Trust Operational Policy. Information Security Department. Third Party Remote Access Policy



Similar documents
Informatics Policy. Information Governance. Network Account and Password Management Policy

NHS Commissioning Board: Information governance policy

TEXTURA AUSTRALASIA PTY LTD ACN ( Textura ) CONSTRUCTION PAYMENT MANAGEMENT SYSTEM TERMS AND CONDITIONS OF USE

MTS GUI LICENCE SCHEDULE TO. MTS Data Terms & Conditions End Customer; or. MTS and EuroMTS Membership Documentation; or. MTS Registered ISV Agreement

DASHBOARD CONFIGURATION SOFTWARE

Conditions of Contract for Consultancy Services

Information Security Policies. Version 6.1

REQUEST FOR QUOTE. RFQ Reference Number: RFQ <<INSERT e.g SWR 03-11/12>> <<Enter Course Name>>

Janison Terms and Conditions. Updated Jan 2013

Module 12 Managed Services TABLE OF CONTENTS. Use Guidelines

Information Governance Policy (incorporating IM&T Security)

SAMPLE BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

How To Ensure Network Security

[Escrow Product] November 2014 [Supplier B.V.] [Beneficiary B.V.] EscrowDirect.eu

If you are in full agreement with the document, kindly return the signature page at the end of the documents

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

INFORMATION TECHNOLOGY SECURITY STANDARDS

Overview Software Assurance is an annual subscription that includes: Technical Support, Maintenance and Software Upgrades.

PointCentral Subscription Agreement v.9.2

Terms of Business (Clients) of Evolve Consulting UK Ltd for the supply of Consultants

USE OF PERSONAL MOBILE DEVICES POLICY

Support Services Agreement

SCOTLAND S COMMISSIONER FOR CHILDREN AND YOUNG PEOPLE STANDARD CONDITIONS OF CONTRACT FOR SERVICES

CONSULTING SERVICES AGREEMENT

Information Governance Policy

Ya-YaOnline Platform ( Service ).

CRM in a Day Support Services Agreement

Business Associate Agreement

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

SOFTWARE AS A SERVICE AGREEMENT

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

ALL WEATHER, INC. SOFTWARE END USER LICENSE AGREEMENT

COMPUTER SOFTWARE AS A SERVICE LICENSE AGREEMENT

Entee Global Services General Terms and Conditions

Trinity Online Application - Terms and Conditions of Use

fdsfdsfdsfdsfsdfdsfsdfdsfsdfsd Square Box Systems Technical Support Agreement

Canon USA, Inc. WEBVIEW LIVESCOPE SOFTWARE DEVELOPMENT KIT DEVELOPER LICENSE AGREEMENT

Special Terms and Conditions for HGC Business Services

INFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes

ZIMPERIUM, INC. END USER LICENSE TERMS

PerfectForms End-User License Agreement

Supplier IT Security Guide

EHR Contributor Agreement

Information Governance Policy

NETWORK SECURITY POLICY

Kaiser Permanente Affiliate Link Provider Web Site Application

TERMS AND CONDITIONS GOVERNING THE USE OF NBADS ONLINE TRADING

BOLT Software Technology Terms of Use Last Updated: November 4, 2015

Application to access Chesters Trade

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

UBS Electronic Trading Agreement Global Markets

BUSINESS ASSOCIATE AGREEMENT

VIETNAM LAWS ONLINE DATABASE License Agreement Multi-user Subscription

MEMORANDUM OF UNDERSTANDING AND NON-DISCLOSURE AGREEMENT (Template)

BUSINESS ASSOCIATE AGREEMENT

Geomant Americas Inc. END USER SOFTWARE LICENSE AGREEMENT

VOLVO CONSTRUCTION EQUIPMENT. CARETRACK LICENCE (Version 3 April 2010)

END USER LICENSE AGREEMENT DATABASE MANAGEMENT TOOL LICENSE

technical factsheet 176

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

BUSINESS ASSOCIATE AGREEMENT

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

Terms and Conditions of Use - Connectivity to MAGNET

Service Agreement Hosted Dynamics GP

ELECTRONIC DATA INTERCHANGE (EDI) TRADING PARTNER AGREEMENT THIS ELECTRONIC DATA INTERCHANGE TRADING PARTNER AGREEMENT

Licence Fee means the fees calculated as set out on the Website or such other fee as is agreed between You and the Supplier from time to time.

PLEASE READ THIS AGREEMENT CAREFULLY. BY INSTALLING, DOWNLOADING OR OTHERWISE USING THE SOFTWARE, YOU AGREE TO THE TERMS OF THIS AGREEMENT.

Disclaimer: Template Business Associate Agreement (45 C.F.R )

APP SOFTWARE LICENSE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT

INVITATION TO QUOTE ITQ REF NO: NKF/BL/2015/015 Date: 30 September 2015

CLIENT REFERRAL AGREEMENT

BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS

HIPAA BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

Website terms and conditions

University of Liverpool

SOFTWARE DEVELOPMENT AGREEMENT

Evaluation, Development and Demonstration Software License Agreement

Hosting Agreement. WHEREAS, Lanex is a software development and hosting firm that offers design, programming and hosting services; and

S4E EYFS TRACKER SOFTWARE LICENCE AGREEMENT

Mako Networks Sales & Marketing, Inc. Terms & Conditions for End User System Access, Use & Service Supply

Transcription:

Trust Operational Policy Information Security Department Policy Reference: 3631

Document Control Document Title Author/Contact Document Reference 3631 Pauline Nordoff-Tate, Information Assurance Manager Document Impact Assessed Yes/No Date: January 2012 Version 3 Status Approved Publication Date January 2012 Review Date January 2014 Approved by (Executive) Peter Williams, Caldicott Guardian 23/01/12 Ratified by (Relevant Group) Information Governance Group 23/01/12 Distribution: Royal Liverpool and Broadgreen University hospitals NHS Trust-intranet using Sharepoint which will maintain the policy document in conjunction with each document author. Please note that the Intranet version of this document is the only version that is maintained. Any printed copies must therefore be viewed as uncontrolled and as such, may not necessarily contain the latest updates and amendments. Document History Version Date Comments Author Draft 10.12.07 First Draft produced for review Neil Morgan 1 30.01.08 Minor textual changes Neil Morgan 2 06.05.09 Post HIS Organisation Darren Mort changes minor changes 2.2 27/11/09 Reformatted Paul McGuinness 2.3 01/12/09 Minor Revisions Mark Haynes 3.0 23/01/12 Re-ordered points within document. Some reference to HIS taken out. Minor revisions Pauline Nordoff-Tate 2 Information Assurance Manager

Review Process Prior to Ratification: Name of Group/Department/Specialist Date Committee IT Department March 2007 Information Governance Group by email January 2010 Information Governance Group 23/01/2012 Information Assurance Manager 3

Heading Table of Contents Page Number 1.0 INTRODUCTION 5 1.1 Equality and Diversity 5 2.0 OBJECTIVE 5 3.0 SCOPE OF POLICY 6 4.0 POLICY 6 4.1 Third party definitions 6 4.2 Network/Operational Device 6 4.3 Sensitive Data 6 4.4 Remote Access 6 4.5 3 rd Party Access Sessions Internal session requests 6 4.6 External/Non-HIS Session Requests 6 4.7 Required Information 7 4.8 Authorised 3 rd Party Organisations 7 4.9 Change Management 7 4.10 Restriction of 3 rd Party Access authorised personnel 7 4.11 Web Based Sessions 7 4.12 N3 Sessions 7 4.13 Access Restrictions 8 4.14 Access Monitoring 8 4.15 Termination of Access 8 4.16 Outbound Communications 8 4.17 Audit Lifecycle 8 4.17 Reports 8 4.18 Contractual Obligations 8 5.0 ROLES AND RESPONSIBILIITES 9 5.1 Trust/HIS Staff 9 5.2 Third Party Organisation 9 6.0 ASSOCIATED DOCUMENTATION AND REFERENCES 9 7.0 TRAINING AND RESOURCES 10 8.0 MONITORING AND AUDIT 10 8.1 Recording and Monitoring of Equality & Diversity 10 APPENDIX A CHANGE MANAGEMENT FORM 11 APPENDIX B NON-DISCLOSURE AGREEMENT 13 Information Assurance Manager 4

1.0 Introduction In order to ensure that the Trust provides a secure and robust IT service, it is essential that 3 rd Party access to key operational devices and/or systems is conducted through a robust framework that ensures that: Access is permitted through a mechanism that ensures appropriate controls are in place to restrict access to authorised 3 rd Party organisations only; Any changes that are conducted are done so in accordance with the Trust Change Management procedures; There is a robust accountability framework present. 1.1 Equality and Diversity The Trust is committed to an environment that promotes equality and embraces diversity in its performance as an employer and service provider. It will adhere to legal and performance requirements and will mainstream equality and diversity principles through its policies, procedures and processes. This policy should be implemented with due regard to this commitment. To ensure that the implementation of this policy does not have an adverse impact in response to the requirements of the Race Relations (Amendment Act), the Disability Discrimination Act 2005, and the Equality Act 2006 this policy has been screened for relevance during the policy development process and a full impact assessment conducted where necessary prior to consultation. The Trust will take remedial action when necessary to address any unexpected or unwarranted disparities and monitor practice to ensure that this policy is fairly implemented. This policy and procedure can be made available in alternative formats on request including large print, Braille, moon, audio, and different languages. To arrange this please refer to the Trust translation and interpretation policy in the first instance. The Trust will endeavour to make reasonable adjustments to accommodate any employee/patient with particular equality and diversity requirements in implementing this policy and procedure. This may include accessibility of meeting/appointment venues, providing translation, arranging an interpreter to attend appointments/meetings, extending policy timeframes to enable translation to be undertaken, or assistance with formulating any written statements. 2.0 Objective This document details the control mechanism for enabling remote access by a third party that requires legitimate access to any device. The implementation and maintenance of these controls will ensure that the Trust is able to: Manage Risk from Third Party Access; Information Assurance Manager 5

Ensure a secure Technical Environment through the control of access; Manage the connection life-cycle; Restrict access to authorised parties only; Limit liability. 3.0 Scope of policy This document applies to all third party organisations that access the Trust infrastructure remotely. 4.0 Policy 4.1 Third party definitions A third party is defined as any individual or organisation that is not a Trust or North Mersey HIS employee who requires access to any aspect of the Trust IT infrastructure for a specified purpose. 4.2 Network/Operational Device Any item that forms part of the infrastructure of the Trust network, this includes servers, routers, firewalls and PC s. This list is intended as a representative sample and is not exhaustive. 4.3 Sensitive Data Sensitive data is defined as either personal data, as defined by the Data Protection Act 1998, or Trust proprietary information. 4.4 Remote Access For the purposes of this document, remote access is defined as any form of access obtained from an external location. 4.5 3 rd Party Access Sessions Internal session requests All 3rd party access sessions must be logged as a call with the service desk by the individual who will be managing that particular access session. The scheduled session will then be entered into to the WebEx scheduling calendar and will include the incident reference number. 4.6 External/Non-HIS Session Requests In the event that a 3rd party access request is received by the service desk, a call will be raised and passed to the appropriate team for action. When a member of staff requires a third party to connect, a call must be logged with the service desk by the originator and the appropriate change management procedures must be adhered to. Appendix A is an example of a change management form. Information Assurance Manager 6

4.7 Required Information Whenever a call is raised in relation to a remote access session, the following information must be recorded in the service desk call as a minimum: Third Party (Organisation) Name Third Party Name (Designated Personnel) person who will be connecting Verification of Designated Personnel contact details Trust Authorisation (if required) Comprehensive Reason for Access RFC Details (If required) Status of Request (Approved, Rejected etc) Date Access to be facilitated Details of Remote Access Session (Time/Date initiated, performed by, date session terminated etc) 4.8 Authorised 3 rd Party Organisations Details of authorised 3 rd Party organisations will be maintained by the Technical Support team and distributed to all relevant parties within the Trust. 4.9 Change Management If the session is related to a change, as defined by the Change Management Policy, approval must be obtained from change management process and the session inserted into the Forward Schedule of Change. 4.10 Restriction of 3 rd Party Access authorised personnel The third party will ensure that the authorised personnel are appropriately trained for providing the remote service. 4.11 Web Based Sessions Each member of staff enabling a web based access session will have their own individual account in order to enable appropriate audit functionality. Accounts will be created for all Trust staff that has a requirement to facilitate remote access. Accessing the web based solution via an account not belonging to the individual may result in disciplinary action. 4.12 N3 Sessions It is accepted that there is a requirement for certain 3rd parties to access the Trust infrastructure via an N3 connection; these organisations are bound by the terms of this document. Information Assurance Manager 7

Any remote access to the Trust infrastructure will be via a secure virtual private network (VPN) and the use of a security token, a connection to the Trust network will then be established with all traffic passing through the Trust firewall. 4.13 Access Restrictions Any Third Party access session MUST only occur when prior approval has been provided by the Trust. Unauthorised access may result in further action being taken against the third party in question. 4.14 Access Monitoring Each remote access session must have a member of the appropriate Trust team monitoring the activity of the third party. In the event of the third party accessing sensitive data, a recording of the session will be maintained. Failure to comply with this requirement may result in disciplinary action. Where the access is via N3, copies of the pre and post configuration of the accessed system will be retained for audit purposes. 4.15 Termination of Access The Trust reserves the right to terminate any remote access session without prior notice. Access may also be terminated if an unauthorised session is detected. These sessions will be terminated as soon as it is established that there will be no adverse impact upon the system that is currently being accessed. 4.16 Outbound Communications It is accepted that during a physical visit to the site, there may be a requirement for a third party to remotely connect to their organisations network whilst connected to a Trust device. Any such connection will be bound by the contents of this policy in a non-disclosure agreement (a copy of which is enclosed in Appendix B), and it is incumbent upon the third party that there is adequate security architecture in place. 4.17 Audit Lifecycle All remote access sessions will be subject to a full and comprehensive audit trail. 4.17 Reports Reports will be produced on a regular basis in order to facilitate audit requirements. These reports will be stored for an appropriate period of time to ensure that they are available in the event of an incident. 4.18 Contractual Obligations Any third party requiring remote access to Trust systems must sign and abide by the following document: Non-disclosure Agreement Failure to sign and comply with the requirements of these documents will prevent access from being obtained by the Third Party. Information Assurance Manager 8

These documents may be substituted with other formal documents providing that they match the Trust s requirements. For further information, please contact the Information Security Officer on 3671. All agreements will be reviewed on a regular basis to ensure that they are both accurate and appropriate. A physical copy of the agreement will be retained by both the third party and the Trust. 5.0 Roles and Responsibiliites 5.1 Trust/HIS Staff It is the responsibility of Trust/HIS staff to ensure that this policy document is adhered to when enabling access for ANY third party individual or organisation. 5.2 Third Party Organisation It is the responsibility of all third party organisations to: Abide by the controls detailed within this document; Sign and comply with the Non-Disclosure Agreement; To comply with the standards detailed within the Trust Information Assurance Policy and to ensure that a robust information security infrastructure is implemented and adhered to within their own organisation; To ensure that each access session is used solely for the agreed purpose for that connection. 6.0 Associated documentation and references This document has been created in accordance with the following supporting documents: Information Assurance Policy The Data Protection Act 1998 The Computer Misuse Act 2000 The Copyright, Designs and Patents Act 1988 ISO 27001 The Code of Practice for Information Security Management Access is permitted through a mechanism that ensures appropriate controls are in place to restrict access to authorised 3 rd Party organisations only; Any changes that are conducted are done so in accordance with the Trust Change Management procedures; There is a robust accountability framework present. Information Assurance Manager 9

