Information handling policy

From Cypher IT
Latest revision as of 11:28, 8 January 2020


Risks addressed by policy

All IT resources (including data, not just equipment) must be appropriately secured from the following risks:

  • Actual or potential breach of confidentiality from eavesdropping or misdirection (eg plaintext email or courier services, or over-broad scope of access)
  • Loss or breach of confidentiality from intentional attack (eg hacking, break-in)
  • Loss or breach of confidentiality from theft or loss (eg stolen laptop, mislaid USB stick)
  • Loss through software or hardware failure (eg hard-disk failure)
  • Loss or breach of confidentiality through malware (eg viruses, key-loggers)

The above risks are removed or minimised by following best practice in information security. To ensure there are no gaps, all of the best practice below is mandatory policy. The Company’s procedures document in detail the steps to follow in order to implement the policy defined herein.

Passwords and Passphrases

Risks addressed

Strong passwords – encryption is only as strong as access to the relevant user’s account. Another attack risk is keyloggers; thus

  • strong account passwords are needed for ALL accounts, especially administrative accounts.
  • regular malware sweeps for keyloggers are mandatory.

Policy statements

All individuals who have been allocated network and/or system access are required to

  • ensure the integrity and confidentiality of their passwords, passphrases & PINs
  • use strong passwords and passphrases according to password procedure
  • prevent access to unauthorized users when leaving systems unattended, including use of password protected screensavers where appropriate
  • comply with all security mechanisms, such as firewall restrictions, log-on/log-off controls and record-keeping


Use of encrypted disks

Risks addressed

A successful attack on the login account, and/or direct disk access (such as to a lost, stolen, or improperly disposed of hard-disk), enables access to all unencrypted data. Thus the use of encrypted disks provides a second layer of defence against these risks. Whole-disk encryption, in addition to encrypted disks, defends against data leakage via swapfiles, temporary files etc.

Policy statements

  • Whole-disk encryption must be enabled on all PCs and other devices capable of supporting it
  • Strong-encrypted disks must be used for all data, whether sensitive company, patient data or non-sensitive data.

Use of encrypted transfers

  • Thunderbird (or other email client) must be set to SSL/TLS for both send and receive (SMTP+POP)
  • Any and all transfers from customer sites must be encrypted with AES256 prior to transfer.
    • To mitigate the risk of misjudgment, this applies to all files/data, even those without patient data.
    • To mitigate the risk of misjudgment, this applies to all transfers, whether from customer sites or our own remote infrastructure

Patient identifiable information

Irrespective of access or otherwise, staff are only permitted to handle patient-identifiable data to the extent required to perform their job. In particular, browsing of patient-identifiable data is specifically prohibited.

Patient identifiable information must be handled according to specific procedures at all times.

Backups & Syncs

Weekly overall backups, and more regular sync of shared folders, as per Syncing procedure and Dropbox policy.

Physical Controls

Patient-identifiable information must not be transferred outside of the UK.

Person-identifiable information must not be transferred outside of the EEA or approved countries.

Laptops must be kept secured and out of view when not in use. In particular they must not be left in view of windows in cars or homes.

Access to Company premises is only allowed for the purposes of company business, and is controlled via physical doorway keys. When leaving company premises, all access points (doors and windows) must be locked shut, and the alarm must be armed.

Within company premises, any notes, jottings, letters, or telephone messages must be either shredded immediately after use, or if required to be filed need to be scanned into secure storage and then shredded.

Staff must also ensure they are not subject to eavesdropping while performing company business, especially if either patient information or company confidential information is being discussed.

Scope of Access

Clear segregation of duties must be observed, including scope of security access and data access appropriate to job function.

This is achieved by separating the shared folders, and the access and data they hold, between the following roles:

  • system admin
    • has root access, can create new users, can see patient data where appropriate for support
  • developer access
    • can modify code, can see dev data, cannot see patient data, cannot use patient data
  • company admin
    • can see and create banking entries, bookkeeping entries and customer payments; cannot see patient data at all
  • company management
    • can see and authorise banking entries, and edit bookkeeping, customer payments and refunds; cannot see patient data at all

Patient identifiable information: Patient identifiable information must only be accessible to and accessed by those requiring it. Irrespective of such access controls, staff are only permitted to handle patient-identifiable data to the extent required by their role and their current tasks. In particular, browsing of patient-identifiable data is specifically prohibited and special procedures apply to the handling of patient identifiable data.

Remote Access

Policy statements

Strong encryption is mandatory at all times.

Such encryption may be via end-to-end VPN or SSH tunnel, or over strong-encrypted remote access such as modern RDP.

In addition to strong encryption, two-factor authentication (2FA) is mandatory for

  • any access to patient-identifiable data
  • any access to N3
  • any remote support to clients (as this is most likely to have exposure to patient-identifiable data)
  • any remote support to core services (as this is a plausible route to further intrusion)
    • this also means pure VNC is not acceptable; it must be VNC over SSH
    • this means SSH password-only is not acceptable; SSH must be via private key and password
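One way to check an OpenSSH server against the "private key and password" rule above, as an added example that is not part of the Cypher IT wiki: it reads an sshd_config the way sshd does (the first occurrence of a keyword wins, keywords are case-insensitive) and reports any configuration that would still let a single factor log in. Assumptions: only the global section is audited (Match blocks are skipped), and a keyboard-interactive step counts as the password step, as it does when PAM handles the password.

```python
# Added example (not from the Cypher IT wiki): audit an sshd_config against
# the policy that SSH must require a private key AND a password.
# Assumptions: only the global section is checked (Match blocks skipped);
# "keyboard-interactive" is accepted as the password step (PAM-backed).

def parse_sshd_config(text: str) -> dict:
    """Return global keyword -> value; first occurrence wins, as in sshd."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.lower().startswith("match "):
            break                               # assumption: stop at Match
        parts = line.replace("=", " ", 1).split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        settings.setdefault(key, value)         # later duplicates are ignored
    return settings


def ssh_policy_findings(text: str) -> list:
    """Return a list of findings; an empty list means the config complies."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is off: key step impossible")
    methods = cfg.get("authenticationmethods", "")
    if methods.lower() == "any":
        methods = ""                            # 'any' is the single-factor default
    # Whitespace separates alternative chains; commas mean 'all of these, in order'.
    chains = [c.split(",") for c in methods.split()]
    if not chains:
        findings.append("AuthenticationMethods unset: a single factor logs in")
    for chain in chains:
        has_key = "publickey" in chain
        has_pw = bool({"password", "keyboard-interactive"} & set(chain))
        if not (has_key and has_pw):
            findings.append(f"chain '{','.join(chain)}' is not key AND password")
        if "password" in chain and cfg.get("passwordauthentication", "yes").lower() != "yes":
            findings.append("chain needs a password but PasswordAuthentication is off")
    return findings


# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = "PasswordAuthentication yes\nPubkeyAuthentication no  # password-only\n"
STRONG_CONFIG = ("PubkeyAuthentication yes\nPasswordAuthentication yes\n"
                 "AuthenticationMethods publickey,password\n")
```

Run `ssh_policy_findings` over the output of `sshd -T` on a host to audit the effective configuration rather than the file alone.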

Refer to Remote working policy for other policy items applicable to remote working.

Mobile Computing

USB sticks, phones and other mobile media are prohibited: a Cypher IT-supplied laptop and a Cypher-supplied backup USB HDD, or nothing.

Malware Sweeps

Weekly spyware sweeps; fortnightly AV sweeps.

  • Any file that is downloaded or obtained from any other external source must be scanned for viruses before it is run or accessed.
  • All PCs connected to the Company network must have the Company’s approved Anti-Virus and Anti-Spyware software installed and activated.