NHS DSPT: Protecting Against Cyber Attacks and Data Breaches - B4 System Security

B4.a Secure by Design

‍

Key Point:
Your organisation must design security into your network and information systems to minimise vulnerabilities and ensure that a single point of failure cannot disrupt essential functions.

‍

Overview:
This outcome focuses on embedding security into the design of your systems from the outset, reducing potential vulnerabilities and making recovery from any incidents quicker and easier.

‍

How to Meet the Requirement:
Incorporate secure by design principles into the development of your systems. This involves creating strong boundary defences (e.g., firewalls and intrusion prevention systems) and ensuring that all data flows—both internal and external—are encrypted and validated. Design decisions should also support system recovery in the event of a breach or failure by implementing strategies like network segmentation and automated deployment.

‍

Protect against content-based attacks by implementing solutions that block or filter harmful content before it can enter your network.

‍

Evidence to Provide:
‍

Submit documentation such as:

• Network and data flow diagrams
• Policy documents on boundary defences and system recovery strategies
• Risk assessments detailing protections for data flows
• Security policies on monitoring and content-based attacks

‍

Ensure your evidence demonstrates how your network and systems are built to be secure by design, with protections in place for both data flows and boundary defences.

‍

Indicators of Good Practice:

• All data flows, both within your system and across the network perimeter, are protected and validated.
• Content-based attacks are mitigated through input controls, not just monitoring or perimeter defences.

‍

B4.b Secure Configuration

‍

Key Point:
Your organisation must ensure that all devices and systems are securely configured to reduce vulnerabilities and limit potential attack surfaces.

‍

Overview:
This outcome focuses on the secure configuration of your organisation’s systems and devices, ensuring they are properly set up to minimise risks from cyber threats. This includes disabling unnecessary services and implementing strong access controls.

‍

How to Meet the Requirement:
Identify and document the assets that need secure configuration, such as network devices, firewalls, and servers. Use secure platform builds for all devices, and disable unnecessary services and features to reduce the attack surface. Regularly review and approve changes to security configurations, and ensure only authorised software can be installed on devices.

‍

Evidence to Provide:
‍

Provide documents like:

• Information asset registers with configuration details
• Policies on device management, configuration, and patching
• Baseline builds for end-user devices and network components
• Documentation of changes to security configurations

‍

Ensure your evidence demonstrates robust configuration management and secure builds for devices and systems.

‍

Indicators of Good Practice:

• All assets are securely configured with only the necessary services and features enabled.
• Configuration changes are approved, documented, and monitored to ensure consistency and security.

‍

B4.c Secure Management

‍

Key Point:
You must effectively manage your organisation’s networks and systems to ensure ongoing security, including administration, malware prevention, and maintaining system integrity.

‍

Overview:
This outcome ensures that robust management practices are in place to secure your organisation’s networks and systems. This includes separating administrative activities from standard user tasks and implementing malware protection measures.

‍

How to Meet the Requirement:
Implement administration policies where privileged operations are only performed on trusted devices, separate from standard user activities. Ensure that third-party administrators follow these protocols as well. Use technical controls to prevent, detect, and remove malware, including email filtering, file scanning, and anti-malware software.

‍

Additionally, enforce acceptable use policies to educate staff on safe usage practices, and ensure physical security measures like port locks are in place.

‍

Evidence to Provide:
Submit evidence such as:

• Privileged user management policies
• Network diagrams showing administrative and standard user separation
• Anti-malware and network security policies
• Reports on malware incidents and remediation actions

‍

Ensure your documentation shows that your networks and systems are effectively managed and secured against both internal and external threats.

‍

Indicators of Good Practice:

• Privileged access is separated from normal user operations and carried out on trusted devices.
• Systems are protected from malware with a combination of technical, procedural, and physical controls.

‍

B4.d Vulnerability Management

‍

Key Point:
Your organisation must proactively identify and manage vulnerabilities in your systems to prevent potential impacts on essential functions.

‍

Overview:
This outcome ensures that your organisation has processes in place to identify, assess, and mitigate vulnerabilities in your network and systems. This includes regularly updating systems, applying patches, and conducting vulnerability testing.

‍

How to Meet the Requirement:
Implement a process for tracking publicly known vulnerabilities from software manufacturers and other trusted sources, including alerts from NHS England’s National Cyber Security Operations Centre (CSOC). Vulnerabilities should be prioritised based on risk, with patches applied promptly to address high-risk issues.

‍

In areas where vulnerabilities cannot be immediately patched, apply temporary mitigations like network isolation or enhanced monitoring. Conduct regular vulnerability testing such as penetration tests to ensure a thorough understanding of your system’s weaknesses.

‍

Evidence to Provide:
Submit documents such as:

• Vulnerability management policies
• Patch management logs and risk assessments
• Reports from penetration tests and vulnerability scans
• Improvement plans for unsupported software or unpatched vulnerabilities

‍

Ensure your documentation demonstrates that vulnerabilities are regularly identified, prioritised, and mitigated in a timely manner.

‍

Indicators of Good Practice:

• Vulnerabilities are tracked and patched promptly, particularly high-risk issues.
• Regular vulnerability testing is conducted to assess potential weaknesses in the system.

‍

Strengthen your organisation’s system security with Periculo. From secure system design and configuration to managing vulnerabilities, we can help you build a resilient cybersecurity strategy that protects your essential functions. Contact us today to secure your systems and mitigate cyber risks!