Key terminology
The Cyber Assessment Framework (CAF)-aligned Data Security and Protection Toolkit (DSPT) introduces new terminology that you need to understand to approach the assessment correctly. The key terms are identified and defined here, with accompanying explanations intended to prevent gaps in interpretation.
'Must', 'should' and 'may'
The purpose of the CAF-aligned DSPT guidance is to help users understand toolkit requirements, bridge gaps in interpretation and inform their practical judgments. The guidance does not introduce regulatory requirements in and of itself, and only seeks to explain requirements already established by the underlying CAF-aligned DSPT information standard.
For this reason, words such as 'must', 'should' and 'may' have only their normal English meanings in the guidance. They should not be interpreted to signify specific CAF-aligned DSPT requirement levels.
'Essential functions'
The 24-25 DSPT makes frequent references to 'essential functions'.
A1.b Roles and responsibilities
A#1 Key roles and responsibilities for the security and governance of information, systems and networks supporting your essential function(s) have been identified. These are reviewed regularly to ensure they remain fit for purpose.
Your essential functions should be identified in a scoping exercise that you carry out before beginning your DSPT submission. The same exercise should identify all the information, systems and networks that support your essential functions.
For more information, see the guidance on scoping essential functions.
'Information, systems and networks'
The 24-25 DSPT refers to 'information, systems and networks'.
B2.a Identity verification, authentication and authorisation
PA#2 All authorised users and systems with access to information, systems and networks on which your essential function(s) depends are individually identified and authenticated.
Under the Network and Information Systems (NIS) Regulations 2018, 'network and information systems' can be understood as:
- electronic communications networks
- devices or groups of interconnected devices that automatically process digital data, or
- digital data stored, processed, received or transmitted by either of the above, for the purposes of their operation, use, protection and maintenance
The term used in the health and care CAF overlay, 'information, systems and networks', is intended to capture everything included in the definition above, while also covering physical information, such as paper records.
'Information assurance'
For the purposes of the CAF-aligned DSPT, the phrase 'information assurance' should be interpreted as a collective term that encompasses both cyber security and information governance (IG) disciplines.
B6.a Culture
PA#1 Your executive management understand and widely communicate the importance of a positive culture around information assurance. Positive attitudes, behaviours and expectations are described for your organisation.
In the above example, 'a positive culture around information assurance' means 'a positive culture around cyber security and IG'.
Last edited: 12 September 2024 9:24 am