
Policy Type: Information: Management Security, Governance, Technology

Definition: Policy and Procedures

Owner Group: BPCSSA

NETWORK AND IT SECURITY


POLICY AND PROCEDURES

Application:
Application to: All PCT staff
Communication Method: Line Managers, Email, Intranet
Consequence of Non-adherence: disciplinary and legal sanctions

Approvals:
Approvals Body: Integrated Governance Board
Date approved: 21/3/2011
Implementation Date: 21/3/2011
Review Date: 21/3/2012

Source & Version:


Version: 1
Trust Policy No: 200
Policy Owner: Director of ICT Services

Network and IT Security Policy 1


Final 2.0 March 2011
Document Control

Date | Version | Author | Amendment History
06/12/10 | 0.1 | T.Akhtar | Draft 1
07/12/10 | 0.2 | T.Akhtar | Input from SG and MC and ICB.
08/12/10 | 0.3 | T.Akhtar | TA – re-drafted v.01
10/12/10 | 0.4 | T.Akhtar | TA – incorporating feedback from SSA and BEN ICT members
23/12/10 | 0.5 | T.Akhtar | Feedback from PDWG – comments from GK inserted
11/1/2011 | 0.6 | T.Akhtar | Incorporation of comments from other PCT leads and further information added to policy by TA
21/1/2011 | 0.7 | T. Akhtar | Further references incorporated
26/1/2011 | 0.8 | T.Akhtar | Incorporation of D Littley’s comments
1/3/2011 | 0.9 | T.Akhtar | Changed format of document
09/03/2011 | 1.1 | T. Akhtar | Start incorporating the following policies and procedures into the original Network Security Policy Document: Password Management; Patch Management; Anti-Viral; Encryption and Remote Access.
11/3/2011 | 1.2 | T.Akhtar | Editing of 1.1.
15/3/2011 | 1.3 | T. Akhtar | Reformatting of 1.1. Send out to BPSCCA ICT, Cluster IG and ICT leads for feedback.
17/3/2011 | 1.4 | T.Akhtar | Incorporation of ICT feedback. No additional feedback from Cluster leads.
18/3/2011 | 1.5 | T. Akhtar | Further amendments from T Gallagher
30/3/2011 | 1.6 | T. Gallagher | Final amendments incorporated as per Director’s feedback.
31/3/2011 | 2.0 | T.Akhtar | Final formatting.

Contents
1. Policy Statement
2. Aim
3. Scope
4. Policy Objectives
5. Definition of Network
6. Risk Assessment of Network Security
7. Procedure for Patch Management
8. Procedure on Anti-Virus Protection
9. Procedure on Encryption
10. Guidance on Password Management
11. Physical and Environmental Security
12. Access Control to Secure Network Areas
13. Access Control to Network
14. Third Party Access Control to the Network
15. Remote Access to the Network
16. External Network Connections
17. Mobile Computing Devices
18. Maintenance Contracts
19. Data and Software Exchange
20. Fault Logging
21. Network Operating Procedures
22. Data Back-up and Restoration
23. User Responsibilities, Awareness & Training
24. Change Control
25. Incident Management
26. Business Continuity and Disaster Recovery Plan
27. Audit
28. Accreditation of Network Systems
29. Policy Compliance
30. Review and Revision
31. References
Appendix 1 – Birmingham COIN overview
Appendix 2 – Connecting for Health IG Toolkit Requirements
Appendix 3 – SRAS Third Party Agreement
Appendix 4 – SSA ICT Departmental Structure
Appendix 5 – Computer Misuse Act Guidance
Appendix 6 – Good and Bad Password Guidance
Appendix 7 – Glossary for Patch Management
Appendix 8 – SSA ICT Authorisation for Use of Removable Media Devices

1.0 Policy Statement

This document defines the Network and IT Security policy and procedures for NHS Birmingham East
and North and the other member PCTs of the Birmingham and Solihull Cluster. These are Heart of
Birmingham Teaching PCT; NHS South Birmingham, Birmingham Community Healthcare NHS Trust,
and NHS Solihull Care Trust.

NHS BEN has overall responsibility for the Birmingham and Solihull N3 Community of Interest
Network (COIN), i.e. the Network, on behalf of the other stakeholder organisations (see section 3).
The N3 COIN is a fully managed service provided by and managed by BTN3. The Shared Services
Agency Information & Communications Technology (SSA ICT) has an oversight function with regard
to the service provided by BTN3 (or their contracted agents) on behalf of the local Trusts; this
includes any changes to the firewall configuration. All references to the Network will be based on this
understanding. (For Network mapping see Appendix 1).

The Network and IT Security Policy is supported by the SSA ICT department and applies to all business
functions and information contained on the Network (including the wireless network) and relevant
people who support the Network.

o This policy sets out the organisational policy for the protection of the confidentiality, integrity,
security and availability of the Network.
o This policy establishes the security responsibilities for Network security and provides
reference to documentation relevant to this policy.
o This policy is the main source for and incorporates Network related policies and procedures;
these being: Patch Management; Anti-Virus; Encryption; Password Management; Remote
Access; Mobile Computing Devices and Third Party Access. As such this policy will be
continuously developed to reflect changes related to the Network.

2.0 Aim

The aim of this policy is to ensure the security of functions of the Birmingham and Solihull (B & S)
N3 COIN which fall directly under the responsibility of NHS Birmingham East and North. To do
this the SSA ICT department will:

o Ensure availability of Network services to all authorised users (by managing the
service provided by BTN3);
o Preserve integrity of the Network;
o Protect the Network from unauthorised or accidental modification;
o Ensure the accuracy and completeness of the organisation's assets;
o Preserve Confidentiality within the Network;
o Protect assets against unauthorised disclosure.

The purpose of this policy is to establish standards and procedures in regard to the security
of the COIN ICT Network and the infrastructure within which the Network operates.

In addition, it is to comply with legislative requirements, information security best practice, and
mandated security frameworks such as access to the N3 Network.

Access to the Trust’s equipment and information must be protected to ensure the availability,
integrity and confidentiality of its information. The Trust will take the necessary precautions to
protect the Network from unauthorised or accidental modification ensuring the accuracy
and completeness of the organisation’s information and Network assets and will protect these
assets against unapproved changes.

3.0 Scope

This policy applies to all users employed by or contracted to the Trust, sub- contractors and third
party companies connecting to or wishing to connect to the Network by any method. This policy
applies to all networks within and connected to the NHS BEN (COIN) Network and Network
equipment.

This policy can be used as a principal document for Network Security for the following Cluster PCTs:
Birmingham East and North (NHSBEN); Heart of Birmingham Teaching PCT; NHS South
Birmingham, Birmingham Community Healthcare NHS Trust, and NHS Solihull Care Trust.

4.0 Policy Objectives

The section below outlines key objectives of the Network Security Policy for the Trusts listed in
section 3.0.

