Cyber Assurance Service
We offer centrally funded assessments to help NHS organisations identify vulnerabilities and understand and overcome areas of high risk. This will help your organisation to achieve Data Security and Protection Toolkit (DSPT) standards.
About the assessments
The assessment will help to build cyber security resilience to help keep patients and service users safe. The assessment will measure your performance by completing an IT Health Check and assessing your alignment to key DSPT standards relating to Cyber Assessment Framework (CAF) Indicators of Good Practice (IGP).
Reports completed after the assessment will detail where improvement is needed and how urgently it should be corrected.
These assessments are for NHS trusts and commissioning support units (CSUs).
What the assessment involves
Once you register for an assessment, we will confirm that you are in scope to receive one. We will then pass your details to our specialist supplier, Dionach, who will deliver the assessment. The intention is to ensure that the assessment causes minimal disruption to your organisation’s day-to-day activities.
Dionach will arrange an initiation call with you and will advise you of the activities that will take place and the prerequisite material that will need to be provided. Once the initial documentation has been filled in, our supplier will agree and confirm dates for your assessment at a suitable time for your organisation. Depending on the volume of assessments being completed at the time, this may be a few months later. In the meantime, it is essential that the prerequisite materials required before the assessment are provided to Dionach. The scoping documentation requested will need to be received by Dionach 4 weeks prior to the start of your engagement. A call will also be held 3 weeks prior to the start, to confirm the scoping documentation is complete, to answer any questions and to confirm everything is ready for the start date. If documentation is not provided by the agreed deadlines, your engagement may be postponed or cancelled. The delivery of the assessment should take between 2 and 3 weeks.
Please note that we have a limited number of engagements we can deliver. These will be allocated on a first-come, first-served basis. If the current allocation is full, we will place your call on hold and advise you if further engagements become available.
Our specialist supplier will carry out an IT Health Check and complete a detailed technical review of your organisation's IT setup, structure and working practices. The IT Health Check will cover:
- file share testing
- Active Directory, central security and mobile device management review
- asset security review
- wireless security review
- external infrastructure review
- an optional security review for patient administration system (PAS)
Some data collected as part of the IT Health Check will be used to assess the key DSPT assertions, although some will require additional information from you to complete. The DSPT aspect will cover:
- accountability and governance
- access management
- password protection
- software and email anti-virus protection
- business continuity and disaster recovery
- system updates and patch management
- vulnerability management
- policy management
- roles and responsibilities
- understanding of risk
Expectations from your organisation
In receiving this assessment, you will be expected to ensure that you/your organisation:
- liaise with our supplier and organise a suitable time for the assessment to be delivered
- provide relevant information and prerequisite scoping materials pertinent to the delivery of the assessment - the documents required will need to be provided at least 4 weeks before the assessment is due to take place
- keep our supplier informed of any local organisational changes that may impact assessment delivery
- inform our supplier as soon as possible if you are no longer able to facilitate delivery or if you need to change delivery dates - a call will be held 4 weeks prior to the assessment to confirm the scoping document is complete, whether additional support is needed and to handle any questions
After the assessment
You will receive a detailed report within 10 working days of the assessment, outlining the highest risks and critical areas. This report will include suggested actions your organisation can take to remediate.
Register for a cyber assessment
To find out more or to request this service, raise a call to the helpdesk by registering on the portal, clicking ‘Request Something’ and searching for ‘Cyber Assurance Service’.
Our internal teams and supplier will then be in touch to arrange your assessment.
Last edited: 4 June 2025 10:52 am