Portable Device, Removable Media and Remote Access Policy
Informatics Policy
Information Governance
(Combined Portable Device Policy, Removable Media Policy and Remote Access Policy)
Document Control
Author/Contact: Pauline Nordoff-Tate, Information Assurance Manager
Document Reference: 4663
Document Impact Assessed: Yes/No
Version: 3
Status: Approved
Publication Date: 25/03/13
Review Date: 25/03/15
Approved by: James Norman, Director of IM&T (Date: 25/03/13)
Ratified by: Information Governance Group (Dates: 28/10/11, 25/03/13)
Distribution: Royal Liverpool and Broadgreen University Hospitals NHS Trust intranet, using SharePoint, which will maintain the policy document in conjunction with each document author.
Please note that the intranet version of this document is the only version that is maintained. Any printed copies should therefore be viewed as “uncontrolled” and, as such, may not necessarily contain the latest updates and amendments.
Royal Liverpool and Broadgreen University Hospitals NHS Trust
Table of Contents
Heading (Page Number)
1.0 Introduction (1)
2.0 Objective (1)
3.0 Scope of Policy (1)
4.0 Policy (2)
4.1 Management of Portable Computer Devices - authorisation (2)
4.2 Equipment (2)
4.3 Operational Risks (3)
4.4 Portable Device System Configuration - passwords (3)
4.5 Encryption (3)
4.6 Antivirus Software (3)
4.7 Asset Tags (3)
4.8 Disposal of Portable Device (4)
4.9 Operation of Portable Devices (4)
4.10 Guidance on the Use of Portable Devices outside of the Trust (4)
4.11 Management of Remote Access - authorisation (4)
4.12 Equipment (5)
4.13 Access Control – authentication and connections (5)
4.14 UAG (6)
4.15 Connection (8)
5.0 Roles and Responsibilities (8)
6.0 Associated documents and references (8)
7.0 Training & Resources (9)
8.0 Monitoring and Audit (10)
8.1 Recording and Monitoring (10)
9.0 Equality and Diversity (10)
9.1 Recording and Monitoring of Equality & Diversity (11)
Appendix 1 – Glossary of terms used in the policy (12)
Appendix 2 – Supply of equipment declaration (13)
Appendix 3 – Document History and Version Control (14)
_____________________________________________________________________________________________
Portable Device, Removable Media and Remote Access Policy
Information Assurance Manager
Royal Liverpool and Broadgreen University Hospitals NHS Trust
1.0 Introduction
This document details the requirements for the use of portable mobile
devices and removable media within the Trust environment, and details
the requirements that must be in place for the secure operation of such
devices.
The Trust recognises the advantages inherent in the utilisation of
portable devices and other handheld devices provided for staff during
the performance of their daily duties. As such, this document provides
guidance on the use of such devices within the Trust environment.
It is also recognised that Remote Access is a valuable method for
employees of the Trust to connect to the Trust’s Network resources,
when geographically removed from the Hospital site.
This document covers the use of all portable computing storage
devices and remote access within the Trust.
This Policy forms part of staff members’ contractual obligations and code of conduct.
2.0 Objective
This document ensures that any use of a portable device, mobile communications or remote access working adheres to the following principles:
- To provide secure access to the Trust’s information systems
- To preserve the integrity, availability and confidentiality of the Trust’s information and information systems
- To manage the risk of serious financial loss, loss of patient and public confidence or other serious business impact which may result from a failure in security
- To comply with all relevant regulatory and legislative requirements (including Data Protection laws) and to ensure that the Trust is adequately protected under computer misuse legislation
- To enable staff to access Trust Network Facilities and any required System from a remote location securely and safely
As part of the provision of Information Management and Technology
services (IM&T) to staff within the Trust, portable computing equipment
may be purchased and used by staff. As such, it is essential that such
devices are covered by appropriate security controls in compliance with
Principle 7 of the Data Protection Act 1998 and ISO27001: Code of
Practice for Information Security.
3.0 Scope of Policy
This policy applies to all staff employed by Royal Liverpool and Broadgreen University Hospitals NHS Trust, including bank, agency and locum staff, students, voluntary staff, contractors and trainees on temporary placement, those holding honorary contracts or subject to the joint working authority with the Liverpool Heart and Chest Hospital.
4.0 Policy
For the purpose of this document, a Portable Device is defined as any device that may synchronise with another computer, and may be any of the following items:
- Laptop, notebook and tablet computers
- Personal Digital Assistants (PDA’s)
- Mobile phones and any other mobile system that may fall into this category, including Blackberry’s
- Voicera Badges
- Wireless Bluetooth Headsets
- Webcams
- Personal Radios (used by the Security Team and ISS)
- Computers on Wheels (COWs) – used in Ward environments
- Floppy disks, USB memory sticks, MP3 players (including iPods), CD’s, DVD’s and any other item that may be utilised to store or transport data.
This list is not to be considered exhaustive. Further guidance may be obtained from the Data Protection Office in relation to what is defined as a portable media device.
4.1 Management of Portable Computer Devices - authorisation
In order to obtain a Portable Device, a request should be made to the
I.T. Department who will then be able to assist the requestor
accordingly.
4.2 Equipment
All devices used for the storage or transportation of data must be procured through the I.T. department. This ensures that the Security Architecture implemented by the Trust is not circumvented and that Trust security practices may be enforced. The use of privately owned, unauthorised devices is strictly prohibited.
Any equipment supplied is owned by the Trust and must not be utilised for any purpose other than work related tasks. Staff must sign and agree a contract on receipt of a device as detailed in Appendix B.
Under no circumstances should person identifiable information or other confidential data be stored on portable media devices not owned by the Trust. All devices used to store person identifiable information or other confidential data will be encrypted. Failure to comply with this policy may result in disciplinary action being taken.
Furthermore, under no circumstances should non Trust owned portable devices be connected to or synchronised with the Trust network.
4.3 Operational Risks
It is accepted that the use of portable devices within the Trust is faced with a number of operational risks:
- Theft or loss of either the entire device or of a removable memory device
- Interception of information during the “synchronisation” process with host systems if wireless or infrared links are used
- Inadvertent transfer of material of a higher protective classification than intended (data leakage)
- Loss of availability from flat batteries
- Accidental damage
This list is intended as a representative sample of the risks faced by portable devices and should not be considered exhaustive.
4.4 Portable Device System Configuration - passwords
All portable devices utilised on RLBUHT business irrespective of
ownership must, where possible, have password authentication.
Passwords must conform to the Trust’s Network Account and
Password Management Policy.
4.5 Encryption
All portable devices must be encrypted to Trust standard: any mobile devices must be password protected; laptops must be encrypted (they can be returned via the IT helpdesk for this to be completed); and any data on a DVD, CD or USB memory stick must be encrypted. Any user owned device utilised to access Trust systems remotely must be encrypted.
Please contact the Information Security Officer on extension 3671 for further information.
4.6 Antivirus Software
Where possible, all portable devices must have the Trust antivirus
software installed. Where this is not possible (due to device limitations),
the PC to which the device synchronises must be owned and
maintained by the Trust in order to ensure that the required antivirus
software is present.
4.7 Asset Tags
All portable devices, where possible, must have an asset tag in order to
ensure that accurate monitoring of the device is possible and that, if
mislaid, the device may be returned to the Trust.
4.8 Disposal of Portable Device
All trust owned portable devices must be returned to the Trust for
secure disposal. A call should be logged with the IT Service desk who
will co-ordinate the request. The portable device, including all
removable memory/media devices, will be securely disposed in
accordance with the Trust Policy requirements.
4.9 Operation of Portable Devices
Only portable devices approved by the Trust may be utilised within the
work environment. The use of personal equipment is not permitted and
any breach of this policy may result in disciplinary action.
All portable devices must be operated in accordance with the Trust’s
policies relating to confidentiality and information security. If it is
essential to have patient/person identifiable information stored within
the device and the device is intended to be removed from Trust
premises, then the Information Security Officer must be consulted prior
to removal to ensure that appropriate security is in place. A member of
the IT Department must authorise and install all software on a portable
device. The installation of unauthorised software is strictly prohibited.
When not in use, the portable device and media should be stored
securely.
All staff utilising portable devices must ensure that any data stored on
the device be backed up onto a Trust network resource to ensure, in
the advent of such incidents as hardware failure, that no data is lost.
This should be performed on each occasion that the device returns to
the Trust. Disk copies and/or backups of data should only be
performed on Trust premises and the copies stored in a secure
location.
