| 1 |
Some requirements in the Access Control policy were different to the technical controls observed and being enforced through the group policy. Some of the settings in the Access Control policy and the HES System Level Security Policy (SLSP) should also be reviewed to ensure they are appropriate. |
Access control |
The Access Control policy and group policies have been amended so that they now align. There is also a new SLSP, v4.8 dated 2 July 2021.
A copy of the updated Access Control policy, v1.9 dated 2 July 2021, was supplied to the Audit Team and the latest group policies were displayed during the video conferencing call.
|
Agreement nonconformity |
Closed |
| 2 |
Some of the changes required to the SLSP by the DSA special conditions have not yet been made, though a new version of the SLSP is being drafted to accompany the move to the cloud. |
Operational management |
The updated SLSP now covers all the elements requested in the DSA special conditions. A copy of the SLSP was supplied to the Audit Team. |
Observation |
Closed |
| 3 |
The Destruction Policy contains insufficient details as to the disposal of different device types. |
Data destruction |
A new Secure Deletion Process, v1.1 dated 25 June 2021, has been written to expand upon the steps to be taken to delete data, and also to take into account cloud hosted data. |
Observation |
Closed |
| 4 |
CSL should finalise and implement its proposed approach to track review dates of its key documents to ensure that the company’s annual review requirement is maintained. |
Operational management |
A team workflow platform is used by the Information Security Management Team (ISMT) to track revision dates of key documents. This platform shows the last reviewed date and the next review date for each document along with the person responsible for its revision. No document is currently outside of its required review date. The platform was shown to the Audit Team. |
Opportunity for Improvement |
Closed |
| 5 |
The HES Raw File Management document should be updated to recognise the additional steps currently being undertaken. |
Operational management |
The additional steps have been added to the Raw File Management document. The Raw File Management document, v1.1 dated 15 January 2021 was supplied to the Audit Team. |
Opportunity for Improvement |
Closed |
| 6 |
CSL should risk assess the use of freeware products in the destruction of data. |
Data destruction |
An entry regarding freeware products has been added to the risk register. The Operational Security policy has also been updated to define requirements that such products need to meet before being installed and used.
The risk assessment was shared with the Audit Team along with the latest Operational Security policy, v2.0 dated 13 January 2021.
|
Opportunity for Improvement |
Closed |
| 7 |
Additional text could be added to the Access Control policy to recognise that its requirements could be superseded by those defined in an SLSP. |
Access control |
An additional section has been added to the Access Control policy to allow for a SLSP to override the main policy if the protection granted is at least as good. A copy of the Access Control policy, v1.9 dated 2 July 2021, was supplied to the Audit Team. |
Opportunity for Improvement |
Closed |
| 8 |
The HES Training document should be updated to reflect current practice. |
Operational management |
The HES training document has been updated to reflect current practice and data. A copy of the document, v1.6 dated 13 May 2021, was supplied to the Audit Team. |
Opportunity for Improvement |
Closed |
| 9 |
CSL may wish to add SLAs covering the service being provided when the contract with the IT support provider is next updated. |
Operational management |
A new Service Specification for Managed Services was signed with the IT support provider on 21 May 2021. This specification includes a number of Service Level Agreements (SLA). |
Opportunity for Improvement |
Closed |
| 10 |
CSL should review what logs are being retained and whether these should be proactively reviewed. |
Access control |
CSL reported logs from key systems are now retained and reviewed as part of its monthly ISMT meetings. A copy of the minutes from 21 April 2021 was shown to the Audit Team. |
Opportunity for Improvement |
Closed |
| 11 |
CSL should consider the creation of a roles and responsibilities document or make the existing training material more accessible. |
Access control |
The training materials have been added to a network folder. The availability of training materials was presented at an internal communications meeting on 18 January 2021. A screenshot of the presentation was provided to the Audit Team. |
Opportunity for Improvement |
Closed |
| 12 |
In accordance with the special conditions in the DSA, CSL is about to move to the cloud. As part of the post audit review the Audit Team will examine:
- the revised DPIA covering the cloud platform
- results of the penetration testing conducted of the new platform prior to data being uploaded
- the process around data transfer
- the evidence supporting the destruction of data from the existing platform
- the revised SLSP.
|
Operational management |
CSL described the approach it had taken to moving the data supplied by NHS Digital to the cloud. As part of this discussion, the following documentation was shown to the Audit Team:
- the revised DPIA, approved 17 June 2021
- the revised SLSP, v4.8 dated 2 July 2021
- the results of the vulnerability scans and penetration test undertaken prior to the data being moved
- a spreadsheet being used to track the deletion of data from the on-premises data bearing assets and an example of a report from the data deletion software.
|
Follow-up
|
Closed |