The primary security obligation for HSCN is equivalence to the CAS(T) certification. The HSCN Information Assurance Requirements for HSCN Suppliers are based on the CAS(T) (CESG Assured Service (Telecommunications)) requirements. CAS(T) does also cover some key service management, business continuity and disaster recovery requirements – which have been augmented to ensure that specific HSCN security and service management requirements are incorporated prior to award of stage one compliance.
These controls are taken from ISO/IEC-27001:2013 (ISO27001) and were identified in consultation with the Industry, CESG (now the National Cyber Security Centre) and the HSCN Programme Security Sub-Board and the NHS Digital Service Management function as being an appropriate control set against the risk of compromise leading to loss of availability of HSCN services.
Further information on CAS(T)
The scope of Compliance shall be the end-to-end provision of HSCN services.
The CAS(T) Annex A (which can be found in Appendix 3) sets out the minimum scope for controls required for HSCN Compliance.
If as part of that scope of service, the HSCN Supplier is providing services that are already CAS(T) certified, assurance is met by the existing certificate. Further assurance will, however, be required for those parts of the service that are not covered by existing certification.
Security and service management compliance requirements
Annex A sets out the minimum scope for information and service assurance required for the HSCN Security Compliance.
The minimum baseline set of compliance requirements to become an HSCN Supplier are:
- requirements marked as HSCN Minimum Compliance Baseline in Annex A – these set out the minimum set of security, business continuity and service management controls
- requirements marked as HSCN Minimum Compliance Baseline under the Business Continuity Planning, Configuration management, Control performance, Governance, Incident management, Operations management, Risk assessment, Scope and Supply chain assurance categories in Annex A – these complete the HSCN baseline for compliance
- carry out an ITHC scoped in accordance with guidance in Annex B – ITHC scoping
This ITHC ensures a minimum quality of security controls in place, and provides information to HSCN Consumers about the quality of a HSCN Supplier’s security controls with regard to HSCN services. An ITHC carried out as part of the CAS(T) certification will suffice as long as the minimum scope is met, and that the CAS(T) certification covers the proposed HSCN services.
Assurance of security compliance
There are three ways in which a HSCN Supplier can demonstrate Compliance with the minimum security requirements. Each HSCN Supplier must provide assurance for the HSCN services through at least one of the three methods set out below:
- Accredited - hold and maintain full, current CAS(T) certification (that is, meeting all controls at present) for the services provided – to the level required for the HSCN Minimum Compliance Baseline – as per the MCB filter in Annex A of the Compliance Addendum. A plan articulating how the remaining requirements marked as ‘Mandatory’ will be audited must be created for stage 1 application and available for HSCN authority review (on request).
- Audited - hold and maintain current ISO/IEC-27001:2013 certification (for the services provided) for an ISMS that includes the HSCN Minimum Compliance Baseline requirements at the point of becoming an HSCN Supplier (that is - prior to Stage 1 application) and achieve coverage for the remaining CAS(T) requirements marked as ‘Mandatory’ by 1st April 2019 at the latest. A plan articulating how the remaining requirements marked as ‘Mandatory’ will be implemented must be created for stage 1 application and available for HSCN Authority review (on request). For this tier – all ‘Critical’ and ‘Mandatory’ controls required by HSCN for the minimum compliance baseline need to be implemented and evidenced prior to stage 1 application – as per the MCB filter in Annex A of the Compliance Addendum. ISMS certification audits must be conducted by a UKAS-accredited auditor, and Accredited status must be attained by 1st April 2019 at the latest.
- Asserted - self-assert compliance (for the services provided) with the CAS(T) ‘Critical’ and ‘Mandatory’ requirements for the HSCN Minimum Compliance Baseline at the point of becoming an HSCN Supplier (that is - prior to Stage 1 application) and achieve coverage for the remaining CAS(T) requirements marked as ‘Mandatory’ by 1st April 2019 at the latest. The Supplier must also attain Accredited status by 1st April 2019 (or when asked to by the HSCN authority). A plan articulating how the remaining requirements marked as ‘Mandatory’ will be implemented must be created for stage 1 application and available for HSCN authority review (on request). For this tier – all ‘Critical’ and ‘Mandatory’ controls required by HSCN for the minimum compliance baseline need to be implemented and evidenced prior to stage 1 application.
The HSCN Minimum Compliance Baseline controls are outlined in Annex A of the Compliance Addendum.
In each case, HSCN Suppliers must make a statement of residual risk available to Consumers (current and future) and to the HSCN authority on request. Residual risks that must be included are:
- all un-remediated ITHC findings higher than medium
- all components that are part of the MCB (as defined within the CAS(T) security procedures referenced above) and contribute to the delivery of the services but are not assured to the correct level of availability under CAS(T)
- all components of the services that are under the Consumer’s management or out of the provider’s control (that is - wires-only circuits and, for mobile, radio from the mast)
Please note: As part of the Compliance process HSCN will require that CAS(T) certification and ISO27001:2013 certification are provided by an independent provider.