4.10 Guidance on the Use of Portable Devices outside of the Trust
When operating a device outside of the Trust environment, the following guidelines must be adhered to:
- The device should never be left unattended at any time
- The device should be stored in a secure location during transit
- The device should be stored in a secure location when not in use and on Trust premises
- All data should be stored in an encrypted format
This list is not exhaustive and all staff are expected to ensure that appropriate measures are taken to secure both the data and devices. Further guidance may be obtained from the Information Security Officer on 3671.
4.11 Management of Remote Access - authorisation
In order to obtain remote access capabilities, authorisation must be obtained from the Directorate Manager and raised with the IT Service Desk.
The relevant Department/Directorate must purchase any equipment and services (e.g. Internet Access) to be used for remote access, as well as the security token, through the IT Service desk, which may require an annual fee to be paid.
4.12 Equipment
Access will only be granted through the use of equipment that is owned
and maintained by the Trust or approved personally-owned computers
that meet the access criteria. Any devices (Trust and personal) which
do not have adequate security in place will have limited or in some
cases no access to remote working. This ensures that the security
architecture implemented by the Trust is not circumvented and that the
Trust’s security practices can be enforced. Remote access must NOT
be initiated from ANY machine that is not Trust owned and maintained.
Any equipment supplied is owned by the Trust and must NOT be used
for any other purpose than that of remote access and any other normal
work related function e.g. Microsoft Office applications and any other
legitimate software installed by IT Support Staff. No software may be
installed upon the machine unless a member of the IT Support Team
performs the install. All staff must complete documentation (Appendix
A) to agree to use the Trust devices in an appropriate way, and must
return the devices on the termination of their contract.
4.13 Access Control – authentication and connections
Any remote access to the Trust Infrastructure will be via a secure
Virtual Private Network (VPN) and the use of a security token.
This will be further supported by the use of User Name and Password
authentication to gain access to network resources.
The Trust accepts that connections of this type may introduce risks that may have a serious business impact; the following are some examples of the potential consequences faced (the list is not exhaustive):
- Unavailability of network, systems or target information
- Degraded performance of remote connections
- Loss or corruption of sensitive data
- Breach of confidentiality
- Loss of or damage to equipment
- Breach of legislation or non-compliance with regulatory or ethical standards.
The equipment utilised for remote access will be configured so that
only the Trust’s network may be accessed. This will be achieved
through the standard network logon prompt that must be entered
before being able to access the machine.
4.14 UAG
Connection can be made via UAG, subject to the following conditions:
- Employees will use secure remote access procedures. This will be enforced through UAG’s pin code access system. Each user will get a pin unique to them which will only work with their Trust user name and password. Employees agree to never disclose their passwords or pin to anyone, particularly to family members if business work is conducted from home.
- Any new remote connection outside of N3 that is configured to access RLBUHT resources via UAG must adhere to the authentication requirements of RLBUHT’s IT department. In addition, all hardware security configurations which are Trust owned must be approved by RLBUHT’s IT department. Any personal devices used to gain remote access via UAG will not go through an approval process, but it is expected that the user will employ reasonable security measures when doing so.
- Employees, contractors, and temporary staff with remote access privileges must ensure that their computers are not connected to any other network while connected to RLBUHT’s network via remote access, with the obvious exception of Internet connectivity.
- In order to avoid confusing official company business with personal communications, employees, contractors, and temporary staff with remote access privileges must never use non-company e-mail accounts (e.g. Hotmail, Yahoo, etc.) to conduct RLBUHT business.
- No employee is to use Internet access through company networks via remote connection for the purpose of illegal transactions, harassment, competitor interests, or obscene behaviour, in accordance with other existing employee policies.
- All remote access connections must include a “time-out” system. In accordance with RLBUHT’s security policies, remote access sessions will time out after 20 minutes of inactivity. Time-outs will require the user to reconnect and re-authenticate in order to re-enter company networks. Should a remote user’s account be inactive for a period of 6 months, access account privileges will be suspended until the IT department is notified.
- If a personally- or company-owned computer or related equipment used for remote access is damaged, lost, or stolen, the authorised user will be responsible for notifying their manager and RLBUHT’s IT department immediately. The RLBUHT IT department will not be responsible for loss/damage/theft of personal devices under any circumstances.
- The remote access user also agrees to immediately report to their manager and RLBUHT’s IT department any incident or suspected incidents of unauthorised access and/or disclosure of company resources, databases, networks, etc.
