Part of Objective B - Protecting against cyber-attack and data breaches
Principle B5: Resilient networks and systems
The organisation builds resilience against cyber-attack and system failure into the design, implementation, operation and management of systems that support the operation of essential functions.
B5.a Resilience preparation
Description
You are prepared to restore the operation of your essential function(s) following adverse impact.
The expectation for this contributing outcome is Partially achieved.
Indicators of good practice (IGP) achievement levels can be viewed via the Data Security Protection Toolkit.
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.
Suggested approach to testing – Partially achieved
1. Knowledge for restoring essential functions - obtain evidence to verify that:
- The organisation has documented all networks, information systems and underlying technologies that are necessary to restore the operation of the essential function(s). (PA#1)
- The organisation has identified which essential functions are supported by which networks, information systems and underlying technologies. (PA#1)
2. Technical understanding for bringing systems back online - obtain evidence that the organisation understands the order in which systems within its network(s) can technically be brought back online given the interdependencies between them. (PA#2)
Additional approach to testing – Achieved
1. Business continuity and disaster recovery plans - inspect the organisation’s business continuity and disaster recovery plans. Verify that the organisation has conducted and documented testing exercises supporting the delivery of roles and responsibilities outlined in the plans. Assess whether:
- The testing exercises conducted were sufficient to give the organisation assurances about the practicality, effectiveness and completeness of their business continuity and disaster recovery plans. (A#1)
- The test methods used were appropriate to make a robust assessment of the duties outlined in the business continuity plan and disaster recovery plans. (A#1)
2. Heightened risk identification - establish with management the process for leveraging the organisation’s security awareness and threat intelligence sources to identify new or heightened levels of risk. Assess the reporting lines for this process to ensure that management can act quickly on new information, and assess whether the temporary security measures to be put in place have been documented for a range of scenarios. Obtain evidence from the latest identified risks showing that this process was adequately followed. (A#2)
Suggested documentation – Partially achieved
Suggested documentation includes:
- documentation identifying networks, information systems and technologies necessary for restoring the operation of essential functions
- evidence of interdependencies between essential functions and networks, systems and technologies being identified
Additional documentation – Achieved
Additional documentation includes:
- business continuity and disaster recovery plans
- evidence of testing exercises conducted related to business continuity and disaster recovery plans
- procedures for identifying heightened levels of risk and implementing mitigating actions
B5.b Design for resilience
Description
You design the network and information systems supporting your essential function(s) to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated.
The expectation for this contributing outcome is Not achieved.
Indicators of good practice (IGP) achievement levels can be viewed via the Data Security Protection Toolkit.
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.
Suggested approach to testing – Partially achieved
1. Asset segregation - Obtain network architecture documentation and assess whether network and information systems supporting the operation of essential functions are logically separated from business systems, for example by locating them in a demilitarised zone (DMZ). (PA#1)
2. Access to internet services - For any network and information systems supporting essential functions with access to internet services, verify that:
- The organisation has procedures ensuring internet services are only used where there is a ‘clear business need’ with supporting documentation covering:
i) acceptable use of the internet. (PA#1)
ii) which staff member groups have a legitimate business need to access the internet. (PA#1)
iii) how legitimate internet access is managed. (PA#1)
- The organisation has ‘appropriate restrictions’ in place, with documented solutions to:
i) monitor and analyse incoming and outgoing internet traffic. (PA#1)
ii) block or filter out harmful content. (PA#1)
iii) block unapproved connections. (PA#1)
iv) manage internet access. (PA#1)
3. Resource limitation - Assess whether the organisation has:
- Reviewed its network infrastructure and identified single points of failure which risk causing major disruption to the network if compromised, such as single network paths. (PA#2)
- Documented, reviewed and accepted the associated risks. (PA#2)
- Developed an improvement plan to upgrade networks and systems where the risk they pose exceeds the risk appetite of the organisation. (PA#2)
Additional approach to testing – Achieved
1. Technical and physical segregation - Obtain network architecture documentation and assess whether the organisation has applied appropriate technical and physical means to separate its networks and systems supporting essential functions from other business and external systems, for example by locating them on a separate network with independent user administration. (A#1)
2. Remediating resource limitations - In addition to step 2 of Partially achieved, assess whether the organisation has implemented actions to remediate all single points of failure identified. (A#2)
3. Geographical constraints - Establish whether the organisation has identified, documented and mitigated geographical constraints, such as all the organisation’s servers being in the same location. Assess whether appropriate solutions have been implemented to mitigate the associated risks. (A#3)
4. Regular review of assessments - Obtain evidence to show that there is a scheduled or efficiently reactive process for reviewing and updating assessments of network dependencies, resource and geographical limitations and applied mitigations. Verify that responsible owners have reviewed and updated their assigned assessments at the appropriate intervals. (A#4)
Suggested documentation – Partially achieved
Documentation should include:
- network architecture documentation
- evidence of a clear business need and restrictions being applied to networks and systems with internet access
- documentation identifying single points of failure, associated risks and proposed mitigations
Additional documentation – Achieved
Documentation should include:
- evidence of technical and physical segregation of networks supporting essential functions
- evidence of single points of failure being remediated
- evidence of geographical constraints and mitigations
- evidence of a scheduled review process for assessments relating to network resilience
B5.c Backups
Description
You hold accessible and secured current backups of data and information needed to recover operation of your essential function(s).
The expectation for this contributing outcome is Achieved.
Indicators of good practice (IGP) achievement levels can be viewed via the Data Security Protection Toolkit.
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.
Suggested approach to testing – Partially achieved
1. Backup plan - obtain and inspect the organisation’s procedures for backups. Assess whether they have planned for extreme event scenarios, such as a widespread hardware failure or cyber-attack.
- Verify that the organisation’s arrangements for backups ensure that backups are accessible to recover in those scenarios. (PA#1)
- Assess whether, in those same scenarios, the organisation would be able to access what they need to effectively utilise their backups, including data, configuration information, software, equipment, processes and knowledge. (PA#1)
2. Backup testing - obtain evidence that backups are tested to ensure the backup process functions correctly and the backups are usable. (PA#2)
Additional approach to testing – Achieved
1. Procedures for backup - verify that the organisation’s backup procedures are comprehensive, supported by documentation, detailing frequency, ongoing security and maintenance, automated backup processes (which have been implemented in areas where appropriate), and the organisation’s testing regime. (A#1)
2. Secure sites - in addition to step 1 of Partially achieved, establish whether the organisation’s backups are secured at centrally accessible or secondary sites to recover from an extreme event. (A#1)
3. Backup test reviews - in addition to step 2 of Partially achieved, obtain evidence to show that the results of the backup tests are regularly reviewed, with issues identified resulting in remediating actions. Obtain evidence of this review process and action implementation. (A#2)
Suggested documentation – Partially achieved
Suggested documentation includes:
- procedures for accessing and deploying backups after extreme event scenarios
- backup tests
Additional documentation – Achieved
Additional documentation includes:
- documentation of comprehensive procedures for backups
- evidence of secure sites being used for backup storage
- evidence of results of backup tests being reviewed and acted upon
Last edited: 18 September 2025 1:30 pm