BT, London Local Service Provider Security Compliance Update

1
BT, London Local Service Provider Security
Compliance Update
  • Jeremy Wilde
  • 11 September 2007

2
Topics
  • Recap fundamentals
  • BT's compliance assurance activities
  • Four Case Studies
  • Trusting our people

3
ISO/IEC 27001 and 27002
  • The BT contract with NHS CFH requires us to
    comply with international standards for
    information security management, as well as NHS
    standards
  • These standards define a framework of best
    practice measures for the protection of
    information confidentiality, integrity and
    availability
  • Based on a risk assessment, so that the measures
    applied from the standard are appropriate to
    mitigate the impacts that may occur
  • Defined in a Statement of Applicability (SoA),
    which in our case is the Service Security Policy

4
ISMS (Information Security Management System)
  • Organisation
  • Asset Classification and Control
  • Business Continuity
  • BT Service Security Policy
  • Personnel
  • Compliance
  • Physical and Environment
  • System Development and Maintenance
  • Comms and Operations
  • Access Control
5
Topics
  • Recap fundamentals
  • BT's compliance assurance activities
  • Four Case Studies
  • Trusting our people

6
BT's Compliance
  • So how do we measure this compliance?
  • Independent BT auditing, with even more
    independent CFH scrutiny.

7
Monthly compliance report to CFH
8
Monthly compliance report to CFH
9
Topics
  • Recap fundamentals
  • BT's compliance assurance activities
  • Four Case Studies
  • Trusting our people

10
Four Case Studies
  • audit of Information Security measures
  • incident monitoring
  • a specific incident
  • active security management
Each case study is presented under four headings:
  • RISK CONTEXT
  • DEFENSIVE STRATEGY: BT's approach to dealing with
    the risk context, managing the risk
  • PROTECTIVE MONITORING: how BT monitors the risk
    situation
  • ISSUES: issues arising from the particular case

11
Case Study: audit of Information Security measures
  • RISK CONTEXT
      • Business Continuity of data centre operations
  • DEFENSIVE STRATEGY
      • Comply with CFH IG requirements (BS7799 control
        items 112-115) and contractual Service Levels
  • PROTECTIVE MONITORING
      • BT Health independent audit review of compliance
        with the ISMS based on the BT SSP items
        11.1.1-11.1.5
  • ISSUES
      • Auditors are not confident that the business
        continuity measures fully support BT's
        contractual service level agreements
      • BC documentation is getting out of date and
        should be reviewed/revised
      • BC Plans are not tested for fear of disrupting
        Live Service: CFH and Trust requirements cannot
        allow the service outages required for BC/DR
        testing
      • This gives rise to a risk of service interruption
        and BT risks having to pay Service Credits to CFH

12
Case Study: incident monitoring
  • RISK CONTEXT
      • Security of information managed by the BT
        Helpdesk
  • DEFENSIVE STRATEGY
      • Avoid information that is more sensitive than BT
        IN CONFIDENCE
      • Hosted in normal BT corporate environment
      • User access: normal BT corporate identification
        and authentication
  • PROTECTIVE MONITORING
      • Accounting and audit in line with BT corporate
        policy
      • Network monitoring is a standard BT activity
  • ISSUES
      • Helpdesk users are being sent triage reports that
        include information that identifies patients and
        their medical circumstances (exceeds BT IN
        CONFIDENCE)
      • Each time this happens, systems have to be
        cleansed to remove all traces of patient data
      • Trusts must (continue to) be informed that their
        users are compromising patient confidentiality by
        including confidential data in triage reports

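The helpdesk case study above describes patient-identifying data arriving in triage reports and having to be cleansed after the fact. A cheap preventive control is to gate each report on entry and reject anything that exceeds BT IN CONFIDENCE. The following is an added example written for this page, not BT's or CFH's own tooling; it assumes the NHS number (ten digits with a modulus 11 check digit) as the patient identifier to look for, uses constructed sample tickets, and treats the check digit as a way of separating real identifiers from asset tags and phone numbers that happen to be ten digits long.

```python
import re
from dataclasses import dataclass

# Ten digits, optionally in the usual "123 456 7890" / "123-456-7890" grouping,
# not embedded in a longer run of digits (so an 11-digit phone number is skipped).
_NHS_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{4})(?!\d)")


def nhs_number_is_valid(digits: str) -> bool:
    """Modulus 11 check-digit test for a 10-digit NHS number.

    Weights 10 down to 2 are applied to the first nine digits; the check digit
    is 11 minus the remainder, with 11 mapping to 0 and 10 meaning the number
    is never issued.
    """
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])


@dataclass(frozen=True)
class Finding:
    ticket_id: str
    field: str
    nhs_number: str


def scan_triage_report(ticket_id: str, fields: dict) -> list:
    """Return one Finding per valid NHS number found in any free-text field."""
    findings = []
    for field, text in fields.items():
        for match in _NHS_CANDIDATE.finditer(text):
            digits = "".join(match.groups())
            if nhs_number_is_valid(digits):
                findings.append(Finding(ticket_id, field, digits))
    return findings


def gate_report(ticket_id: str, fields: dict) -> str:
    """Decide whether a report may enter the BT IN CONFIDENCE helpdesk environment."""
    if scan_triage_report(ticket_id, fields):
        return "REJECT: exceeds BT IN CONFIDENCE, return to Trust for redaction"
    return "ACCEPT: BT IN CONFIDENCE"


# Constructed sample triage reports (hypothetical tickets, no real patients).
SAMPLE_REPORTS = {
    "TRG-0001": {
        "summary": "Cannot print discharge letter from Theatres module",
        "details": "Patient NHS no. 943 476 5919 admitted 3 Sept; letter fails at print preview.",
    },
    "TRG-0002": {
        "summary": "Label printer on ward 4 jammed",
        "details": "Asset tag 1234567890, helpdesk phone 020 7946 0000.",
    },
    "TRG-0003": {
        "summary": "Login loop after password reset",
        "details": "Reference 9434765910 quoted by user; no patient details supplied.",
    },
}


def scan_batch(reports: dict) -> dict:
    """Map each ticket id to its gate decision, e.g. for a monthly compliance report."""
    return {tid: gate_report(tid, fields) for tid, fields in reports.items()}


if __name__ == "__main__":
    for ticket, decision in scan_batch(SAMPLE_REPORTS).items():
        print(ticket, decision)
```

Of the three constructed tickets only TRG-0001 is rejected: the asset tag in TRG-0002 fails the check digit and the phone number is eleven digits, and the reference in TRG-0003 has the wrong check digit. The check is a minimum gate rather than a complete classifier: a free-text name or diagnosis carries no checksum, so the gate complements, rather than replaces, the reminders to Trust users described in the slide.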
13
Case Study: a specific incident
  • RISK CONTEXT
      • Day to day BT Service support activities
  • DEFENSIVE STRATEGY
      • BT staff and contractors are informed of required
        security procedures, acceptable and prohibited
        behaviours
  • PROTECTIVE MONITORING
      • BT staff and contractors are expected to be aware
        of what is going on and to report any breaches of
        security, including apparent breaches and
        perceived security weaknesses
  • ISSUES
      • An alert member of staff noticed that a screen
        shot that was emailed by BT to one of our
        subcontractors (during normal system development
        work) contained a password, in clear text.
      • Our IT Security Team immediately assessed the
        impact of the password being compromised. It was
        found that the password could not be exploited
        externally.
      • The password was reset. All recipients of the
        email were advised to delete and not forward the
        information, and all were reminded of the
        Security Policy that had been breached, to
        prevent a recurrence.

14
Case Study: active security management
  • RISK CONTEXT
      • PICIS product for Theatres
  • DEFENSIVE STRATEGY
      • Hosted in BT Data Centres
      • User access: web access via firewalls with
        layered application architecture
      • Management access through firewalls via
        Terminal Servers on a management DMZ, not
        directly connected to the service delivery
        network (with direct access on site in case of
        emergency)
  • PROTECTIVE MONITORING
      • Applications record user activity in accounting
        logs
      • Network IDS monitoring for unusual activity
  • ISSUES
      • IDS agent appeared to affect performance
        adversely
      • Testing with a reduced configuration of the IDS
        agent was found to cure the poor performance;
        further study reveals that the next release of
        the IDS product is going to correct this problem
      • Risk assessment indicates that no unacceptable
        security risks arise from the reduced IDS
        configuration while we await the new product
        release

15
Topics
  • Recap fundamentals
  • BT's compliance assurance activities
  • Four Case Studies
  • Trusting our people

16
BT Health Standing Procedures for Reliability
Checks
  • Basic Recruitment Check
      • For all staff, checks are required for identity
        and nationality (birth certificate, passport,
        driving licence etc), address (utility bills
        etc), skills, experience and qualifications
        (business, employment or other character
        references), and a criminal record declaration.
  • Audit
      • Periodic audits are carried out by the Service
        Security team to ensure all staff have been
        checked to a level appropriate for their role.
  • Criminal Records Bureau Check
      • For staff in roles involving unescorted access to
        locations where persons are in receipt of NHS
        services, a CRB disclosure must be obtained.
  • Security Check
      • For staff whose primary responsibilities involve
        access to patient clinical data or stop-noted
        patient demographic data, a formal HMG SC
        clearance is required.
      • Relevant staff include database administrators
        (but not those who have incidental access to
        patient clinical data such as users examining
        logs and message queues), and software experts
        with security manager, administrator or
        super-user access to applications that
        store/process clinical or personal demographic
        data.
      • A non-UK national may alternatively be vetted to
        a non-UK equivalent of SC.

17
Summary of staff checked above Basic level
  • Service Desk (48 people): Team leaders and
    selected team members working on the Service Desk
    are SC-cleared because of their potential access
    to sensitive personal medical data.
  • Application and Technical Support Groups (40
    people): In these teams, it is the people whose
    primary responsibilities may involve them in
    access to patient clinical data or stop-noted
    patient demographic data (as specified by the CFH
    requirement), who are SC-cleared.
  • London Systems Admin Team (4 people): All the
    members of this team, which includes database
    administrators, are SC-cleared because of their
    ability to access sensitive personal medical
    data.
  • SC Clearance Audit: Our BT Health Security
    Clearance Survey tool gives team leaders and
    managers an effective method of recording and
    managing clearance level information of people
    for whom they are responsible. This information
    is automatically collated and reports generated
    for review by IT Security, who gauge levels of
    compliance, target areas for improvement and
    provide assistance and guidance where required.
