The key to good data security is defence in depth, such as, having multi-layered security using differing tools and techniques. That way, if one level is compromised, further layers are in place to minimise further damage.
The following, standards and tools can be used to aid the development of security policies and processes:
To complete the security assurance in a timely manner it is recommended that you engage with your IT and IT Governance departments. Before submitting your security assurance
The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
All organisations that have access to NHS patient data and systems should use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
This is the preferred method of assurance.
The aim of the DSPT is to develop the Data Security maturity of Organisations.
Approval is based on meeting the standard see table below:
Standards Not Met (Improvement Plan Agreed)
Can be approved may include special conditions
2. International Organisation for Standardisation (ISO)
ISO27001 - Information Security Management System (ISMS)
ISO is a recognised international standard providing requirements for an information security management system (ISMS), there are more than a dozen standards in the ISO/IEC 27000 family.
Organisations using a current ISO27001 certification must confirm that the Scope and the Statement of Applicability (SOA), includes the relevant standards from the ISO27000 family and is aligned to their role in the application.
3. System Level Security Policy (SLSP)
A System Level Security Policy (SLSP) can be provided as assurance this can either be a stand-alone document or be supported by the relevant policies within the Organisation.
The SLSP should be used as a transitional assurance that enables the organisation to increase the maturity of their Data Security so that they are able to complete the preferred DSPT.
A guidance document will be available soon to help you construct an SLSP that can be used to help your organisation develop towards the preferred option of a DSPT. The SLSP needs to provide the same level of assurance that a DSPT would, to ensure that organisations are aligned to standards.
If further guidance is required please refer to:
All topics – NCSC.GOV.UK
NHS Digital follows the security guidance and best practice published by the National Cyber Security Centre (NCSC); this is aimed at assisting all types of Organisations in different sectors with Data Security concerns. The NCSC guidance should be referred for any Data Security support you may need.
In addition to the NCSC Guidance other recommended sources are:
- National Institute of Standards and Technology (NIST).
This is a valuable source of Cyber Security information and standards.
- Cloud Security Alliance (CSA)
CSA is the world’s leading organisation dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.