ISB 1596 Statement of Conformance for: NHSmail
Date: May 2014
© Open Government Licence 2014

Background

This document states how NHSmail conforms to the ISB 1596 Secure Email information standard. For further information please contact [email protected].

Health and Care Organisations

Information Security

1. Requirement: Health and care organisations MUST perform a security risk assessment when procuring an email service or delivering an email service internally.
   Statement of conformance: HSCIC, on behalf of all organisations that use NHSmail, conducts an annual formal risk assessment to HM Government Security Policy Framework standards and to the Department of Health contract held with the supplier.

2. Requirement: Either party (Service Provider and customer) MUST notify the other immediately upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.
   Statement of conformance: Schedule 1.7 of the contract HSCIC holds with the NHSmail service provider, together with the HMG accreditation, contractually obliges the service provider to report any actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.

3. Requirement: Health and care organisations MUST operate their email service to a level appropriate to the security risk assessment, and at minimum to BS ISO/IEC 27001.
   Statement of conformance: The NHSmail programme only authorises NHSmail access to organisations that are either IGSoC or IGT compliant, both of which are based around ISO 27001. The NHSmail service provider is ISO 27001 compliant (see the service provider section for more detail).

4. Requirement: Health and care organisations MUST ensure their email service meets the Personal Data section of the baseline control set if the service contains patient identifiable or sensitive data.
   Statement of conformance: The NHSmail service meets each aspect of the baseline control set and is certified for the use of patient identifiable data. This is independently verified by a CESG listed advisor.

5. Requirement: Health and care organisations SHOULD set policies and procedures for the use of secure email on mobile devices and ensure the email service enforces them.
   Statement of conformance: Policies and procedures are published on the www.nhs.net portal and enforced through an acceptable use policy. The NHSmail service requires that mobile devices are only connected when locally authorised by the employing organisation, and enforces a security profile that allows them to be remotely wiped. User organisations require encryption on mobile devices as detailed here.

Safety

6. Requirement: Health and care organisations SHOULD comply with the provisions of ISB 0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.
   Statement of conformance: The NHSmail service complies with the provisions of the standard. There is an approved safety case for the service, and a clinical authority to deploy letter has been issued by the HSCIC Clinical Safety Officer.

7. Requirement: Health and care organisations SHOULD set policies and procedures for staff who use the secure email service to ensure that they understand how to use it appropriately and safely.
   Statement of conformance: Policies and procedures are published on the www.nhs.net portal and enforced through the acceptable use policy.

Interoperability

8. Requirement: Health and care organisations MUST ensure there are appropriate policies in place for the use of email, including correspondence with insecure email systems such as those used by patients.
   Statement of conformance: Policies and procedures are published on the www.nhs.net portal and enforced through the acceptable use policy. Correspondence with insecure email services using personal or sensitive data is not currently permitted unless that data is encrypted. The NHSmail service supports encrypted attachments and is piloting an encryption solution in May 2014.
Specific required evidence of conformance for ISB 1596 assessors:

1. Requirement: Evidence of a security risk assessment for the email service.
   Evidence submitted: NHSmail 2014 HMG OFFICIAL-SENSITIVE accreditation pack (May 2014 Risk Management Accreditation Documentation Set, parts 1 to 4).

2. Requirement: One of: Information Governance Toolkit compliance; an approved PSN code of connection; an ISO 27001 information security management system for the email service, externally audited/validated.
   Evidence submitted: HSCIC Information Governance Compliance Statement.

3. Requirement: Clinical safety approval for the email service (ISB 0160).
   Evidence submitted: Clinical Authority to Release certificate.

4. Requirement: Published policies for the use of email with secure and insecure systems.
   Evidence submitted: NHSmail Guidance on emailing sensitive and patient identifiable information across the NHS and to non-NHS recipients.

5. Requirement: Any additional relevant evidence.
   Evidence submitted: NHSmail end user policies and procedures published on the www.nhs.net portal, including the access policy, acceptable use policy, data protection statement, data retention policy, secure use of mobile devices and how to communicate securely and safely; NHSmail contract with Vodafone.

IT Service Provider - Vodafone

Information Security

1. Requirement: Each Service Provider MUST at all times maintain a secure service, even when the service is unavailable to users.
   Statement of conformance: NHSmail is maintained as a secure service in accordance with its OFFICIAL-SENSITIVE security accreditation. It is reviewed annually by a CESG listed advisor and the HSCIC security team. The NHSmail service provider is contractually obliged to maintain a secure service, backed by significant financial penalties.

2. Requirement: Each Service Provider MUST maintain an Information Security Management System (ISMS) that conforms to the BS ISO/IEC 27001:2005 or 2013 (Information Security Management Systems) baseline control set and BS ISO/IEC 27002:2005 or 2013 (Information technology. Security techniques. Code of practice for information security controls). Conformance may be evidenced by appropriate certification.
   Statement of conformance: The NHSmail service maintains an ISMS that operates to B-IL 3 and in some areas B-IL 4. It is accredited to OFFICIAL-SENSITIVE, holds a suitably scoped ISO 27001 certification and fully complies with the baseline control set. HSCIC has evidenced the ISO certificates and signed off the OFFICIAL-SENSITIVE accreditation.

3. Requirement: Each Service Provider MUST maintain a security policy which sets out the security measures to be implemented and maintained in accordance with BS ISO/IEC 27001, BS ISO/IEC 27002 and the Information Security Management System. The security policy MUST be reviewed and updated by the Service Provider in a timely fashion and will be reviewed on an annual basis.
   Statement of conformance: The NHSmail service maintains a security policy that operates to OFFICIAL-SENSITIVE and is accredited by HSCIC. The security policy was thoroughly reviewed by HSCIC in May 2014.

4. Requirement: Each Service Provider MUST ensure their email service meets the baseline control set for Personal Data if the service contains patient identifiable or sensitive data.
   Statement of conformance: The NHSmail service contains personal data. It meets the baseline control set, as evidenced by the OFFICIAL-SENSITIVE accreditation.

5. Requirement: Each Service Provider MUST conduct tests of the security policy in accordance with the provisions of the Service Provider's Security Policy relating to security testing. The tests must be independently audited by either an accredited third party or representatives of the customer.
   Statement of conformance: The service is audited annually by a CESG approved company. This was last undertaken in May 2014 and the results were reviewed by the NHSmail service provider and HSCIC.
6. Requirement: Either party (Service Provider and customer) MUST notify the other immediately upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.
   Statement of conformance: Schedule 1.7 of the contract HSCIC holds with the NHSmail service provider, together with the HMG accreditation, contractually obliges the service provider to report any actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.

7. Requirement: Each Service Provider MUST provide protection against malicious content for their services, such as virus checking when onboarding data.
   Statement of conformance: The service operates CESG approved intrusion detection systems and uses industry leading mail hygiene products. All bespoke code is subject to a code review by a CESG approved company.

8. Requirement: The email service MUST provide anti-virus and anti-spam filtering, in addition to commodity content management such as attachment blocking, virus/spam filtering capabilities and data leakage prevention (e.g. encrypting protectively marked email destined for the Internet). The service SHOULD also provide for the management of spoofed email and of items that cannot be checked, such as S/MIME encrypted or password protected attachments.
   Statement of conformance: The NHSmail service provides Anti-Virus Anti-Spam (AVAS) services at the point of entry for email to the service. Spoofed email detection runs on messages that originate from the Internet but purport to come from an NHSmail email address, and inserts a warning into those messages. Where content cannot be checked, a warning message is provided to the recipient.
9. Requirement: All patient identifiable and sensitive data MUST be maintained in accordance with the Government's offshoring policy (https://www.gov.uk/government/publications/government-ict-offshoringinternational-sourcing-guidance) and Department of Health policy.
   Statement of conformance: All NHSmail data is held within the UK (England).

10. Requirement: The Service Provider MUST provide tools to ensure that mobile devices are appropriately secured when accessing the email service. This could include:
    - Functions to allow/deny/quarantine by device type, organisation or groups of users.
    - Remove device, expire password, and wipe any data associated with the service.
    - Reporting functions/capabilities.
    - Detect and block rooted (i.e. jailbroken) devices.
    Statement of conformance: Policies and procedures are published on the www.nhs.net portal and enforced through an acceptable use policy. The NHSmail service requires that mobile devices are only connected when locally authorised by the employing organisation, and enforces a security profile that allows them to be remotely wiped. User organisations require encryption on mobile devices as detailed here. All mobile devices on connection receive a policy request to encrypt the device and to set a lock password that expires every 90 days; the device locks after 20 minutes of inactivity and wipes itself if the password is entered incorrectly 8 times. Organisations receive a monthly report listing, by user, the mobile devices that have been connected to the service. This enables organisations to check that users are only using authorised devices that meet their local policy.

11. Requirement: Each Service Provider SHOULD provide eDiscovery tools to support the administration of the service, especially with respect to the Data Protection Act 1998 and the Freedom of Information Act 2000.
    Statement of conformance: The NHSmail service provides eDiscovery tools to support the administration of the service by HSCIC. User organisations can request access to eDiscovery by contacting the NHSmail helpdesk as detailed here, in line with the data protection and acceptable use statements.
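The device controls listed in the statement of conformance for requirement 10 (device encryption, a lock password that expires every 90 days, lock after 20 minutes of inactivity, self-wipe after 8 failed attempts, connection only for devices the organisation has authorised, a per-user report of connected devices and the ability to wipe a device) correspond to the settings of an Exchange ActiveSync mailbox policy. The script below is an added illustration of how such a policy is expressed in the Exchange Management Shell on the Exchange 2007 platform this page says NHSmail runs on; it is not NHSmail's own configuration. The policy name "NHSmail-Mobile", the mailbox and organisational unit names, the minimum password length and the report path are assumed placeholders, and parameter availability depends on the Exchange service pack level.

```powershell
# Added example (not NHSmail's own configuration): an Exchange 2007 ActiveSync
# mailbox policy that enforces the device controls described in requirement 10.
# "NHSmail-Mobile", "OU=Trust A,DC=example,DC=nhs,DC=uk", "alice@example.nhs.uk"
# and the report path are assumed placeholders.

$policyName = "NHSmail-Mobile"

# Create the policy only if it is not already present, so the script can be re-run.
$policy = Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue
if ($policy -eq $null) {
    $policy = New-ActiveSyncMailboxPolicy -Name $policyName
}

# Device settings from the statement of conformance:
#   - device storage must be encrypted
#   - lock password required, expiring every 90 days (TimeSpan "days.hh:mm:ss")
#   - device locks after 20 minutes of inactivity
#   - device wipes itself after 8 incorrect passwords
# MinDevicePasswordLength is an assumption: the page states no minimum length.
# AllowNonProvisionableDevices $false refuses any device that cannot apply the
# policy, which is how a device that ignores the profile is kept off the service.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -DevicePasswordExpiration "90.00:00:00" `
    -MaxInactivityTimeDeviceLock "00:20:00" `
    -MaxDevicePasswordFailedAttempts 8 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# "Only connected when locally authorised": ActiveSync stays disabled for the
# organisation's mailboxes by default and is switched on per authorised user,
# with the policy attached at the same time.
Get-Mailbox -OrganizationalUnit "OU=Trust A,DC=example,DC=nhs,DC=uk" -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncEnabled $false

Set-CASMailbox -Identity "alice@example.nhs.uk" `
    -ActiveSyncEnabled $true `
    -ActiveSyncMailboxPolicy $policyName

# Monthly report of connected devices by user, for the organisation to reconcile
# against its list of locally authorised devices.
Get-Mailbox -OrganizationalUnit "OU=Trust A,DC=example,DC=nhs,DC=uk" -ResultSize Unlimited |
    Get-ActiveSyncDeviceStatistics |
    Select-Object Identity, DeviceType, DeviceModel, DeviceID, LastSuccessSync |
    Export-Csv -Path "C:\Reports\TrustA-ActiveSync-Devices.csv" -NoTypeInformation

# Remote wipe of a device that appears on the report but is not authorised.
# The device identity is taken from the DeviceID column of the report above.
# Clear-ActiveSyncDevice -Identity "alice@example.nhs.uk\ExchangeActiveSyncDevices\<DeviceID>" `
#     -NotificationEmailAddresses "it-security@example.nhs.uk"
```

The wipe command is left commented out because it is destructive; it is shown only to indicate where the "remove device and wipe any data" capability from requirement 10 sits in the same toolset. Devices that never receive the policy (for example because AllowNonProvisionableDevices is $false) do not appear in the device statistics, so the report lists only devices that have actually synchronised.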
Safety

12. Requirement: Service Providers SHOULD comply with the provisions of ISB 0129 Clinical Risk Management: its Application in the Manufacture of Health IT Systems.
    Statement of conformance: The NHSmail service complies with the provisions of the standard. There is an approved safety case for the service, and a clinical authority to deploy has been issued by the HSCIC Clinical Safety Officer.

Interoperability

13. Requirement: Each Service Provider SHOULD comply with the open standards policy.
    Statement of conformance: NHSmail is based on Exchange 2007, which complies with a number of email interoperability standards as detailed in the supporting evidence. Users can access the service using web (HTTP) and email client (IMAP, POP, SMTP and LDAP) standard protocols, with additional Microsoft proprietary protocols supported for richer functionality/clients. The web interface is WCAG AA compliant.

Specific required evidence of conformance for ISB 1596 assessors:

1. Requirement: An independently audited information security management system in relation to the email service.
   Evidence submitted: HSCIC contract with Vodafone; Vodafone BS ISO/IEC 27001:2005 certificate and scope of applicability; NHSmail 2014 HMG OFFICIAL-SENSITIVE accreditation pack (May 2014 Risk Management Accreditation Documentation Set, parts 1 to 4).

2. Requirement: Conformance to the baseline control set; HMG OFFICIAL-SENSITIVE or, if prior to April 2014, RESTRICTED accreditation (pan-government or departmental).
   Evidence submitted: NHSmail conformance to the baseline control set; NHSmail 2014 HMG OFFICIAL-SENSITIVE accreditation pack (May 2014 Risk Management Accreditation Documentation Set, parts 1 to 4).

3. Requirement: Clinical safety approval for the email service (ISB 0160).
   Evidence submitted: Clinical Authority to Release certificate.

4. Requirement: Conformance to the email interoperability standards; interoperability with GSi and NHSmail2.
   Evidence submitted: Email standards statements from Microsoft. NHSmail is connected to the GSi service and, when procured, NHSmail2 will also be interconnected to support co-existence.
5. Requirement: Any additional relevant evidence.