ISO Information Security Management Services (Lot 4)

Transcription

1 ISO Information Security Management Services (Lot 4)

2 CONTENTS 1. WHY LEICESTERSHIRE HEALTH INFORMATICS SERVICE? LHIS TECHNICAL ASSURANCE SERVICES SERVICE OVERVIEW EXPERIENCE PRE ISO OUR PEOPLE ORDERING AND INVOICING PROCESS FURTHER INFORMATION... 8 Author: Colin Swift Product Manager colin.swift@leics-his.nhs.uk Prepared for: The Health Informatics Service is provided by Leicestershire Partnership NHS Trust on behalf of the Leicester, Leicestershire and Rutland Health Community Page 2 of 9

3 1. Why Leicestershire Health Informatics Service? Leicestershire Health Informatics Service (LHIS) is hosted by the Leicestershire Partnership NHS Trust. The Trust serves a population of one million people across Leicester, Leicestershire and Rutland and has a budget in excess of 250 million and employs over 5,000 staff in a wide variety of roles. This hosting arrangement provides LHIS with a sound financial and organisation platform from which to operate along sound business practices. LHIS provides a vast range of IT products, services and solutions to its clients. LHIS delivers these solutions nationwide to all sectors of the Healthcare market and beyond including primary care NHS Trusts, Clinical Commissioning Groups (CCG s), Commissioning Support Units (CSU), care homes, hospices and General Practices, Acute Hospital Trusts, arm s length bodies and Any Qualified Providers (AQP s). LHIS has approximately 130 highly qualified IT staff including dedicated teams of project managers, change managers, web developers, application developers, content editors, I.T trainers, service desk analysts, business intelligence and data warehousing staff, network engineers, desktop and enterprise support. As an NHS organisation LHIS has extensive experience of NHS standards, clinical systems security, NHS procedures, information governance and risk management. LHIS has passed its Health Informatics Standards Accreditation (HISA); this has been developed by the HSCIC to allow commissioners of IM&T services within the NHS to build this as a quality standard that they should look for when considering future supply. The LHIS client base has grown through word of mouth recommendations based on LHIS s excellent track record of service and delivery to include non NHS public sector organisations such as Councils, Charities, Schools and Colleges. 2. LHIS Technical Assurance Services LHIS Technical Assurance Services works with a wide range of public and private sector bodies including: Arm s Length Bodies Acute, Mental Health and Community NHS Trusts Blue light services Central Government e.g. The Cabinet Office Clinical Commissioning Groups (CCG s) Commissioning Support Units (CSU s) District and Borough Councils General Practices (GPs) Hospices and other 3 rd Sector organisations Universities, Schools & Academy chains LHIS is accredited under the Cyber Essentials and IASME schemes and is currently working towards CREST membership with a view to being members shortly after the framework commences. Page 3 of 9

4 3. Service overview LHIS ISO services enable organisations to comply with and if required gain ISO27001 certification. The standard has many benefits for organisations moving to Cloud based services or with Cloud services implemented. The controls contained within ISO address data availability, confidentiality, integrity and privacy all areas that need to be addressed with Cloud based services. The development of Risk Management allows the organisation to understand the level of risk to ensure the risk is consummate with the organisational tolerances. LHIS is used to working closely with public sector customers and colleagues to provide contextually appropriate advice and guidance. Our Technical Assurance Services routinely work on-site at customer locations and have regular contact with customers via phone and . In terms of onsite working and support LHIS is based in Leicester which is centrally located to provide support at any UK office location. 4. Experience LHIS has supported large public sector organisations with ISO accreditation. This includes some of the biggest and busiest NHS trusts and public sector organisations in the country. A recent example employs more than 12,000 staff providing a range of services primarily for over one million residents of Leicester, Leicestershire and Rutland. LHIS was selected by the outsourced ICT service provider to provide services to the organisation with its ISO accreditation. This support has been so successful that LHIS has been asked to increase the scope of its support to cover the full ISO framework. On a smaller scale LHIS also has experience of: Development of Information Security Management Systems (ISMS)* Feedback and validation on project deliverables to ensure they align with ISO On-site mini assignments and attendance at meetings as required Providing internal mock audits prior to certification The provision of advice based on previous successful ISO certification assignments Responding to ad-hoc and telephone requests to provide guidance and advice *ISMS are a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure. Page 4 of 9

