
Network Security Policy -

(East Cheshire NHS Trust)

Version V1.0

Ratified By Information Governance & Records Management Meeting

Date Ratified May 2017

Date of Issue via Intranet June 2017

Date of Review

May 2019

Lead Officer Frank Woodall

Midlands & Lancashire Commissioning Support Unit Network Security Policy – (East Cheshire NHS Trust)

Document Number: CA_0001 Issue/Approval Date: Version Number: 00.01

Status: Draft Next Review Date: Page 2 of 20

Contents

Information Reader Box
Introduction
Policy Statement
Aim
Scope
Officers within the Scope of this Document
Officers Not Covered by this Document
Physical & Environmental Security
Access Control to the Network
Third Party Access Control to the Network
Maintenance Contracts
Data and Software Exchange
Fault Logging
Data Backup and Restoration
User Responsibilities, Awareness & Training
Malicious Software
Secure Disposal or Re-use of Equipment
System Change Control
Reporting Security Incidents & Weaknesses
System Configuration Management
Business Continuity & Disaster Recovery Plans
Training Plan
Risk Assessment
Monitoring
Compliance
Equality Impact Assessment
Associated Documentation
Version Control Tracker
Appendix 1 ECT Network Diagram (Redacted)
Appendix 2 Firewall Configuration
Appendix 3 Firewall Restrictions
Appendix 4 Change Management – Normal Change

Information Reader Box

Directorate: Communications & Engagement; Information Technology; Continuing Healthcare; Corporate Affairs; Contract Management; Business Intelligence; Finance; Human Resources

Publications Gateway Reference xx

Document Purpose Policy

Document Name Network Security Policy – (East Cheshire NHS Trust)

Author Cyber Security Manager

Publication Date May 2017

Target Audience All East Cheshire Trust Employees

Additional Circulation List n/a

Description Network Security Policy

Cross Reference

Superseded Document n/a

Action Required n/a

Contact Details (for further information)

Frank Woodall, Cyber Security Manager

Clark House, Hulley Road, Macclesfield, Cheshire, SK10 2LU

Tel: 0844 800 9982

[email protected]

Document Status

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of this document are not controlled.

As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.


Introduction

The overall Network Security Policy for MLCSU – (East Cheshire NHS Trust) is described below.

The MLCSU – (East Cheshire NHS Trust) information network will be available when needed, can be accessed only by legitimate users and will contain complete and accurate information. The network must also be able to withstand or recover from threats to its availability, integrity and confidentiality. To satisfy this, MLCSU will undertake the following:

- Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical measures.
- Provide protection that is both effective and cost-effective, and commensurate with the risks to its network assets.
- Implement the Network Security Policy in a consistent, timely and cost-effective manner.

Where relevant, MLCSU will comply with:

- Access to Health Records Act 1990
- Computer Misuse Act 1990
- The Data Protection Act 1998
- Other laws and legislation as appropriate


Policy Statement

This document defines the Network Security Policy for Midlands and Lancashire CSU (East Cheshire NHS Trust). The Network Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support the network.

This document sets out the organisation's policy for the protection of the confidentiality, integrity and availability of the network, establishes the security responsibilities for network security and provides reference to documentation relevant to this policy.

Aim:

The aim of this policy is to ensure the security of MLCSU's (East Cheshire Trust) network. To do this the MLCSU will:

- Ensure Availability: ensure that the network is available for users.
- Preserve Integrity: protect the network from unauthorised or accidental modification, ensuring the accuracy and completeness of the organisation's assets.
- Preserve Confidentiality: protect assets against unauthorised disclosure.


Scope

This policy applies to all networks within MLCSU (East Cheshire NHS Trust) used for:

- The storage, sharing and transmission of non-clinical data and images
- The storage, sharing and transmission of clinical data and images
- Printing or scanning non-clinical or clinical data or images
- The provision of Internet systems for receiving, sending and storing non-clinical or clinical data or images

Officers within the Scope of this Document

Officers of the following Midlands & Lancashire CSU areas are within the scope of this document:

- East Cheshire Trust Officers

Officers Not Covered by this Document

There are no Officers of Midlands & Lancashire CSU not covered by this document.

There are no Officers of East Cheshire Trust not covered by this document.

Physical & Environmental Security

Network computer equipment will be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment where power supply quality is monitored and which is protected from power supply failures.

