NETWORK SECURITY POLICY
Version: 0.2
Committee Approved by: Audit Committee Date Approved: 15th January 2014
Author: Information Governance & Security Officer, The Health Informatics Service
Responsible Directorate Governance
Date Issued February 2014
Version Control Sheet
Document Title: Network Security Policy Version: 0.2
The table below logs the history of the steps in development of the document. See example below
Version Date Author Status Comment
0.1 Feb 2014
Draft Shared with Governance & Corporate Manager for initial comments
0.2 15th Jan 2014
1 Introduction 2 Objective
3 Scope of this policy
4 Accountability
5 Definition of terms
6 Procedure
7 Training needs analysis
8 Equality impact assessment
9 Implementation and dissemination
10 Monitoring compliance with and the effectiveness of the policy
11 References
12 Associated documentation
Appendix A Application for Remote Access
1 INTRODUCTION
1.1 This document defines the Network Security Policy for NHS North Kirklees
Commissioning Group (referred to hereafter as the CCG). This policy is adhered to and supported by The Health Informatics Service (THIS) who are hosted by
Calderdale and Huddersfield NHS Foundation Trust.
1.2 THIS provide IT support for the CCG via a contract with West & South Yorkshire & Bassetlaw Commissioning Support Unit (WSYBCSU). The requirements of this policy are consistent with the equivalent policies for neighbouring organisations that share common networks or receive services from THIS. The Network Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support the network.
1.3 This document:
a) Sets out the CCG's policy for the protection of the confidentiality, integrity and availability of the network;
b) Establishes the security responsibilities for network security; c) Provides reference to documentation relevant to this policy.
2 AIMS & OBJECTIVES
2.1 The objective of this policy is to ensure the security of the CCG’s network. To do this the CCG will:
a) Ensure Availability
Ensure that the email system is available for users; b) Preserve Integrity
Protect the network from unauthorised or accidental modification; c) Preserve Confidentiality
Protect assets against unauthorised disclosure.
2.2 The purpose of this policy is to ensure the proper use of the CCG’s network and make users aware of what the CCG deems as acceptable and
unacceptable use of its network.
2.3 If there is evidence that any user is not adhering to the guidelines set out in this policy, this will be dealt with under the CCG’s Disciplinary Procedure.
3 SCOPE OF THIS POLICY
a) The storage, sharing and transmission of non clinical data and images; b) The storage, sharing and transmission of clinical data and images; c) Printing or scanning non clinical or clinical data or images;
d) The provision of internet systems for receiving, sending and storing non clinical or clinical data or images.
4. ACCOUNTABILITY
4.1 The Governing Body
The Governing Body is responsible for ensuring that the necessary support and resources are available for the effective implementation of this Policy.
4.2 The Audit Committee
The Audit Committee is responsible for the review and approval of this policy.
4.3 Chief Officer
The Chief Officer has organisational responsibility for all aspects of
Information Governance and is the Senior Information Risk Owner (SIRO) which includes responsibility for ensuring the CCG has appropriate systems and policies in place to ensure that the CCG has robust Network Security procedures in place
4.4 Heads of Service
Heads of Service are responsible for ensuring that they and their staff are adequately trained, and are familiar with the content of this policy.
4.6 The Health Informatics Service (THIS)
4.6.1. The Health Informatics Service’s role, as determined through agreement with WSYBCSU, will:
4.6.2. Implement an effective framework for the management of Network security in line with the CCG’ requirement.
4.6.3. Assist in the formulation of Information Network Policy and related policies and procedures.
4.6.4 Advise on the content and implementation of the relevant action plans. 4.6.5 Co-ordinate network security activities particularly those related to shared
information systems or IT infrastructures.
4.6.7 Ensure the systems, application and/or development of required policy standards and procedures in accordance with business needs, policy and guidance.
4.6.8 Ensure that access to the organisation's network is limited to those who have the necessary authority and clearance.
4.6.9. Advise on the accreditation of IT systems, applications and networks. 4.6.10 Support incident assessments, where necessary
4.8 Employees
4.8.1 All personnel or agents acting for the organisation have a duty to: 4.8.2 Safeguard hardware, software and information in their care.
