Forensic Readiness Policy

Document Title: Forensic Readiness Policy
Reference Number: NTW(O)56
Lead Officer: Lisa Quinn, Executive Director of Performance and Assurance
Author(s) (name and designation): Sue Proud, Information Governance Manager
Ratified by: Trust-wide Policy Group
Date ratified: January 2015
Implementation Date: January 2015
Date of full implementation: January 2015
Review Date: January 2018
Version number: V05

Review and Amendment Log
Version: V05
Type of Change: Annual Review
Date: Jan 15
Description of Change: Annual Review

This Policy supersedes the following Policy, which must now be destroyed:
Document Number: NTW(O)56 V04
Title: Forensic Readiness Policy

Contents

1 Introduction
2 Purpose
3 Duties, Accountability and Responsibilities
4 Definition of Terms Used
5 Procedure / Process
6 Identification of Stakeholders
7 Training
8 Implementation
9 Fair Blame
10 Fraud, Bribery and Corruption
11 Monitoring Compliance
12 Associated Documents
13 References

Standard Appendices attached to Policy
A Equality Analysis Screening Toolkit
B Training Checklist and Training Needs Analysis
C Audit Monitoring Tool
D Policy Notification Record Sheet

1 Introduction

1.1 A forensic investigation of digital evidence is commonly employed as a post-event response to a serious information security incident. There are, however, many circumstances in which an organisation may benefit from the ability to gather and preserve digital evidence before an incident occurs.

1.2 Forensic Readiness is defined as the ability of an organisation to maximise its potential to use digital evidence whilst minimising the costs of an investigation. The costs and benefits of such an approach are outlined. Preparation to use digital evidence may involve enhanced system and staff monitoring; technical, physical and procedural means to secure data to evidential standards of admissibility; processes and procedures to ensure that staff recognise the importance and legal sensitivities of evidence; and appropriate legal advice and interfacing with law enforcement.

1.3 The Northumberland Tyne and Wear NHS Foundation Trust Board (the Trust / NTW) has approved the introduction of Information Governance (IG) Forensic Readiness into the business processes and functions of the Trust. This should maximise its potential to use digital evidence whilst minimising the costs of investigation. This decision reflects the high level of importance placed upon minimising the impacts of information security events and safeguarding the interests of patients, staff and the Trust itself.

2 Purpose

2.1 This Policy has been created to:
- Protect the Trust, its staff and its patients through the availability of reliable digital evidence gathered from its systems and processes;
- Allow consistent, rapid investigation of major events or incidents with minimum disruption to Trust business;
- Enable the pro-active and comprehensive planning, gathering and storage of evidence in advance of that evidence actually being required;
- Demonstrate due diligence and good governance of the Trust's information assets.

3 Duties, Accountability and Responsibilities

- Responsibility for implementation of and compliance with this Policy lies with the Chief Executive;
- The Trust Senior Information Risk Owner (SIRO) is responsible for co-ordinating the development and maintenance of IG Forensic Policy, Procedures and standards for the Trust;
- The SIRO is responsible for the ongoing development and day-to-day management of the IG forensic policy within the Trust's overall Risk Management Programme;
- Trust Information Asset Owners (IAOs) shall ensure that IG forensic standards are applied in their own areas of responsibility;
- Operational Directors must ensure ownership for implementation throughout their respective Directorates;
- The Director of Informatics shall ensure that technical and operational measures and tools are in place to support this Policy;
- This Policy is applicable to all areas of the Trust and adherence should be included in all contracts for outsourced or shared services. There are no exclusions.

4 Definition of Terms Used

IG Forensic Readiness: The ability of an organisation to make use of digital evidence when required. Its aim is to maximise the organisation's ability to gather and use digital evidence whilst minimising disruption or cost.

IG Forensic Readiness Planning: Proactive planning for a digital investigation through the identification of scenarios, sources of admissible evidence, related monitoring and collection processes and capabilities, storage requirements and costs.

5 Procedure / Process

5.1 The Trust Board recognises that the aim of IG Forensics is to provide a systematic, standardised and legal basis for the admissibility of digital evidence that may be required for a formal dispute or legal process. In this context, IG Forensics may include evidence in the form of log files, e-mails, back-up data, removable media, portable computers, and network and telephone records, amongst others, that may be collected in advance of an event or dispute occurring.

5.2 The Board acknowledges that IG Forensics provides a means to help prevent and manage the impact of important business risks. IG evidence can support a legal defence, it can verify and may show that due care was taken in a particular transaction or process, and it may be important for internal disciplinary actions.

5.3 Forensic Readiness has two objectives:
- Maximising the usefulness of incident evidence data;
- Minimising the cost of forensics during an incident response.

