INTERNET & N3 USAGE POLICY


ICT Internet and N3 Usage Policy

Version 3. Issued: DD May 2011 (review date May 2013)










Version: 3

Name of responsible (ratifying) committee: Information Governance Steering Group

Date ratified: May 2011

Document Manager (job title): ICT Senior Security Specialist

Date issued: May 2011

Review date: May 2013

Electronic location: Management Policies

Related Procedural Documents:
Trust ICT Security Policy
Trust Portable Computing and Storage Devices Policy
Trust E-Mail Policy
Trust Confidentiality: Staff Code of Conduct
Trust Professional Behaviour Guidance
Trust Information Governance Strategy

Key Words (to aid with searching):
ICT security, virus, ICT, security, computer, network, software, hardware, data, information, media, anti-virus, malicious software, inappropriate use, connections, TIA, profiles, email, internet, portable devices, workstation, laptop, tablet, USB, encryption, information assurance, confidentiality, integrity, availability, incidents, approved access, System Security Policy (SSP), portables, notebook, Security Operating Procedures (SyOps), portable computing devices, network connection, Person Identifiable Data (PID), personal information, patient identifiable, staff identifiable, N3, offensive material, illegal material, transmission, personal data, file download, web site, monitoring, web blocking, filtering, newsgroup, web.



CONTENTS

1. INTRODUCTION
2. PURPOSE
3. SCOPE
4. DEFINITIONS
5. DUTIES AND RESPONSIBILITIES
6. PROCESS
7. TRAINING REQUIREMENTS
8. REFERENCES AND ASSOCIATED DOCUMENTATION
9. MONITORING COMPLIANCE WITH, AND THE EFFECTIVENESS OF, PROCEDURAL DOCUMENTS



QUICK REFERENCE GUIDE


For quick reference the guide below is a summary of actions required. This does not negate the need for the document author and others involved in the process to be aware of and follow the detail of this policy.

1. Connections to the internet/N3 will only be implemented by the ICT department and users must not install/configure any connections to Trust IT equipment without first consulting ICT.

2. Users must not use Trust IT equipment and/or its connections to the internet/N3 for unacceptable, inappropriate or illegal behaviour as defined in this policy.

3. Trust facilities are primarily provided for Trust business; limited private use is at the discretion of line managers and any such use must not be allowed to impact on Trust business.

4. Trust Email addresses may only be disclosed to newsgroups/Web discussion boards when used in relation to Trust business.

5. It is strictly forbidden for users to download software via the internet to any Trust IT equipment without first obtaining authorisation from the ICT department.

6. Personal identifiable data must not be transmitted across the Internet / N3, unless via a route that has been approved as secure by the ICT Department.

7. All use of Trust IT equipment is monitored and is routinely audited; suspicious, inappropriate or illegal activities may be investigated.

































1. INTRODUCTION

1.1. Portsmouth Hospitals NHS Trust (“the Trust”) is increasingly dependent upon its usage of the Internet and N3 as key tools for managing and delivering health care services and for communicating with its care partners. However, the same features that make the Internet and N3 useful (speed, ease-of-use, widespread access to information, ease of capture and storage of information, etc.) also present risks, which must be managed to protect the Trust, its staff and patients.


2. PURPOSE

2.1. This policy seeks to ensure that the Trust and its staff are able to make best use of the facilities offered by the Internet and N3, but do so in a way that is secure, complies with the law and is in the best interests of the Trust, its staff and patients.

2.2. This policy should be read in conjunction with the Trust’s other information and communication technologies (ICT) policies and procedures (see list on front sheet).


3. SCOPE

3.1. This policy applies to anyone granted access to the Internet or N3 via Trust equipment, referred to throughout the remainder of this policy as “users”.

3.2. In the event of an infection outbreak, flu pandemic or major incident, the Trust recognises that it may not be possible to adhere to all aspects of this document. In such circumstances, staff should take advice from their manager and all possible action must be taken to maintain ongoing patient and staff safety.


4. DEFINITIONS

4.1. “N3”, previously known as NHSNet, is the secure data network provided for usage by NHS organisations. It is funded by the Department of Health and supplied by BT. It has a gateway to the Internet and is the main route for accessing the Internet for NHS organisations. All nhs.uk web-sites are hosted within N3, as is NHSmail.

4.2. “Illegal material” refers to any text or images, the creation, possession or transmission of which is in breach of United Kingdom or international law.

4.3. “Offensive material” is any material which is pornographic or obscene; involves threats or violence; promotes illegal acts, racial or religious hatred or unfair discrimination.

4.4. “Transmission” here is used to include the knowing access to, or downloading of, material from web sites outside the Trust as well as onward transmission of material.

4.5. “Software” means any executable or potentially executable program, including screensavers, games, desktop enhancements, Windows utilities, self-extracting compressed files and software program patches.


