
NORTH EAST STRATEGIC HEALTH AUTHORITY

POLICY AND PROCEDURE

Information Communication and Technology Security Policy

Version control reference: Version 1.1
Approved by: Directors Meeting
Date approved: 29th March 2010
Date to be reviewed: 29th March 2011
Author/owner: Information Governance Working Group
Communication plan: Inform, SHA intranet
Accessibility checklist completed: Yes

The content of this document may be disclosed in response to a request for access under the Freedom of Information Act.

v1.1

NE SHA ICT Security Policy Unrestricted

Page 1 of 38

Contents
1 Policy Statement
2 Introduction
3 Purpose
4 Scope
5 Links with the North East Vision
6 National Context
7 Legal Responsibilities
8 Definitions
9 Related Documents
10 Roles and Responsibilities
   10.1 All Staff
   10.2 Line Managers
   10.3 Human Resources
11 ICT Security Roles
12 Assets
   12.1 Information assets
   12.2 Asset register
13 Hardware & Software
   13.1 Authorised hardware and software
   13.2 Use of private equipment
   13.3 Information storage and backup
14 Equipment Security
   14.1 Siting of equipment
   14.2 Power supply
   14.3 Equipment maintenance
   14.4 Remote diagnostics
   14.5 Security of equipment off premises
   14.6 Disposal of equipment
   14.7 Building alterations
15 Incident and Risks
   15.1 Risk Assessment
16 Access control
   16.1 Access control to secure areas
   16.2 User access management
   16.3 Person Identifiable Information
   16.4 Log on Procedures
   16.5 Password Control
   16.6 Unattended Equipment
   16.7 Data backup
   16.8 Access to other staff members email and folders
   16.9 Wireless Access
17 Acceptable use of Email and Internet
18 Remote Access
19 Exchanges of Information
20 The NHS Network requirements
   20.1 Computer and network operations
21 Systems Development and Maintenance
   21.1 Security Requirements of Systems
22 Control of Virus and Malware
   22.1 The need for Anti-Virus and Malware controls
   22.2 Anti-Virus Policy
   22.3 E-mail and internet
   22.4 Anti-Virus Controls
   22.5 Dealing with a potential virus
   22.6 Hoax Viruses
23 Acting outside of this policy
24 Document Consultation, Approval & Ratification
   24.1 Consultation
   24.2 Document Development
25 Training, Distribution & Implementation
   25.1 Training
   25.2 Distribution
   25.3 Implementation
26 Monitoring Compliance
   26.1 Standards and Key Performance Indicators
   26.2 Monitoring Compliance
   26.3 Audit trails
   26.4 Network audit
27 Useful Contacts
Appendix A


Policy Statement

The Strategic Health Authority (SHA) has made a firm commitment to monitor and protect all confidential NHS information. This may be person identifiable information relating to patients or staff members or it may be documents of a commercially confidential or sensitive nature. It has therefore become a fundamental principle of the SHA to have an effective and consistent Information Communication and Technology (ICT) Security Policy in place.

This document sets out the general principles of the ICT Security Policy for the North East SHA and is supported by a number of procedures which provide more detailed guidance.

Introduction

It is essential that all of the SHA systems are protected to an adequate level from business risks. Such risks include accidental data change or release, malicious user damage, fraud, theft, failure and natural disaster. It is important that a consistent approach is adopted to safeguard the SHA's information in the same way that other more tangible assets are secured, with due regard to the highly sensitive nature of some information held on both electronic and manual systems.

The SHA has legal obligations to maintain security and confidentiality, notably under the Data Protection Act 1998, the Copyright, Designs and Patents Act 1988 and the Computer Misuse Act 1990. In addition, staff are under a common law obligation to preserve the confidentiality of personal information. It is the duty of the SHA and its staff members to meet these legislative and regulatory requirements in relation to ICT Security. These include the Connecting for Health Information Governance Toolkit, the NHS network (N3) and Statement of Compliance [1].

[1] Connecting for Health: https://www.igt.connectingforhealth.nhs.uk/


Purpose

This policy sets out the procedures to be followed by all North East SHA staff to ensure that the SHA's IT assets (hardware, software and data) are protected and that the SHA's right to use the NHS network is not compromised. It is aimed at ensuring:

- Confidentiality: data access is confined to those with specified authority to view the data;
- Integrity: all system assets are operating correctly according to specification and in the way the current user believes them to be operating;
- Availability: information is delivered to the right person, when it is needed.

This policy sets out specific responsibilities for IT and for nominated System Owners. There are, however, responsibilities for every member of staff as detailed in section 10.

More detailed procedures on protecting the confidentiality of information and on Data Protection appear in the SHA's Data Confidentiality Code of Conduct. Procedures on protecting confidentiality apply not just to computerised systems, but also to any process involving person identifiable data held as manual records.

Scope

This policy applies to all SHA staff (both permanent and non-permanent) and contractors or staff employed by other organisations but working on behalf of the SHA.

This policy supersedes the previous ICT Security Policy.

Links with the North East Vision

The SHA's development of an ICT Security Policy is a positive step towards achieving the North East Vision. By reducing the risk of data loss incidents the SHA is avoiding potential unnecessary suffering to patients and staff, thus improving healthcare services.

National Context

Following a number of high profile breaches of confidentiality of person identifiable information in 2007, the Department of Health implemented an extensive review of information transfers and security of such data held in organisations across the NHS (the Information Governance Assurance Programme). The aim was to assess and improve procedures for the use and storage of data in Government [2].

All NHS organisations have a responsibility to meet a number of national requirements in relation to Information Governance through the Information Governance toolkit [3]. The ICT Security Policy is just one policy amongst many that reflect guidelines contained in the IG Toolkit and related legislation.

Legal Responsibilities

The SHA has an obligation to abide by all relevant UK and European Union legislation in relation to information security and ensure that all of its information systems adhere to this legislation. It must also ensure that individual responsibilities for meeting these requirements are clearly defined in local system documentation.

The SHA has a comprehensive range of policies supporting the Information Governance agenda and the following legislation:

- The Data Protection Act 1998
- The Data Protection (Processing of Sensitive Personal Data)
- The Copyright, Designs and Patents Act 1988
- The Computer Misuse Act 1990
- The Health and Safety at Work Act 1974
- Human Rights Act 1998
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- National Health Service Act 2006
- Fraud Act 2006
- North East Information Sharing Guidelines

[2] Data Handling Procedures within Government: http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/security
[3] https://www.igt.connectingforhealth.nhs.uk/

Definitions

Encryption is the process of converting information into a form unintelligible to anyone except holders of a specific key or password.

External Hard Drive sits outside the main computer in its own enclosure. This portable encasement allows the user to store information on a hard drive that is not part of the computer, but is connected via a high-speed interface cable, normally USB or FireWire.

Hardware, in information technology, is a physical device such as a VDU or printer.

Patches are updates to computer programs, such as anti-virus, to keep the program up to date or to fix a bug within a program.

Person identifiable information can be described as factual information or expressions of opinion which relate to an individual who can be identified from that information or in conjunction with any other information coming into possession of the data holder. This also includes information gleaned from a professional opinion, which may rely on other information obtained. Personal information includes name, address, date of birth or any other unique identifiers such as NHS Number, Hospital Number, National Insurance Number, etc. It also includes information which, when presented in combination, may identify an individual e.g. postcode, and date of birth etc.


Personal computer is defined as any of the following: desktop computer, laptop computer, tablet computer and any other mobile device capable of executing and/or running software.

PDA, Personal Digital Assistant, refers to a handheld device that has several features including an address book, contacts list, calendar and memo and note pad e.g. Palm, Blackberry.

Removable Media is a term used to describe any kind of portable data storage device that can be connected to and removed from a computer e.g. floppy discs, CDs/DVDs, USB flash memory sticks or pens, PDAs. For further detail on different types of removable media see the Removable/Portable Media Procedure.

Smartcard is any plastic card (like a credit card) with an embedded microchip for storing information. The NHS smartcard is used to control security access to electronic patient records.

Smart phone is a device that lets you make telephone calls, but also adds in features that you might find on a personal digital assistant or a computer, such as the ability to send and receive e-mail and edit Office documents.

Software is programs that run on a computer e.g. word-processing software, spreadsheets.

System Specific Security Policy (SSSP) is a document detailing the IT security arrangements for a specific IT system.

USB, Universal Serial Bus or Port, is a connection that is universally compatible with many types of device such as wireless printers and memory sticks.

USB Memory sticks are devices with flash memory card formats. These devices come in many sizes and are generally used for the storage of data.


Virus is a self-replicating piece of software which may cause damage to the operating system of the computer, the storage devices and any data and/or software stored on them.

Vulnerable PC is any unencrypted computer or laptop used by staff to store data on the local drive and those situated in a publicly accessible area.

Related Documents

Related policies, procedures and guidelines include:

- Transfer of Personal Information Policy
- Records Management Policy
- Records Retention and Disposal Policy
- Access to Personnel Files Policy
- Data Confidentiality Code of Conduct
- Email: Procedure for the Management and Creation
- Disposal and Destruction of Sensitive Data
- Information Governance & Information Risk Policy
- Removable Media and Encryption Policy
- IT Security Incident Reporting Procedure
- Disciplinary Policy
- NHS Code of Practice [4]
- Code of Conduct for NHS Managers [5]

[4] Confidentiality: NHS Code of Practice: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4069253
[5] Code of Conduct for NHS Managers: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4005410

10 Roles and Responsibilities

All staff (both permanent and non-permanent) are required to adhere to this ICT Security Policy and related policy and procedures. Only so much can be accomplished with technical measures and the sections below specify responsibilities for all staff and specific staff groups.

