Copyright © 2017 Health and Social Care Information Centre.

Audit

Contents

1 Purpose

2 Scope

3 Applicability

4 Guidance

Terminology

Policy

General Requirements

Technical Requirements

5 Key Words

1 Purpose

The purpose of this Audit Example Policy is to provide exemplar guidance, in line with HMG and private sector best practice, for the implementation of an Audit Policy. This is in order to allow the reader to produce the necessary policies and guidance for their business area and to ensure that the applicable and relevant security controls are put in place in line with Department of Health, wider NHS, health and social care and HMG requirements.

2 Scope

This Example Policy covers the drafting of any policy governing the audit processes and procedures for NHS systems, devices or applications deployed in support of NHS or health and social care business functions.

3 Applicability

This Example Policy is applicable to and designed for use by any NHS, health and social care or associated organisations that use or have access to NHS systems and/or information at any level.

4 Guidance

This Example Policy provides guidance on the production of an Audit Policy. The Example Policy is in italics, with areas for insertion shown as <…> and the rationale for each paragraph or section, where required, in [….].

Terminology

Term    Meaning / Application
SHALL   This term is used to state a mandatory requirement of this policy.
SHOULD  This term is used to state a recommended requirement of this policy.
MAY     This term is used to state an optional requirement of this policy.

Policy

General Requirements

  • System audit schedules shall be prepared that take into account the status and importance of the processes being audited and the results of previous audits.
  • The scope of system audits shall be clearly defined by the SIRO, with advice from the CISO.
  • Documentation shall be maintained to record the outcome of system audits and to provide an audit trail.
  • System audits shall be reviewed to verify that corrective actions have been taken and that those actions have been effective.
  • Results of system audits shall be presented to senior management for review, so that recurring issues can be identified and addressed.
  • <Insert name of organisation> shall implement formal change control procedures for addressing changes identified as necessary from audit findings.
  • Comprehensive audit trails shall be maintained to control the versions of superseded programs.

[Information technology audits are used to ensure that the necessary security controls are in place to guard an organisation's information, to evaluate the organisation's ability to protect its information assets and to provide warning of potential security vulnerabilities and security breaches.]

Technical Requirements

  • <Insert name of organisation> shall implement auditing for all business-critical transactions that create, update or delete data on the System, recording them in audit tables that are available for analysis. Where available, this shall include:
      • User name.
      • Date.
      • Transaction start time.
      • Transaction end time.
      • Satisfactory completion of transactions that have a financial implication, to include:
          • Batch run identifier.
          • Workstation ID.
      • Access to and alteration of critical or security data.
      • Instances when processes are halted because of security or privilege breaches.
  • <Insert name of organisation> business-critical system audit logs shall be sized appropriately (so that records are not lost to rotation or exhausted storage) and their contents reviewed regularly by trained staff, with discrepancies being reported to <insert name of organisation> Management and the relevant Information Asset Owner (IAO).

[The information collected by technical means for system audits should be tailored to meet the requirements and capabilities of the organisation. Too little information may mean that actual or potential breaches and vulnerabilities are missed; too much may mean that they are lost in a sea of background noise.]

  • <Insert name of organisation> system audit logs, and any associated customer data that is collected, shall be safeguarded using a combination of technical access controls and robust procedures, with all changes supported by logging and internal audit controls.

[It is essential that audit logs and any collected data are protected in accordance with the information to which they refer. Audit logs should also be protected in order to ensure that they cannot be deleted, altered or tampered with.]

  • The activities of <insert name of organisation> system administrators and the use of powerful system utility tools should be audited by independent internal auditors on a regular basis.

[A process should be established to independently audit and verify the audit processes. This will add a further level of security control against the alteration or deletion of audit records or the misuse of the audit process.]

  • All critical <insert name of organisation> system clocks shall be synchronised, at least daily, to a single agreed reference time source (normally via NTP), in particular across the various processing platforms within the IT infrastructure, so that events recorded on different systems can be correlated.
  • 'System time' on any system shall not be manipulated, since doing so could invalidate log contents and compromise the investigation of security incidents.
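The Technical Requirements above call for an audit table that records the listed fields and that cannot be deleted, altered or tampered with. The following is an added illustration of one way to meet both points; it is example code written for this page, not part of the NHS Digital policy or of any NHS system. It assumes a SQLite table named audit_log (the table and column names, the GENESIS constant and the sample records are all invented here): ordinary UPDATE and DELETE are refused by triggers, and every row carries a hash of the previous row, so a privileged user who bypasses the triggers still leaves detectable evidence. The clock check at the end reflects the requirement that system time not be manipulated.

```python
"""Append-only, hash-chained audit table (added example, not NHS Digital code).
Each record carries the fields the policy lists; every row is chained to the
previous row's hash so that alteration or deletion becomes detectable."""
import hashlib
import json
import sqlite3

GENESIS = "0" * 64  # prev_hash of the very first record (assumed convention)

SCHEMA = """
CREATE TABLE audit_log (
    seq            INTEGER PRIMARY KEY AUTOINCREMENT,
    user_name      TEXT NOT NULL,
    workstation_id TEXT NOT NULL,
    batch_run_id   TEXT,            -- only for batch / financial runs
    started_at     TEXT NOT NULL,   -- ISO 8601 UTC from the synchronised clock
    ended_at       TEXT NOT NULL,
    action         TEXT NOT NULL,
    outcome        TEXT NOT NULL,   -- e.g. 'ok' or 'halted:privilege'
    prev_hash      TEXT NOT NULL,
    row_hash       TEXT NOT NULL
);
-- Ordinary database users get no way to rewrite history.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""
FIELDS = ("user_name", "workstation_id", "batch_run_id",
          "started_at", "ended_at", "action", "outcome")


def open_audit_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def _row_hash(prev_hash, rec):
    # Canonical JSON so the same record always hashes identically.
    payload = json.dumps({k: rec[k] for k in FIELDS}, sort_keys=True,
                         separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode()).hexdigest()


def record(conn, **rec):
    """Append one audit record; returns its hash (the new chain head)."""
    rec.setdefault("batch_run_id", None)
    missing = [k for k in FIELDS if k not in rec]
    if missing:
        raise ValueError(f"missing audit fields: {missing}")
    with conn:  # read the chain head and append in one transaction
        last = conn.execute("SELECT row_hash FROM audit_log "
                            "ORDER BY seq DESC LIMIT 1").fetchone()
        rec["prev_hash"] = last["row_hash"] if last else GENESIS
        rec["row_hash"] = _row_hash(rec["prev_hash"], rec)
        cols = FIELDS + ("prev_hash", "row_hash")
        conn.execute(f"INSERT INTO audit_log ({', '.join(cols)}) "
                     f"VALUES ({', '.join('?' * len(cols))})",
                     [rec[c] for c in cols])
    return rec["row_hash"]


def verify(conn, expected_head=None):
    """Walk the chain and return a list of problems (empty = intact).
    expected_head: the latest row_hash as kept outside the DBA's reach, so
    that records trimmed off the END of the table are caught as well; the
    chain alone cannot see that case."""
    problems, prev_hash, prev_seq = [], GENESIS, 0
    for row in conn.execute("SELECT * FROM audit_log ORDER BY seq"):
        seq = row["seq"]
        if seq != prev_seq + 1:
            problems.append(f"gap before seq {seq}: record(s) deleted")
        if row["prev_hash"] != prev_hash:
            problems.append(f"seq {seq}: chain broken (earlier record altered or removed)")
        if row["row_hash"] != _row_hash(row["prev_hash"], row):
            problems.append(f"seq {seq}: contents altered")
        if row["ended_at"] < row["started_at"]:  # same ISO 8601 UTC format
            problems.append(f"seq {seq}: end precedes start (clock manipulated?)")
        prev_hash, prev_seq = row["row_hash"], seq
    if expected_head is not None and prev_hash != expected_head:
        problems.append("chain head differs from the external copy (trailing records lost)")
    return problems


def demo():
    """Constructed sample records, then tampering by a privileged user."""
    conn = open_audit_db()
    base = dict(workstation_id="WS-0412", started_at="2017-03-01T09:00:00Z",
                ended_at="2017-03-01T09:00:02Z")
    record(conn, user_name="jsmith", action="UPDATE patient_contact",
           outcome="ok", **base)
    record(conn, user_name="payroll-batch", batch_run_id="PR-2017-03",
           action="CREATE payment", outcome="ok", **base)
    head = record(conn, user_name="jsmith", action="DELETE audit_config",
                  outcome="halted:privilege", **base)
    assert verify(conn, head) == []
    try:  # the trigger stops an ordinary UPDATE outright
        conn.execute("UPDATE audit_log SET user_name='nobody' WHERE seq=1")
    except sqlite3.DatabaseError:
        pass
    # A privileged user drops the triggers and rewrites history anyway...
    conn.executescript("DROP TRIGGER audit_no_update; DROP TRIGGER audit_no_delete;"
                       "UPDATE audit_log SET user_name='nobody' WHERE seq=1;"
                       "DELETE FROM audit_log WHERE seq=2;")
    return verify(conn, head)  # ...and the hash chain reports what changed
```

Running demo() reports three problems: record 1 altered, a gap before record 3, and a broken chain at record 3. The design point is the second argument to verify: a hash chain detects edits and deletions in the middle of the log, but the only defence against quietly truncating the newest records is to copy the current chain head somewhere the database administrator cannot reach, which is exactly the independent audit of the audit process that the rationale above asks for.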

5 Key Words

Access, Audit, Change, Clock, Controls, Data, Information, Infrastructure, Logging, Logs, System, Time
