Incident Management Policy and Procedure 652.0 KB - Oxleas NHS ...

More documents

Recommendations

Info

Forensic Readiness guidanceAppendix XIntroductionThis guidance relates to securing and protecting evidence relating to incidents where illegal orfraudulent misuse of information systems is suspected.Serious incidents of this nature should be investigated using the processes described in Section B ofthe Incident Management Policy. This inquiry may be conducted alongside a disciplinary investigationor a counter-fraud investigation, depending on the circumstances. These processes are outlined inthe Disciplinary Policy, Procedure and Rules and the Fraud Policy and Response Plan.Initial actions following discovery of an incidentAs soon as the Trust becomes aware of an incident, all parties that are required to take action shouldbe involved as early as possible. Only those essential to the investigation of the incident should beinvolved, eg ICT dept, HR dept, legal representatives, Local Counter Fraud Specialist (internal audit).If media interest is anticipated, the Communications Department should be informed.Details of the incident should be kept confidential and involve only those that have a clear need toknow as the more people who are aware of the incident, the more opportunity there is for people tointerfere, hamper or compromise the investigation. This helps to ensure the suspect (if there is one)does not become aware of the investigation and does not get any access through which they might beable to delete evidence or cover tracks.Investigators should be aware of collusion as there might be more than one offender working alone.Gathering and securing evidenceComputer systems should be checked only by trained security personnel to ensure that data essentialto the investigation is not destroyed or contaminated., whether they are authorised to do so not,because even turning a machine on or off could destroy or contaminate data, which may be essentialto the outcome of the incident.It is important to ensure that people with the right expertise are used who have the ability to accessand recover potential evidence correctly. Data collection for Computer Forensics can be performed intwo ways:• Overtly : openly acquiring the equipment to be used in an investigation• Covertly:allowing the activity to continue whilst gathering evidence and identifying theconspirators.Wherever possible, covert monitoring should always be considered in cases of employee misuse inorder to ease their return to work if the allegations are unfounded.Secure access to systems and evidenceWhere the alleged perpetrator is still in on site, it is important to ensure that evidence cannot bedestroyed before any interviews as part of the disciplinary process. During this process, the ICTdepartment may be requested to secure all system access such as:• Network access• E-mail• Privileged access• Remote access• Physical access.50
System owners may also be requested to secure access to systems managed outside of IT such as:• Finance systems• Clinical systems• Local Manual and IT systemsA list of IT Systems and their owners is held as an appendix to the ICT Security Policy on the intranet.It is important to ascertain whether the employee has access to a laptop, PDA device, USB (memorystick), CDs, DAT tapes or any other media and organise their retrieval.Re-instating user access/equipment on completion of the investigationWhere the incident has proven the subject to be innocent or where no further action is to be taken, thesubject’s access to systems and services should be resumed. However, a review of access rights maybe necessary if they contributed to the incident.Where action has been taken against the subject the equipment may need to be retained as evidencepending a court case or possible appeal. For fraud cases, it is recommended that the counter-fraudservices take responsibility for secure storage. For other types of incidents (eg misuse of Trust ITequipment for accessing and storing information from the internet) the investigating department willneed to ensure that arrangements are made for secure storage of equipment, either or site, or externalto the Trust. If the police or Crown Prosecution Service (CPS) are involved, then it is likely that theywill take responsibility for secure storage of equipment51
Page 2 and 3: VERSION CONTROLDocument LocationOxl
Page 4 and 5: PART AINTRODUCTION1.1 Oxleas NHS Fo
Page 6 and 7: to the Senior Officer within HR who
Page 8 and 9: Head of Safeguarding Children and L
Page 10 and 11: 2 REPORTING AND IMMEDIATE ACTION2.1
Page 12 and 13: Immediate Within 24 Hours Within 3
Page 14 and 15: HOMICIDEHomicideNHSLondongrade 2Imm
Page 16 and 17: 2.3 Reporting to external agenciesC
Page 18 and 19: 3 INITIAL SERVICE MANAGEMENT REVIEW
Page 20 and 21: - individual factors;- task factors
Page 22 and 23: 4.1 InformationVictims, families an
Page 24 and 25: Directorate investigations reports
Page 26 and 27: Type of incident Level 1NegligibleA
Page 28 and 29: Type of incident Level 1NegligibleL
Page 31 and 32: Appendix IIIIncident report form to
Page 33 and 34: Guidance notes for completing adver
Page 35 and 36: SERIOUS INCIDENTAppendix VPRIVATE A
Page 37 and 38: Date of discharge from most recent
Page 39 and 40: • Ensure that TOR’s and timesca
Page 41 and 42: Where the LSCB TOR includes service
Page 43 and 44: Appendix VIIIOXLEAS NHS FOUNDATION
Page 45 and 46: 5. CONTENT OF THE INVESTIGATION5.1
Page 47 and 48: Guidelines on writing witness state
Page 49: The following ‘‘do’s’’ an
Page 53 and 54: Strictly ConfidentialGreenwich Crit
Page 55 and 56: Strictly ConfidentialBexley Critica
Page 57 and 58: Strictly ConfidentialBromley Critic

Incident Management Policy and Procedure 652.0 KB - Oxleas NHS ...

Create successful ePaper yourself

Delete template?

Save as template?