Unauthorized Access to Shaukat Khanum Memorial Cancer Hospital & Research Centre

1.0 Executive Summary

The use of computer systems and the online exchange of information have increased rapidly in healthcare, particularly in hospitals. Within the Shaukat Khanum Memorial Cancer Hospital & Research Centre there is a growing reliance on computer systems to aid treatment, expand communications, and improve management and control. This growing dependence comes at a time when the number of threats and actual attacks on these computer systems is constantly increasing.


Information is one of our most important assets and each one of us has a responsibility to ensure the security of this information. Accurate, timely, relevant and properly protected information is essential to the successful operation of the Shaukat Khanum Memorial Cancer Hospital & Research Centre in the provision of services to our customers.

The purpose of this Information Technology (IT) Security Policy and its supporting policies, standards and guidelines is to define the security controls necessary to safeguard Shaukat Khanum Memorial Cancer Hospital & Research Centre information systems and ensure the security, confidentiality, availability and integrity of the information held therein.

This policy is mandatory. By accessing any information or Information Technology (IT) resources owned by the Shaukat Khanum Memorial Cancer Hospital & Research Centre, users are agreeing to accept the terms of this policy.

2.0 INTRODUCTION

The Board of Directors is an integral part of the Shaukat Khanum Memorial Cancer Hospital & Research Centre's activities. The application of Lab & Data systems in the Shaukat Khanum Memorial Cancer Hospital & Research Centre facilitates the integration of support systems. The use of IT is subject to rapid technological change, leading to rapid turnover in hardware and software, and is also subject to abuse in the form of unauthorized access to Shaukat Khanum Memorial Cancer Hospital & Research Centre information. This policy is therefore needed to guide the development and deployment of IT in the Shaukat Khanum Memorial Cancer Hospital & Research Centre and to guarantee the efficient and effective use of its IT systems.

The approach adopted by the Shaukat Khanum Memorial Cancer Hospital & Research Centre aims to ensure the maximum level of protection of its IT systems. The Shaukat Khanum Memorial Cancer Hospital & Research Centre Board of Directors operates in such a way that unauthorized staff are not allowed to access the SKHMC Hospital & Research Centre network system. This IT Policy is the set of procedures reflecting management's guidance and direction on controls over information systems and related controls.

3.0 Information Security Policy

This policy is authorized by the Shaukat Khanum Memorial Cancer Hospital & Research Centre Senior Management Team and represents the Shaukat Khanum Memorial Cancer Hospital & Research Centre's national position.

3.1 Objective
This policy applies to all Shaukat Khanum Memorial Cancer Hospital & Research Centre staff, students, contractors, sub-contractors, agency staff and authorized third party commercial service providers that use the organization's IT resources or process information on behalf of the Shaukat Khanum Memorial Cancer Hospital & Research Centre.

The Information Security Policy provides guidelines to protect data integrity, based on data classification, and to secure the organization's information systems.

3.2 Network Organization

This section covers key definitions used in this policy and describes the departmental structure relating to PCs and LANs.

• Each department should have its own Network Security Officer to perform these duties; however, a Network Security Officer could also be arranged for maintenance of the WAN.

3.3 Compliance with Policy

The Heads of Department are responsible for ensuring that their employees comply with the policy. The IT Manager is responsible for reporting to the network administrator any support needs or concerns other than security. Security concerns will be communicated to the Network Security Officer.

4.0 Security Strategy

• Various methods, such as access control, authentication, monitoring and review, will be used to ensure data security in the organization.

• Security reviews of servers, firewalls, routers and monitoring systems must be conducted on a regular basis. These reviews should include monitoring of access logs and intrusion detection software logs.

• Appropriate training must be provided to data owners, data users, and network and system administrators to ensure data security.

5.0 Security Goals

It is the policy of the Shaukat Khanum Memorial Cancer Hospital & Research Centre to:

• Implement human, organizational, and technological security controls to preserve the confidentiality, availability and integrity of its information systems and the information held therein.

