Data Access Request Service

Transcription

1 Data Access Request Service Guidance Notes on Security Version: 3.6 Date: 12/11/ Copyright 2015, Health and Social Care Information Centre.

2 Introduction This security guidance is for organisations applying for data from the Health and Social Care Information Centre (HSCIC). It provides advice on how to supply the data security information we need to process your application. Visit the HSCIC website for copies of this guidance, the data application form and a completed application example at If you have an enquiry, or would like to give us feedback on the application form, guidance or web pages, call or enquiries@hscic.gov.uk (putting DARS application in the subject field). Minimum requirements Key to good data security is having a system with multi-layered security using differing tools and techniques. That way, if one level is compromised, then others are in place to prevent further damage. It s important to remember that no one single product can be 100 per cent secure. The following guidance, standards and tools should be used to aid the development of security policies and processes: Information Governance (IG) Toolkit application and score 1 ISO 27001/2 Security Policy Information Commissioner s Office (ICO) 2 Code of Practice Data Sharing Agreements Information Commissioner s Office (ICO) Data Protection Act compliance and registration NHS Code of Practice 3 on Confidentiality Evidencing your application To support your application to the HSCIC for data you need to supply evidence of your processes and procedures for security. This can be one of the following: IG Toolkit score Or ISO certification And System Level Security Policy (SLSP) Please note that we will verify the references from IG Toolkit scores and ISO certifications. To provide SLSP evidence you need to supply a report on how your area/department will administer, secure, handle and use the requested data. You can also reference your corporate policies Copyright 2015, Health and Social Care Information Centre.

3 An SLSP report must include: heading, author, date and version number details of who created, revised and approved index to any sub-sections glossary any additional information to support your application When referring to Policies and Procedures, please reference by document name, page number and section. Elaboration on the technical controls in place to enforce your policies and procedures A Network Topology Diagram Security evidence We will be looking at your data policies and procedures for evidence of the following: Policies Physical Security Anti-Virus and Anti-Malware Intrusion Defence Access Controls Employee Awareness and Training Segmentation Information Governance policies Data Disposals Policy Multi pass wiping, degaussing, physical destruction Password Policy complex construction with duration <= 90 days Mobile Computing Policy full encryption to AES 256 Acceptable Use Policy Compliance Policy Appropriate legislation compliance Software Management Policy System Management Policy User Management policy Network Management Policy Information Handling Policy Physical Security Policy Data Protection Policy Appropriate ICO registration Remote Access policy Back and Recovery Policy Encryption of data at rest and in backup Incident Response Policy Virtual Private Network (VPN) type and level of encryption Policy Guest Access Wireless Policy Third Party Connection Policy Network Security Policy Encryption Policy type and levels of encryptions employed Confidential Data Policy Data Classification Policy Retention Policy / Records Management Policy Outsourcing Policy Network Topology 3 Copyright 2015, Health and Social Care Information Centre.

4 Physical security Data on your systems should be protected against break-ins that could mean equipment containing confidential, sensitive or personally identifiable data is stolen. Servers should be in a separate room with secure lockable doors using access codes or entry combination/cards. Back-up devices should be encrypted, never left unattended and should be locked away when not in use. Desktop and mobile devices should be fully encrypted and locked down to prevent unauthorised access. Anti-virus and anti-malware Your network should be regularly scanned by up-to-date anti-virus and/or anti-malware products to detect and prevent threats. Intrusion defence You should be using a well-configured ITSEC E3 or Common Criteria EAL4 compliant firewall to help prevent any breaches and stop them penetrating your network. Your servers and workstations should have up-to-date operating systems, be patched to manufacturers recommendations and not be de-supported in the lifetime of the agreement. A schematic of your network, workstation and peripherals should be evidenced in your application. Access controls Access to your systems should be restricted to users and sources you trust. All users must have their own username and password and these must never be shared. Hackers, cyber criminals and casual users should be prevented from accessing your Wi-Fi network and workstations by strong passwords, limited login attempts and enforced regular password changes. Passwords and other access should be cancelled as soon as a staff member leaves the organisation or if they are absent for a long period. Employee and user awareness and training Users need to be trained to recognise system threats, such as phishing s, malware and unauthorised use. Users at all levels need to be aware of what their roles and responsibilities are. Segmentation Your network components should be separate, and access between them limited, in order to prevent or limit data breaches. For example, web servers should be separate from main file servers so that any attacks on your website cannot access your central data store. Policies Well-written data policies should be integrated into your business processes. Policies should enable you to investigate, mitigate and address risks in a consistent manner. Device hardening All unused software and services should be removed from your devices. Any default passwords used by applications software or hardware should be changed as this is a wellknown route for cyber-attacks and hackers. 4 Copyright 2015, Health and Social Care Information Centre.

5 General guidance Data on the move Many data security breaches arise from the theft or loss of laptops, mobile phones or USBs. The same level of security should therefore be applied to devices being used away from the office as those used in the office. Personal data must not be stored on mobile devices unless by exceptional circumstance and has been authorised by your organisation with a business case to do so. In any event, any data held on a mobile device must be secured by using data encryption (minimum AES 256) so that it cannot be accessed by unauthorised persons and must only be held temporarily on the device. You should also consider the security of data being sent by or post. Protection You should use encryption (minimum AES 256) to make sure data can only be accessed by authorised users. Typically, this means a password is required to unlock the data. Your encryption should include: full disk encryption so that all data is encrypted file encryption so that individual files can be encrypted an encryption password that is a mix of upper and lower case, numbers and special characters (i.e. #, &,!) and is kept secret (where possible) password protection should be used to stop people making changes to data You should only transfer personal data to mobile devices as a temporary measure if you actually need it and remove it when you have finished in line with your data deletion and disposal policy. Some mobile devices can be disabled or wiped remotely. If they re stolen this means you can send a signal to locate and, if necessary, securely delete all data. You will need to pre-register for this service. Always make sure you know exactly what protection you are applying to your data. Security software Computer equipment and software needs to be regularly maintained in order to keep it running smoothly and to fix any security vulnerabilities. Security software, such as anti-virus and anti-malware, needs to be regularly updated so that it continues to provide adequate protection. Attacks can go unnoticed and many people only find out they have been attacked when it is too late. To maintain data security effectively you need to ensure the following: security software is kept switched on and monitoring the files it should be software is updated regularly (most can be set to do this automatically) security software messages, control logs and other reporting systems are checked regularly 5 Copyright 2015, Health and Social Care Information Centre.

6 check what software or services are running on your network and identify if there is something there which should not be run regular vulnerability scans and penetration tests to scan your systems for known vulnerabilities and address them Review, update, mitigate Make sure you re correctly using your security systems and that people can spot when there is a problem. Make sure users and/or employees are aware of their roles and responsibilities and clear when action needs to be taken. You should also put in place plans for a data breach. To help make sure you re using your security correctly: review what personal data you currently have and what protection you have in place make sure you are compliant with any industry guidance and legal requirements document the controls you have in place and identify where you need to make improvements once any improvements are in place, continue to monitor the controls and update them where necessary consider the risks for each type of personal data you hold and how you would manage a data breach, so you can reduce the impact have an acceptable-use policy and training materials in place for staff so they know their data protection responsibilities get a security expert to review your systems and highlight where your security vulnerabilities are and how best to address them make regular encrypted back-ups, keep them secure and delete them properly when no longer required, in line with your disposals policy Third parties If you outsource IT systems to a third party you should make sure they treat your data with the same level of security as you do. To check the security of third party suppliers: ask for a security audit of the systems containing your data to identify and address any vulnerability review copies of their security assessments if appropriate, visit their premises to make sure they re as you would expect check that contracts are in writing and require your supplier to act only on your instructions and comply with certain obligations of the Data Protection Act 6 Copyright 2015, Health and Social Care Information Centre.

7 make sure you have a contract for any data to be erased and equipment disposed of, or recycled, that you receive a notice of certification for destruction that complies with your policy and that this is done adequately (you may be held responsible) ensure that you are aware and can provide evidence of the location of the processing servers, the location of any backups and evidence of any cross border data transfers that may take place Confirm and evidence their certifications if available. o CESG G-Cloud IL4 o ISO 27001:2013 o ISO 27001:2013 o ISO 27018: Copyright 2015, Health and Social Care Information Centre.