Secure Email Requirement Submission




Title: Secure Email Requirement Submission
Document ID: ISB 1596 Amd 34/2012
Director: Mark Reynolds
Status: Final
Owner: Jon Calpin
Version: 1.1
Author: Mark Reynolds
Version Date: 03/12/2012

Secure Email Requirement Submission

Open Government Licence 2012

Amendment History:
Version  Date        Amendment History
1.0      09/11/2012  Initial Release
1.1      03/12/2012  Incorporated comments from appraisers

Approvals:
Name          Title / Responsibility                Date        Version
Chris Wilber  Technical Director                    09/11/2012  V1.0
James Wood    NHS CFH Head of Information Security  25/10/2012  V0.1

Related Documents: These documents will provide additional information.
Ref no  Doc Reference Number  Title                                                         Version
1                             NHSmail 2 Privacy Impact Assessment                           1.1
2                             NHSmail 2 Communications and Stakeholder Engagement Strategy  1.1

Glossary of Terms:
Term                              Acronym  Definition
Risk Potential Assessment         RPA
Information Commissioner's Office ICO
CESG                              CESG     CESG protects the vital interests of the UK by providing policy and assistance on the security of communications and electronic data, working in partnership with industry and academia. It is the UK Government's National Technical Authority for Information Assurance (IA).

Contents
1 Summary
2 Introduction
  2.1 Purpose
  2.2 Mandate
  2.3 Customer Need
3 Requirements
  3.1 Scope
  3.2 Requirements
  3.3 Related Standards
4 Supporting Information
  4.1 Value for Money Proposition
  4.2 Evidence of Consultation
  4.3 Implementation Strategy
  4.4 Maintenance Strategy
  4.5 Risks and Issues
5 Products
  5.1 Provided
  5.2 Not Provided

1 Summary

Standard
Standard Number: ISB 1596
Title: Secure Email
Type: Operational
Description: This standard defines the minimum non-functional requirements for a secure email service, covering the storage and transmission of email. This is the basic level for the storage and transmission of patient identifiable data by an email system. It excludes security standards for document archives.
Applies to: Health, public health and social care organisations. Email service providers.

Release
Release Number: Amd 34/2012
Title: Initial Standard
Implementation Completion Date: 30th June 2016

2 Introduction

2.1 Purpose
This standard will establish the minimum requirements for email systems in health and care. The intention is not to impose significant requirements on organisations but instead to establish the minimum acceptable level. An appropriate set of controls / requirements will be created in collaboration with the suppliers, implementers and customers, rather than being dictatorially specified and mandated from the centre. Where possible they will refer to Government and international standards (e.g. ISO 27001). The current and future NHSmail services will either meet or exceed these requirements. They will offer a way of conforming to the standard.

2.2 Mandate
The information standard has sponsorship from:
Role               Name             Job Title
SRO                Dr Simon Eccles  Medical Director, DH Informatics Directorate
Business Sponsor   Bill McAvoy      Transition Director, Patients and Intelligence, NHS Commissioning Board
Technical Sponsor  Alex Abbott      NHS CB Chief Technology Officer

The project brief for the NHSmail 2 project, which includes the development of the information standard, has been approved by the Informatics Directorate Portfolio Board and a portfolio number has been assigned.

2.3 Customer Need
Health and care email is now a rich source of patient/service user information. There is a clear need to ensure that it is held securely and used appropriately. The Power of Information paragraph 3.51 specifies (our bold text):

    All e-mail communication about our care must be appropriately secure and protected. Work will continue to improve access to and use of NHSmail within the NHS, and social enterprises and other qualified providers of care services, as part of their commissioning contracts with the NHS, will be given access to a limited number of NHSmail accounts. Similar incentives for social care will be made available that make the process and cost of connecting social care providers, local authorities and other care providers via secure electronic communication easier, cheaper and less bureaucratic.

The standard will ensure that health, public health and adult social care organisations have a recognisable baseline which they can conform to.

3 Requirements

3.1 Scope
The standard will define how email systems used for sensitive data (e.g. patient identifiable data) should manage:
  - The information security of the email service.
  - Transfer of sensitive information over non-secure channels.
  - Accessing information from the Internet or mobile devices.
  - Exchange of information outside the controlled boundary of the secure email system:
      o to other email systems compliant with this standard.
      o to other email systems not compliant with this standard.

Care will be taken to ensure that the requirements are tied to specific legal and policy requirements to stop the standard becoming a wish list.

