Data Security Standards

Similar documents
Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

Supporting the NHS to Improve Cyber Security. Presented by Chris Flynn Security Operations Lead NHS Digital s Data Security Centre

Data Security Standard 9 IT protection The bigger picture and how the standard fits in

falanx Cyber ISO 27001: How and why your organisation should get certified

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

HITRUST CSF: One Framework

Why you should adopt the NIST Cybersecurity Framework

BHConsulting. Your trusted cybersecurity partner

Data Protection and GDPR

ENISA s Position on the NIS Directive

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

Data Sheet The PCI DSS

Exploring Emerging Cyber Attest Requirements

SCHOOL SUPPLIERS. What schools should be asking!

Information Security Strategy

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

GDPR Compliance. Clauses

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

ACCREDITATION COMMISSION FOR CONFORMITY ASSESSMENT BODIES

GDPR Update and ENISA guidelines

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

ISO/ IEC (ITSM) Certification Roadmap

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

Procedure for Network and Network-related devices

Information Security Incident

ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Information Technology Branch Organization of Cyber Security Technical Standard

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

SOC for cybersecurity

STANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL?

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

INFORMATION SECURITY AND RISK POLICY

PRIVACY NOTICE VOLUNTEER INFORMATION. Liverpool Women s NHS Foundation Trust

EU General Data Protection Regulation (GDPR) Achieving compliance

BHConsulting. Your trusted cybersecurity partner

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Business Assurance for the 21st Century

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

DETAILED POLICY STATEMENT

GENERAL PRIVACY POLICY

ISO/IEC ISO/IEC White Paper

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

Google Cloud & the General Data Protection Regulation (GDPR)

Cybersecurity in Higher Ed

IQ Level 4 Award in Understanding the External Quality Assurance of Assessment Processes and Practice (QCF) Specification

10 Considerations for a Cloud Procurement. March 2017

NYDFS Cybersecurity Regulations

Altius IT Policy Collection Compliance and Standards Matrix

A Regulator s Perspective on Accountability and How to Incentivise It

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

Economic and Social Council

An Overview of ISO/IEC family of Information Security Management System Standards

Position Description. Engagement Manager UNCLASSIFIED. Outreach & Engagement Information Assurance and Cyber Security Directorate.

Cyber Risks in the Boardroom Conference

Manchester Metropolitan University Information Security Strategy

ACCREDITATION COMMISSION FOR CONFORMITY ASSESSMENT BODIES

WELCOME ISO/IEC 27001:2017 Information Briefing

INFORMATION SECURITY & ISO 27001

The Role of the Data Protection Officer

POSITION DESCRIPTION

Aligning Your Organization s Business Units to Achieve a Cohesive Cybersecurity Strategy

Protecting vital data with NIST Framework

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

American Association for Laboratory Accreditation

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

SECURITY & PRIVACY DOCUMENTATION

Information Security Risk Strategies. By

SWIFT Customer Security Programme

Ontario Energy Board Cyber Security Framework

01.0 Policy Responsibilities and Oversight

Integrating ITIL and COBIT 5 to optimize IT Process and service delivery. Johan Muliadi Kerta

TRULY INDEPENDENT CYBER SECURITY SPECIALISTS. Cyber Major

General Data Protection Regulation (GDPR)

SWIFT Customer Security Controls Framework and self-attestation via The KYC Registry Security Attestation Application FAQ

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

VOLUNTARY CERTIFICATION SCHEME FOR MEDICINAL PLANT PRODUCE REQUIREMENTS FOR CERTIFICATION BODIES

PRIVACY NOTICE. Privacy notice. What personal data we collect and the Legal Basis. Who are we? The personal data we would collect from/process on you

Cyber Security Strategy

INFORMATION TECHNOLOGY SECURITY POLICY

2. The Information we collect and how we use it: Individuals and Organisations: We collect and process personal data from individuals and organisation

Cloud Security Standards and Guidelines

What is BS 7799? BS 7799 is the most influential, globally recognised standard for information security management.

Cybersecurity. Securely enabling transformation and change

HSCIC Audit of Data Sharing Activities:

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

Wolfpack Cyber Academy Training Catalogue

PS Mailing Services Ltd Data Protection Policy May 2018

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Credit Card Data Compromise: Incident Response Plan

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

WHO-ITU National ehealth Strategy Toolkit

HCPC's Risk Assurance Part 1

Pathways CIC Privacy Policy. Date Issued: May Date to be Reviewed: May Issued by Yvonne Clarke

IDENTITY ASSURANCE PRINCIPLES

Transcription:

Data Security Standards Overall guide The bigger picture of where the standards fit in 2018 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.

Overall Guide Contents Overview 3 The Standards 4 What are they? 4 The assertions and evidence 6 The Data Security and Protection Toolkit 8 Frameworks 9 ISO 27001 10 ISO 9001 11 Public Services Network (PSN) Compliance 13 Other frameworks 14 Appendix 1-15 Left Blank 15 Appendix 2-16 Useful resources 16 Appendix 3 18 Data security reports 18 Copyright 2017 Health and Social Care Information Centre. 2

Overall Guide Overview The National Data Guardian s (NDG) Data Security Standards are intended to apply to every organisation handling health and social care information, although the way that they apply will vary according to the type and size of organisation. For example, GPs may want support from their system suppliers to identify and respond to cyber alerts in the first instance, and many social care organisations will want that from their Local Authority. Commissioners should take account of the standards when commissioning services. Leaders of all health and social care organisations should commit to the following data security standards. They should demonstrate this through audit or objective assurance and ensure that audit enables inspection by the relevant regulator. Primary Care Secondary Care Commissioners National Bodies Copyright 2017 Health and Social Care Information Centre. 3

Overall Guide The Standards What are they? The National Data Guardian s Review of Data Security, Consent and Opt-Outs has set out ten data security standards clustered under three leadership obligations to address people, process and technology issues: Leadership Obligation 1: People: ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles. 1. All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes 2. All staff understand their responsibilities under the National Data Guardian s s, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches. 3. All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit. Leadership Obligation 2: Process: ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses. 4. Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals. 5. Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security. 6. Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection. 7. A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management. Leadership Obligation 3: Technology: ensure technology is secure and up-to-date. 8. No unsupported operating systems, software or internet browsers are used within the IT estate. Copyright 2017 Health and Social Care Information Centre. 4

Overall Guide 9. A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually. 10. IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian s Data Security Standards. Copyright 2017 Health and Social Care Information Centre. 5

Overall Guide The assertions and evidence The assertions sit under each standard and represent a specific theme related to that standard. Evidence items sit under assertions and represent specific pieces of evidence that would be an indicator of maturity in that area. For example: Data Standard 9 IT protection A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually Assertion 9.4 A data security improvement plan has been put in place on the basis of the assessment and has been approved by the SIRO. Two of the evidence items What are your top three data security and protection risks? Evidence that your board, or equivalent, has discussed your top three data security and protection risks and what is being done about them, in the last twelve months? In this example, standard 9 has multiple assertions, of which 9.4 is concerned with senior ownership and the two evidence items are concerned with identifying your top three data security and protection risks and presenting them to a high-level body. The standards and assertions are not as prescriptive as the predecessor standard contained within the information governance toolkit. In this example, to present the top three risks you would have to have the following in place: a method of capturing your risks a method of analysing your risks a method of ranking your risks a method of management and treatment of those identified risks your high-level body is engaged with data security and protection a plan to check act methodology for continuous improvement on risk issues. Copyright 2017 Health and Social Care Information Centre. 6

Overall Guide Unlike the previous information governance standard, the new standards, assertions and evidence are not intended to be a complete framework for data security and protection. The standards, assertions and evidence items are not intended to be a complete framework to manage data security and protection. They represent indicators of good practise and maturity. NHS Digital Ideally, the evidence items should fall out from your existing management arrangements. If you find yourself creating evidence just to comply with the standard, you are probably doing the wrong thing. Sometimes under the old regime, organisations created policies, processes, procedures and minutes that existed just as evidence, not connected to reality and not used to drive forward improvement. So, it is important that the frameworks you use encompass the new standards and are not separate. This guide sets out some of the frameworks that can help you. Copyright 2017 Health and Social Care Information Centre. 7

Overall Guide The Data Security and Protection Toolkit The Data Security and Protection (DSP) Toolkit is an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian s ten data security standards. It has been updated and improved to be more userfriendly and accessible. The DSP Toolkit will retain the general principle that organisations should demonstrate that they can be trusted with the confidentiality and security of personal information. It will also support the key requirements under the General Data Protection Regulation (GDPR), as identified in the NHS GDPR Checklist. The standards, assertions and evidence items are all contained within the DSP Toolkit, range of assertions changes dependant on your organisation type and circumstances of your processing. Copyright 2017 Health and Social Care Information Centre. 8

Overall Guide Frameworks There are many industry frameworks that may help with your data security and protection responsibilities. Some are general and some target specific areas. Even the most extensive (such as ISO 27001) will not cover all your security and protection responsibility. Not any one industry framework will cover all your data security and protection responsibilities NHS Digital The frameworks examined are: ISO 27001 ISO 9001 Cyber Essentials / Cyber Essentials + Public Services Network (PSN) Compliance other frameworks. Copyright 2017 Health and Social Care Information Centre. 9

Overall Guide ISO 27001 The ISO/IEC: 27000 series of standards are recognised internationally as an effective and comprehensive standard. Most organisations using this standard seek accreditation of their implementation as a means of demonstrating to customers, stakeholders, regulators and others that information security has been independently assessed and validated. However, having an in-date scoped certification that covers your health and care processing means you will have equiveillance with certain assertion and evidence. The diagram below offers a high-level view of equiveillance coverage and with the DSP Toolkit you are required to complete fewer items. Warning: If your certification covers your IT department and you process health and care social beyond that, you will not have coverage NHS Digital See the detailed coverage guide here 1. Personal confidential data 2. Understanding your responsibilities 3. Training 4. Managing data access 5. Process reviews 6. Responding to incidents 7. Continuity Planning 8. Managing unsupported systems 9. IT protection 10. Accountable suppliers Red little = little / no coverage Amber = Some coverage Green = Significant Coverage Copyright 2017 Health and Social Care Information Centre. 10

Overall Guide ISO 9001 The ISO/IEC: 9000 series addresses various aspects of quality management and contains some of ISO s best-known standards. The standards provide guidance and tools for companies and organisations which want to ensure that their products and services consistently meet customers requirements, and that quality is consistently improved. This standard is not data security or protection centred out-of-the-box, as it is designed to produce a quality management system. However, your quality management system could encompass a security management framework. As this standard implementation is bespoke and dependent on your defined quality management system, mapping to the data security standards is not possible. However, a quality management system in tandem with security standards should produce a wealth of evidence due to the documentary nature of the standard. ISO 9001 can also be useful in plugging the gaps from other standards to encompass the whole of the data security standards as a wrapper. Copyright 2017 Health and Social Care Information Centre. 11

Overall Guide Cyber Essentials / Cyber Essentials + Under this scheme, which is backed by Government and supported by industry, organisations can apply for certification, which recognises the achievement of governmentendorsed standards of cyber hygiene. There are two levels of certification: Cyber Essentials Badge Cyber Essentials organisations complete a self-assessment questionnaire and the responses are reviewed by an external certifying body. Cyber Essentials Plus Badge Cyber Essentials Plus tests of the organisation s systems are carried out by an external certifying body. Cyber Essentials plus will give you equivalence under the DSP Toolkit NHS Digital See the detailed coverage guide here 1. Personal confidential data 2. Understanding your responsibilities 3. Training 4. Managing data access 5. Process reviews 6. Responding to incidents 7. Continuity Planning 8. Managing unsupported systems 9. IT protection 10. Accountable suppliers Red little = little / no coverage Amber = Some coverage Green = Significant Coverage Copyright 2017 Health and Social Care Information Centre. 12

Overall Guide Public Services Network (PSN) Compliance The PSN is the government s high-performance network, which helps public sector organisations work together, reduce duplication and share resources. PSN compliance is a way to report your security arrangements. It is how you demonstrate to central government that your organisation s security arrangements, policies and controls are sufficiently rigorous for us to allow you to interact with the PSN and those connected to it. Generally, most of the organisation subject to PSN compliance interacting with the health and care system will be local authorities. The method to demonstrate assurance is through a Public Services Network (PSN) connection compliance certificate. A valid in date PSN connection compliance certificate is required to claim equivalence with the DSP Toolkit NHS Digital See the detailed coverage guide here 1. Personal confidential data 2. Understanding your responsibilities 3. Training 4. Managing data access 5. Process reviews 6. Responding to incidents 7. Continuity Planning 8. Managing unsupported systems 9. IT protection 10. Accountable suppliers Red little = little / no coverage Amber = Some coverage Green = Significant Coverage Copyright 2017 Health and Social Care Information Centre. 13

