Standard Operating Procedure 3 (SOP 3) Identity Management

Transcription

1 Standard Operating Procedure 3 (SOP 3) Why we have a procedure? Identity Management The need for authorised access by employees, contractors and partners to information, at anytime from anywhere, creates huge pressures on ICT for effective, efficient and secure management. Failure to effectively manage access rights not only decreases user productivity but also compromises security. The purpose of this standard operating procedure is to clearly define the process for creation of staff Active Directory and accounts and associated access to other Trust resources for Black Country Partnership NHS Foundation Trust. The Trust Information Security Policy alludes to the responsibility for account management but is not prescriptive enough for our purpose; hence this document seeks to enhance the guidelines set out in the referenced policy. The objective of this SOP is to outline the responsibilities of the requesting authority (Manager) and Human Resources, as to what information is required and responsibilities of the ICT department in maintaining documentary evidence of access to specific resource. The Trust has an obligation to account for Information Security, Governance and accountability to maintain and needs to be able to answer any queries on: Who our users are? Who has access to what? Who approved that access? How that access is being used? What overarching policy the procedure links to? ICT Security Policy Which services of the trust does this apply to? Where is it in operation? Group Inpatients Community Locations Mental Health Services all Learning Disabilities Services all Children and Young People Services all Who does the procedure apply to? All Trust Staff, contractors, and other agents, who utilise trust equipment and access the organisation s data and networks All ICT Staff Identity Management Page 1 of 8 Version 1.0 October 2016

2 When should the procedure be applied? When creation of staff Active Directory, accounts and associated access to other Trust resources for the Trust is required. How to carry out this procedure Details Required for Account Creation All Managers must supply the following information as a minimum when requesting that an account be set up for a prospective employee: Forename Initial(s) Surname Title (Ms, Miss, Mrs, Mr, Dr) Job Title Specify whether Temporary Staff or Permanent (1) Manager (minimum acceptable is house manager) Location (Site & department/office) Contact telephone extension number Group(s)/Distribution list(s) to be added to (If required) Shared Drive(s) to be added to (If required) To have an account created, there is a form to be filled in. The User Account Form form is available on the Intranet in the Trust forms directory in the Document Library. A manager must complete and submit this form electronically to the ICT department. Revocation of Rights and Removal from Site Any suspension of staff must comply with the Trust Disciplinary Procedure, which can be found on both the Trust Intranet and Internet sites, the latter as part of the Trust commitment to the Freedom of Information Act Under extreme circumstances it may be necessary to remove a member of the administrative user group from site, physically, as explained by some of the examples in previous sections. Given this situation, a Director must be made aware of the circumstances and associated risks and the decision must be made by the Director as to whether the allegations constitute revocation of access rights and suspension of duty. If the decision is that the risks are too high to retain the member of the administrative group on site, they will be informed of the decision and asked to leave Trust premises. Their login account(s) and any other service logins that they have access to internally will be suspended. The affected member of staff must be informed that they should not attempt to login to Trust owned ICT equipment at any site or if they have home working, their access must be denied to the corporate network and any equipment collected as soon as is convenient. Due to the sensitive nature of the information that some of the administrative group have access to, senior managers throughout the Trust will be informed of the Identity Management Page 2 of 8 Version 1.0 October 2016

3 suspension and will be asked to pass on a message to their staff that the affected person should not be given physical access to any Trust PC or server by proxy. Point applies to any home working equipment that the suspended person may have access to, through family, or friends employed by the Trust. Where access is to be denied for a third party support company, account passwords for access to all relevant servers and remote access will be changed immediately. Where the affected person is a contractor, their login will be disabled and the system password changed on the specific server that they had access to. Roles and Responsibilities Managers Managers (1) are the first people in the Trust to know that a new employee will be starting and when. They are responsible for the interview process and sending starter forms that go to Human Resources for processing employment. When all the required paperwork is completed and Human Resources advise the manager that everything is present and correct, the manager can then specify a start date for the employee. This is when the manager must complete a User Account Form and send it to the ICT department outlining the account details and associated access requests. See above for details that are required to be sent. ICT must be informed of any change of circumstance that could possibly affect information security or access to restricted resource i.e.; change of role or change of job or outcome of disciplinary, restricting access to specific resource e.g.; Internet access disabled due to misuse etc. When an employee leaves the Trust, it is the responsibility of the manager to inform ICT, so access to the account can be disabled from a specific date. Managers must give fair notice that accounts need to be created, modified or deleted. Nominally five working days notice will suffice but emergency situations can be catered for on an ad-hoc basis. (1) The minimum acceptable status of a manager to request account set-ups through ICT, should be a house manager or business support manager and must be delegated with the appropriate form received into ICT. Human Resources Human Resources are informed by local managers of new starters and process relevant documentation enabling employment. HR also have control of the Electronic Staff Record for the Trust, which lists all Trust employees and associated personal and personnel information. HR runs reports from ESR on a monthly basis, which lists starters and leavers. This document must be sent to ICT to verify information that should be received from managers. Identity Management Page 3 of 8 Version 1.0 October 2016