4.1 The Network will be available in accordance with defined service levels; must be
accessed only by legitimate users; and will contain complete and accurate information. The
Network must also be able to withstand or recover from threats to its availability, integrity and
confidentiality. To satisfy this, SSA ICT will undertake the following:

4.1.1 Protect all hardware, software and information assets under its control. This
will be achieved by implementing a set of well-balanced technical and non-
technical measures;

4.1.2 Provide both effective and cost-effective protection that is commensurate with
the risks to its network assets;

4.1.3 Implement the Network Security Policy in a consistent, timely and
cost-effective manner.

4.2. Where relevant, NHS BEN and affiliated organisations connected to the NHS BEN
Network will comply with:

o Copyright, Designs & Patents Act 1988
o Access to Health Records Act 1990
o Computer Misuse Act 1990
o The Data Protection Act 1998
o The Human Rights Act 1998
o Electronic Communications Act 2000
o Regulation of Investigatory Powers Act 2000
o Freedom of Information Act 2000

5.0 Definition of Network

‘Network’, for the purposes of this policy, can be defined as follows:

‘The group of routers/switches, protocols, wireless access points and standards that allow
users to access and use an organisation’s information’.

The scope of this policy covers the Network, including the wireless network as it is
incorporated within the infrastructure which supports its activity and application for NHS BEN
business and operational functions.

6.0 Risk Assessment of Network Security

6.1. SSA ICT will carry out security risk assessment(s) in relation to all the business processes
covered by this policy. These risk assessments will cover all aspects of the Network that are
used to support those business processes. The risk assessment will identify the appropriate
security countermeasures necessary to protect against possible breaches in confidentiality,
integrity and availability of the network.

6.2 Risk assessment will be conducted to determine the Information Technology Security
Evaluation Criteria (ITSEC) Assurance levels required for security barriers that protect the
network.

6.3 Formal risk assessments will be conducted to conform to ISO 27002 [1]. (This refers to
‘the preservation of confidentiality (ensuring that information is accessible only to those
authorised to have access), integrity (safeguarding the accuracy and completeness of
information and processing methods) and availability (ensuring that authorised users have
access to information and associated assets when required)’.)

6.4 Connecting for Health Good Practice Guidelines on Network Security will be adhered to.
See Appendix 2.

6.5 Risks to the integrity, security and confidentiality of networks will be reduced by SSA ICT
using the following:

o Patch Management
o Anti-Virus software
o Use of Encrypted Software for Remote Access
o Use and Management of Passwords
o Log-On Authentication
o Firewalls
o Network access protection
o No access to network equipment
o Controlled access physically/remotely
o Unified threat management
o Locked cabinets

7.0 Procedure for Patch Management [2]

7.1 The goal of patch management is to support the integrity and security of the Network by
ensuring all installed components on the Network are up to date with the latest patches and
updates applied. The Network components covered in patch management may include:

• Computers
• Servers
• Software
• Peripherals
• Cabling
• Routers and switches
• Services such as messaging, databases, MIS and file storage

For Glossary see Appendix 7.

[1] The Information Security standard published by the International Organisation for Standards (ISO)
and The International Electrotechnical Commission (IEC) which provides best practice for information
security management.
[2] Patch Management procedures developed by Sue Field, SSA, ICT Department.

7.2 Security vulnerabilities are inherent in computing systems, network hardware and
applications. Patch management is an important tool to ensure that the network and its
components continue to be secure and available to the end user by ensuring the centralised
timely and tested distribution of applications’ patches.

7.3 Regardless of the operating system or criticality, all patch releases will follow a defined
process for patch deployment that includes assessing the risk, testing, approval, installing
and verifying.

7.4 The SSA ICT Technical Services Team will monitor security mailing lists, review vendor
notifications and websites and research specific public websites for the release of new
patches. Monitoring will include, but not be limited to, the following:
• Network scanning to identify known vulnerabilities to Network security.
• Identifying and communicating known vulnerabilities and/or security breaches to the
SSA ICT Senior Management Team.
• Any security breaches discovered will immediately be reported to Information
Governance.

7.5 Once a new patch has been identified, the SSA ICT Technical Services Team will
categorise its criticality relevant to each platform according to the following:
• Emergency: an imminent threat to the network
• Critical: targets a security vulnerability
• Not critical: a standard patch release update
• Not applicable

7.6 Authorisation

The testing, deployment and distribution of patches on the shared infrastructure remains the
responsibility of SSA ICT.

• The Change Management Review Board must approve the schedule prior to
implementation.
• A record of the decision should be kept in the Patch Management Log.
• Also, a recorded entry into the Change Management Log of the intended action,
date/time, roll back plan and responsibilities of the intended patch to be deployed into
production.

8.0 Procedure on Anti-Virus Protection [3]

Introduction

8.1 A virus is a piece of potentially malicious programming code that will cause some
unexpected or undesirable event. This could have security implications for the integrity,
confidentiality and availability of the Network and its data. Viruses can be transmitted in a
number of ways such as via e-mail or instant messaging attachments, downloadable Internet
files, diskettes, and CDs. Viruses are usually disguised as something else, and so their
presence is not always obvious to the computer user. A virus infection can be very costly to
the Trust in terms of data loss or breach, lost staff productivity, and/or lost reputation.

Policy Statement:

8.2 This procedure applies to all computers, servers and mobile devices such as laptops that
are connected to the SSA ICT Network via a standard network connection, wireless
connection, modem connection, or virtual private network connection. This includes
company-owned computers attached to the SSA ICT Network.

8.3 The definition of computers includes desktop workstations, laptop computers, handheld
computing devices, and servers. SSA ICT is committed to provide a computing network that
is virus-free.

8.4 All computers attached to the SSA ICT Network must have SSA ICT-approved,
vendor-supported anti-virus software installed. This software must be active, be scheduled to
perform virus checks at regular intervals, and have its virus definition files kept up to date.

8.5 Any activities with the intention to create and/or distribute malicious programs onto the
SSA ICT Network (e.g. viruses, worms, Trojan horses, e-mail bombs, etc.) are strictly
prohibited and will be subject to disciplinary action.

8.6 If an employee receives what they believe to be a virus, or suspects that a computer is
infected with a virus, it must be reported to the SSA ICT Helpdesk immediately on 0121 465
1111 or via help.desk@bpcssa.nhs.uk.

8.7 No employee should attempt to destroy or remove a virus, or any evidence of that virus,
without direction from the SSA ICT department.

8.8 Any virus-infected computer will be disconnected/removed from the Network until it is
verified by SSA ICT as virus-free.

SSA ICT Procedural Responsibilities

8.9 The following activities are the responsibility of SSA ICT:

8.9.1 SSA ICT is responsible for maintaining and updating the Anti-Virus procedure.
This procedure will be part of the Network Policy and may be subject to review and
updated on a continual basis.

8.9.2 SSA ICT will keep the anti-virus product up-to-date, currently via the use of a
4hr schedule with automatic ‘push out’ to systems’ applications.

[3] Anti-Virus Protection procedure developed by Iqbal Mahal, BPCSSA, IT Department.

8.9.3 SSA ICT will install anti-virus software on all SSA ICT-owned and installed
desktop workstations, laptops, and servers.

8.9.4 SSA ICT will take appropriate action to contain, remove, and assist in recovery
from virus infections. In order to do so, SSA ICT may be required to disconnect a
suspect computer from the network or disconnect an entire segment of the network.