5.4 The Informatics Department will ensure that appropriate functionality is inherent in IT Systems, and that specialist tools / staff are available to support the admissibility of forensic evidence, namely:
- Event Logs;
- Intrusion Detection Systems (IDS);
- Forensic Acquisition;
- Evidence Handling;
- Gathering of admissible evidence legally and without interfering with business processes;
- Allowing an investigation to proceed at a cost in proportion to the incident;
- Minimising interruption to the business from any investigation;
- Ensuring that evidence makes a positive impact on the outcome of any legal action, in order to continue the core business functions of all Business Stakeholders in the event of a major incident.

5.5 Trust Information Asset Owners (IAOs) shall ensure that IG Forensic Readiness Planning is adequately considered and documented for all information assets for which they have ownership.

5.6 IAOs shall submit their plans for IG Forensic Readiness to the SIRO for review, along with details of any planning assumptions or external dependencies. Forensic Readiness Plans shall include specific actions with expected completion dates.

5.7 The SIRO shall advise the Chief Executive and the Trust Board on Forensic Readiness Planning and provide periodic reports and briefings on progress.

6 Identification of Stakeholders

6.1 This is an existing Policy with only minor changes that do not relate to operational and / or clinical practice; it therefore did not require a full consultation process.

7 Training

7.1 Training for this Policy is delivered where necessary by the Information Governance Team to the IAOs and IAAs.

7.2 Through consultation, including the Trust-wide CHIG and Group Business Meeting, it has been ensured that:
- Full consideration has been given to any training needs that have been identified during the development of the Policy;
- A full Trust-wide Training Needs Analysis has been undertaken, including who this will affect, what level of training is required, how often training should be undertaken and any resource implications.

8 Implementation

8.1 Taking into consideration all the implications associated with this Policy, it is considered that a target date of January 2015 is achievable for the contents to be implemented across the Trust.

8.2 This will be monitored by the Trust-wide Policy Group during the review process. If at any stage there is an indication that the target date cannot be met, then the Group will consider the implementation of an action plan.

9 Fair Blame

9.1 The Trust is committed to developing an open learning culture. It has endorsed the view that, wherever possible, disciplinary action will not be taken against members of staff who report near misses and adverse incidents, although there may be clearly defined occasions where disciplinary action will be taken.

10 Fraud, Bribery and Corruption

10.1 In accordance with the Trust's Policy NTW(O)23 Fraud, Bribery and Corruption Policy, all suspected cases of fraud and corruption should be reported immediately to the Trust's Local Counter Fraud Specialist or to the Executive Director of Finance.

11 Monitoring Compliance

11.1 Responsibility for monitoring compliance with this Policy lies with the SIRO and the IAOs.
- The Information Governance Team will monitor compliance with this Policy through observation, spot checks and incident management, in line with the Trust Incident reporting process.
- Any compliance issues will be reported to the line managers concerned and may be handled through staff disciplinary processes or contractual arrangements.

Incident Reporting
All incidents involving electronic data must be advised immediately to the Information Governance Department and dealt with in accordance with the Trust Incident Reporting Procedure NTW(O)05 (see Trust Incident Reporting Policy and Procedures).

12 Associated Documents

- NTW(O)05 - Incident Policy (including the management of Serious Untoward Incidents and associated Practice Guidance Notes (PGNs));
- NTW(O)09 - Management of Records Policy (and associated PGNs);
- NTW(O)33 - Risk Management Policy;
- NTW(O)35 - Information Security Policy;
- NTW(O)45 - Acceptable Use of , Intranet and Internet Policy (and associated PGN);
- NTW(O)55 - Information Risk Policy.

13 References

Appendix A

Equality Analysis Screening Toolkit

Names of Individuals involved in Review: Sue Proud
Date of Initial Screening: August 2009
Review Date: November 2014
Service Area / Directorate: Trust-wide
Policy to be analysed: NTW(O)56 Forensic Readiness Policy
Is this policy new or existing? Existing

What are the intended outcomes of this work? Include outline of objectives and function aims.
The Policy has been created to:
- Protect the Trust, its staff and its patients through the availability of reliable digital evidence gathered from its systems and processes;
- Allow consistent, rapid investigation of major events or incidents with minimum disruption to Trust business;
- Enable the pro-active and comprehensive planning, gathering and storage of evidence in advance of that evidence actually being required;
- Demonstrate due diligence and good governance of the Trust's information assets.

Who will be affected? e.g. staff, service users, carers, wider public etc.
Staff, service users, carers and the wider public.

