Document No: IG10e
Version: 1.1
Name of Procedure: Remote Access Risk Assessment
Author: Lauren Hamill, Information Governance Officer
Release Date:
Review Date:

Version Control

Version | Release Date | Author/Reviewer | Changes (Please identify page no.)
1.0     | 2012         | L. Hamill       |
1.1     |              | L. Hamill       | Change of format.

This document supersedes all previous issues.

Contents

1. Introduction
2. Purpose
3. Scope
4. Using the Risk Assessment Questionnaire
Appendix 1 – Remote Access Risk Assessment Questionnaire

1. Introduction

Remote access is an increasingly common way for suppliers to maintain our software, systems and equipment, and for the Trust to provide regulatory data to third party organisations. It does, however, pose a number of distinct security issues which must be thoroughly addressed at the outset to ensure that our networks and data remain secure and are used appropriately.

2. Purpose

As part of Information Governance requirements, and to ensure the security and confidentiality of Trust data, the Trust is required to assess the risks associated with third party access to the Trust’s systems and the data stored within them, as well as any related transfers of data from those systems. The purpose of this procedure and the accompanying assessment is therefore to ensure that such a risk assessment is carried out and that remote access is granted only where it is appropriate and secure to do so.

3. Scope

The assessment at Appendix 1 should be used whenever a new Third Party being engaged requires remote access to Trust networks or equipment.

4. Using the Assessment Questionnaire

It is the responsibility of the relevant IAO, Supplies or Projects (as appropriate) to ensure that the assessment is completed by the supplier and that any necessary information from the IT department is collected before any remote access is granted.

The completed assessment questionnaire will be reviewed and approved by the Information Governance Team and the Information Security Manager. A copy of the signed form will then be returned to the Supplies contact, Projects contact or relevant IAO/IAA, as appropriate, to confirm approval. The Information Governance Team and/or Information Security Manager may include comments or recommendations, and may approve the assessment on condition that those recommendations are in place before any remote access is granted. It is the responsibility of the Supplies contact, Projects contact and/or relevant IAO/IAA, as appropriate, to ensure that any such recommendations are met by the Third Party.

The remote access should also be logged on the relevant IAO’s Information Risk Management Tool.

Appendix 1 – Third Party Due Diligence Assessment

Organisation Name:
Organisation Address:
Service Provided:

Organisation Contact
  Name:
  Title:
  Department / Location:
  Telephone:
  Email:

Project Manager / Supplies Contact
  Name:
  Title:
  Department:
  Telephone:
  Email:

Information Asset Owner (IAO)
  (All systems/assets must have an Information Asset Owner. IAOs are normally the Assistant Divisional Managers and report to the SIRO.)
  Name:
  Title:
  Department:
  Telephone:
  Email:

Information Asset Administrator (IAA)
  (All systems/assets must have an Information Asset Administrator, who reports to the IAO stated above. IAAs are normally System Managers / Project Leads.)
  Name:
  Title:
  Department:
  Telephone:
  Email:

SECTION 1 – TO BE COMPLETED BY THE THIRD PARTY / SUPPLIER

(Please give a Description/Comments entry against each question and tick Yes or No where indicated.)

1. GENERAL
1.1. Please outline the machines/systems supplied or to be supplied to the Trust.
1.2. Please set out the service provided or to be provided to the Trust in relation to the above machines/systems, and why remote access is required.

2. SYSTEM ACCESS
2.1. Please outline how the system(s) will be accessed, e.g. dial-in, using N3 connection etc.
2.2. Is open access required, i.e. the ability to access the system without the Trust’s prior knowledge or approval (such as using a token system)? Yes / No
2.3. If open access is required, please provide justification as to why such access is required.
2.4. If open access is not required, please outline the intended control mechanisms and procedures for access to be granted, including consent procedures, e.g. token obtained from IT.
2.5. Where prior approval / consent is obtained, please confirm that evidence of this will be kept. Yes / No
2.6. Who will be authorised (within the third party) to access the system(s)?
2.7. Will the system(s) be accessed by anyone situated outside the EEA? Yes / No
2.8. If yes to 2.7, from which countries will the system(s) be accessed?
2.9. Will the system(s) be accessed by anyone situated outside the UK (but within the EEA)? Yes / No
2.10. Please outline the data which is required to be accessed.
2.11. Will access be available to data which is not required, e.g. the ability to access patient data when only equipment performance data is required? Yes / No. If so, what?

3. TESTS & AUDITS
3.1. Will regular testing/auditing be carried out on the access granted (by the Third Party) to ensure that only required data is accessed and/or removed from Trust system(s)? Yes / No
3.2. How often will such tests/audits be carried out?
3.3. Will the results of such tests/audits be provided to the Trust on a regular basis? Yes / No

4. REMOVAL & TRANSFER OF DATA
4.1. Will any data be removed from Trust systems? Yes / No
4.2. If yes, please detail the data to be removed.
4.3. Please provide justification as to why data is required to be removed.
4.4. Will consent/prior approval be sought prior to the removal of any data? Yes / No
4.5. Please outline the intended consent procedures.
4.6. Where prior approval / consent is obtained, please confirm that evidence of this will be kept. Yes / No
4.7. Will the removed data be transferred anywhere outside the EEA? Yes / No
4.8. If yes to 4.7, which countries will the data be transferred to?
4.9. Will the removed data be transferred anywhere outside the UK (but within the EEA)? Yes / No

5. STORAGE & ACCESS TO REMOVED DATA (only relevant if data is to be removed from Trust systems)
5.1. Who will be authorised (within the third party) to access the removed data?
5.2. Will the removed data be accessed by anyone situated outside the EEA? Yes / No
5.3. If yes to 5.2, which countries will the data be accessed from?
5.4. Will the removed data be accessed by anyone situated outside the UK (but within the EEA)? Yes / No
5.5. Please outline how the removed data will be stored, including security controls.
5.6. How long will the removed data be kept for?
5.7. How will the removed data be deleted / destroyed?

SECTION 2 – TO BE COMPLETED BY THE RELEVANT TRUST CONTACT

1. INTERNAL MONITORING
1.1. Will the third party’s access to Trust systems be audited or monitored in any way? Yes / No
1.2. If so, please provide details; if not, please explain why not.

Form completed by:
  Name:
  Title:
  Signature:
  Date:

Information Governance Office Approval:
  Name:
  Title:
  Signature:
  Date:
  Comments/Recommendations:

Information Security Manager Approval:
  Name:
  Title:
  Signature:
  Date:
  Comments/Recommendations: