Document No: IG10d
Version: 1.1
Name of Procedure: Third Party Due Diligence Assessment
Author: Lauren Hamill, Information Governance Officer
Release Date:
Review Date:

Version Control
Version / Release Date / Author/Reviewer / Changes (Please identify page no.)
1.0 / 2012 / L. Hamill /
1.1 / / L. Hamill / Full content review. Change of format and name.

This document supersedes all previous issues.
Contents
1. Introduction
2. Purpose
3. Scope
4. Using the Assessment Questionnaire
Appendix 1 Third Party Due Diligence Questionnaire
1. Introduction

Information is an important asset for the Trust in providing high quality services to patients and service users. In addition, the requirement to ensure the confidentiality and security of both staff and patient information under the Data Protection Act 1998 means that the Trust must secure personal data to a high level. The Trust is committed to ensuring the security and confidentiality of all personal and confidential information that it holds. So that the Trust is able to do this and to comply with the necessary legal and regulatory requirements, it is essential that we are assured that third party contractors have the necessary processes in place to secure this data.

2. Purpose

The purpose of this procedure and the accompanying assessment is to ensure that the Trust consistently meets its Information Governance requirements in relation to third party contracts (both clinical and non-clinical).

3. Scope

The assessment at Appendix 1 should be used when engaging a new Third Party to provide services to the Trust which will involve the transfer of Trust data to the Third Party's premises.

4. Using the Assessment Questionnaire

The assessment questionnaire should be provided to the Third Party for completion by Supplies, Projects or the relevant IAO/IAA, who should ensure that it is completed and approved prior to the transfer of any Trust data. The completed assessment questionnaire will be reviewed and approved by the Information Governance Team and the Information Security Manager. A copy of the signed form will then be returned to the Supplies contact, Projects contact or relevant IAO/IAA as appropriate to confirm approval. The Information Governance Team and/or Information Security Manager may include comments or recommendations and may approve the assessment on the basis that any recommendations are in place prior to the transfer of Trust data.

It is the responsibility of the Supplies contact, Projects contact and/or relevant IAO/IAA as appropriate to ensure that any such recommendations are met by the Third Party. The Third Party access/agreement should also be logged on the relevant IAO's Information Risk Management Tool.
Appendix 1 Third Party Due Diligence Assessment

Organisation Name:
Organisation Address:
Service Provided:
Organisation Contact:

Information Asset Owner: (All systems/assets must have an Information Asset Owner (IAO). IAOs are normally the Assistant Divisional Managers and report to the SIRO)
  Name:
  Title:
  Department / Location:
  Telephone:
  Email:

Project Manager / Supplies Contact:
  Name:
  Title:
  Department:
  Telephone:
  Email:

  Name:
  Title:
  Department:
  Telephone:
  Email:

Information Asset Administrator: (All systems / assets must have an Information Asset Administrator (IAA) who reports to the IAO as stated above. IAAs are normally System Managers / Project Leads)
  Name:
  Title:
  Department:
  Telephone:
  Email:
1. INFORMATION PROCESSED ON BEHALF OF THE TRUST
Section / Question / Description/Comments

1.1. GENERAL
1.1.1. Please describe the data processed by the organisation on behalf of the Trust.
1.1.2. Does the data consist of sensitive data as per the Data Protection Act? (Yes / No)

1.2. TRANSFER OF DATA TO ORGANISATION
1.2.1. How is Trust data transferred to the organisation? (Electronic / Hardcopy / Both)
1.2.2. Please provide details of how Trust data is transferred e.g. email, fax, courier, removable media etc.
1.2.3. Please provide details of the security measures in place in relation to the transfer e.g. encrypted email/removable media, safe haven fax, recorded courier and contracted service etc.

1.3. STORAGE OF TRUST DATA
1.3.1. How is Trust data stored? (Electronic / Hardcopy / Both)
1.3.2. If stored electronically, please name the systems on which the data is stored.
1.3.3. Please provide details of the security measures in place in relation to the storage of Trust data e.g. locked filing cabinet, network and system security controls etc.

1.4. OUTSOURCING AND OVERSEAS TRANSFERS
1.4.1. Is any activity involving Trust data or information assets outsourced to another third party? If so, please provide details including the relationship type (e.g. Data Controller / Data Processor). (Yes / No)
1.4.2. Are any Trust data or information assets transferred outside of the EEA? If so, what, where and to whom? (Yes / No)
1.4.3. Are any Trust data or information assets transferred outside of the UK? If so, what, where and to whom? (Yes / No)
2. INFORMATION SECURITY GOVERNANCE
Section / Question / Yes/No/NA / Description/Comments

2.1. GENERAL GOVERNANCE
2.1.1. Does the organisation have a dedicated Information Security Policy?
2.1.2. If so, how are all staff made aware of the Information Security Policy?
2.1.3. Does the organisation have a dedicated Information Security Officer, department, or similar?
2.1.4. Does the organisation hold any certificates or awards gained for quality, security or business continuity? E.g. BS 9000/9001, BS 7799/ISO 27001, BS 25999.
2.1.5. If so, please provide the scope statement for any certificates.
2.1.6. If a non-NHS organisation, is the organisation registered with the Care Quality Commission (CQC)?
2.1.7. If an NHS organisation or registered with CQC, please provide details of IG Toolkit compliance level where relevant.

