Network Security Policy

Document Control
Document Owner: Keith Fairbrother
Document Author(s): Keith Fairbrother, Alex McLaren
Version: 3.2.0
Approved by: SMT
Date of Approval: 7 September 2020
Date for Review: 12 months

Hertfordshire, Bedfordshire and Luton ICT Shared Services is hosted by NHS East & North Hertfordshire CCG
HBL ICT Shared Service

Version Control
Status | Version | Commentary | Date | Author
Draft | - | Initial Draft | 11/2016 | K Fairbrother
Draft | 1.1 | Updated VPN Policy and Hardware support | 01/2017 | M Guttadauro
Draft | 1.1.1 | Format, update enclosures section, amend to dissemination and implementation plan | 03/2017 | A McLaren
Live | 2.0 | Authorized by Phil Turnock | 30/3/2017 | A McLaren
Live | 2.1 | Updated Section 7 | 05/04/2017 | M Parmar
Live | 3.0.0 | Annual Review; amend to DPA and GDPR, DSPT; remove embedded links to HBL ICT location documents; Sections 4 and 5: detail removed as covered within Information Security Policy; removal of sections which are duplicated from existing policies (Acceptable Use and Email and Internet removed as replaced by separate Acceptable Use Policy; Mobile Device Policy; Cabling Standards). Authorized by SMT | 26/11/2018 | A McLaren
Draft | 3.0.1 | Updates following amendment to Password Policy, with removal of this section, which is now in the Information Security Policy; update table of policies pg 8; updates to references, capitalisation, replace “Trust” with “Partner” | July | A McLaren
Live | 3.1.0 | Authorized by S Carey | 18/8/2019 | A McLaren
Draft | 3.1.1 | Annual review; update DSPT from IG Toolkit; replace “Partner” with “Organisation”, replace “Head of Technical Services” with “Associate Director of Technical Services” | Aug 2020 | A McLaren
Live | 3.2 | Authorized by SMT | 7/9/2020 | A McLaren

Uncontrolled if Printed
Page 2 of 13
HBL ICT Shared Service

Implementation Plan
Development: Technical Services, HBL ICT
Consultation: Hertfordshire, Bedfordshire and Luton ICT Shared Services (HBL ICT) is committed to the fair treatment of all, regardless of age, colour, disability, ethnicity, gender, gender reassignment, nationality, race, religion or belief, responsibility for dependents, sexual orientation, trade union membership or non-membership, working patterns or any other personal characteristic. This policy / procedure will be implemented consistently regardless of any such factors and all will be treated with dignity and respect. To this end, an equality impact assessment has been completed on this policy.
Dissemination: The document is shared with staff within HBL ICT. This policy contains network security details which may be omitted in responses to FOI.
Training: All staff members are required to carry out the mandatory IG training through the online NHS Information and Governance Training Tool. No specific training for network policy.
Monitoring: 3rd Party Audit, IG Toolkit, spot check
Review: The policy will be reviewed annually
Equality, Diversity and Privacy: DPIA and EIA completed separately

References
External: Legislation, Guidance and Standards
• All applicable UK and EU legislation including:
  o Data Protection Act (2018) and GDPR (2018)
  o Freedom of Information Act (2000)
  o Computer Misuse Act (1990)
  o Health and Social Care (Safety & Quality) Act (2015)
  o NIS Directive (2016)
  o Human Rights Act (1998)
  o Bribery Act (2010)
  o Regulation of Investigatory Powers Act (2000)
  o Copyright, Designs and Patents Act (1988)
  o Health and Social Care Act (2012)
  o Care Act (2014)
• Department of Health and NHS Regulations and Guidance, including:
  o NHS Statement of Compliance v6.0
  o Caldicott 2 Review
  o Guide to Confidentiality in Health and Social Care
  o NHS Information Governance Standards
  o Information Security Management: NHS Code of Practice (2007)
• Standards for Information Security Management ISO27001 and ISO27002
• SCCI 0129 & SCCI 0160
• Policies and procedures including:
  o Policies, procedure and guidance on the management of patient/client records.

Internal: Related Documentation
• Mobile Devices Security Policy
• Firewall Standards and Controls
• Remote Access VPN Policy
• WiFi Policy
• WAN Policy
• LAN Policy
• Compute / Storage Policy
• Data Centre Procedures
• Physical and Environmental Controls
• Data Cabling Standards
• Patch Management Policy
• Third Party Access Requests
• Standard and Supported Hardware and Software
• Backup Policy
• Acceptable Use Policy
• Computer Systems Access Process
• Management of Records Policy and Procedure
• Standing Financial Instructions
• Data Quality Policy
• Information Governance Framework
• Incident Policy
• Confidentiality Policy
• Data Centre and Policy Procedures doc
• Guidance on Portable Computers
• Disposal of Assets Policy
• Non-Standard Equipment Standards
• Server Standards
• MEVPN Documentation

Enclosures: 3rd Party Access Requests: Visio Bomgar Connection Request1; Visio Bomgar 3rd Party Access Setup; New Third Party Support Setup1; Third Party Access Process 2; Third Party Access Request Form2; 3rd Party Access1

Contents
1 Executive Summary .............................................................................................. 6
2 Introduction ........................................................................................................... 6
3 Purpose and Scope............................................................................................... 7
3.1 Scope ..................................................................................................................... 7
3.2 Scope of the Policy ............................................................................................... 7
3.3 Local Variation ...................................................................................................... 7
3.4 Legal Framework................................................................................................... 7
4 Information and Data ............................................................................................ 7
5 Management of Security and Responsibility of all Staff .................................... 8
6 Network Security Policy ....................................................................................... 8
7 Firewall Standards and Controls ......................................................................... 9
8 Remote Access VPN Policy.................................................................................. 9
9 Wi-Fi Policy .......................................................................................................... 10
10 Local Area Network (LAN) Standards ............................................................... 10
11 Wide Area Network (WAN) Standards ............................................................... 11
12 Physical & Environmental Controls .................................................................. 11
13 Third Party Access Requests............................................................................. 11
14 Standard & Supported Hardware & Software ................................................... 12
Appendix A. Comment Form ....................................................................................... 13

Terms and Acronyms

Term: Definition
HBL ICT: Hertfordshire, Bedfordshire and Luton ICT Shared Services
ICT: Information and Communications Technology
IM&T: Information Management and Technology
ICT Department: For the purposes of this document, the term ICT Department refers to HBL ICT
IP: Internet Protocol
DPIA: Data Privacy Impact Assessment
UPS: Uninterruptable Power Supply
VPN: Virtual Private Network
AUP: Acceptable Use Policy
DSPT: Data Security and Protection Toolkit (replaces the Information Governance Toolkit)

1 Executive Summary
The Network Security Policy sets out the commitment of the organisation to preserve the
confidentiality, integrity and availability of the information and information systems and to
ensure the information and systems are effectively and lawfully managed.
The Policy aims to ensure that:
• The organisation’s information, its information systems and the supporting infrastructure are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;
• The information contained in or processed by these systems is kept secure;
• Confidentiality, integrity and availability are maintained at all times;
• Staff are aware of their responsibilities and adhere to the provisions of the policy;
• Procedures are in place to detect and resolve security breaches and to prevent a recurrence.
This policy applies to:
• All information and information storage, whether manual or electronic, information processing systems and networks used by the organisation;
• All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business;
• Any other persons granted access to the organisation’s information, systems and networks;
• All locations, all information, information systems, computer equipment and networks.
Application of the policy will assist in the organisation’s compliance with information
related legislation, NHS standards and Information Governance Standards.
For the purposes of this document, the term ICT Department generally refers to the ICT Department of the organisation’s ICT supplier, Hertfordshire, Bedfordshire and Luton ICT Shared Services (HBL ICT Shared Services). HBL ICT Shared Services works as the organisation’s ICT Department under the terms of a Service Level Agreement.

2 Introduction
• The organisation works to a framework for handling personal information in a confidential and secure manner to meet ethical and quality standards. This enables National Health Service organisations in England and individuals working within them to ensure personal information is dealt with legally, securely, effectively and efficiently to deliver the best possible care to patients and clients.
• The organisation, via the Data Security and Protection Toolkit (DSPT), provides the means by which the NHS can assess our compliance with current legislation, Government and National guidance.
• Information Governance covers: Data Protection and IT Security (including smart cards), Human Rights Act, Caldicott Principles, Common Law Duty of Confidentiality, Freedom of Information Regulations, Information Quality Assurance and Fraud and Bribery Policy.

3 Purpose and Scope

3.1 Scope
The Network Security Policy sets out the commitment of the organisation to preserving the confidentiality, integrity and availability of information and information systems and to ensuring the information and information systems are effectively and lawfully managed.
The Policy aims to ensure that:
• The organisation’s information, its information systems and the supporting infrastructure are secure and are operated in accordance with NHS Guidance, to industry standards and current best practice;
• The information contained in or processed by these systems is kept secure;
• Confidentiality, integrity and availability are maintained at all times;
• Staff are aware of their responsibilities and adhere to the provisions of the policy;
• Procedures are in place to detect and resolve security breaches and to prevent a recurrence.

3.2 Scope of the Policy


This policy applies to:
• All information and information storage, whether manual or electronic, information processing systems and networks used by the organisation;
• All staff employed by the organisation, contractors, seconded staff from other organisations and any other persons used by the organisation or engaged on the organisation’s business;
• Any other persons granted access to the organisation’s information, systems and networks;
• All locations and all information, information systems, computer equipment or networks.

3.3 Local Variation


Variation to some parts of the policy may be allowed where local conditions do not permit
full implementation. Applications for such variation must be made to the Associate
Director of Technical Services and must be approved by the ICT Department’s Associate
Director and Governance and Compliance Manager and, should the assessed level of risk
warrant it, the Stakeholder Board before being introduced.

3.4 Legal Framework


This policy is compliant with relevant legislation, Department of Health and NHS regulations and guidance, and the policies and procedures of the organisation; see the References section.

4 Information and Data


See the Information Security Policy for details.

5 Management of Security and Responsibility of all Staff


See the Information Security Policy for details.

6 Network Security Policy


The following outlines the policies and procedures, together with key summaries, which define the standards, controls, processes and procedures that must be adhered to when using Organisation-owned IT equipment and systems. This is to preserve the confidentiality, integrity and availability of all IT systems, including but not limited to: end user computing, networks, servers, applications and telecommunications equipment.

Policy Name: Operational Owner
Acceptable Use Policy: Technical Services – Build & Release Team
Computer Systems Access Process: Technical Services – Systems Operations Team
Email & Internet Policy: Within NHSMail policy
Password Policy (within Information Security Policy): Technical Services – Core Services Team
Mobile Device Security Policy: Technical Services – Core Services Team / Build & Release Team
Firewall Standards and Controls: Technical Services – Core Services Team
Remote Access VPN Policy: Technical Services – Core Services Team
Wi-Fi Policy: Technical Services – Core Services Team
Local Area Network (LAN) Policy: Technical Services – Core Services Team
Wide Area Network (WAN) Policy: Technical Services – Core Services Team
Compute/Storage Policy: Technical Services – Core Services Team
Data Centre Procedures: Technical Services – Technical Operations Team
Physical & Environmental Controls: Technical Services – Core Services Team
Data Cabling Standards: Technical Services – Core Services Team
Backup Policy: Technical Services – Core Services Team
Third Party Access Requests: Technical Services – Build & Release Team
Standard & Supported Hardware/Software: Technical Services – Build & Release Team
Patch Management Policy: Technical Services – Core Services Team / Build & Release Team

HBL ICT blocks all external access (inbound/outbound) to the servers via the firewalls as an additional layer of defence to prevent any unauthorised access to the estate. Servers that do require an internet connection or external access will be part of the exception list, which is managed by HBL ICT.

7 Firewall Standards and Controls


• Firewalls are implemented for the purposes of securing all infrastructure assets and end-user computing platforms from each other as well as from external threats.
• Firewalls will be implemented on all egress access points within the corporate network. This covers any internet-facing service as well as any ‘untrusted’ 3rd party network.
• Any modification to the firewall configuration can only be undertaken by HBL ICT or approved 3rd party vendor engineers.
• Any modification to firewall configurations must be reviewed as part of the HBL ICT Change Management process.
• Any firewall must be FIPS 140-2 compliant. Any device that does not meet this specification will be removed from the network.
• Firewall implementations will adopt a ‘least privilege’ and ‘deny all’ rule-set.
• Configurations will be periodically reviewed to ensure they meet requirements and security best practice.
• All configurations will be backed up frequently to an off-site storage facility.
• Firewall logs will be actively monitored and any breach or suspicious behaviour investigated.
• Firewalls will be proactively monitored through HBL ICT’s network management tool.
• All internet-facing interfaces will also have Intrusion Prevention Systems in place to enhance the level of security across the network.
• Any system or service which is to be made available ‘externally’ will need to be independently assured by a 3rd party in the form of a penetration test before go-live.
• All externally facing web services will be configured through a proxy service to ensure additional levels of security.
• All clear text administrative interfaces are disabled (telnet, http).
• RADIUS level authentication is required on all administrative access (ssh, https).
• Wherever practically possible, ports will be secured using SSL/TLS (https, ssh, sftp).
• Wherever practically possible, access to servers/services will be locked down to specific ports/protocols, avoiding ‘any’ rules.
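The ‘deny all’, ‘least privilege’ and ‘avoid any rules’ controls above, together with the ban on clear-text administrative interfaces, can be checked mechanically during the periodic configuration review this section calls for. The following is an added example, not HBL ICT code or any document the policy references: it reviews a small firewall rule-set written in a constructed, vendor-neutral format (the policy names no rule syntax) against those controls, and also flags permit rules that can never match because an earlier deny-all shadows them, which goes slightly beyond the text. The rule numbers, addresses and the MGMT_HOSTS list are assumptions made for the example.

```python
"""Firewall rule-set review against the Section 7 controls.

Added example, not HBL ICT code. The rule format and the sample rule-sets are
constructed (the policy names no firewall vendor or rule syntax); MGMT_HOSTS is
an assumed list of device management addresses.
"""
from dataclasses import dataclass
from typing import List, Union

Port = Union[int, str]  # a TCP/UDP port number, or the literal "any"


@dataclass(frozen=True)
class Rule:
    number: int   # position in the rule-set; lower numbers are evaluated first
    action: str   # "permit" or "deny"
    src: str      # source network/host, or "any"
    dst: str      # destination network/host, or "any"
    proto: str    # "tcp", "udp" or "any"
    dport: Port   # destination port, or "any"


# Section 7: clear-text administrative interfaces (telnet, http) are disabled.
CLEAR_TEXT_ADMIN_PORTS = {23: "telnet", 80: "http"}

# Constructed management addresses of infrastructure devices (assumption).
MGMT_HOSTS = {"10.20.5.10", "10.20.5.30"}

# Constructed rule-set showing the defects the policy rules out.
SAMPLE_RULES = [
    Rule(10, "permit", "10.10.0.0/16", "10.20.5.10", "tcp", 443),    # https to mgmt: fine
    Rule(20, "permit", "10.10.0.0/16", "10.20.5.10", "tcp", 80),     # clear-text admin
    Rule(30, "permit", "10.10.0.0/16", "10.20.5.20", "tcp", "any"),  # 'any' service
    Rule(40, "permit", "10.10.9.0/24", "10.20.5.30", "tcp", 22),     # ssh from admin subnet
    Rule(50, "permit", "any", "any", "any", "any"),                   # permit-all, no default deny
]

# The same intent written to the policy: specific ports, explicit deny-all last.
HARDENED_RULES = [
    Rule(10, "permit", "10.10.9.0/24", "10.20.5.10", "tcp", 443),
    Rule(20, "permit", "10.10.9.0/24", "10.20.5.30", "tcp", 22),
    Rule(30, "deny", "any", "any", "any", "any"),
]


def is_deny_all(rule: Rule) -> bool:
    """True for the catch-all 'deny all' rule the policy requires as the default."""
    return (rule.action == "deny" and rule.src == "any" and rule.dst == "any"
            and rule.proto == "any" and rule.dport == "any")


def audit_ruleset(rules: List[Rule]) -> List[str]:
    """Return one finding per control breach; an empty list means the set passes."""
    findings: List[str] = []
    if not rules or not is_deny_all(rules[-1]):
        findings.append("no explicit 'deny all' as the final rule (default deny missing)")
    deny_all_seen = False
    for rule in rules:
        if is_deny_all(rule):
            deny_all_seen = True
            continue
        if rule.action != "permit":
            continue
        # Least privilege: lock down to specific ports/protocols and avoid 'any' rules.
        if rule.proto == "any" or rule.dport == "any":
            findings.append(f"rule {rule.number}: permit with 'any' service ({rule.proto}/{rule.dport})")
        if rule.src == "any" and rule.dst == "any":
            findings.append(f"rule {rule.number}: permit from any source to any destination")
        # Clear-text management protocols must not reach device management addresses.
        if rule.dport in CLEAR_TEXT_ADMIN_PORTS and rule.dst in MGMT_HOSTS:
            proto_name = CLEAR_TEXT_ADMIN_PORTS[rule.dport]
            findings.append(f"rule {rule.number}: clear-text admin protocol {proto_name} permitted to {rule.dst}")
        # Review hygiene: a permit placed after deny-all can never match.
        if deny_all_seen:
            findings.append(f"rule {rule.number}: unreachable, shadowed by an earlier 'deny all'")
    return findings


if __name__ == "__main__":
    for label, rules in (("sample", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {len(audit_ruleset(rules))} finding(s)")
        for finding in audit_ruleset(rules):
            print("  -", finding)
```

Run as a script it reports five findings for the constructed sample set and none for the hardened set. The checks are deliberately structural (position of the deny-all, literal "any" fields, known clear-text ports) so that the same review can be applied to an export from any firewall once its rules are mapped into the Rule fields.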

8 Remote Access VPN Policy


See the Information Security Policy for details of current VPN access.

9 Wi-Fi Policy
• All clear text administrative interfaces are disabled (telnet, HTTP).
• RADIUS level authentication is required on all administrative access (ssh, https).
• All access points must be configured to use SNMP v3 for management purposes.
• All network equipment will have synchronised time via an NTP server.
• All access points must be configured with WPA2 and AES encryption.
• Clients are authenticated using EAP.
• Corporate SSIDs are set to not broadcast.
• Key management authentication utilises 802.1x.
• Corporate devices (laptop) must only connect to the corporate Wi-Fi as configured on end user devices.
• Corporate devices (smartphone, tablet) must only connect to the corporate Wi-Fi as configured on the end user devices.
• Personal/Guest devices must not be connected to any corporate Wi-Fi. Any personal device which is audited as being connected to corporate Wi-Fi will immediately be blocked and reported to the Organisation’s IG group.
• Guest Wi-Fi services (where available) are available to use at the discretion of the nominated Organisation’s administrator or equivalent.
• Guest Wi-Fi services are used at the end user’s own risk; HBL ICT accepts no liability for any client based configurations or management of non-Organisation end points.
• Guest Wi-Fi services are not encrypted across the wireless spectrum.
• The current standard is the Cisco range of wireless access points.
• Any non-standard network equipment which needs to use the wireless infrastructure (outside of the Guest network) must follow the processes defined in the HBL ICT non-standard equipment standards policy.
• Tethering of any mobile device whilst connected to any corporate Wi-Fi or wired network is strictly prohibited.

10 Local Area Network (LAN) Standards


• All clear text administrative interfaces are disabled (telnet, HTTP).
• RADIUS level authentication is required on all administrative access (ssh, https).
• All switches must be configured to use SNMP v3 for management purposes.
• All network equipment will have synchronised time via an NTP server.
• The current standard is the Cisco range of L2/L3 switches.
• Any non-standard network equipment which needs to use the wired infrastructure must follow the processes defined in the HBL ICT non-standard equipment standards policy.
• Tethering of any mobile device whilst connected to any corporate Wi-Fi or wired network is strictly prohibited.
• All network equipment (LAN/WAN) will be locked in data cabinets and only authorised HBL ICT personnel can access the cabinets.
• Unused switch ports will be administratively disabled to mitigate against unauthorised access.
• Switch ports will be configured to support standard protocols such as 802.1x / VLAN / QoS.
• Network devices such as printers, scanners, media screens and video conferencing units must not be moved without first informing HBL ICT, as these types of devices often have specific configuration on LAN switches and moving them is likely to stop them from functioning entirely.
• The connecting of port splitters, hubs, Wi-Fi units or other non-approved LAN devices is strictly prohibited unless approved by HBL ICT. Any equipment that is found to be connected without prior approval will be disabled and reported to the Organisation’s IG group.

11 Wide Area Network (WAN) Standards


• All clear text administrative interfaces are disabled (telnet, HTTP).
• RADIUS level authentication is required on all administrative access (ssh, https).
• All routers must be configured to use SNMP v3 for management purposes.
• The current standard is the Cisco range of routers.
• All network equipment (LAN/WAN) will be locked in data cabinets and only authorised HBL ICT personnel can access the cabinets.
• All network equipment will have synchronised time via an NTP server.
Full details of WAN standards and configurations can be found in the MEVPN documentation held by HBL ICT.
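Sections 9, 10 and 11 share the same management-plane controls: no clear-text administrative interfaces (telnet, HTTP), RADIUS authentication on administrative access, SNMP v3 for management and synchronised time from an NTP server. As an added example, not HBL ICT code and not the MEVPN documentation, the script below checks a Cisco IOS-style running configuration (the policy names Cisco as the current standard; the two sample configurations are constructed, with placeholder key strings) for each of those controls and reports which ones fail. The matching is deliberately conservative and is an assumption of the example: a device with no explicit `transport input ssh` on its vty lines, or whose login method list does not use `group radius`, is reported as non-compliant.

```python
"""Management-plane hardening check for Cisco IOS-style configurations.

Added example for the controls shared by Sections 9, 10 and 11 of the policy;
not HBL ICT code. Both sample configurations are constructed, including the
placeholder key strings.
"""
import re
from typing import Dict, List

# Constructed example: a device that fails every shared control.
WEAK_CONFIG = """\
hostname edge-sw-01
!
snmp-server community public RO
ip http server
!
line vty 0 4
 login local
 transport input telnet ssh
!
"""

# Constructed example of the same device after hardening to the policy.
HARDENED_CONFIG = """\
hostname edge-sw-01
!
aaa new-model
aaa authentication login default group radius local
radius server hbl-radius-1
 address ipv4 10.20.5.40 auth-port 1812 acct-port 1813
 key CONSTRUCTED-KEY-PLACEHOLDER
!
no ip http server
ip http secure-server
!
snmp-server group NETMGMT v3 priv
snmp-server user netmon NETMGMT v3 auth sha CONSTRUCTED-AUTH-PLACEHOLDER priv aes 128 CONSTRUCTED-PRIV-PLACEHOLDER
!
ntp server 10.20.5.50
!
line vty 0 4
 transport input ssh
!
"""


def vty_transport_inputs(config: str) -> List[str]:
    """Return every protocol named in 'transport input ...' under 'line vty' blocks.

    IOS blocks begin with an unindented line and their members are indented by
    one space, so any unindented line (including '!') ends the current block.
    """
    inputs: List[str] = []
    in_vty = False
    for raw in config.splitlines():
        if not raw.startswith(" "):
            in_vty = raw.startswith("line vty")
            continue
        if in_vty:
            match = re.match(r"\s+transport input (.+)", raw)
            if match:
                inputs.extend(match.group(1).split())
    return inputs


def check_management_plane(config: str) -> Dict[str, bool]:
    """Map each shared control from Sections 9-11 to True (met) or False (not met)."""
    lines = [ln.strip() for ln in config.splitlines()]
    transports = vty_transport_inputs(config)
    return {
        # Clear-text interfaces disabled: ssh is the only vty transport and the
        # plain HTTP server is explicitly off. No transport line at all counts as
        # a failure, because platform defaults vary (assumption of the example).
        "no_telnet": bool(transports) and all(t == "ssh" for t in transports),
        "no_http_server": "no ip http server" in lines,
        # RADIUS on administrative access: a login method list using 'group radius'.
        "radius_admin_auth": any(
            re.fullmatch(r"aaa authentication login \S+ group radius.*", ln) for ln in lines
        ),
        # SNMP v3 only: an authPriv v3 group exists and no v1/v2c community strings remain.
        "snmp_v3_only": any(re.fullmatch(r"snmp-server group \S+ v3 priv.*", ln) for ln in lines)
        and not any(ln.startswith("snmp-server community ") for ln in lines),
        # Time synchronised from an NTP server.
        "ntp_configured": any(ln.startswith("ntp server ") for ln in lines),
    }


def failed_controls(config: str) -> List[str]:
    """Names of the controls a configuration does not meet, in policy order."""
    return [name for name, met in check_management_plane(config).items() if not met]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: failed controls = {failed_controls(cfg) or 'none'}")
```

The same five checks apply unchanged to access points, switches and routers, which is why the three sections can be audited by one routine; a real review would run it over the configuration backups taken under the Firewall Standards and Controls section rather than over embedded strings.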

12 Physical & Environmental Controls


Data centres have various physical and environmental controls in place to ensure the
security and optimum operating environment of the core assets. The environment is
monitored 24/7/365 with an alerting system in place (SMS/e-mail) to key personnel
including On-Call and 3rd party vendors.
Data cabling standards are in place.

13 Third Party Access Requests


The following embedded documents describe the process for 3rd party access to the network: Visio-Bomgar Connection Request1.pdf; Visio-Bomgar 3rd Party Access Setup; New Third Party Support process for New Users.pdf; Third Party Access Setup1.docx; Third Party Access Process2.docx; Third Party Access Request Form2.docx.

14 Standard & Supported Hardware & Software


Current listing available from HBL ICT

Appendix A. Comment Form


As part of the HBL ICT Services Department’s continuous improvement regime, would you please complete this form. Any comments or feedback on this document should be addressed to the Owner. Please provide your name and contact details in case clarification is required.

Name:
Address:
Phone:
Email:

Please return to:
HBL ICT Services
Charter House
Welwyn Garden City
Hertfordshire, AL8 6JL

Please confirm the document you want to give a response to as: HBL ICT Network Security Policy

Please rate the document using the topics and criteria indicated below (Very Good / Good / Average / Fair / Poor):
• Format and Layout
• Accuracy
• Clarity
• Illustrations (tables, figures etc.)

When using the document, what were you looking for?

How could the document be improved?

How often do you use the document?

If you have additional comments, please include them below:

Thank you for your time
