IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This document is version controlled. The master copy is on Ourspace. Once printed, this document could become out of date. Check Ourspace for the latest version. Contents 1. Introduction...3 2. Policy Statement...3 3. Purpose...4 4. Scope...4 5. Content...5 5.1 Risk Assessment... 5 5.2 Physical & Environmental Security... 5 5.3 Access Control to Secure IM&T Infrastructure Areas... 5 5.4 Access Control to the Network... 5 5.5 Third Party Access Control to the IM&T Infrastructure... 6 5.6 External Network Connections... 6 5.7 Maintenance Contracts... 6 5.8 Data and Software Exchange... 6 5.9 Fault Logging... 6 5.10 Data Backup and Restoration... 6 5.11 All backup systems will be stored securely off-site.... 7 5.12 User Responsibilities, Awareness & Training... 7 5.13 Accreditation of IM&T infrastructure Systems... 7 5.14 Technical Security Measures... 7 IM&T Infrastructure Security Policy Expiry date: 15/04/2019 Version No: 4.0 Page 1 of 11
5.15 Secure Disposal or Re-use of Equipment... 8 5.16 System Change Control... 8 5.17 Reporting IM&T Security Incidents & Weaknesses... 8 5.18 System Configuration Management... 8 5.19 Business Continuity & Disaster Recovery Plans... 8 6. Roles and Responsibilities...8 6.1 The Chief Executive... 8 6.2 The Senior Information Risk Owner (SIRO)... 8 6.3 Executive Directors and Strategic Business Unit Directors... 8 6.4 Information Governance Group... 9 6.5 Head of IM&T (HoIM&T)... 9 6.6 Information Security and Technical Assurance Manager (ISTAM)... 9 6.7 All Users of AWP IM&T Systems... 9 6.8 Line Manager's Responsibilities... 9 7. Standards... 10 8. Training... 10 9. Monitoring or Audit... 10 10. Associated and Related Procedural Documents... 10 11. References... 10 IM&T Infrastructure Security Policy Expiry date: 15/04/2019 Version No: 4.0 Page 2 of 11
1. Introduction Avon and Wiltshire Mental Health Partnership NHS Trust (AWP) is bound by the provisions of a considerable number of items of legislation and regulation affecting the stewardship of data and information. Information Governance (IG) ensures the Trust s compliance with applicable legislation, the regulatory framework, Common Law, and mandated Best Practice. In short, IG exists to ensure the Integrity, Availability, Confidentiality and Accountability of the Trust s operational, patient, staff and management information. The AWP Overarching Information Governance Policy defines the Trust s mandated base-line strategy for compliance and effective management in each of the following six areas of Information Governance. Information Governance Management Confidentiality & Data Protection Assurance Clinical Information Assurance Information Security Assurance Secondary Use Assurance Corporate Information Assurance Collectively the information governance policies constitute the top level documentation of the Trust s Information Governance Management System (IGMS). Compliance with all Policies, Procedures and Guidelines contained in the IGMS is mandatory for all persons and organisations operating under the auspices of, or delivering a service to the Trust, whether they are staff, students, volunteers, contractors or partner organisations. Staff should be aware that IGMS Policies are intended to protect the Trust and staff from adverse outcomes in terms of compliance with the law. Where IGMS policies are breached by staff it may be necessary for managers to consider retraining staff, or following the Trust s Disciplinary Procedures. Staff should also note that legal penalties could also be imposed upon the Trust or its employees for non-compliance with relevant legislation and NHS guidance, and in serious cases individuals may not be immune from prosecution or civil legal action by virtue of their employment within the Trust. 2. Policy Statement The AWP information IM&T infrastructure will be available when needed, can be accessed only by legitimate users and will contain complete and accurate information. The IM&T infrastructure must also be able to withstand or recover from threats to its availability, integrity and confidentiality. To satisfy this, AWP will undertake the following: Protect all hardware, software and information assets under its control. This will be achieved by implementing technical and non-technical measures; Provide both effective and cost-effective protection that is commensurate with the risks to its IM&T infrastructure information assets; Implement the IM&T Infrastructure Security Policy in a consistent, timely and cost effective manner; IM&T Infrastructure Security Policy Expiry date: 15/04/2019 Version No: 4.0 Page 3 of 11
