Application:
Application to: All PCT staff
Communication Method: Line Managers, Email, Intranet
Consequence of Non-adherence: disciplinary and legal sanctions
Approvals:
Approvals Body: Integrated Governance Board
Date approved: 21/3/2011
Implementation Date: 21/3/2011
Review Date: 21/3/2012
This document defines the Network and IT Security policy and procedures for NHS Birmingham East
and North and the other member PCTs of the Birmingham and Solihull Cluster. These are Heart of
Birmingham Teaching PCT, NHS South Birmingham, Birmingham Community Healthcare NHS Trust
and NHS Solihull Care Trust.
NHS BEN has overall responsibility for the Birmingham and Solihull N3 Community of Interest
Network (COIN), i.e. the Network, on behalf of the other stakeholder organisations (see section 3).
The N3 COIN is a fully managed service provided by and managed by BTN3. The Shared Services
The Network and IT Security Policy is supported by the SSA ICT department and applies to all business
functions and information contained on the Network (including the wireless network) and relevant
people who support the Network.
o This policy sets out the organisational policy for the protection of the confidentiality, integrity,
security and availability of the Network.
o This policy establishes the security responsibilities for Network security and provides
reference to documentation relevant to this policy.
o This policy is the main source for and incorporates Network related policies and procedures;
these being: Patch Management; Anti-Virus; Encryption; Password Management; Remote
Access; Mobile Computing Devices and Third Party Access. As such this policy will be
continuously developed to reflect changes related to the Network.
2.0 Aim
The aim of this policy is to ensure the security of functions of the Birmingham and Solihull (B & S)
N3 COIN which fall directly under the responsibility of NHS Birmingham East and North. To do
this the SSA ICT department will:
o Ensure availability of Network services to all authorised users (by managing the
service provided by BTN3);
o Preserve integrity of the Network;
o Protect the Network from unauthorised or accidental modification;
o Ensure the accuracy and completeness of the organisation's assets;
o Preserve Confidentiality within the Network;
o Protect assets against unauthorised disclosure.
The purpose of this policy is to establish standards and procedures in regard to the security
of the COIN ICT Network and the infrastructure within which the Network operates.
In addition, it is to comply with legislative requirements, information security best practice, and
mandated security frameworks such as access to the N3 Network.
Access to the Trust’s equipment and information must be protected to ensure the availability,
integrity and confidentiality of its information. The Trust will take the necessary precautions to
protect the Network from unauthorised or accidental modification ensuring the accuracy
and completeness of the organisation’s information and Network assets and will protect these
assets against unapproved changes.
3.0 Scope
This policy applies to all users employed by or contracted to the Trust, sub-contractors and third
party companies connecting to or wishing to connect to the Network by any method. This policy
applies to all networks within and connected to the NHS BEN (COIN) Network and Network
equipment.
The section below outlines key objectives of the Network Security Policy for the Trusts listed in
section 3.0.
4.1 The Network will be available in accordance with defined service levels; must be
accessed only by legitimate users; and will contain complete and accurate information. The
Network must also be able to withstand or recover from threats to its availability, integrity and
confidentiality. To satisfy this, SSA ICT will undertake the following:
4.1.1 Protect all hardware, software and information assets under its control. This
will be achieved by implementing a set of well-balanced technical and non-
technical measures;
4.1.2 Provide both effective and cost-effective protection that is commensurate with
the risks to its network assets;
4.1.3 Implement the Network Security Policy in a consistent, timely and cost
effective manner.
4.2. Where relevant, NHS BEN and affiliated organisations connected to the NHS BEN
Network will comply with:
‘The group of routers/switches, protocols, wireless access points and standards that allow
users to access and use an organisation’s information’.
The scope of this policy covers the Network, including the wireless network as it is
incorporated within the infrastructure which supports its activity and application for NHS BEN
business and operational functions.
6.1. SSA ICT will carry out security risk assessment(s) in relation to all the business processes
covered by this policy. These risk assessments will cover all aspects of the Network that are
used to support those business processes. The risk assessment will identify the appropriate
security countermeasures necessary to protect against possible breaches in confidentiality,
integrity and availability of the network.
6.2 Risk assessment will be conducted to determine the Information Technology Security
Evaluation Criteria (ITSEC) Assurance levels required for security barriers that protect the
network.
6.3 Formal risk assessments will be conducted to conform to ISO 27002¹. (This refers to
‘the preservation of confidentiality (ensuring that information is accessible only to those
authorised to have access), integrity (safeguarding the accuracy and completeness of
information and processing methods) and availability (ensuring that authorised users have
access to information and associated assets when required)’.)
6.4 Connecting for Health Good Practice Guidelines on Network Security will be adhered to.
See Appendix 2.
