Physical and Environment IT Security Standards

(1)

The Trust is committed to promoting an environment that values diversity. All staff are responsible for ensuring that all patients and their carers are treated equally and fairly and not discriminated against on the grounds of race, sex, disability, religion, age, sexual orientation or any other unjustifiable reason in the application of this Policy, and recognising the need to work in partnership with and seek Guidance from other agencies and services to ensure that special needs are met.

Author’s Name: Jo Brown

Author’s Job Title: Head of Technical Services

Division: Corporate

Department: Technical Services

Version Number: 1.0

Ratifying Committee: IIGG

Ratified Date: 16th April 2009

Review Date: April 2010

Name of manager responsible for review: Jo Brown

Job title of manager responsible for review: Head of Technical Services Email address of this manager: [email protected] Source of Evidence (if applicable):

Level of Evidence indicated:

(2)

F:\Admin\JB\Working Docs\Information Security Policies\Physical Security\Physical and Environmental IT Security Standards v1-0.doc

Page 2 of 14

(3)

Page 3 of 14 Information Governance

(4)

Page 4 of 14 Table of Contents 1. Introduction ...5 1.1. Purpose... 5 1.2. Applicability ... 5 2. Responsibilities...5 2.1. User’s responsibilities... 5 2.2. Manager’s responsibilities ... 5

3. Physical Protection Standard...7

4. Physical Access Standard ...8

5. Hazard Protection Standard...10

6. Power Supplies Standard ...12

7. Document Review...13

8. Definition of Terms...13

9. References ...13

(5)

Page 5 of 14 1. Introduction

1.1. Purpose

This document describes the Trust’s Physical and Environment Security Standards for Critical IT installations, in support of the Information Security Policy. The Trust’s Information Security Policy and a full list of Supporting Policies can be found in the Policy Database on the Trust Intranet.

1.2. Applicability

The standards define in this document apply to any location housing IT facilities, which are critical to the running of the Trusts business and/or clinical functions such as, but not limited to, data centres, computer rooms, subsidiary server rooms, rooms containing data communications equipment and IT equipment stores.

These standards are primarily aimed at system owners and those individuals who are responsible for the design of, day to day operation of and/or

maintenance of critical IT facilities. Applicability naturally extends to anyone else who undertakes activities governed by this document.

2. Responsibilities

2.1. User’s responsibilities

• Anyone who may access information-holding assets either directly or indirectly is responsible for following all appropriate procedures that relate to that asset

• Users are responsible for their actions and should not take any action, which is outside the law or in breach of Trust policies, procedures, guidelines or codes of conduct

2.2. Manager’s responsibilities

• To ensure that the physical and environmental controls deployed are proportionate to the sensitivity of the information-holding assets being accessed;

• To implement and monitor these standards within their areas of

responsibility and for ensuring that those for whom they are responsible, including visitors and contractors, are aware of and comply with these standards and any associated procedures/guidelines.

(6)

Page 6 of 14 • To ensure that only authorised users are granted access to

information-holding assets under their area of responsibility and for the adherence to relevant security policies by all users

• To ensure that all future building plans for both new buildings and renovations should take account of these standards.

• To ensure that all users are appropriately educated so that when accessing / using information-holding assets appropriate security measures are carried out

• To record and report all breaches of this policy using the Trust Incident reporting procedures.

(7)

Page 7 of 14 3. Physical Protection Standard

Principle: All locations that house critical IT facilities, sensitive material and

other important assets should be physically protected against accident or attack.

Objective: To restrict physical access to authorised individuals and ensure that

critical IT facilities processing important information, sensitive material and other important assets are available when required.

IT equipment vital to the running of the Trust IT administrative and clinical services must be placed in dedicated rooms that have physical security and environmental controls.

Buildings that house critical IT facilities should be protected against unauthorised access by:

• providing locks, bolts (or equivalent) on vulnerable doors and windows • installing closed-circuit television (CCTV), or equivalent, should be

considered where appropriate.

Important papers and removable storage media (e.g. CDs, DVDs, tapes and USB memory sticks) containing sensitive or confidential information should be protected against theft, copying or unauthorised viewing by:

• storing sensitive physical material in locked cabinets (or similar) when not in use (e.g. by enforcing a ‘clear desk’ policy)

• locating equipment used for sensitive printed material in secure physical areas.

• restricting physical access to important post / fax points

Critical equipment and facilities should be protected by locating them away from public access or approach and keeping details about them confidential by using discreet signs and excluding details from directories or telephone books.

(8)

Page 8 of 14 4. Physical Access Standard

Principle: Physical access to critical IT installation facilities should be restricted

to authorised individuals.

Objective: To prevent services being disrupted by loss of or damage to

equipment or facilities.

