This document provides guidance to users of the computer systems of this practice. Implementation of the policies herein will ensure adequate security for all information collected, processed, transmitted, stored, or disseminated as part of the Practice systems and major applications. These security policies are consistent with the Government legislation of the EU.
This security policy addresses the following areas of concern:
- General security policy and standards
- Security organization
- Personnel security and training
- Physical security
- Computer systems access control
- Security in system life cycle management
- Computer integrity and incident reporting
- Malicious software
- Business continuity management
- Compliance
The Practice Security Officer will periodically review this document and will be responsible for any modifications deemed necessary. Any feedback and suggested amendments in respect of this document should be provided in writing to the Practice Security Officer.
The Practice Manager will be responsible for approving security policy amendments.
To establish and maintain adequate and effective information security safeguards for users to ensure that the confidentiality, integrity and operational availability of Practice information is not compromised.
Sensitive information must be safeguarded against unauthorised disclosure, modification, access, use, destruction, or delay in service.
Each user has a duty and responsibility to other practice staff members to comply with the information protection policies and procedures detailed in this document.
The standard and quality of the information security controls implemented at this Practice will be verified through periodic reviews to ensure compliance.
Most information is collected in a situation of confidence and trust, is generally highly sensitive and may include particularly sensitive details.
Any information provided on the Practice computer system that is sensitive for other reasons; such as commercial information, staff related information or any other information which may be considered sensitive.
A management framework is required so that all those involved in the use or maintenance of the Practice computer systems can initiate, coordinate and control the implementation of information security effectively.
The Practice Manager has a number of responsibilities with respect to the security of information, including:
- establishing and approving information security policies and procedures,
- agreeing on specific methodologies and processes for information security, e.g. risk assessment, security classification, etc.,
- determining acceptable levels of security risks,
- monitoring major information security threats and incidents,
- approving major initiatives to enhance information security,
- ensuring that formal audits are performed as necessary,
- reviewing audit reports where security problems exist,
- appointing the Practice Security Officer,
- acting as the Authorized Signatory in respect to the issuance of digital certificates.
The Practice Security Officer is appointed by the Practice Manager and is responsible for the coordination of security issues that affect the Practice. In particular, the Practice Security Officer is responsible for:
- advising Practice staff on security matters,
- informing the Practice Manager of any major security incidents,
- developing and reviewing security policies and plans to be approved by the Practice Manager,
- maintaining a list of all persons authorized to have access to the Practice premises, and to Practice computer systems,
- reporting security incidents, and the status thereof, to the Practice Manager,
Any security system relies on the users of the system to follow the procedures necessary for upholding security policies. Practice employees are therefore expected to:
- uphold security procedures and policies,
- protect their user identification and passwords,
- inform the Practice Security Officer of any security issues, problems or concerns,
- assist the Practice Security Officer in resolving security issues,
- ensure that all computer systems used in support of Practice functions are backed-up in a manner that mitigates both the risk of loss and costs of recovery,
- be especially aware of the vulnerabilities presented by remote access and be aware of their obligation to report intrusions, misuse, or abuse to the Practice Security Officer,
- be aware of their obligations in the event that they are storing, securing, transmitting and disposing of information to protect the privacy of our clients .
A formal risk assessment will be undertaken by the Practice Security Officer no less often than at two yearly intervals.
It is not possible to eliminate all business risk, rather appropriate techniques should be applied to identify and manage the risks to minimize any harmful effects.
Security requirements will be identified by a methodical assessment of security risks. Expenditure on mitigating controls is to be balanced against the harm to the practice that is likely to result from security failures.
Risk assessment is the systematic consideration of:
- the harm likely to result from a security failure, taking into account the potential consequences of a loss of integrity, confidentiality, and availability of the information and other assets;
- the realistic likelihood of such a failure occurring in the light of the prevailing threats and vulnerabilities, and the controls currently implemented.
The results of this assessment will assist in the determination of the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against those risks.
As a matter of course, security policies will be reviewed for currency and appropriateness following any assessment of risks.
All major information assets should be accounted for and have a nominated owner.
