Data Security Standard 9 IT protection The bigger picture and how the standard fits in

Transcription

1 Data Security Standard 9 IT protection The bigger picture and how the standard fits in 2018 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.

2 Contents Overview 3 Network components 4 Definition and scope 4 Password complexity 5 Remote locations 5 Managed estates 5 OWASP top 10 vulnerabilities 6 Penetration testing 7 Definition 7 Scoping the test 7 Commercially sourced or in house or partner 8 Selecting a commercial organisation 9 Active / passive 9 Know your boundaries 10 CareCert security assessments 10 Alerting interested parties 10 Risks 11 Data security plan 12 An improving picture 12 SIRO involvement 12 Frameworks that can help 14 Cyber Essentials / + 14 Scope 14 ISO What is an ISMS? 15 Assurance framework 15 Certification to ISO/IEC Appendix 1-17 Table of Data Security Level 8 Assertions 17 Appendix 2-19 Useful resources 19 Appendix 3 20 The National Data Guardian Reports 20 Copyright 2017 Health and Social Care Information Centre. 2

3 Overview The NDG s review data standard 9 states that: A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually. NHS Digital assists risk owners in understanding which national frameworks do what, and which components are intended to achieve which outcomes. There is a clear understanding that organisations can tackle the NDG Standards in whichever order they choose, and that the emphasis is on progress from their own starting points. Copyright 2017 Health and Social Care Information Centre. 3

4 Network components Definition and scope Networking components are physical devices which are required for communication and interaction between devices on a computer network they include (but are not limited to): firewalls switches and hubs bridges routers wireless access devices. Out of the box network devices may ship with same username and password for that specific type of device or even be the same for all that providers devices. Consequently, the login details are available on the internet and this makes the devices very vulnerable to misuse. All network components need to have their default passwords changed. It should be noted that some network components (particularly those provided by internet service providers for home or small business use) can have a unique username and password out of the box. So, it can be acceptable to not change those ISP provided devices, subject to confirmation and the device itself not having a label attached in a public setting with the login details. Similarly, to scanning software in Data Standard 8 big picture guide, it is important to know the boundaries of your estate and not go beyond them and attempt to change a password on a device not managed by your organisation. Data security incidents, such as the May 2017 global ransomware attack which affected NHS services, as well as other public services and private companies in many other countries, have highlighted the potential for cyberattacks to disrupt services by having a direct impact on the availability of care for patients and service users. Your Data: Better Security, Better Choice, Better Care Government Response All networking components have had their default passwords changed. Data Security Standard 9.1 Copyright 2017 Health and Social Care Information Centre. 4

5 Password complexity The type of password used for changing a default network component, should as minimum follow the following: a minimum of eight characters long not contain a dictionary word of more than four characters contain at least two uppercase letters contain at least two lower case letters contain at least two numbers contain at least two special characters or non-alphanumeric characters, such as:! $ % & tip: try to use phrases to help make a complex, secure password: Number 27 bus stops at my Street can become N27bs@mS by using the first letter of each word. Remote locations Where your organisation has remote locations, it will generally fall into one of the categories below: a) your organisation manages the whole remote site network infrastructure b) another organisation (such as the main organisation at the remote site) manages the network infrastructure. For scenario a) you are responsible for changing the network components default password. For scenario b) you will require co-operation with the remote site organisation, assurance from them that the password, i.e. the equipment is covered in their toolkit. Managed estates Where your organisation network infrastructure is managed by another party you will require a degree of cooperation with your supplier. Generally, it will be expected that your supplier changes the default passwords. The third party would then provide confirmation that this has taken place. Copyright 2017 Health and Social Care Information Centre. 5

