| No. | Finding | Domain | Reference | Designation |
|---|---|---|---|---|
| 1 | Validation testing of required security controls has been conducted on an infrequent basis, with some aspects of testing not carried out. | Access control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity |
| 2 | A security appliance did not contain the latest patches. | Access control | DSFC, Schedule 2, Section A, Clause 1.1 | Agreement nonconformity |
| 3 | The ECSG should review its approach to risk management and ensure that it is consistent with the UoY Risk Management Policy. | Risk management | UoY, Risk Management Policy, Section 7.3 | Organisation nonconformity |
| 4 | The ECSG should take appropriate action to resolve the vulnerability identified in the vulnerability scan conducted in June 2021. | Access control | DSFC, Schedule 2, Section A, Clause 1.1 | Observation |
| 5 | The ECSG should consider updating section 2 of the DSA to declare the full processing and storage addresses. It should be noted that these locations have been declared in section 5b of the DSA. | Operational management | | Opportunity for improvement |
| 6 | The UoY should consider providing risk management training, to ensure that all relevant staff are aware of the processes for raising, recording and monitoring risks. | Risk management | | Opportunity for improvement |
| 7 | The ECSG information asset register (IAR) should be developed to be in line with the UoY IAR. The IAR should also be updated to reference specific datasets, data sensitivity classification, Information Asset Owner (IAO), Information Asset Administrator(s), download date, deletion date and details of any joint Controllers. The IAR should also take into account requirements from the research and governance section of the UoY Health Sciences data security policy. | Operational management | | Opportunity for improvement |
| 8 | The UoY should consider including details of the next review date on policies and procedures as part of its document management control. | Operational management | | Opportunity for improvement |
| 9 | The ECSG should review the Data Protection Impact Assessment (DPIA) annually, or when a change is made. The document should also be subject to document version control. | Operational management | | Opportunity for improvement |
| 10 | The ECSG System Level Security Policy (SLSP) should be subject to document version control. | Operational management | | Opportunity for improvement |
| 11 | The ECSG should consider implementing further technical controls to identify changes to Active Directory (AD) administration groups. | Access control | | Opportunity for improvement |
| 12 | The ECSG should reassess its use of built-in administrator accounts. | Access control | | Opportunity for improvement |
| 13 | The UoY should expand its current data destruction policy to include physical equipment destruction. | Data destruction | | Opportunity for improvement |
| 14 | The UoY should develop a vulnerability assessment policy. The policy should specify the frequency of vulnerability scans and penetration tests to be performed. | Access control | | Opportunity for improvement |
| 15 | The UoY should consider including further information within its Patching Policy regarding application-level patching. | Access control | | Opportunity for improvement |
| 16 | The ECSG should consider a periodic independent review to ensure that ECSG systems and infrastructure are in compliance with both local and corporate level policies/procedures. The findings from any review should be shared with the IAO. | Operational management | | Opportunity for improvement |
| 17 | At the post audit review, the Audit Team will review the Record of Processing Activities (ROPA), which is currently being drafted by the UoY. | Operational management | | Follow-up |
| 18 | At the post audit review, the Audit Team will review: (a) the joint Controller agreement between the UoY and HUTH, currently in draft, to confirm it has been finalised; (b) that the DPIA has been completed by HUTH; and (c) that HUTH's IAR includes an entry for NHS Digital data assets supplied under the DSA as a joint Controller of the NHS Digital data. | Operational management | | Follow-up |