6.5 Risks to the integrity, security and confidentiality of networks will be reduced by SSA ICT
using the following:
o Patch Management
o Anti-Virus software
o Use of Encrypted Software for Remote Access
o Use and Management of Passwords
o Log-On Authentication
o Firewalls
o Network access protection
o No access to network equipment
o Controlled access physically/remotely
o Unified threat management
o Locked cabinets
7.1 The goal of patch management is to support the integrity and security of the Network by
ensuring all installed components on the Network are up to date with the latest patches and
updates applied. The Network components covered in patch management may include:
• Computers
• Servers
• Software
• Peripherals
¹ The Information Security standard published by the International Organisation for Standards (ISO)
and The International Electrotechnical Commission (IEC) which provides best practice for information
security management.
² Patch Management procedures developed by Sue Field, SSA, ICT Department.
7.2 Security vulnerabilities are inherent in computing systems, network hardware and
applications. Patch management is an important tool to ensure that the network and its
components continue to be secure and available to the end user by ensuring the centralised
timely and tested distribution of applications’ patches.
7.3 Regardless of the operating system or criticality, all patch releases will follow a defined
process for patch deployment that includes assessing the risk, testing, approval, installing
and verifying.
7.4 The SSA ICT Technical Services Team will monitor security mailing lists, review vendor
notifications and websites and research specific public websites for the release of new
patches. Monitoring will include, but not be limited to, the following:
• Network scanning to identify known vulnerabilities to Network security.
• Identifying and communicating known vulnerabilities and/or security breaches to the
SSA ICT Senior Management Team.
• Any security breaches discovered will immediately be reported to Information
Governance.
7.5 Once a new patch has been identified, the SSA ICT Technical Services Team will
categorise its criticality relevant to each platform according to the following:
• Emergency: an imminent threat to the network
• Critical: targets a security vulnerability
• Not critical: a standard patch release update
• Not applicable
7.6 Authorisation
The testing, deployment and distribution of patches on the shared infrastructure remains the
responsibility of SSA ICT.
• The Change Management Review Board must approve the schedule prior to
implementation.
• A record of the decision should be kept in the Patch Management Log.
• Also, a recorded entry into the Change Management Log of the intended action,
date/time, roll back plan and responsibilities of the intended patch to be deployed into
production.
Introduction
8.1 A virus is a piece of potentially malicious programming code that will cause some
unexpected or undesirable event. This could have security implications for the integrity,
confidentiality and availability of the Network and its data. Viruses can be transmitted in a
number of ways such as via e-mail or instant messaging attachments, downloadable Internet
files, diskettes, and CDs. Viruses are usually disguised as something else, and so their
presence is not always obvious to the computer user. A virus infection can be very costly to
the Trust in terms of data loss or breach, lost staff productivity, and/or lost reputation.
Policy Statement:
8.2 This procedure applies to all computers, servers and mobile devices such as laptops that
are connected to the SSA ICT Network via a standard network connection, wireless
connection, modem connection, or virtual private network connection. This includes
company-owned computers attached to the SSA ICT Network.
8.3 The definition of computers includes desktop workstations, laptop computers, handheld
computing devices, and servers. SSA ICT is committed to provide a computing network that
is virus-free.
8.4 All computers attached to the SSA ICT Network must have SSA ICT-approved,
vendor-supported anti-virus software installed. This software must be active, be scheduled to
perform virus checks at regular intervals, and have its virus definition files kept up to date.
8.5 Any activities with the intention to create and/or distribute malicious programs onto the
SSA ICT Network (e.g. viruses, worms, Trojan horses, e-mail bombs, etc.) are strictly
prohibited and will be subject to disciplinary action.
8.6 If an employee receives what they believe to be a virus, or suspects that a computer is
infected with a virus, it must be reported to the SSA ICT Helpdesk immediately on 0121 465
1111 or via help.desk@bpcssa.nhs.uk.
8.7 No employee should attempt to destroy or remove a virus, or any evidence of that virus,
without direction from the SSA ICT department.
8.8 Any virus-infected computer will be disconnected/removed from the Network until it is
verified by SSA ICT as virus-free.
8.9.1 SSA ICT is responsible for maintaining and updating the Anti-Virus procedure.
This procedure will be part of the Network Policy and may be subject to review and
updated on a continual basis.
8.9.2 SSA ICT will keep the anti-virus product up-to-date, currently via the use of a
4hr schedule with automatic ‘push out’ to systems’ applications.
³ Anti-Virus Protection procedure developed by Iqbal Mahal, BPCSSA, IT Department.
8.9.4 SSA ICT will take appropriate action to contain, remove, and assist in recovery
from virus infections. In order to do so, SSA ICT may be required to disconnect a
suspect computer from the network or disconnect an entire segment of the network.
8.9.5 SSA ICT will perform regular anti-virus sweeps of file and applications data.
8.9.6 SSA ICT will attempt to notify users of SSA systems of any credible virus
threats via e-mail, telephone messages and/or Intranet. Virus reports will not be
acted upon until validated by SSA ICT. Employees/users should not forward these or
any virus warning messages in order to keep network traffic to a minimum.
