Networks
Access to networks and network services will be specifically authorised in accordance with Sm8rtHealth’s User Access Control procedures and NDA terms and conditions. Access to networks and network services will be controlled in accordance with business and security requirements, and access control rules defined for each network.
Network connection control
A Service Policy Table will be formulated for each service that is allowed through each firewall.
All external connections by business partners and customers will be documented and authorized in accordance with the defined “Security Change Request” procedure.
Network routing control
Appropriate routing control methods will be deployed to restrict information flows to designated network paths within the control of Sm8rtHealth.
Network routing controls will be based on positive source and destination address checking methods.
Security of network services
Sm8rtHealth will obtain detailed descriptions of the security attributes of any external services (if any) from external network service providers.
These descriptions will establish the confidentiality, integrity and availability requirements of the business applications and the level of controls (if any) that Sm8rtHealth must apply.
A description of the security controls will be included in the service agreement.
Operating Systems
Automatic terminal identification
- Automatic terminal identification will be used when it is important that transactions are only initiated from a specific terminal or location.
Terminal log-on procedures
- Terminal logon procedures will disclose a minimum amount of information about the system.
- System administrators will configure the password management system to suspend a User ID after three consecutive unsuccessful logon attempts. A system administrator will require approval from the user’s supervisor before resetting the User ID.
- A legal banner will be displayed on all Sm8rtHealth systems before logon.
- The logon procedure will not identify the system or application until the logon process has completed successfully.
- Systems will validate logon information only once all input data has been entered.
- After a rejected logon attempt, the logon procedure will terminate without indicating which item of information (the User ID or the password) caused the rejection.
- If an error condition occurs, the system will not indicate which item of data is correct or incorrect.
- The logon procedure will enforce a maximum time allowed for the logon process. If this time is exceeded, the system will terminate the logon process.
- On successful completion of logon, the logon procedure will display the date and time of the previous successful logon, and the number and date/time of unsuccessful logon attempts since the last successful logon.
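The logon controls listed above, implemented together as an added Python example written for this page (it is not Sm8rtHealth's own code): one generic failure message for unknown User ID, wrong password and suspended account alike; the decoy credential so an unknown User ID costs the same hashing work as a wrong password; suspension after three consecutive failures; a reset that requires supervisor approval; a time limit on the logon process; and reporting of the previous successful logon and the failures since it. The sample account, the `supervisor_approved` flag standing in for the approval workflow, and the 60-second limit are assumptions.

```python
"""Logon procedure example: uniform failure response, lockout after three
consecutive failures, supervisor-approved reset, logon time limit and
last-logon reporting. Added example; account data below is constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 3            # policy: suspend after three consecutive failures
LOGON_TIME_LIMIT_SECONDS = 60      # assumed maximum time allowed for the logon process
PBKDF2_ITERATIONS = 50_000
GENERIC_FAILURE = "Logon failed"   # never says whether User ID or password was wrong


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    suspended: bool = False
    last_success: Optional[float] = None
    # timestamps of unsuccessful attempts since the last successful logon
    failed_since_success: List[float] = field(default_factory=list)


def derive_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def new_account(user_id: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(user_id=user_id, salt=salt, pw_hash=derive_hash(password, salt))


class LogonService:
    def __init__(self, accounts: List[Account]) -> None:
        self.accounts: Dict[str, Account] = {a.user_id: a for a in accounts}
        # Decoy credential: an unknown User ID costs the same work as a wrong password,
        # so response time does not reveal whether the User ID exists.
        self._decoy_salt = os.urandom(16)
        self._decoy_hash = derive_hash(os.urandom(16).hex(), self._decoy_salt)

    def logon(self, user_id: str, password: str, started_at: float, now: float) -> dict:
        """Both fields are checked only after both are supplied; unknown user,
        wrong password and suspended account all get the same response."""
        if now - started_at > LOGON_TIME_LIMIT_SECONDS:
            return {"ok": False, "message": "Logon timed out"}
        acct = self.accounts.get(user_id)
        salt = acct.salt if acct else self._decoy_salt
        expected = acct.pw_hash if acct else self._decoy_hash
        password_ok = hmac.compare_digest(derive_hash(password, salt), expected)
        if acct is None or acct.suspended:
            return {"ok": False, "message": GENERIC_FAILURE}
        if not password_ok:
            acct.failed_since_success.append(now)
            if len(acct.failed_since_success) >= MAX_FAILED_ATTEMPTS:
                acct.suspended = True
            return {"ok": False, "message": GENERIC_FAILURE}
        # Success: report previous logon and the failures since it, then reset the count.
        result = {
            "ok": True,
            "previous_logon": acct.last_success,
            "failed_attempts": list(acct.failed_since_success),
        }
        acct.last_success = now
        acct.failed_since_success = []
        return result

    def is_suspended(self, user_id: str) -> bool:
        return self.accounts[user_id].suspended

    def reset_user_id(self, user_id: str, supervisor_approved: bool) -> bool:
        """Lift a suspension. The supervisor_approved flag stands in for the
        approval workflow (hypothetical). Failure history is kept so it is
        still reported at the next successful logon."""
        acct = self.accounts.get(user_id)
        if acct is None or not supervisor_approved:
            return False
        acct.suspended = False
        return True


def demo_service() -> LogonService:
    # Constructed sample account; not real credentials.
    return LogonService([new_account("alice", "correct-horse-battery")])
```

The decoy hash is the detail most often missed: without it an attacker can distinguish valid from invalid User IDs by timing, even though the message is identical.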
User identification and authentication
- Sm8rtHealth will identify and authenticate all users before granting the appropriate system access.
- User ID naming conventions must be consistent and documented.
- User IDs must not be shared between users.
Use of system programs
- Access to and use of system programs will be restricted and controlled.
- Use of system programs will be limited to authorised individuals.
- All actions undertaken by an individual on system programs will be logged.
- All unnecessary system utilities and software, including compilers, will be removed.
Terminal time-out
- All systems will be locked after a defined period of inactivity.
Limitation of connection time
Wherever possible, all critical systems will have defined time slots for access and connectivity. These are usually Client directed. By default, a 2-minute time-out is set for most applications.