Accountability for assets helps to ensure that appropriate protection is maintained. Owners are to be identified for each major asset, and the responsibility for the maintenance of appropriate controls is to be assigned.
Inventories of assets help ensure that effective asset protection takes place, and will also be useful for other business purposes
Information is to be classified to indicate the need, priorities, and degree of protection.
Information has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling.
An information classification system will enable the definition of an appropriate set of protection levels, and communicate the need for special handling processes.
The responsibility for defining the classification of an item of information, e.g., for a document, data file or diskette, and for periodically reviewing that classification, is to be rest with the originator or nominated owner of the information.
Handling procedures are to be defined to cover:
- copying,
- storage,
- transmission by post, fax and electronic mail,
- transmission by spoken word, including mobile phone, voicemail, answering machines, and
- destruction.
To ensure that employees are aware of information security threats and concerns, and are equipped to support the Practice of information protection policies and procedures in the course of their daily work.
Security related roles and responsibilities are to be documented where appropriate in specific job descriptions.
All employees involved in the collection, use, and disclosure of information must sign a non-disclosure information and security agreement.
Contract staff and outside organizations not already covered by an existing contract (containing the confidentiality agreement) are required to sign a confidentiality agreement prior to accessing Practice facilities.
Computer users must receive appropriate training before using computer facilities and applications used by this practice.
All employees of the Practice are to receive appropriate training and regular updates in practice policies and procedures, including security requirements, legal responsibilities and business controls.
An appropriate disciplinary process is to be in place to cover both employees and contractors who may knowingly disregard a particular policy requirement.
All hardware, software, documentation, commercial information held by the Practice is to be protected from disclosure, modification, or destruction. This is especially true if access may reveal information that can be used to eliminate, bypass, or otherwise render security safeguards ineffective or enable the disclosure of information.
Where identifiable sensitive information is stored, processed, or transmitted, physical access to that information is to be restricted to authorized individuals.
Areas in which information is stored are to be physically secure and access restricted to authorized personnel only. Access to documentation in respect to computer systems is also to be restricted to authorized personnel.
All persons, other than employees, who are granted access to Practice premises must be accompanied, and their access restricted to those areas necessary for them to complete their tasks.
Work areas are, as far as conveniently possible, to be kept clear of papers and removable storage media in order to reduce the possibility of unauthorized access, loss of, and damage to information during and outside normal working hours.
Similarly, screen savers are to be activated on all Practice computers.
Sensitive and critical practice information, including computer media, is to be locked away when not required.
All items of equipment are to be sited or protected to minimize the risks from environmental threats and hazards, and opportunities for unauthorized access.
The impact of a disaster occurring in or around nearby premises is to be considered.
Security controls are to be in place to ensure authorized operations and that sensitive information is properly protected.
Computers used to process information from remote locations must meet practice security requirements and have authorization from the Practice Security Officer.
Practice information stored on computer systems must be regularly backed-up so that it can be restored if or when necessary.
All care and responsibility must be taken in the destruction of sensitive information.
Both paper and electronic information relating to administrative and commercial information must be disposed of securely.
Practice information can be compromised through careless disposal of equipment. Accordingly, all sensitive information must be erased from computer storage media prior to disposal.
Similarly, no computer equipment that is sent or taken off-site for repair, should contain sensitive information.
Damaged storage devices such as hard disks may contain sensitive information that if disclosed could cause considerable embarrassment. Consideration should be given to not having a device repaired if information cannot be erased.
Access to computer services and information should be controlled on the basis of Practice requirements.
Access control responsibilities are as follows:
- Will determine and support the Practice access control strategy.
- Will ensure the satisfactory resolution of problems relating to the provision of user access when, in response to the concerns expressed by the Practice Security Officer, significant changes are deemed necessary.
- Will ensure policies and standards address all Practice requirements.
- Will ensure that login and system access procedures meet defined requirements.
- Will ensure that data and applications are safe in project development environments.
- Will assist users in their day-to-day use of Practice computer systems by performing basic account administration functions, including the unlocking of locked accounts, resetting passwords, providing user instruction.
Minimum requirements for information system access control are:
- valid individual user identifications and passwords for all computer access,
- successful and unsuccessful system accesses are to be recorded,
- the last time a user was logged on is to be recorded or displayed,
- user account details are to be issued at a formal training session,
- new user accounts are to be initially configured so as to force a change of the password upon first logging on.
Access to Practice computer facilities are to be via a secure login process. The relative login procedure will:
- not display system or application prompts until the login process has been successfully completed,
- not provide help messages during login procedures,
- validate the login information only on completion of all input data,
- allow only three unsuccessful login attempts before:
- recording the unsuccessful attempt,
- forcing a time delay before further login attempts are allowed,
- suspending a user account to prevent repeated invalid access attempts,
- disconnecting and giving no assistance after a rejected attempt to login,
- limit the time allowed for the login procedure; if exceeded, the system should terminate the login,
- display the following information on completion of a successful login:
- date and time of the previous successful login,
- details of any unsuccessful login attempts since the last successful login.
This allows the user to check whether it was that he/she who was last logged on. If not, the incident should be reported and appropriate action taken.
The following password standards are to be adhered to ensure compliance with the basic principles of logical security:
- the use of individual passwords is to be enforced to maintain accountability. Sharing of passwords is not permitted,
- users should be able to select and change their own password and be required to provide a confirmation to account for typing errors,
- a password is to have a minimum length of eight characters,
- passwords are not to be based on any of the following:
- months of the year, days of the week or any other aspect of the date,
- family names, initials or car registration numbers,
- company names, identifiers or references,
- telephone numbers or similar all-number groups,
- user identification, user name, group identification or other system identifier
- more than two consecutive identical characters,
- all-numeric or all-alphabetic groups,
- any word contained in a dictionary, either English or another language.
- maximum password lifetime is to be 90 days for normal user accounts and 60 days for system administrator accounts,
- users are to be forced to change temporary (initial) passwords at the first login,
- passwords are not to be displayed while being entered,
- password files should be stored separately from the main application system data, and any access restricted to the system administrator,
- password files are to be stored in encrypted form, using a one-way encryption algorithm,
- default vendor userIds and passwords are to be deleted or altered following installation of software.
Inactive user accounts that are no longer required are to be disabled and identified as pending deletion.
The Practice Security Officer is to approve the continued availability of a particular inactive user account.
As electronic mail (e-mail) is a business resource, Practice personnel are to note that:
- personal use of e-mail is to be kept to a minimum,
- the e-mail system is inherently insecure and individuals other than the intended recipients may be able to read messages,
- nothing should be included in an e-mail message that would not be printed on Practice letterhead,
- the information contained in e-mail messages forms part of Practice business records,
- no sensitive information should be sent as part of, or attached to, an e-mail message unless the information is encrypted,
- e-mail attachments are a common source of malicious software and particular care is to be taken before opening any attachments, especially if the message is not from a trusted source,
- management reserves the right to monitor the content of e-mail messages.
All personnel should be aware of the security risks created by electronic mail including the vulnerability of messages and any legal considerations.
Connections to other networks, including the World Wide Web, are to be protected through a firewall.
Firewalls must be properly configured so as to ensure the required level of security is achieved.
Default settings in network servers are to be changed so as to minimise the possibility of unauthorised access.
No software, or other material, is to be downloaded from the World Wide Web without the prior knowledge of the Practice Security Officer.
The Practice Security Officer is to approve all software prior to it being installed.
Vendor supplied software used in operational systems is to be maintained at a level supported by the supplier.
Software patches that help to remove or reduce security weaknesses are always to be applied in a timely manner and with appropriate consideration for the seriousness of the risk an unpatched vulnerability poses.
Hardware and software maintenance activities are not to affect the integrity of existing safeguards or permit the introduction of security exposures (computer viruses, logic bombs, malicious code, etc.) into the Practice computer systems.
Automated dial-up diagnostic maintenance of sensitive applications by software vendors via remote communications is only to be undertaken under the direction of the Practice Security Officer.
