Supplier Remote Access Policy




Supplier Remote Access Policy

Board library reference: P157
Document author: Information Security and Technical Assurance Manager
Assured by: Finance and Planning Committee
Review cycle: 1 year
Review date: 22/01/2016
Version No: 1.0

This document is version controlled. The master copy is on Ourspace. Once printed, this document could become out of date. Check Ourspace for the latest version.

Contents

1. Introduction
2. Purpose or aim
3. Scope
4. Definitions
   4.1 IS&T Systems
   4.2 Information Asset (or Asset)
   4.3 Devices
   4.4 SIRO - Senior Information Risk Owner
   4.5 IAO - Information Asset Owners
   4.6 IAA - Information Asset Administrators
   4.7 SecurEnvoy
   4.8 Citrix XenApp
   4.9 RDP
5. Standard Solution
   5.1 Citrix access
   5.2 SecurEnvoy
   5.3 RDP
6. Request Process
   6.1 Request for remote access
   6.2 Technical & Security review
7. Standard Process
   7.1 Supplier sign off of AUP
   7.2 Account Request
   7.3 Account & SecurEnvoy setup
   7.4 Citrix/RDP
   7.5 System Access
   7.6 Update asset documentation
   7.7 Account change or cessation
   7.8 Annual review
8. Non Standard process
   8.1 Agreement by SIRO
9. Roles and responsibilities
   9.1 Information Asset Owners (IAOs)
   9.2 Information Security team
   9.3 IT Service Desk
   9.4 Datacentre team
   9.5 IT Applications Support and IAA
10. Document Lifecycle Control
11. References
12. Appendices
   12.1 Form SRA1 Supplier Remote Access Request

1. Introduction

Avon and Wiltshire Mental Health Partnership NHS Trust (AWP) is bound by the provisions of a considerable number of items of legislation and regulation affecting the stewardship of data and information. Information Governance (IG) ensures the Trust's compliance with applicable legislation, the regulatory framework, Common Law, and mandated best practice. In short, IG exists to ensure the Integrity, Availability, Confidentiality and Accountability of the Trust's operational, patient, staff and management information.

The Trust's Overarching Information Governance Policy defines the Trust's mandated base-line strategy for compliance and effective management in each of the following six areas of Information Governance:

- Information Governance Management
- Confidentiality & Data Protection Assurance
- Information Security Assurance
- Clinical Information Assurance
- Secondary Use Assurance
- Corporate Information Assurance

The other information governance policies constitute the top level documentation of the Trust's Information Governance Management System (IGMS). Compliance with all Policies, Procedures and Guidelines contained in the IGMS is mandatory for all persons and organisations operating under the auspices of, or delivering a service to, the Trust, whether they are staff, students, volunteers, contractors or partner organisations.

2. Purpose or aim

The purpose of this policy is to define the standard approach to providing access to AWP IS&T systems for use by third parties for the purposes of contracted systems support.

3. Scope

This process applies to the standard approach used by AWP for all contractors, vendors and agents with authorised access to the AWP IS&T systems for support, administration and diagnostic purposes.

4. Definitions

4.1 IS&T Systems
Computer, Network and Telephony systems belonging to or contracted by the Trust.

4.2 Information Asset (or Asset)
Any combination of IS&T systems used to deliver a specific information system, application or business process.

4.3 Devices
Desktop computers, laptops, notebooks, mobile phones, tablets.

4.4 SIRO - Senior Information Risk Owner
An Executive Director or Senior Management Board Member who will take overall ownership of the Organisation's Information Risk Policy, act as champion for information risk on the Board and provide written advice to the Accounting Officer on the content of the Organisation's Statement of Internal Control in regard to information risk.

4.5 IAO - Information Asset Owners
Senior individuals within AWP with named responsibility for specific information assets. Their role is to understand and address risks to the information assets they own and to provide assurance to the SIRO on the security and use of those assets.

4.6 IAA - Information Asset Administrators
Operational staff nominated by the IAO to ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management, and ensure that information asset registers are accurate and up to date.

4.7 SecurEnvoy
A RADIUS-based two-factor tokenless authentication system.

4.8 Citrix XenApp
A server-based application virtualisation solution.

4.9 RDP
Microsoft's Remote Desktop Protocol.

5. Standard Solution

5.1 Citrix access
Access to AWP is provided via our Citrix XenApp solution. This provides access to AWP's IS&T systems in a secure, controlled and device-independent environment. Access to this solution requires either the client-specific Citrix Receiver software to be installed or use of the Java-based client if a zero-install option is required.

5.2 SecurEnvoy
The Trust uses a two-factor security solution to secure access to its systems. This consists of a standard username and password combination as well as a one-time PIN, generated on a per-session basis, which will be issued on request to allow access.

The Trust's IT Applications Support team will be the primary contact point for remote access requests. This duty may also be shared with the specific information asset's IAA if appropriate. The Trust's Information Security team will be the secondary contact point for remote access requests. The Trust's Datacentre team will be the tertiary contact point for remote access requests.

5.3 RDP

Once connected to the AWP Citrix gateway the supplier will be presented with the option to launch a preconfigured instance of the Microsoft Terminal Services Client (MSTSC) to initiate an RDP session to any specific servers to which they have been granted access.

6. Request Process

6.1 Request for remote access
Where a supplier requires remote access to any AWP IS&T system the IAO for that system must request access via the AWP Information Security team. This should be requested using form SRA1 at the end of this document and emailed to the Trust's IT Service Desk.

6.2 Technical & Security review
On receipt of a valid request the AWP Information Security team will assess the request and work with the supplier to determine if the Trust's standard solution is appropriate or if a custom solution is required.

7. Standard Process

7.1 Supplier sign off of AUP
The Trust's Information Security team will request that a copy of the Trust's Remote Access AUP be signed on behalf of all users at the supplier by their senior responsible officer.

7.2 Account Request
The Trust's Information Security team will request, on behalf of the IAO, that a remote access account be set up.

7.3 Account & SecurEnvoy setup
The Trust IT Service Desk will then set up the needed accounts on the Trust's network. This will consist of a remote access account of the form Remote_assetname and an associated mailbox on the AWP internal mail system. This mailbox will be configured with access permissions for the IT Applications Support, IT Security and Datacentre teams. The IT Security team may also request access for the IAA or other Trust staff if appropriate. A SecurEnvoy account will then be set up for this user and configured to use the mailbox as the delivery location for the PINs.

7.4 Citrix/RDP
The Trust's Information Security team will request that the Datacentre team set up and configure the required MSTSC published applications with permissions assigned to the account above. They will also set up local admin access for the named account on the respective servers.

7.5 System Access
The IAA will work with the supplier and the Trust's Datacentre and Applications Support teams to configure any additional access permissions needed on the specific servers or applications being accessed.

7.6 Update asset documentation
The Trust's Information Security team will work with the IAA to update the asset's documentation and risk plan based on the agreed remote access. The IAA will then inform the supplier that

access is available and confirm the account details and the specific process and contacts needed to arrange access. The IAA should arrange any testing needed to ensure that remote access and any needed system or application configuration is in place and working as expected.

7.7 Account change or cessation
Where any changes are needed to the remote access process or account, the IAO or IAA must request this via the Trust's Information Security team.

7.8 Annual review
As part of the asset risk management process the Trust's Information Security team and IAA will review the remote access arrangements for their specific system.

8. Non Standard process

Where the Trust's standard solution is inappropriate then a custom solution will need to be agreed with the Trust's IS&T Information Security, Datacentre and Business Systems teams. As a minimum this should include the production of an AUP, a custom technical specification, a custom operational specification and a risk management plan.

8.1 Agreement by SIRO
Any non-standard solution must be agreed by the Trust's IT Security Team and Senior Information Risk Owner prior to being implemented.

9. Roles and responsibilities

9.1 Information Asset Owners (IAOs)
Information asset owners have overall responsibility for access to their assets.

9.2 Information Security team
The Information Security team are responsible for evaluating and approving requests from new third parties for systems access. They are also responsible for coordinating the process of setting up access.

9.3 IT Service Desk
The Service Desk are responsible for setting up network accounts.

9.4 Datacentre team
The Datacentre team are responsible for configuring AWP IS&T systems to support remote access.

9.5 IT Applications Support and IAA
The IT Applications Support team and IAA (if agreed) will configure the specific asset as needed and gatekeep access on a session-by-session basis.
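One way to support the annual review in 7.8 and the change or cessation step in 7.7 from the directory side, as an added example that is not part of the Trust's policy or tooling: it assumes the supplier accounts follow the Remote_assetname convention from 7.3, that the ActiveDirectory PowerShell module is available on the machine running it, and a 365-day inactivity threshold (our assumption, not a figure from the policy).

```powershell
# Added example (not from the policy): list supplier remote access accounts
# named Remote_* and flag the ones that need a decision at the annual review.
# Assumptions: ActiveDirectory module present; accounts follow the
# Remote_assetname convention from section 7.3; the 365-day threshold is ours.
param(
    [int]$StaleDays = 365,
    [string]$SearchBase = $null   # optional OU distinguished name to narrow the search
)

Import-Module ActiveDirectory -ErrorAction Stop

$cutoff = (Get-Date).AddDays(-$StaleDays)

$query = @{
    Filter     = "SamAccountName -like 'Remote_*'"
    Properties = 'Enabled', 'LastLogonDate', 'PasswordLastSet', 'MemberOf', 'whenCreated'
}
if ($SearchBase) { $query.SearchBase = $SearchBase }

$accounts = Get-ADUser @query

$report = foreach ($a in $accounts) {
    $findings = @()
    if (-not $a.Enabled) { $findings += 'disabled' }
    if (-not $a.LastLogonDate) {
        $findings += 'never logged on'
    } elseif ($a.LastLogonDate -lt $cutoff) {
        $findings += "no logon since $($a.LastLogonDate.ToShortDateString())"
    }
    if (-not $a.PasswordLastSet -or $a.PasswordLastSet -lt $cutoff) {
        $findings += 'password older than threshold'
    }
    # The policy grants access per asset (published MSTSC application plus
    # local admin on named servers), so membership of a domain-wide
    # privileged group is a review item in its own right.
    $groups = $a.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }
    if ($groups -match 'Domain Admins|Enterprise Admins|^Administrators$') {
        $findings += 'privileged domain group'
    }
    [pscustomobject]@{
        Account      = $a.SamAccountName
        Asset        = $a.SamAccountName -replace '^Remote_', ''
        Enabled      = $a.Enabled
        LastLogon    = $a.LastLogonDate
        PasswordSet  = $a.PasswordLastSet
        Created      = $a.whenCreated
        Groups       = ($groups -join ';')
        ReviewAction = $(if ($findings) { $findings -join '; ' } else { 'confirm still required with IAO' })
    }
}

# Console view for the reviewer, plus a dated CSV to attach to the asset's risk plan.
$report | Sort-Object Enabled, LastLogon | Format-Table -AutoSize
$report | Export-Csv -Path "Remote_access_review_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Accounts flagged here still go through the Information Security team per 7.7; the script reports and does not change anything.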

10. Document Lifecycle Control

This policy document forms part of a formal Trust record, and is to be managed in accordance with the Trust's records management policies and retention and disposal schedules. Users must familiarise themselves with the national standards defined by the Department of Health in the Records Management: NHS Code of Practice. The Document Library on OurSpace is the only recognised repository for master versions of policy documents. Copies of this document must therefore not be stored elsewhere on the system, e.g. in workgroups. The OurSpace document library system shall provide records management functionality to allow for the retrieval of previous versions of policy documents for audit purposes.

11. References

Supplier Remote Access - Acceptable Use Policy

12. Appendices

12.1 Form SRA1 Supplier Remote Access Request

Where remote access to an information asset is required by a third party the Information Asset Owner (IAO) should copy, complete and then email this form to the AWP IT Service Desk (itservicedesk.awp@nhs.net).

System Name: (see live asset register on Ourspace)

Who requires access?: Name of the third party requiring access. This can be a specific organisation or individual.

Reason for access?: Why does this organisation or person require access?

Supplier contact: Please supply the contact details of the person at the third party organisation who should be contacted by AWP IT to arrange the technical and administrative elements of setting up remote access.
   Name:
   Address:
   Job Title:
   Email:
   Phone:

Version History

Version | Date             | Revision description                        | Editor | Status
0.1     | 13 January 2014  | Initial draft                               | ISTAM  | Draft
0.2     | 18 November 2015 | Version for approval                        | RB     | Draft
1.0     | 22 January 2016  | Approved by Finance and Planning Committee  | HD     | Approved