Comply with other laws and legislation as appropriate. 3. Purpose The Information Management & Technology (IM&T) infrastructure is a collection of information Technology equipment, and it related software, such as servers, computers, printers, and routers and switches, which are inter-connected. This policy applies to all networks within AWP used for: The storage, sharing and transmission of clinical data and images; The storage, sharing and transmission of non-clinical data and images; Printing or scanning non-clinical or clinical data; The provision of Internet systems for receiving, sending and storing non-clinical or clinical data; To set out the Trust s policy on security of its IM&T infrastructure. This Infrastructure Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support the network. It sets out the organisation s policy for the protection of the confidentiality, integrity and availability of the network; establishes the security responsibilities for IM&T infrastructure security and provides reference to documentation relevant to this policy. The aim of this policy is to ensure the security of AWP's network. To do this the Trust will: Ensure availability of the IM&T infrastructure for authorised users and protect it from unauthorised access. Preserve Integrity by protecting the IM&T infrastructure from unauthorised or accidental modification ensuring the accuracy and completeness of the organisation's information assets. Preserve Confidentiality by protecting information assets against unauthorised disclosures and ensuring it is capable of being audited and monitored for compliance and regulatory purposes 4. Scope This is a Trust-wide Policy and applies to IM&T systems and the data held, processed or transmitted by them, including staff, service user, management, audit and all other types of information used by the Trust. This Policy shall apply to all staff and personnel operating under the auspices of the Trust, including locums, contractors, temporary, students, service user representatives, volunteers and partner agency staff. Where a third party has an organisational policy that differs from this policy, a formal agreement as to which policy statement applies shall be outlined and agreed in an appropriate protocol if necessary. In the absence of such an agreement, this Policy shall be deemed to have precedence. IM&T Infrastructure Security Policy Expiry date: 15/04/2019 Version No: 4.0 Page 4 of 11
5. Content 5.1 Risk Assessment AWP will carry out security risk assessment(s) in relation to all the elements of its IM&T infrastructure. The risk assessments will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability. 5.2 Physical & Environmental Security All IM&T infrastructure equipment will be housed in a controlled and secure environment. Critical or sensitive IM&T infrastructure equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls. Critical or sensitive IM&T infrastructure equipment will be housed in an environment that is monitored for temperature, humidity and power supply. The Head of IM&T (HoIM&T) is responsible for ensuring that door lock codes are changed periodically, and following a compromise of the code, or if they suspect the code has been compromised, or when required to do so by the Information Security and Technical Assurance Manager (ISTAM). Critical or sensitive IM&T infrastructure equipment will have precautions in place to protect from power supply failures. Critical or sensitive IM&T infrastructure equipment will be protected by intruder alarms and fire detection/suppression systems. Eating and drinking is forbidden in areas housing critical or sensitive IM&T infrastructure equipment. All visitors to secure IM&T infrastructure areas must be authorised by the HOIM&T or their delegates. All visitors to secure IM&T infrastructure areas must be logged in and out. The log will contain name, organisation, purpose of visit, date, and time in and out. The HOIM&T will ensure that all relevant staff are made aware of procedures for visitors and that visitors are monitored, when necessary. 5.3 Access Control to Secure IM&T Infrastructure Areas Entry to secure areas housing critical or sensitive IM&T infrastructure equipment will be restricted to those whose job requires it. The HOIM&T will maintain and periodically review a list of those with unsupervised access. 5.4 Access Control to the Network Access to the IM&T infrastructure will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access to the IM&T infrastructure will conform to the Trust's Remote Access Standards. IM&T Infrastructure Security Policy Expiry date: 15/04/2019 Version No: 4.0 Page 5 of 11
There must be a formal, documented user registration and de-registration procedure for access to the network. Security privileges to the IM&T infrastructure will be allocated on the requirements of the user's job, rather than on a status basis. All users to the IM&T infrastructure will have their own individual user identification and password. Users are responsible for ensuring their password is kept secret and accounts are not shared. User access rights will be immediately removed or reviewed for those users who have left the Trust or changed jobs. 5.5 Third Party Access Control to the IM&T Infrastructure Third party access to the IM&T infrastructure will be based on a formal contract that satisfies all necessary NHS security conditions. All third party access to the IM&T infrastructure must be logged by the appropriate IAO/IAA. 5.6 External Network Connections The HoIM&T shall ensure that all connections to external networks and systems have been documented by the IAA and approved by the ISTAM. Ensure that all connections to external networks and systems conform to the NHS-wide Network Security Policy, Code of Connection and supporting guidance. The ITSS must approve all connections to external networks and systems before they commence operation. 5.7 Maintenance Contracts The Information Asset Owner (IAO) will ensure that appropriate maintenance contracts are maintained and periodically reviewed for all IM&T infrastructure. All contract details will be included within the system documentation retained by the IAO/ISTAM. 5.8 Data and Software Exchange Formal agreements for the exchange of data between organisations must be established and approved by the Trusts Head of Compliance or ISTAM. 5.9 Fault Logging The IAO/Information Asset Administrator (IAA) is responsible for ensuring that a log of all faults on the IM&T infrastructure is maintained and reviewed. IM&T infrastructure Operating Procedures The IAO/IAA will produce Standard Operating Procedures and security contingency plans that reflect this policy. 5.10 Data Backup and Restoration The HoIM&T is responsible for ensuring that appropriate configuration information is recorded to allow the restoration of core systems. IM&T Infrastructure Security Policy Expiry date: 15/04/2019 Version No: 4.0 Page 6 of 11
The HoIM&T will produce an overarching back up strategy and supporting procedures for the backing up of all data. The IAOs are responsible for ensuring that the backup regime for their information assets meet their requirements for business continuity and is included in the back up strategy. 5.11 All backup systems will be stored securely off-site. The HoIM&T will be responsible for the physical integrity of the back-up. The IAO/IAAs are responsible for ensuring that their data is fit for purpose by implementing a suitable testing program. 5.12 User Responsibilities, Awareness & Training The Trust will ensure that all users of the IM&T infrastructure are provided with the necessary security guidance, awareness and where appropriate training, to discharge their security responsibilities. All users of the IM&T infrastructure must be made aware of the contents and implications of the Acceptable Use Policy and associated procedures. All IAO/IAAs must be aware of the contents and implications of this IM&T infrastructure policy. 5.13 Accreditation of IM&T infrastructure Systems All IM&T infrastructure systems within the Trust must be accredited in line with the Trusts Information Asset release procedure and must be approved by the ISTAM and HoIM&T. 5.14 Technical Security Measures Malicious Software: the HoIM&T will ensure that sufficient technical measures are in place to minimise the risk of intrusion from malicious software. All users will be trained and alerted to their responsibility not to take any actions which may result in malicious software entering the system. Data Loss: the HoIM&T will ensure that sufficient technical measures are in place to minimise the risks of data loss. All users will be trained and alerted to their responsibility with regard to data loss. Zero day vulnerabilities: the HoIM&T will ensure that sufficient technical measures are in place to minimise the risks of zero day vulnerabilities. Unauthorised software: the HoIM&T will ensure that sufficient technical measures are in place to minimise the risks of unauthorised software. All users will be trained and alerted to their responsibility with regard to unauthorised software. System misconfiguration: the HoIM&T will ensure that sufficient technical and operational measures are in place to minimise the risks due to misconfiguration of systems. Unauthorised access to Trust systems: the HoIM&T will ensure that sufficient technical measures are in place to minimise the risks of data loss. All users will be trained and alerted to their responsibility with regard to unauthorised access. Access to inappropriate or dangerous web content: the HoIM&T will ensure that sufficient technical measures are in place to allow the Trust to effectively manage and monitor internet usage. Any other identified risk: the HoIM&T will ensure that, where warranted, technical measures will be implemented to detect and protect the IM&T infrastructure systems as they are identified. IM&T Infrastructure Security Policy Expiry date: 15/04/2019 Version No: 4.0 Page 7 of 11
5.15 Secure Disposal or Re-use of Equipment All IM&T equipment must be disposed of by the IM&T department adhering to the Trust procedures and legal compliance requirements as referred to in the Confidential Disposal of Media Waste procedure. 5.16 System Change Control The relevant IAO will approve the relevant change control procedure; the IAA will be responsible for operating the change control procedure. 5.17 Reporting IM&T Security Incidents & Weaknesses IM&T Security incidents will be reported through the adverse incident reporting procedure Any identified weaknesses will be reported on the IAOs own departmental risk register. 5.18 System Configuration Management There should be effective configuration management system for all elements of the IM&T infrastructure. 5.19 Business Continuity & Disaster Recovery Plans The HoIM&T is responsible for maintaining the Trusts IT Disaster Recovery Plan The IAOs/IAAs are responsible for the Business Continuity plans for their identified information assets. 6. Roles and Responsibilities 6.1 The Chief Executive The Chief Executive is responsible for ensuring the Trust s compliance with applicable legislation and regulation. The Chief Executive has delegated the overall IT security responsibility for policy and implementation to the Head of Information Systems and Technology. Responsibility for implementing this policy within the context of IT systems development and use in the organisation is delegated further to the IT Security Specialist. 6.2 The Senior Information Risk Owner (SIRO) The Executive Director of Finance and Commerce and Deputy Chief Executive shall be the Trust Senior Information Risk Owner (SIRO) and shall represent any relevant information risk to the Board of Directors. The SIRO shall receive specialist advice from the IT Security Specialist. 6.3 Executive Directors and Strategic Business Unit Directors IM&T Infrastructure Security Policy Expiry date: 15/04/2019 Version No: 4.0 Page 8 of 11
