RSS042 - Data Safe Haven ISO27001
- Report Date
- October 2019
Audit and Review Planning.
Part 1 of the ISO27001 audit was completed last week with three minor inconformity's. All three will be closed in time fro part 2 which is next week and thus far we believe we are on target to pass.
We will find out on the last day. (Thursday 7th).
Document Management
As per plan, we have all our documents in the Subversion repository. Reviewed and signed off.
SIEM (Splunk)
We have progressed our Splunk development to a point where we believe we have more than satisfied the ISO27001 requirement. We will probably continue to expand on its use next year. But for the time being its complete.
DSH Change (CAB) process.
This has been drafted and reviewed and implemented.
Secure Configuration (Patching).
We have all the required processes in place and are patching. The backlog is huge though are we don't believe we'll get on top of this with current resource levels.
DSH Physical Security Procedures
This is complete and ready for the audit.
Cryptography
Encryption appliances have been racked, stacked and power up. We will now re engage with the vendor and agree a plan to implement encryption. This will not be done by the October audit which, we are told, shouldn’t be an issue as its planned. Stephen Giles has documented how Data Safe Haven meets University Encryption standards. We have an ongoing requirement to upgrade the encryption level from TLS1.1 to TLS1.2. Stephen Giles is investigating this at the moment. This is an NHS Lothian Requirement as well as being required to meet the UoE Defined Standard.
Issues & Risks
Key Tasks For Next Period
Part 2 of the audit and get certified.
Milestones
| Stage | Milestone | Due Date | Complete | |
|---|---|---|---|---|
| Deliver | Internal Audit - Part 2 | 05-Nov-2019 | No | |
| Deliver | Cryptography and Key management | 27-Dec-2019 | No | |
| Close | Close Project | 31-Dec-2019 | No |