Information Security Policy · HBL ICT Shared Service Information Security Policy Approved 1 Oct 2018


Hertfordshire, Bedfordshire and Luton ICT Shared Services is hosted by NHS East & North Hertfordshire CCG

Information Security Policy

Document Control

Document Owner: Alex McLaren
Approved by: Phil Turnock
Document Author(s): Keith Fairbrother, Metaish Parmar, Alex McLaren
Date of Approval: 1/10/2018
Version: 11.1.1
Date for Review: 30/9/2019


HBL ICT Shared Service

Information Security Policy Approved 1 Oct 2018.docx Uncontrolled if Printed Template 1.0

Page 2 of 30

Version Control

Version | Status | Commentary | Date | Author
Draft | Initial Draft | | 09/2007 | J Hepburn
1.0 | Live | | 10/2007 | J Hepburn
2.0 | V2 | Review | 04/2010 | J Hepburn
3.0 | V3 Live | Amendments | 05/2010 | C Goodey
5.1 | V5.1 Live | Amendments | 02/2012 | M Wallis
5.2 | V5.2 Live | Amendments | 03/2012 | M Wallis
6.0 | V6.0 Live | Amendments | 05/2013 | M Wallis
7.0 | V7.0 Live | Amendments | 07/2013 | M Wallis / K Fairbrother
8.0 | V8.0 Draft | Amendments | 07/2014 | L Harris / K Fairbrother
8.0 | V8.0 Live | Amendments | 07/2014 | E Robson
8.1 | V8.1 Draft | Organisational Change/Formatting | 10/2014 | K Fairbrother
8.1 | V8.1 Live | HBL ICT SMT Approval | 11/2014 | HBL ICT SMT
8.2 | V8.2 Live | HBL ICT SMT Approval. Format change. | 10/2015 | HBL ICT SMT
8.2.1 | Draft | Moved to new format, ready for annual review | 8/2016 | A McLaren
8.2.2 | Draft | Updates from SMT, Linda Whiteley; ready for Review by Partners. Amend Trust for Partner. Amend Job Titles, Meeting titles, Clinical Safety | 8/2016 | A McLaren
9.0 | Live | Distribution core Policy to Partners | 9/2016 | A McLaren
9.1 | Live | Update to 6.3 to clarify change of Factory set passwords; remove section 11 as detailed in imp. Plan | 12/2016 | A McLaren
9.2 | Live | Update section 7.2.3 CSA Policy | 21/04/2017 | M Parmar
9.2.1 | Draft | Annual update, inclusion of GDPR elements. Significant changes: inclusion of DPO, IAO, SRO, TA, CISO; update to Personal Information, Software, Data classification. Other: Job Role titles existing; streamline removal of duplicate paragraphs. No change to policy (BYOD) from NHSMail2 as this is already in place, ie no change | 31/10/2017 | A McLaren
10.0.0 | Live | Approved by SMT | 22/11/2017 | A McLaren
10.0.1 | Draft | Reference - Addition of associated papers NIS, DSPT, 10 Data Security Standards. 6.4.2 - Password standards update; 7.1, 7.2.1, 7.2.3 updated | 17/08/2018 | M Parmar
10.0.2 | Draft | 4.12, 4.8 Role Titles Architect, IT Security Manager. Purpose and Scope - Remove duplicate paragraph Legal Framework. 7.1, 7.2.1, 7.2.3 update following move to NHSMail, separating Email to Internet | 17/08/2018 | A McLaren
11.0.0 | Live | Confirmed by SMT | 24/9/2018 | A McLaren
11.1.0 | Live | Amend to Appendix: SIRO for HPFT is Director of Innovation and Transformation. Confirmed by P Turnock | 1/10/2018 | A McLaren
11.1.1 | Draft | Update for ENHCCG IG Forum. Amends: Legislation update DPA 2018; NIS acronym; 6.5.5 addition re CareCERT. Removal of Distribution as covered within Dissemination; 6.12 clarification of Information Assets where Information Asset Owner is HBL ICT; 6.2.3 providing updates to CSA for movers, joiners, leavers promptly to HBL ICT to ensure access is accurate | 16/11/2018 | A McLaren

Implementation Plan

Development and Consultation: IG within Partner organisations

Hertfordshire, Bedfordshire and Luton ICT Shared Services (HBL ICT) is committed to the fair treatment of all, regardless of age, colour, disability, ethnicity, gender, gender reassignment, nationality, race, religion or belief, responsibility for dependents, sexual orientation, trade union membership or non-membership, working patterns or any other personal characteristic. This policy / procedure will be implemented consistently regardless of any such factors and all will be treated with dignity and respect. To this end, an equality impact assessment has been completed on this policy.

Dissemination: Staff can access this policy via the Intranet and will be notified of new/revised versions via the staff briefing.

This policy will be included in the CCG's Publication Scheme in compliance with the Freedom of Information Act (FOI) 2000.

This document is issued to the Partners for authorisation, local amends and dissemination.

Training: All staff members are required to carry out the mandatory IG training through the online NHS Information and Governance Training Tool.

Monitoring: 3rd Party Audit, IG Toolkit, spot check

Review: The policy will be reviewed annually.

Equality, Diversity and Privacy: The PIA and EIA are completed separately.


References

External: Legislation, Guidance and Standards

Statutory Frameworks (see section 3.4)

UK and EU legislation, including:
Data Protection Act (2018) and GDPR
Freedom of Information Act (2000)
Human Rights Act (1998)
Bribery Act 2010
The Computer Misuse Act 1990
Regulation of Investigatory Powers Act (2000)
Copyright, Designs and Patents Act (1988)
Health and Social Care Act 2012
Caldicott 2 Review
Care Act 2014
NIS

Department of Health and NHS Regulations and Guidance, including:
Guide to Confidentiality in Health and Social Care
NHS IM&T Security Manual
NHS Information Governance Standards
NHS Statement of Compliance
HSCIC_Data_Destruction_Standard_v3.2
Destruction and Disposal of Sensitive Data - Good Practice Guidelines
DSPT
10 Data Security Standards
Standards for Information Security Management ISO27001 and ISO27002
SCCI 0129 & SCCI 0160

Policies and procedures including:
Policies, procedure and guidance on the management of patient/client records
Gartner Toolkit: Software Asset Management Policy Template Feb 15
NHS Digital Information Security Example Policy v1.0

Internal: Related Documentation
Management of Records Policy and Procedure
Standing Financial Instructions
Data Quality Policy
Acceptable Use Policy
Information Governance Framework
Mobile Devices Security Policy
Incident Policy
Confidentiality Policy
Data Centre and Policy Procedures doc
Guidance on Portable Computers
Disposal of Assets Policy
Records Policy
Non-Standard Equipment Standards
Risk Management Policy
RA Policy

Enclosures: none


Contents

1 Executive Summary .......... 11
2 Introduction .......... 11
3 Purpose and Scope .......... 12
3.1 Purpose .......... 12
3.2 Scope .......... 12
3.3 Local Variation .......... 12
4 Information and Data .......... 12
4.1 Ownership of Data / Data Controller .......... 12
4.2 Processing of Data / Data Processor .......... 13
4.3 Personal Information .......... 13
4.4 Chief Executive (CEO)/Managing Director (MD) - or equivalent .......... 13
4.5 Caldicott Guardian .......... 13
4.6 Senior Information Risk Owner (SIRO) .......... 13
4.7 Line Managers .......... 13
4.8 IM&T Security Adviser Role .......... 14
4.9 Data Protection Officer .......... 14
4.10 Information Asset Owners .......... 15
4.11 Senior Responsible Owners .......... 15
4.12 Solutions Architect .......... 15
5 Responsibility of all Staff .......... 15
5.1 General Responsibility .......... 15
5.2 Paper Records .......... 16
5.2.1 Paper Waste Disposal .......... 16
5.3 Information Systems and Equipment .......... 16
5.4 Mobile Devices .......... 16
5.5 Access to Information Systems .......... 17
5.6 Data Accuracy .......... 17
5.7 Processing Information and Data .......... 17
5.8 Portable Storage Devices - Electronic Media .......... 17
6 Management and Control of Information Assets .......... 18
6.1 Control of Assets .......... 18
6.1.1 Ownership of Assets .......... 18
6.1.2 Asset Registers .......... 18
6.1.3 Procurement of Assets .......... 18
6.1.4 Disposal of Assets .......... 18
6.1.5 Media Disposal .......... 19
6.2 Access Control .......... 19
6.2.1 Physical Access Controls .......... 19
6.2.2 Logical Access Controls .......... 19
6.2.3 Computer System Access Controls .......... 19
6.3 Use of Information Assets .......... 20
6.3.1 Installation and Siting of Equipment .......... 20
6.3.2 Limitations on Use .......... 20
6.3.3 Data Security .......... 20
6.3.4 Security of Equipment Off-Premises .......... 20
6.3.5 Security of Hard Disks .......... 21
6.4 Passwords .......... 21
6.4.1 Password Protection .......... 21
6.4.2 Password Standards .......... 21
6.5 Business Continuity .......... 22
6.5.1 Physical Security .......... 22
6.5.2 Remote Access to the Organisation’s Services .......... 22
6.5.3 Remote Access to the Organisation’s Services by Staff .......... 22
6.5.4 Remote Access to the Organisation’s Services by Suppliers .......... 23
6.5.5 Business Continuity Planning .......... 23
6.6 Databases and Application Systems .......... 23
6.6.1 Authorised Databases and Systems .......... 23
6.6.2 Acquisition of Application Systems .......... 23
6.6.3 System Acceptance .......... 24
6.6.4 Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA) .......... 24
6.6.5 Clinical Safety .......... 24
6.7 Software Protection .......... 25
6.7.1 Licensed Software .......... 25
6.7.2 Software Standards .......... 25
6.7.3 Virus Control .......... 25
7 Electronic Mail and Internet Access .......... 26
7.1 Purpose and Ownership .......... 26
7.2 Access and Disclosure of Electronic Communications .......... 26
7.2.1 Monitoring Usage .......... 26
7.2.2 Inspection and Disclosure of Communications .......... 26
7.2.3 Monitoring and Disclosure Procedures .......... 27
8 Security Incident Management .......... 27
8.1 Personal Data Breach .......... 27
8.2 Security Incidents .......... 27
8.2.1 Logging Security Incidents .......... 27
9 Disciplinary Action .......... 28
Appendix A. Organisational SIROs .......... 29
Appendix B. Comment Form .......... 30


Terms and Acronyms

ICT: Information and Communications Technology
IM&T: Information Management and Technology
IP: Internet Protocol
PIA / DPIA: Privacy Impact Assessment / Data Protection Impact Assessment (term for PIA within GDPR)
SIRO: Senior Information Risk Owner
UPS: Uninterruptable Power Supply
VPN: Virtual Private Network

Data Owner / Data Processor:

Under DPA, the following terms are identified in Section 1.1:

“data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

“data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

“processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—
a) organisation, adaptation or alteration of the information or data,
b) retrieval, consultation or use of the information or data,
c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
d) alignment, combination, blocking, erasure or destruction of the information or data.

The ICO states that “The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.”

CSA: Computer System Access
DPO: Data Protection Officer

EUD: End User Devices. The EUD programme anticipates that any OFFICIAL information (including information handled with the OFFICIAL-SENSITIVE caveat) can be managed on a single device that conforms to the security principles defined in the End User Device Strategy: Security Framework and Controls (March 2013). Note that the assurance required (including compliance with relevant legislation such as the Freedom of Information Act (FoI) and DPA) means that EUDs will normally be owned, managed and controlled by the organisation. Any stated residual risks must be managed in line with local risk appetites. (Taken from Government Security Classification v1.0 Oct 2013.) The NHSMail2 solution is accredited to government Official status for sharing patient identifiable and sensitive information, meaning it meets a set of information security controls that offer an appropriate level of protection against loss or inappropriate access.

HBL ICT: Hertfordshire, Bedfordshire and Luton ICT Shared Services

Personal Data and Sensitive Personal Data – under GDPR:

Personal data

Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9). These categories are broadly the same as those in the DPA, but there are some minor changes.

For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).

Personal Data and Sensitive Personal Data – under DPA:

Personal data means data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data means personal data consisting of information as to –
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Patient Confidential Data: A patient’s personal information given or received in confidence for one purpose. This may not be used for a different purpose or passed to anyone else without the consent of the provider of the information.

ICT Department: For the purposes of this document, the term ICT Department refers to HBL ICT.

DSPT: Data Security and Protection Toolkit. This is the replacement IG Toolkit within NHS Digital.

NIS: Network and Information Systems EU Directive, which came into force on 10th May 2018. All organisations deemed to be Operators of Essential Services are in scope. Network and information systems and the essential services they support play a vital role in society, from ensuring the supply of electricity and water, to the provision of healthcare and passenger and freight transport. Their reliability and security are essential to everyday activities.


1 Executive Summary

The Information Security Policy sets out the commitment of the organisation to preserve the confidentiality, integrity and availability of the information and information systems and to ensure the information and systems are effectively and lawfully managed.

The Policy aims to ensure that:

- The organisation’s information, its information systems and the supporting infrastructure are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;
- The information contained in or processed by these systems is kept secure;
- Confidentiality, integrity and availability are maintained at all times;
- Staff are aware of their responsibilities and adhere to the provisions of the policy;
- Procedures are in place to detect and resolve security breaches and to prevent a recurrence.

This policy applies to:

- All information and information storage, whether manual or electronic, information processing systems and networks used by the organisation;
- All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business;
- Any other persons granted access to the organisation’s information, systems and networks;
- All locations, all information, information systems, computer equipment and networks.

Application of the policy will assist in the organisation’s compliance with information related legislation, NHS standards and Information Governance Standards.

2 Introduction

The organisation works to a framework for handling personal information in a confidential and secure manner to meet ethical and quality standards. This enables National Health Service organisations in England and individuals working within them to ensure personal information is dealt with legally, securely, effectively and efficiently to deliver the best possible care to patients and clients.

The organisation, via the Information Governance Toolkit (DSPT), provides the means by which the NHS can assess our compliance with current legislation, Government and National guidance.

Information Governance covers: Data Protection and IT Security (including smart cards), Human Rights Act, Caldicott Principles, Common Law Duty of Confidentiality, Freedom of Information Regulations, Information Quality Assurance and Fraud and Bribery Policy.


3 Purpose and Scope

3.1 Purpose

The Information Security Policy sets out the commitment of the organisation to preserving the confidentiality, integrity and availability of information and information systems and to ensure the information and information systems are effectively and lawfully managed.

The Policy aims to ensure that:

- The organisation’s information, its information systems and the supporting infrastructure are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;
- The information contained in or processed by these systems is kept secure;
- Confidentiality, integrity and availability are maintained at all times;
- Staff are aware of their responsibilities and adhere to the provisions of the policy;
- Procedures are in place to detect and resolve security breaches and to prevent a recurrence.

3.2 Scope

This policy applies to:

- All information and information storage, whether manual or electronic, information processing systems and networks used by the organisation;
- All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business;
- Any other persons granted access to the organisation’s information, systems and networks;
- All locations and all information, information systems, computer equipment or network used by staff.

3.3 Local Variation

Variation to some parts of the policy may be allowed where local conditions do not permit full implementation. Applications for such variation must be made to the Head of Technical Services and must be approved by the ICT Department’s Director or Associate Director and Head of Governance and Compliance and, should the assessed level of risk warrant it, the Stakeholder Board before being introduced.

4 Information and Data

4.1 Ownership of Data / Data Controller

The organisation is the legal owner of all data held in its Records, Information systems and equipment. All of the organisation’s staff must ensure the data is accurate, up-to-date and secure from unauthorised access or disclosure.


Processing of Data/ Data Processor 4.2

The organisation’s data must be processed only by systems and equipment owned or

authorised by the organisation.

Data must not be transferred to or processed on any equipment that is not owned by the

organisation without the prior authority of the appropriate Service Manager or the Caldicott

Guardian.

Processing of all data must be legal and must comply with other organisational policies;

eg Records Management Policy.

4.3 Personal Information

Personal information is subject to the provisions of the Data Protection Act and, from 25 May 2018, the GDPR. Additionally, information about patients is subject to the Guide to Confidentiality in Health and Social Care.

Under both the Data Protection Act and the GDPR the organisation is obliged to notify the Information Commissioner of the personal information it processes and for what purposes. Processing of all personal information must be consistent with this notification. Privacy Impact Assessments must be carried out and submitted to the IG Manager before new systems, or significant changes to existing systems, are implemented. Under the GDPR these assessments are called Data Protection Impact Assessments (DPIAs); see section 6.6.4, Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA).

Management of Information Security

4.4 Chief Executive (CEO)/Managing Director (MD) - or equivalent

The CEO/MD of the organisation has overall responsibility for all matters relating to information security.

4.5 Caldicott Guardian

The organisation's Caldicott Guardian will ensure that information about patients and service users is used legally, ethically and appropriately.

4.6 Senior Information Risk Owner (SIRO)

The SIRO is responsible for user access into systems and for information risk across the organisation.

4.7 Line Managers

Line Managers are individually responsible for ensuring that information security is applied and practised within their area of responsibility.

Specifically, Line Managers will ensure that:

- All staff are appropriately instructed/trained in their security responsibilities;
- All staff sign confidentiality undertakings as part of their contract of employment;
- All staff are appropriately trained in any procedures, systems, services and equipment they are required to use;
- Untrained staff are not allowed access to confidential information or to computer systems and equipment;


- Staff are appropriately authorised to access information systems in accordance with their job function and relationship with patients, and specifically that they do not share their login credentials;
- Staff are authorised to access equipment, systems, services and media appropriate to their job function;
- Information quality standards are maintained by their staff and the information recorded is accurate and up-to-date;
- All critical job functions are adequately documented to maintain continuity of service;
- Procedures are implemented to minimise disruption to systems and services and exposure to fraud/theft. These may include segregating duties, implementing dual control and staff rotation where appropriate;
- Appropriate disciplinary action is taken for breaches of policies, standing instructions and legislation.

4.8 IM&T Security Adviser Role

The IT Security Manager within the ICT Department is the IM&T Security Adviser and will provide advice and guidance on the confidentiality and security of information and information systems.

Specifically, the Security Adviser will:

- Develop and maintain confidentiality and information security policies and assist with the implementation of these policies;
- Provide advice on compliance with legislation, NHS policies and guidelines relating to confidentiality and information security;
- Ensure that breaches of information security are investigated and reported appropriately;
- Advise and assist in implementing security improvement programmes consistent with NHS, DH and industry best practice.

4.9 Data Protection Officer

The Data Protection Officer is responsible for ensuring that the organisation and its constituent business areas remain compliant at all times with the Data Protection Act, the Privacy and Electronic Communications Regulations, the Freedom of Information Act and the Environmental Information Regulations. The Data Protection Officer shall lead on the provision of expert advice to the organisation on all matters concerning the Data Protection Act, compliance, best practice and the setting and maintaining of standards.

The DPOs within the organisation will:

- Inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws;
- Monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits;
- Be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).


4.10 Information Asset Owners

The Information Asset Owners (IAOs) are senior/responsible individuals involved in running the business area and shall be responsible for:

- Understanding what information is held;
- Knowing what is added and what is removed;
- Understanding how information is moved;
- Knowing who has access and why.

4.11 Senior Responsible Owners

All Senior Managers, Heads of Department, Information Risk Owners and Directors, defined as Senior Responsible Owners (SROs), are individually responsible for ensuring that this policy and information security principles are implemented, managed and maintained in their business area. This includes:

- Appointment of Information Asset Owners (IAOs) to be responsible for information assets in their areas of responsibility;
- Awareness of information security risks, threats and possible vulnerabilities within the business area, and complying with relevant policies and procedures to monitor and manage such risks;
- Supporting personal accountability of users within the business area(s) for information security;
- Ensuring that all staff under their management have access to the information required to perform their job function within the boundaries of this policy and associated policies and procedures.

4.12 Solutions Architect

Within the ICT Department the Solutions Architect will ensure that solutions are created that meet the business requirements and comply with the information security agenda.

The Solutions Architect will attend the Technical Design Authority meetings to ensure review of all solutions prior to delivery.

5 Responsibility of all Staff

5.1 General Responsibility

Information security and the appropriate protection of information assets is the responsibility of all users, and individuals are expected at all times to act in a professional and responsible manner whilst conducting business on behalf of the organisation. All staff are responsible for information security and remain accountable for their actions in relation to NHS and other UK Government information and information systems.

Staff shall ensure that they understand their role and responsibilities and that failure to comply with this policy may result in disciplinary action. This will be reinforced by yearly mandatory training.


All members of staff are responsible for ensuring that no breaches of information security result from their actions. Members of staff are required to:

- Comply with the Information Security Policy and the Guide to Confidentiality in Health and Social Care;
- Raise any concern regarding information security with their manager and/or the ICT Department Service Desk;
- Comply with any relevant legislation, regulations, codes of conduct, any other policies and procedures and any instructions which may be issued from time to time;
- Ensure they are familiar with security measures, such as access controls and anti-virus software, and use or operate them correctly.

5.2 Paper Records

All paper records must be stored in the appropriate manual filing system when not in use. Records containing personal information must be kept secure from unauthorised access at all times. Records are to be stored in line with the Partner records policy.

5.2.1 Paper Waste Disposal

Any reports or printouts containing personal and/or patient information must be treated as confidential, and stored and disposed of accordingly, for example in cross-cut shredders or confidential waste sacks/bins. Further guidance can be found in the Partners' Confidentiality Policy.

5.3 Information Systems and Equipment

Information systems and associated equipment (computers, printers, etc.) are provided for the conduct of official organisational business. They must not be used for any commercial purposes or for personal gain. Limited personal use may be permitted at the discretion of the appropriate Senior Manager.

All equipment and information must be adequately protected at all times. Any default accounts must be disabled or removed and any factory-set passwords changed prior to issue for use.

Fixed assets, e.g. printers, scanners and PCs, must not be removed from premises or relocated without permission. All requests for movement of equipment must be notified to the ICT Department Service Desk.

5.4 Mobile Devices

Portable computers must only be used in accordance with the organisation's Mobile Device Security Policy. All portable devices must be encrypted to DH standards. They must be secured at all times and must not be left in view when unattended. Any portable computer taken off premises must not be used or left in an insecure location. They must be used only by authorised persons and password protection must be in place.


5.5 Access to Information Systems

Authorised staff will be given a username and/or a smartcard and a password to access the systems they are authorised to use. These identify the user to the system; all actions by the user are recorded by the systems.

Smartcards must be kept safe and secure and must not be used by any other person. Users of smartcards must also comply with the RA01 Short Form Conditions which they signed when the card was issued. Further guidance can be found in the RA policy.

Passwords must be kept secret and not divulged to any other person, even Personal Assistants or Secretaries. Passwords must be changed frequently as prompted by the system or in accordance with the standards and instructions for the system.

Computers must be locked or switched off when unattended.

The authorised user is responsible for any action associated with their identity. Any suspected misuse should be reported to the ICT Department Service Desk.

5.6 Data Accuracy

Members of staff are responsible for the accuracy of the data they record and use. It is paramount that patient-related data is accurate and up-to-date, as inaccurate data could threaten patient safety. Administrative data must also be as accurate as possible to ensure effective management and decision making.

5.7 Processing Information and Data

The organisation's information and data must only be processed or stored on NHS equipment and using authorised systems and databases. Staff must not acquire or develop systems or databases without the prior approval in writing of the relevant Information Governance Group in each organisation.

Personal equipment or non-NHS equipment must not be used to process the organisation's information unless authorised in writing by the appropriate Information Governance Group. Where such authorisation is given, it is the responsibility of the member of staff to make adequate provision to safeguard the security, integrity and confidentiality of the data. Written advice must be sought from the ICT Department.

5.8 Portable Storage Devices - Electronic Media

Portable storage devices include smartphones, BlackBerrys, disks, memory sticks, portable hard drives and any other device that can store information, e.g. cameras, Dictaphones, etc. These devices must only be used in accordance with the organisation's Mobile Device Security Policy.

Portable storage devices must be encrypted in accordance with DH standards. Only approved, authorised devices owned by the organisation can be used for storing the organisation's information and data. Where a type of device needs to be used but its storage cannot be encrypted, such as cameras, local procedures must be created and signed off by the Information Governance Manager before such devices are used.


The approval of the appropriate Information Governance Group must be obtained prior to copying any personal data onto a portable storage device. For patient data this will be the Caldicott Guardian.

Portable storage devices must not be used for storing the primary copy of any of the organisation's information. The primary copy must be stored on the appropriate shared drive or server area.

Portable storage devices must be kept secure at all times and stored safely when not in use.

Loss, or suspected loss, of any portable storage device must be reported to the ICT Department Service Desk and the IG Manager immediately.

All redundant or non-functioning portable storage devices must be returned to the ICT Department for re-use, recycling or secure disposal as appropriate.

6 Management and Control of Information Assets

6.1 Control of Assets

6.1.1 Ownership of Assets

All information assets owned by the organisation will be identified, and will have a named custodian responsible for the security of that asset.

6.1.2 Asset Registers

The ICT Department will maintain asset registers on behalf of customers in line with SLAs. This includes:

- Physical assets (all computer equipment and hardware);
- Software assets;
- Information assets it (HBL ICT) owns (application systems and databases).

Information Asset Owners are responsible for ensuring that their information repository (database, spreadsheets, etc.) is maintained with details of all their information assets.

The partner is responsible for informing HBL ICT of movement and transfer requests for IT assets.

6.1.3 Procurement of Assets

All electronic information assets will be procured by the ICT Department in line with SLAs. Requests for PCs, printers and other equipment such as cameras, Dictaphones, etc. must be made through the ICT Department Service Desk.

6.1.4 Disposal of Assets

All information assets must be maintained until the end of their useful life and then must be disposed of safely and without risk to the organisation or to the organisation's patients, clients and staff.


All computer equipment will be disposed of by the ICT Department in accordance with NHS standing instructions and EU and UK environmental and health and safety regulations. A record of all disposals will be maintained.

Computer equipment must not be sold, removed or disposed of outside of the agreed policy without the prior permission of the Director of IT and the SIRO.

6.1.5 Media Disposal

All redundant removable media must be treated as confidential waste and securely erased before disposal. Wiping the media must be done in accordance with current Government policy and standards via the ICT Department (do not attempt to do this yourself; a simple delete or quick format leaves the data recoverable). If secure erasure is not possible, the media must be destroyed.

6.2 Access Control

6.2.1 Physical Access Controls

All information servers, network control equipment, etc. will be installed in designated controlled areas secured by physical access controls.

Access to controlled areas will be restricted to authorised ICT Department staff whose job function requires access to that particular area.

The Director of IT may grant access privileges to other staff in the organisation to allow them to perform agreed specific tasks in the controlled areas.

The ICT Department may authorise authenticated representatives of third-party support suppliers and agencies to access controlled areas. The representatives will be accompanied at all times in the controlled areas.

All personnel are required to wear their identity badges at all times in controlled areas and are obliged to challenge all unrecognised or unaccompanied visitors.

A record of all accesses to controlled areas will be maintained.

All staff with access to the Data Centres must abide by the Data Centre Policy and Procedures document.

6.2.2 Logical Access Controls

Access to all information and application systems will be restricted to staff who have a business need and have been authorised by their Line Manager.

Logical access to all information assets will be by means of passwords, key-tokens (smartcards) or a combination of both.

6.2.3 Computer System Access Controls

Computer system access (CSA) control is managed and controlled through a defined process. CSA requests are normally made via the customer portal of the Service Management tool, where the relevant CSA form is completed. Access to the forms is restricted and they can only be completed by an authorised member of staff. Staff with access are responsible for providing correct information and are liable for any discrepancies. The form includes a disclaimer which must be ticked in order for the request to be processed.


CSA requests for joiners, movers and leavers, including maternity, secondments or extended leave, are to be completed promptly and sent to HBL ICT in order to ensure appropriate access is maintained.

Additionally, for agreed student intakes or rotations, access is managed from a bulk-provided list of main base and job title with end date. An email address is provided but not shared-drive access. If shared-drive access is deemed necessary it is logged as an additional access request by the line manager, mentor or other person(s) with the appropriate authority.

6.3 Use of Information Assets

6.3.1 Installation and Siting of Equipment

All equipment must be sited and installed in accordance with current environmental and health and safety regulations. Initial installation will be made by the ICT Department. Equipment must not be moved without first informing the ICT Department.

6.3.2 Limitations on Use

Equipment must only be used for the purpose for which it was supplied and in accordance with the manufacturer's/supplier's instructions.

Equipment must not be modified without the permission of the ICT Department. This includes the attachment of additional equipment and/or peripherals or the loading of additional software.

Unauthorised connection or attempted connection to the communications network, e.g. by means of a personal laptop, will be treated as serious misconduct.

6.3.3 Data Security

All electronic data files must be stored in the appropriate area on the network fileservers. This ensures that all files reside in a secure, virus-free area and are automatically backed up on a regular basis.

All confidential data will be stored in secure personal and workgroup areas. Creation of and access to these areas will be managed by the ICT Department on the authority of the appropriate senior manager.

The local hard disk on desktop PCs must not be used for the storage of files. Where a local copy has been taken (e.g. during a network failure), the files must be moved to the shared areas promptly.

Removable media or portable storage devices must not be used for the archiving of data or transferring data unless specifically authorised, in which case the device must be encrypted. All data archiving and transfers will be done via the organisation's network. See also section 5.8, Portable Storage Devices - Electronic Media.

6.3.4 Security of Equipment Off-Premises

Equipment and data must not be taken off site without formal authorisation from the appropriate Senior Manager or person with delegated authority.


Where equipment is located in an insecure environment or public access area, additional physical and logical security measures will be implemented in the form of locks, additional passwords, etc.

Users are responsible for the security of laptop computers and must follow good security practices in accordance with the Mobile Device Security Policy.

6.3.5 Security of Hard Disks

The hard disks on any computer may contain sensitive or confidential data, possibly in temporary files.

Theft or removal off-site of such disks is a potential threat to the security of the organisation's information and could risk a breach of confidentiality.

Hard disks sent off-site for data recovery are therefore to be treated as portable storage devices (see section 5.8), and must only be sent to approved contractors who have signed a confidentiality agreement. If encrypted they must be sent via a recorded delivery system. If unencrypted they must either be collected by the recovery firm or delivered personally by a member of the organisation's staff or ICT Department staff.

Hard disks that are no longer required will have all data physically removed or will be destroyed prior to disposal. This process will be controlled by the ICT Department in line with SLAs; see section 6.1.4, Disposal of Assets.

6.4 Passwords

6.4.1 Password Protection

Access to all information systems and the network operating system will be granted on a need-to-know basis and restricted by password facilities controlled by the system managers.

All systems will, where possible, be configured to record unsuccessful login attempts. Accounts will be frozen after three (3) unsuccessful attempts.

User sessions will, where possible, be de-activated or logged out if inactive for 15 minutes.

6.4.2 Password Standards

Passwords will be a minimum of eight (8) alphanumeric characters and contain at least one (1) alphabetic and one (1) numeric character. Staff will be responsible for maintaining the secrecy of their passwords.

Passwords must be changed frequently. Enforced password changing will be implemented using password ageing where the systems permit. The change cycle will be 30 to 90 days depending on the system.

Passwords must not be re-used for a specified number of instances. This will vary between four (4) and 12 depending on the system.

Generic passwords will be a minimum of ten (10) characters and contain at least one (1) alphabetic and one (1) numeric character, at least one (1) upper-case letter, at least one (1) lower-case letter and at least one (1) special character. Staff will be responsible for maintaining the secrecy of their passwords.


Privileged Domain Account passwords will be a minimum of sixteen (16) characters and contain at least one (1) alphabetic and one (1) numeric character, at least one (1) upper-case letter, at least one (1) lower-case letter and at least one (1) special character. Staff will be responsible for maintaining the secrecy of their passwords.

All systems should be configured to record unsuccessful login attempts, and accounts will be locked after a number of failed attempts, normally three (3), depending on the system.
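As an added example (not part of this policy and not an HBL ICT tool), the following Python checks a candidate password against the three password tiers in 6.4.2 and audits a system's configured lockout, ageing, history and idle-timeout values against 6.4.1 and 6.4.2. The tier labels (user, generic, privileged), the function names, the settings-dictionary keys and the sample inputs are this example's own constructions; "alphanumeric characters" is read as total password length, and password history is modelled as a plain list rather than the hashed history a real system would keep.

```python
"""Added example: check passwords and account settings against sections 6.4.1
and 6.4.2 of this policy. Illustrative code, not an HBL ICT tool; the tier
labels, function names and sample data are assumptions made for the example."""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordStandard:
    name: str
    min_length: int    # minimum total length in characters
    mixed_case: bool   # require at least one upper- and one lower-case letter
    special: bool      # require at least one special (punctuation) character


# The three tiers in 6.4.2. Every tier also needs at least one letter and one digit.
STANDARDS = {
    "user": PasswordStandard("standard user account", 8, False, False),
    "generic": PasswordStandard("generic/shared account", 10, True, True),
    "privileged": PasswordStandard("privileged domain account", 16, True, True),
}

# Control values from 6.4.1 and 6.4.2.
LOCKOUT_THRESHOLD = 3        # account frozen after three failed attempts
IDLE_TIMEOUT_MINUTES = 15    # session locked or logged out after 15 minutes idle
MAX_AGE_DAYS = (30, 90)      # password ageing cycle, depending on the system
HISTORY_DEPTH = (4, 12)      # number of previous passwords that may not be re-used


def check_password(password: str, account_class: str, history=()) -> list:
    """Return the rules the password fails for the given tier; [] means compliant.

    history: previous passwords for the account. A real system would store and
    compare hashes; plain strings are used here only to keep the example short."""
    std = STANDARDS[account_class]
    failures = []
    if len(password) < std.min_length:
        failures.append(f"shorter than {std.min_length} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        failures.append("no numeric character")
    if std.mixed_case:
        if not any(c.isupper() for c in password):
            failures.append("no upper-case letter")
        if not any(c.islower() for c in password):
            failures.append("no lower-case letter")
    if std.special and not any(c in string.punctuation for c in password):
        failures.append("no special character")
    if password in history:
        failures.append("re-used from password history")
    return failures


def audit_account_settings(settings: dict) -> list:
    """Compare a system's configured account controls with the policy values.

    settings keys (this example's own names): lockout_threshold, max_age_days,
    history_depth, idle_timeout_minutes, log_failed_logins. On a real system
    these would be read from the directory or an OS policy export."""
    findings = []
    thr = settings.get("lockout_threshold", 0)
    if thr == 0 or thr > LOCKOUT_THRESHOLD:      # 0 means lockout disabled
        findings.append(f"lockout threshold must be {LOCKOUT_THRESHOLD} failed attempts")
    age = settings.get("max_age_days", 0)
    if not MAX_AGE_DAYS[0] <= age <= MAX_AGE_DAYS[1]:
        findings.append(f"password age must be {MAX_AGE_DAYS[0]}-{MAX_AGE_DAYS[1]} days")
    depth = settings.get("history_depth", 0)
    if not HISTORY_DEPTH[0] <= depth <= HISTORY_DEPTH[1]:
        findings.append(f"history depth must be {HISTORY_DEPTH[0]}-{HISTORY_DEPTH[1]}")
    idle = settings.get("idle_timeout_minutes", 0)
    if idle == 0 or idle > IDLE_TIMEOUT_MINUTES:   # 0 means no idle lock
        findings.append(f"idle timeout must be {IDLE_TIMEOUT_MINUTES} minutes or less")
    if not settings.get("log_failed_logins", False):
        findings.append("unsuccessful login attempts must be recorded")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    for pw, tier in [("summer2018", "user"), ("summer18", "generic"),
                     ("Winter-Service-2018!", "privileged")]:
        print(tier, pw, "->", check_password(pw, tier) or "compliant")
    weak = {"lockout_threshold": 0, "max_age_days": 365, "history_depth": 1,
            "idle_timeout_minutes": 0, "log_failed_logins": False}
    print("weak settings ->", audit_account_settings(weak))
```

The same password that is compliant for a standard user account fails two or three rules when proposed for a generic or privileged account, which is the point of the tiering: shared and privileged credentials are the ones an attacker targets first, so they carry the stricter standard. The settings audit treats a lockout threshold or idle timeout of zero as disabled rather than as "stricter than policy".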

6.5 Business Continuity

6.5.1 Physical Security

All servers (virtual and physical) and data communications equipment will be located in secure controlled areas with physical entry controls restricting access to authorised personnel only.

Local data communications equipment and/or file servers will always be located in secure areas and/or lockable cabinets.

6.5.2 Remote Access to the Organisation's Services

In addition to strong authentication, audit trails and event logs will record remote access activity, with particular emphasis on failed login attempts or attempted intrusions into the local area network.

Security breaches (actual and suspected) will be reported immediately to the ICT Department Service Desk and the IG Manager, where they will be recorded as a security incident. All security incidents will be promptly investigated and treated very seriously.

Connection of a modem (or other unauthorised communications equipment) to the ICT Department's managed network other than through an authenticating server is a breach of the NHSNet Statement of Compliance and may lead to disciplinary action being taken against that individual.

6.5.3 Remote Access to the Organisation's Services by Staff

Controlled virtual private network (VPN) access via the internet may be given to members of staff who can demonstrate a genuine need to access network resources remotely. Access will be conditional on:

- The completion by an authorised manager of the appropriate Computer System Access form;
- Acceptance that passwords or tokens issued to enable remote access are for use only by the person they are issued to;
- The user taking care to ensure any sensitive data displayed on screen is not visible to others;
- No attempt being made to connect to any wireless local area network that fails to meet at least the WPA-2 standard, e.g. open wireless hotspots. Where you believe you will need to use wireless hotspots, the request must be authorised by your line manager and the SIRO.

Use of domestic wireless local area networks is acceptable provided the wireless access point (sometimes known as a wireless hub or router) is configured to at least WPA-2 standards. Refer to the device manual or its supplier for information on how it should be configured.

Even when using a wired connection in a domestic setting, if a wireless access point is connected to the network it must be configured to at least the WPA-2 standard.

6.5.4 Remote Access to the Organisation's Services by Suppliers

Controlled virtual private network (VPN) access via the internet may be given to support organisations who can demonstrate a genuine need to access network resources remotely. Access will be conditional on:

- An agreement being signed restricting the access for use only by qualified persons for specified purposes, and that no information will be disclosed to unauthorised persons;
- Each request for dial-up or VPN access being logged and approved by an authorised person in the ICT Department;
- Passwords or tokens issued to enable remote access being for use only by the person they are issued to.

6.5.5 Business Continuity Planning

All critical systems will have a disaster recovery plan in the event of system or data loss. These will be agreed between the ICT Department and representatives of the organisation. Criticality of systems will be established as part of the implementation of this policy. Plans will be reviewed and tested regularly.

NHS Digital provides CareCERT advice and guidance to organisations to respond effectively and safely to cyber security threats.

6.6 Databases and Application Systems

6.6.1 Authorised Databases and Systems

A list of authorised databases and applications will be maintained by the ICT Department. The organisation's information and data must only be stored and processed in applications or databases on the list. Where members of staff develop systems in Access, such databases must not be used for storing any organisation-related information or data without referral to the ICT Department. Support for such systems will only be provided on a reasonable-endeavours basis.

6.6.2 Acquisition of Application Systems

Acquisition of all application systems, whether by procurement or development, must follow the current Information Governance standards and NHS procurement procedures and guidelines. The ICT Department must be approached as early as possible in such a process.

Security requirements to ensure compliance with this policy must be incorporated in the business requirements used for the development or procurement process. The security requirements must be approved by the Head of Technical Services before the start of any procurement or development.

Prospective suppliers must formally commit to meeting or exceeding the required level of security.


6.6.3 System Acceptance

Application systems will not be connected to, or accessed from, the managed network until the ICT Department Head of Technical Services is satisfied that security has been comprehensively addressed.

The Project Team responsible for the new system will devise formal acceptance test plans and demonstrate that the security requirements of the system have been tested satisfactorily. These tests must include witness testing of the strength of the security features in a controlled environment.

6.6.4 Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA)

A PIA/DPIA must be completed for all application systems. This will be completed before new applications are accepted. The PIA/DPIA must be revised when any changes to functionality or usage are made.

A PIA/DPIA must also be completed in respect of any data being transferred between the organisation and third parties, along with all other appropriate documents.

The DPIA/PIA must contain the following information:

- A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller;
- An assessment of the necessity and proportionality of the processing in relation to the purpose;
- An assessment of the risks to individuals;
- The measures in place to address risk, including security, and to demonstrate compliance.

6.6.5 Clinical Safety

The provision and deployment of Health IT Systems within the National Health Service (NHS) can deliver substantial benefits to NHS patients through the timely provision of complete and correct information to the healthcare professionals responsible for delivering care. However, it has to be recognised that failure or incorrect use of such systems has the potential to cause harm to the very patients the system is intended to benefit.

To ensure that Health IT Systems do not introduce risks to NHS patients, all Health IT systems must now comply with the following National Information Standards (since 2018 published by the Data Coordination Board as DCB0129 and DCB0160; the requirements are unchanged):

SCCI 0129 – Clinical Risk Management: its Application in the Manufacture of Health IT Systems

SCCI 0160 – Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems

These two standards provide manufacturers of Health IT systems and software, and the Health Organisations responsible for deploying these systems, with a set of mandated requirements to ensure that such systems are well designed and do not compromise patient safety.

SCCI 0129 outlines the safety management requirements for system suppliers during system production and handover to healthcare organisations, including system changes and upgrades. It requires suppliers to produce formal documentation of their clinical safety assessment and approval process, identification of any risks, and mitigation proposals.

SCCI 0160 requires healthcare organisations to ensure appropriate systems are in place to assess patient safety risks during the procurement, implementation, use and decommissioning of Health IT Systems. These processes should build upon or clarify existing safety processes, project governance and other clinical risk management arrangements.

6.7 Software Protection

6.7.1 Licensed Software

Only licensed and supported software will be installed on organisation-owned equipment. All installed software must comply with ICT Department standards. All software must be used only for the purpose for which it is provided and in accordance with training and instructions.

Any required software will be procured and installed by the organisation's ICT Department. Records of entitlement data, including contracts, purchase records and other media supporting proof of software subscription and use rights, must be maintained. Staff must not install any software on any of the organisation's computers without the express written consent of the Partner IG and the ICT Department's Governance and Compliance Manager.

Users who require additional software must submit a request to their Department Manager.

6.7.2 Software Standards

The organisation has standardised on the Microsoft Office suite of applications, Microsoft Outlook for e-mail and Microsoft Internet Explorer for web browsing. Alternative products are not supported and must not be installed.

Software used must be reviewed by the ICT Department to ensure it is fit for purpose and does not have a negative impact on other business applications.

6.7.3 Virus Control

Virus protection software will be installed on all network servers and all PCs. The virus protection software will be updated frequently to ensure adequate protection against the latest viruses. Network servers will be updated at least daily. Standalone PCs must be updated at least weekly.

The users of portable computers are responsible for ensuring virus protection is kept up to date. Portable computers receive updates every time they are connected to the network and must be so connected at least once a month.

Connection (beyond that needed to download updates) may be refused to any PC or laptop that does not have up-to-date anti-virus software.


The ICT Department will make every effort, using the technology available, to protect against virus attacks. Users are also responsible for ensuring that virus infections do not occur, or spread, as a result of their actions.

Any suspected or actual virus infection must be reported to the ICT Department Service Desk by phone immediately. Any user suspecting virus activity on their PC or laptop should disconnect it from the network if they are able to do so safely.

7 Electronic Mail and Internet Access

7.1 Purpose and Ownership

E-mail and internet services are provided for the conduct of the organisation's and NHS business. These systems, including the hardware, software and all data stored within them (which includes file downloads), are the property of the organisation.

The e-mail service is owned and managed by NHS Digital, and the associated policies are available on the NHSmail Portal.

All staff must comply with the organisation's Acceptable Use Policy and the NHSmail policies. The use of Internet and e-mail resources must be related to the legitimate business activity of the organisation. This includes authorised professional and academic pursuits.

7.2 Access and Disclosure of Electronic Communications

7.2.1 Monitoring Usage

All electronic communications will be monitored to ensure compliance with policies, licence use rights, procedures and the organisation's statutory obligations.

The organisation may at any time, and without notice, block any incoming or outgoing communication that is considered not relevant to the conduct of the organisation's or NHS business, or which could damage any of the organisation's systems or information. Users are responsible for reporting any suspicious e-mail received on their device to the HBL ICT Department, which will take corrective measures to have NHSmail block such e-mails.

7.2.2 Inspection and Disclosure of Communications

All electronic communication may be inspected and disclosed under the provisions of the Data Protection Act 2018 and the GDPR, and the Freedom of Information Act 2000, subject to the safeguards contained in that legislation. This may be done without informing the sender or recipient.

Inspection and disclosure may also be done:

To discharge legal obligations and legal processes and any other obligations to staff,

clients, patients, customers or any other persons;

To locate information required for the organisation’s or NHS business that is not

readily available by other means;

To safeguard assets and to ensure they are used in an appropriate manner;


In the course of an investigation into alleged criminal offences, misconduct or misuse.

7.2.3 Monitoring and Disclosure Procedures

Prior approval must be obtained from the appropriate Director/SIRO/Caldicott Guardian, in addition to the ICT Department's Director or Associate Director, before gaining access to the contents of electronic communications or data stores, or disclosing information gained from such access. See the NHSmail policies for details relating to e-mail.

8 Security Incident Management

The ICT Department will detect, investigate and resolve any suspected or actual breaches of computer security. The processes for managing security incidents will be linked with the organisation's Incident Reporting Policies and Procedures.

8.1 Personal Data Breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach is therefore more than just losing personal data.

All suspected breaches must be reported at once to the organisation's DPO. The organisation will notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it.

8.2 Security Incidents

A security incident is an event that may result in:

the integrity of any system being jeopardised,

the availability of any system being jeopardised,

unauthorised disclosure of information or disruption of activity,

unauthorised or inappropriate use of assets and resources,

financial loss or loss of resources,

legal action.

All suspected security incidents must be reported at once to the ICT Department’s Service

Desk.

8.2.1 Logging Security Incidents

All ICT-related incidents should be reported to the ICT Department via the Service Desk. All actual or suspected security incidents will be formally logged, categorised by severity, and their action/resolution recorded by the ICT Department's Service Desk.

In addition, the organisation's incident recording system may be used to log untoward events. This process will record what happened, what was done, by whom, when, and the final resolution. Refer to the Incident Policy for details.


Disaster Recovery procedures will be invoked in response to serious problems, e.g. the inability to recover critical live systems.

9 Disciplinary Action

Members of staff who breach any aspect of this policy will be subject to disciplinary action

in line with the current disciplinary policy. Serious breaches will be regarded as gross

misconduct and may result in dismissal and potential referral to the Local Counter Fraud

Service (LCFS) for further investigation.


Appendix A. Organisational SIROs

Organisation SIRO Role

BCCG Director of Finance

ENHCCG Director of Finance

HCT Director of Finance

HPFT Director of Innovation and Transformation

HVCCG Director of Finance

LCCG Director of Finance


Appendix B. Comment Form

As part of the HBL ICT Services Department's continuous improvement regime, please complete this form. Any comments or feedback on this document should be addressed to the Owner.

Please provide your name and contact details in case clarification is required.

Name

Please return to:

HBL ICT Services

Charter House

Welwyn Garden City

Hertfordshire, AL8 6JL

Address

Phone

Email

Please confirm the document you are responding to: …

Please rate the document using the topics and criteria indicated below:

Very Good Good Average Fair Poor

Format and Layout

Accuracy

Clarity

Illustrations (tables, figures etc.)

When using the document, what were you looking for?

How could the document be improved?

How often do you use the document?

If you have additional comments, please include them below:

Thank you for your time