Overall Guide Other frameworks There are a range of other frameworks that can be used support to support a data security and protection assurance. These range from security centric ones, such as NIST SP 800 Series or Cybersecurity framework to the more general ISACA s Cobit Methodology. There is compliance framework around the payment card industry (PCI) and companies dealing with the US government with Sarbanes Oxley compliance. US based healthcare suppliers my claim HIPPA and Hitech compliance. All this framework and legislation compliance (mostly US) produces incredibly useful evidence but there is no direct equivalent to the data security standards. Copyright 2017 Health and Social Care Information Centre. 14

Overall Guide Appendix 1 - Left Blank Copyright 2017 Health and Social Care Information Centre. 15

Overall Guide Appendix 2 - Useful resources ISO/IEC 27000 family - Information security management systems: International Organisation for Standardisation A description and link to the ISO 27000 family of standards https://www.iso.org/isoiec-27001-information-security.html ISO 9000 - Quality management: International Organisation for Standardisation The ISO 9000 family addresses various aspects of quality management and contains some of ISO s best-known standards. The standards provide guidance and tools for companies and organizations who want to ensure that their products and services consistently meet customer s requirements, and that quality is consistently improved. https://www.iso.org/iso-9001-quality-management.html Cyber Essentials : National Cyber Security Centre Cyber Essentials helps you to guard against the most common cyber threats and demonstrate your commitment to cyber security https://www.cyberessentials.ncsc.gov.uk/ Public Services Network (PSN): Government Digital Service The PSN is the government s high-performance network, which helps public sector organisations work together, reduce duplication and share resources. https://www.gov.uk/government/groups/public-services-network Cybersecurity Framework: National Institute of Standards and Technology U.S. Dept of Commerce A US federal framework directed from an executive order Improving Critical Infrastructure Cybersecurity. https://www.nist.gov/framework Copyright 2017 Health and Social Care Information Centre. 16

Overall Guide NIST 800 Series: National Institute of Standards and Technology U.S. Dept of Commerce The NIST 800 Series is a set of documents that describe United States federal government computer security policies, procedures and guidelines. https://www.nist.gov/ COBIT: ISACA The COBIT 5 framework for the governance and management of enterprise IT is a leadingedge business optimisation and growth roadmap that leverages proven practices, global thought leadership and ground-breaking tools to inspire IT innovation and fuel business success. http://www.isaca.org/cobit/pages/default.aspx Payment Card Industry (PCI): The PCI Security Standards Council The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. https://www.pcisecuritystandards.org/ Sarbanes Oxley The Laws That Govern the Securities Industry: U.S. Securities and Exchange Commission Guide to the Sarbanes-Oxley Act of 2002 (US). https://www.sec.gov/answers/about-lawsshtml.html#sox2002 HIPPA (US) Health Information Privacy: U.S. Department of Health and Human Resources Guide to HIPPA rules and compliance. https://www.hhs.gov/hipaa/index.html HITECH Act: U.S. Department of Health and Human Resources US healthcare act to promote the adoption and meaningful use of health information technology. https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interimfinal-rule/index.html Copyright 2017 Health and Social Care Information Centre. 17

Overall Guide Appendix 3 Data security reports The National Data Guardian review Recommendations to improve security of health and care information and ensure people can make informed choices about how their data is used. Review of Data Security, Consent and Opt-Outs The government response Your Data: Better Security, Better Choice, Better Care is the government s response to: the National Data Guardian for Health and Care s Review of Data Security, Consent and Opt-Outs ; the public consultation on that review; the Care Quality Commission s Review Safe Data, Safe Care. It sets out that the government accepts the recommendations in both the National Data Guardian review and the Care Quality Commission review. It also reflects on what we heard through consultation to set out immediate and longer-term action for implementation. Your Data: Better Security, Better Choice, Better Care Copyright 2017 Health and Social Care Information Centre. 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback