Hartlepool | Middlesbrough | Redcar and Cleveland | Stockton on Tees
Middlesbrough and Redcar & Cleveland Community Services



                        TRUST POLICY
                HARTLEPOOL PRIMARY CARE TRUST
              MIDDLESBROUGH PRIMARY CARE TRUST
       MIDDLESBROUGH AND REDCAR & CLEVELAND COMMUNITY
                           SERVICES
            REDCAR & CLEVELAND PRIMARY CARE TRUST
         STOCKTON ON TEES TEACHING PRIMARY CARE TRUST

                             POLICY REF: IG T23

                LAPTOP/MOBILE COMPUTING POLICY

SUMMARY: This policy outlines the process for ensuring information and assets are protected.
AUTHOR(S)/FURTHER INFORMATION: L Cotterill, Information Governance Manager (PCT) & T Best, Information Governance Manager (MRCCS)
NAME OF LEAD DIRECTOR: Hilary Hall (PCT) & Lisa Tempest (MRCCS)
VERSION: 3
APPLIES TO: All staff in the Tees PCTs, MRCCS, and Prison Health
STATUS (Final/Draft): Final
APPROVING COMMITTEE(S) AND DATE: Tees Information Governance Sub Committee, Governance Committee PCT
THIS DOCUMENT REPLACES: Version 2
RELATED DOCUMENTS: Information Security Policy (IGT18), Home Working Policy (IGT ), PC Security Policy (IGT 7)
FINANCIAL IMPLICATIONS: None
DISTRIBUTION: All policy holders, Intranet
REVIEW DUE DATE: Nov 10

This policy has been subject to a full equality impact assessment

November 2009                       NHS HARTLEPOOL
                                   NHS MIDDLESBROUGH
                                 NHS REDCAR & CLEVELAND
                                  NHS STOCKTON ON TEES
                 MIDDLESBROUGH AND REDCAR & CLEVELAND COMMUNITY SERVICES
                                                                Page 1 of 10
Table of Contents

1.   Introduction                                         3
2.   Definitions                                          3
     2.1  ISO/IEC 27002                                   3
3.   Roles and Responsibilities                           4
     3.1  The Chief Executive/Managing Director           4
     3.2  Directors/MRCCS Assistant Directors             4
     3.3  Assistant Directors                             4
     3.4  Operational Clinical Leads/Managers             5
     3.5  Information Governance Manager                  5
     3.6  Technical Security Manager                      5
     3.7  Head of ICT Support                             6
     3.8  All Staff                                       7
4.   Baseline Information Security Standards              7
     APPENDIX A                                           10




1.     Introduction

1.1   The requirements outlined below are designed to ensure that the information and
      assets owned by the Trust and used outside the office environment are protected
      with similar levels of protection as within the office environment. This also extends
      to work related information processed within a member of staff’s home.

1.2   Laptop / portable devices taken outside NHS environments are subject to greater
      risks: they may be lost, stolen, exposed to unauthorised access or modification.

1.3   Laptop / portable device loss will mean not only the loss of availability of the device
      and its data, but may also lead to the disclosure of patient or other sensitive
      information. This loss of confidentiality will often be considered more serious than
      the loss of the physical asset itself.

1.4   Traditional password protection on mobile devices offers limited defence against a
      determined hacker, as this individual has unconstrained access to the physical
      device.

1.5   Technical and physical security controls used within NHS environments are
      unavailable outside of the NHS; therefore if procedural and personal controls of the
      laptop are breached the only effective technical measure that can be applied is
      encryption. It is Trust policy that all laptops and USB sticks are encrypted.

1.6   Unauthorised access to and tampering with a laptop, particularly if the laptop is left
      unattended, may present repeated opportunities for unauthorised access, which may:

      o  lead to continuing (and undetected) compromise of information on the laptop
         itself;
      o  undermine security measures, including the encryption, intended to protect
         information on the laptop / portable devices in the event of loss or theft;
      o  compromise systems to which the laptop is connected, such as the Trust’s
         network, networked systems and shared drives.

      The impact of a breach of laptop / portable device security may therefore extend
      far more widely than the laptop / portable devices themselves.



2.     Definitions

2.1    ISO/IEC 27002

2.1.1 ISO/IEC 27002 is the Code of Practice for Information Security Management.
       The relevant sections that apply to laptop protection are:

2.1.2 ISO/IEC 27002, 9.2.5. (Security of equipment off-premises)

      o  Security should be applied to off-site equipment taking into account the
         different risks of working outside the organisation's premises;
      o  Regardless of ownership, the use of any information processing equipment
         outside the organisation's premises should be authorised by management;
      o  Security risks, e.g. of damage, theft or eavesdropping, may vary considerably
         between locations and should be taken into account in determining the most
         appropriate controls.

2.1.3 ISO/IEC 27002, 11.7.1. (Mobile computing and communications)

      o  A formal policy is in place, and appropriate security measures should be
         adopted to protect against the risks of using mobile computing and
         communication facilities. All staff using laptops must understand their
         responsibilities.
      o  Special care should be taken to ensure that business information is not
         compromised.
      o  The mobile computing policy includes the requirements for physical
         protection, access controls, cryptographic/encryption techniques, back-ups,
         and virus protection. This policy also offers guidance on connecting mobile
         facilities to networks and advice on the use of these facilities in public
         places.


3      Roles and Responsibilities

3.1    The Chief Executive/Managing Director

3.1.1 The Chief Executive/Managing Director will maintain ultimate accountability for the
      implementation of this policy, although specific responsibilities will be delegated to
      others within the Trust. The Chief Executive/Managing Director will seek assurance
      of its effective implementation through the Trust’s Governance Committees.


3.2    Directors/MRCCS Assistant Directors

3.2.1 Directors will ensure that adequate resources are available and appropriate people
      are identified within their Directorate to ensure effective implementation of this
      policy.


3.3    Assistant Directors

3.3.1 Assistant Directors will support and enable the Operational Clinical Leads and
      Managers to fulfil their responsibilities and ensure the effective implementation of
      this policy within their specialty.


3.4    Operational Clinical Leads/Managers

Operational Clinical Leads/Managers must ensure that –

3.4.1 Staff within their responsibility apply for the ability to home work and provide all
      appropriate information within the documentation required. Further information and
      copies of appropriate forms can be found in appendix...

3.4.2 Where staff work from home, the Line Manager should ensure that a home working
      agreement has been completed and approved. Refer to the Home Working Policy for
      details of this process.

3.4.3 Staff complete their requirements in terms of attending Information Governance
      Mandatory Training within the timescales set out in the Training Matrix. Further
      information can be provided by the HR Training Department.

3.4.4 All Information Governance incidents are investigated appropriately and the
      information is shared with the relevant services within the Trust where required.

3.4.5 Copies of all appropriate documentation relating to home working are kept in the
      individual’s personal file for reference.

3.4.6 When a staff member leaves the organisation, the necessary steps are taken to
      retrieve any equipment and return it to IT.

3.4.7 The use of any equipment outside the Trust’s premises for the processing of NHS
      information is authorised. Where the processing of NHS patient information is
      proposed on laptop devices, additional authorisation must be obtained from the
      organisation’s Caldicott Guardian.


3.5    Information Governance Manager

The Information Governance Manager will ensure that –

3.5.1 They provide information, support and advice on information security and home
      working in conjunction with IT.

3.5.2 They provide incident investigation advice where requested.

3.5.3 Users of laptops are given appropriate training and instruction in the use of the
      laptop and its security functionality. This should include their responsibility for
      safeguarding the laptop / portable devices and their obligation to comply with
      relevant Information Governance security procedures of the organisation.


3.6    Technical Security Manager

The Technical Security Manager will –
3.6.1 Issue guidance to support the implementation of and compliance with this policy.

3.6.2 Ensure that training materials are kept up to date.

3.6.3 Report performance standards to the Information Governance Sub Committee.

3.6.4 Regularly review in conjunction with IT the Trust laptops/portable devices to ensure
      that they continue to meet security accreditation requirements and that the residual
      level of risk from their use is acceptable.


3.7    Head of ICT Support

The Head of ICT Support will –

3.7.1 Be responsible for assisting the Technical Security Manager in the safeguarding of
      all Trust data and the management arrangements in respect of the Trust’s electronic
      data processing assets.

