ITPOL11 Access Control Policy



Access Control Policy

Version: V3

Ratified by: Finance and Risk Committee

Date ratified: 27/04/2022

Job Title of author:

This Policy has been drafted by SBC Solutions in conjunction with the Technology Team as part of the ISO27001 engagement

Reviewed by Committee or Expert Group: Technology Programme Group

Equality Impact Assessed by: IG and IT Projects Manager

Related procedural documents

IGPOL53 – Information Security Policy

IGPOL67 - Mobile Computing Devices Policy

QSPOL01 – Incident Reporting and Management Policy

Review date: 27/04/25

It is the responsibility of users to ensure that they are using the most up to date document template – i.e. obtained via the intranet

In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution

Version Control Sheet

Version Date Author Status Comment

V1 28/11/2018 IG and Projects Manager Ratified by FRC

V2 14/01/2020 IG and Projects Manager Approved by TPB

V3 21/02/2022 Assistant Director IT & Systems Reviewed due to expiry – updated to include Provide Group companies.

1. Introduction

The objective of this Policy is to protect the confidentiality, integrity and availability of the Provide Group’s information by controlling access to its IT and paper-based systems.

2. Responsibilities

1. All staff are responsible for ensuring that this Policy is complied with.

2. Overall responsibility for the security of the Provide Group’s networks rests with the Assistant Director for IT & Systems, who may delegate day-to-day technical issues regarding access control.

3. Physical building security is the responsibility of the Assistant Director for Estates and Facilities.

4. All of the Group’s employees are responsible for controlling access to Group information in accordance with this Policy at all times.

5. All of the Group’s employees are responsible for maintaining password security in accordance with this Policy in all of their activities carried out on behalf of the Group.

6. Any employee who has temporary or permanent knowledge or use of a password relating to any part of the IT system to which they do not normally have access should identify this to the Provide Technology Department immediately, so that the situation can be rectified. Any deliberate or negligent breach of this rule has a high probability of being regarded as gross misconduct and may result in immediate dismissal.

3. Network and Access

The following instructions apply to all users of the Group’s IT systems:

1. Access to the Group’s network is controlled by means of individual user logins and passwords. Login names are allocated by the Provide Technology Service Desk, who also issues the initial password for each user.

2. Immediately upon receiving a login and password, the user must change the password to one that they have created in accordance with the Password Policy; the Technology Team will configure systems to enforce this. Thereafter, the operating system automatically prompts for a password change at intervals controlled by the Technology Service Desk.

3. Access to the computer network and associated systems is controlled by means of login and password, or Smartcard access for certain systems. This information is given only to users who need to work with the respective packages, and their level of access is controlled by permissions allocated to the various login identities. The Technology Team may allow users to additionally have the option of using biometrics to validate their identity and login.

4. Principle of Least Privilege – Access controls must be allocated on the basis of business need and ‘Least Privilege’. Users must only be provided with the absolute minimum access rights, permissions to systems, services, information and resources that they need to fulfil their business role.

5. Logins and passwords are not to be revealed to anyone, even a colleague, supervisor or manager. The exception to this rule is set out in the Password Policy.

6. Users may access the network and their own files by logging on to any PC on the system. However, access to network objects is limited by individual logins that are authorised on the basis of operational requirements.

7. User rights are decided by the Technology Service Desk or Line Manager only and are not to be changed. This instruction is reviewed at the ISMS Management Review meetings. Smart card access user rights are controlled by the RA team in consultation with the service lead and reviewed by the PBAC committee.

8. User rights are kept to the minimum necessary for efficient working. Anyone who feels that they would work more efficiently with increased user rights must justify this to the Line Manager or Folder Owner.

9. Users must not allow other users to access any systems via their login, either by logging in deliberately on the other’s behalf or by logging in and leaving the PC unattended. Monitoring is implemented on all systems to record login attempts and failures, successful logins, duplicate logins and all changes made.

10. Remote access to the Group’s systems is subject to particularly careful control. This is addressed in the Mobile Computing Devices Policy that is set out in this Manual.

11. Currently no third party (other than those requiring access for support purposes, as approved by the ISMS Committee) has any access rights to the Group’s networks.

12. Anyone who suspects there may have been a breach of network access rules must report it immediately to the Information Governance Manager and raise the concern via the terms of the Incident Reporting and Management Policy.

4. Access to Online Information

1. Information stored on the server can be made available to all users, certain defined users, or to the creator only. This is determined by the selection of the appropriate directory and access rights using the Active Directory Account Creation process.

2. Data stored in SharePoint will be permissioned to the same standards as file shares but will be done via the Office365 Management Portal.

3. Sensitive information that is required to be kept on the network but is not currently required is to be protected by the removal of all access permissions, except where required for support purposes.