6 OWASP Top 10 vulnerabilities The primary aim of the Open Web Application Security Project (OWASP) Top 10 is to educate developers, designers, architects, managers, and organisations about the consequences of the most common and most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high-risk problem areas and provides guidance on where to go from here. The Top 10n list is revisited and renewed over time. OWASP publish a number of release candidates until they have a final release. For example, at the time of writing, there have been two release candidate versions (RC) of the OWASP Top , however the last official OWASP Top 10 release was Only the official release of this Top 10 should be followed as part of the toolkit. Web applications owned by the organisation are secured against OWASP Top 10 vulnerabilities. Data Security Standard 9.2 The OWASP Top 10 is quite technical and will require liaising with your web site developers to assure compliance. You will also need to ensure that all your web servers or sites are covered by a penetration test. Copyright 2017 Health and Social Care Information Centre. 6

7 Penetration testing Definition There a few definitions of what constitutes a penetration test and the difference between it and vulnerability scanning. The differences are mostly around intent with vulnerability scanning producing a list of items requiring updating or patching and penetration testing having a defined goal, e.g. getting access to a share or an elevated account etc. Many of tools available on the internet market most are completely legitimate, however some can be utilised for less legitimate purpose for cybercrime. Ensure you have sufficient capability before downloading and using any tools. Consider a penetration test like a dental check-up which occurs at least annually and vulnerability scanning like cleaning your teeth which should occur more often. For the data standard, the terms are interchangeable. Scoping the test A penetration test should be undertaken (at least annually). The penetration test must include the following elements: all webservers the organisation utilises checking that the default password of network components has been changed. There is an expectation that the penetration test would cover all the organisation critical network structure such as server farms. All organisations receive a penetration test annually, whether commercially sourced or in-house. The scope of the pen-test is articulated to the SIRO and signed by them. Data Security Standard 9.3 Copyright 2017 Health and Social Care Information Centre. 7

8 Commercially sourced or in house or partner The options are to either to: outsource to commercial specialist alternatively, if you have the relevant capability and capacity o perform in house o partner buddy up with another care organisation and perform each other tests. Advantages Commercial Independent Cost With right supplier more, experience and expertise. Reduced burden on existing staff Disadvantages Lack of knowledge of your network and dependencies In-house Cheaper Requires inhouse staff to have capabilities and capacity Health and care partner Knowledge of network and decencies Independent Cheaper Understanding dependencies on health and care systems Lack of segregation of duties Cost of tools and upkeep. Sole responsibility Network knowledge would generally may not be site specific. Requires both parties to have a similar level of capability and capacity. Copyright 2017 Health and Social Care Information Centre. 8

9 Selecting a commercial organisation Although we do not endorse any supplier there are several indicators that may assist your choice. CREST UK Approved Member Company CREST or Tiger Scheme, qualified testers and / or CHECK Team Leaders ISO and / or 9001 certified A Digital Marketplace seller (see Appendix 2). Active / passive Penetration testing can have a varying degree of aggression between active and passive (or combinations). Active penertration exploiting vulnerabilities for a goal Producing a list of vulnernabilities for assets Copyright 2017 Health and Social Care Information Centre. 9

10 Know your boundaries Understand the boundaries of your digital estate and do not over step them. Boundaries can occur at many levels you may such as multiple network and tenancy in a single building, between your local network and HSCN and between wide area networks on the same estate. Ultimately, you should know where your responsibilities end and another organisation s begin. Consequently, you shouldn t scan or try to update assets that are beyond your boundary. Under no circumstances should you scan over HSCN without consulting NHS Digital prior to doing so. Some vulnerability scanners (dependent on how aggressively or passively they are being used) can cause a false positive by being indistinguishable from a cyber-attack, with the same tools being used by hackers. CareCert security assessments If your organisation has received a data security onsite assessment within the fiscal year, this may count as the penetration test or contribute towards it. The security assessment should include the two mandatory items (webservers and default password network components). If it does not include the mandatory elements, it is acceptable to have a commercial / inhouse / partner penetration test to just cover these elements, provided the SIRO signs off the scope of the data security onsite assessment. Alerting interested parties Prior to any test there should be sufficient time to inform interested parties of the test. Interested parties include (but not limited to): system managers / information asset owners service desk(s) server and network teams third parties who support systems / networks. Copyright 2017 Health and Social Care Information Centre. 10