8.10 The following activities are the responsibility of NHS Trust departments and
employees:
8.10.2 All employees are responsible for taking reasonable measures to protect against
virus infection. Please follow this advice:
8.10.3 Employees must not attempt to either alter or disable anti-virus software installed
on any computer attached to the SSA network without the express consent of the IT
department.
8.10.4 Any employee who is found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
Introduction
9.1 SSA ICT have a duty to ensure that data held electronically is adequately protected from
loss and inappropriate access (deliberate or accidental). The Data Protection Act
⁴ Encryption procedure developed by Denis Cooper, SSA ICT Department.
Policy statement
9.3 To reduce the risk of unauthorised access, the Trust has established a comprehensive
procedure on data encryption which covers data stored on:
Encryption Standards
9.4 Good practice guidance from NHS Connecting for Health specifies encryption standards
and recommended device/data encryption software; SSA ICT adhere to this guidance and
are implementing encryption on all laptops and removable media.
9.5 All data stored on equipment leaving Trust premises (i.e. laptops, removable media) will
be encrypted using a minimum of AES 256-bit encryption, as per Connecting for Health and
public sector standards. Software and systems to support this are being/will be in place.
9.6 To reduce risk of information security breaches and to ensure the confidentiality and
integrity of information the following guidance should be followed:
9.7 All laptops will be encrypted via full disk encryption software to ensure that all
programmes, including the boot system on a laptop’s hard drive, are protected.
9.8 Encrypted removable media only will be provided by SSA ICT and PCT ICT departments.
Any non-encrypted device is prohibited from use on any SSA ICT/PCT equipment.
9.9 For removable media such as writable CDs and DVDs however, encryption will be
applied by prompting the user for a password.
9.10 Desktop PCs will not be supplied with writeable CD or DVD drives.
9.11 SSA ICT plans to have all server storage tape backups encrypted using hardware
encryption, and is moving towards this from software encryption.
9.13 Currently the only approved handheld device is the Blackberry. These are encrypted by
default and the user is forced to set a password on the device. Any other handheld devices,
including Personal Digital Assistants (PDA) and Dictaphones etc. will need to be individually
approved and risk assessed by SSA ICT before being allowed access to the Network. If a
handheld device cannot be encrypted:
9.15.2 If a device will be used to share / transport information, i.e. a memory stick being
delivered to another organisation, the password must be sent separately and at different
times.
9.16 Responsibilities
o Staff and contractors who under this policy are permitted to use removable devices in
the performance of their duties must ensure that data is encrypted in accordance with
NHS Guidance.
o The Information Governance Manager and SSA ICT Service Manager are
responsible for ensuring the Trust has appropriate data encryption capabilities in
order to protect the data it holds.
o The SSA ICT Service Manager is responsible for assuring that the data encryption
functionality and procedures used by the PCT have been implemented correctly and
are of appropriate strength and fit for purpose.
o Line managers are responsible for the day to day management of their staff to
ensure that policies and procedures are being implemented appropriately.
Introduction
10.1 Password controls enable the SSA ICT to protect and monitor systems against
unacceptable use; to prevent crime; protect confidential information and to ensure the
security of information contained within these systems. Refer to guidance from The
Computer Misuse Act 1990 (See Appendix 5).
10.2 Passwords are an essential first line of security for protecting systems from
unauthorised access and are most effective when they are hard to guess.
10.3 System Managers, Systems Administrators, ICT Staff, and Users are obliged to use
passwords in a responsible, secure and lawful manner. It is important that staff are aware of
the consequences and legal risks of password and computer misuse.
10.4 If any System Manager, Systems Administrator, ICT Staff or End User disregards the
rules set out in this procedure, they may be legally liable and may face prosecution and/or
disciplinary action depending upon the severity of the incident.
10.5 Users (whether contractor or staff) will be held liable and subject to disciplinary and/or
legal action if a computer on the SSA ICT network is used to hack into another computer.
10.6 If computer material is modified in any way that constitutes misuse of access i.e.
unauthorised modification, deletion, addition or replication of information the user will be held
responsible. Such actions may lead to a disciplinary and/or legal action.
10.7 All connection and access to the SSA ICT Network and other national NHS Systems are
controlled by a process of secure password management.
10.8 Following a User’s manager’s application to request access to the Network, the
Network Manager will ensure that only the folders/files relevant to their work role and
department will be made available to the User. Folder access will not be by password but by
the use of access controls’ software.
10.9 Access to the Network will be gained upon a User having an ID/Login name and
associated password.
Password Requirements
Effective password complexity can be achieved through a series of actions that prove
impossible for another to guess but remains memorable to the user; see Appendix 6.
