Network Security Policy



Similar documents
ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

Rotherham CCG Network Security Policy V2.0

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

Mike Casey Director of IT

ULH-IM&T-ISP06. Information Governance Board

Network Security Policy

NETWORK SECURITY POLICY

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction Policy Statement Purpose...

How To Ensure Network Security

NETWORK SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

How To Protect Decd Information From Harm

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

Information Security

Information Security Policy

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

Newcastle University Information Security Procedures Version 3

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25

University of Liverpool

ISO27001 Controls and Objectives

Information Governance Policy (incorporating IM&T Security)

INFORMATION TECHNOLOGY SECURITY STANDARDS

University of Sunderland Business Assurance Information Security Policy

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

ISO Controls and Objectives

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Service Children s Education

HIPAA Security Alert

NHS Business Services Authority Information Security Policy

Policy Document. Communications and Operation Management Policy

Information security policy

Dublin Institute of Technology IT Security Policy

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

University of Aberdeen Information Security Policy

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Information Resources Security Guidelines

ABERDARE COMMUNITY SCHOOL

ISO 27002:2013 Version Change Summary

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Physical Security Policy

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

VMware vcloud Air HIPAA Matrix

Policy Document. IT Infrastructure Security Policy

Information Security Management. Audit Check List

Supplier Security Assessment Questionnaire

ISO IEC ( ) INFORMATION SECURITY AUDIT TOOL

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

SERVER, DESKTOP AND PORTABLE SECURITY. September Version 3.0

Highland Council Information Security Policy

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Information Security Policies. Version 6.1

IT - General Controls Questionnaire

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction

Information Security Policy

HIPAA Information Security Overview

University of Brighton School and Departmental Information Security Policy

Music Recording Studio Security Program Security Assessment Version 1.1

Draft Information Technology Policy

Caedmon College Whitby

How To Ensure Information Security In Nhs.Org.Uk

INFORMATION SECURITY PROCEDURES

Information & ICT Security Policy Framework

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

An Approach to Records Management Audit

Data Access Request Service

Corporate Information Security Management Policy

School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY

Information Technology Security Procedures

How To Write A Health Care Security Rule For A University

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Internet Use Policy and Code of Conduct

Supplier Information Security Addendum for GE Restricted Data

Information Security Programme

Protection of Computer Data and Software

Estate Agents Authority

TECHNICAL SECURITY AND DATA BACKUP POLICY

OECD SERIES ON PRINCIPLES OF GOOD LABORATORY PRACTICE AND COMPLIANCE MONITORING NUMBER 10 GLP CONSENSUS DOCUMENT

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

Transcription:

IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service Policy Category: Technical Author (post-holder and Subject Matter Expert): Dean Fletcher Sponsor (Director): Eddie Olla, Director of NHIS CONTENT SECTION DESCRIPTION PAGE Introduction 3 1 This Document 3 2 Aim 3 3 Network Definition 3 4 Scope of Policy 3 5 The Policy 3 6 Risk Assessment 4 7 Physical & Environmental Security 4 8 Access Control to Secure Network Areas 5 9 Access Control to the Network 5 10 Third Party Access Control to the Network 5 11 External Network Connections 5 Connection of Non NHIS Supplied Devices to the 12 Network 6 13 Maintenance Contracts 6 14 Data and Software Exchange 6 Page 1 of 9

15 Fault Logging 6 16 Security Operating Procedures (SyOps) 6 17 Network Operating Procedures 6 18 Data Backup and Restoration 6 19 User Responsibilities, Awareness & Training 7 20 Accreditation of Network System 7 21 Security Audits 7 22 Malicious Software 7 23 Secure Disposal or Re-use of Equipment 7 24 System Change Control 7 25 Security Monitoring 8 26 Reporting Security Incidents & Weaknesses 8 27 System Configuration Management 8 28 Business Continuity & Disaster Recovery Plans 8 29 Unattended Equipment and Clear Screen 8 30 Validity of this Policy 8 31 Acronyms 8 32 Policy approved by 9 The issue of this page is the overall issue of this procedure. The current issue of individual pages are as follows: PAGE 1 2 3 4 5 6 7 8 9 ISSUE 1 1 1 1 1 1 1 1 1 DATE 24/02/15 24/02/15 24/02/15 24/02/15 24/02/15 24/02/15 24/02/15 24/02/15 24/02/15 Page 2 of 9

INTRODUCTION This document defines the Network Security Policy for Nottinghamshire Health Informatics Service. The Network Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support the network. 1. THIS DOCUMENT: Sets out the organisation's policy for the protection of the confidentiality, integrity and availability of the network. Establishes the security responsibilities for network security. Provides reference to documentation relevant to this policy. 2. AIM The aim of this policy is to ensure the security of Nottinghamshire Health Informatics Service's network. To do this the Trust will: 2.1. Ensure Availability 2.2. Ensure that the network is for users. 2.3. Preserve Integrity 2.4. Protect the network from unauthorised or accidental modification ensuring the accuracy and completeness of the organisation's assets. 2.5. Preserve Confidentiality 2.6. Protect assets against unauthorised disclosure. 3. NETWORK DEFINITION The network is a collection of communication equipment such as servers, computers, smart devices, printers, and modems, which has been connected together either by cables or associated Wireless Equipment. The network is created to share data, software, and peripherals such as printers, modems, fax machines, Internet connections, CD-ROM and tape drives, hard disks and other data storage equipment. 4. SCOPE OF THIS POLICY This policy applies to all networks supported by Nottinghamshire Health Informatics Service used for: 4.1. The storage, sharing and transmission of non-clinical data and images 4.2. The storage, sharing and transmission of clinical data and images 4.3. Printing or scanning non-clinical or clinical data or images 4.4. The provision of Internet systems for receiving, sending and storing non-clinical or clinical data or images 5. THE POLICY The overall Network Security Policy for Nottinghamshire Health Informatics Service is described below: The Nottinghamshire Health Informatics Service information network will be available when needed subject to the agreed SLA/KPI agreements, can be accessed only by legitimate users and will contain complete and accurate information. The network must also be able to withstand or recover from threats to its availability, integrity and confidentiality. To satisfy this, Nottinghamshire Page 3 of 9

Health Informatics Service will undertake to the following. Nottinghamshire Health Informatics Service will: 5.1. Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical measures. 5.2. Provide both effective and cost-effective protection that is commensurate with the risks to its network assets. 5.3. Implement the Network Security Policy in a consistent, timely and cost effective manner. 5.4. Where relevant, Nottinghamshire Health Informatics Service will comply with: Copyright, Designs & Patents Act 1988 Access to Health Records Act 1990 Computer Misuse Act 1990 The Data Protection Act 1998 The Human Rights Act 1998 Electronic Communications Act 2000 Regulation of Investigatory Powers Act 2000 Freedom of Information Act 2000 Health & Social Care Act 2012 5.5. Nottinghamshire Health Informatics Service will comply with other laws and legislation as appropriate. 5.6. The policy must be approved by the HIS Strategic Board (HSB) 6. RISK ASSESSMENT 6.1. Nottinghamshire Health Informatics Service will carry out security risk assessment(s) in relation to all the business processes covered by this policy. These risk assessments will cover all aspects of the network that are used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability. 6.2. Risk assessment will be conducted to determine the appropriate assurance levels required for security barriers that protect the network. 6.3. Formal risk assessments will be conducted using appropriate industry recognised standard methodologies. 7. PHYSICAL & ENVIRONMENTAL SECURITY 7.1. Network computer equipment will be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment that is monitored for temperature, humidity and power supply quality. 7.2. Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls. 7.3. The relevant Service Support Manager is responsible for ensuring that door lock codes are changed periodically, following a compromise of the code, if s/he suspects the code has been compromised, or when required to do so by the HIS Strategic Board (HSB). Page 4 of 9

