Document Title Information Security Policy CNTW(O)35 Assurance… · 2020-03-31 · Document Title Information Security Policy Reference Number CNTW(O)35 Lead Officer Lisa Quinn Executive


Document Title: Information Security Policy
Reference Number: CNTW(O)35
Lead Officer: Lisa Quinn, Executive Director of Commissioning and Quality Assurance
Author(s) (name and designation): Jon Gair, Head of Informatics - Infrastructure
Ratified by: Business Delivery Group
Date ratified: March 2019
Implementation Date: March 2019
Date of full implementation: March 2019
Review Date: March 2022
Version number: V05.1

Review and Amendment Log

Version | Type of Change | Date | Description of Change
V05 | Review | Mar 19 |
V05.1 | Review | Oct 19 | Governance changes

This policy supersedes the following document which must now be destroyed:

Document Number | Title
CNTW(O)35 - V05 | Information Security Policy


Information Security Policy

Section Contents Page No.

1 Introduction 1

2 Purpose 1

3 Duties, Accountability and Responsibilities 1

4 Definition of Terms 2

5 Procedure / Process 3

6 Identification of Stakeholders 21

7 Training 21

8 Implementation 21

9 Fair Blame 22

10 Fraud, Bribery and Corruption 22

11 Monitoring Compliance 22

12 Associated Documents 22

13 References 23

Standard Appendices – attached to Policy

A Equality Analysis Screening Toolkit 24

B Training Checklist and Training Needs Analysis 26

C Audit Monitoring Tool 28

D Policy Notification Record Sheet (link)

Practice Guidance Note – Listed separately from the Policy

PGN No: Description

ISEC-PGN-01 Disposal and Destruction of Sensitive Data and Information Assets


Cumbria Northumberland, Tyne and Wear NHS Foundation Trust CNTW(O)35 Information Security Policy – V05.1 Oct 19

1 Introduction

1.1 Cumbria Northumberland Tyne & Wear NHS Foundation Trust (the Trust) recognises the importance of its information, and of the information systems used to transfer, manipulate and store that information, in ensuring business continuity. The security of all information held by the Trust is paramount to the business function.

1.2 Through this Policy, and in line with government legislation, the Trust will identify and adopt structured security procedures for its information systems in accordance with the principles of ISO / IEC 27002:2005, as follows:

To ensure availability: that is, ensure that assets are available as and when required, in line with the Trust's business objectives

To preserve integrity: that is, protect assets from unauthorised or accidental modification, ensuring the accuracy and completeness of the Trust's assets

To preserve confidentiality: that is, protect information from unauthorised access and disclosure.

1.3 Trust staff are bound by the confidentiality and security policies set by the NHS, the Trust and UK legislation, and by the common law duty to maintain the confidentiality of information held and used as part of everyday working practice.

2 Purpose

2.1 The Trust recognises the importance of structured, coherent and secure information systems, and of the associated systems used to manipulate, communicate and store information, in enabling the Trust to conduct its business in a structured and secure manner and in accordance with legal requirements and national and local policies.

2.2 The purpose of this Policy is to prevent the unauthorised disclosure, modification, removal or destruction of information held by the Trust; to ensure adherence to UK law and NHS policy and guidelines; and to prevent disruption to NHS business activities and the potentially distressing consequences of the loss of sensitive information.

3 Duties, Accountability and Responsibilities

Responsibility for implementation and compliance to this Policy lies with the Chief Executive

The Senior Information Risk Owner (SIRO) has delegated responsibility from the Chief Executive. The SIRO is the Executive Director of Commissioning and Quality Assurance

All staff, including agency, temporary, voluntary, support staff and contractors must apply the Information Security Policy in accordance with NHS Information Governance Guidelines;


The Director of Informatics is responsible for ensuring that the Trust has appropriate technical capabilities in order to protect data that is processed;

The Caldicott and Health Informatics Group has responsibility for overseeing day to day compliance with this Policy and for investigating breaches;

Failure to comply with this Policy may endanger the information services of the Trust and may result in disciplinary or criminal action.

4 Definition of Terms

4.1 Information Security is the preservation of the Confidentiality, Integrity and Availability of information.

Confidentiality - ensuring that information is accessible only to those authorised to have access and to prevent unauthorised disclosure.

Integrity - safeguarding the accuracy and completeness of information and information processing.

Availability - ensuring that authorised users have access to information and associated assets when required.

4G: Mobile data technology

BMP: Bitmap picture file

CLOUD: Internet or externally hosted services

CDA: Compact Disc Audio (music) file

DSPT: Data Security and Protection Toolkit

Encryption: Process of transforming data so that it can only be read by someone holding the corresponding key

FTP: File Transfer Protocol

GIF: Picture file

JPEG: Picture file

LAN: Local Area Network

MP3: MPEG Audio Layer III audio file

OFFICE 365: Microsoft's online collaboration services, accessed over the Internet

N3/HSCN: The NHS backbone network (N3), now replaced by the Health and Social Care Network (HSCN)


PDA: Personal Digital Assistant

PID: Patient Identifiable Information

Secure Token: Device that generates a one-time code used to authenticate its holder

VPN: Virtual Private Network

WAN: Wide Area Network

WMA: Windows Media Audio file

5 Procedure / Process

5.1 This Policy must be read in conjunction with the following Trust Policies, which include detailed Policy statements:

Data Protection Policy CNTW(O)36

Freedom of Information Act Policy CNTW(O)43

Records Management Policy CNTW(O)09

Confidentiality Policy CNTW(O)29

Removable Media Data Encryption Policy CNTW(O)30

Information Risk Policy CNTW(O)62

IT Procurement Policy CNTW(O)63

Visual Imaging and Audio Policy CNTW(O)45

Acceptable Use of Email Policy CNTW(O)44

Registration Authority Policy CNTW(O)57

Safe Fax Guidelines

Trust Incident Reporting Policy CNTW(O)05

Acceptable Use of Intranet and Internet Policy CNTW(O)65

5.2 Definition of Information:

5.2.1 The term Information can be defined as "a collection of facts or data" and for the purpose of this Policy information includes:

Digitally stored information


Transmitted across networks

Information that is retrieved, accessed, transmitted to / received from other organisations using the following mediums

Technical equipment and devices used to store and process information

Fax machines and any other communications media

Printed out or written on paper

Stored on disk, tape or any other electronic, optical and portable media

Images and Recordings on CD, DVD, USB devices, Video and Audio tape

Cloud or any externally hosted services

5.2.2 Appropriate protection is required for all forms of information, and for the devices used to store, process and transmit data, to ensure business continuity and to avoid breaches of the law and of statutory, regulatory or contractual obligations.

5.3 Legal and Regulatory Framework and Guidelines:

5.3.1 The Trust must comply with the following legislation and guidelines. This list is not exhaustive:

Data Protection Act 2018

General Data Protection Regulation (GDPR) 2016

The Freedom of Information Act 2000

The Computer Misuse Act 1990

The Caldicott Guidelines

Confidentiality NHS Code of Practice

Access to Health Records Act 1990

Electronic Communications Act 2000

5.4 End User Responsibility:

5.4.1 Confidentiality and Document Management:


Trust staff have a contractual obligation to keep all confidential information secure, to use it only for the purposes intended, and not to disclose it to any unauthorised third party or other member of staff

Staff must always save data to their network drives, allocated Office 365 areas or My Documents folders. Data stored on the C:\ drive (local hard drive) or on external storage devices will not be backed up automatically

If a document is highly confidential or sensitive in nature, it can be stored in a password protected directory on a shared drive by the management team and there should be an agreed process in place to ensure the appropriate persons can gain access. In all other cases where a manager or individual member of staff wishes to store documentation of this type then they should do so on their individual account.

It should be noted that documents in common directories can be accessed by other employees. Such information should not be saved to external storage devices or hard drives unless it is essential to do so and these devices are encrypted.

Any documents containing any PID (patient identifiable information) must not be saved to the local hard drive (“C” drive), or to USB devices, CD or any other external storage devices, unless they have been encrypted (See Removable Media Data Encryption Policy CNTW(O)30)

Copies of confidential information should only be printed out as necessary, retrieved from the printer immediately and stored or destroyed in an appropriate manner by shredding and / or use of the confidential waste collection system

Documents containing Trust patient / staff information must not be left open on any unattended computer screen. When possible the PC should be positioned to prevent being overlooked

Staff must always logout or lockout their PC when leaving their desk

Under no circumstances must Trust staff copy any personal or multimedia files (e.g. MP3, CDA, WMA, GIF, BMP or JPEG files) that are not Trust related to any local or network drive. If such files are found in Trust staff accounts or on shared drives, this will be classed as computer misuse and may be subject to the Trust's disciplinary process

Only Trust owned IT equipment purchased through the Informatics Department is allowed on the Trust network. Under no circumstances must non Trust owned IT equipment be used on the Trust network or premises unless directed to via the Informatics Department.

Under no circumstances must Trust staff send sensitive or confidential information to personal e-mail accounts. Sensitive or confidential information can be sent between Trust e-mail accounts (i.e. @CNTW.nhs.uk to @CNTW.nhs.uk). Only NHSmail (@nhs.net) accounts can be used when sending sensitive or confidential information outside of the organisation (i.e. @nhs.net to @nhs.net). Where information needs to be sent and there is no secure transmission method, the document itself must be protected with a strong password (upper and lower case letters, numbers and symbols), no sensitive or confidential information may appear in the subject or body of the e-mail, and the password must be passed to the recipient separately rather than in the same e-mail.

Trust staff must not use personal or other organisations' cloud based storage services such as Dropbox, personal OneDrive or Google Drive to store or share sensitive or confidential information. Only Trust provided cloud based storage services should be used.

5.4.2 Network Access:

5.4.2.1 Secure network access is of paramount importance to the Trust and as such the Informatics Department controls the following through network security:

Network account password protection: a network account password change will be requested every 120 days

Screen saver password protection: password protected screen savers will be activated if the computer is idle for 15 minutes

Virus protection and threat protection software: the virus protection systems employed by the Trust will update automatically while the computer is attached to the Trust network, and additional layers of protection will be deployed to provide more proactive protection against security threats.

5.4.3 Password Management:

5.4.3.1 Passwords are confidential information and must be treated as such.

5.4.3.2 A password is only as secure as the person who knows it and as such the following standards must be adhered to:

Keep your passwords safe

Do not disclose them to anyone

You will be forced to change your passwords from time to time for security purposes and in line with NHS Guidelines

5.4.4 Network passwords must be a minimum of 8 characters and must be classed as 'complex', which means passwords must contain at least three of the following four character types:

Uppercase

Lowercase

Numeric (0-9)

Non-alphanumeric character (special characters such as # or &)

To support this requirement and make passwords easier to remember, it is recommended that three random words are joined together, including at least one number and an upper and a lower case letter (e.g. Coffeetrainfish2). Further information and advice is available on the Trust Intranet.
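The rule above is mechanical enough to be checked in code. The following is an added example, not code from the Trust or from CNTW(O)35: it implements the 5.4.4 rule (at least 8 characters, at least three of the four character classes) as a checker, and a generator that follows the policy's own advice of joining three random words with a number and an upper case letter. The word list, the function names (check_password, three_word_password, generator_entropy_bits) and the sample candidates are all constructed here for illustration; a real deployment would draw words from a large list.

```python
"""Added example: checker for the CNTW(O)35 section 5.4.4 password rule and a
generator following its three-random-words advice. Not code from the Trust or
the policy; the word list and function names are constructed here."""
import math
import secrets

MIN_LENGTH = 8      # section 5.4.4: minimum of 8 characters
MIN_CLASSES = 3     # section 5.4.4: at least three of the four classes

# Constructed sample word list for illustration only; a real deployment would
# draw from a list of thousands of words so that guessing is expensive.
SAMPLE_WORDS = ["coffee", "train", "fish", "harbour", "pencil", "meadow",
                "lantern", "copper", "violet", "summit"]


def character_classes(password: str) -> set[str]:
    """Return which of the four policy character classes appear in password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")      # any non-alphanumeric character, e.g. # or &
    return classes


def check_password(password: str) -> tuple[bool, list[str]]:
    """Apply the 5.4.4 rule. Returns (accepted, reasons for rejection)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        present = ", ".join(sorted(classes)) or "none"
        reasons.append(f"only {len(classes)} of 4 character classes ({present}); "
                       f"need at least {MIN_CLASSES}")
    return (not reasons, reasons)


def three_word_password(words: list[str] = SAMPLE_WORDS) -> str:
    """Follow the policy's advice: join three random words, add an upper case
    letter and a digit. Uses the secrets module (not random) for selection."""
    chosen = [secrets.choice(words) for _ in range(3)]
    chosen[0] = chosen[0].capitalize()                    # supplies the upper case class
    return "".join(chosen) + str(secrets.randbelow(10))   # supplies the digit class


def generator_entropy_bits(word_count: int) -> float:
    """Guessing entropy of three_word_password for a given list size:
    three independent word choices plus one decimal digit."""
    return 3 * math.log2(word_count) + math.log2(10)


if __name__ == "__main__":
    for candidate in ["Coffeetrainfish2", "password", "Pa$1", three_word_password()]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
    print(f"entropy with {len(SAMPLE_WORDS)} words: "
          f"{generator_entropy_bits(len(SAMPLE_WORDS)):.1f} bits; "
          f"with 7776 words: {generator_entropy_bits(7776):.1f} bits")
```

Two things the check makes visible: a password such as Password1! satisfies the rule while being an obvious guess, which is why the policy steers users towards the three-words form rather than minimal compliance; and the strength of that form depends entirely on the size of the list the words are drawn from (about 13 bits with the ten constructed words here, about 42 bits with a 7776-word list). The checker enforces the stated rule only and does not replace the directory's own password policy enforcement.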

5.4.4.1 Each user is responsible for maintaining the security of their individual login and password. To this end:

Staff must not share their user name or password with anyone

Passwords must not be written down

If Staff suspect that their password has been compromised they must change their password immediately and contact the Informatics Servicedesk for further advice.

If a breach of security is recorded under your login, the burden of proof will be with you to show that you are not responsible for the breach.

5.4.4.2 All passwords must be changed at regular intervals when requested by the system, at 120 day intervals.

5.4.4.3 If a password is forgotten, self-service options are available as directed by the Informatics Department. The Servicedesk is available where self-service automated processes are not possible.

5.4.5 Email:

5.4.5.1 The Trust employs Electronic Mail (e-mail) to facilitate its business objectives. Detailed terms of use can be found in the Acceptable Use of Email Policy CNTW(O)44.

5.4.5.2 The use of Internet e-mail services such as Hotmail, Gmail etc. is not permitted for business purposes.

5.4.5.3 When communicating patient related data, the minimum amount of patient identifiable information necessary must be used. It is good practice to use the NHS Number to identify the patient. All staff must seek advice from the Information Governance Department on sending confidential information via e-mail.

5.4.5.4 Staff should be aware that both private and business use of e-mail will be subject to monitoring


5.4.6 Viruses:

5.4.6.1 Infection of computers by software viruses is a very real risk. IT staff will implement technical countermeasures, including installing anti-virus software and updating the necessary virus definition files, in an effort to keep pace with the ever-increasing distributors of viruses. However, all of the routes of infection also involve actions by users of computers. The main routes of infection are listed below:

Downloading unauthorised software from the Internet

Viruses hidden in e-mail attachments from untrusted or unexpected sources (the e-mail sender can sometimes be impersonated or "spoofed")

Personal webmail accounts

Insertion of removable media that may have been used outside the Trust into a Trust computer without checking for viruses (e.g. CDs, DVDs, memory sticks / USB memory devices and any other removable media capable of carrying data or programs)

Connecting a laptop or PC that does not have anti-virus software with up to date virus definition files to the Trust's network

5.4.6.2 The Trust network is protected against viruses and other malware via a commercial anti-malware product.

5.4.6.3 The Trust will:

Deploy the anti-virus software appropriately including each new release of the software from the supplier

Set-up facilities to automatically update virus definition files for all computers on the network.

Ensure portable computers etc. are brought back to, or connected to, base for regular updates of virus definition files

Ensure Users are kept aware of the recognition and danger of viruses and anti-virus procedures by regular briefings and publicity

Record occurrences of viruses which result in data loss according to the Trust Incident Reporting Policy and Procedures (management must be made aware that if a major outbreak occurs, all computer facilities may be shut down)

5.4.6.4 Computer viruses, Trojan horses and worms are collectively known as malware. Although the network is protected, staff still have a duty to be vigilant, especially when opening e-mail from unknown sources, and must not attempt to alter or circumvent virus checking or procedures.


5.4.6.5 Staff will:

Not attach personal equipment to the network

Report a suspected attack immediately to the Informatics Servicedesk

5.4.6.6 To ensure that all equipment is adequately protected, the network will be monitored by the Informatics Department.

5.4.7 Internet:

5.4.7.1 The Trust employs the internet as a communications medium to facilitate its business function. Access to the internet is controlled through network security, including login ID and password. Limited personal use is allowed for staff. Full terms and conditions of use can be found in the Acceptable Use of Intranet and Internet Policy CNTW(O)65.

5.4.7.2 Staff should be aware that Internet access will be subject to monitoring

5.4.7.3 Any person or persons accessing the Internet via the Trust's network will be considered to have read, understood and accepted the Information Security Policy.

5.4.7.4 Service Users are not permitted to access the Trust network, other than through a member of staff who will be responsible. The Trust provides facilities such as Keep In Touch (KiT) for in-patient areas and free WiFi to support the safe use of the Internet by service users in community waiting areas.

5.4.7.5 The Internet is not a secure transport medium for information. Under no circumstances must Trust carer / user identifiable information be sent via the Internet unless advice has been requested and permission given by the Information Governance Department.

5.4.8 Clear Desk \ Clear Screen Policy:

5.4.8.1 All information, electronic or paper, and other valuable resources must be secured appropriately when staff are absent from their workplace and at the end of each working day if not working within a 24 hour environment.

5.4.8.2 Whilst at work, staff must not leave patient notes, personal files or any other confidential records unattended on or around the work area. This includes handwritten telephone numbers, names etc. In particular, adhesive notes (Post-its) with telephone numbers must not be left attached to the machine or the work area.

5.4.8.3 Desks must be cleared at the end of each working day (excludes 24hr environments) of any confidential or person identifiable information. Medical records must be locked securely in desks, filing cabinets or rooms at all times unless they are currently in use.

5.4.8.4 Personal items (e.g. keys, handbags, wallets) should be locked away safely in the interests of security. It is the responsibility of the owner to ensure all security precautions are taken.

5.4.8.5 All paper and computer media should be stored in suitable locked cupboards when not in use. It is not sufficient to use a portable locking box for computer media.

5.4.8.6 Electronic data and equipment will not be treated differently from manual records and equipment, as they contain the same type of confidential and / or personal information. Computing and all other equipment containing data will therefore be treated with the same level of security as paper based resources.

5.4.8.7 Computers and laptops must not be left logged on when unattended, and must be protected by passwords, screensavers and the other controls that are available to all staff within the Trust.

5.4.8.8 Screens must be locked by the user when leaving their computer, irrespective of the amount of time spent away from the unattended screen.

5.4.8.9 The screen must always be closed, minimised or locked when unauthorised persons are in close proximity to it.

5.4.8.10 Sensitive items such as personal identifiers must be cleared from printers and fax machines immediately on completion. If these are no longer required the items must be shredded or sent for secure disposal.

5.5 Technical Protection:

5.5.1 Portable Media:

5.5.1.1 Full details on the security of portable devices can be found in the Removable Media Data Encryption Policy CNTW(O)30. A summary follows:

5.5.1.2 The Trust employs portable systems to facilitate the Trust's business functions. All portable systems must have adequate protection at all times. This protection must be in the form of:

Password Protection

Secure Physical Storage

Software Encryption

5.5.1.3 Portable devices include, but are not limited to, laptops, PDAs, USB memory sticks, DVDs, CDs, mass storage devices, cameras, camcorders and audio devices.

5.5.1.4 Use of portable hard drives and CD / DVD re-writers must be authorised by the Information Governance Department and used in accordance with the Removable Media Data Encryption Policy.

5.5.1.5 The Trust has a standard USB memory stick, camera, camcorder and audio recording device which can be ordered through the Informatics online ordering system on the Trust Intranet.

5.5.2 Mobile Communication Devices:

5.5.2.1 Full details of secure use can be found in the Issue and Use of Mobile Communication Devices Policy CNTW(O)58.

5.5.2.2 The Trust employs smartphone devices to enable remote access to the Trust's e-mail system. These Trust owned devices are managed via central Trust technical controls and policies managed by the Informatics Department. Secure containerised access via personal devices may be available as directed by the Informatics Department.

5.5.2.3 Although encrypted, Smartphones must still be:

Protected by a Password or PIN which is not shared with anyone else.

Kept in a secure place when not being used

Not left unattended while in use

Any loss or theft must be reported to the Informatics Servicedesk as soon as possible

5.6 Infrastructure:

5.6.1 Server and Communications Rooms:

All Trust IT server and communications rooms must be locked at all times. This is for security and health and safety due to the fire prevention systems in use

All non-authorised IT staff, contractors and visitors must be accompanied or monitored at all times while conducting work in the server room by a member of the Informatics Department

If a member of the Informatics department leaves the Trust, any privileged accounts or door access control devices must be disabled immediately. Any generic passwords known by the individual for Internet of Things devices will need to be risk assessed and changed accordingly.

5.6.2 Network Security:

5.6.2.1 The Trust recognises the need for a secure and reliable system to transfer Trust information. To facilitate the transfer of information throughout the Trust, the Trust utilises a private network infrastructure, in turn linked to N3/HSCN.

5.6.2.2 All active network equipment must comply with, but is not limited to, the following standards:

All active network equipment must be password protected


Only members of the Informatics Department will have access to these passwords

All active network equipment must be located in a secure location

All Trust network traffic containing sensitive or confidential data should be secured by encryption in transit (such as TLS, the successor to SSL) or, where the transport cannot be secured, by encrypting the files themselves with a strong cipher such as AES-256 before they are sent. Note that AES is a reversible (symmetric) cipher: anyone holding the key, or the password the key is derived from, can decrypt the file, so that password must be protected as carefully as the data itself.

5.6.3 Physical and Environmental Controls:

5.6.3.1 Secure Areas:

Security perimeters will be used to protect areas that contain information processing facilities

Secure areas will be protected by appropriate entry controls to ensure that only authorised personnel are allowed access

Physical security for offices, rooms and facilities will be designed and applied

Physical protection guidelines for working in secure areas will be designed and applied

5.6.4 Equipment Security:

5.6.4.1 Guidance has been produced for the siting and protection of equipment to reduce the risks from environmental hazards and unauthorised access

Data storage is protected from power failures where appropriate e.g. UPS. This will be monitored and tested by the Informatics Department

Security procedures and controls are used to secure equipment used outside Trust premises

All items of equipment containing storage media should be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal. This should be done via the Informatics Department

Equipment, information or software should not be taken off-site without prior authorisation from a line manager

PCs, printers and laptops will be asset marked and entered on an asset register by the Informatics Servicedesk

5.6.5 Environmental Controls:

5.6.5.1 Adequate fire protection and detection is provided.


Adequate protection is provided to protect against the risk of water damage

Where appropriate, buildings are protected against lightning strikes

Where appropriate, protection is provided against pest damage

Heating, ventilation and air conditioning equipment is used where appropriate to control the temperature and humidity levels for key IT equipment

5.6.6 Asset Management:

An inventory will be maintained for all IT equipment by the Informatics Servicedesk

An inventory will be maintained of all software by the Informatics Servicedesk (e.g. application / system software, development tools, utilities)

All information and assets associated with information processing facilities have an Information Asset Owner (IAO) who is responsible for ensuring the security of that system (see Information Risk Policy CNTW(O)55). The IAOs will report known risks to the SIRO

5.6.7 Remote Access:

5.6.7.1 It is recognised that Trust staff need to access data at the point of patient care, which is reflected in the remote access solutions that have been provided by the organisation.

5.6.7.2 Trust approved solutions include an automatic secure connection back to the Trust network. Devices can therefore be safely connected to personal or public Internet WiFi networks, as well as to the Trust provided 4G mobile connectivity built into the device.

5.6.7.3 When using this remote access technology, it is important that staff:

Only use a device in a safe area where other individuals do not have a view of the screen. Special care needs to be taken in public areas such as coffee shops.

Are aware of 4G mobile usage: Trust devices must not be used to consume media streaming services such as Netflix, which could have a considerable financial implication in network usage charges.

5.6.7.4 Staff must not use personally owned equipment to store and process Trust data

unless via an approved Trust solutions where technical security controls can be mandated.

5.6.8 (Third Party) Remote Access:

5.6.8.1 If third party suppliers are used to carry out functions which may give access to Trust data, the Trust must consider:


Conducting good due diligence to assess their policies and procedures, including recruitment, security and levels of service

Understanding how they will treat the data

Monitoring and supervising their access to Trust systems or data

Using secure internet links, encryption, and registered or recorded mail when transferring data to third parties

Having the supplier complete the Third Party Supplier Data Security and Protection Toolkit (DSPT) Self-Assessment

Completing a Data Protection Impact Assessment (DPIA) and considering any third party processor agreements in collaboration with the IG Department

Inclusion of Trust and Supplier responsibilities in the SLA / Contract

5.6.8.2 Where third parties require direct access to the Trust network to provide applications or remote software and hardware support, this access must be provided via remote access solutions managed by the Informatics Department.

5.6.9 Cloud Based Services

5.6.9.1 The Trust is more readily supporting the use of Cloud or Internet based services in light of the government's 'Cloud First' policy, which allows a more dynamic and scalable approach to Trust requirements. It is important to ensure that the security of Trust data is not compromised by the use of these services, which is reflected in the level of due diligence required. Any cloud system must be assessed in accordance with GDPR / DSPT requirements and signed off by the SIRO / Caldicott Guardian before use.

5.6.9.2 In addition to the checks already listed under Third Party Remote Access above, the following must also be considered:

Review of the Data Protection Registration held by the supplier with the Information Commissioner, in relation to the data that will be held

Review of any third party security accreditations, such as ISO/IEC 27001 certification

5.6.10 Access to National Applications:

5.6.10.1 Access to most national applications will be via a smartcard (see Registration Authority Policy CNTW(O)57).

5.6.10.2 Smartcards will only be issued to people who have been sponsored for access to national applications and for whom the Trust Registration Authority has set up and issued the smartcard.


5.6.10.3 All smartcard holders must comply with the following requirements (this list is not exhaustive):

The issued smartcard must not be used for anything other than access to the national applications

All smartcards must be kept in a safe place at all times

Never give your smartcard passcode (PIN) to any other person

5.6.11 New IT Systems:

5.6.11.1 To support business continuity the Trust will from time to time implement new systems or update old systems. Any new IT based system installed on the Trust network, or any standalone system, must be implemented as part of a recognised and structured IT project using an appropriate project management methodology.

5.6.11.2 Any IT based system requested by a department must be procured in collaboration with the Informatics Department. This ensures that the correct procedures are followed for the integration of new systems with regard to the location, protection and backup of any information produced or stored on or by them. Any request should be directed to the IT Services Helpdesk in the first instance (see IT Procurement Policy CNTW(O)63).

5.6.11.3 A Data Protection Impact Assessment (DPIA) is a tool to help identify and reduce or remove data privacy risks before a new system is integrated. The DPIA process has been designed for use within CNTW settings and demonstrates compliance with Data Protection law (see Data Protection Impact Assessment Practice Guidance Note DPP-PGN-03, part of Data Protection Policy CNTW(O)36).

5.6.11.4 There is a requirement for the creation and maintenance of a system level security policy (SLSP) to ensure controls meet audit requirements. Information Governance should be contacted to assist with the completion of an SLSP.

5.6.12 Access Control:

5.6.12.1 The Trust employs many different systems to facilitate its business functions. Most systems have different access levels, which may give users access to different levels of confidential information or access at an administrative level. The Trust reserves the right to add, remove or change access to applications or systems to facilitate the Trust's business functions.

5.6.12.2 Access levels to Trust systems will be maintained by the Informatics Department through the Informatics Servicedesk, using a secure and structured approach.

5.6.12.3 This allows for a clear and concise audit trail of all access requests. Access to systems outside the administrative control of the Informatics Department will be controlled by the Information Asset Administrators (IAAs), on behalf of the Information Asset Owners (IAOs) supporting those systems. Requests for access or change of access must be authorised through these channels.

5.6.13 Safe Haven:

Safe Haven Faxing should be carried out in accordance with the Safe Fax Guidelines available on the Intranet

5.6.14 Disposal of IT Equipment and Media:

The Trust will dispose of its assets in a controlled and secure manner and in line with the CFH guidance document. A summary of this document is available on the Information Governance and Caldicott Guidance pages on the Intranet at the following link:

Disposal and Destruction of Sensitive Data - Information Assets

5.6.14.1 All obsolete IT equipment must be disposed of via the Informatics Department.

5.6.15 Network Account Management:

All IT network accounts will be created via Informatics Servicedesk services.

Staff should be encouraged to make use of self service solutions such as password reset where possible, and to keep their contact card information on the Intranet up to date so that this automated service can reach them.

Regular network audits will be conducted to check that account assignments and user rights are being maintained correctly

Informatics Services will monitor user account usage to identify dormant accounts that have not been used for 90 days; these will be disabled

The Trust uses disk quotas (a predefined amount of storage space per computer account)

User accounts must only have the minimum rights assigned to allow the user to conduct Trust business functions

Access to shared files must be requested by the user’s manager

5.6.16 Account Creation:

All new network accounts must be requested via the User Account Creation Tool available on the Intranet.

5.6.17 Account Deletion:

When a member of staff leaves the Trust their line manager must inform the Informatics Servicedesk. The leaver's account must then be disabled immediately and all access rights removed. The disabled account will remain on the network for three months after being disabled.

When an employee leaves, their line manager should discuss with them whether their remaining work should be deleted or transferred to a secure folder so that anyone with legitimate access can retrieve it.
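The three account rules above (5.6.15: disable after 90 days unused; 5.6.17: disable leavers immediately and keep the disabled account for three months) are the kind of check the regular network audits should be able to run mechanically. The following is an added example, not Trust code or part of the original policy. It assumes a CSV export of network accounts in the hypothetical column layout shown inside the block (username, created, last_logon, enabled, disabled_on, leaver); the sample rows are constructed. It treats "three months" as calendar months rather than 90 days, and measures a never-used account from its creation date so that a new starter is not flagged as dormant.

```python
"""Network account lifecycle audit (policy 5.6.15 and 5.6.17).

Added example, not Trust code. It assumes a CSV export of network accounts
in the hypothetical column layout below and applies three policy rules:
  - an enabled account not used for 90 days is flagged for disabling
  - an enabled account belonging to a leaver is flagged as a breach
    (it should have been disabled immediately)
  - a disabled account is flagged for deletion once it has been disabled
    for three calendar months
"""
import calendar
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

DORMANT_DAYS = 90
DISABLED_RETENTION_MONTHS = 3

# Constructed sample export (hypothetical columns); ISO dates, blank = none.
# The export is assumed always to carry a creation date.
SAMPLE_EXPORT = """\
username,created,last_logon,enabled,disabled_on,leaver
jsmith,2018-01-10,2019-10-20,true,,false
abrown,2017-05-02,2019-06-01,true,,false
cjones,2016-09-12,2019-10-25,true,,true
dlee,2015-02-01,2019-03-15,false,2019-05-01,true
ewhite,2014-11-03,2019-09-30,false,2019-10-02,true
fgreen,2019-10-15,,true,,false
ghall,2019-06-01,,true,,false
"""


@dataclass
class Finding:
    username: str
    action: str  # "disable", "delete" or "breach"
    reason: str


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic: the policy says three months, not 90 days.
    The day is clamped to the length of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def _parse_date(value: str) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def audit_accounts(export_csv: str, today: date) -> List[Finding]:
    """Apply the three rules to every row of the export and return findings
    in export order. `today` is a parameter so the audit is reproducible."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["username"]
        enabled = _is_true(row["enabled"])
        leaver = _is_true(row["leaver"])
        created = _parse_date(row["created"])
        last_logon = _parse_date(row["last_logon"])
        disabled_on = _parse_date(row["disabled_on"])

        if enabled and leaver:
            # 5.6.17: the account should have been disabled when the manager
            # notified the Servicedesk; an enabled leaver is a breach.
            findings.append(Finding(user, "breach", "leaver account still enabled"))
            continue

        if enabled:
            # 5.6.15: "not used for 90 days". An account that has never logged
            # on is measured from its creation date, so a new starter's account
            # is not flagged while an old never-used account is.
            reference = last_logon or created
            idle_days = (today - reference).days
            if idle_days >= DORMANT_DAYS:
                what = "last logon" if last_logon else "created, never used"
                findings.append(Finding(user, "disable", f"{what} {idle_days} days ago"))
            continue

        if disabled_on is not None:
            # 5.6.17: disabled accounts are retained for three months, after
            # which they may be removed from the network.
            if today >= add_months(disabled_on, DISABLED_RETENTION_MONTHS):
                findings.append(Finding(user, "delete", f"disabled since {disabled_on}"))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_EXPORT, date(2019, 10, 31)):
        print(f"{f.username:8} {f.action:8} {f.reason}")
```

Run against the constructed export on 31 October 2019 it flags abrown and ghall for disabling, cjones as a leaver still enabled, and dlee for deletion; ewhite stays because its three-month retention has not yet elapsed. The leaver check runs before the dormancy check on purpose: a leaver who logged on yesterday is still a breach, not a healthy account.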

5.7 Risk Management:

5.7.1 The SIRO, supported by the IAOs, the Trust wide Caldicott and Health Informatics Group and the Information Governance Team, will oversee information risk management across the Trust (see Information Risk Policy CNTW(O)55), including the introduction and monitoring of appropriate mechanisms and controls to ensure that:

Information is protected against unauthorised access

Confidentiality of information is assured

Integrity of information is maintained

Regulatory requirements and legislation are met

Information technology systems are used in a manner that prevents the release of information (by accident or by deliberate / criminal act), ensures their safe use and avoids damage to the specific system or any other system to which it is connected

Information that can be used to identify a person including confidential information about that person, business information and confidential business information is restricted to authorised users only

The Informatics Department will ensure that appropriate controls and technical solutions are provided to detect unauthorised information processing activities

Trust Servers will be monitored and information security events will be recorded. Operator logs and fault logging will be used to ensure problems are identified

Audit logs recording user activities, exceptions, and information security events will be produced and kept for up to one year to assist in access control monitoring

Business continuity plans are produced, maintained and tested.

5.8.1 Backup Cycle / Generation:

Data and software backups will be taken at appropriate, timely intervals for on premise user data.


At least three generations / cycles must be kept for important business applications

Backup copies of data will be taken prior to any new software or changes being installed e.g. software fixes, upgrades, new releases

The backup database will be included in the backup process

Alternative backup arrangements should be available.

Data Backups will normally have a data retention of 12 months unless otherwise agreed.
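Two of the rules in 5.8.1 pull in opposite directions: copies are retained for 12 months, but at least three generations must be kept for important business applications. A pruning job that applies the 12-month rule alone will quietly delete the last usable copies of any system whose backup job has stalled for a year. The following is an added example, not Trust code or part of the original policy, showing how a retention planner should combine the two rules and report stalled backup sets before deleting anything. It assumes a backup catalogue represented as a mapping from application name to backup dates (a hypothetical layout; the dates are constructed), and it assumes a one-week freshness threshold for flagging a stalled job, which the policy does not specify.

```python
"""Backup retention planning (policy 5.8.1).

Added example, not Trust code. It assumes a backup catalogue represented as
a mapping from application name to the dates of its backups (a hypothetical
layout) and encodes two rules from 5.8.1 that pull in opposite directions:
copies are retained for 12 months, but at least three generations must be
kept for important business applications, even if they are older than that.
It also reports stalled backup sets before anything is pruned.
"""
import calendar
from datetime import date
from typing import Dict, List, Tuple

RETENTION_MONTHS = 12
MIN_GENERATIONS = 3
MAX_BACKUP_AGE_DAYS = 7  # assumption: newest copy older than a week = stalled job

# Constructed catalogue (hypothetical layout): application -> backup dates, any order.
SAMPLE_CATALOGUE: Dict[str, List[date]] = {
    "rio": [date(2019, 10, 28), date(2018, 9, 1), date(2019, 10, 30),
            date(2018, 10, 15), date(2019, 10, 29)],
    "oracle-financials": [date(2018, 3, 1), date(2018, 6, 1),
                          date(2018, 5, 1), date(2018, 4, 1)],
    "esr": [date(2019, 10, 30)],
}


def retention_cutoff(today: date, months: int) -> date:
    """The date `months` calendar months before `today`, with the day clamped
    to the target month (a cutoff computed on 29 February is 28 February)."""
    month_index = today.month - 1 - months
    year = today.year + month_index // 12
    month = month_index % 12 + 1
    day = min(today.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def plan_pruning(backups: List[date], today: date) -> Tuple[List[date], List[date]]:
    """Split one application's backups into (keep, delete), newest first.

    A copy is kept if it is within the retention window OR it is one of the
    MIN_GENERATIONS newest copies. Applying the 12-month rule alone would
    leave an application whose backup job stalled a year ago with no copies.
    """
    newest_first = sorted(backups, reverse=True)
    cutoff = retention_cutoff(today, RETENTION_MONTHS)
    keep = [b for i, b in enumerate(newest_first)
            if i < MIN_GENERATIONS or b >= cutoff]
    # Both conditions select a prefix of the newest-first list, so `keep` is
    # a prefix too and everything after it is the deletion set.
    delete = newest_first[len(keep):]
    return keep, delete


def stale_backup_sets(catalogue: Dict[str, List[date]], today: date) -> List[str]:
    """Applications whose newest copy is older than MAX_BACKUP_AGE_DAYS (or
    that have no copies at all). These need investigating before pruning
    runs: the three-generation floor preserves old copies, but it cannot
    make them current."""
    return [app for app, copies in catalogue.items()
            if not copies or (today - max(copies)).days > MAX_BACKUP_AGE_DAYS]


if __name__ == "__main__":
    run_date = date(2019, 10, 31)
    print("stale backup sets:", stale_backup_sets(SAMPLE_CATALOGUE, run_date))
    for app, copies in SAMPLE_CATALOGUE.items():
        keep, delete = plan_pruning(copies, run_date)
        print(f"{app}: keep {[str(d) for d in keep]}, delete {[str(d) for d in delete]}")
```

On the constructed catalogue, run on 31 October 2019, rio keeps its three October copies and loses the two from 2018; oracle-financials has had no backup since June 2018, so it is reported as stale and its three newest copies are kept even though all of them are outside the 12-month window. The stale check is reported first so that an operator sees the failed job before the pruning output.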

5.8.2 Tape / Disk Identification:

Backup tapes /disks or virtual disk libraries will be suitably labelled to ensure that an unauthorised person cannot identify the contents.

5.8.3 Checking and Recording of Backups

5.8.3.1 The Informatics Department will maintain a record to reflect:

When the backup was taken

The serial number of the tape / disk used (if applicable)

The volume of data backed up (if applicable)

Name of person checking backups as part of daily checks

Comments as necessary e.g. errors

5.8.3.2 The backup copy will be verified against the original as part of the backup job, where that feature is available in the backup technology.

5.8.4 Secure Storage of Backups (where backup tapes are in use):

On site backup copies will be stored in a suitable location e.g. a fireproof cabinet

Fireproof cabinets used to store backups will be serviced / checked annually

Current backup copies will be stored off site at a secure location, at a sufficient distance to escape any damage from a disaster at the main site

Copies of key master software will be stored off site

Procedures will be established for emergency access to off- site storage


Backup copies will be transported to off-site storage securely

Periodic audits of backup copies and storage locations will be undertaken

Long term storage will be reviewed annually where appropriate

Long term storage media will be rotated and checked for reliability and errors.

5.8.5 Restores:

Backup copies will be regularly tested where practicable to ensure that they can be relied upon for emergency use when necessary

Restore procedures will be regularly checked and tested to ensure that they are effective and that they can be completed within the time allocated in the recovery procedures

Restores will be authorised and documented.

5.9 Business Continuity:

5.9.1 Overview:

The Trust is aware that some form of disaster may occur, and as such, all directorates will implement and regularly update a business continuity management process to counteract interruptions to normal activity and to protect critical processes from the effects of failures or damage to vital services or facilities

The Informatics Department has developed Disaster Recovery Plans for all business critical systems.

Any informatics plans would be used in conjunction with the organisation wide Emergency Preparedness, Resilience and Response Plans available on the Trust Internet:

Emergency Preparedness Resilience and Response - CNTW(O)08


The central component is the major incident response plan.

This plan is key as it provides the initial response to any actual or perceived incident and facilitates the quick assembly of the relevant senior staff to lead the Informatics department and supporting resources in the event of any untoward incident

The level below the major incident response plan consists of more detailed plans to support constituent systems and infrastructure components. In response to a major incident these plans may be invoked individually or collectively to provide an appropriate level of recovery

Finally, the diagram shows links to wider incident planning within the Trust (See Emergency Integrated Incident Plan) and also Business Continuity Plans which are developed within end user departments.

To access the Business Continuity Planning for critical Trust systems please use the link below:

Business Continuity Planning

[Figure: INFORMATICS Disaster Strategy. Components shown: INFORMATICS Major Incident Response Plan; system specific plans for the Rio Clinical Information System, ORACLE Financials, access to office applications and email, Electronic Staff Record (ESR), the Trust-wide network and other supporting systems; links to Trust-wide Major Incident Planning and to end user Business Continuity Planning. Levels labelled Level 1, Level 2, Level 3 (system specific plan) and Level 4 (end user), with Review and Testing applied to the plans.]

6 Identification of Stakeholders

6.1 This is an existing Policy which has only minor changes that do not relate to operational and / or clinical practice; therefore it did not require a full consultation process.

North Locality Care Group

Central Locality Care Group

South Locality Care Group

North Cumbria Locality Care Group


Corporate Decision Team

Business Delivery Group

Safer Care Group

Communications, Finance, IM&T

Commissioning and Quality Assurance

Workforce and Organisational Development

NTW Solutions

Local Negotiating Committee

Medical Directorate

Staff Side

Internal Audit

7 Training

7.1 Training for this Policy is incorporated into the annual Information Governance Training mandated for all staff.

7.2 Where additional training is required it is the responsibility of both managers and staff to ensure that this is undertaken and that attendance is verified and recorded.

8 Implementation

8.1 Taking into consideration all the implications associated with this Policy, it is considered that a target date of March 2019 is achievable for the contents to be implemented across the Trust.

9 Fair Blame

9.1 The Trust is committed to developing an open learning culture. It has endorsed the view that, wherever possible, disciplinary action will not be taken against members of staff who report near misses and adverse incidents, although there may be clearly defined occasions where disciplinary action will be taken.

10 Fraud, Bribery and Corruption

10.1 The Fraud Act 2006 represents an entirely new way of investigating fraud. It is no longer necessary to prove that a person has been deceived. The focus is now on the dishonest behaviour of the suspect and their intent to make a gain or cause a loss.

10.2 The Trust is committed to taking all necessary steps to counter fraud and corruption and works closely with AuditOne, the Trust's external auditors, who have local counter fraud specialists.


11 Monitoring

11.1 Responsibility for monitoring compliance with this Policy locally lies with Directors and Line Managers.

11.2 The Information Governance Team will monitor compliance with this Policy through observation, spot checks and through incident management in line with the Trust Incident Reporting Process.

11.3 Compliance with this policy will be routinely monitored through Internal and External Audit.

11.4 Any compliance issues will be reported to the line managers concerned and may be handled through staff disciplinary processes or contractual arrangements.

11.5 Incident Reporting

11.5.1 All incidents involving the loss of data, whether encrypted or unencrypted, must be reported immediately to the Information Governance Department and dealt with in accordance with the Trust Incident Reporting Procedure (see Trust Policy CNTW(O)05 Incident Reporting and Procedures).

12 Associated Documents

CNTW(O)05 - Incident Policy (including the management of Serious Untoward Incidents and associated practice guidance notes (PGNs))

CNTW(O)09 - Records Management Policy (and associated PGNs)

CNTW(O)29 - Confidentiality Policy (and associated PGN)

CNTW(O)36 - Data Protection Policy

CNTW(O)45 - Visual Imaging and Audio Policy (and associated PGN)

CNTW(O)44 - Acceptable Use of Email Policy (and associated PGN)

CNTW(O)65 - Acceptable Use of Intranet and Internet

CNTW(O)55 - Information Risk Policy

CNTW(O)62 - Information Sharing Policy

CNTW(O)43 - Freedom of Information Act Policy

CNTW(O)58 - Issue and use of Mobile Communication Devices

CNTW(O)30 - Removable Media Data Encryption Policy


CNTW(O)63 - IT Procurement Policy

CNTW(O)57 - Registration Authority Policy

CNTW(O)33 - Risk Management Policy

Remote Access & Webmail Guidelines

Safe Fax Guidelines

13 References

www.ico.gov.uk

Department of Health circulars on Removable Media

Confidentiality NHS Code of Practice

ISO/IEC 27002:2005

The Computer Misuse Act 1990

The Caldicott Guidelines

Copyright, Designs & Patents Act 1988


Appendix A

Equality Analysis Screening Toolkit

Names of Individuals involved in Review: Jon Gair

Date of Initial Screening: March 2019

Review Date: March 2022

Service Area / Locality: Trust-wide

Policy to be analysed: CNTW(O)35 Information Security Policy

Is this policy new or existing? Existing

What are the intended outcomes of this work? Include outline of objectives and function aims

The purpose of the policy is to ensure that the data held by the Trust is secure from unlawful disclosure or loss

Who will be affected? e.g. staff, service users, carers, wider public etc

Staff, service users, carers and the wider public.

Protected Characteristics under the Equality Act 2010. The following characteristics have protection under the Act and therefore require further analysis of the potential impact that the policy may have upon them

Disability N/A

Sex N/A

Race N/A

Age N/A

Gender reassignment (including transgender) N/A

Sexual orientation. N/A

Religion or belief N/A

Marriage and Civil Partnership N/A

Pregnancy and maternity N/A

Carers N/A

Other identified groups N/A

How have you engaged stakeholders in gathering evidence or testing the evidence available?

Through standard policy consultation mechanisms.

How have you engaged stakeholders in testing the policy or programme proposals?


Equality and Diversity Impact Assessment Screening Tool

For each engagement activity, please state who was involved, how and when they were engaged, and the key outputs:

Through standard policy consultation mechanisms.

Summary of Analysis Considering the evidence and engagement activity you listed above please summarise the impact of your work. Consider whether the evidence shows potential for differential impact, if so state whether adverse or positive and for which groups. How you will mitigate any negative impacts. How you will include certain protected groups in services or expand their participation in public life.

N/A

Now consider and detail below how the proposals impact on elimination of discrimination, harassment and victimisation, advance the equality of opportunity and promote good relations between groups. Where there is evidence, address each protected characteristic

Eliminate discrimination, harassment and victimisation

N/A

Advance equality of opportunity N/A

Promote good relations between groups N/A

What is the overall impact?

N/A

Addressing the impact on equalities

N/A

From the outcome of this Screening, have negative impacts been identified for any protected characteristics as defined by the Equality Act 2010? No

If yes, has a Full Impact Assessment been recommended? If not, why not?

Manager’s signature: Jon Gair Date: Mar 2019

Through standard policy consultation mechanisms.


Appendix B Communication and Training Check List for Policies

Key Questions for the accountable committees designing, reviewing or agreeing a new Trust policy

Is this a new policy with new training requirements or a change to an existing policy?

No this is an existing Policy

If it is a change to an existing policy are there changes to the existing model of training delivery? If yes specify below.

N/A

Are the awareness/training needs required to deliver the changes by law, national or local standards or best practice?

Please give specific evidence that identifies the training need, e.g. National Guidance, CQC, NHS Resolutions etc.

Please identify the risks if training does not occur.

In order to comply with national guidance, ISO/IEC 27002:2005 and the legislation listed in the Policy.

Please specify which staff groups need to undertake this awareness/training. Please be specific. It may well be the case that certain groups will require different levels e.g. staff group A requires awareness and staff group B requires training.

It is essential that all staff groups working with confidential / personal data are made aware of the Policy and the personal responsibilities associated with information security

Is there a staff group that should be prioritised for this training / awareness?

It is essential that all staff groups working with confidential / personal data are made aware of the Policy and the personal responsibilities associated with the national directive

Please outline how the training will be delivered. Include who will deliver it and by what method.

The following may be useful to consider: Team brief / e-bulletin of summary; Management cascade; Newsletter / leaflets / payslip attachment; Focus groups for those concerned; Local Induction Training; Awareness sessions for those affected by the new policy; Local demonstrations of techniques / equipment with reference documentation; Staff Handbook; Summary for easy reference; Taught Session; E-Learning

Team brief, Trust Bulletin, Intranet, face to face training, E learning, Staff IT Handbook

Please identify a link person who will liaise with the training department to arrange details for the Trust Training Prospectus, Administration needs

Head of Information Governance and Medico – Legal.


Appendix B – continued

Training Needs Analysis

Staff / Professional Group: All staff who work with person identifiable data

Type of training: Training on adherence to Policy

Duration of Training: Depends on individual member of staff

Frequency of Training: Mandated annually

Should any advice be required, please contact: - 0191 245 6777 (Option 1)

Appendix C


Statement Monitoring Tool

The Trust is working towards effective clinical governance and governance systems. To demonstrate effective care delivery and compliance, policy authors are required to set out, using this framework, how monitoring of this policy against auditable standards / key performance indicators will be undertaken.

CNTW(O)35 – Information Security Policy - Monitoring Framework

For each auditable standard / key performance indicator the framework records the frequency, method and person responsible, and where results and any associated action plan will be reported to and monitored (usually via the relevant Governance Group).

1. Network Security Audit
Frequency / Method / Person Responsible: Performed annually by Internal Audit. Will be noted in the Audit actions paper to CHIG and the Trust wide audit committee.
Reported to and monitored by: Caldicott & Health Informatics Group or Trust wide audit committee.

2. The most current version of anti-virus software will be available on all Trust computers
Frequency / Method / Person Responsible: Informatics will carry out regular reviews of anti-virus software and will supply evidence for the DSP Toolkit, whose final submission is reported annually through the CHIG.
Reported to and monitored by: DSP Toolkit / Caldicott & Health Informatics Group

3. Leaver accounts must be disabled as per Trust Policy
Frequency / Method / Person Responsible: Regular reviews of inactive accounts and leavers will be carried out by the Systems Admin team. The results of the spot checks will be used as evidence for the DSP Toolkit, whose final submission is reported annually through the CHIG.
Reported to and monitored by: DSP Toolkit / Caldicott & Health Informatics Group

4. Disposal of IT Equipment / media will be in a controlled and secure manner
Frequency / Method / Person Responsible: The IG Team will carry out an audit to ensure that the disposal of IT equipment is carried out as per Policy. The results of this audit will be used as evidence for the DSP Toolkit, whose final submission is reported annually through the CHIG.
Reported to and monitored by: DSP Toolkit / Caldicott & Health Informatics Group

5. All incidents or breaches of Policy are reported
Frequency / Method / Person Responsible: Daily reports generated and investigated by Information Governance, and monitored by the IG Incident Management Group.
Reported to and monitored by: IG IMG / Caldicott & Health Informatics Group or relevant governance group

The Author(s) of each Policy is required to complete this monitoring template and ensure that these results are taken to the appropriate reporting governance group as above in line with the frequency set out.