5. DUTIES AND RESPONSIBILITIES

5.1. Ultimately, responsibility for Internet / N3 security rests with the Chief Executive. Routinely, the ICT Department is responsible for developing, managing and implementing ICT security policies.

5.2. The ICT Department must:

• provide advice to staff on Internet and N3 usage as requested;




• ensure data on Internet / N3 usage is captured and investigate instances of inappropriate web-site access in accordance with the ICT Security Policy.


5.3. Line managers must:

• ensure that all staff and external users of Internet / N3-connected PCs under their management, are aware of, and comply with, this and associated policies & procedures;

• ensure account set-up forms for new staff and account deletion forms for all staff who leave the Trust are submitted to the ICT Department in a timely manner;

• take disciplinary action as appropriate against any member of staff in breach of this policy; and

• notify any suspected breaches of this policy to the ICT Department.


5.4. All Trust staff, without exception, must:

• abide by this and associated policies & procedures; and

• report any suspected breaches of this policy to their line manager or the ICT Department.

Failure to do so may result in disciplinary action.


6. PROCESS

6.1. Internet Connection

6.1.1. Connections to the Internet / N3 will only be implemented by the ICT Department. Users must not install any connection to the Internet, N3 or Trust network without first consulting the ICT Department, who may refuse to permit a connection where it introduces a security risk or incurs unnecessary expenditure.


6.2. Unacceptable Use

6.2.1. Users must not use the Internet / N3 for any of the following:

• The creation, use or transmission of any offensive, obscene or indecent images, data or other material, or any data capable of being resolved into obscene or indecent images or material (see 6.3 for exceptions);

• The creation or transmission of defamatory material;

• The creation, copying or transmission of material that infringes copyright;

• Deliberate unauthorised access to facilities or services accessible via the Internet / N3;

• Deliberate activities with any of the following characteristics:

    - wasting staff effort or networked resources, including time on end systems accessible via the Trust’s network, the Internet or N3 and the effort of staff involved in the support of those systems;

    - corrupting or destroying other users’ data;

    - violating the privacy of other users;

    - disrupting the work of other users;

    - using the Trust’s network, the Internet or N3 in a way that denies service to other users;

    - introducing unauthorised software or hardware;

    - continuing to use an item of software or hardware after the ICT Department has requested that use to cease; and

    - other misuse of the Trust’s network, the Internet or N3, such as the introduction of viruses.

• Obtaining unauthorised access to the Trust or another organisation’s IT facilities (hacking);

• Using social networking or similar services not in direct relation to the user’s work;

• Playing games;

• Expressing personal views which could be misinterpreted as those of the Trust;

• Committing the Trust to purchasing or acquiring goods or services without proper authorisation; and




• Downloading copyrighted or confidential information without proper authorisation.


6.2.2. This is not an exhaustive list but is an indication of the types of misuse that may be regarded as serious misconduct. More information about specific types of misuse is detailed in the sections below.

6.2.3. A good test is whether you could justify your use of the Internet / N3 and the time spent on this to a Trust senior manager.


6.3. Accessing Offensive or Illegal Material

6.3.1. Only members of the ICT Department specifically authorised to do so may access offensive web-sites as part of investigations into suspected abuse of ICT policies. At all other times the provisions of this policy apply to ICT Department staff in the same way as they do to all other users.

6.3.2. If illegal material is accessed on the Internet, or sent or received by e-mail, the Trust may inform the police and criminal prosecution may follow.

6.3.3. Any user accidentally accessing offensive or illegal material on the Internet must inform his/her line manager and the ICT Service Desk. Accidental access will not result in disciplinary action, but failure to report it may do so.


6.4. Use of Facilities for Purposes Not Related To Work

6.4.1. Trust Internet / N3 facilities should primarily be used for Trust business. However, the Trust wishes to encourage the appropriate use of Internet / N3 facilities by staff to increase their competence and understanding of its potential. Consequently, staff may make limited use of Trust facilities to access the Internet / N3 for purposes not related to work at the discretion of their managers, provided that:

• They have first obtained the consent of their line managers;

• It does not interfere with Trust work;

• It is not related to a private business interest or to employment with another employer (unless explicitly permitted by their line manager);

• It is not used for personal commercial purposes, including the sale or purchase of goods and services;

• It makes no reference to the Trust;

• It does not involve the use of social networking sites or similar services; and

• It complies with this policy, including its provisions regarding misuse.


6.4.2. Disciplinary procedures may be invoked if a user exceeds an acceptable level of non-business use without specific authorisation from their line manager.

6.4.3. Trust e-mail addresses must only be disclosed to newsgroups/Web discussion boards when used in relation to Trust business. If staff register with services for personal matters, they must not give their Trust e-mail address in postings.