10.11 The minimum password requirement for access to the SSA ICT Network is seven
characters that is an enforced mixture of both lower and uppercase letters with a minimum of one
character and one number. Special characters can also be used in replacement of a letter
i.e. $ £!*% as this will strengthen the password by increasing its complexity.
10.12 It is the responsibility of SSA ICT system administrators to ensure strong password
management, with access denied to a User unless the supplied password contains agreed
character mix.
10.13 Temporary passwords used before an enforced password change must also comply
with the password strength defined within this policy; see Appendix 6.
10.14 This guidance aims to protect the account holder from any attempt by a third party
(work colleague, contractor, patient, member of the public) to use their account to modify or
reproduce material contained within the system. Unauthorised modification or replication
constitutes a criminal offence and may lead to legal proceedings or disciplinary action. (see
Appendix 5)
10.15 Account hijacking also constitutes a criminal offence. Therefore this guidance ensures
passwords (including those on smartcards) are restricted to use by a single member of staff
which limits risks of breaching information security. This is necessary for compliance with the
Data Protection Act 1998 and the Computer Misuse Act 1990.
10.15.1 Do’s
10.15.2 Don’ts
o Do not record passwords in any form where the password could be compromised.
i.e. post it notes left under keyboards, scraps of paper, notes in drawers, filing
Password Security
10.16 Any of the following breaches could lead to disciplinary or legal action:
Resetting passwords
10.17 To reset Login IDs and passwords Users are advised to use Password Manager
software to reset their passwords (prompt box on log on screen). Password Manager allows
users to securely reset their passwords through a series of security questions. Registration
with password manager is compulsory for all Users on the SSA ICT network. Contact SSA
ICT Helpdesk on 0121 465 1111 for assistance.
10.18 When a User leaves any of the SSA ICT-supported Trusts, their account should be
deactivated immediately, in line with the User Lifecycle Management Policy & Procedures.
Failure to do so increases the risk to information security integrity.
10.19 System managers or administrators should not record user’s passwords and should
not access accounts unless there is a valid reason i.e. business critical need. See Access to
H drives and Email Accounts: Guidance for Managers.
Auditing
10.20 System access logons (failed and successful) are recorded in the network event logs.
These logs are maintained for a period of time and failed attempts are noted and monitored.
These logs can be used to ascertain breaches in security and to determine the person
responsible.
10.21 SSA ICT will audit access to the network, internet and email systems. Connecting for
Health (CfH) systems will be monitored by the Information Governance departments through
the Enhanced Reporting System.
10.22 Any breach of patient or staff confidentiality will be escalated to the relevant Caldicott
Guardian.
11.1. Network computer equipment will be housed in a controlled and secure environment.
11.2. Critical or sensitive network equipment will be housed in secure areas with appropriate
security barriers and entry controls.
11.3. The Asset Owner is responsible for ensuring that door lock codes are changed
periodically if there is a risk of compromise of the code or if the code has been
compromised.
11.4. Critical or sensitive network equipment will be protected from power supply failures by
fitting uninterrupted power supply (UPS) apparatus.
11.5. Critical or sensitive network equipment will be protected by intruder alarms and fire
extinguisher systems.
11.6. Smoking, eating and drinking are forbidden in areas housing critical or sensitive network
equipment.
11.8. All visitors to secure network areas must be made aware of network security
requirements.
11.9. All visitors to secure network areas must be logged in and out. The log will contain
name, organisation, purpose of visit, date, and time in and out and this must be authorised
by an SSA ICT senior manager.
11.10. During projects, the project lead will ensure that all relevant staff are made aware of
procedures for visitors and that visitors are escorted, when necessary.
12.1. Entry to secure areas housing critical or sensitive network equipment will be restricted
to those whose job requires it. The Technical Services Manager will maintain and
periodically review a list of those with approved access.
12.2 The following security methods exist to prevent any unauthorised access to secure
network areas:
o Lockable cabinets
o Password controlled access
o Door passes
13.1. Network access will only be provided to all new Trust employees following initial
induction.
13.2. There is a formal, documented user registration (by using the New User form) and de-
registration procedure for access to the network.
13.3. Access to the Network will be via a secure log-on procedure and Users must log-on
using the Ctrl Alt Del keys and have to agree to the Information Management and
Technology Policy by clicking ’OK’. This is followed by the use of an allocated user-name
and a complex password of a mixture of 7 characters with at least one capital letter, one digit
and one symbol as stated in section 10 on Password Management.
14.1 It is important to have robust procedures in place to ensure Third Party Access is
secure. This supports the overall security of the SSA ICT infrastructure and ensures control
and auditing of third party organisations accessing Birmingham East and North PCT and
SSA ICT systems.
14.2 For the purposes of this policy a Third Party Organisation can be:
14.3 Third party access to the Network will be based on a formal contract that satisfies all
necessary NHS security conditions. See Appendix 3.
