Title: Version: Reference Number: TITLE Reference to other policies Supersedes: ICT Use and Protection of Laptop Computers Version 1.0 97

ICT Security Policy Out Of Office Working Policies None


Description of Amendment(s)


Originated By:

PJ Hilton


IT Security & Education Manager, NHSHMR IT Division

Referred for Consultation to: Head of IT Date of Referral: Approved by: Approved Date: Date of Referral: IMT Working Group Approved by: Approved Date:

LES Webb Dec 08

Referred for approval by: Date of Referral: ICT Board Approved by: Approved Date: Author: Peter Hilton Page 1 of 9

DRAFT Laptop Policy Version 1.0

Referred for approval by: Date of Referral: Approved by: JNCC Approved Date:

Referred for approval by: Equality Impact Assessment Date of Referral: Approved by: Approved Date:

Referred for approval by: Date of Referral: Approved by: IGC Approved Date: Issue Date: Circulated by: Issued by:

Peter Hilton

20 March 2009-04-06 Chair 31 March 2009


Review Date: REVIEW Responsibility of: Designation:

March 2011 P Hilton


Circulation List: EMT / INTRANET

This document is to be disseminated to all relevant staff; any required discussion or training should be detailed on the return slip.

The Policy must be posted on the intranet:

Date Posted: March 2011



CONTENTS

Policy Document Control Page
Contents Page
Section 1: Background
Section 2: Aim
Section 3: Management of Laptops
Section 4: Non-Compliance
Section 5: Ends
Annex A: Laptop Safe Use Procedures
Return Slip


1. BACKGROUND

1. Laptop computers taken outside secure NHS environments are subject to special security risks: they may be lost or stolen and exposed to unauthorised access or tampering.

2. Laptop loss will mean not only the loss of availability of the device and its data, but also the compromise of patient or other sensitive information. The loss of confidentiality, and potentially integrity, is more serious than the loss of the physical asset.

3. Users of laptops and their managers should consider the following:

• Traditional password protection on a laptop offers less defence against a determined attacker because the attacker has unconstrained access to the physical device once it has been stolen. Physical security controls that are possible within an NHS buildings environment are not available outside that environment; therefore if procedural and personal controls of the laptop are breached, the only effective technical measure that can be applied is cryptography.


2. AIM OF THIS POLICY

4. The aim of this policy is to protect laptops deployed by the Trust from physical theft or other untoward incident which might lead to the loss or compromise of data and subsequent harm to the reputation of the PCT.

3. MANAGEMENT OF LAPTOPS

5. General Management

• The IT Division is responsible for the procurement, configuration, engineering support and end-of-life disposal of the Trust’s laptops.
• No personal laptops involving the use of confidential or sensitive information should be used for PCT business without prior approval from the IT Division.

6. System Records

• All laptop computers issued to the Trust are to be recorded in the SAP system maintained by the IT Division.
• Individual laptop computer hardware and software configurations are to be recorded in the CMDB maintained by the IT Division.

7. Accountability and Authorisation

• Responsibility for the security of the laptops held by each department or team, and the data stored on them, lies with:
  o The nominated user, who is to take all reasonable steps to ensure the security of the laptop computer whether in the office or home or whilst being carried on private or public transport.
  o Line Managers, who are to observe and enforce the provisions of this Policy.
• The use of any equipment outside an NHS organisation's business premises for the processing of NHS information must be authorised by the relevant Director or Line Manager. Other PCT Policies, national guidelines and the Law also apply.

8. Management of Laptop and Data Security

• The installation and configuration of laptop security functionality, including access control, encryption and tamper resistance, is to be undertaken by the IT Division, who are the sole authority in the PCT for the installation or modification of software and the maintenance of the laptop.
• Laptop hard drives must be protected by encryption. No confidential or sensitive information should be placed on any laptop that has not had the appropriate level of encryption software installed.
• Sensitive data stored on a Trust laptop should be kept to the minimum required for effective business use, in order to minimise the risks and impacts should a breach occur. Any historical data, or data not frequently used, should be deleted from the laptop as soon as is practicable. No person-identifiable detail should be stored on the laptop.
• Laptops must not be left in the care of an unauthorised person, left unattended or on display in public areas, or left visible in a car or on public transport.




9. Remote Access

Remote access from a laptop to NHS information systems must be achieved in accordance with the ICT Out of Office Working Policies.

10. User Training and Awareness

Users of laptops must be given appropriate training and instruction in the use of the laptop and its security functionality. This should include their responsibility for safeguarding the laptop and their obligation to comply with relevant security and information governance procedures of the organisation.

11. Incident Reporting

Loss of a Trust laptop should be reported in the first instance to the IT Service Desk on 01706 869696 and, where appropriate, to the PCT Risk Manager via the PCT incident reporting procedures.

12. Secure Disposal and Reuse of Laptops or Components

• Data stored on Trust laptops should be securely erased before the laptop is reassigned for further service within the PCT.
• If the laptop is to be disposed of, then the hard drive must be removed for storage or destruction as deemed appropriate by the IT Security Manager.

4. NON COMPLIANCE

All breaches of this policy are to be reported to the IT Service Desk on 01706 869696 for investigation and referral for disciplinary action where appropriate.



Annex A

Laptop Safe Use Procedures

Physical Protection

• Laptops should be secured to a desk or other appropriate point if left unattended using an appropriate locking mechanism.
• All removable storage drives, e.g. CD-ROM or DVD drives and floppy disk drives, should be removed unless they are required for the job at hand.
• Do not use laptops with removable media in places where that media could easily be left behind or misplaced.
• Ensure that laptops are not left unattended when working off-site.
• Do not leave laptops unattended in insecure areas, for example meeting rooms next to areas of public access, and hotel rooms where others may have access. Make use of room locks and lockable storage facilities where available.
• Be aware of the potential for opportunist or targeted theft of laptop bags in busy public places, including airports, train stations, hotel lobbies and exhibition halls, and on public transport, e.g. buses and trains.
• When travelling and not in use, ensure that laptops are stored securely out of sight. For example, when travelling by car, ensure laptops are locked in the boot. Laptops left on display and unattended will inevitably attract attention and are likely to be stolen. Do not leave laptops unattended in car boots overnight.
• When travelling, avoid placing laptops in locations where they could be easily forgotten or left behind, e.g. overhead racks and taxi boots.
• It is good practice to carry laptops in protective anonymous bags or cases (i.e. those without manufacturer logos on them) when not in use.
• Be aware that the use of laptops in public places will likely draw the attention of those in the vicinity. It is possible that information viewed on a laptop screen could lead to the unauthorised disclosure of the information being processed.
• Wi-Fi, Infrared and Bluetooth interfaces should be disabled by default or their switches set to the ‘off’ position. If wireless communication is permitted, the laptop should be secured by following the good practice guidelines provided by NHS Connecting for Health.
• Laptop computers should be configured so that they cannot be booted from external media when in normal use.
• Where two factor authentication is used, ensure that the token is not stored or kept with the laptop computer.
• Full disk encryption must be installed on laptops as laid down in national guidelines. Where this is not possible due to technical constraints, then the laptop should be upgraded or replaced.


RETURN SLIP

Please detach and return this slip to Corporate Services via e-mail (insert as appropriate), or fax to: (insert as appropriate)





Signing above indicates you have received the Policy. Please indicate below where you have distributed this policy to:

NAME          DEPARTMENT          DATE
