Remote Network Access Procedure

Academic year: 2021

Remote Network Access Procedure

Version: 1.1
Bodies consulted: -
Approved by: PASC
Date Approved: 20.8.13
Lead Manager: Ade Sulaiman
Responsible Director: Simon Young
Date issued: Aug 13
Review date: Jul 16

Is this policy current? Check the intranet to find the latest version!

1 Introduction
2 Purpose
3 Scope
4 Definitions
5 Duties and responsibilities
6 Procedures
7 Training Requirements
8 Process for monitoring compliance with this Procedure
9 References
10 Associated documents

1 Introduction

Remote Access refers to any technology that enables users to connect to the Trust’s network from any location. This access is typically over some kind of dial-up connection, although it can include WAN connections.

The Remote Access system employed by the Trust uses secure token technology to allow authorised staff access to Trust systems. This includes Intranet, email, Personal and Shared folders and, where appropriate, bespoke departmental systems such as RiO. The authorised user requires an internet connection and appropriate passwords.

2 Purpose

This document sets out the Procedure for control of remote access and includes a set of security controls, which can be applied to reduce the risks associated with remote access.

3 Scope

This Procedure applies to staff, students and contractors.

This Procedure covers staff use of all types of remote access, whether fixed or ‘roving’, including:

• Remote users (e.g. staff working at one or more sites or who work at locations other than the Tavistock Centre or Portman Clinic)

• Home working

• Non-NHS staff (e.g. Social Services, contractors and other 3rd party organisations)

Wilful and/or negligent disregard of this Procedure will be investigated and may be treated as a disciplinary offence.

4 Definitions

Remote Access - Remote access by staff and other non-NHS organisations is a method of accessing files and systems that is becoming more common in the NHS. For example, our contracting processes rely on staff having access to our PAS (Patient Administration Systems) regardless of their location. In practice, the benefits of securing remote access are considerable – business can be conducted remotely with confidence and sensitive corporate information remains confidential.

Dial Up Connection - A term used to describe the method for connection to a network.

WAN - Wide Area Network, a term used to describe a network which connects terminals/sites over a wide geographical area.

Firewall - Provides a barrier to traffic crossing a network's "perimeter" and permits only authorised traffic to pass, according to a predefined security policy.

Router - A networking device whose software and hardware are usually tailored to the tasks of routing and forwarding information. For example, on the Internet, information is directed to various paths by routers.

Switch - A networking device that joins multiple computers together within one local area network (LAN).

Virus Scanners (or Anti Virus solutions) - A software solution that tries to prevent and remove computer viruses, including worms and trojan horses, from the host machine. Such programs may also detect and remove adware, spyware, and other forms of malware.

Content Filters - Software designed and optimized for controlling what content is permitted to a reader, especially when it is used to restrict material delivered via the Web. Basically determines which websites a user can access.

5 Duties and responsibilities

In relation to developing and managing policies within the Trust the following key duties have been identified:

5.1 Chief Executive: has ultimate responsibility for ensuring that the Trust has systems in place for the full implementation and monitoring of this Procedure.

5.2 Governance Manager: will monitor compliance via incident reporting and make reports to the Information Governance Work Stream meetings.

5.3 IT Manager: has responsibility for providing clear guidance and authorisation to all remote access users and for managing the level of access provided, ensuring user profiles and logical access controls are implemented to deliver secure access. Will also ensure procedures for authorisation are in place and maintained to an auditable standard.

5.4 Directors: have the responsibility to ensure arrangements are in place in their Directorates for the dissemination and implementation of new and updated policies.

5.5 Line managers: are responsible for nominating staff for access by completing the user access authorisation form.

5.6 All Remote Access Users: are responsible for complying with this Procedure and associated policies and procedures.

6 Procedures

Remote Access Principles

In providing remote access to staff, the following high-level principles will be applied:

6.1 The IT Manager will be appointed to have overall responsibility for each remote access connection to ensure that the Trust’s Procedure and standards are applied.

