Yorkshire and Humber Care Record is committed to protecting the data and systems for which it is responsible. In order to measure the effectiveness of the controls and measures in place, Yorkshire and Humber Care Record tests against a wide range of security and data governance standards. These include:
- NHS – Data Security and Privacy Toolkit
- Cyber Essentials
- IASME Information Governance standards
- NCSC – Cyber Assurance Framework (CAF)
- NCSC – Cloud Security Principles
- NIST – Cyber Security Framework
- Internal Vulnerability Testing
- Automated External Vulnerability Testing
- CREST Accredited Pen Testing
In practice these are all interlinked and provide an efficient way of measuring the full data protection lifecycle.
NIST – Cyber Security Framework
If we look at the foundation of most standards, the NIST Cyber Security Framework provides an internationally recognised measurement tool.
This methodology is broken down into five key areas:
- Identify – The first phase is to understand what systems and services you have: assets, data, contracts, third parties, people, data flows, etc. Think of it as a stock check. Conducting a routine discovery exercise will undoubtedly uncover new or test systems, and these of course also need to be considered as potential attack points for hackers or breaches.
- Protect – Each system or service needs to be protected in some way, but not necessarily equally. There are systems that contain critical or sensitive data, and others that provide public information (e.g. websites). In this phase careful consideration must be given to providing the right level of protection in the right place. This not only provides value for money, but also ensures that the most critical ‘assets’ receive the most protection. Protecting a system extends beyond anti-malware and firewalls, for example, and includes who can access it, and to what level (classed as Access Control).
- Detect – Protecting a system or service does not guarantee that it will remain safe. It’s important to know when problems or attacks take place. Therefore, when implementing protection, it is just as important to implement monitoring and alerting.
- Respond – Consideration must now be given to what happens if an attack or breach took place: what actions should be taken, in what order, and by whom? Who needs to be legally informed? Alerts and notifications must be routinely reviewed to account for changes, such as staff role changes.
- Recover – If the worst did happen, how can the systems or services be brought back into operation, and in which order? This can take account of geographical areas, e.g. datacentres, forensic teams, sourcing new equipment, etc. Recovery can involve many third parties, all of which need to be synchronised within limited time frames.
NHS Data Security and Protection Toolkit
The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
IASME Information Governance standards & Cyber Essentials
IASME Governance certification is aligned to the Government’s Ten Steps to Cyber Security and includes Cyber Essentials certification as well as controls around people and processes. It also covers the General Data Protection Regulation (GDPR) requirements. IASME Governance is aligned to a similar set of controls to ISO 27001 but is more affordable and achievable for small and medium-sized organisations to implement.
The Cyber Essentials Scheme is a Government scheme that helps organisations to guard against the most common cyber threats from the internet and demonstrate commitment to cyber security. It covers five main technical controls which will protect companies against an estimated 80% of common internet threats. The controls are:
- Secure your Internet connection (Firewalls and routers)
- Secure your devices and software (Secure configuration)
- Control access to your data and services (Access control)
- Protect from viruses and other malware (Malware protection)
- Keep your devices and software up to date (Software updates)
NCSC – Cyber Assurance Framework (CAF)
The CAF collection is aimed at helping an organisation achieve and demonstrate an appropriate level of cyber resilience in relation to certain specified essential functions performed by that organisation.
Further information can be found here: https://www.ncsc.gov.uk/collection/caf/introduction
NCSC – Cloud Security Principles
Further information can be found here: https://www.ncsc.gov.uk/collection/cloud-security
Penetration Testing and Vulnerability Assessment
Yorkshire and Humber Care Record conducts a robust routine of vulnerability scanning and penetration testing across all of its service offerings. This is achieved through a diverse and mixed testing portfolio ranging from in-house automated testing and manual in-house testing to external third-party testing. Results from these tests are then fed into the Continual Service Improvement cycle in order to maintain appropriate industry-standard security controls.