| Ref | Finding | Domain | Update at post-audit review | Classification | Status |
|---|---|---|---|---|---|
| 1 | Validation testing of required security controls has been conducted on an infrequent basis, with some aspects of testing not carried out. | Access control | The ECSG reported that it is now performing validation testing on a weekly basis. A screenshot of a report and the date it was produced were supplied to the Audit Team. The ECSG also confirmed that a detailed validation test had been conducted in November 2021, along with a retest in March 2022. The report for this detailed test was seen during a video call, and an extract of the retest report was shared with the Audit Team in April 2022. | Agreement nonconformity | Closed |
| 2 | A security appliance did not contain the latest patches. | Access control | The UoY reported that a new security appliance has been implemented and has the latest recommended patch installed in line with UoY policy. Any new patches are assessed against policy and installed based on business need and security. A screenshot of the patches on the new security appliance was supplied to the Audit Team. | Agreement nonconformity | Closed |
| 3 | The ECSG should review its approach to risk management and ensure that it is consistent with the UoY Risk Management Policy. | Risk management | An online risk management presentation followed by a question-and-answer session was delivered to ECSG staff by the UoY Risk Management team in October 2021. The presentation focussed on the UoY Risk Management Policy to help ensure that the approach in ECSG is consistent with UoY corporate requirements. The presentation slides were supplied to the Audit Team. | Organisation nonconformity | Closed |
| 4 | The ECSG should take appropriate action to resolve the vulnerability identified in the vulnerability scan conducted in June 2021. | Access control | The ECSG confirmed that the vulnerability identified in the scan conducted in June 2021 had been resolved. A screenshot of the latest scan was supplied to the Audit Team. It indicated that no vulnerabilities were picked up apart from those classed as ‘for information’. | Observation | Closed |
| 5 | The ECSG should consider updating section 2 of the DSA to declare the full processing and storage addresses. It should be noted that these locations have been declared in section 5b of the DSA. | Operational management | The ECSG reported that it had discussed and provided the addresses to the Data Access Request Service (DARS) team. It has been agreed that the full addresses in section 2 of the DSA will be updated at the next renewal. The ECSG supplied an email dated 28 September 2021 to support the communication with the DARS team. | Opportunity for improvement | Open, but not for follow-up |
| 6 | The UoY should consider providing risk management training, to ensure that all relevant staff are aware of the processes for raising, recording and monitoring risks. | Risk management | An online risk management presentation followed by a question-and-answer session was delivered to ECSG staff in October 2021. Further training is planned in 2022. The slides supporting the training were supplied to the Audit Team. | Opportunity for improvement | Closed |
| 7 | The ECSG information asset register (IAR) should be developed to be in line with the UoY IAR. The IAR should also be updated to reference specific datasets, data sensitivity classification, Information Asset Owner (IAO), Information Asset Administrator(s), download date, deletion date and details of any joint Controllers. The IAR should also take into account requirements from the research and governance section of the UoY Health Sciences data security policy. | Operational management | The ECSG has updated the IAR in line with the recommendations in the finding. A copy of the ECSG Data Asset Register extract spreadsheet was supplied to the Audit Team. | Opportunity for improvement | Closed |
| 8 | The UoY should consider including details of the next review date on policies and procedures as part of its document management control. | Operational management | The UoY reported that it is still considering the suggestion in the finding. | Opportunity for improvement | Open, but not for follow-up |
| 9 | The ECSG should review the Data Protection Impact Assessment (DPIA) annually, or when a change is made. The document should also be subject to document version control. | Operational management | The ECSG has updated the DPIA, and it now includes document version control along with an annual review date. A copy of the DPIA version 2.0 was supplied to the Audit Team. | Opportunity for improvement | Closed |
| 10 | The ECSG System Level Security Policy (SLSP) should be subject to document version control. | Operational management | The SLSP has been updated and now includes document version control. A screenshot of the document cover page of the SLSP Version 1.1.1 was supplied to the Audit Team. | Opportunity for improvement | Closed |
| 11 | The ECSG should consider implementing further technical controls to identify changes to Active Directory (AD) administration groups. | Access control | The ECSG reported that any new groups or changes to existing AD group memberships are now fully audited, and reports are produced. A screenshot of the audit reports and extracts from the report were supplied to the Audit Team. | Opportunity for improvement | Closed |
| 12 | The ECSG should reassess its use of built-in administrator accounts. | Access control | The ECSG reported that it had assessed the use of built-in administrator accounts. | Opportunity for improvement | Closed |
| 13 | The UoY should expand its current data destruction policy to include physical equipment destruction. | Data destruction | The UoY reported that it is still considering the suggestion in the finding. | Opportunity for improvement | Open, but not for follow-up |
| 14 | The UoY should develop a vulnerability assessment policy. The policy should specify the frequency of vulnerability scans and penetration tests to be performed. | Access control | The UoY reported that it is still considering the suggestion in the finding. | Opportunity for improvement | Open, but not for follow-up |
| 15 | The UoY should consider including further information within its Patching Policy regarding application-level patching. | Access control | The UoY reported that it is still considering the suggestion in the finding. | Opportunity for improvement | Open, but not for follow-up |
| 16 | The ECSG should consider a periodic independent review to ensure that ECSG systems and infrastructure are in compliance with both local and corporate level policies and procedures. The findings from any review should be shared with the IAO. | Operational management | The ECSG reported that funding for such activities is not a permitted cost within research grants; however, should the opportunity arise, the ECSG will undertake such a review. | Opportunity for improvement | Open, but not for follow-up |
| 17 | At the post-audit review, the Audit Team will review the Record of Processing Activities (ROPA), which is currently being drafted by the UoY. | Operational management | A copy of the ROPA was supplied to the Audit Team. | Follow-up | Closed |
| 18 | At the post-audit review, the Audit Team will review: (a) the joint Controller agreement between the UoY and HUTH, currently in draft, to confirm it has been finalised; (b) that the DPIA has been completed by HUTH; (c) that HUTH’s IAR includes an entry for NHS Digital data assets supplied under the DSA, as a joint Controller of the NHS Digital data. | Operational management | A signed agreement between the UoY and HUTH is in place, dated 21 May 2021. A copy of the agreement was seen by the Audit Team. The Audit Team was informed that HUTH has also drafted its own DPIA and added NHS Digital datasets to its IAR; however, evidence to support these has not been seen by the Audit Team. | Follow-up | Open, but not for follow-up |