Part of Data Security Standard 9 - IT protection
Assurance (9.4.4 - 9.4.5)
You will have a variety of assurance mechanisms available to you; knowing what they are, which to apply and how to apply them is critical.
They range from DSPT assurance to onsite assessments, automated assurance such as vulnerability scanners, and bespoke interventions.
Assurance can also involve certification, particularly Cyber Essentials Plus (CE+) and ISO 27001, peer reviews and surveying your staff.
Assurance in depth is just as important as its counterpart, defence in depth. No single assurance method is king; a mix of assurance methods is the best option.
Examples of assurance in depth
People
- survey
- forums
- spot tests
Process
- onsite assessment
- CE+
- DSPT audit
- ISO 27001
Technology
- scanners
- survey tools
- simulations
Demonstrating your assurance
Regardless of the assurance method you select, you should be able to demonstrate your confidence in security at least annually.
For NHS organisations this will generally be the uptake of relevant services from NHS England Cyber Security Services, particularly the onsite assessment.
For local authorities this can be PSN IA; for others, ISO 27001 and CE+.
Addressing deficiencies found during assurance activities
You should respond to and treat NHS cyber alerts, and treat the root security deficiencies after an incident. Deficiencies discovered during assurance activities should be triaged and treated in the same way.
The important factor is what you do after an assurance activity, not just undertaking the activity itself.
Discovered deficiencies should be triaged and remediated according to their risk. Some may need to be remediated very quickly, such as a server found not to have been remediated following a high severity cyber alert; others may be longer-term items featured in a data security improvement plan.
Some you may not be able to remediate at all, such as a legacy system which must be retained; these should be recorded and the Senior Information Risk Owner (SIRO) informed.
Assuring your assurance methods
As well as managing the outputs of your assurance activities, you should periodically review how effective your overall assurance posture is.
This can take several forms:
- looking at your suppliers, testing the market
- horizon scanning: not just today’s environment but what assurance will be required in future
- reviewing the effectiveness of your methods
- looking at your local healthcare economy partners to see their approach
- being prepared to drop or change ineffective assurance activities
DSPT independent assurance
The DSPT independent guidance enables better assurance of DSPT submissions by standardising assessments. It will also help to give a better understanding of data security and protection risk themes across the health and care system.
This is mandated for NHS organisations:
- NHS Trusts (acute, foundation, ambulance and mental health)
- Integrated Care Boards (ICBs)
- Commissioning Support Units (CSUs)
- arm’s length bodies
- IT suppliers
It is important that organisations assure themselves that audit providers follow the mandated scope, which for this year is:
1.1 The organisation has a framework in place to support Lawfulness, Fairness and Transparency
2.2 Staff contracts set out responsibilities for data security
3.1 Staff have appropriate understanding of information governance and cyber security, with an effective range of approaches taken to training and awareness
3.2 Your organisation engages proactively and widely to improve data security, and has an open and just culture for data security incidents
4.4 You closely manage privileged user access to networks and information systems supporting the essential service
5.1 Process reviews are held at least once per year where data security is put at risk and following DS incidents
6.2 All user devices are subject to anti-virus protections while email services benefit from spam filtering and protection deployed at the corporate gateway
7.1 Organisations have a defined, planned and communicated response to Data security incidents that impact sensitive information or key operational services
8.4 You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service
9.2 A penetration test has been scoped and undertaken
9.5 You securely configure the network and information systems that support the delivery of essential services
9.6 The organisation is protected by a well-managed firewall
10.2 Basic due diligence has been undertaken against each supplier that handles personal information
It is also important that organisations assure themselves that their chosen audit provider is aware of the mandated framework that must be followed.
The hallmark of the methodology is an output with a risk rating against each of the 10 data security standards, an overall risk rating based on the 10 individual ratings, and a confidence rating.
An improving picture
This process should be viewed as a continuous cycle of improvement.
It should follow a Plan, Do, Check, Act model as follows:
- scope the plan
- SIRO approves scope
- data planned and stakeholders informed
- SIRO reviews results
- remediation
SIRO involvement
The SIRO should have an active role in the scoping process, including approval of the scope of the plan, particularly for any penetration testing, including OWASP tests.
Last edited: 28 September 2023 7:41 am