information security policy - bdct


Page 1 of 33

Information Security Policy

The 4 key messages the reader should note about this document are:

1. It supports confidentiality, integrity and availability of all information and data

2. It covers all types of information, including structured paper and electronic systems, transmission of information via fax, e-mail, post and telephone

3. The Foundation Trust has a Senior Information Risk Owner (SIRO) and a Data Protection Officer (DPO)

4. Each Information Asset is required to have a named Information Asset Owner (IAO) responsible for its security

5. Workers must report all information security breaches

Keep data secure

You & Your Care


This document has been approved and ratified. Circumstances may arise where staff become aware that changes in national policy or statutory or other guidance (e.g. National Institute for Health and Care Excellence (NICE) guidance and Employment Law) may affect the contents of this document. It is the duty of the staff member concerned to ensure that the document author is made aware of such changes so that the matter can be dealt with through the document review process.

NOTE: All approved and ratified policies and procedures remain extant until notification of an amended policy or procedure via Trust-wide notification, e.g. through the weekly e-Update publication or global e-mail and posting on the Intranet (Connect).

Procedural Document Title: Information Security Policy

Version: 5-03 Final

Name and Title of Responsible Director:

Tim Rycroft, Associate Director of Informatics/CIO/SIRO

Name and Title of Responsible Deputy Director:

Delphine Fitouri, Head of Informatics

Name and Title of Responsible Senior Manager:

Gaynor Toczek – Information Governance and Records Manager/DPO

Name and Title of Author: Gaynor Toczek – Information Governance and Records Manager/DPO

Title of Responsible Committee / Group (or Trust Board):

Information Governance Group

Persons/Groups/Committees consulted:

Information Governance Group members

Service User, Patient and Carer consultation:

No

Procedural Document Compliance Checklist adhered to:

Yes

Target Audience: All staff

Approved by: Information Governance Group

Date Approved: 27/07/2018

Ratified by: Executive Management Team (EMT)

Date Ratified: 07/08/2018

Date Issued: 10/08/2018


Review Date: 31/05/2020

(No later than May 2020)

Frequency of Review: 2 yearly

Minor review annually (ICO audit action) and internal review following cyber security internal audits/penetration testing

Responsible for Dissemination: Information Governance and Records Manager/DPO

Copies available from: Intranet - Connect

Where is previous copy archived (if applicable): Trust Network

Amendment Summary: Minor amendments as per below

Amendment detail (amendment number, page, subject):

1. Page 10: Section 3.9 – includes requirements for information security certification from supplier

2. Page 11: Section 3.11 includes Section 3.12 from the previous version, and includes some additions around regular test backup restores and documentation of the process

3. Page 15: Section 3.20 added on GDPR

4. Page 20: Section on Duties updated to include Data Protection Officer (DPO) role and responsibilities

5. Page 37: Appendix B added


Contents

1 INTRODUCTION .......................................................................................................... 7

2 SCOPE ......................................................................................................................... 7

3 INFORMATION SECURITY ......................................................................................... 7

3.1 Delivering Robust Information Security ................................................................... 8

3.2 Establishing an Information Security Framework .................................................... 9

3.3 NHS Information Governance Toolkit Statement of Compliance ............................ 9

3.4 Allocation of Information Security Responsibilities.................................................. 9

3.5 Authorisation Process for Information Processing Facilities ................................... 9

3.6 Co-operation between Organisations ..................................................................... 9

3.7 Independent Review of Information Security ........................................................ 10

3.8 Security of Third Party Access .............................................................................. 10

3.9 Outsourcing .......................................................................................................... 10

3.10 Risk Management and Business Continuity ...................................................... 10

3.11 Protection against malicious software procedures ............................................ 11

3.12 Data Back-up and Restore procedures ............................................................. 12

3.13 User Access Control .......................................................................................... 12

3.13.1 User Access Management .......................................................................... 13

3.13.2 User Responsibilities .................................................................................. 13

3.13.3 Network Access Control .............................................................................. 13

3.13.4 Operating System Access Control .............................................................. 13

3.13.5 Application Access Control ......................................................................... 14

3.13.6 Monitoring System Access and Use ........................................................... 14

3.14 Criminal Justice Act ........................................................................................... 14

3.15 Requirement for NHS organisations to report all incidents relating to information breaches ............................................................................................................ 14

3.16 The Data Protection Act 1998 (DPA) and the Confidentiality and Data Protection Policy ................................................................................................................. 15

3.17 Confidentiality: NHS Code of Practice ............................................................... 15

3.18 Information Security Management: NHS Code of Practice ................................ 16


3.19 The Freedom of Information Act 2000 (FOIA) and the Freedom of Information policy ................................................................................................................. 16

3.20 General Data Protection Regulation (GDPR) .................................................... 16

3.21 The Incident Management Policy ...................................................................... 16

3.22 The Computer Misuse Act 1990 ........................................................................ 17

3.23 The Trust’s Health and Safety Policies including: the Security Policy, Lone Working, Working in the Community, and Site Safety ....................................... 17

3.24 Records Management Standards and the Trust’s Records Management policy ............... 17

3.25 The Registration Authority Policy ...................................................................... 18

3.26 The Clinical Information System Policy ............................................................. 18

3.27 DUTIES ............................................................................................................. 19

3.27.1 Trust Board ................................................................................................. 19

3.27.2 Chief Information Officer (CIO) ................................................................... 19

3.27.3 Directors/Deputy Directors, Heads of Service and Managers ..................... 19

3.27.4 All Workers ................................................................................................. 19

3.27.5 Specialist Information Security Advice ........................................................ 20

3.27.6 Information Governance Group................................................................... 20

3.27.7 Information Governance and Records Manager/DPO ................................ 20

3.27.8 Human Resources (HR) .............................................................................. 21

3.27.9 Caldicott Guardian ...................................................................................... 21

3.27.10 Senior Information Risk Owner (SIRO): ...................................................... 21

3.27.11 Information Asset Owners (IAOs) ............................................................... 22

3.27.12 Information and Communication Technology (ICT) Manager ..................... 22

4 DEFINITIONS ............................................................................................................. 23

4.1 Confidentiality ....................................................................................................... 23

4.2 Integrity ................................................................................................................. 23

4.3 Availability ............................................................................................................. 23

4.4 Information Asset: ................................................................................................. 23

4.5 Information Security Incident: ............................................................................... 23

4.6 Personal Data: ...................................................................................................... 23


5 EQUALITY IMPACT ASSESSMENT .......................................................................... 23

6 TRAINING NEEDS ANALYSIS ................................................................................... 24

7 MONITORING COMPLIANCE AND EFFECTIVENESS ............................................. 24

8 REFERENCES TO EXTERNAL DOCUMENTS ......................................................... 26

9 ASSOCIATED INTERNAL DOCUMENTATION ......................................................... 27

10 APPENDIX A: EQUALITY IMPACT ASSESSMENT (EQIA) ....................................... 28

11 APPENDIX B: ADDITIONAL INFORMATION SUPPORTING THE INFORMATION SECURITY POLICY ................................................................................................... 29

11.1 Password Policy ................................................................................................ 29

11.2 How to choose a strong password and avoid choosing weak passwords ......... 29

11.3 Log Retention Policy .......................................................................................... 31

11.4 Server Log Retention ......................................................................................... 31

11.5 Security Patching policy .................................................................................... 32

11.6 Third Party administrators ................................................................................. 33


1 INTRODUCTION

Information Governance is the framework that enables the Foundation Trust to handle personal and corporate information legally and securely in the most efficient and effective way to deliver patient care.

Bradford District Care Foundation Trust (BDCFT) recognises the value of the data within its information systems. The Foundation Trust also recognises its responsibility to ensure the appropriate use, security, reliability, and integrity of this data; to safeguard it from accidental or unauthorised access, modification, disclosure, use, removal, or destruction; and to comply with relevant legislation.

This policy provides the framework to manage and secure data in all Trust physical and electronic information systems.

This policy is supplemented by the Information Governance Strategy which details how the Trust will implement this policy.

2 SCOPE

This policy supports the confidentiality, integrity and availability of all information and data the Trust holds in physical and electronic Information Assets. It relates to all electronic and manual data and information held by the Trust; this may be held in any format, e.g. paper, electronic, audio or visual.

This information will relate to patients, staff and others: service users, employees, customers, suppliers, contractors, agents, elected members, volunteers, charitable groups, partners and other business contacts.

This policy covers all types of information, including structured paper and electronic systems, transmission of information via fax, e-mail, post and telephone.

This policy also covers all data and information held in systems purchased, developed and managed by, or on behalf of, the Trust and any individual directly employed or otherwise by the Trust.

The policy applies to all employees of the Trust, contractors, agents, elected members, volunteers, charitable groups, partners and other business contacts.

Penalties could be imposed upon the Foundation Trust and its employees for non-compliance with the relevant legislation.

3 INFORMATION SECURITY

Information is critical in supporting the Foundation Trust to deliver care and carry out its activities. Effective data and information security is vital to ensure the confidentiality, integrity and availability of information. The objectives of this policy are to establish and maintain the security and confidentiality of information, information systems, applications and networks owned, operated and/or managed by the Trust.

3.1 Delivering Robust Information Security

The purposes of this Information Security policy and related procedures are:

• To ensure that necessary controls are in place to effectively manage information and ensure its security within the organisation.

• To protect the information assets of the Trust and provide assurance to our customers that the Trust takes a proactive approach to protecting all the information it holds.

• To protect BDCFT’s information assets from all threats, whether internal or external, deliberate or accidental. The Foundation Trust will ensure:

  • Information will be protected against unauthorised access
  • Confidentiality of information
  • Integrity of information will be maintained
  • Information will be supported by the highest quality data
  • Regulatory and legislative requirements will be met
  • Business continuity plans will be produced, maintained and tested regularly
  • Information security training will be available to all staff
  • All breaches of information security, actual or suspected, will be reported to, and investigated by, the Information Governance Manager
  • New facilities should have appropriate user management approval, authorising their purpose and use

• To ensure all staff, including subcontractors and agency staff acting on behalf of the Trust, are aware of and adhere to the law of informational privacy and the Data Protection Act and all other information security related national requirements and standards, as well as the Trust’s Information Governance related policies. Staff will be aided in this by the Trust:

  • To produce a framework of related information management and security procedural documents, guidance and leaflets to underpin this policy
  • To deliver robust mandatory training and awareness at the Trust’s central induction, which all employed staff attend on appointment to the Trust
  • To deliver robust mandatory refresher training and awareness to all staff

The following requirements, legislation and national standards govern this policy. There are also a number of supporting policies and procedures which relate to specific aspects of information management and/or security.


3.2 Establishing an Information Security Framework

The Trust has developed a framework for its Information Security Policy. This is supported by a set of Information Governance policies and procedures and guidance to cover all aspects of Information Security. The Policy framework encompasses the following legislation, national standards and requirements and corporate policies:

3.3 NHS Information Governance Toolkit Statement of Compliance

BDCFT has a signed NHS Information Governance Statement of Compliance with NHS requirements including compliance with the NHS IG Toolkit, replaced from April 2018 with the Data Security and Protection Toolkit, which is regularly reviewed to ensure that its working practices are conducted in a safe, secure and confidential manner.

3.4 Allocation of Information Security Responsibilities

The Trust recognises the value of the information it holds and its responsibility to ensure the appropriate use, security, reliability, and integrity of that information; to safeguard it from accidental or unauthorised access, modification, disclosure, use, removal, or destruction; and to comply with relevant legislation. Each manager and data owner is responsible for the assets allocated to them and these responsibilities are clearly stated, and the following must be in place:

• For each information asset, security processes will be clearly defined and documented

• A manager will be responsible for each information asset or security process and the details of that responsibility will be documented

• Authorisation levels for access to systems, data and information will be clearly defined and documented

3.5 Authorisation Process for Information Processing Facilities

A management authorisation process for new information processing facilities is established and includes the following:

• New facilities should have appropriate user management approval, authorising their purpose and use. Approval should also be obtained from the manager responsible for maintaining the local information system security environment to ensure that all relevant security policies and requirements are met

• Hardware and software should be checked to ensure that it is compatible with other system components

• The use of personal information processing facilities for processing business information and any necessary controls should be authorised

• The use of personal information processing facilities in the workplace may cause new vulnerabilities and should therefore be assessed and authorised

3.6 Co-operation between Organisations

The Trust will ensure appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators are maintained, to enable quick action and advice in the event of a security incident.

The Informatics department will also ensure regular contact with the local CCGs, Acute Hospitals Trusts’ Information Governance Steering Committees and Information Governance staff to co-operate on addressing emerging issues efficiently and in a timely manner.

3.7 Independent Review of Information Security

An independent review will be undertaken to provide assurance that organisational practices properly reflect the policy and that it is feasible and effective.

3.8 Security of Third Party Access

Access to the Trust’s information processing facilities by third parties will be controlled (see Appendix B). Where there is a need for such third party access, a risk assessment will be undertaken to determine security implications and control requirements.

Formal contracts will be produced for third party access; these should refer to all security requirements for compliance with the organisation’s security policy and standards.

Access to information and information processing facilities by third parties will not be provided until the appropriate controls have been implemented and a contract has been signed defining the terms for the connection or access.

A non-disclosure agreement will be included in all contracts with third parties.

3.9 Outsourcing

The Trust will ensure that a contract has been agreed; the contract should address:

• how the legal requirements are to be met, e.g. data protection legislation;

• what arrangements will be in place to ensure that all parties involved in the outsourcing, including subcontractors, are aware of their security responsibilities and can prove these with a security accreditation (e.g. Cyber Essentials Plus, ISO/IEC 27001);

• how the integrity and confidentiality of the organisation’s business assets are to be maintained and tested;

• what physical and logical controls will be used to restrict and limit access to the organisation’s sensitive business information to authorised users;

• how the availability of services is to be maintained in the event of a disaster;

• what levels of physical security are to be provided for outsourced equipment;

• the right of audit.

3.10 Risk Management and Business Continuity

Business continuity management is an ongoing process of risk assessment and management with the purpose of ensuring that the business can continue if risks materialise. It is put in place to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

The Trust has a managed process in place to develop and maintain business continuity for the organisation. The following key areas are part of the business continuity process and are carried out on the Trust’s business critical information systems:

• Identify the risks that could affect the organisation

• Identify and prioritise critical business processes

• Understand the impact and consequences, should any one or a combination of events occur within the organisation

• Ensure that the business continuity strategy is formulated and documented and is consistent with the agreed objectives and priorities of the organisation

• Develop and document business continuity plans in line with the agreed strategy

• Regular testing and updating of the plans and processes put in place

• Responsibility for co-ordinating the business continuity management process is assigned at an appropriate level within the organisation

3.11 Protection against malicious software procedures

The Trust has a responsibility to ensure that the necessary controls are in place to prevent and detect the introduction of malicious software which may cause damage to and misuse of the Organisation’s systems, data and information. This Policy is compliant with the recognised Information Security Standard ISO 27000 series.

In order for the Trust to inspire confidence in its users, staff, customers and commissioners, it must ensure that computer software within the Trust is kept safe and secure, and establish any dangers or threats that may come about during daily activity.

The Trust has a responsibility to ensure the correct software and precautions are in place to protect against malicious software.

It is the responsibility of the individual employee to ensure they are using the computer correctly and safely to minimise any damage that may come through to the Trust.

All staff must refer to all removable media procedures, advice and guidance when working with portable devices.

The Trust has a responsibility to ensure:

• Staff Awareness:
  • Users must be briefed in induction training about the dangers of malicious software.
  • Users must be aware of the reporting procedure when a virus is detected or suspected.
  • Users will receive regular reminders of potential cyber-attack strategies to reduce the risks of malicious emails.

• Detection and Reporting processes are in place:
  • Any files on electronic media of uncertain or unauthorised origin, or files received over untrusted networks, must be checked for viruses before use.
  • Procedures must be established for when a data security incident, such as a virus, is detected / suspected, and investigated accordingly. Emergency changes may take place subject to approval from a senior informatics manager.
  • Staff and contractors must be aware of reporting procedures, including the loss or theft of IT corporate equipment.
  • A record must be maintained of data security incidents.
  • Procedures should be developed for review / follow up of a malicious software attack and must include:
    • disciplinary procedures as appropriate
    • review of the virus protection procedures
    • report to management

• Recovery processes are in place:
  • Adequate backups must be available to recover from a malicious software attack. These will have been tested on a regular basis, see Section 3.12.
  • Master copies of software must be stored securely and kept up to date with the latest patches to reduce any potential threats.
  • Computer media should be write-protected where possible.
  • Restore procedures must be documented and kept up to date.
  • An appropriate business continuity plan and a more detailed incident response plan for recovering from a virus attack should be established.

3.12 Data Back-up and Restore procedures

The Trust is committed to ensuring the correct procedures are in place to maintain the integrity and availability of information, processing and communication services. This standard is to ensure that necessary controls are in place to protect data in the event of a hardware failure, accidental deletion or unauthorised changes. Effective controls are critical to ensuring the Trust can continue with its business critical services; these controls are:

• Data and software backups are taken on an agreed, appropriate and timely basis.

• The number of copies must be adequate, i.e. daily, weekly. At least three generations/cycles must be kept for important business applications.

• Backup copies of data will be taken prior to any new software or changes being installed, e.g. software fixes, upgrades, new releases.

• The backup database will be included in the backup process.

• Alternative backup arrangements should be available.

3.13 User Access Control

In order to ensure that information is protected against unauthorised access, the Trust has robust access control processes and procedures in place which set out both its and the users’ responsibilities. These restrictions aid the Trust in ensuring that information is available to authorised users only and aid the detection of unauthorised activities.

Key responsibilities are defined as follows:

3.13.1 User Access Management

• A formal user registration and de-registration procedure for granting access to information systems will be established and documented for each system.

• The allocation and use of privileges will be restricted and controlled

• The allocation of passwords will be controlled

• The use of authentication methods, e.g. biometrics and hardware tokens, for user identification and authentication will be controlled

• Access rights will be reviewed on a regular basis

3.13.2 User Responsibilities

• Guidelines will be issued to all users for good security practices in the selection and use of passwords – see Appendix B

• Users will ensure that unattended equipment has adequate protection to prevent rogue access to information

3.13.3 Network Access Control

• The network path from the user terminal to the provided IT services will be controlled and maintained

• External connections will be tightly controlled via strong authentication

• Where dial up access is permitted, strong authentication must be used, which may include cryptographic techniques, authentication challenge (CHAP) and dedicated private lines

• Where external connections are allowed to the Trust’s network, enforced pathways must be used, e.g. firewall controls and policies must restrict the external access only to the authorised areas

• Connections to remote computers must be authenticated

• Access to diagnostic ports will be securely controlled

• Controls will be in place to segregate groups of information services, users and information systems

• Network connection controls will be implemented to restrict the connection capability of users, e.g. network gateways that filter traffic by a method of predefined tables or rules

• Network routing controls will be implemented to ensure that computer connections and information flows are controlled

• Network services will be provided by secure and monitored gateways

3.13.4 Operating System Access Control

• The computer log on procedure will be adequately controlled

• All users will be given a unique user ID. Where access to shared resources is required, a shared network drive or email account will be created. Approval by management will be documented for such cases. Additional controls may be required to maintain accountability

• Inactive computers in high risk locations, e.g. public areas, will shut down or activate a screen saver with a password login after a period of inactivity to prevent unauthorised access

3.13.5 Application Access Control

• User access to information and application system functions will be controlled in accordance with defined business access control procedures, e.g. providing menus to control access to applications, controlling access rights of users

• When possible, access control will be enabled and managed centrally through Active Directory

3.13.6 Monitoring System Access and Use

• Responsibility for security monitoring will be clearly allocated

• Audit logs will be produced and kept for an agreed period and will include:
  • user IDs, dates and times of log on and log off
  • terminal ID or location (where possible)
  • records of successful and rejected system access attempts
  • records of successful and rejected data and other resource access attempts

• Procedures for monitoring use of information processing facilities will be established. The level of monitoring required will be determined by a risk assessment

• Procedures will be in place to ensure that computer clocks are set accurately for recording.
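As an added illustration of the audit-log requirements in this section (not part of the Trust’s policy or any tool it uses), the Python below parses constructed audit records carrying the fields listed above (user ID, date and time of log on/off, terminal ID, outcome of system and resource access attempts), reports records that lack a required field, flags users with a burst of rejected attempts inside a short window, and detects timestamps that run backwards, which is the symptom of an inaccurately set clock. The pipe-separated line format, the field and event names, the sample user IDs and the threshold of five rejections in five minutes are all assumptions made for this example.

```python
"""Audit-log completeness and rejected-access checks (added example; constructed data)."""
from collections import deque
from datetime import datetime, timedelta

# Assumed record layout: timestamp|user_id|terminal|event|outcome|resource
FIELDS = ("timestamp", "user_id", "terminal", "event", "outcome", "resource")
EVENTS = {"logon", "logoff", "access"}
OUTCOMES = {"success", "rejected"}

# Constructed sample log: one user with five rejected logons in under two
# minutes, one record with no terminal ID, and a final record whose timestamp
# is earlier than the one before it (a clock problem, not a real event order).
SAMPLE_LOG = """\
2018-08-10T08:00:12Z|jsmith|WS-0142|logon|success|-
2018-08-10T08:00:40Z|jsmith|WS-0142|access|success|/clinical/records/12345
2018-08-10T08:01:03Z|adoe|WS-0077|logon|rejected|-
2018-08-10T08:01:20Z|adoe|WS-0077|logon|rejected|-
2018-08-10T08:01:44Z|adoe|WS-0077|logon|rejected|-
2018-08-10T08:02:10Z|adoe|WS-0077|logon|rejected|-
2018-08-10T08:02:30Z|adoe|WS-0077|logon|rejected|-
2018-08-10T08:05:00Z|bkhan||access|success|/finance/payroll
2018-08-10T07:59:00Z|jsmith|WS-0142|logoff|success|-
"""


def parse_line(line):
    """Split one record into a dict; raise ValueError if it is malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    if rec["event"] not in EVENTS or rec["outcome"] not in OUTCOMES:
        raise ValueError(f"unknown event/outcome: {rec['event']}/{rec['outcome']}")
    return rec


def parse_log(text):
    """Return (records, problems): parsed records plus completeness findings."""
    records, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = parse_line(line)
        except ValueError as exc:
            problems.append(f"line {n}: malformed ({exc})")
            continue
        if not rec["user_id"]:
            problems.append(f"line {n}: missing user ID")
        if not rec["terminal"]:  # policy asks for terminal ID "where possible"
            problems.append(f"line {n}: missing terminal ID")
        records.append(rec)
    return records, problems


def rejected_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Map user_id -> peak count of rejected attempts within any sliding window."""
    recent, flagged = {}, {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if rec["outcome"] != "rejected":
            continue
        q = recent.setdefault(rec["user_id"], deque())
        q.append(rec["timestamp"])
        while q and rec["timestamp"] - q[0] > window:
            q.popleft()  # drop rejections that fell out of the window
        if len(q) >= threshold:
            flagged[rec["user_id"]] = max(flagged.get(rec["user_id"], 0), len(q))
    return flagged


def out_of_order(records):
    """Indices of records whose timestamp precedes the previous record's."""
    return [i for i in range(1, len(records))
            if records[i]["timestamp"] < records[i - 1]["timestamp"]]


if __name__ == "__main__":
    recs, probs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    for p in probs:
        print("completeness:", p)
    for user, count in rejected_bursts(recs).items():
        print(f"rejected burst: {user} ({count} attempts)")
    for i in out_of_order(recs):
        print(f"clock check: record {i} is timestamped before record {i - 1}")
```

The completeness findings map directly onto the bullet list above: a record with no user ID or no terminal ID cannot support the accountability the policy asks for, and a backwards-running timestamp sequence is the cheapest signal that the clock-accuracy procedure has failed on a source. The burst threshold is the tunable part; in practice it would come from the risk assessment that sets the level of monitoring.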

3.14 Criminal Justice Act

The Criminal Justice Act came into force in November 2008. The Act provides for fines of up to £500,000 to be imposed on organisations and individuals who are aware of information risks but have not taken reasonable and appropriate steps to reduce those risks.

3.15 Requirement for NHS organisations to report all incidents relating to information breaches

All incidents that involve a breach of information security must be reported through the normal incident management reporting procedures and the IG Toolkit/Data Security and Protection Toolkit serious incident (SIRI) procedure. Examples of breaches include missing patient records, unauthorised access to clinical systems, loss or theft of equipment holding personal data such as laptops and memory sticks, and cyber security attacks.

An announcement by the Cabinet Office in May 2008 changed the classification of all breaches in data security to Serious Incidents (SI):

“There is no simple definition of a Serious Incident (SI) in relation to Personal Identifiable Data (PID). As a guide, any incident involving the actual or potential loss of personal information that could lead to identity fraud or have other significant impact on an individual should be considered as serious.”

The bulk data transfer requirement is that all bulk data transfers, i.e. of 5 or more items, are controlled. These transfers shall also be approved by the Caldicott Guardian and conducted in accordance with the measures set out in supporting policies such as the Removable Media Procedure, Data Encryption procedures and the Use of Secure Courier Services procedures.

3.16 The Data Protection Act 1998 (DPA) and the Confidentiality and Data Protection Policy

BDCFT needs to obtain and retain personal information about the people it serves and others in order to provide its services and carry out its business. Such people include patients, employees (present, past and prospective), suppliers, contractors and other business contacts. The information includes private/confidential personal information and other sensitive information. In addition, we may occasionally be required to collect and use certain types of personal information to comply with the requirements of the law.

No matter how it is collected, recorded and used (e.g. on a computer or on paper) this personal information must be dealt with properly to ensure compliance with the Data Protection Act 1998.

The Data Protection policy gives more information about how the DPA affects BDCFT and how the Trust complies with the eight principles of the Act, which are summarised below:

• Personal data shall be processed fairly and lawfully.

• Personal data shall be obtained/processed for specific lawful purposes.

• Personal data held must be adequate, relevant and not excessive.

• Personal data must be accurate and kept up to date.

• Personal data shall not be kept for longer than necessary.

• Personal data shall be processed in accordance with rights of data subjects.

• Personal data must be kept secure.

• Personal data shall not be transferred outside the European Economic Area (EEA) unless there is adequate protection.

3.17 Confidentiality: NHS Code of Practice

The NHS Confidentiality Code of Practice was approved by the Department of Health in November 2003. This code is a guide to required practice for those who work within or under contract to NHS organisations concerning confidentiality and patients’ consent to the use of their health records. All parts of the NHS need to establish working practices that effectively deliver the patient confidentiality that is required by law, ethics and policy. The NHS is committed to the delivery of a first class confidential service. This means ensuring that all patient information is processed fairly, lawfully and as transparently as possible so that the public:

• understand the reasons for processing personal information;

• give their consent for the disclosure and use of their personal information;

• gain trust in the way the NHS handles information; and

• understand their rights to access information held about them.


3.18 Information Security Management: NHS Code of Practice

The Information Security Management NHS Code of Practice was approved by the Department of Health in April 2007. This code is a guide to the methods and required standards of practice in the management of information security for those who work within or under contract to, or in business partnership with, NHS organisations in England. It is based on current legal requirements, relevant standards and professional best practice.

The Code provides a key component of Information Governance arrangements for the NHS. NHS organisations need robust information security management arrangements for the protection of their patient records and key information services, to meet the statutory requirements set out within the Data Protection Act 1998 and to satisfy their obligations under the Civil Contingencies Act 2004.

3.19 The Freedom of Information Act 2000 (FOIA) and the Freedom of Information policy

The Freedom of Information Act 2000 (FOIA) gives a general right of access to all types of recorded information held by public authorities. The Act sets out exemptions to that right but requires public authorities to actively publish certain categories of information.

BDCFT’s Freedom of Information policy and related procedures include guidance on the actions that should be taken when a FOI request is received by the Trust.

3.20 General Data Protection Regulation (GDPR)

The GDPR, which applies from May 2018, enhances the DPA and confidentiality principles. The right to data portability is new. It only applies:

• to personal data an individual has provided to a controller;

• where the processing is based on the individual’s consent or for the performance of a contract; and

• when processing is carried out by automated means.

BDCFT relies on individuals’ consent to process their data in some parts of the business. Arrangements are in place to make sure it meets the GDPR standard on consent being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.

The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO and, in some cases, to individuals. Data Protection Impact Assessments (DPIAs) become mandatory in certain circumstances. A DPIA is required in situations where data processing is likely to result in high risk to individuals, and is required where a new technology is being deployed.

3.21 The Incident Management Policy

BDCFT is committed to a philosophy of improvement and learning, believing that no person should be harmed or disadvantaged due to failure of its services or by actions or omissions of its employees. BDCFT is committed to ensuring that incidents are managed so that the impact of such incidents is minimised and that harm to service users, employees and visitors is contained. This will be achieved through an open, honest and transparent process whereby safety is a key factor of service delivery, and an acknowledgement that safety must not be compromised by any conflicting pressures. This process should ensure that the Trust learns from these incidents and near-misses in each case how to reduce the risk of them happening again.

The effective management of incidents is the cornerstone of service user safety, fundamental to the facilitation of Trust wide learning, thereby continuously strengthening the safety culture and contributing to improved safer systems of working. Incorrectly managed incidents could result in a loss of public confidence in the Trust and a loss of assets.

3.22 The Computer Misuse Act 1990

This Act was created to criminalise unauthorised access to computer systems and to deter offenders from using computers to assist in the commission of a criminal offence or from impairing or hindering access to data stored in a computer. The basic offence is to attempt or achieve access to a computer or the data it stores by inducing a computer to perform any function with intent to secure access.

3.23 The Trust’s Health and Safety Policies including: the Security Policy, Lone Working, Working in the Community, and Site Safety

These policies are aimed at creating a deep awareness of and responsibility for the assessment and management of all security risks at all levels in the organisation, through individual practices and in management arrangements. These responsibilities include the awareness of risks to the security of Trust assets, data and personal information.

Awareness of these policies will help to deter those who may be minded to breach security. The purpose of these policies is to prevent security incidents or breaches from occurring, detect security incidents or breaches, investigate security incidents or breaches, and to apply sanctions against those responsible for security incidents or breaches. Guidance includes risks to information security and to Trust assets.

3.24 Records Management Standards and the Trust’s Records Management policy

Records Management is a discipline which utilises an administrative system to direct and control the creation, version control, distribution, filing, retention, storage and disposal of records, in a way that is administratively and legally sound, whilst at the same time serving the operational needs of the Trust and preserving an appropriate historical record. The key components of records management are:

• record creation;

• record keeping;

• record maintenance (including tracking of record movements);

• access and disclosure;

• closure and transfer;

• appraisal;

• archiving; and


• disposal.

Information is a corporate asset. The Trust’s records are important sources of administrative, evidential and historical information. They are vital to the Trust to support its current and future operations (including meeting the requirements of Freedom of Information legislation), for the purpose of accountability, and for an awareness and understanding of its history and procedures.

The Records Management policy applies to all records created by BDCFT including:

• Paper Records

• Electronic Records

• Micro Records (both Form and Fiche)

• Audio Records

• Visual Records

• Leaflets and other similar promotional material created by BDCFT.

3.25 The Registration Authority Policy

The Electronic Patient Record (EPR) system is being introduced throughout the NHS. This system is a key element of the NHS reform process and will transform the way in which health care records are accessed and managed. Electronic records will give authorised healthcare professionals faster, easier access to accurate patient information and protect patient confidentiality. Centrally stored information will be accessible from any healthcare provider location in England. Ultimately, well managed electronic records will lead to improvements in the quality of patient care and the patient experience.

3.26 The Clinical Information System Policy

BDCFT recognises the importance of a good quality Clinical Information System, especially in giving staff the appropriate access and training to allow them to carry out their duties. As a Mental Health care provider it is necessary for the Trust to obtain and process large quantities of information in order to operate and deliver care effectively. Without adequate staff training and support the vital information needed to offer complex health services will not be available. Good record keeping enables the Trust to rely on information for clinical decision making. Good quality information enables the Trust to rely confidently on reports and analysis produced from systems for the management of the organisation, the planning of services and the provision of care to patients.

The Trust aims to raise levels of expertise in data handling and the awareness of the need for confidentiality for all staff, including permanent, temporary and agency staff.

This will have the direct benefit of improving both the quality and efficiency of work undertaken within the Clinical Information System; this will ensure that staff meet current compliance requirements set out for Connecting for Health and the current laws within the UK.


3.27 DUTIES

3.27.1 Trust Board

The Trust Board is committed to ensuring this policy and procedure is fully implemented and:

• The Chief Executive has Board level responsibility for ensuring an effective policy for Information Security is in place within the Trust.

• Has overall responsibility for effective Information Security within the Trust, and for ensuring that the Trust complies with its statutory obligations.

• Is accountable for Information management and security, with responsibility to seek assurance that adequate processes are in place, exercised through the Information Governance Group.

• Will provide clear lines of reporting and supervision for compliance with data protection.

3.27.2 Chief Information Officer (CIO)

The CIO is responsible for:

• Acting as the Trust’s senior information security officer to ensure that there are in place fit for purpose information systems underpinned by effective information governance arrangements

• Ensuring the adoption of all mandated knowledge, information and data standards and any appropriate best practice and learning from health and any other industry

• Overseeing the completion and submission of the IG Toolkit/Data Security and Protection Toolkit and the NHSi 2017/18 Data Security Protection standards

• Contributing Informatics evidence as required for national benchmarking initiatives

• Developing and maintaining an appropriate inventory of all Informatics systems and ensuring appropriate security, disaster recovery and replacement plans are in place for each

• Ensuring the Trust has in place robust clinical information systems with a technical infrastructure which complies with established best practice, including system security, confidentiality, data protection and disaster recovery

• Developing close working relationships with clinicians and users of Trust systems to ensure engagement with the adoption of technologies and systems to make the delivery of patient care as effective as possible

3.27.3 Directors/Deputy Directors, Heads of Service and Managers

Directors, Deputy Directors, Heads of Services and Managers are responsible for:

• Ensuring dissemination of and compliance with this policy within their areas of responsibility

• Ensuring any breach of this policy is dealt with appropriately

3.27.4 All Workers

It is the responsibility of each worker to adhere to the Policy.

The policies, procedures and guidelines produced to support the Information Governance Policy apply to BDCFT and all its employees, Governors, agency staff, seconded staff, volunteers and contractors.


3.27.5 Specialist Information Security Advice

Independent, external, specialist security advice and assistance is retained by the Trust. This is to ensure consistency, to provide help/advice/guidance in security decision making, and to provide access to specialist advice outside the Trust’s own knowledge and experience.

3.27.6 Information Governance Group

A mature information governance structure is in place; the Information Governance Group meets every 2 months to discuss, agree and monitor governance issues and arrangements within the Trust. Membership is as follows:

• Medical Director (Caldicott Guardian)

• Senior Information Risk Owner (SIRO)

• Heads of Service

• Information Governance and Records Manager\DPO (IG&RM)

• Risk Manager

• ICT Manager

• All Major Information Asset Owners

3.27.7 Information Governance and Records Manager\DPO

The Information Governance and Records Manager\DPO is responsible for:

• Under the DPO remit, taking responsibility for data protection compliance

• Managing the IG processes across the Trust

• Providing leadership and guidance on IG matters in line with the law, national guidance and local implementation as required

• Ensuring that all IG breaches are reported in accordance with the IG Toolkit/Data Security and Protection Toolkit

• Ensuring that all IG training programmes and materials are kept up to date

• Attending at least once per year all locality/directorate/corporate team meetings to reapprise teams of their responsibilities and duties in connection with IG

• Reviewing and maintaining all relevant policies

• The management of annual security audits

• Ensuring the Records Policy for the Trust is in line with national guidance and standards

• Developing clear operational policies and training programmes for implementing the Records Policy

• Establishing the necessary reporting structure to ensure that effective governance is maintained

• Working closely with the Trust’s Governance and Service Improvement groups to improve the quality of records

• Ensuring high standards in record keeping by promoting quality control policies and standards

• Conducting service audits as required

• Ensuring delivery of a professional records service

• Acting as the Information Asset Owner for the Trust’s health record archive and being responsible for its security

3.27.8 Human Resources (HR)

HR responsibilities are:

• The Director of HR will act as the Information Asset Owner in relation to HR records

• Ensuring data held by them is protected from unauthorised or unlawful access, loss or disclosure

• Providing advice and support in relation to the development and amendment of HR policies, in relation to Information management and security and in particular the Disciplinary policies and procedures, and the operation of the RA process for User Identity Management

• Ensuring that all contracts of employment encompass the requirements of the Data Protection Act

3.27.9 Caldicott Guardian

The Trust’s Caldicott Guardian:

• Will act as the ‘conscience’ of the Trust

• Will ensure that the Trust satisfies the highest practical standards for handling patient identifiable information

• Will facilitate and enable information sharing and advise on options for lawful and ethical processing of information

• Will represent and champion confidentiality and information security requirements and issues at Board level

• Will develop a knowledge of confidentiality and data protection matters

• Will ensure that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures for staff

• Will oversee all arrangements, protocols and procedures where confidential patient information may be shared with external bodies both within, and outside, the NHS

3.27.10 Senior Information Risk Owner (SIRO):

The SIRO:

• Will be an Executive Director or Senior Management Board Member

• Will take overall ownership of the Organisation’s Information Risks

• Will act as champion for information risk on the Board and provide written advice to the Accounting Officer on the content of the Organisation’s Statement of Internal Control in regard to information risk

• Will ensure that the appropriate risk assessment is undertaken to minimise any risks to the delivery of the Trust’s strategic aims through information risks

• Will implement and lead the NHS Information Governance (IG) risk assessment and management processes within the Organisation

• Will advise the Board on the effectiveness of information risk management across the Organisation

• Will receive training as necessary to ensure they remain effective in their role as Senior Information Risk Owner

3.27.11 Information Asset Owners (IAOs)

IAOs are responsible for:

• Leading and fostering a culture that values, protects and uses information for the success of the organisation and the benefit of its customers

• Knowing what information comprises or is associated with the asset, and understanding the nature and justification of information flows to and from the asset

• Knowing who has access to the asset, whether system or information, and why, and ensuring access is monitored and compliant with policy

• Understanding and addressing risks to the asset, and providing assurance to the SIRO by following the Trust’s risk management processes

3.27.12 Information and Communication Technology (ICT) Manager

The ICT Manager is responsible for:

• Acting as the Information Asset Owner for the ICT infrastructure, with specific accountability for computer & telephone equipment and services that are operated by the corporate & clinical work force, e.g. personal computers, laptops, personal digital assistants and related computing devices, held as an NHS asset

• The formulation and implementation of ICT related policies and the creation of supporting procedures, and ensuring these are embedded within the service

• Developing, implementing and managing robust ICT security arrangements in line with best industry practice

• Effective management and security of the Trust ICT resources (e.g. infrastructure and equipment)

• Developing and implementing a robust ICT disaster recovery plan

• Ensuring that ICT security levels required by the NHS Statement of Compliance are met

• Ensuring that all firewalls and secure access servers are maintained and in place at all times

Patients, service users and staff will know that their records will not be disclosed inappropriately, through published guidance documents and access to policies.

The policies, procedures and guidelines produced to support this policy apply to BDCFT and all its employees, agency staff, seconded staff and contractors.

The Trust and its entire staff are governed by other laws & regulations including:

• The common law of confidentiality

• Human Rights Act 1998

• Computer Misuse Act 1990

• Criminal Justice and Immigration Act 2008

• Freedom of Information Act 2000

• Access to Health Records Act 1990

• Access to Medical Reports Act 1998

• Crime and Disorder Act 1998

To raise awareness in the Trust of NHS and related guidance, the Trust and its entire staff are also governed by other NHS standards and codes of practice:

• Confidentiality: NHS Code of Practice

• Records Management: NHS Code of Practice

• Information Security: NHS Code of Practice

• The NHS Care Records

• General Data Protection Regulation (GDPR)

4 DEFINITIONS

4.1 Confidentiality

Information is not disclosed to or accessed by unauthorised individuals and processes.

4.2 Integrity

Information is accurate, complete, verifiable and protected from accidental corruption and malicious modification.

4.3 Availability

Information can be accessed by authorised users and processes.

4.4 Information Asset:

Information or data and the media, format and systems upon which they are recorded, for which the Trust is responsible.

4.5 Information Security Incident:

An event or series of events that has a significant probability of compromising business operations and threatening information security.

4.6 Personal Data:

Information relating to a living individual who can be identified from that data and other information in the possession of the Data Controller; it includes any expression of opinion about that individual.

5 EQUALITY IMPACT ASSESSMENT

The Trust has no intent to discriminate and endeavours to develop and implement policies that meet the diverse needs of our workforce and the people we serve, ensuring that none are placed at a disadvantage over others. Our philosophy and commitment to care goes above and beyond our legal duty to enable us to provide high-quality services. Our Equality Analysis and equality monitoring is a core service improvement tool which enables the organisation to address the needs of disadvantaged groups. The aim of Equality analysis is to remove or minimise disadvantages suffered by people because of their protected characteristics.

An impact assessment has been undertaken to consider the need and assess the impact of this Procedural Document and is evidenced at Appendix A.

6 TRAINING NEEDS ANALYSIS

The Trust is committed to high quality targeted training and effective communication to support this procedural document. The Trust recognises that training capacity can fluctuate and will depend on resources available. As such, based on an assessment of capacity and risk, the training needs analysis will identify the high priority groups for training. The objective is to implement this procedural document and meet the training needs of these groups over the time frequency stated. The focus of Trust monitoring will be on this group over the agreed period or lifetime of the procedural document.

Please refer to the Information Governance Policy for a detailed Training Needs Analysis.

7 MONITORING COMPLIANCE AND EFFECTIVENESS

For each criterion the table records: the evidence identified to indicate compliance with policy; the method of monitoring, i.e. how/where it will be gathered; the frequency of monitoring; and the lead responsible for monitoring.

a. Duties

Evidence: Audit committee and IG Group; Completed IR1 forms/SI forms, Investigation reports; Internal/External Audit reports; Annual reports, Quarterly incident management reports; Quarterly IG Surveys; Audit Action Plans; IG and Security Audits; Records Audits; Penetration Testing Reports; Information Risk Registers; Information Asset registers; Training numbers

Method of monitoring: Minutes/discussions at meetings; Incident Management System; From investigator; Internal audit reports; IG papers; Survey Monkey website; Audit forms and reports to service managers; Reports from external companies

Frequency: Annually

Lead: Information Governance and Records Manager

b. Process for assessing compliance with legislation, national requirements and standards

Evidence: Information Governance Toolkit Scores: Baseline, Performance Update and Final Submission

Method of monitoring: Online submission and formal response; Regular external audit

Frequency: 3 times per year, and audited twice annually

Lead: Information Governance and Records Manager

c. Process for reporting all incidents/near misses, involving person identifiable information – staff and patients/service users

Evidence: Completed IR1 forms (cross section involving person identifiable information – staff and patients/service users); Quarterly incident reports; Annual reports; Completed SI forms; Monthly incident reports to IG&RM; SI database; Emails and faxes

Method of monitoring: Incident Management System; Incident Reports from Incident Management System; Internal Audit reports; Annual report

Frequency: Annually

Lead: Information Governance and Records Manager

d. Process for testing understanding of policy

Evidence: Regular Staff Surveys (at least 3 times annually); Locality based IG Audits; Locality based Records Audits; Completed declaration forms from Information Governance Staff Handbook; Certificated IG refresher course

Method of monitoring: Survey Monkey website and reports to IG Group and Resource Committee; Audit tools, reports and action plans; Training database

Frequency: 3 times per year; At induction and then 3 yearly; Annually

Lead: Information Governance and Records Manager

e. Process for reporting to external agencies

Evidence: Completed IR1 forms; SI Alert forms; Emails and letters; Annual reports

Method of monitoring: (not stated)

Frequency: Annually

Lead: Information Governance and Records Manager

8 REFERENCES TO EXTERNAL DOCUMENTS

• Confidentiality: NHS Code of Practice

• CQC National study: The right information, in the right place, at the right time. A study of how healthcare organisations manage personal data

• General Data Protection Regulation (GDPR)

• HCC Standards for Better Health (13b)

• Information Commissioner's Website

• Information Security Management: NHS Code of Practice

• Information Sharing and Mental Health: Guidance to Support Information Sharing by Mental Health Services

• Mental Capacity Act 2005

• Multi-Agency Public Protection Arrangements (MAPPA) and the duty to cooperate

• NHS Information Governance Guidance on Legal and Professional Obligations

• NHSi 2017/18 Data Security Protection - 2017/18 Data Security and Protection Requirements

• Records Management: NHS Code of Practice

• The Access to Health Records Act 1990

• The Data Protection Act 1998

• The Children Act 2004

• The Crime and Disorder Act 1998

• The Criminal Justice Act 2008

• The Computer Misuse Act 1990

• The Freedom of Information Act 2000

• The Health and Safety at Work Act 1974

• The Human Rights Act 1998

• The NHS Information Governance Toolkit / Data Security and Protection Toolkit

• The Privacy and Electronic Communications (EC Directive) Regulations 2003

• The Public Records Act 1958


9 ASSOCIATED INTERNAL DOCUMENTATION

The IG policy framework diagram sets out the Trust's documentation in levels:

Legal or National Requirements

Level 0 Overarching Trust Policies Connected to IG: Social Media Policy; Incident Management Policy; Health and Safety policies including Security Policy

Level 1 Overarching IG Policy Requirements: Statement of Compliance with the IG Toolkit; Information Governance Policy

Level 2 Overarching Information Security Policy Requirements: Information Security Policy

Level 3 Underpinning policies (Core policies for the Whole Trust): Confidentiality and Data Protection Policy; Freedom of Information Policy; Records Management Policy; Registration Authority Policy; Clinical Systems Policy; Data Quality Policy

Level 4 Procedures and Guidance and processes for complying with the IG Policy Framework (Core Procedures and Guidance for the Whole Trust; Informatics Procedures) and Level 5 Useful Publications for staff, service users and carers. The diagram lists the following documents under these levels:

• Email Security and Use Procedure

• Data Protection Procedures

• Informatics Business Continuity Procedures

• Use of Faxes procedure

• Freedom of Information Procedures

• Informatics Disaster Recovery Procedures

• Seizure of IT Equipment Procedure

• Records Management Procedures

• User Access Procedures

• Internet Security Procedure

• RiO Audit Procedure

• Data Backup Procedures

• Laptop Security Procedure

• Procedures for Dealing with Dataset Changes

• Data Recovery and Restore Procedures

• Mobile Phone and Blackberry User Procedure

• Procedure for Tracing NHS Numbers

• Encryption Procedures

• Personal Security Procedure and Statement

• Change Control Procedures

• Equipment Lockdown Procedures

• Portable Media and Devices Procedure

• System Development and Maintenance Procedure

• Exchange of Information and Software Procedure

• Use of Secure Courier Procedure

• Disposal / Destruction of Records Procedure

• Installing Virus Scan Procedures

• Registration Authority Procedures

• SystmOne Procedures

• Protection Against Malicious Software Processes

• RiO Procedures

• Use of Personal Equipment Procedure

• Data Quality Guidance Procedures

• Virus Protection Procedure

• Information Governance Handbook

• Data Protection Guidance

• Mobile Phone and Blackberry User Guidance

• Data Quality Procedures

• Email Security and User Guidance

• Freedom of Information Guidance

• How we Use Your Information Leaflet

• Records Management Guidance

• Transporting Personal and Trust Information

• Registration Authority Guidance

• Information Handling Best Practice

• Clinical Systems Guidance

• Disclosure of Personal Information to The Police

• RiO Guidance

• Freedom of Information Act Access to Information

• Information for Patients on Freedom of Information

• Record Retention Guidance

• Safe Haven Guidance

• Confidentiality Code of Conduct

• Guide for Handling Patient Information

• Data Protection Act Code of Practice

• Data Protection Act Advice to Managers

• FAQs: Access to Records

10 APPENDIX A: EQUALITY IMPACT ASSESSMENT (EQIA)

Policy/Procedure: Information Security Policy

Manager: Head of Informatics

Directorate: Informatics

Date: May 2018

Review date: May 2020

Purpose of Policy: To provide a policy and procedural guidance on the Trust's legal responsibilities

Associated frameworks (e.g. national targets, NSFs): The Information Governance Toolkit provides a framework to enable organisations to assess their compliance with current legislation, Government directives and other national guidance. The framework also provides assurance for NHSLA and Standards for Better Health. NHS organisations are mandated to assess themselves against the toolkit annually.

Who does it affect: All staff

Consultation process carried out: Yes

QA Approved by:

Equality protected characteristic   Impact Positive   Impact Negative
Age                                 ✓
Disability                          ✓
Gender Reassignment
Race                                ✓
Religion or Belief
Pregnancy & Maternity
Sex                                 ✓
Sexual Orientation

Rationale for response: Positive impact expected outcome. There is currently no information identified through the Equality Impact Assessment that would suggest that this policy has the potential to disadvantage any individual or function if implemented and operated in a manner that is laid out within the policy statement.

Equality Analysis SIGN-OFF

Have any adverse impacts been identified on any equality groups which are both highly significant and illegal?

Are you satisfied that the conclusions of the EqIA Screening are accurate? The Trust will publish a summary of the impact analysis carried out to meet the duty and make this available to the public on the Trust Internet site.

Completed by Manager

QA approved

Director approved


11 APPENDIX B: ADDITIONAL INFORMATION SUPPORTING THE INFORMATION SECURITY POLICY

11.1 Password Policy

All BDCFT users are required to have a strong password.

Your password must:

• Be at least 8 characters long

• Contain 1 uppercase character

• Contain 1 lowercase character

• Contain 1 numeric character

You will be asked to change your password every 90 days.

Strong passwords will be enforced by regular password audits of our password database.

If you are found to have a weak password you will be required to change it.

Please note: if you have any issues with your password or are locked out, please phone 01274251251 (diverted to On Call between 5pm and 8am) or email [email protected]

11.2 How to choose a strong password and avoid choosing weak passwords

What do we mean by a ‘strong’ password?

When we say a password is 'strong', we mean it's hard to guess. Hackers use computer programs to try millions of possible passwords until one works, so choosing a password that is not guessable (for example, one not based on easily-discoverable information) is harder than it sounds.

This advisory will help you choose a password that is strong.

1. Avoid the obvious choices

Lots of people really do choose things like ‘12345’, ‘qwerty’ or ‘password’. Or they use

the name of the town - ‘Bradford1’, for example. Don’t do this.

2. Don’t use an actual word for your password

Password cracking software can simply try every word in the dictionary until it finds your password, so using an actual word as your password isn’t a good idea. If you must, try using two or three words instead.

3. Avoid common passwords

When you are forced to follow rules when setting a password (at least one capital letter, a number, a special character and so on), the natural thing to do is to take a word such as ‘halifax’, make the first letter a capital H and add a couple of numbers at the end, probably a significant year so you can remember it: Halifax2018. This is one of the most common patterns there is, and cracking software tries it first.

You should go a step further and use a substitution, such as ‘1’ in place of ‘i’, capitalise a letter other than the first character, and perhaps also add a special character:

Halifax2018 (weak password)

hAl1fax-20I8 (stronger password)

Bear in mind that cracking tools apply these same substitutions automatically, so this step only buys a little. A passphrase (step 4) is the better option.

4. Use a passphrase instead

To have a strong password that’s still memorable, try using a phrase instead of a word.

Choose a random sequence of words - like ‘suMmerroutedr0pbalm’. If you can think of

a little story or mental picture to link the words, that can help the password stick in your

mind.

If you want some extra strength in your passphrase, add more capitals, numbers and

special characters. But avoid obvious patterns, like capitalising the first letter of a word.

5. Don’t re-use your BDCFT password

These days it’s fairly common for external websites to be hacked and people’s

passwords leaked.

If you re-use your BDCFT password elsewhere, it only takes one website to be hacked and we could potentially lose confidential information, especially if you used your BDCFT email address to sign up to the external website.

6. Don’t recycle your BDCFT password

Don’t recycle your password when you are required to change it. For example, if you use Bradford1 this week, don’t change it to Bradford2, then Bradford3, and so on: the changed digit is the first thing a cracker tries.

7. It’s not okay to write passwords down.

It’s a bad idea to write passwords down. Make your passwords strong, but memorable.

It is required by policy that you memorise any password that grants access to

confidential patient information. If you cannot remember your passwords please

consider the use of a password manager.

8. Use a password manager

In BDCFT you are allowed to use a password manager, but the only password manager approved for this purpose is “Enpass” (https://www.enpass.io).

9. Do not share your password

Once you’ve chosen a good password, if another BDCFT staff member asks you to use

it, do not share it. If they are meant to have access to a particular resource they should

discuss that with their manager and get the access approved using their own password

credentials.


Be careful where you type your password. A common scam is to send a fake email that

looks like it’s from the BDCFT. You click a link, and are taken to a website that looks

like our webmail service, but it’s really set up to steal passwords.

YOU are responsible for information entered or accessed using your password. This

includes any activity undertaken by someone else whilst your PC is left logged in and

unattended.
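The checks in steps 1 to 8 above and in section 11.1 can be automated, which is how the password audits mentioned in 11.1 find weak choices in practice. The following Python script is an added example written for this page, not Trust tooling. Its word list and list of obvious choices are constructed from the examples above and stand in for the full wordlists a cracker or auditor would load; the minimum length, character classes and audit findings are assumptions of the example. It also shows why the substitution trick in step 3 adds little: the audit undoes the substitutions before looking the word up, which is exactly what password-cracking rule sets do.

```python
from __future__ import annotations

import re

MIN_LENGTH = 8  # the 11.1 minimum

# Constructed mini wordlist standing in for the dictionary a cracker loads; the entries
# are the words the policy's own examples are built from. A real audit would load a
# full wordlist from disk (assumption).
WORDLIST = {"password", "qwerty", "halifax", "bradford", "welcome", "letmein"}

# Obvious choices the policy tells people to avoid outright (constructed list).
COMMON = {"12345", "123456", "qwerty", "password", "letmein"}

# Substitutions that cracking rule sets undo automatically, so they add little strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def complexity_findings(pw: str) -> list[str]:
    """The four 11.1 rules: minimum length, upper case, lower case, digit."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", pw):
        findings.append("no uppercase character")
    if not re.search(r"[a-z]", pw):
        findings.append("no lowercase character")
    if not re.search(r"[0-9]", pw):
        findings.append("no numeric character")
    return findings


def split_affixes(pw: str) -> tuple[str, str, str]:
    """Split into (leading non-letters, body, trailing non-letters)."""
    m = re.fullmatch(r"([^A-Za-z]*)(.*?)([^A-Za-z]*)", pw)
    return m.group(1), m.group(2), m.group(3)


def dictionary_finding(pw: str) -> str | None:
    """Flag 'Halifax2018'-style passwords: a dictionary word, possibly capitalised and
    leet-substituted, padded with a short prefix or suffix such as a year."""
    lead, body, trail = split_affixes(pw)
    normalised = body.lower().translate(LEET)   # "hAl1fax-20I" -> "halifax-2oi"
    m = re.match(r"[a-z]+", normalised)
    if not m:
        return None
    word = m.group(0)
    padding = len(lead) + (len(body) - len(word)) + len(trail)
    if word in WORDLIST and padding <= 6:
        return f"based on the dictionary word '{word}'"
    return None


def is_recycled(previous: str, new: str) -> bool:
    """Bradford1 -> Bradford2 changes only the appended digit: same body, same cracker hit."""
    return split_affixes(previous)[1].lower() == split_affixes(new)[1].lower()


def audit(pw: str, previous: str | None = None) -> list[str]:
    """Return the reasons a password would fail the audit; an empty list means it passes."""
    findings = complexity_findings(pw)
    if pw.lower() in COMMON:
        findings.append("on the list of obvious choices")
    reason = dictionary_finding(pw)
    if reason:
        findings.append(reason)
    if previous is not None and is_recycled(previous, pw):
        findings.append("recycles the previous password")
    return findings


if __name__ == "__main__":
    for candidate in ["Halifax2018", "hAl1fax-20I8", "suMmerroutedr0pbalm", "qwerty"]:
        print(f"{candidate:22} {audit(candidate) or ['passes']}")
    print("Bradford1 -> Bradford2:", audit("Bradford2", previous="Bradford1"))
```

A non-empty list is the reason to send the user back to the advice above. The passphrase from step 4 passes because no single dictionary word with a short padding explains it, whereas both Halifax2018 and hAl1fax-20I8 come back as the same word once the substitutions are undone.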

Administrative privilege

Information Asset Owners are required to regularly review the number of users with admin

rights to their systems and adjust as necessary, in order to maintain service requirements

and security.

Users with Administrative privileges found to have weak passwords will have their

accounts disabled to protect access.

No standard user accounts will be granted any administrative privileges.

11.3 Log Retention Policy

BDCFT cherishes freedom of expression, the diversity of values and perspectives inherent in its community, and the right to privacy for all members of the BDCFT community. At the same time, BDCFT may be required by law to access and disclose information from computer and network users' accounts, or may find it necessary to do so in order to protect BDCFT's legal responsibilities, uphold contractual obligations, or comply with other applicable BDCFT policies. BDCFT may also be required to access information to diagnose and correct technical problems.

Log data may only be used in a manner consistent with BDCFT’s Acceptable Use Policy (AUP), and is not intended for any use other than:

1. Identifying, investigating and resolving technical, operational or security-related

issues (for example, hacked accounts or troubleshooting an IT issue);

2. In response to a legal search warrant or preservation request through approved

channels (BDCFT’s legal counsel);

3. In response to an approved request from BDCFT’s CIO to disclose the data.

Logs are to be classified, maintained and used in accordance with this policy.

11.4 Server Log Retention

This policy and British law may specify minimum retention requirements for certain types of logs and log data. Where applicable, those retention requirements must be followed.

The IT Security Office recognises the need to balance the usefulness of logging information with the concerns the BDCFT community has for protecting the privacy of our users. To that end, maximum recommended log retention standards have been established and outlined in BDCFT’s.

Logs must be retained for the documented period of 6 months, and may not be provided to non-BDCFT personnel without prior approval from Information Governance (IG).

11.5 Security Patching policy

Security maintenance & management

• All computers attached to the BDCFT network must have up-to-date security patches installed no later than 2 weeks from when they become available.

• All identified vulnerabilities should be remediated to an acceptable level or mitigated

within 3 months of discovery, unless exempt.

• BDCFT Informatics will maintain a list of business-critical software that is exempt

from this Security Patching policy.

Microsoft operating system machines

• Patches are applied using the centrally provided service, or through local

arrangements, providing the same time frame as the centrally provided service is

met.

• We will release them on the second Wednesday of each month.

• Patches will be released early where necessary and support staff will be notified.

• Systems must be monitored and patched when found to be out of date.

• Portable computers and those that are only occasionally attached to the network are to be kept patched.

• Servers with Microsoft operating systems are to be patched within 1 month of patches being released. Critical patches are to be applied within 24 hours.

• Service packs are to be deployed through the centrally provided system or under

local arrangements.

• Systems must be monitored for compliance and brought up to date where

necessary.

Non-Microsoft operating systems

• Those responsible for the maintenance of non-Microsoft systems are to keep

themselves up to date with details of vulnerabilities, exploits and patches

associated with their platforms.

• Security patches for vulnerabilities exploitable externally or without a user-id are to

be classed as critical.

• Less important machines are to be tested first, but priority must be given to

machines visible from external internet connections.

• Anyone experiencing problems with a patch should contact the service desk.


Routers & Switches

• We will monitor vendor notifications and appropriate websites for details of vulnerabilities affecting our routers and switches, and securely maintain our network equipment.

• Computer support staff who operate network devices are responsible for their

security maintenance.

Network blocking of vulnerable computers

• Computers that are not kept fully up to date with patches and service packs may be blocked from the network and will not be reconnected until they become current.
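The deadlines in this section are easy to state and easy to lose track of across an estate, so here is an added Python example, written for this page rather than taken from Trust tooling, that turns them into a compliance report over a constructed inventory. It reads "2 weeks" as 14 days, "1 month" as 30 days and "24 hrs" as one day; applies the 24-hour rule to critical patches on any server; treats a patch that is exploitable externally or without a user-id as critical on every platform (the text states that rule for non-Microsoft systems); and orders the overdue list with internet-visible machines first, as the non-Microsoft bullet requires. All of those readings, and the host and patch names, are assumptions of the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Patch:
    ref: str
    released: date
    installed: date | None = None       # None = still pending on this host
    critical: bool = False              # vendor / BDCFT severity
    remote_exploitable: bool = False    # exploitable externally or without a user-id


@dataclass
class Host:
    name: str
    role: str                           # "workstation" or "server"
    microsoft: bool
    internet_facing: bool
    patches: list[Patch] = field(default_factory=list)


def second_wednesday(year: int, month: int) -> date:
    """Expected monthly release date under 11.5: the second Wednesday of the month."""
    first = date(year, month, 1)
    offset = (2 - first.weekday()) % 7          # Monday == 0, so Wednesday == 2
    return first + timedelta(days=offset + 7)


def is_critical(patch: Patch) -> bool:
    # 11.5 states the "exploitable externally or without a user-id" rule for non-Microsoft
    # platforms; applying it to every platform is an assumption of this example.
    return patch.critical or patch.remote_exploitable


def deadline(host: Host, patch: Patch) -> date:
    """Latest acceptable install date. Assumptions: 2 weeks = 14 days, 1 month = 30 days,
    24 hrs = 1 day, and the 24 hr rule applies to critical patches on any server."""
    if host.role == "server" and is_critical(patch):
        return patch.released + timedelta(days=1)
    if host.role == "server" and host.microsoft:
        return patch.released + timedelta(days=30)
    return patch.released + timedelta(days=14)   # "all computers ... no later than 2 weeks"


def compliance_report(hosts: list[Host], today: date) -> dict[str, list]:
    """Overdue (host, patch, deadline) rows, internet-visible machines first as 11.5
    requires, plus the hosts the network-blocking rule would disconnect."""
    overdue = []
    for host in hosts:
        for patch in host.patches:
            due = deadline(host, patch)
            if patch.installed is None and today > due:
                overdue.append((host.name, patch.ref, due, host.internet_facing))
    overdue.sort(key=lambda row: (not row[3], row[2]))
    return {
        "overdue": [(name, ref, due.isoformat()) for name, ref, due, _ in overdue],
        "block": sorted({name for name, _, _, _ in overdue}),
    }


def sample_hosts() -> list[Host]:
    """Constructed inventory: the May 2018 monthly release plus two out-of-band fixes."""
    may = second_wednesday(2018, 5)                   # 2018-05-09
    kb_a = dict(ref="KB-A", released=may)
    return [
        Host("ws-001", "workstation", True, False, [Patch(**kb_a)]),
        Host("ws-002", "workstation", True, False, [Patch(**kb_a, installed=date(2018, 5, 15))]),
        Host("srv-web", "server", True, True,
             [Patch(**kb_a), Patch("KB-B", date(2018, 5, 30), critical=True)]),
        Host("srv-files", "server", True, False, [Patch(**kb_a, installed=date(2018, 5, 30))]),
        Host("srv-db", "server", False, False,
             [Patch("P-C", date(2018, 5, 20), remote_exploitable=True)]),
    ]


def example_report() -> dict[str, list]:
    """The constructed inventory assessed on 1 June 2018."""
    return compliance_report(sample_hosts(), today=date(2018, 6, 1))


if __name__ == "__main__":
    report = example_report()
    for name, ref, due in report["overdue"]:
        print(f"OVERDUE {name:10} {ref:5} deadline {due}")
    print("block from network:", report["block"])
```

On the constructed data the internet-facing web server with a missed critical patch tops the list, the Linux database server follows because its remotely exploitable fix was classed critical and so had a one-day deadline, and the workstation that simply missed its two weeks comes last; the web server's ordinary May patch is not yet overdue because servers get a month. The "block" list is what the final bullet above would disconnect.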

11.6 Third Party administrators

At times BDCFT requires that external companies interact with our internal systems for the purposes of support and administration. In such situations the third party must adhere to this policy, and in particular to the following points:

• All third parties must have current confidentiality contracts in place before any

Administrator credentials are created.

• Third parties must not perform change without a valid and current change control

number.

• All Third party changes will be subject to technical peer review by BDCFT IT

operations before they can proceed.

• Third parties will schedule change as to not impact on BDCFT operations.

• All third party changes must have a BDCFT internal sponsor.

• All third party changes must be carried out with the approval of the application owner.

• If a third party change fails due to technical difficulties, all changes must be backed out and the root cause of the failure analysed before a new change control number is issued.