Access Control Policy
The HSE is committed to the correct use and management of access controls throughout the organization. Insufficient access controls or unmanaged access to information could lead to the unauthorized disclosure or theft of this information, fraud and possible litigation. The purpose of this policy is to define the correct use and management access controls within the HSE.
This policy represents the HSE’s national position and takes precedence over all other relevant policies which are developed at a local level. The policy applies to:
– All information Technology (IT). Resources provided by the HSE;
– All HSE information systems and network domains;
– All users (including HSE staff, students, contractors, sub-contractors, agency staff and authorized third party commercial service providers) of the HSE’s IT resources;
– All connections to (locally or remotely) the HSE network Domains (LAN/ WAN/ WiFi);
– All connections made to external networks through the HSE network.
2.1 Account Privileges
Access rights and privileges to HSE information systems and network domains must be allocated based on the specific requirement of a users HSE role / function rather than on their status
He criteria used for granting access privileges must be based on the principle of “least privileges” whereby authorized users will only be granted access to information system and network domains which are necessary for them to carry out the responsibilities of their HSE role or function. Care must be taken to ensure that access privileges granted to users do not unknowingly or unnecessarily undermine essential segregating of duties.
The creation of user access accounts with special privileges such as administrators must be rigorously controlled and restricted to only those users who are responsible for the management or maintenance of the information system or network. Each administrator must have a specific admin level account, which is only used for system administrative purpose , and is kept separate from their standard user access account
2.2 Account Registration
2.2.1 Information System Access Accounts
Access to HSE information Systems will be controlled by the use of individual user access accounts. The use of generic / group access accounts is not permitted under any circumstances on HSE information systems.
All new request for access to information systems must be made in writing. Line managers must complete the request on behalf of a new user and send this onto the designated information owner or his / her nominee for their approval. The request must be clearly marked ‘New Access’
Information owners or their nominees must formally authorize and sign all new access request. Once a request for access has been approved, the information owner or his / her nominee must sign the HSE System Access Request Form and forward this into the system administrator for the user account to be created.
System administrators must only create new user accounts when they have received a signed HSE system Access Request Form.
2.2.2 Network Domain Access Accounts
Access to HSE network domains will generally be controlled by the use of individual user access account’s, however the use of generic / group access accounts will be permitted on nominated computer devices that meet approved criteria.
Project manager must complete the request on behalf of a new user and send this onto ICT department. The request must be clearly marked ‘New Access’.
Network administrators must only create new user accounts when they have received a signed HSE Network Domain Access Request Form.
2.2.3 Generic / Group Network Domain Access Accounts
The use of generic / group access accounts is permitted on nominated computer devices that satisfy the following criteria:
1) Computers need to remain logged onto the HSE network throughout the day to facilitate individual users gaining speedy access to clinical information systems using their own individual log on credentials (e.g computers in a hospital A&E department)
2) A single network computer is used by a number of different users throughout the day to facilitate access to clinical information systems using the users individual log on credentials (e.g. computers on a hospital ward)
Where a generic / group access account is created on a HSE network domain, the generic / group access account must have an identified designated account owner (at grade 8 level (or equivalent) or above) who is responsible for the management and use of the generic / group access account.
HSE network domain generic/ group access accounts will only have access to an agreed set of HSE information systems and will not under any circumstances have access to HSE email or internet services. Limited network resources will be granted to a local named shared folder.
2.2.4 Third Party Access Accounts
Third party access are not allowed.
2.3 Account Management
Request from users for password resets must only be performed once the user’s identity has been verified by the appropriate system administrator or network administrator (for example: a user’s identity may be verified by the provision of their HSE personnel number).
Existing user’s who require additional access privileges on an information system must obtain the written authorization of the designated information owner.
Existing users who require additional access privileges on a network domain (for example file shares etc) must make their request in writing.
The access accounts of users taking career breaks, going on maternity leave or those on long term sick leave must be suspended until such a time as they return to work. Requests for account suspensions must be made in writing by the project manager.
The access accounts of users who are about to change roles or transfer to another HSE directorate or service area, must be reviewed to ensure access account privileges that are no longer required by the user in their new role are removed. In such circumstances the user’s existing project manager must request the removal of the unnecessary account privileges.
2.4 Account De- Registration
As soon as a user leaves the employment of the HSE all his/her information systems and network access accounts must be revoked immediately. Line managers must request the deletion of a user’s access accounts as soon as they have been informed by the user that they are leaving the employment of the HSE.
System administrators and network administrators must invoke user accounts at the requested date and time after the receipt of a properly completed HSE Suspend/ Remove Access Request Form.
Access to all information systems and networks must be controlled via strong password authentication schemes.
