Information Security Policy
WERARE Information Security Policy
Policy Descriptor: Guidance for staff on the safe use and storage of information
If you require this document in a different format or language please speak to Murat Keskin
If you would like to provide feedback about our services write to
Document Control
Date issued: 21 September 2021
Contents
Appendix A - Information Security Policy Staff Guidance
Appendix B - Information Security Incident Reporting
Appendix C - Access To The Internet For People Who Use Our Services
Appendix D - Access To The Internet: Agreement For People Using WERARE Services
Appendix E - Information Governance Standards In Contracts
Introduction
1.1. This top-level information security policy is a key component of WERARE’s overall information security management framework and should be considered alongside more detailed information security documentation, including system-level security policies, security guidance and protocols or procedures. Where applicable this policy applies to information in both paper and digital formats.
1.2. WERARE SERVICES information may be needed to:
· support patient care and continuity of care
· support day-to-day business processes that underpin the delivery of care
· support evidence-based clinical practice
· support public health promotion and communicate emergency guidance
· support sound administrative and managerial decision making, as part of the knowledge base for the WERARE SERVICES
· meet legal requirements, including requests from patients under the provisions of the Data Protection Act or the Freedom of Information Act
· assist clinical or other types of audit
· support improvements in clinical effectiveness through research
· support archival functions by taking account of the historical importance of information
· support patient choice and control over treatment and services designed around patients.
Purpose
2.1. Objectives – The objectives of WERARE Information Security Policy are to preserve:
· Confidentiality – Access to Data shall be confined to those with appropriate authority.
· Integrity – Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
· Availability – Information shall be available and delivered to the right person, at the time when it is needed.
2.2. Policy aim – The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by the WERARE by:
· Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies.
· Describing the principles of security and explaining how they shall be implemented in the organisation.
· Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.
· Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of the day to day business.
· Protecting information assets under the control of the organisation.
2.3. Scope – This policy applies to all information, information systems, networks, applications, locations and users of the WERARE or supplied under contract to it.
2.4. Staff employed by other organisations but working under the management of the WERARE may find that in some areas they are covered by the local policies of their employing organisation. However they will still be expected to follow the recommended practice set out in this document.
2.5. WERARE employees who work in areas that are led by other organisations under a partnership agreement (for example, Learning Disabilities) are still bound by this policy unless otherwise stated.
2.6. People who use our services may, in certain circumstances, use dedicated IT equipment provided by the WERARE. This includes the provision of internet access. Such use is covered in Appendix C.
Duties
3.1. Ultimate responsibility for information security rests with the Chief Executive of the WERARE, but on a day-to-day basis the Chief Information Officer shall be responsible for managing and implementing the policy and related procedures.
3.2. Line Managers are responsible for ensuring that their permanent and temporary staff and contractors are aware of:
· the information security policies applicable in their work areas
· their personal responsibilities for information security
· how to access advice on information security matters.
3.3. All staff shall comply with information security procedures including the maintenance of data confidentiality and data integrity. Failure to do so may result in disciplinary action which could result in summary dismissal or legal action.
3.4. The Information Security Policy shall be maintained, reviewed and updated by the Digital Strategy Board. This review shall take place biennially or whenever major changes to policy are required.
3.5. WERARE Information Asset Owners (IAOs) are responsible for understanding and addressing risks to the information assets they ‘own’ and for providing assurance to the Senior Information Risk Officer (SIRO) on the security and use of those assets.
3.6. IAOs of key information systems are responsible for the development of system-level security policies.
3.7. Line managers shall be individually responsible for the security of their physical environments where information is processed or stored.
3.8. Each member of staff shall be responsible for the operational security of the information systems they use.
3.9. Each system user shall comply with the security requirements that are currently in force, and shall also ensure that the confidentiality, integrity and availability of the information they use is maintained to the highest standard.
3.10. Contracts with external contractors that allow access to the organisation’s information, including access to any information system, shall be in operation before access is allowed. These contracts shall ensure that the staff or sub-contractors of the external organisation comply with all appropriate security policies (see Appendix E).
3.11. The systems approval process shall be followed in the case of any new systems or changes to existing systems or processes. A Privacy Impact Assessment will be considered in relation to any projects or changes of use of personal information.
Legislation
4.1. The WERARE is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of the WERARE, who may be held personally accountable for any breaches of information security for which they are responsible. The WERARE shall comply with the following legislation and other legislation as appropriate:
· The Data Protection Act (1998)
· The Data Protection (Processing of Sensitive Personal Data) Order 2000
· The Copyright, Designs and Patents Act (1988)
· The Computer Misuse Act (1990)
· The Health and Safety at Work Act (1974)
· Human Rights Act (1998)
· Regulation of Investigatory Powers Act 2000
· Freedom of Information Act 2000
· Health & Social Care Act 2001
Policy Framework
5.1. Management of Security
· At board level, responsibility for Information Security shall reside with the Medical Director as Caldicott Guardian.
