NETWORK SECURITY POLICY

Nov 20, 2013

Document Version: 4.0
Date: 23rd January 2012
Review: 31st March 2013
Author: Richard Brady
Approved: Information Governance Steering Group


DOCUMENT CONTROL AND AMENDMENT RECORD

NOTE: This is a CONTROLLED document. The current version of this document is maintained and is always available electronically from SharePoint. All other electronic or paper versions of this document sourced from any network drive, email or other sources are uncontrolled and should be checked against the current SharePoint version prior to use.


Draft Version Control

Version | Date | Detail | Author | Approval
0.1 | March 2008 | Initial Draft | G Jones (Information Governance Consultant) |
0.2 | April 2008 | Minor revisions, additions and formatting changes | C Brooks |
0.3 | July 2008 | Minor additions | P Williams |
0.4 | July 2008 | Minor additions and amendments including Appendix B and also minor amendments following discussion with P. Williams. Change of author / owner to C Brooks | C Brooks | IG Steering Group 17/7/08

Amendment Record

Version | Date | Detail | Author | Approval
1.0 | 17 Jul 2008 | 1st published version following approval at IG Steering Group 17/7/08 | C Brooks | -
2.0 | 13 Dec 2008 | Revised document control statement added to page 2. Policy migrated to SharePoint and version updated to put it in sync with SharePoint's version control function. | C Brooks | -
2.1 (Draft) | 23 Feb 2009 | Removal of '… and / or laptops.' from the end of para 14.6 (as all PCT laptops are now encrypted). | C Brooks | IGSG 25/3/09
2.1 | 23 Mar 2009 | Removal of '… and / or laptops.' from the end of para 14.6 (as all PCT laptops are now encrypted). | C Brooks | IGSG 25/3/09
2.2 | 25 Nov 2009 | Minor amendments to para 8.1 and Appendix A to reflect the change of name of the Trust's 'User Access Management Policy' (previously 'User Access and Network Management Policy') and the Trust's 'Staff Remote Working Policy' (previously 'Staff Remote Access Policy') | C Brooks | -
2.3 | 13 Jan 2010 | Update to change PCT logo, include SMCS logo and re-branding. Update to para 27.3.1 to reflect the changed network password requirements as agreed by the IGSG. | C Brooks | IGSG 9 Feb 2010
3.0 DRAFT | 25 Jun 2010 | Updated to add wireless networking aspect - new section 11. | C Brooks | IGSG 8 Jul 2010
3.0 | 30 Jul 2010 | Published version following agreement by IGSG 8 Jul 2010 | C Brooks | IGSG 8 Jul 2010
3.1 | Dec 2011 | Revised to align with SWL Cluster | R Brady |
3.2 | Jan 2012 | Minor changes | G Jones |
4.0 | 5 Jan 2012 | SW London revision | R Brady | IGSG 23/01/2012


CONTENTS

1 Introduction ... 5
2 Objective ... 5
3 Network Definition ... 6
4 Scope of Policy ... 6
5 The Policy ... 6
6 Risk Assessment ... 7
7 Physical and Environmental Security ... 8
8 Access Control to the Network ... 8
9 Third Party Access Control to the Network ... 9
10 External Network Connections ... 9
11 Wireless Connectivity ... 9
12 Maintenance Contracts ... 11
13 Fault Logging ... 11
14 Network Operating Procedures ... 11
15 Data Backup and Restoration ... 11
16 Training and Awareness ... 12
17 Security Audits ... 12
18 Malicious Software ... 12
19 Unauthorised Software ... 12
20 Secure Disposal or Re-Use of Equipment ... 12
21 System Change Control ... 12
22 Security Monitoring ... 13
23 Security Awareness Training ... 13
24 Reporting Security Incidents and Weaknesses ... 13
25 System Configuration Management ... 13
26 Business Continuity and Disaster Recovery Plans ... 14
27 Unattended Equipment and Clear Screen Requirements ... 14
28 Security Responsibilities ... 14
29 Guidelines ... 15
30 References ... 15
31 Further Information ... 15

APPENDIX A - Related Policies and Procedures
APPENDIX B - Acronyms


1 Introduction

1.1 This document defines the Network Security Policy for NHS South West London (referred to hereafter as the Cluster). The Network Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support the network.

1.2 This document:

a) Sets out the Cluster's policy for the protection of the confidentiality, integrity and availability of the network;

b) Establishes the responsibilities for network security;

c) Provides reference to documentation relevant to this policy.

1.3 This policy applies to anyone using the Cluster computer network, including third party contractors and companies employed by the Cluster.

1.4 This policy covers all SW London (referred to as the Cluster) IT systems and applies to the IT environments accessed by NHS Croydon, NHS Sutton and Merton, NHS Richmond, NHS Wandsworth and Cluster. NHS Wandsworth COIN users work within the NHS Wandsworth Information Technology and Security Management Framework. This policy does not apply to NHS Kingston.

Below are details of the key role holders and contacts for this policy:

Name | Position/Role | Contact Telephone Number | E-mail
Richard Brady | AD Service Management | 020 3458 5560 | richard.brady@swlondon.nhs.uk
Chris Brooks | Systems and Security Manager / Information Security Manager | 020 8687 4605 | chris.brooks@swlondon.nhs.uk
Pete Williams | Network Manager | 020 8687 4778 | pete.williams@swlondon.nhs.uk
Karen Moore | Service Desk Supervisor | 0208 687 4567 | karen.moore@swlondon.nhs.uk
NHS SWL IT Service Desk | | 020 8687 4567 | servicedesk@swlondon.nhs.uk
Glyn Jones | Information Governance Manager | 020 8251 0493 | glyn.jones@swlondn.nhs.uk

2 Objective

2.1 The objective of this policy is to ensure the security of the Cluster's network. To do this the designated Systems and Security Manager will:

a) Ensure Availability: Ensure that the Cluster's computer systems are available for users;

b) Preserve Integrity: Protect the network from unauthorised or accidental modification;

c) Preserve Confidentiality: Protect assets against unauthorised disclosure.

2.2 The purpose of this policy is to ensure the proper use of the Cluster's network and make users aware of what the Cluster deems as acceptable and unacceptable use of its network.

2.3 If there is evidence that any user is not adhering to the guidelines set out in this policy, this will be dealt with under the Cluster's Disciplinary Procedure.

3 Network Definition

3.1 The network is a collection of communication equipment such as servers, switches, computers, mobile devices and printers, which have been connected together by cables and wireless technologies. The network is created in order to share data, software and peripherals such as printers, modems, fax machines, internet connections, DVD drives, CD-ROM drives, tape drives, hard disks and other data storage equipment.

4 Scope of Policy

4.1 The policy applies to the whole network throughout the Cluster used for:

a) The storage, sharing and transmission of non clinical data and images;

b) The storage, sharing and transmission of clinical data and images;

c) Printing or scanning non clinical or clinical data or images;

d) The provision of internet systems for receiving, sending and storing non clinical or clinical data or images.

5 The Policy

5.1 The overall Network Security Policy for the Cluster is described below:

The Cluster information network can only be accessed by legitimate users. The network must also be able to withstand or recover from threats to its availability, integrity and confidentiality. To satisfy this, the Systems and Security Manager will undertake the following:

a) Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well balanced technical and non technical measures;

b) Provide both effective and cost effective protection that is commensurate with the risks to its network assets;

c) Implement the Network Security Policy in a consistent, timely and cost effective manner;

d) Where relevant, comply with:

- Copyright, Designs & Patents Act 1988
- Access to Health Records Act 1990
- Computer Misuse Act 1990
- The Data Protection Act 1998
- The Human Rights Act 1998
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- Health & Social Care Act 2001

e) Comply with other laws and legislation as appropriate.

6 Risk Assessment

6.1 The Cluster will at pre-determined intervals carry out security risk assessment(s) in relation to all the business processes covered by this policy. These risk assessments will cover all aspects of the network that are used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability.

6.2 Risk assessments will be conducted to determine the IT Security (ITSEC) Assurance levels required for security barriers that protect the network.

6.3 Formal risk assessments will be conducted using the Cluster Risk Assessment Procedure and will conform to ISO17799.

7 Physical and Environmental Security

7.1 Network computer equipment will be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment that has a monitored temperature and power supply.

7.2 Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls.

7.3 Door lock codes will be changed periodically and following a compromise (or suspected compromise) of the code.

7.4 Critical or sensitive network equipment will be protected from power supply failures.

7.5 Critical or sensitive network equipment will be protected by intruder alarms and fire suppression systems.

7.6 Smoking, eating and drinking are forbidden in areas housing critical or sensitive network equipment.

7.7 All visitors to secure network areas must be authorised by the Systems and Security Manager.

7.8 All visitors to secure network areas must be made aware of the network security requirements.

7.9 All visitors to secure network areas must be logged in and out and, where considered necessary by the Systems and Security Manager, also be accompanied. The log will contain name, organisation, date, purpose of visit and time in and out.

7.10 The Systems and Security Manager will ensure that all relevant staff are made aware of procedures for visitors entering secure network areas.

7.11 Entry to secure areas housing critical or sensitive network equipment will be restricted to those whose job requires it. A list of those with unsupervised access will be maintained and periodically reviewed.

8 Access Control to the Network

8.1 Access to the Cluster's network will only be permitted through written managerial approval and made through a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Access will be controlled by the Cluster's User Access Management Policy.

8.2 The User Access and Network Management Policy provides a formal, documented user registration and de-registration procedure for access to the network.

8.3 Access rights to the network will be allocated on the requirements of the user's job function, rather than on a status basis.

8.4 All users of the network will have their own individual user identification and password.

8.5 Users are responsible for ensuring their password is kept secret.

8.6 Upon receipt of a notification from the Human Resources department or other line manager, the respective user access rights will be immediately removed or reviewed for those users who have left the Cluster or changed jobs or roles.

8.7 Remote access users will conform to the Cluster's Remote Access Policy and Portable Devices Policy.

9 Third Party Access Control to the Network

9.1 Third party access to the network will be based on a formal contract that satisfies all necessary NHS security conditions.

9.2 All third party access to the network must be logged by the Systems and Security Manager. All contract staff will have previously read and signed the Confidentiality Agreement for Third Party Suppliers.

9.3 Users are responsible for the use of passwords used to access the network. These passwords should be kept confidential and must not be shared with other users.

10 External Network Connections

The Cluster will as part of its overall system security:

- Ensure that all connections to external networks and systems have documented and approved System Security Policies.

- Ensure that all connections to external networks and systems conform to the NHS-wide Network Security Policy, Code of Connection and supporting guidance.

- Approve all connections to external networks and systems before they commence operation.

11 Wireless Connectivity

11.1 The Cluster headquarters (HQ) in Wimbledon has a wireless network (WLAN). Wireless networking offers a great deal of flexibility to the user; however, this flexibility requires balancing against strong security which protects the Cluster's IT infrastructure [1].

11.2 This wireless network comprises both data and voice wireless networks. The data network comprises access for Cluster staff who have been issued with a laptop. It also incorporates a potential facility for external visitors who may wish to utilise the wireless network in order to be able to access the Internet when on site (termed 'guest' access). NB. 'Guests' would, however, have no access to the Cluster's main network or systems. (Guest access does not require the setting up of a user account on the Cluster's main network.) At the current time, however, 'guest' access will not be enabled.

11.3 Access to the Cluster's WLAN at its Wimbledon HQ will need to be requested via the IT Service Desk, who will arrange for the relevant laptop computer to be configured in accordance with the agreed wireless network security standards, as detailed below.

11.4 The wireless network security standards the Cluster will adhere to are as follows:

a) Access Layer:

i. Users will connect to the WLAN via Access Points, which will provide the 802.11a/b/g/n connection standard for the client devices.

b) Service Set Identifier (SSID) [2]:

i. The SSID for the Cluster staff access will be hidden and not broadcast, thus reducing the potential for inappropriate access.

ii. The SSID for 'guest' access to the Internet only, if enabled in the future, will be broadcast so as to make it easily available to authorised visitors.

c) Encryption:

i. Both the data and voice networks will utilise AES (Advanced Encryption Standard) level of encryption. This encryption standard is mandatory to enable the 802.11n network to be supported.

d) Authentication:

i. The authentication protocol selected is Protected EAP (PEAP). PEAP is an 802.1X authentication type for wireless networks.

ii. The laptops used by Cluster staff will conform to the WPA2 (Wi-Fi Protected Access) standard.

[1] The 'Wireless Networking - Good Practice Guidelines' document issued by Connecting for Health has been used as a source of reference for compliance with nationally agreed wireless networking standards.

[2] A service set identifier (SSID) is a sequence of characters that uniquely names a wireless local area network (WLAN).
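The standards in 11.4 translate into concrete client settings. The following is an added example, not part of the policy or of the Cluster's own configuration: it assumes the staff laptops use wpa_supplicant, parses a constructed wpa_supplicant.conf holding one compliant staff profile and one legacy profile, and reports where each deviates from the policy (WPA2/RSN, AES/CCMP, 802.1X with PEAP, and a hidden staff SSID). The ca_cert check is an added practitioner check, not a requirement stated in the policy.

```python
import re

# Section 11.4 standards expressed as wpa_supplicant settings (assumption: the
# staff laptops are configured with wpa_supplicant; the policy names no client).
POLICY = {
    "proto": "RSN",         # WPA2
    "pairwise": "CCMP",     # AES encryption, required for 802.11n
    "key_mgmt": "WPA-EAP",  # 802.1X authentication
    "eap": "PEAP",          # Protected EAP
}

_BLOCK = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
_KEY_VALUE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")

# Constructed sample configuration, not a real Cluster file.
SAMPLE_CONF = """
network={
    ssid="staff-wlan"
    scan_ssid=1
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    identity="user@example.invalid"
    ca_cert="/etc/ssl/certs/cluster-radius-ca.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="legacy-wlan"
    proto=WPA
    key_mgmt=WPA-PSK
    pairwise=TKIP
    psk="changeme"
}
"""


def parse_networks(text):
    """Parse every network={...} block into a dict of setting -> value."""
    networks = []
    for body in _BLOCK.findall(text):
        profile = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]  # drop trailing comments
            match = _KEY_VALUE.match(line)
            if match:
                profile[match.group(1)] = match.group(2).strip('"')
        networks.append(profile)
    return networks


def check_profile(profile, staff=True):
    """Return the policy deviations for one profile; an empty list is compliant."""
    problems = []
    for key, required in POLICY.items():
        values = set(profile.get(key, "").split())
        # Anything beyond the required value (e.g. TKIP next to CCMP) weakens the profile.
        if values != {required}:
            got = " ".join(sorted(values)) or "unset"
            problems.append(f"{key}: expected {required}, got {got}")
    if staff and profile.get("scan_ssid") != "1":
        problems.append("scan_ssid: the staff SSID is hidden, so scan_ssid=1 is needed to join it")
    if profile.get("eap") == "PEAP" and not profile.get("ca_cert"):
        problems.append("ca_cert: PEAP without a CA certificate cannot verify the authentication server")
    return problems


def audit(text):
    """Map each SSID in a configuration to its list of deviations."""
    return {p.get("ssid", "?"): check_profile(p) for p in parse_networks(text)}


if __name__ == "__main__":
    for ssid, problems in audit(SAMPLE_CONF).items():
        print(ssid, "->", problems or "compliant")
```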


12 Maintenance Contracts

12.1 The Systems and Security Manager will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment. All contract details will constitute part of the asset register maintained by the Information Security Manager.

13 Fault Logging

13.1 The IT Service Desk is responsible for ensuring that a log of all faults on the network is maintained and passed on to the appropriate team for review and action.

14 Network Operating Procedures

14.1 The operational IT leads will prepare clear, documented operating procedures for the operation of the network, to ensure its correct, secure operation.

14.2 Changes to operating procedures must be authorised by the Systems and Security Manager.

14.3 The Systems and Security Manager will implement all good practice guidelines detailed by the Connecting for Health Information Governance team and security contingency plans that affect the Network Security Policy where appropriate.


15 Data Backup and Restoration

15.1 The Systems and Security Manager is responsible for ensuring that backup copies of network configuration data are taken regularly.

15.2 The details of the backup process are contained in the IT Backup Procedures document, which has been communicated to all relevant staff.

15.3 Documented procedures for the storage of backup tapes are also contained in the IT Backup Procedures.

15.4 All backup tapes will be stored securely and relevant copies also stored off-site, as per the Cluster's IT Backup Procedures.

15.5 Documented procedures for the safe and secure disposal of backup media will be produced and communicated to all relevant staff.

15.6 Users are responsible for ensuring that they do not store any data on the local drives of their networked computers.

15.7 Software patches and any hot fixes will only be applied by the Systems and Desktop teams following an approved change control procedure.

16 Training and Awareness

16.1 All users of the network will be provided with the necessary security guidance, awareness and, where appropriate, training to discharge their security responsibilities.

16.2 All users of the network must be made aware of the contents and implications of the Network Security Policy.

17 Security Audits

17.1 The Systems and Security Manager will carry out the required checks on, or an audit of, actual implementations based on approved security policies.

18 Malicious Software

18.1 Automatic measures are in place to detect and protect the network from viruses and other malicious software. These are identified in the Securing against Viruses, Malware and E-mail Hoaxes Policy and Procedure.

19 Unauthorised Software

19.1 Use of any non-standard software on Cluster equipment will not be permitted unless authorised by the Systems and Security Manager prior to installation. The Systems and Security Manager will back up such software and document its use to facilitate reinstallation as required. All software used on Cluster equipment must have a valid licence agreement; it is the responsibility of the "owner" or Responsible User of non-standard software to ensure that this is the case.


20 Secure Disposal or Re-Use of Equipment

The Primary Care Support Manager must:

- Ensure that where equipment is being disposed of all data on the equipment (e.g. on hard disks or tapes) is securely overwritten. Where this is not possible the disk or tape must be physically destroyed.

- Ensure that where disks are to be removed from the premises for repair, where possible, the data is securely overwritten.

21 System Change Control

21.1 All such changes must be reviewed and approved by the Systems and Security Manager or other designated Cluster officer.

21.2 The Systems and Security Manager or other designated Cluster officer may require checks on, or an assessment of, the actual implementation based on changes implemented.

21.3 The Systems and Security Manager or designated Cluster officer is responsible for ensuring that selected hardware or software meets agreed security standards.

21.4 Testing facilities will be used for all new IT systems. Development and operational facilities will be separated.

21.5 As part of acceptance testing of all new network systems, the Systems and Security Manager or designated Cluster officer will attempt to cause a security failure and document other criteria against which tests will be undertaken prior to formal acceptance.

22 Security Monitoring

22.1 The Systems and Security Manager will ensure that the network is automatically monitored for potential security breaches. All monitoring will comply with current legislation.

23 Security Awareness Training

23.1 Security awareness training will be provided for all new staff by completion of the appropriate modules of the IG E-learning training programme to ensure that they are aware of their responsibilities for security, and the actions that they need to undertake in order to discharge those responsibilities. Refresher training will be provided when needs are identified.

24 Reporting Security Incidents and Weaknesses

24.1 Any actual or suspected breaches of network security should be reported immediately to the IT Service Desk. Depending on the nature of the incident this may require the reporting of the breach via the Cluster's Adverse Incident Reporting form. This may result in the Systems and Security Manager undertaking a formal investigation which will be reported to the Information Governance Steering Group (IGSG). Any major IT incidents will be reported to the Associate Director of IT. A major incident would constitute a loss of function of a clinical system or breach of confidential information for one or more individuals or a breach of information which is likely to lead to harm to an individual.

25 System Configuration Management

25.1 The Systems and Security Manager will ensure that there is an effective configuration management process for the network.

26 Business Continuity and Disaster Recovery Plans

26.1 The Systems and Security Manager, together with the operational team leaders, will ensure that business continuity plans and disaster recovery plans are produced for the network and server infrastructure.

26.2 The plans will be reviewed and tested by the Systems and Security Manager or designated Cluster officer on a regular basis.

27 Unattended Equipment and Clear Screen Requirements

27.1 Users must ensure that they protect the network from unauthorised access.

27.2 The Cluster operates an automatic locked screen process after 10 minutes of inactivity. However, staff are advised to log off the network if they expect to leave their computer and / or network connected laptop unattended for a longer period, e.g. to attend a meeting.

27.3 Computers and / or network connected laptops must always be shut down when leaving the office either during or at the end of the working day.

28 Security Responsibilities

28.1 The Systems and Security Manager is responsible for ensuring that appropriate standards of IT and Information Security are taken.

28.2 Data Protection Responsibilities

28.2.1 The Cluster's Data Protection lead will be responsible for:

- Ensuring that Data Protection Act notifications are maintained.

- Advising users of their responsibilities under the Data Protection Act.

- Ensuring appropriate actions are undertaken where breaches of the Act have occurred.

- Promoting awareness, encouraging, monitoring, and checking compliance with the Data Protection Act.

28.3 User Responsibilities

28.3.1 All staff or agents acting for the organisation have a duty to:

- Safeguard hardware, software and information in their care.

- Prevent the introduction of malicious software on the organisation's IT systems.

- Ensure their password is kept secret; passwords must not be shared. Passwords should be changed regularly and be such that they are not easily guessed, e.g. names of relatives or pets. Network passwords must:

  a) be changed every 30 days

  b) not contain the user's network account name or parts of the user's full name that exceed two consecutive characters

  c) be at least 8 characters in length

  d) contain characters from three of the following four categories:

    i. English uppercase characters (A through Z)

    ii. English lowercase characters (a through z)

    iii. base 10 digits (0 through 9)

    iv. non-alphabetic characters (for example, !, $, #, %)

  If a user suspects that their network password has become compromised, they should report this to the IT Service Desk and change their password.

- Report any suspected or actual breaches in security.
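The password rules a) to d) in 28.3.1 can be checked mechanically at the point a password is set. The following is an added example, not part of the policy: it validates a candidate password and its age against those four rules for a constructed sample user. Splitting the full name on spaces, commas, periods, hyphens, underscores and tabs, and checking only parts longer than two characters, is an assumption about how rule b) is applied.

```python
import re
from datetime import date

# Rules from section 28.3.1 of the policy.
MAX_AGE_DAYS = 30          # a) changed every 30 days
MIN_LENGTH = 8             # c) at least 8 characters
REQUIRED_CATEGORIES = 3    # d) three of the four character categories

# Assumption: a full name is split into parts on these delimiters, and only
# parts longer than two characters are checked against the password (rule b).
_NAME_DELIMITERS = re.compile(r"[ ,.\-_#\t]+")


def name_parts(full_name):
    """Parts of the full name that exceed two characters (rule b)."""
    return [p for p in _NAME_DELIMITERS.split(full_name) if len(p) > 2]


def category_count(password):
    """How many of the four categories in rule d) the password draws from."""
    categories = (
        any("A" <= c <= "Z" for c in password),   # i.   English uppercase
        any("a" <= c <= "z" for c in password),   # ii.  English lowercase
        any("0" <= c <= "9" for c in password),   # iii. base 10 digits
        any(not c.isalnum() for c in password),   # iv.  e.g. ! $ # %
    )
    return sum(categories)


def password_age_days(last_changed, today=None):
    """Days since the password was last changed; dates are ISO strings (YYYY-MM-DD)."""
    today_date = date.fromisoformat(today) if today else date.today()
    return (today_date - date.fromisoformat(last_changed)).days


def check_password(password, account_name, full_name, last_changed=None, today=None):
    """Return the rules the password fails; an empty list means it is compliant."""
    failures = []
    lowered = password.lower()

    if last_changed is not None and password_age_days(last_changed, today) > MAX_AGE_DAYS:
        failures.append("a) password is older than 30 days")

    # Rule b): comparisons are case-insensitive, as account names usually are.
    if account_name and account_name.lower() in lowered:
        failures.append("b) contains the network account name")
    for part in name_parts(full_name):
        if part.lower() in lowered:
            failures.append(f"b) contains part of the full name: {part}")

    if len(password) < MIN_LENGTH:
        failures.append("c) shorter than 8 characters")

    if category_count(password) < REQUIRED_CATEGORIES:
        failures.append("d) uses fewer than three character categories")

    return failures


if __name__ == "__main__":
    # Constructed sample user and candidate passwords, not real accounts.
    for candidate in ("Smith2012!", "password", "Tr0ub4dor!x"):
        result = check_password(candidate, "jsmith", "John Smith",
                                last_changed="2012-01-01", today="2012-01-23")
        print(candidate, "->", result or "compliant")
```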

29 Guidelines

29.1 For detailed advice on how to determine and implement an appropriate level of security users should contact the IT Service Desk.

30 References

30.1 All related documents are listed in Appendix A.

31 Further Information

31.1 Further information regarding this policy is available from the Systems and Security Manager.

APPENDIX A - Related Policies and Procedures

1 Confidentiality Code of Conduct
2 Safe Haven Policy and Procedures
3 Confidentiality Agreement for Third Party Suppliers
4 Registration Authority Policy and Procedures
5 Five Borough Sharing Agreement
6 Information Sharing Policy
7 Procedure for the Notification of Information and System Changes
8 User Access Management Policy
9 System Development Policy and Procedures
10 Securing Against Viruses, Malware and E-mail Hoaxes Policy and Procedures
11 Policy and Procedure for Reporting Adverse Incidents
12 E-mail and Internet Acceptable Use Policy
13 Staff Remote Working Policy
14 Information Security Policy
15 IT Backup Procedures

APPENDIX B - Acronyms

Item | Description
CRAMM | Central Computer and Telecommunications Agency Risk Analysis and Management Method.
ITSEC | IT Security Assurance - The National Technical Authority for Information Assurance.
ISO17799 | An international standard approved by the ISO (International Standards Organisation) comprising an agreed set of security controls, measures and safeguards.

APPENDIX 1 - EQUALITY IMPACT ASSESSMENT (EIA) TEMPLATE (Screening and Full EIA Template)

Please use section 1 to screen your policy or activity to establish if it has any relevance to equality and diversity. Where relevance is established, proceed to a full impact assessment, using the template in section 2. Once the form in section 2 has been completed email to the Equality Lead.

1 Screening your policy for relevance to equalities and equalities duties

(Policy in this context applies to strategies, decisions, plans, procedures, service, informal practices or customs which are embedded in our core functions, written organisational policies, change management activities).

Screening must be done during the development or design of the policy and before it goes to any group or committee for approval. If it is going to the Board for approval, then it is a requirement of the Board that a full EIA is carried out where the policy is found to be relevant to equality and diversity.

Screening is a short easy process which makes use of statistics, consultation outcomes, and results of ethnicity monitoring, complaints, analysis of PALS, audit reports, research information, and reviews demographic data. If there is no data, take action to collect the evidence of likely impact and revisit the document (it could be through PPI, research, consultations, desk research/interview, public health data). When screening a policy or undertaking a full assessment you can involve your team, other colleagues or partners in the sector and together consider the full implications of the policy and improvements to be made.

Before you start screening do the following:

- Be clear about policy aims, purpose, objectives and outcomes and beneficiaries

- Use the evidence/data you have. However, if you have none or require additional information to make an informed decision, then put monitoring in place/gather some data to support the process

- Ask the following questions and answer using the evidence/data you have, your knowledge, expertise, partnership input, past experiences or research about how your policies have affected certain groups, national information about how some groups are affected by our activities/policies/decisions.

Questions for You to use in the Screening Process | Yes | No
Does/will the policy or activity affect the public directly or indirectly? | |
Have there been or likely to be any public concerns about the policy or proposal? | |
Does the evidence/data show an existing or likely differential impact for the different strands of diversity? Age, gender, disability, race, religion, sexuality | |
Could the policy or activity affect how services, commissioning or procurement activities are organised, provided, where and by whom? | |
Could the policy or activity affect our workforce or employment practices? | |
Have complaints been received from different equality groups about the effect of this policy, proposal or our activities in general (having no complaints does not always mean there is no issue; always advisable to find out) | |
Does the policy involve or will it have an impact upon: eliminating unlawful discrimination; promoting equality of opportunity; promoting good relations between diverse groups | |

Nil impact: process stops here. Complete and sign the screening section (see page 2) and return to Frances Newell.

Low impact: 1-3 yes's, full EIA required but not an immediate priority, you can prioritise for later on in the year.

High impact: 4-7 yes's, full EIA required immediately using the EIA template on page 2, in consultation with affected groups.