Part of Data Security Standard 9 - IT protection
Secure configuration (9.5.1 - 9.5.10)
End user devices: Manage installation of software and approvals
Installation of software is controlled so there is a conscious decision of who, how and what is installed.
For example, in Microsoft Windows you would not expect standard users to be members of the administrator group, as they could then install any software. Equally, you would expect a normal user to be able to install approved software, where technically feasible or desirable. This could be accomplished through allow-listing, where an index of approved, permitted software applications is specified, and an organisation app store.
Consistent secure builds
You have a secure build for each of your platforms (computers, laptops and tablets with the main corporate operating system) that is secure by design and standardised where possible. The build image or gold build should be updated at regular intervals to prevent a newly imaged device requiring numerous updates or running out-of-date software.
It is recognised that imaging tablets and mobile phones that run 'phone operating systems' such as Android is unrealistic, and these should be managed through mobile device management solutions.
Encryption
Device level encryption (such as AES 256) is applied on all mobile devices and removable media for data at rest.
Mobile devices include:
- laptops
- tablets
- mobile phones
Consider 'at risk' desktop PCs, such as those in public areas.
Removable media include:
- USB flash drives
- USB hard drives
You should also wipe or revoke access for those devices, normally through a mobile device management system.
It is recognised that remote wiping of removable media is technically unachievable.
Centrally setting settings
The ability to set and change security settings centrally across your entire estate and device mix is incredibly powerful. It allows you to tighten your security posture during times of high risk and then relax it afterwards, such as turning on USB Restricted Mode to make hacking more difficult on iPhone Operating System (iOS) devices.
In Windows this would normally be accomplished through Group Policy, under Windows Settings and the Security Settings group. In mobile devices this would normally be through a mobile device management system.
Auto-run
Having programs autorun creates an attack vector for malicious software to be executed. Consequently, it should be switched off on all your device types where applicable.
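A read-only check of a single Windows device against three of the controls above (standard users not in the administrator group, device encryption, auto-run switched off), as an added example that is not part of the original guidance. It assumes an elevated PowerShell 5.1 or later session on a Windows edition with the BitLocker module; the account names in $ApprovedAdmins are hypothetical placeholders.

```powershell
# Added example: read-only audit of one Windows device. Run from an elevated prompt.
# $ApprovedAdmins is a hypothetical allow-list; replace it with your own accounts.
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')
$findings = @()

# 1. Members of the local Administrators group. The well-known SID is used
#    instead of the group name so the check works on any display language.
try {
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop) {
        if ($ApprovedAdmins -notcontains $m.Name) {
            $findings += "Unexpected administrator: $($m.Name) ($($m.ObjectClass))"
        }
    }
} catch {
    # Enumeration can fail, for example on orphaned accounts; report it, do not pass silently.
    $findings += "Could not enumerate Administrators group: $($_.Exception.Message)"
}

# 2. Auto-run policy. NoDriveTypeAutoRun = 0xFF covers every drive type;
#    NoAutorun = 1 stops autorun.inf commands being offered.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($null -eq $pol -or $pol.NoDriveTypeAutoRun -ne 0xFF) {
    $findings += 'AutoPlay is not disabled for all drive types (NoDriveTypeAutoRun is not 0xFF)'
}
if ($null -eq $pol -or $pol.NoAutorun -ne 1) {
    $findings += 'AutoRun commands are not disabled (NoAutorun is not 1)'
}

# 3. Encryption at rest. Every volume should be protected and fully encrypted;
#    the method is reported so it can be compared with your standard.
foreach ($v in Get-BitLockerVolume) {
    if ($v.ProtectionStatus -ne 'On' -or $v.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume $($v.MountPoint): protection $($v.ProtectionStatus), " +
                     "status $($v.VolumeStatus), method $($v.EncryptionMethod)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: device matches the three checks.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

The script changes nothing on the device; a non-zero exit code lets a management tool collect devices that need attention.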
Network and systems: manage changes (change control)
Having the ability to easily change system and network settings is very powerful but also very dangerous. Without effective change control and system documentation, even a well-intentioned change can permeate throughout your infrastructure and be difficult to reverse.
Having a baseline and snapshots, whether automated or manual, helps you return configurations to normal after an incident.
Ensuring changes are authorised, planned and have a credible reversal plan can help.
Formalising this process with a methodology such as Information Technology Infrastructure Library (ITIL) can also assist.
Remote access authentication
As remote access potentially opens your resources (corporate networks and web applications) to the entire internet, it is important that all remote access has strong authentication.
Ideally this should be multifactor, normally 2 factor, which usually takes the form of the following:
- username
- password
- hardware or soft token
Protecting networked non-internet devices
These are devices that are connected to your network (but not the internet) because they are legacy systems, medical devices or untrusted systems that cannot be patched.
It is important that you protect these systems and your wider network from each other. This can be accomplished through techniques such as:
- network separation (such as VLANs)
- deny list
- virtualisation
- sandboxing
- separate firewall
- non-routable subnets
One method is to treat all of these systems as obsolete systems and, therefore, unmanaged or untrusted, as described in the Data Security Standard 9.
Secure email standard
Emails sent to and from health and social care organisations must meet the secure email standard (DCB1596) so that everyone can be sure that sensitive and confidential information is kept secure.
Last edited: 16 January 2024 9:56 am