3.7.2 Ensure that, where appropriate, software and upgrades to Trust and home PC
      equipment are provided so that the equipment meets all security requirements.

3.7.3 Ensure appropriate training is given to the individual on how to use the equipment
      provided to them.

3.7.4 Ensure that the Asset Register is kept up to date with information on which staff
      members have laptops/mobile devices so that records can be updated and assets
      can be monitored.

3.7.5 Ensure that all laptops used for NHS business or holding NHS information are
      uniquely identified, with the following information:

3.7.6 Recorded on the IT asset register (serial, make, model, asset number, OS, spec):
            o the date the device was encrypted
            o type of information held
            o user responsible for the laptop
            o base / site of storage

3.7.7 Be responsible for the security of the Trust’s registered laptops and for assigning
      Trust registered laptops to individuals/teams.

3.7.8 Ensure that the installation and configuration of laptop security functionality,
      including access control, encryption and tamper resistance is undertaken by
      appropriately trained staff.

3.7.9 Be responsible for maintaining consistent standards of physical and procedural
      protection for all laptops/portable devices to ensure continuity of availability.

 3.7.10 Ensure that any data stored on laptops/portable devices is deleted before the
        device is reassigned for another purpose. Where the device is redundant and
        requires disposal this will be carried out as per Trust procedure.


 3.8     All Staff

 All staff will ensure that –

 3.8.1 Whilst using laptop/mobile devices, they abide by all appropriate Information
       Governance policies and procedures specifically within the PC Security Policy and
       Home Working Policy.

 3.8.2 They attend all necessary Information Governance Training as set out in the
       Training Matrix within the set timescales. Further information can be obtained from
       the HR Training Department.

3.8.3    All Information Governance incidents must be reported via the Trust’s Incident
         Reporting Policy.

 3.8.4 Laptops are connected to the Trust’s network on a monthly basis, to ensure that
       anti-virus definitions, Microsoft security patches and the Safeboot encryption
       certificates are renewed and backed up centrally. Failure to connect to the Trust’s
       network may render the laptop unusable and leave the information on the device
       inaccessible.


 4.      Baseline Information Security Standards

 4.4.1 The following Information Governance principles and policy should be followed
       when using laptop/mobile devices:

 4.4.2 It is recommended that laptops / portable devices, even when protected by disk
       encryption, should not be left in the care of any person who is not appropriately
       trained to protect the information they contain.

 4.4.3 Where laptops/portable devices are to be used remotely over a remote
       connection, e.g. VPN, users should refer to the Home Working Policy for further
       guidance.

 4.4.5 Person identifiable information must not be stored on laptops/portable devices
       unless authorisation has been granted by the service.

 4.4.6 All Information Governance incidents, including loss or theft of laptops/portable
       devices, should be reported in accordance with the Incident Reporting and
       Investigation Policy (G3).

 4.4.7 Laptops should be stored securely if left unattended.

4.4.8 Removable media drives such as CD/DVD-ROM and floppy disk drives should be
      removed unless absolutely necessary.

4.4.9 Ensure that laptops are not left unattended when working off-site.

4.4.10 When travelling and not in use, ensure that laptops are stored securely out of sight.
       For example, when travelling by car, ensure laptops are locked in the boot. Laptops
       left on display and unattended will inevitably attract attention and are likely to be
       stolen.

4.4.11 Do not leave laptops unattended in car boots overnight. Always ensure laptops
       and portable media devices are held in a secure, locked enclosure when not in use.

4.4.12 Laptop/portable device hardware or software configurations must not be tampered
       with or modified without authorisation. Users who do so will face disciplinary
       action and have the devices withdrawn from use.

4.4.13 Where laptops/mobile devices are to be used to connect to the internet, this should
       be done in accordance with the Internet Policy.

4.4.14 Where there is a requirement to use a RAS token for VPN access users must
       ensure that this is not stored or kept with the mobile device.

4.4.15 Ensure that laptops are fully powered down when not in use (not just suspended).
       Remember to lock all laptops away when you return them to the office.

4.4.16 Patient identifiable information must not be sent via portable devices such as
       Blackberries, as this method is not secure. Any transmission of such information will
       be classified as a breach of security and disciplinary action may follow. Further
       guidance on the secure transfer of electronic personal identifiable information can
       be found in the Email Policy. Blackberries must be protected/locked with a PIN.

4.4.17 When using the laptop/mobile device to access the internet via an Internet Service
       Provider, e.g. AOL, Virgin or BT Internet, users must ensure that this is done in
       accordance with the Home Working Policy.

4.4.18 When returning a laptop/mobile device to IT you must ensure that all information
       stored on the device is deleted.

4.4.19 Users must not disable any element of the standard laptop or mobile device
       configuration, including data encryption, screen-saver password and anti-virus
       software.




5.     STANDARDS/KEY PERFORMANCE INDICATORS

       Monitoring of this policy will be achieved through audits (internal/external), external
       assessments and feedback given to the Tees Information Governance Sub-
       Committee and working groups.

       Procedures will also be subject to internal and external audit.


6.     REFERENCES

       NHS Information Security Code of Practice
       NHS Information Governance Toolkit
       ISO/IEC 27001
       ISO/IEC 27002




APPENDIX A

Good Practice Security Requirements

   o It is good practice to carry laptops in protective anonymous bags or cases (i.e.
     those without manufacturer logos on them) when not in use.
   o Do not leave laptops unattended in insecure areas, for example meeting rooms
     next to areas of public access, and hotel rooms where others may have access.
   o Be aware of the potential for opportunist or targeted theft of laptop bags in busy
     public places, including airports, train stations, hotel lobbies and exhibition halls,
     and on public transport, e.g. buses and trains.
   o Do not leave laptops/mobile devices unattended.
   o When travelling, avoid placing laptops in locations where they could be easily
     forgotten or left behind, e.g. overhead racks and taxi boots.
   o Be aware that the use of laptops in public places will likely draw the attention of
     those in the vicinity. Information viewed on a laptop screen could lead to the
     unauthorised disclosure of the information being processed.
   o If you use your laptop/device to communicate by email or fax, remember that
     information must be transmitted in accordance with the Internet Policy and Email
     Policy.
   o Ensure that laptops are fully powered down when not in use (not just suspended).
   o All users must take good care of laptops, mobile devices and PCs to prevent
     accidental damage, e.g. from rough handling, accidentally spilling drinks on the
     equipment, or being in close proximity to a heat source.




EQUALITY IMPACT ASSESSMENT TOOL

To be completed and attached to any procedural document when submitted to the
appropriate committee for consideration and approval.

                                                                       Yes/No   Comments
1.  Does the policy/guidance affect one group less or more favourably
    than another on the basis of:
      Race                                                             NO
      Ethnic origins (including gypsies and travellers)                NO
      Nationality                                                      NO
      Gender                                                           NO
      Culture                                                          NO
      Religion or belief                                               NO
      Sexual orientation including lesbian, gay and bisexual people    NO
      Age                                                              NO
      Disability - learning disabilities, physical disability,
      sensory impairment and mental health problems                    NO
2.  Is there any evidence that some groups are affected differently?   NO
3.  If you have identified potential discrimination, are any
    exceptions valid, legal and/or justifiable?                        NO
4.  Is the impact of the policy/guidance likely to be negative?        NO
5.  If so can the impact be avoided?                                   N/A
6.  What alternatives are there to achieving the policy/guidance
    without the impact?                                                N/A
7.  Can we reduce the impact by taking different action?               N/A

If you have identified a potential discriminatory impact of this procedural document, please refer it to The
Governance Team, together with any suggestions as to the action required to avoid/reduce this impact. For
advice in respect of answering the above questions, please contact:
Governance Team, Riverside House, Riverside Park, High Force Road, Middlesbrough, TS2 1RH




IMPLEMENTATION PLAN

What: Policy should be sent to nominated binder holders and placed on the intranet
How: Corporate Office to disseminate the policy
Person Responsible: Office Services Administrator
By When: Ongoing
Resources Required: None

What: Binder holders to make all staff aware of the revised policy and its contents
How: Raise awareness at team meetings and through normal communication mechanisms
Person Responsible: Managers
By When: Ongoing
Resources Required: None

What: Ensure all staff have received relevant training and are aware of the policy and the
      associated local procedures
How: Ensure staff attend all relevant records management training
Person Responsible: Managers
By When: Ongoing
Resources Required: None



