Mike Casey Director of IT



Similar documents
Network Security Policy

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Rotherham CCG Network Security Policy V2.0

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

ULH-IM&T-ISP06. Information Governance Board

Network Security Policy

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction Policy Statement Purpose...

NETWORK SECURITY POLICY

How To Ensure Network Security

NETWORK SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

How To Protect Decd Information From Harm

INFORMATION TECHNOLOGY SECURITY STANDARDS

Information Security Policy

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

Information Governance Policy (incorporating IM&T Security)

Newcastle University Information Security Procedures Version 3

University of Liverpool

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

ISO27001 Controls and Objectives

Information Security

Service Children s Education

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

NHS Business Services Authority Information Security Policy

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

Information security policy

University of Sunderland Business Assurance Information Security Policy

ISO Controls and Objectives

Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

University of Aberdeen Information Security Policy

IS INFORMATION SECURITY POLICY

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

ISO 27002:2013 Version Change Summary

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

INFORMATION SECURITY PROCEDURES

HIPAA Information Security Overview

Information Security Management. Audit Check List

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

Estate Agents Authority

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HIPAA Security Alert

SERVER, DESKTOP AND PORTABLE SECURITY. September Version 3.0

Information Resources Security Guidelines

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

Policy Document. Communications and Operation Management Policy

How To Ensure Information Security In Nhs.Org.Uk

Physical Security Policy

06100 POLICY SECURITY AND INFORMATION ASSURANCE

Supplier Security Assessment Questionnaire

CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

INFORMATION SECURITY POLICY

Highland Council Information Security Policy

Corporate Information Security Management Policy

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

Access Control Policy

Dublin Institute of Technology IT Security Policy

Information Security Policy

INFORMATION SYSTEMS. Revised: August 2013

Information Security Policy

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

ABERDARE COMMUNITY SCHOOL

INFORMATION SECURITY POLICY

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Incident Management Policy

INFORMATION SECURITY POLICY. Contents. Introduction 2. Policy Statement 3. Information Security at RCA 5. Annexes

Informatics Policy. Information Governance. Network Account and Password Management Policy

VMware vcloud Air HIPAA Matrix

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

SECURITY POLICY REMOTE WORKING

Draft Information Technology Policy

An Approach to Records Management Audit

Information Security Programme

Music Recording Studio Security Program Security Assessment Version 1.1

HIPAA Security. assistance with implementation of the. security standards. This series aims to

Data Access Request Service

Supplier Information Security Addendum for GE Restricted Data

VIRGINIA STATE UNIVERSITY RISK ANALYSIS SURVEY INFORMATION TECHNOLOGY

CCG: IG06: Records Management Policy and Strategy

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Transcription:

Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date John Stuckey Network Project Manager 18 th March 2009 Andrew Smith Network Manager 18 th March 2009 Professionally Approved By Mike Casey Director of IT 18 th March 2009 Version Number 1.0 Issuing Directorate IT Ratified by: Document Ratification Group Ratified on: 26 th March 2009 Trust Executive Board Date April 2009 Implementation Date 31 st March 2009 Next Review Date January 2011 Author/Contact for Information Dave Shrimpton Policy to be followed by (target staff) All Staff, Contractors and Affiliates Distribution Method Intranet, Internet Related Trust Policies (to be read in conjunction with) Remote Working Policy Anti Virus Policy Backup Policy IT Systems User Access Policy Acceptable Use of IT Policy Password Policy Document Review History Review No Reviewed by Review Date It is the personal responsibility of the individual referring to this document to ensure that they are viewing the latest version which will always be the document on the intranet 1

Index 1. Purpose 2. Aim 3. Scope 4. Policy 5. Responsibilities 6. Physical & Environmental Security 7. Access Control to Secure Network Areas 8. Access Control to the Network 9. Third Party Access Control to the Network 10. External Network Connections 11. Maintenance Contracts 12. Fault Logging 13. Network Operating Procedures 14. Data Backup and Restoration 15. User Responsibilities, Awareness & Training 16. Security Audits 17. Malicious Software 18. Secure Disposal or Re-use of Equipment 19. System Change Control 20 Security Monitoring 21. Reporting Security Incidents & Weaknesses 22. System Configuration Management 23. Business Continuity & Disaster Recovery Plans 24. Unattended Equipment and Clear Screen 25. Monitoring 26. References 2