• Develop and maintain appropriate policies, procedures and guidelines to effect a high standard of information technology security, reflecting industry best practice.

• Monitor, record and log all activity on the Shaukat Khanum Memorial Cancer Hospital & Research Centre network and the use of its information technology resources.

• Comprehensively assess and manage risks to Shaukat Khanum Memorial Cancer Hospital & Research Centre information systems and the information held therein.

• Continuously review and improve Shaukat Khanum Memorial Cancer Hospital & Research Centre information technology security controls, and rapidly determine the cause of any breach of security and minimize damage to information systems should any such incident occur.

• Comply with all laws and regulations governing information technology security.

• Establish information technology security education and awareness initiatives within the Shaukat Khanum Memorial Cancer Hospital & Research Centre.

6.0 Principles for Information Security

The organization classifies data into three categories:

1. High Risk:
   a) Information assets for which there are legal requirements governing disclosure and financial penalties imposed for disclosure.
   b) E.g. payroll, personnel, financial and biometric data.

2. Medium Risk:
   a) Confidential data which would not impose losses on the organization if disclosed, but which is also not publicly available.
   b) E.g. agreement documents, unpublished reports, etc.

3. Low Risk:
   a) Information that can be freely disseminated.
   b) E.g. brochures, published reports, other printed material, etc.

The following rules apply across all three categories:

a) Different protection strategies must be developed by the IT department for the above three data categories. Information about these strategies must be communicated appropriately to all relevant departments and staff.
b) High risk data must be encrypted when transmitted over insecure channels.
c) All data must be backed up on a regular basis as per the rules defined by the IT Dept.

7.0 Access Control

• Access to the network, servers and systems in the organization will be achieved by individual logins and will require authentication. Authentication includes the use of passwords, biometrics or other recognized forms of authentication.

• All users of systems which contain high or medium risk data must have a strong password as defined in the IT Policy.

7.1 Access Control Policy

The Access Control Policy outlines the correct use and management of user-level access controls within the Shaukat Khanum Memorial Cancer Hospital & Research Centre. It covers the following areas:

• Ownership and management of Shaukat Khanum Memorial Cancer Hospital & Research Centre's information systems and networks.
• Access to Shaukat Khanum Memorial Cancer Hospital & Research Centre's information systems and networks.
• Access account privileges.
• Access account registration.
• Access account management.
• Access account de-registration.
• Access security.
• Monitoring and review of access account privileges.

• Default passwords on all systems must be changed after installation.

• Where possible and financially feasible, more than one person must have full rights to any organization-owned server storing or transmitting high risk and medium risk data.

8.0 Risk Management

8.1 Virus Prevention

• Anti-virus software must detect all major kinds of viruses, including by scanning inside document files and spreadsheets (Microsoft Word, Excel) and packed and archived files.

• All servers and workstations that connect to the network must be protected with licensed anti-virus software recommended by the vendor. The software must be kept up to date.

• Whenever feasible, system and network administrators must inform users when a virus or other vulnerability has been detected in the network or systems.

8.2 Intrusion Detection

1. Intrusion detection must be implemented on all servers and workstations containing high and medium risk data.

8.3 Email Security

Safe Email Usage:

The following precautions must be taken to maintain email security:

• Do not open emails and/or attachments from unknown or suspicious sources unless you were expecting them.
• In case of doubt about emails or attachments from known senders, confirm with them the legitimacy of the email or attachment.
• Use email spam filters to filter out spam emails.

8.4 Data Protection Breach Management Policy

The Data Protection Breach Management Policy outlines the approved management approach to be followed in the event of a Shaukat Khanum Memorial Cancer Hospital & Research Centre data protection breach. It covers the following areas:

• Identification and classification of a breach.
• Containment and recovery.
• Risk assessment.
• Notification of a breach.
• Evaluation and response.