How will HSCN manage cases where applicants do not hold full Compliance at the point of application?
A staged approach has been agreed, which is summarised in figure 3 below, using the Declaration and Certification options for verification. The staged approach provides for the following statuses in relation to security Compliance - Asserted, Audited and Accredited as identified above. This approach will be known as the ‘Transition period for formal assurance of Compliance’- this will be referred to as the ‘Transition period’.
Compliance with HSCN requirements for information and service assurance remains part of the overall Compliance process, while having its own transitionary approach to full Compliance. Achieving Asserted status will satisfy the HSCN minimum compliance baseline, but CAS(T) certification from a UKAS auditor must be achieved by 1 April 2019 in order to attain Accredited status.
In order to ensure full visibility of the progress of any Supplier that is subject to the Transition period, the HSCN authority will set a number of checks against each such Supplier over the Transition period. This will ensure that the HSCN authority is kept fully apprised of progress made toward full Compliance and is able to act early if it seems likely that full Compliance will not be met within the Transition period. The HSCN authority will have the right, under the terms of the CN-SP Deed, to revoke Compliance and stop a Supplier from selling any further services should they fail to achieve the compliance required for the Audited or Accredited tier within the defined Transition period, or fail to retain existing Audited or Accredited certification.
The CAS(T) Transition period – what must a Supplier do?
Suppliers will be able to achieve HSCN compliance during the Transition period without full (Accredited) CAS(T) certification but must:
- Be (and remain) compliant with the HSCN minimum compliance baseline from the outset.
- Provide an assurance that this baseline is implemented from the outset – therefore they must have an independent member of the CHECK scheme carry out an IT health check before selling services (and annually thereafter), and make a copy of the residual risk report available to the HSCN authority (and potential customers). The ITHC that will be required for Stage 1 is a key assurance for PSN Suppliers and is necessary for CAS(T) compliance. Please refer to Annex B of the Compliance Addendum for more information on how to conduct an ITHC.
- Achieve formal CAS(T) accredited certification within 2 years of achieving Stage 1 compliance or by 1 April 2019 (as a firm deadline) if Stage 1 compliance is achieved after 1 April 2017.
- Obtain CAS(T) accredited certification from an independent assurance body that is recognised by NCSC (for CAS(T)).
- Retain compliance: a Supplier will not be able to obtain interim HSCN Compliance on the basis of a lapsed formal certification (Note: Suppliers holding PSN compliance, or certification with ISO/IEC-20000:2011 or ISO/IEC-22301:2012, cannot downgrade their compliance and take advantage of the Transition period – that is not what it is intended for).
To further mitigate risks associated with Suppliers that have not been independently verified, HSCN applies some conditional measures on Suppliers during the Transition period. HSCN has incorporated wording into the CN-SP Deed that:
- Makes provision for the HSCN Authority to require any Supplier (irrespective of current assurance level) to conduct a risk assessment, based on market share and taking into account the geography and care settings of customers. This risk assessment shall review the risk to the availability of the HSCN service, including impact levels of all assets providing the service, and be based on an agreed risk methodology. The output of that risk assessment must include any additional security controls and / or levels of assurance required, and must be satisfactory to the HSCN authority (acting reasonably) based on the risk to availability of the HSCN and the impact levels of all assets providing the service.
- If the Supplier fails to comply or to reach agreement with the HSCN authority, then the ultimate sanction available to the HSCN authority is to suspend the Supplier from selling HSCN services. This means that the HSCN authority will monitor the number and type of connections that each Supplier has sold against agreed criteria for what constitutes an acceptable market share to the HSCN authority/DH for Suppliers with no independent assurance of the implementation of the security controls.
Maintenance of CAS(T) compliance
Suppliers that are already CAS(T) certified will not be allowed a Transition period and must retain (and maintain) their CAS(T) certification (compliant with the HSCN minimum compliance baseline) from the point that they apply for HSCN Compliance.
Figure 3: Security compliance routes and alternatives.
The full CAS(T) control list (CAS(T) Annex) can be found in Appendix 3.
This annex lists the security controls, categories, criticality of the control, sets out additional guidance and also provides a mapping (if appropriate) to other existing ISO/IEC controls.
Please note the ‘criticality’ column outlines a status for each control in terms of the HSCN requirement to have the control and, at what point.
Suppliers must be compliant with the critical and mandatory conditions in the Governance category of the Annex as a minimum at the point of Stage 1 application.
Ultimately, in order to become an HSCN CN-SP the Supplier needs to be compliant with the HSCN minimum compliance baseline at the stage one compliance application, compliant with all the controls set out in the CAS(T) annex by 1 April 2019, and able to demonstrate compliance through independent assurance (CAS(T) or ISO27001).