IT Infrastructure & Device Checks
Version: 3
Ratified by: Finance & Risk Committee
Date Ratified: 14/04/2021
Job Title of Author: IT Operations Manager Assistant Director of IT & Systems
Reviewed by Sub Group or Expert Group: Technology Programme Board
Related Procedural Documents: ITPOL007 Disaster Recovery Policy
Review Date: March 2024
It is the responsibility of users to ensure that you are using the most up to date document template – ie obtained via the intranet.
In developing/reviewing this procedure Provide Community has had regard to the principles of the NHS Constitution.
Version Control Sheet
Version Date Author Status Comment
FINAL 24/04/2017 Head of IT & Data Approved by TPB on 24/04/2017
1.0 03/05/2017 Head of IT & Data Ratified by FRC
2.0 01/08/2019 Assistant Director IT & Systems Approved by TPB on 13/08/2019
3 16/03/2021 Assistant Director IT & Systems Approved by TPB on 13/04/2021
Addition of new checks and responsibilities. Updates to job titles.
Addition of new Device checks.
1. Introduction and Purpose
Provide recognises that technology systems are increasingly critical to its business and that any loss of key systems could have a detrimental effect on patient care and operational process. Provide has therefore ensured that appropriate and reasonable measures are in place to be able to restore IT facilities to maintain business activities in the event of any major failure, adverse event, loss or disaster to its technology systems.
Despite all necessary precautions being taken, Provide acknowledges that there is the potential of some form of disaster occurring and needs to have detailed plans and procedures in place to contain the impact of such events on its core business through tested disaster recovery plans.
An essential part of the Disaster Recovery Plan is backup power, completion of the checks in this document will allow faults or shortcomings to be identified and resolved in a controlled way so that the related elements of the Disaster Recovery Plan can be implemented without issue should the need ever arise.
2. Scope
This process is for Provide’s Headquarters at 900 The Crescent, Colchester, CO4 9YQ unless specifically stated otherwise.
3. Duties
Assistant Director IT & Systems
Ensuring this process is reviewed every three years or sooner should significant changes be made to the IT infrastructure, generator or Disaster Recovery Policy or plan.
IT Operations Manager
• Ensuring the process is followed
• Ensuring staff receive appropriate training to undertake this process
• Undertaking regular spot checks of the process
• Supports the Technology Service Desk Manager to resolve any issues that are escalated following investigation.
Technology Service Desk Manager
• Ensuring that all devices are adequately encrypted.
• Ensure that all devices are patched within 90 days, escalating to the IT Operations Manager or Assistant Director for IT & Systems (as appropriate) if devices exceed this timescale.
• Ensuring that there is monitoring in place for vulnerable software and that this is remedied on a monthly basis or reported to the escalating to the IT Operations Manager or Assistant Director for IT & Systems (as appropriate) if this timescale is exceeded.
• Ensuring all devices have Anti-virus protection and that the anti-virus software is active and that any issues in relation to this are resolved or escalated to the IT Operations Manager
Technology Infrastructure Staff
Will undertake the daily and monthly checks, including the recording of completion, results and saving of completed sheets
Technology Programme Board
Will review any reporting covered by this procedure, this may be done by exception reporting.
4. Weekly Checks
Each working day that a member of the Technology Infrastructure Team is on-site at HQ and no less frequent than weekly, they will perform a number of daily checks. These include, but are not limited to the following.
• Check each individual cabinet within the HQ Server Room for any failures or alarms that have occurred and have not been flagged by the automated monitoring systems. These could include failed hardware or other associated errors.
• Check the power distribution board located in the Server Room for any tripped Magnetic Circuit Breakers (MCBs).
On a weekly basis the generator fuel levels and run time will be checked.
In the event of an alarm or failure occurring, an incident will be raised in the Service Desk Infrastructure queue for further investigation and resolution.
Once the checks have been completed the sheet attached to the server room door will be completed with the appropriate details and the initials of the individual who completed the checks.
5. Monthly Checks
The Infrastructure Team will make the following checks:
Generator - On a monthly basis, the backup generator will be manually started and run off-load for a duration of up to 30 minutes with the results recorded on the daily checks sheet attached to the server room door.
In the event that there is a failure of any kind or the generator does not perform as expected, remedial actions will be taken and once compete the test will be re-run. This cycle will be repeated until the test is successfully completed.
End of Support Software – This will be monitored via the ‘End of Support’ information in the IT Health Dashboard. End of support announcements will be monitored on a monthly basis and used to support the planning for future software updates. Where software becomes out of support, this should be upgraded within one month or a plan put in place for a future upgrade as long as there is no known vulnerability associated with the software. And decision not to upgrade must be agreed with the Assistant Director for IT & Systems.
The Service Desk or Engineer Team will make the following checks: Encryption – Compliance of Provide devices with Provide’s encryption policy will be checked at least monthly and results submitted, along with any required remediation
plans to the Technology Programme Board. To ensure full adherence, reports will be generated in IT Health and Vulnerability manager Plus before being cross referenced Identifying devices that are out of compliance either in status or by cypher standard used. Any devices that our out of compliance will be remediated as soon as possible by the IT service Desk. This will be completed no later than the following Technology Programme Board.
Missing Microsoft Patches – These will be monitored via the ‘Windows Update Trends’ information in the IT Health Dashboard in the first instance Vulnerability Manager Plus will be used to verify the patch status of said devices. This will be monitored on an ongoing basis with devices reaching 60+ days out of date being investigated with the aim of preventing them reaching 90+ days out of date. Should a device reach 90+ days out of date, further reasonable attempts to contact the user to resolve this will be made before the device is disabled. Where a device is not correctly updating and is out of warranty, this should be replaced and efforts not spent on trying to update the device.
Vulnerable Software - This will be monitored via the ‘Software Vulnerability’ information in the IT Health Dashboard and Vulnerability Manager Plus Dashboard. This will be monitored on a monthly basis with devices appearing in the monthly check being resolved by the following monthly check. Where there is no update available that resolves the vulnerability, this must be escalated to the IT Operations Manager who may choose to accept the risk and add this to the corporate Risk Register.
6. Bi-Annual Checks
Every 6 months, in accordance with the generator maintenance schedule, the generator will be serviced and a full system test run whereby the incoming electrical supply to the areas powered by the generator is powered off to test the generator auto-start process and run on-load for at least 30 minutes.
In the event that there is a generator or switch-over related failure of any kind or the generator does not perform as expected, remedial actions will be taken and once compete the test will be re-run. This cycle will be repeated until the test is successfully completed.
During the on-load test, equipment that is being supported by UPS should be switched on so that any failure of the UPS is identified. In such an event, this should be reported to the Technology Service Desk to be resolved and re-tested, this will not requirea new generator test as loss of power to the UPS can be replicated in other ways.
7. Monitoring
New alerts generated by the current infrastructure monitoring tool will automatically raise tickets in FreshService. These tickets will be investigated by the infrastructure team before being processed. Once resolved the ticket will be closed and may be accessed later for audit or reference purposes.
The IT Operations Manager will make regular spot checks to ensure processes are followed.