Docstoc

CDDFT Anti Virus Procedure - Download as DOC

Document Sample
CDDFT Anti Virus Procedure - Download as DOC Powered By Docstoc
					                   Procedure Information Sheet
                         CDDFT Anti Virus Procedure
Reference Number                     PROC/HIG/0004

Title                                CDDFT Anti Virus Procedure

Version number                       9.0

Document Type                        Procedure

Original Policy Date                 December 2004

Date approved                        January 2011

Effective date                       February 2011

Approving body                       Information Governance Steering Group

Originating Directorate              Health Informatics Directorate

Scope                                Trust Wide

Last review date                     January 2011

Next review date                     October 2013

Reviewing body                       Information Governance Steering Group

Document Owner                       Head of Information Governance and IT Security

Equality impact assessed             Yes – January 2011

Date superseded                      October 2008 rev 9.0

Status                               Approved

Confidentiality                      Staff in Confidence

Keywords                             Anti Virus; procedure




Approval
Signature of Chairman of Approving Body
Name / job title of Chairman of approving Body:                   Sue Jacques Chief Operating
                                                                  Officer Marketing and Service
                                                                  Development Committee
Signed paper copy held at (location):                             IG DMH Office



C:\Docstoc\Working\pdf\8f1d57d6-f7c4-4293-a0a1-24dfba4f5530.doc
Rev 9.0 Jan 11                                         1                                    9/26/2011
Table of Contents

1.          Introduction .............................................................................................................3
2.          Procedure Statement ..............................................................................................3
3.          Purpose ..................................................................................................................3
4.          Responsibilities .......................................................................................................3
5.          Use Of E-mail And The Internet ..............................................................................4
6.          Virus Controls .........................................................................................................4
7.          Software controls ....................................................................................................5
8.          Avoiding virus infection ...........................................................................................5
9.          What To Do If A Virus Is Found or Suspected .........................................................5
10.         The responsibilities of the IT department are: .........................................................6
11.         Hoax Viruses ..........................................................................................................6
12.         Protection................................................................................................................6
13.         Misuse ....................................................................................................................7
14.         Data Protection Act 1998 ........................................................................................7
15.         Legal Requirements ................................................................................................7

Version Control

 Version Control Table
 Date                                     Version                                      State
 December 2004                            4.0                                          Approved
 December 2005                            5.0                                          Draft
 June 07                                  6.0                                          Draft
 November 2007                            7.0                                          Approved
 October 08                               8.0                                          Approved
 February 09                              9.0                                          Approved



 Table of Revision
 Date             Section                            Author                                    State
 June 07          All                                HOIG                                      Draft
 October 08       All                                HOIG                                      Approved
 February         Added appendix 1 how               HOIG                                      Approved
 09               to manual virus check
 Jan 11           all                                HOIG                                      Approved


Document Owner: Head of Information Governance and IT Security

Document Location and Availability
All Information Management procedures will be held in a central library available on the
Trust‟s Intranet pages.
This document is only valid on the day it was printed. Please contact the Document
Controller/owner for location details or printing problems. This is a controlled document.

Compliance
1.1.1. BS7799 : ISO27001
1.1.2. IG Toolkit




C:\Docstoc\Working\pdf\8f1d57d6-f7c4-4293-a0a1-24dfba4f5530.doc
Rev 9.0 Jan 11                                         2                                                              9/26/2011
1.       Introduction

The software and hardware that make up the networks are essential resources and are
critical items within the County Durham and Darlington Foundation Trust (CDDFT)
communication systems. They aid staff in carrying out their everyday duties and without
them the communication systems would not exist.

The risks imposed by viruses are that they can cause systems to run erratically, cause total
loss of information, and information can become corrupted. They can prevent access to the
information that hasn‟t become lost or corrupted, and the cost of productivity for the Trust can
be affected. The purpose of this procedure is to give guidance and direction on preventing a
virus infection, and what to do if the Trust does become infected.

2.       Procedure Statement

2.1      It is the policy of the Trust, that Trust systems are protected from viruses and
         malicious code.
         Ref: CDDFT IT Security Policy

2.2      This procedure applies to all employees and contractors of the Trust who have
         access to Trust information systems, or who use stand alone computers.

