• No results found

Data Network Security Policy

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Data Network Security Policy"

Copied!
10
0
0

Loading.... (view fulltext now)

Download now ( 10 Page )

Full text

(1)

Data Network Security Policy

Data Network Security Policy

Authors: Mike Smith Rod Makosch

Network Manager Data Security Officer IM&T IM&T

Version No : 1

Approval Date: March 2005 Approved by : John Aird

Director of IM&T Review Date : 1 April 2006

(2)
(3)

Data Network Security Policy

Index

1. Introduction ...4

1.1. UHL Network Policy Statement ...4

2. Structure of the DN ...4

2.1 Responsibilities ...5

2.3 Network documentation...5

2.4. The NHS Code of Connection ...5

3. Access to the IM&T Data Network ...5

3.1 Methods of access to the DN ...5

3.1.1 Access via network port...5

3.1.2 RAS Access ...5

3.1.3 Access via modem ...6

3.1.4. Access via GPRS & broadband ...6

3.1.5 Wireless access ...6

3.1.6 Access granted to other NHS bodies ...6

3.1.7 External connections...6

3.2 Account access to the DN ...7

3.2.1 Administrator Access...7

3.2.2 User Access...7

3.2.3 Third Party Access...8

4. Physical security of DN components...8

4.1. Cores & Switches...8

4.2. Hubs ...8

4.3. Fibre & Copper Cabling and other transport media...8

4.4. DN Component Maintenance ...9

5. Electronic security of DN components ...9

5.1. Anti Virus...9

5.2 Firewalls...9

5.3 Security Logging...10

(4)

Data Network Security Policy

1. Introduction

The IT Data Network (DN) is a vital component of the smooth running of most IT systems within the UHL, allowing users to access both clinical systems (e.g. HISS and PACS) and non clinical systems (e.g. email and finance) It is therefore essential that a robust framework is developed to ensure a secure network infrastructure throughout the UHL.

This policy covers the following areas:- • Access to the DN

• Physical security of DN components • Electronic security of DN components • Resilience and capacity management

Reference is made, within this policy, to detailed procedural documentation for IM&T Technical Operations. Where such a reference is made, a link to the procedure will be incorporated.

1.1. UHL Network Policy Statement

All wide and local area networks will be managed to accepted security standards. These will, as a minimum, meet the requirements set out in the NHSNet Code of Connection and BS7799.1

UHL signs the NHS Code of Connection

2. Structure of the DN

The DN consists of

a. The WAN, fibre cabling connecting the three hospital sites, backed up by a microwave link.

b. Three LANs, a mixture of fibre and copper cabling within the hospital sites.

c. A number of network hardware devices, cores, switches and hubs on each site.

1

(5)

Data Network Security Policy

2.1 Responsibilities

All components of the DN are under the control of the Directorate of IM&T, and specifically the Network Administration section of the Technical

Operations Department.

2.3 Network documentation

The Network Administration section must maintain current network diagrams detailing the configuration of the DN itself and all the major network

components on it. These diagrams are to be kept, securely, within IM&T and copies must be lodged with the company supplying external support for the DN.

2.4. The NHS Code of Connection

All connections to the DN must comply with the current NHSNet Security Operating Procedures.

(Currently available at:-http://nww.nhsia.nhs.uk/security/pages/syops)

3. Access to the IM&T Data Network

3.1 Methods of access to the DN

There are a number of methods used to access the DN, these are:- • Access via a network port

• RAS (Remote Access Server) access • Access via a modem

• Access via GPRS & Broadband • Wireless (WiFi) access

3.1.1 Access via network port

Access via a network port within the UHL is the most common form of access to the DN. Only devices authorised and administered by IT (or in certain circumstances named officers of the UHL acting on behalf of IT) are allowed to be attached to the DN.

3.1.2 RAS Access

(6)

Data Network Security Policy

must agree to comply with the Policy on Mobile Computing (currently under development) and must have completed the appropriate documentation. A register of all users granted access via the RAS system is kept by IM&T.

3.1.3 Access via modem

Access via a modem is allowed only for certain third party support companies, a register of these companies, incorporating details of the systems supported and contacts is maintained by IM&T. All modem access activity must be logged and monitored. Modems must be switched off and disconnected from the network when not in use. Efforts must be made to discourage this form of access.

3.1.4. Access via GPRS & broadband

Access via GPRS or broadband offer alternative methods of accessing the DN via the public telephone system (see 1.2 above). These are supplied by third party VPN secure gateways from BT and Cable and Wireless. Users accessing the DN by this method must agree to comply with the Policy on Mobile Computing (currently under development) and must have completed the appropriate documentation. A register of all users granted access via GPRS or broadband is kept by IM&T.

3.1.5 Wireless access

The UHL has a number of wireless access points. Configuration of these must comply with the relevant section of the NHSnet System Operating Procedures see:

http://nww.nhsia.nhs.uk/security/pages/syops/docs/wirelesslan.asp A full risk assessment will be completed for all requested wireless access points and details of these are kept with the network documentation (See 2.3 above).

3.1.6 Access granted to other NHS bodies

Access, to the DN, is granted to local NHS bodies as a part of reciprocal arrangements covering rights to use various systems.

3.1.7 External connections

All external connections must be established by IM&T.

Before allowing third party access a risk assessment will be conducted to identify risks and appropriate counter measures.

(7)

Data Network Security Policy

may include agreement for the Trust to audit the security arrangements the third party has in place. Details of these connections are kept with the network documentation (See 2.3 above).

3.2 Account access to the DN

Access is split into three distinct areas:

• Administrator access – this is the access granted to the members of the Network Administration Section of the Technical Operations Department within IM&T and to any external supplier contracted to provide support for the network. Individual officers having this level of access are granted the rights to configure network devices and monitor network traffic. A register of users having this level of access is maintained by the Deputy Operations Programme Manager.

• User access – this is the access granted to the majority of staff within the UHL. Individuals who have this level of access are granted the rights to log on to the DN and use facilities on it appropriate to their requirements.

• Third Party access – this is the access granted to organisations outside the UHL who require access to the DN in order to support applications or other systems. A register of organisations having this level of access is maintained by the Deputy Operations Programme Manager.

3.2.1 Administrator Access

UHL officers granted this level of access are responsible for the maintenance of network availability as detailed in section 6 (see below). They are also responsible for the maintenance of the network diagrams.

3.2.2 User Access

(8)

Data Network Security Policy

3.2.3 Third Party Access

Companies offering third party support for systems within the UHL will only be granted sufficient access to the DN to allow them to fulfil their support

function.

4. Physical security of DN components

No equipment is to be attached to the IM&T Data Network without the prior agreement of the Director of IT. (Note – this authorisation authority can be delegated to any officer within the IT Directorate).

Formal change control procedures will be instigated for all significant modifications to the DN (patching of individual ports is not regarded as significant). The change control register is maintained by the Network Administration Section.

DN components must be sited so as to avoid interference from other potential sources of electromagnetic interference.

4.1. Cores & Switches

These devices form a major component of the DN and, as such, must be kept in an appropriately secure environment. Only members of the Network

Administration Section; authenticated officers of the external network support company or authenticated officers of am approved cabling company are allowed access to this equipment. Any other individual requiring access to this equipment must be supervised by a member of the Network

Administration Section.

4.2. Hubs

Risk assessments must be completed for all hubs and security afforded them dependant upon the effect on business continuity of their loss. Access to hub rooms and cabinets must be restricted, where possible, to IT staff and, where hubs are situated in shared accommodation, the hub cabinets (closets) must be kept locked.

4.3. Fibre & Copper Cabling and other transport media

(9)

Data Network Security Policy

4.4. DN Component Maintenance

Key components within the DN must be connected to essential power supplies, backed up by UPS.

Remote environmental monitoring of key components within the DN must be carried out to ensure that they remain within the manufacturers

recommendations.

Suitable spares must be held available on-site for failures of access layer components. Core components must be available from the third party support company within an agreed time.

5. Electronic security of DN components

Network access to DN components must be restricted to members of the Network Administration Section.

Administrator login credentials for DN components must be changed from the manufacturer’s defaults on installation and must subsequently be changed at a minimum of every 90 days.

Passwords for accounts with administrator access to the DN will be a minimum of 8 characters and require both alpha and numeric digits.

5.1. Anti Virus

The DN must be protected by suitable anti virus software being loaded and run, as appropriate, on devices connected to it. The anti virus software must be kept up to date with patched supplied by the provider of the software and an automatic update policy applied to all attached equipment.

5.2 Firewalls

The DN must be protected by suitable firewalls. There firewalls must all be configured to prevent all inappropriate access from outside the UHL to the DN. To ensure consistency, all firewalls must be configured in the same way. Firewall logs must be scrutinised regularly to check for problems, evidence of this scrutiny must be recorded in a register maintained by the Network

(10)

Data Network Security Policy

5.3 Security Logging

All computers, servers, workstations and routers on the network will have logging of security relevant events enabled in circumstances where those logs can be reviewed, so that an audit trail of incidents will be available.

6 Resilience and capacity management

Appropriate risk assessments must be completed annually on the major components of the DN. From these risk assessments, adequate resilience must be planned and built into the DN to avoid loss of service resulting from a malfunction in one component.

The effect on the DN must be incorporated into the planning on any project involving the use of IT equipment and, where necessary, allowance must be made within the project plan for additional capacity on the DN.

References

Download now ( PDF - 10 Page - 38.94 KB )

Related documents