Protected Characteristics under the Equality Act
The following characteristics have protection under the Act and therefore require further analysis of the potential impact that the policy may have upon them:
- Disability
- Sex
- Race
- Age
- Gender reassignment (including transgender)
- Sexual orientation
- Religion or belief
- Marriage and Civil Partnership
- Pregnancy and maternity
- Carers
- Other identified groups

How have you engaged stakeholders in gathering evidence or testing the evidence available?
Through standard Policy consultation mechanisms.

How have you engaged stakeholders in testing the policy or programme proposals?
Through standard Policy consultation mechanisms.

For each engagement activity, please state who was involved, how and when they were engaged, and the key outputs:
Through standard Policy consultation mechanisms.

Summary of Analysis
Considering the evidence and engagement activity you listed above, please summarise the impact of your work. Consider whether the evidence shows potential for differential impact; if so, state whether adverse or positive and for which groups. How will you mitigate any negative impacts? How will you include certain protected groups in services or expand their participation in public life?

Now consider and detail below how the proposals impact on the elimination of discrimination, harassment and victimisation, advance the equality of opportunity and promote good relations between groups. Where there is evidence, address each protected characteristic.

Eliminate discrimination, harassment and victimisation:
Advance equality of opportunity:
Promote good relations between groups:
What is the overall impact?

Addressing the impact on equalities
From the outcome of this Screening, have negative impacts been identified for any protected characteristics as defined by the Equality Act 2010? No
If yes, has a Full Impact Assessment been recommended? If not, why not?

Manager's signature: Sue Proud
Date: November

Appendix B

Communication and Training Check List for Policies

Key Questions for the accountable committees designing, reviewing or agreeing a new Trust Policy

Is this a new policy with new training requirements or a change to an existing policy? If it is a change to an existing policy, are there changes to the existing model of training delivery? If yes, specify below.
No, this is an existing Policy.

Are the awareness/training needs required to deliver the changes by law, national or local standards or best practice? Please give specific evidence that identifies the training need, e.g. National Guidance, CQC, NHSLA etc. Please identify the risks if training does not occur.
In order to comply with Data Protection Legislation and Caldicott requirements, a directive has been issued by the NHS nationally, which includes the requirement for all NHS organisations to have in place a forensic readiness policy and associated procedures to support this.

Please specify which staff groups need to undertake this awareness/training. Please be specific. It may well be the case that certain groups will require different levels, e.g. staff group A requires awareness and staff group B requires training. Is there a staff group that should be prioritised for this training / awareness?
Trust-wide. It is essential that all staff groups working with data which may be relied on in the event of an incident are made aware of the contents of this Policy.

Please outline how the training will be delivered. Include who will deliver it and by what method. The following may be useful to consider:
- Team brief/e-bulletin of summary
- Management cascade
- Newsletter/leaflets/payslip attachment
- Focus groups for those concerned
- Local Induction Training
- Awareness sessions for those affected by the new policy
- Local demonstrations of techniques/equipment with reference documentation
- Staff Handbook
- Summary for easy reference
- Taught Session
- E-Learning
Team Brief, CEO Bulletin, Intranet, face to face training.

Please identify a link person who will liaise with the training department to arrange details for the Trust Training Prospectus, Administration needs.
Director of Informatics

Appendix B continued

Training Needs Analysis

Staff/Professional Group        | Type of Training                                               | Duration of Training | Frequency of Training
Information Governance Team     | Specialist training provided by external organisation          | Various              | Initial and Refresher
SIRO, IAOs, IAA                 | Specialist training provided by IG Department where required   | Various              | As required
All                             | General awareness of securing forensic data and evidence       | 1 hour               | Annual

Copy of completed form to be sent to: Training and Development Department, St. Nicholas Hospital
Should any advice be required, please contact: (internal 32216)

Appendix C

Monitoring Tool

Statement
The Trust is working towards effective clinical governance and governance systems. To demonstrate effective care delivery and compliance, Policy authors are required to set out, using this framework, how monitoring of this Policy linked to Auditable Standards / Key Performance Indicators will be undertaken.

NTW(O)56 Forensic Readiness Policy - Monitoring Framework

Auditable Standard / Key Performance Indicators:
1. Where an incident occurs the Trust should ensure that the correct procedure for reporting is followed, as stipulated under NTW(O)05.

Frequency / Method / Person Responsible:
IG Highlight Report to the Bi-Monthly Caldicott and Health Informatics Group (CHIG) Meeting includes the reporting of incidents. This would include any incidents in relation to inappropriate access to the Trust's Information Assets. Inappropriate access to the internet would be dealt with directly through the disciplinary process and not reported through a governance group.

Where Results & Any Associated Action Plan Will Be Reported To and Monitored (this will usually be via the relevant Governance Group):
Caldicott and Health Informatics Group

The Author(s) of each Policy is required to complete this monitoring template and ensure that these results are taken to the appropriate reporting governance group as above, in line with the frequency set out.