Trust Operational Policy Information Security Department Firewall Management Policy Policy Reference: 3545
Document Control Document Title Author/Contact Document Reference 3545 Firewall Management Policy Pauline Nordoff-Tate, Information Assurance Manager Document Impact Assessed Yes/No Date: January 2012 Version 4 Status Approved Publication Date January 2012 Review Date January 2014 Approved by (Executive) Dr P Williams, Caldicott Guardian Date: 23/01/12 Ratified by (Relevant Group) Information Governance Group Date: 23/01/12 Distribution: Royal Liverpool and Broadgreen University hospitals NHS Trust-intranet using Sharepoint which will maintain the policy document in conjunction with each document author. Please note that the Intranet version of this document is the only version that is maintained. Any printed copies must therefore be viewed as uncontrolled and as such, may not necessarily contain the latest updates and amendments.
Document Control Document History Version Date Comments Author 1.2 01.03.06 Phil Pearse 2.0 27/11/09 Reformatted Paul McGuinness 2.1 2.2 01/12/09 20/09/10 Minor Revisions Minor Revisions Mark Haynes Mark Haynes 3.0 24/01/10 Minor Revisions Mark Haynes 4.0 12/01/12 Format changes and changes in 4.2;4.6 and 6 Pauline Nordoff-Tate Review Process Prior to Ratification: Name of Group/Department/Specialist Committee Date IT Department March 2006 Information Governance Group by email January 2010 Information Governance Group 23 January 2012 Firewall Management Policy 3
Table of Contents 1.0 INTRODUCTION 5 1.1 Equality and Diversity 5 2.0 OBJECTIVES 5 3.0 SCOPE OF POLICY 6 4.0 POLICY 6 4.1 Firewall 6 4.2 Change Procedures 6 4.3 Firewall Security 6 4.4 Physical Security 6 4.5 Logical Security 7 4.6 Firewall Monitoring 7 4.7 Suspicious Activity Monitoring 7 4.8 Log File Monitoring 7 4.9 Security Monitoring 7 4.10 Analysis 8 4.11 Port Control 8 5.0 ROLES AND RESPONSIBILITES 8 6.0 ASSOCIATED DOCUMENTS AND REFERENCES 8 7.0 TRAINING AND RESOURCES 8 8.0 MONITORING AND AUDIT 8 8.1 Recording and Monitoring of Equality & Diversity 9 APPENDIX 1 REQUEST FOR FIREWALL CHANGE 10 Firewall Management Policy 4
1.0 Introduction This document details the procedures undertaken during the operation of the Royal Liverpool & Broadgreen Hospitals NHS Trust Firewall and details the requirements involved in securing the Trust Network Facilities through the use of a firewall. 1.1 Equality and Diversity The Trust is committed to an environment that promotes equality and embraces diversity in its performance as an employer and service provider. It will adhere to legal and performance requirements and will mainstream equality and diversity principles through its policies, procedures and processes. This policy should be implemented with due regard to this commitment. To ensure that the implementation of this policy does not have an adverse impact in response to the requirements of the Race Relations (Amendment Act), the Disability Discrimination Act 2005, and the Equality Act 2006 this policy has been screened for relevance during the policy development process and a full impact assessment conducted where necessary prior to consultation. The Trust will take remedial action when necessary to address any unexpected or unwarranted disparities and monitor practice to ensure that this policy is fairly implemented. This policy and procedure can be made available in alternative formats on request including large print, Braille, moon, audio, and different languages. To arrange this please refer to the Trust translation and interpretation policy in the first instance. The Trust will endeavor to make reasonable adjustments to accommodate any employee/patient with particular equality and diversity requirements in implementing this policy and procedure. This may include accessibility of meeting/appointment venues, providing translation, arranging an interpreter to attend appointments/meetings, extending policy timeframes to enable translation to be undertaken, or assistance with formulating any written statements. 2.0 Objectives This Policy will document the procedures and mechanisms for requesting and applying changes to the firewall rule sets protecting the Trust on its Internet Gateway. Firewall Management Policy 5
3.0 Scope of Policy This policy covers the management of the Trust s firewall. In addition it will further define the security standards that the Trust Firewall must comply with in its operational role. 4.0 Policy 4.1 Firewall A system designed to prevent unauthorised access to or from a private network through protecting and controlling both internal and external connections. 4.2 Change Procedures Firewall changes have been deemed as business as usual (BAU) changes or standard agreed changes by the Change Advisory Board (CAB) and the following process must be followed: 1. Complete a Change Request Form (See Appendix 1) 2. Requested/required change must be assessed and approved by a senior member of the Network Team. This assessment will evaluate such areas as the potential impact upon other Network Devices and Network Services. 3. Change application must be either approved or rejected, providing justification for the change approval/rejection. 4. Change must be implemented at a time that will have the least impact upon normal Firewall/Network Operations. All of the change procedures must be fully documented and authorized and retained by the Network Team. When an emergency change is required, then the procedures set out in the Computer Emergency Response Team Policy must be followed. 4.3 Firewall Security The security of all the network devices may be addressed on two levels: the physical and the logical. These two aspects ensure that all devices are secure and that no unauthorised access is permitted. 4.4 Physical Security The Firewall physical device is located in a secure area of the Trust premises. This location is restricted through the use of secure key codes and swipe cards. These areas may only be accessed by a restricted number of authorised staff. Firewall Management Policy 6
