Device Encryption Policy
Document History
Document Name: Device Encryption Policy
Location: Susi Policy Library
Consultation: PDIAG
Approved by: PDIAG
Date: 16.3.16
Supersedes: Initial SLCSU Policy
Description: The SECSU Device Encryption Policy describes the encryption requirements and standards for use on SECSU owned and managed end user devices
Audience: All CSU staff
Contact Details: Senior Partner, ICT
Amendments
Version / Date / Author / Approver / Reason
0.1 / 11/06/2013 / - / - / Initial draft
0.4 / 19/08/2013 / - / - / Formatting and amendments
1.0 / 20/08/2013 / - / - / Final
1.1 / 29/10/2013 / - / - / Information Governance review
2.0 / 29/10/2013 / - / - / Approval by Policy Advisory Group
2.1 / 23/02/2015 / - / - / SECSU rebrand
3.0 / 22/04/2015 / - / - / Updated to reflect organisational changes
4.0 / 16/03/2016 / Bruce Wright / PDIAG / Periodic review and updates to reflect organisational structure changes, compliance information and extended review period.
1.0 Introduction
2.0 Objectives
3.0 Scope
4.0 Equality Analysis
5.0 Roles and Responsibilities
6.0 Legislation and NHS Policy/Best Practice
7.0 Encryption Requirements
8.0 Support and Escalation of Breaches
9.0 Storage on SECSU Devices
10.0 Monitoring of policy compliance
11.0 Review
12.0 Implementation
1.0 Introduction
1.1 This Device Encryption Policy applies to all staff working directly for, or on behalf of, or whose organisation has entered into an agreement for the provision of ICT services by, the South East Commissioning Support Unit (SECSU).
1.2 This Device Encryption Policy supersedes all pre-existing Device Encryption Policies.
1.3 The majority of staff to which this policy applies will require the use of mobile devices to perform their duties or to undertake research and investigations. It is therefore essential that the SECSU’s standards of acceptable use are clearly identified and understood by all parties.
1.4 SECSU recognises the necessity of mobile working for the organisations and members of staff that it supports. However, it also recognises the significant accompanying risk of the loss of personal or otherwise confidential data.
1.5 Encryption is one measure that mitigates this risk and complements the other standards set by the SECSU ICT Policy Framework, including access to and acceptable use of the network, applications and internet, and the SECSU’s user account management.
1.6 The encryption techniques deployed by the SECSU aim to enhance the confidentiality, integrity and availability of the data held, and thereby to prevent unauthorised disclosure of information assets and disruption to normal business.
2.0 Objectives
2.1 The objectives of this policy are:
- To ensure that the risk of loss, theft or otherwise inappropriate access to data held on SECSU devices is mitigated through robust encryption
- To identify the responsibilities of key members of staff in relation to the enforcement of this Policy and associated Protocols and Procedures
- To meet all legislative requirements and best practice guidelines regarding the encryption of the SECSU’s devices
3.0 Scope
3.1 This Policy defines the SECSU’s required standards for device encryption.
3.2 The Device Encryption Policy covers all devices owned by or connected to the SECSU ICT Network at any site owned or leased by the organisation, or at any site from which the SECSU provides these services.
3.3 The scope of this Policy covers standards for:
- Devices and services that must meet the SECSU’s encryption standards
- The encryption level that all such software must achieve
- The support and escalation process in the event of a breach
- Roles and responsibilities to ensure the above standards are consistently met within the SECSU and the organisations it supports
3.4 This policy applies to:
- Permanent staff
- Voluntary staff
- Other NHS and healthcare related organisations
- Third party/contracted staff
3.5 This Policy does not apply to:
- Employees with no access to the organisation’s network, applications or the internet (via the organisation’s network)
4.0 Equality Analysis
This document demonstrates the organisation’s commitment to create a positive culture of respect for all individuals, including staff, patients, their families and carers as well as community partners. The intention is, as required by the Equality Act 2010, to identify, remove or minimise discriminatory practice in the nine named protected characteristics of age, disability, sex, gender reassignment, pregnancy and maternity, race, sexual orientation, religion or belief, and marriage and civil partnership. It is also intended to use the Human Rights Act 1998 and to promote positive practice and value the diversity of all individuals and communities.
