DSPT Independent Assurance and Audit 2023-24

Guidance for all NHS Trusts, ICBs, CSUs, DHSC Arms Length Bodies, Independent Providers who have been designated Operators of Essential Services and IT Suppliers to have a DSPT Audit to the required mandatory scope and framework methodology.

 

Background:

All DSPT independent assessment/audit providers must follow the guidance provided at: DSPT Independent Assessment Guides

The purpose of the guidance is to enable better assurance of DSPT submissions by increasing standardisation and harmonisation across assessments. It will also facilitate a better understanding of data security and protection risk themes across the health and care system. 

It is mandated via the NHS Standard Contract and the DSPT requirement that the following NHS organisations annually complete a DSPT audit/independent assessment following this guidance

- NHS Trusts (Acute, Foundation, Ambulance and Mental Health)

- Integrated Care Boards

- Commissioning Support Units

- DHSC Arm’s Length Bodies

- Independent Providers who have been designated Operators of Essential Service. (If you are unable to complete a DSPT Audit in 23-24 you will need to include it in your DSPT Improvement plan submitted at the time of publication).

Voluntary for 23-24

- IT Suppliers new see (Organisation Types) If IT Suppliers are unable to compelte a DSPT Audit in 23-24 you will need explain this in the Provide Audit Details Menu on the assessment screen prior to publication.

Organisational Requirements:

Organisations must ensure that their audit provider follows the mandated scope which for this year (mandatory evidence items only) is set out in the DSPT Independent Assessment Guide and detailed below:

1.1 The organisation has a framework in place to support Lawfulness, Fairness and Transparency

2.2 Staff contracts set out responsibilities for data security

3.1 Staff have appropriate understanding of information governance and cyber security, with an effective range of approaches taken to training and awareness

3.2 Your organisation engages proactively and widely to improve data security, and has an open and just culture for data security incidents

4.4 You closely manage privileged user access to networks and information systems supporting the essential service

5.1 Process reviews are held at least once per year where data security is put at risk and following DS incidents

6.2 All user devices are subject to anti-virus protections while email services benefit from spam filtering and protection deployed at the corporate gateway

7.1 Organisations have a defined, planned and communicated response to Data security incidents that impact sensitive information or key operational services

8.4 You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service

9.2 A penetration test has been scoped and undertaken

9.5 You securely configure the network and information systems that support the delivery of essential services

9.6 The organisation is protected by a well-managed firewall

10.2 Basic due diligence has been undertaken against each supplier that handles personal information 

Organisational Audit provider requirement

Organisations shall ensure that their chosen audit provider is aware of the mandated framework which needs to be followed. The hallmark of the methodology is an output which includes: a risk rating against each of the 10 data security standards; an overall risk rating (based on the 10 individual ratings); and an overall confidence rating.

The example in the link below is from a previous year’s report (i.e. a different scope applies this year)

DSPT Audit Table.png

The presentation of these items can vary but it is vital that they are present, and that the framework is utilised in full

To meet the requirement, the audit functionality must be used.

 

Update 5/6/23 

 

This year 22/23 deadline 30/6/23, you should ask your external auditor to submit the independent assessment / audit information on behalf of your organisation. 

 

The enhanced functionality is now live (5/6/23) 

Auditor access 

You should give your appointed external auditor access to submit details of the independent assessment / audit information. 

You should: 

  • Speak to your auditor and instruct them to submit audit information for your organisation via the DSPT 
  • Go to the manage users page 
  • Add your external auditor an an 'Auditor' user 

You may provide audit information on behalf of your organisation but any information you submit will be considered 'unverified' and may be subject to additional validation and rectification post deadline (via the toolkit using the enhanced audit functionality) 

Audit Report not available 

If your organisation is unable to provide an independent assessment / audit report for the current toolkit year, you must provide further details (via the toolkit using the enhanced audit functionality) 

If for any reason the audit organisation has stated they will be unable to issue an audit report in time please ask that audit organisation to contact us as soon as possible. 

 

 Audit guidelines for 8.4.2.

8.4.2 - All infrastructure is running operating systems and software packages that are patched regularly, and as a minimum in vendor support. Where this is not possible, the device should be isolated and have limited connectivity to the network, and the risk assessed, documented, accepted, regularly reviewed and signed off by the SIRO.

In the Independent Assessment Framework for Category 1 organisations, the audit approach wording is as follows:

In order to test this evidence item, the testing approach for the following evidence items should be followed: 8.1.1, 8.1.4, 8.2, 8.3.1-8.3.4.

 

Explanation of approach.

8.4.2 is broad ranging evidence item that requires the elements built up in 8.1.1, 8.1.4, 8.2, 8.3.1-8.3.4 to be in place to achieve it with 8.4.2.

Explanation of approach.

8.4.2 is broad ranging evidence item that requires the elements built up in 8.1.1, 8.1.4, 8.2, 8.3.1-8.3.4 to be in place to achieve it with 8.4.2.

 

If you breakdown the requirement for 8.4.2, which the auditors are being asked to check, we are asking for:

Have they included all infrastructure (which is covered by 8.1.1)

Software packages are in support (which is covered by 8.1.4)

Does the organisation know which software in unsupported and has it been risk managed (which is covered by 8.2)

Does the organisation patch regularly and high-risk patches been applied consistently (which is covered by 8.3.1-3)

Does the organisation have an approach for identifying and deploying critical and/or high-risk security patches outside of the normal patching schedule (8.3.3)

Have the high-risk patches been applied regularly (which is covered by 8.3.4)

 

The approach of the advice in the Framework was to support consistency for the auditors so if they audited 8.4.2 they would follow the same approach if an organisation asked them to audit 8.1.1 separately by cross referencing the existing guidance they would be asked to use.

Supporting Documents