The physical access to secure areas is operated in accordance with the Trusts Secure Area Access Policy. 4.5 Logical Security Access to the Trust Firewall is governed by password authentication. Only the Network Manager and the Network Engineer are permitted access to the Firewall. Any changes to the device must be performed by either of the Network or Network Engineer roles. No other member of staff is authorised or capable of accessing the Firewall. 4.6 Firewall Monitoring Regular monitoring of the Firewall will occur so that the device is functioning properly. It will also ensure that the Trust Network is being provided with the requisite protection as stipulated in NPFIT-FNT-TO- IG-GPG-0024.04 4.7 Suspicious Activity Monitoring The Firewall will be continually monitored for any suspicious activity occurring. This monitoring will enable the Network Manager to identify any potential threats arriving through the Firewall and enable a swift response to potential dangers. 4.8 Log File Monitoring Due to the nature and size of log files, it is accepted that regular monitoring is not always feasible. As such, monitoring of any Firewall logs will occur only under specific circumstances such as: An attempted intrusion Suspicious Inbound/Outbound activity On the request of the IT Management or Information Security Officer This list is not exhaustive. 4.9 Security Monitoring The Network Manager will perform regular auditing of the Firewall to ensure that the integrity of said devices has not been compromised. Examples of this auditing will take the form of: regularly auditing access to the devices to ensure that only authorised users have gained access monitoring the devices for any suspicious activity etc. This list is not exhaustive. Firewall Management Policy 7
4.10 Analysis Information gathered from the monitoring of the Firewall will be utilised to assess such areas as security. This will enable the Network Manager to efficiently assess the performance of the device and ensure that security is maintained. 4.11 Port Control The Firewall will provide access to the Trust Network only through a restricted number of Ports. Any Port that is not used to provide a connection will be disabled to prevent unauthorised access and ensure the Trust Network Security is maintained. 5.0 Roles and Responsibilities Operational responsibility rests with the Network Manager and the Network Engineer when the Network Manager is unavailable 6.0 Associated documents and references The International standards organisation IS0 27001 is the code of practice for information security management soon to be adopted by the NHS. Section 9.4.2 states that: actively controlling allowed source to destination communications via security gateways, e.g. firewalls 7.0 Training and resources The implementation of policies in this area will be carried out across the Trust by all involved staff and will be lead by the Information Assurance Manager at the Trust and the Information Security Manager at the HIS. Reference may be made to this policy during the Data Protection and Information Security Training. Managers will issue the policy to staff as portable device equipment is ordered and ensure they are kept updated at least annually. 8.0 Monitoring and audit The Information Governance Group is the Trust Committee with responsibility for the formulation of Information Governance Policies and approval of work programmes. This group has senior level representation from all appropriate areas to ensure the Trust steers this agenda appropriately. The Information Governance Toolkit (IGT) will be used by the Trust to conduct baseline audit and construct action plans for future compliance with this agenda. Firewall Management Policy 8
The Risk Manager will maintain a Trust corporate risk register which is populated on the Datix system and is the responsibility of all staff within the organisation. 8.1 Recording and Monitoring of Equality & Diversity The Trust understands the business case for equality and diversity and will make sure that this is translated into practice. Accordingly, all policies and procedures will be monitored to ensure their effectiveness. Monitoring information will be collated, analysed and published on an annual basis as part of our Single Equality and Human Rights scheme. The monitoring will cover all strands of equality legislation and will meet statutory employment duties under race, gender and disability. Where adverse impact is identified through the monitoring process the Trust will investigate and take corrective action to mitigate and prevent any negative impact. The information collected for monitoring and reporting purposes will be treated as confidential and it will not be used for any other purpose. Firewall Management Policy 9
Appendix 1 Request for Firewall Change This request form is for security purposes and must be completely filled in. The request will not be processed unless all fields are filled in. Section 1: For completion by the requesting organisation Requesting Organisation: Requestors Contact Details: Organisation Name Position Address Post Code Tel Number Email Requirement: External Host(s): Internal Host(s): IP Address(es): IP Address(es): Port Number(s): Application Protocol: TC P UD P Other (please state): Section 2: For Completion By Trust Network Manager Firewall Change Reference Number: Date Received: Action Taken: Authorised By: Designation: Firewall Management Policy 10
Firewall Management Policy 11