RSS042 - Data Safe Haven ISO27001
- Report Date
- June 2019
Achievements in the last Period.
Secure Configuration Procedures
This is basically the patching requirement. We have defined a high-level policy and are trying to identify the actions required to get us to that point and maintain it on an ongoing basis. This will require ongoing third-party support (from Comms-Care to patch VMware) and we’ll need to purchase a couple of tools to help us iteratively patch our hardware and operating systems. We’re trying to fully define these at the moment.
Business Continuity
Neil Kell to draft initial process and Templates. We have a workshop booked to review and expand on this on the 6th of May. This is seen as a big gap in our processes at the moment and it requires priority.
Incident Management Process
Incident Management process received from Cuna. Neil to review and feed back. We’ll aim to review with Cuna in the first week of June, along with the DPIA and Data Protection.
Operational Security Procedures
• We have procedures for Firewalls.
• SOPs for Web proxy need rewritten.
• Encryption isn’t implemented yet so we don’t have procedures.
• Splunk is in delivery and Procedures will follow.
Encryption of Data at Rest.
Encryption appliances have been delivered; however, we still don't have a date on which we can implement the appliances at the ACF. These may be able to go in with the Infrastructure refresh node order in July.
SIEM (Splunk)
We have developed our Splunk instance pretty much to a point that would satisfy ISO27001. We are proceeding beyond this as we have requirements that cover more than just security monitoring (platform monitoring etc). We have a new Splunk Engineer working with us to complete this and I'm confident this will be delivered within project tolerances.
Security and Awareness Training.
Need to clarify what procedures we already have for this as part of the onboarding process and whether they satisfy this requirement.
Data Protection Procedures
Initial DPIA received from Cuna. This will need reviewed and completed. Will arrange review on Neil’s next visit.
Access management Procedures
• Jen to define the User audit process.
• Jen to clarify the Password management documentation with Cuna.
• Related SOPs need signed off by Robin.
Asset Management Procedures
We have completed the Asset Management procedures to support the UoE standard and have the Asset Management Register (device 42) fully populated.
DSH Physical Security Procedures
Minimal requirement of a site survey for the Admin Area (Argyle House) has still to be carried out. This is seen as low risk and low effort though.
Third Party Procedures.
Neil Kell to draft SOPs by end of June. They will need reviewed and signed off.
DSH Change (CAB) process.
This has been drafted. Needs reviewed, signed off and implemented.
NTP (Time) server
This will be implemented over the next couple of weeks.
HR And Vetting Process
Neil to review and come back with comments. Again, will review on Neil’s next visit.
Issues
Ref | Title | Status | Issue Owner |
---|---|---|---|
1 | Problems engaging with Penetration Testers. | Open | Andy Todd |
2 | Still don't have access to put Encryption or NTP Appliances into the ACF Data Centre. | Open | Andy Todd |
Key Tasks For Next Period
The key task for the next period will be to reassess what is outstanding, clarify where the line is, and replan the Initial Internal Audit and, from that, the certification audit. We believe we are in a position to significantly bring these dates forward and hope to be able to communicate these dates over the next couple of weeks.
Milestones
Stage | Milestone | Due Date |
---|---|---|
Deliver | Performance Metrics | 30-Apr-2019 |
Deliver | Complete Policy and Procedures. | 31-May-2019 |
Deliver | Incident Management. | 28-Jun-2019 |
Plan | Complete Plan. | 28-Jun-2019 |
Deliver | Roles and Responsibilities | 28-Jun-2019 |
Deliver | Implement SIEM (Splunk) | 30-Jun-2019 |
Deliver | Governance | 30-Aug-2019 |
Deliver | Cryptography and Key management | 31-Aug-2019 |
Deliver | Asset Management | 22-Nov-2019 |
Deliver | Initial Internal Audit | 29-Nov-2019 |
Close | Close Project | 31-Dec-2019 |
- Approved budget
- 0.0 days
- Activity this month
- 0.0 days
- Activity this year
- 0.0 days
- Activity to date
- 0.0 days
- Estimate to complete current year
- 0.0 days
- Estimate to complete future years
- 0.0 days