3.2 Requirements
ISB 0086 Information Governance Toolkit has a series of requirements that all health and care organisations must meet, with the information security requirements being particularly applicable. The standard will specify how health and care email systems MUST, SHOULD and MAY conform to these requirements. Of particular note are:

Num     Description
10-300  The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation's assessed needs
10-305  Operating and application information systems (under the organisation's control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems
10-308  All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers
10-313  Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely
10-314  Policy and procedures ensure that mobile computing and teleworking are secure
10-323  All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures

The standard will give specifics to each of these requirements for email systems.

3.3 Related Standards
Reference               Title
ISB 0086                Information Governance Toolkit
ISO/IEC 27001           Information Security Management Systems
BS ISO/IEC 27002:2005   IT. Security Techniques. Code of practice for information security management
                        HMG Impact Assessment Standards
                        CIO Council Offshoring Position

4 Supporting Information

4.1 Value for Money Proposition
This standard is predicated on defining the minimum requirements that any email system must comply with to meet policy and legislation for the security of patient identifiable data. It's therefore a necessary cost. The standard offers value for money by ensuring that email services are not over-engineered due to a lack of clarity on how to meet the Information Governance requirements. Implementation of the standard avoids the costs of not complying, for example Information Commissioner's Office (ICO) fines. The development and issuance of the standard is part of the wider NHSmail 2 investment. The Strategic Outline Case for the investment is expected to have DH Information Directorate approval by the end of November.

4.2 Evidence of Consultation
The requirements of the Information Governance Toolkit are already well known, and the underlying standards and good practice guides are in wide use. The standard itself will be published at draft stage for consultation.

4.3 Implementation Strategy
At the full stage an assessment will be made of which health and care organisations already meet the standard. This will inform the implementation approach. Once approved, the standard will be communicated to health and care organisations through the normal information standards routes. Health and care organisations will need to ensure that when they renew their email service they comply with this standard. They can do this by specifying the requirements to their supplier or by moving to NHSmail or NHSmail 2. They can also do this by selecting a supplier from other procurement vehicles, such as the G-Cloud catalogue, that meets or exceeds the standard. Health and care organisations and their IT suppliers shall self-certify to this information standard. This shall normally be through the production of an internal assessment, which then provides evidence to support the wider IG Toolkit submission. Where an international or national standard is referenced (e.g. ISO 27001) the information standard will identify the assurance regime for it. Support shall be offered by the NHSmail 2 project and Technology Office information security team through well-established channels.

4.4 Maintenance Strategy
The standard will be maintained by the NHSmail operations team, who will by approval reside within the Health and Social Care Information Centre. The standard will be reviewed in accordance with the normal information standards review cycle and updated if the underlying policy and legislative drivers for securing information, the ISO standards or best practice in securing systems change.

4.5 Risks and Issues
(Numbering is taken from the NHSmail 2 project risk log.)

Risk 41: Business Impact Levels
Risk: The Government uses (Business) Impact Levels for its security, but these are not well understood by the NHS. NHS requirements seem to fall between IL2 and IL3 but with no clear standard. This needs to be resolved.
Mitigation: This standard will define the security controls for health and care, eliminating this risk.

Risk 12: Offshoring Policy
Risk: Offshoring policy used to mandate that data could only be secured within England. The policy was recently changed but not communicated widely.
Mitigation: Refer to and clarify offshoring policy in the standard.

Risk 6: IL3 Requirement
Risk: As a result of the requirement for an IL3 platform (high IG security levels), there is a risk that the number of companies able to tender for the contract is restricted, leading to the requirements not being met in a cost effective manner.
Mitigation: IL assessment being done by the NHSmail project.

Risk 45: Changes to ISB
Risk: Changes to the ISB process as a result of informatics transition result in delays to the information standard or rework.
Mitigation: Monitor together with ISB. The standard is not on the project critical path.

5 Products

5.1 Provided
Product                      Title
Requirements
Value for money proposition
Privacy impact assessment    NHSmail 2 Privacy Impact Assessment v1.1
Communication strategy       NHSmail Communications and Stakeholder Engagement Strategy v1.0
Evidence of consultation
Implementation strategy
Maintenance strategy
Glossary of Terms
Issues log / Risk register

5.2 Not Provided
Product: Safety case
Justification for Absence: The safety case has been deferred until the Draft stage so that it can apply to the draft standard, not the requirements.