Part of Objective B - Protecting against cyber-attack and data breaches

Principle B1: Policies, processes and procedures

The organisation defines, implements, communicates and enforces appropriate policies, processes and procedures that direct its overall approach to securing information, systems and data that support operation of essential functions.


B1.a Policy, process and procedure development

Description

You have developed and continue to improve a set of information assurance and resilience policies, processes and procedures that manage and mitigate the risk of adverse impact on your essential function(s).

The expectation for this contributing outcome is Partially achieved.

Indicators of good practice (IGP) achievement levels can be viewed via the Data Security Protection Toolkit.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing - Partially achieved

1. Policies, procedures and processes - Obtain the policies, processes and procedures relevant to security governance, risk management, technical security and regulatory compliance, and assess whether:

  1. The organisation has undergone a process (such as reviewing its suite of policies, processes and procedures against the outcomes of the CAF-aligned DSPT) to ensure all necessary areas are covered to reasonably mitigate known security and information risk. The organisation should be able to justify how it has reached its conclusion. (PA#1)
  2. The contents are appropriate for the type of organisation, and include key elements such as roles and responsibilities, laws and regulations to follow and the risk appetite of the organisation. (PA#1)
  3. The organisation has aligned its policies, processes and procedures to national policies (such as the National Data Opt Out) and legal frameworks (such as the National Data Opt Out). The organisation should be able to demonstrate how it has identified relevant national policies and legal frameworks and appropriately incorporated them. (PA#3, A#7)

2. Update following major incidents and data breaches - Discuss with management the process for identifying changes required to policies, procedures and processes following major cyber security incidents and data breaches, and the process for getting those changes approved and implemented. Obtain evidence from the last major cyber security incidents and/or data breach and assess whether the process was followed. (PA#2, A#4)

Additional approach to testing - Achieved

1. Policies, procedures and processes - Obtain the overarching security governance and risk management approach, technical security practice and specific regulatory compliance documentation. In addition to the controls assessed in step 1 of Partially achieved, assess whether:

  1. The organisation has identified a set of key information governance principles (for example accountability, transparency) and cyber security principles (such as least privilege, application security), and has undergone a process to ensure its policies, processes and procedures reflect the best practical ways of fulfilling these principles. The organisation should be able to justify how it has reached its conclusion. (A#1)
  2. Policies, processes and procedures are mapped to relevant essential functions and technologies. The organisation has a scheduled or efficiently reactive review process when new technologies are implemented to identify and remediate areas where confusion may arise as to how the policies, processes and procedures would be practically applied. (A#2)
  3. The organisation can explain which policies, procedures and processes are relevant to which staff groups, and has developed them to be practical, appropriate and achievable with the behaviours of those staff groups in mind. (A#3)

2. Key performance indicators - Discuss how the organisation has derived key performance indicators for relevant policies, processes and procedures (for example from security incidents, technical measurements, surveys, patient feedback). Verify whether these indicators are reported to executive management. (A#1)

3. Regular document review - Obtain and inspect evidence of the organisation’s policies, processes and procedures being reviewed on a regular basis. Verify that the organisation has a justified rationale for the review intervals they have chosen. (A#4)

4. Review following a change in circumstances - Obtain and inspect evidence showing that documents are reviewed following any changes to the essential functions, or changes to the threats faced by those functions. (A#5)

5. Failsafe measures - Discuss with the organisation what failsafe measures they have implemented to ensure systems remain secure in scenarios where policies, procedures and processes are not followed. Obtain evidence of the design and implementation of those failsafes. (A#6)

Suggested documentation - Partially achieved

Suggested documentation includes:

  • policies, processes and procedures relevant to security governance, risk management, technical security and regulatory compliance
  • evidence of policies, processes and procedures being updated following major cyber security incidents and data breaches

Additional documentation - Achieved

Additional documentation includes:

  • evidence of key information governance and cyber security principles being considered
  • evidence of mapping policies, processes and procedures to essential functions and technologies
  • evidence of assessing applicability of policies, processes and procedures to staff groups
  • evidence of key performance indicator (KPI) reporting to executive management
  • evidence of regular review of documentation
  • evidence of review of documentation following any changes to the essential functions, or changes to the threats faced by those functions
  • evidence of design and implementation of failsafe measures

B1.b Policy, process and procedure implementation

Description

You have successfully implemented your information assurance policies, processes and procedures and can demonstrate the benefits achieved.

The expectation for this contributing outcome is Partially achieved.

Indicators of good practice (IGP) achievement levels can be viewed via the Data Security Protection Toolkit.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing - Partially achieved

1. Monitoring of the application of policies, processes and procedures - Ascertain what activities the organisation performs, such as spot checks and/or KPIs, to monitor the application of their policies, processes and procedures. Verify that the organisation has appropriate assurance that most are being followed. (PA#1)

2. Policies, processes and procedures integration - Discuss with the organisation how it has ensured its policies, processes and procedures related to information assurance are aligned with those from separate disciplines such as HR. Obtain and inspect documents to confirm that, where appropriate, they are cross-referenced and aligned in terms of their content. (PA#2, A#2)

3. Staff awareness - Discuss with the organisation how it makes all staff aware of their responsibilities under the organisation’s policies, processes and procedures. (PA#3)

4. Investigation of breaches - Discuss with management the investigation process for breaches of policies, processes and procedures with the potential to adversely impact the essential functions, and obtain evidence that this process is followed adequately. (PA#4)

5. Breach tracking and remediation - Assess the process for tracking and assessing other breaches of policies, processes and procedures that do not have the potential to adversely impact the essential functions, and verify that action is taken to address the risk created by those breaches. Obtain evidence that this process is followed adequately. (PA#4)

Additional approach to testing - Achieved

1. Evaluating the application of policies, processes and procedures - In addition to the checks outlined in step 1 of Partially achieved, verify that the organisation has assurance that all policies, processes and procedures are being followed. Also obtain evidence that the organisation uses its monitoring activities to make its policies, processes and procedures more effective. (A#1)

2. Communication to staff - Verify that the organisation has considered which policies, processes and procedures apply to which staff groups, and tailored their approach to effectively communicate the associated responsibilities to each group. Obtain evidence to show that staff at all levels of the organisation are aware of their responsibilities, for example by meeting with a sample of staff and enquiring of their understanding of their responsibilities. (A#3)

3. Remediation of aggregated breaches - In addition to the checks outlined in steps 4 and 5 of Partially achieved, verify that the organisation has a scheduled or efficiently reactive process for reviewing sets of policy, process and procedure violations with a view to identifying patterns and acting upon its findings. (A#4)

Suggested documentation - Partially achieved

Suggested documentation includes:

  • evidence of monitoring of the application of policies, processes and procedures
  • evidence of integration between the policies, processes and procedures of different teams and departments
  • evidence showing how staff are made aware of policies, processes and procedures
  • investigation process for breaches of policies, processes and procedures, and evidence that the process is followed
  • process for tracking and assessing breaches of policies, processes and procedures, and evidence that the process is followed

Additional documentation - Achieved

Additional documentation includes:

  • evidence of monitoring activities being used to improve policies, processes and procedures
  • evidence of successful segmented communication approach to staff members
  • evidence of analysis and remediation of aggregated breaches

Last edited: 17 September 2025 10:44 am