1 |
The database holding data supplied by NHS Digital has not been patched for some time. |
Access control |
DSFC Part 2, Schedule 2, Section A, clause 1.1 |
Agreement nonconformity |
|
2 |
Data in transit between the primary datacentre and the backup sites is not fully encrypted as required by the DSFC. |
Information transfer |
DSFC, Schedule 2, Section A, clause 4.6 |
Agreement nonconformity |
|
3 |
Vulnerability scans have not been conducted on elements of the infrastructure. |
Access control |
DSFC Part 2, Schedule 2, Section A, clause 1.1 |
Agreement nonconformity |
|
4 |
Findings from validation testing have not been cleared within a reasonable timescale and no formal remediation plan has been established. |
Access control |
DSFC Part 2, Schedule 2, Section A, clause 1.1 |
Agreement nonconformity |
|
5 |
ICL has not carried out a formal risk assessment of the physical controls at ICL’s data centres. |
Access control |
DSFC, Part 2, Schedule 2, Section A, Clause 3 |
Agreement nonconformity |
|
6 |
Two master's students had been given access to data supplied by NHS Digital, which is not permitted by the DSA.
During the audit, access to the data by the master's students was suspended by SAHSU, and a request was made to DARS to update the DSA.
|
Use and benefits |
DSA, Annex A, Section 5b |
Agreement nonconformity |
|
7 |
The data supplied by NHS Digital has not been classified in line with SAHSU Information Classification Policy. |
Operational management |
SAHSU Information Classification Policy |
Organisation nonconformity |
|
8 |
Although the DSA requires all PhD students to have substantive contracts in place with Imperial College London, no such contracts could be provided for any of the PhD students in the Unit. |
Use and benefits |
DSA, Annex A, Section 5b |
Observation |
|
9 |
Anti-virus alerts for the servers holding data supplied by NHS Digital are only forwarded to a single IT contact. If the contact was unavailable, then no action would be taken against the alerts. It was, however, stated that SAHSU plan to utilise the anti-virus solution used by the rest of ICL, where events would be captured in a log management tool and alerts issued to a group email address. |
Access control |
DSFC Part 2, Schedule 2, Section A, clause 1.1 |
Observation |
|
10 |
SAHSU should consider developing procedures or enhancing existing documentation to cover the following:
- the local storage of Active Directory (AD) administrator account passwords
- firewall management, for example, responsibilities, rule changes and configuration changes
- assessing security incidents and informing NHS Digital where appropriate
- electronic destruction of data supplied by NHS Digital
|
Operational management |
|
Opportunity for improvement |
|
11 |
SAHSU should proactively monitor the database logs. |
Operational management |
|
Opportunity for improvement |
|
12 |
The Information Asset Owner (IAO) should consider completing specialist IAO training. |
Operational management |
|
Opportunity for improvement |
|
13 |
SAHSU should consider adding appropriate document management information to its Data Protection Impact Assessment (DPIA). |
Operational management |
|
Opportunity for improvement |
|
14 |
SAHSU should consider deactivating user accounts that have not been accessed for more than six months. |
Access control |
|
Opportunity for improvement |
|
15 |
SAHSU's risk management process could be improved by regular review of the risk register at a group meeting, including the IAO. SAHSU should also consider formal risk management training. |
Risk management |
|
Opportunity for improvement |
|
16 |
SAHSU should consider automatically blocking remote connections in certain circumstances. |
Access control |
|
Opportunity for improvement |
|
17 |
ICL should consider proactive review of swipe card access to the datacentre as currently this is only done when users join or leave the organisation. |
Access control |
|
Opportunity for improvement |
|
18 |
SAHSU should consider carrying out a risk assessment on the statistical server as it may store temporary files if there is any abnormal shutdown of the statistical tools. |
Risk management |
|
Opportunity for improvement |
|
19 |
At the time of audit, ‘old’ servers had not been destroyed but still contained data supplied by NHS Digital. At the post-audit review, the Audit Team will review the data destruction process and view a completed certificate of destruction. |
Data destruction |
|
Follow-up |
|