BASINGSTOKE AND NORTH HAMPSHIRE NHS FOUNDATION TRUST

Remote Access Policy

Summary

This is a new document which sets out the policy for remote access to the Trust's network and systems. Remote access is a method of accessing files and systems when away from the normal work environment, and it is becoming more common in the NHS.
Implementation Plan

- Share with Information Governance Group for comments
- Share with all Governance Boards for verification

Summary of changes

This is a new policy which sets out the policy for remote access to the Trust's network and systems. Remote access is a method of accessing files and systems that is becoming more common in the NHS.

Action needed and owner of action

- This policy will be sent to the Management Distribution list
- The policy owner will place an item in Pulse
- Managers are responsible for dissemination of the information to their staff
Table of Contents

1. WHAT IS REMOTE ACCESS?
2. PURPOSE OF POLICY
3. SCOPE
4. OBJECTIVES
5. PRINCIPLES
6. RISKS
7. REMOTE ACCESS PROCEDURES
8. CONDITIONS OF USE
9. PROVISION OF EQUIPMENT
10. REIMBURSEMENT
11. CONFIDENTIALITY
12. COMPLIANCE
13. EQUALITY AND DIVERSITY
14. REVIEW AND MONITORING
15. RELATED POLICIES
16. CONTRIBUTORS
1. WHAT IS REMOTE ACCESS?

Remote access refers to any technology that enables you to connect users in geographically dispersed locations. It is envisaged that this access will be used for on-call working or working from home where approved.

2. PURPOSE OF POLICY

Information and information systems are important corporate assets, and it is essential to take all the necessary steps to ensure that they are at all times protected, available and accurate to support the operation and continued success of the Trust.

Remote access by staff and other non-NHS organisations is a method of accessing files and systems that is becoming more common in the NHS. This document sets out the policy for remote access and includes a set of common controls which can be applied to reduce the risks associated with a remote access service.

The Trust will support staff who, in appropriate circumstances, wish to undertake a part of their work either at home or from a remote location.

Wilful or negligent disregard of this policy will be investigated and may be treated as a disciplinary offence.

3. SCOPE

This policy covers all types of remote access, whether fixed or roving, including:

- Travelling users (e.g. staff working across sites or temporarily based at other locations)
- Home workers (e.g. IT support, Corporate Managers, IT development staff, Clinicians)
- Non-NHS staff (e.g. Social Services, contractors and other 3rd party organisations)

This procedure outlines the method used for remote access.

4. OBJECTIVES

The objectives of the Trust's policy on remote access by staff are:

- To provide secure and resilient remote access to the Trust's information systems.
- To preserve the integrity, availability and confidentiality of the Trust's information and information systems.
- To manage the risk of serious financial loss, loss of client confidence or other serious business impact which may result from a failure in security.
- To comply with all relevant regulatory and legislative requirements (including data protection laws) and to ensure that the Trust is adequately protected under computer misuse legislation.

5. PRINCIPLES

In providing remote access to staff, the following high-level principles will be applied:

- A formal risk assessment will be conducted for each application to which remote access is granted, to assess risks and identify the controls needed to reduce those risks to an acceptable level.
- Remote users will be restricted to the minimum services and functions necessary to carry out their role.

6. RISKS

The Trust recognises that by providing staff with remote access to information systems, risks are introduced that may result in serious business impact, for example:

- unavailability of network, systems or target information
- degraded performance of remote connections
- loss or corruption of sensitive data
- breach of confidentiality
- loss of or damage to equipment
- breach of legislation or non-compliance with regulatory or ethical standards.

7. REMOTE ACCESS PROCEDURES

This section outlines the control procedures in place for remote access.

- Remote access must be approved by the line manager, with final approval given by the Chief Executive.
- Connection will only be made to the Trust network via secure access.
- A single entry point will control access to the network, e.g. firewall and secure ID token.
- Users must authenticate to the network by using two-factor authentication:
  o Secure token across a broadband line
  o Relevant Trust network user account (user name and password)

8. CONDITIONS OF USE

Employees must identify themselves to the network by using their own logon credentials. Two-factor credentials must be kept confidential at all times. Lost tokens must be reported immediately so that accounts can be disabled; the loss must also be documented as a security incident.
Employees who are leaving the Trust must ensure that all equipment is returned to the IT Department so that accounts can be disabled on the last day of employment. If an employee's contract is terminated, it is the responsibility of HR to notify the IT Department in order to ensure the necessary accounts are disabled.

