Supplier Remote Access Policy Board library reference Document author Assured by Review cycle P157 Information Security and Technical Assurance Manager Finance and Planning Committee 1 year This document is version controlled. The master copy is on Ourspace. Once printed, this document could become out of date. Check Ourspace for the latest version. Contents 1. Introduction...3 2. Purpose or aim...3 3. Scope...3 4. Definitions...3 4.1 IS&T Systems... 3 4.2 Information Asset (or Asset)... 3 4.3 Devices... 3 4.4 SIRO Senior Information Risk Owner (SIRO)... 4 4.5 IAO Information Asset Owners... 4 4.6 IAA - Information Asset Administrators... 4 4.7 Secure Envoy... 4 4.8 Citrix XenApp... 4 4.9 RDP... 4 5. Standard Solution...4 5.1 Citrix access... 4 5.2 Securenvoy... 4 5.3 RDP... 4 6. Request Process...5 6.1 Request for remote access... 5 Supplier Remote Access Policy Review date: 22/01/2016 Version No: 1.0 Page 1 of 9
6.2 Technical & Security review... 5 7. Standard Process...5 7.1 Supplier sign off of AUP... 5 7.2 Account Request... 5 7.3 Account & SecurEnvoy setup... 5 7.4 Citrix/RDP... 5 7.5 System Access... 5 7.6 Update asset documentation... 5 7.7 Account change or cessation... 6 7.8 Annual review... 6 8. Non Standard process...6 8.1 Agreement by SIRO... 6 9. Roles and responsibilities...6 9.1 Information Asset Owners (IAOs)... 6 9.2 Information Security team... 6 9.3 IT Service Desk... 6 9.4 Datacentre team... 6 9.5 IT Applications Support and IAA... 6 10. Document Lifecycle Control...6 11. References...7 12. Appendices...8 12.1 Form SRA1 Supplier Remote Access Request... 8 Supplier Remote Access Policy Review date: 22/01/2016 Version No: 1.0 Page 2 of 9
1. Introduction Avon and Wiltshire Mental Health Partnership NHS Trust (AWP) is bound by the provisions of a considerable number of items of legislation and regulation affecting the stewardship of data and information. Information Governance (IG) ensures the Trust s compliance with applicable legislation, the regulatory framework, Common Law, and mandated best practice. In short, IG exists to ensure the Integrity, Availability, Confidentiality and Accountability of the Trust s operational, patient, staff and management information. The Trust s Overarching Information Governance Policy defines the Trust s mandated base-line strategy for compliance and effective management in each of the following six areas of Information Governance. Information Governance Management Confidentiality & Data Protection Assurance Information Security Assurance Clinical Information Assurance Secondary Use Assurance Corporate Information Assurance The other information governance policies constitute the top level documentation of the Trust s Information Governance Management System (IGMS). Compliance with all Policies, Procedures and Guidelines contained in the IGMS is mandatory for all persons and organisations operating under the auspices of, or delivering a service to the Trust, whether they are staff, students, volunteers, contractors or partner organisations. 2. Purpose or aim The purpose of this policy is to define the standard approach to providing access to AWP IS&T systems for use by third parties for the purposes of contracted systems support 3. Scope This process applies to the standard approach used by AWP for all contractors, vendors and agents with authorised access to the AWP IS&T systems for support, administration and diagnostic purposes. 4. Definitions 4.1 IS&T Systems Computer, Network and Telephony systems belonging or contracted by the Trust. 4.2 Information Asset (or Asset) Any combination of IS&T systems used to deliver a specific information system, application or business process 4.3 Devices Desktop computers, laptops, notebooks, mobile phones, tablets. Supplier Remote Access Policy Review date: 22/01/2016 Version No: 1.0 Page 3 of 9
4.4 SIRO Senior Information Risk Owner (SIRO) An Executive Director or Senior Management Board Member who will take overall ownership of the Organisation s Information Risk Policy, act as champion for information risk on the Board and provide written advice to the Accounting Officer on the content of the Organisation s Statement of Internal Control in regard to information risk 4.5 IAO Information Asset Owners Senior individuals with AWP with named reasonability for specific Information assets. Their role is to understand and address risks to the information assets they own and to provide assurance to the SIRO on the security and use of those assets. 4.6 IAA - Information Asset Administrators Operational staff nominated by the IAO to ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management, and ensure that information asset registers are accurate and up to date. 4.7 Secure Envoy A radius based two factor tokenless authentication system 4.8 Citrix XenApp A Server based application virtualisation solution 4.9 RDP Microsoft s Remote Desktop Protocol 5. Standard Solution 5.1 Citrix access Access to AWP is provided via our Citrix XenApp solution. This provides access to AWP s IS&T systems in a secure, controlled and device independent environment. Access to this solution requires either the client specific Citrix receiver software to be installed or use of the Java based client if a zero install option is required. 5.2 Securenvoy The Trust used a two factor security solution to secure access to its systems. This consists of a standard username and password combination as well as a one-time PIN that is generated on a per session basis will be issued on request to allow access. The Trust s IT Applications Support team will be the primary contact point for remote access requests. This duty may also be shared with the specific information assets IAA if appropriate. The Trust s Information Security team will be the secondary contact point for remote access requests. The Trust s Datacentre team will be the tertiary contact point for remote access requests. 5.3 RDP Supplier Remote Access Policy Review date: 22/01/2016 Version No: 1.0 Page 4 of 9
