Example Policy
Author: R Rutherford
Date: 24/05/2017
Version: 1.0
ublished 24/05/2017
Contents
1 Purpose 3
2 Scope 3
3 Applicability 3
4 Guidance 3
Terminology 3
Policy 3
General 3
Physical Access 4
Network Access 4
Operating System Access 5
Information System Access 5
Application and Information Access 6
5 Key Words 6
1 Purpose
The purpose of this Access Control Example Policy is to provide exemplar guidance
in line with HMG and private sector best practice for the implementation of an Access
Control Policy. This is in order to allow the reader to produce the necessary policies
and guidance for their business area and to ensure that the applicable and relevant
security controls are set in place in line with the Department for Health, the wider
NHS, health and social care and HMG requirements.
2 Scope
The drafting of any policy governing physical and logical access to NHS systems,
devices or applications deployed in support of NHS or health and social care business
functions.
3 Applicability
This Example Policy is applicable to and designed for use by any NHS, health and
social care or associated organisations that use or have access to NHS systems
and/or information at any level.
4 Guidance
This Example Policy provides guidance on the production of an Access Control
Policy. The Example Policy is in italics with areas for insertion shown as <> and the
rationale for each paragraph or section, where required, in [….].
Terminology
Term Meaning/Application
Policy
General
Access shall be granted using the principle of ‘Least Privilege’. This means that
every program and every user of the system should operate using the least set of
privileges necessary to complete the job.
Each user shall be identified by a unique user identity so that users can be linked to
and made responsible for their actions.
The use of group identities shall only be permitted where they are suitable for the
work carried out (e.g. training accounts or service accounts).
During their induction to the system each user should be given a copy of guidelines
for staff on use of the system and their user login details, and should be required to
sign to indicate that they understand the conditions of access.
Records of user access may be used to provide evidence for security incident
investigations.
[The aim is to have a properly designed and documented access control regime that will
support the network administrator in the production and maintenance of access control
lists which will allow only authorised users access only to the systems and information
they require to carry out their role. This method is also referred to as ‘Least Privilege’ or
‘Need to Know’.]
Physical Access
Physical Access shall only be granted on the authority of the Data/System Owner and
shall be applied on a strict ‘Need to Know’ basis.
All NHS Data/Systems shall be physically protected in accordance with their value,
Security Classification and Privacy Marking.
Data/System Owners shall implement physical security measures in order to control
Physical Access to their data/systems, in addition to any physical access controls for
the buildings in which they are located.
The Data/System Owner should retain a log ‘date/time/name/reason’ for access to
their data/system.
Any unauthorised access shall be reported as a Security Incident.
[Securing the physical access to systems is just as important as securing the logical
access to systems. Systems should only be installed and used in areas controlled by
authorised staff.]
Network Access
All staff and contractors shall be given network access in accordance with business
access control procedures and requirements for access defined by their roles.
All staff and contractors who access <insert organisation name> networks remotely
shall only be authenticated using the approved remote access authentication
mechanism.
Diagnostic and configuration ports shall only be enabled for specified business
reasons. All other ports shall be disabled or removed.
Risk assessment shall be conducted by <insert organisation name> to determine the
requirements for the segregation of networks.
Segregation of networks shall be implemented as determined by the results of the
risk assessment.
Network administrators shall group together information services, users and
information systems as appropriate to achieve the required segregation on networks.
Network routing controls shall be implemented to support the access control policy.
[The aim in this section is to have a clear approach on the risk assessment required
which will determine the level of network access and separation required.]
5 Key Words
Access, Account, Auditing, Authorised, Control, Identities, Identity, Log-in, Network,
Password, Privilege, Segregation, User