For each alert, you must first acknowledge the alert and state whether the alert is applicable to your organisations.
If you have determined that the alert is applicable, you must continue to provide regular updates and close your response in the service once you have finished your remediation work.
Acknowledge the alert
As soon as you receive a high severity alert you should access the service to acknowledge it.
For an alert that has not yet been acknowledged, you will see a button labelled ‘Provide acknowledgement’. After you click this button, choose which of your organisations you are providing an update for and then proceed to acknowledge the alert. Your status for the alert will be set to ‘in progress’.
You will be asked to provide an update on your response to the alert within 3 days. A due date for this update will automatically be set. You can change the due date for your next update in the ‘Remediation actions’ task.
Provide applicability
After you have acknowledged the alert, you should determine whether the alert is applicable to your organisation and inform appropriate colleagues. Give your response in the ‘Alert applicability’ task.
You should then provide further relevant information and create a response plan if an alert is applicable.
If an alert is applicable
If your organisation is vulnerable to the threat outlined in the alert, you should provide details of actions that are being taken, or will be taken. Use the ‘Remediation actions’ task for this. Include details of the number of systems affected by the vulnerability if this information is available.
If you are aware of any barriers that could affect your ability to remediate all your affected systems, provide details in the ‘Barriers to remediation’ task.
Provide a date for when you expect to give your next update. Also provide a target date for when you expect to complete remediation of all affected systems at your organisation.
If an alert is not applicable
If your organisation is not vulnerable to the threat outlined in the alert, provide details of why the alert is not applicable using one of the available options.
Your organisation’s response status will be changed to ‘not applicable’, and you will not need to provide any more information for this alert.
Provide regular updates
Where an alert is applicable for an organisation, you should provide regular updates until all recommended remediation steps have been completed or deemed unnecessary.
A reminder will be sent to all registered email addresses at the organisation on the day the next update is due. If an update is not provided, further reminders will be sent at regular intervals.
Update items in the task list to provide these regular updates.
The tasks you will need to update are:
- remediation actions
- barriers to remediation - where new barriers emerge or existing barriers are removed
- target date for completion - if this date changes
Formally accept residual risk
When it is not possible to fully remediate affected systems, your organisation should use the ‘Residual risk acceptance’ task to provide details about this. This is especially important when more than 14 days have passed since an alert was issued.
Organisations should continue attempting to fully remediate their systems and provide regular updates after formally accepting any risk until they are able to close their response with a completed status.
Your organisation should use the fields provided for this task to provide the name, email address, job role or title, and date of formal risk acceptance.
To help give assurance that any residual risk is being satisfactorily controlled, you should provide:
- Details of mitigating controls that have been put in place alongside remediation.
- Timescales and plans for monitoring and reducing risk in the future.
NHS England cyber teams will assess the information provided by organisations that have formally accepted risk and may request additional information to better assess whether these risks have been appropriately reduced.
Close your response to the alert
Once you have completed your response to an alert, you should use the ‘Provide a final status’ task to close your response.
If your organisation has remediated against the threat outlined in the alert, you should change your status to ‘Complete’. Do this by choosing ‘We have completed remediation’.
If your organisation has not been able to remediate your affected systems or mitigate risks through other controls, you should change your status to ‘Not able to implement’. Do this by choosing ‘We are not able to implement remediation’.