Once connect to the AWP Citrix gateway the supplier will be presented with the option to launch preconfigured instance of Microsoft terminal service client (MSTSC) to initiate a RDP session to any specific servers to which they have been granted access. 6. Request Process 6.1 Request for remote access Where a supplier requires remote access to any AWP IS&T system the IAO for that system must request access via the AWP Information Security team. This should be requested using from SRA1 form at the end of this document and emailed to the Trusts IT Service Desk. 6.2 Technical & Security review On receipt of a valid request the AWP Information Security team will assess the request and work with the supplier to determine if the Trusts standard solution is appropriate or if a custom solution is required. 7. Standard Process 7.1 Supplier sign off of AUP The Trusts Information Security team will request a copy of the Trust s Remote Access AUP be signed on behalf of all users at the supplier by their senior responsible office. 7.2 Account Request The Trusts Information Security team will request, on behalf of the IAO, a remote access account be set up. 7.3 Account & SecurEnvoy setup The Trust IT service desk will then set up the needed accounts on the Trust s network. This will consist of a remote access account of the form Remote_assetname and an associated mail box on the AWP internal mail system. This mail box will be configured will access permissions for the IT Application Support, IT security and Datacentre teams. The IT security team may also request access for the IAA or other Trust staff if appropriate. A secure envoy account will then be set up for this user and configured to use the mailbox as the delivery location for the PINs. 7.4 Citrix/RDP The Trusts Information Security team will request the Datacentre team set up and configure the required MSTSC published applications with permissions assigned to the account above. They will also set up local admin access for the named account on the respective servers. 7.5 System Access The IAA will work with the supplier and the Trusts datacentre and application support teams to configure any additional access permissions needed on the specific servers or applications being accessed 7.6 Update asset documentation The Trusts Information Security team will work with the IAA to update the assets documentation and risk plan based on the agreed remote access. The IAA will then inform the supplier that Supplier Remote Access Policy Review date: 22/01/2016 Version No: 1.0 Page 5 of 9
access is available and confirm the account details and the specific process and contacts needed to arrange access. The IAA should arrange any testing needed to ensure that remote access and any needed system or application configuration is in place and working as expected. 7.7 Account change or cessation Where any changes are needed to the remote access process or account the IAO or IAA must requires this via the Trusts Information Security team 7.8 Annual review As part of asset risk management process the Trusts Information Security team and IAA will review the Remote access arrangements for their specific system. 8. Non Standard process Where the Trusts standard solution is inappropriate then a custom solution will need to be agreed with the Trust s IS&T Information security, Datacentre and Business systems teams. As a minimum this should include the production of an AUP, a custom technical specification, a custom operational specification and risk management plan. 8.1 Agreement by SIRO Any nonstandard solution must be agreed by the Trusts IT Security Team and Senior Information Risk Officer prior to being implemented. 9. Roles and responsibilities 9.1 Information Asset Owners (IAOs) Information asset owners have overall responsibility for access to their assets. 9.2 Information Security team The Information Security team are responsible for evaluating and approving requests from new third parties for systems access. They are also responsible for coordinating the process of setting up access. 9.3 IT Service Desk The Service Desk are responsible to setting network accounts 9.4 Datacentre team The Datacentre team are responsible for configuring AWP IS&T systems to support remote access. 9.5 IT Applications Support and IAA The IT Applications Support and IAA (if agreed) will configure the specific asset as needed and gate keep access on a session by session basis. 10. Document Lifecycle Control Supplier Remote Access Policy Review date: 22/01/2016 Version No: 1.0 Page 6 of 9
This policy document form part of a formal Trust record, and is to be managed in accordance with the Trust s records management policies and retention and disposal schedules. Users must familiarise themselves with the national standards defined by the Department of Health in the Records Management: NHS Code of Practice. The Document Library on OurSpace is the only recognised repository for master versions of policy documents. Copies of this document must therefore not be stored elsewhere on the system, e.g. in workgroups. The OurSpace document library system shall provide records management functionality to allow for the retrieval of previous versions of policy documents for audit purposes. 11. References Supplier Remote Access - Acceptable Use Policy Supplier Remote Access Policy Review date: 22/01/2016 Version No: 1.0 Page 7 of 9
12. Appendices Supplier Remote Access Policy 12.1 Form SRA1 Supplier Remote Access Request Where remote access to an information asset is required by a third party the Information Asset Owner (IAO) should copy, completed and then email this form to the AWP IT Service Desk (itservicedesk.awp@nhs.net). System Name Who requires access? See live asset register on Ourspace Name of the third party requiring access, This can be a specific organisation or individual Reason for access? Why does this organisation or person require access Please supply the contact details of the person at third party organisation who should be contacted by AWP IT to arrange the technical and administrative elements of setting up remote access. Name Address Job Title Email Phone Supplier Remote Access Policy Review date: 22/01/2016 Version No: 1.0 Page 8 of 9
Version History Version Date Revision description Editor Status 0.1 13 January 2014 0.2 18 November 2015 1.0 22 January 2016 Initial draft ISTAM Draft Version for approval RB Draft Approved by Finance and Planning Committee HD Approved Supplier Remote Access Policy Review date: 22/01/2016 Version No: 1.0 Page 9 of 9