1 Appendix 1 - OPERATIONAL SYSTEM
1 Appendix 1 - OPERATIONAL SYSTEM
1.1 Confidentiality of Information Systems
Only authorised staff shall have access to information systems and that access is restricted to the information required for the authorised person’s recorded job function on a need to know basis.
Updating and other activities that could affect the integrity of information must be restricted to authorised staff needing to do so as part of their job functions, in line with Caldicott principles on confidential information access.
Where multiple numbers of staff share an Information system, each staff member shall have a unique and verifiable identity. All transactions on such systems must be attributable to the individual who initiated them.
Passwords must be defined in line with NHS Fife policies and kept confidential at all times.
Access to NHS Fife systems from external networks or via dial-up communication lines will only be permitted where authorised by a departmental manager. Any such connections shall be subject to an additional layer of security, in line with national standards and NHS regulations.
NHS Fife will control and monitor internal access to external networks and reserves the right to disconnect immediately, and if necessary, permanently, any user or organisation attempting to breach this policy.
Confidentiality will be risk assessed as part of change and incident management.
1.2 Integrity of Information Systems
All system assets shall operate correctly according to their specification and in the way staff expect it to be functioning. Information needs to be accurate and complete.
Integrity will be risk assessed as part of change and incident management.
1.3 Availability of Information Systems
Regular backups shall be taken of all centrally hosted Information systems and stored in a secure manner. Endpoint backup (e.g. information locally stored in desktop and laptop computers) is not carried out nor is it supported.
Backups shall be tested periodically to ensure that systems/files can be restored if and when required.
Disaster recovery plans will be created for each critical Information system.
Contingency plans must ensure that critical systems are available and operable in a timescale that prevents significant impact on NHS Fife’s critical services.
Availability will be risk assessed as part of change and incident management.
1.4 Mobile Computing
The principles of this policy apply in situations where NHS Fife deploys mobile computing devices. NHS Fife will provide Standards, Policies and Guidelines to address any special issues that arise from the use of such devices.
1.5 System Development
Staff who authorise the development or purchase of information systems will be responsible for ensuring that the specification conforms to the purpose for which the systems are required. Developers or procurers of information systems, including service providers, will be responsible for ensuring that systems produce results as specified and provide adequate means of information security.
New applications under development on behalf of NHS Fife must include adequate security measures that are clearly documented in the Business Case and defined in the requirements specification. The regulatory framework of the NHS, including Data Protection legislation and recommendations of the Caldicott Report must be adhered to, both in the requirement and design phases.
The testing of all applications must be documented and attention paid to all aspects of security. Configuration Management must be used for each system - specifically, all initialisation files, data and test results files and system files must be identified and preserved with appropriate security and accountability. Under no circumstances will operational data be provided for use in application development or testing outside of NHS Fife’s own secure environment.
All new critical systems must have an Operational Support Guide (OSG). The OSG must address the different aspects of:
· physical, personnel and document security principles;
· communications security;
· hardware and software security measures;
· administrative and procedural security rules;
· business continuity processes and procedures;
· risk management;
1.6 Compliance
NHS Fife will comply with all relevant legislation and give consideration to advisory instructions from NHS Scotland and Central Government bodies. A list of the principal legislation and formal administrative guidance on Information Security with which NHS bodies must currently comply is provided in Appendix 1.
NHS Fife will respect the licence conditions and intellectual property rights of software manufacturers. It will maintain records of the procurement, disposition and disposal of media and licences.
NHS Fife will proactively discourage the unauthorised introduction of software and unauthorised use or copying of licensed software.
NHS Fife is required to make arrangements for adequate levels of audit to be undertaken.
The NHS Fife Internal Audit function (FTF Audit Services) will review and report at defined intervals upon controls and security levels which operate at a general and application level. Specifically, Internal Audit will report upon the compliance of NHS Fife with this policy.
1.7 Data Classification
NHS Fife will operate a data classification scheme to enable the identification of critical and sensitive information systems:
· critical information systems are those, which either have a direct impact on patient care or make a substantial contribution towards the successful running of NHS Fife;
· sensitive information systems are those that require high levels of protection from unauthorised modification or disclosure. N.B. All person identifiable information systems are considered sensitive. However, within these systems, there are some that are considered to be highly sensitive.
Critical and sensitive information systems must be formally identified in accordance with the definitions contained within the Information Security Standards, and documented as such in an Information Asset Register.
1.8 Physical Protection
NHS Fife will ensure that physical controls will be in place to minimise and reduce losses from theft, damage, or inappropriate disposal of information systems and electronic and paper held information.
· Procedures will ensure that buildings are physically secured and monitored such that the movements of staff and visitors are restricted to authorised areas.
· Particularly sensitive areas must be identified so that they can be provided with additional access control security.
· Areas containing critical computer or communications equipment will be provided with environmental controls to reduce the risk of damage or loss from fire, flood, power loss and other threats to continued operations.
· Information will be stored and, where necessary, disposed of in a secure and ethical manner.
· Staff should, where possible, operate a ‘clear desk’ policy in relation to person identifiable information.
· Incidents involving loss, theft or damage to equipment should be reported in line with the incident reporting requirements of each department. The Loss, Theft and Damage form (LTD/1) shall also be completed, refer to the Financial Operating Procedures for this document and further details.
· All critical systems will have access to server room resources providing higher levels of physical protection.
1.9 Education of Staff
Security education, as part of NHS Fife’s training programme, will ensure that all managers and staff are aware of potential security threats and their own responsibilities for applying good security practices to minimise these threats. This should be included in the Personal Development Plans of staff:
· The person undertaking the Lead Information Security role will receive training, in accordance with their Personal Development Plan, to enable them to advise management and staff on risk and the appropriate security countermeasures.
· All management and staff must comply with the security policies of NHS Fife.
2 Related Publications
· GP/I5 - Information Security Policy - EQIA
3 Related Policies
· GP/B2 - eHealth Remote Access Policy
· GP/C9 - Confidentiality Policy
· GP/D3 - Data Protection Policy
· GP/E6 - Email Policy
· GP/I3 - Internet Policy
· C-02 - NHS Fife Policy For Access to Fife Council On-Line Child Protection Register By NHS Fife Staff
· GP/E7 - Non NHS Fife Equipment
· GP/O2 - Online Communications
· GP/P2 - Password Policy
· GP/P3 - Picture Archiving and Communications System (PACS) Policy
· GP/P3-1 - Picture Archiving and Communications System (PACS) Procedure
· GP/O2-5 - Use of Staff Intranet Discussion Forums
NHS Fife is committed to the provision of a service that is fair, accessible and meets the needs of all individuals
Policy No.GP/I5 Review Date: 01/05/2016 Page 3 of 4