- The remote access user also agrees to and accepts that his or her access and/or connection to RLBUHT’s networks may be monitored to record dates, times, duration of access, etc., in order to identify unusual usage patterns or other suspicious activity. As with in-house computers, this is done in order to identify accounts/computers that may have been compromised by external parties.
- Supported Technology - All remote access will be centrally managed by RLBUHT’s IT department and will utilise encryption and strong authentication measures.
The following table outlines RLBUHT’s minimum system requirements
for Trust devices. Those who do not meet these requirements must
upgrade their machines, or face being denied remote access privileges.
Personal devices may be used but will not be supported by RLBUHT’s
IT department if they do not function correctly. Only Trust devices will
be supported by the IT Servicedesk.
Minimum system requirements for PC and PC-Compliant Computers:
Operating System: Windows 7
CPU: Intel Dual core
RAM: 2 Gig
Eligible Users - All employees requiring the use of remote access for business purposes must go through an application process that clearly outlines why the access is required and what level of service the employee needs should his/her application be accepted.
This form can be located at:
http://staffintranet/departments_and_services/corporate_services/it/IT_user_forms.aspx
Application forms must be completed fully and submitted to the IT Servicedesk by the requestor’s Ward manager, supervisor, or department head. The person submitting must be a budget holder.
The completed form must be submitted via:
http://servicedesk-contact-us/
Employees may use privately owned connections for business purposes. However, the company’s IT department cannot and will not technically support a third-party ISP connection or hotspot wireless ISP connection. Financial reimbursement for remote access is not the responsibility of the IT department.
4.15 Connection
In order to have remote access capability, the member of staff must have a compatible internet connection, which MUST be purchased by either the Individual Staff Member or by the relevant Department/Directorate.
Connection will be through the use of a secure VPN, connecting to N3.
A connection to the Trust network will then be established with all traffic
passing through the Trust Firewall.
5.0 Roles and Responsibilities
This policy is the responsibility of the Chief Executive who has
delegated responsibility to the Information Assurance Manager.
It is the responsibility of all Divisional and Directorate Managers to
ensure the policy is disseminated to all staff, and that staff have read
and understood the policy.
The IT Department will be responsible for the support and maintenance
of all IT approved portable devices.
All equipment issued by the IT Department will be subject to the normal
Computer administration tools e.g. SMS that are utilised by the IT
Service desk.
All portable device users are responsible for complying with this policy
and associated standards.
Staff must safeguard corporate equipment and information resources
and notify the Trust immediately of any security incidents, loss or theft
of equipment and breaches.
Users must return all relevant equipment on completion of position or
termination of contract to their direct manager who will contact the IT
Security Department on 3671 to arrange collection and re-use of the
device.
6.0 Associated documents and references
ISO27001: The Code of Practice for Information Security Management
Section 11.7.1 states: “…A formal policy shall be in place and appropriate controls shall be adopted to protect against the risks of working with mobile computing facilities, in particular in unprotected environments….”
The Data Protection Act 1998
The Seventh Principle states: “…Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
And
Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.
The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.
Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle
(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
(b) take reasonable steps to ensure compliance with those measures.
Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless
(a) the processing is carried out under a contract
(i) which is made or evidenced in writing, and
(ii) under which the data processor is to act only on instructions from the data controller, and
(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle….”
The Data Protection Act Legal Guidance Seventh Principle further states:
“(i) Taking into account the state of technological development at any time and the cost of implementing any measures, the measures must ensure a level of security appropriate to:
(a) the harm that might result from a breach of security; and
(b) the nature of the data to be protected.
(ii) The data controller must take reasonable steps to ensure the reliability of staff having access to the personal data….”
7.0 Training & Resources
The implementation of policies in this area will be carried out across the Trust by all involved staff and will be led by the Information Governance Manager at the Trust and the Information Security Manager at the HIS.
Reference will be made to this policy during the Data Protection and Information Security Training. Managers will issue the policy to staff as portable device equipment is ordered and ensure they are kept updated at least annually.
8.0 Monitoring and Audit
The Information Governance Group is the Trust Committee with
responsibility for the formulation of information governance policies and
approval of work programmes. This group has senior level
representation from all appropriate areas to ensure the Trust steers this
agenda appropriately.
The Information Governance Toolkit (IGT) will be used by the Trust to
conduct baseline audit and construct action plans for future compliance
with this agenda.
8.1 Recording and Monitoring
The IGT will be used by the Trust to conduct baseline audit, and work programs in the individual areas will be created by adherence to the IGT standards and to the national standards appropriate to the individual field of activity.
Minimum requirement to be monitored: Relevance of policy to Trust needs
Process for monitoring, e.g. audit: Audit / Review
Responsible individual / group / committee: IGG
Frequency of monitoring: Annually
Responsible individual / group / committee for review of results: IGG
Responsible individual / group / committee for development of action plan: IGG
Responsible individual / group / committee for monitoring of action plan and implementation: IGG
9.0 Equality and Diversity
The Trust is committed to an environment that promotes equality and
embraces diversity in its performance as an employer and service
provider. It will adhere to legal and performance requirements and will
mainstream equality and diversity principles through its policies,
procedures and processes. This policy should be implemented with
due regard to this commitment.
To ensure that the implementation of this policy does not have an
adverse impact in response to the requirements of the Equality Act
2010 this policy has been screened for relevance during the policy
development process and a full Equality Impact Analysis conducted
where necessary prior to consultation. The Trust will take remedial
action when necessary to address any unexpected or unwarranted
disparities and monitor practice to ensure that this policy is fairly
implemented.
This policy and procedure can be made available in alternative formats on request including large print, Braille, moon, audio, and different languages. To arrange this please refer to the Trust translation and interpretation policy in the first instance.
The Trust will endeavour to make reasonable adjustments to
accommodate any employee/patient with particular equality and
diversity requirements in implementing this policy and procedure. This
may include accessibility of meeting/appointment venues, providing
translation, arranging an interpreter to attend appointments/meetings,
extending policy timeframes to enable translation to be undertaken, or
assistance with formulating any written statements.
9.1 Recording and Monitoring of Equality & Diversity
The Trust understands the business case for equality and diversity and
will make sure that this is translated into practice. Accordingly, all
policies and procedures will be monitored to ensure their effectiveness.
Monitoring information will be collated, analysed and published on an
annual basis as part of Equality Delivery System. The monitoring will
cover all strands of equality legislation and will meet statutory
employment duties under the Equality Act 2010. Where adverse
impact is identified through the monitoring process the Trust will
investigate and take corrective action to mitigate and prevent any
negative impact.
The information collected for monitoring and reporting purposes will be
treated as confidential and it will not be used for any other purpose.
Appendix 1 – Glossary of terms used in the policy
ISS – Information System Support
UAG – Unified Access Gateway
VPN – Virtual Private Network
Appendix 2 – Supply of equipment declaration
Date: …………………………………………………………………………………
Name: ………………………………………………………………………………..
Contact number/bleep: …………………………………………………………….
Signature: ……………………………………………………………………………
I can confirm that I have today been supplied with an
Encrypted USB stick (or any other device)
device that is the property of the Royal Liverpool and Broadgreen NHST (RLBUHT) which I will use for work purposes only. I have also been provided with a copy of the Portable device, removable media and remote access policy which I will read and adhere to whilst in the employment of RLBUHT.
On completion of my employment with the RLBUHT, I will return the above device to the Trust via my direct manager, who will contact the IT Security Department on 3671 to arrange collection and re-use of the device.
Appendix 3 – Document History and Version Control
Document History
Version 1, 23/04/2009: This Policy combines the previous Portable Device, Removable Media and the Remote Access Policy.
Version 1, 08/12/2010: Minor amendment – appendix A included.
Version 2, 30/09/2011: Policy reviewed and set to Trust standard.
Version 2, 26/10/11: 4.0 include Blackberry’s, 4.8 and 5.0 reference to IT Service desk, 4.12 reference to HIS taken out, Appendix A included in S6 and new Appendix A added.
Version 3, 25/03/2013: Amendments to Sections 4.4, 4.5, 4.8, 4.12 and added UAG information.
Authors (as listed in the Author column of the history table): S Buxton, Information Assurance Manager; Joanne Fitzpatrick; Pauline Nordoff-Tate, Information Assurance Manager/IT Security Manager.
Review Process Prior to Ratification:
Name of Group/Department/Committee and Date:
Information Governance Group (virtual meeting): 31/10/11
Information Governance Group: 25/03/13