2.2. DPA AND TRAINING & AWARENESS
2.2.1. Is the organisation registered with the ICO under the Data Protection Act? If so, what is the notification number?
2.2.2. Do all relevant staff undertake Data Protection and Confidentiality awareness training during induction and at least on an annual basis? If so, please describe.
2.2.3. Do all relevant staff undertake Information Security awareness training during induction and at least on an annual basis? If so, please describe.
2.2.4. Are staff in the organisation made aware of the Computer Misuse Act?
2.2.5. Does the organisation maintain a register of breaches/incidents (including data protection) and if so, how frequently is this analysed?
2.2.6. Is a response process in place to deal with breaches/incidents? (please describe)
2.2.7. Has the organisation been subject to any action by the Information Commissioner's Office (including complaints)? If so, please provide details.

2.3. AUDIT
2.3.1. Is there an internal audit function within the organisation?
2.3.2. Does the organisation engage external auditors?
2.3.3. Are information security audits performed to measure compliance with policy? If so, please specify whether these are internal or external audits.

3. PHYSICAL & ENVIRONMENTAL SECURITY
Section / Question / Yes/No/NA / Description/Comments

3.1. GENERAL
3.1.1. Is the building wholly owned / occupied by the organisation?

3.2. ACCESS TO PREMISES SECURITY
3.2.1. Is there a formal reception area?
3.2.2. Are there any other access controls in place? If so, what?
3.2.3. Is the building manned 24 hours a day, 365 days a year?
3.2.4. Are the premises protected by security guards?
3.2.5. Do the security guards man the reception area?
3.2.6. Do the security guards monitor alarms and CCTV?
3.2.7. Do the security guards perform night time patrols?
3.2.8. Do the security guard patrols include the interior of the premises as well as the exterior?

3.3. VISITORS
3.3.1. Are all visitors required to sign in and out and issued with a visitor's pass during their visit?
3.3.2. Are all visitors accompanied when in sensitive areas?

3.4. ACCESS CARDS & PIN CODES
3.4.1. Are access cards issued to all staff?
3.4.2. Is access restricted according to job role or function?
3.4.3. Do cards trigger a log entry when used?
3.4.4. Are any doors protected by PIN codes (without access cards)?

3.5. CLEAR DESK AND SECURE STORAGE
3.5.1. Does the organisation have a Clear Desk and Screen Policy?
3.5.2. If so, are regular checks in place to ensure compliance?
3.5.3. Are all documents containing Trust, personal or other confidential information locked away when unattended?
3.5.4. If the organisation is processing large volumes of documents containing Trust, personal or other confidential information, are additional measures in place in the areas where this activity takes place? (please describe)

3.6. CCTV
3.6.1. Is the building monitored continuously by CCTV both internally and externally?
3.6.2. Are access points to computer/server rooms monitored by CCTV?
3.6.3. Is CCTV footage backed up?

3.7. INTRUDER ALARMS
3.7.1. Do the premises have an intruder alarm system?
3.7.2. Is the alarm system regularly tested and maintained?
3.7.3. Is the alarm system linked to an Alarm Receiving Centre (ARC), or does it automatically inform the Police?
3.7.4. Are all ground access points alarmed (e.g. doors, windows, etc)?

3.8. FIRE ALARMS
3.8.1. Do the premises have a fire detection and alarm system?
3.8.2. Is the fire detection and alarm system regularly tested and maintained?
3.8.3. Is the fire detection and alarm system linked to emergency services, a security organisation or similar?
3.8.4. Have fire meeting points and fire marshals been established for the premises?
3.9. COMPUTER / SERVER ROOM ACCESS & ENVIRONMENTAL CONTROLS
3.9.1. Is access to computer / server rooms restricted to named authorised personnel and is all access logged?
3.9.2. Are computer / server room access privileges reviewed / checked periodically?
3.9.3. Are access points to computer / server rooms adequately secured? (please describe)
3.9.4. Are all servers and other IT equipment housed in cabinets? If the computer / server room is shared, are all cabinets locked?
3.9.5. Is computer / server room equipment protected by UPS devices?
3.9.6. Are UPS devices subject to regular testing and maintenance?
3.9.7. Have generators been installed?
3.9.8. Are generators subject to regular testing and maintenance?
3.9.9. Does the room have dedicated temperature control and air cooling?
3.9.10. Does the room have a fire detection and suppression system installed?
3.9.11. If gas suppression is installed, has the integrity of the room been tested?