· The Chief Information Officer shall be responsible for implementing, monitoring, documenting and communicating security requirements for the organisation.
5.2. Information Security Awareness Training
· Information security awareness training shall be included as part of the compulsory Information Governance Training.
· Ongoing awareness activity shall be established and maintained in order to ensure that staff awareness is refreshed and updated as necessary.
5.3. Contracts of Employment
· Staff security requirements shall be addressed at the recruitment stage and all contracts of employment shall contain a confidentiality clause.
· Information security expectations of staff shall be included within appropriate job definitions.
5.4. Security Control of Assets – Each IT asset, (hardware, software, application or data) shall have a named custodian who shall be responsible for the information security of that asset.
5.5. Access Controls – Only authorised personnel who have a justified and approved business need shall be given access to restricted areas containing information systems or stored data.
5.6. User Access Controls – Access to information shall be restricted to authorised users who have a bona fide business need to access the information. Accounts that have not been used for an agreed period of inactivity will be disabled to maintain appropriate user access controls.
5.7. Computer Access Control – Access to computer facilities shall be restricted to authorised users who have business need to use the facilities.
5.8. Application Access Control – Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need e.g. systems or database administrators. Authorisation to use an application shall depend on the availability of a licence from the supplier.
5.9. Equipment Security – In order to minimise loss of, or damage to, all assets, equipment shall be physically protected from threats and environmental hazards.
5.10. Computer and Network Procedures – Management of computers and networks shall be controlled through standard documented procedures that have been authorised by the Digital Strategy Board or the local operational management group of the IT service provider.
5.11. Information Risk Assessment – Once identified, information security risks shall be managed on a formal basis. They shall be recorded within a baseline risk register and action plans shall be put in place to effectively manage those risks. The risk register and all associated actions shall be reviewed at regular intervals by the Digital Strategy Board. Significant risks will also be recorded on the WERARE’s Corporate Risk Register. Any implemented information security arrangements shall also be a regularly reviewed feature of the WERARE’s risk management programme. These reviews shall help identify areas of continuing best practice and possible weakness, as well as potential risks that may have arisen since the last review was completed.
5.12. Information security events and weaknesses – All information security events and suspected weaknesses are to be reported as part of the WERARE’s standard incident reporting process. All information security events shall be investigated to establish their cause and impacts with a view to avoiding similar events.
5.13. Protection from Malicious Software – The organisation shall use software countermeasures and management procedures to protect itself against the threat of malicious software. All staff shall be expected to co-operate fully with this policy. Users shall not install software on the organisation’s property without authorisation. Users breaching this requirement may be subject to disciplinary action.
5.14. System Backups - The WERARE shall undertake regular backups of IT services and systems which are hosted on the WERARE’s internal network. Backups of internal systems will be retained for a maximum of 90 days, in line with the GDPR storage limitation principle (Article 5(1)(e)), which requires that personal data be kept for no longer than is necessary.
IT services which are hosted externally must be backed up by the service provider. The backup schedule and retention period should be defined within the service contract.
5.15. User media – Removable media of all types that contain software or data from external sources, or that have been used on external equipment, must be fully virus checked before being used on the organisation’s equipment. Users breaching this requirement may be subject to disciplinary action.
5.15.1. All portable media must be encrypted. Care must be taken to ensure that email communications containing Personal Identifiable Data are secure.
5.16. Monitoring System Access and Use – An audit trail of system access and data use by staff shall be maintained and reviewed on a regular basis.
5.16.1. The WERARE has in place routines to regularly audit compliance with this and other policies. In addition it reserves the right to monitor activity where it suspects that there has been a breach of policy. The Regulation of Investigatory Powers Act 2000, and the Lawful Business Practice Regulations made under it, permit monitoring and recording of employees’ electronic communications (including telephone communications) for the following reasons:
· Establishing the existence of facts
· Investigating or detecting unauthorised use of the system
· Preventing or detecting crime
· Ascertaining or demonstrating standards which are achieved or ought to be achieved by persons using the system (quality control and training)
· In the interests of national security
· Ascertaining compliance with regulatory or self-regulatory practices or procedures
· Ensuring the effective operation of the system.
5.16.2. Any monitoring will be undertaken in accordance with the above Act and the Human Rights Act 1998.
5.17. Intellectual Property Rights – The organisation shall ensure that all information products are properly licensed and approved. Users shall not install software on the organisation’s property without permission from their local IM&T provider. Users breaching this requirement may be subject to disciplinary action.
5.18. Business Continuity and Disaster Recovery Plans – The organisation shall ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.
5.19. Reporting - The CIO shall keep the Information Governance Group informed of the information security status of the organisation by means of regular reports and presentations.
5.20. Disposal of Equipment – All equipment should be disposed of by the WERARE. Individuals should not seek to re-use or recycle equipment themselves but should log a call with the IT Help Desk. The WERARE will ensure that an appropriate arrangement is in place so that all equipment is securely disposed of in line with WERARE SERVICES and WEEE guidelines.
Appendix A - Information Security Policy Staff Guidance
This guide is written to provide practical help and examples to ensure that the information in the Information Security Policy is understood and acted upon by all staff. It has been kept deliberately brief to aid dissemination.
Email is provided for work purposes. Personal use of email is not prohibited but should be kept to a minimum during working hours. Your email use may be monitored and emails cannot be guaranteed to be private.
Emails sent between WERARE services.net email accounts are considered secure. For information on sending sensitive information to non WERARE services.net addresses please see the further guidance on the Intranet.
Emails and texts containing sensitive information can only be sent to people using WERARE services (or those authorised to act on their behalf) if you have their recorded, informed consent.
Do not use your personal email for work purposes.
Staff are reminded that emails are documents and as such are governed by the Data Protection Act (1998) and the Freedom of Information Act (2000). This means that information contained within emails could be disclosed under those Acts. It also means that we should take the same care with regard to confidentiality and data protection as we would with any other document.
Social Networking Sites (Facebook, Twitter etc.)
You must not use any social networking sites or other public internet fora to discuss WERARE business in general or client information unless you have specific permission to do so.
Internet
Staff may use the Internet for personal use outside of their working hours.
Staff must not access web sites containing racist, violent or pornographic[1] material. It is difficult to categorize exactly which web sites are inappropriate but staff are advised to exercise restraint and caution and have consideration for their co-workers. If in doubt consult your line manager or the HR Department.
Inappropriate use of the Internet is monitored and detected, and will result in disciplinary action.
Faxing
If available you should scan and email documents rather than faxing as this is more secure. If you do need to fax confidential information you should use the WERARE fax template, check with the recipient that they are available to receive the fax in person and ask for acknowledgement of receipt.
Security of Information & Equipment
Unauthorised access to any computer system (which includes looking at documents or records that you are not entitled to see) is a criminal offence. Our information systems contain sensitive information and are regularly monitored. Both monitoring and random spot-checks of activity are performed and you will be asked to account for your use of the system. Inappropriate access may lead to disciplinary action or referral to the police.
Do not divulge your personal account IDs or passwords to anyone else. This constitutes a major breach of network security and is viewed very seriously. If you need to share access to files or email accounts with a colleague there are legitimate ways in which this can be done. Please contact your local IT Department for information on how to do this. You are responsible for any activity undertaken under your account – this includes inappropriate Internet use.
Do not write passwords or usernames down. Do not leave your PC or Smartcard logged in and unattended.
All information must be stored on a network drive, not on your local PC. This protects our information in the event of equipment being stolen or damaged.
Do not store work information on any unencrypted device – this includes data sticks and personal equipment such as smartphones, PCs, or tablets. It is acceptable to access WERARE SERVICES Mail from personal devices only if they comply with the security measures set out by WERARE SERVICES Mail and available from their web site. It is your responsibility to ensure that any personal devices that you choose to use are secure.
USB data sticks are a convenient way of transferring data but they are also prone to being lost. You must use an encrypted data stick, the data should only be on there for the minimum possible amount of time and, to minimise the risk of loss, the data stick should be attached to something such as your key ring.
You must not install software onto your computer either from portable media or the internet. If you need software installing, please contact your IT Help Desk.
Care should be taken when transporting laptops. Take the laptop with you rather than leaving it in the car. If you must leave it in the car keep it out of sight, preferably in a locked boot. Do not leave equipment in your car overnight.
All IT equipment must be purchased through the IT Office. Do not bring in equipment from home or equipment purchased on the high street.
If WERARE equipment or information has been lost or compromised you must report this to your manager and through the WERARE Incident Reporting System.
Appendix B - Information Security Incident Reporting
An incident can generally be described as an event which has or could lead to a breach of policy, security, confidentiality or legislation or regulation. It also embraces the day-to-day problems encountered by users such as faults etc.
In summary these can be described thus:-
· Operational – Day-to-day operational issues which are traditionally channelled through Help Desks, such as user queries etc.
· Policy – Any failure to comply with the WERARE’s Information Governance Policy and its supporting standards.
· Security – These generally fall into one of three areas:
o Confidentiality – incidents related to accidental or intentional leakage of confidential data, passwords and the like to unauthorised persons and organisations.
o Integrity – accidental or intentional damage to, or inaccuracies in, data.
o Availability – accidental or deliberate disruption or absence of information and information services, i.e. systems being “down”.
Incident Reporting
Individuals may become aware of actual or potential “incidents” through a variety of means, e.g. a system malfunction, a system being down or general observations regarding working practices. In all instances, it is the individual’s responsibility to ensure such incidents are reported through the appropriate channels and that such reports are directed to the most appropriate officers for investigation and resolution.
Appendix C - Access to the Internet for people who use our services
Introduction
The purpose of this policy is two-fold: to provide staff of WERARE with an awareness of their responsibilities whilst supervising people who use our services as they access the Internet, and to ensure that people who use our services are aware of their limitations and responsibilities whilst accessing the Internet.
Best Practice
The policy aims apply to all facilities identified and owned or provided by WERARE. This includes people using WERARE services who are accessing the Internet with their own equipment via WERARE connections.
People using WERARE services will be required to sign a form (Appendix D) agreeing to abide by this policy which will be uploaded to their care record for audit purposes.
People using WERARE services may be supervised whilst accessing the Internet. The appropriate level of supervision will be determined by the staff member in charge of the facility.
Staff must not use computers and devices belonging to people who use WERARE services to access the Internet for their own use.
Forms of Access
The nature of internet access for people using WERARE services will vary dependent on the clinical setting and the circumstances of each person. It is envisaged that most access will be in an inpatient environment but this policy applies equally to community settings.
People who use our services may access the Internet in WERARE facilities in one of the following ways:
· Using their own device (i.e. laptop, tablet or smartphone) and their own connection.
· Using their own device on the ‘guest’ network provided by the WERARE.
· Using a dedicated PC provided by the WERARE for a person using WERARE services.
Under no circumstances should people who use our services use ‘staff’ WERARE laptops or computers. Personal computers are not supported by the WERARE, but all equipment provided by the WERARE for use by people using WERARE services is fully supported via the Help Desk.
It is a local clinical decision as to whether access to the internet is appropriate for an individual and what restrictions or supervision may be required. The internet connection that is available is similar to that found in Internet Cafés; it is not restricted.
Appendix D - Access to the Internet: Agreement for People using WERARE Services
Name: ...............................................................................................................
Date: ................................................................................................................
I have received and read/ had explained to me a copy of WERARE’s “Access to the Internet for people who use our services”.
I understand the terms and conditions and agree to abide by them.
I understand that any abuse of the Internet would lead to suspension of my access until my next Clinical Team Meeting, where it would be reviewed.
Signed: ...........................................................................................................................
Authorised by:
Name: .............................................................................................................................
Ward/Area: .....................................................................................................................
Signature: .......................................................................................................................
Appendix E - Information Governance standards in contracts
The WERARE needs to ensure where any work is conducted by others on its behalf all appropriate Information Governance Standards are met. This is particularly important where the information is about identifiable individuals.
This includes all contracts but note in particular:
· Access to systems or information for partnership working with other organisations such as other WERAREs, charities or social enterprises.
· Arrangements with other organizations providing specific services such as auditors, management consultants, maintenance contractors etc.
A risk assessment should be carried out prior to any proposed agreement with a third party. In considering the level of risk you should take into account:
· The types of information the third party is likely to access.
· Do they have adequate security controls, policies and training?
· Are staff screened prior to commencing employment?
You should also consider:
· How monitoring of the third party’s compliance with the information governance controls will be carried out.
· How any incidents will be reported and managed
· Ensure the third party is aware of the possible impact of the Freedom of Information Act 2000 on the documentation connected with the contract.
However, where this is not possible or appropriate, contracts must contain the following key components:
· the contract must be explicit about the types of information and how the information will be shared or accessed
· Contracts should make specific reference to data protection and security issues, such as:
o notification;
o limitations on disclosure and use of data;
o obligations to comply with limits set by the organisation;
o the security and data protection standards that apply to both parties;
o the restrictions placed upon the data processor to act only on instructions from the organisation (the data controller);
o cyber security and business continuity planning.
· Specific reference should be made to Freedom of Information issues, such as:
o duty to disclose;
o exemption from disclosure provisions;
o records management structure;
o responsibility for freedom of information applications.
· Additionally:
o penalties for breach of the contract and a provision to indemnify the organisation against breaches by the third party;
o responsibilities for any costs;
o specific reference to other relevant legal obligations, e.g. common law duty of confidence, Computer Misuse Act 1990, intellectual property rights and copyright;
o duty to provide reports on the effectiveness of information governance controls that the third party has implemented;
o measures that will be taken if the third party is no longer able to perform their role under the contract;
o incident reporting mechanisms.
[1] The definition of pornography as used by the HR Department in disciplinary cases of this nature is “printed or visual material intended to stimulate sexual excitement”.