Laptop Security Policy Template - Free Download
NHS Information Governance
LAPTOP SECURITY POLICY
This policy is recommended for adoption by NHS organisations of all types where laptop
computers are used. The policy is equally applicable to NHS contractors, service
providers and other organisations or agencies that use laptop computers to process NHS
information in the performance of their duties.
1. Laptop computers taken outside secure NHS environments are subject to special
security risks: they may be lost or stolen and may be exposed to unauthorised access
or tampering. Laptops taken abroad may also be at risk, for example of being
confiscated by police or customs officials.
2. Laptop loss will mean not only the loss of availability of the device and its data, but
may also lead to the disclosure of patient or other sensitive information. This loss of
confidentiality, and potentially integrity, will often be considered more serious than the
loss of the physical asset.
3. Where large quantities of NHS data are held on a single laptop (or any other storage
medium) risk assessments must consider the impacts of loss of all the data. Note that
deleted files should be assumed to persist on the laptop’s hard disk.
• Traditional password protection on a laptop offers limited defence against a
determined attacker because the attacker has unconstrained access to the physical
device. Modern complex password techniques offer more protection but are not
currently in widespread use.
• The physical security controls that are possible within an NHS building
environment are not available outside of that environment; therefore, if procedural
and personal controls of the laptop are breached, the only effective technical
measure that can be applied is cryptography. The Department of Health and NHS
Connecting for Health provide well-defined guidance, based upon recommendations
made by CESG and other good practice, which if followed provides an adequate
level of security. This includes pointers to relevant schemes and products suitable
for protecting NHS information.
• Additional information on laptop protection and evaluated products is available
through the CESG Internet website at www.cesg.gov.uk
• Encryption products are not difficult to use but must be used correctly in accordance
with defined procedures; in particular, the password and any token must be kept
separate from the laptop, as these are effectively the encryption key. Data is therefore
only protected by encryption when the laptop is powered off and not in normal use.
4. Unauthorised access to, and tampering with, a laptop, particularly if there are repeated
opportunities for access, may: