Intranet and Internet Acceptable Use Policy
Printed copies should not be considered the definitive version
DOCUMENT CONTROL
Policy No.: 78
Policy Group: Information Governance and Security
Author: Andrew Turner
Reviewer: Medical Director
Scope (Applicability): Board wide
Status: Final
Approved By:
Version No.: 1.3
Implementation Date: Aug 2013
Next review date: Aug 2015
Last review date: N/A
TABLE OF CONTENTS
1. Overview
2. Key Points
3. Policy Aims
4. Scope & Applicability
5. Responsibilities
   a) Individual users
   b) eHealth department
6. Exceptions
7. Breaches
8. Equality and Diversity
9. Appendix 1 – Policy Approval Checklist
10. Appendix 2 - Document Status
11. Appendix 3 - Action Plan for Implementation
Title: Internet and Intranet Acceptable Use Policy Date August 2013 Version: 1.3 Author: Andrew Turner The only current version of this document is on the Intranet.
1. OVERVIEW
a. Access to the Board Intranet and the wider Internet is provided to allow staff to undertake their normal business functions. It is important that all users of our Intranet and Internet provision understand exactly what is considered appropriate and acceptable usage.
b. This paper lays out our Acceptable Use Policy for the Intranet and the external Internet.
c. This policy sets out clear guidance for users on what is and is not allowed. It also sets the boundaries as to when personal use is allowed and not allowed. The overarching purpose is to ensure that appropriate access to the Intranet and Internet is available to staff with a legitimate business purpose at all times and this access is not hindered by non-business related activities.
d. It demonstrates management support for, and commitment to, the provision of an internet capability through issuing this policy for user acceptance and compliance, as well as any related policies, procedures and guidelines, including user education and awareness across NHS Dumfries & Galloway. The purpose of this policy is to protect all NHS Dumfries & Galloway users from threats, internal or external, deliberate or accidental.
2. KEY POINTS
- Make sure your use of the Internet does not have an impact on other business users.
- Use for personal use should be restricted to outwith normal business times.
- Do not try to access inappropriate material (see para b, sub para a).
- Wherever possible use the Public wifi network for personal use.
Comment [AT1]: Added after IA committee 10th July 2013
3. POLICY AIMS
a. This policy aims to:
   i. Provide guidance on the acceptable use of the Intranet and Internet whilst using the NHS Dumfries & Galloway provided networks.
   ii. Detail the roles and responsibilities and supporting organizational monitoring arrangements for ensuring that access for normal business use is maintained.
   iii. Provide a framework under which NHS Dumfries & Galloway can ensure compliance with all relevant legislation and policies.
4. SCOPE & APPLICABILITY
a. This policy applies to accesses to web based services as provided by NHS Dumfries & Galloway in any format and is intended to be fully consistent with the Information Security Policy and Standards of NHS Scotland.
b. This policy applies to all users who undertake work for NHS Dumfries & Galloway or use any part of the IT infrastructure, whether as an employee, a student, a volunteer, a contractor, partner agency, external consultant or 3rd party IT supplier.
c. It is a management requirement that all NHS Dumfries & Galloway accesses to the Intranet and Internet for legitimate business use go unhindered.
d. This policy does not apply to the free wifi network offered by the Board for general use.
Comment [AT2]: Added after IA committee 10th July 2013
5. RESPONSIBILITIES
a) Individual users
a. The Board trusts you to use the internet sensibly. Bear in mind at all times that, when visiting a website, information identifying your PC may be logged. Therefore any activity you engage in via the internet may affect NHS Dumfries & Galloway.
b. We recognise the need for individuals to have to carry out some personal tasks during working hours, e.g. for internet banking or online shopping, and this is permitted subject to the same rules as are set out below:
c. You must ensure that your personal use of the Intranet and Internet:
   i. does not interfere with the performance of your duties;
   ii. should not be undertaken during your working day when you are “at work” as opposed to pre or post work periods or lunch/tea breaks;
   iii. is minimal and limited to taking place substantially outside of normal working hours (i.e. during any breaks which you are entitled to or before or after your normal hours of work);
   iv. does not cause any expense or liability to be incurred by NHS Dumfries & Galloway;
   v. does not have a negative impact on NHS Dumfries & Galloway in any way; and
   vi. is lawful and complies with this policy.
d. If your activities require additional software to be installed onto your PC (e.g. Flash, PDF readers, Webex etc.) then you should submit a request to IT Support who may be able to arrange this for you.
e. You are strongly discouraged from providing your NHS Dumfries & Galloway email address when using public websites for non-business purposes, such as online shopping. This must be kept to a minimum and done only where necessary, as it results in you and NHS Dumfries & Galloway receiving substantial amounts of unwanted email.
f. Access to certain websites is blocked during normal working hours. If you have a particular business need to access such sites, please contact the IM&T Help Desk.
You must not:
   i. introduce packet-sniffing, key loggers or password-detecting software;
   ii. seek to gain access to restricted areas of NHS Dumfries & Galloway’s network;
   iii. access or try to access data which you know or ought to know is confidential;
   iv. intentionally or recklessly introduce any form of spyware, computer virus or other potentially malicious software; nor
   v. carry out any hacking activities;
   vi. use NHS Dumfries & Galloway’s systems to use the internet in any way which will breach the Social Media Policy (available on the Intranet).
b) eHealth department
a. The eHealth department will maintain web filtering tools which will prevent and protect users from accessing web sites according to the categories as identified below. Broadly these fall into the following types of material:
   a. Adult Material
   b. Streamed material
   c. Drug misuse
   d. Entertainment, gambling and on line gaming
   e. Computer security, Hacking and Proxy avoidance sites
   f. Personal dating and
   g. Social networking (except in compliance with the Board Social Media Policy)
   h. Extreme religious and Terrorism
   i. Shopping
   j. Violence and weapons
Comment [AT3]: Typing error
Comment [AT4]: Changes made following IA Committee 10th July 2013
b. Logs of user accesses to the Intranet and Internet will be maintained and may be made available to Senior and General Managers and above on request to the eHealth lead.
c. The eHealth department will produce full logs on request from any Senior and General Manager.
6. EXCEPTIONS
a. Where a valid business reason can be identified, Senior and General Managers and above may request individual users be granted access to specific web sites normally blocked to all other users. This process will be managed via a call from the SM or GM to the IM&T Help Desk.
7. BREACHES
a. For your information, breach of items 1 to 5 (inclusive) above, would not only contravene the terms of this policy but could in some circumstances also amount to the commission of an offence under the Computer Misuse Act 1990, which creates the following offences:
   i. unauthorised access to computer material i.e. hacking;
   ii. unauthorised modification of computer material; and
   iii. unauthorised access with intent to commit or facilitate the commission of further offences.
b. Penalties for this type of crime include fines and prison sentences as well as a criminal record.
c. The Board will employ measures designed to protect users from reaching inappropriate material on the Internet.
d. These measures are updated at very regular intervals; however, on occasion staff may reach a site to which they feel they should not have gained access and which may be in breach of Board policy. Should this happen, staff should immediately record the web address of the site (found in the address toolbar at the top of the page) and report the breach to the eHealth support desk.
8. EQUALITY AND DIVERSITY
a. NHS Dumfries and Galloway is committed to equality and diversity in respect of the six equality groups defined by age, disability, gender, race, religion/belief and sexual orientation.
b. We believe, however, that equality and diversity issues are not relevant to this area of work because this policy is designed to provide everyone including NHS Dumfries and Galloway staff with a consistent approach to Information Security for the organisation to ensure good governance arrangements are in place.
Comment [AT5]: Changes made following IA Committee 10th July 2013
9. APPENDIX 1 – POLICY APPROVAL CHECKLIST
NHS DUMFRIES AND GALLOWAY POLICY APPROVAL CHECKLIST
This checklist must be completed and forwarded with the policy to the appropriate approval group.
POLICY TITLE: Acceptable Use of Intranet and Internet Policy
POLICY NO.: …………….
EXECUTIVE LEAD: Dr Angus Cameron
Why has this policy been developed? Compliance with Board Information Assurance Strategy
Has the policy been developed in accordance with or related to legislation? Please give details of applicable legislation. CEL 26/2012; Data Protection Act 1998; Electronic Communications Act 2000; Computer Misuse Act
Has a risk control plan been developed? No
Who is the owner of the risk? Dr Cameron
Who has been involved/consulted in the development of the policy? eHealth Lead and staff, Dr Cameron, Internal Audit, Staff side representative
Has the policy been assessed for equality and diversity in relation to:
   Race/Ethnicity: Yes
   Gender: Yes
   Age: Yes
   Religion/Faith: Yes
   Disability: Yes
   Sexual Orientation: Yes
Has the policy been assessed for Equality and Diversity not to disadvantage the following groups:
   Minority Ethnic Communities: Yes
   Women and Men: Yes
   Religious & Faith Groups: Yes
   Disabled People: Yes
   Young People: Yes
   L, G, B & T Community: Yes
Does the policy contain evidence of the Equality & Diversity Impact Assessment Process? YES
Is there an implementation plan? YES
When will the policy take effect? Immediate
If the policy applies to partner agencies, please explain the reasons for this and how they will be informed of their responsibilities: Not applicable
10. APPENDIX 2 - DOCUMENT STATUS
Title: Intranet and Internet Acceptable Use Policy
Author: Andrew Turner
Approver: Graham Gault
Document reference:
Version number: 1.3

Document Amendment History
Version number | Edited by | Edit date | Topics covered
0.1 | Pinsent Mason Solicitor | Nov 2007 | Exemplar document
1.0 | Andrew Turner | 14th June 2013 | 1st Draft.
1.1 | Graham Gault | 26th June 2013 | 2nd Draft
1.2 | Andrew Turner | 11th July 2013 | Final draft following review and amendments as recommended by Information Assurance Committee – Key Points added
1.3 | Andrew Turner | 8th August 2013 | Final recommendation for approval by APF

Distribution
Name | Version number | Responsibility
Board Secretary | 1.3 | Place on policy register
Communications Team | 1.3 | Place on Intranet and in ‘latest news’
Board Management Group | 1.3 | Dissemination to all staff through line management
Staff side representative | 1.3 | For comment prior to presentation to APF
IM&T Department | 1.3 | To all staff

Associated Documents
ISO/IEC 27002 The Code of Practice for Information Security Management
CEL26/2012 NHS Scotland Information Security Policy
NHS Dumfries & Galloway Information Assurance Strategy
NHS Dumfries & Galloway Information Assurance Policy
NHS Dumfries & Galloway Information Security Policy
NHS Dumfries & Galloway Information Systems Procurement, Development and Implementation Policy
NHS Dumfries & Galloway Access to Information Policy
NHS Dumfries & Galloway Mobile Devices Policy
NHS Dumfries & Galloway eMail Acceptable Use Policy
NHS Dumfries & Galloway Internet and Internet Acceptable Use Policy
NHS Dumfries & Galloway Communications Monitoring Policy
11. APPENDIX 3 - ACTION PLAN FOR IMPLEMENTATION
Name | Responsibility | Timeframe
Place on policy register | Board Secretary | Immediate
Place in ‘latest news’ | Communications Team | Immediate
Place on Intranet | Communications Team | Immediate
Dissemination to all staff through line management | Board Management Group | Continual process
Routinely issue to all staff | IM&T Department | Continual process