7.0 Training and resources The IT team will ensure that there is a robust structure present, providing that the controls are in place to restrict third party access. The team has the technological capability to and will perform periodic reviews to ensure compliance with the requirements of this policy. 8.0 Monitoring and audit This policy will be reviewed regularly or when there is significant change by the Information Assurance Manager and the Information Governance Group, in conjunction with Human Resources. Changes to the policy may also be made due to changes in legislation, technology or NHS guidance. The Information Governance Group will monitor all Data Protection/Information Security policies, programmes and work plans. 8.1 Recording and Monitoring of Equality & Diversity The Trust understands the business case for equality and diversity and will make sure that this is translated into practice. Accordingly, all policies and procedures will be monitored to ensure their effectiveness. Monitoring information will be collated, analysed and published on an annual basis as part of our Single Equality and Human Rights scheme. The monitoring will cover all strands of equality legislation and will meet statutory employment duties under race, gender and disability. Where adverse impact is identified through the monitoring process the Trust will investigate and take corrective action to mitigate and prevent any negative impact. The information collected for monitoring and reporting purposes will be treated as confidential and it will not be used for any other purpose. Information Assurance Manager 10

APPENDIX A CHANGE MANAGEMENT FORM REQUEST FOR CHANGE RFC Ref Related RFC Incident Ref Change Requestor Change Implementer Contact Telephone No Contact Telephone No Downtime Duration Start Date End Date Change Duration Start Time End Time Category Priority Impact Risk Sites Involved Change Type Item Server Name System/Application CHANGE DESCRIPTION Supporting documentation may be attached CHANGE JUSTIFICATION Why is this Change required? Is this RFC a follow on activity for a previous RFC? If this is an EMERGENCY request, is it to resolve an incident or a related Change? Has an Incident record been opened with the Service Desk? (Is the reference number included above?) IMPACT ASSESSMENT What will be the impact of not implementing the Change? Who / which User group(s) will be affected by the Change? Which interfaces to other systems are affected? Please include details. Will there be a cost associated with implementing the Change?(e.g. resources / time allocation/ equipment) Information Assurance Manager 11

IMPLEMENTATION PLAN / ACTIVITIES Is any User training required and how will this be managed? Who / What / Where / When / How? Include names and contact details of other change implementer(s), including any 3 rd parties involved Firewall Change? Detail; Rules, route, source and destination IP, protocol and ports BACK OUT / ROLLBACK PLAN Who will make the decision to back-out the Change Who else needs to be contacted in the event the change requires back-out? How long will back-out take? What will be the trigger? What back out activities will be required and who will action? PRE IMPLEMENTATION TESTING Has this change been tested? Where, when and on what was the testing performed? What was the result? Has the back-out plan been tested and what was the result? If not tested, why? AFFECTS ON CAPACITY / DISASTER RECOVERY Will this Change impact Disaster Recovery? Will this Change impact server, network, storage / space capacity? (Current and future) Are any follow-on activities required? POST IMPLEMENTATION CHECKS What post implementation checks will be carried out? How will Change success be proven? COMMUNICATION DETAILS Has / have the relevant Service Desk(s) been advised? Is a User Communication required? Please provide details. Information Assurance Manager 12