Executive Directors and Strategic Business Unit Directors are responsible for the implementation of the standards of compliance specified in this policy within their areas of responsibility. 6.4 Information Governance Group The Information Governance Group shall monitor and report on the implementation of the Trust s Information Governance Management System (IGMS). 6.5 Head of IM&T (HoIM&T) The Head of IM&T (HoIM&T) will define and implement effective security countermeasures. Produce all relevant security documentation, security operating procedures and contingency plans reflecting the requirements of the IM&T infrastructure Security Policy. All such documentation will be included in the IT Department's Asset register. 6.6 Information Security and Technical Assurance Manager (ISTAM) The ISTAM shall monitor system and user activity for compliance with this policy. Investigate reported Incidents or alerts have that may affect the organisation's systems, applications or networks and liaise with HR, IG and Security Management as appropriate Review and approve proposals for connecting the Trust s systems, applications or networks to third party systems, applications or networks. Produce organisational standards, procedures and guidance on Information Security matters for approval by the IGMG Working with the HOIM&T, IOAs and SIRO to ensure that risks to IT systems are reduced to an acceptable level by applying security countermeasures identified following an assessment of the risk. Approving system security measures for the infrastructure, systems and common services. 6.7 All Users of AWP IM&T Systems All users of AWP IM&T systems are responsible for ensuring that their use of Trust systems is conducted in compliance with this policy and have a duty to report any instances of noncompliance they witness to their managers. Prevent the introduction of malicious software on the organisation's IT systems. Report any suspected or actual breaches in information security 6.8 Line Manager's Responsibilities Line Managers are responsible for ensuring compliance with this policy through appropriate managerial arrangements including supervision, training, performance management and the use of disciplinary procedures where necessary. It is the responsibility of Line Managers to enable their staff to attend suitable information governance training. IM&T Infrastructure Security Policy Expiry date: 15/04/2019 Version No: 4.0 Page 9 of 11
7. Standards This policy shall be assessed against the Information Governance Toolkit standards. 8. Training The Trust's overarching policy for training is the Learning and Development Policy and this should be read in conjunction with this policy. The Learning and Development Policy also describes the Trust's arrangements for training, in particular how there are processes in place to ensure staff receive the training they require and how non-attendance is followed up. These arrangements are further supported by management supervision and appraisal processes. Individual Line Managers are responsible for ensuring their staff are aware and adhere to this policy. 9. Monitoring or Audit Monitoring shall be proactive and designed to highlight issues before an incident occurs, and should consider both positive and negative aspects of any examined process. Compliance with this policy shall be monitored by the ISTAM and formally reported to the Information Governance Group (IGG) quarterly, and shall be assessed annually using the Information Governance Toolkit. Internal Audit shall conduct an annual audit of Information Governance Assurance Statement and the NHS Operating Framework and report their findings and recommendations to the IGMG. Where failings have been identified, action plans shall be drawn up and changes made to arrangements to reduce the risks. The IGG shall facilitate the review and update of this policy and supporting IG policies. 10. Associated and Related Procedural Documents A list of related Trust policies can be found on Ourspace 11. References A full list of the applicable legislation referenced in the compilation of this policy can be viewed in the NHS Information Governance Guidance on Legal and Professional Obligations at the following link: http://www.dh.gov.uk/en/publicationsandstatistics/publications/publicationspolicyandguidance/ DH_079616 IM&T Infrastructure Security Policy Expiry date: 15/04/2019 Version No: 4.0 Page 10 of 11
Version History Version Date Revision description Editor Status 1.0 13 /01/2011 Review by Information Governance Group Information Technology Security Specialist Approved 2.0 01/03/2011 Reviewed by Quality & Healthcare Governance Committee 3.00 19/02/2013 Approved by Finance and Planning Committee Information Technology Security Specialist Information Technology Security Specialist Approved Approved 3.1 04/04/2016 Update and Tidy ISTAM 4.0 19/04/2016 Approved by Finance and Planning Committee ISTAM Approved IM&T Infrastructure Security Policy Expiry date: 15/04/2019 Version No: 4.0 Page 11 of 11