- The MLCSU are responsible for ensuring that door lock codes are changed and swipe card access is reviewed periodically (MLCSU locations).
- Smoking, eating and drinking are forbidden in areas housing critical or sensitive network equipment.
- All visitors to secure network areas must be authorised by MLCSU.
- All visitors to secure network areas must be made aware of network security requirements.


Access Control to the Network

Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access to the network will conform to the MLCSU's Remote Access Policy.

There must be a formal, documented user registration and de-registration procedure for access to the network.

- Line Managers must approve user access.
- Access rights to the network will be allocated on the requirements of the user's job, rather than on a status basis.
- Security privileges (e.g. 'superuser' or network administrator rights) to the network will be allocated on the requirements of the user's job, rather than on a status basis.
- Access will not be granted until MLCSU registers a user following the receipt of a 'New User Account Setup' form completed by the user's Line Manager.
- All users of the network will have a user identification and password.
- Users are responsible for ensuring their password is kept secret (see User Responsibilities).
- User access rights will be immediately removed or reviewed for those users who have left the organisation. Line Managers must complete a 'Leavers Form' and send it to the HR / ICT Department as soon as a user has resigned their position.

Third Party Access Control to the Network

Third party access to the network will be based on a formal contract that satisfies all necessary organisation security conditions.

All contractors requiring third party access to the network must have signed either an MLCSU or East Cheshire NHS Trust contract containing relevant confidentiality clauses.


Maintenance Contracts

MLCSU will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment. All contract details will constitute part of the IT Department's Contract register.

Data and Software Exchange

Formal agreements for the exchange of data and software between organisations must be established and approved by the organisation's Caldicott Guardian or SIRO and MLCSU.

Fault Logging

MLCSU is responsible for ensuring that a log of all faults on the network is maintained and reviewed.

Data Backup and Restoration

MLCSU is responsible for ensuring that backup copies of network configuration and all organisation data are taken on a regular basis.

Documented procedures for the backup process and storage of backup media will be produced and communicated to all relevant staff.

All backup tapes will be stored securely.

MLCSU will ensure the safe and secure disposal of backup media.

User Responsibilities, Awareness & Training

The organisation will ensure that all users of the network are provided with the necessary security guidance, awareness and, where appropriate, training to discharge their security responsibilities.

All users of the network must be made aware of the contents and implications of the Network Security Policy; irresponsible or improper actions by users may result in disciplinary action.

Malicious Software

MLCSU will ensure that measures are in place to detect and protect the network from viruses and other malicious software.

Secure Disposal or Re-use of Equipment

Where equipment is being disposed of, MLCSU staff must ensure that all equipment is securely stored whilst awaiting collection by the specialist recycler, from whom a certificate of destruction will be received.


System Change Control

MLCSU will ensure that all changes to the network follow the change management process. MLCSU are responsible for updating all relevant Network Security Policies and security operating procedures.

MLCSU are responsible for ensuring that selected hardware or software meets agreed security standards.

Reporting Security Incidents & Weaknesses

All potential security breaches will be investigated by MLCSU and, where appropriate, reported to the organisation. Security incidents and weaknesses must be reported in accordance with the requirements of the MLCSU's incident reporting procedure.

System Configuration Management

MLCSU will ensure that there is an effective configuration management system for the network.

Business Continuity & Disaster Recovery Plans

MLCSU will ensure that the network is covered by business continuity plans and that disaster recovery plans are produced for the network.

Training Plan

A training needs analysis will be undertaken with Officers affected by this document.

Based on the findings of that analysis, appropriate training will be provided to Officers as necessary.

Risk Assessment

MLCSU will carry out security risk assessment in relation to all the business processes covered by this policy. These risk assessments will cover all aspects of the network that are used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability.

Monitoring

An audit trail of system access and data use by staff (where available) shall be maintained and reviewed on a regular basis. The Trust has in place routines to regularly audit compliance with this and other policies. In addition it reserves the right to monitor activity where it suspects that there has been a breach of policy. The Regulation of Investigatory Powers Act (2000) permits monitoring and recording of employees' electronic communications (including telephone communications) for the following reasons:

- Establishing the existence of facts
- Investigating or detecting unauthorised use of the system
- Preventing or detecting crime
- Ascertaining or demonstrating standards which are achieved or ought to be achieved by persons using the system (quality control and training)
- In the interests of national security
- Ascertaining compliance with regulatory or self-regulatory practices or procedures
- Ensuring the effective operation of the system

Any monitoring will be undertaken in accordance with the above Act and the Human Rights Act.

Compliance

Compliance with the policy and procedures laid down in this document will be monitored by MLCSU, together with independent reviews by both Internal Audit and East Cheshire NHS Trust on a periodic basis.

The MLCSU's Assistant CIO, in conjunction with the Cyber Security Manager, is responsible for the monitoring, revision and updating of this document.

Equality Impact Assessment

This document forms part of Midlands & Lancashire CSU's commitment to create a positive culture of respect for all staff and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religious or other belief, marriage and civil partnership, gender reassignment and pregnancy and maternity), as well as to promote positive practice and value the diversity of all individuals and communities.

As part of its development this document and its impact on equality has been analysed and no detriment identified.


Associated Documentation

This policy should be read in conjunction with the following policies:

- MLCSU IT Policies
- East Cheshire Information Security Policy
- East Cheshire HR Disciplinary Policy


Version Control Tracker

Version Number | Date | Author Title | Status | Comment/Reason for Issue/Approving Body
0.1 | May 2017 | Cyber Security Manager | Draft |

Appendix 1 ECT Network Diagram (Redacted)

MDGH N3 and DMZ Connectivity Overview v3 redacted.vsd

Appendix 2 – Firewall Configuration

Not included, but available to view onsite upon request

Appendix 3 Firewall Restrictions

Appendix 4 Change Management – Normal Change

Equality Analysis (Impact assessment)

Please START this assessment BEFORE writing your policy, procedure, proposal, strategy or service so that you can identify any adverse impacts and include action to mitigate these in your finished policy, procedure, proposal, strategy or service. Use it to help you develop fair and equal services.

E.g. if there is an impact on Deaf people, then include in the policy how Deaf people will have equal access.

1. What is being assessed?

Network Security Policy

Details of person responsible for completing the assessment:

Frank Woodall, Cyber Security Manager, MLCSU IT

State main purpose or aim of the policy, procedure, proposal, strategy or service (usually the first paragraph of what you are writing; also include details of legislation, guidance, regulations etc. which have shaped or informed the document):

This document defines the Network Security Policy for Midlands and Lancashire CSU (East Cheshire NHS Trust). The Network Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support the network.

This document sets out the organisation's policy for the protection of the confidentiality, integrity and availability of the network, establishes the security responsibilities for network security and provides reference to documentation relevant to this policy.

2. Consideration of Data and Research

To carry out the equality analysis you will need to consider information about the people who use the service and the staff that provide it. Think about the information below: how does this apply to your policy, procedure, proposal, strategy or service?

2.1 Give details of RELEVANT information available that gives you an understanding of who will be affected by this document

Cheshire East (CE) covers Eastern Cheshire CCG and South Cheshire CCG. Cheshire West & Chester (CWAC) covers Vale Royal CCG and Cheshire West CCG. In 2011, 370,100 people resided in CE and 329,608 people resided in CWAC.

Age: East Cheshire and South Cheshire CCGs serve a predominantly older population than the national average, with 19.3% aged over 65 (71,400 people) and 2.6% aged over 85 (9,700 people). Vale Royal CCG's registered population in general has a younger age profile compared to the CWAC average, with 14% aged over 65 (14,561 people) and 2% aged over 85 (2,111 people). Since the 2001 census the number of over 65s has increased by 26% compared with 20% nationally. The number of over 85s has increased by 35% compared with 24% nationally.

Race: In 2011, 93.6% of CE residents and 94.7% of CWAC residents were White British. 5.1% of CE residents and 4.9% of CWAC residents were born outside the UK, Poland and India being the most common countries of birth. 3% of CE households have members for whom English is not the main language (11,103 people) and 1.2% of CWAC households have no people for whom English is their main language. Gypsies & travellers: estimated 18,600 in England in 2011.

Gender: In 2011, c. 49% of the population in both CE and CWAC were male and 51% female. For CE, the assumption from national figures is that 20 per 100,000 are likely to be transgender, and for CWAC 1,500 transgender people will be living in the CWAC area.

Disability: In 2011, 7.9% of the population in CE and 8.7% in CWAC had a long term health problem or disability. In CE there are c. 4,500 people aged 65+ with dementia, and c. 1,430 aged 65+ with dementia in CWAC. 1 in 20 people over 65 has a form of dementia. Over 10 million (c. 1 in 6) people in the UK have a degree of hearing impairment or deafness. C. 2 million people in the UK have visual impairment; of these around 365,000 are registered as blind or partially sighted. In CE, it is estimated that around 7,000 people have learning disabilities, and 6,500 people in CWAC. Mental health: 1 in 4 will have mental health problems at some time in their lives.

Sexual Orientation: CE: in 2011, the lesbian, gay, bisexual and transgender (LGBT) population in CE was estimated at 18,700, based on assumptions that 5-7% of the population are likely to be lesbian, gay or bisexual and 20 per 100,000 are likely to be transgender (The Lesbian & Gay Foundation). CWAC: in 2011, the LGBT population in CWAC is unknown, but in 2010 there were c. 20,000 LGB people in the area and as many as 1,500 transgender people residing in CWAC.

Religion/Belief: The proportion of CE people classing themselves as Christian has fallen from 80.3% in 2001 to 68.9% in 2011, and in CWAC a similar picture from 80.7% to 70.1%; the proportion saying they had no religion doubled in both areas from around 11% to 22%.

Religion | Cheshire East | Cheshire West & Chester
Christian | 68.9% | 70.1%
Sikh | 0.07% | 0.1%
Buddhist | 0.24% | 0.2%
Hindu | 0.36% | 0.2%
Jewish | 0.16% | 0.1%
Muslim | 0.66% | 0.5%
Other | 0.29% | 0.3%
None | 22.69% | 22.0%
Not stated | 6.66% | 6.5%

Carers: In 2011, nearly 11% (40,000) of the population in CE are unpaid carers, and just over 11% (37,000) of the population in CWAC.

2.2 Evidence of complaints on grounds of discrimination (are there any complaints or concerns raised either from patients or staff (grievance) relating to the policy, procedure, proposal, strategy or service or its effects on different groups?)

None

2.3 Does the information gathered from 2.1 – 2.3 indicate any negative impact as a result of this document?

No

3. Assessment of Impact

Now that you have looked at the purpose, etc. of the policy, procedure, proposal, strategy or service (part 1) and looked at the data and research you have (part 2), this section asks you to assess the impact of the policy, procedure, proposal, strategy or service on each of the strands listed below.

RACE:

From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, racial groups differently? Yes [ ] No [X]

Explain your response: Policy applies to all staff, no impacts identified

GENDER (INCLUDING TRANSGENDER):

From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, different gender groups differently? Yes [ ] No [X]

Explain your response: Policy applies to all staff, no impacts identified

DISABILITY:

From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, disabled people differently? Yes [ ] No [X]

Explain your response: Policy applies to all staff, no impacts identified

AGE:

From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, age groups differently? Yes [ ] No [X]

Explain your response: Policy applies to all staff, no impacts identified

LESBIAN, GAY, BISEXUAL:

From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, lesbian, gay or bisexual groups differently? Yes [ ] No [X]

Explain your response: Policy applies to all staff, no impacts identified

RELIGION/BELIEF:

From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, religious belief groups differently? Yes [ ] No [X]

Explain your response: Policy applies to all staff

CARERS:

From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, carers differently? Yes [ ] No [X]

Explain your response: Policy applies to all staff, no impacts identified

OTHER: e.g. pregnant women, people in civil partnerships, human rights issues.

From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, any other groups differently? Yes [ ] No [X]

Explain your response: Policy applies to all staff, no impacts identified

4. Safeguarding Assessment - CHILDREN

a. Is there a direct or indirect impact upon children? Yes [ ] No [X]

b. If yes, please describe the nature and level of the impact (consideration to be given to all children; children in a specific group or area, or individual children; as well as consideration of impact now or in the future, and competing / conflicting impact between different groups of children and young people):

c. If no, please describe why there is considered to be no impact / significant impact on children:

Policy applies to staff, who are adults

5. Relevant consultation

Having identified key groups, how have you consulted with them to find out their views and made sure that the policy, procedure, proposal, strategy or service will affect them in the way that you intend? Have you spoken to staff groups, charities, national organisations etc.?

None required

6. Date completed: 13 June 2017 Review Date: June 2019

7. Any actions identified: Have you identified any work which you will need to do in the future to ensure that the document has no adverse impact?

Action | Lead | Date to be Achieved

8. Approval – At this point, you should forward the template to the Trust Equality and Diversity Lead [email protected]

Approved by Trust Equality and Diversity Lead:

Date: 15.6.17