Professional Documents
Culture Documents
POLICY (ISSP)
Information
Policy Number & Category IG 02
Governance
Version Number & Date Version 3.7 February 2009
Ratifying Committee Clinical Governance Committee
Date Approved March 2009
Next Review Date March 2011
Executive Director of Finance & Resources,
Executive Lead
Chris Tidman
Deputy Director of IM&T – IT Services,
Policy Lead
Paul Lewis
Policy Author Head of IT Operations, Alan Dodsworth
Information Quality Assurance and
Formulated Via The
Information Governance Strategy Group
Policy Statement
The Information Systems Security Policy (ISSP) has been developed to protect
the Trust and its employees from hazards and threats, to ensure business
continuity and to minimise any business damage by preventing and reducing
the impact of information systems security incidents.
The IS Security Policy has three basic components (confidentiality, integrity and
availability), intended to preserve adequate security of information systems:
• Availability: ensuring that all vital services, information and/or data systems are
available to users when required.
Table of Contents
1 INTRODUCTION 3
2 OBJECTIVES, AIM AND SCOPE 3
4 LEGISLATION AND NHS MANDATORY REQUIREMENTS 5
5 POLICY FRAMEWORK 6
6 ELECTRONIC EMAIL (EMAIL) USE 12
7 BSMHFT CORPORATE ELECTRONIC MAIL (EMAIL) DISCLAIMER
STATEMENT 14
The ISSP applies to all Trust business and covers the information,
information systems, networks, and physical environments where
information is processed or stored.
2.2 Confidentiality
• Access to data shall be confined to those with appropriate
authority.
2.3 Integrity
• Information shall be complete and accurate. All systems,
assets and networks shall operate correctly, according to
specification.
2.4 Availability
• Information shall be available and delivered to the right person,
at the time when it is needed.
• Ensuring that all members of staff are aware of and comply with
the relevant legislation as described in this and other associated
policies.
2.6 Scope
2.6.1 This policy applies to all information, information media, information
systems, networks, applications, locations in use by BSMHFT and
organisations hosted by BSMHFT or supplied under contract to it.
3.1.2 Ultimate responsibility for information security rests with the Chief
Executive of BSMHFT, but on a day-to-day basis, the Deputy Director
of IM&T – IT Services (DDIT) shall be responsible for managing and
implementing the policy and related procedures.
3.2 The responsibility for the security of an information system lies with
the “owner” of that system. Owners of information systems may
delegate their security to an individual or group but remain ultimately
accountable for that system. DDIT will advise and monitor
ownership. A detailed list of information systems and owners will be
kept by the IM&T Department and monitored by the DDIT. An
example of this file can be found in the following location:
http://intranet/ISSPDocs/Trust_Information_Assets.pdf
3.3 Line Managers are responsible for ensuring that their permanent and
temporary staff and contractors and volunteers are aware of:-
• The information security policies applicable in their work areas.
• Their personal responsibilities for information security.
• How to access advice on information security matters.
3.4 All staff shall ensure that data confidentiality and integrity is
maintained.
3.7 Each member of staff shall be responsible for the operational security
of the information systems they use in their working environment. For
example systems must be closed if work has been completed, or if
leaving the desk for a short time, PCs must be either logged off or
locked before leaving.
3.8 Each system user shall comply with the security requirements that
are currently in force, and shall also ensure that the confidentiality,
integrity and availability of the information they use are maintained to
the highest standard.
3.9.1 For further information on the Trust’s RFC process follow this link:
http://intranet/IM_&_T/ITServices/RFC/RFC.htm
4.2 In addition, the Trust will abide by the Department of Health (DoH) as
well as the NHS Connecting for Health (CfH) Codes of Practice and
Statement of Compliance.
5 Policy Framework
5.1 Management of Security
• At Trust Board level, responsibility for information security shall
reside with the Executive Director responsible for IM&T.
• The DDIT (identified as the as the Information Security Officer
within the Information Governance Toolkit) shall be responsible for
implementing, monitoring, documenting and communicating
security requirements for the Trust.
http://intranet/ISSPDocs/Ongoing_training_log.pdf
Staff who leave the employment of the Trust will have their access to
Information Systems revoked via the IT domain account deletion
process.
Staff should ensure that where service users are present in an area
where systems are used, they do not come into contact with any login
IDs or passwords and do not, under any circumstances use Trust
PCs other than those recognised as Internet for Service User
equipment.
http://intranet/ISSPDocs/IT21_Disposal_of_PC_Guidelines.pdf
These reviews shall help identify lessons learnt and best practice and
possible weakness, as well as potential risks that may have arisen
since the last review was completed.
Contact the Service Desk on 0121 301 5111 for further information.
Should a virus be detected on any PC, any use should cease and the
incident must be reported immediately to the IT Service Desk on ext
0121 301 5111. The I.T Department will log and action the incident
and advise when the PC can be used.
The Trust has in place routines to regularly audit compliance with this
and other policies. In addition it reserves the ri ght to monitor activity
where it suspects that there has been a breach of policy. The
Regulation of Investigatory Powers Act (2000) permits monitoring and
recording of employees’ electronic communications (including
telephone communications) for the following reasons:
Therefore all laptops purchased by the Trust since Jan 2008 have
been fitted with an encrypted hard drive as standard. Laptops
purchased before then are not encrypted and should not be used to
store any personal identifiable data. The Trust has introduced a
standard secure USB memory stick for use on Trust PCs and laptops.
This device is available via the IT Operations Team. These sticks are
issued with guidance but essentially they will allow staff to transfer
(not store) sensitive information between Trust sites and store non-
sensitive information.
No USB Memory Sticks other than the BSMHFT standard secure memory
stick can be used in BSMHFT IT Equipment.
http://intranet/IM_&_T/ITServices/Purchasing/Purchase_Request_For
m.htm
6.3 The Trust issues guidelines for the use of the corporate email system
within the Trust’s Network Access Form, which can be viewed here.
http://intranet/IM_&_T/ITServices/NetworkAccess.htm
Employees may be held liable for any deviation from the email usage
guidelines.
Further advice can be obtained from the IT Service Desk on Ext (301)
5111
It is intended solely for the addressee. If you are not the intended
recipient, please accept our apologies, do not read, use, copy,
distribute, print or disclose any of the information contained
within and inform the author immediately before deleting.
The Internet service also exposes the Trust to potential threats (e.g.
copyright violations; Infection by viruses, defamation, pornography and
sexual harassment proceedings etc).
http://Intranet/IM_&_T/ITServices/NetworkAccess.htm
Employees will be held personally liable for any deviation from this
Intranet/Internet policy and it is in the employee’s interest to adhere to
this.
Consultation summary
Date policy issued for consultation 18th December 2008
Number of versions produced for One
consultation
Committees / meetings where policy Date(s)
formally discussed
IG Strategy Group 5th February 2009
Clinical Governance Committee 3rd March 2009
Glossary
Acronyms Description
BSMHFT / 'The Trust' Birmingham and Solihull Mental
Health Foundation Trust
CAB Change Advisory Body
CfH NHS Connecting for Health
Link Description
Disposal of
http://Intranet/ISSPDocs/IT21_Disposal_of_PC_Guidelines.pdf IT
Equipment
IT Network
http://intranet/IM_&_T/ITServices/NetworkAccess.htm
Access Form
IT
http://intranet/IM_&_T/ITServices/Purchasing/Purchase_Request_Form.htm
Purchasing
IT Request
http://intranet/IM_&_T/ITServices/RFC/RFC.htm
for Change
On going
http://intranet/ISSPDocs/Ongoing_training_log.pdf awareness
Training
Risk
Risk Management Committee
Management
Information
http://intranet/ISSPDocs/Trust_Information_Assets.pdf
Assets