11 Risks There are a couple of general risks involved in undertaking a test: a) The test may be mistaken for the reconnaissance or delivery stage of a cyber attack. As many of the tools and techniques used for penetration testing are the same ones as used by hackers. This can be mitigated by informing all the interested parties and knowing and keeping to your boundaries. b) The test may have an adverse effect on the asset(s) being scanned. Depending on the aggressiveness of the test and the vintage of the asset, could result in an adverse effect (such as service unavailability requiring a reboot). Copyright 2017 Health and Social Care Information Centre. 11

12 Data security plan An improving picture Testing should be viewed as a continuous cycle of improvement following a PDCA (Plan Do Check Act) model. Remediation Scope a penertration test SIRO Reviews Results SIRO approves scope Date planned & stakeholders informed. SIRO involvement The SIRO should be an active role in the process. They need to approve the scope of any penetration testing including OWASP tests and once complete and the actions from the penetration testing are complete or ongoing (with reasons for non-completion including OWASP). A data security improvement plan has been put in place on the basis of the assessment and has been approved by the SIRO. Data Security Standard 9.4 Copyright 2017 Health and Social Care Information Centre. 12

13 What are your top data security and protection risks? As part of your improvement plan, you should holistically analysis what are your top risks are, as well as the underlying causes for them. For example, a risk of not being able to recruit and retain data security and protection staff. The underlying cause may be issues with a lower salary range in a large urban conurbation, with a number of nearby large private enterprises paying significantly more. Another example may be an inability to replace all legacy unsupported operating systems. This may be caused by complications with some being classified as medical devices, an IT estate not fully controlled by one group, or a lack resources either financial or staff. Whatever your Top three risks are, they should be discussed by the leaders of your organisation and improvements planned. Evidence that your board has discussed your top three data security and protection risks and what is being done about them? Data Security Standard Copyright 2017 Health and Social Care Information Centre. 13

14 Frameworks that can help There are several frameworks that help in both achieving and demonstrating a managed data security plan most notably Cyber Essentials, Cyber Essentials + and ISO Cyber Essentials / PLUS Scope The Cyber Essentials Scheme covers the basics of cyber security in an organisation s enterprise or corporate IT system. Implementation of these controls can significantly reduce the risk of prevalent but unskilled cyber-attack. For many organisations, especially those with significant information assets or who are exposed to a wider range of threats, Cyber Essentials will become a practical component of a wider ranging cyber security posture for example, as described in the Government s 10 Steps to Cyber Security and Cyber Security: what small businesses need to know. The Scheme Requirements document focuses on internet-originated attacks against an organisation s IT system. Many organisations will have particular additional services, e.g. web applications, that will require additional and specific controls beyond those provided by Cyber Essentials. Cyber Essentials concentrates on five key controls. These are: 1. Boundary firewalls and internet gateways - these are devices designed to prevent unauthorised access to or from private networks, but good setup of these devices either in hardware or software form is important for them to be fully effective. 2. Secure configuration ensuring that systems are configured in the most secure way for the needs of the organisation. 3. Access control ensuring only those who should have access to systems to have access and at the appropriate level. 4. Malware protection ensuring that virus and malware protection is installed and is it up to date. Copyright 2017 Health and Social Care Information Centre. 14

