TAVISTOCK & PORTMAN NHS TRUST
INFORMATION SECURITY POLICY
A.1 Introduction
A.1.1 The need for a security policy
Data stored in computer systems represents
an increasingly valuable asset to the Trust as systems proliferate and increased
reliance is placed on them.
The Trust seeks to protect its computer
systems from misuse and to minimise the impact of service breaks by developing a Security
Policy and procedures to manage and enforce it.
Key issues addressed by the Security Policy are:
· Confidentiality - data access is confined to those with specified authority to view the data
· Integrity - all system assets are operating correctly according to specification and in the way the current user believes them to be operating
· Availability - information is delivered to the right person when it is needed
The Trust also has legal obligations to maintain security and confidentiality, notably under the Data Protection Act (1984), Copyright Patents and Designs Act (1988) and Computer Misuse Act (1990).
A.1.2 Scope of security policy
The Trust's policy aims to ensure that:
· its computer systems are properly assessed for security, and that confidentiality, integrity and availability are maintained
· staff are aware of their responsibilities, roles and accountability
· procedures to detect and resolve security breaches are in place.
This policy covers:
· The Trust Local Area Network (LAN) (including networking equipment, infrastructure and equipment connected to the network but excluding non-Trust maintained items);
· Personal Computers
· Laptops
It does not cover any paper-based systems.
A.2 Security management
A.2.1 Objective
To establish the management structure for
computer systems security within the organisation.
A.2.2 Organisation management
The Information Security Officer for the Trust is responsible for the implementation and enforcement of the Information Security Policy. The Information Security Officer will:
· monitor and report to the Chief Executive on the state of IM&T security within the Trust
· ensure that the Information Security Policy is implemented throughout the organisation, to at least the level laid out in the IM&T Security Manual
· maintain a current copy of the Trust's IM&T Security Manual and make copies available to any member of staff who needs to read it
· in conjunction with the Head of Information Services, develop and enforce detailed procedures to maintain security throughout the Trust
· ensure compliance with relevant legislation including the Data Protection Act (1984) [1999?] and any amendments
· ensure that all Trust staff are aware of their responsibilities and accountability for IM&T security
· monitor for actual or potential IM&T security breaches
· ensure that all staff are aware of their security responsibilities and that IM&T security awareness training is provided for all IM&T users within the Trust.
Whilst the Information Security Officer is ultimately responsible for the security of the IT systems, individual users are made aware of the general policies in place and the specific security responsibilities of their job and within the Trust as a whole.
A.2.3 National management
The NHS Executive's Security and Data Protection
Programme has responsibility for ensuring that the NHS is able to effectively
manage risks associated with the use of computer systems and networks.
A.2.4 NHSnet
The process of connection to NHSnet is co-ordinated
through NHS Telecommunications Branch. When connected, the Trust will be required to adhere to the NHSnet
Data Security Policy and sign an associated Code of Connection. This may require
the implementation of specific security measures. Such security measures will apply to all systems
and users connected to the Trust's local area network.
A.2.5 Auditors
The Trust's policy, its implementation and
systems will be subject to periodic review by both internal and external auditors,
the recommendations from which will normally be implemented unless specific
dispensation is given at organisation management level. Any major security incident is liable to be
referred to the auditors for investigation.
A.3 Security responsibilities
A.3.1 Objective
To ensure that the Trust's staff are aware
of security risks and their responsibilities to minimise the threats.
A.3.2 Management responsibilities
2. The Information Services department and Directorate of Personnel will ensure that all their staff using computer systems/media are trained in their use.
3. The Information Services department will ensure that no unauthorised staff are allowed to access any of the organisation's computer systems as such access could compromise data integrity.
4. Department managers, department chairs and the Information Services Department will determine which individuals are to be given authority to access specific computer systems.
5. The level of access to specific systems will be based on job function need, independent of status.
6. The Directors' Group will ensure that the Trust's exposure to fraud/theft/disruption of its systems is minimised by implementing measures such as segregation of duties/dual control/staff rotation in critical susceptible areas.
7. The Directorate of Personnel and the Information Services department will ensure that current documentation is always maintained for all critical job functions to ensure continuity in the event of individual unavailability.
8. The Directorate of Personnel will ensure that all staff sign confidentiality (non-disclosure) undertakings as part of their contract of employment.
9. Department managers will ensure that the relevant systems managers are advised immediately about staff changes affecting computer access (e.g., job function changes/leaving department or organisation) so that passwords may be withdrawn/deleted.
A.3.3 Staff responsibilities
Each employee is personally responsible
for ensuring that no breaches of computer security result from their actions.
System Managers
1. Job descriptions for system managers should include specific reference to the security role and responsibility of the post.
2. All of the Trust's systems should have at least 2 individuals with the expertise to administer the particular system.
3. All of the Trust's critical computer systems should have at least 3 individuals with the expertise to manage or administer such a system.
A.4 Risk management
A.4.1 Objective
To identify and counter possible threats
to the security policy and standards.
A.4.2 Methodology
All systems will be subject to periodic
security reviews by systems managers. The
depth of a review will be determined by the importance and size of the particular
system.
Individual systems will be reviewed at least
once every three years.
Reviews will include:
· identification of assets of the system
· evaluation of potential threats
· assessment of likelihood of threats occurring
· identification of practical cost effective counter measures
· implementation programme for counter measures
Systems are liable to independent reviews
by internal and external auditors.
A.4.3 Reporting
Each system review will include a formal
report to the Trust's management group containing findings and recommendations.
A.5 Equipment security
A.5.1 Objective
To protect IM&T equipment against loss
or damage and avoid interruption to business activity.
A.5.2 Equipment siting and protection
IM&T equipment will always be installed
and sited in accordance with the manufacturer's specification. Environmental
controls are installed to protect key equipment which is housed in the duct
room. Such controls will trigger alarms
if environmental problems occur. In such cases only authorised entry will be permitted.
Smoking, drinking and eating are not allowed in areas housing the servers, and the door to the server room will be kept locked when not in use.
A.5.3 Power supplies
Critical computer equipment is fitted with
battery back-up (UPS) to ensure that it would not be affected in the event
of a power failure. Such battery power
will suffice for at least 30 minutes at normal usage.
Critical computer sites have their own mains
circuits not subject to power surges from other parts of the organisation.
A.5.4 Cable routing
All cabling (electricity and communications)
between buildings is via underground conduit not accessible to unauthorised
people.
All cabling within buildings is in conduits if surface mounted, or otherwise runs within the framework of the building.
A.5.5 Equipment maintenance
All central processing equipment, including
file servers, is covered by third party maintenance agreements. All personal computers, terminals and printers
are covered by maintenance agreements with third parties for repair of out
of warranty equipment provided it is cost effective (each case will be judged
on its merits). All such repairs will
only be made on approval by the Information Services department.
All such third parties will be required
to sign confidentiality agreements.
Records of all faults/suspected faults will
be maintained by the Information Services department.
A.5.6 Remote diagnostic services
Suppliers of central systems/software expect
to have dial up access to such systems on request to investigate/fix faults.
The organisation will permit such access subject to it being initiated
by the computer system and all activity monitored.
Each supplier requiring remote access will
be required to commit to maintaining confidentiality of data and information
and only using qualified representatives.
Each request for dial up access will be
authorised by approved Information Services staff, who will only make the
connection when satisfied of the need. The
connection will be physically broken when the fault is fixed/supplier ends
his or her session.
Modem links will NOT be connected except
in response to authenticated supplier request to prevent the possibility of
unauthorised access.
Enhanced modem security incorporating strong
authentication measures should be introduced as soon as practicable for additional
security.
A.5.7 Security of hard disks
Hard disks on any machine may contain sensitive/confidential
data. Removal off site of such disks
represents a potential threat to the Trust. Each such case will be judged on its merits
balancing the need versus the risk of breach of confidentiality and then only
to approved repairers who will have signed confidentiality agreements. Whenever possible the data and information
will be overwritten or the equipment degaussed.
A.5.8 Security of equipment off premises
Equipment and data will not be taken off
site without formal signed approval, other than to transport it from one of
the organisation's sites to another.
Portable PCs are very vulnerable to theft,
loss or unauthorised access. Strong
security measures will be introduced as soon as practicable, especially where
such PCs have network access capability.
To preserve the integrity of data, frequent
transfers should be made to system computers. They should be maintained regularly and batteries
kept charged to preserve their availability.
A.5.9 Disposal of equipment
Computer hardware disposal can only be authorised by the Information Services department. They will ensure that data storage devices are purged of sensitive data before disposal or securely destroyed. The procedures for disposal must be documented.
Unusable computer media (e.g. floppy disks, magnetic tapes, CD-ROMs) will be destroyed.
A.6 Access controls
A.6.1 Objectives
· To identify the location of the Trust's computer assets
· To identify and authorise the use to which such assets are put
· To manage capital charges on physical assets
A.6.2 Physical assets
An up to date register of acquisitions and
disposals of physical computer assets is maintained. This includes the value, location, serial number
and system manager primarily responsible for the maintenance of the asset.
This register is maintained by Information Services.
All
computer hardware is clearly marked for security.
A.6.3 Software
An up to date register of all proprietary
software is maintained to ensure that the Trust is aware of its assets and
that licence conditions are followed. This
register is maintained by Information Services.
A.6.4 System "ownership"
Each of the organisation's systems will
be the responsibility of a specified system manager whose responsibilities
will include ensuring compliance with the organisation's Information Security
Policy, ensuring the appropriate use of the equipment, troubleshooting and
maintenance.
A.7 Access control to secure areas
A.7.1 Objective
To minimise the threat to the Trust's computer
systems through damage or interference.
A.7.2 Physical security
All central processors/networked file servers/central
network equipment will always be located in secure areas with restricted access.
The organisation's central computer suite
is a high security area housing its most important on site computers. An entry restriction and detection system is
incorporated to protect the suite.
Local network equipment/file servers and
NHSnet terminating equipment will always be located in secure areas and/or
in lockable cabinets.
A.7.3 Entry controls
Unrestricted access to the central computer facilities will be confined to designated staff whose job function requires access to that particular area/equipment. Restricted access may be given to other staff by the Information Security Officer where there is a specific job function need for such access.
Authenticated representatives of third party
support agencies will only be given access through specific authorisation
from the Information Security Officer.
A.8 Security of third party access
A.8.1 Objective
To enable the Trust to control external access to its systems.
A.8.2 Access control
No external agency (NHS or not) will be given access to any of the Trust's networks unless that body has been formally authorised to have access. All non-NHS agencies will be required to sign security and confidentiality agreements with the Trust.
External agencies will only be allowed access
to their hardware/systems.
The Trust will control all external agencies' access to its systems by enabling/disabling modem connections for each approved access requirement.
A.8.3 NHSnet requirements
Strong authentication procedures/technology
must be introduced for ALL dial up connections to the Trust's computer systems
where concurrent connection to the NHSnet is possible.
Organisations should request that third
parties providing remote support do so over NHSnet.
NHS Telecommunications Branch will be approached
for advice prior to allowing access by third parties to the Trust's system.
A.8.4 Facilities management (FM)
FM agencies should conform to both organisation
and NHS Executive security requirements.
A.9 User access control
A.9.1 Objective
To control individuals' access to systems
to that required by their job function.
A.9.2 Registering users
Formal procedures will be used to control
access to systems.
Each application for access should be countersigned
by an authorised manager.
Access privileges will be modified or removed
as appropriate when an individual changes job or leaves.
Access to the Tavistock & Portman NHS Trust network
is restricted to authorised users who will be given a user name and a confidential
password. Once a user receives a user
name and password to be used to access the systems, they are solely responsible
for all actions taken under that user name.
Access to the Tavistock & Portman NHS Trust network may allow access to other networks (and/or the computer systems attached to those networks). Therefore:
· Use of systems and/or networks in attempts to gain unauthorised access to remote systems is prohibited.
· Use of systems and/or networks to connect to other systems, in evasion of the physical limitations of the remote or local system, is prohibited.
· Users may only connect to the internet through the official Tavistock & Portman NHS Trust network. Individual connection (via personal modems etc.) is prohibited.
· Decryption of system or user passwords is prohibited.
· The copying of system files is prohibited.
· Intentional attempts to “crash” network systems or programs are disciplinary offences.
· Any attempts to secure a higher level of privilege on network systems are disciplinary offences.
Further information regarding
security related to e-mail and the internet is contained in the E-mail and
Internet Access Policy document, which all members of staff are required to
read and accept prior to being allowed access to the Tavistock & Portman
NHS Trust network.
A.9.3 User password management
No individual will be given access to a
live system unless properly trained and made aware of their security responsibilities.
Passwords must not be disclosed to any person
outside the Tavistock & Portman NHS Trust.
Network passwords must be changed every
31 days. All new systems will include
password ageing to force users to change their password periodically.
Applying for a user name under false pretences is a disciplinary
offence.
Users with authorised access to more than one system may have the same password on all systems to which they have access. This may give different access privileges on different systems depending on job need. However, a separate user name and password is required for access to the Patient Administration System (PAS).
A.9.4 Data Protection
The
Trust must take appropriate security measures to protect data from loss, corruption
or inappropriate editing or disclosure. The misuse of personal data is a punishable
offence. The Tavistock & Portman
NHS Trust is registered with the Data Protection Registrar as a whole so that
individual systems do not also need registering. Queries relating to the Data Protection Act
should be referred to the Information Services Manager.
A.9.5 Patient Confidentiality
The Trust has produced a statement on confidentiality
to protect patient identifiable information. All staff and students are required to sign
confidentiality (non-disclosure) undertakings as part of their contract of
employment.
In accordance with the Trust's email and
internet access policy, staff and students must not send or attempt to send
any patient identifiable information via email, either external or internal.
The Information Security Policy will be
updated to include the recommendations of the Trust's appointed Caldicott
Guardian as and when approved.
A.10 Security incident management
A.10.1 Objective
To detect, investigate and resolve any suspected/actual
computer security breach.
A.10.2 Security incidents
A security incident is an event which may result in:
· degraded system integrity
· loss of system availability
· disclosure of confidential information
· disruption of activity
· financial loss
· legal action
· unauthorised access to applications
The Information Security Officer will report
incidents to the NHS Executive's Security and Data Protection Programme.
All security incidents that may have an
impact on NHSnet will be reported immediately, by the Information Security
Officer, to the Regional Telecommunications Branch Security Co-ordinator or
NHSnet Security Manager.
Security breaches may result in disciplinary
action.
A.10.3 Individual's responsibilities
Each computer user is personally responsible
for ensuring that no actual or potential security breaches occur as a result
of their actions.
Users should ensure that they do not disclose
their passwords or allow anyone else to use their password or allow another
user to work under their log on.
A.10.4 Logging security incidents
All actual security incidents will be formally logged, categorised by severity, and the action/resolution recorded by the relevant system manager and reported to the Information Security Officer.
A.11 Housekeeping
A.11.1 Objective
To maintain the integrity and availability
of computer assets.
A.11.2 Data back-up
All central systems have daily backup regimes which have been formalised and documented. Such backups have a minimum of a 30 day cycle before media is overwritten.
Secure storage will be used for all backups with only the next one
to be used being on site. Such storage is geographically separate from the
system location to protect against building loss.
The viability of central systems backups will be verified when they are used in contingency tests.
All PC users are advised to backup their
data regularly.
A.11.3 Incident reporting