Part of Objective B - Protecting against cyber-attack and data breaches
Principle B6: Staff awareness
Staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation to information, systems and networks supporting the operation of essential functions.
B6.a Culture
Description
You develop and maintain a positive culture around information assurance.
The expectation for this contributing outcome is Partially achieved.
Indicators of good practice (IGP) achievement levels
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.
Suggested approach to testing – Partially achieved
1. Culture - obtain evidence of how the organisation’s executive management communicates the importance of a positive culture around information assurance, for example, through campaigns they have sponsored, initiatives they have supported and communications they have issued. Assess whether the organisation’s methods of promotion ensure that all levels of staff are made aware of these information assurance endorsements. (PA#1)
2. Staff contribution - discuss with a sample of staff members what things they need to do and be aware of in their role in order to keep information safe, and whether they understand the contribution they make to securing and protecting patient information, including appropriate use of IT systems. This understanding could come from training for information governance and security, communication from management, clauses in their contracts or policies detailing their responsibilities. (PA#2)
3. Raising a security issue - discuss with the organisation their process for raising a security issue, including potential incidents, near misses or general concerns.
- Verify that this process is documented. (PA#3)
- Establish whether this process is widely shared with staff, for example through official communication, training or as part of a new joiner pack of policies. (PA#3)
4. Accessing important information - assess what methods the organisation uses to make clear to staff members:
- Where they can locate important information relating to cyber security and IG procedures. For example, a procedural document telling them how to securely send information to external organisations and patients. (PA#3)
- Who they can speak to when they are unsure about cyber security and IG procedures. For example, details of the organisation’s IT team or Data Protection Officer. (PA#3)
Additional approach to testing – Achieved
1. Priorities and objectives for information assurance - in addition to step 1 of Partially achieved, obtain evidence that:
- Priorities and objectives for information assurance have been defined and documented. (A#1)
- Positive security and governance attitudes, behaviours and expectations are displayed by executive management and the organisation, for example through championing of information governance and cyber security achievements and encouraging a culture of improvement (A#1, A#4).
2. Positive treatment of staff raising incidents and issues - discuss with the organisation how they encourage positive treatment of people who raise concerns about potential security or data protection incidents. Ask a sample of staff members whether they feel they would be treated positively if they raised a concern about a potential security or data protection incident. (A#2)
3. Process for reporting concerns or issues - discuss with management the process for staff to report concerns or issues about information assurance, and obtain evidence that it is followed appropriately. Assess whether the process is sufficient to ensure that:
- Concerns or issues are investigated and acted on quickly, and communication takes place with the person who raised the alert initially. (A#3, A#5)
- The person raising the alert is recognised for their contribution to keeping the organisation and its information secure. (A#3)
- Staff are protected from retaliation or negative treatment for raising an issue or concern. (A#2, A#3)
4. Activities to improve information assurance - discuss with the organisation the opportunities available for staff to participate in activities to improve information assurance, for example lunch-and-learns, official training and blogs. Obtain evidence that those activities are not just an occasional one-off, and are attended by all levels of staff. (A#6)
Suggested documentation – Partially achieved
Suggested documentation includes:
- evidence of executive management endorsements and communications promoting the importance of a positive culture around information assurance
- list of all staff members and the relevant training, communications and procedures they have access to
- procedures for raising security issues
- procedures for informing staff where to find important cyber security and IG-related information and contacts
Additional documentation – Achieved
Additional documentation includes:
- documentation showing information governance priorities and objectives
- evidence of campaigns and initiatives showing positive security governance attitudes, behaviours and expectations from executive management
- evidence of encouragement of positive staff treatment following reports of security issues
- evidence of concerns being taken seriously, recognition of positive behaviours and protection from retaliation being incorporated into procedures for raising concerns
- evidence of activities to promote information assurance awareness
B6.b Training
Description
The people who support the operation of your essential function(s) are appropriately trained in information assurance. A range of approaches to information assurance training, awareness and communications are employed.
The expectation for this contributing outcome is Achieved.
Indicators of good practice (IGP) achievement levels
As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.
The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.
Suggested approach to testing – Partially achieved
1. Information assurance training and awareness - assess whether appropriate training and awareness activities have been defined for each role, or groups of roles, based on their activities and responsibilities within the organisation. (PA#1)
2. Range of teaching and communication - obtain evidence that the organisation has, as part of the development of the training needs analysis, ensured its methods of training and raising awareness are appropriate for the staff groups they need to reach. Where specific methods have been chosen, for example digital modules, activity-based training or certified courses, verify that the organisation can explain the rationale for their effectiveness, taking into account the roles and responsibilities of the target audience. (PA#2)
3. Obtaining information assurance information - verify whether the organisation has made it easy for staff to find relevant cyber security and IG information, such as by having a centrally accessible repository or an easily navigable intranet hub with signposting to relevant topics. (PA#3)
Additional approach to testing – Achieved
1. Staff training paths - in addition to step 1 in Partially achieved, verify that skills and knowledge are identified for staff to achieve over time as part of undertaking the training activities designated by the organisation. (A#1)
2. Tracking of training completion - obtain evidence that the organisation has a way of tracking which training has been undertaken by which staff members, and alerting those staff members to refresh their training at suitable intervals. (A#2)
3. Evaluating effectiveness of training - discuss with the organisation the process for evaluating the effectiveness of training and awareness activities, which may be carried out on a schedule or triggered reactively. For example, evaluations could be informed by staff feedback, new national requirements or changes in the technology used by the organisation. Obtain the results of the latest evaluation process and verify that actions resulting from the evaluation were assigned to an owner and are being progressed. (A#3)
4. Availability and use of information and good practice guidance - in addition to step 3 of Partially achieved, assess through discussions with the organisation whether it has made good practice guidance available on topics identified as being important for staff members to understand for good data security and protection. Verify that the organisation is able to give examples it is aware of where these resources have been referenced or used by colleagues. (A#4)
Suggested documentation – Partially achieved
Suggested documentation includes:
- documented training and awareness activities for all staff roles
- procedures for considering and approving training methods
- evidence of easily available information assurance information
Additional documentation – Achieved
Additional documentation includes:
- evidence of specific training goals, skills, knowledge being identified
- procedures for tracking and refreshing individuals’ training cycles
- procedures for evaluating effectiveness of training and awareness activities
- evidence of good practice guidance being made available on key topics and used by staff members
Last edited: 2 January 2025 12:33 pm