
HBL ICT Services

Version 8.1 Information Security Policy Page 1 of 34

Information Security Policy

Document reference Title: Information Security Policy Product ID: Version Number: 8.1 Status: Live Distribution / Issue date: 12 November 2014 Author: K. Fairbrother Owner / Owning entity: HBL ICT Services Approver / Approval entity: IT Security Forum / SMT / Information Governance Committee Authoriser / Authorisation entity: SIRO / IG Leads / HBL IT Director Date of Review: December 2016


Document control and revision history

Version  Revision date   Details of Amendment                          Amended by                      Checked by
Draft    Sept 2007       Initial Draft                                 John Hepburn
1.0      October 2007    V1 Live                                       John Hepburn
2.0      April 2010      V2 Review                                     John Hepburn
3.0      May 2010        Amendments                                    Claire Goodey
5.1      Feb 2012        Amendments                                    Martin Wallis
5.2      March 2012      Amendments                                    Martin Wallis                   IG Committee
6.0      May 2013        Amendments                                    Martin Wallis                   HCT / CSU IG Group
7.0      July 2013       Amendments                                    Martin Wallis / Keith Fairbrother
8.0      July 2014       Amendments                                    Lynda Harris / Keith Fairbrother
8.0      July 2014       Amendments                                    Ewan Robson
8.1      October 2014    Organisational Change / Formatting            Keith Fairbrother
8.1      November 2014   HBL ICT SMT Approval                          HBL ICT SMT
8.1      January 2015    Minor amendments following ENHCCG IG Forum    David Hodson

Enclosures Enclosures

1. None.

Embedded files

1. None.

Distribution External

Action: IG Reference Groups (HCT, HPFT, ENHCCG, HVCCG, BCCG, LCCG)

Information:

Internal

Action: None

Information: None

Contents 1. Executive Summary ..................................................................................................................... 6

2. Introduction .................................................................................................................................. 7

3. Terms / Acronyms Used .............................................................................................................. 8


4. Purpose and Scope ..................................................................................................................... 9

4.1 Purpose ................................................................................................................................. 9

4.2 Scope of the Policy ............................................................................................................... 9

4.3 Local Variation ...................................................................................................................... 9

4.4 Legal Framework ................................................................................................................ 10

5. Information and Data ................................................................................................................. 11

5.1 Ownership of data ............................................................................................................... 11

5.2 Processing of Data .............................................................................................................. 11

5.3 Personal Information ........................................................................................................... 11

6. Management of Security ........................................................................................................... 12

6.1 Chief Executive (CEO) or equivalent .................................................................................. 12

6.2 Caldicott Guardian .............................................................................................................. 12

6.3 Senior Information Risk Owner (SIRO) .............................................................................. 12

6.4 Line Managers .................................................................................................................... 12

6.5 IM&T Security Adviser role ................................................................................................. 13

7. Responsibility of all Staff ........................................................................................................... 14

7.1 General Responsibility ........................................................................................................ 14

7.2 Paper Records .................................................................................................................... 14

7.3 Information Systems and Equipment .................................................................................. 14

7.4 Portable Computers ............................................................................................................ 14

7.5 Access to Information Systems .......................................................................................... 15

7.6 Data accuracy ..................................................................................................................... 15

7.7 Software .............................................................................................................................. 15

7.8 Processing Information and Data ....................................................................................... 15

7.9 Portable Storage Devices – Electronic Media .................................................................... 16

8. Management and Control of Information Assets ....................................................................... 17

8.1 Control of assets ................................................................................................................. 17

8.1.1 Ownership of Assets .................................................................................................... 17

8.1.2 Asset Registers ............................................................................................................ 17

8.1.3 Procurement of Assets ................................................................................................. 17

8.1.4 Disposal of Assets ........................................................................................................ 17

8.2 Access Control .................................................................................................................... 18

8.2.1 Physical Access Controls ............................................................................................. 18


8.2.2 Logical Access Controls ............................................................................................... 18

8.3 Use of Information Assets ................................................................................................... 18

8.3.1 Installation and Siting of Equipment ............................................................................. 18

8.3.2 Limitations on Use ........................................................................................................ 18

8.3.3 Data Security ................................................................................................................ 19

8.3.4 Security of Equipment Off-Premises ............................................................................ 19

8.3.5 Paper waste disposal ................................................................................................... 19

8.3.6 Security of Hard Disks .................................................................................................. 19

8.4 Passwords .......................................................................................................................... 20

8.4.1 Password Standards .................................................................................................... 20

8.5 Business Continuity ............................................................................................................ 20

8.5.1 Physical Security .......................................................................................................... 20

8.5.2 Remote Access to the Organisation’s Services by staff .............................................. 20

8.5.3 Remote Access to the organisation’s Services by suppliers ....................................... 21

8.5.4 Business Continuity Planning....................................................................................... 22

8.5.5 Password Protection .................................................................................................... 22

8.6 Databases and Application Systems .................................................................................. 22

8.6.1 Authorised Databases and Systems ............................................................................ 22

8.6.2 Acquisition of Application Systems .............................................................................. 22

8.6.3 System Acceptance ..................................................................................................... 22

8.6.4 Privacy Impact Assessment ......................................................................................... 23

8.6.5 Clinical Safety ............................................................................................................... 23

8.7 Software Protection ............................................................................................................. 24

8.7.1 Licensed Software ........................................................................................................ 24

8.7.2 Software Standards ...................................................................................................... 24

8.7.3 Virus Control ................................................................................................................. 24

8.8 Housekeeping ..................................................................................................................... 25

8.8.1 Incident Reporting ........................................................................................................ 25

8.8.2 Media Disposal ............................................................................................................. 25

9. Electronic Mail and Internet Access .......................................................................................... 26

9.1 Purpose & Ownership ......................................................................................................... 26

9.2 Use of Email and Internet Services .................................................................................... 26

Access and disclosure of electronic communications .................................................................. 26


9.2.1 Monitoring usage .......................................................................................................... 26

9.2.2 Inspection and disclosure of communications ............................................................. 26

9.2.3 Monitoring and Disclosure Procedures ........................................................................ 26

10. Security Incident Management .............................................................................................. 27

10.1 Security Incidents ................................................................................................................ 27

10.2 Logging Security Incidents .................................................................................................. 27

11. Disciplinary Action .................................................................................................................. 28

12. Compliance ............................................................................................................................ 28

13. Reference ............................................................................................................................... 28

See Statutory Framework – Para 4.4, above ............................................................................... 28

14. Related Policies and Documents ........................................................................................... 29

15. Appendix 1 – Equality Impact Assessment Stage 1 Screening ............................................. 29

16. Appendix 2 – Privacy Impact Assessment Stage 1 Screening .............................................. 32

17. Appendix 3 – Organisational SIROs ...................................................................... 34


1. Executive Summary

The Information Security Policy sets out the commitment of the Trust/CCG (The Organisation) to preserve the confidentiality, integrity and availability of the information and information systems and to ensure the information and systems are effectively and lawfully managed.

The Policy aims to ensure that:-

o The organisation’s information, its information systems and the supporting infrastructure are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;

o The information contained in or processed by these systems is kept secure;

o Confidentiality, integrity and availability are maintained at all times;

o Staff are aware of their responsibilities and adhere to the provisions of the policy;

o Procedures are in place to detect and resolve security breaches and to prevent a recurrence.

This policy applies to:

o All information and information storage, whether manual or electronic, information processing systems and networks used by the organisation;

o All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business.

o Any other persons granted access to the organisation’s information, systems and networks.

o All locations and all information, information systems, computer equipment and networks.

Application of the policy will assist in the organisation’s compliance with information related legislation, NHS standards and Information Governance Standards.

For the purposes of this document, the term ICT Department generally refers to the ICT Department of the organisation’s ICT supplier, Hertfordshire, Bedfordshire and Luton ICT Shared Services (HBL). The HBL ICT Department works as the organisation’s ICT Department under the terms of a Service Level Agreement.


2. Introduction

o The organisation works to a framework for handling personal information in a confidential and secure manner to meet ethical and quality standards. This enables National Health Service organisations in England and individuals working within them to ensure personal information is dealt with legally, securely, effectively and efficiently to deliver the best possible care to patients and clients.

o The Information Governance Toolkit provides the means by which the organisation, in common with other NHS organisations, assesses its compliance with current legislation and with Government and national guidance.

o Information Governance covers: Data Protection and IT Security (including smartcards), the Human Rights Act, the Caldicott Principles, the Common Law Duty of Confidentiality, Freedom of Information Regulations and Information Quality Assurance.


3. Terms / Acronyms Used

DH = Department of Health

EU = European Union

HBL ICT = The ICT Shared Services provider

HSCIC = Health and Social Care Information Centre

ICT = Information and Communications Technology

IG = Information Governance

IM&T = Information Management and Technology

IP = Internet Protocol

IT = Information Technology

NHS = National Health Service

PCs = Personal Computers

PIA = Privacy Impact Assessment

RA = Registration Authority

SIRO = Senior Information Risk Owner

UPS = Uninterruptible Power Supply

UK = United Kingdom

VPN = Virtual Private Network


4. Purpose and Scope

4.1 Purpose

The Information Security Policy sets out the commitment of the organisation to preserving the confidentiality, integrity and availability of information and information systems and to ensure the information and information systems are effectively and lawfully managed.

The Policy aims to ensure that:-

o The organisation’s information, its information systems and the supporting infrastructure are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;

o The information contained in or processed by these systems is kept secure;

o Confidentiality, integrity and availability are maintained at all times;

o Staff are aware of their responsibilities and adhere to the provisions of the policy;

o Procedures are in place to detect and resolve security breaches and to prevent a recurrence.

4.2 Scope of the Policy

This policy applies to:

o All information and information storage, whether manual or electronic, information processing systems and networks used by the organisation;

o All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business;

o Any other persons granted access to the organisation’s information, systems and networks;

o All locations and all information, information systems, computer equipment and networks.

4.3 Local Variation

Variation to some parts of the policy may be allowed where local conditions do not permit full implementation. Applications for such variation must be made to the ICT Infrastructure Manager and must be approved by the Director of HBL ICT Shared Services (to protect the security of the shared infrastructure and to ensure that information security requirements continue to be met) and, where the assessed level of risk warrants it, by the Information Governance Sub Committee, before the variation is introduced.


4.4 Legal Framework

This policy is compliant with relevant legislation, Department of Health and NHS regulations and guidance, and the policies and procedures of partner organisations; principally:-

UK and EU legislation, including:

o Data Protection Act (1998);

o Freedom of Information Act (2000);

o Human Rights Act (1998);

o Computer Misuse Act (1990);

o Regulation of Investigatory Powers Act (2000);

o Copyright, Designs and Patents Act (1988);

o Health and Social Care Act (2012);

o Caldicott 2 Review;

o Care Act (2014).

Department of Health and NHS Regulations and Guidance, including:

o Guide to Confidentiality in Health and Social Care;

o NHS IM&T Security Manual;

o NHS Information Governance Standards;

o NHS Statement of Compliance;

o Standards for Information Security Management, ISO 27001 and ISO 27002.

Policies and procedures, including:

o Policies, procedures and guidance on the management of patient/client records.


5. Information and Data

5.1 Ownership of data

The organisation is the legal owner of all data held in its records, information systems and equipment. All of the organisation’s staff must ensure the data is accurate, up-to-date and secure from unauthorised access or disclosure.

5.2 Processing of Data

The organisation’s data must be processed only by systems and equipment owned or authorised by the organisation.

Data must not be transferred to or processed on any equipment that is not owned or authorised by the organisation without the prior authority of the appropriate Service Manager or the Caldicott Guardian.

Processing of all data must be legal and must comply with other organisational policies; Records Management Policy, for example.

5.3 Personal Information

Personal information is subject to the provisions of the Data Protection Act (1998). Additionally, information about patients is subject to the Guide to Confidentiality in Health and Social Care.

Under the Data Protection Act (1998), the organisation is obliged to notify the Information Commissioner [1] of the personal information it processes and for what purposes. Processing of all personal information must be consistent with this notification.

Privacy Impact Assessments must be carried out and submitted to the Manager responsible for Information Governance before new systems or significant changes to existing systems are implemented.

[1] The Information Commissioner is an official appointed by the Department of Constitutional Affairs to ensure that organisations comply with the Data Protection Act (1998) and the Freedom of Information Act (2000).


6. Management of Security

6.1 Chief Executive (CEO) or equivalent

The CEO/MD of the organisation has overall responsibility for all matters relating to information security.

6.2 Caldicott Guardian

The organisation’s Caldicott Guardian will ensure that published guidance and statutory legislation regarding access to patient information is upheld and implemented in everyday practice.

6.3 Senior Information Risk Owner (SIRO)

The SIRO is responsible for the organisation’s information risk management, acting as an advocate for information risk on the Board and providing written advice to the Accounting Officer on the content of their Annual Governance Statement in regard to information risk.

See Appendix 3 for details.

6.4 Line Managers

Line Managers are individually responsible for ensuring that information security is applied and practised within their area of responsibility.

Specifically, Line Managers will ensure that:

o All staff are properly instructed/trained in their security responsibilities;

o All staff sign confidentiality undertakings as part of their contract of employment;

o All staff are properly trained in any procedures, systems, services and equipment they are required to use;

o Untrained staff are not allowed access to confidential information or to computer systems and equipment;

o Staff are properly authorised to access information systems in accordance with their job function and relationship with patients, and that they do not share their login credentials;

o Staff are authorised to access equipment, systems, services and media appropriate to their job function;

o Information quality standards are maintained by their staff and the information recorded is accurate and up-to-date;


o All critical job functions are adequately documented to maintain continuity of service;

o Procedures are implemented to minimise disruption to systems and services and exposure to fraud/theft. These may include segregating duties, implementing dual control and staff rotation where appropriate;

o Appropriate disciplinary action is taken for breaches of policies, standing instructions and legislation.

6.5 IM&T Security Adviser role

The Head of Infrastructure within HBL ICT currently undertakes the role of IM&T Security Adviser and will provide advice and guidance on the confidentiality and security of information and information systems.

Specifically, the IM&T Security Adviser will:

o Develop and maintain confidentiality and information security policies and assist with the implementation of these policies;

o Provide advice on compliance with legislation, NHS policies and guidelines relating to confidentiality and information security;

o Ensure that breaches of information security are investigated and reported appropriately;

o Advise and assist in implementing security improvement programmes consistent with NHS, DH and industry best practice.


7. Responsibility of all Staff

7.1 General Responsibility

All members of staff are responsible for ensuring that no breaches of information security result from their actions. Members of staff are required to:

o Comply with the Information Security Policy and the Guide to Confidentiality in Health and Social Care;

o Raise any concern regarding information security with their manager and/or the ICT Service Desk;

o Comply with any relevant legislation, regulations, codes of conduct, any other policies and procedures and any instructions which may be issued from time to time;

o Ensure they are familiar with security measures, such as access controls and anti-virus software, and use or operate them correctly.

7.2 Paper Records

All paper records must be stored in the appropriate manual filing system when not in use.

Records containing personal information must be kept secure from unauthorised access at all times.

7.3 Information Systems and Equipment

Information systems and associated equipment – computers, printers, etc. – are provided for the conduct of official organisational business. They must not be used for any commercial purposes or for personal gain. Limited personal use may be permitted at the discretion of the appropriate senior manager.

All equipment and information must be adequately protected at all times.

Equipment must not be removed from premises or relocated without permission. All requests for movement of equipment must be notified to the ICT Service Desk.

7.4 Portable Computers

Portable computers must only be used in accordance with the organisation’s Guidance on the use of Portable Computers. All portable computers must be encrypted to DH standards. They must be secured at all times and must not be left in view when unattended. Any portable computer taken off premises must not be used or left in an insecure location. They must be used only by authorised persons and password control must be strictly maintained – see Paragraph 8.4.


7.5 Access to Information Systems

Authorised staff will be given a username and/or a smartcard and a password to access the systems they are authorised to use. These will identify the user to the system; all actions by the user are recorded by the systems.

Smartcards must be kept safe and secure and must not be used by any other person. Users of smartcards must also comply with the RA01 Short Form Conditions which they signed when the card was issued. Further guidance can be found in the RA policy.

Passwords must be kept secret and not divulged to any other person, even Personal Assistants or Secretaries. Passwords must be changed frequently as prompted by the system or in accordance with standards and instructions for the system.

Computers must be locked or switched off when unattended.

The authorised user is responsible for any action associated with their identity. Any suspected misuse should be reported to the ICT Service Desk.

7.6 Data accuracy

Members of staff are responsible for the accuracy of the data they record and use. It is paramount that patient related data is accurate and up-to-date as inaccurate data could threaten patient safety. Administrative data must also be as accurate as possible to ensure effective management and decision making.

7.7 Software

All software must be properly licensed, used only for the purpose it is provided and in accordance with training and instructions.

Any required software will be procured and installed by the organisation’s ICT Department. Staff must not install any software on any of the organisation’s computers unless given prior permission to do so by the IM&T Security Adviser.

7.8 Processing Information and Data

The organisation’s information and data must only be processed or stored on NHS equipment and using authorised systems and databases. Staff must not acquire or develop systems or databases without the prior approval in writing of the relevant Information Governance Group in each organisation.

Personal equipment or non-NHS equipment must not be used to process the organisation’s information unless authorised in writing by the appropriate Information Governance Group. Where such authorisation is given, it is the responsibility of the member of staff to make adequate provision to safeguard the security, integrity and confidentiality of the data. Written advice must be sought from the ICT Department.


Data must not be stored on the local hard drive (the C:\ drive) of a PC.

7.9 Portable Storage Devices – Electronic Media

Portable Storage devices include disks, memory sticks, portable hard drives and any other device that can store information, e.g. cameras, Dictaphones, tablets etc. These devices must only be used in accordance with the organisation’s Mobile Device Security Policy.

Portable storage devices must be encrypted in accordance with DH standards. Only approved, authorised devices can be used for storing the organisation’s information and data. Where a type of device needs to be used but its storage cannot be encrypted, such as cameras, local procedures must be created and signed off by the Information Governance Manager before such devices are used.

The approval of the appropriate IG Group must be obtained prior to copying any personal data onto a portable storage device. For patient data this will be the Caldicott Guardian.

Portable storage devices must not be used for storing the primary copy of any of the organisation’s information. The primary copy must be stored on the appropriate shared drive or server area.

Portable storage devices must be kept secure at all times and stored safely when not in use.

Loss, or suspected loss, of any portable storage device must be reported to the ICT Service Desk and IG Manager immediately.

All redundant or non-functioning portable storage devices must be returned to the ICT Department for re-use, recycling or secure disposal as appropriate.


8. Management and Control of Information Assets

8.1 Control of assets

8.1.1 Ownership of Assets

All information assets owned by the organisation will be identified and will have a named custodian responsible for the security of that asset.

8.1.2 Asset Registers

The ICT Department will maintain asset registers on behalf of customers in line with SLAs. This includes:

o Physical assets (all computer equipment and hardware);

o Software assets;

o Information assets the organisation owns (application systems and databases).

Information asset owners are responsible for ensuring that their information repositories (databases, spreadsheets, etc.) are recorded as Information Assets.

8.1.3 Procurement of Assets

All electronic information assets will be procured by the ICT Department in line with SLAs. Requests for PCs, printers and other equipment such as cameras, Dictaphones, etc., must be made through the ICT Service Desk.

8.1.4 Disposal of Assets

All information assets must be maintained until the end of their useful life and then must be disposed of safely and without risk to the organisation, or the organisation’s patients, clients and staff.

All computer equipment will be disposed of by the ICT Department in accordance with NHS standing instructions, EU and UK environmental and health and safety regulations. A record of all disposals will be maintained.

Computer equipment must not be sold, removed or disposed of outside of the agreed policy without the prior permission of the Director HBL ICT Services and the SIRO.

8.2 Access Control

8.2.1 Physical Access Controls

All information servers, network control equipment, etc., will be installed in designated controlled areas secured by physical access controls.

Access to controlled areas will be restricted to authorised ICT staff whose job function requires access to that particular area.

The Director HBL ICT Services may grant access privileges to other staff in the organisation to allow them to perform agreed specific tasks in the controlled areas.

The ICT Department may authorise authenticated representatives of third party support suppliers and agencies to access controlled areas. The representatives will be accompanied at all times in the controlled areas.

All personnel are required to wear their identity badges at all times in controlled areas and are obliged to challenge all unrecognised or unaccompanied visitors.

A record of all accesses to controlled areas will be maintained.

All staff with access to the Data Centres must abide by the Data Centre Policy and Procedures document.

8.2.2 Logical Access Controls

Access to all information and application systems will be restricted to staff who have a business need and have been authorised by their Line Manager.

Logical access to all information assets will be by means of passwords, key-tokens (smartcards) or a combination of both.

8.3 Use of Information Assets

8.3.1 Installation and Siting of Equipment

All equipment must be sited and installed in accordance with current environmental and health and safety regulations. Initial installation will be made by the ICT Department. Equipment must not be moved without first informing the ICT Department.

8.3.2 Limitations on Use

Equipment must only be used for the purpose it was supplied and in accordance with the manufacturer’s/supplier’s instructions.

Equipment must not be modified without the permission of the ICT Department. This includes the attachment of additional equipment and/or peripherals or the loading of additional software.

Unauthorised connection or attempted connection to the communications network, e.g. by means of a personal laptop, will be treated as serious misconduct.

8.3.3 Data Security

All electronic data files must be stored in the appropriate area on the network fileservers. This will ensure that all files reside in a secure, virus free area and are automatically backed up on a regular basis.

All confidential data will be stored in secure personal and workgroup areas. Creation and access to these areas will be managed by the ICT Department on the authority of the appropriate senior manager.

The local hard disk on desktop PCs must not be used for the storage of files.

Removable media or portable storage devices must not be used for the archiving of data or transferring data unless specifically authorised, in which case the device must be encrypted. All data archive and transfers will be done via the organisation’s network.

8.3.4 Security of Equipment Off-Premises

Equipment and data must not be taken off site without formal authorisation from the appropriate Senior Manager or person with delegated authority.

Where equipment is located in an insecure environment or public access area, additional physical and logical security measures will be implemented in the form of locks, additional passwords, etc.

Users are responsible for the security of laptop computers and must follow good security practices in accordance with the Guidance on Portable Computers.

8.3.5 Paper waste disposal

Any reports or printouts containing personal and/or patient information must be treated as confidential, and stored and disposed of accordingly, for example in cross-cut shredders or confidential waste sacks/bins. Further guidance can be found in the CCG's Confidentiality Code of Conduct.

8.3.6 Security of Hard Disks

The hard disks on any computer may contain sensitive or confidential data, possibly in temporary files.

Theft or removal off-site of such disks is a potential threat to the security of the organisation’s information and could risk a breach of confidentiality.

Hard disks sent offsite for data recovery must only be sent to approved contractors who have signed a confidentiality agreement. If encrypted they must be sent via a recorded delivery system. If unencrypted they must either be collected by the recovery firm or delivered personally by a member of the organisation’s staff or HBL ICT staff.

Hard disks that are no longer required will have all data physically removed or will be destroyed prior to disposal. This process will be controlled by the ICT Department in line with SLAs.

8.4 Passwords

8.4.1 Password Standards

Passwords will be a minimum of 8 alphanumeric characters and contain at least 1 alphabetic and 1 numeric character. Staff will be responsible for maintaining the secrecy of their passwords.

Passwords must be changed frequently. Enforced password changing will be implemented using password ageing where the systems permit. The change cycle will be 30 to 90 days depending on the system.

Passwords must not be re-used for a specified number of instances. This will vary between 4 and 12 depending on the system.

All systems should be configured to record unsuccessful login attempts and accounts will be locked after a number of failed attempts, normally 3, depending on the system.

8.5 Business Continuity

8.5.1 Physical Security

All servers (virtual and physical) and data communications equipment will be located in secure controlled areas with physical entry controls restricting access to authorised personnel only.

Local data communications equipment and/or file servers will always be located in secure areas and/or lockable cabinets.

8.5.2 Remote Access to the Organisation’s Services by staff

Controlled virtual private network (VPN) access via the internet may be given to members of staff who can demonstrate a genuine need to access network resources remotely. Access will be conditional on:

The completion by an authorised manager of the appropriate Computer System Access form.

Acceptance that passwords or tokens issued to enable remote access are for use only by the person they are issued to.

The user taking care to ensure any sensitive data displayed on screen is not visible to others.

No attempt is made to connect to any wireless local area network that fails to meet at least the WPA-2 standard, e.g. wireless hotspots.

Use of domestic wireless local area networks is acceptable provided the wireless access point (sometimes known as a wireless hub or router) is configured to at least WPA-2 standards. Refer to the device manual or its supplier for information on how it should be configured.

Even when using a wired connection in a domestic setting, if a wireless access point is connected to the network it must be configured to at least the WPA-2 standard.

In addition to strong authentication, audit trails and events logs will record remote access activity with particular emphasis on failed login attempts or attempted intrusions to the local area network.

Security breaches (actual and suspected) will be reported immediately to the ICT Service Desk and manager responsible for IG where it will be recorded as a security incident. All security incidents will be promptly investigated and treated very seriously.

Connection of a modem (or other unauthorised communications equipment) to the ICT Department’s managed network other than through an authenticating server is a breach of the NHSNet Statement of Compliance and may lead to disciplinary action being taken against that individual.

8.5.3 Remote Access to the organisation’s Services by suppliers

Controlled virtual private network (VPN) access via the internet may be given to support organisations who can demonstrate a genuine need to access network resources remotely. Access will be conditional on:

An agreement being signed restricting the access for use only by qualified persons for specified purposes and that no information will be disclosed to unauthorised persons.

Each request for dial up or VPN access being logged and approved by an authorised person in the ICT Department.

Passwords or tokens issued to enable remote access are for use only by the person they are issued to.

In addition to strong authentication, audit trails and events logs will record remote access activity with particular emphasis on failed login attempts or attempted intrusions to the local area network.

Security breaches (actual and suspected) will be reported immediately to the Service Desk where it will be recorded as a security incident. All security incidents will be promptly investigated and treated very seriously.
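Sections 8.5.2 and 8.5.3 both require that audit trails record remote access activity with particular emphasis on failed login attempts. The following added example (not HBL ICT code) shows the kind of review a service desk might run over such a trail; the log line format, the constructed sample entries and the 10-minute burst window are assumptions, while the failure count of 3 mirrors the lockout threshold stated in 8.4.1 and 8.5.5.

```python
"""Review constructed remote-access (VPN) log lines for the failed-login
patterns that 8.5.2 and 8.5.3 require audit trails to emphasise.

Added illustration, not HBL ICT code. The log format is an assumption:
    <ISO timestamp> vpn <user> <source IP> <LOGIN_OK|LOGIN_FAIL>
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

FAILED_THRESHOLD = 3              # same count as the account lockout in 8.4.1 / 8.5.5
WINDOW = timedelta(minutes=10)    # burst window; an assumption, not stated in the policy

# Constructed sample data (RFC 5737 documentation addresses), not a real log.
SAMPLE_LOG = """\
2014-11-12T08:01:10 vpn jsmith 203.0.113.10 LOGIN_OK
2014-11-12T08:05:42 vpn ajones 198.51.100.7 LOGIN_FAIL
2014-11-12T08:06:03 vpn ajones 198.51.100.7 LOGIN_FAIL
2014-11-12T08:06:30 vpn ajones 198.51.100.7 LOGIN_FAIL
2014-11-12T08:07:01 vpn ajones 198.51.100.7 LOGIN_OK
2014-11-12T08:20:00 vpn supplier1 192.0.2.55 LOGIN_FAIL
2014-11-12T09:40:00 vpn supplier1 192.0.2.55 LOGIN_FAIL
2014-11-12T10:15:00 vpn supplier1 192.0.2.56 LOGIN_FAIL
2014-11-12T10:15:20 vpn supplier1 192.0.2.56 LOGIN_FAIL
2014-11-12T10:15:40 vpn supplier1 192.0.2.56 LOGIN_FAIL
2014-11-12T10:16:00 vpn supplier1 192.0.2.56 LOGIN_FAIL
"""


def parse(line: str) -> tuple[datetime, str, str, str]:
    """Split one log line into (timestamp, user, source, result)."""
    ts, _service, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result


def review(log_text: str) -> list[tuple[str, str]]:
    """Return (user, finding) pairs in time order.

    Two things are flagged: FAILED_THRESHOLD or more failures by one account
    inside WINDOW, and a successful login that follows recent failures (the
    case a lockout should have prevented, so worth a human look).
    """
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e[0])
    recent: dict[str, list[datetime]] = defaultdict(list)   # user -> failure times in WINDOW
    flagged: set[str] = set()                               # users already reported for this burst
    findings = []
    for ts, user, src, result in events:
        fails = recent[user]
        fails[:] = [t for t in fails if ts - t <= WINDOW]   # slide the window forward
        if result == "LOGIN_FAIL":
            fails.append(ts)
            if len(fails) >= FAILED_THRESHOLD and user not in flagged:
                findings.append((user, f"{len(fails)} failed logins within "
                                       f"{WINDOW.seconds // 60} min from {src}"))
                flagged.add(user)
        elif result == "LOGIN_OK":
            if fails:
                findings.append((user, f"successful login after {len(fails)} recent failures from {src}"))
            fails.clear()
            flagged.discard(user)
    return findings


def failures_by_user(log_text: str) -> dict[str, int]:
    """Total failed attempts per account over the whole log, for the audit summary."""
    counts: dict[str, int] = defaultdict(int)
    for _ts, user, _src, result in (parse(l) for l in log_text.splitlines() if l.strip()):
        if result == "LOGIN_FAIL":
            counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, finding in review(SAMPLE_LOG):
        print(f"{user}: {finding}")
```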

Connection of a modem (or other unauthorised communications equipment) to the ICT Department’s managed network other than through an authenticating server is a breach of the NHSNet Statement of Compliance and may lead to disciplinary action being taken against that individual.

8.5.4 Business Continuity Planning

All critical systems will have a disaster recovery plan in the event of system or data loss. These will be agreed between the ICT Department and representatives of the organisation. Criticality of systems will be established as part of the implementation of this policy. Plans will be reviewed and be tested regularly.

8.5.5 Password Protection

Access to all information systems and the network operating system will be granted on a need to know basis and restricted by password facilities controlled by the system managers.

All systems will, where possible, be configured to record unsuccessful login attempts. Accounts will be frozen after three unsuccessful attempts.

User sessions will, where possible, be de-activated or logged out if inactive for 15 mins.

8.6 Databases and Application Systems

8.6.1 Authorised Databases and Systems

A list of authorised databases and applications will be maintained by the ICT Department. The organisation’s information and data must only be stored and processed in applications or databases on the list. Where members of staff develop systems in Access, such databases must not be used for storing any organisation related information or data without referral to the ICT Department. Support for such systems will only be provided on a reasonable endeavours basis.

8.6.2 Acquisition of Application Systems

Acquisition of all application systems whether by procurement or development must follow the current Information Governance standards and NHS procurement procedures and guidelines. The ICT department must be approached as early as possible in such a process.

Security requirements to ensure compliance with this policy must be incorporated in the business requirements used for the development or procurement process. The security requirements must be approved by the Head of Infrastructure before the start of any procurement or development.

Prospective suppliers must formally commit to meeting or exceeding the required level of security.

8.6.3 System Acceptance

Application systems will not be connected to, or accessed from, the managed network until the Head of Infrastructure is satisfied that security has been comprehensively addressed.

The Project Team responsible for the new system will devise formal acceptance test plans and demonstrate that the security requirements of the system have been tested satisfactorily. These tests must include witness testing the strength of the security features in a controlled environment.

8.6.4 Privacy Impact Assessment

A Privacy Impact Assessment (PIA) must be completed for all application systems. This will be completed before new applications are accepted. The PIA must be revised when any changes to functionality or usage are made.

A PIA must also be completed in respect of any data being transferred between the organisation and third parties along with all other appropriate documents.

8.6.5 Clinical Safety

The provision and deployment of Health IT Systems within the National Health Service (NHS) can deliver substantial benefits to NHS patients through the timely provision of complete and correct information to those healthcare professionals that are responsible for delivering care. However, it has to be recognised that failure or incorrect use of such systems has the potential to cause harm to those patients that the system is intending to benefit.

To ensure that Health IT Systems do not introduce risks to NHS patients, all Health IT systems must now comply with the following National Information Standards:

ISB 0129 - Application of Patient Safety Risk Management to the Manufacture of Health Software

ISB 0160 - Application of Patient Safety Risk Management to the Deployment and Use of Health Software

These two standards provide manufacturers of IT systems and software and Health Organisations responsible for deploying these systems with a set of mandated requirements to ensure that they are well designed and do not impact on patient safety.

ISB 0129 outlines the safety management requirements for system suppliers during system production and handover to healthcare organisations including system changes and upgrades. This requires suppliers to produce formal documentation of their clinical safety assessment and approval process, identification of any risk and mitigation proposal.

ISB 0160 requires healthcare organisations to ensure appropriate systems are in place to assess patient safety risks during procurement, implementation, use and decommissioning of Health IT Systems. These processes should build upon or clarify existing safety processes, project governance and other clinical risk management arrangements.

8.7 Software Protection

8.7.1 Licensed Software

Only licensed software will be installed on organisation owned equipment. All software must comply with ICT Department standards.

Users are not permitted to install software without the express written consent of the Director HBL ICT Services.

Users who require additional software must submit a request to their Department Manager.

8.7.2 Software Standards

The organisation has standardised on the Microsoft Office suite of applications, Microsoft Outlook E-mail for office applications and Microsoft Internet Explorer for web browsing. Alternative products are not supported and must not be installed.

8.7.3 Virus Control

Virus protection software will be installed on all network servers and all PCs. The virus protection software will be updated frequently to ensure adequate protection against the latest viruses. Network servers will be updated at least daily. Standalone PCs must be updated at least weekly.

The users of portable computers are responsible for ensuring virus protection is kept up-to-date. Portable computers receive updates every time they are connected to the network and must be so connected at least once a month.

Connection (beyond the need to download updates) may be refused if any PC or laptop does not have up-to-date anti-virus software.

The ICT Department will make every effort using the technology available to protect against virus attacks. Users are also responsible for ensuring virus infections do not occur or are spread by their actions.

Any suspected or actual virus infection must be reported to the ICT Service Desk by phone immediately. Any user suspecting virus activity on their PC or laptop should disconnect it from the network if they are able to do so safely.

8.8 Housekeeping

8.8.1 Incident Reporting

All ICT related incidents should be reported to the ICT Department via the ICT Service Desk.

In addition, the organisation’s Incident recording system may be used to log untoward events. This process will record what happened, what was done, by whom, when and final resolution. Refer to the Incident Policy for details.

Disaster recovery procedures will be invoked in response to serious problems e.g. inability to recover critical live systems.

8.8.2 Media Disposal

All redundant removable media must be treated as confidential waste and unconditionally formatted before disposal. Wiping the media must be done in accordance with current Government policy and standards via the ICT Department (do not attempt to do this yourself; the data will probably still be recoverable). If reformatting is not possible, the media must be destroyed.

Computer printouts, reports, documents, etc., containing personal or confidential data must be disposed of by shredding and/or placing in a confidential waste sack.

9. Electronic Mail and Internet Access

9.1 Purpose & Ownership

E-mail and internet services are provided for the conduct of the organisation’s and NHS business. These systems, including the hardware, software and all data that are stored within the system - including all messages, attachments and file downloads - are the property of the organisation.

9.2 Use of Email and Internet Services

All staff must comply with the organisation’s E-Mail and Internet Policy.

Access and disclosure of electronic communications

9.2.1 Monitoring usage

All electronic communications, including email and Internet, will be monitored to ensure compliance with policies, procedures and with the organisation’s statutory obligations.

The organisation may at any time, and without notice, block any incoming or outgoing communication that is considered to be not relevant to the conduct of the organisation’s or NHS business or which could damage any of the organisation’s systems or information.

9.2.2 Inspection and disclosure of communications

All electronic communication may be inspected and disclosed under the provisions of the Data Protection Act (1998) and the Freedom of Information Act (2000), subject to the safeguards contained in the legislation. This may be done without informing the sender or recipient.

Inspection and disclosure may also be done:

To discharge legal obligations and legal processes and any other obligations to staff, clients, patients, customers or any other persons;

To locate information required for the organisation’s or NHS business that is not readily available by other means;

To safeguard assets and to ensure they are used in an appropriate manner;

In the course of an investigation into alleged criminal offences, misconduct or misuse.

9.2.3 Monitoring and Disclosure Procedures

Prior approval must be obtained from the Director HBL ICT Services to gain access to the contents of electronic communications or data stores, and disclose information gained from such access.

10. Security Incident Management

The ICT Department will detect, investigate and resolve any suspected or actual breaches in computer security. The processes for managing security incidents will be linked with the organisation’s Incident reporting Policies and Procedures.

10.1 Security Incidents

A security incident is an event that may result in:

the integrity of any system being jeopardised

the availability of any system being jeopardised

unauthorised disclosure of information or disruption of activity

unauthorised or inappropriate use of assets and resources

financial loss or loss of resources

legal action

All suspected security incidents must be reported at once to the ICT Service Desk.

10.2 Logging Security Incidents

All actual or suspected security incidents will be formally logged, categorised by severity and action/resolution recorded by the ICT Service Desk.

11. Disciplinary Action

Members of staff who breach any aspect of this policy will be subject to disciplinary action in line with the current disciplinary policy. Serious breaches will be regarded as gross misconduct and may result in dismissal.

12. Compliance

Compliance with this policy will be monitored both electronically and by means of audits and spot checks.

13. Reference

See Statutory Framework – Para 4.4, above

14. Related Policies and Documents

Records Management Policy

Standing Financial Instructions

Data Quality Policy

E-mail & Internet Policy

Guidance on the use of E-mail when sending Personal Confidential Data (PCD)

Information Governance Policy

Mobile Device Security Policy

Telecommunications Policy

Incident Policy

Confidentiality Code of Conduct

15. Appendix 1 – Equality Impact Assessment Stage 1 Screening

1. Policy EIA Completion Details

Title: Information Security Policy

Names & Titles of staff involved in completing the EIA: David Hodson

Proposed / Existing

Date of Completion:

16th February 2015

Review Date: December 2016

2. Details of the Policy. Who is likely to be affected by this policy?

Staff Patients Public

3. Impact on Groups

Probable impact on group? (High, Medium or Low) Positive / Adverse / None. Please explain your answers.

Race, ethnicity, nationality, language etc.

Gender (inc. transgender)

Disability, inc. learning difficulties, physical disability, sensory impairment etc.

Sexual Orientation

Religion or belief

Human Rights

Age

Other:

No impact on any of the groups above.

Policy applies equally to all staff

4. Which equality legislative Act applies to the policy?

Human Rights Act 1998

Sex Discrimination Act

Race Relations Act

Disability Discrimination Act

Gender Recognition Act 2004

Mental Health Act 1983

Equality Act 2006

Mental Capacity Act 2005

Age Equality Regulations 2006

Equal Pay Act

Sexual Orientation Regulations 2003

Religion or Belief Regulations 2003

Health & Safety Regulations

Part time Employees Regulations

Civil Partnership Act 2004

5. How could the identified adverse effects be minimised or eradicated?

Not Applicable

6. How is the effect of the policy on different Impact Groups going to be monitored?

Not Applicable

16. Appendix 2 – Privacy Impact Assessment Stage 1 Screening

1. Policy PIA Completion Details

Title: Information Security Policy

Names & Titles of staff involved in completing the PIA: David Hodson

Proposed / Existing

Date of Completion:

16th February 2015

Review Date: December 2016

2. Details of the Policy. Who is likely to be affected by this policy?

Staff Patients Public

Yes / No. Please explain your answers.

Technology

Does the policy apply new or additional information technologies that have the potential for privacy intrusion?

(Example: use of smartcards)

Application of the policy will minimise potential for privacy intrusion.

Identity

By adhering to the policy content does it involve the use or re-use of existing identifiers, intrusive identification or authentication?

(Example: digital signatures, presentation of identity documents, biometrics etc.)

Application of the policy will ensure integrity of information.

By adhering to the policy content is there a risk of denying anonymity and de-identification or converting previously anonymous or de-identified data into identifiable formats?

Application of the policy will ensure integrity of information.

Multiple Organisations

Does the policy affect multiple organisations?

(Example: joint working initiatives with other government departments or private sector organisations)

Policy applies to organisation only. All other NHS organisations have similar policy based on the same standards.

Data

By adhering to the policy is there likelihood that the data handling processes are changed?

(Example: this would include a more intensive processing of data than that which was originally expected)

Application of the policy will ensure integrity of information during processing.

If Yes to any of the above have the risks been assessed, can they be evidenced, has the policy content and its implications been understood and approved by the department?

17. Appendix 3 – Organisational SIROs

HCT - Director of Finance

ENHCCG - Chief Finance Officer

HVCCG - Chief Finance Officer

BCCG - Chief Finance Officer

LCCG - Chief Finance Officer

HPFT - Executive Director Quality & Medical Leadership