Information Security Self-Assessment

Introduction

Most public health organisations must collect, process, store and/or transmit confidential health data to meet their functions.

The general public have a reasonable expectation that their privacy will be protected by organisations who handle their confidential health data.

Employees similarly expect their personal data to remain secure.

Health data is often regarded as Sensitive Personal Data in the national regulations of different countries: https://iclg.com/practice-areas/data-protection-laws-and-regulations/

The risks of handling health or other personal data include:

• loss or corruption of data, with an adverse impact on public health functions
• inappropriate access, modification, destruction or use of health data by unauthorised third parties, with adverse consequences for individuals or organisations

Individuals whose confidential data is compromised face risks including identity theft, fraud and blackmail.

Health data can be as desirable to cybercriminals as credit card or identity card data.

Organisations who fail to protect the security of sensitive personal data face risks including legal, financial and/or other consequences such as loss of reputation or public trust.

E.g.

• https://saharareporters.com/2022/01/10/exclusive-hacker-breaks-nimc-server-steals-over-three-million-national-identity-numbers
• https://securityaffairs.co/77847/cyber-crime/pakistani-banks-data-breach.html
• https://www.wired.com/story/nigeria-cybersecurity-issues/

Information security can be defined as the measures taken to protect against these risks while maintaining the availability of the data for use.

Information security risks can be typically broken into three broad groups:

• Those related to the practices of data users (people)
• Those related to the processes that the organisation adopts
• Those related to the technologies that are used by the organisation

Sensitive information can be stored in a number of formats, including in electronic systems or on paper, and can be transferred in a number of ways, including via email or verbally.

There are numerous ways in which sensitive information can be compromised.

Organisations should take all available measures to protect sensitive information.

A comprehensive approach to information security would address each of the risk areas and each of the ways information is stored or transmitted.

Examples of information security measures:

• information security awareness training to minimise risks from users
• enforcement of appropriate organisational policies to minimise risks from organisational data handling processes
• appropriate cybersecurity measures to minimise risks from use of technology
• physical security measures to minimise the risk of loss or theft of documents or computer hardware
• use of secure email/messaging services and encryption to minimise risks of accidental disclosure of sensitive information

Risks to information security are constantly evolving.

The growth of digital health platforms and the increasing complexity of information management solutions necessitate a continuous improvement approach to information security.

Technology can only partly reduce risks to information security caused by the behaviour of data users; information security is everybody’s business.

The aims of this document are:

• to outline existing information security measures
• to identify areas of future collaborative working to strengthen information security measures

It comprises a series of open questions considering a broad range of information security risks and existing protective measures.

It is intended as a guide to future discussion rather than a comprehensive information security risk assessment.

Please give examples where possible.

It is not necessary to provide exhaustive or repetitive descriptions of the information security arrangements for every data asset or information system, but it is important that the examples described reflect the variety of arrangements.

Please do not include any sensitive or privileged information in your responses.

Please provide one single joint response on behalf of the organisation.

Names, job titles and email addresses of persons completing or contributing to this:

Information security risks: People

1. Does your organisation have an information security awareness training policy or strategy?

2. Does your organisation provide information security awareness training to all staff?

3. Does your organisation provide information security awareness training to new employees at induction?

4. Does your organisation provide regular refresher training on information security to all staff?

5. Does information security training provided cover the following?

   • Office security and managing access to premises
   • Physical security of documents and equipment
   • Clear desk policy; use of screen locks and/or privacy screen protectors
   • Security classifications for files and documents
   • Password policy and use of multi-factor authentication (MFA) or biometrics
   • Operating system and application updates
   • Installation of software
   • Use of mobile devices/phones and storage media (e.g. USB drives)
   • Use of personal devices/equipment/email accounts
   • Use of social networking
   • Phishing, social engineering or other deceptive practices involving e.g. SMS/text messages or telephone calls
   • Data sharing and confidentiality
   • Information security when travelling or remote working
   • What to do in the event of data breach or attempted cybercrime

6. Are staff under a contractual obligation to maintain confidentiality of personal data?

Information security risks: Processes

1. Which roles or structures in your organisation have overall responsibility for information risk management? e.g. CIO, CISO, data protection officers, data controllers/processors

2. Which roles or structures in your organisation have overall responsibility for cybersecurity?

3. Has your organisation undertaken security assessments for compliance with national data protection regulations?

4. Has your organisation undertaken security assessments for compliance with international standards such as https://www.iso.org/standard/62777.html?