5.0 Roles and Responsibilities
5.1 Senior Partner of ICT
Is responsible for ensuring that:
- The ICT service has a policy for device encryption as defined within this Policy
- Appropriate capacity and capability is put in place to manage and monitor this Policy
- The overall Policy framework within which this Policy sits is set out
5.2 ICT Security Manager
Is responsible for ensuring that:
- Associated protocols and procedures are in place to allow support staff to manage access according to the definitions, roles and responsibilities set out in this Policy
- Regular ICT Security Incident and monitoring update reports are provided to the Information Governance Manager and SIRO relating to breaches or weaknesses identified in encryption processes, in line with this policy
- Risks and issues in this area are reported and escalated to the Senior Partner in Charge of ICT
5.3 Head of Operations
Is responsible for ensuring that:
- Operational ICT teams are aware of and adhere to this Policy
- This policy framework is implemented by the Desktop team and compliance with its standards is met for all mobile devices connected to the SECSU ICT network
- Regular ICT Security Incident and monitoring update reports are provided to the Information Governance Manager and SIRO relating to breaches or weaknesses identified in encryption processes, in line with this policy
- Risks and issues in this area are reported and escalated to the Senior Partner in Charge of ICT
5.4 Line Manager
The Line Manager is responsible for:
- Ensuring that their staff are made aware of their responsibilities in relation to this Policy and its associated Protocols and Procedures (including undertaking any mandatory training)
5.5 All staff
All staff working or acting for the SECSU must:
- Read, understand and comply with the Device Encryption Policy
- Report any breaches, whether accidental or deliberate, and any risks and incidents
- Be aware of their own responsibility to maintain an awareness of changes to the SECSU’s Device Encryption Policy
6.0 Legislation and NHS Policy/Best Practice
SECSU is required to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of the SECSU, who may be held personally accountable for any breaches of this policy. The SECSU shall comply with the following legislation and other legislation as appropriate:
- Health and Social Care Act (2012)
- Employment Practices Code Part 3 – Monitoring at Work
- The Data Protection Act (1998)
- The Data Protection (Processing of Sensitive Personal Data) Order (2000)
- The Copyright, Designs and Patents Act (1988)
- The Computer Misuse Act (1990)
- The Health and Safety at Work Act (1974)
- Human Rights Act (1998)
- Regulation of Investigatory Powers (RIPA) Act (2000)
- Freedom of Information Act (2000)
- The Code of Confidentiality
- Disciplinary Policy
- Communications Act (2003)
- Equality and Diversity policies
- Privacy at Work
- ICT Security Incident Management Protocol
- Anti-Fraud and Corruption Policy
- Records Management: NHS Code of Practice
- NHS Code of Conduct
- N3 Statement of Compliance
- Equality Act 2010
7.0 Encryption Requirements
7.1 In this Policy, key terms are defined as follows:
- Encryption: The process of converting information using an algorithm to make it unreadable to anyone except those possessing special knowledge (i.e. a password).
- Personal Confidential Information: Data which relates to an individual who can be identified from that data, as defined in the Data Protection Act 1998 and further protected through the Health and Social Care Act 2012 and supporting regulations and guidance.
- Business Critical Information: Data whose loss would have a significant impact on the performance, reputation and operational effectiveness of the organisation; including in particular financial, personal or major project information.
7.2 Acceptable Use is defined as:
- Authorised use for research, professional development or to support SECSU business activities.
Unacceptable Use is defined as:
- Downloading data or programs without prior consent from a senior ICT manager, or otherwise causing damage to the ICT Infrastructure (this increases the risk of data loss and of viruses being brought into the SECSU network).