14.4 All third party access to the Network must be logged in the ‘remote access’ log which
maintains a record of the (administration) user.
14.5 Third parties must not use ad hoc connections to the Network on any site.
14.6 It is the responsibility of the Network Manager to authorise access to a third party to the
PCT Network.
14.7 All third parties requiring remote access to systems will agree to the legislation listed in
section 4.2.
14.8 Third parties will only be authorised and granted access rights to the servers and
applications they are supporting.
⁵ Third Party Access Procedures prepared by Daniel Littley, BPCSSA ICT Department.
14.10 Devices used by the third party to access the trust systems to provide support will
have up to date Anti-virus software installed and an operating system firewall enabled. In
addition all the latest security patches for the operating system must be used. See Section
7.
14.11 Third parties must use an encrypted method to Connecting for Health (CfH) standards
to gain access to the PCT network or a BTN3 connection. For procedure on Encryption see
Section 9.
14.12 All third parties must sign the BPCSSA Secure Remote Access Service - Third Party
Application Form. See Appendix 3.
14.13 It is the Network Manager’s responsibility to ensure a log is kept of when third parties
have accessed PCT systems.
14.14 Any incurred costs to gain access will be covered by the trust owner of the service, as
outlined in the Secure Remote Access Service – Third Party Application Form. Appendix 3.
The objectives of the Network Security Policy and Procedures in relation to Remote Access
are as follows:
o To provide secure and resilient remote access to the Trust’s Network and information
systems;
o To maintain the security of organisational information processing facilities and
information assets, when accessed by third parties.
o To preserve the integrity, availability and confidentiality of the Trust’s information and
information systems;
o To manage the risk of serious financial loss, loss of stakeholder confidence or other
serious business impact which may result from a failure in security;
o To comply with all relevant regulatory and legislative requirements (including Data
Protection laws) and to ensure that the Trust is adequately protected under
Computer Misuse legislation.
15.1 Remote Access refers to any technology that enables you to connect users in
geographically dispersed locations. This access is typically over some kind of remote
connection, although it can include WAN connections.
15.2 All staff who are permitted to use equipment of the organisation at home or who may
use their personal computing resources to connect to networked services of the organisation
are subject to this policy.
15.3 This policy covers all types of remote access whether fixed or ‘roving’ including:
o Travelling Users (staff who work across site, are temporarily based at other
locations or work in the community);
o Home Workers (IT Support, Corporate Managers, IT development staff,
Clinicians, etc.,);
o Non NHS Staff (Social Services, Contractors and other Third Party
Organisations).
15.4 Remote access enables users to gain access to the PCT Network and other work
related services. Remote access must be authenticated using an approved and
authentication method through a VPN token.
15.5 For advice on how to obtain remote access to the PCT Network and other work related
services, approval must be given from your line manager via the SSA ICT webform who will
then contact the SSA ICT department helpdesk as the first point of contact.
15.6 The SSA ICT Network Manager is responsible for the local definition of network,
infrastructure and PC information security requirements and for the supply and configuration
of all computing equipment provided by the organisation. This will include network
connectivity and support for approved services.
15.7 Where the proposed working arrangements involve the use of personal or shared
computing resources, it must be noted that the Information Governance risks of doing so
may outweigh any operational advantage.
For all scenarios, consideration of risks must be made and should take account of the
potential to:
15.8 To ensure the most comprehensive level of protection possible, every network should
include security components that address the following:
o All remote users must be authorised by the relevant organisation’s SSA ICT lead.
User identity will be confirmed by User ID and password authentication.
o The IT Service Provider (currently BT N3) must maintain a log of all attempted
authentications and must ensure a log is maintained of all remote access via the
firewalls.
Perimeter Security
o The IT Service Provider will be responsible for ensuring perimeter security devices
are in place and operating properly. Perimeter security solutions control access to
critical network applications, data, and services so that only legitimate users and
information can pass through the network.
Secure Connectivity
o Users should not store any personal identifiable information unless authorised to do
so by the Caldicott Guardian or Information Governance Manager;
o Users must never disclose their network user name, password or personal PIN
number to anyone or provide their VPN remote access login credentials to anyone,
including family members;
o Users should be vigilant when entering their personal PIN and password in a public
place;
o Users must treat the Remote Access system as though they were using trust
systems from their desktop. Users must be particularly careful when accessing
sensitive information in public places (e.g. a library) and in particular: -
o Users should use an appropriate carry case when transporting the mobile computer;
o Users must not use personal computers, which do not belong to the NHS, for
processing and storing NHS information;
o Users must not allow the mobile computer or PDA to be used or accessed by
unauthorised individuals. This includes family members and friends.
o Users must not leave a mobile computer in a docking station overnight; either take it
with you or make sure it is locked away.
o When using a laptop in an open plan office, users must ensure they apply a
Kensington Lock (a security cable with a key code) which will physically keep the
laptop secure, if/when the user is away from his/her desk.
o Users must not leave a laptop visible in a car. When transporting a laptop in a car, it
should be kept in the boot.
o The SSA ICT Department is not responsible for the support of non-Trust ICT
equipment - e.g. PCs, Broadband routers, Broadband Telephone lines and can only
offer advice. The SSA ICT Help Desk will not be able to assist with any technical
issues relating to staff’s own, or another organisation’s equipment, network or
internet connections.
o Up to date anti-virus software and a personal firewall must be installed on all Host
PCs to allow full access to the system. The SSA ICT department does not supply AV
software for non-Trust purchased equipment.