8.9.5 SSA ICT will perform regular anti-virus sweeps of file and applications data.

8.9.6 SSA ICT will attempt to notify users of SSA systems of any credible virus
threats via e-mail, telephone messages and/or Intranet. Virus reports will not be
acted upon until validated by SSA ICT. Employees/users should not forward these or
any virus warning messages in order to keep network traffic to a minimum.

PCT Departmental and Individual Procedural Responsibilities

8.10 The following activities are the responsibility of NHS Trust departments and
employees:

8.10.1 Those departments with departmentally-managed computers e.g. Oaktree Lane,
Dental Hospital, must ensure that all such computers have up-to-date virus protection as
provided by the SSA ICT department.

8.10.2 All employees are responsible for taking reasonable measures to protect against
virus infection. Please follow this advice:

o Never copy, download, or install files from unknown, suspicious, or untrustworthy
sources or from non-SSA ICT removable media.
o Never open any files or macros attached to an e-mail from a known source (even a
co-worker) if you were not expecting a specific attachment from that source.
o Never open any files or macros attached to an e-mail from an unknown, suspicious,
or untrustworthy source.
o Always use SSA ICT-recommended Encrypted Memory sticks
o Be suspicious of e-mail messages containing links to unknown Web sites. It is
possible that the link is a malicious executable (.exe) file disguised as a link. Do not
click on a link sent to you if you were not expecting a specific link.

8.10.3 Employees must not attempt to either alter or disable anti-virus software installed
on any computer attached to the SSA network without the express consent of the IT
department.

8.10.4 Any employee who is found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.

9.0 Procedure on Encryption [4]

Introduction

9.1 SSA ICT have a duty to ensure that data held electronically is adequately protected from
loss and inappropriate access (deliberate or accidental). The Data Protection Act
1998 requires all personal data controllers/processors to ensure that appropriate policies and
procedures that ensure the efficient and safe storage of data are in place.

[4] Encryption procedure developed by Denis Cooper, SSA ICT Department.

Policy statement

9.2 Encryption is the process of converting information using an algorithm (a cipher) to render
the information unreadable to anyone except those possessing the decryption (decipher)
password or key.

9.3 To reduce the risk of unauthorised access, the Trust has established a comprehensive
procedure on data encryption which covers data stored on:

• Desktops, laptops, handheld computers
• Servers
• Hand held devices such as Blackberry
• Portable storage devices such as memory sticks
• Removable media such as floppy disks, DVD’s, CD’s and backup tapes

Encryption Standards

9.4 Good practice guidance from NHS Connecting for Health specifies encryption standards
and recommended device/data encryption software; SSA ICT adhere to this guidance and
are implementing encryption on all laptops and removable media.

9.5 All data stored on equipment leaving Trust premises (i.e. laptops, removable media) will
be encrypted using a minimum of AES 256bit encryption, as per Connecting for Health and
public sector standards. Software and systems to support this are being/will be in place.

9.6 To reduce risk of information security breaches and to ensure the confidentiality and
integrity of information the following guidance should be followed:

o Users must understand their responsibilities to protect data at all times;
o SSA ICT will ensure that users are supported in this by the use of encryption tools
and services to achieve this;
o The use of personal and non-Trust purchased equipment is strictly prohibited as it is
unlikely that the necessary safeguards are in place to protect Trust data in line with
national guidance and local security policies and standards;
o All data systems which cannot be encrypted will have physical (secure environment)
and electronic (user authentication) safeguards in place to prevent unauthorised
access and use

9.7 All laptops will be encrypted via full disk encryption software to ensure that all
programmes including the boot system on a laptop’s hard drive are protected.

9.8 Encrypted removable media only will be provided by SSA ICT and PCT ICT departments.
Any non-encrypted device is prohibited from use on any SSA ICT/PCT equipment.

9.9 For removable media such as writable CDs and DVDs however, encryption will be
applied by prompting the user for a password.

9.10 Desktop PCs will not be supplied with writeable CD or DVD drives.

9.11 SSA ICT plans to have all server storage tape backups encrypted using hardware
encryption, and is moving towards this from software encryption.

9.12 The above encryption measures mean that document-specific passwords will not be
used or required.

9.13 Currently the only approved handheld device is the Blackberry. These are encrypted by
default and the user is forced to set a password on the device. Any other handheld devices,
including Personal Digital Assistants (PDA) and Dictaphones etc. will need to be individually
approved and risk assessed by SSA ICT before being allowed access to the Network. If a
handheld device cannot be encrypted:

o It must not be used to store person identifiable data;
o It must not be connected to any other Trust system, whether by a physical
(cable) or wireless connection.

9.14 Where a device cannot be encrypted it should, if possible, be replaced. In a small
number of cases it is possible that a device used for clinical purposes may not be capable of
encryption but cannot readily be replaced. Where this is the case a detailed description of
the device and its application must be provided so that SSA ICT can assess the risk and
reach a decision on how to proceed.

9.15 Passwords & keys

9.15.1 In general, passwords or encryption keys will be the means to decrypt encrypted
content. Passwords must be kept confidential and not shared with any other person.

9.15.2 If a device will be used to share / transport information, i.e. a memory stick being
delivered to another organisation, the password must be sent separately and at different
times.

9.16 Responsibilities

o Staff and contractors who under this policy are permitted to use removable devices in
the performance of their duties must ensure that data is encrypted in accordance with
NHS Guidance.
o The Information Governance Manager and SSA ICT Service Manager are
responsible for ensuring the Trust has appropriate data encryption capabilities in
order to protect the data it holds.
o The SSA ICT Service Manager is responsible for assuring that the data encryption
functionality and procedures used by the PCT have been implemented correctly and
are of appropriate strength and fit for purpose.
o Line managers are responsible for the day to day management of their staff to
ensure that policies and procedures are being implemented appropriately.

9.17 Monitoring Compliance of removable media encryption

o Distribution and maintenance of encryption software will be managed by SSA ICT;
o Non-compliant devices e.g. unencrypted personal laptops and memory sticks, will be
detected and disabled without notice using software installed for this purpose;
o Regular monitoring checks will be undertaken to ensure compliance with the criteria
set out above;
o All incidents must be reported through the Trusts’ Incident Reporting systems;
o All problems related to encryption must be reported to the SSA ICT Helpdesk on 0121
465111 or via help.desk@bpcssa.nhs.uk

10.0 Guidance on Password Management

Introduction

10.1 Password controls enable the SSA ICT to protect and monitor systems against
unacceptable use; to prevent crime; protect confidential information and to ensure the
security of information contained within these systems. Refer to guidance from The
Computer Misuse Act 1990 (See Appendix 5).

10.2 Passwords are an essential first line of security for protecting systems from
unauthorised access and are most effective when they are hard to guess.

10.3 System Managers, Systems Administrators, ICT Staff, and Users are obliged to use
passwords in a responsible, secure and lawful manner. It is important that staff are aware of
the consequences and legal risks of password and computer misuse.

10.4 If any System Manager, Systems Administrator, ICT Staff or End User disregards the
rules set out in this procedure, they may be legally liable and may face prosecution and/or
disciplinary action depending upon the severity of the incident.

10.5 Users (whether contractor or staff) will be held liable and subject to disciplinary and/or
legal action if a computer on the SSA ICT network is used to hack into another computer.