User access accounts must be created in such a way that the identify of each user can be established at all times during usage.
Each user access account must be unique and consist of at least a user name and password set. All passwords created must be with approval of managing director.
2.6 Monitoring & Review
Information owners or their nominees must continually monitor access to their information systems. They must perform quarterly reviews of the systems they are responsible for to ensure.
3.0 Roles & Responsibilities
3.1 Information Owner-Each designated information owner is responsible for:
The implementation of this policy and all other relevant policies within the HSE directorate or service they manage;
The ownership, management, control and security of the information processed by their directorate or service on behalf of the HSE;
Maintaining a list of HSE information systems and applications which are managed and controlled by their directorate or service.
Making sure adequate procedures are implemented within their directorate or service to ensure compliance of this policy and all other relevant policies;
Ensuring adequate backup procedures are in place for the information system they are responsible for;
Ensuring all access requests are evaluated based on the approved criteria;
Sponsoring and approving third party access requests (local or remotely) to the HSE information system they are responsible for;
Designating system administrator(s) for the information system they are responsible for;
Furnishing the system administrator with a list of nominees who are authorized to approve and sign access requests to the information system on their behalf;
Conducting a quarterly review of the information system in accordance with the policy;
3.2 System Administrator
Each system administrator is responsible for:
Complying with the terms of this policy and all other relevant HSE policies, procedures, regulations and applicable legislation;
Taking appropriate and prompt action on receipt of requests for user registration, change of privileges, password resets and de-registration of users in accordance with this policy and the procedures for the information system;
Taking appropriate and prompt action on receipt of requests for the suspension of a user account in accordance with this policy and the procedures for the information systems;
Ensuring all passwords generated for new user accounts and password resets meet the requirements of the HSE Password Standards Policy.
Notifying users of their system account details in secure and confidential manner;
Ensuring that appropriate records of system activity, including all authorized user registrations, change of privileges and de-registration requests are maintained and made available for review to the appropriate personnel;
Conducting a quarterly review of the information system they are responsible in accordance with this policy;
3.3 ICT Personnel
Is responsible for;
The management, control, ownership, security and integrity of all HSE network domain (LAN/WAN) on behalf of the HSE;
The implementation of this policy and all other relevant policies and all other relevant policies;
Ensuring adequate procedures are in place to ensure compliance with this policy and all other relevant policies;
Designating a network administrator(s) for each HSE network domain;
Conducting a quarterly review of the networks in accordance with this policy;
Providing information owners or their nominees with quarterly audit reports and user access lists for information systems which are directly managed by the ICT Directorate.
3.4 Project Managers
Each Line Manager is responsible for:
The implementation of this policy and all other relevant HSE policies within the business areas for which they are responsible;
Ensuring that all members of staff who report to them are made aware of and are instructed to comply with this policy and all other relevant HSE policies;
Ensuring complete and timely user access requests, for both permanent and temporary staff, are forwarded to the designated system owner allowing sufficient time for the creation of the required user account prior to the users start date;
Ensuring complete and timely user network access requests, for both permanent and temporary staff, are forwarded to the ICT Directorate allowing sufficient time for the creation of the required user account prior to the users start date;
Ensuring that each user they request access fulfills all the criteria (principle of “least privilege”) for the requested information system/or network; Ensuring they make timely requests for the suspension of all user accounts belonging to members of their staff who are taking a career break, going on maternity leave or leave or those on long term sick leave;
Ensuring they make timely requests for the deletion of all user accounts belonging to members of their staff who are leaving the employment of the HSE;
Consulting with the HR Directorate in relation to the appropriate procedures to follow when a break of this policy has occurred.
Each user is responsible for:
Complying with the terms of this policy and all other relevant HSE policies, procedures, regulations and applicable legislation;
Respecting and protecting the privacy and confidentiality of the information systems and network they access, and the information processed by those systems or networks;
Ensuring they only use users access accounts and passwords which have been assigned to them;
Ensuring all passwords assigned to them are kept confidential at all times and not shared with others including their co-workers or third parties;
Changing their passwords at least every 90 days or when instructed to do so by designated system administrator, network administrators or the ICT department;
Complying with the instructions issued by designated information owners, system administrators, network administrators and/or the ICT Directorate on behalf of the HSE;
Reporting all misuse and breaches of this policy to their line manager.
The HSE reserves the right take such action as it deems appropriate against individuals who breach the conditions of this policy. HSE staff, students, contractors, sub-contractors or agency staff who break this policy may be subject.
5.0 Review & Update
This policy will be reviewed and updated annually or more frequently if necessary to ensure any changes the NEGC’ organization structure and business practices are properly reflected in the policy.