16.1. Ensure that all user connections to external networks and systems have agreed to the
Network and IT Security Policy and Procedures, the Information Security Policy, the ICT
Acceptable Use (Email and Internet) Policy and other related policies, (e.g. BTN3 and
Connecting for Health).
16.2. Ensure that all connections to external networks and systems conform to the NHS wide
Network and IT Security Policy, Code of Connection and supporting guidance.
16.3. The Network Manager and Technical Services Manager must approve all connections
to external networks and systems before they commence operation.
17.1 Mobile computers are portable computers owned by the Trust ICT departments and
supplied for business use to an individual. Mobile computers are defined as laptops,
notebooks, palmtops, hand held computers, Blackberries, Personal Digital Assistants
(PDAs), memory sticks (pen drives), mobile phones capable of storing and processing
information and any ‘other’ portable device used for storing and processing information.
o Handhelds running the Palm OS, Microsoft Windows CE, Pocket PC or Windows
Mobile, Symbian, or Mobile Linux operating systems.
o Mobile devices that are standalone (i.e. connectible using wired sync cables and/or
cradles.)
o Devices that have integrated wireless capability. This capability may include, but is
not limited to, Wi-Fi, Bluetooth, and IR.
o Smartphones that include PDA functionality.
o Any related components of [company name]’s technology infrastructure used to
provide connectivity to the above.
o Any third-party hardware, software, processes, or services used to provide
connectivity to the above.
Under requirements introduced by the Department of Health all portable media must be
encrypted to NHS CfH standards.
All laptops purchased by the Trust must have Safeboot or other Trust approved full disk
encryption software applied as standard. The Trust has introduced a standard secure USB
memory stick for use on Trust PCs and laptops. This device is available via the SSA ICT
ordering form on the Trust Intranet. These sticks are issued with guidance but essentially
they will allow staff to transfer (not store) information. Confidential and/or sensitive person
identifiable or business sensitive information must not be stored or transferred on removable
media devices of any type.
No USB Memory Sticks other than the BENPCT standard secure memory stick can be
used with BENPCT IT equipment.
17.3 Registration
All employees requiring the use of PDAs for business purposes must go through an
application process that clearly outlines why the access is required and what level of service
the employee needs should his/her application be accepted. Application forms must be
approved and signed by the employee’s line manager, supervisor, or department head
before submission to the SSA ICT department. See Appendix 8.
17.4 All remote users must be registered and authorised by the SSA ICT Network Manager.
User identity will be confirmed by strong authentication and User ID and password
authentication. The Trust’s Network Manager is responsible for ensuring a log is kept of all
users requiring remote access.
o Hand in all mobile computers or PDAs when requested or when no longer needed
and ensure this is logged with the SSA ICT department’s Asset Register.
o Hand in all mobile computers or PDAs when you cease to be employed by the Trust
and ensure this is logged with the SSA ICT department’s Asset Register.
Report any loss or theft immediately to the SSA ICT and IG departments using the
Trust’s Incident Reporting process.
- The VPN token has the 6 digit code that enables logon to your laptop remotely. If you
lose this token you must inform the SSA ICT Helpdesk immediately so your VPN
token can be disabled.
- End users must memorise their PIN code (four digit code that is something you
know). End users must not under any circumstances keep the four digit code with
the laptop or VPN token.
Users of the system should not download and save any person identifiable, sensitive, or
confidential information to any local drive of ANY PC/laptop or non-encrypted removable
media device. Person-identifiable, confidential or sensitive data should not be saved on any
non-Trust device. Any non-sensitive documents can be saved to a local hard drive for the
purposes of modification and then saved back to a secure Trust drive.
The Remote Access system is configured so that it does not accept connections from PCs
without up-to-date anti-virus software installed. You may therefore be unable to use the
system if the PC you are using does not have an approved and up-to-date anti-virus product
installed. There can be no exceptions to this rule, as one unprotected PC gaining access to
the network could put the whole Trust at risk of virus infection.
Any staff member accessing the network via remote access does so on the condition that
they do not share their login with another individual. It is a disciplinary offence to allow
someone else to use your login.
The sharing of VPN tokens is also forbidden as it could give unauthorised personnel access
to person-identifiable, confidential and sensitive data.
