NHS Fife. 2015/16 Audit Computer Service Review Follow Up


NHS Fife 2015/16 Audit Computer Service Review Follow Up Prepared for NHS Fife April 2016

Audit Scotland is a statutory body set up in April 2000 under the Public Finance and Accountability (Scotland) Act 2000. We help the Auditor General for Scotland and the Accounts Commission check that organisations spending public money use it properly, efficiently and effectively.

Contents

Introduction ... 4
Background ... 4
Audit scope and objectives ... 4
Risk identification ... 4
Overall conclusions ... 4
Management Action ... 4
Acknowledgements ... 5
Findings ... 6
Appendix A - Action Plan ... 7

Introduction

Background

1. As part of our 2014/15 audit we carried out a computer service review in which we considered whether NHS Fife has an adequate control framework to manage the computer service and the systems and infrastructure providing support to the user departments. We reported our findings from the review in June 2015. As part of our 2015/16 audit we have followed up the action taken following the 2014/15 report.

Audit scope and objectives

2. Audit Scotland's Code of Audit Practice requires us to assess the systems of internal control put in place by management, and it is good practice to follow up on our findings. In carrying out these follow-up reviews, we seek to gain assurance that NHS Fife has made progress in implementing actions aimed at reducing the board's risk exposure.

Risk identification

3. Risk exists in all organisations which are committed to continuous improvement and, inevitably, is higher in those undergoing significant change. The objective is to be risk aware, with sound processes of risk management in place, rather than to adopt risk-averse strategies.

4. This follow-up review has focused on measuring the progress made on the risks identified at that time and not necessarily, therefore, on all the risk areas that may exist. It remains the responsibility of management to determine the extent of risk control appropriate to NHS Fife. We would stress, however, that an effective internal control system is an essential part of the efficient management of any organisation.

Overall conclusions

5. Management has addressed three of the four areas identified in the action plan. Although work had been done on the fourth area, service level agreements, the actions taken have not addressed the risk relating to appropriate ehealth service provision highlighted in our previous report.

Management Action

6. Progress against each of the agreed actions is detailed in Appendix A to this report. One outstanding action remains from last year, and the planned action, responsibilities and timescales for action in response to the identified risk exposure have been provided by management.

Acknowledgements

7. The contents of this report have been discussed with the ehealth ICT Manager to confirm factual accuracy. The assistance and co-operation we received during the course of our audit is gratefully acknowledged.

Findings

8. The 2014/15 Computer Services Review highlighted four areas of risk relating to:
- service level agreements
- development and maintenance of skills
- ehealth funding
- disaster recovery testing.

9. Although the board has made progress in improving its ehealth service levels to above the target levels specified in the service level agreements, it has not formally considered whether the service levels defined in the service level agreement are appropriate to support the front line services. Since the ehealth service levels were defined in 2013, the board's front line service delivery reliance on technology has increased substantially, and this reliance will continue to grow with the local implementation of the ehealth strategy. The risk remains that the ehealth service provision may be insufficient to support front line services. Refer to the updated action plan, no. 1.

10. Progress has been made in relation to the remaining three areas as follows:
- development and maintenance of skills: we are pleased to note that the ICT staff have been trained in project management and ICT service management and support.
- ehealth funding: the board has raised the non-recurring nature of ICT funding with the Scottish Government Health Department and, although this has not changed, continues with its local ehealth plan implementation.
- disaster recovery testing: the ehealth department has now conducted a disaster recovery test and scheduled further such exercises.

Appendix A - Action Plan

Each action is set out under the headings used in the original plan: Issue, Risk & Recommendation; Management Response & Proposed Action; Progress and status as at April 2016; Updated action plan.

No. 1

Issue, Risk & Recommendation:
Defined service levels are not appropriate to support the level of dependence and reliance that the board places on its ehealth services.
Risk: The ehealth service provision may be insufficient to support front line services.
Recommendation: The board should refresh its service level agreements with due consideration to the level of dependence and reliance on the service at present and the further changes planned for the future.

Management Response & Proposed Action:
Refresh of SLAs ongoing.
Alan Young, ICT Manager. March 2016

Progress and status as at April 2016:
Service levels reported for both ehealth GP support and ehealth general service support show improvement over the six months to February 2016 and have brought the incident resolution rate to above the 80% target from December 2015 for GP support and from August 2015 for general service support. The ehealth department has combined the GP support team with the general support team to create a single support team for the board. The team leaders and support teams now focus on improving the performance. Management intends to further improve service delivery by strengthening the server support team by August 2016. However, the board has not formally considered whether the service levels defined in the service level agreement are appropriate to support the front line services as the board's reliance on technology for its front line service delivery increases.

Updated action plan:
Update on proposed action: ICT Management carried out an SLA situation report in March 2015. This report made a similar recommendation, but a decision was made to focus on improving performance against the current SLAs and continue the rollout of Windows 7 to frontline services. A review will take place in March 2017 when Windows 7 is fully embedded.
Responsible officer: Allan Young
Action date: March 2017

No. 2

Issue, Risk & Recommendation:
The skills and expertise required to deliver the ehealth service have not been defined.
Risk: Key skills required to deliver the ehealth service might not be available, which could impact on the range and effectiveness of the ehealth service.
Recommendation: The board should formally define the skills required to provide its ehealth service, match these to the skills available within the department and develop a resourcing strategy to fill any identified gaps.

Management Response & Proposed Action:
Each Senior Manager will ensure skills are in place for their respective strands. This will be delivered at an individual level / department level but will contribute to the Directorate training plan. Prince 2 was treated "globally" as it was a recognised gap identified collectively by senior management within ehealth.
William Edwards, Head of ehealth. December 2015

Progress and status as at April 2016:
The key skills gaps identified were in service management and project delivery, and 21 ehealth staff members attended project management training. 23 members of staff attended service management training, with 16 obtaining formal certificates recognising that they have mastered the training material at foundation level. The focus on project delivery has contributed to the completion of projects that were in the implementation phase for a long time.

Updated action plan:
Complete.

No. 3

Issue, Risk & Recommendation:
The board relies on non-recurring funding for the provision of ehealth services. Non-recurring funding is currently available until 2017.
Risk: The ehealth service may not be sustainable without recurring funding.
Recommendation: The board should ensure that its ehealth service is fully supported by recurring funding and that non-recurring funding is used solely for the development of new services.

Management Response & Proposed Action:
NHS Fife recognises the non-recurring status of our annual ehealth funding allocation. Discussions have taken place with the Scottish Government ehealth Directorate to transfer this to recurring funding. We will continue to try and rectify this.
Chris Bowring, Director of Finance. Ongoing

Progress and status as at April 2016:
Board management has raised the non-recurring nature of funding with the Scottish Government Health Department and has gained a better understanding of the board's ehealth budget, which has enabled it to continue with the local ehealth plan implementation.

Updated action plan:
Complete.

No. 4

Issue, Risk & Recommendation:
The ehealth department has tested its disaster recovery procedures in the past, but a schedule to ensure frequent and comprehensive testing is not in place.
Risk: Staff may not be fully conversant with recovery procedures, or procedures might have become outdated.
Recommendation: Disaster recovery procedures should be tested on a rotational basis that ensures that all aspects are included, the procedures are effective and staff are fully conversant with the procedures and can implement them in a variety of disaster scenarios.

Management Response & Proposed Action:
We will develop a plan for a disaster recovery testing programme, with a view to having one scenario/test per year.
William Edwards, Head of ehealth / Alan Young, ICT Manager. November 2015

Progress and status as at April 2016:
A 'desktop based' network test was conducted in January 2016, and a further exercise is planned during the first half of 2016 to comply with the ISO 27001 certification.

Updated action plan:
Complete (subject to further ISO 27001 exercise).
