Cyber Assurance Service

We offer centrally funded assessments to help NHS organisations identify vulnerabilities and understand and overcome areas of high risk. This will help your organisation to achieve Data Security and Protection Toolkit (DSPT) standards.

About the assessments  

The assessment will measure your performance in cyber and data security standards, by completing an IT Health Check and assessing your adherence to key DSPT assertions relating to cyber security.

Reports completed after the assessment will detail where improvement is needed, also considering the urgency to correct.

These assessments are for NHS trusts and commissioning support units (CSUs).


What the assessment involves 

The work is delivered by our specialist supplier, Dionach. The intention is to keep your involvement to a minimum, to make the process as easy as possible.

Our specialist supplier will carry out an IT Health Check and complete a detailed technical review of your organisation's IT setup, structure and working practices. The IT Health Check will cover:

  • network protection assessment 
  • security review for patient administration system (PAS)
  • file testing
  • active directory, central security and mobile device review
  • asset security review
  • wireless security review

Some data collected as part of the IT Health Check will be used to assess the key DSPT assertions, although some assertions will require additional information from you to complete. The DSPT aspect will cover:

  • accountability and governance
  • access management
  • password protection
  • software and email anti-virus protection
  • business continuity and disaster recovery
  • system updates and patch management 
  • vulnerability management
  • network configuration
  • firewall management
     

After the assessment

You will receive a detailed report within 10 working days of the assessment, outlining the highest risks and critical areas. This report will include suggested remediation actions.


Register for a cyber assessment

To find out more or to request this service, raise a call with the helpdesk by registering on the portal, clicking ‘Request Something’ and searching for ‘Cyber Assurance Service’.

Our internal teams and supplier will then be in touch to arrange your assessment. 


How this service aligns with the Cyber Assessment Framework

The sections below set out how this service aligns with the principles and outcomes of the Cyber Assessment Framework (CAF).

Objective A: Managing security risk

A1.a You have effective organisational security management led at board level and articulated clearly in corresponding policies.

A2.a Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.

A2.b You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.

A3.a Everything required to deliver, maintain or support networks and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).

A4.a The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.

Objective B: Defending systems against cyber attack

B1.b You have successfully implemented your security policies and processes and can demonstrate the security benefits achieved.

B2.a You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential function.

B2.b You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential function.

B2.c You closely manage privileged user access to networks and information systems supporting the essential function.

B2.d You closely manage and maintain identity and access control for users, devices and systems accessing the networks and information systems supporting the essential function.

B3.b You have protected the transit of data important to the operation of the essential function. This includes the transfer of data to third parties.

B3.c You have protected stored soft and hard copy data important to the operation of the essential function.

B3.d You have protected data important to the operation of the essential function on mobile devices.

B4.a You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability.

B4.c You manage your organisation's network and information systems that support the operation of essential functions to enable and maintain security.

B4.d You manage known vulnerabilities in your network and information systems to prevent adverse impact on the essential function.

B5.b You design the network and information systems supporting your essential function to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated.

Last edited: 16 November 2023 7:45 am