The Network Manager will ensure that maintenance contracts are maintained and
periodically reviewed for all network equipment. All contract details will constitute part of all
PCTs Information Department's Asset registers.
19.1 Formal agreements for the exchange of data and software between organisations must
be established and approved by the Technical Services Manager and the Information
Governance Manager. Please refer to the Information Sharing Protocol.
20.1 The Network Manager is responsible for ensuring that a log of all faults on the network
is maintained and reviewed. A written procedure to report faults and review
countermeasures will be produced. These are:
o Maintaining a log
o Root Cause Analysis
21.1. Documented operating procedures should be prepared for the operation of the network
to ensure its correct technological operation.
21.2. Changes to operating procedures must be authorised by the Director of SSA ICT.
22.1. The Network Manager is responsible for ensuring that backup copies of Network
configuration data are taken regularly.
22.2. Documented procedures for the backup process, backup location for configuration
network files, and storage of encrypted backup tapes are the responsibility of the person who
is responsible for the backups.
23.1. The Trust will ensure that all users of the Network are provided with the necessary
security guidance, awareness and where appropriate training to discharge their security
responsibilities.
23.2. All users of the Network must be made aware of the contents and implications of the
Network and IT Security Policy and Procedures.
23.5 All personnel or agents acting for the organisation have a duty to:
24.0 Change Control
24.1 All significant changes to the main Network need to be assessed for their impact on
information security as part of the standard risk assessment.
24.2 The Technical Services Manager may require checks on, or an assessment of the
actual implementation of any change based on the proposed changes. As part of
acceptance testing of any new network system, the Technical Services Manager will arrange
for adequate security vulnerability assessments to take place and will co-ordinate the
production of documentation which baselines the accepted technical IT security standards
for that system.
24.3 All changes to the N3 COIN must be approved by the Change Board and will be
processed by BTN3 according to their change management processes. The firewall will be
managed by BTN3 in the same way.
25.1 All security incidents and weaknesses are to be reported to the risk management
function within the Trust using the Trust Incident form and reporting process. This will then
be cascaded to the appropriate department for resolution. All security incidents will be
investigated to establish their cause, operational impact, and business outcome. (see
relevant Risk and Incident Management Trust policies in References)
26.1 The B & S N3 COIN has in-built resilience as each site has 2 network connections
(primary and backup). The firewalls also operate in a resilient manner with multiple devices
in the Birmingham BT site and a further firewall in the Wolverhampton backup site. The SSA
ICT Business Continuity and Disaster Recovery Plans provide further detail on the
processes and procedures to be followed in the event of a problem with the COIN or other
parts of the IT infrastructure.
27.0 Audit
27.1 A regular audit of information and technical security arrangements should be carried out
to provide an independent appraisal and recommend security improvements where
necessary. The following SSA ICT products are used as auditing tools:
To fulfil the Connecting for Health IG Toolkit requirements, it will be necessary to have
regular security risk reviews and assurance reports. 6
28.1 The Trust will ensure that all network systems and components are properly licensed
and approved by the SSA ICT Department.
28.2 All networks will be approved by the Network Manager and Technical Services
Manager before they commence operation. The Network Manager and Technical Services
Manager are responsible for ensuring that the Network does not pose an unacceptable risk
to the organisation.
29.1 If any user is found to have breached this policy, they may be subject to NHS
Birmingham East and North’s Disciplinary procedures. If a criminal offence is considered to
have been committed further action may be taken to assist in the prosecution of the
offender(s).
If you do not understand the implications of this policy or how it may apply to you, seek
advice from the Information Governance Manager.
30.1 This policy will be reviewed as it is deemed appropriate, but no less frequently than
every 12 months.
31.0 References
The following NHS Birmingham East and North policy documents are directly relevant to this
policy and should be read in conjunction with this policy. Copies of these can be found on
the PCT Intranet:
6 To attain Level 3 for the 8-313 requirement, evidence of compliance with this policy will be through
spot checks, monitoring software, technical and non-technical audits, penetration testing and checks
of system documentation and functionality.
Source: www.connectingforhealth.nhs.uk/igtrainingtool
Professional Standards
NHS Standards:
8-313: ‘Policy and procedures are in place to ensure that Information Communication Technology
(ICT) networks operate securely.’
This requirement is to ensure there is appropriate protection for information communicated over
local networks and for the protection of the supporting infrastructure (including wireless networks).
8-314: ‘Policy and procedures ensure that mobile computing and teleworking are secure’
8-323: ‘All information assets that hold, or are, personal data are protected by appropriate
organisational and technical measures’
‘The security of NHS websites has a particular importance and visibility given the intended access to and use of
these assets via the internet and/or the NHS network (N3). When assessing the security protection needs of an
NHS website it is important that the risks to the website, including potential impacts to the organisation, its
patients and other business disruptions are considered. Such risks can include the effects of hacking,
defacement, content alteration and denial of service.
It is essential therefore that appropriate steps are taken to manage these risks and assure the website asset,
irrespective of whether the website is designed, implemented and managed locally or delivered and maintained
under agreement or contract by another party. All NHS organisations that possess or that are planning for
websites must therefore have clearly defined procedures for the secure operation of each website, including
procedures for their configuration patch and content management, business continuity and for dealing with
incidents should they occur. In addition, organisations must take appropriate steps to ensure that the web
server is not exposed to known vulnerabilities, e.g. by ensuring a regular health check review and penetration
test is made by a qualified tester. Records of tests should be made and improvement plans determined where
necessary.’
Definitions:
NHS network (N3) – ‘The new NHS Network is the high speed private broadband computer network
used by the NHS and its partners.’
Denial of Service – ‘Result of any action or series of actions that prevents any part of an information system
from functioning.’
Penetration Test – ‘A penetration test is a method of evaluating the security of a computer system or network
by simulating an attack from a malicious source.’
Source: www.connectingforhealth.nhs.uk/igtrainingtool
• Staff in a third party organisation (supplier) requiring to connect remotely to the NHS
Birmingham and Solihull COIN Infrastructure to provide system support.
Please note:
• The system owner will be charged if new or additional VPN Token(s) are required for the
third party supplier.
• The system owner is responsible for liaising with the NHS Birmingham and Solihull Service
Desk and the Third Party to ensure remote access requirements are clearly defined and to
ensure appropriate system access controls are implemented during SRAS provision.
• All details including approvals must be completed before sending to the ICT Service Desk
For assistance completing, please contact the Birmingham and Solihull COIN Support Desk
on 0121 465 1111 or email: Helpdesk@bpcssa.nhs.uk
Details & Network Information: IP address, firewall ports, VPN type, hardware used, etc.
• I will ensure that any known security-related patches are applied to SRAS connected devices.
• I accept that the service may be withdrawn without notice if a breach of security is
suspected
• I accept that system monitoring will occur for the purposes of maintenance and operation of
SRAS.
• I accept that upon leaving the third party employment, all VPN Tokens will be returned to
the System Owner, if applicable
• If a VPN token is damaged or lost, I will report this immediately to the System Owner and
accept there may be a replacement charge (doesn’t apply to N3 third Party end users).
Cost of Service
If you are using VPN via Trust VPN tokens the cost will be you agree to this cost by signing
the below and this cost go to the Trust Sponsor.
Name: ………………………………………………………
Directorate Tel
No:
Signature
The completed form should be returned to: helpdesk@BPCSSA.nhs.uk or FAX: 0121 465 1112
Please mark in the subject: For the attention of the Network Team THIRD PARTY
REQUEST FORM
Bad passwords
today: This is just a dictionary word that is easily discovered with hacking software.
It is also only five characters long. Passwords should be at least six characters long.
t1d2y: Here the digits 1 and 2 have been substituted for the vowels of the dictionary
word “today”. Again, hacking software is designed to look for this type of substitution.
today1: Here there is some attempt to mix letters and numbers. However, adding a
number on to the end of a dictionary word poses little problem to hackers.
Good passwords
t1o9d6a4y or t”o(d^a$y: Here the word (today) has been used and digits or special
characters have been included between each letter. The length of the password
also makes it difficult to guess or crack electronically.
1t9o6d4ay or ”t(o^d$ay: This is even more secure than the previous example since
the password begins with a digit or character.
Source: https://nww.igt.connectingforhealth.nhs.uk
DH, IG – User Guide to Passwords
USER DETAILS
Name:
Job Title:
Assignment Number:
Base/Location:
Contact Number:
Blackberry
VPN remote access token
USB encrypted memory device
Personal Digital Assistant
External Hard Drive
Zip/DAT Drive
Memory Card
If the removable device you require is not listed, please contact the ICT Department on
0121 465 1111 for advice.
NOTE: Removable Media Devices should not be used for storing or transferring any
confidential or sensitive person identifiable or business sensitive information. If any user
breaches the BPCSSA Network and IT Security Policy and Procedures he/she may be
subject to NHS Birmingham East and North’s disciplinary procedures. If any criminal offence
is considered to have been committed further action may be taken to assist in the
prosecution of the offender(s).
If you do not understand the implications of this policy or how it may apply to you, seek
advice from the Information Governance Manager.
By signing this form you confirm that you have read, and agree to adhere to, the BPCSSA Network
and IT Security Policy and Procedures.
I authorise the above-named staff member to have use of the listed Removable Media
Device for the specified use. I confirm that I understand my responsibility for the day to day
management and oversight of this device in accordance with the permitted use as listed in
the Network and IT Security Policy and Procedures.
Office Use:
Asset Tag: Issued by:
Issued for: Date of Issue: