Document Title: Information Security Policy
Reference Number: CNTW(O)35
Lead Officer: Lisa Quinn, Executive Director of Commissioning and Quality Assurance
Author(s) (name and designation): Jon Gair, Head of Informatics - Infrastructure
Ratified by: Business Delivery Group
Date ratified: March 2019
Implementation Date: March 2019
Date of full implementation: March 2019
Review Date: March 2022
Version number: V05.1
Review and Amendment Log
Version | Type of Change | Date | Description of Change
V05 | Review | Mar 19 |
V05.1 | Review | Oct 19 | Governance changes
This policy supersedes the following document which must now be destroyed:
Document Number | Title
CNTW(O)35 - V05 | Information Security Policy
Information Security Policy
Section Contents Page No.
1 Introduction 1
2 Purpose 1
3 Duties, Accountability and Responsibilities 1
4 Definition of Terms 2
5 Procedure / Process 3
6 Identification of Stakeholders 21
7 Training 21
8 Implementation 21
9 Fair Blame 22
10 Fraud, Bribery and Corruption 22
11 Monitoring Compliance 22
12 Associated Documents 22
13 References 23
Standard Appendices – attached to Policy
A Equality Analysis Screening Toolkit 24
B Training Checklist and Training Needs Analysis 26
C Audit Monitoring Tool 28
D Policy Notification Record Sheet
Practice Guidance Note – Listed separate to Policy
PGN No: Description
ISEC-PGN-01 Disposal and Destruction of Sensitive Data and Information Assets
Cumbria Northumberland, Tyne and Wear NHS Foundation Trust CNTW(O)35 Information Security Policy – V05.1 Oct 19
1 Introduction
1.1 Cumbria Northumberland Tyne & Wear NHS Foundation Trust (the Trust) recognises the importance of its information, and of the information systems used for the transfer, manipulation and storage of information, to ensure business continuity. The security of all information held by the Trust is paramount to its business function.
1.2 Through this Policy and the relevant government laws and legislation, the Trust will identify and adopt structured security procedures for the Trust's information systems, in accordance with the principles of ISO / IEC 27002:2005, as follows:
To ensure availability: that is, ensure that assets are available as and when required, in line with the Trust's business objectives
To preserve integrity: that is, protect assets from unauthorised or accidental modification, ensuring the accuracy and completeness of the Trust's assets
To preserve confidentiality: that is, protect information from unauthorised access and disclosure.
1.3 Trust staff are bound by the confidentiality and security policies set by the NHS, the Trust and UK legislation, and by the common law duty to maintain the confidentiality of the information held and used as part of everyday working practice.
2 Purpose
2.1 The Trust recognises the importance of a structured, coherent and secure information system, and of the associated systems used to manipulate, communicate and store information, to enable the Trust to conduct its business in a structured and secure manner and in accordance with legal requirements and national and local policies.
2.2 The purpose of this Policy is to prevent unauthorised disclosure, modification, removal or destruction of information held by the Trust, to ensure adherence with UK law, NHS policy and guidelines, and to avoid disruption to NHS business activities and the potentially distressing consequences of the loss of sensitive information.
3 Duties, Accountability and Responsibilities
Responsibility for implementation of and compliance with this Policy lies with the Chief Executive.
The Senior Information Risk Owner (SIRO) has delegated responsibility from the Chief Executive. The SIRO is the Executive Director of Commissioning and Quality & Assurance.
All staff, including agency, temporary, voluntary, support staff and contractors, must apply the Information Security Policy in accordance with NHS Information Governance Guidelines;
The Director of Informatics is responsible for ensuring that the Trust has appropriate technical capabilities in order to protect data that is processed;
The Caldicott and Health Informatics Group have responsibility for overseeing day to day compliance with this Policy and for investigating breaches;
Failure to comply with this Policy may endanger the information services of the Trust and may result in disciplinary or criminal action.
4 Definition of Terms
4.1 Information Security is the preservation of Confidentiality, Integrity and Availability of information.
Confidentiality - ensuring that information is accessible only to those authorised to have access and to prevent unauthorised disclosure.
Integrity - safeguarding the accuracy and completeness of information and information processing.
Availability - ensuring that authorised users have access to information and associated assets when required.
4G: Mobile data technology
BMP: Bitmap / Picture Files
CLOUD: Internet or externally hosted services
CDA: Compact Disk Audio / Music File
DSPT Data Security and Protection Toolkit
Encryption: Process of securing data using technology
FTP: File Transport Protocol
GIF: Picture File
JPEG: Picture File
LAN: Local Area Network
MP3: Moving Picture Experts Group Layer-3 Audio / Video
OFFICE 365: Secure Microsoft On Line Collaboration services available on the Internet
N3/HSCN: NHS backbone network now called Health and Social Care Network.
PDA: Personal Digital Assistant
PID: Patient Identifiable Information
Secure Token: Device that Creates a Secure Password
VPN: Virtual Private Network
WAN: Wide Area Network
WMA: Windows Media Audio / Video Audio File
5 Procedure / Process
5.1 This Policy must be read in conjunction with the following Trust Policies, which include detailed Policy statements:
Data Protection Policy CNTW(O)36
Freedom of Information Act Policy CNTW(O)43
Records Management Policy - CNTW(O)09
Confidentiality Policy CNTW(O)29
Removable Media Data Encryption Policy CNTW(O)30
Information Risk Policy CNTW(O)62
IT Procurement Policy CNTW(O)63
Visual Imaging and Audio Policy CNTW(O)45
Acceptable Use of Email Policy CNTW(O)44
Registration Authority Policy CNTW(O)57
Safe Fax Guidelines
Trust Incident Reporting Policy CNTW(O)05
Acceptable Use of Intranet and Internet Policy CNTW(O)65
5.2 Definition of Information:
5.2.1 The term Information can be defined as “a collection of facts or data” and for the purpose of this Policy information includes:
Digitally stored information
Transmitted across networks
Information that is retrieved, accessed, transmitted to / received from other organisations using the following mediums
Technical equipment and devices used to store and process information
Fax machines and any other communications media
Printed out or written on paper
Stored on disk, tape or any other electronic, optical and portable media
Images and Recordings on CD, DVD, USB devices, Video and Audio tape
Cloud or any externally hosted services
5.2.2 Appropriate protection is required for all forms of information and devices used to store, process and transmit data, to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations.
5.3 Legal and Regulatory Framework and Guidelines:
5.3.1 The Trust must comply with the following legislation and guidelines. This list is not exhaustive:
Data Protection Act 2018
Environmental Data Protection Regulation 2016
The Freedom of information Act 2000
The Computer Misuse Act 1990
The Caldicott Guidelines
Confidentiality NHS Code of Practice
Access to Health Records Act 1990
Electronic Communications Act 2000
5.4 End User Responsibility:
5.4.1 Confidentiality and Document Management:
Trust staff have a contractual obligation to keep all confidential information secure, use it only for the purposes intended and not disclose it to any unauthorised third party and other staff
Staff must always save data to their network drives, allocated Office 365 areas or My Documents folders. Data stored on the C:\ drive (local hard drive) or external storage areas will not be automatically backed up
If a document is highly confidential or sensitive in nature, it can be stored in a password protected directory on a shared drive by the management team and there should be an agreed process in place to ensure the appropriate persons can gain access. In all other cases where a manager or individual member of staff wishes to store documentation of this type then they should do so on their individual account.
It should be noted that documents in common directories can be accessed by other employees. Such information should not be saved to external storage devices or hard drives unless it is essential to do so and these devices are encrypted.
Any documents containing any PID (patient identifiable information) must not be saved to the local hard drive (“C” drive), or to USB devices, CD or any other external storage devices, unless they have been encrypted (See Removable Media Data Encryption Policy CNTW(O)30)
Copies of confidential information should only be printed out as necessary, retrieved from the printer immediately and stored or destroyed in an appropriate manner by shredding and / or use of the confidential waste collection system
Documents containing Trust patient / staff information must not be left open on any unattended computer screen. When possible the PC should be positioned to prevent being overlooked
Staff must always logout or lockout their PC when leaving their desk
Under no circumstances must Trust staff copy any personal or multimedia files (i.e. MP3, CDA, WMA, GIF, BMP or JPEG files) that are not Trust related to any local or network drive. If such files are found on Trust staff accounts or shared drives, this will be classed as computer misuse and may be subject to the Trust's disciplinary process
Only Trust owned IT equipment purchased through the Informatics Department is allowed on the Trust network. Under no circumstances must non Trust owned IT equipment be used on the Trust network or premises unless directed to via the Informatics Department.
Under no circumstances must Trust staff send sensitive or confidential information to personal e-mail accounts. Sensitive or confidential information can be sent between Trust e-mail accounts (i.e. @CNTW.nhs.uk to @CNTW.nhs.uk). Only NHSmail (@nhs.net) accounts can be used when sending sensitive or confidential information outside of the organisation (i.e. @nhs.net to @nhs.net). Where information needs to be sent and there is no secure transmission method, a strong password (upper case, lower case, numerical and symbols) must be applied to protect the document, with no sensitive or confidential information within the subject or body of the e-mail.
Trust staff must not use personal/other organisation cloud based storage services such as Drop Box, personal OneDrive or Google Drive to store or share sensitive or confidential information. Only Trust provided cloud based storage services should be used.
5.4.2 Network Access:
5.4.2.1 Secure network access is of paramount importance to the Trust and as such the Informatics Department controls the following through network security.
Network account Password protection
Network account password change will be requested every 120 days
Screen saver password protection
Password protected screen savers will be activated if the computer is idle for 15 minutes
Virus Protection and Threat Protection software. The virus protection systems employed by the Trust will automatically update while the computer is attached to the Trust network, and additional layers of protection will be deployed to provide more proactive protection against security threats.
5.4.3 Password Management:
5.4.3.1 Passwords are confidential information and must be treated as such.
5.4.3.2 A password is only as secure as the person who knows it and as such the following standards must be adhered to:
Keep your passwords safe
Do not disclose them to anyone
You will be forced to change your passwords from time to time for security purposes and in line with NHS Guidelines
5.4.4 Network passwords must be a minimum of 8 characters and must be classed as ‘complex’, which means passwords must contain at least three of the following character types:
Uppercase
Lowercase
Numeric (0-9)
Non-alphanumeric character (special characters such as # or &)
To support this requirement and make passwords easier to remember, it is recommended that three random words are joined together, including at least one number and an upper and lower case letter (e.g. Coffeetrainfish2). Further information and advice is available on the Trust Intranet.
5.4.4.1 Each user is responsible for maintaining the security of their individual login and password. To this end:
Staff must not share their user name or password with anyone
Passwords must not be written down
If Staff suspect that their password has been compromised they must change their password immediately and contact the Informatics Servicedesk for further advice.
If a breach of security is recorded under your login, the burden of proof will be with you to show that you are not responsible for the breach.
5.4.4.2 All passwords must be changed at regular intervals when requested by the system, at 120 day intervals.
5.4.4.3 If a password is forgotten, self-service options are available as directed by the Informatics department. The servicedesk is available where self-service automated processes are not possible.
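The complexity standard in 5.4.4 (minimum 8 characters, at least three of the four character classes) and the 120-day change interval in 5.4.4.2 expressed as a small checker. This is an added example written for this page, not Trust software; the function names, the PasswordCheck record and the sample account records are assumptions, and only the rules themselves come from the policy text.

```python
"""Checker for the Trust's network password standard (policy 5.4.4) and the
120-day change interval (policy 5.4.4.2).

Added illustration for this page, not Trust software. Function names, the
PasswordCheck record and the sample records below are assumptions; only the
rules themselves come from the policy text.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import string

MIN_LENGTH = 8               # 5.4.4: minimum of 8 characters
MIN_CLASSES = 3              # 5.4.4: at least three of the four classes
CHANGE_INTERVAL_DAYS = 120   # 5.4.4.2: change requested every 120 days


@dataclass
class PasswordCheck:
    compliant: bool
    length: int
    classes_present: tuple          # names of the policy classes found
    reasons: list = field(default_factory=list)


def character_classes(password: str) -> tuple:
    """Return the names of the four policy character classes found in the
    password. Digits are restricted to 0-9 as the policy states; any character
    that is not a letter or digit (including space) counts as non-alphanumeric,
    which is an assumption since the policy only gives # and & as examples."""
    found = []
    if any(c.isupper() for c in password):
        found.append("uppercase")
    if any(c.islower() for c in password):
        found.append("lowercase")
    if any(c in string.digits for c in password):
        found.append("numeric")
    if any(not c.isalnum() for c in password):
        found.append("non-alphanumeric")
    return tuple(found)


def check_complexity(password: str) -> PasswordCheck:
    """Apply 5.4.4: at least 8 characters and at least three character classes.
    The returned reasons explain every failed rule so the user can fix it."""
    classes = character_classes(password)
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes) < MIN_CLASSES:
        reasons.append(f"only {len(classes)} of 4 character classes present "
                       f"(need {MIN_CLASSES})")
    return PasswordCheck(not reasons, len(password), classes, reasons)


def days_until_change_due(last_changed: date, today: date) -> int:
    """Apply 5.4.4.2: a change is requested 120 days after the last one.
    Zero or a negative value means the change is already due."""
    due_on = last_changed + timedelta(days=CHANGE_INTERVAL_DAYS)
    return (due_on - today).days


def audit_accounts(accounts, today: date) -> dict:
    """Run both checks over (username, password, last_changed) records and
    return {username: [reasons]} for every account that fails a rule.
    Suitable only for constructed data: production systems hold hashes, not
    plaintext, so the complexity check there belongs at password-set time."""
    findings = {}
    for user, password, last_changed in accounts:
        reasons = list(check_complexity(password).reasons)
        remaining = days_until_change_due(last_changed, today)
        if remaining <= 0:
            reasons.append(f"change overdue by {-remaining} days")
        if reasons:
            findings[user] = reasons
    return findings


# Constructed sample records (not real Trust accounts) and a fixed "today".
AS_OF = date(2019, 10, 1)
SAMPLE_ACCOUNTS = [
    ("user.a", "Coffeetrainfish2", date(2019, 8, 1)),  # the policy's own example
    ("user.b", "coffeetrainfish", date(2019, 9, 1)),   # one character class
    ("user.c", "Ab1#", date(2019, 9, 1)),              # four classes, too short
    ("user.d", "Summer2019!", date(2019, 5, 1)),       # complex but overdue
]


def audit_sample() -> dict:
    """Audit the constructed records above as of AS_OF."""
    return audit_accounts(SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, reasons in audit_sample().items():
        print(f"{user}: {'; '.join(reasons)}")
```

Note that a password such as "Summer2019!" satisfies the three-class rule while still being guessable, which is why the policy's three-random-words advice matters as much as the character-class count.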
5.4.5 Email:
5.4.5.1 The Trust employs the use of Electronic Mail (e-mail) to facilitate its business objectives. Detailed terms of use can be found in the Acceptable Use of Email, Intranet and Internet Policy CNTW(O)44.
5.4.5.2 The use of Internet email such as Hotmail, Gmail etc. is not permitted for business purposes.
5.4.5.3 When communicating patient related data, the minimum amount of patient identifiable information necessary must be used. It is good practice to use the NHS Number to identify the patient. All staff must seek advice from the Information Governance Department on sending confidential information via e-mail.
5.4.5.4 Staff should be aware that both private and business use of e-mail will be subject to monitoring.
5.4.6 Viruses:
5.4.6.1 Infection of computers by software viruses is a very real risk. IT staff will implement technical counter measures, including installing anti-virus software and updating the necessary virus definition files, in an effort to keep up with the ever-increasing distributors of viruses. However, all the routes of infection also involve actions by users of computers. The main routes of infection are listed below:
Downloading unauthorised software from the Internet
Viruses hidden in e-mail attachments from un-trusted sources or unexpected sources (the email sender can sometimes be impersonated or “spoofed”)
Personal webmail accounts
Insertion of removable media that may have been used outside the Trust into a Trust computer without checking for viruses (e.g. CDs, DVDs, memory sticks / USB memory devices and any other removable media capable of carrying data or programs)
Connecting a laptop or PC (that does not have anti-virus software with up to date virus definition files) to the Trust’s network
5.4.6.2 The Trust network is protected against viruses and other malware via a commercial anti malware product.
5.4.6.3 The Trust will:
Deploy the anti-virus software appropriately including each new release of the software from the supplier
Set-up facilities to automatically update virus definition files for all computers on the network.
Ensure portable computers etc. are brought back to, or connected to, base for regular updates of virus definition files
Ensure Users are kept aware of the recognition and danger of viruses and anti-virus procedures by regular briefings and publicity
Record occurrences of viruses which result in data loss according to the Trust Incident Policy and Procedures. (Management must be made aware that if a major outbreak occurs all computer facilities may be shut down)
5.4.6.4 Computer viruses, Trojan horses and worms are collectively known as malware. Although the network is protected, staff still have a duty to be vigilant, especially when opening email from unknown sources, and must not attempt to alter or circumvent virus checking or procedures.
5.4.6.5 Staff will:
Not attach personal equipment to the network
Report a suspected attack immediately to the Informatics Servicedesk
5.4.6.6 To ensure that all equipment is adequately protected, the network will be monitored by the Informatics Department.
5.4.7 Internet:
5.4.7.1 The Trust employs the use of the internet as a communications medium to facilitate its business function. Access to the internet is controlled through network security, including login ID and password. Limited personal use is allowed for staff. Full terms and conditions of use can be found in the Acceptable Use of Intranet and Internet Policy CNTW(O)65.
5.4.7.2 Staff should be aware that Internet access will be subject to monitoring
5.4.7.3 Any person or persons accessing the Internet via the Trust's network will be considered to have read, understood and accepted the Information Security Policy.
5.4.7.4 Service Users are not permitted to access the Trust network, other than through a member of staff who will be responsible. The Trust provides facilities such as Keep In Touch (KiT) for in-patient areas and Free WiFi to support the safe use of the Internet by service users in community waiting areas.
5.4.7.5 The Internet is not a secure transport medium for information. Under no circumstances must Trust carer / user identifiable information be sent via the Internet unless advice has been requested and permission given from the Information Governance Department.
5.4.8 Clear Desk \ Clear Screen Policy:
5.4.8.1 All information, electronic or paper, and other valuable resources must be secured appropriately when staff are absent from their workplace and at the end of each working day if not working within a 24 hour environment.
5.4.8.2 Whilst at work, staff must not leave patient notes, personal files or any other confidential records unattended on or around the work area. This includes handwritten telephone numbers, names etc. In particular, adhesive type notes (post-its) with telephone numbers should not be left attached to the machine or the work area.
5.4.8.3 Desks must be cleared at the end of each working day (excludes 24hr environments) of any confidential or person identifiable information. Medical records must be locked securely in desks, filing cabinets or rooms at all times, unless they are currently in use.
5.4.8.4 Personal items (i.e. keys, handbags, wallets etc.) should be locked away safely in the interests of security. It is the responsibility of the owner to ensure all security precautions are taken.
5.4.8.5 All paper and computer media should be stored in suitable locked cupboards when not in use. It is not sufficient to use a portable locking box for computer media.
5.4.8.6 Electronic data and equipment will not be treated differently from manual records and equipment, as they contain the same type of confidential and / or personal information. Computing and all other equipment containing data will therefore be treated with the same level of security as paper based resources.
5.4.8.7 Computers and laptops must not be left logged on when unattended, and must be protected by passwords, screensavers and other controls that are available to all staff within the Trust.
5.4.8.8 Screens must be locked by the user when leaving their computer screen, irrespective of the amount of time spent away from the unattended screen.
5.4.8.9 The screen must always be closed, minimised or locked when unauthorised persons are in close proximity to the screen.
5.4.8.10 Sensitive items such as personal identifiers must be cleared from printers and fax machines immediately on completion. If these are no longer required the items must be shredded or sent for secure disposal.
5.5 Technical Protection:
5.5.1 Portable Media:
5.5.1.1 Full details on security of portable devices can be found in the Removable Media Data Encryption Policy CNTW(O)30. A summary follows:
5.5.1.2 The Trust employs the use of portable systems to facilitate the Trust business functions. All portable systems must have adequate protection at all times. This protection must be in the form of:
Password Protection
Secure Physical Storage
Software Encryption
5.5.1.3 Portable devices include, but are not limited to, laptops, PDAs, USB memory sticks, DVDs, CDs, mass storage devices, cameras, camcorders and audio devices.
5.5.1.4 Use of portable hard drives and CD / DVD re-writers must be authorised by the Information Governance Department and used in accordance with the Removable Media Data Encryption Policy.
5.5.1.5 The Trust has a standard USB Memory Stick, Camera, Camcorder and Audio Recording device which can be ordered through the Informatics on line ordering system on the Trust Intranet.
5.5.2 Mobile Communication Devices:
5.5.2.1 Full details of secure use can be found in the Issue and Use of Mobile Communication Devices Policy CNTW(O)58.
5.5.2.2 The Trust employs the use of smartphone devices to enable remote access to the Trust's e-mail system. These Trust owned devices are managed via central Trust technical controls and policies managed by the Informatics Department. Secure containerised access via personal devices may be available as directed by the Informatics Department.
5.5.2.3 Although encrypted, Smartphones must still be:
Protected by a Password or PIN which is not shared with anyone else.
Kept in a secure place when not being used
Not left unattended while in use
Any loss or theft must be reported to the Informatics Servicedesk as soon as possible
5.6 Infrastructure:
5.6.1 Server and Communications Rooms:
All Trust IT server and communications rooms must be locked at all times. This is for security and health and safety due to the fire prevention systems in use
All non-authorised IT staff, contractors and visitors must be accompanied or monitored at all times while conducting work in the server room by a member of the Informatics Department
If a member of the Informatics department leaves the Trust, any privileged accounts or door access control devices must be disabled immediately. Any generic passwords known by the individual for Internet of Things devices will need to be risk assessed and changed accordingly.
5.6.2 Network Security:
5.6.2.1 The Trust recognises the need for a secure and reliable system to transfer Trust information. To facilitate the transfer of information throughout the Trust, the Trust utilises a private network infrastructure, in turn linked to N3/HSCN.
5.6.2.2 All active network equipment must comply with, but is not limited to, the following standards:
All active network equipment must be password protected
Only members of the Informatics Department will have access to these passwords
All active network equipment must be located in a secure location
All Trust network traffic containing sensitive or confidential data should be secured by encryption in transit (such as SSL) or password protected files (using non reversible encryption technology such as AES-256)
5.6.3 Physical and Environmental Controls:
5.6.3.1 Secure Areas:
Security perimeters will be used to protect areas that contain information processing facilities
Secure areas will be protected by appropriate entry controls to ensure that only authorised personnel are allowed access
Physical security for offices, rooms and facilities will be designed and applied
Physical protection guidelines for working in secure areas will be designed and applied
5.6.4 Equipment Security:
5.6.4.1 Guidance has been produced for the siting and protection of equipment to reduce the risks from environmental hazards and unauthorised access
Data storage is protected from power failures where appropriate e.g. UPS. This will be monitored and tested by the Informatics Department
Security procedures and controls are used to secure equipment used outside Trust premises
All items of equipment containing storage media should be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal. This should be done via the Informatics Department
Equipment, information or software should not be taken off-site without prior authorisation from a line manager
PC’s, printers and laptops will be asset marked and entered on an asset register by the Informatics Servicedesk
5.6.5 Environmental Controls:
5.6.5.1 Adequate fire protection and detection is provided.
Adequate protection is provided to protect against the risk of water damage
Where appropriate, buildings are protected against lightning strikes
Where appropriate, protection is provided against pest damage
Heating, ventilation and air conditioning equipment is used where appropriate to control the temperature and humidity levels for key IT equipment
5.6.6 Asset Management:
An inventory will be maintained for all IT equipment by the Informatics Servicedesk
An inventory will be maintained of all software by the Informatics Servicedesk (e.g. application / system software, development tools, utilities)
All information and assets associated with information processing facilities have an Information Asset Owner IAO who is responsible for ensuring the security of that system (see Information Risk Policy CNTW(O)55). The IAO’s will report known risks to the SIRO
5.6.7 Remote Access:
5.6.7.1 It is recognised that Trust staff need to access data at the point of patient care, which is reflected in the remote access solutions that have been provided by the organisation.
5.6.7.2 Trust approved solutions include an automatic secure connection back to the Trust network. This can be safely connected to personal or public Internet WiFi networks along with Trust provided 4G mobile connectivity built into the device.
5.6.7.3 When using this remote access technology, it is important that staff
Only use a device in a safe area where other individuals do not have view of your screen. Special care needs to be taken in any public areas such as coffee shops etc.
Be aware of 4G mobile usage and Trust devices should not be used to consume media streaming services such as Netflix which could have a considerable financial implication on network usage.
5.6.7.4 Staff must not use personally owned equipment to store and process Trust data unless via an approved Trust solution where technical security controls can be mandated.
5.6.8 (Third Party) Remote Access:
5.6.8.1 If third party suppliers are used to carry out functions which may give access to Trust data, the Trust must consider:
Conducting good due diligence to assess their policies and procedures, including recruitment, security and levels of service
Understanding how they will treat the data
Monitoring and supervising their access to Trust systems or data
Using secure internet links, encryption, and registered or recorded mail when transferring data to third parties
Having the supplier complete the Third Party Supplier Data Security and Protection Toolkit (DSPT) Self-Assessment
Completing a Data Protection Impact Assessment (DPIA) and considering any third party processor agreements in collaboration with the IG Department
Inclusion of Trust and Supplier responsibilities in the SLA / Contract
5.6.8.2 Where there is a requirement for third parties to have direct access to the Trust network to provide applications and remote software and hardware support, this access must be provided via remote access solutions managed by the Informatics Department.
5.6.9 Cloud Based Services
5.6.9.1 The Trust is more readily supporting the use of Cloud or Internet based services in light of the government's ‘Cloud First’ policy, which allows a more dynamic and scalable approach to Trust requirements. It is important to ensure that the security of Trust data is not compromised in relation to the use of these services, which is reflected in the level of due diligence. Any cloud systems must be assessed in accordance with GDPR/DSPT requirements and signed off by the SIRO/Caldicott Guardian before use.
5.6.9.2 In addition to the checks already considered in Third Party Remote Access above the following additional information needs to be considered.
Review of Data Protection Registrations held with the Information Commissioner in relation to data held along with its data.
Review any third party security accreditations such as ISO 27000
5.6.10 Access to National Applications:
5.6.10.1 Access to most national applications will be via a smart card (See Registration Authority Policy CNTW(O)57).
5.6.10.2 Smartcards will only be issued to people who have been sponsored for access to national applications and for whom the Trust Registration Authority has set up and issued the smartcard.
5.6.10.3 All smartcard holders must comply with but not limited to the following statements.
The issued smartcard must not be used for anything other than access to the national applications
All smartcards must be kept in a safe place at all times
Never give your smartcard password (PIN number) to any other person.
5.6.11 New IT Systems:
5.6.11.1 To aid business continuity the Trust will have to implement new systems or update old systems. Any new IT based systems installed on the Trust network, or standalone systems, must be implemented as part of a recognised and structured IT project using an appropriate project management methodology.
5.6.11.2 Any IT based systems requested by any department must be procured in collaboration with the Informatics Department. This will ensure that the correct procedures are maintained for the integration of new systems regarding the location, protection and backup of any information produced or stored on or by the new systems. Any request should be directed to the IT Services Helpdesk in the first instance (see IT Procurement Policy CNTW(O)63).
5.6.11.3 A Data Protection Impact Assessment, also known as DPIA, is a tool to help identify and reduce or fix any data privacy risks before integrating new systems. This DPIA process has been designed for use within the CNTW settings and demonstrates compliance with Data Protection law. (See Data Protection Impact Assessment Practice Guidance Note- DPP-PGN-03 part of Data Protection Policy CNTW(O)36)
5.6.11.4 There is a requirement for the creation and maintenance of a system level security policy (SLSP) to ensure controls meet audit requirements. Information Governance should be contacted to assist with the completion of an SLSP.
5.6.12 Access Control:
5.6.12.1 The Trust employs many different systems to facilitate its business functions. Most systems have different access levels, which may give users access to different levels of confidential information or to administrative functions. The Trust reserves the right to add, remove or change access to applications or systems to facilitate the Trust's business functions.
5.6.12.2 Access levels to Trust systems will be maintained by the Informatics Department through the Informatics ServiceDesk, using a secure and structured approach.
5.6.12.3 This allows for a clear and concise audit trail of all access requests. Access to systems outside the administrative control of the Informatics Department will be controlled by the Information Asset Administrators (IAAs), on behalf of the Information Asset Owners (IAOs) supporting these systems. Requests for access or change of access must be authorised through these channels.
5.6.13 Safe Haven:
Safe Haven Faxing should be carried out in accordance with the Safe Fax Guidelines available on the Intranet
5.6.14 Disposal of IT Equipment and Media:
The Trust will dispose of its assets in a controlled and secure manner and in line with the CFH guidance. A summary of this guidance is available on the Information Governance and Caldicott Guidance pages on the Intranet at the following link:
Disposal and Destruction of Sensitive Data - Information Assets
5.6.14.1 All obsolete IT equipment must be disposed of via the Informatics Department.
5.6.15 Network Account Management:
All IT network accounts will be created via the Informatics Servicedesk.
Staff should be encouraged to make use of self service solutions, such as password reset, where possible; keeping their contact card information up to date via the Intranet improves the accessibility of this automated service.
Regular network audits will be conducted to check that account assignments and user rights are being maintained
Informatics Services will monitor user account usage to identify dormant accounts that have not been used for 90 days; these will be disabled
The Trust employs disk quotas (a predefined amount of storage space per computer account)
User accounts must only have the minimum rights assigned to allow the user to conduct Trust business functions
Access to shared files must be requested by the user's manager
5.6.16 Account Creation:
All new network accounts must be requested via the User Account Creation Tool available on the Intranet.
5.6.17 Account Deletion:
When a member of staff leaves the Trust their line manager must inform the Informatics Servicedesk. The leaver's account must then be disabled immediately and all access rights removed. The disabled account will remain on the network for three months after being disabled, after which it is deleted.
Before an employee leaves, their line manager should discuss with them whether their remaining work should be deleted or transferred to a secure folder so that anyone with legitimate access can retrieve it.
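The account rules in 5.6.15 and 5.6.17 (disable accounts unused for 90 days, disable leavers immediately, delete leaver accounts three months after disabling) are the kind of sweep the Systems Admin team would run as a regular check. The following is an added example, not Trust code or any tool named in this Policy. The account records are constructed; a live sweep would take its input from the directory service (for example an export of accounts with their last-logon dates), which is assumed here rather than shown.

```python
"""Account hygiene sweep: 90-day dormant detection and leaver handling.

Added example with constructed data; not a real directory export.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Account:
    name: str
    enabled: bool
    created: date
    last_logon: Optional[date]          # None means the account has never logged on
    leaver: bool = False                # line manager has reported the person as left
    disabled_on: Optional[date] = None  # date the account was disabled, if it was


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month
    (e.g. 31 Oct + 4 months -> 29 Feb in a leap year)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def dormant_accounts(accounts: List[Account], today: date, threshold_days: int = 90) -> List[str]:
    """Enabled accounts with no use in the last `threshold_days` (5.6.15).

    An account that has never logged on is measured from its creation date,
    so stale never-used accounts are caught rather than skipped."""
    cutoff = today - timedelta(days=threshold_days)
    dormant = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # already disabled; nothing to do
        last_activity = acct.last_logon or acct.created
        if last_activity <= cutoff:
            dormant.append(acct.name)
    return sorted(dormant)


def leavers_still_enabled(accounts: List[Account]) -> List[str]:
    """Leavers whose account was not disabled immediately (5.6.17): chase these first."""
    return sorted(a.name for a in accounts if a.leaver and a.enabled)


def leavers_due_for_deletion(accounts: List[Account], today: date, retention_months: int = 3) -> List[str]:
    """Disabled leaver accounts past the three-month retention period (5.6.17)."""
    due = []
    for acct in accounts:
        if acct.leaver and not acct.enabled and acct.disabled_on is not None:
            if add_months(acct.disabled_on, retention_months) <= today:
                due.append(acct.name)
    return sorted(due)


# Constructed sample data (not from any real Trust system).
TODAY = date(2019, 10, 31)
SAMPLE_ACCOUNTS = [
    Account("jsmith", True, date(2018, 1, 10), date(2019, 10, 28)),              # active
    Account("abrown", True, date(2018, 1, 10), date(2019, 7, 1)),                # unused for more than 90 days
    Account("svc_print", True, date(2019, 5, 1), None),                          # never logged on, created long ago
    Account("newstart", True, date(2019, 10, 15), None),                         # never logged on, created recently
    Account("mleaver", True, date(2017, 3, 3), date(2019, 10, 1), leaver=True),  # left, but still enabled
    Account("pgone", False, date(2016, 6, 6), date(2019, 6, 28), leaver=True, disabled_on=date(2019, 6, 30)),
    Account("qrecent", False, date(2016, 6, 6), date(2019, 9, 13), leaver=True, disabled_on=date(2019, 9, 15)),
]

if __name__ == "__main__":
    print("dormant, to disable:", dormant_accounts(SAMPLE_ACCOUNTS, TODAY))
    print("leavers not yet disabled:", leavers_still_enabled(SAMPLE_ACCOUNTS))
    print("leavers due for deletion:", leavers_due_for_deletion(SAMPLE_ACCOUNTS, TODAY))
```

Two details matter for the check to be trustworthy: a never-used account has no last-logon date and must be judged on its creation date rather than silently skipped, and the three-month retention is counted in calendar months from the disable date, so the deletion date is the same day three months on (clamped to month end), not a fixed number of days.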
5.7 Risk Management:
5.7.1 The SIRO, supported by the IAOs, the Trust wide Caldicott and Health Informatics Group and the Information Governance Team, will oversee information risk management across the Trust (see Information Risk Policy CNTW(O)55), including the introduction and monitoring of appropriate mechanisms and controls to ensure that:
Information is protected against unauthorised access
Confidentiality of information is assured
Integrity of information is maintained
Regulatory requirements and legislation are met
Information technology systems are used in a manner that prevents the release of information (by accident or by deliberate or criminal act), ensures their safe use and avoids damage to the specific system or to any other system to which it is connected
Information that can be used to identify a person, including confidential information about that person, and business information, including confidential business information, is restricted to authorised users only
The Informatics Department will ensure that appropriate controls and technical solutions are provided to detect unauthorised information processing activities
Trust Servers will be monitored and information security events will be recorded. Operator logs and fault logging will be used to ensure problems are identified
Audit logs recording user activities, exceptions, and information security events will be produced and kept for up to one year to assist in access control monitoring
Business continuity plans are produced, maintained and tested.
5.8.1 Backup Cycle / Generation:
Data and software backups will be taken on an appropriate and timely basis for on-premise user data.
At least three generations / cycles must be kept for important business applications
Backup copies of data will be taken prior to any new software or changes being installed e.g. software fixes, upgrades, new releases
The backup catalogue (the backup database itself) will be included in the backup process
Alternative backup arrangements should be available.
Data Backups will normally have a data retention of 12 months unless otherwise agreed.
5.8.2 Tape / Disk Identification:
Backup tapes /disks or virtual disk libraries will be suitably labelled to ensure that an unauthorised person cannot identify the contents.
5.8.3 Checking and Recording of Backups
5.8.3.1 The Informatics Department will maintain a record to reflect:
When the backup was taken
The serial number of the tape / disk used (if applicable)
The volume of data backed up (if applicable)
Name of person checking backups as part of daily checks
Comments as necessary e.g. errors
5.8.3.2 The backup copy will be verified against the original as part of the backup job, where the backup technology supports this.
5.8.4 Secure Storage of Backups (where backup tapes are in use):
On site backup copies will be stored in a suitable location e.g. a fireproof cabinet
Fireproof cabinets used to store backups will be serviced / checked annually
Current backup copies will be stored off site at a secure location, at a sufficient distance to escape any damage from a disaster at the main site
Copies of key master software will be stored off site
Procedures will be established for emergency access to off- site storage
Backup copies will be transported to off-site storage securely
Periodic audits of backup copies and storage locations will be undertaken
Long term storage will be reviewed annually where appropriate
Long term storage media will be rotated and checked for reliability and errors.
5.8.5 Restores:
Backup copies will be regularly tested where practicable to ensure that they can be relied upon for emergency use when necessary
Restore procedures will be regularly checked and tested to ensure that they are effective and that they can be completed within the time allocated in the recovery procedures
Restores will be authorised and documented.
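Sections 5.8.1 to 5.8.3 set three concrete rules that interact: keep at least three generations, retain data for 12 months unless otherwise agreed, and verify each copy against the original while recording who checked it. The following is an added example, not Trust code or the output of any backup product the Trust uses; the backup sets and the "original" and "copy" byte strings are constructed stand-ins for a source file and its backup. It shows the one edge a retention job gets wrong if written naively: sets older than 12 months are still kept when they are among the three newest generations.

```python
"""Backup retention and verification helpers for the 5.8 backup rules.

Added example with constructed data; not Trust code.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class BackupSet:
    label: str        # tape / volume label; must not reveal the contents (5.8.2)
    taken: date
    sha256: str       # digest recorded when the set was written


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_copy(original: bytes, copy: bytes) -> bool:
    """5.8.3.2: verify the backup copy against the original by comparing digests."""
    return sha256_hex(original) == sha256_hex(copy)


def sets_to_expire(backups: List[BackupSet], today: date,
                   retention_days: int = 365, min_generations: int = 3) -> List[str]:
    """Sets that may be expired under the 12-month retention (5.8.1), while
    never cutting below the minimum of three retained generations.

    The newest `min_generations` sets are always protected, even when they
    are older than the retention period; only sets beyond that floor and
    older than the cutoff are returned."""
    newest_first = sorted(backups, key=lambda b: b.taken, reverse=True)
    cutoff = today - timedelta(days=retention_days)
    return sorted(b.label for b in newest_first[min_generations:] if b.taken < cutoff)


def backup_record(backup: BackupSet, checker: str, data_bytes: int,
                  verified: bool, comment: str = "") -> Dict[str, object]:
    """5.8.3.1 daily-check record: when, which medium, how much, who checked, comments."""
    return {
        "taken": backup.taken.isoformat(),
        "media_label": backup.label,
        "volume_bytes": data_bytes,
        "checked_by": checker,
        "verified": verified,
        "comments": comment or ("OK" if verified else "verification FAILED"),
    }


# Constructed sample data.
TODAY = date(2019, 10, 31)
ORIGINAL = b"constructed sample payload: weekly full backup of a file share"
GOOD_COPY = bytes(ORIGINAL)
BAD_COPY = ORIGINAL[:-1] + b"X"        # one byte corrupted on the medium

SAMPLE_SETS = [
    BackupSet("FULL-0427", date(2019, 10, 27), sha256_hex(ORIGINAL)),
    BackupSet("FULL-0420", date(2019, 10, 20), sha256_hex(ORIGINAL)),
    BackupSet("FULL-0361", date(2018, 9, 1), sha256_hex(ORIGINAL)),   # older than 12 months, but 3rd newest: kept
    BackupSet("FULL-0348", date(2018, 6, 1), sha256_hex(ORIGINAL)),   # expires
    BackupSet("FULL-0335", date(2018, 3, 1), sha256_hex(ORIGINAL)),   # expires
]

if __name__ == "__main__":
    print("sets to expire:", sets_to_expire(SAMPLE_SETS, TODAY))
    print(backup_record(SAMPLE_SETS[0], "night operator", len(ORIGINAL), verify_copy(ORIGINAL, GOOD_COPY)))
    print(backup_record(SAMPLE_SETS[1], "night operator", len(ORIGINAL), verify_copy(ORIGINAL, BAD_COPY)))
```

The digest comparison is the check a restore test (5.8.5) relies on: a copy that fails it should be logged as an error in the daily record and the set re-taken, rather than left in rotation to be discovered during an emergency restore.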
5.9 Business Continuity:
5.9.1 Overview:
The Trust is aware that some form of disaster may occur, and as such, all directorates will implement and regularly update a business continuity management process to counteract interruptions to normal activity and to protect critical processes from the effects of failures or damage to vital services or facilities
The Informatics Department has developed Disaster Recovery Plans for all business critical systems.
Any Informatics plans would be used in conjunction with the organisation wide Emergency Preparedness, Resilience and Response Plans available on the Trust Internet:
Emergency Preparedness Resilience and Response - CNTW(O)08
The central component is the major incident response plan.
This plan is key as it provides the initial response to any actual or perceived incident and facilitates the rapid assembly of the relevant senior staff to lead the Informatics Department and supporting resources in the event of any untoward incident
The level below the major incident response plan consists of more detailed plans to support constituent systems and infrastructure components. In response to a major incident these plans may be invoked individually or collectively to provide an appropriate level of recovery
Finally, the diagram shows links to wider incident planning within the Trust (See Emergency Integrated Incident Plan) and also to the Business Continuity Plans which are developed within end user departments.
To access the Business Continuity Planning for critical Trust systems please use the link below:
Business Continuity Planning
6 Identification of Stakeholders
6.1 This is an existing Policy which has only minor changes that do not relate to operational and / or clinical practice, and therefore did not require a full consultation process.
North Locality Care Group
Central Locality Care Group
South Locality Care Group
North Cumbria Locality Care Group
[Diagram (belongs to 5.9.1, rendered out of sequence in this extraction): Informatics Disaster Strategy. Level 1: Informatics Major Incident Response Plan, linked to Trust-wide Major Incident Planning. Level 2: plans for the Rio Clinical Information System, ORACLE Financials, access to office applications and the Electronic Staff Record (ESR), the Trust-wide network and other supporting systems. Level 3: system specific plans, subject to review and testing. Level 4: end user Business Continuity Planning.]
Corporate Decision Team
Business Delivery Group
Safer Care Group
Communications, Finance, IM&T
Commissioning and Quality Assurance
Workforce and Organisational Development
NTW Solutions
Local Negotiating Committee
Medical Directorate
Staff Side
Internal Audit
7 Training
7.1 Training for this Policy is incorporated into the annual Information Governance Training mandated for all staff.
7.2 Where additional training is required it is the responsibility of both managers and staff to ensure that this is undertaken and that attendance is verified and recorded.
8 Implementation
8.1 Taking into consideration all the implications associated with this Policy, it is considered that a target date of March 2019 is achievable for the contents to be implemented across the Trust.
9 Fair Blame
9.1 The Trust is committed to developing an open learning culture. It has endorsed the view that, wherever possible, disciplinary action will not be taken against members of staff who report near misses and adverse incidents, although there may be clearly defined occasions where disciplinary action will be taken.
10 Fraud, Bribery and Corruption
10.1 The Fraud Act 2006 represents an entirely new way of investigating fraud. It is no longer necessary to prove that a person has been deceived. The focus is now on the dishonest behaviour of the suspect and their intent to make a gain or cause a loss.
10.2 The Trust is committed to taking all necessary steps to counter fraud and corruption and works closely with AuditOne, the Trust's external auditors, who have local counter fraud specialists.
11 Monitoring Compliance
11.1 Responsibility for monitoring compliance with this Policy locally lies with Directors and Line Managers.
11.2 The Information Governance Team will monitor compliance with this Policy through observation, spot checks and through incident management in line with the Trust Incident Reporting Process.
11.3 Compliance with this Policy will be routinely monitored through Internal and External Audit.
11.4 Any compliance issues will be reported to the line managers concerned and may be handled through staff disciplinary processes or contractual arrangements.
11.5 Incident Reporting
11.5.1 All incidents involving the loss of data, whether encrypted or unencrypted, must be reported immediately to the Information Governance Department and dealt with in accordance with the Trust Incident Reporting Procedure (See Trust Policy CNTW(O)05 Incident Reporting and Procedures).
12 Associated Documents
CNTW(O)05 - Incident Policy (including the management of Serious Untoward Incidents and associated practice guidance notes (PGNs))
CNTW(O)09 - Records Management Policy (and associated PGNs)
CNTW(O)29 - Confidentiality Policy (and associated PGN)
CNTW(O)36 - Data Protection Policy
CNTW(O)45 - Visual Imaging and Audio Policy (and associated PGN)
CNTW(O)44 - Acceptable Use of Email Policy (and associated PGN)
CNTW(O)65 - Acceptable Use of Intranet and Internet
CNTW(O)55 - Information Risk Policy
CNTW(O)62 - Information Sharing Policy
CNTW(O)43 - Freedom of Information Act Policy
CNTW(O)58 - Issue and use of Mobile Communication Devices
CNTW(O)30 - Removable Media Data Encryption Policy
CNTW(O)63 - IT Procurement Policy
CNTW(O)57 - Registration Authority Policy
CNTW(O)33 - Risk Management Policy
Remote Access & Webmail Guidelines
Safe Fax Guidelines
13 References
www.ico.gov.uk
Department of Health circulars on Removable Media
Confidentiality NHS Code of Practice
ISO/IEC 27002:2005
The Computer Misuse Act 1990
The Caldicott Guidelines
Copyright, Designs & Patents Act 1988
Appendix A
Equality Analysis Screening Toolkit
Names of Individuals involved in Review: Jon Gair
Date of Initial Screening: March 2019
Review Date: March 2022
Service Area / Locality: Trust-wide
Policy to be analysed: CNTW(O)35 Information Security Policy
Is this policy new or existing? Existing
What are the intended outcomes of this work? Include outline of objectives and function aims
The purpose of the policy is to ensure that the data held by the Trust is secure from unlawful disclosure or loss
Who will be affected? e.g. staff, service users, carers, wider public etc
Staff, service users, carers and the wider public.
Protected Characteristics under the Equality Act 2010. The following characteristics have protection under the Act and therefore require further analysis of the potential impact that the policy may have upon them
Disability N/A
Sex N/A
Race N/A
Age N/A
Gender reassignment (including transgender) N/A
Sexual orientation. N/A
Religion or belief N/A
Marriage and Civil Partnership N/A
Pregnancy and maternity N/A
Carers N/A
Other identified groups N/A
How have you engaged stakeholders in gathering evidence or testing the evidence available?
Through standard policy consultation mechanisms.
How have you engaged stakeholders in testing the policy or programme proposals?
Through standard policy consultation mechanisms.
Equality and Diversity Impact Assessment Screening Tool
For each engagement activity, please state who was involved, how and when they were engaged, and the key outputs:
Through standard policy consultation mechanisms.
Summary of Analysis Considering the evidence and engagement activity you listed above please summarise the impact of your work. Consider whether the evidence shows potential for differential impact, if so state whether adverse or positive and for which groups. How you will mitigate any negative impacts. How you will include certain protected groups in services or expand their participation in public life.
N/A
Now consider and detail below how the proposals impact on elimination of discrimination, harassment and victimisation, advance the equality of opportunity and promote good relations between groups. Where there is evidence, address each protected characteristic
Eliminate discrimination, harassment and victimisation
N/A
Advance equality of opportunity N/A
Promote good relations between groups N/A
What is the overall impact?
N/A
Addressing the impact on equalities
N/A
From the outcome of this Screening, have negative impacts been identified for any protected characteristics as defined by the Equality Act 2010? No
If yes, has a Full Impact Assessment been recommended? If not, why not?
Manager’s signature: Jon Gair Date: Mar 2019
Appendix B Communication and Training Check List for Policies
Key Questions for the accountable committees designing, reviewing or agreeing a new Trust policy
Is this a new policy with new training requirements or a change to an existing policy?
No this is an existing Policy
If it is a change to an existing policy are there changes to the existing model of training delivery? If yes specify below.
N/A
Are the awareness/training needs required to deliver the changes by law, national or local standards or best practice?
Please give specific evidence that identifies the training need, e.g. National Guidance, CQC, NHS Resolutions etc.
Please identify the risks if training does not occur.
In order to comply with National guidance, adherence to ISO/IEC 27002:2005 and legislation listed in Policy
Please specify which staff groups need to undertake this awareness/training. Please be specific. It may well be the case that certain groups will require different levels e.g. staff group A requires awareness and staff group B requires training.
It is essential that all staff groups working with confidential / personal data are made aware of the Policy and the personal responsibilities associated with information security
Is there a staff group that should be prioritised for this training / awareness?
It is essential that all staff groups working with confidential / personal data are made aware of the Policy and the personal responsibilities associated with the national directive
Please outline how the training will be delivered. Include who will deliver it and by what method.
The following may be useful to consider: Team brief / e-bulletin of summary; Management cascade; Newsletter / leaflets / payslip attachment; Focus groups for those concerned; Local Induction Training; Awareness sessions for those affected by the new policy; Local demonstrations of techniques / equipment with reference documentation; Staff Handbook; Summary for easy reference; Taught Session; E-Learning.
Team brief, Trust Bulletin, Intranet, face to face training, E learning, Staff IT Handbook
Please identify a link person who will liaise with the training department to arrange details for the Trust Training Prospectus, Administration needs
Head of Information Governance and Medico – Legal.
Appendix B – continued
Training Needs Analysis
Staff / Professional Group: All staff who work with person identifiable data
Type of training: Training on adherence to Policy
Duration of Training: Depends on individual member of staff
Frequency of Training: Mandated annually
Should any advice be required, please contact: - 0191 245 6777 (Option 1)
Appendix C
Statement Monitoring Tool
The Trust is working towards effective clinical governance and governance systems. To demonstrate effective care delivery and compliance, policy authors are required to include how monitoring of this policy is linked to auditable standards / key performance indicators will be undertaken using this framework.
CNTW(O)35 – Information Security Policy - Monitoring Framework
Each entry below gives: the Auditable Standard / Key Performance Indicator; the Frequency / Method / Person Responsible; and Where Results & Any Associated Action Plan Will Be Reported To & Monitored (this will usually be via the relevant Governance Group).
1. Network Security Audit
Frequency / Method / Person Responsible: Performed annually by Internal Audit. Noted in the Audit actions paper to the Caldicott & Health Informatics Group (CHIG) and the Trust wide audit committee.
Reported to: Caldicott & Health Informatics Group or Trust wide audit committee.
2. The most current version of anti-virus software will be available on all Trust computers
Frequency / Method / Person Responsible: Informatics will carry out regular reviews of anti-virus software and will supply evidence for the DSP Toolkit, whose final submission is reported annually through the CHIG.
Reported to: DSP Toolkit / Caldicott & Health Informatics Group.
3. Leaver accounts must be disabled as per Trust Policy
Frequency / Method / Person Responsible: Regular reviews of inactive accounts and leavers will be carried out by the Systems Admin team. The results of the spot checks will be used as evidence for the DSP Toolkit, whose final submission is reported annually through the CHIG.
Reported to: DSP Toolkit / Caldicott & Health Informatics Group.
4. Disposal of IT Equipment / media will be in a controlled and secure manner
Frequency / Method / Person Responsible: The IG Team will carry out an audit to ensure that the disposal of IT equipment is carried out as per Policy. The results of this audit will be used as evidence for the DSP Toolkit, whose final submission is reported annually through the CHIG.
Reported to: DSP Toolkit / Caldicott & Health Informatics Group.
5. All incidents or breaches of Policy are reported
Frequency / Method / Person Responsible: Daily reports generated and investigated by Information Governance, and monitored by the IG Incident Management Group.
Reported to: IG Incident Management Group / Caldicott & Health Informatics Group or relevant governance group.
The Author(s) of each Policy is required to complete this monitoring template and ensure that these results are taken to the appropriate reporting governance group as above in line with the frequency set out.