6.4.4. Children and young people under the age of 18 will not normally be allowed access to the Internet/N3 via the Trust’s network. All requests to provide Internet connection to children and young people and to patients of any age must be submitted via the ICT Department. Where deemed appropriate to provide such access (e.g. education support whilst in hospital) the ICT Department will ensure that such access is provided via software that restricts web-access to appropriate sites only. Staff working in areas where such Internet access is provided will be responsible for supervising users to prevent inappropriate access or usage.


6.5. Web Blocking / Filtering



6.5.1. To reduce the risk of users accessing inappropriate web-sites, the ICT Department will implement and maintain software that will block or restrict access to undesirable web-sites. Due to the vast quantity of web-sites on the Internet such software necessarily takes a broad approach to web-site classification and users may find some legitimate web-sites are blocked. If they need to access a blocked web-site for work purposes users should contact the ICT Service Desk. Authorised ICT staff will verify the content of the web-site and, if appropriate, either obtain the user’s line management approval (if required) or arrange for it to be unblocked and the user notified.


6.6. E-mail

6.6.1. The use of electronic mail facilities is dealt with in a separate policy. [See E-Mail Usage Policy & Code of Practice]


6.7. File Downloads

6.7.1. It is strictly forbidden for users to download software via the Internet / N3 onto Trust PCs or servers without first obtaining authorisation from the ICT Department.

6.7.2. Users may download document files (.doc or .pdf) or spreadsheets (.xls) from the Internet / N3. These will be automatically scanned for viruses by the Trust’s network. Where they cannot be scanned or identified they will be automatically withheld from users.


6.8. Personal Data

6.8.1. Personal identifiable data must not be transmitted across the Internet / N3, unless via a route that has been approved as secure by the ICT Department. For further guidance see the ICT Security Policy.


6.9. Web Site Creation

6.9.1. Users must not set up web-sites on the Internet or N3 relating to the Trust or its services without the prior authorisation of the ICT Department and/or Trust’s Communications Manager.


6.10. Monitoring Usage

6.10.1. The Trust will monitor Internet / N3 usage irrespective of whether it is for Trust or private use. For further details see the ICT Security Policy.


6.11. Goods and Services

6.11.1. Goods and services must only be procured over the Internet on behalf of the Trust in accordance with Trust Financial and Supplies regulations.

6.11.2. If users wish to access sites on the Internet which are chargeable for work purposes, they must procure this service via the Supplies Department on a non-stock requisition.


7. TRAINING REQUIREMENTS

7.1. ICT Department staff will be trained to understand and support implementation of this policy.

7.2. The ICT Department will raise general awareness of the policy and procedures throughout the Trust by publishing occasional articles in the staff newsletter.

7.3. The Associate Director of Workforce will ensure relevant Human Resources and training staff are aware of the policy and Internet/N3 Usage Policy compliance is incorporated in the Information Security element of the Trust induction training programme.



8. REFERENCES AND ASSOCIATED DOCUMENTATION

The Data Protection Act 1998. http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_1

The Computer Misuse Act 1990. http://www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm

Wireless Telegraphy Act 1949. http://www.legislation.gov.uk/ukpga/Geo6/12-13-14/54/contents

Public Records Act 1958 and 1967. http://www.legislation.gov.uk/ukpga/1967/44

Civil Evidence Act 1968. http://www.opsi.gov.uk/ACTS/acts1995/Ukpga_19950038_en_1.htm

Human Rights Act 1998. http://www.opsi.gov.uk/acts/acts1998/19980042.htm

Freedom of Information Act 2000. http://www.legislation.gov.uk/ukpga/2000/36/contents

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. http://www.opsi.gov.uk/acts/acts2006/20060011.htm

The Privacy and Electronic Communications (EC Directive) Regulations 2003. http://www.legislation.gov.uk/uksi/2003/2426/contents/made

The Communications Act 2003. http://www.opsi.gov.uk/acts/acts2003/20030021.htm

Police and Criminal Justice Act 2006. http://www.opsi.gov.uk/acts/acts2006/20060048.htm

Regulation of Investigatory Powers Act 2007. http://www.opsi.gov.uk/Acts/acts2000/20000023.htm

ISO/IEC 27001:2005 Information technology -- Security techniques -- Specification for an Information Security Management System.



9. MONITORING COMPLIANCE WITH, AND THE EFFECTIVENESS OF, PROCEDURAL DOCUMENTS

9.1. The policy will be reviewed biennially by the ICT Department.

9.2. ICT Service Desk will log all incidences of breaches of this policy notified to them and report on these to the ICT Security Team at regular intervals.

9.3. If a trend becomes apparent, the ICT Security Team will develop appropriate action plans and will monitor the action plans for compliance on a quarterly basis.

9.4. Significant trends of breaches will be included in ICT Department reports to the Trust Information Management Strategy Committee and Trust Board.