Digital Security and Protection (DSP) is a key priority for any NHS organisation or any business that wants to do business with the NHS. The DSP Toolkit is a rich set of requirements to ensure all organisations that may have access to private or confidential data have good protections in place.
Clearly, it's been particularly challenging for NHS agencies to complete their assessments this year and it will soon be time to complete the assessments for 2021. Importantly, some DSPT requirements have changed for 2021. In particular, DSPT version 3 (required for new assessments) makes Cyber Essentials a mandatory requirement for all relevant organisations.
It's a good recommendation. Previously, the requirement was that all relevant agencies move towards Cyber Essentials Plus compliance as a result of the investigations into the WannaCry attacks. With DSPT V3, Cyber Essentials is now mandatory. Osirium recently published a free whitepaper on reducing the effort to achieve Cyber Essentials compliance.
Privileged account management is at the core of the Cyber Essentials requirements and DSPT. Indeed, it's fundamental to all security strategies; if you can't control access to the security tools, then those tools are vulnerable. In DSPT, section 4 is most directly relevant as it includes requirements such as "The organisation does not allow users with wide ranging or extensive system privilege to use their highly privileged accounts for high-risk functions, in particular reading email and web browsing" and "You record and store all privileged user sessions for offline analysis and investigation." How could you monitor, manage, and (importantly) prove compliance with such requirements?
In a very stretched environment with these increased requirements, all data security and IT operations managers should be working on how to reduce the effort required to complete the DSPT assessment and produce the required evidence items as easily as possible.
The whitepaper mentioned above highlights how many of the key requirements can be automated using modern privileged access management (PAM) and automation (for Osirium, that means Privileged Process Automation - PPA).
It's not just about complying with regulations (although, that's clearly important). Good privileged access management can be a positive gain for productivity.
That's just a few examples. PPA is so flexible it can help solve many challenges in IT and across the organisation. It's limited only by your imagination.
If you'd like to discuss how your next DSPT assessment can be simplified, please get in touch.