
Network and information systems and technology critical for the operation of essential functions are protected from cyber-attack. An organisational understanding of risk to essential functions informs the use of robust and reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems.


B4.a Secure by design

Description

You design security into the network and information systems that support the operation of your essential function(s). You minimise their attack surface and ensure that the operation of your essential function(s) should not be impacted by the exploitation of any single vulnerability.

The expectation for this contributing outcome is Partially achieved.

Indicators of good practice (IGP) achievement levels can be viewed via the Data Security Protection Toolkit.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework. 

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing – Partially achieved

1. Expertise in network design - Obtain evidence of how the organisation’s network and information systems have been designed. Verify that appropriate deliberate design choices have been made, employing cyber security expertise, to make the network less vulnerable to compromise and easier to recover in the event of an incident. (PA#1, A#1)

2. Boundary defences - Obtain the network architecture documentation. Assess whether, for each point where the organisation’s networks and information systems interface with other organisations or the world at large, there is a technical solution in place (such as a firewall, authentication protocol, intrusion detection or prevention system) which blocks unapproved connections, manages access and validates message format and content. (PA#2)

3. Simple data flow - Obtain evidence that the organisation has designed data flows between its network and any external interfaces in a way which enables it to easily validate message format and content. (PA#3)

4. Complexity of recovery - Obtain evidence of deliberate design decisions the organisation has made whilst building and developing their network to simplify recovery processes. Verify that the organisation’s design decisions reasonably contribute towards simpler, faster or less resource-intensive recovery of their systems. (PA#4, A#4)

5. Boundary network protocols - In addition to step 2, verify that the organisation’s technical solutions automatically check and validate all inputs to network and information systems supporting essential functions wherever practically possible. Alternatively, assess whether monitoring is in place for content-based attacks aimed at network and information systems supporting essential functions. (PA#5)

Additional approach to testing – Achieved

1. Security zones - Obtain evidence that the organisation’s network has been designed with the segregation principle in mind, dividing their networks and systems into zones according to the security requirements of the assets within them. The organisation should have:

  1. Undertaken a risk analysis to determine the criticality and security considerations of assets in each zone (A#2)
  2. Implemented technical and physical solutions in each zone according to the security considerations and requirements of the assets (A#2) 
  3. Deployed their most critical assets in their most secure network zones, such that if other areas of the network were impacted, those assets could continue to be secure and in operation. (A#2)

2. Simple internal data flow - In addition to step 3 of Partially achieved, verify that the organisation has designed simple data flows within and between internal systems. (A#3)

3. Content-based attacks - Assess whether the organisation has controls that effectively mitigate content-based attacks irrespective of source, and do not rely only on monitoring or control only at the network perimeter. Obtain evidence of the effectiveness of those controls. (A#5)

Suggested documentation – Partially achieved

Suggested documentation includes:

  • network architecture documentation
  • evidence of deliberate design choices to make the network less vulnerable to compromise and easier to recover
  • evidence of boundary defences in place
  • data flow mapping
  • sample of monitoring report or dashboards
  • evidence of deliberate design choices to simplify recovery process
  • evidence of automatic checking and validation of all inputs to important networks and information systems
  • evidence of monitoring in place for content-based attacks

Additional documentation – Achieved

Additional documentation includes:

  • security zone risk analysis
  • evidence of technical and physical solutions being applied proportionately to zone security levels
  • evidence of boundary protection solutions being applied proportionately to data flow sources
  • evidence of controls for mitigating content-based attacks

B4.b Secure configuration

Description

You securely configure the network and information systems that support the operation of your essential function(s).

The expectation for this contributing outcome is Partially achieved.

Indicators of good practice (IGP) achievement levels can be viewed via the Data Security Protection Toolkit.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing – Partially achieved

1. Asset configuration - Inspect documentation relevant to how the organisation configures its assets. Assess whether:

  1. The organisation has identified the assets for which configuration profiles need to be created to maintain the security of its essential functions. (PA#1)
  2. The organisation has documented appropriate configuration profiles for those assets, ensuring consistent configurations are used across similar environments. (PA#3)

2. Applying configurations to assets - Obtain a sample of the organisation’s assets and verify that the configuration profiles documented in step 1 have been correctly applied. (PA#3)

3. Secure builds - Assess whether the organisation has defined and documented a collection of secure baseline builds for different devices across its estate. From the list of platform and devices, obtain a sample to verify that the builds, though not necessarily all matching the most up-to-date build profile, match to an approved baseline build in the organisation’s documentation. (PA#2)

4. Changes and adjustments to security configurations - Assess whether the organisation has procedures to ensure that changes to security configurations are approved and documented. Obtain and inspect documentation related to configuration change approvals to verify the procedures are being followed. (PA#4)

5. Software verification - Establish whether there is a process for considering and approving software prior to permitting its installation. Obtain evidence that this process is followed. (PA#5)

6. Removal of generic accounts - Assess whether the organisation has identified and documented generic, shared, default name and built-in accounts used across its systems and networks. Obtain evidence that one of the following statements applies to each generic, shared, default name or built-in account: 

  1. The account has been removed, disabled, or the password has been changed (PA#6, A#8)
  2. The account is robustly restricted through technical or procedural controls, such that no staff members can access or perform meaningful actions on information, systems or networks supporting essential functions without first individually identifying themselves (PA#6, A#8)
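One way to gather the evidence asked for in step 6 on a Linux host is to classify each generic, shared, default or built-in account from the contents of /etc/passwd and /etc/shadow. The script below is an added example, not part of this framework or the Data Security Protection Toolkit; the watch list, the file contents and the hash strings are constructed for illustration, and `AS_OF` stands in for the assessment date.

```python
"""Audit generic and built-in accounts from passwd/shadow content (added example).

Each account on a watch list is classified as 'absent', 'disabled' or
'active'. 'disabled' means the password field is locked ('!' or '*' prefix),
the account has passed its expiry date, or the login shell is a non-login
shell; anything else is 'active' and needs the technical or procedural
restriction evidence the assessor asks for under PA#6.
"""
from dataclasses import dataclass
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed watch list of generic, shared, default and built-in names.
WATCH_LIST = ["root", "guest", "admin", "backup", "svc_shared", "test"]

# Constructed file contents standing in for /etc/passwd and /etc/shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/bash
admin:x:1002:1002:Local admin:/home/admin:/bin/bash
svc_shared:x:1003:1003:Shared service:/srv/app:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
backup:*:19700:0:99999:7:::
guest:!$6$saltsalt$hashhash:19700:0:99999:7:::
admin:$6$saltsalt$hashhash:19700:0:99999:7::19800:
svc_shared::19700:0:99999:7:::
"""
AS_OF = date(2025, 10, 9)  # assumed assessment date


@dataclass
class AccountStatus:
    name: str
    status: str   # 'absent', 'disabled' or 'active'
    reason: str


def parse_passwd(text):
    """Map username -> login shell (field 7 of /etc/passwd)."""
    shells = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            shells[fields[0]] = fields[6]
    return shells


def parse_shadow(text):
    """Map username -> (password field, expiry date or None).

    Field 8 of /etc/shadow is the account expiry as days since 1970-01-01.
    """
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 8 or line.startswith("#"):
            continue
        expiry = EPOCH + timedelta(days=int(fields[7])) if fields[7] else None
        entries[fields[0]] = (fields[1], expiry)
    return entries


def classify(name, shells, shadow, today):
    """Apply the lock / expiry / shell rules to one watched account."""
    if name not in shells and name not in shadow:
        return AccountStatus(name, "absent", "no passwd or shadow entry")
    password, expiry = shadow.get(name, ("", None))
    shell = shells.get(name, "")
    if password.startswith(("!", "*")):
        return AccountStatus(name, "disabled", "password locked")
    if expiry is not None and expiry <= today:
        return AccountStatus(name, "disabled", f"account expired on {expiry}")
    if shell in NOLOGIN_SHELLS:
        return AccountStatus(name, "disabled", f"non-login shell {shell}")
    if password == "":
        return AccountStatus(name, "active", "EMPTY password field")
    return AccountStatus(name, "active", "usable password and login shell")


def audit_accounts(passwd_text, shadow_text, watch_list, today):
    """Return {name: AccountStatus} for every account on the watch list."""
    shells = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    return {name: classify(name, shells, shadow, today) for name in watch_list}


if __name__ == "__main__":
    for entry in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, WATCH_LIST, AS_OF).values():
        print(f"{entry.name:<12} {entry.status:<9} {entry.reason}")
```

A 'password locked' verdict only shows that password authentication is blocked; SSH key-based login is unaffected by a `!` prefix, so the assessor should corroborate it with the account's authorised keys and access-control evidence before treating the account as disabled. Accounts reported 'active' (here `root` and the shared service account with an empty password field) are the ones for which statement 2 above must be evidenced.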

Additional approach to testing – Achieved

1. Active configurations management - In addition to step 1 of Partially achieved, verify that:

  1. The organisation has a scheduled or efficiently reactive process to ensure that configuration profiles are reviewed and updated based on changes in the organisation’s environment. Obtain evidence of such changes being identified and triggering an update to configurations. (A#3)
  2. The organisation has procedures for ensuring that the latest approved configurations are applied to its assets without undue delay. (A#1)
  3. The organisation is tracking the configuration status of all configurable assets. Where the latest configuration profiles have not been applied, legitimate justifications are provided and realistic plans for future implementation are documented. Obtain a sample of the organisation’s assets and verify that the configuration status of each one matches the organisation’s documentation. (A#1)
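The configuration-tracking evidence described in steps 1 to 3 above (and in step 2 of Partially achieved) can be produced from a drift check that compares each sampled asset's observed settings with its documented profile and honours a register of justified exceptions. The following is an added example, not the framework's or any toolkit's code; the profile keys, the asset names, the observed values and the exception register are all constructed, and `AS_OF` is an assumed assessment date.

```python
"""Configuration drift check against documented profiles (added example).

The effective profile is a base profile plus an environment overlay, so
similar environments share one documented configuration. Each asset is
reported as 'compliant', 'justified-exception' (every drifted setting has
a documented justification and a plan date that has not lapsed) or
'non-compliant'.
"""
from datetime import date

# Constructed documented profiles.
BASE_PROFILE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "firewall.default_inbound": "deny",
    "audit.enabled": "yes",
}
ENVIRONMENT_OVERLAYS = {
    "clinical": {"smb.min_protocol": "SMB3"},
    "office": {},
}

# Constructed observed settings, as collected from a sample of assets.
SAMPLE_ASSETS = [
    {"name": "ward-ws-01", "environment": "clinical",
     "observed": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
                  "firewall.default_inbound": "deny", "audit.enabled": "yes",
                  "smb.min_protocol": "SMB3"}},
    {"name": "ward-ws-02", "environment": "clinical",
     "observed": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
                  "firewall.default_inbound": "deny", "audit.enabled": "yes",
                  "smb.min_protocol": "SMB2"}},
    {"name": "lab-srv-03", "environment": "clinical",
     "observed": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
                  "firewall.default_inbound": "deny", "audit.enabled": "yes",
                  "smb.min_protocol": "SMB1"}},
    {"name": "office-ws-07", "environment": "office",
     "observed": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "yes",
                  "firewall.default_inbound": "deny", "audit.enabled": "yes"}},
]

# Constructed exception register: (asset, setting) -> justification and plan date.
SAMPLE_EXCEPTIONS = {
    ("ward-ws-02", "smb.min_protocol"): {
        "justification": "legacy imaging modality only speaks SMB2",
        "planned_by": date(2026, 3, 31)},
    ("lab-srv-03", "smb.min_protocol"): {
        "justification": "analyser vendor upgrade outstanding",
        "planned_by": date(2024, 12, 31)},   # plan date has lapsed
}
AS_OF = date(2025, 10, 9)  # assumed assessment date


def effective_profile(environment):
    """Base profile with the environment's overlay applied on top."""
    profile = dict(BASE_PROFILE)
    profile.update(ENVIRONMENT_OVERLAYS.get(environment, {}))
    return profile


def find_drift(asset):
    """Return {setting: (expected, observed)} for settings that differ."""
    expected = effective_profile(asset["environment"])
    observed = asset["observed"]
    return {k: (v, observed.get(k)) for k, v in expected.items() if observed.get(k) != v}


def exception_is_valid(exception, today):
    """A legitimate exception has a justification and a plan date still in the future."""
    return (exception is not None and bool(exception.get("justification"))
            and exception.get("planned_by") is not None
            and exception["planned_by"] >= today)


def check_asset(asset, exceptions, today):
    """Return (status, drift) for one asset."""
    drift = find_drift(asset)
    if not drift:
        return "compliant", drift
    if all(exception_is_valid(exceptions.get((asset["name"], k)), today) for k in drift):
        return "justified-exception", drift
    return "non-compliant", drift


def report(assets, exceptions, today):
    """Configuration status for every sampled asset."""
    return {a["name"]: check_asset(a, exceptions, today)[0] for a in assets}


if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        status, drift = check_asset(asset, SAMPLE_EXCEPTIONS, AS_OF)
        print(f"{asset['name']:<13} {status:<20} {drift}")
```

A lapsed plan date turns a previously justified exception back into non-compliance, which is the distinction step 3 draws between a legitimate justification with a realistic plan and configuration that has simply not been applied.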

2. Secure builds - In addition to step 2 of Partially achieved, verify that the organisation has procedures for ensuring that its most up-to-date baseline builds, or the latest known good configuration version for that environment, are applied to devices and platforms without undue delay. Obtain a sample of devices or platforms to verify the builds are correctly implemented. (A#2)

3. Validation - Establish whether there is a scheduled or efficiently reactive review schedule in place to validate that network and information systems have the expected, secured settings and configuration. Obtain evidence of this review taking place. (A#4)

4. Allow list of software - Establish whether the organisation has documented a list of software that can be installed, and has implemented technical controls to prevent all other software from being installed. Obtain this software list and verify that only that software can be installed, for example by asking a member of staff to try to install other software. (A#5)

5. Actions of standard users - Establish whether the organisation has appropriately defined and documented settings which would impact security or the operation of essential functions if changed by users. Review the controls in place for standard users, and verify that they are prevented from changing such settings. (A#6)

6. Automated decision-making - Enquire of management and establish whether automated decision-making technologies are in use. If yes, assess the organisation’s understanding of their operation, and verify whether decisions can be replicated. Test this replication for a sample of decisions. (A#7)

Suggested documentation – Partially achieved

Suggested documentation includes:

  • documented configuration profiles for assets supporting the operation of essential functions
  • evidence of operating environment being considered for configurations
  • baseline builds for different devices
  • procedures for approving and documenting changes to security configurations
  • procedures for assessing the security of software before deployment
  • evidence of generic, shared, default name and built-in accounts being removed, disabled, password changed or robustly restricted through technical controls

Additional documentation – Achieved

Additional documentation includes:

  • procedures for reviewing and updating configuration profiles based on changes in the environment
  • procedures for applying the latest configurations to assets
  • evidence that configurations are applied to all assets, and configuration statuses tracked
  • evidence of baseline builds being correctly applied to all devices
  • procedures for validating the application of configuration settings to devices
  • software allow list
  • evidence of security impacting settings changes being identified and controls implemented to prevent standard user access
  • evidence of any automated decision-making technologies in use being understood and their decisions replicated

B4.c Secure management

Description

You manage your organisation's network and information systems that support the operation of your essential function(s) to enable and maintain security.

The expectation for this contributing outcome is Partially achieved.

Indicators of good practice (IGP) achievement levels can be viewed via the Data Security Protection Toolkit.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing – Partially achieved

1. Administration of systems and devices – Obtain evidence confirming that:

  1. The organisation understands which systems and devices support the operation of essential functions. (PA#1)
  2. The organisation holds a list of authorised privileged users who hold responsibility and unique permissions for administering and maintaining systems and devices, with an approval process for new authorisations. (PA#1)
  3. Systems and devices can only be administered or maintained from devices which are sufficiently separated through technical and procedural controls from the activities of standard users. (PA#1)

2. Technical knowledge about networks and information systems - Obtain and inspect network diagrams and other documentation related to technical knowledge about networks and information systems, and assess whether those documents are regularly reviewed and updated. (PA#2, A#2)

3. Malware and unauthorised software - Assess the organisation’s technical, procedural and physical measures for identifying, investigating and removing malware or unauthorised software. Ascertain how the organisation has made their determination that the measures they have in place provide sufficient protection. (PA#3, A#3)

Additional approach to testing – Achieved

1. Privileged access workstations – In addition to step 1 of Partially achieved, establish whether there are devices in the organisation that are dedicated to the administration or maintenance of systems and devices. Assess whether those devices are appropriately secured, with only privileged users being able to access and use them, and verify that they are solely dedicated to administration or maintenance operations. (A#1)

2. Secure storage - In addition to step 2 of Partially achieved, assess how the documentation is stored, and whether it is adequately secure. Obtain evidence of the security measures in place. (A#2)

Suggested documentation – Partially achieved

Suggested documentation includes:

  • documentation identifying systems and devices supporting essential functions
  • list of privileged users and procedures for authorising privileged access
  • evidence of separation of devices used for system administration and maintenance
  • procedures for reviewing and updating network diagrams and other technical documentation relating to networks and information systems
  • procedures and defensive measures against malware and unauthorised software

Additional documentation – Achieved

Additional documentation includes:

  • evidence of devices being specifically configured and dedicated solely to administration and maintenance operations
  • evidence of security measures in place for stored network diagrams and other technical documentation relating to networks and information systems

B4.d Vulnerability management

Description

You manage known vulnerabilities in your network and information systems to prevent adverse impact on your essential function(s).

The expectation for this contributing outcome is Partially achieved.

Indicators of good practice (IGP) achievement levels can be viewed via the Data Security Protection Toolkit.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.

The approach and documentation list described below provide guidance on how to conduct testing but should be adapted depending upon evidence provided by NHS providers to show how they meet the outcomes.

1. Implementing high severity alerts

Verify that: 

  1. Organisations have, and reliably apply, appropriate procedures for deciding whether to follow the advice within a high severity alert, with any decisions not to follow the advice being taken at board level (or as delegated).
  2. Implementation decisions are reported using the NHS England ‘Respond to an NHS cyber alert’ service within 14 days of the alert being issued.

2. Sample testing

Review a sample of high severity alerts for decisions and implementation action. Where a decision has been made not to follow the advice within an alert, verify that it was made by a person or committee with appropriate authorisation. Where a decision has been made to follow the advice, verify that appropriate activity has occurred or is planned. Confirm that each decision has been reported to NHS England within 14 days of the alert being issued.

Suggested approach to testing – Partially achieved

1. Threat intelligence gathering - Ascertain how the organisation gathers threat intelligence, and which sources of threat intelligence it uses. Obtain evidence that the organisation cross-checks threat intelligence it receives against its own systems to understand its exposure to publicly known vulnerabilities. (PA#1, A#1)

2. Vulnerability management process - Assess whether there is a documented process in place to:

  1. Receive, track and analyse announced vulnerabilities for all software packages, network and information systems used to support essential functions. (PA#2)
  2. Prioritise the vulnerabilities based on the risk they pose to the organisation. (PA#2)
  3. Mitigate externally-exposed vulnerabilities within a defined timeframe, which should be based on the risk assessment in step 2.b. (PA#2)
  4. Perform a risk-based assessment that dictates which severity level of vulnerabilities can have temporary mitigations applied to them, and how long those mitigations can be in place before the vulnerability must be fully remediated. (PA#3)
  5. Scan the organisation’s network to identify vulnerabilities, including how frequently those scans take place. (PA#5)

3. Sample testing of vulnerabilities - Obtain the list of announced vulnerabilities that have been recorded by the organisation and sample test whether the process in step 2 is being adequately followed. (PA#2)

4. Temporary mitigations - Obtain the list of vulnerabilities and sample test whether the process for applying temporary mitigations is being adequately applied. (PA#3)

5. Migration to supported technology - Obtain and inspect the list of unsupported systems and software, and assess whether:

  1. There is a plan in place to migrate the system or software to a supported technology. (PA#4)
  2. Temporary mitigations have been discussed, approved and are being implemented. (PA#4)

6. Network scanning - Obtain a sample of network scans to verify if the expected frequency is followed. Assess whether the vulnerability management process includes a process for analysing and prioritising the identified vulnerabilities. (PA#5)
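Steps 2 to 4 above describe a prioritisation, timeframe and temporary-mitigation policy and then ask the assessor to sample-test the recorded vulnerabilities against it. The script below is an added example of that sample test, not part of this framework; the remediation and mitigation windows are assumed policy values (a real organisation's values come from its own risk assessment), the `VULN-` identifiers and dates are constructed, and `AS_OF` is an assumed assessment date. It also covers the Achieved step that internal vulnerabilities carry a defined timeframe, by keying the window on exposure as well as severity.

```python
"""Vulnerability SLA triage over recorded vulnerabilities (added example).

Applies a documented (here constructed) remediation policy to a list of
vulnerability records and reports which are on track, overdue, closed, or
covered by a temporary mitigation that has expired or is not permitted.
"""
from datetime import date, timedelta

# Assumed policy: days allowed to remediate, keyed by (severity, exposure).
REMEDIATION_DAYS = {
    ("critical", "external"): 7,   ("critical", "internal"): 14,
    ("high", "external"): 14,      ("high", "internal"): 30,
    ("medium", "external"): 30,    ("medium", "internal"): 90,
    ("low", "external"): 180,      ("low", "internal"): 180,
}
# Assumed policy: maximum days a temporary mitigation may stand in for a fix
# (None = temporary mitigation not permitted at this severity).
TEMP_MITIGATION_DAYS = {"critical": None, "high": 30, "medium": 90, "low": 180}

# Constructed records standing in for the organisation's vulnerability register.
SAMPLE_RECORDS = [
    {"id": "VULN-01", "severity": "critical", "exposure": "external",
     "published": date(2025, 10, 5)},
    {"id": "VULN-02", "severity": "high", "exposure": "internal",
     "published": date(2025, 8, 1)},
    {"id": "VULN-03", "severity": "high", "exposure": "external",
     "published": date(2025, 9, 1), "temp_mitigated": date(2025, 9, 5)},
    {"id": "VULN-04", "severity": "medium", "exposure": "internal",
     "published": date(2025, 9, 20), "temp_mitigated": date(2025, 9, 25)},
    {"id": "VULN-05", "severity": "critical", "exposure": "internal",
     "published": date(2025, 10, 1), "temp_mitigated": date(2025, 10, 2)},
    {"id": "VULN-06", "severity": "low", "exposure": "external",
     "published": date(2025, 1, 1), "remediated": date(2025, 3, 1)},
]
AS_OF = date(2025, 10, 9)  # assumed assessment date

ATTENTION_STATES = {"overdue", "temp-mitigation-expired",
                    "temp-mitigation-not-permitted", "closed-late"}


def triage(record, today):
    """Return (state, due_date) for one record under the policy above."""
    severity, exposure = record["severity"], record["exposure"]
    due = record["published"] + timedelta(days=REMEDIATION_DAYS[(severity, exposure)])

    if record.get("remediated"):
        return ("closed-on-time" if record["remediated"] <= due else "closed-late", due)

    mitigated = record.get("temp_mitigated")
    if mitigated:
        allowed = TEMP_MITIGATION_DAYS[severity]
        if allowed is None:
            return ("temp-mitigation-not-permitted", due)
        # With a permitted temporary mitigation, the clock that matters is
        # how long the mitigation may stand before full remediation is due.
        expiry = mitigated + timedelta(days=allowed)
        return ("temp-mitigation-expired" if today > expiry else "temporarily-mitigated", expiry)

    return ("overdue" if today > due else "on-track", due)


def triage_all(records, today):
    """Triage every record; rows sorted by earliest due date."""
    rows = []
    for record in records:
        state, due = triage(record, today)
        rows.append({"id": record["id"], "severity": record["severity"],
                     "state": state, "due": due})
    return sorted(rows, key=lambda row: (row["due"], row["id"]))


def needs_attention(records, today):
    """Identifiers whose state breaches the policy, earliest due first."""
    return [row["id"] for row in triage_all(records, today)
            if row["state"] in ATTENTION_STATES]


if __name__ == "__main__":
    for row in triage_all(SAMPLE_RECORDS, AS_OF):
        print(f"{row['id']}  {row['severity']:<8} {row['state']:<30} due {row['due']}")
    print("needs attention:", needs_attention(SAMPLE_RECORDS, AS_OF))
```

Run against the register, the rows in `needs_attention` are the ones the assessor follows up in step 3 (missed timeframes) and step 4 (temporary mitigations that have outlived their permitted window or were applied at a severity where the policy does not allow them).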

Additional approach to testing – Achieved

1. Vulnerability management process - In addition to the controls assessed in step 2 of the Partially achieved approach to testing, verify that internal vulnerabilities are also mitigated within a defined timeframe, which should be documented within the vulnerability management process. (A#2)

2. External scanning - In addition to the controls assessed in step 6 of the Partially achieved approach to testing, assess whether the vulnerability management process requires the organisation to verify its understanding with a third-party, such as the asset supplier, National Cyber Security Centre (NCSC) or auditors. (A#3)

3. Asset support - Obtain the list of networks and information systems supporting essential functions, and assess whether the end-of-life (EOL) and/or end-of-support (EOS) dates have been documented. Discuss with management whether there is a documented process in place for planning end-of-life for critical systems, for example by renewing the support contract or migrating to newer versions. If this document exists, inspect it and assess whether it includes key contacts (internal and external), and how long before the EOL/EOS this process should be started. (A#4)

Suggested documentation – Mandatory policy requirement 

Suggested documentation includes:

  • evidence of procedures for implementing high severity alerts issued by NHS England  
  • sample of evidence of implementing high severity alerts issued by NHS England 
  • sample of documented decisions for high severity alerts issued by NHS England  

Suggested documentation – Partially achieved

Suggested documentation includes:

  • procedures for gathering and analysing threat intelligence
  • vulnerability management process
  • list of announced vulnerabilities
  • evidence of temporary mitigations being applied
  • list of unsupported systems and software
  • evidence of plans to migrate unsupported systems or software
  • sample of network scans

Additional documentation – Achieved

Additional documentation includes:

  • evidence of internal vulnerabilities being remediated
  • evidence of third-party testing of network and information system vulnerabilities
  • process for planning end-of-life for critical systems

Last edited: 9 October 2025 3:41 pm