Physical access to locations that house critical IT facilities (i.e. data centres, computer rooms, subsidiary server rooms, rooms containing data communications

equipment and IT stores) must be controlled and restricted to authorised individuals by:

• installing locks activated by key pads, swipe cards or equivalent; • locking doors / windows when the environment is vacated; • ensuring all individuals wear visible means of identification; • challenging strangers.

Authorisation to gain physical access to these installations should be:

• granted based upon the individual’s role /designated duties and not an individual’s seniority or position in the Trust. A list of those who have been granted authorised access should be maintained by the System Owner;

• reviewed regularly, to ensure that only appropriate individuals are allowed access;

• revoked promptly when no longer needed. Within these locations:

• easily-portable computers and components (e.g. laptop computers, wireless access points, external hard disk drives, USB memory sticks and printers) should be protected against theft by asset tagging

vulnerable equipment and fastening computers to desks or equipment stands where appropriate);

(9)

Page 9 of 14 • Individuals must obtain written approval before leaving the environment

with computer equipment (e.g. servers, workstations, network devices and printers) or equivalent.

Visitors to these installations must be:

• permitted access only for defined and authorised purposes

• monitored by recording arrival and departure times and be supervised at all times - System owners should maintain sign-in logs for a minimum of one year

IT Asset tags must be attached to all IT equipment owned by the Trust (e.g. desktop computers, laptop computers, hand-held computing devices such as Blackberries and network devices such as wireless access points).

(10)

Page 10 of 14 5. Hazard Protection Standard

Principle: All locations that house critical IT facilities, sensitive material and

other important assets should be protected against fire, flood, environmental and other natural hazards.

Objective: To prevent services being disrupted by damage to computer

equipment or facilities caused by fire, flood and other types of hazard.

Rooms housing critical IT facilities must be located in a safe environment (e.g. in an area with low risk of fire, flood, explosion, civil unrest, damage from

neighbouring activities or natural disasters) and in rooms protected from natural hazards.

As a minimum such rooms must be:

• free from intrinsic fire hazards (such as paper or chemicals);

• fitted with fire detection and suppression systems. These should be under a maintenance agreement and be regularly serviced in accordance with manufacturer specifications;

• protected against the spread of fire (e.g. by using fire resistant doors); • fitted with temperature and humidity controls capable of maintaining the

climate in accordance with IT equipment manufacturer

recommendations. These should be under a maintenance agreement and be regularly serviced in accordance with manufacturer

specifications;

• fitted with anti-static flooring material.

The following additional measures to the above should be considered where a risk assessment indicates these are appropriate:

• fitting a fire suppression system. These should be under a maintenance agreement and be regularly serviced in accordance with manufacturer specifications;

• fitting humidity controls capable of maintaining the climate in accordance with IT equipment manufacturer recommendations. These should be

(11)

Page 11 of 14 under a maintenance agreement and be regularly serviced in accordance with manufacturer specifications.

Fire alarms should be monitored continuously, tested regularly and serviced in accordance with manufacturer specifications.

The impact of hazards should be minimised by:

• locating hand-held fire extinguishers so that minor incidents can be tackled without delay;

• training staff in the use of fire extinguishers and other emergency / safety equipment, and in emergency evacuation procedures;

• ensuring no eating or drinking is permitted in area’s that house IT equipment.

(12)

Page 12 of 14 6. Power Supplies Standard

Principle: Critical IT equipment and facilities should be protected against power

outages.

Objective: To prevent services provided by the computer installation from being

disrupted through loss of power.

Power cables within the computer installation should be protected by:

• segregating them from communications cables to prevent interference; • concealed installation;

• locked inspection / termination points; • alternative feeds or routing;

• avoidance of routes through public areas.

The power supply to critical computer equipment should be protected by:

• using uninterruptible Power Supply (UPS) devices and surge protection equipment. Such a UPS should provide a minimum of 10-minutes emergency power;

• connecting to the mains electrical supplies that are supported by the Trust generator backup in case of extended power failure;

• installing emergency power-off switches to facilitate rapid power-down in case of an emergency.

Emergency equipment (e.g. UPS equipment, back-up generators and lighting) should be serviced in accordance with manufacturer recommendations and tested regularly.

(13)

Page 13 of 14 7. Document Review

The Trust will undertake to review the content of the Information Security Policy and supporting policies/standards on an annual basis or in response to an actual or perceived increase of IM&T risk.

8. Definition of Terms

IIGG Information Implementation Governance Group

System Owner The individual responsible for establishing the rules for appropriate use and protection of the data/information within a system. The system owner retains that responsibility even when the data/information is shared with other

organisations.

9. References

Cabinet Office Security Policy, http://www.cabinetoffice.gov.uk/spf/sp5_ps.aspx IT Policies and Procedures, GEE Thomson, 2008

The Standard of Good Practise for Information Security Standards, ISF, 2008

10. Revision History

(14)

Page 14 of 14 End Page