Appendix B Non-Disclosure Agreement Confidentiality/Non-Disclosure Agreement for the Processing of Information for the [Insert title] Dated: Parties: (1) RLBUHT. (Discloser) (2) [Insert partner organisation name(s)] Background In consideration of the parties processing and disclosing confidential information to each other, they have each agreed to treat such information in accordance with and to otherwise abide by this agreement and the legislative requirements of the Data Protection Act 1998. It is hereby agreed as follows: 1 Interpretation 1.1 Confidential Information means, subject as provided in Clause 3, all information of whatever nature (including without limitation business or technical information) in whatever form (tangible or intangible, human or machinereadable or otherwise) obtained by either party (the Recipient ) directly or indirectly from the other party (the Discloser ) and whether or not such information (if in tangible form) is embodied in any materials or is classed as confidential or proprietary. Furthermore, Confidential Information is defined as Data as per the definition under the Data Protection Act 1998. 1.2 Discloser has the meaning given in Clause 1.1 1.3 Materials means documents, drawings, computer programs and other materials and physical items of any kind obtained from the Discloser and/or recording any Confidential Information including, without limitation, any of the same produced by or on behalf of the Recipient. 1.4 Recipient has the meaning given to it in Clause 1.1 2 Confidentiality 2.1 No Use Recipient agrees not to use the Confidential Information in any way, or to manufacture or test any product embodying Confidential Information, except for the purpose defined within Section 9. 2.2 No Disclosure The Recipient agrees to use appropriate controls to prevent and protect the Confidential Information, or any part thereof, from disclosure to any person or organisation other than the Recipients employees having a need for disclosure in connection with the Recipients authorised use of the Confidential Information. 2.3 Protection of Secrecy The Recipient agrees to take all steps reasonably necessary to protect the secrecy of the Confidential Information, and to prevent the Confidential Information from falling into the public domain or into the possession of unauthorised persons. Furthermore, to prevent any person from unlawfully accessing or disclosing the data. Information Assurance Manager 13

3 Limits on Confidential Information Confidential Information shall not be deemed proprietary and the Recipient shall have no obligation with respect to such information where the information: (a) was known to the Recipient prior to receiving any of the Confidential Information from the Discloser; (b) has become publicly known through no wrongful act of the Recipient; (c) was received by the Recipient without breach of this agreement from a third party without restriction as to the use and disclosure of the information; (d) was independently developed by the Recipient without use of the Confidential Information; or (e) was ordered to be publicly released by the requirement of a government agency. 4 Ownership of Confidential Information 5 Breach The Recipient aggress that all Confidential Information shall remain the property of the Discloser, and that the Discloser may use such Confidential Information for any purpose without obligation to the Recipient. Nothing contained herein shall be construed as granting or implying any transfer of rights to the Recipient in the Confidential Information, or any patents or other intellectual property protecting or relating to the Confidential Information. 5.1 The breach by any of the persons referred to in Clause 2.2 of any of the obligations imposed on them as referred to in Clause 2.2 shall be deemed a breach of this Agreement by the Recipient. 5.2 The Recipient acknowledges that any breach by the Recipient of this agreement is likely to result in extensive loss and damage to the Discloser and that, as well as damages, an injunction would be an appropriate remedy for the Discloser in the event of such a breach. 5.3 If the Recipient becomes aware of any breach by the Recipient of this agreement the Recipient shall forthwith notify the Discloser in writing thereof, giving all available details, and shall at its own cost and at the Disclosers direction take such steps as the Discloser may decide in order to minimise the loss which the Discloser may otherwise suffer as a result of such a breach. 6 Destruction of Data The Recipient agrees that once the purpose for receiving the Confidential Information is complete, that the Information shall be confidentially destroyed and a destruction certificate issued to the Discloser. 7 Survival of Rights and Obligations This Agreement shall be binding upon, inure to the benefit of, and be enforceable by (a) the Discloser, its successors, and assigns; and (b) the Recipient and assigns. 8 Miscellaneous 8.1 No delay or failure by either party to exercise any right or remedy available to it under or in connection with this agreement shall prevent the later exercise of any such right or remedy. Information Assurance Manager 14

8.2 Neither party shall sign this agreement without the prior written consent of the other, which shall not be unreasonably withheld. 8.3 This agreement does not create any partnership, agency or further relationship between the parties and does not oblige either party to negotiate or enter into any further contract with the other. 8.4 This agreement shall be governed and construed in accordance with English law and the parties hereby submit to the non-exclusive jurisdiction of the English courts. 9 Purpose of Agreement [Insert precise purpose(s) of processing including any restrictions] Information Assurance Manager 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information