ULH-IM&T-ISP06. Information Governance Board




Network Security Policy

Policy number: ULH-IM&T-ISP06
Version: 2.0
New or Replacement: Replacement
Approved by: Information Governance Board
Date approved: 30th April 2007
Name of author: Andrew Stocks
Name of Executive Sponsor: Michael Humber
Name of responsible committee: Information Governance Board
Date issued: 1 Oct 09
Review date: 1 Oct 2011

Referenced Documents:
- Information Security Policy
- Computer Acceptable Use Policy
- Mobile Computing and Home Working Policy
- Network Access Protocol

Relevant Legislation:
- Data Protection Act (1988)
- Computer Misuse Act (1990)
- Human Rights Act (1988)
- Freedom of Information Act (2000)
- Telecommunications Regulations (2000)
- Investigatory Powers Act (2000)

Relevant Standards:
- Caldicott Report (1988)
- ISO 27001
- IG Toolkit
- CfH N3 Code of Connection

Policy Number: ULH-IM&T-ISP06 Version 2.0 Page 1 of 10

Contents (Section, Page)

1 Introduction (page 3)
2 Policy Principles (page 5)
3 Physical & Environmental Security (page 5)
4 Access Control to Secure Network Areas (page 5)
5 Access Control Network Services (page 6)
6 Third Party Access Control to the Network (page 6)
7 External Network Connections (page 8)
8 Maintenance Contracts (page 7)
9 Data and Software Exchange (page 7)
10 Fault Logging (page 7)
11 Network Security Operating Procedures (SyOps) (page 7)
12 Data Backup and Restoration (page 8)
13 User Responsibilities, Awareness & Training (page 8)
14 Security Audits (page 8)
15 Malicious Software (page 8)
16 Secure Disposal or Re-use of Network Services Equipment (page 8)
17 System Change Control (page 9)
18 Security Monitoring (page 9)
19 Reporting Security Incidents & Weaknesses (page 9)
20 System Configuration Management (page 9)
21 Disaster Recovery Plans (page 9)
22 Unattended Equipment and Clear Screen (page 10)
23 Security Responsibilities (page 10)
24 Security Accreditation Conditions (page 10)

1. Introduction

1.1. Purpose: This document defines the Network Security Policy for the United Lincolnshire Hospitals Trust; sets out the organisation's policy for the protection of the confidentiality, integrity and availability of the network; establishes the security responsibilities for network security; and provides reference to documentation relevant to this policy.

1.2. Objectives: The objectives of the policy are:
- To ensure the security of the Trust's network.
- To preserve the confidentiality of data.
- To preserve the integrity of data.
- To ensure availability of network services for users.
- To protect the network from unauthorised, accidental or deliberately malicious modification, ensuring the accuracy and completeness of the organisation's assets.
- To protect assets against unauthorised disclosure.

1.3. Scope: The Network Security Policy applies to:
- All business functions carried out by the network management team.
- The physical environment, to include:
  o Wired cabling (copper and fibre)
  o Wireless equipment (subject to additional requirements in the WiFi Policy)
  o Cabling and equipment closets/racks
  o Server rooms
- The delivery of data.
- Network access control.
- The physical security of data and application servers.

1.4. Network Definition: The ULHT network is a Metropolitan Area Network (MAN) which comprises multiple site-to-site links forming a ring topology, with Local Area Network infrastructure present at each node, including routers, switches, servers and wireless technology. The network exists to allow authorised personnel to share data, to access both data and application servers and peripheral equipment such as printers, and to provide an external connection to NHS applications and the internet via the N3 network managed by Connecting for Health (CfH).

1.4.1. Community (Primary & Mental Health Care) LAN: The ULHT LAN is directly connected to the Lincolnshire Healthy Community LAN.

1.4.2. Humber Net: The ULHT LAN is directly connected to the Humber network, which is managed by North Lincolnshire and Goole NHS Trust.

1.4.3. Wireless networking: The Trust network has been developed to include an element of wireless networking. The security requirements are defined in a separate policy.

1.4.4. Network Services Equipment: This policy applies to all equipment using the ULHT network backbone, including data and application servers.

1.5. Any use of the Trust network in breach of this policy may result in disciplinary action and, in serious cases, could constitute gross misconduct.

2. Policy Principles

2.1. The United Lincolnshire Hospitals Trust's information network will be available when needed, can be accessed only by legitimate users and will transfer complete and accurate information.

2.2. The network must also be able to withstand or recover from threats to its availability, integrity and confidentiality. To satisfy this, the Trust will:

2.2.1. Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical measures.