15 5. Patch management ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor been applied. Assurance framework As stories of organisations exposing customers information to cyber threats continue to create headlines in the media, it is becoming increasingly important for organisations to not only maintain a robust cyber security stance but also demonstrate this to clients. The assurance framework is designed to provide a simple means for third parties to distinguish between organisations that are implementing basic cyber security controls from those that are not. This can be used in a number of ways: an organisation may undergo certification to mark them out from their competitors; they may require certification from partners where contractual relationships expose them to wider cyber risk (for example where information is shared); and insurers, investors and auditors may take certification into account when assessing an organisation s risk profile. The two levels of certification, Cyber Essentials, and Cyber Essentials PLUS, are set out in the diagram. ISO The ISO/IEC is part of a family of standards helps organisations keep information assets secure. Using this family of standards will help your organisation manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. ISO/IEC is the best-known standard in the family providing requirements for an information security management system (ISMS). What is an ISMS? An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure. Copyright 2017 Health and Social Care Information Centre. 15

16 Certification to ISO/IEC Like other ISO management system standards, certification to ISO/IEC is possible but not obligatory. Some organisations choose to implement the standard in order to benefit from the best practice it contains while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed. ISO does not perform certification. Copyright 2017 Health and Social Care Information Centre. 16

17 Appendix 1 - Table of Data Security Level 8 Assertions Assertion Applicable Sub assertion Evidence 9.1 All networking components have had their default passwords changed. 9.2 Web applications owned by the organisation are secured against OWASP Top 10 vulnerabilities. 9.3 All organisations receive a penetration test annually, whether commercially sourced or inhouse. The scope of the pen-test is articulated to the SIRO and signed. 9.4 A data security improvement plan has been put in place on the basis of the assessment and has been approved by the SIRO. Large Small GP Large Small Large Small Large Small GP The Head of IT, or equivalent role, confirms all networking components have had their default passwords changed A penetration test has been conducted in the last 12 months, which confirmed that all networking components have had their default passwords changed A penetration test has been conducted in the last 12 months, which confirmed web applications were not vulnerable to the Open Web Application Security Project (OWASP) Top 10 vulnerabilities The SIRO or equivalent senior role has reviewed the results of latest penetration testing, with action plan against outstanding OWASP findings The annual IT penetration testing is scoped in negotiation between the business and the testing team and uploaded The SIRO confirms the scope of the annual IT penetration testing is adequate, and that actions from the previous penetration testing are complete or ongoing (with reasons for noncompletion) The date the penetration test was undertaken The SIRO or equivalent senior role confirms the organisation has a data security improvement plan What are your top three data security and protection risks? Evidence that your board has discussed your top three data security and protection risks and what is being done about them? Copyright 2017 Health and Social Care Information Centre. 17

18 9.4.4 Date for full implementation of the data security improvement plan SIRO has agreed actions have been completed. Copyright 2017 Health and Social Care Information Centre. 18

19 Appendix 2 - Useful resources Network security guidance for health and care organisations: NHS Digital good practice guide Guidance for organisations on putting in place proper network security to ensure that networks and the systems and data on them are protected. Penetration Testing: National Cyber Security Centre Advice on how to get the most from penetration testing: Passwords guidance for health and care organisations: NHS Digital good practice guide Guidance on using passwords to make sure data and systems are protected from unauthorised access. Vulnerability management: National Cyber Security Centre Guidance to help organisations assess and prioritise vulnerabilities. Vulnerability Scanning: NHS Digital good practice guide A guide to use of vulnerability scanners: Copyright 2017 Health and Social Care Information Centre. 19

20 Appendix 3 The National Data Guardian Reports The NDG Report Recommendations to improve security of health and care information and ensure people can make informed choices about how their data is used. Review of Data Security, Consent and Opt-Outs The government response Your Data: Better Security, Better Choice, Better Care is the government s response to: the National Data Guardian for Health and Care s Review of Data Security, Consent and Opt-Outs the public consultation on that review the Care Quality Commission s Review Safe Data, Safe Care. It sets out that the government accepts the recommendations in both the National Data Guardian review and the Care Quality Commission review. It also reflects on what we heard through consultation to set out immediate and longer-term action for implementation. Your Data: Better Security, Better Choice, Better Care Copyright 2017 Health and Social Care Information Centre. 20