Portsmouth Hospitals Procedural ument template by jolinmilioncherie

VIEWS: 2 PAGES: 20

									    ICT PORTABLE COMPUTING & DATA STORAGE DEVICES
                       POLICY




Reference Number                             8.4

Version                                      2

Name of responsible (ratifying) committee    Information Governance Steering Group

Date ratified                                01 June 2011

Document Manager (job title)                 Senior ICT Security Specialist - IPHIS

Date issued                                  March 2007

Review date                                  June 2013

Electronic location                          Management Policies
                                             Trust ICT Security Policy
                                             Trust E-Mail Policy
Related Procedural Documents                 Trust Internet & N3 Usage Policy
                                             Trust Confidentiality: Staff Code of Conduct
                                             Trust Professional Behaviour Guidance
                                             ICT security, disposal of media and equipment, virus, ICT,
                                             security, computer, network, software, hardware, data,
                                             information, media, anti-virus, malicious software, inappropriate
                                             use, back-up, storage, connections, TIA, profiles, email, internet,
                                             portable devices, workstation, laptop, tablet, USB, encryption,
                                             McAfee, SafeBoot, information assurance, confidentiality,
                                             integrity, availability, business continuity, disaster recovery,
                                             incidents, approved access, System Security Policy (SSP),
Key Words (to aid with searching)            portables, notebook, Personal Digital Assistant, (PDA),
                                             handhelds, Security Operating Procedures (SyOps), smart phone,
                                             CD Re-Writer, CD Reader, network connection, Person
                                             Identifiable Data (PID), personal information, patient identifiable,
                                             staff identifiable, anonymised, pseudonymised, Blackberry,
                                             Portablel Computing Devices (PCDs),Passwords, PINs,
                                             removable media, memory devices, PID, Sensitive Electronic
                                             data (SED), WEP, Wireless Protected Access (WPA), WPA2,
                                             WiFi.



ICT Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD May 2011 (review date May 2013)                                Page 1 of 20
CONTENTS

1. INTRODUCTION.......................................................................................................................... 4
2. PURPOSE ................................................................................................................................... 4
3. SCOPE ........................................................................................................................................ 4
4. DEFINITIONS .............................................................................................................................. 4
5. DUTIES AND RESPONSIBILITIES .............................................................................................. 6
6. PROCESS ................................................................................................................................... 7
7. TRAINING REQUIREMENTS .................................................................................................... 11
8. REFERENCES AND ASSOCIATED DOCUMENTATION .......................................................... 11
9. MONITORING COMPLIANCE WITH, AND THE EFFECTIVENESS OF, PROCEDURAL
   DOCUMENTS ............................................................................................................................ 12
Security Operating Procedures ......................................................................................................... 13
APPENDIX B: Portable Computing Devices - Matrix ........................................................................ 15
APPENDIX C: Permissible Devices and Media Connection types for - Personal & Non-Personal
   Information - Protection Levels for Media ................................................................................... 16




ICT Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD May 2011 (review date May 2013)                                                          Page 2 of 20
QUICK REFERENCE GUIDE

For quick reference the guide below is a summary of actions required. This does not negate the
need for the document author and others involved in the process to be aware of and follow the detail
of this policy.

   1. Information stored in Trust computer systems together with the various applications provided
    by these systems are an increasingly valuable corporate asset and it is therefore essential that
    the Confidentiality, Integrity and Availability of all information stored and processed on Trust
    Information Systems together with the services provided by these systems remains protected
    against known and emerging threats.

   2.    Trust IT equipment is provided for Trust ‘business’ use, exceptionally, some limited private
    use may be permitted although this will require specific authorisation and will not include
    personal private commercial use.

   3. Portable Computing and Data Storage Devices are easily misplaced and attractive items to
    thieves those responsible for them must take all necessary precautions to avoid loss, theft or
    damage to them.

   4. To access most IT devices and applications users will be issued with individual user
    credentials (typically username and password); these are issued for their sole use and must not
    be shared with other users. All passwords and PIN must be changed regularly and are to
    protected from disclosure at all times.

   5. All data should normally be stored on network drives to ensure that it is protected from
    accidental deletion by inclusion in the Trusts information back up procedures.

   6. There are specific requirements to protect the electronic transmission of Sensitive Electronic
    Data (including Person Identifiable Data (PID)) which in most cases include the requirement to
    encrypt the data.

   7. Laptops will, by default, be encrypted to protect against inappropriate access to any SED
    they may hold.

   8. The use of Trust Email and Internet/N3 functionality are covered in separate complimentary
    policies available on the Trust Intranet; Email Usage Policy and the Internet and N3 Usage
    Policy.

    9. The use of Portable Computing & Data Storage Devices are subject to both the requirements
    of this policy and the additional requirements contained in the ICT Security Policy.

    10. Disposal of redundant equipment is the responsibility of the ICT Dept and anyone wishing
    to dispose of redundant computer equipment such as, monitors, workstations, keyboards,
    printers, laptops, removable media etc, must contact the ICT service desk to arrange for
    collection and disposal.

   11. Requests for reports or investigations of user activity on Trust IT equipment must only be
    completed by the ICT Security team and will only be undertaken were there is just cause and
    appropriate authority.

      12.      ICT security related incidents are to be reported to the ICT service desk in the first
       instance and, where appropriate, in accordance with the Trust Risk management Process
       including the raising of an Adverse Incident Report.



ICT Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD May 2011 (review date May 2013)                        Page 3 of 20
 1. INTRODUCTION

     Information stored in Trust computer systems together with the various applications provided
     by these systems are an increasingly valuable corporate asset and it is therefore essential that
     the Confidentiality, Integrity and Availability of all information stored and processed on Trust
     Information Systems together with the services provided by these systems remains protected
     against known and emerging threats. The Trust’s provision of healthcare must not be
     jeopardised through any breach, loss, or unavailability of our Information Systems.
     Compliancy with the legal and regulatory framework is mandatory and to fulfil its obligations,
     the Trust must ensure that it preserves the confidentiality and integrity of the information
     entrusted to it whilst enabling effective and appropriate use.

     The Trust aims to continue to take advantage of the many benefits offered by portable
     computing technology. However, this technology presents additional risks which must be
     managed to protect the Trust, its staff, patients and the services and data on which they rely.
     Any user of a portable computing device and/or media (and the devices themselves), storing
     and processing Trust information shall comply with this policy in addition to the more general
     ICT Security Policy.

 2. PURPOSE

     This policy provides specific and detailed instructions that must be followed whilst using,
     transporting and acting as custodian of any Trust procured portable computing and/or data
     storage device, or any other portable computing and/or data storage device approved by the
     ICT Department for use within the Trust business environment. It describes what information
     can be stored and processed on portable computing and data storage devices/media and how
     Personal and Non-personal information must be protected physically and/or electronically.

 3. SCOPE

     This policy applies to all Trust employees who are entrusted with a Trust supplied portable
     computing and data storage device or who use any other portable computing and data storage
     devices for purposes connected with the work of the Trust. This includes voluntary workers
     employed under special contracts and employees of organisations contracted to the Trust. It
     also applies to anyone granted use of any Trust procured portable computing device. All such
     individuals are to read and agree to comply with the Security Operating Procedures contained
     in Appendix A.

     ‘In the event of an infection outbreak, flu pandemic or major incident, the Trust recognises
     that it may not be possible to adhere to all aspects of this document. In such
     circumstances, staff should take advice from the ICT Security Team and all possible action
     must be taken to maintain the confidentiality, integrity and availability of information and IT
     systems whilst maintaining ongoing patient and staff safety’

 4. DEFINITIONS

     Relevant definitions are replicated for ease of reference:




ICT Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD May 2011 (review date May 2013)                          Page 4 of 20
     4.1. Computer Virus. This is a malicious computer program, able to self generate and spread
     prompting a virus attack, which can be launched against one or many machines. A
     characteristic of a computer virus is the “payload” that is usually part of the virus and may be
     activated under certain conditions. Payloads vary from total destruction of all data stored on
     the machine to innocuous “messages”.

     4.2. Portable Computing & Data Storage Devices (PCDs). Technology continues to evolve
     and thus this is not intended to be an exhaustive definition/list however, it includes all battery
     powered and mains adapted personal computing and storage devices such as:

           4.2.1. Laptop;

           4.2.2. Notebook;

           4.2.3. Personal Digital Assistants (PDAs);

           4.2.4. iPODs or other similar devices capable of connecting (whether by a ‘wired’ or
           ‘wireless’ connection) to a computing devices and storing information;

           4.2.5. external portable Hard Disk Drives (HDDs);

           4.2.6. ‘smart’ mobile telephones capable of storing more than a basic ‘phone’ book’ of
           contacts;

           4.2.7. USB Memory or ‘Flash’ Sticks and memory cards, capable of storing information;

           4.2.8. Solid state memory cards capable of storing information and being connected to
           Trust computing devices either by themselves or via another device.

           4.2.9. Media – Supporting storage including:

                  4.2.9.1. Floppy disks;

                  4.2.9.2. CD Disks, both Recordable (CDR*) and Re-Writable (CDRW*),

                  4.2.9.3. DVD/Blueray disks, both Recordable (DVDR*) and Re-Writable
                  (DVDRW*);

                  4.2.9.4. paper output from printers

                  4.2.9.5. Zip Disks and other magnetic tapes capable of recording and storing

                  Note: * CD/DVD RW and CD/DVD R devices store information, typically in optical
                  disk format (CD/DVD/Blueray disk). CD/DVD RW information can be overwritten,
                  but using CD/DVD R storage the information cannot be overwritten or replaced.

     4.3. “Owner” and “Temporary Ownership”. The term “owner” refers to an individual that has
     approval to manage the use and security of a Trust loaned device and/or media. The term
     “owner” does not mean that the person has any property rights to the ICT asset or can lay
     claim to the device. The owner has “Temporary Ownership” of the asset and must return it to
     the Trust issuing authority when the loan period is terminated.




ICT Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD May 2011 (review date May 2013)                         Page 5 of 20
     4.4. Proprietary Computer Anti-Virus Software. This is computer anti-virus software with
     defined support that includes a regular update of virus signature files and which provides an
     electronic defence mechanism against a computing device being infected with a computer
     virus.

     4.5. Sensitive Electronic Data (SED). Is either personal identifiable data or confidential
     business data, the unauthorised disclosure of which could cause the Trust and its employees
     to be in breach of the law and/or cause embarrassment to the Trust, staff and/or patients.

 5. DUTIES AND RESPONSIBILITIES

     Ultimately, responsibility for ICT Security rests with the Chief Executive who has delegated
     this much of this responsibility to the Senior Information Risk Officer. Routinely, the ICT
     Security Team is responsible for developing, managing and implementing ICT Security
     policies/processes on a daily basis. In addition to those responsibilities outlined in the Trust
     ICT Security Policy:

     5.1. The ICT Department will:

           5.1.1. ensure that PCDs issued to users are encrypted as a matter of course unless an
           exceptional case for not doing so has been approved;

           5.1.2. provide advice on implementation of this policy as requested;

           5.1.3. ensure that User access rights are correctly implemented;


     5.2. Line Managers are responsible for ensuring that:

           5.2.1. staff sign to confirm they have received the Trust owned device(s) loaned to
           them;

           5.2.2. staff are issued with, and sign to confirm they have read and understood, the
           relevant Security Operating Procedures;

           5.2.3. staff comply with this policy and associated procedures;

           5.2.4. they take disciplinary action as appropriate against any member of staff in breach
           of this policy;

           5.2.5. notify any suspected breaches of this policy to the ICT Department;

           5.2.6. all Trust devices and supporting media are returned by owners leaving the Trust
           or no longer requiring them;

     5.3. Trust Staff, without exception, must;

           5.3.1. abide by this and associated policies & procedures;

           5.3.2. report any suspected breaches of this policy to their line manager or the ICT
           Department;

           5.3.3. understand that failure to comply with the rules and regulations contained in this
           policy may result in disciplinary action;



ICT Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD May 2011 (review date May 2013)                         Page 6 of 20
 6. PROCESS

     6.1. Issuing of Devices. During the issue of the device, the owner will be instructed to read,
     acknowledge and sign the declaration of compliancy with the Security Operating Procedures at
     Appendix A. A copy of these procedures, including owner’s signature, is to be handed to the
     owner. The signed original must be retained by the line manager for a member of Trust staff,
     and/or the relevant commissioning manager for any other person. In addition, issuing
     procedures, contained in the Trust “Standards of Business Conduct” must be followed.

     6.2. Physical Security. Owners shall accept full responsibility for the security of the device,
     taking necessary precautions to avoid loss, theft or damage. In the event of loss, damage or
     theft, they must report this immediately to their line manager or commissioning manager, ICT
     Helpdesk and the police if appropriate. In particular owners must:
 .
           6.2.1. take all reasonable care to prevent the theft or loss of this device. Any PCD is an
           attractive item and must not be left unattended in a public place or left in vehicles. When
           transporting it, ensure that it is safely stowed out of sight.

           6.2.2. take extra vigilance if using any PCD during journeys on public transport to avoid
           the risk of theft of the device or unauthorised disclosure of Trust stored information by a
           third party “overlooking”.

           6.2.3. not leave the device unattended for any reason whilst working on it unless the
           session is “locked” and it is in a safe working place, not left in an unattended room for
           example. To lock the “session” use the Ctrl>Alt>Del keys and select “Lock Computer”.
           This locks the “session” preventing unauthorised access. Alternatively, Log Out or
           shutdown the device, but in any event, if it is anticipated leaving the device unattended
           for 30 minutes or more it must be ‘Logged Out’ or ‘Shutdown’ to secure the device.

           6.2.4. ensure that other ‘non’ authorised users are not given access to the device or the
           data it contains.

     6.3. Passwords & PIN Codes. Passwords are an integral part of the Access Control
     mechanisms which are enforced by the Operating System, (e.g. Windows). Enforcement
     means that passwords shall be a combination of letters and digits of a pre-determined length
     and combination of characters, typically using the lower case of the keyboard.

     Passwords and/or PINs should not normally be written down, but if unavoidable, are to be
     secured under lock and key at all times and never kept with the device or in an easily
     recognised form. Regular password changes reduce the risk of unauthorised access to the
     machine and therefore passwords must be changed at least every 90 days, but more
     frequently if required.

     6.4. Approved Use. Trust procured devices will be supplied with pre-installed software that
     has been procured by the ICT Department and approved by the Trust. Owners must not
     attempt to install any software including their own privately procured and licensed software
     onto any Trust portable device. Under no circumstances is Trust licensed software to be
     upgraded, deleted or copied by users/owners. Owners are not permitted to attach additional
     unauthorised hardware, with the exception of printers, or in any way change the original
     hardware configuration of the device, without prior approval from the ICT Department.

     6.5. Computer Anti-Virus Software. Trust procured PCDs capable of running Anti Virus
     software will be supplied with it pre-installed. It is the owner’s responsibility to ensure it is
     updated regularly; usually achieved by connecting the device to the Trust network on a regular
     basis. The pre-installed version of Anti-Virus Software is the only approved product that may


ICT Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD May 2011 (review date May 2013)                         Page 7 of 20
     be used to protect the device. Machines regularly connecting to the Trust networks will
     automatically scan and update on connecting. For those devices which are encrypted with the
     SafeBoot/McAfee product failure to connect the device to the network for 90 days will result in
     the device ‘locking’ and becoming unusable until a call is placed with the ICT Service Desk.

     6.6. Storage and Protection of Information. Rules for the storage and protection of Trust
     information are contained in the Trust Confidentiality: Staff Code of Conduct and this policy
     does not detract from it. For ease of reference, a matrix summarising the categories of
     information that can be stored and shared using the various types of devices and media is
     included at Appendix B.

     6.7.    Storage of Data. Data should not normally be saved or stored onto the local drives ie
     the C:\ drive as such storage does not provide any access to data to anyone other the owner
     or user. Data should normally be saved or transferred to network drives ie shared file storage
     areas or the user/owners ‘P:\’ drive. Where data is stored locally owners/users should
     regularly upload the data to network drives and delete data held locally.

     6.8.    Protection of Sensitive Electronic Data (SED)/Encryption. Where departments or
     individuals process, or identify a new requirement to process, SED on Portable Computing
     Devices (PCDs) or Magnetic Media they must do so in accordance with Appendix B of this
     policy and the specific encryption requirements of the relevant part of the ICT Security Policy.

     6.9.  “USB Memory” Devices. SED must not be stored or transferred using any “USB
     Memory” device without prior approval from the ICT Department. Where this usage is
     approved then the data must be protected via an appropriate encryption method. Non-
     personal information may be stored and transferred using “USB Memory” devices. See
     Appendix B and the ICT Security Policy for further requirements.

     6.10. Where it is not possible to encrypt SED the advice of the ICT Security Team is to be
     sought and, where no solution can be found, the risk is to be articulated to the Risk Assurance
     Committee via departmental risk processes and a decision sought as to whether the process
     should continue.


     6.11. The mechanism used to encrypt SED may vary according to the device(s) utilised.
     Wherever possible, built-in encryption products are to be utilised to protect SED with user input
     kept to the minimum. Where no built in encryption mechanism has been designed into the
     system/device or, in the case of existing processes, where the encryption mechanism does not
     meet the current Connecting for Health standards, the advice of the ICT security team is to be
     sought before an encryption mechanism is procured/implemented and prior to commencing
     processing.


     6.12. Where available, only Connecting for Health approved encryption products are to be
     utilised to secure SED. Where no such products exist the advice of the ICT security team is to
     be sought in all cases.


     6.13. A record is to be maintained of all instances where SED cannot be protected by
     encryption as described above. This centralised record is to detail the precise nature of the
     exception and to identify and document a migration path to a secure solution. This migration
     path is to take due regard of the age of the application and/or process and seek to incorporate
     changes to a secure solution within the shortest possible timeframe conversant with the clinical
     need and the nature of any possible solution. The record of exceptions is to be maintained by
     the Information Governance Manager (as part of the Data Flows and Asset registers) and Risk


ICT Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD May 2011 (review date May 2013)                         Page 8 of 20
     Department (where risks should have been considered and accepted by the Risk Action
     Committee)

     6.14. Back Up. In order to make sure that data can be recovered if accidentally deleted or
     corrupted it is essential to ensure that it is routinely ‘backed-up’. The safest method to “back-
     up” information is always accomplished by routinely saving work to a dedicated network area,
     e.g. in the PHT domain, the “QAH Storage Area Network.” During occasions where this is not
     possible and data has been created in a “local profile” (such as by saving it to the Hard Disk
     Drive (HDD) of the device) regular “saves” or automated “saves” are necessary to preserve
     availability of this information. Where and when it is possible, connect the device to the Trust
     network and download locally stored data to the designated Trust network storage area. It is
     advised that information transfers to Trust storage areas should not exceed 14 days. It is
     acknowledged that for registered Trust “Homeworkers” this may not be feasible and approved
     media storage could be the only alternative. For specific advice and guidance on backing- up
     and appropriate data storing, contact the ICT Service Desk.

     6.15. Privately Owned Devices and Media. Privately procured devices and media may not
     normally be used to store, process or transfer Trust information, if there appears to be no
     alternative to such action then prior approval must be sought from the ICT Department. The
     General Rules contained in Appendix A will apply as the Trust’s acceptable use of any
     privately procured portable computing device or media. For example, the device must adhere
     to the General Rules for back up procedures, run Anti Virus protection, comply with Trust
     directed audit and monitoring controls and adequately protect any PID that is processed with
     the use of suitable encryption programs. Owners of privately procured devices will be
     responsible for ensuring that:

           6.15.1. All devices and supporting media will be used in accordance with this policy, the
           Trust’s Confidentiality: Staff Code of Conduct and NHS Confidentiality: Code of Practice.

           6.15.2. Personal information (Patient or Staff identifiable), is NOT stored on any privately
           procured devices and/or media without adequate protection of the data and prior
           approval from the ICT Department.

           6.15.3. They are to be protected by proprietary Anti-Virus Software before processing
           and/or storing Trust information. The Trust Anti-Virus software will not be utilised to
           achieve this requirement.

     Any privately procured and owned device will not be supported or maintained by the ICT
     Department although the Trust reserves the right to investigate Trust business conducted on or
     with such devices.

     6.16. Monitoring Usage/Audit. The Trust may monitor the contents of files stored on Trust
     Devices, irrespective of whether they are for Trust or personal use, in order to detect any
     misuse and identify users not complying with this policy. This ensures the protection of Trust
     patients/staff, its reputation, and compliance with Caldicott and other guidelines.

     6.16. Audit and Monitoring Controls. Trust systems will be capable of logging events that
     have a relevance to potential breaches of security. The minimum retention period for all Event
     Logs is normally one year unless a different period has been agreed with the ICT security team
     and documented in the relevant System Security Policy (SSP). Events that should be logged
     (where appropriate):

             6.16.1. log-on attempts - recording User IDs, dates and times, successes/failures of
             attempts;



ICT Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD May 2011 (review date May 2013)                          Page 9 of 20
             6.16.2.   creation, amendment and deletion of data - recording User IDs, dates and
             times;

             6.16.3. access and use of IT all resources including but not limited to internet and Email
             usage and printer activities.

     6.17. Investigations/Disciplinary Proceedings. The ICT Security team are authorised to
     independently investigate all suspicious, inappropriate or illegal activity involving Trust IT
     equipment and data however it may come to their attention. No other members of staff are
     authorised to conduct such activities involving IT equipment or data unless directed by the ICT
     Security Team.

             6.17.1. In the event of a requirement to investigate user activity or disciplinary
             proceedings being conducted by the Human Resources Department, the ICT Security
             Team will gather and make available all appropriate information from various sources
             to assist the investigator(s);

             6.17.2. In the event that a line manager requests the ICT Dept to provide reports about
             user activity then these will only be completed where authorisation from an appropriate
             senior manager endorses this request. In cases of doubt such requests should be
             supported by the appropriate CSC General Manager or higher. Such requests will
             need to be supported by a clear rationale justifying the suspicions held about a users
             activity (this will be required before any request for an investigation is completed);

             6.16.1.1. Where action has been taken by the ICT Security Team to remove access to
             a user account or data then access to that computer account or data may only be
             granted if appropriate confirmation in writing is forthcoming to the ICT Security Team
             from a senior manager or equivalent (Email is considered written confirmation);

     6.18. Return of Devices. Any owner leaving the Trust or no longer requiring use of a Trust
     procured device must return the device to their line manager and/or the ICT Department. Line
     managers will be responsible for ensuring that any member of their staff having temporary
     ownership of a device has returned it to them or the ICT Department before they leave the
     Trust. All media containing Trust information must be returned for retention or appropriate
     destruction.

     6.19. Internet & Other Public Domain Connections. Trust procured devices are not to
     connect to the Internet and/or other Public Domains without prior approval from the ICT
     Department.

     6.20. Wireless & Cordless Computing Connections. Most of the latest portable devices are
     equipped with “Wireless” and other “Cordless” connection interfaces, but Trust procured
     portables are normally issued with their fitted wireless interfaces disabled. Owners wishing to
     use the wireless interface(s) must request approval from the ICT Department, and subject to
     approval, cordless interfaces will only be enabled with Trust approved protocol settings.

     6.21. When using Wireless the following precautions must be taken:

             6.21.1. Wired Equivalent Privacy (WEP) is considered wholly inadequate to protect the
             processing of Trust data in a wireless environment and must not be used.

             6.21.2. WiFi Protected Access (WPA) is more secure and may be used for processing
             Trust data in a controlled wireless environment. WiFi Protected Access 2 (WPA2) is an
             improved version of WPA incorporating stronger authentication and encryption than its
             predecessor. WPA2 (802.11i) is considered to be the “best we have” method for
             protecting WiFi environments and supporting Trust data processing.        All interface

ICT Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD May 2011 (review date May 2013)                        Page 10 of 20
             cards, wireless access points and the base stations must be configured for WPA2 if it is
             available and in preference to WPA.

             6.21.3. The use of Extensible Authentication Protocol (EAP), Lightweight Extensible
             Authentication Protocol (LEAP) and CISCO Key Integrity Protocol (CKIP) will be
             subject to approval by the ICT Department and each request will be assessed
             individually.

             6.21.4. The Service Set Identifier (SSID) is unique and identifies the type of wireless
             card(s) installed in the machine. It will automatically identify itself to the wireless access
             point and authenticate an information exchange. Microsoft Windows XP™ typically
             leaves this set at a “Broadcast” default setting, but this increases security
             vulnerabilities. To enhance security, SSID’s must be switched off. Any selected SSID
             must be entered manually on each occasion of connecting to the wireless access point.
             The “scan” for connection utility tool is not to be used and a robust password should be
             used to reinforce the authentication.

             6.21.5. Media Access Control (MAC) addresses are to be filtered by setting only those
             MAC addresses that are known and recognised within the controlled wireless
             environment.

             6.21.6. Use of a hardware firewall device is strongly recommended and must be
             properly configured at the access point.

             6.21.7. Wireless communications path must be turned off the when it is not being used.

 7.      TRAINING REQUIREMENTS

      No formal training is available specifically for Trust procured Portable computing devices
      although Induction training covers some basic elements of Information Security training and
      draws attention to relevant policies that all user are expected to read and comply with.
      Members of staff who require training for bespoke applications should request their line
      managers arrange it.

 8.      REFERENCES AND ASSOCIATED DOCUMENTATION

      The Data Protection Act 1998. http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_1

      The Computer Misuse Act 1990.
      http://www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm

      Wireless Telegraphy Act 1949. http://www.legislation.gov.uk/ukpga/Geo6/12-13-
      14/54/contents

      Public Records Act 1958 and 1967. http://www.legislation.gov.uk/ukpga/1967/44

      Civil Evidence Act 1968. http://www.opsi.gov.uk/ACTS/acts1995/Ukpga_19950038_en_1.htm

      Human rights Act 1998. http://www.opsi.gov.uk/acts/acts1998/19980042.htm

      Freedom of Information Act 2000. http://www.legislation.gov.uk/ukpga/2000/36/contents

      The Telecommunications (Lawful business Practice) (Interception of Communications)
      Regulations 2000. http://www.opsi.gov.uk/acts/acts2006/20060011.htm


ICT Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD May 2011 (review date May 2013)                           Page 11 of 20
      The Privacy and Electronic Communications (EC Directive) Regulations 2003.
      http://www.legislation.gov.uk/uksi/2003/2426/contents/made

      The Communications Act 2003. http://www.opsi.gov.uk/acts/acts2003/20030021.htm

      Police and Criminal Justice Act 2006. http://www.opsi.gov.uk/acts/acts2006/20060048.htm

      Regulation of Investigatory Powers Act 2007.
      http://www.opsi.gov.uk/Acts/acts2000/20000023.htm

      ISO/IEC 27001:2005 Information technology -- Security techniques -- Specification for an
      Information Security Management System

 9.      MONITORING COMPLIANCE                  WITH,     AND     THE     EFFECTIVENESS           OF,
         PROCEDURAL DOCUMENTS

            The ICT Department routinely audit and monitor relevant aspects of this policy.

            The ICT Security Team regularly conduct adhoc audits against aspects of this policy.

            ICT security incidents are reported via the Trusts Adverse Event Reporting system.

            The Trust SIRO will receive periodic reports on Information Assurance and associated
             issues from the ICT Security Team.

            The Information Governance Steering Group will receive periodic reports on
             Information Security Incidents and Assurance as required but no less than Bi-annually.

            The Trust internal auditors will conduct regular independent audits against the
             requirements of this policy and industry best practice and report findings appropriately.




ICT Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD May 2011 (review date May 2013)                       Page 12 of 20
            APPENDIX A: Portable Computing & Data Storage Devices –
            Security Operating Procedures
1. Introduction

These Trust Security Operating Procedures contain some of the more important Do’s and Don’ts whilst using Trust
and/or privately procured Portable Computing Devices for storing, processing and transferring Trust information. It
is your responsibility to acknowledge full compliancy with these procedures by signing the declaration below and
agreeing to be bound by them. Failure to comply with any of these procedures may result in a security breach and
disciplinary action being taken.

2.        Your Responsibilities

2.1.      To read and comply with the ICT Security and Portable Computing & Data Storage Devices Policies

2.2.      You must not share or disclose your logon or account details or a logged on session with others.

2.3.      You must not transfer ‘ownership’ of the device without informing your line manager and ICT and ensure
          that you return the device when no longer required or upon leaving employment with the Trust.

2.4.      You must not connect any personal or privately procured hardware peripherals to this device without prior
          approval from the ICT Department. Printers may be connected as a local device, such as a USB or LPT
          port device, but you are advised to seek further advice from the ICT Department.

2.5.      You must take all reasonable care to prevent the theft or loss of this device. Any Portable Computing
          Device is an attractive item and must not be left unattended in a public place or left in vehicles. When
          transporting it, ensure that it is safely stowed out of sight. Use of any device during journeys on public
          transport requires extra vigilance to avoid the risk of theft of the device or unauthorised disclosure of Trust
          stored information by “overlooking”.

2.6.     If you leave the device unattended for any reason, you must “lock” the “session” and make sure it is in a
         safe place, not left in an unattended room for example. To lock the “session” use the Ctrl>Alt>Del keys
         and select “Lock Computer” alternatively, Log Out or shutdown the device, if you anticipate leaving the
         device unattended for 30 minutes or more you must Log Out or Shutdown.

2.7.     Offensive material of a profane or indecent nature is not to be stored on your device. Access to
         pornographic websites is strictly forbidden and viewing of child pornography is against the law. If illegal
         material is stored/viewed using this device, or sent and/or received by E-Mail, the Trust is obliged to inform
         the police and prosecution may follow.

2.8.     Privately procured software is not to be installed on this device.

2.9.     You must keep the pre-installed Anti Virus, Encryption Software, Operating Systems and security patches
         up-to-date (this requires connection to the Trust network ideally at least every 14 days but no more than
         every 90 days. Failure to do so will lock encrypted devices and make them inoperable until they are
         unlocked.

2.10.    Where users wish to a non-Trust WiFi network they are to ensure that it utilises WiFi Protected Access
         (WPA) as a minimum and preferable WPA2 before processing Trust data


Declaration
        I hereby declare that I have read and understood the above Security Operating Procedures (SyOPs) and agree to comply with all of
        the schedules contained herein.

        User:

        Signature……………………………………………………………………Date……………………………………………….

        Name (in print)……………………………………………………………..Dept……………………………………………….



     ICT Portable Computing & Data Storage Devices Policy
     Version 2. Issued: DD May 2011 (review date May 2013)                                             Page 13 of 20
  Job Title…………………………………………………………………….

  Line Manager/ICT Department

  I have issued this Device to the temporary owner (above) and I am satisfied that these Security Operating Procedures (SyOPs)
  have been read and clearly understood by the User.

  Signature…………………………………………………………………..Date……………………………………………

  Name (in print)……………………………………………………………Asset No………………………………………………




ICT Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD May 2011 (review date May 2013)                                         Page 14 of 20
          APPENDIX B: Portable Computing Devices - Matrix

                                                      Categories of Personal & Non-Personal Information and their Definitions


Categories of Information                                                               Definitions for the purposes of this Matrix
                            Information referring to an individual who can be identified, such as patients, health care professionals, other staff members, suppliers and contractors
                            etc. This Person-identifiable information may be physically and/or electronically stored and includes, medical records, personnel records, video –
        Personal
                            image/audio recordings, still digital images, photographs, X-rays that identify an individual. All personal information is to be handled, stored, processed
                            and shared in accordance with the NHS Confidentiality: Code of Practice policy, and releasable on a strictly “Need to Know” basis.
                            Personal information about patients. Patient identifiable information includes patient’s name, address, full postal code, date of birth, pictures,
                            photographs, video and audio tapes, or other images of the patient. NHS number and local patient identifiable codes. In addition, anything else that may
                            be used to identify a patient directly or indirectly. E.g., rare diseases, drug treatments, or statistical analysis, which has very small numbers within a
         Patient
                            small population, may allow individuals to be identified. Such information is stored, processed and entrusted to the safekeeping of the originator and
                            releasable on a strictly “Need to Know” basis. This type of information is to be handled in accordance with the NHS Confidentiality: Code of Practice
                            policy and other associated documentation, e.g. PHT Imaging Consent Policy and Confidentiality: Staff Code of Conduct policy.
                            This type of information differs from ANONYMISED, in that the originator may retain a means of identifying individuals. This is often achieved by
                            allocation of unique codes or other references to information that can only be recognised and linked to the individual by those that hold the unique codes
     Pseudonymised          of references. PSEUDONYMISATION allows information about the same individual to be linked, and in a way that the “true” ANONYMISATION does
                            not. Normally used to share information about individuals without revealing the individual’s identity. This information is to be handled in accordance with
                            the NHS Confidentiality: Code of Practice policy and other associated documentation, e.g. PHT Confidentiality: Staff Code of Conduct.
                            Personal Information about staff. Staff identifiable information includes individual’s name, address, full postcode, date of birth, picture, and
                            photographs/digital images that directly identifies the member of staff. Additional information includes NHS number, passport, NHS identity badge etc.
                            Any details leading to the identity of a staff member is deemed as Staff identifiable. Staff information, entrusted to the safekeeping of Trust staff
          Staff
                            managers, who have a responsibility for divulging this type of information, must do so only on a strictly “Need to Know” basis. Staff identifiable
                            information requires the same level of protection as patient information and shall be handled in accordance with the NHS Confidentiality: Code of
                            Practice and other associated documentation, e.g. PHT Confidentiality: Staff Code of Conduct.
                            Information that does not identify an individual (patients or staff), and which cannot be used to determine the identity of a patient or staff member.
                            Anonymisation requires the removal of name, address, full post code, NHS number, unique/local patient identity codes, and any other combination of
      Anonymised
                            details that might support identification of the patient or staff member, Used when the removal of any identifying information is required to enable the
                            information to be stored, processed and shared as Non-personal information.
                            Business and administration information that refers directly to Trust business. Typically, administration, management, financial, logistics, but not leading
      Non-Personal          to patient or staff identity. Non-personal information is Trust private information, but released, shared, and distributed as required for business purposes,
                            on a “Need to Know” principle.




Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD MMMM 2011 (review date Apr 2013)                                    Page 15 of 20
            APPENDIX C: Permissible Devices and Media Connection types for - Personal & Non-Personal Information - Protection
            Levels for Media

         PORTABLE COMPUTING                           CATEGORIES OF INFORMATION (see Definitions)                                CONNECTION TYPES                                NOTES

                                                                                                       Non-                         Other
         Devices & Media               Patient     Pseudonymised         Staff      Anonymised                      Internet                    Trust LAN     1. This information should be
                                                                                                     Personal                       LAN*
                                                                                                                                                              encrypted and comply with
Trust Procured & Loaned Devices                                                                                                                               Connecting for Health’s standards.
Laptop & Notebook Computers           Yes, Note1      Yes, Note 1     Yes, Note 1       Yes            Yes            Yes            Yes           Yes        The ICT Department will provide
Personal Digital Assistants (PDA’s)   Yes, Note1      Yes, Note 1     Yes, Note 1       Yes            Yes            Yes            Yes           Yes        advice and guidance regarding the
USB Flash Memory Devices              Yes, Note1      Yes, Note 1     Yes, Note 1       Yes            Yes            Yes            Yes           Yes        purchase and use of approved
External Portable Hard Drives         Yes, Note1      Yes, Note 1     Yes, Note 1       Yes            Yes            Yes            Yes           Yes        products.
Mobile Telephone with data storage    Yes, Note1      Yes, Note 1     Yes, Note 1       Yes            Yes            Yes            Yes           Yes
                                                                                                                                                              2. Non-personal information remains
“Blackberry” Hand Held’s              Yes, Note1      Yes, Note 1     Yes, Note 1       Yes            Yes            Yes            Yes           Yes
                                                                                                                                                              the property of the Trust and shall be
                                                                                                                                                              afforded the level of “Privacy” that is
Trust Procured Media
                                                                                                                                                              associated with Corporate data. Any
Compact Disk (CD) – Recordable        Yes, Note1      Yes, Note 1     Yes, Note 1       Yes            Yes            N/A         Yes, Note 2      Yes
                                                                                                                                                              Non-personal information (see the
Compact Disk (CDRW) – Rewritable      Yes, Note1      Yes, Note 1     Yes, Note 1       Yes            Yes            N/A         Yes, Note 2      Yes        definitions) must be shared on a
Floppy Diskettes/ZIP Disks            Yes, Note1      Yes, Note 1     Yes, Note 1       Yes            Yes            N/A         Yes, Note 2      Yes        “Need to Know” basis, even though
USB Sticks                            Yes, Note1      Yes, Note 1     Yes, Note 1       Yes            Yes            N/A         Yes, Note 2      Yes        it may not refer to Patient or
                                                                                                                                                              Staff identifiable information.
Privately Procured Devices
Laptop & Notebook Computers           Yes, Note1      Yes, Note 1     Yes, Note 1       Yes         Yes, Note 2    Yes, Note 3    Yes, Note 3   Yes, Note 3   3. Privately procured devices and
Personal Digital Assistants (PDA’s)   Yes, Note1      Yes, Note 1     Yes, Note 1       Yes         Yes, Note 2    Yes, Note 3    Yes, Note 3   Yes, Note 3   media may be connected and used
USB Flash Memory Devices              Yes, Note1      Yes, Note 1     Yes, Note 1       Yes         Yes, Note 2    Yes, Note 3    Yes, Note 3   Yes, Note 3   within the Trust networks, but are
External Portable Hard Drives         Yes, Note1      Yes, Note 1     Yes, Note 1       Yes         Yes, Note 2    Yes, Note 3    Yes, Note 3   Yes, Note 3   subject to the rules and regulations
Mobile Telephone with data storage    Yes,Note1       Yes, Note 1     Yes, Note 1       Yes         Yes, Note 2    Yes, Note 3    Yes, Note 3   Yes, Note 3   contained in Appendix I.
“Blackberry” Hand Held’s              Yes, Note1      Yes, Note 1     Yes, Note 1       Yes         Yes, Note 2    Yes, Note 3    Yes, Note 3   Yes, Note 3
Psion Organiser Devices               Yes, Note1      Yes, Note 1     Yes, Note 1       Yes         Yes, Note 2    Yes, Note 3    Yes, Note 3   Yes, Note 3   Legend:

       Privately Procured Media                                                                                                                               Yes – permitted.
Compact Disk (CD) – Recordable        Yes, Note1      Yes, Note 1     Yes, Note 1       Yes         Yes, Note 2    Yes, Note 3    Yes, Note 3   Yes, Note 3   No – not permitted.
Compact Disk (CDRW) - Rewritable      Yes, Note1      Yes, Note 1     Yes, Note 1       Yes         Yes, Note 2    Yes, Note 3    Yes, Note 3   Yes, Note 3   N/A - Not applicable
Floppy Diskettes/ZIP Disks            Yes, Note1      Yes, Note 1     Yes, Note 1       Yes         Yes, Note 2    Yes, Note 3    Yes, Note 3   Yes, Note 3
USB Sticks                            Yes, Note1      Yes, Note 1     Yes, Note 1       Yes         Yes, Note 2    Yes, Note 3    Yes, Note 3   Yes, Note 3


         Other LAN refers to NHS organisations external to our own Trust, but governed by legal and regulatory framework such as the NHS Confidentiality: Code of Practice


Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD MMMM 2011 (review date Apr 2013)                                     Page 16 of 20
       Personal & Non-Personal Information - Protection Levels for Media



          DIGITAL IMAGING                         CATEGORIES OF INFORMATION (see Definitions)                            CONNECTION TYPES                                NOTES

                                                                                                   Non-                   Other
Devices & Media                    Patient        Pseudonymised      Staff          Anonymised                Internet                  Trust LAN
                                                                                                   Personal               LAN*                         4. Digital images must be processed
                                                                                                                                                       stored and shared with the same
Trust Procured & Loaned Devices                                                                                                                        level of protection afforded to other
Still Images – Digital Cameras      Yes, Note 4       Yes, Note 4     Yes, Note 4      Yes            Yes         No          Yes           Yes        forms of patient and staff identifiable
Camcorder – Video Recordings        Yes, Note 4       Yes, Note 4     Yes, Note 4      Yes            Yes         No          Yes           Yes        information. If transferred to any
Mobile Phone combining Camera       Yes, Note 4       Yes, Note 4     Yes, Note 4      Yes            Yes         No          Yes           Yes        Laptop/Notebook computers, PDA’s,
                                                                                                                                                       and other mobile devices or media,
                                                                                                                                                       and used outside of the Trust’s
Trust Procured Media                                                                                                                                   security perimeter, CfH encryption
Flash Memory Cards (All formats)    Yes, Note 4       Yes, Note 4     Yes, Note 4      Yes            Yes         No          Yes           Yes        standards apply. (see- Definitions).
USB Flash Memory Sticks             Yes, Note 4       Yes, Note 4     Yes, Note 4      Yes            Yes         No          Yes           Yes
Compact Disk (CDR) Recordable       Yes, Note 4       Yes, Note 4     Yes, Note 4      Yes            Yes         No          Yes           Yes
Compact Disk (CDRW) Rewritable      Yes, Note 4       Yes, Note 4     Yes, Note 4      Yes            Yes         No          Yes           Yes
Floppy Diskettes                    Yes, Note 4       Yes, Note 4     Yes, Note 4      Yes            Yes         No          Yes           Yes


Privately Procured Devices                                                                                                                             Legend:
Still Images – Digital Cameras          No                No              No            No            No         N/A           No            No
Camcorder – Video Recordings            No                No              No            No            No         N/A           No            No        Yes - Permitted.
Mobile Phone combining Camera           No                No              No            No            No         N/A           No            No        No – Not permitted
                                                                                                                                                       N/A - Not applicable

       Privately Procured Media
Flash Memory Cards (All formats)        No                No              No            No            No         N/A           No        Yes, Note 3
USB Flash Memory Sticks                 No                No              No            No            No         N/A           No        Yes, Note 3
Compact Disk (CDR) Recordable           No                No              No            No            No         N/A           No        Yes, Note 3
Compact Disk (CDRW) - Rewritable        No                No              No            No            No         N/A           No        Yes, Note 3
Floppy Diskettes                        No                No              No            No            No         N/A           No        Yes, Note 3
ZIP Disks                               No                No              No            No            No         N/A           No        Yes, Note 3



       * Other LAN refers to NHS organisations external to our own Trust, but governed by legal and regulatory framework such as the NHS Confidentiality: Code of Practice



Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD MMMM 2011 (review date Apr 2013)                                       Page 17 of 20
      APPENDIX D

         Checklist for the Review and Ratification of Procedural Documents and
                     Consultation and Proposed Implementation Plan
To be completed by the author of the document and attached when the document is submitted for ratification: a
blank template can be found on the Trust Intranet. Home page -> Policies -> Templates

                                      CHECKLIST FOR REVIEW AND RATIFICATION
                                                                              YES/NO
               TITLE OF DOCUMENT BEING REVIEWED:                                                COMMENTS
                                                                                N/A
1      Title
       Is the title clear and unambiguous?                                   Yes
       Will it enable easy searching/access/retrieval??                      Yes
       Is it clear whether the document is a policy, guideline, procedure,
                                                                             Yes
       protocol or ICP?
2      Introduction
       Are reasons for the development of the document clearly stated?       Yes
3      Content
       Is there a standard front cover?                                      Yes
       Is the document in the correct format?                                Yes
       Is the purpose of the document clear?                                 Yes
       Is the scope clearly stated?                                          Yes
       Does the scope include the paragraph relating to ability to comply,
       in the event of a infection outbreak, flu pandemic or any major       Yes
       incident?
       Are the definitions clearly explained?                                Yes
       Are the roles and responsibilities clearly explained?                 Yes
       Does it fulfill the requirements of the relevant Risk Management
       Standard? (see attached compliance statement)
       Is it written in clear, unambiguous language?                         Yes
4      Evidence Base
       Is the type of evidence to support the document explicitly
                                                                             Yes
       identified?
       Are key references cited?                                             Yes
       Are the references cited in full?                                     Yes
       Are associated documents referenced?                                  Yes
5      Approval Route
       Does the document identify which committee/group will approve it?     Yes
6      Process to Monitor Compliance and Effectiveness
       Are there measurable standards or KPIs to support the monitoring
       of compliance with the effectiveness of the document?
7      Review Date
       Is the review date identified?                                        Yes
6      Dissemination and Implementation
       Is a completed proposed implementation plan attached?                 NA
7      Equality and Diversity
       Is a completed Equality Impact Assessment attached?                   Yes



Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD MMMM 2011 (review date Apr 2013)                                 Page 18 of 20
                                                                                                          APPENDIX E

              Checklist for the Review and Ratification of Procedural Documents and
                          Consultation and Proposed Implementation Plan

                             CONSULTATION AND PROPOSED IMPLEMENTATION PLAN
Date to ratification committee
Groups /committees / individuals involved in the                   ICT Department managers
development and consultation process                               ICT Security Team
                                                                   Information Governance Manager
                                                                   Information Governance Steering Group




Is training required to support implementation?                    NA this is a review/amendment of an existing
                                                                   Policy relevant training is already in place.




If yes, outline plan to deliver training                           NA




Outline any additional activities to support                       NA
implementation




Individual Approval

If, as the author, you are happy that the document complies with Trust policy, please sign below and send the document,
with this paper, the Equality Impact Assessment and NHSLA checklist (if required) to the chair of the committee/group
where it will be ratified. To aid distribution all documentation should be sent electronically wherever possible.

Name           P Ballard                                                              Date        May 2011

Signature

Committee / Group Approval

If the committee/group is happy to ratify this document, would the chair please sign below and send the policy together with
this document, the Equality Impact Assessment, and NHSLA checklist (if required) and the relevant section of the minutes
to the Trust Policies Officer. To aid distribution all documentation should be sent electronically wherever possible.

Name                                                                                  Date      Jun 2011

Signature


If answers to any of the above questions is ‘no’, then please do not send it for ratification.



Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD MMMM 2011 (review date Apr 2013)                                       Page 19 of 20
                                                                                                 APPENDIX F

                                      EQUALITY IMPACT ASSESSMENT
To be completed by the author of the document and attached when the document is submitted for
ratification: a blank template can be found on the Trust Intranet. Home page -> Policies -> Templates

Title of document for assessment                          ICT Portable Computing and Storage Devices Policy
Date of assessment                                         May 2011
Job title of person responsible for assessment            Senior ICT Security Specialist
Division/Service                                          IPHIS/ICT



                                                     Yes/No                         Comments
Does the document affect one group less or more favourably than another on the basis of:
                                                     No
   Race
                                                     No
   Gender (including transgender)
                                                     No
   Religion or belief
                                                     No
   Sexual orientation, including lesbian, gay and
    bisexual people
                                                     No
   Age (for HR policies only)
                                                     No
   Disability – learning disabilities, physical
    disabilities, sensory impairment and mental
    health problems
Does this document affect an individual’s human      No
rights?
If you have identified potential discrimination,
are the exceptions valid, legal and/or justified?




If the answers to any of the above questions is ‘yes’ you will need to complete a full Equality Impact
Assessment (available from the Equality and Diversity website) or amend the policy such that only an
disadvantage than can be justified is included. If you require any general advice please contact staff
in the Equality and Diversity Department on 02392 288511




Portable Computing & Data Storage Devices Policy
Version 2. Issued: DD MMMM 2011 (review date Apr 2013)                                 Page 20 of 20

								
To top