10.1 All Staff

All members of staff have a responsibility to:

General
- ensure that no breach of ICT security results from their actions
- bring to their manager's attention areas of concern regarding information security
- abide by Information Governance Policies thereby providing compliance with the relevant legislation relating to ICT Security
- ensure that the use of information assets is restricted to activities approved by the owner(s) of those assets, but in any case shall not be used for the distribution of obscene, racist or otherwise offensive material
- use all proprietary software in accordance with the terms and conditions of the associated licence(s)
- comply with all legal, regulatory and compliance requirements and regulations that apply to the SHA's information assets
- use data, computer equipment, software and communications facilities in a manner that ensures appropriate security of those assets
- ensure their password(s) or other means of authentication for access to computer systems are not compromised and are changed on a regular basis
- report any incidents or information indicating a breach or suspected breach of security to their immediate supervisor and the Information Governance Lead at the earliest opportunity
- ensure that the security policy is observed, by themselves and their staff

Equipment disposal
- ensure the ICT Service Desk are informed of any ICT equipment in need of disposal. Under no circumstances must staff pass on, take home or dispose of equipment themselves
- to guard against unauthorised access, staff must pass on any removable media which currently contains or used to contain personal data for destruction to the ICT Team. If possible the personal data must be deleted before sending to the ICT Team

Physical security
- ensure doors and windows are locked and secured when the area is left unattended in areas where ICT equipment is situated
- ensure all removable media and laptops are secured when not in use
- do not leave removable media, laptops or data, either paper or electronic, unattended when travelling. If it is absolutely necessary to leave equipment or data for a short time then it must be locked in a briefcase or, if in a car, then placed out of sight in the boot
- if working from home do not leave data unattended, allowing it to be viewed by unauthorised individuals
- ensure when working in a public area, e.g. train, that you do not work on personal identifiable data that potentially could be viewed by an unauthorised individual
- in case of theft do not leave removable media, e.g. CDs, DVDs, inside laptops when travelling
- ensure that unattended PCs/laptops have appropriate protection, e.g. log-off, lock screens or use password-protected screen saver
- ensure that any smartcard, token or other device used to gain remote access to the SHA network is not stored in the same place as the computer equipment

Information security
- when leaving the building at the end of the day or upon completion of a shift staff must log off and shut down equipment
- do not unnecessarily store personal or sensitive information
- copies of original data stored locally that are not required should be removed
- store information on networked drives that are subject to authorisation and access controls, and not on the C: drives (local drives)
- where there is no alternative but to store data on vulnerable computers ensure (before the data is placed on the vulnerable computer) that appropriate security measures, including encryption, are in place to protect the information held
- ensure that all personal information is transferred in line with the standards set out in the Transfer of Personal Information Policy

10.2 Line Managers

Line managers have a responsibility to:

General
- ensure that all current, new and temporary staff, including contract staff, are instructed in their security responsibilities and work in a manner consistent with the ICT Security Policy
- ensure that all their staff using computer systems/media are appropriately trained in their use
- ensure that all staff, including temporary staff members and contractors, sign the ICT Security Policy and Data Confidentiality Policy
- investigate and take relevant action on any potential breaches of this policy, supported by the Information Governance Lead and ICT, in line with existing information governance and risk management procedures
- periodically review all systems for which they are responsible in order to identify potential threats to the system, and the likelihood of those threats occurring
- implement cost effective controls that are consistent with the business risks and are fit for purpose, to protect information assets from any misuse which could act to the detriment of the SHA
- in certain circumstances support Equality and Diversity by considering the individual requirements of staff in order to support them in complying with this policy

Information security
- ensure that the ICT Service Desk are notified of new staff, staff moving jobs and staff leaving the SHA to allow access rights to be appropriately established from the appropriate effective start date and for network access to be changed/revoked from the change of role date or date staff leave the SHA, and appropriate equipment to be provided / returned
- ensure that non-SHA employed staff, e.g. contractors/students, have signed the Data Confidentiality Code of Conduct and, if access is required to SHA IT systems, have signed the ICT Security Policy before access is permitted
- determine which individuals are to be given authority to access specific information: levels of access to specific systems should be based on job function, independent of status
- ensure that removable media is only used within the confines of the Removable Media and Encryption Policy
- ensure that all staff are made aware not to copy personal or sensitive data onto non SHA owned computers, laptops, smart phones, or removable media
- ensure staff know when to use secure email by following the Transfer of Personal Information Policy for sending of confidential, sensitive or personal information
- advise staff to follow Information Governance Policies and Procedures to ensure that the recipient of any sensitive or personal information is authorised to receive that information
- advise staff to follow Information Governance Policies and Procedures to ensure that a contract is in place containing an approved confidentiality clause before 3rd party transfer of personal identifiable information is allowed
- contact the IG Team if in doubt as to the validity or necessity of a 3rd party transfer of personal data or if any doubt as to the capacity of the 3rd party to maintain the security of the data when sent

10.3 Human Resources

Human Resources have a responsibility to:
- support ICT in ensuring they are aware with sufficient notice of new starters and leavers
- ensure appropriate personnel checks are carried out to ensure the integrity of the staff that have access to the data being protected

11 ICT Security Roles

The Medical Director is the Caldicott Guardian and is responsible for overseeing all procedures affecting access to person identifiable health data.

The SHA's Information Governance Lead is the Information Governance Lead and IT Programme Manager, who is responsible for implementing, monitoring, documenting and communicating IT Security within the organisation, in compliance with all UK legislation and national policy and guidance.

The SHA's Data Protection Officer is the Information Governance and IT Programme Manager, who is responsible for compliance with the Data Protection Act. Executive Directors retain corporate accountability for the Data Protection Act.

The SHA's IT Security Officer is the IT Security Officer for Gateshead Healthcare Foundation Trust, who works with the IG Lead and the ICT Team to ensure the appropriate security of each individual system used within the SHA. This includes all personal computers, printers, network services, servers, and hardware, i.e. hubs, routers etc. In addition, they will ensure that all networked systems and their use are assessed for compliance with the ICT Security Policy and the NHS Net Code of Connection.

The Senior Information Risk Owner (SIRO) is the Director of Nursing and Patient Safety who is responsible for overseeing the management of information risk for the SHA.

12 Assets

12.1 Information assets

There are six major categories of information assets including information, software, physical (including hardware), services, people and other less tangible assets such as reputation and image of the SHA. The key assets that this policy applies to are information assets and hardware and software.

12.2 Asset register

A complete ICT asset register exists which includes key assets such as:

- Physical Assets: servers (and any Uninterruptable Power Supply (UPS) provided to protect the servers)
- Software Assets: applications programs
- Information Assets: databases

Procurement of any new assets must be recorded in the asset register and allocated an appropriate owner. Disposal of assets or the reassignment of assets must be recorded in the asset register.

In all cases the asset register should be kept up to date in line with SHA standard equipment procedures.

13 Hardware & Software

13.1 Authorised hardware and software

Staff requiring equipment to carry out authorised tasks must, in agreement with their line manager, put in a request via the IT Service Desk in line with the Procedure for the Purchase of ICT Equipment on the SHA intranet. Any non-standard equipment must be ordered by ICT. This ensures that equipment purchased is compatible with existing systems.

The ICT team maintains an inventory of all hardware and software assets and will ensure that the legality of software licensing is met. The hardware inventory covers location, user, type (item, make, model), serial number, date of purchase, purchase order number, and length of warranty. The software inventory covers software name, version number, number of licenses, and details of where copies are installed. Any copies of software must be kept in locked storage.

Only SHA software can be installed on SHA hardware and must be authorised by ICT. Therefore, personal software must not be installed on SHA hardware, which includes personal computers, laptops, blackberries and encrypted memory sticks. Staff must not install games on the SHA's hardware. To ensure the legality of shareware programs, the ICT team holds licenses for any shareware products used on the SHA's computers. Any unauthorised software found will be removed.

Unauthorised services or staff will not modify the equipment. Such modifications that are required to ensure the efficiency of the PC will be provided and installed by ICT staff (within budgetary constraints). Modifications include:
- software installations
- hardware and software upgrades

13.2 Use of private equipment

Private equipment will not be used for the purpose of carrying out the SHA's business. Encryption controls will impact on the use of private equipment; any private equipment could be permanently damaged by the encryption software if any attempt is made to connect the equipment to the computer or laptop. This private equipment may include PDAs, smart phones, laptops, memory sticks and external hard drives.

Staff based at home or temporarily working from home must adhere to the Remote Access Procedure (see section 18).

13.3 Information storage and backup

Staff are responsible for ensuring their information is saved appropriately. Where a staff member has network access, all information must be saved to their network drive which is automatically backed up by ICT.

Staff are advised that the authorised encrypted memory stick is only for the transfer of information and the original content must be saved to the network.

14 Equipment Security

14.1 Siting of equipment

All hardware supporting core systems will be located in a hub room. No food or drink is allowed in the hub room.

Only designated staff will be given access to the hub rooms in line with their roles.

Care should be taken to ensure that computer screens and papers or printouts cannot be seen by visitors.

14.2 Power supply

All hardware supporting core systems will have an uninterruptable power supply.

14.3 Equipment maintenance

All hardware supporting core systems will be subject to a third party maintenance agreement. Any faults with equipment in the hub rooms will be recorded in the incident log.

A System Specific Security Policy for each core system will state whether the hard disc may be taken off site for repair. All staff must take care not to damage IT equipment allocated for their use. All IT equipment will be checked annually for electrical safety.

14.4 Remote diagnostics

Remote access to SHA systems for diagnostics and support will only take place via PSTN or ISDN using strong authentication or via the NHS Network where the supplier has signed the 3rd Party Secure Code of Connection. 3rd Party secure NHS Network connections may also be subject to strong authentication.

14.5 Security of equipment off premises

Other than laptops, portable printers and authorised blackberries, IT equipment must not be relocated or taken off the premises other than with the permission of the ICT Team.

Users of laptops must take care not to leave them unattended in a public place e.g. on a train or in a parked car.

14.6 Disposal of equipment

On disposal of hard discs, the ICT Team will ensure these are overwritten with random characters or degaussed.

Floppy discs and memory sticks, which have held personal or confidential information, must not be reused or put in the waste bin. Staff should hand these to the ICT team who will ensure that they are physically destroyed.

14.7 Building alterations Staff arranging for building repair or alteration work, including painting or changes to telephone lines, are responsible for ensuring that IT equipment
v1.1 NE SHA ICT Security Policy Unrestricted Page 19 of 38

including cable runs are not interfered with or damaged. Any building work affecting the hub room will require the authorisation in advance of the ICT Team.

15 Incident and Risks

All risks and incidents relating to ICT Security must be reported using the SHA's standard procedures for risk and incident reporting. The Incident reporting process provides more guidance on this process and can be found in the Information Governance and Information Risk Policy (available on the SHA intranet).

Reporting of risks and incidents is important to ensure that appropriate action is taken so that risks/incidents do not recur and to learn from them. No constructive action can be taken if the organisations are not notified when things go wrong or there is a near miss.

All staff are responsible for reporting any actual or suspected breach of security to their line manager and to the IG Lead. An IT security incident is defined as any event that results, or could result, in the loss or damage to hardware or software or the disclosure of confidential information to any unauthorised individual.

The IG Lead will ensure that all IT Security incidents are appropriately logged, investigated and reported both internally and externally as necessary. An annual report on incidents will be prepared.

15.1 Risk Assessment

A risk assessment will be prepared for each core system, subject to review every 3 years. The risk assessment will cover identification of the assets of the system, evaluation of potential threats and the likelihood of these threats occurring, identification of practical counter measures and an implementation programme for counter measures.

16 Access control

Access to business and confidential information must be controlled appropriately. All employees are entitled to use the network and office applications provided by the ICT department provided it is applicable to their particular role.

16.1 Access control to secure areas

The hub room is a secure area and is kept locked at all times. Access to this room will be revoked when a member of staff with access leaves their employment with the SHA. Maintenance staff who need access to the hub rooms e.g. for the air-conditioning unit or for IT systems maintenance, should be accompanied.

16.2 User access management

The SHA has formal user registration and de-registration procedures, granting and managing access to network folders and systems. All staff needing network access must have read and signed up to the ICT Security Policy and the Data Confidentiality Policy, prior to this access being given.

All employees and secondees of the SHA are entitled to use the network and office software applications (Word, Excel, Access, Outlook, etc). Access by any other person will require the written authorisation of the appropriate Manager and the IG Lead.

Access to other systems is dependent upon staff role and functional area. Access rights will be documented and recorded in the Systems Specific Security Policy.

All staff will receive a security briefing as part of their ICT induction. When staff leave the SHA or go on secondment, their network user id will be disabled on the last working day. Mailboxes will be kept for one month to allow departmental access in order to manage organisational records. Secondees' email accounts will be kept open for one month. After one month, all files to be retained should have been moved to another area and any remaining unwanted files in the staff member's H: drive will be deleted.

16.3 Person Identifiable Information

All person identifiable information (see definition) must be managed in line with the Data Protection Act 1998. The data included and security processes around systems holding such information will be defined in a System Specific Security Policy (SSSP).

Personal data must not be used for testing, training, or demonstration purposes unless it is transformed such that the identification of any individual is not possible.

Each core system will have an identified system owner who must ensure that the requirements of the Data Protection Act are met by users. The system owner must inform the Information Governance lead of any plans to change any aspect of data collection, use or disclosure so that the SHA's Data Protection registration can be amended if necessary. The Information Governance lead will check that the registration of the use of personal data is up to date on an annual basis.

The names of staff and organisations entitled to have access to personal data, either by direct access to the computer system or by reports or data produced from it, will be recorded in the system's SSSP.

Person identifiable data must be transferred in line with national guidance as laid out in the Transfer of Personal Information Policy.

Users must not store person identifiable data on their hard drive as it may be vulnerable if lost or stolen and is not backed up in the same way as network drives.

16.4 Log on Procedures

All users have their own user id and access to the SHA's computer systems cannot be obtained by any other means. After 3 unsuccessful attempts to log in, the user account will be locked.

Users are responsible for logging out of computer systems and switching off PCs on leaving work. Where appropriate, each PC should have a password-protected screen-saver to prevent unauthorised access when PCs are left unattended, e.g. at lunchtime or when users are attending a meeting. The screen-saver should be set to come on after 5 minutes of inactivity.

Alternatively, users who do not wish to use screen savers should manually lock their PCs (by pressing Ctrl + Alt + Del and selecting Lock Computer or the Windows key + L).

16.5 Password Control

Sharing of passwords is a criminal offence under the Computer Misuse Act 1990, for both the person who shared the password and the person who received it. All staff must follow good security practices in the selection and use of passwords. This will include:

- ensuring strong passwords are used, i.e. using a minimum 8 digit combination of letters, numbers and special characters (!?&%$ etc), and ensuring that consecutive passwords are not used, e.g. mypassword1, mypassword2, mypassword3 etc.
- not writing down passwords where they can be easily found, i.e. on post-it notes next to their workstation
- ensuring passwords are changed when prompted
- changing their password immediately if they suspect it has been compromised and reporting the incident using the IT incident reporting procedure
- not basing their password on anything that could be easily guessed by another, such as their own name, type of car, car registration, name of pets etc
- not recycling old passwords

Passwords for core systems must be documented and kept safe. All staff are provided with their own H: drive on the network which cannot be accessed by any other person (except in the circumstances highlighted in section 16.3).

Shared directories on the network are available for use e.g. for Directorates or groups of staff working together. Access rights to these areas will be documented. The ICT team controls the creation and use of shared areas.

