Velindre NHS Trust Anti-Virus Policy
Trustwide Policy Policy Lead: D Morrey
VELINDRE NHS TRUST
REF: BLACK 84
Trust Policy
ANTI-VIRUS POLICY
Policy Lead: D Morrey, Director of IM&T
ANTI-VIRUS POLICY
For the purpose of this Policy, all forms of malicious software created with the specific intent of disrupting the operation of a computer system or computer controlled equipment, will be referred to as software viruses.
Software viruses are like human viruses in that they can spread form one computer to others and in the worst case all machines networked to an infected machine can be very quickly affected. The effects can be obvious in that the machine stops working properly but also the effects can be partially hidden where the virus causes the computer to send sensitive information out of the Trust or to disrupt other computers over the network. The “jargon” sometimes used for these effects are: spyware, worms , denial of service attacks, etc.
This can mean that the operation of the Trust is put in jeopardy and also the rest of NHS Wales through interconnected networks.
This policy is aimed at raising awareness amongst staff; and by complying with the policy and associated anti-virus procedures, we can minimise the risks to the Trust and to the rest of NHS Wales.
Therefore the scope is:
All Trust computers (PCs and servers)
All Trust staff (outside personnel under Trust staff guidance are the responsibility of that staff member e.g. students, visiting colleagues, engineers etc.)
All staff of Velindre hosted organisations
All Trust Honorary Contract holders.
Infection by software viruses on computers is a very real risk. Local IT staff will implement technical counter measures including installing anti-virus software and updating the necessary virus definition files in an effort to catch-up with the ever-increasing distributors of viruses. However, all the routes of infection also involve actions by users of computers, hence this anti-virus policy. The main routes of infection are listed below:
Downloading unauthorised software from the Internet.
Viruses hidden in e-mail attachments from un-trusted sources or unexpected sources (the email sender can sometimes be impersonated or “spoofed”).
Using non-NHS internet based e-mail systems without approval of your local IT helpdesk (as this is prohibited in the Email Policy under normal circumstances).
Insertion of removable media, that may have been used outside the Trust, into a Trust computer without checking for viruses (e.g., CDs, DVDs, memory sticks/USB memory devices, floppy disks and any other removable media capable of carrying data or programs ).
Connecting a laptop or PC (that does not have anti-virus software with up to date virus definition files) to the trust’s network.
All machines networked to an infected machine can also be very quickly infected.
The Software, E-mail and Internet Policies provide a little more detail on the risks and guidance to reduce those risks.
The effects of viruses can vary from minor (just one PC stops working) to major where many machines are inoperative or an information security breach is caused.
Any unusual behaviour of the computer may be due to a virus and should be reported to the local IT helpdesk.
Failure to comply with this policy and associated local IT anti-virus procedures may result in disciplinary action.
To make all staff aware of the dangers of computer viruses and of their responsibilities to minimise the risks to the trust and NHS Wales.
To protect our corporate reputation.
To comply with the Information Security policy.
To increase control of software resources.
Ensure ALL staff are aware of this policy and that they comply with it.
Ensure this policy is part of the Trust Divisions’ generic induction process.
Ensure the IT Security Officers in the Trust have the resources to purchase and deploy anti-virus software and to train staff to use the software.
Ensure appropriate local Trust Division anti-virus procedures are in place and updated according to new threats and risks.
Ensure that Anti-virus software is reviewed for efficacy and re-licensed annually.
Comply with local anti-virus procedures and in particular:
Deploy the anti-virus software appropriately including each new release of the software from the software supplier.
Set-up facilities to automatically update virus definition files for all computers on the network.
Ensure portable computers etc. are brought back to, or connected to, base for regular updates of virus definition files.
Ensure Users are kept aware of the recognition and danger of viruses and anti-virus procedures by regular briefings and publicity.
Record occurrences of viruses according to local information security incident procedures. (Management must be made aware that if a major outbreak occurs all computer facilities may be shut down)
Check Third Party machines for appropriate anti-virus software before connection to the network
Comply with local anti-virus procedures and in particular:
All suspected occurrences of a Virus detected by any means MUST be reported. to your local IT helpdesk, and the computer not used until helpdesk personnel have carried out action according to the local anti-virus procedure and given that computer the all-clear.
Unauthorised software from whatever source (e.g. screen savers; internet; memory sticks, floppy disks, CD-ROMs, or web sites, etc.) must not be used on Trust computers without approval of your local IT helpdesk. (see the Trust Software Policy)
All removable media or downloaded files from outside the Trust must be processed in accordance with local anti-virus procedures before being accessed.
Comply with the Trust e-mail and internet policies to minimise risks from these sources.
Users must follow local IT helpdesk procedures to ensure PCs and laptops and other portable computing devices get regular updates of their virus definition files (e.g. PCs left on overnight and portables returned to base at least weekly).
Users must not allow Third party IT hardware to be connected to the network without approval from their local IT Help Desk who will ensure appropriate anti-virus software is installed and operational on the IT hardware.
____________________________________________________________________________________
Ref:
Black 84 Page
Approved by: Exec Board Approval Date: Jan 2006
Next review Date: January 2009 Issue no: 3
Tags: policy trustwide, this policy, policy, velindre, trust, antivirus, trustwide