Part of Objective B - Protecting against cyber-attack and data breaches
Principle B3: Data security
Data stored or transmitted electronically is protected from actions such as unauthorised access, modification, or deletion that may cause an adverse impact on essential functions. Such protection extends to the means by which authorised users, devices and systems access critical data necessary for the operation of essential functions. It also covers information that would assist an attacker, such as design details of network and information systems.
B3.a Understanding data
Description
You have a good understanding of data important to the operation of your essential function(s), where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact the essential function(s). This also applies to third parties storing or accessing data important to the operation of your essential function(s).
The expectation for this contributing outcome is Partially achieved.
Indicators of good practice (IGP) achievement levels can be viewed via the Data Security and Protection Toolkit.
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.
Suggested approach to testing - Partially achieved
1. ROPA and IAR - Obtain and inspect the organisation’s record of processing activities (ROPA) and an information asset register (IAR), and assess whether they contain appropriate information, and whether they are updated whenever significant changes occur. Obtain examples of updates taking place after significant changes occur.
- As per ICO guidance, the ROPA should include as a minimum the organisation’s name and contact details, whether it is a controller or processor, the purposes of processing, description of the categories of individual and personal data, categories of recipient of personal data, details of transfers to third countries, including a record of the transfer mechanism safeguards, retention schedules and description of the technical and organisational security measures in place. (PA#1, A#1)
- As per ICO guidance, the IAR should include as a minimum the software and hardware assets of the organisation, asset owners, asset location, retention periods and security measures deployed. (PA#1, A#1)
- From the ROPA and IAR, and through discussion with management, assess whether information asset owners and information asset administrators have been appointed. (PA#7, A#10)
2. Other data important to essential functions - Assess whether, either as an addition to the IAR or as a separate document, the organisation has catalogued, documented and maintained up-to-date information about the location and security arrangements of other data supporting the essential functions, including:
- Operational data (such as finance data) (PA#1, A#1)
- Technical data (PA#1, A#1)
- Security impacting data (such as network and system designs) (PA#1, A#1)
3. Access to data - In documents provided for steps 1 and 2, assess whether individuals or staff groups with access to this data are identified and catalogued. (PA#2, A#2)
4. Data reviews - Obtain evidence to show that, where it is practical and appropriate to do so, the data identified in documents provided for steps 1 and 2 is monitored, with reviews that are either scheduled or triggered promptly by change, to verify the location, transmission, quantity and quality of the data. (PA#3)
5. Mobile devices and media - In documents provided for steps 1 and 2, assess whether mobile devices and media that hold data important to the operation of the essential functions have been identified. (PA#4, A#5)
6. Scenario impact on essential functions - Establish whether impacts on the essential functions of unauthorised data access, modification or deletion have been documented for data assets catalogued in steps 1 and 2. (PA#5, A#8)
7. Validating impact - Obtain evidence that reviews have taken place at suitable intervals to confirm whether the scenario impacts identified by the organisation in step 6 remain valid, and that updates have been made where scenario impacts were found to be inaccurate. (PA#6)
Additional approach to testing - Achieved
1. ROPA and IAR reviews - In addition to the approach to testing in step 1 of Partially achieved, verify that the ROPA and IAR are reviewed on a regular basis, and obtain evidence of such reviews. (A#1)
2. Understanding of the location, quantity and quality of data - In addition to the controls assessed in step 4 of Partially achieved, verify that the organisation’s reviews are systematic and ongoing, such that any changes to location, transmission, quantity and quality of data are quickly identified and updates made to associated documentation. (A#3)
3. Copies and historic data - Establish how the organisation monitors the existence of copies and historic data, and assess this process to identify any gaps. Obtain evidence that this process includes removing or minimising unnecessary copies or unneeded historic data, and obtain evidence that this activity takes place regularly. (A#4)
4. Data links - Establish how the organisation monitors the data links used to transmit data that is important to essential functions, and assess whether the process has controls in place to be warned of changes in the data links, supporting the maintenance of a current understanding of those links. (A#6)
5. Context, limitations and dependencies of important data - Assess whether the documentation provided by the organisation for steps 1 and 2 of Partially achieved identifies dependencies of all catalogued data, and gives adequate context of how the data supports the organisation’s essential functions. Verify that the organisation has identified the areas of documents provided for steps 1 and 2 of Partially achieved where there are limitations to the data, for example where the organisation has indicated on an appropriate register that it holds network schematics, but also documents that it knows these schematics to be out of date due to a recent office move. (A#7)
6. Regularly validating impact - In addition to activities outlined in step 7 of Partially achieved, verify that scenario impacts are validated on an annual basis at minimum. (A#9)
Suggested documentation - Partially achieved
Suggested documentation includes:
- record of processing activities (ROPA) and an information asset register (IAR)
- evidence of updates to the ROPA and IAR after significant changes
- documentation cataloguing other data important to essential functions (held as part of the IAR or separately)
- evidence of individuals or staff groups with access to essential functions data being identified
- evidence of essential functions data being monitored to verify location, transmission, quantity and quality
- evidence of mobile devices and media that hold essential functions data being identified
- documentation of scenario impacts of unauthorised data access, modification or deletion on essential functions
- evidence of periodic reviews to validate scenario impacts
Additional documentation - Achieved
Additional documentation includes:
- evidence of regular review of the ROPA and IAR
- evidence of essential functions data being monitored on a systematic and ongoing basis to verify location, transmission, quantity and quality
- evidence of monitoring of copies and historical data, followed by minimisation and removal where appropriate
- procedures for monitoring data links
- evidence of context, limitations and dependencies of essential functions data being identified and understood
- evidence of regular reviews to validate scenario impacts
B3.b Data in transit
Description
You have protected the transit of data important to the operation of your essential function(s). This includes the transfer of data to third parties.