4 ICT must be informed of any change of circumstance that could possibly affect information security or access to restricted resource i.e.; change of role or change of job. ICT Staff The ICT department and specifically the ICT Services Manager are responsible for Information Security and Governance throughout the Trust and could be called upon to give evidence locally or nationally, should any incident occur requiring such action. ICT are responsible for: Creation, modification or deletion of accounts upon information received from managers or Human Resources Backing up account information and personal space on servers allocated to individuals Reporting any inappropriate access to resource to managers Reporting and effectively dealing with any security breach Managing Information Security and Governance Ensuring requests for information are actioned expediently Ensuring that processes and procedures are followed. Documenting who has access to which shares and resources Full daily backups are carried out on all business critical information, which can be restored within minutes or a few hours, depending on the size of restoration needed. Administrative privileges are strictly limited to those that require it, as part of their job function and description. The decision as to who gets what privilege is made on an adhoc basis by the ICT services manager, who will assess the requirements put forward case by case. It is usually only support staff that requires full or restricted administrative privilege. Not all members of the administrative group have privileges on ALL servers. See Appendix A for a list of servers and privileges assigned to those for bespoke application requirements. Only the ICT Services Manager and the ICT Support Team Leader have full administrative access to all services and all servers in the Trust. Subordinate ICT support staff have restricted access to systems and services. Where administrative privilege is required outside of the ICT department, it is limited local admin access to the specific server or service. Or PC domain admin for running an installed application on a PC. Contractors or third party suppliers are only given Local Admin privilege to those servers specifically, that they support, as part of their contract or SLA. They cannot use those privileges on any other servers or services in the Trust. The decision to allow any type of administrative access to any Trust servers, services or PCs, is the responsibility of the ICT Services Manager. Any administrative access, whether it be for servers, services, PCs, local, restricted or domain access, will be logged into a spreadsheet held by the ICT department and retained for audit and control purposes. Identity Management Page 4 of 8 Version 1.0 October 2016

5 Contractors or third party suppliers are only given Local Administrative privilege to those servers specifically, that they support, as part of their contract or SLA. Only trained or experienced users of ICT are to be provided with administrative privileges. Links to other Policies and Procedures ICT Change Control Policy ICT and Internet Acceptable Use Policy ICT Remote Access Policy ICT Portable Devices and Portable Media Security Policy ICT Telecommunications Policy ICT Priority 1 Incident Handling Policy ICT Security Policy Where do I go for further advice or information? ICT Department, Delta House, Greets Green Road, West Bromwich, B70 9PL Tel: Self-service portal: Training Staff may receive training in relation to this procedure, where it is identified in their appraisal as part of the specific development needs for their role and responsibilities. Please refer to the Trust s Mandatory & Risk Management Training Needs Analysis for further details on training requirements, target audiences and update frequencies Identity Management Page 5 of 8 Version 1.0 October 2016

6 Monitoring / Review of this Procedure In the event of planned change in the process(es) described within this document or an incident involving the described process(es) within the review cycle, this SOP will be reviewed and revised as necessary to maintain its accuracy and effectiveness. What key elements will be monitored? (measurable policy objectives) How will they be monitored? (method + sample size) Who will undertake this monitoring? How Frequently? Group/Committee that will receive and review results Group/Committee to ensure actions are completed Evidence this has happened Application Process for user accounts is working effectively Application requests submitted to ICT department ICT Department Annually Information Governance Steering Group Information Governance Steering Group Reports and Minutes of Meetings All users are able to routinely access Trust networks as they need to, to perform their duties Requests submitted to the Service Desk ICT Department Annually Information Governance Steering Group Information Governance Steering Group Reports and Minutes of Meetings All incidents relating to noncompliance and / or breaches in security arising from remote access DATIX, the Trust s electronic incident reporting system ICT Department Annually Information Governance Steering Group Information Governance Steering Group Reports and Minutes of Meetings Equality Impact Assessment Please refer to overarching policy Data Protection Act and Freedom of Information Act Please refer to overarching policy Identity Management Page 6 of 8 Version 1.0 October 2016

7 Appendix A Remote Access Permissions Server name Application Who Access Reason Oasis-App Oasis Capula Local RWS SLA & Support Oasis-Web Oasis Capula Local RWS SLA & Support Oasis-DB Oasis Capula Local RWS SLA & Support Oasis-OB Business Objects Capula, S. Clifton Local RWS SLA & Support, BO Reports BCMHFIN Sage, Analyst financial TAH L Clarke Local RWS SLA & Support Petunia Risk Datix Local RWS SLA & Support Morgana Risk Datix Local RWS SLA & Support Flamel Finance Reports Qlikview Local RWS SLA & Support MAPs Roster Allocate Local RWS SLA & Support Pince Oasis Capula Local RWS SLA & Support Piers Oasis Capula Local RWS SLA & Support Figg Oasis Capula Local RWS SLA & Support Flint Oasis Capula Local RWS SLA & Support Merlin Oasis Capula Local RWS SLA & Support Goshawk Estates Helpdesk Concept (FSI) Local RWS SLA & Support Identity Management Page 7 of 8 Version 1.0 October 2016

8 Standard Operating Procedure Details Unique Identifier for this SOP is State if SOP is New or Revised Policy Category Executive Director whose portfolio this SOP comes under Policy Lead/Author Job titles only Committee/Group Responsible for Approval of this SOP Month/year consultation process completed Month/year SOP was approved Next review due Disclosure Status BCPFT-ICT-SOP-03-3 New ICT Director of Strategy, Estates and ICT ICT Manager Information Governance Steering Group February 2016 October 2019 B can be disclosed to patients and the public Review and Amendment History Version Date Description of Change Oct 1.0 New SOP for BCPFT to support ICT Security Policy 2016 Identity Management Page 8 of 8 Version 1.0 October 2016