All personnel are to comply with the software integrity procedures outlined in this document especially in respect to the following:
- security violations and software malfunctions reporting
- virus prevention and monitoring
A security incident is an event and/or condition that has the potential to impact on security or privacy and may result from either intentional or inadvertent action.
All employees, and others likely to be involved, are to be made aware of the procedures for reporting incidents that might have an impact on the security of Practice assets and information.
A security violation is an event that may result in disclosure of sensitive or otherwise classified information to unauthorized individuals, or in unauthorized modification or destruction of system data, loss of computer system processing capability, loss, or theft of any computer system resources.
If a security violation occurs as a consequence of a user’s access, that user and any like users are to be provided with guidance by the Practice Security Officer to ensure that the violation does not re-occur.
Systems should be monitored to detect deviation from access control policy and record events to provide evidence in case of security incidents. System monitoring allows the effectiveness of adopted controls to be checked and conformity to access policies to be verified.
Similarly, unauthorised intrusions are to be monitored.
Any security-related incidents, violations or weaknesses, are to be reported to the Practice Security Officer at the earliest possible time but by no later than the following business day.
Software and information processing facilities are vulnerable to the introduction of malicious software such as computer viruses, network worms and Trojan horses. It is therefore essential that precautions are taken to both detect and prevent the introduction of malicious software.
New viruses are being developed at regular and frequent intervals and could seriously undermine the integrity of the Practice systems unless they are prevented. Accordingly, all workstations are to have anti-virus software installed.
The Practice Security Officer is to ensure that virus signature files are updated on a regular (no less frequently than monthly) basis so as to ensure that any new viruses can be promptly identified and removed.
Each individual user must ensure that the anti-virus software is active on their workstation so that any potential viruses from external sources are identified and removed.
All users are to receive instruction as to how best to prevent the introduction of computer viruses and other malicious software.
The Practice Security Officer is to therefore ensure that:
- users are aware that e-mail attachments may contain (often unknown) viruses or other malicious software.
- users immediately report attachments with suspicious file extensions (including .vbs, .shs, .pif and .exe) to the organisation’s IT support help desk.
- users know to never launch email attachments from their e-mail systems unless received from a trusted source, and then only after due care has been taken.
Disciplinary procedures are to be brought into play in the event that a user fails to follow designated malicious software procedures.
A Practice business continuity management plan is to be implemented so as to minimise the effects of disruption caused by disasters and system failures (which may be the result of, for example, natural disasters, equipment failures, or deliberate actions) through a combination of preventative and recovery controls.
Plans are to be developed and implemented to ensure that Practice processes can be restored within the required time-scales, and are to be maintained and practised so as to become an integral part of all other management processes.
The key elements of business continuity management include:
- understanding the risks the organisation faces in terms of their likelihood and their impact, including identification and prioritisation of critical business processes,
- understanding the impact which interruptions are likely to have on the Practice,
- establishing the business objectives of information processing facilities,
- considering the purchase of suitable insurance which may form part of the business continuity process,
- formulating and documenting a business continuity strategy consistent with Practice objectives and priorities,
- formulating and documenting business continuity plans in line with agreed strategy,
- regular testing and updating of the plans and processes put in place, and
- ensuring that the responsibility for managing business continuity is clearly defined in the Practice’s processes and structure.
All conditions of a vendor’s software license are to be strictly observed.
Users are responsible for ensuring that all licensing obligations are met and maintained.
All users are to be kept aware of their general security responsibilities and be regularly updated. It is essential that users understand and adhere to procedures for managing, detecting and responding to security incidents.
The Practice Security Officer is to take responsibility for maintaining user security awareness.
All security procedures are to be subject to periodic review to ensure compliance with Practice security policies and standards.
Similarly, information systems are to be checked for compliance with security implementation standards.
Audits of operational systems are to be planned and agreed to minimize risk of disruption to Practice processes.
Where a particular policy cannot be complied with for a substantive business reason, approval for a deviation from policy is to be obtained from the Practice Manager.
Requests for authorized non-compliance must be formally submitted with details of any risks associated with the deviation.
The Practice Security Officer will maintain a record of all approved non-compliance requests.
All approved non-compliance requests will be subject to six-monthly reassessments.