Information Security Assurance
Commercial Third Party (CTP) Organisations
Guidance
Requirement 14 (Ref: 314)
Does the CTP control and monitor the use of mobile computing and
teleworking to ensure they are conducted in a secure manner?
The security protection required should be proportionate to the risks these
ways of working cause. When using mobile computing the risks of working
in an unprotected environment should be considered and appropriate
protection applied. In the case of teleworking the organisation should
consider and apply protection to the teleworking site and ensure that
acceptable arrangements are in place for this way of working.
Mobile computing and remote communications
The use of portable devices in mobile computing is now commonplace in many
organisations, with users connecting remotely to required information services
through laptops, mobile phones, palmtops, BlackBerrys etc. Users are also
connecting from a variety of locations (home, hotels, other NHS premises) and
through internet, wireless and dial-in technologies. Therefore, it is essential that
the following are considered within a risk assessment:

Theft, loss or damage of equipment. Equipment in transit is at particular risk
of being damaged, lost or stolen. This is especially the case for equipment
used by mobile workers, who are likely to connect to information systems from
a number and variety of locations. Training, procedures and written guidance
must be put in place for users to cover these threats.

Unauthorised access to data. Unauthorised access is possible in a number of
ways. Firstly, users may leave their equipment or media containing data unattended
in a place where it may be seen or used by unauthorised individuals. The use
of a clear screen and desk policy, together with user training, can help
mitigate this risk. Secondly, unauthorised access can be gained through
technical means, e.g. through ‘network sniffing’ or through guessed
passwords on unattended or unprotected laptops etc. Encrypted data on
media, encrypted transfer, strong access controls, user identification and
authentication, and secured wireless networks should all be considered to
counter opportunist technical hacking/cracking. It is recommended that ‘two
factor’ authentication is used and that token-based, biometric, smartcard, etc.,
controls are implemented.

Malicious and unauthorised mobile code. Care must be taken to ensure that
all mobile devices and removable media have their anti-virus / anti-spyware
components regularly updated to protect against these types of attacks.

Data backups. Mobile devices such as laptops are best configured so that
data processed on them is synchronised to the network at the end of a
session. If data is merely saved to a local drive and the device is lost, so is
the data. The minimum amount of data required must be carried in mobile
devices to reduce the potential impacts of an unforeseen event.

Mobile Working policy. The CTP should have a policy (and written
procedures) that covers all aspects of mobile working. If teleworking or
homeworking is allowed by the CTP then the security, management
arrangements and user requirements for this must also be covered in the
CTP’s policy.
Teleworking and homeworking
Teleworking or homeworking is distinct from mobile computing in that the location
of the former is normally fixed (e.g. the staff member’s home). The criteria listed
above apply to teleworking and the following should also be considered in a risk
assessment:

The physical security of the location. The risks of home burglary must be
considered, and therefore the use of additional physical security devices (e.g.
Kensington locks, anchorpad encasements, etc.) must be considered. CTPs may
choose to implement a separate Teleworking/Homeworking policy; however, the
information security issues may potentially be addressed through a unified
Mobile working policy instead.

The environmental conditions. CTPs have health and safety obligations to
teleworkers that include assessing the environment to ensure teleworking
equipment does not pose a threat to the teleworker’s property, the
teleworker’s person, or to third persons. Equally, the environment should be
assessed to ensure it does not pose a threat to the CTP’s equipment or
business functions, e.g. poor ventilation resulting in overheating and loss of
access or service capability. The CTP’s Health & Safety manager (or
equivalent) should ensure an environmental assessment procedure and
checklist is developed and completed before teleworking commences.

Equipment ownership. The CTP should ensure that it provides the necessary
workstations and associated equipment for business use. The use of
employee-owned equipment should be avoided, as other family members may
access it for private purposes, thus increasing risks. The CTP policy should
include a provision specifying that official equipment is not to be used by
unauthorised users or for unauthorised purposes, and guidance to this effect
should be issued.

Employer insurance. The CTP will have to ensure that adequate insurance
cover is available for teleworkers and that it covers any CTP equipment on a
teleworker’s premises. Cover may be available within the homeworker’s
normal home contents insurance.
Information for staff
Basic good practice guidelines should be provided to staff to reduce the risk of
theft and also to ensure that confidentiality of information is maintained, as
follows:

Locking the machine up overnight, or removal of the hard-drive or
memory card (where possible) if the machine cannot be locked away

Not leaving the system unattended, e.g. on the seat of a car

Use of secure passwords to prevent unauthorised access to information
stored on the computer

How to ensure password security

Reporting lost or stolen equipment promptly
Improvement plans

Level 1
The CTP should document an approvals and authorisation procedure for
mobile working and teleworking arrangements, implement appropriate
approvals and authentication procedures, and provide guidelines for staff on
expected IG information security and confidentiality practice.

Level 2
The CTP should ensure all mobile or teleworkers are appropriately approved
and authorised. The CTP should ensure all relevant staff are effectively
informed of the procedures and guidelines and have received appropriate
instruction in the use of remote access solutions. The CTP should also
ensure that mobile devices and removable media contain adequate
information security capability, including reliable data encryption where
patient information is to be processed.

Level 3
The CTP should undertake regular audits of mobile and/or teleworking
arrangements, ensuring that all users are approved, that all mobile device
and removable media assets can be accounted for, that secure remote
access is possible and used, and that any sensitive or confidential information,
including that relating to patients, is encrypted, securely transported or stored
in secure locations.
Procedures and controls should be regularly tested, reviewed and amended
where necessary, and monitoring should be carried out to ensure staff
compliance with the expected IG procedures and controls. Where a need for
improvement or non-compliance is identified this should be documented and
appropriate action taken.