Information handling policy

From Cypher IT
Revision as of 08:59, 23 May 2012 by Marco (Talk | contribs)

Risks addressed by policy

All IT resources (including data, not just equipment) must be appropriately secured from the following risks:

  • Actual or potential breach of confidentiality from eavesdropping or misdirection (eg plaintext email, courier services, or excessive scope of access)
  • Loss or breach of confidentiality from intentional attack (eg hacking, break-in)
  • Loss or breach of confidentiality from theft or loss (eg stolen laptop, mislaid USB stick)
  • Loss through software or hardware failure (eg hard-disk failure)
  • Loss or breach of confidentiality through malware (eg virus, key-loggers)

The above risks are removed or minimised by following best practice in information security. To ensure there are no gaps, all of the best practice below is mandatory policy. The Company’s procedures document in detail the procedures to follow in order to implement the policy defined herein.

Passwords and Passphrases

Risks addressed

Strong passwords: encryption is only as strong as the access controls on the relevant user’s account. A further attack risk is keyloggers; thus

  • strong account passwords are needed for ALL accounts, especially administrative accounts.
  • regular spyware sweeps for keyloggers are mandatory.

Password and Passphrase policy

All individuals who have been allocated network and/or system access are required to

  • ensure the integrity and confidentiality of their unique user identification codes and passwords
  • prevent access to unauthorized users when leaving systems unattended, including use of password protected screensavers where appropriate
  • comply with all security mechanisms, such as log-on controls or firewall settings.

Encrypted disks

A successful offline attack on the login account (or on another administrative account that can switch user to the relevant user’s account) allows access to all of that user’s encrypted data.

Finally, EFS is only appropriate for protecting data at rest. Such data is sent unencrypted across FTP, file shares, etc.

Backups & Syncs

Weekly overall backups, with more frequent syncs of shared folders.

Physical Controls

Laptops must be kept secured and out of view when not in use. In particular they must not be left in view of windows in cars or homes.

Access to Company premises is only allowed for the purposes of company business, and is controlled via physical doorway keys and alarm codes. When leaving company premises, all access points (doors and windows) must be locked shut, and the alarm must be armed.

Within company premises, any notes, jottings, letters, or telephone messages must be either shredded immediately after use, or if required to be filed need to be scanned into secure storage and then shredded.

Staff must also ensure they are not subject to eavesdropping while performing company business, especially if either patient information or company confidential information is being discussed.

Scope of Access

The scope of both security access and data access must be appropriate to job function.

Mobile Computing

USB sticks, phones and other mobile media are prohibited. Laptop or nothing. Home working

Malware Sweeps

Weekly spyware sweeps; fortnightly anti-virus sweeps.

  • Any file that is downloaded must be scanned for viruses before it is run or accessed.

This includes scanning of disks brought into the Company from elsewhere. Disabling the installed Anti-Virus software, whether on email or desktop, is not permitted. All PCs connected to the Company network must have the Company’s approved Anti-Virus and Anti-Spyware software installed and activated.

4 Technical

4.1. User IDs and passwords help maintain individual accountability for Internet resource usage. As always, users must keep their password confidential. Company policy prohibits the sharing of user IDs or passwords assigned for access to Internet sites. After use, users must log out of the PCs or Internet browsers from which they have been accessing the Internet. Users will be held responsible for any misuse of the Internet facilities undertaken with their user ID and password.