10.6 If computer material is modified in any way that constitutes misuse of access i.e.
unauthorised modification, deletion, addition or replication of information the user will be held
responsible. Such actions may lead to a disciplinary and/or legal action.

Password Controlled Systems

10.7 All connection and access to the SSA ICT Network and other national NHS Systems are
controlled by a process of secure password management.

10.8 Following a User’s manager’s application to request access to the Network, the
Network Manager will ensure that only the folders/files relevant to their work role and
department will be made available to the User. Folder access will not be by password but by
the use of access controls’ software.

10.9 Access to the Network will be gained upon a User having an ID/Login name and
associated password.

Password Requirements

10.10 SSA ICT use minimum password standards, based on Department of Health
requirements, which mean that passwords must:

o NOT be proper names and have no connections to the user;
o be changed regularly and are not related to previous passwords;
o NOT be written down, are kept secret and not divulged to anyone, even SSA/PCT ICT
Staff;
o NOT be easily guessed, e.g. pets’ names, family member names, favourite
actor/actress or dictionary words (they should be a combination of letters, numbers
and special characters);
o NOT be shared with any other individual.

Effective password complexity can be achieved through a series of actions that prove
impossible for another to guess but remains memorable to the user; see Appendix 6.

10.11 The minimum password requirement for access to the SSA ICT Network is seven
characters that is an enforced mixture of both lower and uppercase letters with a min of one
character and one number. Special characters can also be used in replacement of a letter
i.e. $ £!*% as this will strengthen the password by increasing its complexity.

10.12 It is the responsibility of SSA ICT system administrators to ensure strong password
management, with access denied to a User unless the supplied password contains agreed
character mix.

10.13 Temporary passwords used before an enforced password change must also comply
with the password strength defined within this policy; see Appendix 6.

User Guidance for Password Controlled Accounts

10.14 This guidance aims to protect the account holder from any attempt by a third party
(work colleague, contractor, patient, member of the public) to use their account to modify or
reproduce material contained within the system. Unauthorised modification or replication
constitutes a criminal offence and may lead to legal proceedings or disciplinary action. (see
Appendix 5)

10.15 Account hijacking also constitutes a criminal offence. Therefore this guidance ensures
passwords (including those on smartcards) are restricted to use by a single member of staff
which limits risks of breaching information security. This is necessary for compliance with the
Data Protection Act 1998 and the Computer Misuse Act 1990.

10.15.1 Do’s

o If a member of staff suspects their username/login ID or password has
been compromised e.g. lost, used by another user, it should be reported immediately
to SSA ICT Helpdesk who can coordinate a response to re-establish security on the
account. The individual should also complete an incident form to document the
event. It is important the event is well documented and includes details of dates, time
and locations in case there has been any misuse on the account during that period.
o Always lock or logout of the computer (Ctrl-Alt-Del together or Windows key &
‘L’ together) when not in use and remove any smart card from the reader. Never leave
a computer you have logged into unattended. Staff are legally responsible for any
activity on their unlocked computer.
o Ensure all workstations are positioned away from unauthorised viewing (see Clear
Desk Policy).

10.15.2 Don’ts

o Do not record passwords in any form where the password could be compromised,
i.e. post it notes left under keyboards, scraps of paper, notes in drawers, filing
cabinets, diaries. Do not record passwords electronically i.e. in Outlook, Word or
Excel software as it is not secure.
o Do not program passwords into Function keys on the computer keyboard.
o Do not allow the computer to save User Name and password when prompted as this
is not secure; other Users can access that computer through a previous User’s log in
details.

Password Security

10.16 Any of the following breaches could lead to disciplinary or legal action:

o Attempting to use or using another person’s username and password;
o Attempting to ascertain another person’s password;
o Using another person’s username and password with their consent but without
correct authorisation;
o Giving their or anyone else’s username and password to a third party;
o Using software designed to ascertain passwords without prior written authorisation by
the SSA ICT Manager.

Resetting passwords

10.17 To reset Login IDs and passwords Users are advised to use Password Manager
software to reset their passwords (prompt box on log on screen). Password Manager allows
users to securely reset their passwords through a series of security questions. Registration
with password manager is compulsory for all Users on the SSA ICT network. Contact SSA
ICT Helpdesk on 0121 465 1111 for assistance.

Staff Leaving - Guidance for Line Managers

10.18 When a User leaves any of the SSA ICT-supported Trusts, their account should be
deactivated immediately, in line with the User Lifecycle Management Policy & Procedures.
Failure to do so increases the risk to information security integrity.

10.19 System managers or administrators should not record users’ passwords and should
not access accounts unless there is a valid reason i.e. business critical need. See Access to
H drives and Email Accounts: Guidance for Managers.

Auditing

10.20 System access logons (failed and successful) are recorded in the network event logs.
These logs are maintained for a period of time and failed attempts are noted and monitored.
These logs can be used to ascertain breaches in security and to determine the person
responsible.

10.21 SSA ICT will audit access to the network, internet and email systems. Connecting for
Health (CfH) systems will be monitored by the Information Governance departments through
the Enhanced Reporting System.

10.22 Any breach of patient or staff confidentiality will be escalated to the relevant Caldicott
Guardian.

10.23 All systems will have user auditing mechanisms in place to identify any information
and technical security breaches. Such breaches will be reported to Information Governance
via the Trusts’ incident logging system, who will decide on escalation depending upon the
severity of the security breach.

11.0 Physical and Environmental Security

11.1. Network computer equipment will be housed in a controlled and secure environment.

11.2. Critical or sensitive network equipment will be housed in secure areas with appropriate
security barriers and entry controls.

11.3. The Asset Owner is responsible for ensuring that door lock codes are changed
periodically if there is a risk of compromise of the code or if the code has been
compromised.

11.4. Critical or sensitive network equipment will be protected from power supply failures by
fitting uninterrupted power supply (UPS) apparatus.

11.5. Critical or sensitive network equipment will be protected by intruder alarms and fire
extinguisher systems.

11.6. Smoking, eating and drinking are forbidden in areas housing critical or sensitive network
equipment.

11.7. All visitors to secure network areas must be authorised or accompanied by an
appropriate member of the SSA ICT.

11.8. All visitors to secure network areas must be made aware of network security
requirements.

11.9. All visitors to secure network areas must be logged in and out. The log will contain
name, organisation, purpose of visit, date, and time in and out and this must be authorised
by an SSA ICT senior manager.

11.10. During projects, the project lead will ensure that all relevant staff are made aware of
procedures for visitors and that visitors are escorted, when necessary.

12.0 Access Control to Secure Network Areas

12.1. Entry to secure areas housing critical or sensitive network equipment will be restricted
to those whose job requires it. The Technical Services Manager will maintain and
periodically review a list of those with approved access.

12.2 The following security methods exist to prevent any unauthorised access to secure
network areas:

o Lockable cabinets
o Password controlled access
o Door passes
o CCTV
o Environmental checks

13.0 Access Control to the Network

13.1. Network access will only be provided to all new Trust employees following initial
induction.

13.2. There is a formal, documented user registration (by using the New User form) and
de-registration procedure for access to the network.

13.3. Access to the Network will be via a secure log-on procedure and Users must log-on
using the Ctrl Alt Del keys and have to agree to the Information Management and
Technology Policy by clicking ’OK’. This is followed by the use of an allocated user-name
and a complex password of a mixture of 7 characters with at least one capital letter, one digit
and one symbol as stated in section 10 on Password Management.

14.0 Third Party Access Control to the Network [5]

14.1 It is important to have robust procedures in place to ensure Third Party Access is
secure. This supports the overall security of the SSA ICT infrastructure and ensures control
and auditing of third party organisations accessing Birmingham East and North PCT and
SSA ICT systems.

14.2 For the purposes of this policy a Third Party Organisation can be:

o An NHS Trust not linked professionally to the PCT;
o A Third Party company providing remote support for end user applications;
o A Government body that needs access to SSA ICT systems i.e. Birmingham
City Council.

14.3 Third party access to the Network will be based on a formal contract that satisfies all
necessary NHS security conditions. See Appendix 3.

14.4 All third party access to the Network must be logged in the ‘remote access’ log which
maintains a record of the (administration) user.

14.5 Third parties must not use ad hoc connections to the Network on any site.

14.6 It is the responsibility of the Network Manager to authorise access to a third party to the
PCT Network.

14.7 All third parties requiring remote access to systems will agree to the legislation listed in
section 4.2.

14.8 Third parties will only be authorised and granted access rights to the servers and
applications they are supporting.

[5] Third Party Access Procedures prepared by Daniel Littley, BPCSSA ICT Department.

14.9 The authorised third party will not attempt to access other parts of the Network.
Attempting to do so will result in access being terminated and possible legal action.

14.10 Devices used by the third party to access the trust systems to provide support will
have up to date Anti-virus software installed and an operating system firewall enabled. In
addition all the latest security patches for the operating system must be used. See Section
7.

14.11 Third parties must use an encrypted method to Connecting for Health (CfH) standards
to gain access to the PCT network or a BTN3 connection. For procedure on Encryption see
Section 9.

14.12 All third parties must sign the BPCSSA Secure Remote Access Service - Third Party
Application Form. See Appendix 3.

14.13 It is the Network Manager’s responsibility to ensure a log is kept of when third parties
have accessed PCT systems.

14.14 Any incurred costs to gain access will be covered by the trust owner of the service, as
outlined in the Secure Remote Access Service – Third Party Application Form. Appendix 3.

14.15 Standard Operating Procedure

o Third party organisations when requiring access must e-mail
helpdesk@bpcssa.nhs.uk to request access to the system. The e-mail must also
include the reason and work to be completed while remotely connected.
o Third party must include a description of work to be completed in the e-mail to the
helpdesk.
o Third party must ensure they adhere to point 10.10 under this section.
o Once access has been authorised BPCSSA Technical Services team will enable the
user account used to login for the set period of time for the support company to
provide support.
o All third party access user accounts are always set to expire.

15.0 Remote Access to the Network

The objectives of the Network Security Policy and Procedures in relation to Remote Access
are as follows:

o To provide secure and resilient remote access to the Trust’s Network and information
systems;
o To maintain the security of organisational information processing facilities and
information assets, when accessed by third parties.
o To preserve the integrity, availability and confidentiality of the Trust’s information and
information systems;
o To manage the risk of serious financial loss, loss of stakeholder confidence or other
serious business impact which may result from a failure in security;
o To comply with all relevant regulatory and legislative requirements (including Data
Protection laws) and to ensure that the Trust is adequately protected under
Computer Misuse legislation.

o To comply with the Information Security Policy, the Acceptable Use (Email and
Internet) Policy, the Confidentiality and Data Protection Policy, and other related
policies.

15.1 Remote Access refers to any technology that enables you to connect users in
geographically dispersed locations. This access is typically over some kind of remote
connection, although it can include WAN connections.

15.2 All staff who are permitted to use equipment of the organisation at home or who may
use their personal computing resources to connect to networked services of the organisation
are subject to this policy.

15.3 This policy covers all types of remote access whether fixed or ‘roving’ including:

o Travelling Users (staff working across site, are temporarily based at other
locations or work in the community);
o Home Workers (IT Support, Corporate Managers, IT development staff,
Clinicians, etc.);
o Non NHS Staff (Social Services, Contractors and other Third Party
Organisations).

15.4 Remote access enables users to gain access to the PCT Network and other work
related services. Remote access must be authenticated using an approved
authentication method through a VPN token.

15.5 For advice on how to obtain remote access to the PCT Network and other work related
services, approval must be given from your line manager via the SSA ICT webform who will
then contact the SSA ICT department helpdesk as the first point of contact.

15.6 The SSA ICT Network Manager is responsible for the local definition of network,
infrastructure and PC information security requirements and for the supply and configuration
of all computing equipment provided by the organisation. This will include network
connectivity and support for approved services.

15.7 Where the proposed working arrangements involve the use of personal or shared
computing resources, it must be noted that the Information Governance risks of doing so
may outweigh any operational advantage.
For all scenarios, consideration of risks must be made and should take account of the
potential to:

o accidentally breach patient confidentiality;
o disclose other sensitive data of the organisation to unauthorised individuals;
o lose or damage critical business data;
o damage the organisation’s infrastructure and e-services through spread of
untrapped malicious code such as viruses;
o create a hacking opportunity through an unauthorised internet access point;
o misuse data through uncontrolled use of removable media such as digital memory
sticks and other media;
o cause other operational or reputational damage.

15.8 To ensure the most comprehensive level of protection possible, every network should
include security components that address the following:

User Identity

o All remote users must be authorised by the relevant organisation’s SSA ICT lead.
User identity will be confirmed by User ID and password authentication.
o The IT Service Provider (currently BT N3) must maintain a log of all attempted
authentications and must ensure a log is maintained of all remote access via the
firewalls.

Perimeter Security

o The IT Service Provider will be responsible for ensuring perimeter security devices
are in place and operating properly. Perimeter security solutions control access to
critical network applications, data, and services so that only legitimate users and
information can pass through the network.

Secure Connectivity

o The Trust will protect confidential information from eavesdropping or tampering
during transmission by the use of encryption.

Remote diagnostic services and 3rd parties

o Suppliers of central systems/software expect to have access to such systems on
request to investigate/fix faults. The Trust will permit such access subject to it being
initiated by the computer system and all activity being monitored.
o Each supplier requiring remote access will be required to commit to maintaining
confidentiality of data and information and only using qualified representatives. SSA
ICT can provide the appropriate agreement for this purpose.
o Each request for access will be authorised by the IT Service Provider, who will only
approve the connection when satisfied of the need. The connection will be physically
broken when the fault is fixed/supplier ends his session.

