NHS Data Security and Protection Toolkit (DSPT) and the Cyber Assessment Frameworks (CAF)

Most blogs we have seen have looked at the changes to the NHS DSPT from the point of view of modifying your approach to meet the requirements of the NCSC CAF, but I have not seen anyone look at it from a CAF point of view and explain where the CAF comes from and why it takes the approach it does.

Cyber Security Partners have worked with the CAF since its inception, with critical infrastructure both inside and outside government, so we are well placed to offer some guidance on completing the assessment.

The Cyber Assessment Framework has been in place for “critical services” across both the public and private sector for six years. It was initially prototyped with the Ministry of Justice in the public sector and with energy companies in the private sector. The aim was to give central government an overview of the risks to critical services from cyber-related issues, whether deliberate or accidental. It came out of the understanding that key systems must have a higher level of resilience than the default position of most commercial systems. In later iterations of the framework, it also became obvious that it needed to address the dependencies many of these systems have, such as third parties.

With the growing use of cloud-based and SaaS services, it became ever more critical that all dependencies were included in these reviews. This led to an expansion of the services defined as critical, to include internet service providers and, more recently, data centres.

So why modify the DSPT to align with the CAF? The CAF has become the cornerstone of the National Cyber Strategy, at least for its security element. It is how the government measures the security of critical services and, hopefully, identifies where more assistance is required.

First things first, the CAF is not a pass-or-fail exercise. Yes, there are levels that should be achieved, but its main purpose is to identify where there are weaknesses and to help implement a treatment plan to correct or mitigate the risks discovered. Each indicator is a statement, and you justify whether it is true, partially true or false for your organisation. For example, suppose your organisation knows all the processes it would need to recover from a system failure to a minimum level of function, and has the skills to carry them out within the required timescale. If you can do that, you support the “True” statement with evidence such as a Business Continuity Plan (BCP) that identifies the skills and resources needed to recover.

The harder cases are the “partially achieved” and “not achieved” responses. How do you justify not having achieved something? The key is to describe what is still needed to achieve the required result. In doing so, you start to understand what the missing elements are and why they are missing. It may be that policies are not aligned across multiple service providers, or that an element of the critical system is not yet fully implemented, so its resilience and its backup and recovery procedures have not yet been tested.

If you treat the CAF as a report to yourself, an honest review of the status of the critical system, you will find it a lot easier to answer.

Need help completing the DSPT? Cyber Security Partners have completed the toolkit for multiple clients, for both public and private organisations in the health sector. Get in touch for a no-obligation chat to see how we can help.

Reach out to us for assistance
