The objective of this requirement is to ensure there is appropriate protection for systems hosted and information communicated over local networks, and for the protection of the supporting infrastructure components (including wireless networks).
IAOs (or equivalent) responsible for ICT networks have reviewed Information Security risks. Responsibility for network security has been assigned to an IAO (or equivalent) who undertakes reviews of information security risks. Mitigating procedures, controls and responsibilities are identified and documented.
A network security policy has been produced for each ICT network and approved by the SIRO or equivalent.
Documented network security policy
Approval of network security policy
Information Asset Owners (or equivalent) responsible for information communication technology (ICT) networks undertake reviews of information security risk in relation to those networks, and the controls and procedures required to mitigate these risks in accordance with the Network Security Policy.
OHC does not operate any computer networks on which patient confidential data is stored
Network security controls and procedures that mitigate against risks are approved by the Senior Information Risk Owner (SIRO) or equivalent senior manager or committee.
OHC does not operate any computer networks on which patient confidential data is stored
The identified controls and procedures have been implemented in respect of all ICT networks in accordance with policy.
OHC does not operate any computer networks on which patient confidential data is stored
The documented and approved procedures and controls have been made available at appropriate points in the organisation and all relevant staff have been informed of their responsibilities to maintain network security by complying with them. Informing staff might be done through team meetings, staff briefings, awareness sessions and by IT user induction training.
OHC does not operate any computer networks on which patient confidential data is stored
Compliance with the network security policy is monitored and, where necessary, prompt remedial or improvement action is taken.
OHC does not operate any computer networks on which patient confidential data is stored
Regular security risk reviews and assurance reports are provided to the SIRO (or equivalent).
OHC does not operate any computer networks on which patient confidential data is stored