INFORMATION GOVERNANCE POLICY: NETWORK SECURITY


Academic year: 2021


Policy Name: Network Security

Author: Carol Mitchell, Information Governance Manager

Version: 1.2

INFORMATION GOVERNANCE POLICY:

NETWORK SECURITY

Original Approved by: Policy and Procedure Ratification Sub-group on 23 October 2007

Version 1.2 Approved by: Information Governance Group

Approval Date: 16 December 2009

Review Date: 16 December 2011

Responsible Person: Steve Ingleson, Director of Performance Management

Circumstances may arise or there may be a change in guidance (e.g. NICE or Employment Law) where changes may be required to the Policy before the planned review date. Staff are responsible for identifying this to the Policy Group via their Line Manager, who will then put in place a policy review process.

NOTE: All policies remain extant until notification of an amended policy is placed on the intranet.


Version Control Sheet:

Version | Date | Author | Status | Comment

1.1 | Sept 07 | C Mitchell | Approved |

BRADFORD AND AIREDALE TEACHING PRIMARY CARE TRUST

4.2 NETWORK SECURITY

Introduction

This policy is in place to enable access to and assure the security of the data communications network of the tPCT. It establishes the responsibilities of IT Services in managing the network and users’ responsibilities in using it. Additionally, it provides information on taking action to foresee, detect, prevent or rectify security risks which threaten the activities of the tPCT and its staff.

Supporting Procedures

None

Risk Management

The risks identified under this policy include unauthorised access to information, loss of information and loss of availability of information.

1.0 Purpose

As a key part of its role, IT Services is responsible for the ownership, development, installation, operation and maintenance of the data communications network on behalf of the tPCT and its staff. With this responsibility comes the authority to take action necessary to safeguard the security of the network to minimise and contain potential risks to the tPCT and its staff, both operational and legal, from the consequences of network-related security violations and misuse. In this context, the purpose of this policy is to state clearly both IT Services’ responsibility and authority for the tPCT’s network infrastructure and devices connected to that infrastructure, and users’ responsibilities in using such devices.

2.0 Scope

The coverage of this policy includes:

a. The tPCT’s data communications network and devices connected to it.

b. All users of such devices.

c. External connections from the network to N3.

d. Trust WAN links to other NHS organisations such as:

• Skipton Hospital

• Others

e. The protection, detection and action against threats, including but not restricted to:

• Virus attacks

• Denial of service attacks

• Hacking internally or from external sources

• Downloads and uploads of unacceptable material (as defined by the tPCT’s Surf Control Server policy)

• Unacceptable content of outgoing email

• Unsolicited bulk email

• Theft, corruption or loss of data or software from external sources

• Theft of bandwidth

f. Unauthorised connection of devices to the network

3.0 Responsible Authorities

The term ‘Designated I.T. Services Authority’ used in this guidance means the Head of IT or their authorised delegate. This policy is issued under the authority of the Head of IT who is responsible for enforcing sanctions where necessary to safeguard the tPCT and its members. The IT Infrastructure is managed by the IT Services Manager who is responsible for the prevention and detection of IT misuse. This policy is managed by the Head of IT who is responsible for investigating incidents of IT misuse.

4.0 Policy Statements

The tPCT’s Network Security guidance addresses the following:

• Who can and cannot make use of the tPCT’s data communications network.

• Who can and cannot extend, remove or change the cabling or fibres that constitute the tPCT’s data communications network either within or between Trust buildings.

• What connections or changes can or cannot be made to the network.

• What devices can and cannot be attached to the network.

• Who can and cannot attach such devices.

• What they can and cannot use it for.

• How IT Services manages the control of the network and the

• How IT Services is able to foresee, detect, or prevent security threats and rectify the consequences of those threats to the network.

• What sanctions are available to IT Services when threats and misuse are encountered, to deter further misuse of the network.

5.0 Network Controls

5.1 Users of the Network

As defined by the NHS Statement of Compliance, only registered users (i.e. those holding a valid username and password) or those given permission by the Head of IT are permitted to use the tPCT’s data network.