16.6 Unattended Equipment

Computers that are non-networked are more vulnerable to data loss than those with network connections, because the data is saved to the local C drive. When such computers are left unattended the following precautions must be followed:

- ensure that equipment has appropriate protection. To ensure security, staff must either log off, lock screens or use a password-protected screen saver, whichever is most appropriate to their working environment
- the local C drive is insecure; however, staff who do not have network access and who have to save to the C drive must contact the ICT Service Desk to ensure that the C drive has been encrypted prior to use. Staff must not save data to a non-networked unencrypted computer. In such cases this situation must be reported to the ICT Service Desk
- when using a computer under these circumstances the staff member must implement an appropriate backup regime. Further guidance on how to do this can be obtained from the ICT Service Desk


16.7 Data backup

The ICT team ensures that all data on networked systems are backed up daily using a cyclical system. All back-up media are stored in the fireproof safe with back-up media taken off-site once a week. All back-up and restore procedures are documented. Test restores are conducted monthly with full system rebuilds conducted once a year.

The arrangements for back-ups form part of each system's SSSP. Staff must not store important data on their local hard drive(s) as it is not backed up.

16.8 Access to other staff members' email and folders

In cases where staff folders and emails are unavailable due to sickness and secondment then appropriate permission must be sought before access can be granted to another staff member. If possible staff should be asked to provide the access to their line Manager before secondment or planned absences.

The line Manager must seek the advice of the Information Governance Team when it has not been possible to obtain the consent of the staff member.

16.9 Wireless Access

A wireless network is available for SHA staff to use throughout the SHA building. The following principles apply to its use:

- Wireless information will be managed by a single device which allows access to be easily available and accessed by a password which is only available to SHA staff. This password will be changed on a regular basis.
- The wireless connection will be secured by encryption (WPA) with a single password for the organisation directly available to SHA staff
- A separate broadband connection will exist for third party users to connect to the internet

17 Acceptable use of Email and Internet

The SHA needs to ensure that staff are protected against viewing or accessing inappropriate materials. The SHA has established processes and systems to protect both the organisation and staff which include:

- an email monitoring system; the software protects staff from receiving inappropriate emails as well as spam
- an internet monitoring and filtering system which monitors how the internet is being utilised by the SHA and ensures only appropriate sites are available to staff

Detailed procedures will exist to specify what web sites can be accessed by staff and how this monitoring will take place.

18 Remote Access

Remote access occurs when an authorised member of staff logs on to the SHA network from a location where there is no direct access to the SHA's network e.g. a member of staff remotely accessing the network from home.

Separate procedures exist detailing how this remote access is granted and managed and more detail can be found in the Working out of office Data Protection guidance on the SHA intranet.

19 Exchanges of Information

It is imperative that the utmost care is exercised when transferring information, especially information of a confidential nature e.g. staff, patient or service user information. This includes transferring information by telephone (voice and text), email, fax, courier and public mail. Detailed guidance on how this should be carried out is available in the Transfer of Personal Identifiable Information Policy. This policy must be read and adhered to by all staff to support ICT security and best practice.

Regular exchanges of personal identifiable information outside of the NHS must be carried out in line with the North East Information Sharing Guidelines (available on the SHA intranet).

20 The NHS Network requirements

Strong authentication procedures/technology will be introduced for all dial-up connections to the SHA's computer systems by SHA staff or by third parties. Third parties providing remote support will be requested to do so over the NHS Network, where possible.

In order to comply with the code of connection to the NHS Network, unauthenticated dial-up or other un-secure connections to systems on the SHA local area network are not allowed. Remote access to SHA systems by SHA staff will only take place via PSTN or ISDN using strong authentication. There will be no access from non-NHS Networks via any means other than PSTN or ISDN. Access to SHA systems via the NHS Net by other organisations will be controlled at the firewall and may be subject to strong authentication.

20.1 Computer and network operations

The ICT Team is responsible for ensuring that all network management controls and procedures conform to the NHS-Wide network security policy and Code of Connection. To protect the SHA's computer network, a firewall router has been installed between the SHA network and the NHS network. All outbound and inbound traffic including e-mail and Internet browsing is controlled and logged at the firewall.

Dial-up network connections from computers connected to the SHA network that do not use strong authentication are forbidden under the NHS network code of connection. Non-compliance with this policy could result in the removal of the NHS network services.

The ICT Team controls access to the SHA's computer networks. Anyone planning to access external systems from standalone PCs, e.g. by modem, must notify the ICT Team who will maintain a register of such users and will provide a security briefing before external access commences.

All procedures relating to management of the network and core systems are documented. Operating procedures specific to core systems will form part of the system's SSSP.

The ICT Team ensures that a log of all system maintenance, engineering and upgrades, hardware and software faults is maintained. They also ensure that all systems are adequately documented and that the documentation is kept up-to-date.

The ICT Team controls the storage of system discs to ensure that software cannot be copied.

21 Systems Development and Maintenance

The SHA must ensure that security requirements are built into systems from the outset. Suitable controls must be in place to manage the purchase or development of new systems and the enhancement of existing systems, to ensure that information security is not compromised.

21.1 Security Requirements of Systems

Any staff responsible for implementing or modifying systems are responsible, in collaboration with ICT, for ensuring:

- that statements of business requirements for new systems, or enhancements to existing systems, specify the security controls required for that system. This means that a SSSP must be developed
- that all modifications to systems are logged and that up to date documentation exists for these systems
- that contracts with suppliers include confidentiality and security clauses, i.e. clear procedures for access to the systems for maintenance and support
- that vendor supplied software used in systems is maintained at a level supported by the supplier, if beneficial to the service. Any decision to upgrade must take into account the security of any new software
- that access is only provided to suppliers for support purposes when necessary, and must be with management and ICT approval
- that all supplier activity on the system is monitored
- that copies of data must retain the same levels of security and access controls as the original data
- where data is to be migrated between systems, that standards included in the Transfer of Personal Information Policy are adhered to

System utilities are password protected and are held in secure directories. They are only to be used by the ICT Team.

22 Control of Virus and Malware

22.1 The need for Anti-Virus and Malware controls

Computer viruses pose considerable risks to SHA systems. They can cause them to run erratically, cause loss of information, and information to become corrupted, with the consequential loss of productivity for the organisation. The Data Protection Act governs the processing of personal identifiable data, and protecting the data from loss, damage or destruction, whether accidental or deliberate. This includes having anti-virus controls in place to safeguard information and ensure the Act is complied with, taking into account the harm that may result from a virus and impact on the different types of data affected.


22.2 Anti-Virus Policy

The SHA's Policy is to ensure that:

- All staff are aware of their responsibilities in relation to safeguarding the confidentiality, integrity, and availability of data and software within the organisation.
- Best practice concerning the use of software within the organisation is identified.
- Instructions are provided on the prevention of virus infection, and what steps to take should a virus be found

The Anti-Virus software used by the Trust will include protection against virus, spyware and malware.

22.3 E-mail and internet

E-mail is one of the main ways used to distribute computer viruses. This is due to the ease with which information can be distributed globally. Viruses can be hidden in email attachments or in material downloaded from the internet.

To help protect against viruses being distributed over the network, staff should adhere to the following:

- Make sure the sender of the e-mail is genuine before opening any attachments. If suspicious in any way, contact the sender to confirm they have sent the e-mail.
- If a member of staff receives an e-mail virus, or an alert from their PC to this effect, they must contact the IT Service Desk.
- Any form of software, screen savers, or games must not be downloaded or copied from any source.
- Any e-mails that suggest they have been sent to fix a problem with your machine (e.g. emails from Microsoft) must not be actioned. Reputable vendors would never distribute software patches in this way.
- If a member of staff has any suspicion regarding a received e-mail, they should not open it, but contact the IT Service Desk immediately.

22.4 Anti-Virus Controls

Requirements:

- Anti-Virus software must only be installed and configured by ICT.
- Users must not disable or interfere with anti-virus software installed on any computer or server.
- ICT must ensure that automatic updates are applied to all workstations and servers on a daily basis and that all devices are up to date with the latest signature file.
- No computer or server may be connected to the network without adequate protection i.e. up to date anti-virus software being installed and activated.
- Laptops must regularly connect to the network to ensure that the antivirus software remains updated. Failure to do so could result in unnecessary virus outbreaks.
- Users must not change or delete any anti-virus software that is installed on the Trust's network, servers or PCs.

Software:

No software programs or executable files should be downloaded from the Internet and installed onto a PC without the consent of the ICT team. Unauthorised downloading of software may breach the copyright licence, could introduce a computer virus to the system, and is a breach of the Trust's ICT Security Policy.

The unauthorised copying of software is a criminal offence under the Copyright, Design and Patents Act 1998.


Avoiding virus infection:

- Avoid the transfer of information by floppy disc, CD or USB memory sticks between computers.
- Staff should not introduce the above media from home onto NHS computers.
- Do not start up a PC with a floppy disk, CD or USB memory stick inserted unless instructed by ICT team.
- Where practical write protect floppy disks and USB memory sticks until the write option is required.
- Save data/documents etc. on a networked drive. If information is saved on a hard drive, then if infection does occur, data may not be recovered.

22.5 Dealing with a potential virus

If a virus is detected or suspected, the following should occur:

Staff:

- Contact the IT Service Desk immediately.
- Do not use the PC until approved by the ICT Team.

ICT Staff:

- Check the infected PC
- Check any media that have been used in the infected PC
- Check any other PC that the media has been used with
- Delete or clean any infected files
- Check any Servers that may have been accessed during the incident
- Inform the IT Security Officer of any viruses detected
- Ensure that the incident is addressed within an appropriate timescale

22.6 Hoax Viruses

Hoax emails are very common. The usual format is a warning of a virus (usually labelled as the worst yet or some other equally alarmist phrase). The email will give details of a virus carried in an email with a particular subject line or attachment name then give details of how the virus will cause huge amounts of data loss. The email will then go on to tell you to send the warning to everyone you know.

Staff should ignore these emails. If there is any doubt whether the details are genuine staff should contact the IT Service Desk for advice.

23 Acting outside of this policy

It is recognised that there may be exceptional circumstances in which, after a detailed risk assessment of the situation, a member of staff may need to act outside the detail of this Policy. However, this may only be done in agreement with the SHA's Information Governance Lead. Staff acting outside the requirements of this policy without this agreement may be subject to disciplinary procedures and possible criminal charges as detailed in section 26.2.