7.4. Critical or sensitive network equipment will be protected from power supply failures. 7.5. Critical or sensitive network equipment will be protected by intruder alarms and fire suppression systems. 7.6. Smoking, eating and drinking is forbidden in areas housing critical or sensitive network equipment. 7.7. All visitors to dedicated secure network areas must be authorised by the Service Support Manager. 7.8. All visitors to secure network areas must be made aware of network security requirements. 7.9. All visitors to secure network areas must be logged in and out. The log will contain name, organisation, purpose of visit, date, and time in and out. 7.10. The Service Support Manager will ensure that all relevant staff are made aware of procedures for visitors and that visitors are escorted, when necessary. 7.11. All authorised staff working in secure network areas must be logged in and out. The log will contain name, purpose of visit, date, and time in and out. 8. ACCESS CONTROL TO SECURE NETWORK AREAS 8.1. Entry to secure areas housing critical or sensitive network equipment will be restricted to those whose job requires it. The Service Support Manager will maintain and periodically review a list of those with unsupervised access. 9. ACCESS CONTROL TO THE NETWORK 9.1. Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access to the network will conform to the Trust's Remote Access Policy. 9.2. There must be a formal, documented user registration and de-registration procedure for access to the network. 9.3. Departmental managers must approve user access. 9.4. Access rights to the network will be allocated on the requirements of the user's job, rather than on a status basis. 9.5. Security privileges (i.e. 'super user' or network administrator rights) to the network will be allocated on the requirements of the user's job, rather than on a status basis. 9.6. All users to the network will have their own individual user identification and password. 9.7. Users are responsible for ensuring their password is kept secret (see User Responsibilities). 9.8. User access rights will be immediately removed or reviewed for those users who have left the Trust or changed jobs upon Nottinghamshire Health Informatics Service being notified of those changes. 10. THIRD PARTY ACCESS CONTROL TO THE NETWORK 10.1. Third party access to the network will be based on a formal contract that satisfies all necessary NHS security conditions. 10.2. All third party access to the network must be logged. 11. EXTERNAL NETWORK CONNECTIONS 11.1. Ensure that all connections to external networks and systems have documented and approved System Security Policies. Page 5 of 9

11.2. Ensure that all connections to external networks and systems conform to the NHS-wide Network Security Policy, Code of Connection and supporting guidance. 11.3. The Service Support Manager must approve all connections to external networks and systems before they commence operation. 12. CONNECTION OF NON NHIS SUPPLIED DEVICES TO THE NETWORK 12.1. In the event of a customer wishing to connect a device which has not been supplied by NHIS to the supported network the relevant NHIS 3 rd Party Device form must be completed by the customer and returned to NHIS for approval. 12.2. All such devices will be required to comply with the agreed Anti-Virus and other Security Measures including all Code Of Connection requirements which are in force at the time. 13. MAINTENANCE CONTRACTS 13.1. The Service Support Manager will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment where such support is deemed to be required. All contract details will constitute part of Nottinghamshire Health Informatics Service s Asset register. 14. DATA AND SOFTWARE EXCHANGE 14.1. Formal agreements for the exchange of data and software between organisations must be established and approved by the relevant data controller and the NHIS Corporate Governance Manager. 15. FAULT LOGGING 15.1. The Service Support Manager is responsible for ensuring that a log of all faults on the network is maintained and reviewed. A written procedure to report faults and review countermeasures will be produced. 16. SECURITY OPERATING PROCEDURES (SYOPS) 16.1. Produce Security Operating Procedures (SyOps) and security contingency plans that reflect the Network Security Policy. 16.2. Changes to operating procedures must be authorised by the Service Support Manager. 17. NETWORK OPERATING PROCEDURES 17.1. Documented operating procedures should be prepared for the operation of the network, to ensure its correct, secure operation. 17.2. Changes to operating procedures must be authorised by the Service Support Manager. 18. DATA BACKUP AND RESTORATION 18.1. The Service Support Manager is responsible for ensuring that backup copies of network configuration data are taken regularly. 18.2. Documented procedures for NHIS managed backup processes and storage of backup tapes (if used) will be produced and communicated to all relevant staff. 18.3. All backup tapes (if used) will be stored securely and when appropriate will be stored off-site. Page 6 of 9

18.4. Documented procedures for the safe and secure disposal of NHIS managed backup media will be produced and communicated to all relevant staff. 18.5. Users are responsible for ensuring that they backup their own corporate data to the network server. 19. USER RESPONSIBILITIES, AWARENESS & TRAINING 19.1. The Trust will ensure that all users of the network are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities. 19.2. All users of the network must be made aware of the contents and implications of the Network Security Policy and SyOps. 19.3. Irresponsible or improper actions by users may result in disciplinary action(s). 20. ACCREDITATION OF NETWORK SYSTEMS 20.1. Ensure that the network is approved by the Service Support Manager before it commences operation. The Service Support Manager is responsible for ensuring that the network does not pose an unacceptable security risk to the organisation. 21. SECURITY AUDITS 21.1. The Head of Technical Solutions and/or the Service Support Manager will require checks on, or an audit of, actual implementations based on approved security policies. 22. MALICIOUS SOFTWARE 22.1. Ensure that measures are in place to detect and protect the network from viruses and other malicious software. 23. SECURE DISPOSAL OR RE-USE OF EQUIPMENT 23.1. Ensure that where equipment is being disposed of, Health Informatics Service staff must ensure that all data on the equipment (e.g. on hard disks or tapes) is securely overwritten. Where this is not possible Health Informatics Service staff should ensure that the disk or tape is physically destroyed. 23.2. Ensure that where disks are to be removed from the premises for repair, where possible, the data is securely overwritten or the equipment de-gaussed by the Health Informatics Service. 24. SYSTEM CHANGE CONTROL 24.1. Ensure that the Service Support Manager reviews changes to the security of the network. All such changes must be reviewed and approved by the Head of Technical Solutions. The Service Support Manager is responsible for updating all relevant Network Security Policies, design documentation, security operating procedures and network operating procedures. 24.2. The Head of Technical Solutions may require checks on, or an assessment of the actual implementation based on the proposed changes. 24.3. The Service Support Manager is responsible for ensuring that selected hardware or software meets agreed security standards. Page 7 of 9

24.4. As part of acceptance testing of all new network systems, the Service Support Manager will attempt to cause a security failure and document other criteria against which tests will be undertaken prior to formal acceptance. 24.5. Testing facilities will be used for all new network systems. Development and operational facilities will be separated. 25. SECURITY MONITORING 25.1. Ensure that the network is monitored for potential security breaches. All monitoring will comply with current legislation. 26. REPORTING SECURITY INCIDENTS & WEAKNESSES 26.1. All potential security breaches must be investigated and reported to the Compliance Risk and Assurance Management Group (CRAM). Security incidents and weaknesses must be reported in accordance with the requirements of the organisation's incident reporting procedure. 27. SYSTEM CONFIGURATION MANAGEMENT 27.1. Ensure that there is an effective configuration management system for the network. 28. BUSINESS CONTINUITY & DISASTER RECOVERY PLANS 28.1. Ensure that business continuity plans and disaster recovery plans are produced for the network. 28.2. The plans must be reviewed by the Service Support Manager and tested on a regular basis. 29. UNATTENDED EQUIPMENT AND CLEAR SCREEN 29.1. Users must ensure that they protect the network from unauthorised access. They must log off the network when finished working. 29.2. The Trust operates a clear screen policy that means that users must ensure that any equipment logged on to the network must be protected if they leave it unattended, even for a short time. Workstations must be locked or a screensaver password activated if a workstation is left unattended for a short time. 29.3. Users failing to comply will be subject to disciplinary action. 30. VALIDITY OF THIS POLICY 30.1. This policy should be reviewed annually under the authority of the Director of Health Informatics. Associated information security standards should be subject to an ongoing development and review programme. 30.2. Date of Next Policy Review: 20/02/16. 31. ACRONYMS CRAMM. Central Computer and Telecommunications Agency Risk Analysis and Management Method. ISM. Information Security Manager. Page 8 of 9

ISO. Information Security Officer. SyOps. Security Operating Systems CRAM. Compliance Risk and Assurance Management Group HSB. HIS Strategic Board SBU Strategic Business Unit 32. AUTHOR & REVIEW DETAILS Date issued: February 2015 Date to be reviewed by: February 2016 To be reviewed by: Executive Sponsor: Corporate Governance Manager, NHIS Director of Health Informatics Page 9 of 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information