Mobile Computing and Remote Access Policy


Version 2.0 | Mobile Computing and Remote Access Policy | June 2011

Version: 2.0
Status: Approved
Author/Lead: Information Governance & Data Protection Officer; Head of Governance & Complaints
Directorate: Chief Executive Office
Ratified By: EMT 22 June 2011
Implementation Date: June 2011
Date of Last Review: June 2011
Date of Next Review: June 2012
Target Audience: All Staff

Target Audience

All Staff



To be read with:

- Acceptable Use of Information Systems Policy
- Acceptable Use of E-mail Policy
- Bulk Transfer of (Electronic) Patient Records Policy
- Confidentiality and Data Protection Policy
- Information Security Policy
- Safe Haven Policy
- User Accounts Policy
- Incident Reporting and Management Policy
- Serious Untoward Incident Policy
- Performance and Conduct Policy


“The PCT incorporates and supports the human rights of the individual as set out in the European Convention on Human Rights and the Human Rights Act 1998”



Version Control Record

| Version | Description of Change(s) | Reason for Change | Author | Date |
|---|---|---|---|---|
| 1.0 | Initial Draft | N/A | Assistant Director for Health Informatics | 14/05/2007 |
| 2.0 | Bring policy in line with Policy Development Policy. Incorporated Remote Access Policy. Encrypted USB Referenced. | Annual Review and to take into account the Provider/Commissioning split. | Information Governance & Data Protection Officer | 20/06/2011 |






Table of Contents

1. Introduction
2. Purpose
3. Scope
4. General Principles
5. Risks
6. Responsibilities
7. Disciplinary Procedures
8. Monitoring and Review
Appendix 1 - Equality Impact Assessment Tool
Appendix 2 - Audit Tool For The Mobile Computing and Remote Access Policy
Appendix 3 - Assurance Form
Appendix 4 - Policy Ratification and Publication






1. Introduction

1.1 This Mobile Computing and Remote Access Policy forms part of the overall Information Security Policy.

2. Purpose

2.1 This document outlines the arrangements which promote the use of mobile and remote access computing in a secure manner.

3. Scope

3.1 This policy applies to all employees of NHS Brent and NHS Harrow, including contracted and temporary staff.

3.2 Mobile computing includes, but is not limited to, laptops, tablets, Personal Digital Assistants (PDAs), smart phones, USB memory sticks (i.e. IronKey).

3.3 Remote Access includes, but is not limited to, Remote Access Tokens, NHSmail, Microsoft Outlook Web App.

3.4 For the purpose of this policy, “The PCT” refers to NHS Brent & NHS Harrow.





4. General Principles

4.1 Mobile and remote access computing offers the potential for enhanced productivity at low risk if used correctly.

4.2 Remote access, where issued, enables users to gain access to the PCT Network and other work related services. Remote access must be authenticated using a Remote Access Solution (RAS) token. Alternatively, staff may access their PCT e-mail account using the Microsoft Outlook Web App. In the near future, all Harrow users will be on the new email system and the Outlook Web Access (OWA) will be the same.

4.3 Mobile devices will be issued to staff in accordance with clinical / business needs, and subject to availability of budget as authorised by line manager.

4.4 All mobile devices must be authorised by the ICT Department before a connection to a work computer or network can occur.

4.5 Any loss of or damage to a mobile device attributable to the negligence of its user will be the personal responsibility of the individual.

5. Risks

5.1 Risks particularly associated with mobile and remote access computing include:

- Loss of data without any backup.
- Theft, loss or damage to equipment.
- Unauthorised access to, or disclosure of, data.
- The introduction of malicious software and unauthorised code.
- Unavailability of network or systems.





6. Responsibilities

6.1 Staff

6.1.1 Mobile devices: Staff must:

- Take good care of the mobile devices and take all reasonable precautions to ensure that the device is not damaged, lost or stolen.
- Make sure that mobile devices are kept with you or locked away when not in use.
- Not leave your mobile device visible in an unattended vehicle, even for a short time, and make sure it is out of sight while in transit.
- Ensure that password protection is enabled.
- Only use devices for work related purposes.
- Store patient / person identifiable data obtained through work on mobile devices that are the property of the Trust and are therefore subject to the policies and procedures of the Trust.
- Minimise the amount of data that you hold on your mobile device. Ensure data is limited to what you require to do your job. Not only is information on mobile devices at risk of unauthorised disclosure, there is a risk of complete loss and business disruption if the device is not backed up to the PCT network.
- Report the loss or suspected loss, theft or unauthorised access/disclosure of a mobile device, particularly if it is holding confidential / person identifiable data, to line management and the ICT Service Desk as soon as possible, with the PCT’s Incident Report procedures being used. In the case of theft, it must also be reported to the police.
- Keep patient / person identifiable data stored on a mobile device to a minimum to reduce the risk of a breach of confidentiality should the device be lost or stolen.
- Store patient / person identifiable data on an encrypted device.
- Return all mobile devices when requested or when no longer needed.
- Return all mobile devices to the ICT Service Desk or your Line Manager when you cease to be employed by the organisation.





6.1.2 Mobile devices: Staff must not:

- Leave a mobile computer logged on and unattended. If a computer is left logged on and unprotected, another person can use functions of the computer in your name. Another person may also be able to see confidential information.
- Use them as a permanent or long term store of data. Data and files must be regularly moved to the Trust network.
- Leave mobile devices and/or data unattended in cars or other easily accessible places, due to the risk of opportunistic theft. If possible, devices should be kept under lock and key when not in use.
- Load software on to the device without the express written permission of the ICT Department.
- Write down and leave your User ID and / or Password with your mobile device.
- Allow the mobile computer to be used by anyone other than yourself. This includes family members and friends.
- Display patient / person identifiable data or other confidential information in a public place.
- Use USB memory sticks that have not been issued by the PCT. The PCT uses USB memory sticks that use encryption technology that meets NHS standards.

6.1.3 Remote Access: Staff must:

- Have up-to-date anti-malware (i.e. Anti-virus, Anti-spyware) installed on the machine that they are using to remotely access the PCT network.

6.1.4 Remote Access: Staff must not:

- Upload software onto the PCT network using the Remote Access Solution.
- Provide your remote access login credentials to anyone, not even family members.
- Use personal computers, which do not belong to the NHS, for processing and storing person identifiable information.
- Write down and leave your User ID and / or Password with your remote access token.


6.2 Line Management

- Confirm that a member of staff is authorised for the use of mobile and / or remote access computing.
- Ensure that staff using mobile computers and remote access understand and abide by this policy.
- Monitor the ongoing availability of mobile computers.
- Ensure that mobile computers and remote access tokens are handed back to the PCT when a member of staff leaves.




6.3 ICT Management

- Ensure that all PCT-owned mobile computing equipment has an asset label, which carries enough information to enable the device to be returned to the PCT if lost.
- Ensure that all PCT-owned mobile computing equipment is encrypted.
- Ensure that records are kept of mobile devices and users in ICT’s asset register.
- Ensure that a register is maintained of remote access users.
- Ensure that processes are in place for the issuing and monitoring of remote access and mobile devices.
- Investigate alleged breaches and support line management where disciplinary action is appropriate.
- Ensure that all mobile devices recovered from staff are cleared and purged before being allocated to other staff, except in cases where there is a handover of responsibilities.



7. Disciplinary Procedures

7.1 All suspected breaches of this policy will be investigated and may be subject to the Trust's formal disciplinary procedures. Serious breaches may result in immediate suspension and/or termination of contract, under the PCT Performance and Conduct Policy and the Serious Incident Policy.

8. Monitoring and Review

8.1 This policy will be reviewed once a year by EMT. Auditing of this document should be done at least every two years based on monitoring the effectiveness of the policy in line with legislation and guidelines etc. An Audit Tool (Appendix 2) will be used for monitoring purposes. The document Assurance Form (Appendix 3) will be used by Managers to document embedding of policies.



Appendix 1 - Equality Impact Assessment Tool

To be completed and attached to any procedural document when submitted to the appropriate committee for consideration and approval.

[a] What is the likely impact [whether intended or unintended, positive or negative] of the initiative on individual users or on the public at large?

None

[b] Is there likely to be differential impact on any group? If yes, please state if this impact may be adverse and give further details [e.g. which specific groups are affected, in what way, and why you believe this to be the case]

[i] Grounds of race, ethnicity, colour, nationality or national origin: Yes / No (please tick box). Adverse? (please tick box). Please give further details.

[ii] Grounds of sex or marital status (women and men): Yes / No. Adverse? Please give further details.

[iii] Grounds of gender (transgender or transsexual people): Yes / No. Adverse? Please give further details.

[iv] Grounds of religion or belief (religious / faith or other groups with a recognised belief system): Yes / No. Adverse? Please give further details.

[v] Grounds of disability: Yes / No. Adverse? Please give further details.

[vi] Grounds of age (older people, children and young people): Yes / No. Adverse? Please give further details.

[vii] Grounds of sexual orientation (lesbian, gay, bisexual): Yes / No. Adverse? Please give further details.

[viii] Grounds of carers (older relatives, children): Yes / No. Adverse? Please give further details.

[ix] Grounds of human rights: Yes / No. Adverse? Please give further details.