2.3      For the purpose of this procedure, a computer virus is defined as “a computer
         program that can copy itself and infect a computer without permission or knowledge
         of the user1.”

2.4      This policy applies to all computers and devices reliant on embedded computer
         systems that require connection to the Trusts computer network e.g. CT scanner

3.       Purpose

3.1      The purpose of this procedure is to ensure that all staff is aware of their individual
         responsibilities in relation to safeguarding the integrity of data and software within the
         Trust.

3.2      To identify the rules governing the use of software within the Trust.

3.3      To provide guidance on the prevention of virus infection, and what steps to take
         should a virus be found.

4.       Responsibilities

4.1      Every employee, including contractors, of the Trust is responsible for the
         implementation of this policy whilst operating any personal computer to access any of
         the Trusts systems.

4.2      Overall responsibility for the enforcement of this procedure lies with the Chief
         Executive of the Trust, or anyone identified by them as having responsibility in this
         area.

4.3      It is the responsibility of the delegated individual to implement the policy within the
         Trust, and take appropriate action where misuse is discovered.



C:\Docstoc\Working\pdf\8f1d57d6-f7c4-4293-a0a1-24dfba4f5530.doc
Rev 9.0 Jan 11                                         3                              9/26/2011
4.4      It is the responsibility of the Information Governance Steering group and Internal
         Audit to monitor the overall implementation and compliance with the procedure on
         behalf of the Trust.

4.5      It is the responsibility of the Head of Information Governance & IT Security to
         maintain the procedure, reviewing it on an annual basis, following any major
         Organisational changes, to ensure its relevance.

5.       Use of E-mail and the Internet

E-mail is one of the main tools used to distribute viruses. This is due to the ease of which
information can be distributed globally. Viruses, which are attached to e-mails, usually come
in the form of a forwarded message, which has FWD before the subject. In some
circumstances it may be forwarded to you by another member of staff or somebody that you
already know. However the majority of virus emails are unsolicited and will be from an
address you do not recognise. If you have any suspicions regarding a received e-mail, DO
NOT OPEN IT AND CONTACT THE IT HELPDESK ON X4340.
Ref: Please see the E-Mail code of practice Policy and Internet and acceptable use Policy for
further guidance here.

5.1      To help protect against viruses being distributed over the network, the following
         should be applied:

        (a)       Make sure you know who the sender of the e-mail is before opening any
                  attachments
        (b)       Where a user believes they have received an e-mail virus, warnings to other
                  users should be sent by the IT helpdesk. Please do not take to distributing
                  warning yourself and this will prevent hoax warnings being distributed.
        (c)       Many viruses now reproduce themselves via web pages and Internet relay
                  chat. As a result PC‟s must have up to date anti-virus software installed.
        (d)       Users must not knowingly download malicious software or a virus.
        (e)       Users must not download screen savers, games or any other unauthorised
                  software.

6.       Virus Controls

         6.1      Requirements

         6.1.1 No PC or embedded computer system may be connected to the Trusts
               network without adequate protection i.e. up to date anti-virus software being
               installed. Only laptops owned by the Trust may be connected to the network
               with the prior consent of the IT department, and in line with the Trusts policy
               on Access and Network Security. Where it is not possible to run anti-virus
               software for technical reasons, a risk assessment will be undertaken by
               Information Governance and IT services before the device can be connected.

         6.1.2    User training of the dangers of viruses, must include:

                  (a)      What viruses do
                  (b)      How they are reproduced
                  (c)      How to prevent virus infection

         6.1.3    A virus checker should be installed and configured to check:

C:\Docstoc\Working\pdf\8f1d57d6-f7c4-4293-a0a1-24dfba4f5530.doc
Rev 9.0 Jan 11                                         4                          9/26/2011
                   (a)     The PC‟s memory on “start up”
                   (b)     The PC‟s files on “start up”
                   (c)     Each of the files upon use
                   (d)     All drives include floppy disks and removable media
                   (e)     All files

           6.1.4    In addition, the anti-virus software must be configured to:

                    (a)    Log the details of each scan that is carried out. This should be stored
                           for a minimum of 6 months.
                    (b)    Scan emails when received

           6.1.5    Users must not change or delete any anti virus software that is stored on the
                    network.


7.         Software controls

7.1        No software, including screen savers, should be downloaded from the Internet or any
           mobile media and installed onto a Trust PC without the consent of the IT department.
           Unauthorised downloading of software may breach the copyright licence, and may
           introduce viruses to the system; this would also breach the Trust IT security Policy
           and may result in disciplinary action.

7.2        Unofficial software obtained from the Internet etc should not be used unless it has
           been obtained and authorized by the IT department for your use.

7.3        Any software, which is provided by the Trust, must not be installed onto non-Trust
           equipment. Neither should software be copied to any other Trust system(s) without
           the appropriate license.

           The unauthorised copying of software is a criminal offence under the Copyright,
           Design and Patents Act 1998.


      8.         Avoiding virus infection

     8.1         To avoid being infected by a virus:

                    (a)    Ensure that your PC has up to date anti-virus checkers installed on it.
                    (b)    Avoid the transfer of floppy disks, CD Roms and memory sticks
                           between computers.
                    (c)    Check all email attachments for viruses
                    (d)    Carry out a virus scan on all disks and mobile media before using them
                           on a Trust PC
                    (e)    Do not “start up” a PC with a floppy disk in the disk drive
                    (f)    Do not install any unofficial software onto Trust PC‟s without the prior
                           consent of the IT Department.

9.         What To Do If a Virus Is Found or Suspected

If you find or suspect a virus on your PC:

           (a)      Switch off the PC

C:\Docstoc\Working\pdf\8f1d57d6-f7c4-4293-a0a1-24dfba4f5530.doc
Rev 9.0 Jan 11                                         5                               9/26/2011
         (b)      Isolate the infected PC. If the infected PC is connected to a network, remove
                  the connections at the wall socket immediately
         (c)      Clearly mark the infected PC as being virus infected and not to be used
         (d)      Collect any mobile media that have been used in the infected PC, and mark
                  these as being virus infected. Do not use these media in any other PC.
         (e)      Contact the Trusts IT helpdesk immediately
         (f)      Do not use the PC until reuse has been approved by the IT department

10.       How to Carry out a Manual Virus Check on a PC

         (a)      Click „Start‟ button (bottom left of screen)
         (b)      Click on „All programs‟
         (c)      Click on „McAfee‟
         (d)      Click on „Virus Scan on-demand Scan
         (f)      Click Start - Scan will commence.
         (g)      If anything detected contact IT Helpdesk on X4340 immediately

11.      The responsibilities of the IT department are:

         (a)      Check the infected PC
         (b)      Check any mobile media that have been used in the infected PC
         (c)      Check any other PC that the disks have been used with
         (d)      Delete or clean any infected files
         (e)      Inform the network manager of any viruses detected on a networked PC
         (f)      Provide a report documenting the extent of the infection and the
                  documentation procedures followed to the Information Governance Team.

12.      Hoax Viruses

Normally via email (e.g. chain letters), this is an unconfirmed warning or plea with a request
that you send the message to everyone you know. If you receive any of this kind of
message; don‟t forward the message on. Either, delete the message, or pass it to the IT
department or Information Governance Team for validation. See the Trust Email and Code of
practice for more information.

13.      Protection

13.1     Adequate backups (made in accordance with the trusts backup procedure) of
         essential data and software should be taken, so if necessary, any data or software
         that is lost or corrupted due to virus infection can be recovered quickly. As a general
         rule:

        (a)       At a minimum, 3 generations of data should be kept, and where practical this
                  should be tested on a regular basis to ensure that it can be relied upon if and
                  when needed.
        (b)       A copy of essential business software should be taken and the Master copy
                  stored in the IT software library. Once the authorized copy of the software
                  should be used and not the original software.
        (c)       Both backup data and software should be kept at a safe and secure distance
                  from the main site.
        (d)       Backup data should have the same security levels as “live” data, and should
                  be adequate to provide a suitable service level and recovery time.
        (e)       If “live” data has been corrupted due to virus infection, the relevant software
                  and hardware will need to be checked before using the backup data.


