Specific Focus: Technical & Supplier Security (Standards 7–10)
| Assertion | Evidence text - Others (Category 3) | Tool tips - Others (Category 3) |
|---|---|---|
| You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions | All emergency contacts are kept securely, in hardcopy and are up-to-date. | Contacts are those needed to enact the business continuity plan that covers data and cyber security. The contacts include phone number as well as email. |
| You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions | Are backups routinely tested to make sure that data and information can be restored? | It is important that your organisation's backups are tested at least annually to make sure data and information can be restored (in the event of equipment breakdown, for example). You may need to ask your IT supplier to assist with answering this question. If your organisation does not use any computers or IT systems, then tick and write "Not applicable" in the comments box. |
| You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions | Are your backups kept separate from your network ('offline'), or in a cloud service designed for this purpose? | Cloud syncing services, such as OneDrive, SharePoint or Google Drive, should not be used as your only backup, and stored backups should not be permanently connected to your network. Further guidance is available from the National Cyber Security Centre. |
| All software and hardware has been surveyed to understand if it is supported and up to date | Does the organisation track and record all end user devices and removable media assets? | For example, you hold an up-to-date list of all your end user devices and removable media. |
| All software and hardware has been surveyed to understand if it is supported and up to date | Are all the IT systems and the software used in your organisation still supported by the manufacturer, or are the risks understood and managed? | Systems and software that are no longer supported by the manufacturer can be unsafe, as they are no longer being updated to protect against viruses, for example. You may need to ask your IT supplier to assist with answering this question. Examples of unsupported software include Windows XP, Windows Vista, Windows 7, Windows 8.1, Java or Windows Server 2008. Windows 11 is supported and is the most up-to-date version of Windows. This question also applies to software systems such as rostering, care planning or electronic medicine administration record (MAR) charts. If your organisation does not use any IT systems or software, then tick and write "Not applicable" in the comments box. For guidance (including information on how to check which software versions you have), see Digital Care Hub. |
| Unsupported software and hardware is categorised and documented, and data security risks are identified and managed | If your answer to 8.1.4 (on IT systems and software being supported by the manufacturer) was that software risks are being managed, please provide a document that summarises the risk of continuing to use each unsupported item, the reasons for doing so and a summary of the action your organisation is taking to minimise the risk. | This is a conscious decision to accept and manage the associated risks of unsupported systems. The document should indicate that your board or management team has formally considered the risks of continuing to use unsupported items and has concluded that the risks are acceptable. If your answer to the previous question was yes, write "Not applicable" in "Enter text describing document location". |
| Supported systems are kept up-to-date with the latest security patches | How often, in days, is automatic patching typically pushed out to remote endpoints? | Remote endpoints are those devices or computers that are not on the core network (such as those used by home or mobile workers). Provide the usual number of days between one wave of remote patching and the next. |
| Supported systems are kept up-to-date with the latest security patches | How does your organisation make sure that the latest software updates are downloaded and installed? | It is important that your organisation's IT system(s) and devices have the latest software and application updates installed. Most software can be set to apply automatic updates when they become available from the manufacturer. You may need to ask your IT supplier to assist with answering this question. If your organisation does not use any IT systems, devices or software, write "Not applicable" in the text box. Further information is available from Digital Care Hub. |
| You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service | Is all your infrastructure protected from common cyber-attacks through secure configuration and patching? | Explain at a summary level. Where it is not possible to apply these measures, explain any mitigations (such as logical separation). |
| You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service | All infrastructure is running operating systems and software packages that are patched regularly and, as a minimum, in vendor support. | Covers software running on computers that are connected to, or capable of connecting to, the Internet. |
| You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service | You maintain a current understanding of the exposure of your hardware and software to publicly known vulnerabilities. | |
| All networking components have had their default passwords changed | Does your organisation make sure that the passwords of all networking components, such as a Wi-Fi router, have been changed from their original passwords? | Networking components include routers, switches, hubs and firewalls at all of your organisation's locations. Your organisation may just have a Wi-Fi router. This does not apply to Wi-Fi routers for people working from home. You may need to ask your IT supplier to assist with answering this question. If your organisation does not have a network or internet access, then tick and write "Not applicable" in the comments box. |
| A penetration test has been scoped and undertaken | The annual IT penetration testing is scoped in negotiation between the Board (or the person with delegated responsibility for data security), the business and the testing team, and includes a vulnerability scan and a check that all networking components have had their default passwords changed to high-strength passwords. | Use the comments field to state the date and outline the scope of the organisation's penetration test, redacting any elements of the scope that are sensitive. The test should have been carried out in the last twelve months. |
| A penetration test has been scoped and undertaken | The person responsible for IT has reviewed the results of the latest penetration testing, with an action plan for its findings. | Provide the action plan (with confirmation of review by the person with delegated responsibility for data security). |
| Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities | All web applications are protected and not susceptible to common security vulnerabilities, such as those described in the Open Web Application Security Project (OWASP) Top Ten. | Confirm that the organisation has a secure software development lifecycle (SSDLC) or equivalent software and code security approach in place, aligned to industry good practice such as OWASP, to reduce the risk of code vulnerabilities or web application vulnerabilities being exploited. If there are no web applications, tick yes and explain in the comments. |
| Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities | The organisation ensures that changes to its authoritative DNS entries can only be made by strongly authenticated and authorised administrators. | |
| Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities | The organisation understands and records all IP ranges in use across the organisation. | This should be reviewed regularly; the reviews can be manual or automatic. |
| Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities | The organisation protects its data in transit (including email) using appropriate technical controls, such as encryption. | TLS, where used, should be well-configured TLS 1.2 or better. |
| Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities | The organisation maintains a register of medical devices connected to its network. | The register should include the vendor, maintenance arrangements and whether network access is given to the supplier or maintainer. |
| You have demonstrable confidence in the effectiveness of the security of your technology, people, and processes relevant to essential services | Security deficiencies uncovered by assurance activities are assessed, prioritised and remedied when necessary in a timely and effective way. | |
| You securely configure the network and information systems that support the delivery of essential services | All devices in your organisation have technical controls that manage the installation of software on the device. | Describe how this is managed across your devices, with details of any exceptions. |
| You securely configure the network and information systems that support the delivery of essential services | Are all laptops, tablets or removable devices that hold or allow access to personal data encrypted? | Mobile computers like laptops and tablets, and removable devices like memory sticks, cards or CDs, are vulnerable as they can be lost or stolen. To make these devices especially difficult to get into, they can be encrypted (this protects information by converting it into unreadable code that cannot be deciphered easily by unauthorised people). Devices can be further protected, for example, by preventing the use of removable devices like memory sticks; this is called computer port control. You may need to ask your IT supplier to assist with answering this question. If your organisation does not use any mobile devices, or equivalent security arrangements are in place, then tick and write "Not applicable" in the comments box. For advice on securing mobile devices, see Digital Care Hub. |
| You securely configure the network and information systems that support the delivery of essential services | You closely and effectively manage changes in your environment, ensuring that network and system configurations are secure and documented. | |
| The organisation is protected by a well-managed firewall | One or more firewalls (or similar network devices) have been installed on all the boundaries of the organisation's internal network(s). | |
| The organisation can name its suppliers, the products and services they deliver and the contract durations | Does your organisation have a list of its suppliers that handle personal information, the products and services they deliver, and their contact details? | Your organisation should have a list or lists of the external suppliers that handle personal information, such as IT or care planning system suppliers, IT support, accountancy, DBS checks, HR and payroll services, showing the system or services provided. If you have no such suppliers, then tick and write "Not applicable" in the comments box. A template example is available from Digital Care Hub. |
| Basic due diligence has been undertaken against each supplier that handles personal information | Do your organisation's IT system suppliers have cyber security certification? | Your organisation should ensure that any supplier of IT systems has cyber security certification, for example external certification such as Cyber Essentials or ISO 27001, being listed on the Digital Marketplace, or completing this Toolkit. An IT systems supplier would include suppliers of systems such as rostering, care planning or electronic medicine administration record (MAR) charts. If your organisation does not use any IT systems, then tick and write "Not applicable" in the comments box. Guidance is available from Digital Care Hub. |
| Basic due diligence has been undertaken against each supplier that handles personal information | Contracts with all third parties that handle personal information are compliant with ICO guidance. | A review of all contracts has been undertaken to ensure that they comply with the requirements set out in Article 28 of the GDPR. If you have no such suppliers, then tick and write "Not applicable" in the comments box. |
| Basic due diligence has been undertaken against each supplier that handles personal information | All suppliers that process or have access to health or care personal confidential information have completed a Data Security and Protection Toolkit, or equivalent. | All suppliers have successfully completed a Data Security and Protection Toolkit, or the organisation has assured itself separately that they reach a similar or higher data security standard. |
| All disputes between the organisation and its suppliers have been recorded and any risks posed to data security have been documented | List of data security incidents (past or present) with current suppliers who handle personal information. | All current ongoing incidents are listed, as are all historical incidents (up to two rolling calendar years). Redact any sensitive information. |