Is the policy directly discriminatory? Yes / No

Is the policy indirectly discriminatory? Yes / No

If you said yes, is this objectively justifiable or proportionate in meeting a legitimate aim? Yes / No

Is the policy intended to increase equality of opportunity by permitting positive action or action to redress disadvantage? Yes / No

Please give details.



Summary

Document Author: Information Governance & Data Protection Officer
Directorate: Finance and Performance
Name of Document / Policy / Strategy / Procedure: Mobile Computing and Remote Access Policy
Document Status: New Document / Existing Document

Associated Policies, Strategies or Procedures:

- Acceptable Use of Information Systems Policy
- Acceptable Use of E-mail Policy
- Bulk Transfer of (Electronic) Patient Records Policy
- Confidentiality and Data Protection Policy
- Information Security Policy
- Safe Haven Policy
- User Accounts Policy
- Incident Reporting and Management Policy
- Serious Untoward Incident Policy
- Performance and Conduct Policy

Date:

Aim/Status

[a] What is the aim/purpose of the policy/strategy/procedure?

This document outlines the arrangements which promote the use of mobile and remote access computing in a secure manner.

[b] Who is intended to benefit from this policy/strategy/procedure and in what way?

All staff who use remote access and mobile computing

[c] How have they been involved in the development of this policy/strategy/procedure?

Policy consulted on

[d] How does it fit into the broader corporate aims?

In line with Trust objectives to improve quality of services

[e] What outcomes are intended from this policy/strategy/procedure?

Staff adhere to policy

[f] What resource implications are linked to this policy/strategy/procedure?

None

Impacts

If you have identified a potential discriminatory impact of this procedural document, please refer it to the Equality & Diversity Manager together with any suggestions as to the action required to avoid/reduce this impact.

For advice in respect of answering the above questions, please contact the Equality & Diversity Manager.

If the policy is unlawfully discriminatory it must go to a full impact assessment (please contact the Equality, Diversity & Human Rights Advisor, Human Resources Directorate).

Persons conducting EqIA: Bridget Pratt

Signed:

Date: 26/04/11



Appendix 2 - Audit Tool For The Mobile Computing and Remote Access Policy

The following are five questions to assess your understanding and implementation of this policy (Score yourself - Yes or No)

| Question | Score |
|---|---|
| Do you understand the different definition of documents within the policy? | Yes / No |
| Do you understand the requirement for the main body of a document? | Yes / No |
| Do you understand the Ratification Process for documents? | Yes / No |
| Do you understand the Guidance on the Checklist required for writing documents? | Yes / No |
| Do you understand the process for reviewing / Archiving / consultation and version control? | Yes / No |

If you score No for any of the questions, please re-read the relevant section of the policy. If you are still unclear, please contact the author / service for clarification.

A copy of this should be kept in your personal file and may be used as part of a continuous professional development folder.

Signed: ........................................ Role: ........................................

Date: ........................................








Appendix 3 - Assurance Form

Mobile Computing and Remote Access Policy

Directorate:

Department:

I have read and understood the above document and agree to abide by its content.

| Name | Signature | Date |
|---|---|---|
|  |  |  |




Appendix 4 - Policy Ratification and Publication

Policy Title (including version): Mobile Computing and Remote Access Policy 2.0
Date: 20/06/2011

Reason for Submission (Please Tick): Scheduled Review / New Policy / Urgent Amendments / Other (Please specify)

Purpose of Policy

This document outlines the arrangements which promote the use of mobile and remote access computing in a secure manner.

Supporting Evidence

Please state list of reviewers/stakeholders and their job title (use a separate sheet if required) along with evidence of their participation in the review/creation of the policy.

Reviewers:

- Head of ICT
- Business Systems Manager
- Information Governance & Data Protection Officer
- Head of Information (NHS Brent)
- Head of Governance (BCS)

New Policy:

(Please reference sources of Best Practice used, and list applicable legislation)

N/A

Reviewed/Amended Policy:

(Please provide full details of changes made, reference sources of Best Practice used, and list applicable legislation)

Sources of Best Practice Used:

- Policy Development Policy
- Connecting for Health Model Remote Access Policy
- Connecting for Health Mobile Computing Good Practice Guide
- NHSnet Portable Computer Security Policy

Amendments:

- Policy Development Policy format.
- Remote Access incorporated.
- Disciplinary section added.

Policy Equality Impact assessed: TBC

Policy Approval

Name: Rob Larkman
Signature:
Date: 22 June 2011 EMT

Policy Publication

Date policy is uploaded on the intranet via the Communications Department: 20 July 2011

Policy to be e-mailed to Heads of Services to discuss at team meetings and staff: Via internet - 20 July 2011

Policy to be audited annually: July 2012