5. What other information security risk assessments or audits has your organisation undertaken?

   For any assessments undertaken:

   • What threats/vulnerabilities/risks were identified?
   • What actions were recommended?
   • Are all actions complete?
   • Can any reports be shared?

6. Does your organisation have an information security management system (ISMS)?

7. What information security policies, guidelines, audit standards and/or standardised operating procedures does your organisation follow?

8. Who is responsible for writing organisational information security policies?

9. Does your organisation maintain a data catalogue, inventory or other comprehensive register of the data assets managed by your organisation?

   • If so, who does this?
   • How is it kept up-to-date?

10. Summarise the data assets held by your organisation.

    • Which contain health or other sensitive/personal data?
    • Which are paper-based and which are electronic?

11. Does each data asset have a nominated responsible officer/risk owner?

12. Does your organisation have policies for backing up data?

    • How is business critical data identified for backups?

13. Does your organisation have policies for approval of information systems or system changes?

14. Does your organisation have a security classification system for documents and electronic files?

15. Does your organisation have policies for retention and disposal of information?

16. Does your organisation have policies for secure disposal of paperwork? e.g. use of shredders

17. Does your organisation have policies for secure disposal of computer equipment?

18. Does your organisation have policies for data release or sharing with third parties? If so, please give details e.g. data sharing agreements or contracts

19. Does your organisation have a password or MFA policy? - If so, please provide details e.g. minimum password length, complexity, types of characters allowed, expiry, prevention of reuse or sharing, number of incorrect attempts before account is locked, use of password managers

20. Does your organisation have policies for procurement/management/replacement of laptops, desktops, other mobile devices or removable storage (e.g. USB drives or CDROMS)?

    • Does your organisation maintain an inventory of devices?
    • Does your organisation have policies for secure disposal of any of the above?

21. Does your organisation have policies regarding use of personal devices?

22. Does your organisation have policies regarding use of personal email or other messaging services such as WhatsApp?

23. Does your organisation have policies regarding use of social networking?

24. Does your organisation have policies determining which software can be installed on its devices?

25. Does your organisation have policies covering access to physical premises?

    • What security measures are in place? e.g. entry logs, ID/swipe cards

26. How are information security policies shared with users?

27. How are organisational policies enforced?

28. What are your policies for detecting, reporting and responding to data breaches and cybersecurity incidents?

29. Does your organisation monitor for known or exploited cybersecurity vulnerabilities, using e.g. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?

30. Does your organisation have incident response, business continuity and/or disaster recovery plans?

    • If so, have these plans been tested in an exercise?

31. Describe previous data breaches or cybersecurity incidents experienced by the organisation.

    • Has your organisation addressed lessons learned from previous data breaches or cybersecurity incidents?

Information security risks: Technology

1. Where are data assets held by your organisation? Please describe how any of the following are used to store or process sensitive personal data:

   • Laptops or desktop computers
   • Mobile devices
   • Servers on premises running e.g. databases or data warehouses; Web services e.g. intranet/extranet, SharePoint, DHIS 2, LIMS or SORMAS; file/FTP/email/other services;
   • Servers in cloud environments running e.g. databases or data warehouses; Web services e.g. intranet/extranet, SharePoint, DHIS 2, LIMS or SORMAS; file/FTP/email/other services
   • Servers elsewhere e.g. outsourced services
   • External storage devices
   • Off-site or cloud storage (e.g. backups)

2. Please describe security measures in place for laptops, desktops, other mobile devices or removable storage (e.g. USB drives or CDROMS)?

   • Does your organisation maintain an inventory of devices?
   • Does your organisation remotely manage its mobile devices?
   • Are updates to software (and firmware updates) applied automatically?
   • Do all devices have antivirus and/or antimalware software, regularly updated?
   • What BIOS/bootloader security measures are in place?
   • Are mobile devices protected e.g .by a PIN or password?
   • Are mobile devices encrypted?
   • Can mobile devices be tracked and locked or wiped remotely?

3. Please describe security measures in place for servers (including network security measures), addressing the following:

   • upgrades and patches
   • intrusion prevention and detection systems
   • remote access e.g. fail2ban (SSH)
   • system audits and server hardening measures
   • redundancy and fault tolerance
   • logging, monitoring and intrusion prevention/detection; what is monitored? e.g. login failures, network access/activity, use of privileged accounts, file integrity, system logs, available disk space
   • deactivation of unnecessary services
   • firewalls (software/hardware); management of firewall rules; monitoring of open TCP ports
   • network segmentation e.g. DMZ
   • identity and authentication management; access control e.g. SSO/LDAP/AD/Kerberos; access for administrators
   • use of encrypted protocols e.g. VPNs, TLS/HTTPS; avoidance of deprecated protocols (e.g. TLSv1.0/1.1); please refer to the results of https://www.internet.nl/ for your sites
   • encryption of files, directories, databases
   • router security (e.g. vendor default passwords, firmware updates, correct configuration)
   • wifi: protocols in use (e.g. WPA2) and monitoring e.g. of access points
   • staff access to the Internet e.g. via a proxy URL
   • DNS, DNSSEC
   • DDOS protection
   • security of IOT devices e.g. networked printers
   • security of VOIP/videoconferencing services
   • data flows between systems, e.g. data from LIMS

4. Are all users provided with a corporate email address with end-to-end encryption?

   • What security measures are in place?
   • What anti-spam/anti-phishing measures are in place? e.g. DKIM, SPF, SpamAssassin, other spam filtering

5. What are your security arrangements related to developing and/or maintaining web servers or Web apps/services (e.g. Django, Drupal, PHP)?

   • Do Web apps adhere to OWASP principles (https://owasp.org/www-project-web-security-testing-guide/v42/)?
   • Are dependencies regularly updated? e.g. JQuery, Drupal, PHP
   • Please refer to https://www.hardenize.com/ and https://www.whynopadlock.com/ for your sites
   • What internal or external penetration testing has been undertaken to identify common vulnerabilities e.g. SQL injection? What risks were identified?
   • Are web services deployed using virtual machines or containers? Are snapshots taken?

6. How is the security of data backups maintained? e.g. 3-2-1 backup strategy; frequency; encryption; malware scanning; testing backups can be restored

7. Do your systems handle financial information or billing/other e-commerce functions? Please describe related security measures.

8. What technical support contracts or other arrangements are in place for maintaining business critical services?

9. How are organisational domains handled?

   • How are expired domains/subdomains managed? Please refer to e.g. https://pentest-tools.com/information-gathering/find-subdomains-of-domain to enumerate subdomains

10. How are user accounts managed?

    • Are accounts deleted at the end of contracts?

11. How are user permissions managed?

12. Do staff work remotely? Is data accessed remotely? If so, describe relevant information security measures.

13. Please summarise the premises where data assets are held.

14. What physical security measures does your organisation have to prevent theft of computer equipment? e.g. restricted access by room locks/keypads, server cages, CCTV, burglar alarms

15. Do all staff require ID badges for access to premises? How is access for visitors and contractors managed?

16. What measures do you have in place to deal with power outages? e.g. UPS, generators

17. What measures in place to prevent, detect and/or respond to fires which may affect computer equipment or business critical processes?

18. What measures in place to prevent, detect and/or respond to weather which may affect computer equipment or business critical processes?