4. Should a hacker gain access to the network, every password that stands in their way will offer some protection to sensitive data. Therefore, directories and documents containing such data are not to be named in such a way as to make them easily identifiable. Names indicating Confidential, Top Secret etc. are not to be used.

5. Access to Paper-based Information

1. Sensitive information on paper, such as personal or financial data, is accessible only to authorised persons.

2. Access must be controlled by means of locked cabinets and a locked door and consideration should be given to the use of a key register as a way of tracking access to these records.

3. Sensitive information is not to be left lying on desks overnight.

4. All wastepaper containing business information is shredded.

Paper records should be maintained in exceptional circumstances only.

6. Premises Security

Physical access to the Group’s Headquarters and thus to the information systems is controlled as follows:

1. Access to the building is by means of an intelligent electronic key card system on the front door. The front door is staffed by the reception area during working hours; during periods where the building is closed, the front doors are key locked and alarmed. Main reception to the building is situated in the front lobby and all visitors are required to sign in and out.

2. Access to the IT Offices on the ground floor is protected by the same type of intelligent electronic key card system. There is also a physical key locking system on each door.

3. The intelligent electronic key card system is programmable to restrict access to specific areas of the Group’s working space.

4. Access to the server equipment is controlled at all times by means of restricted access using the intelligent electronic key card system. Servers are also in locked cabinets and the keys are stored in a locked key safe with pin code access. External staff accessing the server room must be supervised at all times.

5. Filing cabinets or cupboards are locked using keys and the keys are also locked in the key safe.

6. All windows should be kept closed and, if possible, locked out of office hours.

7. Any person who is seen on the premises without an ID badge should be challenged.

7. Further Measures to Prevent Unauthorised Access to Information

Apart from the measures outlined above, access to the Group’s premises, information systems and information is further limited by the following general instructions:

1. No employee who is entrusted with an electronic intelligent key, combination code or a Password of any kind is to reveal or share this with a fellow employee.

2. In the case of equipment destined for repair or disposal, information stored on hard disk or other storage media is to be protected as follows:

a) No devices containing hard disks are to be sent off site for repair unless encrypted.

b) Any storage media containing Group information, including hard disks, tape cartridges, CD disks etc. that are faulty or no longer required are destroyed by a specialist third party secure disposal company under contract.

c) Disposal of computer equipment is to be carried out by a reputable specialist disposal firm and disposal records are kept for both Information Security and Environmental reasons.

d) Should data be required to be sent or transmitted from the Group’s premises then information stored on hard disk or any other medium is to be protected by the following means:

I. No unassigned computer equipment is to leave the Group’s premises unless specific permission has been obtained from the Technology Operations Manager.

II. The exception to the above is the Mobile Computing Facilities. The Mobile Computing Devices Policy covers this.

III. Transportation is only undertaken by reputable contracted carriers or by the Organisation’s employees.

IV. The Organisation’s employees who are transporting computer equipment or storage media take precautions to protect such items from theft, as detailed by the ISMS Manager.

3. When employees leave the Organisation, the following action is taken:

a) The employee’s access rights to all IT systems are revoked. To support timely removal of access, an automated process should be in place wherever possible and, additionally, line managers should notify the Technology Service Desk in advance of the leaver’s leave date. Late notification presents a serious security risk to the Provide Group.

b) The relevant e-mail account is disabled or, if transferring to another NHS organisation, the account will be re-assigned.

c) Employees are required to return all intelligent keys to doors entrusted to them except patient data access Smartcards which are kept by the employee if they are remaining within the NHS and access from Provide is revoked.

d) All keys for cupboards and cabinets are kept in the key safe. If a person who has knowledge of the key safe pin codes leaves the organisation the pin code must be changed.

The responsibility for arranging these measures lies with the Line Manager coordinated with the HR Department.

8. Password Control

Password Management

Password Creation

The objective is to create a strong password that will withstand attempts to ‘crack’ it, at least for a reasonable length of time. For example, any word in the dictionary can be cracked within seconds by widely available password breaking programs, whereas a really well constructed password can take a day or more to crack and should deter all but the most determined hackers.

Strong passwords are created using the following rules:

1. Passwords must be fourteen characters or greater.

2. The use of capitals, numbers and symbols will not be mandatory in line with NCSC guidance and Cyber Essentials Plus standard. Users, however, will be encouraged to use three random words to create a strong and memorable password (e.g. ‘coffeetrainfish’ or ‘wallstinshirts’). Administrator passwords will follow the same rules but will require additional complexity including capitals, numbers and special characters.

3. Passwords must not contain all or part of the user’s name or job function, or any term (like a birthday, a partner’s name or a street address) that could be easily guessed or researched.

4. Staff will be unable to use terms such as “Provide” or “Password”. To maintain a high level of security we will use tools to check for and reject commonly used passwords (including local words such as Provide, NHS, Ward etc.) and compromised passwords.

5. Simple substitutions (such as 1 for i, 0 for O, 5 for s etc.) in recognisable words – i.e. words found in a dictionary – afford no real protection and must not be relied on.

6. Similarly, commonly used or easy to guess combinations or series such as 1234abcd, A5DFghJK, $taRwaRr$, 1passw*d etc. must not be used.

7. The same password cannot be reused for the next 22 password changes on the system.

To enhance security further, accounts for Active Directory will lock out after 3 attempts of entering an incorrect password.

Password Precautions

All relevant employees of the Group have been made aware of the following rules, requirements and guidelines with regard to all passwords and PIN numbers for accessing doors etc:

1. Always follow the rules for strong passwords every time one is created or changed.

2. Protect passwords by making sure nobody is looking over your shoulder when you enter them.

3. Keep your passwords strictly to yourself and avoid revealing them to anyone at all, including colleagues or supervisors.

4. Be aware of ‘social engineering’, when a potential intruder will attempt to get you to reveal a password by pretending, for instance, to need urgent help getting onto the system. If you are in possession of a password allowing access to a customer’s system, you must exercise extreme caution on this point.

5. Do not say your password out loud, or hint at how you constructed it.

6. Do not e-mail or write down or otherwise communicate your password to anyone.

7. Do not keep a note of your password online or anywhere around your workplace.

8. Change a password if you have reason to believe that someone else knows it. If you believe that your password has become compromised or become aware of a breach of the requirements of this Policy, immediately contact the Information Governance Manager for further instructions. Do not try to cover up the incident or ignore it. Information security is a vital factor in the continued success and survival of the Group, and ignoring a breach of these requirements could put jobs at risk.

On leaving the Group you will be required to reveal all passwords protecting any files or directories on any drive owned by the Group. Your acceptance of these policies within your Contract of Employment confirms your explicit agreement to do this – even after you have left the Group.

9. General

Although the Group has taken reasonable technical and material precautions to prevent unauthorised access to its information systems, every individual employee can make a decisive contribution to the Group’s security. Access control of all kinds depends to a great extent on the employee’s active participation, watchfulness and consistent compliance with the spirit of this Policy.

10. Premises Security (Building Survey)

Provide HQ (Colchester)

Doors and Entry Points: Access card control on front door. Fire doors push bar for exit.

Windows: Fitted with locks. Instruction to close all windows out of hours.

Fire Exits: In place.

Shutters: Not used.

Door lock types: Main doors electronic lock with smartcards. Mortice lock on office doors.

Bio Metric entry: Not used.

Fire Extinguishers: In place.

Fire Alarms: In place. Monitored.

Smoke Alarms: In place.

Gas suppression: Server room has a gas suppression system.

Lighting: Fluorescent. Motion activated.

Air extraction: Air con in main office area, not in IT area. Server rooms are air conditioned.

Burglar alarms: Alarmed out of hours and monitored.

Alarm monitoring: Monitored by reception during office hours. Out of hours by a third party.

Visitors signing in: In place.

Visitors accompanied: In place.

Electrical Wiring: Modern wiring.

Equipment PAT tests: Completed.

Network cabling type: CAT 5 in standard ducting.

Car park: Around the main building and CCTV monitored.

Security perimeter: Combination of fencing and hedging.

Fences: Wire.

Gates: No gates.

CCTV: In place both externally and internally. Monitored as per policy.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’

Name of project/policy/strategy (hereafter referred to as “initiative”):

ITPOL11 Access Control Policy

Provide a brief summary (bullet points) of the aims of the initiative and main activities: The objective of this Policy is to protect the confidentiality, integrity and availability of the Group’s information by controlling access to its IT and paper-based systems.

Project/Policy Manager: Assistant Director for IT and Systems

Date: 21/02/2022

This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.

Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.

Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?

Neutral

Q3. Is the impact of the initiative – whether positive or negative – significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period of time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.

Neutral

Guidelines: Things to consider

Equality impact assessments at Provide take account of relevant equality legislation and include age (i.e. young and old), race and ethnicity, gender, disability, religion and faith, and sexual orientation.

The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.

Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.

Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.

Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?

It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.

It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or a monitoring/evaluation system will be set up to review a policy’s impact over time.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:

(To be used where the ‘screening’ phase has identified a substantial problem/concern)

This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.

Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?

N/A

Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?

Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?

Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.

Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?

Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.

Guidelines: Things to consider

An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised. It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative.

The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.

If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.

Further information:

Useful Websites

www.equalityhumanrights.com – Website for new Equality agency

www.employers-forum.co.uk – Employers forum on disability

www.disabilitynow.org.uk – online disability related newspaper

www.efa.org.uk – Employers forum on age

© MDA 2007
