Policy Date: 3rd June 2020
Review Required: 1 year from last update
1. The Purpose of the Policy
1.1. This policy has been put together to ensure that good IT practices are being met within Care Academy.
1.2. This policy is also in place to ensure that Care Academy meets the Cyber Essentials security criteria.
2. Policy Scope
2.1. All staff members of Care Academy are required to follow this policy.
2.2. The Head of Training and Education is responsible for ensuring that this policy is kept up-to-date, in accordance with ongoing changes in clinical practices and legislation.
2.3. Individual staff members are responsible for following this policy and should seek advice from their managers if they are unsure of any aspect of it. All employees are responsible for their own adherence to this policy.
3. Office Firewalls and Internet Gateways
3.1. Firewalls should be enabled wherever possible.
3.2. Internet router/hardware firewall devices should be changed from their default password. Only those who need to know the changed password will be informed of it.
3.3. The new password should be secure and at least 8 characters long.
3.4. Passwords of firewalls/internet gateways should be changed if there is a concern that passwords have been compromised.
3.5. If services are enabled on a firewall, they must be disabled when no longer required/in use.
3.6. Internet routers or hardware firewall devices should be blocked from being advertised on the internet.
3.7. Internet routers or hardware firewalls should only be configured to allow access to their configuration settings over the internet where there is a justifiable reason, such as IT support.
3.8. Where possible, two-factor authentication should be enabled, or access to configuration settings should be restricted to trusted IP addresses.
3.9. Software firewalls should be in place and enabled on all computers and laptops.
4. Secure Configuration
4.1. Where possible, software which is not used should be disabled or removed.
4.2. All laptops, computers, servers, tablets and mobile devices should only contain necessary user accounts that are regularly used for the purpose of Care Academy.
4.3. Default passwords for accounts must be changed as soon as possible and, unless otherwise required by the account, be at least 8 characters long. Passwords should be difficult to guess and contain both numbers and letters. Symbols can be used to further improve password security. Passwords should not be shared.
4.4. If there is a concern that passwords have been compromised, they must be changed immediately.
4.5. Where possible, login attempts should be limited to no more than 10 attempts in 5 minutes, or the account should be locked after 10 or more incorrect attempts.
4.6. Auto-run/auto-play should be disabled on all systems, so that DVDs or memory sticks inserted into a device do not run automatically.
5. Software Patching
5.1. All operating systems and firmware on Care Academy devices must be supported by a supplier which provides regular fixes for any security problems.
5.2. Software which is licensed must be licensed in accordance with the publisher’s recommendations.
5.3. All staff are responsible for ensuring that software updates for operating systems and firmware on the devices which they use are installed within 14 days of the update being released.
5.4. All staff are responsible for ensuring that all high-risk or critical security updates for the devices which they use are installed within 14 days of the update being released.
5.5. All staff are responsible for removing any applications on the devices which they use that are no longer supported or no longer receive regular fixes for security problems.
5.6. Any member of staff with queries, concerns or requiring help about software patching must refer to the Head of Training and Education in the first instance.
6. User Accounts
6.1. Users must only be granted access to an individual user account once they have been employed by Care Academy, read and agreed to this policy, and completed Data Protection training.
6.2. Users of individual accounts must enter a unique password, at least 8 characters long (unless the system requires otherwise), which must not be shared except in exceptional circumstances.
6.3. User accounts must not have passwords disabled, as this would allow access to anyone.
6.4. When a staff member leaves Care Academy, they must return all devices to Care Academy on their last day of employment, unless requested otherwise. Management are responsible for ensuring that login accounts are disabled, either by deleting accounts for the staff member leaving, or changing passwords to prevent further access from the individual staff member.
6.5. Only those staff members who require access to software, documents or programmes (in their entirety or in part) will be granted access to what they require.
6.6. When a staff member changes role, access to software, documents and programmes is to be reviewed to ensure that access remains appropriate.
7. Administrative Accounts
7.1. Only those who require access to administrative accounts will be granted access.
7.2. Examples of those who may require access include management and IT support.
7.3. Anyone accessing administrative accounts must have a justifiable reason for doing so.
7.4. The list of those who have access to administrative accounts should be reviewed regularly.
7.5. Where relevant, and where the software supports it, two-factor authentication should be enabled.
7.6. Should administrative access be required, the Head of Training and Education must grant this access.
8. Malware Protection
8.1. Where relevant and possible, laptops, tablets and mobile phones should have anti-malware software installed.
8.2. Where anti-malware software is installed, this software should be set to update daily and automatically scan files upon access.
8.3. Where anti-malware software is installed, the software should be set to scan web pages which are visited to warn the user about accessing malicious websites.