DSPT 2023/2024 Question Support

  • 4.3.1 Have all the administrators of your organisation’s IT system(s) signed an agreement to hold them accountable to higher standards? The people within your organisation who are IT system administrators may have access to more information than other staff. Therefore, they need to be held accountable in a formal way to higher standards of confidentiality than others. This requirement applies to IT system administrators working in external companies who support your organisation’s IT systems. This formal agreement could be part of a job description or a contract with your IT support company and/or systems supplier(s). YES


  • 4.4.1 The person with responsibility for IT confirms that IT administrator activities are logged and those logs are only accessible to appropriate personnel. IT support staff typically have high-level access to systems. The activities of these users should be logged and only available to appropriate personnel. YES


  • 6.2.1 Do all the computers and other devices used across your organisation have antivirus/antimalware software which is kept up to date? This applies to all servers, desktop computers, laptop computers, and tablets. Note that antivirus software and antimalware software are the same thing – they both perform the same functions. You may need to ask your IT supplier to assist with answering this question. YES (We use Panda WatchGuard Adaptive Defence 360).


  • 7.3.4 Are backups routinely tested to make sure that data and information can be restored? Suitable backups of all important data and information needed to recover the essential service are made, tested, documented and routinely reviewed.


  • 8.3.1 How do your systems receive updates and how often? Routinely: monthly, using KACE for deployment, with application updates applied when they become available.


  • 9.1.1 Does your organisation make sure that the passwords of all networking components, such as a Wi-Fi router, have been changed from their original passwords? Networking components include routers, switches, hubs and firewalls at all of your organisation’s locations. Your organisation may just have a Wi-Fi router. This does not apply to Wi-Fi routers for people working from home. You may need to ask your IT supplier to assist with answering this question. YES


  • 9.2.1 The annual IT penetration testing is scoped in negotiation between the SIRO, business and testing team, including a vulnerability scan and checking that all networking components have had their default passwords changed to a high-strength password. (Alternative wording of the same requirement: the annual IT penetration testing is scoped in negotiation between the Board/person with delegated responsibility for data security, business and testing team, including a vulnerability scan and checking that all networking components have had their default passwords changed to a high-strength password.) ("Use the comments field to state the date and outline the scope of the organisation's penetration test and redact any elements of the scope that are sensitive.") The Mitigate Cyber Internal Penetration Test Report is attached.


  • 9.5.2 Confirm all data are encrypted at rest on all mobile devices and removable media, and that you have the ability to remotely wipe and/or revoke access from an end user device. Are all laptops and tablets or removable devices that hold or allow access to personal data encrypted? ("Mobile computers like laptops and tablets and removable devices like memory sticks/cards/CDs are vulnerable as they can be lost or stolen. To make these devices especially difficult to get into, they can be encrypted (this protects information by converting it into unreadable code that cannot be deciphered easily by unauthorised people). Devices can be further protected, for example, by preventing the use of removable devices like memory sticks. This is called computer port control. You may need to ask your IT supplier to assist with answering this question.") All our laptops are centrally managed and are encrypted with Microsoft BitLocker; security updates are applied to the operating system on a regular monthly cycle. Security updates to applications managed by us, such as MS Office 2016, are also applied.


  • 10.1.2 Contracts with all third parties that handle personal information are compliant with ICO guidance. Does your organisation have a list of its suppliers that handle personal information, the products and services they deliver, and their contact details? ("Your organisation should have a list or lists of the external suppliers that handle personal information, such as IT or care planning systems suppliers, IT support, accountancy, DBS checks, HR and payroll services, showing the system or services provided.") You can find a template example of a document on the Digital Care Hub's website: https://www.digitalcarehub.co.uk/resource/template-suppliers-list/


  • 10.2.1 Do your organisation’s IT system suppliers have cyber security certification? YES

The attached document is the certificate for the above question.


Cyber Essentials Plus

Does your organisation have Cyber Essentials PLUS certification with a scope covering all health and care data processing, awarded during the last 12 months? NHS North West London IT, which provides the core IT support for Primary Care organisations within NWL ICB, is CE Plus certified.
