									                                                          INSERT LOGO HERE



                                       Risk Assessment Form

                   Template for General Practice - IG Toolkit Requirement 317

      Name & Address of Practice:             Date of Assessment:                  Assessor:




Assessing the level of risk

                                        LIKELIHOOD
IMPACT             Probable     Possible     Unlikely     Rare         Negligible

Catastrophic       HIGH         HIGH         HIGH         MEDIUM       LOW
Major              HIGH         HIGH         MEDIUM       MEDIUM       LOW
Moderate           HIGH         MEDIUM       MEDIUM       LOW          VERY LOW
Minor              MEDIUM       MEDIUM       LOW          LOW          VERY LOW
Insignificant      LOW          LOW          VERY LOW     VERY LOW     VERY LOW


                    Section 1 - Physical Security of Premises and Equipment

    1 Is access to the outside of the building(s) restricted, i.e. by perimeter fencing?

      Yes          No

      If no, the risk is classed as              Low        Medium        High



    2 Is access to the outside of the building controlled i.e. covered by CCTV?

      Yes          No

      If no, the risk is classed as              Low        Medium        High



    3 Does the outside of the building have security lighting, floodlighting or street lighting?

      Yes          No

      If no, the risk is classed as              Low        Medium        High








4 Are there warnings on windows, visible alarms, etc. that warn potential intruders that physical
  security measures are in place?

  Yes          No

  If no, the risk is classed as            Low          Medium     High



5 Are accessible windows suitably protected with locks?

  Yes          No

  If no, the risk is classed as            Low          Medium     High



6 Do the downstairs windows have security bars?

  Yes          No

  If no, the risk is classed as            Low          Medium     High



7 Are the windows closed and checked every evening?

  Yes          No

  If no, the risk is classed as            Low          Medium     High



8 Are blinds closed and checked every evening?

  Yes          No

  If no, the risk is classed as            Low          Medium     High



9 Are skylights suitably protected by bars and locks?

  Yes          No

  If no, the risk is classed as            Low          Medium     High








10 Are external doors suitably protected e.g. by 5 lever locks?

   Yes          No

   If no, the risk is classed as             Low       Medium         High



11 Are all external doors solid e.g. not glass?

   Yes          No

   If no, the risk is classed as             Low       Medium         High



12 Is there a burglar alarm with intruder monitors covering all areas especially those
   containing IT equipment or records?

   Yes          No

   If no, the risk is classed as             Low       Medium         High



13 Is the alarm system connected to a police station or call response centre?

   Yes          No

   If no, the risk is classed as             Low       Medium         High



14 Are there appropriate locks or keypad access on all doors containing IT equipment
   and records?

   Yes          No

   If no, the risk is classed as             Low       Medium         High



15 Are you able to seal off separate areas of the building e.g. in reception are there
   shutters and lockable doors?

   Yes          No

   If no, the risk is classed as             Low       Medium         High








16 Do all consulting rooms have separate door locks?

   Yes          No

   If no, the risk is classed as             Low       Medium         High



17 When the building is not fully occupied, e.g. during an out-of-hours clinic, are unused
   areas such as administrative offices secured?

   Yes          No

   If no, the risk is classed as             Low       Medium         High



18 Are you able to ensure all keys stored on site are not obvious and any instructions
   regarding key locations or keypad codes are stored securely?

   Yes          No

   If no, the risk is classed as             Low       Medium         High



19 Are staff aware of the procedure for challenging unidentified visitors in controlled areas?

   Yes          No

   If no, the risk is classed as             Low       Medium         High



20 Are keypad codes changed regularly?

   Yes          No

   If no, the risk is classed as             Low       Medium         High



21 Are alarm codes changed regularly?

   Yes          No

   If no, the risk is classed as             Low       Medium         High








22 Are identity passes/cards worn by all staff at all times?

   Yes          No

   If no, the risk is classed as             Low         Medium       High



23 Are identity passes/cards worn by all visitors at all times?

   Yes          No

   If no, the risk is classed as             Low         Medium       High



24 Are visitors escorted at all times in secure areas?

   Yes          No

   If no, the risk is classed as             Low         Medium       High



25 Is a log of visitors maintained?

   Yes          No

   If no, the risk is classed as             Low         Medium       High



26 Is IT equipment situated where it cannot be viewed by visitors or the public from outside the
   premises?

   Yes          No

   If no, the risk is classed as             Low         Medium       High



27 Are deliveries to and collections from the practice, supervised?

   Yes          No

   If no, the risk is classed as             Low         Medium       High








28 Is new equipment stored securely prior to installation?

   Yes          No

   If no, the risk is classed as            Low       Medium        High



29 Is the movement of IT equipment out of the Practice (i.e. laptops and portable equipment
   used off site) subject to authorisation and control?

   Yes          No

   If no, the risk is classed as            Low       Medium        High



30 Are lock down devices used to secure IT equipment?

   Yes          No

   If no, the risk is classed as            Low       Medium        High



31 Are laptops and other portable equipment stored securely overnight?

   Yes          No

   If no, the risk is classed as            Low       Medium        High



32 Is IT equipment asset marked?

   Yes          No

   If no, the risk is classed as            Low       Medium        High



33 Do assets have visible ID markings?

   Yes          No

   If no, the risk is classed as            Low       Medium        High








34 Are assets UV marked with the practice post code?

   Yes          No

   If no, the risk is classed as           Low       Medium        High



35 Is all IT equipment recorded with serial numbers on an asset register?

   Yes          No

   If no, the risk is classed as           Low       Medium        High






                             Section 2 - Environmental Security

1 Is the server protected by a UPS (uninterruptible power supply)?

  Yes          No

  If no, the risk is classed as            Low        Medium         High



2 Is the battery checked on a regular basis i.e. weekly / monthly?

  Yes          No

  If no, the risk is classed as            Low        Medium         High



3 Are the wiring plugs PAT checked annually?

  Yes          No

  If no, the risk is classed as            Low        Medium         High



4 Is there a 'Fireproof' safe available for back-up tapes and other sensitive media or a
  documented 'off site' back-up system in place?

  Yes          No

  If no, the risk is classed as            Low        Medium         High



5 Is the server stored in a lockable room or lockable cupboard and at an
  appropriate temperature?

  Yes          No

  If no, the risk is classed as            Low        Medium         High



6 Is the server secured in a cage or locked down with a cable?

  Yes          No

  If no, the risk is classed as            Low        Medium         High








 7 Is the server sited above ground floor?

   Yes          No

   If no, the risk is classed as             Low      Medium        High



 8 Are server room windows protected?

   Yes          No

   If no, the risk is classed as             Low      Medium        High



 9 Are there CO2 fire extinguishers available and are they serviced by contract?

   Yes          No

   If no, the risk is classed as             Low      Medium        High



10 Are you able to ensure that paper is not stacked on top of or near PCs?

   Yes          No

   If no, the risk is classed as             Low      Medium        High



11 Are you able to ensure that PC ventilators are kept clear?

   Yes          No

   If no, the risk is classed as             Low      Medium        High



12 Is electronic equipment stored away from the risk of burst water pipes?

   Yes          No

   If no, the risk is classed as             Low      Medium        High








13 Is electronic equipment stored away from the risk of splashing from taps or sinks?

   Yes          No

   If no, the risk is classed as            Low       Medium         High



14 Is electronic equipment stored away from risk of water running from windows or
   condensation?

   Yes          No

   If no, the risk is classed as            Low       Medium         High



                            Section 3 - Unauthorised Access Risk

 1 Is data entry restricted to trained and authorised personnel (including locums)?

   Yes          No

   If no, the risk is classed as            Low       Medium         High



 2 Do all users have a unique ID and Password?

   Yes          No

   If no, the risk is classed as            Low       Medium         High



 3 Are all staff aware that passwords should not be divulged for any reason and that smartcards
   should be used ONLY by the registered user?

   Yes          No

   If no, the risk is classed as            Low       Medium         High



 4 Are passwords changed at regular intervals?

   Yes          No

   If no, the risk is classed as            Low       Medium         High







 5 Are staff advised to log out at all times if leaving the workstation?

   Yes          No

   If no, the risk is classed as              Low        Medium        High



 6 Are there automatic (3 minute) screen savers in place?

   Yes          No

   If no, the risk is classed as              Low        Medium        High



 7 Do you have a 'who', 'what', 'when' full audit trail in place?

   Yes          No

   If no, the risk is classed as              Low        Medium        High



 8 Is the anti-virus software updated daily? (PCs on the tPCT network are updated daily)

   Yes          No

   If no, the risk is classed as              Low        Medium        High



 9 Do the staff know how to check that the update has taken place?

   Yes          No

   If no, the risk is classed as              Low        Medium        High



10 Do staff use the anti-virus software installed for checking external sources?

   Yes          No

   If no, the risk is classed as              Low        Medium        High








11 Are there maintenance contracts with guaranteed response times for non-tPCT equipment?

   Yes          No

   If no, the risk is classed as           Low        Medium       High



12 Are back-ups taken daily and stored adequately?

   Yes          No

   If no, the risk is classed as           Low        Medium       High



13 Is there a procedure for checking that back-ups work?

   Yes          No

   If no, the risk is classed as           Low        Medium       High



14 Is there a senior member of staff who is responsible for Health and Safety issues?

   Yes          No

   If no, the risk is classed as           Low        Medium       High



15 Are all workstations connected to a LAN (Local Area Network)?

   Yes          No

   If no, the risk is classed as           Low        Medium       High



16 Are all external communications connected to the organisation's LAN authorised?



   Yes          No

   If no, the risk is classed as           Low        Medium       High








17 Does the disaster recovery plan/BCP allow for full running 'off site' in the event that the
   building is unusable (i.e. hardware, software and data)?

           Yes          No

           If no, the risk is classed as             Low        Medium         High

         Level 2

Having identified any areas of risk, the Practice should weigh each risk against the likelihood of the
threatened event actually occurring. For example, the assessment may identify a risk of burglary; the
question to be asked is whether this is a high, medium or low risk.


Where the risk of a breach in security is likely, the Practice should develop an action plan and allocate
the necessary resources to increase the physical security of those assets. For example this may
require the Practice to minimise the risk of a break-in by installing security grilles on ground floor
windows.


Where the perceived risk is low, the Practice may decide that action is unnecessary at this time;
however, this should be documented and that area kept under regular review.

The Practice should implement its action plan by beginning to make the improvements necessary to
secure the Practice’s property, and by developing procedures to ensure that the security mechanisms
put in place are complied with by all Practice staff.

         Level 3

The Practice has taken all reasonable steps to ensure its property is physically secured. This will
include informing staff members of the procedures and processes they must follow in order that the
risk of a security breach, either through deliberate or accidental means, is minimised.


Physical security should be subject to regular risk assessment, and updated guidance/procedures should
be issued to reflect new risks to the Practice arising from new ways of working or the purchase of new
equipment. The Practice should check that staff members comply with the procedures, e.g. by reviewing
burglar alarm logs and checking that ID badges are worn. Awareness and training should be provided to
all new staff as part of their induction to the Practice, and existing staff should be provided with
regular updates as necessary.




Name & Address of Practice:              Date of Assessment:              Assessor:



                               Risk Assessment Action Plan

                  Section 1 - Physical Security of Premises and Equipment

1  Is access to the outside of the building(s) restricted, i.e. by perimeter fencing?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


2  Is access to the outside of the building controlled, i.e. covered by CCTV?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


3  Does the outside of the building have security lighting, floodlighting or street lighting?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


4  Are there warnings on windows, visible alarms, etc. that warn potential intruders that physical
   security measures are in place?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:



5  Are accessible windows suitably protected with locks?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


6  Do the downstairs windows have security bars?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


7  Are the windows closed and checked every evening?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


8  Are blinds closed and checked every evening?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


9  Are skylights suitably protected by bars and locks?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


10 Are external doors suitably protected, e.g. by 5 lever locks?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:



11 Are all external doors solid, e.g. not glass?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


12 Is there a burglar alarm with intruder monitors covering all areas, especially those containing IT
   equipment or records?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


13 Is the alarm system connected to a police station or call response centre?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


14 Are there appropriate locks or keypad access on all doors containing IT equipment and records?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


15 Are you able to seal off separate areas of the building, e.g. in reception are there shutters and
   lockable doors?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:



16 Do all consulting rooms have separate door locks?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


17 When the building is not fully occupied, e.g. during an out-of-hours clinic, are unused areas such as
   administrative offices secured?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


18 Are you able to ensure all keys stored on site are not obvious and any instructions regarding key
   locations or keypad codes are stored securely?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


19 Are staff aware of the procedure for challenging unidentified visitors in controlled areas?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


20 Are keypad codes changed regularly?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


21 Are alarm codes changed regularly?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:




22 Are identity passes/cards worn by all staff at all times?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


23 Are identity passes/cards worn by all visitors at all times?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


24 Are visitors escorted at all times in secure areas?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


25 Is a log of visitors maintained?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


26 Is IT equipment situated where it cannot be viewed by visitors or the public from outside the
   premises?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


27 Are deliveries to and collections from the practice supervised?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:




28 Is new equipment stored securely prior to installation?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


29 Is the movement of IT equipment out of the Practice (i.e. use of laptops and portable equipment
   off site) subject to authorisation and control?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


30 Are lock down devices used to secure IT equipment?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


31 Are laptops and other portable equipment stored securely overnight?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


32 Is IT equipment asset marked?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


33 Do assets have visible ID markings?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:




34 Are assets UV marked with the practice post code?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


35 Is all IT equipment recorded with serial numbers on an asset register?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


                           Section 2 - Environmental Security

1  Is the server protected by a UPS (uninterruptible power supply)?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


2  Is the battery checked on a regular basis, i.e. weekly / monthly?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


3  Are the wiring plugs PAT checked annually?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


4  Is there a 'Fireproof' safe available for back-up tapes and other sensitive media or a documented
   'off-site' back-up system in place?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


5  Is the server stored in a lockable room or lockable cupboard and at an appropriate temperature?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


6  Is the server secured in a cage or locked down with a cable?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


7  Is the server sited above ground floor?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


8  Are server room windows protected?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


9  Are there CO2 fire extinguishers available and are they serviced by contract?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:




10 Are you able to ensure that paper is not stacked on top of or near PCs?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


11 Are you able to ensure that PC ventilators are kept clear?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


12 Is electronic equipment stored away from the risk of burst water pipes?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


13 Is electronic equipment stored away from the risk of splashing from taps or sinks?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


14 Is electronic equipment stored away from risk of water running from windows or condensation?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:



                           Section 3 - Unauthorised Access Risk

1  Is data entry restricted to trained and authorised personnel (including locums)?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


2  Do all users have a unique ID and Password?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


3  Are all staff aware that passwords should not be divulged for any reason and that smartcards
   should be used ONLY by the registered user?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


4  Are passwords changed at regular intervals?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


5  Are staff advised to log out at all times if leaving the workstation?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:




6  Are there automatic (3 minute) screen savers in place?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


7  Do you have a 'who', 'what', 'when' full audit trail in place?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


8  Is the anti-virus software updated daily? (PCs on the tPCT network are updated daily)
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


9  Do the staff know how to check that the update has taken place?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


10 Do staff use the anti-virus software installed for checking external sources?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


11 Are there maintenance contracts with guaranteed response times for non-tPCT equipment?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:




12 Are back-ups taken daily and stored adequately?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


13 Is there a procedure for checking that back-ups work?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


14 Is there a senior member of staff who is responsible for Health and Safety issues?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


15 Are all workstations connected to a LAN (Local Area Network)?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


16 Are all external communications connected to the organisation's LAN authorised?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions:


17 Does the disaster recovery plan/BCP allow for full running 'off site' in the event that the building is
   unusable (i.e. hardware, software and data)?
   Risk: [ ] Low   [ ] Medium   [ ] High
   Recommendation & Actions: