DSPT Standard 9: IT Protection — Compliance Summary
Category: DSPT Evidence Checklist
Platform: gp_booking_app — Multi-tenant GP Booking Platform
Date: 14 May 2026
This page documents all work carried out to satisfy DSPT Standard 9 (IT Protection) requirements. It covers two key evidence requirements:
- Firewalls and boundary protection — network perimeter and application-level multi-tenant isolation
- Software patching — vulnerability scanning, patch automation, and DefectDojo tracking
Firewalls and boundary protection are in place
Evidence: IT supplier statement confirming firewall configuration, or network diagram
| Action | Detail | Status |
| --- | --- | --- |
| Default inbound policy | Deny all | Active |
| Allowed ports | 22 (SSH), 80 (HTTP), 443 (HTTPS) | Active |
| Allowed subnets | 172.16.0.0/12, 172.17.0.0/16, 172.18.0.0/16, 172.20.0.0/16 (Docker) | Active |
| Verification | ufw status verbose confirmed active | ✅ |
| Action | Detail | Status |
| --- | --- | --- |
| Installation | apt-get install fail2ban | Installed |
| SSH jail | Active, monitoring auth logs | Active |
| Verification | fail2ban-client status shows the sshd jail | ✅ |
| Action | Detail | Status |
| --- | --- | --- |
| Setting | DEBUG=True → DEBUG=False in config/secrets/env.production | Applied |
| Verification | settings.DEBUG confirmed False after container restart | ✅ |
| Action | Files Modified | Detail |
| --- | --- | --- |
| Added scoping helper | appointments/views.py | get_practice_scoped_appointments() filters by the StaffRoleRecord → Practice → Clinic chain |
| Updated 4 views | appointments/views.py | AppointmentListView, AppointmentDetailView, AppointmentCancelView, AppointmentResendNotificationView |
| Audit logging | appointments/views.py | _log_practice_boundary_check() logs PRACTICE_BOUNDARY events to AuditLog |
| Action | Files Modified | Detail |
| --- | --- | --- |
| Permission class | dental/api/views.py | BelongsToDentalSector — rejects non-dental roles |
| 6 ViewSets scoped | dental/api/views.py | DentalPractice, DentalProvider, DentalAppointment, DentalClinicalNote, DentalTransaction, DentalRecallRule |
| User-to-practice lookup | dental/api/views.py | get_user_dental_practice() via DentalProvider.user |
| Action | Files Modified | Detail |
| --- | --- | --- |
| Context manager | tenancy/utils.py | with_tenant() — sets the thread-local tenant for Celery and other non-HTTP code |
| Action | Files Modified | Detail |
| --- | --- | --- |
| Reusable mixin | core/mixins.py (extended) | PracticeScopedQuerySetMixin — get_practice_scoped_queryset() with practice_fk_path support |
| Action | Detail | Status |
| --- | --- | --- |
| Review | Compose files only use expose (not ports); external port mappings from other containers are blocked by UFW | Complete |
| Action | Files Modified | Detail |
| --- | --- | --- |
| RBAC violation logging | core/middleware.py | _log_boundary_violation() creates an AuditLog entry with the BOUNDARY_VIOLATION event type |
| Practice boundary logging | appointments/views.py | PRACTICE_BOUNDARY events record the user, practice count and clinic count |
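As an added illustration of the application-level isolation described in the tables above (this is not the project's code from tenancy/utils.py, core/mixins.py or appointments/views.py, which is not reproduced on this page), the stand-alone Python below models the same design: a with_tenant() context manager that pins the tenant in thread-local storage for Celery-style code with no request object, a scoped filter that follows a practice_fk_path to the owning practice, and PRACTICE_BOUNDARY / BOUNDARY_VIOLATION audit events. Django is replaced by plain dicts and an in-memory list; the record shapes, the user names and the rule that an unscoped query is refused rather than returning every tenant's rows are assumptions made for the example.

```python
"""Thread-local tenant scoping with boundary audit events.

Added example modelled on the page's description of with_tenant(),
PracticeScopedQuerySetMixin (practice_fk_path) and the PRACTICE_BOUNDARY /
BOUNDARY_VIOLATION audit events. Not the project's code: no Django, records
are plain dicts, the audit log is an in-memory list (assumptions).
"""
import threading
from contextlib import contextmanager
from datetime import datetime, timezone

_state = threading.local()


def current_practice_ids():
    """Practice ids the current thread is scoped to, or None when unscoped."""
    return getattr(_state, "practice_ids", None)


@contextmanager
def with_tenant(practice_ids):
    """Scope this thread to the given practices for the duration of the block.

    HTTP requests carry the tenant on the request; a background task has no
    request, so the tenant is pinned in thread-local storage and restored on
    exit, including when the task raises, so a later task on the same worker
    thread cannot inherit a stale scope.
    """
    previous = current_practice_ids()
    _state.practice_ids = frozenset(practice_ids)
    try:
        yield _state.practice_ids
    finally:
        _state.practice_ids = previous


AUDIT_LOG = []  # constructed stand-in for the AuditLog model


def _audit(event_type, **fields):
    entry = {"event_type": event_type,
             "at": datetime.now(timezone.utc).isoformat(), **fields}
    AUDIT_LOG.append(entry)
    return entry


def _lookup(record, path):
    """Follow a Django-style double-underscore path, e.g. 'clinic__practice__id'."""
    for key in path.split("__"):
        record = record[key]
    return record


def practice_scoped(records, practice_fk_path, user):
    """Return only records whose practice (via practice_fk_path) is in scope.

    With no tenant scope active, log a BOUNDARY_VIOLATION and refuse: an
    unscoped query must never silently return every tenant's data.
    """
    scope = current_practice_ids()
    if scope is None:
        _audit("BOUNDARY_VIOLATION", user=user, reason="unscoped query",
               fk_path=practice_fk_path)
        raise PermissionError("no tenant scope active")
    allowed = [r for r in records if _lookup(r, practice_fk_path) in scope]
    _audit("PRACTICE_BOUNDARY", user=user, practice_count=len(scope),
           total=len(records), returned=len(allowed))
    return allowed


# Constructed sample data: two practices, three appointments.
APPOINTMENTS = [
    {"id": 1, "clinic": {"id": 10, "practice": {"id": 100}}},
    {"id": 2, "clinic": {"id": 11, "practice": {"id": 100}}},
    {"id": 3, "clinic": {"id": 20, "practice": {"id": 200}}},
]
PATH = "clinic__practice__id"


def demo_two_threads():
    """A worker thread scoped to practice 200 sees only its rows; the main
    thread scoped to practice 100 sees only its own, at the same time."""
    results = {}

    def worker():
        with with_tenant({200}):
            results["worker"] = [a["id"] for a in
                                 practice_scoped(APPOINTMENTS, PATH, "worker")]

    with with_tenant({100}):
        t = threading.Thread(target=worker)
        t.start()
        t.join()
        results["main"] = [a["id"] for a in
                           practice_scoped(APPOINTMENTS, PATH, "alice")]
    return results


def demo_unscoped():
    """Calling the filter outside any with_tenant() block is refused and audited."""
    try:
        practice_scoped(APPOINTMENTS, PATH, "bob")
    except PermissionError:
        return AUDIT_LOG[-1]["event_type"]
    return None


if __name__ == "__main__":
    print(demo_two_threads())   # {'worker': [3], 'main': [1, 2]}
    print(demo_unscoped())      # BOUNDARY_VIOLATION
```

The audit entries here carry the same fields the page lists for PRACTICE_BOUNDARY events (user and counts), which is what makes a boundary check reviewable after the fact: a query that returned more rows than the scope should allow shows up as a mismatch between practice_count and returned.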
- Firewall assessment: /tasks/dspt-firewall-boundary-assessment
- IT supplier statement: /tasks/dspt-evidence-statement (includes network diagram)
Software is kept up to date with security patches
Evidence: Patching schedule or IT supplier confirmation of automatic patching
| Component | Status |
| --- | --- |
| OS | Ubuntu 24.04.4 LTS (Noble) — active LTS support until 2029 |
| unattended-upgrades | Active — daily security patch auto-install |
| Kernel | 6.8.0-107 running, 6.8.0-111 installed (reboot pending) |
| Pending updates | 14 packages (docker-ce, snapd, rsyslog, etc.) |
| Docker images | Varying ages — nginx 1.25 (2 yr), Directus 11.6.1 (13 mo) |
| Vulnerability scanning | Trivy (weekly), Nmap (weekly), results pushed to DefectDojo |
| Patching schedule | ❌ None documented |
| Patching log | ❌ None |
| Detail | Value |
| --- | --- |
| Packages updated | 14 (including docker-ce, docker-buildx, snapd, rsyslog) |
| Docker service | Restarted cleanly |
| Kernel | 6.8.0-111 available — reboot still required |
| Issue | Fix |
| --- | --- |
| Engagements not created | JSON date values in defectdojo_push.sh were missing quotes; quoting fixed |
| Push script response parsing | Updated to handle the JSON response properly |
| Verification | 459 findings imported for the nginx:1.25 scan |
| Component | Detail |
| --- | --- |
| Script | /opt/security-scanner-scripts/patch_monthly.sh |
| Location | /etc/cron.monthly/patch_monthly |
| Dry-run default | Use --apply to install updates, --reboot to schedule a reboot |
| Scans | Trivy filesystem + Docker image scans |
| Reporting | Results pushed to DefectDojo (Product ID 5: VPS Infrastructure) |
| Logging | /var/log/patching/patch_YYYY-MM-DD.log, plus a summary at /var/log/patching/summary.log |
| Image | Action |
| --- | --- |
| ghcr.io/requarks/wiki:latest | Pulled latest |
| redis:7-alpine | Pulled latest |
| postgres:15 | Pulled latest |
- Patching assessment: /tasks/dspt-patching-assessment
- Patching logs: /var/log/patching/
- DefectDojo: https://security.veripath.co.uk (VPS Infrastructure product)
| Type | Schedule | Location | Retention |
| --- | --- | --- | --- |
| PostgreSQL dump | Daily 02:00 | /backups/wiki/wikijs_db_YYYY-MM-DD.sql.gz | 30 days |
| Git sync (Forgejo) | Daily 02:00 | ssh://git@172.20.0.2:2222/matthew/wiki_backup.git | Full history |
| Script | — | /opt/security-scanner-scripts/backup_wiki.sh | — |
| Cron | — | /etc/cron.d/wiki-backup | — |
| Cadence | Scope | Method | Evidence |
| --- | --- | --- | --- |
| Daily | OS security patches | unattended-upgrades (automatic) | /var/log/unattended-upgrades/ |
| Weekly | Vulnerability scan | Trivy + Nmap → DefectDojo | DefectDojo dashboard |
| Monthly | Full OS update | patch_monthly.sh --apply | /var/log/patching/ + DefectDojo |
| Monthly | Reboot check | ls /var/run/reboot-required | Script log |
| Quarterly | Docker image refresh | Pull latest + recreate containers | Audit trail |
| Quarterly | Full review | Document all changes | Wiki page update |
| File | Change |
| --- | --- |
| appointments/views.py | Practice-scoped querysets + boundary audit logging |
| dental/api/views.py | Tenant-scoped DRF views + custom permission |
| core/middleware.py | RBAC boundary violation audit logging |
| core/mixins.py | PracticeScopedQuerySetMixin |
| tenancy/utils.py | with_tenant() Celery context manager |
| config/secrets/env.production | DEBUG=False |
| /opt/security-scanner-scripts/defectdojo_push.sh | Fixed JSON date quoting |
| /opt/security-scanner-scripts/patch_monthly.sh | Monthly patching automation |
| /opt/security-scanner-scripts/backup_wiki.sh | Wiki.js daily backup |
| /etc/cron.monthly/patch_monthly | Monthly cron job |
| /etc/cron.d/wiki-backup | Daily backup cron job |
This document was prepared on 14 May 2026 as part of the DSPT compliance evidence package. All modifications have been tested and verified. Links to supporting wiki pages provide further detail on each area.