The tPCT’s data network may be used for any purpose that is in accordance with the aims and policies of the tPCT and for no other purpose.

5.2 Modifiers of the Network

Only IT Services and tPCT approved data communications contractors are permitted to modify the network infrastructure.

5.3 Network Devices

Network devices are defined as active equipment required to connect and operate the tPCT’s data network. Examples are switches, routers and firewalls. Only IT Services and tPCT approved data communications contractors are permitted to install such devices which will be solely managed by IT Services. These devices will be located in designated Communications Cabinets/Racks.

5.4 User Devices

Any device, other than network devices defined above, is defined as a user device. User devices fall into two categories – user and non-user equipment. A non-user device e.g. a server, is defined as equipment which provides a service to one or more users. tPCT owned non-user devices may be connected to the network by competent users once it has been given an I.T. asset tag. The recognised owner of the equipment should then abide by this policy at all times.

Client devices are defined as equipment generally used by one person. Examples are PCs or PDAs. Network connectivity is achieved by either plugging this equipment directly into an activated data point on the tPCT network or indirectly by connection via the public Internet.

Trust owned client devices may be connected to the network by any member of staff of the tPCT provided the equipment is used in accordance with the aims and policies of the tPCT and for no other purpose.

Users should note that they are not allowed to connect their own equipment as this breaches the NHS Statement of Compliance (Previously NHS Code of Connection).

6.0 Network Security Management (ISO 17799 - 10.6.1 Network controls & 10.6.2 Security of network services)

6.1 IT Services are responsible for managing and being accountable for access to the N3 Network by the PCT’s users. Staff should complete a network access form in order to gain access to the tPCT’s network.

6.2 IT Services are also responsible for managing the risks of any network device connected to the network and implementing any necessary security measures to protect the network.

6.3 IT Services manages the provision of IP addresses; protection via a central firewall and access lists; user registration; authorisation and authentication; and data point activation. Any approved tPCT owned device may be connected to the tPCT network and will be automatically assigned an IP address which gives access to internal resources. External resources can only be accessed through the Internet filter appliance firewall. Exceptions must be authorised by the Head of IT.

6.4 IT Services holds sole authority and responsibility for the connections of networking equipment to the network e.g. hubs, switches and routers.

6.5 Traffic entering and leaving the tPCT’s network will be monitored and managed by the IT Services.

6.6 IT Services are responsible for any equipment connected to the network to ensure that the latest level of anti-virus software and security patches are installed.

6.7 The management of remote network equipment should only be conducted by authorised IT Services staff. All network equipment, where available, should have a username and password set to access the device. Where possible only determined clients should be configured to access network equipment remotely.

6.8 The confidentiality and integrity of data passing over public networks should be maintained using industry standard security protocols such as IPSec.

6.9 Disruption to the network should be kept to a minimum. Procedures are in place to arrange for network ‘downtime’ to include notification to end users in advance of scheduled maintenance. Change control documentation will be used on network equipment to ensure that only approved work is conducted and that work is logged.

6.10 When a new device is required to connect to the tPCT’s network IT Services should be contacted. They will then patch an existing LAN point or create a proposal for a new network point.

7. IT Services powers of detection, prevention and restitution

IT Services proactively monitor the data network for performance issues, abnormal loading, port and IP scanning. The consequences of these are countered by regularly updating firmware and configuration files of firewalls and routers, and adding security patches and anti-virus updates when necessary.

8. Sanctions

IT Services are responsible for investigating, containing and resolving breaches of security and may disconnect, block traffic to / from, impound, or log information about any machine using the data network. Under tPCT disciplinary procedures, IT Services are authorised to initiate investigations of users who abuse this policy. Such investigations may result in IT Services banning users without prior notice, pending resolution of the incident and, dependent upon the nature of the offence, may involve the Police.

9. References

N3 – Network details can be viewed on http://www.connectingforhealth.nhs.uk/delivery/programmes/n3/

NHS Statement of Compliance (Previously NHS Code of Connection) details can be viewed on http://www.connectingforhealth.nhs.uk/soc/
