Remote IT Working
Type: Policy
Register No: 09021
Status: Public
Developed in response to: IG Toolkit Best Practice
Contributes to CQC Outcome No: 21

Consulted With (Post/Committee/Group, Name, Date):
IT Operations Manager: Barry Stannard, 22-02-2012
Information Governance Manager: Liz Stewart, 22-02-2012
Health & Safety Manager: Leanne Wilson, 22-02-2012
External Technical Peer Review: Shaun Jeffery MBCS MCMI, Acting Head of ICT, Newham University Hospital NHS Trust, 06-02-2012
Professionally Approved By: Kate Thompson, Head of IT, 01-03-2012

Version Number: 2.0
Issuing Directorate: IT
Ratified by: Document Ratification Group
Ratified on: 22nd March 2012
Trust Executive Sign Off Date: April 2011
Implementation Date: 26th March 2012
Next Review Date: February 2015
Author/Contact for Information: Dave Shrimpton, IT Security Manager
Policy to be followed by (target staff): All Trust Staff, Contractors and Affiliates
Distribution Method: Intranet, Internet
Related Trust Policies (to be read in conjunction with): 08088 Acceptable Use of IT Policy; 07011 Confidentiality Policy

Document Review History (Review No, Reviewed by, Review Date):
1.0 – Added extra detail to section 4: D Shrimpton, 03-08-2010
1.1 – Amendment to Appendix 1: D Shrimpton, 11-07-2011
2.0 – Scheduled Review: D Shrimpton, 02-02-2012
It is the personal responsibility of the individual referring to this document to ensure that they are viewing the latest version, which will always be the document on the intranet.
Index
1. Purpose of Policy
2. Policy
3. Responsibilities
4. Remote Working Procedure
5. Terms & Conditions
6. Provision of Equipment
7. Health & Safety
8. Monitoring
9. Communications
10. Contact Point
11. References
Appendix 1 – Approval for Remote Working Application Form
Appendix 2 – Health & Safety Information
Appendix 3 – IT Security Guide
Appendix 4 – User Connection Instructions
1. Purpose of Policy
1.1 Information and information systems are important corporate assets and it is essential to take all the necessary steps to ensure that they are at all times protected, available and accurate to support the operation and continued success of the Trust.
1.2 The Trust acknowledges that it must demonstrate to third parties our expertise in security technology and in implementing it. To achieve this it is recognised that we must protect our own assets as well as the environment.
1.3 To provide a secure method of promoting flexible working practices.
1.4 To define appropriate remote access and its use by authorised staff.

2. Policy
2.1 Trust employees and authorised third parties (e.g. supplier support) can use remote access connections to gain access to the corporate network. Remote access will be strictly controlled, using one-time password authentication.
2.2 It is the responsibility of employees or authorised third party individuals with remote access privileges to ensure any connection to the Trust is not used by non-employees to gain access to the Trust's information system resources. An employee who is granted remote access privileges must remain constantly aware that any connections between their location and the Trust are literal extensions of the Trust's corporate network, and that they provide a potential path to the company's most sensitive information. The employee and/or authorised third party individual must take every reasonable measure to protect the Trust's assets.
2.3 Any employee found to have violated this policy may be subject to the Trust's Disciplinary Policy.
2.4 The Trust will support staff who, in appropriate circumstances, wish to undertake a part of their work either at home or from a remote location. As such, the Trust wishes to promote flexible working practices, reduce unnecessary travel and give staff more control over their working lives. This policy covers all aspects of working practice for members of staff undertaking work outside their conventional workplace.
2.5 IT systems may develop over time, which may involve changes in the equipment supplied. This policy covers all current and future equipment and procedures.
2.6 All breaches are to be deemed Serious Untoward Incidents and investigated under that policy.
3. Responsibilities
3.1 Head of IT
• Ensure availability of appropriate equipment
• Has the authority to remove any remote working facility from any member of staff who is not adhering to policies and is putting the Trust IT facilities at risk
3.2 IT Security Manager
• Provide up to date advice to Head of IT on the most appropriate and secure methods of home working
• Has the authority to remove any remote working facility from any member of staff who is not adhering to policies and is putting the Trust IT facilities at risk
• Keep Remote Working policies and procedures current and up to date
3.3 Divisional and Service Leads
• Identify and authorise the staff who require this facility
3.4 Line Managers
• Ensure that remote working is appropriate
• Ensure that all staff working remotely have signed a Health & Safety declaration in relation to the environment that they are working in
• Ensure that all remote workers have read and understood the 08088 Acceptable Use of IT Policy
• Ensure that all remote workers have read and understood the 07011 Confidentiality Policy
• Are responsible for ensuring that all equipment is returned when staff leave the Trust
• Are responsible for notifying helpdesk of all leavers with remote working access so that accounts can be closed
3.5 All Staff
• Abide by all the applicable IT and Information Governance Policies, particularly those relating to Acceptable Use of IT and the Trust's Confidentiality Policy
• Staff must identify themselves to the network by using their own logon credentials
• Maintain a safe working environment and sign the Health & Safety Declaration
• Return all equipment provided when ceasing to undertake remote working for the Trust
3.6 Contractors – Third Party Support
• Abide by all the applicable IT and Information Governance Policies, particularly those relating to Acceptable Use of IT and the Trust's Confidentiality Policy
3.7 Information Governance Group
• Receive and consider all breaches of this policy
4. Remote Working Procedure
4.1 This section outlines the control procedures in place for remote working.
• Remote working must be approved by the employee's line manager
• Connection will only be made to the Trust network via secure broadband access
• Connectivity may be gained by a single entry point that will control access to the network, e.g. firewall and secure ID Token. Users must authenticate to the network by using two-factor authentication, i.e. Secure Token across a broadband line and Trust network user credentials (user name and password)
• Or by using a Trust owned and supplied laptop with IAG installed. Again, users must use their Trust supplied logon credentials
5. Terms and Conditions
5.1 Two-factor credentials must be kept confidential at all times.
5.2 Lost tokens must be reported immediately so accounts can be disabled; this will be documented as a security incident.
5.3 Any agreement on remote working is not permanent and may be brought to an end at any time by the member of staff or the Trust. An authorisation will be based on the needs of the Trust, the job, and the department.
5.4 The authorisation is based on full, written agreement to the Trust's policy on remote working (see Appendix 1) and completion of a satisfactory health and safety risk assessment, which must take into account all foreseeable risk arising from the work activity and at the remote workplace. See Appendix 2.
5.5 The Trust monitors who logs into the network and can monitor which Internet and NHSnet sites are visited by any one user. Access to the remote access server is provided on the understanding that this is understood and accepted.
5.6 Any hardware or software provided by the Trust remains the property of the Trust and shall be returned at the end of the remote working arrangement. Products, documents and other records used and/or developed while working remotely remain the property of and will be available to the Trust. This information is subject to Trust policies regarding confidentiality and access, including the Caldicott recommendations.
5.7 Trust owned software may not be duplicated. Staff working remotely using Trust software must adhere to the manufacturer's licensing agreements.
5.8 The member of staff working remotely is responsible for setting up and maintaining an adequate workspace at the remote workplace and for ensuring that it is maintained to the same standards as apply to the conventional workplace.
5.9 Purchasing and maintenance of appropriate personal office furniture or equipment, e.g. desks, filing cabinets, answering devices, etc., is the responsibility of the member of staff working remotely.
5.10 Remember: You are bound by the "NHS Confidentiality Code of Practice". Ensure you do nothing which would breach this guideline, e.g. displaying confidential/sensitive material in a public place. Examples – on a train, in a coffee shop etc.
6. Provision of Equipment
6.1 The Trust will not provide or maintain a home PC or broadband connection, but will provide the necessary additional equipment to enable remote connection to the Trust's network if necessary and required. This equipment could include:
• An active Token, synchronised to the network to provide once-only passwords for secure login. This may be a "Smartcard" or "RSA" token.
6.2 Laptops are not primarily for home working but for staff who need to regularly move from one workplace to another in the course of their normal work.
6.3 The Trust is not liable or responsible for the support of home equipment except in respect of the equipment and software detailed above and directly relevant to remote access to the Trust's systems.
7. Health and Safety
7.1 The Trust has a duty to ensure that the Display Screen Equipment (DSE) which the Trust owns or uses is constructed, operated and maintained in a manner which ensures the safety of its operatives.
7.2 Knowledge of the minimum Health and Safety requirements for work with DSE is regarded as a basic requirement for all staff defined as a "user" by Mid Essex NHS Trust. This requirement is achieved by the manager responsible ensuring that those persons receive appropriate information and guidance. DSE guidance applies to staff working remotely as well as when working in their conventional workplace. Authorisation for remote working is subject to satisfactory completion of Appendices 1 and 2.
7.3 The DSE Regulations state that "Portable DSE, such as Laptops and Notebook computers, is subject to the DSE Regulations – if it is considered prolonged use." "Prolonged use" shall be two hours or more in a single day or work period. Employees who use a laptop for less than this period are not generally considered to be at risk, though a risk assessment should be carried out to ensure this.
7.4 A laptop that is to be used for two hours or more in a single day or work period should be positioned and used, so far as possible, in the same way as full size equipment. The use of Docking Stations should be encouraged to allow the use of full size equipment.
7.5 The need for a risk assessment still applies and is particularly important. For further risk assessment details and access to the risk assessment for DSE form please refer to the Trust DSE policy.
8. Monitoring
8.1 Any breaches of the policy will be individually considered at the Information Governance Group, who will make recommendations for any amendments that may need to be made to the policy to reduce risk.
8.2 This policy is covered by the IT Monitoring Policy.

9. Communication
9.1 Information Governance will publish this policy on the Trust's intranet and website and notify all staff via Focus.
9.2 The author will notify all heads of services, who will be responsible for ensuring that the policy is cascaded throughout their work areas.

10. Contact Points
All communications regarding Remote Working will be handled by the IT Helpdesk initially.

11. References
ISO/IEC 27001:2005 A.11.7.1
IG Toolkit V9, 9-314
NHS Confidentiality Code of Practice
NHS Information Security Code of Practice
Appendix 1 – Approval for Remote Working
Form must be fully completed.
The member of staff named below has received express approval to work remotely and has read, understood and agrees to the conditions within the Trust's policy on remote working including: Acceptable Use of Information Technology Policy, Confidentiality Policy and IT Security Guidelines (Appendix 3).
I also acknowledge receipt of the VPN Instructions for Users document (Appendix 4).

Equipment being used
Description/Type of Equipment: ..............................................................................
Asset Number: ..............................................................................
Name of applicant: ..............................................................................
Signature: ..............................................................................
Date: ..............................................................................
Line Manager: ..............................................................................
Signature: ..............................................................................
Date: ..............................................................................

An approved remote working application must be kept by the member of staff and a copy sent to the IT Helpdesk.
Appendix 2 – Remote Working: Health and Safety Responsibilities
The Trust cannot accept the responsibility for the health and safety of a remote working environment:
• If the remote site is another Trust or facility providing a service to Mid Essex Hospital Services NHS Trust, the Health and Safety of the user will fall under the remote site's Health and Safety guidelines
• If the remote user is working from home it will be the individual's responsibility to ensure that they conduct any work for the Trust in a safe and practical manner, as they would if situated in an office environment within Mid Essex Hospital Services NHS Trust

The following list is a guide that the Trust recommends a remote user should follow when working from home.

Workplace Environment
• Try to work in an environment where temperature, noise, ventilation and lighting levels are adequate for maintaining your normal level of job performance
• All stairs with four or more steps should be equipped with handrails
• Is all electrical equipment free of recognised hazards that would cause physical harm (frayed wires, bare conductors, loose wires, flexible wires running through walls, exposed wires to the ceiling)?
• Is the environment you have chosen free of obstruction, to permit visibility and movement?
• If you have any filing cabinets and storage closets, are they arranged so drawers and doors do not open into walkways?
• Make sure that any chairs which will be used for work purposes have no loose casters (wheels) and that the rungs and legs of the chairs are sturdy. If possible use an adjustable chair to help with posture when working for any prolonged period of time
• Tidy all phone lines, electrical cords and extension wires so that they are secured under a desk or alongside a skirting board
• Try to keep office space neat, clean and free from clutter that could become a hazard
• Try to keep any floor surfaces in your chosen working environment clean, dry, level and free of worn or frayed seams, and make sure carpets are well secured to the floor
• Ensure you have enough lighting for reading
• Try to have a basic first aid kit in your home
• If you do not have one, fit a smoke alarm
• Try to use an area of the home where you can set up your computer so that the monitor and keyboard are in the correct position for a comfortable and safe working area with plenty of space
• Set the computer up so that you can easily read the text on the screen
• Try to use a document holder
• Make sure you have enough legroom at your desk or chosen working area

The Trust will however take responsibility for equipment that it provides to a remote user and will ensure that it is in full working order when handed over to the user. The Trust will also maintain the equipment while the remote user is under the employment of Mid Essex Hospital Services NHS Trust.
Appendix 3 – IT Security Guidelines
Security is everybody's responsibility
The following document provides a quick guide to IT Security. Please ensure that you have read the full Information Security Policies located on the Trust's Intranet and Internet sites.
In case of an IT Security Incident, whether actual or suspected, in the first instance please contact the IT Helpdesk on 01245 515000 (x5000) or email support@meht.nhs.uk and infosec@meht.nhs.uk
• Never disclose your password to anyone. Password sharing so other individuals can access your account may lead to disciplinary action. Remember, you are responsible for network activity under your username.
• Always refuse to use another employee's username/password if you are asked.
• Ensure your password is not guessable (at least 8 characters using a combination of letters, numbers and symbols).
• Never write down your password.
• When you leave your PC ensure that you 'lock' it by pressing Control, Alt and Delete (on the keyboard) and selecting 'Lock Computer'. You should not wait for the screen saver to start for the PC to lock. Remember, you are responsible for network activity under your username.
• Only IT Hardware purchased, supplied and supported by the Trust can be connected to the network, e.g. you must not connect your home laptop or your home PDA to the network.
• Do not save confidential files to the C: drive of any PC or unencrypted laptop. It could be accessed by another party and will not be backed up, and if lost cannot be recovered.
• Do not save confidential/sensitive files on a USB Memory stick, unless it is a Trust supplied encrypted memory stick.
• Password protection in Microsoft Applications is not secure and can easily be 'hacked'. Do not rely on this to protect documents.
• Do not send confidential data on portable media unless it is encrypted and you have management approval. For further advice on portable and removable storage please see 08064 Encryption Policy on the Intranet.
• Do not leave laptops, BlackBerrys or PDAs unattended in a public place and ensure that they are secure in transit, e.g. locked in the boot of your car and not on view. Do not leave the mobile device unattended in the car – take it with you.
• The security of all portable hardware is the responsibility of the user.
• Only emails sent from nhs.net to nhs.net should be used for patient identifiable information, as they are automatically encrypted and can be guaranteed safe and secure.
• No sensitive or business confidential material should be sent to a public Internet address like firstname.lastname@somewhere.com
• Do not email work documents to your home email address. Do not produce/edit work documents on your home PC. If you do have a remote working requirement you should use a Trust supplied and encrypted work laptop and a secure access token. Please speak to your line manager in the first instance and refer to 09021 Remote Working Policy.
• Do not connect any non-approved USB equipment to any Trust PC or laptop.
• You are bound by the "NHS Confidentiality Code of Practice". Ensure you do nothing which would breach this guideline, e.g. displaying confidential/sensitive material in a public place. Examples – on a train, in a coffee shop etc.
The Trust's management maintains the right to monitor and review Internet use, e-mail communications sent or received and data stored by users as necessary.
Appendix 4 – VPN Instructions for Users
First you will have to turn off your Internet proxy settings to enable your Internet Explorer to work from your home connection:
1. Under "Tools" in the browser tool bar select "Internet Options".
2. In the "Internet Options" window that pops up, click the "Connections" tab at the top.
3. Click "LAN Settings" near the bottom of the "Connections" section.
4. If the "Proxy server" checkbox is marked with a check, click it to deselect/uncheck it.
5. See image below:
(Image shown is from Internet Explorer 6)
6. Click "Ok" to close the "Local Area Network (LAN) Settings" window.
7. Click "Ok" to close the "Internet Options" window.

Now connecting to our network:
1. Double click on the Cisco AnyConnect icon that's on the desktop.
2. Click 'select' as per the screenshot below.
3. Just after this insert your Smart Card into your Smart Card reader. You will be prompted to enter your Smart Card PIN number. Click 'Yes' to any prompts that you may get.
You should then find that you are connected to the network as if you were in the office.
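The proxy steps above are a manual walkthrough of the Internet Explorer dialogs. As an added example, not part of the Trust's document or its IT team's tooling, the following PowerShell script performs the same toggle from the per-user Internet Settings registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, values ProxyEnable and ProxyServer) and, because the corporate proxy setting has to be put back when the laptop returns to the Trust network, saves the current values before changing anything. The backup file location and the function names are assumptions made for illustration.

```powershell
# Added example (not the Trust's own script). Records the current Internet
# Explorer proxy setting before disabling it for a home connection, so the
# corporate setting can be restored afterwards instead of being lost.
$regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$backup  = Join-Path $env:USERPROFILE 'ie-proxy-backup.json'   # assumed location

function Save-ProxySetting {
    # Snapshot ProxyEnable (DWORD, 1 = on) and ProxyServer (host:port) to JSON.
    $p = Get-ItemProperty -Path $regPath
    [pscustomobject]@{
        ProxyEnable = [int]$p.ProxyEnable
        ProxyServer = [string]$p.ProxyServer
    } | ConvertTo-Json | Set-Content -Path $backup
}

function Disable-Proxy {
    # Equivalent of unticking "Proxy server" in LAN Settings, with a backup first.
    Save-ProxySetting
    Set-ItemProperty -Path $regPath -Name ProxyEnable -Value 0 -Type DWord
}

function Restore-ProxySetting {
    # Put the saved corporate proxy setting back when reconnecting on site.
    if (-not (Test-Path $backup)) { throw "No backup found at $backup" }
    $saved = Get-Content -Path $backup -Raw | ConvertFrom-Json
    Set-ItemProperty -Path $regPath -Name ProxyEnable -Value ([int]$saved.ProxyEnable) -Type DWord
    if ($saved.ProxyServer) {
        Set-ItemProperty -Path $regPath -Name ProxyServer -Value $saved.ProxyServer
    }
}

function Show-ProxyState {
    # Quick check a user (or helpdesk) can run before calling the VPN client.
    $p = Get-ItemProperty -Path $regPath
    if ($p.ProxyEnable -eq 1) { "Proxy ENABLED: $($p.ProxyServer)" }
    else                      { "Proxy disabled (direct connection)" }
}

# Usage: run Disable-Proxy before connecting from home, Restore-ProxySetting
# when back on the Trust network; Show-ProxyState confirms the current state.
Show-ProxyState
```

Internet Explorer reads these values when it opens, so close and reopen the browser after either change; the script only alters the current user's profile and does not touch the Cisco AnyConnect or Smart Card steps that follow.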