5. Appendix section

The purpose of the ITHC as part of the HSCN Compliance process is to provide evidence to NHS Digital (and to a Supplier organisation) that across the service proposed for HSCN the risk of unavailability, loss or other compromise of the service through unauthorised access and/or change are understood by senior management in the Supplier’s organisation and adequately controlled to an acceptable level through a supporting Remediation Action Plan. Any residual risk that is accepted must be signed off by a SIRO or equivalent.

One of the most important aspects in ensuring that an ITHC is comprehensively identifying risks and adequately controlling them is getting the breadth and depth of the scope of the ITHC correct. 

The ITHC scope should be based on PSN guidance for ITHC. 

However, this is generic guidance intended for all aspects of PSN compliance, not solely network infrastructure.

Further guidance on maximising the value of penetration testing from the NCSC is available. 

For HSCN, the most important aspect is that NHS Digital is assured that the breadth and depth of the ITHC covers the full scope of the services which a Supplier proposes to provide as the HSCN service or services, both in breadth and depth of the ITHC.

This includes not just the core network devices (for example, routers, switches, firewall devices, including premise or customer premise equipment where these are supplied and managed as part of the HSCN service), but also management infrastructure, such as management networks and services (including email and other information stores) which support the core network service, and end-user devices that are used in administrating and configuring it.  The scope of the HSCN service proposed is as stated in the High-Level Design (HLD) submitted as part of a Supplier’s submission at Stage 1 of the HSCN Compliance application. For subsequent ITHCs, it is important that the scope of the ITHC is updated according to changes to the design of the service or services.

Where the HSCN service is made up of one or more existing services, it is important that the scope covers all variants and segments, and their interconnections. This may be the case where the HSCN service is made up of more than one core networks, perhaps through acquisition or regional variation.   For Stage 1 compliance, NHS Digital recognises that the HSCN service may not have been implemented yet.  In this case, it is acceptable to provide an ITHC for an existing service which uses the same or similar components, topology and management layers as the proposed ITHC. However, for all subsequent ITHCs, the ITHC must be carried out on the actual HSCN service. This should include where possible, Customer Premise or Premise Equipment where this equipment is provided and managed as part of the service to the HSCN Consumer.

It is also important to provide representative assurance that the ITHC covers sufficient devices within each segment of the service and device type. For example, a service that comprises 1000 end user management devices, a realistic and representative test would include around 10% of those end user devices. Similarly, 10% of network devices provide a representative number of devices in the service or service segment.

The ITHC should also include authenticated and unauthenticated vulnerability scanning on internal and where appropriate external facing devices and services.  Similarly, the ITHC should include an assessment of the configuration of devices that make up the service.