5 Scope of the service Gap analysis This involves assessing current practice and identifying the gaps and areas of weakness that require attention in order to achieve ISO27001 compliance / certification. Risk assessment for ISO starts with identifying all the information assets within the environment to be certified. Each asset is assessed to determine the worst case impact of a loss of confidentiality. This prioritises the assets to focus the next step of the risk assessment. Risk assessment Threats and vulnerabilities associated with the assets are then identified and documented. The prioritisation form the previous step provides both an order to address the risks in and also provides a measure of the impact of each threat or vulnerability. The probability each threats or vulnerabilities materialising is then established to provide an overall risk score (impact and probability combined). Risk mitigation Once risk assessment is complete risks that are above the organisational tolerances level are then reviewed to establish controls to mitigate the possibility of a risk materialising as an issue. Policy development Organisation policies are a crucial tool for protecting data and systems. LHIS offers a review and development service. This typically includes the following stages: Thorough review of current policies and procedures Identification of gaps or weaknesses. Documentation of remedial action to align with best practice. Reporting of the review process. Staff awareness training LHIS is able to offer staff training to increase organisational understanding and awareness of the ISO standard. The workshops can be tailored to the audience and typically might cover the following areas: Best Practice. Regulations and Legalities. Page 5 of 9

6 Management of Incidents. Risks assessment and management. Security trends. Case studies. Management responsibility. Management briefings Similar to the staff training but aimed at different audience. This service offers briefings at a senior or executive level to provide an outline of the ISO standard and its associated benefits to an organisation. Statement of Applicability SOA Also known as an SOA the statement of applicability is a document which identifies the controls chosen for an environment. The document the goes on to explain how and why they are appropriate. Derived from the risk assessment and mitigation plans. The SOA relates back to the original risks to demonstrate that mitigations are in place to facilitate ISO compliance. LHIS is able to assist in the selection of controls. Routine internal audits of key controls As part of ISO27001 accreditation, there is a requirement to conduct routine internal audits of the key controls. Many organisations have a phased programme of audits over two/three years that cover all controls. LHIS can provide this service as a discrete entity in support of an organisation that has already acquired the accreditation. LHIS performs a ISO mock audit which provides the following benefits: Pre-certification audits to ISO27001 Provides a chance to establish any areas of weakness prior to the full audit. Allows the organisation to understand the audit processes for real. Ensure staff understand what is required in terms of documentation and evidence to support auditing. Page 6 of 9

7 5. Pre ISO LHIS has passed its Cyber essentials and IASME certification which is aimed at SME s. The Cyber Essentials scheme has been set up by the UK Government to help any organisation attain a level of security that should reduce the risk of a malicious attack from the internet. Whilst IASME is essentially a subset or bite sized version of the ISO/IEC standard aimed primarily at SMEs. These certifications are effective first steps towards demonstrating organisational cyber security and can form part of the journey to ISO/IEC certification. LHIS is working towards becoming qualified assessors for both schemes which will mean that LHIS will be authorised to carry out Cyber Essentials and IASME assessments nationwide to support SME customer organisations with their Security and Information Assurance Frameworks. 6. Our people Our ICT Security personnel have a range of qualifications including: ISO Lead Auditor Certified Forensic Investigation Analyst - Distinction NHS Local Security Management Specialist ISEB Information Security Management Distinction EC-Council Computer Hacking Forensic Investigator Prince 2 Foundation Tiger Scheme Qualified Security Team Certified Information Systems Auditor EC-Council Certified Ethical Hacker Microsoft Certified Professional Page 7 of 9

8 Certified Security Testing Professional Degrees in Computer Science Many are also members of professional bodies such as The British Computer Society (BCS). 7. Ordering and invoicing process Call us on option 7 crmteam@leics-his.nhs.uk LHIS will provide assistance with completing the G-Cloud call-off contract, which will include an order form. 8. Further Information If you have any queries, questions, wish to request further information please contact (quoting G-Cloud V enquiry ) as follows crmteam@leics-his.nhs.uk option 7 More LHIS information can also be found at: Page 8 of 9

9 Page 9 of 9