Network Security Policy -
(East Cheshire NHS Trust)
Version V1.0
Ratified By Information Governance & Records Management Meeting
Date Ratified May 2017
Date of Issue via Intranet June 2017
Date of Review
May 2019
Lead Officer Frank Woodall
Midlands & Lancashire Commissioning Support Unit Network Security Policy – (East Cheshire NHS Trust)
Document Number: CA_0001 Issue/Approval Date: Version Number: 00.01
Status: Draft Next Review Date: Page 2 of 20
Contents
- Information Reader Box (page 3)
- Introduction (page 5)
- Policy Statement (page 6)
- Aim (page 6)
- Scope (page 7)
  - Officers within the Scope of this Document (page 7)
  - Officers Not Covered by this Document (page 7)
- Physical & Environmental Security (page 7)
- Access Control to the Network (page 8)
- Third Party Access Control to the Network (page 8)
- Maintenance Contracts (page 9)
- Data and Software Exchange (page 9)
- Fault Logging (page 9)
- Data Backup and Restoration (page 9)
- User Responsibilities, Awareness & Training (page 9)
- Malicious Software (page 9)
- Secure Disposal or Re-use of Equipment (page 9)
- System Change Control (page 10)
- Reporting Security Incidents & Weaknesses (page 10)
- System Configuration Management (page 10)
- Business Continuity & Disaster Recovery Plans (page 10)
- Training Plan (page 10)
- Risk Assessment (page 10)
- Monitoring (page 10)
- Compliance (page 11)
- Equality Impact Assessment (page 11)
- Associated Documentation (page 12)
- Version Control Tracker (page 13)
- Appendix 1 ECT Network Diagram (Redacted) (page 14)
- Appendix 2 – Firewall Configuration (page 14)
- Appendix 3 Firewall Restrictions (page 14)
- Appendix 4 Change Management – Normal Change (page 15)
Information Reader Box
Directorate (options): Communications & Engagement; Information Technology; Continuing Healthcare; Corporate Affairs; Contract Management; Business Intelligence; Finance; Human Resources
Publications Gateway Reference: xx
Document Purpose: Policy
Document Name: Network Security Policy – (East Cheshire NHS Trust)
Author: Cyber Security Manager
Publication Date: May 2017
Target Audience: All East Cheshire Trust Employees
Additional Circulation List: n/a
Description: Network Security Policy
Cross Reference:
Superseded Document: n/a
Action Required: n/a
Contact Details (for further information): Frank Woodall, Cyber Security Manager, Clark House, Hulley Road, Macclesfield, Cheshire, SK10 2LU. Tel: 0844 800 9982
Document Status
This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of this document are not controlled.
As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.
Introduction
The overall Network Security Policy for MLCSU – (East Cheshire NHS Trust) is described below:
The MLCSU – (East Cheshire NHS Trust) information network will be available when needed, can be accessed only by legitimate users and will contain complete and accurate information. The network must also be able to withstand or recover from threats to its availability, integrity and confidentiality. To satisfy this, MLCSU will undertake the following:
- Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical measures.
- Provide both effective and cost-effective protection that is commensurate with the risks to its network assets.
- Implement the Network Security Policy in a consistent, timely and cost-effective manner.
Where relevant, MLCSU will comply with:
- Access to Health Records Act 1990
- Computer Misuse Act 1990
- The Data Protection Act 1998
- MLCSU will comply with other laws and legislation as appropriate
Policy Statement
This document defines the Network Security Policy for Midlands and Lancashire CSU (East Cheshire NHS Trust). The Network Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support the network.
This document sets out the organisation's policy for the protection of the confidentiality, integrity and availability of the network, establishes the security responsibilities for network security and provides reference to documentation relevant to this policy.
Aim:
The aim of this policy is to ensure the security of MLCSU's (East Cheshire Trust) network. To do this the MLCSU will:
- Ensure Availability: ensure that the network is available for users.
- Preserve Integrity: protect the network from unauthorised or accidental modification, ensuring the accuracy and completeness of the organisation's assets.
- Preserve Confidentiality: protect assets against unauthorised disclosure.
Scope
This policy applies to all networks within MLCSU (East Cheshire NHS Trust) used for:
- The storage, sharing and transmission of non-clinical data and images
- The storage, sharing and transmission of clinical data and images
- Printing or scanning non-clinical or clinical data or images
- The provision of Internet systems for receiving, sending and storing non-clinical or clinical data or images
Officers within the Scope of this Document
Officers of the following Midlands & Lancashire CSU areas are within the scope of this document:
- East Cheshire Trust Officers
Officers Not Covered by this Document
There are no Officers of Midlands & Lancashire CSU not covered by this document.
There are no Officers of East Cheshire Trust not covered by this document.
Physical & Environmental Security
Network computer equipment will be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment where power supply quality is monitored and which is protected from power supply failures.
- The MLCSU are responsible for ensuring that door lock codes are changed and swipe card access is reviewed periodically (MLCSU locations).
- Smoking, eating and drinking are forbidden in areas housing critical or sensitive network equipment.
- All visitors to secure network areas must be authorised by MLCSU.
- All visitors to secure network areas must be made aware of network security requirements.
Access Control to the Network
Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access to the network will conform to the MLCSU's Remote Access Policy.
There must be a formal, documented user registration and de-registration procedure for access to the network.
- Line Managers must approve user access.
- Access rights to the network will be allocated on the requirements of the user's job, rather than on a status basis.
- Security privileges (e.g. 'superuser' or network administrator rights) to the network will be allocated on the requirements of the user's job, rather than on a status basis.
- Access will not be granted until MLCSU registers a user following the receipt of a 'New User Account Setup' form completed by the user's Line Manager.
- All users of the network will have a user identification and password.
- Users are responsible for ensuring their password is kept secret (see User Responsibilities).
- User access rights will be immediately removed or reviewed for those users who have left the organisation. Line Managers must complete a 'Leavers Form' and send it to the HR / ICT Department as soon as a user has resigned their position.
Third Party Access Control to the Network
Third party access to the network will be based on a formal contract that satisfies all necessary organisation security conditions.
- All contractors requiring third party access to the network must have signed either a MLCSU or East Cheshire NHS Trust contract containing relevant confidentiality clauses.
Maintenance Contracts
MLCSU will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment. All contract details will constitute part of the IT Department's Contract register.
Data and Software Exchange
Formal agreements for the exchange of data and software between organisations must be established and approved by the organisation's Caldicott Guardian or SIRO and MLCSU.
Fault Logging
MLCSU is responsible for ensuring that a log of all faults on the network is maintained and reviewed.
Data Backup and Restoration
MLCSU is responsible for ensuring that backup copies of network configuration and all organisation data are taken on a regular basis.
- Documented procedures for the backup process and storage of backup media will be produced and communicated to all relevant staff.
- All backup tapes will be stored securely.
- MLCSU will ensure the safe and secure disposal of backup media.
User Responsibilities, Awareness & Training
The organisation will ensure that all users of the network are provided with the necessary security guidance, awareness and, where appropriate, training to discharge their security responsibilities.
All users of the network must be made aware of the contents and implications of the Network Security Policy. Irresponsible or improper actions by users may result in disciplinary action.
Malicious Software
MLCSU will ensure that measures are in place to detect and protect the network from viruses and other malicious software.
Secure Disposal or Re-use of Equipment
Where equipment is being disposed of, MLCSU staff must ensure that all equipment is securely stored whilst awaiting collection by the specialist recycler, from whom a certificate of destruction will be received.
System Change Control
MLCSU will ensure that all changes to the network follow the change management process. MLCSU are responsible for updating all relevant Network Security Policies and security operating procedures.
MLCSU are responsible for ensuring that selected hardware or software meets agreed security standards.
Reporting Security Incidents & Weaknesses
All potential security breaches will be investigated by MLCSU and where appropriate reported to the organisation. Security incidents and weaknesses must be reported in accordance with the requirements of the MLCSU's incident reporting procedure.
System Configuration Management
MLCSU will ensure that there is an effective configuration management system for the network.
Business Continuity & Disaster Recovery Plans
MLCSU will ensure that the network is covered by business continuity plans and that disaster recovery plans are produced for the network.
Training Plan
A training needs analysis will be undertaken with Officers affected by this document.
Based on the findings of that analysis appropriate training will be provided to Officers as necessary.
Risk Assessment
MLCSU will carry out security risk assessments in relation to all the business processes covered by this policy. These risk assessments will cover all aspects of the network that are used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability.
Monitoring
An audit trail of system access and data use by staff (where available) shall be maintained and reviewed on a regular basis. The Trust has in place routines to regularly audit compliance with this and other policies. In addition it reserves the right to monitor activity where it suspects that there has been a breach of policy.
The Regulation of Investigatory Powers Act (2000) permits monitoring and recording of employees' electronic communications (including telephone communications) for the following reasons:
- Establishing the existence of facts
- Investigating or detecting unauthorised use of the system
- Preventing or detecting crime
- Ascertaining or demonstrating standards which are achieved or ought to be achieved by persons using the system (quality control and training)
- In the interests of national security
- Ascertaining compliance with regulatory or self-regulatory practices or procedures
- Ensuring the effective operation of the system
Any monitoring will be undertaken in accordance with the above Act and the Human Rights Act.