6.2 A formal risk analysis process will be conducted by the IT Manager for each application to which remote access is granted to assess risks and identify controls needed to reduce risks to an acceptable level.

6.3 Remote users will be restricted to the minimum services and functions necessary to carry out their role.

Eligibility

6.4 Trust staff may apply for Remote Access by completing a Remote Access Request Form if they satisfy the following conditions:

• They have a contract of employment

• Staff have a valid network username, password and email account

• A request form is completed and approved by the relevant manager

• Staff have read and acknowledged the relevant policies and agree to be bound by those policies by signing an undertaking

6.5 Contractors and other support/service staff (i.e. system proprietors) who may require access in the course of providing system support and maintenance can be granted access once they have signed the Confidentiality Agreement for Contractors.

6.6 That access will be restricted to the minimum necessary for the user to be able to safely carry out their duties.

Registration

6.7 All remote users must be registered and authorised by the IT Manager. User identity will be confirmed by strong authentication and User ID and password authentication. The Trust’s Network Manager is responsible for ensuring a log is kept of all users' remote access.

6.8 It is the responsibility of the IT Manager to ensure that robust administration and filing procedures are in place so that user access is strictly controlled and that this can stand up to detailed audit.

Security Technologies

To ensure comprehensive protection, every network will include components that address the following 5 aspects of network security:-

6.9 User identity will be confirmed by strong authentication and User ID and password authentication. The Network Manager is responsible for ensuring a log is kept of all user remote access.

6.10 Perimeter Security - The IT Manager is responsible for ensuring perimeter security devices are in place and operating properly. Perimeter security solutions control access to critical network applications, data, and services so that only legitimate users and information can pass through the network. Routers and switches handle this access control with access control lists and by dedicated firewall appliances. Remote Access Systems with strong authentication software control remote dial in users to the network. Complementary tools, including virus scanners and content filters, also help control network perimeters. Firewalls are generally the first security products that organisations deploy to improve their security postures.

6.11 Secure Connectivity - The Trust will protect confidential information from eavesdropping or tampering during transmission.

6.12 Security Monitoring - Network vulnerability scanners will be used to identify areas of weakness, and intrusion detection systems to monitor and reactively respond to security events as they occur.

6.13 Remote diagnostic services and 3rd parties

• Suppliers of central systems/software expect to have dial up access to such systems on request to investigate/fix faults. The Trust will permit such access subject to it being initiated by the computer system and all activity monitored.

• Each supplier or Trust user requiring remote access will be required to commit to maintaining confidentiality of data and information and only using qualified representatives.

• Each request for dial up access will be authorised by approved computer services staff, who will only make the connection when satisfied of the need. The connection will be physically broken when the fault is fixed/supplier ends his session.

• User Responsibilities, Awareness & Training - The Trust will ensure that all users of information systems, applications and the networks are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities. Irresponsible or improper actions may result in disciplinary action(s).

• Reporting Incidents & Weaknesses - All security weaknesses and incidents must be recorded and reported via the Trust Risk Management Procedures for assessment, with action taken as appropriate.

7 Training Requirements

N/A

8 Process for monitoring compliance with this Procedure

The IT Manager will provide assurance reports to the SIRO to show that periodic checks have been undertaken.

The Information Governance Work Stream will consider, by exception (via incident reporting), incidents relating to remote access.

9 References

-

10 Associated documents

-

Appendix A: Equality Impact Assessment

1. Does this Procedure, function or service development affect patients, staff and/or the public?

YES

2. Is there reason to believe that the Procedure, function or service development could have an adverse impact on a particular group or groups?

NO

3. If you answered YES in section 2, how have you reached that conclusion? (Please refer to the information you collected e.g., relevant research and reports, local monitoring data, results of consultations exercises, demographic data, professional knowledge and experience)

4. Based on the initial screening process, now rate the level of impact on equality groups of the Procedure, function or service development:

Negative / Adverse impact: Low

Positive impact: Medium

May have positive effect for disabled people who could work from home

Date completed: 22.8.13

Name: Jonathan McKee
