RSS042 - Data Safe Haven ISO27001
- Report Date
- September 2019
Audit and Review Planning
We are progressing toward Part 1 of the ISO Audit on the 23rd/24th of October. The auditor, Jim Stewart from Lloyds Registry, has sent through the Audit plan for the first two days. We are working through this to ensure we are fully prepared for all the relevant Clauses and Annexes. We have a pre-visit call with the Auditor this Friday. Part 2 of the audit is scheduled for two weeks later, on the 5th and 6th of November. Part 2 of the audit is primarily to drill down into the evidence required to support the procedures reviewed in Part 1.
Document Management
As per the Internal Audit, we have defined a Document Management process based around the Subversion repository. This is where all ISO Documentation will be version controlled and accessed by the Data Safe Haven Team. We are now concentrating on getting all our procedures reviewed and signed off. Stephen will be reviewing all the technical SOPs with Stephen on Friday, then David next week. Cuna is progressing the Ops SOPs with Robin.
SIEM (Splunk)
Our Splunk Consultant is progressing to plan so far. Amongst other things, he is currently verifying that all the hosts and data sources are logging to the Splunk platform and completing the work required to finish the GPG13 application that satisfies ISO27001. He is also finishing off the implementation of the Enterprise Security (SIEM) component, and we are planning a Show and Tell session for this next Thursday. In parallel, Rob Davies is writing the supporting SOPs, which will be reviewed and signed off in time for the (ISO) audit.
DSH Change (CAB) Process
This has been drafted and reviewed. We're struggling to fully implement it due to the volume of changes coming out of the patching process.
Secure Configuration (Patching)
We have clearly defined and reviewed processes that we believe will pass (ISO) audit and that have been reviewed and accepted by NHS Lothian. However, we're struggling with the volume of patches being identified by the process alongside the amount of other work going on in the team. David Fergusson has suggested that we may need to review the components that are being patched and take a more risk-based approach. This would be acceptable from an ISO perspective but may not be from an NHS Lothian perspective. Suggest we get a meeting with NHS Lothian and ask the question?
DSH Physical Security Procedures
Neil Kell has been on site today (2nd Oct) and carried out the Argyle House site survey. This should be fully documented over the next day or two and will be reviewed and signed off for the audit. This is the final site survey, completing the set (including the ACF and JCMB Data Centres).
Cryptography
Encryption appliances have been racked, stacked and powered up. We will now re-engage with the vendor and agree a plan to implement encryption. This will not be done by the October audit, which, we are told, shouldn't be an issue as it's planned. Stephen Giles has documented how Data Safe Haven meets University Encryption standards. We have an ongoing requirement to upgrade the encryption level from TLS1.1 to TLS1.2. Stephen Giles is investigating this at the moment. This is an NHS Lothian Requirement as well as being required to meet the UoE Defined Standard.
Third Party Procedures
Neil Kell has drafted SOPs for this. These need to be reviewed and signed off.
HR and Vetting Process
These are at a stage where they need to be reviewed and signed off.
Issues & Risks
Key Tasks For Next Period
The key task for the next period will be to reassess what is outstanding, clarify where the line is, and re-plan the Initial Internal Audit and, from that, the Certification Audit. We believe we are in a position to significantly bring these dates forward and hope to be able to communicate these dates over the next couple of weeks.
Milestones
Stage | Milestone | Due Date
---|---|---
Deliver | Incident Management | 11-Oct-2019
Plan | Complete Plan | 11-Oct-2019
Deliver | Complete Policy and Procedures | 11-Oct-2019
Deliver | Implement SIEM (Splunk) | 11-Oct-2019
Deliver | Cryptography and Key Management | 11-Oct-2019
Deliver | Asset Management | 11-Oct-2019
Deliver | Governance | 11-Oct-2019
Deliver | Internal Audit - Part 1 | 23-Oct-2019
Deliver | Internal Audit - Part 2 | 05-Nov-2019
Close | Close Project | 31-Dec-2019
- Approved budget
- 0.0 days
- Activity this month
- 0.0 days
- Activity this year
- 0.0 days
- Activity to date
- 0.0 days
- Estimate to complete current year
- 0.0 days
- Estimate to complete future years
- 0.0 days