Part of Objective B - Protecting against cyber-attack and data breaches
Principle B2: Identity and access control
The organisation understands, documents and manages access to information, systems and networks supporting the operation of essential functions. Individuals (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised.
The expectation for this contributing outcome is Partially achieved.
Indicators of good practice (IGP) achievement levels can be viewed via the Data Security Protection Toolkit.
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing, but should be adapted depending upon the evidence provided by NHS providers to show how they meet the outcomes.
Suggested approach to testing - Mandatory policy requirement
1. MFA policy
Through a combination of testing samples of user access to systems, inspecting relevant documentation and asking to see assurances the organisation has acquired from suppliers (depending on what is practical for the area being assessed) verify that the organisation has enforced multi-factor authentication (MFA) on:
- all remote user access to all systems, subject to exceptions permitted in the NHS England MFA policy
- all privileged user access to externally-hosted systems, subject to exceptions permitted in the NHS England MFA policy
- all privileged user access to all other systems, subject to fully assessing the implications of any alternative course of action, and subject to the exceptions permitted in the NHS England MFA policy
2. Permitted exceptions
Verify that any reliance on permitted specific exceptions follows the requirements set out in the MFA policy, namely that the organisation:
- understands, documents, risk-assesses, and internally approves (at board level or as delegated) all exceptions, with annual review
- has and is actively pursuing plans to minimise or eliminate completely the exceptions; and
- retains documentary evidence for audit purposes, and provides a summary within its Data Security and Protection Toolkit (DSPT) submission
Suggested approach to testing - Partially achieved
1. Identity verification - Ascertain the organisation’s process for verifying the identity of employees before they are allowed access to physical or electronic information. The process should include:
- pre-employment checks to appropriately identify individuals (PA#1)
- a minimum level of identity verification for all staff members such as the NHS Employment Check or Baseline Personnel Security Standards (PA#1)
- consideration of the level of access they will have to physical or electronic information before allowing access (PA#1)
- consideration of specific roles which may require more stringent background checks or security clearances, such as roles with more sensitive or privileged access, for example an information technology (IT) admin role (PA#1)
2. Verification of temporary staff members - If applicable, verify that the organisation has obtained assurances from any external staffing agencies it uses that temporary staff members’ identities are verified before deployment. (PA#1)
3. User authentication - Verify that the organisation has robust processes for authenticating users. This process should include ensuring the verified user identity is authenticated through an appropriate authentication method such as a password, biometric data, etc. This could include password complexity requirements, the number of attempts allowed and whether a large number of failed attempts is flagged to the IT team. It should also include any additional security required for admin-level users, and may also include additional security such as MFA. Obtain logs to verify that the process is adequately implemented. (PA#2)
4. Limiting user access - Obtain the list of user groups with access to information and systems supporting the essential function, and assess whether their level of access is appropriate based upon their role. Verify that the organisation has established specific business cases for different levels of access, and that new users are assessed against business cases prior to access being granted. (PA#3, A#3)
5. Multi-Factor Authentication - Obtain evidence that additional authentication mechanisms, such as MFA, are used for privileged access to all network and information systems that operate or support essential functions, in line with NHS England MFA policy. Verify the implementation of this control, for example by checking in person or via screenshare with a privileged user that MFA is required when they try to log in. Request a sample of privileged users to test that MFA is required for access. (PA#4)
6. Remote login - Obtain and inspect the remote login process, and assess whether users are required to authenticate before accessing the organisation’s network. Assess the authentication method in use for remote login and verify that it is at least as strong as on-site login. Obtain evidence that remote authentication is in place for all users. (PA#5)
