IT Security Policy 2009

Page 1 of 23

IT SECURITY POLICY (ACCEPTABLE USAGE)

Author: Head of IT (Corporate and Provider Services)
Responsibility: All Staff
Related Documents: Information Governance Policy; Incident Reporting and Management Policy
Effective Date: March 2009
Review Date: March 2010
Reviewers: Information Governance Committee; IM&T Strategy Committee
Approved by: Trust Board / March 2009
PDF created with pdfFactory Pro trial version www.pdffactory.com


TABLE OF CONTENTS

1 INTRODUCTION 4
1.1 Background 4
1.2 Scope of this policy 4
1.3 Equality and Diversity Statement 5
2 MANAGEMENT OF SECURITY 5
2.1 Responsibilities of the Trust 5
2.2 Responsibilities of the Individual 5
3 GETTING STARTED 5
3.1 Recruitment & Contracts of Employment 5
3.2 Agency staff and third party users 6
3.3 Responsibilities of the Line Manager 6
3.4 Notice to All 7
4 AUTHORISATION 7
4.1 Usernames for logging on to the Trust network 7
4.2 Passwords 8
4.3 Smartcards 8
4.4 Passwords for Additional Databases or Systems 8
4.5 When a Member of Staff Leaves the Trust or Changes Role 8
5 LEGAL RESPONSIBILITIES 9
5.1 Working with Person Information 9
5.2 Software Licensing 10
5.3 Other Guidance 10
6 PROTECTION AGAINST MALICIOUS SOFTWARE VIRUSES 10
6.1 Virus Protection provided by the Trust 10
6.2 Use of Portable Media on Trust Equipment 11
6.3 Installation of Authorised Software 11
6.4 Installation of Unauthorised Software 11
6.5 Using Personal IT Equipment for Trust Purposes 12
7 SAVING YOUR WORK ELECTRONICALLY 12
7.1 When Connected to the Trust Network 12
7.2 When Disconnected from the Trust Network 12
8 EMAIL 13
8.1 Corporate email addresses 13
8.2 NHSmail email addresses 13
8.3 Auto-forwarding email to another email account 13
8.4 Email attachments 13
8.5 Use of Distribution Lists 14
8.6 Personal use of email 14
8.7 General Good Practice and Etiquette 14
8.8 Archiving and retrieval of email messages 15
9 INTERNET ACCESS 15
9.1 The Provision of Internet 15
9.2 Access for Personal Use 16
9.3 Access to Specific Websites 16
10 SEEKING ASSISTANCE 17
11 PURCHASING IT EQUIPMENT 17
12 EQUIPMENT SECURITY 17
13 REPORTING OF INCIDENTS 18
14 SECURITY INCIDENT MANAGEMENT PROCEDURES 18
15 SYSTEM PLANNING, PROCUREMENT AND ACCEPTANCE 19
16 BUSINESS CONTINUITY PLANNING AND RISK ASSESSMENT 19
APPENDIX 1 - CONFIDENTIALITY UNDERTAKING 21
GLOSSARY OF TERMS 22

1 Introduction
1.1 Background

Data stored in information systems represent an extremely valuable asset. The increasing
reliance of the NHS on information technology for the support and delivery of health care
makes it necessary to ensure that these systems are developed, operated and maintained
in a safe and secure environment.

IT security is governed by many pieces of legislation. The most notable UK Acts are:

- The Data Protection Act (1998)
- Copyright, Designs and Patents Act (1988)
- Computer Misuse Act (1990)
- Freedom of Information Act (2000)

Other relevant legislation includes the Access to Medical Records Act 1990.

This Acceptable Use Policy takes a general look at the responsibilities of the organisation
and of the individual when it comes to IT Security. If more technical guidance is required,
further information can be found in the Good Practice Guidelines issued by the Connecting
for Health Information Governance Security Team
(http://nww.connectingforhealth.nhs.uk/igsecurity/gpg/ - Please note, you must be
connected to the NHS network to access these guidelines.)

The purpose of this Acceptable Use Policy is to preserve:

- Confidentiality: data access is confined to those with specified authority to view the
data
- Integrity: all systems are working in the way they were intended to work
- Availability: information is delivered to the correct person, when it is needed.

1.2 Scope of this policy

This policy applies to the use of IT equipment and systems by all NHS Bedfordshire
(hereafter referred to as “the Trust”) staff (including temporary workers and staff seconded or
contracted from other organisations) at all Trust premises throughout Bedfordshire and
Luton and also when using Trust or personal equipment when working remotely from home.

IT Equipment includes but is not limited to PCs, Laptops, Printers, Blackberry mobiles,
SmartPhones (i.e. mobile phones that store data or access the internet/Trust network) and
PDAs (Personal Digital Assistants).


1.3 Equality and Diversity Statement
The Trust is committed to ensuring that, as far as is reasonably practicable, the way we
provide services to the public and the way we treat our staff reflects their individual needs
and does not discriminate against individuals or groups on the basis of their ethnic origin,
physical or mental abilities, gender, age, religious beliefs or sexual orientation.

2 Management of Security
2.1 Responsibilities of the Trust

Overall responsibility for data security currently rests with the Board Secretary. The Trust
has appointed two IT Security Officers responsible for implementing, monitoring,
documenting and communicating the Trust’s IT security policies within the organisation.

The IT Security Officers for the Trust are the Heads of IT.

The IT Security Officers will periodically:

- report to the Trust’s Executive Team the state of IT security within the organisation

- maintain a current copy of the Trust’s Acceptable Use Policy for IT security and make it
available to every member of staff

- ensure that IT security is implemented to at least the level laid out in the NHS IT
Security Manual

- ensure compliance with relevant legislation including but not restricted to the Data
Protection Act (1998), Computer Misuse Act (1990) and Access to Health Records Act
(1990)

- ensure that all staff are aware of their security responsibilities and that awareness of IT
security issues is raised periodically

- ensure that Internal Audit plans include occasional reviews of the Trust’s compliance
with local and NHS security policies.

2.2 Responsibilities of the Individual

All staff need to be aware of their legal obligations and Trust policy in respect of using IT
resources and equipment. Failure to comply with this policy may result in disciplinary action
or criminal prosecution.

3 Getting Started
3.1 Recruitment & Contracts of Employment

The Trust will ensure that members of staff are aware of information security threats and
concerns through explicit reference in job descriptions and contracts of employment.

Induction & other training will brief staff on:

- The Trust’s IT security policy (i.e. this document);
- relevant IT legislation;
- individual accountability;
- disciplinary procedures which may be involved should a breach of security arise.

Users will sign a confidentiality undertaking (Appendix 1) as part of their contract of
employment.

3.2 Agency staff and third party users

Agency staff and third party users not already covered by an existing contract will be
required to sign a confidentiality agreement prior to connection to the Trust’s IT facilities
and be made aware of the key points within this policy.

3.3 Responsibilities of the Line Manager

Line managers and Directors must give their full backing to all the guidelines and
procedures as set out and agreed.

Line Managers will be responsible for ensuring that their permanent and temporary
members of staff are aware of this policy and its contents, and abide by it.

Certain managers, where they have responsibility for individual systems, must maintain
records of users of that system and control their access to it by the granting of access
privileges, passwords etc. via the IT department where necessary.

Line Managers must make the IT department aware of all new staff, leaving staff and
temporary staff, so that log-in rights and access privileges can be set as appropriate, at the
earliest possible opportunity. Forms for new starters and leavers can be obtained from
‘starfish’, the corporate intranet.

Where members of staff do not have sufficient knowledge to be able to use systems
efficiently and securely their managers must ensure that appropriate training is arranged
before allowing them access to the Trust’s computer systems.

Managers must also take responsibility to ensure that all members of staff:

- are made aware of their responsibilities under the Data Protection Act (1998) and
Computer Misuse Act (1990) within one month of joining the Trust.

- are aware of the strict confidentiality of the information to which they will have
access.

- use information in an appropriate manner at all times.

- sign and return the confidentiality agreement before accessing the Trust’s computer
systems.

3.4 Notice to All

Failure by anyone working for or on behalf of the Trust (permanent or temporary) to abide
by the contents of this policy will be viewed as a serious matter and may result in
disciplinary action.

4 Authorisation

4.1 Usernames for logging on to the Trust network

Every member of staff who needs to be able to access the Trust’s network to perform their
job role must have their own individual logon.

A request form can be obtained from Starfish. The form must be authorised by the
person’s line manager and sent to the IT Department for the attention of the IT Service
Desk.

On submission of an appropriately completed and authorised Request for Network Access
form, the IT department will issue each member of staff with a username and a password.

If a new member of staff will require access to the Trust network on their first working day,
their line manager should ensure that the request form is submitted in advance.

In all cases, staff should allow a minimum of 5 working days for the request to be
processed. Where the name of the member of staff is not known until the day that they
start work for the Trust (for example Agency Staff), the form must be completed with all
other information and submitted to the IT Service Desk with a note to say that the line
manager will contact the IT Service Desk with the remainder of the information on the given
start date. Any deviation from the above may result in a delay in the setting up of the
username and password.

The first time the user logs on to the network they will be automatically prompted to change
their password.

The individual staff member is responsible for everything accessed and actioned using their
username and password. It is therefore in the best interests of the individual staff member
to ensure that they do not share their username and password with anyone under any
circumstances.

Where there is a genuine business need to share an email inbox and/or calendar, the IT
Service Desk will advise the staff member how this can most effectively be achieved whilst
maintaining secure practice.

4.2 Passwords

All staff are given access rights and privileges to the various systems in accordance with
the area in which they are working and the type of data they require to do their job. All staff
will have a log-in for the network server in addition to any other systems they use.

In all cases any passwords issued to staff are for their use only. Passwords should not be
written down or shared with others under any circumstances. Staff are personally
responsible for anything actioned using their individual username.

Passwords should be a minimum of 8 characters and, ideally, should be a mixture of letters
and numbers or special characters such as $%^&*.

Names and words that can be found in a dictionary must not be used as these are not
sufficiently secure. If a postcode or car registration number is used it must not be a current
one as this is also not sufficiently secure.

Passwords must be changed on a regular basis. The current Trust policy is for passwords
to be changed every 30 days.
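A checker for the rules in this section, added here as an illustration and not part of the Trust's policy or any Trust system. The word list and the sample dates are constructed; the UK postcode and vehicle registration patterns are an assumption about what to flag, since a checker cannot know whether a postcode or registration is currently in use and so flags any match for the user to confirm.

```python
"""Section 4.2 password rules as code: length, character mix, dictionary words,
postcode / car registration look-alikes, and the 30-day change interval."""
import re
from datetime import date, timedelta
from typing import List

MIN_LENGTH = 8                    # "a minimum of 8 characters"
MAX_AGE_DAYS = 30                 # "changed every 30 days"
SPECIALS = set("$%^&*!@#?+-_=")   # the policy lists $%^&* as examples

# Constructed stand-in for a dictionary; a real deployment would load a full word list.
DICTIONARY_WORDS = {"password", "welcome", "bedford", "hospital", "summer", "letmein"}

# Assumed patterns for the things the policy says must not be a *current* one.
UK_POSTCODE = re.compile(r"^[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}$", re.IGNORECASE)
UK_REG_PLATE = re.compile(r"^[A-Z]{2}\d{2}\s?[A-Z]{3}$|^[A-Z]\d{1,3}\s?[A-Z]{3}$",
                          re.IGNORECASE)


def check_password(password: str) -> List[str]:
    """Return the policy rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIALS for c in password)
    if not (has_letter and (has_digit or has_special)):
        problems.append("needs a mixture of letters and numbers or special characters")

    # Strip digits and specials first so that "Welcome1!" is still caught as "welcome".
    core = "".join(c for c in password if c.isalpha()).lower()
    if core in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")

    compact = password.replace(" ", "")
    if UK_POSTCODE.match(compact):
        problems.append("looks like a postcode (must not be a current one)")
    elif UK_REG_PLATE.match(compact):
        problems.append("looks like a car registration (must not be a current one)")
    return problems


def password_expired(last_changed: date, today: date,
                     max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password is older than the Trust's 30-day change interval."""
    return (today - last_changed) > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample passwords; none is a real credential.
    for candidate in ["Welcome1!", "short", "MK40 1AA", "AB12 CDE", "Tr0ub4dor&3"]:
        print(repr(candidate), check_password(candidate) or "passes")
    print("expired:", password_expired(date(2009, 3, 1), date(2009, 4, 1)))
```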

4.3 Smartcards

Detailed guidance for the use of smart cards is issued to individual users along with their
card. Staff should also read the Registration Authority Policy for further information.

Smartcard users must keep their cards safe at all times and immediately report the loss of a
card or the disclosure of the PIN.

The PIN should not be written down or disclosed to anyone else under any circumstances.

Smartcards must only be used by the owner of the card and must not be shared.

4.4 Passwords for Additional Databases or Systems

All staff are given access rights and privileges to the various systems in accordance with
the area in which they are working and the type of data they require to do their job.

As with network usernames and passwords, the individual staff member is responsible for
everything accessed and actioned using their username and password for the particular
system.

4.5 When a Member of Staff Leaves the Trust or Changes Role

It is the responsibility of the line manager concerned to ensure that the IT Service Desk is
informed when a member of staff with access to the Trust network leaves or changes their
role.

5 Legal Responsibilities

5.1 Working with Person Information

We all have legal responsibilities under the Data Protection Act (1998) and the Computer
Misuse Act (1990) to ensure that unauthorised access to our data is prevented and also
that our data is accurate and kept up to date. Staff should read the Data Protection policy
for further information.

All staff must be made aware of their responsibilities under these Acts and must not be
allowed access to the Trust’s computer systems until Management is satisfied that they
understand and agree these responsibilities.

It is the policy of the Trust to restrict access to identifiable person information to those who
need to see it.

Wherever possible, person information will be fully anonymised, but where this is not
possible the number of data items which could aid identification of any individual will be
minimised.

The Trust will maintain procedures for handling requests for identifiable person information.
The Caldicott Guardian will oversee all procedures affecting access to person identifiable
health data.

Where identifiable person information is held, the Data Protection Officer will ensure
compliance with the Data Protection Act (1998) and the eight principles therein:

- ‘The information to be contained in personal data shall be obtained, and personal data
shall be processed, fairly and lawfully.’

- ‘Personal data shall be held only for one or more specified and lawful purposes.’

- ‘Personal data held for any purpose or purposes shall not be used or disclosed in any
manner incompatible with that purpose or those purposes.’

- ‘Personal data held for any purpose or purposes shall be adequate, relevant and not
excessive in relation to that purpose or those purposes.’

- ‘Personal data shall be accurate and, where necessary, kept up to date.’

- ‘Personal data held for any purpose or purposes shall not be kept for longer than is
necessary for that purpose or those purposes.’

- ‘An individual shall be entitled, at reasonable intervals and without undue delay or
expense -
  - to be informed by any data user whether he holds personal data of which that
individual is the subject; and
  - to have access to any such data held by a data user; and
  - where appropriate, to have such data corrected or erased.’

- ‘Appropriate security measures shall be taken against unauthorised access to, or
alteration, disclosure or destruction of, personal data and against accidental loss or
destruction of personal data.’

The Data Protection Officer will periodically review the Trust’s compliance with these eight
principles.

The IT Security Officers will be responsible for ensuring that all internal IT development
projects are undertaken in a controlled and secure manner.

All systems will be password protected.

When any change(s) to systems are required they will be reviewed by the IT Security
Officers to ensure there is no impact on security.

5.2 Software Licensing

The Trust has a legal responsibility to ensure that there are sufficient licenses for all
instances of a particular piece of software in use within the Trust. As such the IT
Department will maintain monitoring systems to ensure that all proprietary software
products on PCs and Servers are used legally.

If there needs to be more than one instance of a particular piece of software, then
either multiple licenses or a license covering multiple users must be purchased.

5.3 Other Guidance

All staff must also abide by any guidelines that may be issued from time to time by NHS
and Information Security regulatory bodies.




6 Protection Against Malicious Software Viruses

6.1 Virus Protection provided by the Trust
The Trust will provide a suitable software solution for virus checking. Responsibility for
making sure that the software is up to date lies with the IT Department.

IT equipment permanently attached to the network will be automatically updated as new
versions become available.

Responsibility for updating IT equipment that is not permanently attached to the network
(for example laptops) lies with the individual user. The update will be triggered once the
machine is logged onto the network, but the individual user must ensure that this happens
on a regular basis.

6.2 Use of Portable Media on Trust Equipment
It is the responsibility of all staff to protect the Trust’s computer systems from viruses. All
media from outside the Trust must be checked for viruses before being used on a Trust
machine.

Portable media includes floppy disks, CDs, DVDs, USB keys/memory sticks and all other
methods of storing and moving data in an electronic format.

If necessary and on request, the IT Service Desk will provide guidance on how to virus
check media on a Trust PC.

It is not permissible to run programs from USB keys/memory sticks as doing so may
present a risk to the network.

If there is a requirement to save person identifiable information to a memory stick ONLY
encrypted memory sticks should be used. These can be requested by filling in a TAG form
and returning it to the Head of IT. All staff should be aware that this should only be done in
extreme cases as it is much more secure to store person identifiable information on the
Trust servers.

6.3 Installation of Authorised Software
Authorised software must be installed by a member of the IT Department or their
designated representative. Any business software installed by anyone other than
authorised personnel will not be supported by the IT Service Desk and may be subject to
removal as part of a regular audit cycle.

If there is a legitimate business need for additional software, the senior manager of the
department must make a case for acquiring the software. Consideration must be given to
the number of users requiring the software, the training required for the efficient and
effective use of the software, and how the software will be supported and maintained. The
software will not be adopted as Authorised Software for the Trust without explicit
acceptance by the Head of IT.

6.4 Installation of Unauthorised Software
Unauthorised software includes, but is not limited to, games software, non-standard
screensavers and wallpaper backgrounds.

Under no circumstances should unauthorised software be loaded on to Trust equipment. It
is a disciplinary offence to copy unauthorised software and may lead to prosecution for
theft.

If there is a genuine business need to have the software installed, please see Section 6.3
for advice on how to add the software to the official list of authorised and supported
software.

6.5 Using Personal IT Equipment for Trust Purposes
It is not permissible to use personal IT equipment for Trust business purposes. This
includes personal storage devices such as memory sticks or external storage drives.


7 Saving Your Work Electronically

7.1 When Connected to the Trust Network
Any document saved to the Trust network (i.e. usually a folder on G or U drive) is
automatically backed up as part of the Trust Back Up and Disaster Recovery Strategy.

No files or data should be saved to the c-drive of a PC (also known as the hard drive) under
any circumstance.

No personal data (i.e. non-work related data) should be saved onto network servers or onto
the c-drive of the PC. This includes photographs, music files, movie files and any other non-
Trust related files.

7.1.1 Use of G Drive

The folder structure on the G Drive is for all Trust documentation. Access to the folders can
be restricted where necessary, but the default is that everyone is able to see documents
saved to this drive.

7.1.2 Use of U Drive

Individual named folders on the U Drive are for personal documents. Access is restricted to
the individual whose folder it is.

The IT Service Desk can be contacted for further information on mapped drives and how to
access them.


7.2 When Disconnected from the Trust Network
When working away from the Trust network, using a Trust laptop or tablet, it is permissible
to save documents to the ‘My Documents’ folder on the c drive. All Trust laptops and tablets
are encrypted which adds another level of security to the device. However all staff should
be aware that saving person identifiable information to a laptop or tablet should be avoided
if at all possible.

In such cases it is the sole responsibility of the individual to ensure that their work is
transferred to a suitable network drive on their return to the networked environment. The c-
drive should never be used as the primary storage of files. Staff should contact the IT
Service desk for further advice for the best way to do this.

It is important to note that c-drives and other portable media are more prone to corruption
than the larger media storage drives such as those maintained by the IT Department. In
cases where the only copy of a document is on a corrupted drive, the IT Department will
endeavour to retrieve the document on a Best Efforts basis, but cannot be held responsible
for loss of the data if retrieval is not possible.

8 Email

8.1 Corporate email addresses
Everyone requesting an individual logon to the Trust network will also be issued with an
individual corporate email address. Where possible the email address will be in the format
firstname.surname@bedfordshire.nhs.uk.

At the time of writing, NHSmail is considered the only email system that is sufficiently
secure to allow the transfer of person identifiable information. (See section 8.2) The Trust’s
email system should not be used to transfer person identifiable information.

The Trust adds a standard confidentiality disclaimer to all emails sent to recipients outside
of the Trust.

8.2 NHSmail email addresses

All NHS employees are entitled to have an NHSmail email account (i.e. one that ends in
@nhs.net). An NHSmail email account is a web-based email account that can be accessed
from both within and outside of the NHS network. It has been approved by the British
Medical Association for use to transfer person identifiable information from one
NHS employee to another.

The IT Service desk can setup NHSmail addresses for staff.



8.3 Auto-forwarding email to another email account

Auto-forwarding of emails to another email account is unsafe due to the possibility of
security breaches and therefore should be avoided in any instance.

8.4 Email attachments

Internal forwarding of attachments should be unnecessary as all staff have access to the G
Drive and starfish.

Where sending an attachment is unavoidable, the type and version of the software that the
attachment was created in should be included in the body of the email (for example,
Microsoft Word, version 2003) as file extensions may be lost during transit.

Attachments that have been received from an external source should be treated with
extreme caution, especially those that are unsolicited. Before opening an unsolicited
attachment, the receiver should check with the sender the nature and purpose of the
attachment.

Viruses and other malicious software are often sent as attachments. For this reason, some
attachments may be quarantined to ensure the safety and security of the Trust network (for
example, zipped files and database files). If an individual user needs to receive any file
type which may be blocked, the IT Service Desk will be able to advise on the best way of
doing this whilst maintaining security of the network.

8.5 Use of Distribution Lists

Distribution lists are for official Trust purposes only.

They should not be used for circulating advertisements or warnings about virus risk or
suspect scams. Nor should they be used for circulating jokes or items for sale. Staff should
use the discussion boards on starfish for informal electronic chat.

If an individual user receives an email from an external source regarding a virus risk or
suspect scam, they should consult with the IT Service Desk to ascertain its validity. Many
such warnings are time-wasting hoaxes, but the IT Department can review the content to
ensure that the Trust is sufficiently prepared to deal with any genuine new viruses.

8.6 Personal use of email

It is permissible for staff to send and receive email at work for incidental personal purposes
provided that doing so does not involve a substantial expenditure of time, or use for profit.

A ‘substantial expenditure of time’ is one that could impact on employee time commitments.

The circulation of jokes via email is not considered an appropriate personal use as although
they can be read and distributed quite quickly, rapid distribution across the Trust can place
unnecessary pressure on the Trust email systems in terms of volume.

The Trust has the final decision on deciding what constitutes excessive or inappropriate
use.

Staff are reminded that the Trust email system is a business tool and therefore no member
of staff should consider information sent/received through the email system as his/her
private information.

8.7 General Good Practice and Etiquette

Staff are encouraged to use the Out of Office function when they are on leave or unable to
check their email for more than one day. This enables the sender to seek an alternative
response to the message they have sent.

Great caution should be exercised when giving out your email address to third parties (for
example salespeople, websites, questionnaires, mailing lists) as once an email address is
on a Spam mailing list it is very difficult to block further unwanted incoming messages.

8.8 Archiving and retrieval of email messages

The Trust is currently implementing an email archiving and retrieval system.

This is being implemented to ensure compliance with current and forthcoming legislation
however there are also many benefits to staff.

The benefits to staff include:

- Easy searching for emails by name, subject, date ranges
- Searching available for keywords within attachments
- No storage limit for emails
- No requirement to archive emails to pst folders
- All existing pst files will be taken back into the archive for easy retrieval and
searching
- Accidental deletion of emails does not mean they are lost. Emails can still be
retrieved by users from the archive using the search facility
- All emails, incoming and outgoing, are stored in the archive
- The process will be automatic and transparent for all staff

Email will not be actively monitored. The procedure for retrieval of emails for investigative
purposes remains unchanged.


9 Internet Access

9.1 The Provision of Internet
Access to the internet is primarily provided for work related purposes. That is for Trust work
or for professional development and training.

Internet use takes up capacity on our network, the NHS network, and the central NHS link
to the internet. As the NHS is a 24 hours a day, seven days a week service there is no
concept of out of hours use.

The Trust reserves the right, consistent with UK law, to monitor all Internet accesses,
including but not limited to email and web access. No member of staff should consider
information sent/received through the Internet as his/her private information.

The use of the Internet is a privilege, not a right. Inappropriate use, including any violation
of this policy, may result in the withdrawal of the facility, disciplinary action including
termination of contract and/or the notification to proper authorities for criminal/civil
proceedings, dependent upon the violation. It should be emphasised that should any illegal
activity be suspected of taking place, the Trust will involve the Police as soon as reasonably
practicable.

9.2 Access for Personal Use
Reasonable incidental personal use is permitted during work breaks provided that this does
not interfere with the performance of official duties or adversely affect system performance.

Personal access to the Internet can be limited or denied by a line manager. The Trust has
the final decision on deciding what constitutes excessive use.

The Trust will not accept liability for personal legal action (e.g. Libel) resulting from staff
misuse of the internet.

As detailed above in section 9.1, should any inappropriate use be suspected this will be
investigated and may lead to disciplinary action being taken which may include termination
of employment. It is emphasised that should illegal activity be suspected the Trust will
involve the Police as soon as is appropriate.

9.3 Access to Specific Websites

The IT department reserves the right to globally ban access to any site deemed
inappropriate without warning.

The Trust provides email for your use; therefore it is not permissible to use any external
email systems such as ‘Hotmail’ or any other web-based mail provider including University
email systems. The only exception to this rule is the web-based NHSmail email system.

Unless specifically authorised, no member of staff can post messages under the Trust's
name to any newsgroup or chat room.

Unless specifically approved by the IT Security Officer, no member of staff may publish a
web site under the name of the Trust or featuring the NHS Logo.

Access to file downloads will be restricted as necessary by the IT Department to ensure
system security. Users will not be permitted to ‘download’ any software, music, or video files
unless specifically authorised to do so by the IT Security Officer.

Unless authorised by the IT Security Officer, users may not use web streaming services
such as video or radio due to the excessive network capacity and resources these systems
take.

To intentionally introduce files which cause computer problems may be prosecutable under
the Computer Misuse Act.

No member of staff is permitted to access, display or download from Internet sites that hold
offensive material. To do so is considered a serious breach of Trust security and may
result in dismissal. Offensive material includes hostile text or images relating to gender,
ethnicity, race, sex, sexual orientation, religious or political convictions and disability. This
list is not exhaustive. Other than instances which demand criminal prosecution, the Trust is
the final arbiter on what is or is not offensive material, or what is or is not permissible
access to the Internet.

If a user unintentionally finds they are connected to a site which contains sexually explicit or
otherwise offensive material they must disconnect from the site immediately and inform the
IT Service Desk and complete the appropriate incident report form.

If there is a genuine business need to access a website that has been blocked by the IT
Department, a written application must be made to the IT Security Officer by the
department concerned. The application must outline the business and/or clinical need for
access to be granted.

The Trust reserves the right to restrict Internet activity to work-related purposes without
notice in order to ensure the continued operation of Trust business.

10 Seeking Assistance

If a member of staff requires assistance on any matter relating to IT, their first point of
contact should always be the IT Service Desk.

The IT Service Desk can be contacted on internal extension 2273, or external telephone
number 01582 700273.

11 Purchasing IT Equipment

All Trust IT equipment should be purchased in conjunction with the Head of IT (Corporate
and Provider Services) and in accordance with the Trust’s Standing Financial Instructions.

Failure to comply with the above may result in the equipment not being supported.
12 Equipment Security

Protection of IT equipment (including that used off site) is necessary both to reduce the risk
of unauthorised access to data and to safeguard against loss or damage.

Equipment (e.g. portable PCs), data and software should not be taken off-site without the
prior authorisation of the appropriate line manager.

All members of staff taking portable PCs (or other hardware or software) off the premises
are responsible for their safekeeping. Staff will be expected to specify how long the item is
to be off-site. If the arrangement is to be semi-permanent it should be positively reviewed
every quarter. Staff should be made aware of their responsibilities (particularly regarding
data security) and provide assurances that adequate security arrangements will be made.
Portable PCs must be covered under personal household insurance.

All laptops and tablets belonging to the Trust have encryption software installed, adding a
further level of security; however, staff are reminded that person identifiable information
should only be stored on the local C: drive in exceptional circumstances.

Laptop and portable machines should be locked away if left unattended. When they are
taken off the premises all efforts should be made to ensure they are not left unattended in
public places. They should be kept out of sight as much as possible when not in use. On
no account should a portable computer be left in an unattended car.

13 Reporting of Incidents

All incidents which constitute a threat to NHS-wide networking services are reported to the
Connecting for Health (CfH) Information Governance (IG) Security Team as and when they
occur.

14 Security Incident Management Procedures

An IT security incident is defined as any event that has resulted or may result in:

• the disclosure of confidential information to any unauthorised individual
• the integrity of the system or data being put at risk
• the availability of the system or information being put at risk
• an adverse impact, for example:
  - threat to personal safety or privacy
  - legal obligation or penalty
  - financial loss
  - disruption of the Trust's business
  - embarrassment to the Trust

All incidents or information indicating a suspected or actual security breach should initially
be reported to the immediate line manager and the IT Security Officer, who will determine
whether an actual security breach has taken place. The majority of IT security breaches
are innocent and unintentional (e.g. user not “logging out” when leaving for the day) and
would not normally result in disciplinary action being taken.

If a breach has taken place it should be reported to the IT Security Officer and an incident
form should be completed.

The IT Security Officer should categorise the incident on a scale from insignificant to acute.
The Board Secretary (who is responsible for IT) should be informed of any significant
implications for the Trust and should determine whether any disciplinary action is
necessary. If the incident is classified as significant, major or acute, the Chief Executive
should be informed immediately.

Where the suspected security breach involves the staff member's line manager or a
member of the IT Department, the staff member should inform their line manager's
superior and the IT Security Officer.

If a staff member believes a security breach is the result of an action or negligence on
behalf of the IT Security Officer, the incident should be reported direct to the Chief
Executive.

15 System Planning, Procurement and Acceptance

Procurement procedures should encompass security aspects. All security requirements
should be identified at the requirements phase of a project and justified, agreed and
documented as part of the overall business case for an information system.

All hardware and software procurements should ensure that:

• hardware or software changes which may affect network management are agreed by all
  parties affected
• any new IT facilities provide an adequate level of security and will not adversely affect
  existing security
• mandatory and desirable security requirements are included in procurement
  specifications
• the IT Security Officer is consulted to ensure that the selected hardware or software will
  meet the agreed security requirements.

The procurement process should take into account the hardware and software
compatibility required to support the installation's contingency and recovery arrangements.
Project approval will be withheld until the necessary security requirements have been built
into the project plan.

There should be formal, documented user acceptance criteria against which the system can
be tested. These criteria should specifically cover security requirements, which should be
approved by the IT Security Officer as part of the handover process. Where possible,
testing should not be undertaken in a "live" environment.

16 Business Continuity Planning and Risk Assessment

Business continuity planning is partially though not wholly an IT issue.

A separate policy will be issued regarding business continuity planning, which will cover the
following:

• a documented assessment of how long users could manage without each major system
• a documented assessment of the criticality of each system, including the impact of the
  short, medium and long term loss of each system on the Trust's business activities
• identification and agreement of all responsibilities and emergency arrangements
• documentation of agreed procedures and processes
• an assessment of how resilience and continuity will be achieved.

The IT Security Officer will ensure that each system within the organisation is subject to
regular security risk assessments. The degree of detail of the risk assessment will depend
on the value and criticality of the assets.

Risk assessment will be broken down into the following four functions:

• identification and valuation of assets
• evaluation of the impact of an adverse event on the assets
• assessment of the likelihood of the adverse event occurring
• identification of appropriate countermeasures to protect the asset and/or limit the
  damage caused by an event.

The IT Security Officer will be responsible for ensuring that countermeasures are
implemented sensibly, efficiently and cost-effectively.



Appendix 1 - CONFIDENTIALITY UNDERTAKING

Please return to the Head of IT (Corporate and Provider Services) at Gilbert Hitchcock House,
Bedford.


I, _____________________________________________, will not disclose any information to
external organisations outside the Trust unless specifically requested to do so by my line manager.
I undertake to comply with the requirements of the Trust IT Security Policy.

I have read the IT Security Policy and fully understand my responsibilities.



Signed: ____________________________________________
Print name: ____________________________________________
Department: ____________________________________________
Manager: ____________________________________________
Date: ____________________________________________
Glossary of Terms

Download: The ability for a user to save files from other locations to their PC, for example
music or video files from websites or from an email sent by someone else.
Email: Electronic mail.
Email archiving and retrieval system: A system where emails older than a certain date are
archived out of the email system but remain available to users to access if necessary.
Hardware: The physical asset, e.g. a PC.
Internet: A worldwide computer network that provides information on very many subjects
and enables users to exchange messages. The Internet includes commercial, educational,
governmental and other networks.
IT: Information Technology.
IT Assets: IT systems owned and/or used by Bedfordshire PCT.
IT Security: The physical and logical security of any IT asset.
IT Security Officer: Member(s) of staff within the Trust with responsibility for IT security.
Logon: Username and password that allows a user access to any IT systems on the Trust's
network.
Network: The network that connects together all IT systems that belong to Bedfordshire PCT.
Newsgroup / Chatroom: An area on a computer network, especially the Internet, devoted to
the discussion of a specified topic.
NHS Mail: An email system provided centrally by the NHS for NHS staff to use.
Out of Office function: A feature of the email system that the user can set up to send an
automatic reply informing the sender that they are out of the office.
Person Identifiable Information: Any information (both electronic and paper based) that
could identify a person, such as name, address or telephone number.
PC: Personal Computer.
PDAs (Personal Digital Assistants): Small devices that store a user's calendar and emails
electronically.
Portable media: USB keys, compact discs, DVDs: anything that allows a user to save
electronic information to a small portable device.
SmartCard: A credit-card-sized card which uses chip and PIN technology to allow users
access to systems. The card is inserted into a slot in the keyboard of your PC.
SmartPhones: Mobile phones that store data or access the Internet/Trust network.
Software: Programs that run on the computer, e.g. Microsoft Word.
Spam: Unsolicited email, often of a commercial nature, sent indiscriminately to multiple
mailing lists, individuals or newsgroups; junk email.
