Part of Cloud security – good practice guide
3. Step 1 - understand
The first step is to understand the data that you're dealing with:
1. List all the data fields/attributes that will be stored or processed by the system.
2. Quantify how much data is under consideration.
3. Consider how long the data will be held in the system.
4. Understand the Service Classification of the system (bronze, silver, gold, platinum). This relates to the availability SLAs and will be used to determine the cloud security approach for availability and integrity. The service classification is normally agreed between the owning programme and service management.
5. Carefully assess the data fields/attributes and decide which data type(s) this relates to.
6. Armed with this information, use the NHS England Data Risk Model to calculate the risk classification of the data.
7. Ensure that you document the outputs of the above, specifically:
   a. Retain the list of data types/attributes.
   b. Record the rationale for selecting the data type(s).
   c. Retain the completed risk model.
The Health and Social Care Cloud Risk Framework document lists the different data types, scale and persistency along with descriptions and examples. This will help you with steps 1 to 5 above.
The NHS England Data Risk Profile Tool calculates a score based on the type of data, the amount of data and for how long the data is held. This score is then translated into a risk classification and will be used in the next steps of the process.
The risk classification is used to help you understand:
- the risk profile and the associated governance that we would expect you to undertake
- the controls that need to be put in place to mitigate the risk
Last edited: 8 January 2025 11:41 am