1. Purpose 1.1 The network is a collection of equipment such as servers, computers, printers, and modems, which has been connected together by cables or using wireless networking capabilities. The network is created to share data, software, and peripherals such as printers, modems and Internet connections. 1.2 This document defines the Network Security Policy for Mid Essex Hospital Services NHS Trust. The Network Security Policy applies to all business functions and information contained within the network environment, the physical environment and relevant people who support the network. 1.3 This document sets out the Mid Essex Hospital Services NHS Trust s policy for: The protection of the confidentiality, integrity and availability of the network Establishes the security responsibilities for network security Provides reference to documentation relevant to this policy 2. Aim 2.1 The aim of this policy is to ensure the security of Mid Essex Hospital Services NHS Trust's network. To do this the Trust will: Ensure Availability Preserve Integrity Preserve Confidentiality Protect assets against unauthorised disclosure Protect the network from unauthorised or accidental modification ensuring the accuracy and completeness of the organisation's assets 3. Scope 3.1 This policy applies to all networks within Mid Essex Hospital Services NHS Trust used for: The storage, sharing and transmission of clinical data and images The storage, sharing and transmission of non-clinical data and images Printing or scanning non-clinical or clinical data or images The provision of Internet systems for receiving, sending and storing clinical or nonclinical data or images 4. Policy 4.1 The Mid Essex Hospital Services NHS Trust network will be available when required, may be accessed only by legitimate users and will contain complete and accurate information. The network must also be able to withstand or recover from threats to its availability, integrity and confidentiality. To satisfy this, Mid Essex Hospital Services NHS Trust will undertake to the following: Protect all hardware, software and information assets under its control 3

Provide effective protection that is commensurate with the risks to its network assets Implement the Network Security Policy in a consistent, timely manner Where relevant, Mid Essex Hospital Services NHS Trust will comply with o Copyright, Designs & Patents Act 1988 o Access to Health Records Act 1990 o Computer Misuse Act 1990 o The Data Protection Act 1998 o The Human Rights Act 1998 o Electronic Communications Act 2000 o Regulation of Investigatory Powers Act 2000 o Freedom of Information Act 2000 o Health & Social Care Act 2001 o And any other legislation, NHS requirements or guidance that may come into force during the lifespan of this policy 5. Responsibilities 5.1 Chief Executive The Chief Executive has delegated the overall security responsibility for security, policy and implementation to the Director of IT 5.2 Director of IT Ensure the Network Security Policy is implemented 5.3 IT Operations Manager Ensure that an effective configuration management system for the network is in place Deputise for the Director of IT Ensure that business continuity plans and disaster recovery plans are produced for the network Responsible for ensuring that door lock codes are changed periodically, following a compromise of the code, if s/he suspects the code has been compromised, or when required to do so by the Information Security Manager 5.4 Network Manager Design and implement effective security countermeasures Ensure that maintenance contracts are maintained and periodically reviewed for all network equipment Responsible for ensuring that a log of all faults on the network is maintained and reviewed Produce all relevant security documentation, security operating procedures and contingency plans reflecting the requirements of the Network Security Policy Design / Contribute to the network disaster recovery plan All such documentation will be included in the Information Security management System 4

5.5 IT Contracts Manager Ensure maintenance contracts are maintained and periodically reviewed for all supported network equipment 5.6 IT Security Manager Act as a central point of contact on information security within the organisation, for both staff and external organisations Produce organisational standards, procedures and guidance on Information Security matters for approval by the Document Ratification Group Liaise with external organisations on information security matters Ensure that risks to IT systems are reduced to an acceptable level by applying security countermeasures identified following an assessment of the risk Approve system security policies for the infrastructure and common services Provide a central point of contact on IT security issues Providing advice and guidance on o Policy Compliance o Incident Investigation o IT Security Awareness o IT Security Training 5.7 Line Management Ensuring the security of the network, that is information, hardware and software used by staff and, where appropriate, by third parties is consistent with legal and management requirements and obligations Ensuring that their staff are made aware of their security responsibilities Ensuring that their staff have had suitable security training 5.8 All Staff All personnel or agents acting for the organisation have a duty to: Safeguard hardware, software and information in their care Prevent the introduction of malicious software on the organisation's IT systems Report on any suspected or actual breaches in security 6. Physical & Environmental Security 6.1 Network computer equipment will be housed in a controlled and secure environment. 6.2 Critical or sensitive network equipment will be housed in an environment that is monitored for temperature, humidity and power supply quality. 6.3 Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls. 6.4 Critical or sensitive network equipment will be protected by intruder alarms and fire suppression systems. 5

6.5 All visitors to secure network areas must be authorised by the appropriate Manager. 6.6 All visitors to secure network areas must be made aware of network security requirements. 6.7 All visitors to secure network areas must be logged in and out. The log will contain name, organisation, purpose of visit, date, and time in and out. 6.8 The Network Manager will ensure that all relevant staff are made aware of procedures for visitors and that visitors are escorted, when necessary. 6.9 Eating and drinking is forbidden in areas housing critical or sensitive network equipment. 7. Access Control to Secure Network Areas 7.1 Entry to secure areas housing critical or sensitive network equipment will be restricted to only those whose job function requires it. 8. Access Control to the Network 8.1 Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access to the network will conform to the Trust's Remote Access Policy. 8.2 There must be a formal, documented user registration and de-registration procedure for access to the network. 8.3 HR or Departmental managers must request user access. 8.4 Access rights to the network will be allocated on the requirements of the user's job function. 8.5 Security privileges (i.e. administrator or network administrator rights) to the network will be allocated on the requirements of the user's job function. 8.6 All users to the network will have their own individual user identification and password. 8.7 Users are responsible for ensuring their password is kept secret. 8.8 User access rights will be immediately removed or reviewed for those users who have left the Trust or changed jobs. 9. Third Party Access Control to the Network 9.1 Third party access to the network will be based on a formal contract that satisfies all necessary NHS security conditions. 9.2 All third party access to the network must be logged. 6

10. External Network Connections 10.1 Ensure that all connections to external networks and systems have documented and approved System Security Policies. 10.2 Ensure that all connections to external networks and systems conform to the NHSwide Network Security Policy, Code of Connection and supporting guidance. 10.3 The Network Manager or IT Security manager must approve all connections to external networks and systems before they commence operation. 11. Maintenance Contracts 11.1 The Trust will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment. 12. Fault Logging 12.1 The Trust will ensure that a log of all faults on the network is maintained and reviewed. 13. Network Operating Procedures 13.1 Documented operating procedures should be prepared for the operation of the network, to ensure its correct, secure operation. Changes to operating procedures must be authorised by the Director of IT or a nominated deputy. 14. Data Backup and Restoration 14.1 Ensure that procedures are in place to backup data on Trust systems and to restore data in a timely manner. See Backup Policy 15. User Responsibilities, Awareness & Training 15.1 The Trust will ensure that all users of the network are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities. 15.2 All users of the network must be made aware of the contents and implications of the Network Security Policy. 15.3 Breaches, irresponsible or improper actions by users may result in disciplinary action(s). 16. Security Audits 16.1 The IT Security Manager will require checks on, or an audit of, actual implementations based on approved security policies. 7

17. Malicious Software 17.1 Ensure that measures are in place to detect and protect the network from viruses and other malicious software. See Anti-Virus Policy 18. Secure Disposal or Re-use of Equipment 18.1 Ensure that where equipment is being disposed of, IT Department staff must ensure that all data on the equipment (e.g. on hard disks or tapes) is securely overwritten. Where this is not possible IT Department staff should physically destroy the disk or tape. 18.2 Ensure that where disks are to be removed from the premises, the data is securely overwritten or the disk is de-gaussed by the IT Department. 19. System Change Control 19.1 Ensure that the Network Manager reviews changes to the security of the network. All such changes must be reviewed and approved. The Network Manager is responsible for updating all relevant Network Security Policies, design documentation, security operating procedures and network operating procedures. 19.2 The IT Security Manager may require checks on, or an assessment of the actual implementation based on the proposed changes. 20. Security Monitoring 20.1 Ensure that the network is monitored for potential security breaches. All monitoring will comply with current legislation. See IT Systems Monitoring Policy 21. Reporting Security Incidents & Weaknesses 21.1 All potential security breaches must be reported to the IT Helpdesk. Security incidents and weaknesses must be reported in accordance with the requirements of the organisation's incident reporting procedure. All Security incidents and weaknesses - actual or potential will be investigated and reported to the Corporate Governance Group. See IT Security Reporting Policy 22. System Configuration Management 22.1 Ensure that there is an effective configuration management system for the network. 23. Business Continuity & Disaster Recovery Plans 23.1 Ensure that business continuity plans and disaster recovery plans are produced for the network. 23.2 The plans must be reviewed and tested on a regular basis. 8

24. Unattended Equipment and Clear Screen 24.1 Users must ensure that they protect the network from unauthorised access. They must log off the network when finished working. 24.2 The Trust operates a clear screen policy that means that users must ensure that any equipment logged on to the network must be protected if they leave it unattended, even for a short time. Workstations must be locked or a screensaver password activated if a workstation is left unattended for a short time. 24.3 Users failing to comply may be subject to disciplinary action. 25. Monitoring 25.1 Any exceptions will be investigated and reported to the Corporate Governance Group. 25.2 Minutes of the Corporate Governance Group will be made available to the Trust Audit Committee. 26. References ISO/IEC 27001:2005 Section A 12.3.1 Backup Policy Remote Working Policy Anti Virus Policy Backup Policy IT Systems User Access Policy Password Policy 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information