Data Security Standard 1

Personal confidential data

Personal confidential data is only shared for lawful and appropriate purposes. Staff understand how to strike the balance between sharing and protecting information, and expertise is on hand to help them make sensible judgments. Staff are trained in the relevant pieces of legislation and periodically reminded of the consequences to patients and service users, their employer and to themselves of mishandling personal confidential data.

Staff receive annual training on their legal and professional responsibilities when handling data.

Data Security Standard 2

Staff responsibilities

All staff understand what constitutes deliberate, negligent or complacent behaviour and the implications for their employment. They are made aware that their usage of IT systems is logged and attributable to them personally. Insecure behaviours are reported without fear of recrimination and procedures which prompt insecure workarounds are reported, with action taken.

Staff receive annual training on their legal and professional responsibilities when handling data.

All system administrators sign the Charter for System Administrators.

We have an ISO27001 compliant incident process which is actively used by staff and reported without fear of recrimination.

Data Security Standard 3

Staff training

Our fellow colleagues can be the greatest asset in spotting data security and protection issues and incidents. Unfortunately, our colleagues can also be exploited and inadvertently assist a cyber-attack or data breach. The level of impact on the organisation can vary from relatively minor to major, which in turn can have a critical impact on staff, patients, service users and the general public. The impact can be severe whether the issue is around integrity, availability or confidentiality of data.

Training/learning needs analysis - knowing your staff (3.1.1)

Your organisation must assess the level of awareness amongst all staff of key data security and protection issues. You can do this by conducting a training (or learning) needs analysis.

You can carry out a training needs analysis (TNA)/learning needs analysis (LNA) at an organisational level to help your organisation meet its current and future needs, or alternatively you can carry out a TNA in preparation for the implementation of new internal processes, or before the launch of a new training programme.

National training for all staff (3.2.1 - 3.4.2)

The National Data Guardian data security standards, designed to ensure staff are equipped to handle information appropriately and safely according to the Caldicott Principles, are listed below:

  • All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.

  • All staff understand their responsibilities under the National Data Guardian's data security standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.

  • All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised information governance toolkit.

Informatica are an ISO27001 accredited organisation. SOP-C001 - Competence, Awareness and Training describes the processes by which staff competencies are assessed, monitored and managed to ensure they remain competent and qualified.

Staff receive routine and ongoing training to be aware of the risks of cyber attack.

Training needs are assessed and training is managed and delivered through SOP-C001 - Competence, Awareness and Training.

Informatica undertake annual Data Security Awareness training and testing provided by eLearning for Healthcare.

Data Security Standard 4

Managing data access

The principle of ‘least privilege’ is applied, so that users do not have access to data they have no business need to see. Staff do not accumulate system access over time.

User privileges are proactively managed so that there is, as far as is practicable, a forensic trail back to a specific user or user group. Additionally, elevated rights are regularly reviewed to ensure a business need remains. Where necessary, organisations will look to non-technical means of recording IT usage (such as sign-in sheets, CCTV, correlation with other systems and shift rosters).

Informatica are an ISO27001 accredited organisation. POL-G002 - Access Control Policy defines the policies controlling access to systems and information.

Staff are only granted access to the data and functions required by their role as recorded in our Security Memberships Log.

All access requests are reviewed by the Information Security Officer and are limited to the rights necessary to undertake their role.

Activity is audited and the audits are reviewed.

Data Security Standard 5

Process reviews

Past security breaches and near misses must be recorded, and used to inform periodic workshops to identify and manage problem processes. They also allow organisations to learn lessons and prevent future breaches. Workshops should involve looking in detail at where high risk behaviours are most commonly seen, and then considering actions to address these issues. User representation (staff within your organisation who carry out the processes) at these workshops is crucial. It is important that the impact on the user is factored into considerations of how to address these issues, as a solution which is overly taxing could result in a workaround, creating more security risks.

Informatica are an ISO27001 accredited organisation. We have an Incident Management process which records all security breaches (nil) and near misses, and includes evaluation and lessons learnt.

We conduct quarterly reviews of Data Security. The subject of the reviews is determined by the management team and includes:

• Walkthroughs of past incidents or near misses to confirm lessons learnt have been identified and actioned.

• Reviews of new processes to ensure they meet all requirements.

• Tests of high impact events to ensure we are prepared.

Data Security Standard 6

Responding to incidents

All staff are trained in how to report an incident, and appreciation is expressed when incidents are reported. Sitting on an incident, rather than reporting it promptly, faces harsh sanctions.

The Board understands that it's ultimately accountable for the impact of security incidents, and bears the responsibility for making staff aware of their responsibilities to report upwards. Basic safeguards are in place to prevent users from unsafe internet use.

Anti-virus, anti-spam filters and basic firewall protections are deployed to protect users from basic internet-borne threats.

Informatica are an ISO27001 accredited organisation. POL-011 - Incident and Problem Management Policy defines the policies and reporting time limits for incidents and problems.

The following SOPs define the procedures associated with Incident Management:

• SOP-E011 - Incident Management

• SOP-H001 - Service Problem Management

This includes requirements for external reporting to the ICO or MHRA as appropriate.

POL-G007 - Data Protection and Confidentiality Policy states "Informatica staff and sub-contractors' compliance with this policy is mandatory and any breach of this policy may result in disciplinary action up to and including dismissal."

SOP-G006 - Network and Network Services Management, POL-G014 - Management of Technical Vulnerabilities Policy and POL-G018 - Protection from Malware Policy require networks and staff IT to include appropriate technical security measures such as anti-virus, anti-spam filters and firewalls.

Data Security Standard 7

Continuity planning

A business continuity exercise is run every year as a minimum, with guidance and templates available from the toolkit.

Those in key roles will receive dedicated training, so as to make judicious use of the available materials, ensuring that planning is modelled around the needs of their own business.

There should be a clear focus on enabling senior management to make good decisions, and this requires genuine understanding of the topic, as well as the good use of plain English.

We conduct annual Business Continuity tests, with additional testing run as deemed necessary. The subject of the testing is determined by the management team and includes:

• Walkthroughs of past BC events to confirm lessons learnt have been identified and actioned.

• Tests of high impact BC events to ensure we are prepared.

Each service we provide has a documented:

• Business Continuity Recovery Time Objective

• Business Continuity Owner

• Continuity Risk

• Initial Continuity Response

• Continuity Action

• Redundancy

• Recovery Action

Data Security Standard 8

Unsupported systems

Guidance and support is available from NHS Digital to ensure risk owners understand how to prioritise their vulnerabilities.

There is a clear recognition that not all unsupported systems can be upgraded, and that financial and other constraints should drive intelligent discussion around priorities.

Value for money is of utmost importance, as is the need to understand the risks posed by those systems which cannot be upgraded. It’s about demonstrating that analysis has been done and informed decisions were made.

Informatica are an ISO27001 and Cyber Essentials Plus accredited organisation. Systems are routinely updated, with auto-update enforced where available.

Where patches cannot be applied in a timely manner, a risk is raised and the upgrade path is managed using a risk-based approach.

Data Security Standard 9

IT protection

NHS Digital assists risk owners in understanding which national frameworks do what, and which components are intended to achieve which outcomes.

There is a clear understanding that organisations can tackle the NDG Standards in whichever order they choose, and that the emphasis is on progress from their own starting points.

Skyline is built and managed in line with all appropriate NHS and National Standards.

Annual external penetration testing is undertaken by an independent organisation.

Data Security Standard 10

Accountable suppliers

IT suppliers understand their obligations as data processors under the UK General Data Protection Regulation (UK GDPR), and the necessity to educate and inform customers, working with them to combine security and usability in systems.

IT suppliers typically service large numbers of similar organisations and as such represent a large proportion of the overall ‘attack surface’. Consequently, their duty to robust risk management is vital and should be built into contracts as a matter of course.

It's the responsibility of suppliers of all IT systems to ensure their software runs on supported operating systems and is compatible with supported internet browsers and plugins.

Informatica are fully compliant with GDPR and require all suppliers to be GDPR compliant.

All suppliers are reviewed via a risk-based approach prior to services being contracted.

Skyline runs on AWS infrastructure and is assured to work with Chrome and Edge internet browsers.