Data Network Security Policy

Page 1 of 10

Authors: Mike Smith, Network Manager, IM&T; Rod Makosch, Data Security Officer, IM&T

Version No: 1

Approval Date: March 2005

Approved by: John Aird, Director of IM&T

Review Date: 1 April 2006

Trust Ref: C7/2005

Index



1. Introduction (p. 4)
1.1. UHL Network Policy Statement (p. 4)
2. Structure of the DN (p. 4)
2.1 Responsibilities (p. 5)
2.3 Network documentation (p. 5)
2.4. The NHS Code of Connection (p. 5)
3. Access to the IM&T Data Network (p. 5)
3.1 Methods of access to the DN (p. 5)
3.1.1 Access via network port (p. 5)
3.1.2 RAS Access (p. 5)
3.1.3 Access via modem (p. 6)
3.1.4. Access via GPRS & broadband (p. 6)
3.1.5 Wireless access (p. 6)
3.1.6 Access granted to other NHS bodies (p. 6)
3.1.7 External connections (p. 6)
3.2 Account access to the DN (p. 7)
3.2.1 Administrator Access (p. 7)
3.2.2 User Access (p. 7)
3.2.3 Third Party Access (p. 8)
4. Physical security of DN components (p. 8)
4.1. Cores & Switches (p. 8)
4.2. Hubs (p. 8)
4.3. Fibre & Copper Cabling and other transport media (p. 8)
4.4. DN Component Maintenance (p. 9)
5. Electronic security of DN components (p. 9)
5.1. Anti Virus (p. 9)
5.2 Firewalls (p. 9)
5.3 Security Logging (p. 10)
6 Resilience and capacity management (p. 10)

1. Introduction

The IT Data Network (DN) is a vital component of the smooth running of most
IT systems within the UHL, allowing users to access both clinical systems
(e.g. HISS and PACS) and non-clinical systems (e.g. email and finance). It is
therefore essential that a robust framework is developed to ensure a secure
network infrastructure throughout the UHL.

This policy covers the following areas:

• Access to the DN
• Physical security of DN components
• Electronic security of DN components
• Resilience and capacity management


Reference is made, within this policy, to detailed procedural documentation
for IM&T Technical Operations. Where such a reference is made, a link to the
procedure will be incorporated.

1.1. UHL Network Policy Statement

All wide and local area networks will be managed to accepted security
standards. These will, as a minimum, meet the requirements set out in the
NHSNet Code of Connection and BS7799. [1]

UHL signs the NHS Code of Connection.

2. Structure of the DN

The DN consists of

a. The WAN, fibre cabling connecting the three hospital sites, backed up
by a microwave link.
b. Three LANs, a mixture of fibre and copper cabling within the hospital
sites.
c. A number of network hardware devices, cores, switches and hubs on
each site.

[1] Information Security Policy A10/2003

2.1 Responsibilities

All components of the DN are under the control of the Directorate of IM&T,
and specifically the Network Administration section of the Technical
Operations Department.
2.3 Network documentation

The Network Administration section must maintain current network diagrams
detailing the configuration of the DN itself and all the major network
components on it. These diagrams are to be kept, securely, within IM&T and
copies must be lodged with the company supplying external support for the
DN.
2.4. The NHS Code of Connection

All connections to the DN must comply with the current NHSNet Security
Operating Procedures (currently available at:
http://nww.nhsia.nhs.uk/security/pages/syops).

3. Access to the IM&T Data Network
3.1 Methods of access to the DN

There are a number of methods used to access the DN; these are:

• Access via a network port
• RAS (Remote Access Server) access
• Access via a modem
• Access via GPRS & Broadband
• Wireless (WiFi) access
3.1.1 Access via network port

Access via a network port within the UHL is the most common form of access
to the DN. Only devices authorised and administered by IT (or in certain
circumstances named officers of the UHL acting on behalf of IT) are allowed
to be attached to the DN.
3.1.2 RAS Access

RAS access is a system allowing users to connect to the DN over the
public telephone network. Users using this form of access from UHL laptops
must have the laptop set up with two profiles, one disabling the network card
and the other disabling the modem. Users accessing the DN by this method
must agree to comply with the Policy on Mobile Computing (currently under
development) and must have completed the appropriate documentation. A
register of all users granted access via the RAS system is kept by IM&T.
3.1.3 Access via modem

Access via a modem is allowed only for certain third party support companies;
a register of these companies, incorporating details of the systems supported
and contacts, is maintained by IM&T. All modem access activity must be
logged and monitored. Modems must be switched off and disconnected from
the network when not in use. Efforts must be made to discourage this form of
access.
3.1.4. Access via GPRS & broadband

Access via GPRS or broadband offers alternative methods of accessing the
DN via the public telephone system (see 1.2 above). These are supplied by
third party VPN secure gateways from BT and Cable and Wireless. Users
accessing the DN by this method must agree to comply with the Policy on
Mobile Computing (currently under development) and must have completed
the appropriate documentation. A register of all users granted access via
GPRS or broadband is kept by IM&T.
3.1.5 Wireless access

The UHL has a number of wireless access points. Configuration of these
must comply with the relevant section of the NHSnet System Operating
Procedures (see:
http://nww.nhsia.nhs.uk/security/pages/syops/docs/wirelesslan.asp).

A full risk assessment will be completed for all requested wireless access
points and details of these are kept with the network documentation (See 2.3
above).
3.1.6 Access granted to other NHS bodies

Access to the DN is granted to local NHS bodies as a part of reciprocal
arrangements covering rights to use various systems.
3.1.7 External connections

All external connections must be established by IM&T.

Before allowing third party access a risk assessment will be conducted to
identify risks and appropriate countermeasures.

Arrangements for third party access must be based on a formal contract
containing, or referring to, all the necessary security conditions to ensure that
the organisation can satisfy NHS information security requirements. Contracts
may include agreement for the Trust to audit the security arrangements the
third party has in place. Details of these connections are kept with the
network documentation (See 2.3 above).
3.2 Account access to the DN

Access is split into three distinct areas:

• Administrator access – this is the access granted to the members of
the Network Administration Section of the Technical Operations
Department within IM&T and to any external supplier contracted to
provide support for the network. Individual officers having this level
of access are granted the rights to configure network devices and
monitor network traffic. A register of users having this level of
access is maintained by the Deputy Operations Programme
Manager.

• User access – this is the access granted to the majority of staff
within the UHL. Individuals who have this level of access are
granted the rights to log on to the DN and use facilities on it
appropriate to their requirements.

• Third Party access – this is the access granted to organisations
outside the UHL who require access to the DN in order to support
applications or other systems. A register of organisations having
this level of access is maintained by the Deputy Operations
Programme Manager.
3.2.1 Administrator Access

UHL officers granted this level of access are responsible for the maintenance
of network availability as detailed in section 6 (see below). They are also
responsible for the maintenance of the network diagrams.
3.2.2 User Access

UHL officers granted this level of access are responsible for ensuring their
account details are kept secure and must report, to IM&T, any incident,
whether actual or suspected, where this security may have been compromised.

User access to the IM&T Data Network will only be granted to individuals
upon receipt of a properly completed application form. Access will only be
granted on the understanding that the user granted access will comply with
the relevant policies on use of the network, email and the internet.
3.2.3 Third Party Access

Companies offering third party support for systems within the UHL will only be
granted sufficient access to the DN to allow them to fulfil their support
function.

4. Physical security of DN components

No equipment is to be attached to the IM&T Data Network without the prior
agreement of the Director of IT. (Note – this authorisation authority can be
delegated to any officer within the IT Directorate).

Formal change control procedures will be instigated for all significant
modifications to the DN (patching of individual ports is not regarded as
significant). The change control register is maintained by the Network
Administration Section.

DN components must be sited so as to avoid potential sources of
electromagnetic interference.
4.1. Cores & Switches

These devices form a major component of the DN and, as such, must be kept
in an appropriately secure environment. Only members of the Network
Administration Section, authenticated officers of the external network support
company or authenticated officers of an approved cabling company are
allowed access to this equipment. Any other individual requiring access to
this equipment must be supervised by a member of the Network
Administration Section.
4.2. Hubs

Risk assessments must be completed for all hubs and security afforded them
dependent upon the effect on business continuity of their loss. Access to hub
rooms and cabinets must be restricted, where possible, to IT staff and, where
hubs are situated in shared accommodation, the hub cabinets (closets) must
be kept locked.
4.3. Fibre & Copper Cabling and other transport media

All cabling, fibre or copper, used on the DN must be of an approved standard
and laid, where possible, in appropriate containment.
4.4. DN Component Maintenance

Key components within the DN must be connected to essential power
supplies, backed up by UPS.

Remote environmental monitoring of key components within the DN must be
carried out to ensure that they remain within the manufacturer's
recommendations.

Suitable spares must be held available on-site for failures of access layer
components. Core components must be available from the third party support
company within an agreed time.

5. Electronic security of DN components

Network access to DN components must be restricted to members of the
Network Administration Section.

Administrator login credentials for DN components must be changed from the
manufacturer’s defaults on installation and must subsequently be changed at
a minimum of every 90 days.

Passwords for accounts with administrator access to the DN will be a
minimum of 8 characters and must contain both alphabetic and numeric
characters.
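One way to check a device inventory against the three section 5 credential rules (defaults replaced on installation, 8 characters with both letters and digits, changed at least every 90 days), as an added example that is not part of the policy; the device names, dates and inventory fields are constructed for illustration:

```python
# Added example (not from the UHL policy): audit an inventory of DN
# components against the section 5 administrator-credential rules.
from datetime import date

MIN_LENGTH = 8      # section 5: at least 8 characters
MAX_AGE_DAYS = 90   # section 5: changed at least every 90 days
AUDIT_DATE = date(2005, 3, 15)   # constructed date on which the audit runs


def password_meets_policy(password: str) -> bool:
    """Check a candidate admin password at the moment it is set."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def rotation_findings(device: dict, today: date) -> list:
    """List the section 5 clauses a device's admin credential breaches.

    The inventory holds no passwords, only whether the vendor default is
    still in place and the date the credential was last changed.
    """
    findings = []
    if device["vendor_default"]:
        findings.append("default credentials not changed on installation")
    age_days = (today - device["last_changed"]).days
    if age_days > MAX_AGE_DAYS:
        findings.append(f"credential age {age_days} days exceeds 90-day limit")
    return findings


def audit(inventory: list, today: date) -> dict:
    """Map device name to its findings; a compliant device maps to []."""
    return {d["name"]: rotation_findings(d, today) for d in inventory}


# Constructed sample inventory (hypothetical device names and dates).
SAMPLE_INVENTORY = [
    {"name": "core-switch-a", "vendor_default": False,
     "last_changed": date(2005, 2, 1)},
    {"name": "edge-hub-12", "vendor_default": True,
     "last_changed": date(2004, 6, 30)},
    {"name": "wan-router-b", "vendor_default": False,
     "last_changed": date(2005, 3, 1)},
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(name, "compliant" if not issues else "; ".join(issues))
```

The findings list per device is what the Deputy Operations Programme Manager's register would record; an empty list means the device meets all three clauses.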
5.1. Anti Virus

The DN must be protected by suitable anti virus software being loaded and
run, as appropriate, on devices connected to it. The anti virus software must
be kept up to date with patches supplied by the provider of the software and
an automatic update policy applied to all attached equipment.
5.2 Firewalls

The DN must be protected by suitable firewalls. These firewalls must all be
configured to prevent all inappropriate access from outside the UHL to the
DN. To ensure consistency, all firewalls must be configured in the same way.
Firewall logs must be scrutinised regularly to check for problems, and
evidence of this scrutiny must be recorded in a register maintained by the
Network Administration Section.


5.3 Security Logging

All computers, servers, workstations and routers on the network will have
logging of security relevant events enabled in circumstances where those logs
can be reviewed, so that an audit trail of incidents will be available.

6 Resilience and capacity management

Appropriate risk assessments must be completed annually on the major
components of the DN. From these risk assessments, adequate resilience
must be planned and built into the DN to avoid loss of service resulting from a
malfunction in one component.

The effect on the DN must be incorporated into the planning on any project
involving the use of IT equipment and, where necessary, allowance must be
made within the project plan for additional capacity on the DN.

Regular monitoring of traffic on the DN must be completed, by the Network
Administration Section, to identify problems and enable timely and appropriate
upgrades to be made to the system.