Any agreement on remote access is not permanent and may be brought to an end at any time by the member of staff or the Trust. Authorisation will be based on the needs of the Trust, the job, and the department.

Members of staff must comply with all Trust rules, policies, practices and instructions whilst accessing remotely. Any failure to do so may result in approval to access remotely being revoked and/or disciplinary action.

9. PROVISION OF EQUIPMENT

The Trust will not provide or maintain a home PC or broadband connection, but will provide the necessary additional equipment to enable remote connection to the Trust's network if necessary and required to suit the needs of the user. This equipment could include:

- An active token, synchronised to the network, to provide one-time passwords for secure login;
- Trust laptops to enable remote connection to the network;
- Radiology diagnostic monitors.

The Trust is not liable or responsible for the support of home equipment, except in respect of the equipment and software detailed above and directly relevant to remote access to the Trust's systems.

The Trust monitors who logs into the network and activity within the network. Access to the remote access server is provided on the understanding that this is the case.

Any hardware or software provided by the Trust remains the property of the Trust and shall be returned at the end of the remote access arrangement. An equipment/software inventory will be maintained by the IT Service Desk for assigned Trust equipment to be used off-site.
Products, documents and other records used and/or developed while working remotely remain the property of, and will be available to, the Trust. This information is subject to Trust policies regarding confidentiality and access, including the Caldicott recommendations.

Trust-owned software may not be duplicated. Staff working remotely using Trust software must adhere to the manufacturer's licensing agreements.
Each member of staff accessing remotely is responsible for protecting the integrity of copyrighted software, and for following the policies, procedures and practices related to it to the same extent applicable in the conventional workplace.

10. REIMBURSEMENT

The Trust will not reimburse staff for the use of any privately owned equipment. Purchasing and maintenance of personal office furniture or equipment (e.g. desks, filing cabinets, answering devices, etc.) is the responsibility of the member of staff accessing remotely.

Charges for calls made to the specified remote access server numbers will be reimbursed against a completed expenses claim form with the appropriate paid and itemised invoice. The member of staff should pay for the standard broadband connection.

11. CONFIDENTIALITY

Staff should ensure that they are meeting the requirements of the Data Protection Act 1998, and at all times behave in accordance with UK law. Staff working on Trust or associated organisations' material/work must at all times take extreme care to ensure that confidentiality is maintained. Sensitive and confidential material must not be taken out of the conventional workplace without prior approval by the member of staff's line manager.

12. COMPLIANCE

It is the responsibility of all users to ensure that they have read, understood and abide by this standard.

13. EQUALITY AND DIVERSITY

Staff, where applicable, will have access to remote access, subject to the normal criteria being met and in line with any reasonable adjustments required under the Disability Discrimination Act 2005, as set out in the Trust's Equality & Diversity Policy.

14. REVIEW AND MONITORING

The Trust has in place routines to regularly audit compliance with this and other standards.

15. RELATED POLICIES

- IT Security Policy (CO/163/09)
- Equality & Diversity Policy
16. CONTRIBUTORS

- Sarah Elmendorf, Chief Information Officer
- Nicola Lappin, Information Governance Manager
- Victoria Turner, Head of IT
- Information Governance Group
- Roy Ebanks, Equality & Diversity Manager
Appendix 1: APPROVAL FOR REMOTE ACCESS

The member of staff named below has received express approval to access remotely and has read, understood and agrees to the conditions within the Trust's policy on remote access.

Equipment being used
  Description:
  Asset Number:

Name of applicant:    Signature:    Date:
Line Manager:         Signature:    Date:
Head of IT:           Signature:    Date:
Valid until:

An approved remote access application should be kept by the member of staff, with one copy sent to the IT department.