Rotherham CCG Network Security Policy V2.0



Similar documents
ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Network Security Policy

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

Mike Casey Director of IT

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

Network Security Policy

ULH-IM&T-ISP06. Information Governance Board

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction Policy Statement Purpose...

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY

How To Ensure Network Security

How To Protect Decd Information From Harm

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

NHS Business Services Authority Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Governance Policy (incorporating IM&T Security)

Information security policy

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

Information Security Policy

Policy Number: ULH-IM&T-ISP01 Version 3.0 Page 1 of 25

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

Information Security

Newcastle University Information Security Procedures Version 3

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

University of Liverpool

INFORMATION TECHNOLOGY SECURITY STANDARDS

ISO27001 Controls and Objectives

University of Sunderland Business Assurance Information Security Policy

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

Service Children s Education

Highland Council Information Security Policy

Dublin Institute of Technology IT Security Policy

University of Aberdeen Information Security Policy

ISO Controls and Objectives

How To Ensure Information Security In Nhs.Org.Uk

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Estate Agents Authority

LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

How To Write A Health Care Security Rule For A University

Physical Security Policy

University of Brighton School and Departmental Information Security Policy

ABERDARE COMMUNITY SCHOOL

INFORMATION SECURITY POLICY

HIPAA Security Alert

An Approach to Records Management Audit

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Draft Information Technology Policy

HIPAA Information Security Overview

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

Corporate Information Security Management Policy

Policy Document. Communications and Operation Management Policy

SERVER, DESKTOP AND PORTABLE SECURITY. September Version 3.0

Information Resources Security Guidelines

Caedmon College Whitby

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

Information Security Policy

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Corporate Information Security Policy

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Information Security Management. Audit Check List

Information Security Management System (ISMS) Policy

ISO 27002:2013 Version Change Summary

Information & ICT Security Policy Framework

INFORMATION GOVERNANCE POLICY

Information Technology Security Procedures

REMOTE WORKING POLICY

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework

Supplier Security Assessment Questionnaire

VMware vcloud Air HIPAA Matrix

Policy Document Control Page

Policy Document. IT Infrastructure Security Policy

Information Security Programme

06100 POLICY SECURITY AND INFORMATION ASSURANCE

Supplier Information Security Addendum for GE Restricted Data

INFORMATION SECURITY PROCEDURES

PS177 Remote Working Policy

NHS Commissioning Board: Information governance policy

Remote Working and Portable Devices Policy

CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction

Internet Use Policy and Code of Conduct

Transcription:

Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October 2008 V1.0 Latest Issue Date: March 2013 V2.0 Operational Date: March 2013 Review Date: 14 th September 2014 Consultation Process: IG Steering Group 27/09/12 Ratified and Approved by: SIRO 28/01/2013 Distribution: Compliance: Equality & Diversity Statement: All staff and GP members of the CCG Mandatory for all permanent & temporary employees of Rotherham CCG. Page 1 of 10 v2.0

Aim: Scope: To ensure the network is secure for Trust users All Rotherham CCG s networks and data (clinical and non clinical) availability, sharing and storage Associated documentation: Appendices: Approved by: Date: 17/11/2008 Legal Framework: The Data Protection Act (1998), Copyright Designs & Patents Act (1988), Computer Misuse Act (1990), Regulation of Investigatory Powers Act (2000), Human Rights Act (1998) Policies: Rotherham CCG Email Policy, Rotherham CCG Portable Data Security Policy. [Note any appendices here] PCT Board Review and consultation process: Responsibility for Implementation & Training: To be reviewed annually or as required Infrastructure Manager Training Dept / Network Specialist(s), Server Specialist(s) HISTORY Revisions: [Enter details of revisions below] Date: Author: Description: 24/10/07 D Stowe Initial Document Draft for approval 21/01/2008 D Stowe Second draft for approval 28/07/2008 D Stowe Global change name to NHS Rotherham. 28/07/2008 D Stowe Reviewed. No changes. 14/09/12 D Stowe Updated to reflect name change to CCG Updated to reflect IT service provider change to RFT Changed 9.10 to 90 days Removed reference to Password Manager tool in 9.10 Distribution methods: Trust Intranet, Dept Heads/Managers Page 2 of 10 v2.0

