NHS DSPT: Protecting Against Cyber Attacks and Data Breaches - B2 Identity and Access Control

B2.a Identity Verification, Authentication, and Authorisation

‍

Key Point:
Your organisation must robustly verify, authenticate, and authorise staff access to information, systems, and networks essential to your operations.

‍

Overview:
This outcome ensures that your organisation has strong cyber security and information governance (IG) controls for managing user access to critical information. Ensuring that only authorised staff have access helps prevent unauthorised access and data breaches.

‍

How to Meet the Requirement:
Before granting access, conduct thorough pre-employment checks to verify identity, especially for sensitive or privileged access roles. Authentication must be tied to individual credentials so that each access point can be traced to a specific person. Role-based access controls (RBAC) should be applied to ensure that staff only have access to the systems they need for their roles, following the principle of "least privilege."

‍

Temporary staff or emergency use of shared credentials must be controlled with additional security measures and strict monitoring.

‍

Evidence to Provide:
Submit documentation such as:

‍

• Policies for identity verification and access control
• Records of authorised user accounts and their access levels
• Audit reports on network accounts
• Logs of security incidents related to access breaches and follow-up actions

‍

Ensure your evidence demonstrates robust processes for verifying, authenticating, and authorising access to critical systems.

‍

Indicators of Good Practice:

• Strong processes for initial identity verification before granting system access.
• Individual credentials are used for all staff, with no shared access except in well-justified, controlled scenarios.

‍

B2.b Device Management

‍

Key Point:
Your organisation must maintain full visibility and trust in the devices that access your critical systems and information.

‍

Overview:
This outcome focuses on ensuring that the devices used to access your information and systems are secure and managed properly. It includes both corporately-owned devices and privately-owned (BYOD) or third-party devices connected to your network.

‍

How to Meet the Requirement:
Corporately owned and managed devices should be securely configured, and the number of BYOD or third-party devices should be minimised. If third-party devices are allowed, robust security measures, including malware scanning and network segmentation, should be in place. Devices used for privileged access, such as system administration, must meet the highest security standards.

‍

Evidence to Provide:
Submit documents such as:

‍

• Network security policies related to device management
• Reports on asset discovery and device assessments
• Third-party device evaluation protocols
• Logs showing privileged user activity

‍

Ensure your evidence demonstrates how you manage and secure the devices accessing your critical systems.

‍

Indicators of Good Practice:

• Only corporately owned devices access essential systems.
• Privileged operations are performed on dedicated, highly trusted devices.

‍

B2.c Privileged User Management

‍

Key Point:
Privileged access to systems must be closely managed, ensuring that only authorised and authenticated individuals have elevated access rights.

‍

Overview:
This outcome ensures that privileged user accounts, which have higher access rights, are properly authenticated, monitored, and managed. Privileged users must only perform necessary administrative actions from trusted devices, and their activity must be logged and reviewed to detect any suspicious behaviour.

‍

How to Meet the Requirement:
Track who has privileged access and ensure that access is immediately revoked when no longer required. Implement multi-factor authentication (MFA) for privileged accounts, and log all actions performed by these users. Review logs regularly and trigger active reviews when suspicious activity is detected.

‍

Evidence to Provide:
Provide evidence such as:

‍

• Privileged user account logs and audits
• Policies on managing privileged user access
• Logs of privileged user activity
• Reports on dormant accounts and access revocations

‍

Your documentation should show how you manage and monitor privileged users and their access rights.

‍

Indicators of Good Practice:

• Privileged user actions are logged, reviewed, and audited.
• Strong authentication (e.g., MFA) is required for all privileged access.

‍

B2 Identity and Access Control: Key Considerations

‍

Initial Identity Verification:
Ensure all staff undergo pre-employment identity checks. The level of verification should depend on the sensitivity of the access required.

‍

Role-Based Access Control (RBAC):
Implement RBAC to limit access according to job roles, applying the "least privilege" principle. Regularly review user access and ensure that rights are revoked promptly when no longer needed.

‍

Device Security:
Limit the number of BYOD and third-party devices connected to your network. Ensure that devices used for privileged access are highly secure, following NHS and NCSC guidelines.

‍

Protect your critical systems by ensuring your organisation has strong identity and access controls. Whether you need help setting up secure access protocols, managing privileged users, or evaluating device security, Periculo can help. Contact us today to strengthen your organisation’s access control strategy and prevent unauthorised access!