Compliance
Compliance with the policy and procedures laid down in this document will be monitored by MLCSU, together with independent reviews by both Internal Audit and East Cheshire NHS Trust on a periodic basis.
The MLCSU's Assistant CIO, in conjunction with the Cyber Security Manager, is responsible for the monitoring, revision and updating of this document.
Equality Impact Assessment
This document forms part of Midlands & Lancashire CSU's commitment to create a positive culture of respect for all staff and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religious or other belief, marriage and civil partnership, gender reassignment and pregnancy and maternity), as well as to promote positive practice and value the diversity of all individuals and communities.
As part of its development this document and its impact on equality has been analysed and no detriment identified.
Associated Documentation
This policy should be read in conjunction with the following policies:
- MLCSU IT Policies
- East Cheshire Information Security Policy
- East Cheshire HR Disciplinary Policy
Version Control Tracker
Version Number: 0.1
Date: May 2017
Author Title: Cyber Security Manager
Status: Draft
Comment/Reason for Issue/Approving Body:
Appendix 1 ECT Network Diagram (Redacted)
MDGH N3 and DMZ Connectivity Overview v3 redacted.vsd
Appendix 2 – Firewall Configuration
Not included, but available to view onsite upon request
Appendix 3 Firewall Restrictions
Equality Analysis (Impact assessment)
Please START this assessment BEFORE writing your policy, procedure, proposal, strategy or service so that you can identify any adverse impacts and include action to mitigate these in your finished policy, procedure, proposal, strategy or service. Use it to help you develop fair and equal services.
E.g. if there is an impact on Deaf people, then include in the policy how Deaf people will have equal access.
1. What is being assessed?
Network Security Policy
Details of person responsible for completing the assessment:
Frank Woodall
Cyber Security Manager MLCSU IT
State main purpose or aim of the policy, procedure, proposal, strategy or service:
(usually the first paragraph of what you are writing. Also include details of legislation, guidance, regulations etc which have shaped or informed the document)
This document defines the Network Security Policy for Midlands and Lancashire CSU (East Cheshire NHS Trust). The Network Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support the network.
This document sets out the organisation's policy for the protection of the confidentiality, integrity and availability of the network, establishes the security responsibilities for network security and provides reference to documentation relevant to this policy.
2. Consideration of Data and Research
To carry out the equality analysis you will need to consider information about the people who use the service and the staff that provide it. Think about the information below: how does this apply to your policy, procedure, proposal, strategy or service?
2.1 Give details of RELEVANT information available that gives you an understanding of who will be affected by this document
Cheshire East (CE) covers Eastern Cheshire CCG and South Cheshire CCG. Cheshire West & Chester (CWAC) covers Vale Royal CCG and Cheshire West CCG. In 2011, 370,100 people resided in CE and 329,608 people resided in CWAC.
Age: East Cheshire and South Cheshire CCGs serve a predominantly older population than the national average, with 19.3% aged over 65 (71,400 people) and 2.6% aged over 85 (9,700 people).
Vale Royal CCG's registered population in general has a younger age profile compared to the CWAC average, with 14% aged over 65 (14,561 people) and 2% aged over 85 (2,111 people).
Since the 2001 census the number of over 65s has increased by 26% compared with 20% nationally. The number of over 85s has increased by 35% compared with 24% nationally.
Race:
In 2011, 93.6% of CE residents and 94.7% of CWAC residents were White British.
5.1% of CE residents and 4.9% of CWAC residents were born outside the UK, Poland and India being the most common countries of birth.
3% of CE households have members for whom English is not the main language (11,103 people) and 1.2% of CWAC households have no people for whom English is their main language.
Gypsies & travellers: estimated 18,600 in England in 2011.
Gender: In 2011, c. 49% of the population in both CE and CWAC were male and 51% female. For CE, the assumption from national figures is that 20 per 100,000 are likely to be transgender, and for CWAC 1,500 transgender people will be living in the CWAC area.
Disability:
In 2011, 7.9% of the population in CE and 8.7% in CWAC had a long term health problem or disability.
In CE, there are c. 4,500 people aged 65+ with dementia, and c. 1,430 aged 65+ with dementia in CWAC.
1 in 20 people over 65 has a form of dementia.
Over 10 million (c. 1 in 6) people in the UK have a degree of hearing impairment or deafness.
c. 2 million people in the UK have visual impairment; of these around 365,000 are registered as blind or partially sighted.
In CE, it is estimated that around 7,000 people have learning disabilities and 6,500 people in CWAC.
