Part of Data Security Standard 6 - Responding to incidents
Repeat data security incidents (6.3.5)
A multiple incident can occur when a vulnerability is exploited a number of times.
For example, your trust has an incident in which the compromised credentials of a previous employee's account are used by an attacker to access hospital systems.
Despite this compromise, the leavers process is not reviewed, and within 3 months another compromise occurs in which another leaver's account that has not been de-activated is again exploited by a threat actor.
If your trust intranet server has had a data security incident featuring a back door, and the same or a similar incident (similar in that it used the same back door) occurs within 3 months on the same server, this qualifies under this item.
If the same back door is exploited on another server, again within the 3 months, leading to an incident, this also qualifies.
This points to the practice of remediating vulnerabilities across your estate, where possible, before they are exploited. Where they have been exploited, ensure the same vulnerability is treated estate-wide and not just on the affected system.
Last edited: 28 September 2022 10:22 am