
Part of Data Security Standard 9 - IT protection

Know your boundaries (9.2.1 - 9.2.2)



Understand the boundaries of your digital estate and do not overstep them.

Boundaries occur at many levels: between multiple networks and tenancies sharing a single building, between your local network and the Health and Social Care Network (HSCN), and between wide area networks on the same estate.

Ultimately, you should know where your responsibilities end and another organisation’s begin. Consequently, you should not scan or try to update assets that are beyond your boundary.

Under no circumstances should you scan over HSCN without consulting NHS England before doing so. Depending on how aggressively or passively they are run, some vulnerability scanners can produce false positives (reporting a specific vulnerability that your system does not in fact have), and their traffic may be indistinguishable from a cyber attack, since attackers use the same tools.
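A pre-flight scope check that refuses a scan job when any requested target falls outside the networks you own, as an added example that is not part of this toolkit page. The address ranges are constructed placeholders (RFC 5737 documentation space and RFC 1918 private space); they are not real NHS, tenant or HSCN addresses, and the "owned" and "foreign" lists are assumptions standing in for your own asset register.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed placeholder ranges standing in for "our estate".
# Assumption: in practice these come from your asset register, not a hard-coded list.
OWNED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),   # assumed: our local network
    ipaddress.ip_network("192.0.2.0/24"),   # assumed: our DMZ web servers
]

# Ranges we know are beyond our boundary, keyed by why they are off limits.
# Placeholder addresses only; the HSCN entry does not reflect any real HSCN range.
FOREIGN_NETWORKS = {
    "another tenant in the same building": ipaddress.ip_network("10.21.0.0/16"),
    "HSCN (no scanning without consulting NHS England)": ipaddress.ip_network("198.51.100.0/24"),
}


def classify_targets(targets: Iterable[str]) -> Tuple[List[str], Dict[str, str]]:
    """Split requested scan targets into those fully inside our estate and
    those that must not be scanned, with a reason for each rejection.
    Targets may be single hosts ("10.20.5.7") or CIDR ranges ("10.20.0.0/22")."""
    in_scope: List[str] = []
    rejected: Dict[str, str] = {}
    for target in targets:
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            rejected[target] = "not a valid IP address or CIDR range"
            continue
        # A target that touches a known foreign range is rejected outright,
        # even if part of it also falls inside our own addresses.
        hit = next((why for why, foreign in FOREIGN_NETWORKS.items()
                    if foreign.version == net.version and net.overlaps(foreign)), None)
        if hit is not None:
            rejected[target] = f"overlaps {hit}"
            continue
        # Only a range that sits entirely inside one owned network is in scope;
        # a range that merely touches an owned network spills over the boundary.
        if any(own.version == net.version and net.subnet_of(own) for own in OWNED_NETWORKS):
            in_scope.append(target)
        elif any(own.version == net.version and net.overlaps(own) for own in OWNED_NETWORKS):
            rejected[target] = "range extends beyond our owned networks"
        else:
            rejected[target] = "not within any network we own"
    return in_scope, rejected


def approve_scan(targets: Iterable[str]) -> List[str]:
    """Return the target list only if every target is inside our boundary;
    otherwise refuse the whole job so nothing out of scope is ever probed."""
    in_scope, rejected = classify_targets(targets)
    if rejected:
        details = "; ".join(f"{t}: {why}" for t, why in rejected.items())
        raise ValueError(f"scan refused, out-of-scope targets: {details}")
    return in_scope


if __name__ == "__main__":
    # Constructed request mixing our own hosts with neighbours we must not touch.
    request = ["10.20.5.7", "192.0.2.0/25", "10.21.3.1", "198.51.100.10",
               "192.0.2.0/23", "203.0.113.4", "not-an-ip"]
    ok, bad = classify_targets(request)
    print("in scope:", ok)
    for t, why in bad.items():
        print(f"rejected {t}: {why}")
```

Rejecting the whole job rather than silently trimming it is deliberate: a scan that quietly drops targets hides a scoping mistake, whereas a refusal forces the operator to correct the target list or obtain agreement before anything is probed.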


Cyber security support model onsite assessments

If your organisation has received a data security onsite assessment within the fiscal year, this may count as the penetration test or contribute towards it.

The security assessment should include the following 2 mandatory items:

  • web servers
  • network components checked for default passwords

If it does not include the mandatory elements, it is acceptable to have a commercial, in-house or partner penetration test cover just these elements, provided the Senior Information Risk Owner (SIRO) signs off the scope of the data security onsite assessment.


Alerting interested parties

Before any test, there should be sufficient time to inform interested parties of the test. Interested parties include, but are not limited to:

  • system managers or information asset owners
  • service desk(s)
  • server and network teams
  • third parties who support systems or networks 

Last edited: 4 August 2023 8:40 am