Mental health: 1 in 4 will have mental health problems at some time in their lives.
Sexual Orientation:
CE: In 2011, the lesbian, gay, bisexual and transgender (LGBT) population in CE was estimated at 18,700, based on assumptions that 5-7% of the population are likely to be lesbian, gay or bisexual and 20 per 100,000 are likely to be transgender (The Lesbian & Gay Foundation).
CWAC: In 2011, the LGBT population in CWAC is unknown, but in 2010 there were c. 20,000 LGB people in the area and as many as 1,500 transgender people residing in CWAC.
Religion/Belief:
The proportion of CE people classing themselves as Christian has fallen from 80.3% in 2001 to 68.9% in 2011, and in CWAC a similar picture from 80.7% to 70.1%; the proportion saying they had no religion doubled in both areas from around 11% to 22%.
Christian: 68.9% of Cheshire East and 70.1% of Cheshire West & Chester
Sikh: 0.07% of Cheshire East and 0.1% of Cheshire West & Chester
Buddhist: 0.24% of Cheshire East and 0.2% of Cheshire West & Chester
Hindu: 0.36% of Cheshire East and 0.2% of Cheshire West & Chester
Jewish: 0.16% of Cheshire East and 0.1% of Cheshire West & Chester
Muslim: 0.66% of Cheshire East and 0.5% of Cheshire West & Chester
Other: 0.29% of Cheshire East and 0.3% of Cheshire West & Chester
None: 22.69% of Cheshire East and 22.0% of Cheshire West & Chester
Not stated: 6.66% of Cheshire East and 6.5% of Cheshire West & Chester
Carers: In 2011, nearly 11% (40,000) of the population in CE are unpaid carers and just over 11% (37,000) of the population in CWAC.
2.2 Evidence of complaints on grounds of discrimination: (Are there any complaints or concerns raised either from patients or staff (grievance) relating to the policy, procedure, proposal, strategy or service or its effects on different groups?)
None
2.3 Does the information gathered from 2.1 – 2.3 indicate any negative impact as a result of this document?
No
3. Assessment of Impact
Now that you have looked at the purpose, etc. of the policy, procedure, proposal, strategy or service (part 1) and looked at the data and research you have (part 2), this section asks you to assess the impact of the policy, procedure, proposal, strategy or service on each of the strands listed below.
RACE:
From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, racial groups differently? Yes [ ] No [X]
Explain your response:
Policy applies to all staff, no impacts identified
GENDER (INCLUDING TRANSGENDER):
From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, different gender groups differently? Yes [ ] No [X]
Explain your response:
Policy applies to all staff, no impacts identified
DISABILITY:
From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, disabled people differently? Yes [ ] No [X]
Explain your response:
Policy applies to all staff, no impacts identified
AGE:
From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, age groups differently? Yes [ ] No [X]
Explain your response:
Policy applies to all staff, no impacts identified
LESBIAN, GAY, BISEXUAL:
From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, lesbian, gay or bisexual groups differently? Yes [ ] No [X]
Explain your response:
Policy applies to all staff, no impacts identified
RELIGION/BELIEF:
From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, religious belief groups differently? Yes [ ] No [X]
Explain your response:
Policy applied to all staff
CARERS:
From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect, carers differently? Yes [ ] No [X]
Explain your response:
Policy applies to all staff, no impacts identified
OTHER: e.g. pregnant women, people in civil partnerships, human rights issues.
From the evidence available does the policy, procedure, proposal, strategy or service affect, or have the potential to affect any other groups differently? Yes [ ] No [X]
Explain your response:
Policy applies to all staff, no impacts identified
4. Safeguarding Assessment - CHILDREN
a. Is there a direct or indirect impact upon children? Yes [ ] No [X]
b. If yes please describe the nature and level of the impact (consideration to be given to all children; children in a specific group or area, or individual children, as well as consideration of impact now or in the future; competing / conflicting impact between different groups of children and young people):
c. If no please describe why there is considered to be no impact / significant impact on children:
Policy applies to staff, who are adults
5. Relevant consultation
Having identified key groups, how have you consulted with them to find out their views and made sure that the policy, procedure, proposal, strategy or service will affect them in the way that you intend? Have you spoken to staff groups, charities, national organisations etc?
None required
6. Date completed: 13 June 2017 Review Date: June 2019
7. Any actions identified: Have you identified any work which you will need to do in the future to ensure that the document has no adverse impact?
Action / Lead / Date to be Achieved: (none recorded)
8. Approval – At this point, you should forward the template to the Trust Equality and Diversity Lead [email protected]
Approved by Trust Equality and Diversity Lead:
Date: 15.6.17