Title: BT, London Local Service Provider Security Compliance Update
Slide 1: BT, London Local Service Provider Security Compliance Update
- Jeremy Wilde
- 11 September 2007
Slide 2: Topics
- Recap fundamentals
- BT's compliance assurance activities
- Four Case Studies
- Trusting our people
Slide 3: ISO/IEC 27001 and 27002
- The BT contract with NHS CFH requires us to comply with international standards for information security management, as well as NHS standards
- These standards define a framework of best practice measures for the protection of information confidentiality, integrity and availability
- Based on a risk assessment, so that the measures applied from the standard are appropriate to mitigate the impacts that may occur
- Defined in a Statement of Applicability (SoA), which in our case is the Service Security Policy
Slide 4: ISMS (Information Security Management System)
- BT Service Security Policy, with control areas:
  - Organisation
  - Asset Classification and Control
  - Business Continuity
  - Personnel
  - Compliance
  - Physical and Environment
  - System Development and Maintenance
  - Comms and Operations
  - Access Control
Slide 6: BT's Compliance
- So how do we measure this compliance?
- Independent BT auditing, with even more independent CFH scrutiny.
Slides 7-8: Monthly compliance report to CFH
Slide 10: Four Case Studies
- Audit of Information Security measures
- Incident monitoring
- A specific incident
- Active security management
- Each case study is structured as:
  - RISK CONTEXT
  - DEFENSIVE STRATEGY: BT's approach to dealing with the risk context, managing the risk
  - PROTECTIVE MONITORING: how BT monitors the risk situation
  - ISSUES: issues arising from the particular case
Slide 11: Case Study: audit of Information Security measures
- RISK CONTEXT
  - Business Continuity of data centre operations
- DEFENSIVE STRATEGY
  - Comply with CFH IG requirements (BS7799 control items 112-115) and contractual Service Levels
- PROTECTIVE MONITORING
  - BT Health independent audit review of compliance with the ISMS based on the BT SSP items 11.1.1-11.1.5
- ISSUES
  - Auditors are not confident that the business continuity measures fully support BT's contractual service level agreements
  - BC documentation is getting out of date and should be reviewed/revised
  - BC Plans not tested for fear of disrupting Live Service; CFH and Trust requirements cannot allow the service outages required for BC/DR testing
  - This gives rise to a risk of service interruption, and BT risks having to pay Service Credits to CFH
Slide 12: Case Study: incident monitoring
- RISK CONTEXT
  - Security of information managed by the BT Helpdesk
- DEFENSIVE STRATEGY
  - Avoid information that is more sensitive than BT IN CONFIDENCE
  - Hosted in normal BT corporate environment
  - User access: normal BT corporate identification and authentication
- PROTECTIVE MONITORING
  - Accounting and audit in line with BT corporate policy
  - Network monitoring is a standard BT activity
- ISSUES
  - Helpdesk users are being sent triage reports that include information that identifies patients and their medical circumstances (exceeds IN CONFIDENCE)
  - Each time this happens, systems have to be cleansed to remove all traces of patient data
  - Trusts must (continue to) be informed that their users are compromising patient confidentiality by including confidential data in triage reports
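One protective-monitoring control that the helpdesk issue above invites is to screen incoming triage reports for patient identifiers before they are accepted, so that the repeated cleansing is avoided. The following is an added example, not BT's code and not something the slides describe: it assumes the NHS number is the identifier to look for (the deck does not say which patient data appears in the reports) and validates each candidate with the NHS number modulus-11 check digit so that ordinary ticket and order numbers are not flagged.

```python
import re

# Weights applied to the first nine digits for the NHS number modulus-11 check digit.
NHS_WEIGHTS = (10, 9, 8, 7, 6, 5, 4, 3, 2)

def is_valid_nhs_number(digits: str) -> bool:
    """True if a 10-digit string carries a correct NHS number check digit."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], NHS_WEIGHTS))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:  # remainder 1 gives 10, which is never a valid check digit
        return False
    return check == int(digits[9])

# Ten digits, plain or in the usual 3-3-4 grouping, not embedded in a longer digit run.
NHS_PATTERN = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{4})(?!\d)")

def find_nhs_numbers(text: str) -> list:
    """Return the validated NHS numbers (digits only) found in free text."""
    return ["".join(m.groups()) for m in NHS_PATTERN.finditer(text)
            if is_valid_nhs_number("".join(m.groups()))]

def redact_nhs_numbers(text: str) -> str:
    """Replace validated NHS numbers with a marker; other digit runs are left alone."""
    def _sub(m):
        if is_valid_nhs_number("".join(m.groups())):
            return "[NHS NUMBER REDACTED]"
        return m.group(0)
    return NHS_PATTERN.sub(_sub, text)

def screen_triage_reports(reports: list) -> list:
    """Flag each report that exceeds BT IN CONFIDENCE and supply a cleansed copy."""
    results = []
    for report in reports:
        hits = find_nhs_numbers(report)
        results.append({
            "exceeds_in_confidence": bool(hits),
            "identifiers_found": len(hits),
            "cleansed_text": redact_nhs_numbers(report) if hits else report,
        })
    return results

# Constructed sample triage reports. 943 476 5919 passes the check digit (sum 299, 299 mod 11 = 2,
# check = 9); 9434765910 has the same leading digits but fails it, so it is treated as a plain reference.
SAMPLE_REPORTS = [
    "Ticket 4411: user cannot print the theatre list, print queue stuck on ward PC.",
    "Ticket 4412: record for NHS no 943 476 5919 shows wrong allergy, please correct.",
    "Ticket 4413: order reference 9434765910 is stuck in the message queue.",
]
```

Running `screen_triage_reports(SAMPLE_REPORTS)` flags only the second report, and its `cleansed_text` is what a helpdesk user could be allowed to see.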
Slide 13: Case Study: a specific incident
- RISK CONTEXT
  - Day to day BT Service support activities
- DEFENSIVE STRATEGY
  - BT staff and contractors are informed of required security procedures, acceptable and prohibited behaviours
- PROTECTIVE MONITORING
  - BT staff and contractors are expected to be aware of what is going on and to report any breaches of security, including apparent breaches and perceived security weaknesses
- ISSUES
  - An alert member of staff noticed that a screen shot that was emailed by BT to one of our subcontractors (during normal system development work) contained a password, in clear text.
  - Our IT Security Team immediately assessed the impact of the password being compromised. It was found that the password could not be exploited externally.
  - The password was reset. All recipients of the email were advised to delete and not forward the information, and all were reminded of the Security Policy that had been breached, to prevent a recurrence.
Slide 14: Case Study: active security management
- RISK CONTEXT
  - PICIS product for Theatres
- DEFENSIVE STRATEGY
  - Hosted in BT Data Centres
  - User access: web access via firewalls with layered application architecture
  - Management access through firewalls via Terminal Servers on a management DMZ, not directly connected to the service delivery network (with direct access on site in case of emergency)
- PROTECTIVE MONITORING
  - Applications record user activity in accounting logs
  - Network IDS monitoring for unusual activity
- ISSUES
  - IDS agent appeared to affect performance adversely
  - Testing with a reduced configuration of the IDS agent was found to cure the poor performance; further study reveals that the next release of the IDS product is going to correct this problem
  - Risk assessment indicates no unacceptable security risk arises from the reduced IDS configuration while we await the new product release
Slide 16: BT Health Standing Procedures for Reliability Checks
- Basic Recruitment Check
  - For all staff, checks are required for identity and nationality (birth certificate, passport, driving licence etc), address (utility bills etc), skills, experience and qualifications (business, employment or other character references), and a criminal record declaration.
- Audit
  - Periodic audits are carried out by the Service Security team to ensure all staff have been checked to a level appropriate for their role.
- Criminal Records Bureau Check
  - For staff in roles involving unescorted access to locations where persons are in receipt of NHS services, a CRB disclosure must be obtained.
- Security Check
  - For staff whose primary responsibilities involve access to patient clinical data or stop-noted patient demographic data, a formal HMG SC clearance is required.
  - Relevant staff include database administrators (but not those who have incidental access to patient clinical data, such as users examining logs and message queues), and software experts with security manager, administrator or super-user access to applications that store/process clinical or personal demographic data.
  - A non-UK national may alternatively be vetted to a non-UK equivalent of SC.
Slide 17: Summary of staff checked above Basic level
- Service Desk (48 people): Team leaders and selected team members working on the Service Desk are SC-cleared because of their potential access to sensitive personal medical data.
- Application and Technical Support Groups (40 people): In these teams, it is the people whose primary responsibilities may involve them in access to patient clinical data or stop-noted patient demographic data (as specified by the CFH requirement) who are SC-cleared.
- London Systems Admin Team (4 people): All the members of this team, which includes database administrators, are SC-cleared because of their ability to access sensitive personal medical data.
- SC Clearance Audit: Our BT Health Security Clearance Survey tool gives team leaders and managers an effective method of recording and managing clearance level information of people for whom they are responsible. This information is automatically collated and reports generated for review by IT Security, who gauge levels of compliance, target areas for improvement and provide assistance and guidance where required.