RSS042 - Data Safe Haven ISO27001

Report Date
July 2019


Secure Configuration Procedures

We have communicated our patching position with regard to ISO27001 and Cyber Essentials to NHS Lothian and are awaiting feedback. We are currently completing our supporting procedures for this and bringing patching up to a baseline that supports our stated position.

Business Continuity

We’ve had a couple of workshops on this and it’s back with Neil to complete the BIA (Business Impact Assessment). This will be complete in advance of the initial internal audit at the end of August.

Incident Management Process

Cuna has met with the Lead Incident Manager. Once the final UoE Incident Management Process is complete, we’ll need to update the Data Safe Haven-specific SOPs. This should be sufficient for the initial audit.

Operational Security Procedures

• We have procedures for firewalls.

• Encryption isn’t implemented yet, so we don’t have procedures for it.

• Splunk is in delivery and procedures will follow.

Encryption of Data at Rest

Encryption appliances have been racked, stacked and powered up. We will now re-engage with the vendor and agree a plan to implement encryption. I would hope to complete this in time for the full audit at the end of October (provisional).

SIEM (Splunk)

We have developed our Splunk instance pretty much to a point that would satisfy ISO27001. We are proceeding beyond this, as we have requirements that cover more than just security monitoring (platform monitoring etc.). We have selected a new Splunk service partner to work with to complete our Splunk delivery and beyond. We hope to have somebody on site in July.

Security and Awareness Training

We need to write an SOP around this and create a Summary Template to cover training.

Data Protection Procedures

The DPIA is complete and signed off by Robin and Rena Gertz. This needs final verification by the SWG.

Access Management Procedures

Jen has completed the user audit process and, with Cuna, the password management documentation. Robin is progressing the sign-off of the Ops SOPs.

Asset Management Procedures

We have completed the Asset Management procedures to support the UoE standard and have the Asset Management Register (Device42) fully populated.

DSH Physical Security Procedures

The minimal requirement, a site survey of the Admin Area (Argyle House), has still to be carried out. This is seen as low risk and low effort, though.

Third Party Procedures

Neil Kell has drafted SOPs for this. These need to be reviewed and signed off.

DSH Change (CAB) Process

This has been drafted. It needs to be reviewed, signed off and implemented.

NTP (Time) server

This is now fully implemented and configured, including the slave appliance at the ACF.

HR and Vetting Process

Neil is to review this and come back with comments. Again, we will review it on Neil’s next visit.

Audit and Review Planning

• We are planning an ‘internal’ audit at the end of August.

• We are planning a full ‘mock’ certification audit for the start of September.

• We are targeting our full Certification audit for the Start of October.


Issues

Ref | Title | Status | Issue Owner
1 | Problems engaging with penetration testers. | Open | Andy Todd
2 | Still don’t have access to put encryption or NTP appliances into the ACF data centre. | Open | Andy Todd

Key Tasks For Next Period

The key task for the next period will be to reassess what is outstanding, clarify where the line is, and re-plan the initial internal audit and, from that, the certification audit. We believe we are in a position to bring these dates forward significantly and hope to be able to communicate them over the next couple of weeks.


Milestones

Stage | Milestone | Due Date
Deliver | Performance Metrics | 30-Apr-2019
Deliver | Complete Policy and Procedures | 31-May-2019
Deliver | Incident Management | 28-Jun-2019
Plan | Complete Plan | 28-Jun-2019
Deliver | Roles and Responsibilities | 28-Jun-2019
Deliver | Implement SIEM (Splunk) | 30-Jun-2019
Deliver | Governance | 30-Aug-2019
Deliver | Cryptography and Key Management | 31-Aug-2019
Deliver | Asset Management | 22-Nov-2019
Deliver | Initial Internal Audit | 29-Nov-2019
Close | Close Project | 31-Dec-2019


Project Status

RAG Status
Time: GREEN
Cost: GREEN
Scope: GREEN
Overall: GREEN

Change Status
Time: Within Tolerance
Cost: Within Tolerance
Scope: Within Tolerance
Overall: Within Tolerance
Has formal escalation taken place? No

Activity
Approved budget: 0.0 days
Activity this month: 0.0 days
Activity this year: 0.0 days
Activity to date: 0.0 days
Estimate to complete current year: 0.0 days
Estimate to complete future years: 0.0 days

Project Info

Not available.

Documentation

Not available.