INFORMATION SECURITY MANAGEMENT SYSTEM · 2020. 10. 1. · Information Officer, Infrastructure and Operations Management or Information Security ... 5.17.4 The monitoring and reporting

Oct 07, 2020

Information Security Management System (ISMS)

Central London CCG West London CCG

Hammersmith & Fulham CCG Hillingdon CCG Hounslow CCG

Ealing CCG Brent CCG

Harrow CCG

V1.0 September 2020

Amendment History:

Version   Date          Amendment History
0.1       10 Mar 2015   First draft for comment
0.1.1     04 Dec 2015   Second draft for comment
0.1.2     08 Sep 2016   Final draft for comment
0.1.3     02 Feb 2017   Amendments
0.1.4     11 Jun 2017   Amendments (Riordan Hill)
0.1.5     16 Nov 2017   Addition of Forensic Readiness
0.1.6     Dec 2018      Amendments
1.0       30 June 2020  Amendments: GDPR, Annual review

Reviewers: This document must be reviewed by the following:

Name                         Signature   Title / Responsibility                Date         Version
Dr. Ernest Norman Williams               Data Protection Officer               07 Mar 2019  0.1.3
Abhilash Abraham                         IT Security & Cyber Security Lead     07 Mar 2019  0.1.6
Felicia Ayo-Ajala                        Data Protection Officer (Corporate)   30 Jun 2020  1.0
Dr. Ernest Norman-Williams               Data Protection Officer (GPs)         30 Jun 2020  1.0

Approvals: This document must be approved by the following:

Name                        Signature   Title / Responsibility                           Date         Version
Victoria Medhurst                       Head of Governance / Company Secretary & SIRO    August 2020  1.0
Diane Jones                             Caldicott Guardian                                            1.0
NWL CCGs Governing Bodies   ---------   NWL CCGs Governing Bodies                        Sept 2020    1.0

Distribution: Collabor8

Document Status: Electronic version is the controlled document.

Related Documents: These documents will provide additional information.

Ref no   Organisation    Document Title                   Version
1        NHS Brent CCG   IM&T Security Policy             1.0
2        NHS Brent CCG   Information Governance Policy    2.0
3        NHS Brent CCG   Integrated Risk Management       1.0
4
5
6
7

Glossary of Terms: List any new terms created in this document. Mail the Security team ([email protected]) to have these included in the master glossary above [1].

Document Changes:

Date            Version   Author                                           Description
March 2015      0.1       Abhilash Abraham                                 Initial Draft version
December 2015   0.1.1     Hakan Akozek                                     Amended Draft
December        0.1.6     Altaf Suleman                                    Amended Draft
June 2020       1.0       Felicia Ayo-Ajala & Dr. Ernest Norman-Williams    Amended policy

Relevant Definitions in this policy

• Central London, West London, Hammersmith & Fulham, Hillingdon CCG, Hounslow, Ealing, Brent and Harrow Clinical Commissioning Group (CCG) may be referred to as NW London CCG’s throughout this document.

• Availability means the capacity of information systems to be accessible and useable when required and to be able to resist attacks and recover from failures.

• Default to deny means the setting of the norm to denying access so that specific instruction must be provided to allow access.

• Confidentiality means the principle of protecting information and preventing its disclosure to anybody other than those who have a right and need to know.

• Integrity means a standard of performance that guarantees information is created, amended or deleted only by the intended authorised means.

• Least Privilege means the principle that each subject be granted the most restrictive set of privileges needed for the performance of authorised tasks.

• Device means any piece of network equipment that contains a Network Interface Card (NIC) commonly known as an Ethernet card.

Table of Contents

1. INFORMATION SECURITY POLICY STATEMENT ..... 8
2. INTRODUCTION ..... 9
2.1 PURPOSE ..... 9
2.2 COMPONENTS ..... 10
2.3 SCOPE ..... 10
2.4 MONITORING, REPORTING AND AUDIT ..... 10
2.5 EXEMPTIONS ..... 11
3. INFORMATION SECURITY MANAGEMENT ..... 11
3.1 MANAGEMENT ..... 11
3.2 RESPONSIBILITIES FOR SECURITY MANAGEMENT ..... 12
4. INCIDENT MANAGEMENT ..... 14
5. DATA CLASSIFICATION, PROTECTION AND RETENTION ..... 14
5.1 DATA CONFIDENTIALITY ..... 14
5.2 GOVERNMENT DATA SECURITY CLASSIFICATION ..... 15
5.3 DATA PROTECTION MEASURES ..... 16
5.4 NOTIFICATION TO THE INFORMATION COMMISSIONERS OFFICE ..... 19
5.5 DATA PROTECTION PRINCIPLES ..... 19
5.6 DATA PROCESSING ..... 20
5.7 PRIVACY NOTICES ..... 20
5.8 RESPONSIBILITIES OF DATA USERS ..... 21
5.9 ACCURACY OF DATA ..... 22
5.10 SENSITIVE PERSONAL DATA ..... 23
5.11 DATA SECURITY AND DISCLOSURE ..... 23
5.12 DATA SUBJECTS’ CONSENT ..... 24
5.13 RIGHT OF ACCESS TO PERSONAL DATA ..... 24
5.14 PATIENTS RIGHT OF ACCESS TO MEDICAL AND CONFIDENTIAL HOSPITAL RECORDS ..... 25
5.15 RIGHT OF ACCESS TO PERSONAL DATA BY ELECTED REPRESENTATIVES ..... 25
5.16 RETENTION OF DATA ..... 27
5.17 PRIVACY ..... 27
5.18 ACCEPTABLE USER POLICY ..... 28
6. CONFIDENTIALITY CODE OF CONDUCT ..... 31
6.1 PURPOSE ..... 31
6.3 ACCOUNTABILITY AND RESPONSIBILITY ..... 32
7. OWNERSHIP OF INTELLECTUAL PROPERTY ..... 34
7.1 OWNERSHIP OF INTELLECTUAL PROPERTY ..... 34
8. LOGICAL ACCESS CONTROL ..... 35
8.1 AUTHORISATION AND ACCESS RIGHTS ..... 35
8.2 USER IDENTIFICATION PRINCIPLES ..... 36
8.3 PASSWORD STANDARDS ..... 37
8.4 LOGON PRINCIPLES ..... 38
8.5 LOGON PRINCIPLES ..... 39
8.6 RECORDING AND REVIEW OF LOGICAL ACCESS ..... 40
8.7 REMOVAL OF SYSTEM ACCESS ..... 41
8.8 REMOTE ACCESS ..... 42
8.9 SYSTEM UTILITIES ..... 43
8.10 EMERGENCY ACCESS ..... 44
8.11 SEGREGATION OF DUTIES ..... 44
9. PHYSICAL AND ENVIRONMENTAL CONTROLS ..... 45
9.1 PHYSICAL ACCESS AUTHORISATION ..... 46
9.2 PHYSICAL ACCESS REVOCATION ..... 46
9.3 ENVIRONMENTAL SECURITY ..... 47
9.4 CLOSED CIRCUIT TELEVISION (CCTV) ..... 48
9.5 HARDWARE MAINTENANCE PRINCIPLES ..... 49
10. SYSTEM DEVELOPMENT AND MAINTENANCE ..... 50
10.1 DEVELOPMENT OF SOFTWARE ..... 50
10.2 MAINTENANCE OF SOFTWARE ..... 51
10.3 SOFTWARE TESTING ..... 52
10.4 ACCESS TO SOFTWARE ..... 53
10.5 DATABASE MANAGEMENT SYSTEMS ..... 53
11. BACKUP AND RECOVERY ..... 54
10.1 SECURITY SYSTEM SOFTWARE ..... 54
11.2 OTHER SOFTWARE, DATA AND INFORMATION ..... 55
12. DISASTER RECOVERY PLAN ..... 56
12.1 DISASTER RECOVERY PLAN AND PROGRAMME ..... 57
13. NETWORK COMMUNICATIONS ..... 59
13.1 PHYSICAL NETWORK COMMUNICATION ..... 59
13.2 MODEM COMMUNICATION ..... 59
13.3 COMMUNICATION FACILITIES ..... 60
13.4 TELEPHONE & VOICE MAIL ..... 60
14. SERVER SECURITY ..... 63
15. VULNERABILITY MANAGEMENT ..... 64
15.1 VULNERABILITY MANAGEMENT ..... 64
16. TRANSFER OF NW LONDON CCG’S INFORMATION ..... 66
16.1 AUTHORISATION OF TRANSFER ..... 66
16.2 DISCLOSURE OUTSIDE OF THE UNITED KINGDOM OR EUROPEAN ECONOMIC AREAS ..... 66
16.3 UPLOADING AND DOWNLOADING ..... 67
17. PERIMETER AND INTERNET SECURITY ..... 68
17.1 INTERNET ACCESS ..... 68
17.2 PERIMETER SECURITY ..... 69
17.3 FIREWALL SECURITY ..... 71
18 ELECTRONIC COMMERCE SECURITY ..... 72
19 WIRELESS COMMUNICATIONS ..... 74
20 WORKSTATIONS AND END USER DEVICES ..... 75
20.1 IDENTIFICATION OF HARDWARE ..... 75
20.2 DEVICE MANAGEMENT INCLUDING BRING YOUR OWN DEVICE (BYOD)/MOBILE DEVICES ..... 76
20.3 PORTABLE EQUIPMENT ..... 76
21 HARDWARE AND SOFTWARE PURCHASING/LICENSING/COPYRIGHT ..... 77
21.1 PURCHASING ..... 78
21.2 LICENSING ..... 78
21.3 COPYRIGHT ..... 79
22. DESTRUCTION OF INFORMATION AND SOFTWARE UPON DISPOSAL OF EQUIPMENT ..... 80
23 MALICIOUS CODE (VIRUS) CONTROLS ..... 81
24 EMAIL STANDARD ..... 81
25 SECURITY AWARENESS ..... 83
25.1 SECURITY AWARENESS ..... 83
26 ENCRYPTION OF SENSITIVE INFORMATION ..... 84
26.1 ENCRYPTING SENSITIVE INFORMATION ..... 84
26.2 ENCRYPTION STRENGTH ..... 85
26.3 KEY MANAGEMENT ..... 85
27 OUTSOURCING/THIRD PARTIES ..... 86
27.1 OUTSOURCING ..... 87
27.2 OFFSHORING AND CLOUD ..... 87
28 FORENSIC READINESS ..... 88
28.1 FORENSIC READINESS ..... 88
28.2 RESPONSIBILITIES ..... 90
29 APPENDIX A – GLOSSARY OF TERMS ..... 91
29 APPENDIX B – EUROPEAN ECONOMIC AREA (EEA) COUNTRIES ..... 99
30 APPENDIX C – REQUEST FOR STAFF PERSONAL RECORDS ..... 100
31 APPENDIX D – EQUALITY IMPACT ASSESSMENT ..... 2
EQUALITY IMPACT ASSESSMENT TOOL (EQUALITY ANALYSIS) ..... 2

1. Information Security Policy Statement

North West London Clinical Commissioning Group’s (NW London CCG’s) Risk Management Policy Statement requires management to adopt a rigorous approach to managing risk throughout the Group. This includes information security risk. Please refer to the NHS Brent CCG policy on the Integrated Risk Management Framework.

Sound Information Security Management is critical to the CCGs to:

• Ensure the reliability (accuracy, completeness and availability) of information used in business decisions, so that the organisation has a clear view of the risks affecting each area of its activity, how those risks are being managed, their likelihood of occurrence and their potential impact on the successful achievement of the CCG’s objectives.

• Prevent any impairment to the strategic and intrinsic value of the CCG’s information assets; and

• Protect the privacy of customer, third party and employee information held by the CCG.

The CCG aims to protect its information assets against all material threats whether internal, external, malicious or accidental. The security of information requires the commitment of all the CCG’s staff and particularly those involved in the management and support of our information systems and infrastructure.

Information security is specifically managed across multiple disciplines, including:

• Design and implementation of Information Security Frameworks and Standards,

• Technology planning and execution; and

• Corporate security, including building security.

Four information security principles are fundamental to the protection of the CCG’s information assets:

1. Confidentiality: Protection of information against unauthorised access, limiting access to that required for the job function, and using information only for the purpose for which access has been authorised or the purpose it has been provided to the CCG.

2. Integrity: Protection against unauthorised modification to provide assurance as to the accuracy, consistency and reliability of information assets.

3. Availability: Design and maintenance of information systems and data provides effective resilience to attack or failure, backed by reliable business operation continuity and recovery capability.

4. Accountability: Responsibility for actions regarding information assets can be appropriately attributed.

This policy extends to all the CCG’s employees and its representatives and contractors who receive or process information about the CCG or its customers and business partners.

It is the responsibility of every employee of the CCG to be diligent in managing information security risk, to maintain the confidentiality of information and to use information only for approved purposes. Staff are made aware of their responsibilities through appropriate training and compliance programmes, including training in the acceptable usage of the CCG’s information technology facilities.

Information security is pro-actively managed throughout the CCGs, including the establishment of governance oversight and an effective management structure, information security planning, design and implementation, monitoring and assurance, reporting and staff awareness.

Appropriate information security practices, disciplines and measures exist to manage the risks to the CCG’s business processes, support service delivery and ensure customer and business partner confidence in the CCG’s protection of its information. Information security risk reviews are undertaken to identify current and emerging security threats and, commensurate with the risk, appropriate investment is made in effective treatments. Reviews of information security controls are performed regularly to assess the appropriateness of their design, including compliance with related CCG, legal and regulatory standards, and to ensure their continued effective operation.

The Governing Bodies support a consistent approach to information security management throughout the CCG.

The CCG maintains comprehensive information security standards that support these principles and are consistent with national standards. These standards are documented and approved by management and accessible to all staff on local intranets or in printed form.

This policy will be amended as circumstances require.

2. Introduction

2.1 Purpose

The purpose of this document is to define the standards to be applied throughout the CCG to maintain the confidentiality, integrity and availability of the information technology supporting its business processes. Compliance with these standards is expected to ensure the CCG exercises an appropriate duty of care for its business information and the information systems supporting business processes.

The standards contained within this document are based on internationally accepted information security principles. These principles are embodied in the international standard ISO 27001 and the OECD Guidelines for the Security of Information Systems.

The standards are intended to complement legislative requirements in the UK and the Information Security standards required of the NHS to meet the CCG’s legal responsibilities for protecting information assets.

2.2 Components

Policies

Policies are statements of principle or intent and describe required security objectives.

Standards

Standards describe the detailed measures and controls which are required to be in place in order to achieve compliance with the policy.

As such, compliance with the standards contained within this document is mandatory for all users, owners and administrators of the CCG’s Information system resources.

Any exemptions must be documented and approved in a similar manner to that described in 2.5 below.

2.3 Scope

The Information Security Standards are designed to safeguard and maintain all the CCG’s information technology assets. This includes all information, data, software, hardware and communications equipment and networks owned or operated by or for the CCG.

The CCG’s Information Technology assets may be owned, leased, hired, developed in-house or purchased, and includes all computing facilities along with interconnecting networks.

The Information Security Standards cover information services which are contracted out or outsourced to other parties but which are operated for the CCG.

The Information Security Standards apply to all personnel working for or with the CCG who have been authorised to access the CCG’s information assets. This includes all management, employees, contractors, consultants, temporary staff, third parties, auditors, financial advisers, brokers and agents engaged by or for the CCG. Refer to Section 3 for responsibilities relating to the CCG’s personnel.

2.4 Monitoring, Reporting and Audit

Compliance with the standards is monitored half yearly by management, with any gaps identified reported to the CCG’s Head of ICT and Cyber Security.

Internal Audit will refer to the Standards, as modified by UK legislation, NHS regulations or approved exemptions, as the basis of audits covering the confidentiality, integrity and availability of the information technology supporting the CCG’s business processes.

2.5 Exemptions

In general, these standards describe a baseline level of security which must be met in all situations. It is recognised that there may be instances where the security objective described in each section can be met without complying with every standard listed thereunder. An alternative but equivalent control may be used to meet the objective.

Where management decides that a particular standard is not required, in all or part of its business, it may be specifically exempted.

Exemptions to these standards must be approved by the Information Asset Owner or Senior Information Risk Officer that is directly accountable for the risk and must also be reported to the Head of ICT and Cyber Security.

The Information Security Manager will maintain and publish a register of exemptions, including results to an Internal Audit. These exemptions will be determined on the basis of the audit and independent assessment.

Exemptions will only be granted where a risk assessment establishes information assets will not be unduly put at risk and/or costs of compliance cannot be warranted.

3. Information Security Management

3.1 Management

Standard

3.1.1 Management will ensure that there are clearly defined responsibilities for all aspects of Information Security Management (refer to 3.2).

3.1.2 Within each department, management will appoint a designated person who will have overall responsibility for ensuring that appropriate security infrastructure and practices are in place as required by these standards. The designated person may perform this function exclusively, or have security responsibilities included as part of their other duties.

3.1.3 A source or sources of specialist information security advice must be established particularly for operations which do not retain dedicated skilled and trained security specialists.

Objective:

To ensure information security responsibilities are clear and appropriately managed

3.2 Responsibilities for Security Management

All Personnel

Note: For the purposes of this document the term personnel refers to all staff of the CCG’s, contractors, temporary staff, third parties, auditors, financial advisers, brokers and agents who have access to the CCG’s data and information.

Any person or company processing the CCG’s data has a responsibility for safeguarding all information assets. The CCG reserves the right to inspect, without notice, any data on their computing facilities. All personnel are to ensure that:

• They are aware of their responsibilities.
• They comply with the requirements of these standards; and
• Violations or suspected violations of these standards are reported to appropriate authorities on a timely basis.

All Managers

All Managers are responsible for ensuring personnel reporting to them are aware of the need to comply with the CCG’s Security Standards. Managers are to ensure that:

• New personnel receive Security Awareness Training.
• All personnel receive on-going training at least once per calendar year at a minimum.
• Personnel are only granted the minimum access rights required to perform their job function.
• Access rights are amended and reviewed in line with changes in job functions.
• Access rights are removed when no longer required.
• Security access to network resources and data is audited regularly.
• Security incidents are reported and investigated.

Group Management (the list of IAOs is managed by Information Governance)

Please refer to Appendix A of this policy for the list of personnel who have the overall responsibility for:

• Formulating and maintaining the CCG’s group-wide Information Security policies and standards (on behalf of the Chief Accountable Officer of the CCG’s).

• Acting upon any security requirements arising from legal, regulatory and industry-setting bodies.

• Monitoring overall compliance of the Divisions with the security standards on a Group-wide basis.

• Reporting significant Information Security issues (e.g., violations, exposures, and trends) to the Senior Information Risk Owner.

Objective:

To ensure information security responsibilities are clearly defined and that all personnel are aware of what their responsibilities are.

Information Asset Owners

Information Asset Owners have responsibility for specified information assets, and for the maintenance of appropriate security measures applicable to that system. While the owners may delegate any tasks, accountability cannot be delegated. Tasks may be delegated to the Chief Information Officer, Infrastructure and Operations Management or Information Security Management for example to act in a custodial role on behalf of the Information Asset Owners. Specific tasks include:

• Determining levels of data classification and sensitivity.
• Ensuring that adequate security controls have been implemented to ensure the appropriate security of all the CCG’s data.
• Authorising the use of systems to specified users. This includes determining the appropriate level of access.
• Periodically reviewing the appropriateness of access rights assigned to users and administrators.
• Identifying sensitive data and ensuring staff are made aware of any specific legislative or regulatory requirements in relation to this.
• Ensuring that access is revoked on a timely basis from users no longer having a legitimate need for system access; and
• Approving persons to have Access Administrator Authority.

Information Asset Administrators

The Privileged Access Administrators (usually IT Administrators) have responsibility for physically adding, changing and deleting access privileges as authorised by Information Asset Owners or Information Asset Owners’ delegate. Their duties also include assisting Information Asset Owners to periodically review assignment of privileged access rights.

Physical Access Administrator

The Physical Access Administrators have responsibility for physical aspects of security concerning access to buildings, computer facilities, data centres etc.


4. Incident Management

Standard

4.1.1 Management must ensure that there is appropriate preparation, responsibility and process to manage security incidents.

4.1.2 IT Security incident management should include documentation and reporting of the incident, containing the incident, restoring system availability, guidance on collection and preservation of evidence and preparation of a post incident report.

4.1.3 Incidents which have (or have the potential to have) a serious or material impact on the CCG’s should be reported to the Collaboration’s Information Security Lead or CCG’s respective Security Lead at the earliest opportunity.

5. Data Classification, Protection and Retention

5.1 Data Confidentiality

Standard

5.1.1. All personnel must maintain the CCG’s data and information confidentiality. On appointment the CCG’s personnel are required to agree to and sign a confidentiality agreement. This may be encapsulated in a letter of offer.

5.1.2. Personnel shall not disclose restricted or confidential data and information in any way without specific authorisations from the Information Asset Owners or designate.

5.1.3. Personnel are responsible for ensuring data under their control is stored appropriately having regard to its confidentiality or sensitivity.

Objective:

To ensure the CCG’s security incidents are well managed with regard to restoration of business services, investigation of causes and prevention of further occurrences.

Objective:

To ensure the CCG’s personnel maintain confidentiality of information


5.1.4 Data stored on public network drives which has not been accessed for 12 months must be deleted or archived by automated means where practical.

5.1.5 Data which requires more permanent sharing is to be stored in a specific directory (e.g. Department or Business Unit level) to limit unnecessary availability of information.

5.1.6 Restricted or confidential information should not be stored on public network drives.
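Standard 5.1.4 asks for stale data on shared drives to be archived or deleted by automated means. The following is an added example of how such an automated sweep can be implemented; it is not part of the policy or any CCG tooling. The share root, archive location, file names and the 365-day cutoff used here are constructed for the demonstration, and the script relies on the file system recording last-access time (on volumes mounted with noatime a modification-time rule would be needed instead).

```python
"""Find and archive files not accessed for 12 months (illustrating ISMS standard 5.1.4).

Added example: paths and sample files below are constructed for the demo.
"""
import os
import shutil
import tempfile
import time
from pathlib import Path

# 12 months, per standard 5.1.4 (assumed as 365 days)
STALE_AFTER_DAYS = 365
SECONDS_PER_DAY = 86400


def find_stale_files(root, now=None, stale_after_days=STALE_AFTER_DAYS):
    """Return the files under root whose last access time is older than the cutoff.

    Only regular files are considered; directories are never moved or deleted.
    """
    now = time.time() if now is None else now
    cutoff = now - stale_after_days * SECONDS_PER_DAY
    stale = []
    for path in Path(root).rglob("*"):
        # stat() does not update atime, so the sweep itself never "refreshes" a file
        if path.is_file() and path.stat().st_atime < cutoff:
            stale.append(path)
    return sorted(stale)


def archive_stale_files(root, archive_dir, now=None, dry_run=True):
    """Move stale files into archive_dir, preserving their relative path.

    With dry_run=True nothing is moved; the list of (source, destination) pairs
    is returned so the owner can review what would be archived first.
    """
    root = Path(root)
    moved = []
    for src in find_stale_files(root, now):
        dst = Path(archive_dir) / src.relative_to(root)
        if not dry_run:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dst))
        moved.append((src, dst))
    return moved


def demo():
    """Constructed sample: a share with one current file and one untouched for 400 days.

    Returns (archived relative paths, current file still present, archived copy present).
    """
    root = Path(tempfile.mkdtemp(prefix="share_"))
    archive = Path(tempfile.mkdtemp(prefix="archive_"))
    now = time.time()

    fresh = root / "team" / "current.docx"
    old = root / "team" / "old_report.xlsx"
    fresh.parent.mkdir(parents=True)
    fresh.write_text("recent")
    old.write_text("stale")
    # Set access/modification times explicitly so the demo is deterministic
    os.utime(fresh, (now, now))
    os.utime(old, (now - 400 * SECONDS_PER_DAY, now - 400 * SECONDS_PER_DAY))

    moved = archive_stale_files(root, archive, now=now, dry_run=False)
    archived = [str(src.relative_to(root)) for src, _ in moved]
    return archived, fresh.exists(), (archive / "team" / "old_report.xlsx").exists()


if __name__ == "__main__":
    print(demo())  # -> (['team/old_report.xlsx'], True, True)
```

Run it first with dry_run=True against the real share and have the Information Asset Owner sign off the list before moving anything; the archive location should carry the same access controls as the source so that archiving does not widen exposure of restricted or confidential data.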

5.2 Data Security Classification

Restricted

• This category refers to information of a highly sensitive nature that is only to be accessed by specific, trusted individuals.

• Unauthorised or public disclosure of this type of information could cause damage to the CCG’s reputation, brand, market value or ability to undertake Group strategies.

• Examples of this category would include information about possible merger and acquisition activity, or information about the CCG’s annual results prior to public disclosure.

Special Handling

Information in this category must be encrypted or protected by effective compensating controls (e.g. strong restricted access rights or file activity monitoring) whenever it is stored. It must be encrypted when being transmitted over an external network.

Confidential

• This category refers to information about the CCG’s business or customers that is only to be accessed by individuals who have been authorised to do so.

• Unauthorised or public disclosure of this information could cause embarrassment or financial loss to the CCG or its customers. It may lead to legal action being taken against the CCG.

• Examples of this category would include information about customers' financial or health situation. It would also include information about the CCG’s business strategies, operating plans etc.

Special Handling

Information in this category must be encrypted when being transmitted over an untrusted network, e.g. the Internet or a non-secure email system.

Internal Use Only

This category refers to information about the CCG’s business or customers that is only to be accessed by individuals who have been authorised to do so.

• Information that could be provided to any of the CCG’s employees without significant breach of confidentiality.

• Data being used by CCG staff as a part of their daily job responsibilities (e.g. phone books, procedure manuals etc.)

Unclassified

• Generally, information that could be released to anyone, including the public without significant breach of confidentiality.

• This category refers to all other data, which is either already released to the public domain or cannot be considered confidential in any way.

Note: No additional labelling requirements are needed for any of the classification levels defined.

5.3 Data Protection Measures

Standard

5.3.1 In addition to the minimum standards defined elsewhere in this document, the following specific controls must be applied according to the data type as indicated in the table below:

Objective:

To ensure the appropriate electronic data protection methods are applied for the data types shown below, and that the CCG exercises its moral, ethical and legal obligations in regards to privacy of information.


SECURITY CONTROLS (table; the tick marks indicating which control applies to which data type were not recoverable, only the N/A entries survive)

Data types (columns):
• Personally identifiable information/Data (PID), includes health information
• Business Sensitive, M&A financial results pre-publication

Controls (rows):
• Encryption (external transmission and storage)
• Encryption (internal storage)
• Encryption (desktop/mobile devices)
• Encryption (internal transmission)
• Data masking for non-production systems: N/A for one data type
• Application activity logging: N/A for one data type


5.3.2 Like all NHS organisations, the CCG holds and processes information about its employees, patients and other individuals for various purposes (for example, the effective provision of healthcare services, or to operate the payroll and to enable correspondence and communications). To comply with the Data Protection Act 2018 (the DPA), information must be collected and used fairly, stored safely and not disclosed to any unauthorised person. The DPA applies to both manual and electronically held data.

5.3.3 The lawful and correct treatment of personal information is vital to the successful operation of, and maintaining confidence within, the CCG and the individuals with whom it deals. Therefore, the CCG will, through appropriate management and strict application of criteria and controls:

• fully observe the conditions regarding the fair collection and use of information;
• meet its legal obligations to specify the purposes for which information is used;
• collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
• ensure the quality of information used;
• apply strict checks to determine the length of time information is held;
• ensure that the rights of people, about whom information is held, can be fully exercised under the Act; these include:
  • the right to be informed that processing is being undertaken;
  • the right of access to one's personal information. Individuals can make a subject access request verbally or in writing;
  • the right to erasure, also known as the right to be forgotten: the right is not absolute and only applies in certain circumstances;
  • the right to rectification: this is a right to have inaccurate personal data rectified, or completed if it is incomplete;
  • the right to restrict processing in certain circumstances;
  • the right to data portability;
  • the right to object; and
  • rights related to automated decision making and profiling;
• take appropriate technical and organisational security measures to safeguard personal information; and
• ensure that personal information is not transferred abroad without suitable safeguards.


5.4 Notification to the Information Commissioner's Office

Standard

5.4.1 The CCG has an obligation as a Data Controller to notify the Information Commissioner’s Office (ICO) of the purposes for which it processes personal data. Notification monitoring, within the CCG, is carried out by the Data Protection Officer. Individual data subjects can obtain full details of the CCG's data protection registration/notification with the ICO from the Information Governance team or from the ICO’s website.

5.4.2 All queries about this CCG policy should be directed to the Data Protection Officer.

5.4.3 Requests for a full subject access request should be made to the Data Protection Officer. CCG staff requiring personnel record information should complete the form shown in Appendix B and send it through to the Data Protection Officer. Subject access requests can be made either verbally or in writing.

5.5 Data Protection Principles

Standard

The CCGs, as Data Controllers, must comply with the Six key Data Protection Principles and Accountability set out in the Act. In summary, these state that personal data shall:

5.5.1 Be processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’)

5.5.2 Be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘Purpose limitation’)

5.5.3 Be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)

Objective:

Obligation as data controller and data protection responsibilities.

Objective:

The NW London CCG’s, as a data controller, must comply with the Six data protection principles & Accountability set out in the act.


5.5.4 Be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

5.5.5 Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’)

5.5.6 Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

5.5.7 The Controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)

5.6 Data Processing

5.6.1 ‘Processing’, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

• Organisation, adaptation or alteration of the information or data;

• Disclosure of the information or data by transmission, dissemination or otherwise making available; or

• Alignment, combination, blocking, erasure or destruction of the information or data.

5.7 Privacy Notices

5.7.1 Sometimes called a Fair Processing Notice, any collection of personal data must satisfy the requirements of the fair processing condition set out in the first Data Protection Principle. This includes paper or electronic application forms, telephone calls, and surveys. You must ensure an appropriate Privacy Notice is included wherever personal data is collected. This particularly applies to patient consent forms: it may be that current forms need to be amended to include a statement about data protection.


5.7.2 The purpose of a Privacy Notice is to explain to the individual:

• the identity of the organisation collecting his or her data;
• how the personal information collected about him or her will be used;
• any other information which the individual should be told in order to ensure the processing of his or her information is fair, for example:
  • a description of any other organisations the information may be shared with or disclosed to;
  • whether the information will be transferred outside the UK;
  • the fact that the individual can object to the use of his or her information for marketing; and
  • the fact that an individual can obtain a copy of his or her information.

5.7.3 Ensure that the Privacy Notice is in a prominent position whenever used. Transparency is key.

5.7.4 An example form of words for a Privacy Notice might be:

“Your personal data will be used only in accordance with the Central London, West London, Hammersmith & Fulham, Hounslow and Ealing Clinical Commissioning Groups (the CCG) notification under the GDPR and Data Protection Act 2018 and in compliance with the Freedom of Information Act 2000. The CCG will not disclose any personal information to any other third parties, except where there is a legal justification or required by law, without your express consent.

Further details in relation to the use of personal data will be published on the CCG’s websites:

http://www.centrallondonccg.nhs.uk/

http://www.westlondonccg.nhs.uk/

http://www.hammersmithfulhamccg.nhs.uk/

http://www.hounslowccg.nhs.uk/

http://www.ealingccg.nhs.uk/

Any queries concerning Data Protection should be addressed to the Data Protection Officer and queries concerning Freedom of Information should be addressed to the Freedom of Information Manager.”

5.8 Responsibilities of Data Users


5.8.1 All employees of the CCG who record and/or process personal data in any form (called "Data Users" in this policy) must ensure that they comply with:

• the requirements of the Data Protection Act 2018 (including the Data Protection Principles); and

• the CCG's Data Protection Policy, including any procedures and guidelines which may be issued from time to time.

A breach of the DPA and/or the CCG's Data Protection Policy may result in disciplinary action.

5.8.2 Consideration should be given towards contacting the Data Protection Officer for data protection advice concerning the following:

• when developing a new computer system for processing personal data - it may also be necessary to comply with the CCG's Information Asset Policy;

• when using an existing computer system for processing personal data for a new purpose as it may be necessary to notify an amendment to an existing registration in the CCG's Database Management Policy;

• when creating a new manual filing system containing personal data; and

• when using an existing manual filing system containing personal data for a new purpose.

5.9 Accuracy of Data

5.9.1 In accordance with their job descriptions, staff members who have responsibility for handling any patient, staff or other individual's information, must ensure that it is accurate and as up to date as possible.

5.9.2 All staff members are responsible for checking that any personal information they provide to the CCG, in connection with their employment, is accurate and up to date e.g. change of address or name. The CCG cannot be held responsible for any errors unless the member of staff has informed the CCG about them.


5.10 Special Categories of Data

5.10.1 The CCG (or alternative IT Provider on our behalf) may from time to time process ‘sensitive personal data’ relating to staff, patients and other individuals. This sensitive personal data may include information which has incidentally come into the possession of the CCG; this type of information will not be routinely sought by the CCG.

5.10.2 In exceptional circumstances, the CCG may need to process information regarding criminal convictions or alleged offences in connection, for example, with any disciplinary proceedings or other legal obligations.

5.10.3 In circumstances where sensitive personal data is to be held or processed, the CCG will seek the explicit consent, of the individual in question, unless one of the limited exemptions provided in the DPA applies (such as to perform a legal duty regarding employees or to protect the data subject's or a third party's vital interests).

5.11 Data Security and Disclosure

5.11.1 All staff within the CCG are responsible for ensuring that:

• any personal data which they hold is kept securely; and

• personal data is not disclosed (either orally or in writing or otherwise) to any unauthorised third party, and that every reasonable effort will be made to see that data is not disclosed accidentally.

5.11.2 Unauthorised disclosure is a disciplinary matter and may be considered gross misconduct. If in any doubt consult your line manager, the Data Protection Officer or Human Resources. Personal data must be kept securely and examples of how this may be done will include:

• keeping the data locked in a filing cabinet, drawer or room; or, if the data is computerised, ensuring that the data is password-protected; or

• any other appropriate security measures which are detailed in the CCG’s Information Governance policies.


5.12 Data Subjects’ Consent

5.12.1 Although the CCG will not normally collect and process personal information, where it does, it is the CCG’s policy to seek and obtain explicit consent whenever practicable from individual data subjects for the main ways in which the CCG may hold and process personal data concerning them. This is to allow individuals an opportunity to raise any objections to any intended processing of their personal data. The CCG will consider any such objections but reserves the right to process personal data in order to carry out its functions as permitted by law. Legally however, certain types of personal data may be processed for particular purposes without the consent of individual data subjects. Where this takes place, the CCG will ensure that individuals processing that data are required to justify their reasons for doing so in line with the DPA and the guidelines issued by the ICO.

5.13 Right of Access to Personal Data

5.13.1 Staff, patients and other individuals have the right under the DPA to access any personal data that is being held about them either in an ‘automatically processable form’ (mainly computer records) or in a ‘relevant filing system’ (i.e. any set of information structured in such a way that specific information relating to a particular individual is readily accessible). They also have the right to request the correction of such data where they are incorrect.


5.14 Patients Right of Access to Medical Records

5.14.1 The CCG will only exceptionally hold identifiable data about patients but must have a process for managing subject access requests in respect of it. An individual who wishes to exercise his/her right of subject access can be asked to formally request this information in writing to the Data Protection Officer. However, please note that this is optional as a subject access request can also be a verbal request that must be honoured.

5.14.2 Any inaccuracies in data disclosed in this way should be communicated immediately to the responsible Manager who shall take appropriate steps to make the necessary amendments. Requests made under the DPA will be subject to the following set fees:

5.14.3 The CCG will seek to respond to the request for access to personal data within the 30 calendar days (including bank holidays and weekends) of the request. The calendar starts on the date the request was received or the date of receipt of Identification documents.

5.15 Right of Access to Personal Data by Elected Representatives

5.15.1 Under the Data Protection Act 2018, Schedule 1, Part 2, Paragraphs 23 and 24, and the Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002, Members of Parliament/Members of the Scottish Parliament can make a request for (sensitive) personal information about someone in an official capacity (e.g. an MP asking about a constituent), and can expect the information to be provided without the CCG receiving explicit consent from the data subject in question.

5.15.2 It has become practice in the NHS that when an MP makes an approach to an organisation on a constituent’s behalf it can be assumed that the constituent’s consent has been given (implied consent). The CCG fully accepts that effective communication with MPs, amongst others, is necessary and in our patients'/service users' interests, subject to checks or knowledge of the bona fides of the representative. There is no policy intention to prevent efficient and effective working relationships between MPs, their constituents and the CCG. Failure to adequately assist MPs may result in them writing to the Secretary of State complaining that the CCG is being obstructive and impugning the integrity of MPs.


5.15.3 In general, when an MP writes to the CCG on behalf of a constituent, it is safe to assume that the constituent has given consent for the approach to be made i.e. we have the implied (if not explicit) consent of the constituent. In such circumstances, information about the individual can be passed to the MP in order to respond to a specific enquiry. However, the guidance from the ICO makes it clear that Data Controllers should ensure that consent from the data subject is obtained satisfactorily, and this is especially the case in relation to sensitive personal information. It would be quite appropriate for the Data Controller to approach the Data Subject in relation to this, prior to disclosure to the MP.

5.15.4 Where someone other than the constituent approaches the MP, for example relatives or friends intervening, perhaps inadvertently against the wishes of the individual concerned, it is acceptable to clarify the situation with the MP and to obtain consent before answering the enquiry. However, such cases should be rare and guidance must be sought from the Caldicott Guardian and/or the Information Governance Manager before any response is made to the MP.

5.15.5 In the case of constituency workers or Parliamentary Secretaries, an element of common sense must be applied. MPs are unable to personally handle every aspect of a constituent's case. For example it is highly unlikely that the MP personally typed the letter and it is equally unlikely (although possible) that the constituent would believe this to be the case.

5.15.6 There is little problem in advising a constituency worker of the progress of a particular request. This does not mean however that the constituency worker should be given detailed confidential information about the constituent unless it is clear that it is both appropriate to do so and preferably with the direct knowledge and consent of the constituent. In response to an MP, the Secretary of State stated that implied consent "would not normally be automatically” extended to constituency workers.

5.15.7 Requests from public bodies and law enforcement agencies

The Data Protection Act outlines the circumstances in which some public bodies have statutory powers that enable them to request access to personal information. NWL Collaboration of 8 CCGs as a data controller will be extremely careful when releasing personal data to such parties and will, following receipt of a request, check that the organisation requesting the disclosure is acting within its powers by asking the applicant to quote the authority on which its power is based.

NWL Collaboration of 8 CCGs will only accept the request if it is made in writing and it is able to verify the source of the request and any necessary test of prejudice carried out prior to releasing any personal data through its legal channels if necessary.


Law enforcement agencies can request patient information on behalf of and where written consent has been obtained from the individual. If members of staff come across any such requests, they must inform the Head of Information Governance immediately.

The CCG regards all identifiable personal information as confidential. Confidential information will not be disclosed without appropriate consent or other legal basis as required by Article 6(1) for confidential information and Article 9(2) for “Special Categories of data”, unless national policy requires otherwise, or where this is requested by legal authorities. Where law enforcement requests confidential information, the request must be from a police rank of Inspector and above. The CCG reserves the right not to release confidential information without appropriate authorisation such as a power of attorney or court order.

5.16 Retention of Data

5.16.1 The CCG will hold different types of information for differing lengths of time, depending on legal and operational requirements, following which it will either be archived or destroyed. This will be done in accordance with the retention periods detailed in the CCG's Records Management Policy which is compliant with the Department of Health's Records Management: NHS Code of Practice, parts one & two (January 2009), and the Code of Practice for the Management of Records, Section 46, Freedom of Information Act (2000) (revised 2009).

5.16.2 Any CCG local retention policies will use the timescales detailed in the NHS Code of Practice as a minimum. All data retention will comply with the fifth principle of the DPA.

5.17 Privacy

Standard

Objective:

To ensure the CCG exercises its moral, ethical and legal obligations in regards to privacy of information:


5.17.1 Personnel are required to comply with the principles contained in the Data Protection Act (2018), General Data Protection Regulation (GDPR) and Official Secrets Act (1911 and 1989) that regulate the use of information gathered by, and on behalf of, NW London CCGs.

5.17.2 All access to information must only be granted after suitable authorisation and only when in compliance with applicable privacy legislation, policy and business practices

5.17.3 For data access and transmissions within the CCG, compliance with HM Government legislation for both the transmitting and receiving countries is to be maintained.

5.17.4 The monitoring and reporting of an individual employee’s communications sent and/or received via company-owned systems requires the approval of HR in consultation with senior management. Employees may or may not be notified of the monitoring/reporting activity. Request for monitoring is to be made to the Information Security Manager.

5.18 Acceptable User Policy

Standard

Objective:

To ensure users are aware of their responsibilities in the use of the CCG’s information systems and information. In addition, refer to the stand-alone Acceptable Use Policy.


5.18.1 ensure users are aware of their responsibilities in the use of the CCG’s information systems and information;

5.18.2 ensure the CCG’s legal and statutory requirements are met; and

5.18.3 minimise risk of inadvertent, accidental or deliberate unauthorised access or disclosure of information.

5.18.4 All data and information, residing on the CCGs’ information systems, remains the property of the CCG at all times, unless otherwise stated.

5.18.5 Users accept that personal use of the CCG’s information systems is not a right and must be exercised with discretion and moderation. Users further accept that the CCG will not accept any liability, in part or in whole, for claims arising out of personal use of the CCG’s information systems or information.

The CCG retains the right to:

• monitor the use of its information systems for the purpose of protecting its legitimate concerns; and

• prohibit personal use of information systems, without warning or consultation, where evidence points to a risk to the CCG and/or constituent businesses, or individually where evidence points to a breach of this or any other CCG policy.

• Users are not permitted to access, attempt to access, circumvent, attempt or cause to circumvent, established security mechanisms or controls to view, modify, delete or transmit information and/or information systems to which they have not been given explicit access or authorisation.

• All data and information residing on the CCGs’ information systems remains the property of the CCG at all times, unless otherwise stated.

5.18.6 Users accept that personal use of the CCG’s information systems is not a right and must be exercised with discretion and moderation. Users further accept that the CCG will not accept any liability, in part or in whole, for claims arising out of personal use of the CCG’s information systems or information.

5.18.7 Users are not permitted to share their own, or others’, usernames or passwords to gain access to the CCG’s information systems and/or information to which they have not been given explicit authorised access.

5.18.8 Users must follow established procedures for password changes and are not permitted to disclose or write down their passwords.

5.18.9 Users are strictly prohibited from installing software on their CCG supplied device.


5.18.10 It is mandatory for all users to lock their terminals, workstations and laptops (by pressing Ctrl+Alt+Del), iPads and/or smartphones when not using the device, even for a short period.

5.18.11 Authorised staff and IT users will be permitted to use their personal devices to connect to the CCG’s network. In doing so, they must abide by all policies, standards, processes and procedures.

5.18.11 Illegal download, copying and/or storage of copyrighted content onto the CCG’s information systems are strictly prohibited.

5.18.12 All users must follow the CCG’s Health and Safety guidelines when using information systems.

5.18.13 Users will adhere to management guidelines and information encryption policy when sharing, or sending the CCG’s information internally or externally.

5.18.14 Users are strictly prohibited from using the CCG’s information systems and information in a manner that will:

• Break the law and/or have legal implications or liability to the CCGs;

• Cause damage or disruption to the CCG’s information systems;

• Violate any provision set out in this or any other policy, or contravene the CCG’s Code of Conduct; and

• Waste time, decrease productivity or prevent the user from performing their primary responsibilities for the CCGs.

5.18.15 Usage of the CCG’s internet is primarily for business use. Occasional and reasonable personal use is permitted, e.g. during lunch breaks, provided that such use does not interfere with performance of duties, and does not conflict with the CCG’s policies, procedures and contracts of employment.

5.18.16 Users must, at all times, comply with copyright, design and patent laws when downloading material from internet sites.

5.18.17 The CCG prohibits access to websites deemed inappropriate, and monitors access and usage. The monitoring information may be used to support disciplinary action. Sites deemed inappropriate are those with material that is defamatory, pornographic, sexist, racist, on-line gambling, terrorism and/or such sites whose publication is illegal or risks causing offence. Users must not circumvent, cause to circumvent or use tools to circumvent prohibited website controls. If a user inadvertently accesses an inappropriate website, the user must immediately inform their line manager or the IT Service Desk.


5.18.18 Financial transactions are not permitted on websites requiring software to be downloaded prior to the transaction being executed. The CCG accepts no responsibility for any charges and/or losses incurred in relation to personal purchases or personal transactions using the CCG’s information systems regardless of cause. Users are prohibited from having personal items delivered to the CCG’s premises.

5.18.19 The use of the CCG’s information systems to conduct on-line selling is strictly prohibited.

5.18.20 The CCG’s approved standard and supported software for web conferencing and collaborative working is WebEx. The use of telephony conferencing software on the CCG’s network, such as Skype and/or web-conferencing such as ‘Go To Meetings’ is strictly prohibited.

6. Confidentiality Code of Conduct

Standard

6.1 Purpose

All employees working in or for the NHS are bound by a legal duty of confidence to protect personal information they may come into contact with during the course of their work. As well as being a requirement of their contractual responsibilities, it is also a requirement of the GDPR and Data Protection Act 2018 and, in addition, for health and other professionals through their own profession’s Code(s) of Conduct.

6.2.1 This means that employees are obliged to keep any personal information strictly confidential. A breach of Confidentiality is regarded as a serious offence (gross misconduct) and could lead to summary dismissal even for a first offence.

This Code has been written to meet the requirements of:

• General Data Protection Regulation 2016

• Data Protection Act 2018

• The Human Rights Act 1998

• The Computer Misuse Act 1990

• The Copyright Designs and Patents Act

• The Caldicott Guardian Manual 2006

• Confidentiality NHS Code of Practice

• Caldicott 3 Recommendations

Objective:

To clearly establish the CCG’s need to have a lawful basis for processing patient confidential information unless the service user has given their explicit consent.

The organisation has also issued policies and procedures to be read in conjunction with this Code:

• Confidentiality Policy

• Information Security Policy

• Records Management Policy

This code has been produced to protect staff by making them aware of the correct procedures so that they do not inadvertently breach any of these requirements.

6.3 Accountability and Responsibility

6.3.1 Confidentiality and Information

All employees are responsible for maintaining the confidentiality of information gained during their employment by the organisation. In-hours and after-hours audits will be carried out to ensure staff have understood their responsibilities for keeping confidential information secure, i.e. no confidential information is left out on desks/tables but is safely locked away.

6.3.2 Definition of Confidential Information

Confidential or personal information can be anything that relates to service users, staff (including non-contract staff, volunteers, agency staff, locums and student placements), or their family or friends, however stored.

Personal information is anything that directly or indirectly identifies an individual, e.g. name, address, postcode, date of birth, NHS number, National Insurance number etc., even a photograph is sufficient to identify an individual. It includes information stored on portable devices such as laptops, palmtops, mobile phones and digital cameras.

Certain categories of information are legally defined as particularly sensitive (special category data) and are protected by additional requirements stated in legislation, i.e.:

• Race or ethnic origin

• Political opinions

• Religious or other beliefs of a similar nature

• Trade union membership

• Physical or mental health

• Sex life

• Commission of offences

• Criminal proceedings or convictions


During your duty of work you should consider all information to be confidential, even a service user’s or member of staff’s name and address.

6.3.2 Request for Confidential Information

• never give out confidential information on service users or staff to persons who do not “need to know”.

• all requests for confidential information must be with a justified need and some may also need to be agreed by the Caldicott Guardian (for medical information).

6.3.3 Telephone Enquiries

If a request for confidential information is made by telephone, always satisfy yourself as to the identity of the caller.

6.3.4 Blagging

Some people attempt to gain information from organisations illegally by deception. This practice is known as “blagging” and is part of an illegal trade in personal information. An individual with a legitimate request will be open about their activity and will not need to resort to blagging.

You should not disclose any information unless you are sure they are the person they say they are and need access to the information as part of their job role. If in any doubt, do not disclose the information but speak to your manager or contact the Caldicott Guardian.

6.3.5 Request for Confidential information by the Police and media

Police - requests for information from the Police must always be referred to the SIRO.

Media - only Communications are authorised to give information to the media. If you receive any request from the media, refer the person to Communications.

Disclosure of Confidential Information to Other Employees of the organisation

In line with the Caldicott Principles (see Annex B) personal information should only be released on a need-to-know basis.

• always check the member of staff is who they say they are

• check whether they are entitled to the confidential information


7. Ownership of Intellectual Property

7.1 Ownership of Intellectual Property

Standard

7.1.1 All data, information, design, and software code produced by or on behalf of the CCG regardless of format, are owned by the CCG unless otherwise specified by a valid third party agreement.

7.1.2 Software developed by or on behalf of the CCG will remain the property of the CCG and shall in no way be sold, copied, or in any other way used without the express permission of the CCG or authorised designate.

7.1.3 Contracts with third parties, including contract personnel, must define the ownership of software.

7.1.4 Design and development of information technology will be done using only properly acquired and authorised software and equipment (i.e. purchased, leased, licensed, public domain or software developed by the CCG).

7.1.5 Software either developed and/or purchased on behalf of the CCG is to have protections and provisions in place to ensure the CCG’s ability to further manage and support vendor provided software in the event that the vendor is no longer able to and/or willing to continue and maintain support themselves. Such protections could include escrow for product code and/or software releases as well as all supporting documentation.

Objective:

To clearly establish the CCG’s ownership of its intellectual property and how that ownership is to be exercised.


8. Logical Access Control

8.1 Authorisation and Access Rights

Standard

Procedures for the authorisation of access to information must meet the following requirements:

8.1.1 All logical system access must be authorised by the Information Asset Owners or Delegate.

8.1.2 To obtain or alter access to the CCG’s resources, prior authorisation must be obtained from the appropriate CCG’s person who is authorised to grant access to the relevant system.

8.1.3 All authorisations shall be provided on a User Access Request form or equivalent that is maintained by the Access Administrator.

8.1.4 All authorisations shall be verified. Verification means checking of signatures or, in the case of electronic forms, relying on authentication processes present in the system where the request is generated, or a Change Management Suite which records the authorisation and approval process.

8.1.5 Access to information assets shall be restricted to the minimum necessary to perform the users’ functions.

8.1.6 Privileged access permissions or authorities may only be used for legitimate business purposes for which they were granted.

8.1.7 Specific access rights are to be based on user profiles aligned to the role of the user, which have been pre-defined and authorised by the Information Asset Owners or delegate.

Objective:

To ensure appropriate procedures are established and maintained for authorising access to information.


8.1.8 The person authorising the system access is responsible for ensuring, where applicable, that the access being authorised is consistent with the user’s current delegated authority.

8.1.9 Access to any one system is to be provided based on the “replacement principle”, i.e., all prior access is removed and replaced with the most recent authority.

8.2 User Identification Principles

Standard

8.2.1 Users are responsible for all actions, processes or activity performed with their personal user ID.

8.2.2 Each user must have a uniquely identifiable user ID.

8.2.3 Software security routines shall authenticate system users’ identities via a logon user ID and password.

8.2.4 Strong two-factor authentication is required for remote access to the CCG’s systems and data via dial up or Internet.

8.2.5 No generic system access accounts are to be used.

8.2.6 Service accounts must be controlled to the extent practical. This includes complex passwords and minimum access privileges.

8.2.7 Users must be defined only once to each system environment (other than as provided for in 8.2.11).

8.2.8 User access profiles must be treated as confidential and be protected accordingly.

8.2.9 Vendor-provided user IDs, e.g. guest user IDs, must be disabled and/or removed upon system installation where possible. Where not possible, accountability for the ID must be allocated to a uniquely identifiable user.

8.2.10 User IDs assigned to contractors include an automatic expiration date where possible. This expiration date must be set at initial set-up. Contractor accounts must be re-evaluated every 90 days with the contract owner.

8.2.11 Domain Administrators will use a unique User ID for activities involving elevated rights. Daily tasks, such as, email, web browsing, etc. must be done using their personal User ID.

Objective:

To ensure all users of the CCG’s systems can be held accountable for their actions.


8.3 Password Standards

Standard

8.3.1 Passwords shall be a minimum length of eight characters.

8.3.2 A password must contain characters from three of the following four categories: uppercase, lowercase, numeric and special characters such as ! $ # % £ etc. This is enforced by security software where possible.

8.3.3 Users must change their passwords on a regular basis to reduce risks that the password may have become known to another party. This shall be enforced by System Security wherever possible. Where this is not possible, users shall be appropriately educated to change their passwords. Frequency of password change may vary according to business requirements and the risk profile. Generally, it is expected that the frequency would be in a range of 30 to 60 days.

8.3.4 A password must be changed if there is any indication that access security has been compromised (e.g. a password becomes known to anyone other than the user). Software security routines are to provide this capability where possible. Where this is not possible, standard procedures are to be advised to all users in how to comply with these standards.

8.3.5 Software security routines shall maintain a password history of at least 13 changes to prevent the re-use of the same password. Where this is not possible, users shall be educated not to re-use their old passwords.

8.3.6 Passwords will only be allocated to the owner of the user ID. Communication of the password must be kept confidential.

8.3.7 Passwords shall not be visible on the screen at any time. User entry of password is hidden to ensure passwords are not disclosed where possible.

8.3.8 Passwords will be encrypted during transmission across networks.

8.3.9 Password files shall be encrypted and protected from unauthorized access, deletion or deciphering.

8.3.10 Resetting of passwords and assignment of new passwords are to be performed only by the Access Administrator, Service Desk or designated authorised persons, and only after the requestor has proven their identity.

8.3.11 Where an invalid password is entered five times in a row, the security system shall terminate the current session and revoke user access rights until it is reset by the Access Administrator. Exceptions whereby a system automatically resets the account can be granted provided that more than 15 minutes elapse between lockout and reset, and a weekly review of log files is performed to ensure no unauthorised activity is occurring.

Objective:

To ensure appropriate implementation and usage of password authentication.


8.3.12 Where possible all access violation attempts must be logged, reported and reviewed by Access Administrators or Information Security personnel. Reviewers sign off to evidence their review and note any action required or taken.

8.3.13 When new passwords are given to users by the Access Administrator, passwords allocated must be different, e.g., a standard default password is not granted to every new user. Initial password must be changed at first logon, enforced by the system wherever possible. Similarly, at the point of password reset, the reset password will also be forced to change when logging back in.

8.3.14 Weak passwords are not to be used. Examples of weak passwords include logon ID, blank spaces, name of user, partner’s name, sports team etc or any word found in a dictionary.

8.3.15 Users are responsible for ensuring that passwords are kept confidential (for example, no-one should be able to see them key in their password, and passwords must not be obvious, displayed, shared or written down).

8.3.16 Users must not select software options that offer to “remember” passwords. Such options should not be offered by the CCG’s developed applications.

8.3.17 Care needs to be taken with privileged or administrator passwords to ensure strong passwords are used and that they are changed regularly, not less frequently than every 42 days, or whenever someone who knows the password leaves that position. The system passwords must be securely maintained, limiting access to only those with a need to know.

8.3.18 Due to the critical nature of key or privileged passwords it is accepted that these will need to be written down in some cases. These passwords are to be kept in a secured database with restricted and logged access or a locked safe to allow recovery by authorized personnel.

8.3.19 Do not use default passwords for any administrative accounts.
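The length, character-class, history, lockout and weak-password rules from 8.3.1, 8.3.2, 8.3.5, 8.3.11 and 8.3.14, expressed as an added Python example (not the CCG’s own software). The word list, the PBKDF2 storage format for the password history and the stripping of trailing digits/punctuation before the dictionary check are assumptions made for illustration.

```python
"""Password-standard and lockout checks modelled on section 8.3 of the ISMS.

Added example, not the CCG's own software. The word list, the PBKDF2 storage
format and the stripping of digits/punctuation before the dictionary check
are assumptions made for illustration.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8                 # 8.3.1
MIN_CLASSES = 3                # 8.3.2: three of the four character classes
HISTORY_DEPTH = 13             # 8.3.5
MAX_FAILURES = 5               # 8.3.11
AUTO_RESET_SECONDS = 15 * 60   # 8.3.11 exception: automatic reset only after more than 15 minutes
SPECIALS = set(string.punctuation) | {"£"}
# Constructed stand-in for the dictionary in 8.3.14; a deployment would load a full word list.
DICTIONARY = {"password", "welcome", "football", "september"}


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; the history stores only (salt, digest), never clear text (8.3.9)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def matches(password, entry):
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def character_classes(password):
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ])


def check_password(password, user_id, display_name, history):
    """Return the 8.3 clauses a candidate password violates; an empty list means acceptable.

    history is the list of (salt, digest) entries for the user's previous passwords.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("8.3.1 shorter than 8 characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append("8.3.2 fewer than 3 of the 4 character classes")
    lowered = password.lower()
    name_tokens = [user_id.lower()] + [t.lower() for t in display_name.split()]
    if not password.strip():
        problems.append("8.3.14 blank or whitespace only")
    elif any(len(t) >= 3 and t in lowered for t in name_tokens):
        problems.append("8.3.14 contains the logon ID or the user's name")
    # "Password1!" is still a dictionary word once trailing digits/punctuation are removed.
    if lowered.strip(string.digits + string.punctuation) in DICTIONARY:
        problems.append("8.3.14 dictionary word")
    if any(matches(password, entry) for entry in history[-HISTORY_DEPTH:]):
        problems.append("8.3.5 reused within the last 13 passwords")
    return problems


class LockoutState:
    """Per-account failure counter implementing 8.3.11 and its automatic-reset exception."""

    def __init__(self):
        self.failures = 0
        self.locked_at = None   # seconds-since-epoch of the lockout, or None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if now - self.locked_at > AUTO_RESET_SECONDS:
            # Automatic reset is only acceptable after more than 15 minutes have elapsed.
            self.locked_at, self.failures = None, 0
            return False
        return True

    def record_attempt(self, credential_ok, now):
        """Return True if the logon may proceed; a locked account is refused even with the right password."""
        if self.is_locked(now):
            return False
        if credential_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_at = now   # session terminated and access revoked until reset
        return False
```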

8.4 Logon Principles

Standard

Objective:

To protect against unauthorised or malicious access to unattended terminals and workstations.


8.4.1 User terminals/workstations that are logged in and have been inactive for 15 minutes will be automatically locked.

8.4.2 Where possible, when a user is logged on to the CCG’s Information Systems and no recorded activity (such as keystrokes, CPU time and/or I/O) has occurred for 15 minutes, the system shall lock the User ID until the user re-enters a valid password.

8.4.3 Users must use available password-protected screen savers set to a maximum activation time of 15 minutes, and must lock their workstation or log off before they leave their terminal unattended. Where possible systems should automatically enforce these principles.

8.4.4 All users must log off/turn off their terminals if access is no longer required.

8.4.5 Software security routines will prevent concurrent logons where practical.

8.4.6 Where possible, session timeouts will be set to require applications to lock access until the user re-enters a valid password when no recorded activity has occurred for 15 minutes.

8.4.7 For mobile devices where it is not practical or technically feasible to apply the above standards, alternate standards must be approved by the Information Security Manager. The alternate standards will take into account the limited access granted to these devices (e.g. mail, calendar, contacts only) and other controls available such as remote wipe capability.

At a minimum the following are required:

• Authentication by either password or PIN

• Access to be revoked after a number of failed attempts

• Forced change of password or PIN at regular intervals.

8.5 Logon Principles

Standard

Objective:

To protect against unauthorised or malicious access to unattended terminals and workstations.


8.5.1 User terminals/workstations that are logged in and have been inactive for 15 minutes will be automatically locked.

8.5.2 Where possible, when a user is logged on to the CCG’s Information Systems and no recorded activity (such as keystrokes, CPU time and/or I/O) has occurred for 15 minutes, the system shall lock the User ID until the user re-enters a valid password.

8.5.3 Users must use available password-protected screen savers set to a maximum activation time of 15 minutes, and must lock their workstation or log off before they leave their terminal unattended. Where possible systems should automatically enforce these principles.

8.5.4 All users must log off/turn off their terminals if access is no longer required.

8.5.5 Software security routines will prevent concurrent logons where practical.

8.5.6 Where possible, session timeouts will be set to require applications to lock access until the user re-enters a valid password when no recorded activity has occurred for 15 minutes.

8.6 Recording and Review of Logical Access

Standard

8.6.1 A recording system shall operate to log all system events considered of security importance. A log shall be maintained for the following:

• All successful and unsuccessful logon attempts

• All access violations to program and data files

• All access and use of special system privileges and utilities

• All changes to critical application system files

• Access to data which is deemed to be at a high level of confidentiality and/or criticality

• All modifications to security parameters and profiles

• All access where special means of identification (e.g. a key or card system or electronic signature) is required to uniquely authenticate the identity of selected users when such users are processing sensitive transactions; and

• Audit system events such as system start-ups and shutdowns (success, failure), remote-access control activity, system errors and corrective actions taken.

Objective:

To ensure procedures are in place to detect the occurrence of unusual or suspicious activity requiring investigation and possible further action.


8.6.2 Such logs must be reviewed weekly at minimum by the Information Asset Owners or designated authorised persons to identify any misuse of access privileges or attempts to do so. Appropriate investigations and corrective actions in accordance with the Group Information Security Policy and Standards shall be taken.

8.6.3 Such logs and action taken must be retained based on local requirements or 90 days at minimum.

8.6.4 Logs will be protected from being altered or deleted.

8.6.5 Logs will only be viewable by authorised personnel.

8.6.6 The clocks of all relevant systems shall be synchronised with an agreed time source.
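A weekly review over the event types listed in 8.6.1, applying the 90-day minimum from 8.6.3 and a hash chain as one way of evidencing that a log has not been altered (8.6.4). This is an added Python example, not the CCG’s tooling; the line format, event names and sample entries are constructed for illustration.

```python
"""Weekly review of the security event log, modelled on section 8.6 of the ISMS.

Added example, not the CCG's tooling. The line format, event names and sample
entries below are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta
import hashlib
import hmac

FAILED_LOGON_THRESHOLD = 5          # matches the lockout threshold in 8.3.11
RETENTION_MIN_DAYS = 90             # minimum retention in 8.6.3
REVIEW_WINDOW = timedelta(days=7)   # weekly review in 8.6.2

# Constructed sample log, one event per line: <ISO-8601 timestamp> <EVENT> key=value ...
SAMPLE_LOG = """\
2020-06-01T09:00:00+00:00 LOGON_SUCCESS user=asmith host=ws-101
2020-09-14T08:01:12+00:00 LOGON_SUCCESS user=asmith host=ws-101
2020-09-14T08:03:40+00:00 LOGON_FAIL user=bjones host=ws-102
2020-09-14T08:03:52+00:00 LOGON_FAIL user=bjones host=ws-102
2020-09-14T08:04:05+00:00 LOGON_FAIL user=bjones host=ws-102
2020-09-14T08:04:19+00:00 LOGON_FAIL user=bjones host=ws-102
2020-09-14T08:04:33+00:00 LOGON_FAIL user=bjones host=ws-102
2020-09-15T10:15:00+00:00 PRIV_USE user=adm-ckhan utility=disk-editor host=srv-db1
2020-09-16T11:20:00+00:00 SEC_PARAM_CHANGE user=adm-ckhan param=lockout_threshold old=5 new=50
2020-09-16T11:25:00+00:00 ACCESS_VIOLATION user=dlee file=/data/patient/export.csv
2020-09-16T23:59:00+00:00 SYSTEM_SHUTDOWN host=srv-db1 result=success
"""


def parse_line(line):
    """Split one log line into a dict with 'ts', 'event' and its key=value fields."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "event": event, **fields}


def review(log_text, now_iso):
    """Produce the findings a reviewer signs off under 8.6.2 for the week ending at now_iso."""
    now = datetime.fromisoformat(now_iso)
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    recent = [e for e in events if e["ts"] >= now - REVIEW_WINDOW]
    fails = Counter(e["user"] for e in recent if e["event"] == "LOGON_FAIL")
    return {
        # accounts that reached the 8.3.11 threshold: confirm the lockout and investigate if unexplained
        "repeated_failures": {u: n for u, n in fails.items() if n >= FAILED_LOGON_THRESHOLD},
        # every use of special privileges or utilities is listed for review (8.6.1, 8.9.3)
        "privilege_use": [e for e in recent if e["event"] == "PRIV_USE"],
        # changes to security parameters (here a raised lockout threshold) need an approved change behind them
        "security_changes": [e for e in recent if e["event"] == "SEC_PARAM_CHANGE"],
        "access_violations": [e for e in recent if e["event"] == "ACCESS_VIOLATION"],
        # entries past the 90-day minimum may be archived per local requirements, never before
        "older_than_minimum_retention": sum(
            1 for e in events if now - e["ts"] > timedelta(days=RETENTION_MIN_DAYS)),
    }


def chain_digest(log_text):
    """SHA-256 hash chain over the lines; keep the final value out of band so edits are detectable (8.6.4)."""
    h = b"\x00" * 32
    for line in log_text.splitlines():
        h = hashlib.sha256(h + line.encode()).digest()
    return h.hex()


def verify_chain(log_text, expected_hex):
    """True when the log still produces the digest recorded at the end of the previous review."""
    return hmac.compare_digest(chain_digest(log_text), expected_hex)
```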

8.7 Removal of System Access

Standard

8.7.1 Users’ access to the CCG’s Information Technology resources must be appropriate. It must be

• Revoked immediately when they leave the CCG irrespective of the reason, e.g. due to termination of employment, contracts or services provided to the CCG. The Access Administrator must establish a protocol to ensure terminated employees are identified (e.g. by coordinating with Human Resources) and actioned on a timely basis.

• Reviewed and, if necessary, altered when a user changes duties, divisions or departments.

8.7.2 Action shall be taken to review, change or revoke access to information assets:

• Where a user is found to have misused information assets to which access was granted;

• Where a user has taken actions prejudicial to security; or

• At the discretion of management.

8.7.3 Access created for specific purposes on an ad-hoc basis, e.g. maintenance, vendor support etc., is to be granted for the period of use only. These accounts are enabled subject to appropriate authorisations, given an expiration date at account creation and disabled immediately after use.

Objective:

To ensure access to information and systems is not retained unnecessarily following resignation, termination or change of job duties.

8.7.4 Any change, suspension or revocation of users’ access rights must be communicated to Access Administrators on a timely basis.

8.7.5 Information Asset Owners shall review for inactive access rights periodically (at a minimum every three months) to ensure that old and unused system access User IDs, after confirmation of redundancy, are revoked and removed respectively.

8.7.6 Access Administrators must determine system access expiry dates for temporary users. Temporary user IDs must have expiry dates on their access security profiles. Where expiry dates cannot be set on the security system then the Access Administrator shall monitor and regularly review temporary users’ access rights.

8.7.7 Access rights are to be suspended if a user does not require system access for a minimum period of 50 days (e.g. Long service leave)

8.7.8 Non-current User IDs are to be removed from the system or disabled if removal is not technically possible.

8.8 Remote Access

Standard

Objective:

To protect the CCG against attacks from points external to our network. Access to the CCG’s internal network and systems from locations outside our premises introduces higher risks of compromise. These risks require special additional measures to be implemented to safeguard the CCG’s information assets.


8.8.1 Remote access to the CCG’s information technology resources must only be available to authorised users.

8.8.2 All remote user access must be authenticated via user ID and password. Two-factor authentication is required when accessing the internal network.

8.8.3 Remote access must be removed from all system accounts, except where explicitly authorised.

8.8.4 Where two-factor authentication is not used, segregation or other compensating controls must be applied, and must be reviewed and approved by an Information Security Manager.

8.8.5 The carrier or service used for remote access or transmission of information shall encrypt the communicated information so that the possibility of unauthorised access to it is minimised.

8.8.6 Where vendors are granted passwords for temporary remote maintenance of systems, their activity during access shall, where possible, be logged, and the account shall be disabled immediately after the service has been provided.

8.8.7 Access Administrators shall review remote access rights periodically (at a minimum every three months) to ensure that obsolete and unused access is revoked.

8.9 System Utilities

Standard

Objective:

To apply appropriate levels of control and review to sensitive system utilities.

8.9.1 A risk assessment must be performed, prior to implementation, for all system utilities, and for any tool that bypasses normal security controls and is able to alter data, information or software. Appropriate authorisation must be obtained from Information Asset Owners prior to use.

8.9.2 Access to system utilities must be restricted to authorised users in accordance with their responsibilities.

8.9.3 The use of all sensitive utilities shall be logged and reviewed by the appropriate Access Administrator, with the depth of review based on the sensitivity of the data and automated alerts in place wherever possible. Review is to be performed on at least a weekly basis.
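As an added example of the logging and alerting required by 8.9.3 (and of the independent review of bypass actions in 8.10.1), not part of the CCG document: a review script that reads sudo records in the syslog format written by the sudo package on Debian/Ubuntu hosts and raises an alert whenever a utility on a sensitive list is run by an account not authorised for it. The sample log lines, the sensitive utility list and the authorisation table are constructed for illustration.

```python
"""Weekly review of sensitive-utility use from sudo log lines (added example).

Illustrates 8.9.3: sensitive utilities are logged, and an alert is raised when one
is run by an account the Access Administrator has not authorised for it. The
authorisation table and the sample lines are constructed for this example.
"""
import re

# Constructed authorisation table: sensitive utility -> accounts approved to use it.
AUTHORISED = {
    "/usr/bin/dd": {"ops-backup"},
    "/usr/sbin/fdisk": {"ops-storage"},
    "/usr/bin/mysql": {"dba-primary"},
}

# Constructed sample lines in the format sudo writes to the auth log.
SAMPLE_LOG = """\
Sep 14 08:02:11 app01 sudo:  ops-backup : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/dd if=/dev/sda of=/backup/sda.img
Sep 14 08:05:43 app01 sudo:    asmith : TTY=pts/1 ; PWD=/home/asmith ; USER=root ; COMMAND=/usr/bin/apt-get update
Sep 14 09:17:09 db02 sudo:    asmith : TTY=pts/2 ; PWD=/home/asmith ; USER=root ; COMMAND=/usr/bin/mysql -e 'UPDATE patients SET flag=1'
Sep 14 11:40:55 db02 sudo: dba-primary : TTY=pts/0 ; PWD=/home/dba-primary ; USER=root ; COMMAND=/usr/bin/mysql -e 'SHOW STATUS'
Sep 14 12:01:30 app01 sudo:    bjones : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/fdisk -l
"""

# timestamp, host, invoking user, target user and the command actually run
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_line(line):
    """Return the fields of one sudo command record, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["utility"] = fields["cmd"].split()[0]   # path of the utility, without arguments
    return fields


def review_sudo_log(text, authorised=AUTHORISED):
    """Return (timestamp, host, user, utility) for each unauthorised use of a sensitive utility."""
    alerts = []
    for line in text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None or rec["utility"] not in authorised:
            continue                                   # not a sensitive utility: logged, no alert
        if rec["user"] not in authorised[rec["utility"]]:
            alerts.append((rec["ts"], rec["host"], rec["user"], rec["utility"]))
    return alerts


if __name__ == "__main__":
    for ts, host, user, utility in review_sudo_log(SAMPLE_LOG):
        print(f"ALERT {ts} {host}: {user} ran {utility} without authorisation")
```

In practice the authorisation table would be generated from the Access Administrator's approvals rather than hard-coded, and the alerts fed to the weekly review as a work list; every sudo record, authorised or not, still stays in the log as 8.9.3 requires.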


8.10 Emergency Access

Standard

Objective:

To ensure activities performed in emergency situations are subject to additional control and review. An emergency situation occurs when normal logical access controls, change control, policies and standards are bypassed in order to perform a critical function.

8.10.1 All actions that bypass normal access control procedures must be approved, logged and reported for immediate review by an independent party (e.g. a security analyst or Access Administrator).

8.10.2 Systems/Data Owners or their delegates must retrospectively review and approve all emergency code changes to production systems in a timely manner. This review includes testing to ensure the validity of the changes performed.

8.10.3 Information Asset Owners or their delegates must take prompt and appropriate measures (e.g. testing, or technical review by a subject matter expert) to confirm that any changes to data are authorised and appropriate.

8.10.4 System documentation must be amended to reflect the changes made, where appropriate.

8.11 Segregation of Duties

Standard

Objective:

To ensure that no individual has control over all aspects of a transaction or critical system change.


8.11.1 Adequate segregation of duties shall exist between all Information Technology functions and between personnel granted access to data and information.

8.11.2 Where segregation of duties is not possible, appropriate access control and monitoring mechanisms must be implemented to ensure that integrity and security of data is maintained.

8.11.3 The relevant Information Asset Owner or authorised delegate is responsible for ensuring that incompatible duties are not assigned; for example, simultaneous update access to both underwriting and claims must not be given. Where this is not possible, each such case must be individually authorised by the Information Asset Owner or authorised delegate.

8.11.4 Persons involved in writing or amending program code or system configuration data are not to be involved in the day-to-day input of data, nor have access to the production environment that would allow them to change data.

8.11.5 Data entry personnel are not to be involved in writing or amending program code.

8.11.6 Information technology personnel responsible for development of applications are not to be given update access to those systems or related program libraries in production.

8.11.7 If it is not possible to implement adequate segregation of duties due to technical reasons, lack of personnel or resources then appropriate access control and monitoring mechanisms must be established. Monitoring mechanisms include logging and review of actions performed.

9. Physical and Environmental Controls


9.1 Physical Access Authorisation

Standard

Objective:

To control physical access to local data centres and mission critical data centres (supporting multiple business devices).

9.1.1 Physical access to Information Technology facilities and resources shall be granted on a "business need" basis and must be authorised by the appropriate party.

9.1.2 Any new user, or change to the access rights of a user, must be appropriately authorised and actioned promptly by a Physical Security Administrator.

9.1.3 Visitors shall only enter restricted areas if authorised by the appropriate owner or authorised delegate. Visitors to restricted areas must be authorised, have their identity verified, and be accompanied by authorised personnel.

9.1.4 All personnel access to restricted areas is to be via an electronic key system and shall be logged and reviewed by a Physical Security Administrator on a regular basis (at least every 90 days).

9.2 Physical Access Revocation

Standard

Objective:

To ensure timely removal of physical access to restricted areas when no longer required.

9.2.1 In relation to personnel in their area of responsibility, line managers or their authorised delegate shall:

• Review access rights granted periodically (at least every 90 days) to ensure that unwarranted physical access is revoked; and

• Determine expiry dates for physical access granted.

9.2.2 A person’s physical access to the CCG’s computing facilities shall be:

• Revoked immediately when they leave the organisation.

• Reviewed and, if necessary, altered when a user changes duties, divisions or departments.

9.2.3 Action shall be taken to review, change or revoke physical access to the CCG's computing facilities:

• Where a user is found to have misused computing facilities or information assets to which access was granted;

• Where a user has taken actions prejudicial to security; and

• At the discretion of management.

9.2.4 When physical access rights are revoked from a user, keys and access passes must be retrieved and/or access rights must be de-programmed on the physical access system immediately.

9.3 Environmental Security

Standard

Objective:

Protection of critical computer hardware, communication networks, equipment and storage media (e.g. disk, tape, optical disks) from unauthorised access, theft, vandalism, destruction or environmental hazards.


9.3.1 Servers, operator consoles, network and communication equipment must reside in a room or cabinet that is secured from unauthorised access or physical damage.

9.3.2 Appropriate and feasible environmental hazards protection measures shall be implemented (such as air-conditioning, uninterruptable power supply, early warning smoke detectors, fire extinguishers or suppression systems etc.) to ensure the availability of the CCG’s facilities.

9.3.3 The location of computer rooms that house main computing facilities shall not be advertised, or be visible or identifiable from outside the premises.

9.3.4 Network cables are to be well protected in walls, false ceilings or raised floor.

9.3.5 During maintenance visits by non-CCG personnel, all reasonable steps are to be taken to prevent unauthorised access to information, or any activity which may subvert the system's operation or security.

9.3.6 Within computer rooms, eating, drinking and smoking are prohibited.

9.3.7 Security measures shall be taken to reduce the risk of the CCG's information resources being removed by maintenance personnel or other non-CCG personnel. Examples of such information resources are failed components, diagnostic dumps, magnetic media and printed material.

9.3.8 Unnecessary combustible materials must not be taken into computer rooms. All equipment must be unpackaged in build/store rooms and the waste material disposed of appropriately.

9.3.9 Equipment used for environmental hazard protection (e.g., air-conditioning, uninterruptible power supply, smoke detectors, fire extinguishers or suppression systems) must be maintained and/or tested in accordance with the manufacturers or suppliers recommendations.

9.4 Closed Circuit Television (CCTV)

Standard

Objective:

To control the disclosure of CCTV images and keep their use consistent with the purpose for which the system was established.


9.4.1 A number of CCTV cameras are present on the CCG sites to assist with security for staff, other individuals and their property. Disclosure of images from the CCG CCTV system will be controlled and consistent with the purpose for which the system was established. For example, it will be appropriate to disclose images to law enforcement agencies where a crime needs to be investigated, but it would not be appropriate to disclose images of identifiable individuals to the media for entertainment purposes or to place them on the internet. Images can be released to the media for identification purposes, but this should not generally be done by anyone other than a law enforcement agency. Where CCTV is in operation, the organisation must:

• put up clearly visible, readable signs to ensure that anyone likely to be captured by the cameras is aware of them;

• ensure that the signs include the name and contact details of the Data Controller; and

• consider including a web address where more detailed information about the system can be provided, for example how individuals can exercise their rights and how long images are kept.

9.4.2 Queries regarding the operation of, or access to, the CCTV system should be directed to the CCG Security Manager. If access is required in connection with ongoing disciplinary matters, permission should be sought from the Director of Human Resources or nominated deputy.

9.5 Hardware maintenance principles

Standard

Objective:

To prevent failure or disruption of business services due to lack of equipment maintenance.

9.5.1 All computer hardware shall have appropriate maintenance schedules and agreements to minimise failures or provide for timely replacement of hardware in the event of failure.

9.5.2 Maintenance schedules must be confirmed with the owners of the applications or systems they support, or with another formally authorised authority.

9.5.3 Modifications to hardware must follow an established Change Control Process.


10. System Development and Maintenance

10.1 Development of software

Standard

Objective:

To ensure that security is designed and built into information systems during development.

10.1.1 Information security requirements will be included in requirements and design specifications, manuals, procedures, standards, methodologies and other documentation developed. These requirements must include aspects relating to any privacy and/or data protection legislation. All development methodology and documentation must explicitly state how security is addressed during development. Specific documents that must address security include:

• System Requirements Specifications

• System Design Specifications

• Development Procedures

• Test Documentation

• Methodology documentation

10.1.2 All managers responsible for staff who perform development roles are responsible for ensuring those developers have appropriate training in secure development practices. This is particularly important for web developers, who should be aware of, for example, the OWASP Top Ten, which describes the most critical web application security flaws. Training standards and participation must be formally reviewed for adequacy and completeness not less than once per calendar year.

10.1.3 Restricted documents and information assets used in the development process will be protected, with access restricted to authorised personnel.

10.1.4 All releases of software are to be developed in accordance with a systems development methodology approved by the CCG's Management.


10.1.5 Only software, which has been properly tested to a documented test plan and authorised as fit for purpose, shall be permitted for use in production.

10.1.6 Requirements and testing must include documented recovery processes, application, data controls, access controls and all specified control functions. Adequate assurance will be required to ensure that new systems do not adversely affect existing systems.

10.1.7 Development personnel (persons involved in writing or amending program code or system configuration data) must not have update access to production libraries or the production environment. If development personnel do require such access because of technical limitations, it is granted only on a temporary basis, and the actions they perform are logged and reviewed.

10.1.8 Phase end reviews will include review of all security aspects. All new systems will have their security and access requirements approved and signed off prior to being placed into production. This approval is from the systems/data owner with support from suitably trained and qualified Information Security Personnel.

10.1.9 Documentation outlining the steps required to install, upgrade, maintain and recover a piece of software must accompany any new release. The disaster recovery plan is updated as appropriate.

10.1.10 Installation of applications, and upgrades and patches to software currently installed in production, must be performed by authorised Operations professionals only.

10.2 Maintenance of Software

Standard

Objective:

To ensure the integrity of the CCG’s software and information is protected when subject to maintenance using standard change control procedure.


10.2.1 New releases of software, supplied fixes and in-house changes to software must be fully tested, in a separate UAT/Quality environment, by business personnel approved by the Information Asset Owner or delegate. This follows appropriate system testing by the relevant development team in a separate test environment.

10.2.2 New releases of software must be documented in accordance with documentation standards.

10.2.3 Migration of changes into either the UAT or production environments must be approved by the appropriate Information Asset Owners or delegate.

10.2.4 Documentation of all software releases and supplied fixes to software must be reviewed by an authorised Information Asset Owners or authorised delegate, prior to the amended version going into production. The review must ensure that the documentation accurately reflects the modified status of the system.

10.2.5 Previous versions of the software must be available to enable recovery should the new release or modification fail.

10.2.6 Written or automated procedures must exist to enable the recovery of the previous version of the software should the new release or modification fail.

10.2.7 Maintenance of software must follow the standard approved change control procedure.

10.2.8 Emergency fixes to software shall be logged, reviewed and retrospectively authorised to ensure the corrections made are appropriate. (Refer to Section 8.10 Emergency Access for the standard on emergency changes.)

10.3 Software Testing

Standard

Objective:

To ensure appropriate testing and quality control is carried out prior to delivering software into the production environment.


10.3.1 All software developed by or for the CCG will be tested prior to installation into the live environment in accordance with the divisional approved system development methodology.

10.3.2 Personnel testing software must ensure that:

• Testing is undertaken against a test plan developed in accordance with the CCG's approved system development methodology; and

• It is adequately documented to allow for ongoing maintenance.

10.3.3 If a copy of production data, particularly personal and confidential information, is used for testing purposes, the data must either be masked or protected to the same level as in the live environment.

10.3.4 Refer also to 16.1.12 for requirements relating to on-going testing to ensure adequate levels of security are being maintained.

10.4 Access to Software

Standard

Objective:

To ensure access to software and software libraries is provided on a restricted basis only.

10.4.1 Access to development, application and system software will be restricted to authorised staff only.

10.4.2 All software must be protected from unauthorised or accidental access.

10.4.3 Access to production software libraries shall be restricted to authorised staff and logged.

10.4.4 Persons involved in writing or amending program code or system configuration data will not have access to production libraries and software.

10.5 Database Management Systems

Standard

Objective:

To ensure database management systems are adequately maintained and controlled.

10.5.1 Each Database Management System (DBMS) shall be assigned a Database Administrator.

10.5.2 Database Administration must ensure that all modifications and fixes to the DBMS are appropriate to the installation requirements.

10.5.3 The most recent security patches for database management systems must be installed as soon as practicable.

10.5.4 All modifications and fixes (e.g. changes to application or system software) to the DBMS must be tested to ensure they function properly prior to transfer to the live environment.

10.5.5 Operations and systems documentation must be updated for all changes to the DBMS.

10.5.6 Logical views of the database (e.g. subschemas) must be:

• Fully documented and kept up to date; and

• Allocated such that ownership of data elements is clearly defined

10.5.7 DBMS must have logging turned on with configuration options set to log all change activities so that in the event of failure, the database can be recovered with minimal loss or corruption of data.

10.5.8 Whenever practical the DBMS access control and logon procedures must adhere to the standards defined within this document for system access and control.

11. Backup and Recovery

11.1 Security System Software

Standard

Objective:

To ensure that security access profiles and security software are recoverable in the event of corruption or computer facilities failure.


11.1.1 Backup procedures must be followed, and the recoverability of security software and security access profiles must be ensured in the event of system failures.

11.1.2 Backup and recovery procedures are to be exercised on a regular basis, with documented test results at least once per calendar year.

11.1.3 Adequate security measures and contingency plans will be introduced whenever recovery procedures are placed into operation following any system disruptions.

11.1.4 Standards 11.2.2 to 11.2.8 below apply equally to security system software.

11.2 Other Software, Data and Information

Standard

11.2.1 Backup and recovery procedures are to be tested on a regular basis, at least once per calendar year.

11.2.2 All the CCG’s Information system resources shall be backed-up on a regular basis. The system back- up cycles must, at a minimum:

• Be performed before and after major changes to the operating system or system software, such as an upgrade;

• Ensure application software is backed up after each change (prior to a new release of application software or prior to maintenance of the production software) (refer 11.2.7); and

• Ensure that all information and data is backed-up commensurate with the business criticality of the system and frequency with which it is changed. All production data and information is backed-up daily if they are changed daily.

Objective:

To ensure that all systems software, application software, information, data and associated documentation are backed-up regularly to enable the system to be recovered when required, without loss of integrity.


11.2.3 Backups held on-site must be stored in a secure area and only be accessible by authorised personnel.

11.2.4 A cycle of back-ups is used with at least one copy in each cycle stored off-site. Off-site is defined as a facility or building physically separate to the one in which the computer system is located and to which access would be possible even if the main facility is unavailable. Backup procedures provide for the most recent backup being removed off-site on a timely basis.

11.2.5 The off-site storage facilities must:

• Provide a safe storage environment;

• Be restricted to authorised personnel only;

• Be accessible by more than one authorised person, so that retrieval of media does not depend on a single individual; and

• Be tested against service level agreements at least annually.

11.2.6 Copies of all operations, application and system software and user documentation including disaster recovery plans and other business critical documentation is stored off-site.

11.2.7 Responsibility for the definition and approval of appropriate back-up cycles, including off-site storage requirements, shall rest with Information Asset Owners or their designate.

11.2.8 Information Asset Owners must ensure back-up and recovery plans are documented for all systems. It is normally expected that this task will be delegated to the relevant administrators who act as custodians for these systems.

11.2.9 Quarterly reviews of who has access to on-site backup media as well as who can recall archived media must be performed.

11.2.10 Third party software used for critical business functions requires contractual arrangements to include escrow provisions for source code.

11.2.11 The transportation of media to off-site storage facilities must ensure physical access is restricted and tapes are placed in a secured/locked container or encrypted to prevent unauthorized access.

11.2.12 An inventory control process must be in place to account for all media in transit

12. Disaster Recovery Plan


12.1 Disaster Recovery Plan and Programme

Standard

Objective:

To ensure that vital business systems have alternative processing facilities, which are detailed in a documented Disaster Recovery Plan (DRP).

12.1.1 A Business Impact Analysis (BIA) must be performed by the Information Asset Owners, and repeated when significant modifications are made to existing systems, to determine:

• The system's importance to business operations;

• The business tolerance period (recovery time objective);

• The risks which may result in disruption to processing; and

• The response to be adopted if the risk is realised.

12.1.2 The BIA is signed off by the Information Asset Owners and a business tolerance period is agreed.

12.1.3 Information Asset Owners are responsible for ensuring their BIA is up to date, and for ensuring the BIA can still be met if the system changes or is modified.

12.1.4 A recovery strategy shall be implemented for all the CCG's information technology. The strategy implemented will be influenced by:

• The importance of the system to business operations; and

• The ability to recover the system within the business tolerance period.


12.1.5 The DRP includes at a minimum

• The criteria to activate the plan including detection of a disaster and notification of relevant personnel.

• Procedures relating to staff relocation, alternative premises or alternative working arrangements.

• The people responsible for each aspect of the recovery process

• Procedures to revert to normal processing

• Testing procedures; and

• The person responsible for coordinating the ongoing maintenance of the plan.

12.1.6 The DRP includes contact details and plans for communicating with IT personnel, the business and key IT suppliers/contractors.

12.1.7 The emergency procedures detailed in the DRP are to be included in the operating procedures of appropriate business areas.

12.1.8 The DRP will be exercised on a regular basis (at least once per calendar year for critical applications), reviewed after exercising and appropriately updated.

12.1.9 In the event that a Disaster Recovery Plan is activated, including the use of hot sites, compliance with the standards contained within this document must be maintained.

12.1.10 A business resumption plan is also included, to take the business from the temporary recovery phase (including the use of hot/warm sites) back to business as usual where relocation is required.


13. Network Communications

13.1 Physical Network Communication

Standard

Objective:

To ensure network modifications are subject to risk assessment and appropriate levels of authorisation.

13.1.1 All additions or modifications to the physical network or network equipment must be subject to the approved change control procedures, including approval by the Security Manager or other designated person.

13.1.2 All equipment that can communicate outside the CCG's network, such as modems, firewalls and wireless systems, must be subject to assessment by Information Security and have its configuration standards reviewed and approved.

13.1.3 Production data residing on dedicated production networks is to be logically separated from all development data and networks.

13.2 Modem Communication

Standard

Objective:

To prevent unauthorised access being gained through insecure modems. Modems provide an access point to the CCG's network and must be implemented and used in a controlled manner.

13.2.1 Connecting modems to the CCG's PCs or other network devices is only done in a controlled manner by the IT Operations Department, following appropriate approval from the IT Security Manager.


13.3 Communication Facilities

Standard

Objective:

To ensure network communication facilities are chosen and commissioned in such a way as to avoid the risk of failures and unauthorised access.

13.3.1 Access to physical communication facilities will be restricted to authorised personnel.

13.3.2 Communication facilities will be chosen in such a way as to minimise the risk of tapping, bugging or interference.

13.3.3 Regular penetration testing of the network from both internal and external points must be performed.

13.3.4 Independent (i.e. third-party) external penetration testing of the network is to be performed at least once per calendar year.

13.4 Telephone & Voice Mail

Standard

Objective:

To ensure that PABX, VoIP and voicemail systems are protected against toll fraud, theft of proprietary information and loss of revenue.


13.4.1 Switch rooms and distribution closets must be securely locked at all times.

13.4.2 Logs of personnel visiting switch rooms are to be maintained.

13.4.3 Default passwords for administrative accounts must not be used.

13.4.4 System output containing configuration records, call details, access codes, authorisation codes for special calling privileges and remote access numbers must be treated as confidential information.

13.4.5 Out-of-date confidential records must be disposed of securely (shredded or destroyed).

13.4.6 Administrative passwords must be changed on a regular basis, and whenever an administrator or PABX contractor leaves.

13.4.7 Access rights for administrative accounts must be reviewed regularly.

13.4.8 Unused mailboxes, passwords and authorisation codes must be deleted, or at least disabled.

13.4.9 Administrative and maintenance functions must lock out after three unsuccessful access attempts.

13.4.10 Access to international dialling must be restricted, either by extension or, preferably, by the use of authorisation codes.


13.4.11 Call forwarding to toll numbers and premium or "pay per minute" services must be blocked. Exceptions require authorisation by Management.

13.4.12 External dialling must be blocked using restriction and permission tables as appropriate.

13.4.13 Calling patterns on phone bills must be monitored for unusual incoming or outgoing calls.

13.4.14 All voicemail boxes are to have PINs (passwords) assigned. Default PINs are not to be used.

13.4.15 Voicemail PINs must not be the same as the extension number, a run of consecutive digits (e.g. 1234) or a single repeated digit (e.g. 5555).
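As an added example, not part of the CCG document: a validator that enforces the PIN rules in 13.4.14 and 13.4.15 at the point a mailbox PIN is set or changed. A PIN is rejected if it is a known default, equals the extension, is a run of consecutive digits (rising or falling), or is a single repeated digit. The list of default PINs and the 4-to-8 digit length rule are assumptions; the document sets neither.

```python
"""Voicemail PIN checks for 13.4.14 and 13.4.15 (added example).

The default-PIN list and the 4-8 digit length limits are assumed for illustration;
the ISMS states the rules but not a length or a vendor default list.
"""

# Constructed list of vendor default PINs (assumption; take it from the PABX vendor's documentation).
DEFAULT_PINS = {"0000", "1234", "1111", "123456"}


def _is_consecutive(pin):
    """True for runs such as 1234, 4567 or 9876: every step is +1 or every step is -1."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def check_pin(pin, extension, min_len=4, max_len=8):
    """Return the list of policy violations; an empty list means the PIN is acceptable."""
    if not (pin.isascii() and pin.isdigit() and min_len <= len(pin) <= max_len):
        return [f"pin must be {min_len}-{max_len} digits"]
    problems = []
    if pin in DEFAULT_PINS:
        problems.append("default PIN")            # 13.4.14
    if pin == extension:
        problems.append("same as extension")      # 13.4.15
    if _is_consecutive(pin):
        problems.append("consecutive digits")     # 13.4.15
    if len(set(pin)) == 1:
        problems.append("all the same digit")     # 13.4.15
    return problems


if __name__ == "__main__":
    for candidate in ("1234", "5555", "2201", "9876", "2740"):
        verdict = check_pin(candidate, extension="2201") or ["ok"]
        print(candidate, ", ".join(verdict))
```

The check runs before the PIN is stored, so a rejected PIN never reaches the voicemail system; the same function can be run over an export of existing PINs where the platform allows it, to find mailboxes still on defaults.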

13.4.16 System event and history logs are to be checked on a regular basis.

13.4.17 Regular system backups must be performed.


14. Server Security

Standard

14.1.1 An operational group that is responsible for system administration must own all internal servers deployed.

14.1.2 Approved server configuration standards must be established and systems maintained to those standards by the system administrators.

14.1.3 Standards for security configuration must be reviewed and approved by the relevant Information Security Manager or their delegate.

14.1.4 Configuration compliance must be monitored independently from the administrators. An exception policy is tailored to an environment if appropriate.

14.1.5 Configuration changes must follow appropriate change management procedures.

14.1.6 Services, accounts and applications that will not be used must be disabled where practical.

14.1.7 The most recent security patches must be installed on the system as soon as practicable following appropriate testing.

14.1.8 Current virus protection must be deployed and maintained on all servers. Real-time scanning must also be enabled unless degradation of service warrants this being disabled. Then, at a minimum, nightly scans must be performed.

14.1.9 Accounts with administrative privileges must not be used for day-to-day activities such as email, internet browsing or application access.

14.1.10 Default administrator passwords must never be used. Use a strong complex password for all administrator functions.

14.1.11 Where possible, a secure channel connection (IPSec, SSH) must be used for privileged access.

14.1.12 Servers are physically located in an access controlled environment.

14.1.13 Servers must be physically located in a controlled environment.

14.1.14 Servers must not operate from uncontrolled areas, e.g. workstations.

14.1.15 All security related events on critical or sensitive systems must be logged and audit trails saved based on local requirements, or for 90 days at minimum.

14.1.16 Services and applications not for general access must be restricted by access control.

14.1.17 Services and applications not required for business purposes must be disabled.

Objective:

To ensure appropriate security measures are applied to the hosting and management of servers.

15. Vulnerability Management

15.1 Vulnerability Management


Standard

15.1.1 All software and relevant systems are maintained with the appropriate updates, vendor patches or recommended configurations to address security. The systems subject to such updates include but are not limited to:

• Operating Systems

• Application Software

• Database Management Systems

• Network equipment

• Firmware

• Telephone and telecommunications equipment

15.1.2 Application installation, upgrades and patches to software currently installed in production are performed by Network and Operations professionals only.

15.1.3 Information Asset Owners may not defer or delay an update if this action could compromise the security of other CCG systems.

15.1.4 Approved configuration standards must address expected update and patch standards, e.g. how frequently or how quickly new updates should be applied.

15.1.5 Standards for security configuration must be reviewed and approved by the relevant Information Security Manager or their delegate.

15.1.6 Configuration compliance must be monitored independently from the administrators. An exception policy may be tailored to an environment if appropriate.

15.1.7 Configuration changes must follow appropriate change management procedures.

Objective:

To implement and maintain configuration and patch management procedures designed to reduce risk from known and emerging threats and vulnerabilities.


16. Transfer of the CCG’s Information

16.1 Authorisation of transfer

Standard

16.1.1 Information assets must not be removed or transferred from the CCG in any form unless duly authorised by the Information Asset Owners.

16.1.2 Where it is unclear as to the sensitivity of the data to be transferred, the data owner must contact the Information Security Manager/Team for authorisation of the transfer of the data.

16.1.3 Information received from any service organisation or any other body in the form of a tape, disk, or other media such as image, text and voice shall at least be accorded the same level of security as is provided for the CCG’s information assets, or as agreed with the third party. All transfers of third party information that contain sensitive data must be masked, stripped of sensitive information or encrypted before they are transferred to third parties.

16.1.4 All third party companies that have access to the CCG’s data in the course of support services they provide must sign a non-disclosure agreement.

16.2 Disclosure Outside of the United Kingdom or European Economic Areas

Standard

16.2.1 The CCG may, from time to time, need to transfer personal data to countries or territories outside of the United Kingdom (UK) or European Economic Area (EEA) (which is the EU Member States plus the European Free Trade Association (EFTA) countries of Iceland, Liechtenstein and Norway) in accordance with purposes made known to individual data subjects. For example, the names and contact details of members of staff at the CCG on a website may constitute a transfer of personal data worldwide. If an individual wishes to raise an objection to this disclosure, then written notice should be given to the CCG's Data Protection Officer.

16.2.2 Other personal data, even if it would otherwise constitute fair processing, must not, unless certain exemptions apply or protective measures are taken, be disclosed or transferred outside the UK or EEA to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects.

16.2.3 The European Commission has the power to determine whether a third country (i.e. not an EU member state or an EFTA country) ensures an adequate level of protection for personal data by reason of its domestic law or the international commitments it has entered into. Further information as to the Commission’s decisions on the adequacy of the protection of personal data in third countries can be obtained from the Commission’s website.

Objective:

To ensure information being transferred to or from the CCG is afforded the required levels of protection.

16.3 Uploading and Downloading

Standard

16.3.1 Data and information upload and download facilities must only be available to users who have appropriate authorisation.

16.3.2 Applications used to upload data and information must be in accordance with the CCG’s Change Control Standards and Procedures.

16.3.3 Access to all data and information that has been held for upload, or that has been downloaded, must be restricted to users who are normally granted the right to access the data and information in the original environment.

16.3.4 Appropriate security access controls and adequate audit trails must secure all data and information uploaded. This may include a temporary receiving facility to verify the integrity of the information and data before releasing it to a live environment.

16.3.5 Data or transport encryption must be used for data that is not classified for public release when being transmitted over public networks.

16.3.6 Where applicable, a standard confidentiality/non-disclosure agreement is used.

16.3.6 Passwords for confidential or restricted data using transport layer encryption must be changed on a regular basis, at minimum every 90 days.

Objective:

To ensure transfer of data and information is performed in a controlled manner with an adequate audit trail of any amendments made.

17. Perimeter and Internet Security

17.1 Internet Access

Standard

17.1.1 Employees are permitted and encouraged to utilise the Internet where such usage is for business purposes and supports the goals and objectives of the CCG.

17.1.2 Personal use is permitted provided it does not impact work performance and provided it is consistent with the CCG’s standards of business conduct.

17.1.3 Use of corporate computers, networks, systems and software is subject to monitoring and a log of internet access and transactions will be maintained.

17.1.4 The distribution of information is subject to approval of the CCG, which reserves the right to determine the suitability and confidentiality of information disseminated.

17.1.5 The individual internet user is considered to be responsible for their actions and therefore may be subject to litigation, should legal transgressions occur.

17.1.6 Access to the Internet from any CCG LAN-attached workstation or end user device must be via a firewall.

17.1.7 Staff are educated in the contents of these standards upon appointment and sign as acknowledgment that they have read and understood them. A continued awareness program must operate for all staff.

17.1.8 The following activities are strictly prohibited whilst using the corporate Internet connection:

• Accessing, uploading or downloading offensive/rebellious/provocative or defamatory material;

• Representing personal opinions as being those of the CCG or other staff members;

• Uploading or downloading commercial software in violation of copyright law, or executing or downloading software or electronic files without proper approval and virus scanning of the files;

• Using alternate access channels (e.g. modems, wireless, 3G cards etc.) to bypass firewall security;

• Revealing or publicising corporate proprietary or confidential information;

• Creating websites on public servers or registering Internet domain names which in any way represent the CCG or its interests; and

• Use of peer to peer file sharing programs including but not limited to BitTorrent, Vuze and Gnutella.

Objective:

To ensure internet access is used primarily for business purposes and consistent with the CCG’s standards of business conduct.

17.2 Perimeter Security

Standard

17.2.1 Appropriate security technologies must be used for the protection of the CCG’s information system resources that are connected to external networks or third parties. Typically this will mean the use of firewalls and reverse proxies or highly secure thin client web to host technology.

17.2.2 Regular penetration or vulnerability tests of the perimeter must be performed from both internal and external points.

17.2.3 Networks must be given a minimum level of classification depending on their connectivity.

Trusted

• Networks that are wholly within the control and management of the CCG

• Carrier networks that are exclusively for the use of the CCG

Semi-Trusted

• Networks that are controlled by third parties where the CCG has a formal commercial relationship with the party and they have security policies and standards that are consistent with those of the CCG

• Any network or DMZ that is directly connected to an untrusted network

Untrusted

• Any public network such as the internet

• Networks belonging to parties with which the CCG does not have a formal relationship

17.2.4 All network segments that are adjacent to the internet or untrusted networks must be subject to real time monitoring to detect and prevent intrusions and malicious actions which may compromise the CCG’s networks and information.

17.2.5 Internal network addresses must not be advertised or directly accessible outside of the CCG’s networks.

17.2.6 Information that is classified as Confidential or Restricted must not be permanently stored in a DMZ or network that is directly connected to an untrusted network.

Objective:

To protect the CCG’s information assets and system resources from unauthorised access through the Internet or untrusted networks.


17.3 Firewall Security

Standard

17.3.1 Any network device that has been configured to apply filtering or restrictions on access to networks or hosts will be considered a firewall.

17.3.2 Firewalls must be configured on a “default deny” basis with the minimum connectivity that is needed for business and essential support purposes.

Mechanisms must exist to enforce the logical segregation of networks with different classifications according to the principles below. These must be documented and subject to formal change control.

• Any junction between a trusted, untrusted or semi-trusted network must be segregated by a stateful firewall device approved by Information Security.

• By definition, a trusted and an untrusted network may not be directly connected, but must be segregated by either a DMZ that is semi-trusted or two approved firewalls.

• Services and information offered externally to the CCG must be hosted in a DMZ that is segregated by a firewall from the CCG’s internal resources.

• The CCG’s networks must use stateful firewalls to segregate offices in different geographical divisions and countries to prevent propagation of internal threats.
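The classifications in 17.2.3 and the segregation principles of 17.3.2 can be checked mechanically against a documented network inventory, which also gives the change control required by 17.3.2 something concrete to review. The checker below is an added example, not part of the ISMS document or any vendor tool; the zone names, links and services in it are constructed.

```python
"""Network segregation check (added example, not part of the ISMS document).

Expresses the 17.2.3 classifications and the 17.3.2 segregation principles as a
check over an inventory of network zones, the links between them and the number
of approved stateful firewalls on each link. Zone and service names below are
constructed for illustration.
"""
from dataclasses import dataclass, field

TRUSTED, SEMI_TRUSTED, UNTRUSTED = "trusted", "semi-trusted", "untrusted"


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    firewalls: int = 0  # approved stateful firewalls enforcing this junction


@dataclass
class Inventory:
    zones: dict  # zone name -> classification
    links: list  # Link objects
    external_services: dict = field(default_factory=dict)  # service -> hosting zone


def check_segregation(inv: Inventory) -> list[str]:
    """Return one finding per breach of the 17.3.2 principles; empty means compliant."""
    findings = []
    for link in inv.links:
        ca, cb = inv.zones[link.a], inv.zones[link.b]
        if {ca, cb} == {TRUSTED, UNTRUSTED}:
            # Trusted and untrusted may only meet via a semi-trusted DMZ (modelled as
            # two separate links) or across two approved firewalls on one link.
            if link.firewalls < 2:
                findings.append(f"{link.a}<->{link.b}: trusted and untrusted directly connected")
        elif ca != cb and link.firewalls < 1:
            # Any junction between differently classified networks needs a stateful firewall.
            findings.append(f"{link.a}<->{link.b}: junction between {ca} and {cb} lacks a stateful firewall")
    for svc, zone in inv.external_services.items():
        # Anything offered externally must sit in a DMZ, not on internal resources.
        if inv.zones.get(zone) != SEMI_TRUSTED:
            findings.append(f"{svc}: externally offered service hosted in {zone}, not in a DMZ")
    return findings


# Constructed sample inventory: one compliant DMZ path plus three deliberate breaches.
SAMPLE = Inventory(
    zones={"corp-lan": TRUSTED, "web-dmz": SEMI_TRUSTED, "partner-net": SEMI_TRUSTED, "internet": UNTRUSTED},
    links=[
        Link("corp-lan", "web-dmz", firewalls=1),      # compliant: internal to DMZ through a firewall
        Link("web-dmz", "internet", firewalls=1),      # compliant: DMZ to internet through a firewall
        Link("corp-lan", "partner-net", firewalls=0),  # breach: junction with no firewall
        Link("corp-lan", "internet", firewalls=1),     # breach: trusted to untrusted with one firewall
    ],
    external_services={"public-website": "web-dmz", "booking-app": "corp-lan"},  # second is a breach
)


def sample_findings() -> list[str]:
    return check_segregation(SAMPLE)


if __name__ == "__main__":
    for finding in sample_findings():
        print("BREACH:", finding)
```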

17.3.3 All changes to firewalls and other perimeter devices must be independently reviewed and approved by the Information Security Manager on the basis of risk prior to implementation.

17.3.4 Firewalls or related access control systems must be subject to independent security review at least once per calendar year.

17.3.5 Firewall logs must be archived away from the device and retained for at least 18 months.

17.3.6 Wherever practical, firewalls are to be segregated from other network or server equipment and configured with the minimum set of services possible for their core functions as a firewall. This is a mandatory requirement of firewalls connected to the Internet.

Objective:

To ensure the CCG’s information assets and system resources are protected by robust and managed equipment


18 Electronic Commerce Security

Standard

18.1.1 The CCG’s websites are to be hosted externally to the CCG’s network using a DMZ architecture with no direct connection to the underlying applications or data.

18.1.2 The CCG’s electronic commerce applications must be protected by real time monitoring to detect and prevent intrusions and malicious actions which may cause compromise of the CCG’s networks and information.

18.1.3 Operating systems must be configured according to approved configuration standards.

18.1.4 All patches and hotfixes as recommended by the vendor must be tested and installed.

18.1.5 Services and applications not for general access must be restricted by access control lists.

18.1.6 Remote administration can only be performed using an internal IP address over a secure channel (e.g. encrypted network connections using SSL or IPSec).

18.1.7 All new installations must undergo standard change control procedures which will include an audit or approval process by appropriately trained and qualified personnel. All new e-commerce applications must undergo independent penetration testing prior to production deployment.

18.1.8 Security related events must be logged and audit trails saved. Security related events include but are not limited to:

• User login failures

• Failure to obtain privileged access; and

• Access policy violations

18.1.9 Transfer of confidential information over the Internet employs secure means, e.g. SSL. Whenever possible, internal traffic employs secure means to protect the data.

18.1.10 All host content updates must occur over secure channels.

18.1.11 Regular monitoring and review of security controls is conducted to verify the adequacy of controls in place. This will include reviews of logs, vulnerability scanning or penetration testing. All e-commerce applications are retested every two years or prior to the deployment of a major system change.

18.1.12 An application firewall that analyses and restricts input from external threats is required for all applications that provide access to credit card or health information.

Objective:

The CCG’s electronic commerce activities must be protected against fraudulent activity, including unauthorised disclosure or modification of data.


19 Wireless Communications

Standard

19.1.1 Wireless access must be configured to require two factor or an equivalent strong authentication to be entered before access to the internal network can be granted. The authentication method must be approved by Information Security Manager.

19.1.2 Individuals who are not authenticated to the internal network are permitted Internet access only.

19.1.3 Access to the CCG’s network via unsecured wireless communication mechanisms is prohibited. Only wireless systems that meet the criteria contained in these standards will be approved for connectivity to the CCG’s networks.

19.1.4 All wireless Access Points/Base Stations connected to the network must be approved and installed by appropriately skilled and qualified personnel.

19.1.5 All wireless installations must have documented security and configuration standards which have been approved by Information Security Manager. This includes encryption and conformance with security standards at least equivalent to WPA2.

19.1.6 Access Points and Base Stations will be subject to periodic penetration tests or audits, at least once per quarter.

19.1.7 Wireless networks must be logically segregated using stateful firewalling or an equivalent technology approved with their security and configuration standards.

19.1.8 Wireless workstations and notebooks must have specific wireless intrusion detection or prevention capabilities and be configured such that simultaneous connection to wired and wireless networks is not possible. This includes all types of wireless connectivity such as the IEEE 802 wireless standards.

19.1.9 The CCG’s offices and networks that use wireless technology must have appropriate systems to detect and respond to unauthorised wireless use, access points and activities.

19.1.10 All access point vendor supplied default settings must be changed based on requirements. These include access point names, SSID names, SNMP community strings and all default passwords such as the Admin/Console password.

19.1.11 All management of Access Points and other components must be performed via a wired interface. Access to management functions via wireless interfaces must be disabled.

19.1.12 The SSID will be configured so that it does not contain any identifying information about the CCG, the CCG’s Divisions, Employee Names or Product Identifier.

19.1.13 Peer to Peer connections over wireless networks are strictly prohibited (excluding authorised service based connections).

Objective:

To ensure wireless access to any part of the CCG’s networks is implemented and maintained in a secure manner.

20 Workstations and end user devices

20.1 Identification of hardware

Standard

20.1.1 All devices belonging to the CCG must be physically marked with a unique identifier.

20.1.2 All devices (including handheld devices, monitors and central processing units) must be inventory controlled and accounted for in an appropriate record-keeping system. This inventory must include:

• A unique identifier;

• Physical location, or location of custodian if mobile;

• Custodian or owner’s name;

• Relevant department/business unit;

• Manufacturer and model details;

• Serial number; and

• Purchase/lease date.

20.1.3 The hardware details must be entered in the hardware register prior to the device being issued and/or connected to the CCG’s Information Systems.

20.1.4 All personal computers, either desktop or portable, should have port control to enable logging of data moving to removable media.

Objective:

To maintain a record of personal computer hardware and ensure accountability for its safekeeping.


20.2 Device Management Including Bring Your Own Device (BYOD)/Mobile Devices

Standard

20.2.1 Workstations and personal devices (BYOD) deployed within the network are to be subject to formally documented and approved configuration standards specifying an agreed set of controls.

20.2.2 The most recent security patches must be tested and installed as soon as practicable.

20.2.3 All personal computers must have port control, and use of removable media or storage must be logged as a minimum.

20.2.4 Where devices are deployed within the network and owned by staff, there must be a formal agreement that the CCG may at its discretion control and configure the device, including memory wiping where applicable, and that it must be surrendered for inspection on demand.

20.2.5 The agreement must also state that staff will not attempt to subvert or modify any security controls.

20.2.6 The agreement could also include a list of authorised platforms/devices/operating systems that Information Security recommends to allow access to the network.

20.2.7 All Personal devices should have protection against malicious software (Anti-virus/Anti Malware) if available.

20.2.8 All Personal devices should be encrypted (Please see 25.2)

20.2.7 User password authentication to access devices is required and must conform to normal standards for passwords and user identification wherever practical. This includes lockout for failed access attempts and inactivity.

Objective:

To ensure workstations and personal devices (BYOD) have an appropriate level of protection and maintenance.

20.3 Portable equipment

Standard

20.3.1 Portable devices that do not meet the CCG’s security standards will not be allowed to connect to the network.

20.3.2 Portable devices and laptops must have an operating and well maintained personal firewall wherever it is technically feasible.

20.3.3 Portable computer equipment must be secured unless it is in a private home or a secure CCG office. This should be effected by a security device such as securing cables, or a locked cabinet.

20.3.4 Any loss must be reported to management immediately with details of any data contained on the device.

20.3.5 Ensure that the sensitivity of any stored data is known and properly secured. User information and the CCG’s data stored on portable devices must be encrypted.

20.3.6 During travel, portable devices must not be checked in as baggage, but carried as hand luggage.

20.3.7 Data transmission traversing the Internet or other unsecured networks must be encrypted in transit in accordance with approved standards.

Objective:

To apply extra protection measures to portable devices and their information, which are more vulnerable to theft and loss.

21 Hardware and Software Purchasing/Licensing/Copyright


21.1 Purchasing

Standard

21.1.1 Only software and hardware that comply with the CCG’s approved standards are purchased/leased.

21.1.2 All software and hardware must be inventory controlled and accounted for in an appropriate record- keeping system.

21.1.3 All software and hardware must be purchased only through an approved vendor.

Objective:

To ensure that appropriate approvals and procedures are applied in the purchase of software and hardware.

21.2 Licensing

Standard

21.2.1 All vendor proprietary software must be used as specified in licensing agreements. Proof of purchase must be available for each serial number and licensed software product.

21.2.2 Any software licenses purchased and used must be updated in the software register.

21.2.3 Physical software licenses are to be stored in a central library where appropriate.

21.2.4 Only legally obtained software is to be used in the CCG’s computing environments (e.g. servers, laptops, desktops, PDAs etc.). The use of unlicensed or pirated software on the CCG’s equipment is strictly prohibited.

21.2.5 The CCG management commits to providing sufficient quantities of licenses to meet the CCG’s usage requirements.

21.2.6 All traces of licensed software and data are to be removed from any hard disks remaining within the equipment that is to be disposed of.

21.2.7 Regular reviews must be performed to ensure that all software used is appropriately licensed and is the standard version.

Objective:

The CCG must ensure that it uses software only in accordance with the licensing agreement and in accordance with any copy protection and copyright regulation or laws. Failure to do so can result in the CCG or the responsible individual incurring significant financial damages. Appropriate procedures need to be maintained to manage software licensing.

21.3 Copyright

Standard

21.3.1 The CCG will take disciplinary action against any personnel found to be engaging in unauthorised or illegal copying of software or documentation subject to copyright laws.

21.3.2 Any personnel found breaching copyright laws may be subjected to appropriate disciplinary actions including legal actions, which could result in fines under the relevant copyright law and dismissal.

21.3.3 All personnel who know of or suspect breaches of copyright must report such incidents to the CCG’s Management or the Information Technology Security Manager.

21.3.4 All software, procedures or any other material written by personnel whilst employed or under contractual agreements with NW London CCG shall remain the property of NW London CCG.

Objective:

To ensure the CCG does not suffer loss or damage as a result of breach of copyright and that appropriate disciplinary action is taken against personnel engaging in copyright breaches.

22. Destruction of Information and Software Upon Disposal of Equipment

Standard

22.1.1 Upon disposal of equipment located in data centres, computer rooms or other computer facilities, all data and software must be erased beyond readable format from all media, including tapes, memory sticks, disks, CDs and DVDs and any other storage media. This includes printing and copying devices that have on-board or attached storage.

22.1.2 Upon disposal of desktops and laptops all data and software must be erased beyond readable format.

22.1.3 All disposals must be authorised by an appropriate party and details regarding the disposal appropriately recorded.

Objective:

To avoid compromise or disclosure of the CCG’s information following disposal of any hardware or software asset.


23 Malicious Code (Virus) Controls

Standard

23.1.1 All electronic information, data or software brought into the CCG’s computing environment must be scanned for the presence of viruses, by approved and up to date virus-scanning software.

23.1.2 Approved virus scanning software must be used on all the CCG’s servers and workstations to detect the possibility of viruses.

23.1.3 Virus scanning software must also be used at all network access points.

23.1.4 All disks and tapes must be scanned for viruses, using virus scanning software, prior to being used on the CCG’s computing facilities.

23.1.5 Virus scanning software must be up to date to ensure the most recent viruses are detected and removed. Where possible, virus scanning must be updated in an automated fashion.

23.1.6 Real-time scanning must be enabled on all workstations and servers where it is technically feasible.

23.1.7 A procedure must exist to facilitate the reporting and resolution of detected virus activity.

23.1.8 Approved spyware and adware prevention measures are deployed at appropriate points, which may include Internet firewalls, proxies or browsers.

Objective:

To protect the CCG against loss or damage arising from the infiltration of malicious code into any device or network.

24 Email

Objective:

To ensure usage of the CCG’s email system is primarily for business use and that personal use does not compromise the CCG’s information assets, violate any law or lead to any form of litigation against the CCG.

Standard

24.1.1 Personnel must be aware that any information sent or received via the CCG’s email system, whether personal or otherwise, is perceived to be for or on behalf of the CCG. The CCG reserves the right to inspect, without notice, any data on the CCG’s computing facilities.


24.1.2 Emails that are not of a business nature are not sent using large internal distribution lists.

24.1.3 Email distribution lists must be appropriately restricted to prevent unauthorised personnel from using the list(s).

24.1.4 Email is not to be auto-forwarded to an external destination.

24.1.5 Users must not transmit unencrypted documents classified as “CONFIDENTIAL” or “RESTRICTED”.

24.1.6 Any confidential information, particularly information relating to the CCG’s customers, must be encrypted or password protected during transmission and during storage on non-company-owned systems.

24.1.7 Users must not disclose the contents of incorrectly addressed email, or forward email that could embarrass the sender/receiver or forward email if this is against the express wishes of the sender.

24.1.8 Sending and receiving personal emails must not be allowed to impact work performance.

24.1.9 Emails must not contain material which is potentially offensive or questionable in nature. Users must not transmit chain mail, or offensive, libellous, provocative or defamatory material, either within or outside the CCG’s email domain.

24.1.10 Users must not email any material that may be in breach of any other CCG policies or contrary to external regulations (e.g. EEO, sexual harassment etc.).

24.1.11 Users must not send copies of documents in violation of copyright or any other laws.

24.1.12 Users must not encourage the sending to them of inappropriate materials (particularly offensive or pornographic material), whether downloaded from the Internet or obtained elsewhere.

24.1.13 Storage of inappropriate material in a mailbox is prohibited. If this material is received it is to be deleted and not forwarded on.

24.1.14 Use of external public mail providers is forbidden. Only the CCG’s provided email system may be used within the CCG’s network. This includes “webmail” services such as Gmail, Hotmail, Yahoo mail etc. and also commercial services provided by ISPs and other parties.

24.1.15 It is permissible and appropriate for the CCG to keep records of internal communications, provided such records comply with Data Protection Principles. The appropriate use of email in the proper functioning of the CCG, and the limitations on that use, can be found in the CCG’s Email Policy.


24.1.16 All CCG staff should be aware that the DPA subject access right, subject to certain exceptions, applies to emails containing personal data about individuals which are sent or received by the CCG’s staff.

25 Security Awareness

25.1 Security awareness

Objective:

Personnel are to be provided with Information Security Training through a Systems Security Awareness Program


Standard

25.1.1 All the CCG’s personnel shall undergo Security Awareness Training at least once per calendar year, so that they understand their security responsibilities. Records demonstrating the completion of such training need to be maintained.

25.1.2 All the CCG’s personnel will be required to confirm knowledge of their responsibilities under these standards upon commencement with the CCG and at least once per calendar year thereafter.

25.1.3 All personnel must be notified of new or revised information technology security standards and procedures that relate to their information security responsibilities.

25.1.4 Access Administrators must be knowledgeable in information technology security administration. The CCG’s management must ensure that they are given appropriate technical training to perform their responsibilities effectively.

25.1.5 Newsletter, Email and other means of communication to personnel will be used to remind personnel of their security responsibilities and maintain their awareness of Information Technology Security.

25.1.6 Agreements with all non-CCG parties will include a clause in relation to the third party’s responsibilities regarding their compliance with the relevant policy and standards, a copy of which will be provided to them. Awareness training may be undertaken where appropriate.

26 Encryption of Sensitive Information

26.1 Encrypting sensitive information

Objective:

To protect the CCG’s information from the increased risks which arise when data is being transported or transmitted outside our networks.


Standard

26.1.1 With the exception of information which is “Unclassified”, all information must be encrypted during transmission over any public communication network.

26.1.2 With the exception of information that is classified for public release, all information that leaves the CCG’s physical locations must be encrypted (e.g. laptops, FTP, PDAs etc.).

26.2 Encryption Strength

Objective:

To ensure adequate strength of encryption is being applied

Standard

26.2.1 All encryption algorithms and products must be formally approved for use within the CCG by the Information Security Manager, and comply with currently available and internationally recognised standards for use by Financial Services Institutions (e.g. AES 256 bit, SSL 128 bit).

26.2.2 Only the CCG’s approved standard algorithms and products may be used.

26.3 Key Management

Objective:

To ensure encrypted data cannot be compromised as a result of poor key t

Standard

26.3.1 Appropriate measures must be taken to prevent the unauthorised disclosure of encryption keys and digital certificates.

26.3.2 All Key Management must be overseen by an Information Security Manager. Provisions for key management may include automated encryption key management systems and/or key escrow facilities, where appropriate.

26.3.3 Encryption keys must be changed immediately if there is any suspicion that they may have been compromised.

26.3.4 Where encryption keys are transmitted over communications lines, the keys themselves must be sent in encrypted form using encryption of at least equal strength to that used to create the keys being transmitted.

27 Outsourcing/third parties

27.1 Outsourcing

Objective:

To ensure the CCG’s information under the control and management of third parties is afforded the same levels of protection as outlined in these standards.

Standard

27.1.1 Outsourcing arrangements address the risks, security controls and procedures for information systems, networks and/or desktop environments in the contract between the parties.

Contracts must:

• Cover how all relevant/applicable legal requirements are to be met

• Describe how security of the CCG’s information assets is to be maintained and tested

• Include physical and logical controls to be used to restrict access to sensitive or confidential CCG information

• State how service availability is to be maintained or restored in the event of a disaster

• Describe levels of physical security that will be provided for outsourced equipment

• Provide the CCG the right to conduct independent audits of the outsourced services

• Include a non-disclosure agreement

• Require compliance with the CCG’s Information Security Policy and Standards or an agreed equivalent.

27.2 Offshoring and Cloud

Standard

27.2.1 In addition to the standards for outsourcing given above, additional measures in respect of offshore and cloud implementations include:

• Legal advice must be sought to ensure data sovereignty issues are adequately addressed

• The CCG is to retain the ability to conduct its own forensic examinations/eDiscovery of the data, including how data is being accessed by the third party.

Objective:

To ensure internet access is used primarily for business purposes and consistent with the CCG’s standards of business conduct

28 Forensic Readiness

28.1 Forensic Readiness

Objective:

To ensure the CCG’s information systems are enabled for collection, preservation, protection and analysis of digital evidence for legal and disciplinary matters in any employment tribunal or in a court of law.

Standard

This policy supports the objectives of the CCG’s Information Security Management Strategy and applies to all staff, contractors, locums, agency workers, volunteers and third party agents with access to ICT services provided by or on behalf of the CCG.

The policy applies to all the CCG’s Information, Communication and Technology (ICT) equipment, networks, software and information assets.

Policy Intent

28.1.1 All the CCG’s assets and employees’ data SHOULD be fully enabled for:

• Collection

• Preservation

• Protection

• Analysis of Digital Evidence

28.1.2 This directive reflects the high level of importance placed upon minimising the impacts of information security incidents and safeguarding the interests of patients, staff and the organisation.

28.1.3 The aim of the forensics readiness policy is to provide a systematic, standardised and legal basis for the admissibility of digital evidence that may be required from a formal dispute or legal process. The policy may include evidence in the form of log files, emails, back up data, mobile computing, network, removable media and others that may be collected in advance of an event or dispute occurring.

28.1.3 The Forensic Readiness Policy is a part of the CCG’s Information Security Policies. It is designed to help protect the information assets of the Trust through the application of best practice in IT Forensics and to minimise the costs of an investigation.

28.1.4 IT Forensics is the ability to detect and react to types of security incidents that require the collection, storage, analysis and preparation of digital evidence that may be required in legal or disciplinary proceedings. The Forensic Readiness Policy describes the Trust’s current capability to conduct an examination in a consistent, legal fashion and to ensure the admissibility of evidence relating to an incident. It covers both the proactive forensic monitoring of targeted systems and the reactive investigation of an unforeseen incident.

28.1.5 Such incidents will include, but are not limited to:

• Inappropriate use of equipment

• Use of another user’s logon credentials

• Any attempt to circumvent existing or proposed security controls

• Any attempt to defraud the CCG or any other organisation or individual

28.1.6 The Board recognises that the aim of forensics is to provide a systematic, standardised and legal basis for the admissibility of digital evidence that may be required for formal dispute or legal process. In this context, Forensics may include evidence in the form of log files, emails, back-up data, removable media, portable computers, network and telephone records amongst others that may be collected in advance of an event or dispute occurring.

28.1.7 Digital systems and distributed computing offer the CCGs great advantages in terms of efficiencies and cost saving. However our increased reliance upon these systems has proportionally increased this risk vector, something the adoption of good practice and controls can help to reduce or eliminate. However, it is necessary, as part of incident response, to have the ability to collect and analyse data held on a variety of electronic devices or storage media that may be used as evidence in some future investigation.


28.1.8 Proactive forensic monitoring comprises those systems and practices in place at the CCGs for monitoring computers, users, groups or systems. Examples of such practices include, but are not limited to: computer security logs, email logs, internet traffic monitoring and telephone exchange logs.

28.1.9 Reactive forensic investigations will normally be requested by an Executive Director, Clinical Director or Chair within the organisation and carried out in line with the Serious Incidents Requiring Investigation Policy.

28.1.10 Any tasks in a forensic investigation will be conducted by a suitably trained individual.

28.1.11 Normally, the Investigating Officer will be the ICT Security manager. However, the SIRO may in some cases choose to engage the services of a suitably qualified third party.

28.1.12 All evidence provided as part of an investigation must be recorded and securely stored in such a way as to maintain its integrity until such time as the case, any hearings and appeals have concluded.

28.1.13 Any investigation which presents a suspicion of fraud should be notified to the appropriate Director to engage the Local Counter Fraud Team.

28.1.14 Any investigation which presents a suspicion of criminal activity should be notified to the SIRO to engage the police.

28.2 Responsibilities

28.2.1 Senior Information Risk Owner (SIRO)

• Coordinating the development and maintenance of the forensic policy procedures and standards for the CCG

• Advise the Accountable Officer and the Governing Body on forensic readiness planning and provide periodic reports and briefings on progress

• Reporting suspicion of criminal activity to the police

• Oversight of all investigations, ensures all incidents and investigations are reported at IG meetings

28.2.2 Information Asset Owners (IAOs)

Ensures that forensic readiness planning is adequately considered and documented for all information assets where they have been assigned ‘ownership’. Goals for forensic planning include:

• Ability to gather digital evidence without interfering with business processes;

• Prioritising digital evidence gathering to those processes that may significantly impact the CCG, its staff and its patients;

• Allow investigation to proceed at a cost in proportion to the incident or event;

• Minimise business disruptions to the CCG;

• Ensure digital evidence makes a positive impact on the outcome of any investigation, dispute or legal action.


28.2.3 Line Managers

Managers are responsible for ensuring that their team and area of responsibility operates within the information governance framework of the CCG. They will ensure that:

• There are effective methods for communicating information governance related issues within their team

• Staff receive relevant training, induction and mandatory updates in relation to information governance

• Staff are aware of information governance policies and encourage adherence to them

• Necessary risk assessments are undertaken within their area of responsibility

• Information governance issues and risks are discussed at any team meetings

28.2.4 ICT Security Manager/Cyber security Manager Responsible for the management of forensic investigations, maintaining a secure chain of evidence and ensuring appropriate external relationships are maintained, should an investigator independent of the CCG be required.
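As an added illustration (not part of the CCG’s policy, and not code from any tool the policy names) of what “recorded and securely stored in such a way as to maintain its integrity” (28.1.12) and “a secure chain of evidence” (28.2.4) can mean in practice: each acquired item is hashed at acquisition, the hashes are written into a custody manifest together with who acquired the item and when, and the manifest is sealed with an HMAC under a key held by the custodian rather than alongside the evidence. A later verification detects altered or missing items, items that were never recorded, and edits to the record itself. The file names, contents, custodian name, key, and the functions `build_manifest` and `verify_manifest` are all constructed for this example.

```python
"""Evidence integrity manifest (added example, not the CCG's own procedure).

Hash each evidence item at acquisition, record who/when in a manifest,
and seal the manifest with an HMAC under a custodian-held key so that
neither the items nor the custody record can be altered without detection.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample evidence items; in practice these would be disk images,
# exported logs or mailbox exports read from the evidence store.
SAMPLE_EVIDENCE = {
    "mail-export-2020-09-01.pst": b"constructed mailbox export bytes",
    "proxy-log-2020-09-01.txt": b"2020-09-01T10:00:01Z user42 GET https://example.invalid/ 200\n",
}

# Constructed custodian key. Held by the Investigating Officer, never stored
# next to the evidence or the manifest it seals.
CUSTODIAN_KEY = b"constructed-custodian-key-do-not-reuse"

SEAL_MISMATCH = "manifest seal does not verify: custody record altered or wrong key"


def sha256_hex(data: bytes) -> str:
    """Content hash recorded at acquisition and re-checked at verification."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: list) -> bytes:
    """Stable serialisation so the HMAC covers exactly the recorded entries."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(items: dict, acquired_by: str, key: bytes, when: str = None) -> dict:
    """Record hash, size, acquirer and time for every item; seal the record."""
    when = when or datetime.now(timezone.utc).isoformat()
    entries = [
        {"name": name, "sha256": sha256_hex(data), "size": len(data),
         "acquired_by": acquired_by, "acquired_at": when}
        for name, data in sorted(items.items())
    ]
    seal = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "seal": seal}


def verify_manifest(manifest: dict, items: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means record and items are intact."""
    problems = []
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the seal through timing differences
    if not hmac.compare_digest(expected, manifest["seal"]):
        problems.append(SEAL_MISMATCH)
    recorded = {e["name"]: e for e in manifest["entries"]}
    for name, entry in recorded.items():
        if name not in items:
            problems.append(f"{name}: item missing from evidence store")
        elif sha256_hex(items[name]) != entry["sha256"]:
            problems.append(f"{name}: content hash differs from acquisition record")
    for name in items:
        if name not in recorded:
            problems.append(f"{name}: item present but never recorded at acquisition")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_EVIDENCE, "ICT Security Manager", CUSTODIAN_KEY)
    print("fresh store:", verify_manifest(manifest, SAMPLE_EVIDENCE, CUSTODIAN_KEY) or "intact")
    tampered = dict(SAMPLE_EVIDENCE)
    tampered["proxy-log-2020-09-01.txt"] = b"edited after acquisition"
    print("tampered store:", verify_manifest(manifest, tampered, CUSTODIAN_KEY))
```

The manifest should be retained with the case file and re-verified before any hearing; a seal failure with the correct key means the custody record itself was changed, which is a separate finding from an item whose content no longer matches its recorded hash.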

29 Appendix A – Glossary of terms

Access Administrator: One who grants systems access to individuals as authorised

Access policy violation: A breach of access policy leading to unauthorised or attempted unauthorised access.

Adware: Display of advertising while a programme is running

AES 256 bit: Advanced Encryption Standard. Strong encryption algorithm

Application Firewall: A form of firewall which controls input, output, and/or access from, to or by an application or service

Audit Trail: A record of activities or actions performed on a system.


Authorised: Approved or permitted

Auto Forward: The automatic forwarding of email from one address to another

Back up cycle: Schedule of daily, weekly, monthly etc. cycles for backups.

Base Station: Radio receiver/transmitter that serves as the hub of a local wireless network

Breach: Violation of security policy e.g. unauthorised access

Business Continuity Management (BCM): Management process that identifies threats to business continuity and provides a framework for building organisational resilience to those threats

Bypass: Subvert a security control

Change Control: Formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner.

Combustible materials: Materials capable of igniting when exposed to heat. In this context it generally refers to paper, cardboard, wood etc.

Compensating control: An alternative control that meets the rigor and intent of the original control. Typically requires human intervention. Tactical, not strategic and usually only temporary until the required technology can be implemented.

Compromised: Breach of a security control

Concurrent Login: A single user logged on to a system multiple times. This can indicate sharing of a user id.

Confidentiality: Ensuring that information is accessible only to those authorised to have access.

Confidentiality agreement: Agreement between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to by third parties. Also known as a non-disclosure agreement

Configuration: Baseline settings and policies established on installation of a device and managed throughout its lifecycle.

Control: A safeguard or countermeasure to avoid, counteract or minimise security risk. A control may be preventive, detective or corrective.

Copyright: A set of exclusive legal rights granted to the creator of an original work or their assignee for a limited period of time upon disclosure of the work. This includes the right to copy, distribute and adapt the work.

Database Management System (DBMS): A software package that controls the creation, maintenance, and the use of a database.

Data Entry personnel: Business personnel responsible for the input of data and transactions into an application.

Default Deny: This is where the default condition of a firewall is to deny ALL connectivity – from anywhere to anywhere. Permissions based on business needs can then be established.

Default password: The password that is supplied by the vendor with a new device. Usually the same for all devices supplied worldwide and therefore a common attack vector.

Developers: Persons engaged in the development or enhancement of software applications e.g. programmers

Digital Certificate: The attachment to an electronic message used for security purposes. The common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.

Disaster recovery plan (DRP): The process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organisation after a natural or human-induced disaster.

De Militarised Zone (DMZ): A physical or logical sub network that contains and exposes an organisation’s external services to a larger untrusted network, usually the internet

Domain Administrator: Person who has administrative privileges across an entire Windows Domain

Download: To import data or software from another network, e.g. Internet

Early Warning Smoke Detection: Aspirating smoke detectors are highly sensitive, and can detect smoke before it is even visible to the human eye. Constantly samples the air for presence of smoke

Electronic Commerce: The online process of developing, marketing, selling, delivering, servicing and paying for products and services over the internet.

Electronic Signatures: Evidence that the person who claims to have written a message or attempted to authenticate is the person they claim to be.

Encryption: Encoding information to prevent unauthorised access


Encryption algorithm: A mathematical procedure for performing encryption on data. Through the use of an algorithm, information is made into meaningless cipher text and requires the use of a key to transform the data back into its original form.

Erased beyond readable format: The method to securely erase data is to write over the same physical spot on the hard disk multiple times with different patterns, effectively obliterating the magnetic signatures of the data which was once there.

Escrow: The software source code is released to the licensee if the licensor files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement

Exemption: Permission granted to be non-compliant with policy for a given situation.

Fire suppression system: Refers to automated fire suppression systems such as inert gas (INERGEN), FM20 etc. Deployed in facilities such as data centres housing valuable and business critical infrastructure.

Firewall: A device or set of devices designed to permit or deny network transmissions based upon a set of rules and is used to protect networks from unauthorised access while permitting legitimate communications to pass

Firmware: The fixed, usually rather small, programs and/or data structures that internally control various electronic devices

Host Content: Content published and hosted on a website

Hotfix: Emergency fix to an application or service, usually a software bug

IEEE 802: Institute of Electrical and Electronics Engineers Standards Association, IEEE 802 is a working group and a collection of IEEE standards produced by the working group defining the physical layer and data link layer’s media access control (MAC) of wired Ethernet

Information Security: The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity, and availability

Intellectual property: Creations of the mind such as musical, literary, and artistic works, inventions, and symbols, names, images, and designs used in commerce, including copyrights, trademarks, patents, and related rights. Under intellectual property law, the holder of one of these abstract “properties” has certain exclusive rights to the creative work, commercial symbol, or invention by which it is covered.

Integrity: The property that sensitive data has not been modified or deleted in an unauthorised and undetected manner


Internal network: A network where the establishment, maintenance, and provisioning of security controls are under the direct control of organisational employees or contractors.

Intrusion: Unauthorised act of bypassing the security mechanisms of a system

Intrusion Detection: A security management system for computers and networks. An intrusion detection system (IDS) gathers and analyses information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organisation) and misuse (attacks from within the organisation).

ISP: Internet Service Provider or Information Security Policy

ISO: ISO is the International Organisation for Standardisation.

ISO/IEC 27001: The standard which formally specifies a management system that is intended to bring information security under explicit management control

Key management: Provisions made in a cryptography system design that are related to generation, exchange, storage, safeguarding, use, vetting and replacement of keys. It includes cryptographic protocol design, key servers, user procedures and other relevant protocols.

LAN: Local Area Network

Lockout: Denial of access following a predetermined number of incorrect password attempts. Protects against password guessing

Log: Auditable record of activities performed on a system

Logical access: Being able to interact with data through access control procedures such as identification, authentication and authorisation.

Login Failure: Access is denied due to incorrect user ID/password combination.

Maintenance schedule: Schedule for maintenance of computer equipment housed within data centres or computer rooms.

Masked: Data masking is a method of creating a structurally similar but inauthentic version of an organisation’s data that can be used for purposes such as application testing.

Migration: The process of moving software programme code through test environments into the production environment

Modem: A modem is a device or program that enables a computer to transmit data over a telephone line


Non IBM system utilities: This refers to IBM mainframes only. System utility programs are used to list or change information that is related to data sets and volumes, such as data set names, catalogue entries, and volume labels. Most functions that system utility programs can perform are performed more efficiently with other programs, such as IDCAMS, ISMF, or DFSMSrmm.

Operating System: A set of programs that manages computer hardware resources, and provides common services for application software. Examples are Windows, Unix, Apple OSX etc.

Password Timeout: After a specified period of inactivity the user is forced to re-enter their credentials before being allowed to continue.

Patches: Software changes in response to discovery of vulnerabilities

Peer to Peer: An internet network that allows users with the same program to connect with each other to share files, e.g. BitTorrent

Penetration testing: Simulating the actions of an attacker to test the security resilience of a host or network

Perimeter: Refers to network perimeter. The boundary between a private network and public network e.g. internet

Personal Firewall: An application which controls network traffic to and from a single computer.

Phase end reviews: A review held at the end of each phase of a project to gain consensus that the phase is complete.

Physical communication facilities: Data Centre, computer room etc. for secure housing of critical computer and communications hardware

Physical security administrator: Someone who is responsible for the granting and revoking of physical access to building facilities.

Port control: Enforce security policies regarding usage of removable devices e.g. USB flash drives etc. Prevents data loss, malware attacks and includes data encryption.

Production Libraries: Software code libraries used in actual business processes. These are the programs which run in the live environment as opposed to test environments.

Remote access: Access to a network from another network, usually a public network, i.e. the internet.

Remote Administration: Performance of administration activities when connecting remotely.

Secure Channels: A secure channel is a way of transferring data that is resistant to interception and tampering

Security parameters: Values that are applied in configuring hardware or software, e.g. “password life time = 90”

Segregation of duties: Also referred to as separation of duties. It is the concept of requiring more than one person to complete a task to protect against fraud or error.

Semi-Trusted: A network or network segment that is trusted although under the control of another party. Generally the trust is very specific and considered to be of low risk

Session timeout: After a specified period of inactivity the session is logged off, requiring the user to present their credentials again

SNMP: Simple Network Management Protocol. Used for managing devices on IP networks

Spyware: Malware that is installed on computers without the user’s knowledge. Designed to collect personal information and information about web surfing habits etc.

SSID: Service Set Identifier, a token that identifies a wireless network.

SSL: Secure sockets layer, a protocol for transmitting private documents on the internet.

Stateful Firewall: A Firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known active connection will be allowed by the firewall, others will be rejected.

Strong password: A password of sufficient length, complexity and unpredictability which can resist guessing and brute force attacks.

Sub schemas: The schema is the physical arrangement of the data as it appears in the DBMS. The subschema is the logical view of the data as it appears to the application program.

System development methodology (SDLC): The process or methodology used to alter or create information systems. The cycle has a number of distinct phases e.g. business requirements, design, develop, test and implement.

Terminal: The device used for entering and displaying data from a computer.


Third party software: Software that is developed by a party external to the organisation as opposed to software developed in house.

Two Factor Authentication: A strong form of authentication requiring something you know and something you have (or are e.g. bio-metric). Designed to defeat password guessing attacks or limit the time a compromised credential can be used. Most commonly it requires entry of a password or PIN (something you know) together with entry of a one-time password generated by a token or fob key (something you have). Apart from tokens the second factor can be via a soft token, SMS or reputation based methods.

Transport Encryption: Encryption of communications over a network e.g. Internet.

Trusted: Trusted networks are defined as networks that share the same security policy or implement security controls and procedures that provide an agreed upon set of common security services. Untrusted networks are those that do not implement such a common set of security controls or where the level of security is unknown or unpredictable.

UAT/Quality Environment: User Acceptance test environment used by system developers to test newly developed software or changes to software prior to implementation.

Unauthorised: Access that has not been granted through normal authorisation procedures.

Uninterruptible Power Supply (UPS): Provides instantaneous or near-instantaneous protection from input power interruptions by means of batteries or diesel generators.

Untrusted: Untrusted networks are those that do not implement the common set of security controls and procedures described under Trusted, or where the level of security is unknown or unpredictable.

User ID: User Identifier. Entered during logon to a system and uniquely identifies the person. Enforces accountability as activities performed can be logged against the user id.

User Profile: Collection of data pertaining to a specific user. Includes information about the person and the access they have been granted on a computer network.

Vulnerability: A flaw in a computer system that an attacker can exploit.

Webmail: An email service offered through a website (a webmail provider) such as Gmail, Hotmail etc.

Wireless Access Point (WAP): A device that allows wireless devices to connect to a wired network using Wi-Fi, Bluetooth or related standards. The WAP usually connects to a router (via a wired network), and can relay data between the wireless devices (such as computers or printers) and wired devices on the network.


WPA AND WPA2: Wi-Fi Protected Access, a protocol to secure a wireless computer network, WPA replaced Wired Equivalent Privacy (WEP) due to inherent security weaknesses. WPA2 is a more secure implementation of WPA.

Workstation: A computer terminal or a PC connected to a network.

29 Appendix B – European Economic Area (EEA) Countries

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third-party countries or international organisations, to ensure that the level of protection of individuals afforded by the GDPR is not undermined. Currently the EEA consists of the 27 European Union member states and three of the four member states of the European Free Trade Association (EFTA).

European Union member states:

Austria
Belgium
Bulgaria
Croatia
Cyprus
The Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Ireland
Italy
Latvia
Lithuania
Luxembourg
Malta
Netherlands
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden

European Free Trade Association member states:

Iceland
Liechtenstein
Norway


30 Appendix C – Request for Staff Personal Records

Subject Access Request Form (Please note that a subject access request could be a verbal or written request)

Subject Access Request – Data Protection Act 2018

This form is used to confirm the identity of the Staff / patient, the identity and authority of the applicant (where applicable) and to assist in locating information relating to the Staff / patient requested by the applicant. Please complete it and send it to the address at the end of the form. If you need any help please email: nwlcc gs.subjectac [email protected]

PLEASE READ INFORMATION SECTION (Pages 6 – 8) BEFORE COMPLETING THIS FORM

Section 1 - Who is the data subject - Staff / patient?

Staff / patient’s Surname:

Staff / patient’s Forename(s):

Date of Birth:

Hospital Number:

Address:

Country: Post Code:

If the Staff / patient has lived at this address for less than 2 years please tell us their previous address:

Country: Post Code:

Telephone number:


Section 2 - What are your personal details?

(a) Are you the Staff / patient? Yes / No

If you have answered “Yes”, go straight to Section 3 on page 3. Otherwise please provide the information below:

Your full name:

Address:

Country: Post Code:

Telephone number:

E-mail address:

(b) If you are NOT the Staff / patient please tick the appropriate box below to state your relationship with them:

I am the Staff / patient’s parent (with parental responsibility) and the Staff / patient is under 16 years old and: *(is incapable of understanding the request) (has consented to my making this request) *delete as appropriate

I have been asked to act by the Staff / patient and attach the Staff / patient’s written authorisation

I am the deceased Staff / patient’s Personal Representative and attach confirmation of this

I have a claim arising from the Staff / patient’s death and wish to access information relevant to my claim and attach an explanation of the claim being considered

I have been appointed as the Mental Capacity Advocate for this Staff / patient and wish to access copies of their records. I attach confirmation of my appointment

Other? (please state):

What written authority have you enclosed which supports your entitlement to the information?


Section 3 - Confirming your identity and address

(a) In order to confirm your identity, you will need to send us the original or a certified copy* of one of the documents listed below. Please tick the appropriate box to indicate which document you have enclosed:

Full valid current passport issued by a member state of the EEA (European Economic Area)

ID card issued by a member state of the EEA (European Economic Area)

Full valid driving licence issued by a member state of the EEA (European Economic Area)

Birth Certificate or Certificate of Registry of Birth or Adoption Certificate

Travel documents issued by the Home Office

Certificate of Naturalisation or Registration

Home Office Standard Acknowledgement Letter

(b) You must also confirm your address by sending us the original or a certified copy* of one of the documents listed below. Please tick the appropriate box to indicate which document you have enclosed:

Gas, electricity, water or telephone bill in your name for the last quarter

Council tax demand in your name for the current financial year

Bank, building society or credit card statement in your name for the last quarter

Letter addressed to you from solicitor or social worker

Pension Book or Jobseeker’s Allowance Book

(c) If you are applying on behalf of another person, you will need to show proof of your identity as well as theirs, plus proof that you have permission to act on their behalf. We will accept one of the following as proof that you have permission to act on their behalf. Please tick the appropriate box to indicate which document you have enclosed:

A signed declaration by the Staff / patient

A signed declaration by a health professional, police officer or MP confirming that the Staff / patient is unable to make the request themselves

A document confirming that you are the parent or guardian of the Staff / patient (if this is the case and the Staff / patient is a minor)

*A certified copy is one on which a person able to sign (e.g. Justice of the Peace, solicitor, medical doctor) has certified that it is a true copy of the original document.

Section 4 – What information is requested

Please tick the appropriate box to indicate if you wish to access:

ALL records

or

Specific records regarding the treatment of (please state condition/illness and approximate date):

Please tick ALL relevant boxes to indicate which types of records you wish to access:

Clinical Records (in-patient & out-patient)

Accident & Emergency Records

Medical records

Staff / Personal records

HR records

Please tick the appropriate box to indicate if you would like copies of these records or just to view them:

I would like to view the records

I would like copies of the records

Section 5 - Formal Declaration

In exercise of the right granted to me under the terms of the Data Protection Act 2018 (& EU GDPR), I request that you provide me with the information I have indicated overleaf. I confirm this is all of the information to which I am requesting access. I also confirm that I am either the Staff / patient, or am acting on their behalf. I am aware that it is an offence to unlawfully obtain such information, e.g. by impersonating the Staff / patient. I certify that the information given in this form is true. I understand that it is necessary for the North West London (NWL) Collaboration of 8 Clinical Commissioning Groups (CCGs) to confirm my identity and it may be necessary to obtain more detailed information in order to confirm my identity and/or locate the correct information.

Signed:

Print name:

Date:

1 Information Security Policy Statement | NW London CCGs


Please make sure you have:

▪ completed this form in full
▪ signed the declaration above
▪ enclosed the relevant proof of identity
▪ enclosed the relevant proof of address
▪ if applying on behalf of another person, their permission together with any authorities to act on their behalf

Send the completed form and enclosures to:

Email: [email protected]

Postal Address:

Data Protection Officer
1st Floor
15, Marylebone Road
London NWL 5JD

Note: We recommend that you send your form and documents by a secure method e.g. Recorded Delivery. North West London (NWL) Collaboration of 8 Clinical Commissioning Groups (CCGs) will return all original documents as soon as possible via recorded delivery. If you deliver your documents in person we will verify these at the time of your visit, retain copies of those documents and return them to you.

If you need any help please email: [email protected]

31 Appendix D – Equality Impact Assessment

Policy for the development, ratification and implementation of and related procedural documents.

Equality Impact Assessment Tool (Equality Analysis)

To be completed and attached to any procedural document when submitted to the appropriate committee for consideration and approval. For each item, record Yes/No and any comments.

1 Does the policy/guidance disadvantage one group or more than another on the basis of:

Race (including colour, culture, ethnicity, nationality or national origin and the travelling community): N

Religion or Belief: N

Sex (e.g. male or female): N

Marriage or Civil Partnership: N

Sexual Orientation (Lesbian, Gay, Bisexual, Heterosexual): N

Gender reassignment (e.g. someone who ‘is proposing to undergo, is undergoing or has undergone a process (or part of a process) for the purpose of reassigning the person’s sex by changing physiological or other attributes of sex.’): N

Disability (e.g. learning disabilities, physical disability, sensory impairment, mental health problems etc.): N

Pregnancy and Maternity: N

Age (children, young adolescent, older people etc.): N

2 Is the policy/guidance/strategy more favourable towards one group on the basis of:

Race: N

Religion or Belief: N

Sex: N

Marriage or Civil Partnership: N

Sexual Orientation: N

Gender reassignment: N

Disability (e.g. learning disabilities, physical disability, sensory impairment, mental health problems etc.): N

Pregnancy and Maternity: N

Age (e.g. children, young adolescent, older people etc.): N

3 If you have identified potential discrimination in the policy/guidance are there any valid, legal and/or justifiable exceptions? Please list any exceptions.

N/A

4 Is the policy/guidance likely to have a negative/adverse impact on any of the above group(s)?

N/A

5 If so, how would you address the impact? Please explain.

N/A

If you have identified a potential discriminatory impact in this document, please refer to the author(s) of the policy/guidance, together with any suggestions required to address the impact.