4.8.3 Prevent the introduction of malicious software on the organisation's IT systems.
4.8.4 Users are responsible for ensuring their password is kept secret - passwords should not be shared.
4.8.5 Report on any suspected or actual breaches in security through the CCG’s incident reporting mechanism’s
4.8.6 If you do not have any questions the CCG presumes that you understand and are aware of the rules and guidelines in the policy and will adhere to them.
5 NETWORK DEFINITION
5.1 The network is a collection of electronic devices such as servers, computers, printers and modems, which have been connected together by cables or wireless devices. The network is created to share data, software and peripherals, such as printers, modems, fax machines, internet connections, CD-ROM and tape drives, hard disks and other data storage equipment.
6 PROCEDURE
a) Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well balanced technical and non technical measures;
b) Provide both effective and cost effective protection that is commensurate with the risks to its network assets;
c) Implement the Network Security Policy in a consistent, timely and cost effective manner;
d) Where relevant, the CCG will comply with: - Copyright, Designs & Patents Act 1988 - Access to Health Records Act 1990 - Computer Misuse Act 1990
- The Data Protection Act 1998 - The Human Rights Act 1998
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000 - Freedom of Information Act 2000
- Environmental Information Regulations 2004 - Health & Social Care Act 2001
e) The CCG will comply with other laws and legislation as appropriate.
6.2 RISK ASSESSMENT
6.2.1 THIS will carry out security risk assessment(s) in relation to all the business processes covered by this policy. These risk assessments will cover all aspects of the network that are used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability.
6.2.2 Risk assessment will be conducted to determine the IT Security (ITSEC) Assurance levels required for security barriers that protect the network. 6.2.3 Formal risk assessments will be conducted using CRAMM and will conform
to ISO17799.
6.3 PHYSICAL AND ENVIRONMENTAL SECURITY
6.3.2 Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls.
6.3.3 Door lock codes will be changed periodically, following a compromise (or suspected compromise) of the code;
6.3.4 Critical or sensitive network equipment will be protected from power supply failures.
6.3.5 Critical or sensitive network equipment will be protected by intruder alarms and fire suppression systems.
6.3.6 Smoking, eating and drinking is forbidden in areas housing critical or sensitive network equipment.
6.3.7 All visitors to secure network areas must be authorised by the Head of Professional Services, Portfolio Manager Networks or Portfolio Manager Back Office.
6.3.8 All visitors to secure network areas must be made aware of network security requirements.
6.3.9 All visitors to secure network areas must be logged in and out. The log will contain name, organisation, purpose of visit, date, and time in and out. 6.3.10 THIS Field Support Manager will ensure that all relevant staff are made
aware of procedures for visitors.
6.3.11 Entry to secure areas housing critical or sensitive network equipment will be restricted to those whose job requires it. THIS Field Support Manager will maintain and periodically review a list of those with unsupervised access.
6.4 ACCESS CONTROL TO THE NETWORK
6.4.1 Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access will be via secure two-part authentication
6.4.2 There must be a formal, documented User registration and de-registration procedure for access to the network.
6.4.3 The departmental manager and the THIS Field Support Manager (or nominated officer) must approve User access.
6.4.5 Security privileges (ie 'Super user' or network administrator rights) to the network will be allocated on the requirements of the user’s job, rather than on a status basis.
6.4.6 Users will be sent a Code of Connection agreement, which they must familiarise themselves with.
6.4.7 Access will not be granted until the THIS Field Support Manager (or nominated officer) registers a user.
6.4.8 All users to the network will have their own individual User identification and password.
6.4.9 Users are responsible for ensuring their password is kept secret (see User Responsibilities).
6.4.10 User access rights will be immediately removed or reviewed for those users who have left the CCG or changed jobs, in line with the human resources procedures
6.5 THIRD PARTY ACCESS CONTROL TO THE NETWORK
6.5.1 Third party access to the network will be based on a formal contract that satisfies all necessary NHS security conditions and, if applicable, the Statement of Compliance
6.5.2 The Network Operations Centre Manager is responsible for ensuring all third party access to the network is logged
6.6 REMOTE ACCESS
6.6.1. Remote Access refers to any technology that enables the CCG to connect users from geographically dispersed locations.
6.6.2 The Health Informatics Service’s Network Operations Centre Manager is responsible for ensuring that a formal risk assessment is conducted to assess risks and identify controls needed to reduce risks to an acceptable level.
6.6.3 The Health Informatics Service’s Service Delivery Centre Manager is responsible for providing clear authorisation mechanisms for all remote access users.
6.6.4 Departmental Managers are responsible for the authorisation of all applications for remote access and for ensuring that appropriate awareness of risks are understood by proposed Users.
6.6.6. The Health Informatics Service’s Head of Enterprise Services is responsible for ensuring that the Remote Access infrastructure is periodically reviewed, which could include but is not limited to independent third party penetration testing
6.6.7 Any person wishing to apply for remote access, must complete the form at Annex A.
6.8 EXTERNAL NETWORK CONNECTIONS
6.8.1 Ensure that all connections to external networks and systems have been documented and approved.
6.8.2 Ensure that all connections to external networks and systems conform to the NHS-wide Network Security Policy, the Statement of Compliance and supporting guidance.
6.8.3 The Network Operations Centre Manager is responsible for ensuring all connections to external networks and systems are approved before they commence operation.
6.9 MAINTENANCE CONTRACTS
6.9.1 The Head of Enterprise Service will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment. All contract details will constitute part of the Information Technology Asset register.
6.10 DATA AND SOFTWARE EXCHANGE
6.10.1 Formal agreements for the exchange of data and software between organisations must be approved by the Caldicott Guardian or delegated authority.
.
6.11 FAULT LOGGING
6.11.1 The Service Delivery Centre is responsible for ensuring that a log of all faults on the network is maintained and reviewed.
6.12 NETWORK OPERATING PROCEDURES
6.12.1 Clear, documented operating procedures should be prepared for the operation of the network, to ensure its correct, secure operation. 6.12.2 Changes to operating procedures must be authorised by the Portfolio
6.12.3 THIS will implement Security Operating Procedures (SyOps) and security contingency plans that reflect the Network Security Policy.
6.13 DATA BACKUP AND RESTORATION
6.13.1 The Field Support Manager is responsible for ensuring that backup copies of switch configuration and data stored on the network are taken regularly.
6.13.2 A log should be maintained of switch configuration and data backups detailing the date of backup and whether the backup was successful.
6.13.3 Documented procedures for the backup process will be produced and communicated to all relevant staff.
6.13.4 Documented procedures for the storage of backup tapes will be produced and communicated to all relevant staff.
6.13.5 All backup tapes will be stored securely and a copy will be stored off-site. 6.13.6 Documented procedures for the safe and secure disposal of backup media
will be produced and communicated to all relevant staff.
6.13.7 Users are responsible for ensuring that they store their own data to the network server.
6.13.8 Patches and any fixes will only be applied by Technologies Service Staff, following suitable change control procedure.
6.14 MALICIOUS SOFTWARE
6.14.1 The Field Support Manager must ensure that measures are in place to detect and protect the network from viruses and other malicious software. .
6.15 UNAUTHORISED SOFTWARE
6.15.1 Use of any non-standard software1 on CCG equipment must be approved by the Health Informatics Service Desk before installation. All software used on CCG equipment must have a valid licence agreement - it is the responsibility of the Information Asset Owner or Responsible User of non-standard
software to ensure that this is the case
6.16 SECURE DISPOSAL OR RE-USE OF EQUIPMENT
6.16.1 Ensure that where equipment is being disposed of all data on the equipment (e.g. on hard disks or tapes) is securely overwritten. For advice on
assessment of re-use or destruction of equipment contact The Health Informatics Service Desk.
6.17 SYSTEM CHANGE CONTROL
6.17.1 The Service Delivery Centre is responsible for ensuring that appropriate
change management processes are in place to review changes to the network; which would include acceptance testing and authorization. The Network Operations Centre Manager is responsible for ensuring all relevant Network documentation is up to date.
6.17.2 The Project Board and/or the Information Asset Owners are responsible for ensuring that selected hardware and software meets agreed security standards. Testing facilities will be used for all new network systems. Development and operational facilities will be separated.
6.18 SECURITY MONITORING
6.18.1 The Network Operations Centre Manager is responsible for ensuring that the network is monitored for potential security breaches. All monitoring will comply with current legislation
6.19 REPORTING DATA SECURITY BREACHES & WEAKNESSES
6.19.1 Data Security Breaches and weaknesses, such as the loss of data or the theft of a laptop, must be reported in accordance with the requirements of the CCG incident reporting procedure
.
6.20 SYSTEM CONFIGURATION MANAGEMENT
6.20.1 The Network Operations Centre Manager will ensure that there is an effective configuration management process for the network..
6.21 DISASTER RECOVERY PLANS
6.21.1 The Health Informatics Service will ensure that disaster recovery plans are produced for the network and that these are tested on a regular basis.
6.22 UNATTENDED EQUIPMENT AND CLEAR SCREEN
6.22.1 Users must ensure that they protect the network from unauthorised access. They must log off the network when finished working.
6.22.2 The CCG operates a clear screen policy that means that users must ensure that any equipment logged on to the network must be protected if they leave it unattended, even for a short time. Workstations must be locked or a screensaver password activated if a workstation is left unattended for a short time.
6.22.2 Users of terminals, which do not have the facility to lock, must log out when not using the terminal.
7 TRAINING NEEDS ANALYSIS
7.1 The CCG will provide basic Information Governance training through induction and/or mandatory training. All training throughout the CCG is recorded by WSYBCSU Workforce and Development Team.
8. Equality impact assessment
8.1. CCG aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others.
9. Implementation and dissemination
9.1. Following ratification by the Audit Committee this policy will be disseminated to staff via the CCG’s intranet and in house communication mechanisms.
9.2. This Policy will be reviewed every two years or in line with changes to relevant legislation or national guidance.
10. Monitoring compliance with and the effectiveness of the policy
10.1. An assessment of compliance with requirements, within the Information Governance Toolkit (IGT), will be undertaken each year. Annual reports and proposed work programme will be presented to the Audit Committee for approval.
11. References
Freedom of Information Act 2000 Data Protection Act 1998
Human Rights Act 1998
Common Law Duty of Confidence
12 ASSOCIATED DOCUMENTS
(Policies, protocols and procedures)
Information Security Policy
Information Governance Policy and Framework Internet Policy
Disciplinary Procedure
Annex A
APPLICATION FOR REMOTE ACCESS
JOB NO _________To be completed by HealthInformatics
To ensure that your application is actioned correctly, it is important that all details are completed fully and accurately. If you have any queries please contact The Health Informatics Service Desk 0845 1272600, [email protected]
1. TYPE OF ACCESS REQUIRED
Please see point 10 for description, system requirements and costs.
Please indicate by a √
Standard (Webmail Access from any Computer)
Advanced (Installed only on a CCG Laptop with Broadband Access from
Home)*
2. APPLICANT DETAILS
First Name(s) Last Name Work Tel Number inc
STD
Job Title
Department
3. EMPLOYER DETAILS Who employs you? Please indicate by
a √
Calderdale & Huddersfield NHS Foundation Trust Calderdale CCG
Greater Huddersfield CCG North Kirklees CCG Wakefield CCG Social Services
Other – please state who employs you 4. LOCATION DETAILS
5. DECLARATION
I have read and understand the terms and conditions of the Policy attached and agree to abide by it.
Signed Date
6. AUTHORISED BY (applicant’s Line Manager)
First Name(s) Last Name Work Tel Number inc
STD
Job Title
Signed Date
7. BUDGET HOLDERS DETAILS AND AUTHORITY
I authorise recharging of the costs detailed in section 10 to the following budget code Budget Code
First Name(s) Last Name Work Tel Number inc
STD
8. ON COMPLETION OF FORM
Please check that this form has been completed fully and accurately. Incomplete/incorrect forms will be returned to you and will result in a delay in providing services.
Please return the completed form to The Health Informatics Service Desk, Oak House
Woodvale Office park Woodvale Road Brighouse HD6 4AB
5 9. WHAT HAPPENS NEXT
The processing of this form will create a request to the Health informatics Service and a job no will be allocated
For Standard service (Webmail only Access) you will be notified that the service is activated
For Advanced service (Broadband Access) You will be contacted by Service Delivery Staff to make an appointment to configure your Laptop and provide you with training on the use of the Broadband Remote Access software.
10. SYSTEM REQUIREMENTS AND COSTS
TYPE REQUIREMENTS COSTS
Standard Computer at Home with Internet Access
Internet Explorer
FOC
Advanced Broadband Access at Home CCG supported laptop with
Windows 2000/XP, CD ROM drive, Networked
Installation, client software and USB token FOC
The Health Informatics Service will not provide support for users personal computer equipment.
The Health Informatics Service will provide training on the use of the Remote Access Client
The Provision of a broadband service to your home address is the sole responsibility of the applicant.
The user is responsible for configuring and the set up of any home networking requirement please note some ISP do not support VPN.
PLEASE RETAIN THESE TERMS OF USE
Network, Internet and Email
Terms of Use 6 INTRODUCTION
The CCG gives an assurance that it meets various information security criteria through signing up to the NHS Connecting for Health’s ‘Statement of Compliance’ and yearly mandatory self assessment against the Information Governance Toolkit. We expect all users of the network, internet and email to use these services responsibly.
It is essential, therefore, that as a user of the organisation’s network, internet and email services you understand and follow the Terms of Use to ensure that the security, integrity and performance of the systems are not compromised.
Breaches of security, abuse of services or non-compliance with these Terms of Use may result in the withdrawal of internet/email services from the user and could result in disciplinary action.
7
YOUR RESPONSIBILTIES
You should ensure that you have read and understood the Internet Use Policy and the Email Policy (please speak to your manager to obtain a copy)
You must only access internet/email services via an individual login provided specifically for you.
You must never share or divulge your individual login and/or password to others for access to the organisation’s systems. Do not write passwords down.
You may use the internet and email services to access research material and other information relevant to your work, provided that it does not interfere with the performance of the network or systems.
You may access internet sites and webmail accounts for personal use in
accordance with the Internet and Email Use Policies. Please note - individual staff members and their line managers are responsible for ensuring that personal use does not interfere with the performance of work duties. Any personal use that has a negative impact on the performance of the network or systems may result in access to those sites/services being withdrawn.
Illicit or illegal material must not be viewed/downloaded or obtained via e-mail or the Internet*
You must not download unauthorised content/programmes onto the organisation’s supported PCs/Laptops or electronic file storage areas**
All authorised downloaded material must be virus checked at the time of downloading
Be aware that use of internet/e-mail is monitored and that activity logs are kept that show the content of accessed material and any impact on the capacity and performance of the network or systems.
You may be required to make IT equipment/systems (that you use) available at any time for audit by the organisation
Lock your workstation if you are leaving it [CTRL+ALT+DEL] or shut down or log off. Do not allow anyone else access whilst you are logged in to the computer. Avoid keeping confidential information on the hard drive. Ensure that work is
saved to the network where possible, preferably within your departmental shared drive (if you need further advice about this ring The Service Desk on 0845
1272600)
Do not divulge confidential information held on the computer to someone who has no right or permission to that information.
Do not attempt to access any part of the system for which you do not have authorisation, or use information from the system inappropriately e.g. to find a colleague’s birthday or address.
Email is an insecure system. If you have a requirement to transfer sensitive electronic personal information (i.e. that relating to identifiable individuals) please refer to the E-mail policy or The Service Desk on 0845 1272600 for advice.
Internet services are subject to unforeseen failure from time to time and cannot be guaranteed. The Health Informatics Service will maintain the network up to connection to the NHS Wide Network. BT maintains the network service up to the connection to the Internet. Any faults with individual external sites or services cannot be supported.
* Advice:Please refer to the Internet user Policy for what constitutes illicit or illegal material or contact The Service Desk on 0845 1272600.
** For advice on authorised and unauthorised computer content/programmes please contact The Service Desk (Health Informatics) at