C:\Docstoc\Working\pdf\8f1d57d6-f7c4-4293-a0a1-24dfba4f5530.doc
Rev 9.0 Jan 11                                         6                             9/26/2011
14.       Misuse

14.1      Failure to comply with this and related policies may result in disciplinary action being
       taken against the individual.

14.2     Any unauthorised downloading of software may result in the user having their access
         rights removed and may also lead to disciplinary action.

14.3     Any unauthorised copying of software may be reported to the relevant authorities, and
         may also lead to disciplinary action.

15.       Data Protection Act 1998

15.1     The Data Protection Act has rules governing the processing of data, and protecting
         that data from loss, damage or destruction, whether accidental or deliberate. You
         must ensure that there are sufficient security measures in place, and that reasonable
         steps are taken to ensure that the security measures are complied with.
15.2     The security measures must take into account the harm that may result from
         unauthorised or unlawful processing, loss, damage or destruction. The nature of the
         data being protected also needs to be considered.
15.3     Steps need to be taken to ensure the integrity of the staff who have access to the
         data being protected.

16.       Legal Requirements

The Data Protection Act 1998
The Computer Misuse Act 1990
The Copyright, Designs and Patents Act 1988
The Electronic Communications Act 2000

17.       Appendices

1- Process of completing manual virus check on CDDFT PC‟s and hosted pc‟s
2 – Equality impact assessment
3 – Dissemination Plan




C:\Docstoc\Working\pdf\8f1d57d6-f7c4-4293-a0a1-24dfba4f5530.doc
Rev 9.0 Jan 11                                         7                              9/26/2011
APPENDIX 1 – PROCESS OF COMPLETING A MANUAL VIRUS CHECK ON
CDDFT AND HOSTED PC’S


Removable media is anything which can hold information that can be accessed when connected to a
pc or laptop i.e. USB stick, Pen Drives, Floppy Disks, CD Roms, DVDs, PDAs, digital cameras etc.

Please follow the Trust process below every time you connect a removable drive to a Trust owned
piece of equipment.


                                    Insert media into USB hub or disk drive
                                                        
                     Click start (bottom left hand corner of the screen – green button)
                                                        
                                              Select My Computer
                                                        
       The removable media item will show under the heading „Devices with Removable Storage‟
                                                        
                                 Hover the mouse over the appropriate icon
                                                        
                                               Right Click Mouse
                                                        
                                            Select „Scan for Threats‟
                                                        
                           A Dialogue box „on demand scan progress‟ will appear
                                                        
                                     The media item will then be scanned
                                                        
            The result of the scan will be shown in the bottom left corner of the dialogue box.



                          If „nothing found‟ you can continue to use the media item

   If the scan registers a virus (even if it states that it has cleaned or quarantined it) you must
  remove the media device immediately and contact the IT Helpdesk for advice stating PC Tag
                                             number (X4340)




C:\Docstoc\Working\pdf\8f1d57d6-f7c4-4293-a0a1-24dfba4f5530.doc
Rev 9.0 Jan 11                                         8                                     9/26/2011
    APPENDIX 2 – EQUALITY ASSESSMENT TOOL
    Equality Impact Assessment



    Preliminary Assessment Form                                                                                        v1/2009
    The preliminary impact assessment is a quick and easy screening process.
    It should:
          Indentify those policies, procedures, services, functions and strategies which require a full EIA by looking
           at:
                    negative, positive or no impact on any of the equality groups
                    opportunity to promote equality for the equality groups
                    data / feedback
          prioritise if and when a full EIA should be completed
          justify reasons for why a full EIA is not going to be completed

    Division/Department                    Health Informatics


    Title of policy, procedure, function or service          CDDFT Anti virus Procedure



    Type of policy, procedure, function or service

                         Existing

                         New/proposed

                         Changed




    2.
2


    Q1 - What is the aim of your policy, procedure, project or service?

    To ensure Trust is compliant with data set change notices
    Q2 - Who is the policy, procedure, project or service going to benefit?

    Full Trust Staff

    Q3 - Thinking about each group below, does, or could the policy, procedure, project or service have a
    negative impact on members of the equality groups below?

        Group                                             Yes                No           Unclear

        Age                                                           X

        Disability                                                    X

        Race                                                          X

        Gender                                                        X

        Transgender                                                   X

    C:\Docstoc\Working\pdf\8f1d57d6-f7c4-4293-a0a1-24dfba4f5530.doc
    Rev 9.0 Jan 11                                         9                                               9/26/2011
 Sexual Orientation                                               X

 Religion or belief                                               X

 Relationships between groups                                     X

 Other socially excluded groups                                   X
If the answer is “Yes” or “Unclear” you MUST complete a full EIA


Q4 – Does, or could, the policy, procedure, project or service help to promote equality for members of the
equality groups?

 Group                                              Yes                No          Unclear

 Age                                                              X

 Disability                                                       X

 Race                                                             X

 Gender                                                           X

 Transgender                                                      X

 Sexual Orientation                                               X

 Religion or belief                                               X

 Relationships between groups                                     X

 Other socially excluded groups                                   X




Q5 – Do you have any feedback data from equality groups that indicate how this policy, procedure,
project or service may impact upon these groups?

 Group                                             Yes                 Yes           No        Unclear
                                                No Impact             Impact
 Age                                                                           X

 Disability                                                                    X

 Race                                                                          X

 Gender                                                                        X

 Transgender                                                                   X

 Sexual Orientation                                                            X

 Religion or belief                                                            X

 Relationships between groups                                                  X

 Other socially excluded groups                                                X



Q6 – Using the assessments in questions 3,4 and 5 should a full assessment be carried out on this policy,
procedure, project or service?

     Yes              No       x
If you have answered “Yes” now follow the EIA toolkit and complete a full EIA form


Q7 – How have you come to this decision?

Trust must comply with data set change notices.

C:\Docstoc\Working\pdf\8f1d57d6-f7c4-4293-a0a1-24dfba4f5530.doc
Rev 9.0 Jan 11                                         10                                     9/26/2011
Q8 – What is your priority for doing the full EIA

    High         Medium           Low
                                   x


Q9 – Who was involved in the EIA, and how?
Author

This EIA has been approved by: Head of Information Governance

Date:             11/01/11           Contact number:x3085

Please ensure that this assessment is attached to the policy document to which it relates.




C:\Docstoc\Working\pdf\8f1d57d6-f7c4-4293-a0a1-24dfba4f5530.doc
Rev 9.0 Jan 11                                         11                                    9/26/2011
APPENDIX 3 – DISSEMINATION PLAN
(To be completed and attached to Policy and Guidance documents when
submitted to the Committee approving this document)

                                       Policy or Guidance (P&G) Title:
                                        CDDFT Anti Virus Procedure
             Date finalized                           Dissemination Lead (contact details)
                Feb 11                     Head of Information Governance and IT Security DMH x3085

Previous P&G already          Yes       If yes, what in what format and where?
being used?                             Intranet site IG pages


Proposed action to retrieve expired copies of P&G: delete old copy and retain. Upload new.

To be disseminated to         How will be disseminated, who will      Paper or      Comments
                              do and when?                            electronic
Full trust                    Intranet site news page                 Electronic
Full trust                    IG Intranet site                        Electronic




             Dissemination Record – to be used once Policy or Guideline Approved

                         Date uploaded onto the Trust’s Intranet 13/10/08.

 Disseminated To (either             Format (i.e.          Date         No of      Contact Details /
 directly or via meetings,            paper or         disseminated    copies        Comments
            etc)                     electronic)                        sent
              IGSG                    electronic           Jan 11        Full
                                                                      attendees




General comments:




C:\Docstoc\Working\pdf\8f1d57d6-f7c4-4293-a0a1-24dfba4f5530.doc
Rev 9.0 Jan 11                                         12                                 9/26/2011

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:8
posted:9/26/2011
language:English
pages:12