9.0 Roles & Responsibilities

9.1 Shaukat Khanum Memorial Cancer Hospital & Research Centre's Information Security Project Board (ISPB)

The ISPB Directorate is responsible for:

• Approving and publishing the policy.
• The annual review of the policy.
• Approving all changes and amendments to the policy.

9.2 Directorate

The Directorate is responsible for:

• The identification, implementation and management of appropriate security controls necessary to safeguard the Shaukat Khanum Memorial Cancer Hospital & Research Centre's network (LAN/WAN) and supporting infrastructure.
• The implementation of system-level security controls as defined by the information owner or the CEO.
• The provision of facilities for information backups on network file servers and other centralized information stores, but excluding backups of the hard disks on individual computers.
• The provision of services which enable authorized users to access appropriate electronic information systems and data.
• Liaising with and advising Shaukat Khanum Memorial Cancer Hospital & Research Centre management, individual users and line managers on the appropriate actions to take in the event of an actual or suspected breach of data security.

9.3 Information Owners

Information owners are responsible for:

• The ownership, management, control and security of Shaukat Khanum Memorial Cancer Hospital & Research Centre information systems used by their directorate or service to process information on behalf of the Shaukat Khanum Memorial Cancer Hospital & Research Centre.
• Maintaining a list of Shaukat Khanum Memorial Cancer Hospital & Research Centre information systems and applications which are managed and controlled by their directorate or service.

9.4 Managers

Managers are responsible for:

• The implementation of this policy and all other relevant Shaukat Khanum Memorial Cancer Hospital & Research Centre policies within the business areas for which they are responsible.
• Ensuring that all Shaukat Khanum Memorial Cancer Hospital & Research Centre employees who report to them are made aware of and are instructed to comply with this policy and all other Shaukat Khanum Memorial Cancer Hospital & Research Centre policies.
• Consulting with the HR Directorate in relation to the appropriate procedures to follow when a breach of this policy has occurred.
• Consulting with the Consumer Affairs section and the Shaukat Khanum Memorial Cancer Hospital & Research Centre's Directorate in relation to the appropriate actions to be taken when an actual or suspected breach of data security has occurred.

9.5 Users

Each user is responsible for:

• Complying with the terms of this policy and all other relevant Shaukat Khanum Memorial Cancer Hospital & Research Centre policies, procedures and regulations.
• Respecting and protecting the privacy and confidentiality of the information they process at all times.
• Reporting all actual or suspected breaches of data security to their Support Department.

10.0 INFORMATION SECURITY REGARDING PHYSICAL CONDITIONS

• Protect the system from unauthorized use, loss or damage, e.g. the door should be locked when no one is in the office.
• Keep portable equipment secure.
• Position monitors and printers so that others cannot see sensitive data.
• Keep hard disks and other media in a secure place.
• Report any loss of data or accessories to the System Administrator or the in-charge of the computer centre.
• Keep the system and sensitive data secure from outsiders.
• Get authorization before taking equipment off-site.
• Install a UPS system with adequate battery backup to avoid any data loss or corruption due to power failure.
• The system should be properly shut down before leaving the office.
• Log off the system if you are leaving your seat.
• Never remove the cables when your PC is powered on, since this can cause an electrical short circuit.

11.0 Information Security in Connection with Users of Services

Email Policy

11.1 Objective

This policy provides information about acceptable usage, ownership, confidentiality and security while using electronic messaging systems and chat platforms provided or approved by the organization.

11.2 General Guidelines

• The organization reserves the right to approve or disapprove which electronic messaging systems and chat platforms are to be used for official purposes. Staff are strictly advised to use only the pre-approved messaging systems and platforms for office use.
• An employee who, upon joining the organization, is provided with an official email address should use it for official purposes only.
• Any email security breach must be reported to the IT Dept. immediately.
• Upon termination, resignation or retirement from the organization, the organization will deny all access to electronic messaging platforms owned or provided by the organization.
• All messages composed and/or sent using the pre-approved messaging systems and platforms must comply with the company policies on acceptable communication.
• Electronic mails and messages should be sent only after careful consideration, since they are inadequate at conveying the mood and context of the situation or sender and might be interpreted wrongly.
• All email signatures must carry the appropriate designations of employees and must be in the format approved by the Management Committee.

11.3 Ownership

• The official electronic messaging system used by the organization is the property of the organization and not the employee.
• The organization reserves the right to intercept, monitor, read and disclose any messages stored, composed, sent or received using the official electronic messaging systems.
• The organization reserves the right to alter, modify, re-route or block messages as deemed appropriate.
• The IT Administrator can change the email system password and monitor the email usage of any employee for security purposes.

12.0 Communications and Operations Management Use Policy

The Communications and Operations Management Use Policy outlines the manner in which Shaukat Khanum Memorial Cancer Hospital & Research Centre's resources are to be used. It covers the following areas:

• The use of computer accounts and passwords.
• Confidentiality and privacy of information.
• The use of computer hardware and software.
• The use of laptop computers and other mobile computer devices.
• The security of Shaukat Khanum Memorial Cancer Hospital & Research Centre systems and computer devices.
• Lost, stolen and damaged computer devices.
• The use of the Shaukat Khanum Memorial Cancer Hospital & Research Centre telephone system.
• Storage of information.
• Backup of information.
• Security of information.
• Transfer and transport of information.
• Disposal of information.
• Tele-working / home-working.
• Virus and malicious software protection.
• The unacceptable use of Shaukat Khanum Memorial Cancer Hospital & Research Centre information technology resources.

12.1 Electronic Communications Policy

The Electronic Communications Policy outlines the correct and proper manner in which the Shaukat Khanum Memorial Cancer Hospital & Research Centre's email, internet and fax facilities are to be used. It covers the following areas:

• The confidentiality and privacy of email and fax messages.
• The use of the Shaukat Khanum Memorial Cancer Hospital & Research Centre's email, internet and fax facilities.
• The transmission of confidential or personal information via email, internet and fax.
• The legal status of Shaukat Khanum Memorial Cancer Hospital & Research Centre's email and fax messages.
• The use and ownership of Shaukat Khanum Memorial Cancer Hospital & Research Centre's email accounts.
• The use of third party and web-based email facilities.
• Access to restricted and blocked internet content.
• The installation or use of third party internet facilities.
• The unacceptable use of Shaukat Khanum Memorial Cancer Hospital & Research Centre's email, internet and fax facilities.

12.2 Password Standards Policy

The Password Standards Policy outlines the standard for the creation and use of secure passwords on the Shaukat Khanum Memorial Cancer Hospital & Research Centre's Information Technology (IT) resources. It covers the following areas:

• The creation of secure passwords.
• Minimum password length.
• Composition and complexity of passwords.
• The use and security of passwords.

12.3 Encryption Policy

The Encryption Policy outlines the acceptable use and management of encryption software throughout the Health Service Executive (Shaukat Khanum Memorial Cancer Hospital & Research Centre). It covers the following areas:

• Minimum level of encryption.
• Approved encryption algorithms and protocols.
• Encryption of computer devices.
• Encryption of storage devices.
• Encryption of email and internet messages and traffic.
• Encryption of wireless network traffic.

12.4 Service Provider Confidentiality Agreement

The Service Provider Confidentiality Agreement outlines the obligations of commercial third party service providers who are contracted by the Shaukat Khanum Memorial Cancer Hospital & Research Centre to provide data management services. It covers the following areas:

• How the service provider should handle data.
• How the service provider should process data.
• How the service provider should store data.
• Data encryption.
• Data transfer.
• International data transfers.
• The right to inspect and audit the service provider's data processing facilities.