2.2.2. Provide both effective and cost-effective protection that is commensurate with the risks to its network assets.

2.2.3. Implement the Network Security Policy in a consistent, timely and cost-effective manner.

2.2.4. Where relevant, the Trust will comply with all appropriate laws and regulations, including:
- Copyright, Designs & Patents Act 1988
- Access to Health Records Act 1990
- Computer Misuse Act 1990
- The Data Protection Act 1998
- The Human Rights Act 1998
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- Health & Social Care Act 2001

2.2.5. Risk Assessment: Appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability will be identified following a risk assessment (RA). The RA will be carried out in relation to all the business processes covered by this policy and will conform to the requirements of ISO 27001.

3. Physical & Environmental Security

3.1. All network computer equipment will be housed in a controlled and secure environment.

3.2. All network cabling will be situated in appropriate trunking or ducting and hidden from view.

3.3. Critical or sensitive network equipment and all data/application servers will be housed in secure computer rooms/areas which will be:
- Sited behind a secure perimeter where possible.
- Protected by appropriate security barriers and entry controls.
- Environmentally controlled, i.e. monitored for temperature, humidity and power supply quality.
- Fitted with intruder alarms and fire suppression systems where appropriate and practical.

3.4. The ICT Operations Manager is responsible for ensuring that door lock codes to all secure computing areas are changed:
- periodically;
- following a compromise of the code;
- if it is suspected that the code has been compromised; or
- when required to do so by the Information Governance Manager.

3.5. Smoking, eating and drinking are forbidden in areas housing critical or sensitive computer equipment.

4. Access Control to Secure Network Areas

4.1. Entry to secure areas housing critical or sensitive network equipment will be restricted to those whose job requires it.

4.2. All visitors to secure network areas must be authorised by a member of ICT Operations Management.

4.3. All visitors to secure network areas will be made aware of network security requirements.

4.4. All visitors to secure network areas will be logged in and out. The log will contain name, organisation, purpose of visit, date, and time in and out.

4.5. ICT Operations Management will ensure that all relevant staff are made aware of procedures for visitors and that visitors are escorted when necessary.

5. Access Control Network Services

5.1. Before access is granted to any systems or data/application servers managed by the Trust (either internal or NPfIT), users are required to be appropriately authorised, sponsored and registered with a unique user ID.

5.2. Access by all ULHT employees is deemed to be a requirement of their employment and will be granted automatically following confirmation of their employment and identity. However, access to all subsequent systems and application and data servers will be on the grounds of sponsorship and in line with each system's specific security policy where applicable.

5.3. Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Two factor authentication will be used, which will consist of either a username and password or a smartcard and PIN number.

5.4. Only authorised equipment, either Trust owned or Trust managed, will be allowed to connect to the Trust LAN.

5.5. Remote access to the network will conform to the Trust Mobile Computing and Home Working Policy.

5.6. Access rights to the network will be allocated strictly on the requirements of the Trust business cases, which are defined in the Computer Acceptable Use Policy.

5.7. All system administrators will have additional security privileges to network services; these will only be allocated with the approval of the ICT Operations Manager.

5.8. Access to the network is not granted until a new user registration form has been completed and signed by the user.

5.9. Users are responsible for ensuring their password is kept secure and is not shared (see Computer Acceptable Use Policy).

5.10. User access rights will be removed or reviewed for those users who have left the Trust or changed jobs.

6. Third Party Access Control to the Network

6.1. Third party organisations requiring access will be required to sign a third party confidentiality agreement before they are given access. In addition, organisations will only be allowed access on the basis of a sound business case and following the approval of the Information Security Manager.

6.2. All third party access to the network must be recorded in firewall logs.

6.3. Access by all external users requiring access to ULHT network services will be in accordance with the ULHT Network Access Protocol (ULH-IM&T-IGPR08). All users will be required to be sponsored by a ULHT department, and the individual user will also be required to sign the confidentiality agreement on the form before access is granted.

7. External Network Connections

7.1. Before allowing any approved external networks to be connected to the ULHT LAN, the Network Manager will:
- Ensure they have appropriate documented and approved System Security Policies.
- Ensure that all connections to external networks and systems conform to the NHS-wide Network Security Policies, Statement of Compliance and supporting guidance.

7.2. The Information Security Manager must approve all third party connections to networks and systems before they commence operation.

7.3. All external entry and exit points to the network will be managed by an appropriately configured firewall. Access points which are deemed to be internal for the purpose of this policy will have risk-based security barriers installed, which as a minimum will be an appropriately configured router.

8. Maintenance Contracts

8.1. The ICT Operations Manager will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment. All contract details will constitute part of the ICT Operations department asset register.

9. Data and Software Exchange

9.1. Formal agreements for the exchange of data and software between organisations must be established and approved by the Information Security Manager.

10. Fault Logging

10.1. The Technical Services Manager is responsible for ensuring that a log of all faults on the network is maintained and reviewed. A written procedure to report faults and review countermeasures will be produced.

11. Network Security Operating Procedures (SyOps)

11.1. Documented operating procedures should be prepared for the operation of the network, to ensure its correct and secure operation.

11.2. Changes to operating procedures must be authorised by the ICT Operations Manager.

12. Data Backup and Restoration

12.1. The Technical Services Manager is responsible for ensuring that backup copies of the network configuration data are taken regularly.

12.2. Documented procedures for the backup process and storage of backup tapes will be produced and communicated to all relevant staff.

12.3. All backup tapes will be stored securely and a copy will be stored off-site.

12.4. Documented procedures for the safe and secure disposal of backup media will be produced and communicated to all relevant staff.

13. User Responsibilities, Awareness & Training

13.1. The Trust will ensure that all users of the network are provided with the necessary security guidance, awareness and, where appropriate, training to discharge their security responsibilities.

13.2. All users of the network must be made aware of the contents and implications of the Network Security Policy and any relevant SyOps.

14. Security Audits

14.1. The Information Security Manager will carry out internal audits of the network periodically or when required to do so by the ICT Operations Manager. In addition, and as required by the Trust, independent audits and penetration testing will be carried out by internal and/or external auditors based on approved security policies.

15. Malicious Software

15.1. The ICT Operations Manager will ensure that measures are in place to detect and protect the network from viruses and other malicious software, as required by the Trust Information Security Policy and as defined in the Trust Anti Virus Policy.

16. Secure Disposal or Re-use of Network Services Equipment

16.1. All network services equipment is to be disposed of in accordance with the Trust Computer Acceptable Use Policy, and all storage media is to be wiped to an approved standard before being disposed of, to ensure that all information is removed.

16.2. Storage media is never to be removed from the premises for repair or recovery without the approval of the ICT Operations Manager, and then only following a risk assessment carried out in conjunction with the Information Governance Manager, or where an approved secure process is in place for this service.

17. System Change Control

17.1. The Technical Services Manager is responsible for updating all relevant Network Security Policies, design documentation, security operating procedures and network operating procedures.

17.2. Acceptance testing of all new network systems will be undertaken prior to formal acceptance, and all development work will be kept separate from operational facilities.

18. Security Monitoring

18.1. The United Lincolnshire Hospitals Trust reserves the right to monitor its IT systems for the purpose of safeguarding staff by ensuring standards are maintained; conducting lawful investigations; ensuring the effective operation of systems; and ensuring compliance with its statutory responsibilities. Any monitoring or interception of communications will be carried out in accordance with the Regulation of Investigatory Powers Act 2000, the Data Protection Act 1998 and the Human Rights Act 1998.

18.2. The Trust will employ the following monitoring tools:
- Firewalls
- Content filtering (Internet and email)
- Intruder Detection Systems (IDS)
- Network Access Control (NACS)
- Network point monitoring

19. Reporting Security Incidents & Weaknesses

19.1. All potential security breaches must be reported to and investigated by the Information Security Manager.

19.2. Security incidents and weaknesses must be reported in accordance with the requirements of the organisation's incident reporting procedure, as defined in the Information Security Policy.

20. System Configuration Management

20.1. The ICT Operations Manager will ensure that there is an effective configuration management system for the network.

21. Disaster Recovery Plans

21.1. The Technical Services Manager must ensure that disaster recovery and business continuity plans are produced for the network.

21.2. The plans must be reviewed by the Information Security Manager, tested on a regular basis and incorporated into the Trust's overall BCP policy.

22. Unattended Equipment and Clear Screen

22.1. Users must ensure that they protect the network from unauthorised access. They must log off the network when finished working.

22.2. In accordance with the Computer Acceptable Use Policy, the Trust operates a clear screen policy, which means that users must ensure that any equipment logged on to the network is protected if they leave it unattended, even for a short time. Workstations must be locked or a password-protected screensaver activated if a workstation is left unattended for a short time.

23. Security Responsibilities

23.1. Overall responsibility for security, policy and implementation is as defined in the Information Security Policy and applies to all users.

23.2. Responsibility for implementing this policy within the context of IT systems development and use in the organisation is delegated to the Technical Services Manager.

23.3. Technical Services Manager's Responsibilities:
- To produce and implement effective security countermeasures.
- To produce all relevant security documentation, security operating procedures and contingency plans reflecting the requirements of the Network Security Policy.

24. Security Accreditation Conditions

24.1. Modifications: All significant changes to the security profile of the network are to be approved in the first instance by the ICT Operations Manager and then authorised by the Trust Accreditation Authority.

24.2. There will be no variation from this document without the prior approval of the Trust Information Governance Board. In signing up to this document, the Trust Information Governance Board assumes that the information supplied is accurate.

24.3. Further Information: For further information, concerns or questions regarding this policy, please contact the Information Governance Team.