15.9 Remote Access - User Responsibilities

o Users should not store any personal identifiable information unless authorised to do
so by the Caldicott Guardian or Information Governance Manager;

o Users must never disclose their network user name, password or personal PIN
number to anyone or provide their VPN remote access login credentials to anyone,
including family members;

o Users should be vigilant when entering their personal PIN and password in a public
place;

o Users must treat the Remote Access system as though they were using trust
systems from their desktop. Users must be particularly careful when accessing
sensitive information in public places (e.g. a library) and in particular: -

- Not allow others to view screen contents
- Not download person identifiable/confidential/sensitive data to local
storage or removable media.

o Users should use an appropriate carry case when transporting the mobile computer;

o Users must not download software from the internet without authorisation;

o Users must not download illegal software or software obtained illegally;

o Users must not use unauthorised or unlicensed software;

o Users must not use personal computers, which do not belong to the NHS, for
processing and storing NHS information;

o Users must not allow the mobile computer or PDA to be used or accessed by
unauthorised individuals. This includes family members and friends.

o Users must not leave a mobile computer in a docking station overnight; either take it
with you or make sure it is locked away.

o When using a laptop in an open plan office, users must ensure they apply a
Kensington Lock (a security cable with a key code) which will physically keep the
laptop secure, if/when the user is away from his/her desk.

o Users must not leave a laptop visible in a car. When transporting a laptop in a car, it
should be kept in the boot.

o The SSA ICT Department is not responsible for the support of non-Trust ICT
equipment - e.g. PCs, Broadband routers, Broadband Telephone lines and can only
offer advice. The SSA ICT Help Desk will not be able to assist with any technical
issues relating to staff’s own, or another organisation’s equipment, network or
internet connections.

o Up to date anti-virus software and a personal firewall must be installed on all Host
PCs to allow full access to the system. The SSA ICT department does not supply AV
software for non-Trust purchased equipment.

o It is the user’s responsibility to ensure anti-virus and personal firewall software is
installed and up to date before accessing the service. Failure to do so will result in a
restricted service or no access at all; where a device does not meet SSA ICT
standards, access will be blocked.

16.0 External Network Connections

16.1. Ensure that all user connections to external networks and systems have agreed to the
Network and IT Security Policy and Procedures, the Information Security Policy, the ICT
Acceptable Use (Email and Internet) Policy and other related policies, (e.g. BTN3 and
Connecting for Health).

16.2. Ensure that all connections to external networks and systems conform to the NHS wide
Network and IT Security Policy, Code of Connection and supporting guidance.

16.3. The Network Manager and Technical Services Manager must approve all connections
to external networks and systems before they commence operation.

17.0 Mobile Computing Devices

17.1 Mobile computers are portable computers owned by the Trust ICT departments and
supplied for business use to an individual. Mobile computers are defined as laptops,
notebooks, palmtops, hand held computers, Blackberries, Personal Digital Assistants
(PDAs), memory sticks (pen drives), mobile phones capable of storing and processing
information and any ‘other’ portable device used for storing and processing information.

The following are examples of such devices:

o Handhelds running the Palm OS, Microsoft Windows CE, Pocket PC or Windows
Mobile, Symbian, or Mobile Linux operating systems.
o Mobile devices that are standalone (i.e. connectible using wired sync cables and/or
cradles.)
o Devices that have integrated wireless capability. This capability may include, but is
not limited to, Wi-Fi, Bluetooth, and IR.
o Smartphones that include PDA functionality.
o Any related components of [company name]’s technology infrastructure used to
provide connectivity to the above.
o Any third-party hardware, software, processes, or services used to provide
connectivity to the above.

17.2 Encryption of PDAs (refer also to section 9 on Encryption)

Under requirements introduced by the Department of Health all portable media must be
encrypted to NHS CfH standards.

All laptops purchased by the Trust must have Safeboot or other Trust approved full disk
encryption software applied as standard. The Trust has introduced a standard secure USB
memory stick for use on Trust PCs and laptops. This device is available via the SSA ICT
ordering form on the Trust Intranet. These sticks are issued with guidance but essentially
they will allow staff to transfer (not store) information. Confidential and/or sensitive person
identifiable or business sensitive information must not be stored or transferred on removable
media devices of any type.

No USB Memory Sticks other than the BENPCT standard secure memory stick can be
used with BENPCT IT equipment.

17.3 Registration

All employees requiring the use of PDAs for business purposes must go through an
application process that clearly outlines why the access is required and what level of service
the employee needs should his/her application be accepted. Application forms must be
approved and signed by the employee’s line manager, supervisor, or department head
before submission to the SSA ICT department. See Appendix 8.

17.4 All remote users must be registered and authorised by the SSA ICT Network Manager.
User identity will be confirmed by strong authentication and User ID and password
authentication. The Trust’s Network Manager is responsible for ensuring a log is kept of all
users requiring remote access.

17.5 User Responsibilities

o Hand in all mobile computers or PDAs when requested or when no longer needed
and ensure this is logged with the SSA ICT department’s Asset Register.

o Hand in all mobile computers or PDAs when you cease to be employed by the Trust
and ensure this is logged with the SSA ICT department’s Asset Register.

17.6 Loss/Theft of ICT Property.

Report any loss or theft immediately to the SSA ICT and IG departments using the
Trust’s Incident Reporting process.

o Loss/theft of VPN Token

- VPN token has the 6 digit code that enables logon to your laptop remotely. If you
lose this token you must inform the SSA ICT Helpdesk immediately so your VPN
token can be disabled.

- End users must memorise their PIN code (four digit code that is something you
know). End users must not under any circumstances keep the four digit code with
the laptop or VPN token.

o Risk of ‘data leakage’ from the Trust.

Users of the system should not download and save any person identifiable, sensitive, or
confidential information to any local drive of ANY PC/laptop or non-encrypted removable
media device. Person-identifiable, confidential or sensitive data should not be saved on any
non-Trust device. Any non-sensitive documents can be saved to a local hard drive for the
purposes of modification and then saved back to a secure Trust drive.

o Risk of virus infection.

The Remote Access system is configured so that it does not accept connections from PCs
without up-to-date anti-virus software installed. You may therefore be unable to use the
system if the PC you are using does not have an approved and up-to-date anti-virus product
installed. There can be no exceptions to this rule, as one unprotected PC gaining access to
the network could put the whole Trust at risk of virus infection.

o Risk of Unauthorised Access.

Any staff member accessing the network via remote access does so on the condition that
they do not share their login with another individual. It is a disciplinary offence to allow
someone else to use your login.

The sharing of VPN tokens is also forbidden as access could be given to person-identifiable,
confidential and sensitive data to unauthorised personnel.

18.0 Maintenance Contracts

The Network Manager will ensure that maintenance contracts are maintained and
periodically reviewed for all network equipment. All contract details will constitute part of all
PCTs Information Department's Asset registers.

19.0 Data and Software Exchange

19.1 Formal agreements for the exchange of data and software between organisations must
be established and approved by the Technical Services Manager and the Information
Governance Manager. Please refer to the Information Sharing Protocol.

20.0 Fault Logging

20.1 The Network Manager is responsible for ensuring that a log of all faults on the network
is maintained and reviewed. A written procedure to report faults and review
countermeasures will be produced. These are:

o Maintaining a log
o Root Cause Analysis

21.0 Network Operating Procedures

21.1. Documented operating procedures should be prepared for the operation of the network
to ensure its correct technological operation.

21.2. Changes to operating procedures must be authorised by the Director of SSA ICT.

22.0 Data Backup and Restoration

22.1. The Network Manager is responsible for ensuring that backup copies of Network
configuration data are taken regularly.

22.2. Documented procedures for the backup process, backup location for configuration
network files, and storage of encrypted backup tapes are the responsibility of the person who
is responsible for the backups.

23.0 User Responsibilities, Awareness & Training

23.1. The Trust will ensure that all users of the Network are provided with the necessary
security guidance, awareness and where appropriate training to discharge their security
responsibilities.

23.2. All users of the Network must be made aware of the contents and implications of the
Network and IT Security Policy and Procedures.

23.3. Irresponsible or improper actions by users may result in disciplinary action(s).

23.4. Users on all sites must ensure that spare network points in work areas are not used by
non-authorised third parties or visitors without prior agreement from NHS BEN.

23.5 All personnel or agents acting for the organisation have a duty to:

o Safeguard hardware, software and information in their care.
o Prevent the introduction of malicious software on the organisation's IT
systems.
o Report on any suspected or actual breaches in security.

24.0 Change Control

24.1 All significant changes to the main Network need to be assessed for their impact on
information security as part of the standard risk assessment.

24.2 The Technical Services Manager may require checks on, or an assessment of the
actual implementation of any change based on the proposed changes. As part of
acceptance testing of any new network system, the Technical Services Manager will arrange
for adequate security vulnerability assessments to take place and will co-ordinate the
production of documentation which baselines the accepted technical IT security standards
for that system.

24.3 All changes to the N3 COIN must be approved by the Change Board and will be
processed by BTN3 according to their change management processes. The firewall will be
managed by BTN3 in the same way.

25.0 Incident Management

25.1 All security incidents and weaknesses are to be reported to the risk management
function within the Trust using the Trust Incident form and reporting process. This will then
be cascaded to the appropriate department for resolution. All security incidents will be
investigated to establish their cause, operational impact, and business outcome (see
relevant Risk and Incident Management Trust policies in References).

26.0 Business Continuity and Disaster Recovery Plans

26.1 The B & S N3 COIN has in-built resilience as each site has 2 network connections
(primary and backup). The firewalls also operate in a resilient manner with multiple devices
in the Birmingham BT site and a further firewall in the Wolverhampton backup site. The SSA
ICT Business Continuity and Disaster Recovery Plans provide further detail on the
processes and procedures to be followed in the event of a problem with the COIN or other
parts of the IT infrastructure.

27.0 Audit

27.1 A regular audit of information and technical security arrangements should be carried out
to provide an independent appraisal and recommend security improvements where
necessary. The following SSA ICT products are used as auditing tools:

o Quest Change Auditor
o CISCO LAN engines

To fulfil the Connecting for Health IG Toolkit requirements, it will be necessary to have
regular security risk reviews and assurance reports. [6]

28.0 Accreditation of Network Systems

28.1 The Trust will ensure that all network systems and components are properly licensed
and approved by the SSA ICT Department.

28.2 All networks will be approved by the Network Manager and Technical Services
Manager before they commence operation. The Network Manager and Technical Services
Manager are responsible for ensuring that the Network does not pose an unacceptable risk
to the organisation.

29.0 Policy Compliance

29.1 If any user is found to have breached this policy, they may be subject to NHS
Birmingham East and North’s Disciplinary procedures. If a criminal offence is considered to
have been committed further action may be taken to assist in the prosecution of the
offender(s).
If you do not understand the implications of this policy or how it may apply to you, seek
advice from the Information Governance Manager.

30.0 Review and Revision

30.1 This policy will be reviewed as it is deemed appropriate, but no less frequently than
every 12 months.

31.0 References

The following NHS Birmingham East and North policy documents are directly relevant to this
policy and should be read in conjunction with this policy. Copies of these can be found on
the PCT Intranet:

o Information Security Policy
o Records Management Policy
o Information Governance Policy
o Information Governance Strategy
o Information Risk Management Policy
o Safe Haven Policy and Procedures
o Information Life Cycle and Records Management Framework
o Risk Management Policy and Strategy
o ICT Acceptable Use (Email & Internet) Policy
o Confidentiality and Data Protection Policy
o Disciplinary Policy and Procedure
o Guideline for Sentinel Incident Reporting
o Managing Risk Procedure
o Serious Untoward Incidents Policy and Procedure
o Disposal and Destruction of ICT Hardware Policy (pending)

[6] To attain Level 3 for the 8-313 requirement, evidence of compliance with this policy will be through
spot checks, monitoring software, technical and non-technical audits, penetration testing and checks
of system documentation and functionality.
Source: www.connectingforhealth.nhs.uk/igtrainingtool

This policy is based upon the following pieces of legislation:

o Copyright, Designs & Patents Act 1988
o Access to Health Records Act 1990
o Computer Misuse Act 1990
o The Data Protection Act 1998
o The Human Rights Act 1998
o Electronic Communications Act 2000
o Regulation of Investigatory Powers Act 2000
o Freedom of Information Act 2000

Professional Standards

o BS ISO/IEC 27002:2005, controls 10.6 – Network Security Management
o BS ISO/IEC 27002:2005, controls 10.1.1 – 4, 10.3, 12.1 Communication and
Operations Management (Procedures)
o ITSEC Assurance

NHS Standards:

o DH: Information Security Management NHS Code of Practice 2007
o DH: NHS Confidentiality Code of Practice 2003
o The Caldicott Principles
o Informatics Planning 2010/2011

APPENDIX 1 – Birmingham and Solihull COIN Diagram

Appendix 2 – IG Toolkit requirements and definitions

8-313: ‘Policy and procedures are in place to ensure that Information Communication Technology
(ICT) networks operate securely.’

This requirement is to ensure there is appropriate protection for information communicated over
local networks and for the protection of the supporting infrastructure (including wireless networks).

8-314: ‘Policy and procedures ensure that mobile computing and teleworking are secure’

8-323: ‘All information assets that hold, or are, personal data are protected by appropriate
organisational and technical measures’

NHS networks are referred to in section 7 of this requirement.

‘The security of NHS websites has a particular importance and visibility given the intended access to and use of
these assets via the internet and/or the NHS network (N3). When assessing the security protection needs of an
NHS website it is important that the risks to the website, including potential impacts to the organisation, its
patients and other business disruptions are considered. Such risks can include the effects of hacking,
defacement, content alteration and denial of service.

It is essential therefore that appropriate steps are taken to manage these risks and assure the website asset,
irrespective of whether the website is designed, implemented and managed locally or delivered and maintained
under agreement or contract by another party. All NHS organisations that possess or that are planning for
websites must therefore have clearly defined procedures for the secure operation of each website, including
procedures for their configuration patch and content management, business continuity and for dealing with
incidents should they occur. In addition, organisations must take appropriate steps to ensure that the web
server is not exposed to known vulnerabilities, e.g. by ensuring a regular health check review and penetration
test is made by a qualified tester. Records of tests should be made and improvement plans determined where
necessary.’

Definitions:

NHS network (N3) – ‘The new NHS Network is the high speed private broadband computer network
used by the NHS and its partners.’

Denial of Service – ‘Result of any action or series of actions that prevents any part of an information system
from functioning.’

Penetration Test – ‘A penetration test is a method of evaluating the security of a computer system or network
by simulating an attack from a malicious source.’

Source: www.connectingforhealth.nhs.uk/igtrainingtool

Appendix 3

Secure Remote Access Service (SRAS)


Third Party (Supplier) Application Form
This form should be completed by:

• Staff in a third party organisation (supplier) requiring to connect remotely to the NHS
Birmingham and Solihull COIN Infrastructure to provide system support.

• A Birmingham or Solihull system owner needing to sponsor a Third Party N3 connection to
gain access for remote support.

Please note:

• The system owner will be charged if new or additional VPN Token(s) are required for the
third party supplier.

• The system owner is responsible for liaising with the NHS Birmingham and Solihull Service
Desk and the Third Party to ensure remote access requirements are clearly defined and to
ensure appropriate system access controls are implemented during SRAS provision.

• All details including approvals must be completed before sending to the ICT Service Desk

For assistance completing, please contact the Birmingham and Solihull COIN Support Desk
on 0121 465 1111 or email: Helpdesk@bpcssa.nhs.uk

1. Third Party (Supplier) User Details (Details required relate to an individual user of SRAS)

Full Name:                          Title:

Company Name:                       Job Title:

Contact No:                         Email:

Details & Reasons for requiring SRAS:

Network Information (IP address, firewall ports, VPN type, hardware used, etc.):

Third Party Agreement to Conditions of Acceptance

I agree to conform to the following policies:

• Network Security Policy

• Information Security Policy

• ICT Acceptable Usage (Email and Internet) Policy

• I will ensure that any known security-related patches are applied to SRAS connected devices.

• I accept that the service may be withdrawn without notice if a breach of security is
suspected

• I accept that system monitoring will occur for the purposes of maintenance and operation of
SRAS.

• I accept that upon leaving the third party employment, all VPN Tokens will be returned to
the System Owner, if applicable

• If a VPN token is damaged or lost, I will report this immediately to the System Owner and
accept there may be a replacement charge (doesn’t apply to N3 third Party end users).

Cost of Service

If you are using VPN via Trust VPN tokens the cost will be you agree to this cost by signing
the below and this cost go to the Trust Sponsor.

As shown in the table below, there will be an initial token cost and thereafter an
annual maintenance fee payable.

             Initial Cost    Recurring Revenue Yr 2
VPN Token    £240            £240 pa

To be signed by Third Party System Supplier Manager

Name: ………………………………………………………

Signed: ………………………….………………………….. Date: ……………………..

THE FOLLOWING SECTION TO BE COMPLETED BY TRUST SPONSOR

Full Name:                          Title:

Directorate:                        Tel No:

Signature:

The completed form should be returned to: helpdesk@BPCSSA.nhs.uk or FAX: 0121 465 1112
Please mark in the subject: For the attention of the Network Team THIRD PARTY REQUEST FORM

Appendix 4: SSA ICT Departmental Structure

Appendix 5 : Computer Misuse Act 1990 – Guidance

Unauthorised Access to Computer Systems

Description: It is illegal to gain access to a computer system and access computer materials
without authorisation. This is an offence even if no damage is done, and no files are
deleted or changed.
Example: Guessing or finding someone’s password to gain access to a computer system.
Gaining access to a computer system without authorisation.
Consequence: This offence carries a penalty of imprisonment up to six months and/or a fine.

Unauthorised access with intent to commit or facilitate commission of further offences

Description: This is one stage further than the previous offence. The key difference is
‘intent to commit...further offences’
Example: Guessing or stealing a password, and using that to access a computer, with the
intent to deliberately modify or delete files.
Consequence: This offence carries a penalty of up to five years’ imprisonment and/or a fine.

Unauthorised modification of computer material

Description: This is the act of deliberately damaging computer material. This is an offence
even if the offender has authorised access to the computer system. The key here is
‘intent to cause malicious damage to computer material’
Example: Deleting files without authorisation. Introducing viruses with the intent to impair
the operation of a computer. Using a computer to damage other computers outside the
organisation. This is an offence even if the computer used to do this is itself not
modified in any way.
Consequence: This offence carries a penalty of up to five years’ imprisonment and/or a fine.

Appendix 6 - Examples of good and bad passwords

Bad passwords

today: This is just a dictionary word that is easily discovered with hacking software.
It is also only five characters long. Passwords should be at least six characters long.

t1d2y: Here the digits 1 and 2 have been substituted for the vowels of the dictionary
word “today”. Again, hacking software is designed to look for this type of substitution.

today1: Here there is some attempt to mix letters and numbers. However, adding a
number on to the end of a dictionary word poses little problem to hackers.

Good passwords
t1o9d6a4y or t”o(d^a$y: Here the word (today) has been used and digits or special
characters have been included between each letter. The length of the password
also makes it difficult to guess or crack electronically.

1t9o6d4ay or ”t(o^d$ay: This is even more secure than the previous example since
the password begins with a digit or character.

Source: https://nww.igt.connectingforhealth.nhs.uk
DH, IG – User Guide to Passwords

Appendix 7 – Glossary for Patch Management

Patches: typically released to protect against known exploits in operating system or
application code or to address functionality issues or a new vulnerability.
Vulnerabilities: weaknesses in software that can be exploited by an entity to gain
elevated privileges that it is not authorised to have on a computer or system. Not all
vulnerabilities have related patches. These situations require workarounds to attempt to
mitigate “un-patched” vulnerabilities.
Threats: A circumstance, event or person with the potential to cause harm to a system
in the form of destruction, disclosure, data modification, and/or Denial of Service (DoS).
Malware: Malicious software designed to secretly access a computer system without
the owner’s consent.
Spyware: a type of Malware which collects small pieces of information about users
without their knowledge.

Appendix 8: SSA ICT Authorisation for Use of Removable Media Devices Form

Authorisation for Use of Removable Media Devices Form (NHS BENPCT/BCHC/HOBtPCT/SOUTHPCT)

USER DETAILS

Name:
Job Title:
Assignment Number:
Base/Location:
Contact Number:

REMOVABLE MEDIA DEVICE (tick box)

Blackberry
VPN remote access token
USB encrypted memory device
Personal Digital Assistant
External Hard Drive
Zip/DAT Drive
Memory Card

If the removable device you require is not listed, please contact the ICT Department on
0121 465 1111 for advice.

Please state what the removable media will be used for:-

NOTE: Removable Media Devices should not be used for storing or transferring any
confidential or sensitive person identifiable or business sensitive information. If any user
breaches the BPCSSA Network and IT Security Policy and Procedures he/she may be
subject to NHS Birmingham East and North’s disciplinary procedures. If any criminal offence
is considered to have been committed further action may be taken to assist in the
prosecution of the offender(s).
If you do not understand the implications of this policy or how it may apply to you, seek
advice from the Information Governance Manager.
By signing this form you will have read, and agree to adhere to the BPCSSA Network
and IT Security Policy and Procedures.

Name: (please print) Signature:
Department: Date:

Line Manager Authorisation:

I authorise the above-named staff member to have use of the listed Removable Media
Device for the specified use. I confirm that I understand my responsibility for the day to day
management and oversight of this device in accordance with the permitted use as listed in
the Network and IT Security Policy and Procedures.

Name: ……………………………….(please print)


Signature: …………………………………………… Date: ………............................

Office Use:
Asset Tag:                          Issued by:
Issued for:                         Date of Issue:
