Log in to Skyline

10 National Data Guardian (NDG) standards for data security

 

 

 

 

 

 

Data Security Standard 1

Personal confidential data

Personal confidential data is only shared for lawful and appropriate purposes. Staff understand how to strike the balance between sharing and protecting information, and expertise is on hand to help them make sensible judgments. Staff are trained in the relevant pieces of legislation and periodically reminded of the consequences to patients and service users, their employer and to themselves of mishandling personal confidential data.

Staff receive annual training on their legal and professional responsibilities when handling data.

Data Security Standard 2

Staff responsibilities

All staff understand what constitutes deliberate, negligent or complacent behaviour and the implications for their employment. They are made aware that their usage of IT systems is logged and attributable to them personally. Insecure behaviours are reported without fear of recrimination and procedures which prompt insecure workarounds are reported, with action taken.

Staff receive annual training on their legal and professional responsibilities when handling data.

All system administrators sign the Charter for System Administrators

We have an ISO27001 compliant incident process which is actively used by staff and reported without fear of recrimination.

Data Security Standard 3

Staff training

Our fellow colleagues can be the greatest asset in spotting data security and protection issues and incidents. Unfortunately, our colleagues can also be exploited and inadvertently assist a cyber-attack or data breach. The level of impact on the organisation can vary from relatively minor to major, which in turn can have a critical impact on staff, patients, service users and the general public. The impact can be severe whether the issue is around integrity, availability or confidentiality of data.

Informatica are an ISO27001 accredited organisation. SOP-C001 - Competence, Awareness and Training describes the processes by which staff competencies are assessed, monitored and managed to ensure they remain competent and qualified.

Staff receive routine and ongoing training to be aware of the risks of cyber attack.

Training needs are assessed and training is managed and delivered through SOP-C001 - Competence, Awareness and Training.

Informatica undertake annual Data Security Awareness training and testing provided by eLearning for Healthcare.

Data Security Standard 4

Managing data access

The principle of ‘least privilege’ is applied, so that users do not have access to data they have no business need to see. Staff do not accumulate system access over time.

User privileges are proactively managed so that there is, as far as is practicable, a forensic trail back to a specific user or user group. Additionally, elevated rights are regularly reviewed to ensure a business need remains.

Informatica are an ISO27001 accredited organisation. POL-G002 - Access Control Policy defines the policies controlling access to systems and information.

Staff are only granted access to the data and functions required by their role as recorded in our Security Memberships Log.

All access requests are reviewed by the Information Security Officer and are limited to the rights necessary to undertake their role.

Activity is audited and the audits are reviewed.

Data Security Standard 5

Process reviews

Past security breaches and near misses must be recorded, and used to inform periodic workshops to identify and manage problem processes. They also allow organisations to learn lessons and prevent future breaches.

Informatica are an ISO27001 accredited organisation. We have an Incident Management process which records all security breaches (nil) or near misses and includes evaluation and lessons learnt.

We conduct quarterly reviews of Data Security . The subject of the reviews is determined by the management team and includes:

  • Walkthroughs of past incidents or near misses to confirm lessons learnt have been identified and actioned.

  • Reviews of new processes to ensure they meet all requirements.

  • Tests of high impact events to ensure we are prepared.

Data Security Standard 6

Responding to incidents

All staff are trained in how to report an incident, and appreciation is expressed when incidents are reported. Sitting on an incident, rather than reporting it promptly, faces harsh sanctions.

The Board understands that it's ultimately accountable for the impact of security incidents, and bears the responsibility for making staff aware of their responsibilities to report upwards. Basic safeguards are in place to prevent users from unsafe internet use.

Anti-virus, anti-spam filters and basic firewall protections are deployed to protect users from basic internet-borne threats.

Informatica are an ISO27001 accredited organisation. POL-011 - Incident and Problem Management Policy defines the Policies and reporting time limits for Incidents and problems.

The following SOP define the procedures associated with Incident Management

  • SOP-E011 - Incident Management

  • SOP-H001 - Service Problem Management

This includes requirements for external reporting to the ICO or MHRA as appropriate.

POL-G007 - Data Protection and Confidentiality Policy states "Informatica staff and sub-contractors compliance with this policy is mandatory and any breach of this policy may result in disciplinary action up to and including dismissal. "

SOP-G006 - Network and Network Services Management, POL-G014 - Management of Technical Vulnerabilities Policy and POL-G018 - Protection from Malware Policy require networks and staff IT to include appropriate technical security measures such as Anti-virus, anti-spam filters and firewalls.

Data Security Standard 7

Continuity planning

A business continuity exercise is run every year as a minimum, with guidance and templates available from the toolkit.

Those in key roles will receive dedicated training, so as to make judicious use of the available materials, ensuring that planning is modelled around the needs of their own business.

We conduct annual Business Continuity tests, with additional testing run as deemed necessary. The subject of the testing is determined by the management team and includes:

  • Walkthroughs of past BC events to confirm lessons learnt have been identified and actioned.

  • Tests of high impact BC events to ensure we are prepared.

Each service we provide has a documented

  • Business Continuity Recovery Time Objective

  • Business Continuity Owner

  • Continuity Risk

  • Initial Continuity Response

  • Continuity Action

  • Redundancy

  • Recovery Action

Data Security Standard 8

unsupported systems

Guidance and support is available from NHS Digital to ensure risk owners understand how to prioritise their vulnerabilities.  

There is a clear recognition that not all unsupported systems can be upgraded, and that financial and other constraints should drive intelligent discussion around priorities.

Value for money is of utmost importance, as is the need to understand the risks posed by those systems which cannot be upgraded. It’s about demonstrating that analysis has been done and informed decisions were made.

Informatica are an ISO27001 and Cyber Essentials Plus accredited organisation. Systems are routinely updated, with auto-update enforced where available.

Where patches can not be applied in a timely manner then a risk is raised and the upgrade path is managed on a risk based approach.

Data Security Standard 9

IT protection

NHS Digital assists risk owners in understanding which national frameworks do what, and which components are intended to achieve which outcomes.

There is a clear understanding that organisations can tackle the NDG Standards in whichever order they choose, and that the emphasis is on progress from their own starting points.

Skyline is built and managed in line with all appropriate NHS and National Standards.

Annual external penetration testing is undertaken by an independent organisation.

Data Security Standard 10

Accountable suppliers

IT suppliers understand their obligations as data processors under the UK General Data Protection Regulation (UK GDPR), and the necessity to educate and inform customers, working with them to combine security and usability in systems. 

IT suppliers typically service large numbers of similar organisations and as such represent a large proportion of the overall ‘attack surface’. Consequently, their duty to robust risk management is vital and should be built into contracts as a matter of course. 

It's the responsibility of suppliers of all IT systems to ensure their software runs on supported operating systems and is compatible with supported internet browsers and plugins.

Informatica are fully compliant with GDPR and require all suppliers to be GDPR compliant.

All suppliers are reviewed via a risk based approach prior to services being contracted.

Skyline runs on AWS infrasturcture and is assured to work with Chrome and Edge internet browsers.

Skyline is designed and developed by Informatica