4. HUMAN RESOURCES SECURITY
Section / Question / Yes/No/NA / Description/Comments

4.1. RECRUITMENT & VETTING
4.1.1. Does the organisation follow a formal recruitment and vetting procedure for all applicants?
4.1.2. Does the process include CRB checks for staff processing personal / sensitive information?
4.1.3. Are previous employment references obtained for all staff?
4.1.4. Are employee qualifications independently verified?
4.1.5. Are all such checks completed prior to commencement of employment?
4.1.6. Is evidence obtained to justify any gaps in employment history of more than 3 months?
4.1.7. Have all staff signed contracts which cover confidentiality?
4.1.8. Are the same checks conducted for temporary staff, bank/agency staff and employees of third parties working on behalf of the organisation?
4.1.9. Is there a process in place to carry out periodic follow-up checks on individuals working in high risk areas / processing personal or sensitive information?
4.1.10. Does the organisation have procedures in place for revoking access (both physical and electronic) following termination or changes to employment?

4.2. DISCIPLINARY PROCESSES
4.2.1. Do you have a formal documented disciplinary policy and procedure?

4.3. CLEANERS
4.3.1. Are cleaners directly employed by the organisation?
4.3.2. Is cleaning carried out during business hours?
4.3.3. Are cleaners prevented from accessing secure areas unless accompanied?

5. LOGICAL ACCESS CONTROLS
Section / Question / Yes/No/NA / Description/Comments

5.1. DESKTOP FACILITIES
5.1.1. Is there a desktop timeout (password protected screensaver) policy?
5.1.2. Are users required to lock their workstations before leaving them unattended, and is this monitored?

5.2. USER IDs AND PASSWORDS
5.2.1. Is there a dedicated team/person responsible for user access management?
5.2.2. Are access controls in place to restrict access to certain information e.g. access levels for particular levels, RBAC (role based access controls)?
5.2.3. Are unique system credentials, i.e. user IDs and passwords, used to gain access to the network and other systems?
5.2.4. If so, can access be traced back to an individual and are such logs checked?
5.2.5. Are parameters in place to enforce strong passwords (i.e. password length and regular changing of passwords)?
5.2.6. Are passwords issued / disclosed securely to ensure adequate privacy?
5.2.7. How often are access reviews carried out?

5.3. INTERNET & EMAIL ACCESS
5.3.1. Is there an Internet and Email Acceptable Usage Policy in place?
5.3.2. Is the internet restricted or monitored?
5.3.3. Are staff prevented from downloading non-work related content from the internet (e.g. games, screensavers and personal emails)?

5.4. REMOTE ACCESS
5.4.1. Is remote access restricted?
5.4.2. Is remote access encrypted?

5.5. FIREWALLS & ANTIVIRUS
5.5.1. Are firewalls in place?
5.5.2. Are firewalls monitored?
5.5.3. Are appropriate antivirus software measures in place?
5.5.4. Are they routinely monitored and updated?
5.5.5. Has penetration testing been carried out within the last 12 months? If so, was this conducted internally or by a third party?
5.5.6. Have any weaknesses identified by penetration testing been addressed?

6. DATA AND INFORMATION SECURITY
Section / Question / Yes/No/NA / Description/Comments

6.1. INCIDENT MANAGEMENT
6.1.1. Is there an incident management procedure for reporting, logging and investigating incidents?
6.1.2. Is there an established procedure to inform customers (including the Trust) of any incidents?
6.2. STORED DATA
6.2.1. Is/would Trust data be segregated from that of the organisation and other clients?
6.2.2. Has/would access to Trust data be restricted to only authorised individuals with a specific need to access the data?
6.2.3. Is/would administration access to any data environment be restricted or controlled?

7. BUSINESS CONTINUITY & DISASTER RECOVERY
Section / Question / Yes/No/NA / Description/Comments

7.1. BACKUPS
7.1.1. How often are backups performed?
7.1.2. What is the retention period for backups?
7.1.3. Are backup tapes stored in a separate fire zone or off-site from production data?
7.1.4. Is backup data protected to the same level as production data?
7.1.5. Are backups encrypted?

7.2. BUSINESS CONTINUITY & DISASTER RECOVERY CAPABILITY
7.2.1. Are there formal Business Continuity and Disaster Recovery Plans in place?
7.2.2. Have the plans been tested successfully within the last 12 months?

7.3. WEBSITE SECURITY (This section only applies if a website or web service is used in connection with the service provided to the Trust)
7.3.1. Is a DMZ used to secure the service?
7.3.2. Has intrusion detection software been installed?
7.3.3. Has application firewall technology been installed?
7.3.4. Is the website/service monitored for availability?
7.3.5. Are documented change-control procedures in place?
7.3.6. Does the site use SSL certificates?
7.3.7. Has penetration testing been carried out within the last 12 months and since any material change?
7.3.8. Have all weaknesses identified by penetration testing been addressed?
Form completed by:
  Name:
  Title:
  Signature:
  Date:

Information Governance Office Approval:
  Comments/Recommendations:
  Name:
  Title:
  Signature:
  Date:

Information Security Manager Approval:
  Comments/Recommendations:
  Name:
  Title:
  Signature:
  Date: