NHS DSPT: Protecting Against Cyber Attacks and Data Breaches - B3 Data security
Key Point:
Your organisation must fully understand the data critical to its essential functions, including where it is stored, how it is transferred, and the impacts of unauthorised access, modification, or deletion.
Overview:
This outcome focuses on identifying and understanding the data supporting your organisation’s essential functions, assessing the risks of compromise or loss, and ensuring proper protection for both personal and non-personal data.
How to Meet the Requirement:
Begin by cataloguing all critical data—both personal data (e.g., patient or staff information) and non-personal data (e.g., operational or technical data). Use tools such as a Record of Processing Activities (ROPA) and Information Asset Register (IAR) to document where the data is stored, how it is used, and who is responsible for it. Also, understand which staff members need access to specific types of data.
You must assess the potential impacts of unauthorised access, modification, deletion, or unavailability of this data on essential functions, and incorporate these assessments into your risk management and business continuity planning.
Evidence to Provide:
Submit documents such as:
- Information asset registers and processing activity records
- Data inventories for technical or operational data
- Business continuity plans
- Risk assessments detailing the impact of data loss
Ensure the documentation shows how you manage data risks and how important the data is to essential operations.
Indicators of Good Practice:
- A complete and regularly updated catalogue of essential data, including both personal and operational data.
- Clear documentation of the impacts of data compromise on business and clinical operations.
B3.b Data in Transit
Key Point:
Your organisation must protect the transmission of critical data, both electronically and physically, to prevent unauthorised access or interception.
Overview:
This outcome ensures that data flows within and outside of your organisation are secure. You must identify all critical data transfers—whether through email, network connections, or physical transport—and protect them using appropriate security measures.
How to Meet the Requirement:
Identify key data flows that are critical to your operations. For electronic data, use encryption, secure email standards, and network protection mechanisms to safeguard data in transit. For physical data, ensure secure handling through trusted mail services, proper packaging, and other controls to prevent data breaches.
Document your data flows using diagrams, registers, or control documents that clearly show how data is transferred and protected.
Evidence to Provide:
Submit documentation such as:
- Data flow diagrams
- Secure email compliance documentation (e.g., DCB1596)
- Policies for handling physical data in transit
- Encryption and network security policies
Ensure your evidence demonstrates robust protections for both electronic and physical data transfers.
Indicators of Good Practice:
- All critical data flows are identified and protected using appropriate technical and procedural controls.
- Regular reviews and assessments are conducted to ensure continued data flow security.
B3.c Stored Data
Key Point:
You must ensure that both electronic and physical data critical to your essential functions is protected from unauthorised access, modification, or deletion.
Overview:
This outcome addresses the protection of data that is stored, whether electronically or in physical form. Organisations must safeguard this data by applying security measures that prevent it from being accessed or compromised by unauthorised individuals.
How to Meet the Requirement:
For electronic data, use encryption, access controls, and regular backups to ensure data integrity and security. For physical data, such as paper records or ID cards, secure it in locked storage, restrict access, and follow appropriate disposal procedures. Both types of data should be catalogued and regularly reviewed to ensure they remain protected.
Evidence to Provide:
Submit documentation such as:
- Information asset registers and backup policies
- Data encryption and access control policies
- Physical data protection policies (e.g., locked storage)
- Data destruction certificates
Ensure that your evidence demonstrates secure storage practices for both electronic and physical data.
Indicators of Good Practice:
- All stored data is protected using appropriate physical and technical controls.
- Regular reviews are conducted to ensure stored data remains secure and accessible when needed.
B3.d Mobile Data
Key Point:
Your organisation must ensure that data critical to your essential functions, stored or accessed on mobile devices, is fully protected.
Overview:
This outcome ensures that mobile devices used within your organisation, such as smartphones, tablets, or laptops, are secure and that any critical data they hold or access is protected. This applies to both organisation-owned and personal devices used for work (BYOD).
How to Meet the Requirement:
Use mobile device management (MDM) systems to track devices and ensure they are configured with encryption and access controls. Limit the data stored on these devices to the minimum necessary for business purposes, and ensure that data is erased when no longer needed.
Catalogue all mobile devices in your asset register and ensure that they follow best practices for security configuration.
Evidence to Provide:
Submit documents such as:
- Asset registers with mobile device information
- Mobile device management reports
- Policies for mobile device security and BYOD
- Encryption policies for mobile devices
Ensure your documentation demonstrates secure management and protection of mobile data.
Indicators of Good Practice:
- All mobile devices are catalogued and secured with encryption and access controls.
- Only necessary data is stored on mobile devices, and it is erased when no longer needed.
B3.e Media and Equipment Sanitisation
Key Point:
Your organisation must securely sanitise all devices, equipment, and media containing critical data before reuse or disposal.
Overview:
This outcome ensures that when devices, media, or equipment are no longer in use, they are securely sanitised to prevent unauthorised recovery of data. This applies to both internal reuse and external disposal, and it includes data on items like hard drives, USBs, and physical devices.
How to Meet the Requirement:
Implement procedures to securely erase data from devices before reuse, disposal, or destruction. Use verified methods such as software sanitisation, physical destruction, or services certified by recognised standards (e.g., NCSC’s Assured Service (Sanitisation) scheme). Ensure that devices and media are tracked and accounted for until disposal is confirmed.
Contracts with third-party disposal services should include provisions for auditing their sanitisation procedures to ensure they meet security standards.
Evidence to Provide:
Submit documentation such as:
- Media sanitisation and equipment disposal policies
- Data destruction certificates
- Contracts and audit reports from third-party disposal services
- Asset and equipment tracking logs
Ensure that your evidence shows proper sanitisation and disposal procedures for all data-holding devices.
Indicators of Good Practice:
- All devices containing critical data are sanitised or destroyed before reuse or disposal.
- Contracts with third-party disposal services include provisions for auditing their sanitisation processes.
Protect your organisation’s data across all stages—from understanding and cataloguing to securely storing, transmitting, and disposing of it. Need assistance implementing robust data security policies? Periculo can help you ensure that your data remains secure at every step. Contact us today to safeguard your essential functions from data breaches and unauthorised access!