ISG Security Statement
The Information Sharing Gateway is a web-based system provided over an encrypted connection and hosted by AIMES on behalf of University Hospitals of Morecambe Bay NHS Foundation Trust (‘Support Service’). The provision of secure application hosting covers: hosting business applications, high performance computer processing and data storage and manipulation, servers and secure storage.
AIMES adheres to exceptional security standards and regimes. These can be summarised as:
- Information Security
- Data Centre Security
- Rack Security
- Staff Security
Information Security
ISO27001 Certification is one of the most widely recognized independent global standards for security an organization can achieve. Certification to the standard involves a lengthy process whereby every facet of the business is examined from a security and process standpoint. All of AIMES' business systems, technologies, processes and data centres have been carefully examined to ensure they are compliant with the highest security and management standards.
NHS IG Toolkit Compliance
AIMES meets the NHS criteria for information security and governance. AIMES (Organisation Code 8J121) completes the Department of Health’s Information Governance Toolkit on an annual basis and their version 14 submission for 2016/17 has been reviewed and classed as meeting the NHS criteria for information security and governance (Level 3). Status can be viewed on the IG Toolkit website via the IGT Reports section: http://tinyurl.com/pocrc32
Data Centre Security
AIMES is located at Liverpool Innovation Park, a designated technology park which is surrounded by secure metal fencing. There is a single point of entry, with a security lodge that is manned on a 24-hour basis. Within the security lodge, guards control the external CCTV and perimeter protection cameras and carry out hourly foot patrols of the park.
Access controls include:
- Two form factor authentication & anti-tailgating security lobby
- Tablet-based Photo ID Access Control
- CCTV Monitoring
Rack Security
AIMES provides bespoke rack-based security controls appropriate to the server requirements for the ISG.
Staff Security
To ensure the security of client data, AIMES has controls in place to deal with staff security prior to, during and after employment.
Prior to Employment: AIMES has introduced a number of policies and procedures that ensure that employees, contractors and third party users understand their responsibilities and are suitable for the roles they are considered for, and that reduce the risk of theft, fraud or misuse of facilities.
During Employment: AIMES has introduced a number of policies and procedures that ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support the organizational security policy.
After Employment: AIMES has introduced a number of policies and procedures that ensure that employees, contractors and third party users exit our organization or change employment in an orderly manner.
Full AIMES security arrangements are detailed in the AIMES Security Overview document available from the Resources tab.
Support Operations Security
The system support is managed by the Innovation, Informatics and Information Service at University Hospitals of Morecambe Bay NHS Foundation Trust.
- Change Control - Support Services follow strict formal change management processes. Any requested changes to the production environment, system and configuration are tracked by a dedicated team.
- Audit - Audits are kept of access attempts to the system and changes to some data records within the system; these are stored on a SQL 2008 dedicated server provided by AIMES.
- Access Control - Support access is limited to legitimate business need, including activities required to support clients' use of the system.