7. Access rights review - Obtain and inspect the list of users and systems with access to information, systems and networks supporting and delivering the essential functions. Obtain a sample of these and verify that their access rights have been reviewed in the last year. (PA#6)
8. Alignment to best practices - Obtain the authentication policy (or equivalent) and verify that it is aligned to best practices, for example Open Web Application Security Project (OWASP) and National Institute of Standards and Technology (NIST). (PA#7, A#6)
Additional approach to testing - Achieved
1. Identity verification - In addition to the controls assessed in step 1 of the Partially achieved approach to testing, obtain documentation which outlines the different roles which require higher levels of verification, for example user admins. Test a sample of anonymised privileged users who should meet higher verification standards and check whether they have undertaken them. (A#1)
2. Physical security - Obtain the physical security policy (or equivalent) and assess the controls in place to ensure the security of the systems and information on which essential services rely. This should include limiting access to buildings and rooms that contain servers and endpoints which could be used to access the organisation’s network, but also authenticating access to those buildings and rooms, ensuring that clear accountability is given for any activity taking place. While on-site, verify the implementation of these security controls. (A#2)
3. Multi-Factor Authentication - Obtain the cyber security policy (or equivalent), and assess whether the use of MFA is mandated for all users across the organisation, including remote access, to all network and information systems that operate or support essential function(s). The organisation must meet the requirements of the NHS England MFA Policy and be able to evidence this through the following:
- Organisations must enforce MFA on all remote user access to all systems. This can be evidenced through testing a sample of remote user access for a sample of systems. (A#4)
- Organisations must enforce MFA on all privileged user access to externally-hosted systems. This can be evidenced through testing a sample of privileged user access to a sample of externally hosted systems. This should include organisational and third-party privileged access. (A#4)
- Organisations should enforce MFA on all privileged user access to all other systems. This can be evidenced through testing a sample of privileged user access for a sample of systems. (A#4)
- Permitted exceptions to these requirements are detailed in the NHS England MFA policy. Review documented exceptions to the policy which have been approved by an appropriate body and in line with the NHS England MFA Policy exemption guidance. (A#4)
- Verify that this control has been implemented by obtaining a list of users and verifying their access to network and information systems that operate or support essential function(s). (A#4)
4. Access rights review - Obtain and inspect the list of users and systems with access to information, systems and networks supporting and delivering the essential functions. Obtain a sample of these and verify that their access rights have been reviewed in the last 6 months. (A#5)
Suggested documentation - Mandatory policy requirement
Suggested documentation includes:
- evidence of authentication controls in place for user access to systems
- procedures for application of MFA
- assurances from suppliers
- documentation of permitted exceptions
- action plans for minimising and eliminating permitted specific exceptions
Suggested documentation - Partially achieved
Suggested documentation includes:
- procedures and third-party assurances for identity verification
- authentication policy (or equivalent documentation showing user authentication processes are in place)
- list of user groups with access to information, systems and networks that essential functions depend on
- business cases for new users
- evidence of MFA for privileged users
- remote login documentation
- evidence of remote authentication
- evidence of access rights review for users and systems with access to information, systems and networks supporting and delivering the essential functions
Additional documentation - Achieved
Additional documentation includes:
- list of anonymised privileged users
- physical security policy (or equivalent)
- evidence of MFA for all users
B2.b Device management
Description
You fully know and have trust in the devices that are used to access your information, systems and networks that support your essential function(s).
The expectation for this contributing outcome is Not achieved.
Indicators of good practice (IGP) achievement levels can be viewed via the Data Security Protection Toolkit.
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS providers' outcomes are effectively achieved.
Suggested approach to testing - Partially achieved
1. Device access to network and information systems - Assess what procedural and technical controls the organisation has in place to ensure that only corporately owned and managed devices can access the networks and information systems supporting essential functions. (PA#1)
2. Privileged operations - Verify that 'privileged operations' have been appropriately defined in the context of activities performed on the organisation’s systems and networks, and that technical and procedural controls have been implemented to ensure these are only performed from corporately owned and managed devices. Obtain evidence that these devices have been configured and protected for privileged operations. (PA#2)
3. Third-party devices - Discuss with the organisation what security checks they perform on third-party devices before they are allowed to connect to the organisation’s network. Verify that the checks are sufficient to minimise the risks associated with those third-party devices identified by the organisation. (PA#3)
4. Physical connections - Discuss with management whether there are technical controls in place to ensure that physical connections, for example via network port or cable, do not grant access to any systems, and require additional authentication for access to be granted. Obtain evidence that those controls are implemented as part of the default build of devices. (PA#4)
5. Investigation of unknown devices - Verify that the organisation is able to detect unknown devices on its network, such as through network scanning, and deploys this capability where it identifies a need. (PA#5, A#4)
Additional approach to testing - Achieved
1. Highly trusted devices - In addition to the controls assessed in step 2 of Partially achieved, check that the organisation has satisfied itself that privileged devices are not used for any activity outside the privileged operations they are protected and configured for. Assess that appropriate technical and physical security controls secure those devices to ensure that only privileged users are able to access and use them. Test a sample of those controls to ensure they give appropriate security assurance. (A#1)
2. Independent or professional assurance - Assess whether the organisation obtains independent and professional assurance of the security of third-party devices or networks before they connect to the organisation’s network and information systems, and obtain the latest assurance documentation. Alternatively, assess what technical and procedural controls are in place to ensure that the only third-party devices that are able to connect to the organisation’s network are ones used for specifically designated functions supporting networks and information systems and nothing else. Verify that the controls are appropriate. (A#2)
3. Certificate-based identity - Discuss with the organisation whether they have implemented certificate-based identity management, and assess their encryption methods to ensure that they are robust and tamper-proof. (A#3)
4. Regular network scanning - Discuss with management whether network scans take place regularly. Obtain evidence of such scans, and verify that investigations of unknown devices take place. (A#4)
Suggested documentation - Partially achieved
Suggested documentation includes:
- procedural and technical controls for limiting network and system access to corporate devices
- procedures for privileged operations
- approach to validating the security properties of third-party devices
- evidence of risk assessment of third-party devices
- evidence of technical controls in place to ensure that physical connections do not grant access to any systems
- evidence of network scans identifying unknown devices and investigation of the unknown device
Additional documentation - Achieved
Additional documentation includes:
- latest independent or professional assurance documentation
- procedural and technical controls for limiting network and system third-party device access to those dedicated to specific functions
- evidence of certificate-based identity management implementation
- procedures for regular network scanning
B2.c Privileged user management
Description
You closely manage privileged user access to networks and information systems supporting your essential function(s).
The expectation for this contributing outcome is Not achieved.
Indicators of good practice (IGP) achievement levels can be viewed via the Data Security Protection Toolkit.
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS providers' outcomes are effectively achieved.
Suggested approach to testing - Partially achieved
1. Strong authentication - Assess whether the organisation has implemented multi-factor authentication, or another form of strong authentication such as hardware token or biometric tools, for privileged user access to network and information systems supporting essential functions. Obtain evidence of the implementation of this technology. (PA#1)
2. Identities of privileged users - Assess the methodology for identifying privileged users with access to networks and information systems supporting essential functions, including third parties. Verify that the organisation’s procedures, and agreements with suppliers where appropriate, prevent anyone having privileged access without being individually identified. (PA#2)
3. Review of privileged user activity - Verify that 'privileged user activity' has been appropriately defined in the context of activities performed on the organisation’s systems and networks. Discuss with management whether there is a process in place for reviewing privileged user activity, and assess whether this process includes all privileged users, whether the frequency of reviews is clearly defined, and whether suspicious activity is investigated. Obtain evidence that this process is followed, and investigation of suspicious activity takes place. (PA#3)
4. Privileged access rights process - Assess the process for granting privileged access rights to users. Verify that the organisation can determine which specific privileged access rights are needed for which privileged roles and functions based on business need. Obtain evidence of privileged access requests and assess whether they were adequately reviewed and approved according to the process. (PA#4)
Additional approach to testing - Achieved
1. Dedicated account for privileged activity - Assess whether privileged users are required to use a dedicated separate account to access network and information systems supporting essential functions. Obtain evidence to show that these accounts are closely monitored and managed. (A#1)
2. Time-bound rights - Assess whether the organisation has reasonably defined scenarios where time-bound rights for privileged access should be granted over permanent rights. Assess whether there are procedural and technical controls in place that ensure these rights are issued in scenarios that meet the criteria. Obtain a list of privileged users and third parties that have met the criteria and pick a sample to test whether these controls are effectively implemented. (A#2)
3. Joiners, movers, leavers - Discuss the joiners, movers, leavers process with management and assess whether privileged user access is reviewed and updated when a user joins, moves or leaves the organisation. Obtain a list of privileged users and verify that any change in circumstances triggers a review of access rights. (A#3)
4. Analysis of privileged user activity - In addition to the controls assessed in step 3 of Partially achieved, assess whether the organisation’s procedures for monitoring, reviewing and validating privileged user activity cover all privileged user activity and operate on an ongoing basis, allowing any suspicious actions to be quickly identified and investigated regardless of when they occur. Obtain evidence of how the organisation achieves this. (A#4)
Suggested documentation - Partially achieved
Suggested documentation includes:
- evidence of implementation of multi-factor authentication, or another form of strong authentication
- procedures to identify and manage privileged user identities
- evidence of reviews of privileged user activity, including investigation of suspicious activity
- procedures for segmenting privileged access rights by individual roles and business need
Additional documentation - Achieved
Additional documentation includes:
- evidence of dedicated accounts for privileged operations which are closely monitored and managed
- procedure for issuing temporary, time-bound privileged access rights
- joiners, movers, leavers process
- evidence of ongoing review and validation of privileged user activity, including investigation of suspicious activity
B2.d Identity and access management (IAM)
Description
You closely manage and maintain identity and access control for users, devices and systems accessing the network and information systems supporting your essential function(s).
The expectation for this contributing outcome is Partially achieved.
Indicators of good practice (IGP) achievement levels can be viewed via the Data Security Protection Toolkit.
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS providers' outcomes are effectively achieved.
Suggested approach to testing - Partially achieved
1. Minimum required access rights - Assess whether the organisation has defined minimum required access rights for different user groups. Ascertain whether there is a procedure in place to verify each new user’s identity and issue them with minimum access rights according to their role. Obtain evidence that the procedure is implemented and followed. (PA#1)
2. User access rights review - Assess whether user access rights are reviewed regularly, with the expected frequency of review being clearly documented, and also when users change roles via the joiners, movers, leavers process. Obtain evidence that user access rights are reviewed regularly and when users change roles, and that access rights are updated as required. (PA#2, PA#3, A#2)
3. Logging of user, device and system access - Assess the organisation’s capability to log all user, device and system access to the systems supporting the essential functions. Obtain evidence that the log is monitored regularly, with suspicious activity being investigated. (PA#4, A#3)
4. Resolution of access issues - Discuss with the organisation the process for raising and resolving issues about staff not having appropriate access to information (either too much access, or too little access), and whether this process includes a target timeframe for resolving the issue. Obtain the list of tickets that have been raised about staff not having appropriate access to information, and inspect a sample to verify whether the target timeframe was met. (PA#5, A#6)
Additional approach to testing - Achieved
1. Auditing of minimum access rights - In addition to the controls assessed in step 1 of Partially achieved, assess whether the procedure for issuing minimum access rights is regularly audited by the organisation, and obtain evidence of this audit taking place, with resulting actions being implemented. (A#1)
2. Correlation of log data - Assess whether user, device and system access logs are correlated with log data for their other activities on the system. Obtain evidence of this correlation and analysis taking place. (A#4)
3. Unauthorised access alert and investigation - Discuss with management whether there are monitoring tools in place to alert the organisation to attempts by unauthorised users, devices or systems to connect to the systems supporting the essential functions. Obtain the list of alerts generated by this tool and use a sample to assess whether those alerts are promptly assessed by the organisation and investigated. For alerts that resulted in a true positive, obtain evidence of actions being agreed and implemented to remove and/or block the access of the unauthorised user. (A#5)
Suggested documentation - Partially achieved
Suggested documentation includes:
- documentation of minimum access rights for different user groups
- procedures for verifying user identities
- evidence that user access rights are reviewed and updated regularly and when users change roles
- evidence of user, device and system access being logged, monitored regularly and investigated where appropriate
- procedures for raising and resolving issues relating to staff having inappropriate access to information
Additional documentation - Achieved
Additional documentation includes:
- procedures for auditing application of minimum access rights
- evidence of review of access logs against expected activity
- list of unauthorised access alerts generated by the monitoring tool
- evidence of actions being agreed and implemented following unauthorised access alerts
Last edited: 17 September 2025 10:50 am