Version: V2
Ratified by: Finance & Risk Committee
Date Ratified: 18/08/2020
Job Title of Author: IG and IT Projects Manager
Reviewed by Sub Group or Expert Group: Technology Programme Board
Related Procedural Documents: IGPOL53 – Information Security Policy
Review Date: 18/08/2023
It is the responsibility of users to ensure that you are using the most up to date document template – ie obtained via the intranet.
In developing/reviewing this procedure Provide Community has had regard to the principles of the NHS Constitution.
Version Control Sheet
Version Date Author Status
Comment
V1 December 2017 Information Governance and IT Projects Manager Was IGPOL89
V2 July 2020 Information Governance and IT Projects Manager
Due for review. Document redefined as SOP and moved to new template
1. Introduction
Where an external party provides support for either all or part of an IT system/service it will from time to time be necessary to allow that supplier to have remote access to that service for support purposes. This can relate to production platforms and/or preproduction platforms, e.g. regarding test or development. Suppliers will often make it a requirement of the support contract that such access is provided.
2. Purpose
The purpose of this standard operating procedure is to outline the procedures that needs to be followed when providing remote access to system suppliers and external system/ service support operatives
3. Scope
The SOP applies to all IT systems and services hosted within Provide.
4. Arranging Remote Access
• The supplier and their staff must comply with the terms of the organisation’s Information Security Policy (IGPOL53) by signing and returning the compliance statement.
• If the system being supported contains information that is confidential, sensitive or of commercial value, the supplier must have signed a non-disclosure agreement (or have equivalent contractual obligations) even if it is not intended that the supplier will have access to that information
• All remote access by suppliers must be logged on the service desk (FreshService). Often a call will already have been logged as most remote access by suppliers will be as a result of an incident or a change which has been already logged. In such cases the call can be updated with the relevant information
• Data contained within an IT System or service must never be updated by the supplier without the express permission of the relevant service lead within the organisation, and a detail record must be made of all such changes and included in the call logging software
• The supplier must have good information security practices, including having virus protection on PCs, ensuring that their equipment is patched, and that they have appropriate firewalls enabled. This should be covered in the contract with the systems supplier
• The mechanisms for achieving remote access must be agreed with the technical staff of the organisation involved in its support. Ensuring the information security of the organisation must be of paramount concern when agreeing such mechanisms
• All Data Protection legislation and requirements must be compiled with
• Under normal circumstance, the supplier should not be able to access information that is confidential, sensitive, or commercially valuable; however, in the event that this proves essential the Information Governance and IT Projects Manager or delegated equivalent must have given express permission for this to occur
5. Procedure
• At the end of any implementation project any long-term remote access provided to suppliers, including access to test and development systems, must be removed.
• Unless otherwise agreed with IT and the external party and enforced through contractual requirements, all requests for remote access must be logged through the IT Service Desk.
• Technical mechanisms for providing remote access should be agreed, implemented, and tested with the supplier and the Provide IT team.
6. Systems Hosted Outside of Provide
The above procedure only applies to systems hosted within Provide. Where the system is hosted outside of Provide, the department placing the contract must ensure sufficient controls within that contract for the management of the information it contains, retaining sufficient and effective information security for the organisation’s need, and that all data protection requirements and legislation are complied with.
When ensuring sufficient and effective information security requirements it is important to consider:
• Sufficient access to the information contained in the system for the organisation and its staff, including the ability to get reports for the system and to create system to system interfaces.
• The integrity of the information contained in the system, including ensuring that it can be kept up to date, that audit trails of updates exist, and system interrogation, when appropriate, and that the security is in place to ensure that information cannot be updated incorrectly or inappropriately.
• That appropriate levels of confidentiality are maintained.