Introduction This document defines the Network Security Policy for Rotherham CCG. The Network Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support the network. 1. This document: Sets out the organisation's policy for the protection of the confidentiality, integrity and availability of the network. Establishes the security responsibilities for network security. Provides reference to documentation relevant to this policy. 2. Aim The aim of this policy is to ensure the security of Rotherham CCG's network. To do this the Trust will: 2.1. Ensure Availability 2.2. Ensure that the network is for users. 2.3. Preserve Integrity 2.4. Protect the network from unauthorised or accidental modification ensuring the accuracy and completeness of the organisation's assets. 2.5. Preserve Confidentiality 2.6. Protect assets against unauthorised disclosure. 3. Network definition The network is a collection of communication equipment such as servers, computers, printers, routers and switches, which has been connected together by cables. The network is created to share data, software, and peripherals such as printers, modems, fax machines, Internet connections, CD-ROM and tape drives, hard disks and other data storage equipment. 4. Scope of this Policy This policy applies to all networks within Rotherham CCG used for: 4.1. The storage, sharing and transmission of non-clinical data and images 4.2. The storage, sharing and transmission of clinical data and images 4.3. Printing or scanning non-clinical or clinical data or images 4.4. The provision of Internet systems for receiving, sending and storing non-clinical or clinical data or images 4.5. The provision of Remote access to internal systems via secure access such as N3 VPN. 5. The Policy The overall Network Security Policy for Rotherham CCG is described below: The Rotherham CCG information network will be available when needed, can be accessed only by legitimate users and will contain complete and accurate information. The network must also be able to withstand or recover from threats to its availability, integrity and confidentiality. To satisfy this, Rotherham CCG will undertake to do the following. Page 3 of 10 v2.0

Rotherham CCG will: 5.1. Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical measures. 5.2. Provide both effective and cost-effective protection that is commensurate with the risks to its network assets. 5.3. Implement the Network Security Policy in a consistent, timely and cost effective manner. 5.4. Where relevant, Rotherham CCG will comply with: Copyright, Designs & Patents Act 1988 Access to Health Records Act 1990 Computer Misuse Act 1990 The Data Protection Act 1998 The Human Rights Act 1998 Electronic Communications Act 2000 Regulation of Investigatory Powers Act 2000 Freedom of Information Act 2000 Health & Social Care Act 2001 5.5. Rotherham CCG will comply with other laws and legislation as appropriate. 5.6. The policy must be approved by the Information Security Manager (ISM). 6. Risk Assessment 6.1. Rotherham CCG will carry out security risk assessment(s) in relation to all the business processes covered by this policy. These risk assessments will cover all aspects of the network that are used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability. 6.2. Risk assessment will be conducted to determine the ITSEC Assurance levels required for security barriers that protect the network. 6.3. Formal risk assessments will be conducted to ensure the network conforms to ISO27001 (ISO17799). 7. Physical & Environmental Security 7.1. Network computer equipment will be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment that is monitored for temperature, humidity and power supply quality. 7.2. Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls. 7.3. The ROTHERHAM CCG IT Managers are responsible for ensuring that door lock codes are changed periodically, following a compromise of the code, if s/he suspects the code has been compromised, or when required to do so by the Information Security Manager (ISM). 7.4. Critical or sensitive network equipment will be protected from power supply failures. 7.5. Critical or sensitive network equipment will be protected by intruder alarms and fire suppression systems. 7.6. Smoking, eating and drinking is strictly controlled in areas housing critical or sensitive network equipment. Page 4 of 10 v2.0

7.7. All visitors to secure network areas must be authorised by the Infrastructure Manager or Network/Server Specialists. 7.8. All visitors to secure network areas must be made aware of network security requirements. 7.9. All visitors to secure network areas must be logged in and out upon entering/leaving the building. The log will contain name, organisation, purpose of visit, date, and time in and out. 7.10. The Infrastructure Manager will ensure that all relevant staff are made aware of procedures for visitors and that visitors are escorted, when necessary. 8. Access Control to Secure Network Areas 8.1. Entry to secure areas housing critical or sensitive network equipment will be restricted to those whose job requires it. The Infrastructure Manager will maintain and periodically review a list of those with unsupervised access. 9. Access Control to the Network 9.1. Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access to the network will conform to the Trust's Remote Access Policy. 9.2. User registration and de-registration procedure for access to the network is controlled directly from the Trust HR system. This ensures only valid ROTHERHAM CCG employees reside on the system. Ad-hoc accounts i.e. Contractors, are assigned an account end date when created. 9.3. Departmental managers must approve user access. 9.4. Access rights to the network will be allocated on the requirements of the user's job, rather than on a status basis. 9.5. Security privileges (i.e. 'superuser' or network administrator rights) to the network will be allocated on the requirements of the user's job, rather than on a status basis. 9.6. Access will not be granted until the HR system or an authorised administrator registers a user. 9.7. All users to the network will have their own individual user identification and password. 9.8. Users are responsible for ensuring their password is kept secret (see User Responsibilities). 9.9. User access rights will be immediately removed or reviewed for those users who have left the Trust or changed jobs. 9.10. Password changes will be forced on the user every 90 days with login denied after 3 attempts. This can be reset through the RFT Service Desk. 10. Third Party Access Control to the Network 10.1. Third party access to the network will be based on a formal contract that satisfies all necessary NHS security conditions. 10.2. All third party access to the network must be logged. 11. External Network Connections 11.1. Ensure that all connections to external networks and systems have documented and approved System Security Policies. 11.2. Ensure that all connections to external networks and systems conform to the NHS-wide Network Security Policy, Code of Connection and supporting guidance. Page 5 of 10 v2.0

11.3. The ISM must approve all connections to external networks and systems before they commence operation. 12. Maintenance Contracts 12.1. The Infrastructure Manager will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment. 13. Data and Software Exchange 13.1. Formal agreements for the exchange of data and software between organisations must be established and approved by the ISM or IT Department/Section Director. 14. Fault Logging 14.1. The Infrastructure Manager is responsible for ensuring that a log of all faults on the network is maintained and reviewed. A written procedure to report faults and review countermeasures will be introduced. 15. System Specific Policies 15.1. Introduce System Specific Policies and security contingency plans that reflect the Network Security Policy. 15.2. Changes to operating procedures must be authorised by the ISM. 16. Network Operating Procedures 16.1. Documented operating procedures should be prepared for the operation of the network, to ensure its correct, secure operation. 16.2. Changes to operating procedures must be authorised by the Head of IT. 17. Data Backup and Restoration 17.1. The Infrastructure Manager is responsible for ensuring that backup copies of network configuration data are taken regularly. 17.2. Documented procedures for the backup process and storage of backup tapes will be produced and communicated to all relevant staff. 17.3. All backup tapes will be stored securely and a copy will be stored off-site. 17.4. Documented procedures for the safe and secure disposal of backup media will be produced and communicated to all relevant staff. 17.5. Users are responsible for ensuring that they backup their own data to the network server. 18. User Responsibilities, Awareness & Training 18.1. The Trust will ensure that all users of the network are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities. 18.2. All users of the network must be made aware of the contents and implications of the Network Security Policy and System Specific Policies. 18.3. Irresponsible or improper actions by users may result in disciplinary action(s). 19. Accreditation of Network Systems 19.1. Ensure that the network is approved by the ISM before it commences operation. In this role the Network Specialist(s) will support the ISM. The Network Specialist(s) is/are Page 6 of 10 v2.0

responsible for ensuring that the network does not pose an unacceptable security risk to the organisation. 20. Security Audits 20.1. The ISM and/or the Network Specialist(s) will require checks on, or an audit of, actual implementations based on approved security policies. 21. Malicious Software 21.1. Ensure that measures are in place to detect and protect the network from viruses and other malicious software. 22. Secure Disposal or Re-use of Equipment 22.1. Ensure that where equipment is being disposed of, RFT IT Department staff must ensure that all data on the equipment (e.g. on hard disks or tapes) is securely overwritten. Where this is not possible RFT IT Department staff should physically destroy the disk or tape. 22.2. Ensure that where disks are to be removed from the premises for repair, where possible, the data is securely overwritten or the equipment de-gaussed by the RFT IT Department. 23. System Change Control 23.1. Ensure that the relevant Network Specialist(s) reviews changes to the security of the network. All such changes must be reviewed and approved by the ISM. The Manager responsible for updating all relevant Network Security Policies, design documentation, security operating procedures and network operating procedures. 23.2. The ISM may require checks on, or an assessment of the actual implementation based on the proposed changes. 23.3. The ISM is responsible for ensuring that selected hardware or software meets agreed security standards. 23.4. As part of acceptance testing of all new network systems, the Network Specialist(s) will attempt to cause a security failure and document other criteria against which tests will be undertaken prior to formal acceptance. 23.5. Testing facilities will be used for all new network systems. Development and operational facilities will be separated. 24. Security Monitoring 24.1. Ensure that the network is monitored for potential security breaches. All monitoring will comply with current legislation. 25. Reporting Security Incidents & Weaknesses 25.1. All potential security breaches must be investigated and reported to the ISM. Security incidents and weaknesses must be reported in accordance with the requirements of the organisation's incident reporting procedure. Page 7 of 10 v2.0

26. System Configuration Management 26.1. Ensure that there is an effective configuration management system for the network. 27. Business Continuity & Disaster Recovery Plans 27.1. Ensure that business continuity plans and disaster recovery plans are produced for the network. 27.2. The plans must be reviewed by the ISM and tested on a regular basis. 28. Unattended Equipment and Clear Screen 28.1. Users must ensure that they protect the network from unauthorised access. They must log off the network when finished working. 28.2. The Trust operates a clear screen policy that means that users must ensure that any equipment logged on to the network must be protected if they leave it unattended, even for a short time. Workstations must be locked or a screensaver password activated if a workstation is left unattended for a short time. 28.3. Users failing to comply may be subject to disciplinary action. 29. Security Responsibilities 29.1. The Chief Executive has delegated the overall security responsibility for security, policy and implementation to the ISM. 29.2. Responsibility for implementing this policy within the context of IT systems development and use in the organisation is delegated further to the Network Specialist(s). 30. Infrastructure Manager's Responsibilities 30.1. To produce and implement effective security countermeasures. 30.2. Produce all relevant security documentation, security operating procedures and contingency plans reflecting the requirements of the Network Security Policy. 31. Information Security Manager's Responsibilities 31.1. Acting as a central point of contact on information security within the organisation, for both staff and external organisations. 31.2. Implementing an effective framework for the management of security. 31.3. Assisting in the formulation of Information Security Policy and related policies. 31.4. Advise on the content and implementation of the Information Security Programme. 31.5. Produce organisational standards, procedures and guidance on Information Security matters for approval by the Information Governance Steering Group. 31.6. Co-ordinate information security activities particularly those related to shared information systems or IT infrastructures. 31.7. Liase with external organisations on information security matters, including representing the organisation on cross-community committees. 31.8. Ensuring that appropriate Data Protection Act notifications are maintained for information stored on the network. 31.9. Dealing with enquires, from any source, in relation to the Data Protection Act and facilitating Subject Access Requests. 31.10. Advising users of information systems, applications and networks of their responsibilities under the Data Protection Act, including Subject Access. 31.11. Advising the Network Specialist(s) on breaches of the Act and recommended actions. Page 8 of 10 v2.0

31.12. Encouraging, monitoring and checking compliance with the Data Protection Act. 31.13. Liasing with external organisations regarding Data Protection Act matters. 31.14. Promoting awareness and providing guidance and advice related to the Data Protection Act as it applies within the Trust. 32. Network Specialist(s) Responsibilities 32.1. Reporting to the Information Security Manager on matters relating to IT security. 32.2. Creating, maintaining, giving guidance on and overseeing the implementation of IT Security. 32.3. Representing the organisation on internal and external committees that relate to IT security. 32.4. Ensuring that risks to IT systems are reduced to an acceptable level by applying security countermeasures identified following an assessment of the risk. 32.5. Ensuring the systems, application and/or development of required policy standards and procedures in accordance with needs, policy and guidance set centrally by the Information Security Manager. 32.6. Ensuring that access to the organisation's network is limited to those who have the necessary authority and clearance. 32.7. Providing advice and guidance to development teams to ensure that the policy is complied with. 32.8. Approving system security policies for the infrastructure and common services. 32.9. Approving tested systems and agreeing rollout plans. 32.10. Advising the Information Security Manager on the accreditation of IT systems, applications and networks. 32.11. Providing a central point of contact on IT security issues. 32.12. Providing advice and guidance on: 32.12.1. Policy Compliance 32.12.2. Incident Investigation 32.12.3. IT Security Awareness 32.12.4. IT Security Training 32.12.5. IT Systems Accreditation 32.12.6. Security of External Service Provision 32.12.7. Contingency Planning for IT systems 32.13. Contacting the Information Security Manager when: 32.14. Incidents or alerts have been reported that may affect the organisation's systems, applications or networks. 32.15. Proposals have been made to connect the organisation's systems, applications or networks to systems, applications or networks that are operated by external organisations. 32.16. Passing on the advice of external sources/authorities on IT security matters. 33. Line Manager's Responsibilities 33.1. Ensuring the security of the network, that is information, hardware and software used by staff and, where appropriate, by third parties is consistent with legal and management requirements and obligations. 33.2. Ensuring that their staff are made aware of their security responsibilities. 33.3. Ensuring that their staff have had suitable security training. Page 9 of 10 v2.0

34. General Responsibilities 34.1. All personnel or agents acting for the organisation have a duty to: 34.2. Safeguard hardware, software and information in their care. 34.3. Prevent the introduction of malicious software on the organisation's IT systems. 34.4. Report on any suspected or actual breaches in security. 35. Guidelines 35.1. Detailed advice on how to determine and implement an appropriate level of security is available from the ISM and Network Specialist(s). 36. Validity of this Policy 36.1. This policy should be reviewed annually under the authority of the Chief Executive. Associated information security standards should be subject to an ongoing development and review programme. 37. Date of Next Policy Review: Aug 2009. 38. Acronyms ISM. Information Security Manager. Page 10 of 10 v2.0

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information