7.3 Devices and services that must meet the SECSU’s encryption standards
7.4 All mobile devices and removable media provided by, or connecting to, the SECSU network infrastructure shall meet the encryption standards set out in this policy. As defined in the mobile working policy:
- Mobile devices include any equipment that can store information independently of the SECSU’s fixed secure network servers and transport it to any location. Typically this includes laptops, notebooks, tablet PCs and mobile phones
- Removable media or data storage media include any physical item that can store digital information and requires another device to access it; for example USB data sticks and hard drives
- It is the responsibility of the user to ensure that the encryption in place for such devices is operating effectively or, where devices not provisioned by the SECSU are being used, that the encryption in place meets the standards set out in this policy.
- All confidential information sent or received through email must be encrypted through the use of NHSmail or comparably secure government-approved email services such as GSI, XGSI, GSX, CJSM and CJX.
7.5 Encryption standards
7.6 All SECSU laptops shall be encrypted to AES 256-bit encryption, or to current NHS standards if higher, and to those specified by CESG or Cabinet Office mandate.
7.7 Other mobile devices, including mobile phones and tablet PCs, shall be configured with NHSmail prior to provision. NHSmail encryption will meet the standards set out in national NHSmail Policy and guidance. This ensures:
- Encryption of all data sent and received by the device
- Automatic timeout screen lock
- Remote wipe capability in the event of theft or loss
Removable media devices, principally USB sticks and hard drives where required, shall be encrypted by the supplier to AES 128-bit or AES 256-bit encryption, or to current NHS standards if higher.
8.0 Support and Escalation of Breaches
8.1 The ICT Service Desk has primary responsibility for ensuring that all devices procured on behalf of SECSU members of staff, or those of the organisations it supports, are encrypted to the standards set out in this policy.
8.2 If any staff have concerns or questions regarding the encryption of their device, they should raise a call in the first instance with the SECSU ICT Service Desk.
8.3 In the case of the loss, theft or damage of a mobile device containing SECSU data, the owner should immediately escalate the issue to the Head of Service Desk or Head of Server and Security, as per the details provided in the SECSU’s escalation process contained within the “Management Response to a Major Incident” procedure.
8.4 Any devices returned to the SECSU following a loss or theft must be reported to the ICT Service Desk and returned as instructed for checking and reconfiguration, as necessary.
9.0 Storage on SECSU Devices
9.1 The SECSU Network drives are for the storage of clinical and corporate data by authorised personnel only. No information should be stored on local drives (C: drives).
9.2 No personal information, including photographs, videos, music etc., shall be stored on the SECSU Network or local drives.
10.0 Monitoring of policy compliance
10.1 Compliance
Compliance with this policy will be monitored through the ICT Security Group, which reports to the ICT Steering Group.
10.2 Non-compliance
10.2.1 Failure to comply with the standards and appropriate governance of information as detailed in this policy may result in disciplinary action. All staff are reminded that this policy covers several aspects of legal compliance for which they are responsible as individuals.
10.2.2 Failure to maintain these standards can result in HR disciplinary processes being followed, which could result in criminal proceedings against individuals or the organisation.
11.0 Review
11.1 Next formal review
This Policy will be formally reviewed 3 years after the approval of this Policy, in March 2016, or earlier depending on the results of monitoring, a change of law, a mandate from the Department of Health or organisational change.
11.2 Latest version
The audience of this document should be aware that a physical copy may not be the latest version. The latest version, which supersedes all previous versions, is available at the location indicated in the document control section of this document. Those to whom this Policy applies are responsible for familiarising themselves periodically with the latest version and for complying with Policy requirements at all times.
12.0 Implementation
12.1 The Device Encryption Policy will be published on the intranet and external website, and publicised via team briefs and staff induction. Awareness will be raised via the general organisation induction, mandatory update training for clinical and non-clinical staff, and local induction programmes.
12.2 The date of implementation of the Policy will be 1st April 2016.