Report for January 2020

Report Date
January 2020
Key Achievements in the Last Period

Successfully achieved ISO27001 certification. Huge achievement from the project team.

Project Manager starts 17th February. Substantial re-planning based on estimations and prioritisation required to map out project for 2020.

 

Next Phase Tasks.

 
Implement Data at Rest Encryption.

We committed to doing this by end of first Qtr 2020 in the ISO27001 audit and it’s a requirement for NHS Lothian to give us Data. I'd say this looks very unlikely without Project management.

 
Implement ISO Audit Recommendations

We were given a list of recommendations from the ISO audit that will need done. Again, these will need managed as will the Risk Treatment plan and Improvement log. These should be managed by the Security Working Group which will probably stop.

 
Patching and Maintenance. Agree policy and strategy.

This is critical if we want to get data from NHS Lothian. The policy and processes we put in place for ISO27001 aren't achievable with the current resource levels. We need to arrange for third party vendors to come in and assist with some of the components. This needs Management. Without changing the Policy there is no way we can currently get data off NHS Lothian. I believe NHS Digital are also heading in this direction (as per CJD audit documentation). This is currently a massive black hole that needs agreement and management now that we're past the ISO Audits.

 
TLS 1.1 to 1.2 Upgrade

Again this is a key requirement for NHS Lothian and an ISO27001 commitment that we will be audited on. We currently have no plan to put this in place although Stehen has begun the investigation process.

 
Further SIEM / Splunk Delivery.

The initial Splunk delivery was built around achieving ISO27001 Certification which was targeted at Security Monitoring and Alerting, specifically GPG13. We have little or no Alerting in place for actual platform monitoring and alerting, your basic standard stuff. This is actually where we would gain the most benefit from Splunk and was always seen as the next phase.

 
Annual Penetration Test.

We committed to an annual Penetration Test as part of our ISO Scope. As this was our first year, it wasn't raised as an Inconformity that we hadn't done one for over a year. It still needs done though and urgently.

 
Internal ISO27001 Audit (1)  Feb.

This will need to be agreed and planned as it was unclear who would be carrying these out going forward. Alisair Fenemore took an action to clarify if UoE Internal audit should have a role to play in this. There is an agenda and meeting planned. Internal audit involvement needs to be clarified beforehand.

 
Internal ISO27001 Audit (2)  Aug.

As above.

 

Internal Management Review

Not planned but should be ASAP as this is our only Inconformity. We should really get right on top of this one.

 

Issues & Risks

| Ref | Title | Current Risk | Management Approach | Risk Owner | Date of Last Review |
|---|---|---|---|---|---|
| 1 | Patching requirement to the Defined Standard is not achievable with current resource levels. | RED | Reduce | David Fergusson | 27-Nov-2019 |
| 2 | Getting Data from NHS Lothian. | RED | Reduce | David Fergusson | 27-Nov-2019 |
| 3 | Removal Of Project management Resource. | RED | Reduce | David Fergusson | |

 

 

 

Milestones

| Stage | Milestone | Due Date | Previous Date | Complete |
|---|---|---|---|---|
| Deliver | Implement Encryption of Data At Rest. | No date available | No date available | No |
| Deliver | Implement ISO Audit Recommendations | No date available | No date available | No |
| Design | Patching. Agree policy and strategy. | No date available | No date available | No |
| Integrate | TLS 1.1 to 1.2 Upgrade | No date available | No date available | No |
| Build | Further SIEM (Splunk) Development | No date available | No date available | No |
| Deliver | Annual Penetration Test. | No date available | No date available | No |
| Deliver | Internal ISO27001 Audit. | No date available | No date available | No |
| Deliver | Internal Management Review | No date available | No date available | No |
| Close | Close Project | 31-Jul-2020 | No date available | No |

 

Project Status
RAG Status
Time: AMBER
Cost: AMBER
Scope: AMBER
Overall: AMBER
RAG Commentary: Project Manager starts 17th February. Substantial re-planning based on estimations and prioritisation required to map out project for 2020.
Change Status
Time: No Change
Cost: No Change
Scope: No Change
Overall: No Change
Has formal escalation taken place? No
Change Commentary: Planning for rest of project to maintain the DSH and address NHS requirements to be put in place
Activity
Approved budget: 0.0 days
Activity this month: 0.0 days
Activity this year: 0.0 days
Activity to date: 0.0 days
Estimate to complete current year: 0.0 days
Estimate to complete future years: 0.0 days

Project Info

Not available.

Documentation

Not available.