Specific Focus: Operational Security (Standards 4–6)
| Assertion | Evidence text - Others (Category 3) | Tool tips - Others (Category 3) |
|---|---|---|
| The organisation assures good management and maintenance of identity and access control for its networks and information systems | Provide a summary of data security incidents in the last 12 months caused by a mismatch between user role and system accesses granted. | This can be an incident either where the staff member's rights to data were too high or too low. Do not name individuals. |
| The organisation assures good management and maintenance of identity and access control for its networks and information systems | Does your organisation have a reliable way of removing or amending people's access to IT systems when they leave or change roles? | When people change roles or leave your organisation, there needs to be a reliable way to amend or remove their access to your IT system(s). This could be by periodic audit to make sure that people's access rights are at the right level. It is important that leavers who had access to personal data have their access rights revoked in line with your policies and procedures. This includes access to shared email addresses. If your organisation does not use any IT systems, then tick and write "Not applicable" in the comments box. |
| All staff understand that their activities on IT systems will be monitored and recorded for security purposes | Have all the administrators of your organisation's IT system(s) signed an agreement to hold them accountable to higher standards? | The people within your organisation who are IT system administrators may have access to more information than other staff. Therefore, they need to be held accountable in a formal way to higher standards of confidentiality than others. This requirement also applies to IT system administrators working in external companies who support your organisation's IT systems. This formal agreement could be part of a job description or a contract with your IT support company and/or systems supplier(s). If your organisation does not use any IT systems, then tick and write "Not applicable" in the comments box. |
| All staff understand that their activities on IT systems will be monitored and recorded for security purposes | Have all staff been notified that their system use could be monitored? | Staff are informed and understand that their system use can be monitored and recorded. The notification method is periodic. |
| You closely manage privileged user access to networks and information systems supporting the essential service | The person with responsibility for IT confirms that IT administrator activities are logged and those logs are only | IT support staff typically have high-level access to systems. The activities of these users should be logged, and the logs should only be available to appropriate personnel. If your organisation does not use any IT systems, then tick and write "Not applicable" in the comments box. |
| You ensure your passwords are suitable for the information you are protecting | Multi-factor authentication is used on all remotely accessible and privileged user accounts on all systems, with exceptions only as approved by your board or equivalent senior management. | Multi-factor authentication (MFA) is one of the most effective ways to protect data and accounts from unauthorised access. You should consider all systems that can be accessed from the internet, such as email, clinical care systems, and any cloud-based or online systems, and either ensure that all user accounts are protected with MFA, or detail any exceptions in the text box response. Guidance on implementing multi-factor authentication is available. |
| You ensure your passwords are suitable for the information you are protecting | How does your organisation make sure that staff, directors, trustees and volunteers use good password practice? | If your organisation has any IT systems or computers, it should provide advice for setting and managing passwords. Each person should have their own password(s) to access the computer, laptop or tablet that they are using and for other systems. These passwords should be 'strong', i.e. hard to guess. This could be enforced through technical controls, e.g. your system(s) require a minimum number of characters or a mixture of letters and numbers in a password. If your organisation does not use any IT systems, computers or other devices, write "Not applicable" in the text box. Information about good password practice is available from Digital Care Hub. |
| Process reviews are held at least once per year where data security is put at risk following data security incidents | If your organisation has had a data breach or a near miss in the last year, has the organisation reviewed the process that may have allowed the breach to occur? | Confirm that your organisation has reviewed any processes that have caused a breach or a near miss, or which force people to use unauthorised workarounds that could compromise your organisation's data and cyber security. Workarounds could be things such as using unauthorised devices (home computers or personal memory sticks) or forwarding emails to personal email addresses. It is good practice to review processes annually even if a breach or near miss has not taken place. If there have been no breaches or near misses in the last 12 months, then please tick and write "Not applicable" in the comments box. |
| Action is taken to address problem processes as a result of feedback at meetings or in year | Are the actions to address problem processes being monitored, and is assurance given to the senior team? | Explain the governance around escalation of any issues and findings to the board, or equivalent, such as through reports and briefing notes, during the last twelve months. |
| A confidential system for reporting data security and protection breaches and near misses is in place and actively used | Does your organisation have a system in place to report data breaches? | All staff, and volunteers if you have them, are responsible for noticing and reporting data breaches, and it is vital that you have a robust reporting system in your organisation. There is an incident reporting tool within this toolkit which should be used to report health and care incidents to the Information Commissioner's Office (ICO). If you are not sure whether or not to inform the Information Commissioner's Office of a breach, the toolkit's incident reporting tool and guide can help you to decide. Digital Care Hub has Staff Guidance on Data Breaches. |
| A confidential system for reporting data security and protection breaches and near misses is in place and actively used | If your organisation has had a data breach, were the management team notified, and did they approve the actions planned to minimise the risk of a recurrence? | In the event of a data breach, the management team of your organisation, or nominated person, should be notified of the breach and any associated action plans or lessons learnt. If there have been no breaches in the last 12 months, then please tick and write "Not applicable" in the comments box. |
| A confidential system for reporting data security and protection breaches and near misses is in place and actively used | If your organisation has had a data breach, were all individuals who were affected informed? | If your organisation has had a data breach that is likely to result in a high risk of adversely affecting individuals' rights and freedoms - e.g. damage to reputation, financial loss, unfair discrimination, or other significant loss - you must inform the individual(s) affected as soon as possible. If your organisation has had no such breaches in the last 12 months, then please tick and write "Not applicable" in the comments box. More information is available from the Information Commissioner's Office. |
| All user devices are subject to anti-virus protections while email services benefit from spam filtering and protection deployed at the corporate gateway | Do all the computers and other devices used across your organisation have antivirus/antimalware software which is kept up to date? | This applies to all servers, desktop computers, laptop computers, and tablets. Note that antivirus software and antimalware software are the same thing - they both perform the same functions. You may need to ask your IT supplier to assist with answering this question. If your organisation does not use any computers or other devices, then tick and write "Not applicable" in the comments box. Further information is available from Digital Care Hub. |
| All user devices are subject to anti-virus protections while email services benefit from spam filtering and protection deployed at the corporate gateway | Number of phishing emails reported by staff per month. | From your service desk system or service, the number of reported phishing emails. |
| Known vulnerabilities are acted on based on advice from NHS England, and lessons are learned from previous incidents and near misses | If you have had a data security incident, was it caused by a known vulnerability? | Provide details of incidents over the reporting period (a year). If no incidents have occurred, state "None". |
| Known vulnerabilities are acted on based on advice from NHS England, and lessons are learned from previous incidents and near misses | Have staff, directors, trustees and volunteers been advised that use of public Wi-Fi for work purposes is unsafe? | Use of public Wi-Fi (e.g. Wi-Fi freely available at cafes, train stations, etc.) or unsecured Wi-Fi (Wi-Fi where no password is required to access it) could be unsafe and lead to unauthorised access to personal data. Staff, directors, trustees and volunteers, if you have them, should be advised of this. If nobody uses mobile devices for work purposes outside your building/offices, then tick and write "Not applicable" in the comments box. |
| Known vulnerabilities are acted on based on advice from NHS England, and lessons are learned from previous incidents and near misses | Have you had any repeat data security incidents within the organisation during the past twelve months? | A repeat incident is defined as an exploitation of the same vulnerability, on the same systems or different ones, that occurs within three calendar months of a previous occurrence. Provide details. |
| Organisations have a defined, planned and communicated response to data security incidents that impact sensitive information or key operational services | Organisations understand the health and care services they provide. | This should cover: i. what their key operational services are; ii. what technologies and services their operational services rely on to remain available and secure; iii. what other dependencies the operational services have (power, cooling, data, people, etc.); iv. the impact of loss of availability of the service. |
| Organisations have a defined, planned and communicated response to data security incidents that impact sensitive information or key operational services | Does your organisation have a business continuity plan that covers data and cyber security? | Your organisation's business continuity plan should cover data and cyber security - for example, what would you do to ensure continuity of service if: you had a power cut; the phone line/internet went down; you were hacked; a computer broke down; the office became unavailable (e.g. through fire). An example business continuity plan is available from Digital Care Hub. |
| Organisations have a defined, planned and communicated response to data security incidents that impact sensitive information or key operational services | You understand the resources and information that will be needed if there is a data security incident, and arrangements are in place to make these resources available. | |
| There is an effective test of the continuity plan and disaster recovery plan for data security incidents | How does your organisation test the data and cyber security aspects of its business continuity plan? | Describe how your organisation tests these aspects of its plan and what the outcome of the exercise was the last time you did this. This should be within the last twelve months. Guidance for testing the data and cyber security aspects of your business continuity plan is available from Digital Care Hub. |
| There is an effective test of the continuity plan and disaster recovery plan for data security incidents | From the business continuity exercise, explain what issues and actions were documented, with the names of actionees listed against each item. | Each action should have an owner and a timescale. |
| You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions | How does your organisation make sure that there are working backups of all important data and information? | It is important to make sure that backups are being done regularly, that they are successful and that they include the right files and systems. Briefly explain how your organisation's backup systems work and how you have tested them. You may need to ask your IT supplier to assist with answering this question. If your organisation does not use any computers or IT systems, write "Not applicable" in the text box. For advice about backups, see Digital Care Hub. |
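The "leave or change roles" row above recommends a periodic audit to confirm that access rights are at the right level, including access to shared email addresses. The script below is an added illustration of such an audit and is not part of the toolkit: it reconciles a constructed HR extract against constructed system-account exports. The field names, the role-to-entitlement matrix and all staff, account and group names are assumptions for illustration; a real audit would read these from the HR system and each application's user export. It reports enabled accounts belonging to leavers, accounts with no HR record, and movers whose groups no longer match their current role, in both directions, since the first row of the table treats rights that are "too low" as incidents too.

```python
"""Periodic joiner/mover/leaver access audit (added example, not toolkit code).

Reconciles an HR extract against exported system accounts. All data below is
constructed; the field names and the entitlement matrix are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    staff_id: str
    role: str                 # current role according to HR
    left_on: Optional[date]   # None = still employed


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    staff_id: str
    enabled: bool
    groups: frozenset         # groups / shared mailboxes the account holds


# Assumed entitlement matrix: (system, role) -> groups that role is allowed to hold.
ENTITLEMENTS = {
    ("care-records", "care worker"): {"records-read"},
    ("care-records", "registered manager"): {"records-read", "records-write", "records-export"},
    ("care-records", "finance"): set(),
    ("email", "care worker"): {"mailbox"},
    ("email", "registered manager"): {"mailbox", "shared-safeguarding"},
    ("email", "finance"): {"mailbox", "shared-invoices"},
}


def reconcile(people, accounts, today):
    """Return a list of (severity, finding) tuples for the reviewer.

    Findings: enabled accounts for leavers, accounts with no HR record (orphans),
    groups beyond the current role's entitlement (mover who kept old access or
    over-provisioning), and groups the current role should have but lacks.
    """
    by_id = {p.staff_id: p for p in people}
    findings = []
    for acct in accounts:
        person = by_id.get(acct.staff_id)
        if person is None:
            findings.append(("high", f"{acct.system}:{acct.username} has no HR record (orphan account)"))
            continue
        if person.left_on is not None and person.left_on <= today:
            if acct.enabled:
                days = (today - person.left_on).days
                findings.append(("high", f"{acct.system}:{acct.username} still enabled {days} days after leaving"))
            continue  # a disabled leaver account needs no further checks
        allowed = ENTITLEMENTS.get((acct.system, person.role), set())
        excess = acct.groups - allowed
        missing = allowed - acct.groups
        if excess:
            findings.append(("medium", f"{acct.system}:{acct.username} ({person.role}) holds groups beyond role: {sorted(excess)}"))
        if missing:
            findings.append(("low", f"{acct.system}:{acct.username} ({person.role}) lacks groups for role: {sorted(missing)}"))
    return findings


# Constructed sample data: an HR extract and two system exports.
PEOPLE = [
    Person("S001", "care worker", None),
    Person("S002", "registered manager", None),
    Person("S003", "finance", date(2024, 3, 31)),   # leaver
    Person("S004", "finance", None),                # moved from registered manager to finance
]
ACCOUNTS = [
    Account("care-records", "alice", "S001", True, frozenset({"records-read"})),
    Account("care-records", "bob", "S002", True, frozenset({"records-read", "records-write", "records-export"})),
    Account("email", "carol", "S003", True, frozenset({"mailbox", "shared-invoices"})),           # leaver still enabled
    Account("care-records", "carol", "S003", False, frozenset({"records-read"})),                  # correctly disabled
    Account("care-records", "dave", "S004", True, frozenset({"records-read", "records-write"})),   # kept old role's access
    Account("email", "dave", "S004", True, frozenset({"mailbox"})),                                 # lacks finance shared mailbox
    Account("email", "svc-old", "S999", True, frozenset({"mailbox"})),                              # no HR record
]


def run_audit(today=date(2024, 4, 30)):
    """Run the reconciliation for the constructed data as of a fixed audit date."""
    return reconcile(PEOPLE, ACCOUNTS, today)


if __name__ == "__main__":
    for severity, text in run_audit():
        print(f"[{severity}] {text}")
```

The output is a review list, not an automatic fix: the findings go to the person responsible for IT (or the IT supplier), and the audit record itself is the evidence for this row. Keeping the entitlement matrix as data makes it easy to extend to further systems.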
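The "repeat data security incidents" row defines a repeat as exploitation of the same vulnerability, on the same or different systems, within three calendar months of a previous occurrence. Because the definition uses calendar months rather than days, a 31 March incident and a 30 June incident are exactly three months apart and count as a repeat. The following is an added example, not toolkit code, that applies the definition to a constructed incident register; the record fields and the vulnerability labels are assumptions, and in practice the labels would come from the root-cause field of your incident reporting tool.

```python
"""Flag repeat incidents under the toolkit's three-calendar-month rule.

Added example, not part of the toolkit. Incident records are constructed and
the field names and vulnerability labels are assumptions.
"""
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Incident:
    ref: str
    occurred: date
    vulnerability: str   # normalised label for the weakness exploited (assumed field)
    system: str


def add_months(d, months):
    """Calendar-month arithmetic that clamps to month end (31 Mar + 3 months = 30 Jun)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def find_repeats(incidents, window_months=3):
    """Return {repeat_ref: earlier_ref} for each incident that repeats an earlier one.

    Incidents are processed in date order. A repeat is matched to the most recent
    earlier occurrence of the same vulnerability within the window, on any system.
    """
    ordered = sorted(incidents, key=lambda i: i.occurred)
    last_seen = {}   # vulnerability -> most recent earlier incident
    repeats = {}
    for inc in ordered:
        prev = last_seen.get(inc.vulnerability)
        if prev is not None and inc.occurred <= add_months(prev.occurred, window_months):
            repeats[inc.ref] = prev.ref
        last_seen[inc.vulnerability] = inc
    return repeats


# Constructed incident register for a twelve-month reporting period.
REGISTER = [
    Incident("INC-01", date(2024, 1, 15), "phishing-credential-capture", "email"),
    Incident("INC-02", date(2024, 3, 31), "unpatched-remote-desktop", "office-server"),
    Incident("INC-03", date(2024, 4, 10), "phishing-credential-capture", "care-records"),  # repeat of INC-01, different system
    Incident("INC-04", date(2024, 6, 30), "unpatched-remote-desktop", "office-server"),    # exactly three months: repeat of INC-02
    Incident("INC-05", date(2024, 7, 1), "unpatched-remote-desktop", "office-server"),     # outside INC-02's window, inside INC-04's
    Incident("INC-06", date(2024, 9, 20), "lost-unencrypted-laptop", "laptop"),
    Incident("INC-07", date(2024, 12, 21), "lost-unencrypted-laptop", "laptop"),          # three months and a day: not a repeat
]


def repeat_report(register=REGISTER):
    """Repeat incidents in the constructed register, keyed by the repeat's reference."""
    return find_repeats(register)


if __name__ == "__main__":
    for repeat_ref, earlier_ref in repeat_report().items():
        print(f"{repeat_ref} repeats {earlier_ref}")
```

Each repeat found this way is the "provide details" material for the row, and the pairing with the earlier incident shows where the lessons-learned action from the first occurrence did not hold.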