1 |
The database holding data supplied by NHS Digital has not been patched for some time. |
Access control |
The SAHSU installed the patches available for the database following the audit.
A screenshot of the patching details was supplied to the Audit Team.
|
Agreement nonconformity |
Closed |
2 |
Data in transit between the primary datacentre and the backup sites is not fully encrypted as required by the DSFC. |
Information transfer |
ICL has completed a risk assessment which assesses the threats and vulnerabilities of the unencrypted connection and identifies the mitigating controls in place. The assessment was approved by the ICL Chief Information Security Officer and submitted to the Data Access Request Service (DARS) team.
A copy of the risk assessment was supplied to the Audit Team.
|
Agreement nonconformity |
Closed |
3 |
Vulnerability scans have not been conducted on elements of the infrastructure. |
Access control |
The SAHSU is now running a regular scan on the missing elements identified during the audit.
A copy of the vulnerability scan report from November 2021 was supplied to the Audit Team.
|
Agreement nonconformity |
Closed |
4 |
Findings from validation testing have not been cleared within a reasonable timescale and no formal remediation plan has been established. |
Access control |
A validation report from September 2021 and a supporting remediation plan were supplied to the Audit Team.
Further documentation supporting the action taken to address the issues identified was seen during a video call.
|
Agreement nonconformity |
Closed |
5 |
ICL has not carried out a formal risk assessment of the physical controls at ICL’s data centres. |
Access control |
ICL has completed a formal risk assessment of each of its data centres and two risk reports were supplied to the Audit Team. |
Agreement nonconformity |
Closed |
6 |
Two Masters students had been given access to data supplied by NHS Digital, which is not permitted by the DSA.
During the audit, SAHSU suspended the Masters students' access to the data, and a request was made to DARS to update the DSA.
|
Use and benefits |
ICL has updated the DSA to allow ICL registered students (including PhD and Masters students) to access the data. The updated DSA has been approved by the DARS team.
A copy of the updated DSA (DARS-NIC-204903-P1J7Q-v4.6) signed in October 2021 was supplied to the Audit Team.
|
Agreement nonconformity |
Closed |
7 |
The data supplied by NHS Digital has not been classified in line with SAHSU Information Classification Policy. |
Operational management |
The data has been classified in line with the Information Classification, Labelling and Handling Procedure v1.3 and the assigned classification has been recorded in the data asset register.
Copies of the procedure and the data asset register were supplied to the Audit Team.
|
Organisation nonconformity |
Closed |
8 |
Although the DSA requires all PhD students to have substantive contracts in place with Imperial College London, no such contracts could be provided for any of the PhD students in the Unit. |
Use and benefits |
ICL has drafted a data access contract which has been approved by the DARS team. The contract, in place of a substantive employment contract, allows registered students (including PhD and Masters students) to access the data.
Copies of the template contract, the approval by the DARS team and a signed copy of the contract were seen by the Audit Team.
|
Observation |
Closed |
9 |
Anti-virus alerts for the servers holding data supplied by NHS Digital are only forwarded to a single IT contact. If the contact were unavailable, no action would be taken on the alerts. It was, however, stated that SAHSU plans to utilise the anti-virus solution used by the rest of ICL, where events would be captured in a log management tool and alerts issued to a group email address. |
Access control |
Antivirus alerts are now being sent to a number of key personnel within ICL.
A copy of the email alerts and a list of the recipients of the emails were seen by the Audit Team.
|
Observation |
Closed |
10 |
SAHSU should consider developing procedures or enhancing existing documentation to cover the following:
- the local storage of Active Directory (AD) administrator account passwords
- firewall management, for example, responsibilities, rule changes and configuration changes
- assessing security incidents and informing NHS Digital where appropriate
- electronic destruction of data supplied by NHS Digital
|
Operational management |
The SAHSU has enhanced its documentation for the management of administrator passwords, firewall management, NHS Digital incident reporting and electronic destruction of data.
Documentation to support the above processes was seen by the Audit Team.
|
Opportunity for improvement |
Closed |
11 |
SAHSU should proactively monitor the database logs. |
Operational management |
The database logs now feed into a log management tool and alerts are generated to inform key staff of certain events.
An example of an alert was supplied to the Audit Team.
|
Opportunity for improvement |
Closed |
12 |
The Information Asset Owner (IAO) should consider completing specialist IAO training. |
Operational management |
The IAO has completed specialist IAO training.
An email confirming when the training was completed and the associated training material were supplied to the Audit Team.
|
Opportunity for improvement |
Closed |
13 |
SAHSU should consider adding appropriate document management information to its Data Protection Impact Assessment (DPIA). |
Operational management |
ICL stated that the current documentation management system retains version history.
A copy of the updated DPIA which includes documentation management information was seen by the Audit Team.
|
Opportunity for improvement |
Closed |
14 |
SAHSU should consider deactivating user accounts that have not been accessed for more than six months. |
Access control |
The SAHSU has developed a process to deactivate user accounts that have not been accessed over a defined period of time.
The process was explained to the Audit Team and supporting evidence was provided.
|
Opportunity for improvement |
Closed |
15 |
SAHSU's risk management process could be improved by regular review of the risk register at a group meeting, including the IAO. SAHSU should also consider formal risk management training. |
Risk management |
The SAHSU confirmed that key members of staff from the unit have completed risk management training and will be leading risk activities going forward. This includes reviewing and updating the risk register.
Risk management is now also part of the agenda at monthly meetings and includes a bi-annual review of the risk register.
The Audit Team was supplied with relevant training records and examples of meeting agendas.
Minutes showing that risk assessments were being reviewed were seen during a video call.
|
Opportunity for improvement |
Closed |
16 |
SAHSU should consider automatically blocking remote connections in certain circumstances. |
Access control |
The SAHSU is using a new system to block remote connections in certain circumstances. Screenshots to demonstrate how it worked were supplied to the Audit Team.
|
Opportunity for improvement |
Closed |
17 |
ICL should consider proactive review of swipe card access to the datacentre as currently this is only done when users join or leave the organisation. |
Access control |
The ICT Data Centre Policy has been updated and reviews of swipe card access are taking place on a regular basis at its datacentres. Further work is required for the other datacentres, which is in progress.
A copy of the updated ICT Data Centre Policy, version 2.8, and an example to support the reviews being conducted, were seen by the Audit Team during a video call.
|
Opportunity for improvement |
Closed |
18 |
SAHSU should consider carrying out a risk assessment on the statistical server as it may store temporary files if there is any abnormal shutdown of the statistical tools. |
Risk management |
The SAHSU has carried out an informal risk assessment and additional mitigating controls have been implemented.
Evidence was supplied to the Audit Team which showed temporary files are automatically deleted at a frequent interval.
|
Opportunity for improvement |
Closed |
19 |
At the time of audit, ‘old’ servers had not been destroyed but still contained data supplied by NHS Digital. At the post-audit review, the Audit Team will review the data destruction process and view a completed certificate of destruction. |
Data destruction |
The SAHSU confirmed that the data on the old servers had been wiped using specialist data deletion software.
The SAHSU has completed NHS Digital’s certificate of destruction. This certificate, together with the erasure report generated by the specialist data deletion software, was sent to NHS Digital in August 2021.
|
Follow-up |
Closed |