The expectation for this contributing outcome is Partially achieved.
Indicators of good practice (IGP) achievement levels can be viewed via the Data Security and Protection Toolkit.
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.
Suggested approach to testing - Partially achieved
1. Identification of data links - Verify that the organisation has identified all the data links that carry data important to the operation of essential functions. These should include:
- Physical communications (such as sending confidential patient information by mail) (PA#1, A#1)
- Electronic information transfers (such as email and automated transmissions) (PA#1, A#1)
- Network traffic between end user devices, infrastructure devices and servers (PA#1, A#1)
2. Protecting data links - Assess whether proportionate security measures have been implemented and documented for each data link identified in step 1. Obtain evidence to show that these security measures are effective. (PA#1, A#1)
3. Non-trusted or openly accessible carriers - Establish with the organisation whether it has identified the data flows that travel over non-trusted or openly accessible carriers, and whether it has implemented appropriate technical means (for example cryptography for electronic information, securely packaging post for physical information) to protect this data. (PA#2)
Additional approach to testing - Achieved
1. Testing technical measures - In addition to the controls assessed in step 2 of Partially achieved, obtain evidence that the organisation has tested its technical measures for protecting data that travels over non-trusted or openly accessible carriers, and assess the confidence that the organisation has in their robustness. (A#2)
2. Alternative transmission paths - Establish with management whether it has identified and assessed the risk of resource limitation on important data flows, and whether it has put in place suitable alternative transmission paths where a significant risk of impact on the operation of essential functions was identified. (A#3)
Suggested documentation - Partially achieved
Suggested documentation includes:
- documentation identifying important data links and security measures to protect them
- documentation identifying data flows that travel over non-trusted or openly accessible carriers
- evidence of technical measures to protect data that travels over non-trusted or openly accessible carriers
Additional documentation - Achieved
Additional documentation includes:
- evidence of testing technical measures for protecting data that travels over non-trusted or openly accessible carriers
- documentation identifying critical transmission paths, dependencies and suitable alternatives
B3.c Stored data
Description
You have protected stored soft and hard copy data important to the operation of your essential function(s).
The expectation for this contributing outcome is Partially achieved.
Indicators of good practice (IGP) achievement levels can be viewed via the Data Security and Protection Toolkit.
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.
Suggested approach to testing - Partially achieved
1. Documenting stored data - Verify that the organisation has documented data it holds (both physical and electronic) which supports the operation of its essential functions. Where the same data is held in multiple locations or on multiple systems, establish whether the organisation has a legitimate business need for doing so. (PA#1, A#1)
2. Data on less secure systems - Verify the organisation has defined reasonable criteria for designating less secure systems, and identified systems which fall under this category. If any of these systems store data which is important to the operation of essential functions, obtain evidence of procedural or technical controls in place to ensure the data is provided with limited detail or as read-only copies. Test a sample of data on less secure systems to check the controls are effectively implemented. (PA#1, A#1)
3. Protecting data - Establish with the organisation what physical and technical controls are in place to protect stored data identified in step 1 from unauthorised access, modification or deletion. Assess whether the controls are suitable and proportionate. (PA#2, A#2)
4. Cryptographic protections - Establish whether cryptographic protections are used for data identified in step 1 and obtain evidence that they have been technically and procedurally applied in a suitable way to protect the data. (PA#3)
5. Backup copies of data - Discuss with the organisation whether it holds backups of data that would allow the operation of essential functions to continue should the original data become unavailable; these may include offline or segregated backups, or appropriate alternative forms of the data such as paper copies. Assess the suitability of the backup copies and of the security measures that ensure they would remain usable if the original copies were compromised. (PA#4, A#4)
Additional approach to testing - Achieved
1. Testing of cryptographic protections - In addition to the controls assessed in step 4 of Partially achieved, obtain evidence to show that the cryptographic protections have been tested, giving the organisation justified confidence in the robustness of the protection applied. (A#3)
2. Archive storage - Assess how necessary historic or archive data is stored, and whether suitable security measures are implemented, for example, off-site storage. Obtain evidence of those security measures. (A#5)
Suggested documentation - Partially achieved
Suggested documentation includes:
- documentation identifying stored data (both physical and electronic)
- identification of a business need where the same data is stored in more than one location or system
- documentation identifying the organisation’s less secure systems
- evidence of data being held with limited detail or in read-only form on less secure systems
- physical and technical controls to protect important stored data from unauthorised access, modification or deletion
- evidence of cryptographic protections and their procedural and technical application
- evidence of suitable back-up copies of important data
Additional documentation - Achieved
Additional documentation includes:
- evidence of testing of cryptographic protections
- evidence of historic or archive data being securely stored
B3.d Mobile data
Description
You have protected data important to the operation of your essential function(s) on mobile devices.
The expectation for this contributing outcome is Partially achieved.
Indicators of good practice (IGP) achievement levels can be viewed via the Data Security and Protection Toolkit.
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.
Suggested approach to testing - Partially achieved
1. Data held in mobile devices - Verify that the organisation has documented which mobile devices (or groups of devices) hold data important to the operation of essential functions. (PA#1)
2. Security requirements for mobile data - Verify that the organisation has established procedures for ensuring that before important data is accessed or stored via mobile devices, the mobile devices must have met the standard of the organisation’s overarching security policies. Obtain evidence of how this procedure is practically applied. (PA#2)
3. Technical security - Establish with the organisation whether there are a minimum set of technical security controls which must be applied to all mobile devices before important data can be accessed or stored on them. Obtain a sample of mobile devices and verify that the controls have been applied. (PA#3)
Additional approach to testing - Achieved
1. Management of mobile devices - In addition to the controls assessed in step 1 of Partially achieved, verify that all mobile devices holding important data are corporately owned or managed. (A#1)
2. Configuration, policies and procedures - Obtain evidence of the configurations applied to different categories of mobile devices holding important data, and verify the criteria the organisation has used to determine that the configurations represent best practice for each respective mobile device platform. Verify that the configurations are bolstered by technical and procedural policies to further protect mobile data. (A#1)
3. Remote wiping - Establish whether the organisation can remotely wipe any mobile device holding data important to the operation of essential functions if it is lost. Obtain evidence that this capability is effectively used following staff reports of lost mobile devices. (A#2)
4. Minimising mobile data - Verify that the organisation has agreed and documented principles to minimise the amount of data being held on each category of mobile devices. Assess whether the organisation’s technical and procedural controls for mobile devices effectively enforce the agreed principles to ensure that the minimal amount of data is accessible or stored on a mobile device, which may include automatic deletion of data where appropriate. (A#3)
Suggested documentation - Partially achieved
Suggested documentation includes:
- documentation of mobile devices holding data important to the operation of essential functions
- procedures for ensuring mobile devices meet security policy standards ahead of accessing or storing important data
- evidence of a minimum set of technical security controls being applied to mobile devices
Additional documentation - Achieved
Additional documentation includes:
- evidence of all mobile devices holding important data being corporately owned or managed
- evidence of configurations and policies for protecting mobile data on different platforms
- procedures for performing remote wiping of mobile devices
- procedures for minimising data on mobile devices
B3.e Media and equipment sanitisation
Description
Before re-use and/or disposal you appropriately sanitise devices, equipment and removable media holding data important to the operation of your essential function(s).
The expectation for this contributing outcome is Partially achieved.
Indicators of good practice (IGP) achievement levels can be viewed via the Data Security and Protection Toolkit.
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.
Suggested approach to testing - Partially achieved
1. Data removal - Establish whether there are established procedures for sanitising all devices, equipment and removable media holding essential functions data before reuse and/or disposal. Obtain evidence that the procedures are followed by the organisation. (PA#1)
Additional approach to testing - Achieved
1. Identifying and documenting devices - Verify that the organisation has identified and documented all devices that contain data important to the operation of essential functions, including removable media assets. Assess whether the documentation includes key information such as the owner of the device, its location and the type of data contained on the device. (A#1)
2. Assured data removal - In addition to the activities detailed in step 1 of Partially achieved, obtain evidence that the sanitisation activities undertaken are carried out using an assured product or service. (A#2)
Suggested documentation - Partially achieved
Suggested documentation includes procedures for sanitising all devices, equipment and removable media holding essential functions data before reuse and/or disposal.
Additional documentation - Achieved
Additional documentation includes:
- documentation identifying all devices, including storage devices, holding essential functions data
- evidence of the use of an assured product or service for media sanitisation
Last edited: 9 October 2025 3:40 pm