24 Document Consultation, Approval & Ratification

24.1 Consultation

This document has been produced by the authors on behalf of the SHA's Information Governance Working Group. In preparing the document for official ratification the ICT Development Group, Staff Partnership, HR and Counter fraud were consulted and their comments added to the document as appropriate.

In considering the document for approval the IG Working Group also took into account the results and recommendations of the Equality Impact Assessment.


24.2 Document Development

The SHA Information Governance Working Group are responsible for the development, review, implementation, performance management and distribution of this Policy.

This Policy will be reviewed every year by the SHA Information Governance Working Group or as and when significant changes make earlier review necessary.

25 Training, Distribution & Implementation

25.1 Training

All staff will be required to have appropriate information governance training which will include Information Security. Other Information Security training and awareness raising will be arranged where appropriate.

Specific security training is necessary for individuals with defined responsibilities in this area and specific information risk management training is required for the role of Information Asset Owner, Information Asset Administrator and Senior Information Risk Officer. Further guidance can be obtained from the Information Governance and Information Risk Policy (available on the SHA intranet)

A range of training methods will be considered in relation to identified needs.

25.2 Distribution

This policy is available for all staff to access via the SHA intranet. Staff without computer network access should contact their Line Managers for information on how to access policies.

All staff will be notified of a new or revised document via Inform.


25.3 Implementation

It will be the responsibility of the Information Governance Working Group to support the implementation of this policy across the SHA, through action planning, awareness raising and training.

The procedures detailed in this policy provide additional guidance to staff on ICT Security. Key ICT security issues will be highlighted on a routine basis through Inform.

Line managers have a role to play in ensuring staff are aware of this policy and its implications.

26 Monitoring Compliance

26.1 Standards and Key Performance Indicators

The SHA must assess its performance in information security and other areas of information governance using the NHS Connecting for Health: Information Governance toolkit [6], and monitor progress and improvement.

26.2 Monitoring Compliance

All staff must adhere to the ICT Security Policy, Transfer of Personal Information Policy and related information governance policy and comply with applicable UK legislation and any regulatory requirements for information security as specified in section 7.

Failure to follow these policies may lead to disciplinary action being taken against the member of staff and could potentially lead to criminal investigation and potential prosecution.

As part of the monitoring process, audits of the SHA's operational systems will be undertaken on a regular basis by the SHA's internal auditors. The Internal Audit Department will agree the scope and requirements of the audit with the SHA. Different methods will be used for monitoring different aspects of ICT Security including:

- monitoring of internet/e-mail use
- audit of information flows to ensure confidential information is being transferred securely
- audits of smartcard use to ensure these are used in line with the smartcard terms and conditions
- keeping logs of system access to support monitoring processes
- review and investigation of information security incidents
- ICT security risk assessments and spot checks of security processes

[6] Connecting for Health IG Toolkit: https://www.igt.connectingforhealth.nhs.uk/Home.aspx?tk=402104214976238&cb=10%3a16%3a30&lnv=28&clnav=YES

26.3 Audit trails

The SSSP for core systems will indicate where audit trails are required and how often they should be checked. They will be used to check that users are only performing processes for which they have been explicitly authorised.

26.4 Network audit

The security of the network should be audited regularly. This may include measures such as spot-checks of access control and server shares and penetration testing.


27 Useful Contacts

Further guidance and advice on Information Security issues can be obtained from the Information Governance Team or ICT Service Desk:

Information Governance Team
North East Strategic Health Authority
Tel: 0191 210 6485 / 0191 210 6541

ICT Service Desk
Tel: 0191 445 23 97
Email: it.servicedesk@ghnt.nhs.uk


Appendix A
ICT Security Policy

Before signing this document you MUST read the ICT Security Policy.

- IT and internet services will only be used for those purposes directly related to a user's work or areas of legitimate research and operational services.
- Participation in online chat, gambling or games is forbidden.
- No illicit material, pornographic, violent, racist, defamatory or offensive, will be viewed / downloaded or obtained via email. Advice should be taken from the ICT Team where there is any doubt.
- Downloaded material may be subject to copyright and all copyright restrictions must be adhered to.
- Unlicensed or unauthorised software must not be downloaded or installed on any PC.
- It should be understood that all Internet sessions are monitored and that activity logs are kept. Summary logs may be sent to your line manager or Director.
- Modems must not be connected to PCs on the SHA network without express permission from the ICT Team.
- Breaches of security, abuse of services or non-compliance with the SHA's ICT Security Policy or the Code of Connection, may result in the withdrawal of all Internet services from the SHA.
- The SHA's disciplinary procedure may be invoked should abuse of this IT Security Policy occur.
- All e-mails and files held on the SHA systems are the property of the SHA and as such may need to be viewed without the consent of the staff member for monitoring and business continuity purposes.

USER ACCEPTANCE

I have read and understand the Acceptable Use Policy detailed above and agree to abide by it and all other aspects of the ICT Security Policy.

PRINT NAME
SIGNATURE
DATE

ON BEHALF OF THE SHA ICT TEAM

NAME
SIGNATURE
DATE

NB. Original of this form to be retained by ICT, Copy to be retained by user.
