data Protection and Information Security Training. Managers will issue the policy to staff as portable device equipment is ordered and ensure they are kept updated at least annually.

8.0 Monitoring and audit
The Information Governance Group is the Trust Committee with responsibility for the formulation of Information Governance Policies and approval of work programmes. This group has senior level representation from all appropriate areas to ensure the Trust steers this agenda appropriately. The Information Governance Toolkit (IGT) will be used by the Trust to conduct baseline audit and construct action plans for future compliance with this agenda.

The Risk Manager will maintain a Trust corporate risk register, which is populated on the Datix system and is the responsibility of all staff within the organisation.

8.1 Recording and Monitoring of Equality & Diversity
The Trust understands the business case for equality and diversity and will make sure that this is translated into practice. Accordingly, all policies and procedures will be monitored to ensure their effectiveness. Monitoring information will be collated, analysed and published on an annual basis as part of our Single Equality and Human Rights scheme. The monitoring will cover all strands of equality legislation and will meet statutory employment duties under race, gender and disability. Where adverse impact is identified through the monitoring process the Trust will investigate and take corrective action to mitigate and prevent any negative impact. The information collected for monitoring and reporting purposes will be treated as confidential and it will not be used for any other purpose.

Appendix 1 Request for Firewall Change
This request form is for security purposes and must be completely filled in. The request will not be processed unless all fields are filled in.

Section 1: For completion by the requesting organisation
Requesting Organisation: Organisation
Requestor's Contact Details: Name / Position / Address / Post Code / Tel Number / Email
Requirement:
External Host(s): IP Address(es):
Internal Host(s): IP Address(es):
Port Number(s):
Application Protocol: TCP / UDP / Other (please state):

Section 2: For completion by Trust Network Manager
Firewall Change Reference Number:
Date Received:
Action Taken:
Authorised By:
Designation:
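The approval steps of section 4.2, the Appendix 1 form fields and the port-control rule of section 4.11, worked through as an added Python example that is not part of the Trust's policy: an incomplete form is refused, every approval or rejection is recorded with its justification, and the rules present on the device are reconciled against the register so that any permitted port with no approved change behind it is listed. The field names, the FW-nnnn reference scheme and the sample request and rule set are assumptions.

```python
import ipaddress

# Fields of the Appendix 1 form (names assumed); an incomplete form is not processed.
REQUIRED = ("organisation", "contact", "requirement", "external_hosts",
            "internal_hosts", "ports", "protocol")

# Constructed sample data, not taken from the policy: one request and the rules found on the device.
SAMPLE_REQUEST = {"organisation": "Example Pathology Ltd", "contact": "j.smith@example.org",
                  "requirement": "results feed", "external_hosts": ["203.0.113.10"],
                  "internal_hosts": ["10.0.5.20"], "ports": [443], "protocol": "TCP"}
DEVICE_RULES = [("10.0.5.20", 443, "TCP"), ("10.0.5.21", 3389, "TCP")]  # second rule has no approved change

def validate_request(req):
    """Return the problems with an Appendix 1 request; an empty list means the form is complete."""
    problems = [f"missing field: {f}" for f in REQUIRED if not req.get(f)]
    for key in ("external_hosts", "internal_hosts"):
        for host in req.get(key, []):
            try:
                ipaddress.ip_network(host, strict=False)  # accepts a single address or a CIDR range
            except ValueError:
                problems.append(f"{key}: invalid address {host!r}")
    for port in req.get("ports", []):
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"invalid port {port!r}")
    proto = req.get("protocol", "")
    if proto not in ("TCP", "UDP") and not proto.startswith("Other: "):
        problems.append("protocol must be TCP, UDP or 'Other: <stated>'")
    return problems

def record_decision(req, approved, justification, authorised_by, register):
    """Section 4.2 steps 2-3: approve or reject with a justification, and retain the record."""
    problems = validate_request(req)
    if problems:
        raise ValueError("request not processed: " + "; ".join(problems))
    if not justification.strip():
        raise ValueError("a justification is required for approval or rejection")
    decision = {"reference": f"FW-{len(register) + 1:04d}",  # assumed reference scheme
                "approved": approved, "justification": justification,
                "authorised_by": authorised_by}
    register.append((req, decision))
    return decision

def unapproved_rules(rules, register):
    """Section 4.11 check: every permitted (internal host, port, protocol) must trace to an approved change."""
    allowed = {(host, port, req["protocol"])
               for req, decision in register if decision["approved"]
               for host in req["internal_hosts"] for port in req["ports"]}
    return [rule for rule in rules if rule not in allowed]

def audit_sample():
    """Approve the sample request, then audit the device rules against the register."""
    register = []
    record_decision(SAMPLE_REQUEST, True, "No impact on other network services", "Network Manager", register)
    return unapproved_rules(DEVICE_RULES, register)  # returns [("10.0.5.21", 3389, "TCP")]
```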
