Professional Documents
Culture Documents
HW and SW Guideline
HW and SW Guideline
Security
Good Practice Guide
Author: A Heathcote
Date: 22/05/2017
Version: 1.0
Contents
1 Purpose 3
2 Scope 3
3 Applicability 3
4 Guidance 3
4.1 General Approach and Applicability 3
4.2 Hardware Security 4
4.2.1 Definition of Hardware and Hardware Security 4
4.2.2 Hardware Configuration Management 5
4.2.3 Hardware Security Management 7
4.3 Software Security 7
4.3.1 Definition of Software and Software Security 7
4.3.2 Software Configuration Management 8
4.3.3 Software Security Management 10
1 Purpose
The purpose of the Hardware and Software Security Good Practice Guide (GPG) is to
provide guidance on how IT systems (hardware and software) should be configured and
managed to maximise the protection of the confidentiality, integrity and availability of data
processed. This guidance will enable the organisation to have mechanisms and processes
to:
• Control the configuration of hardware and software.
• Account for and manage hardware and software.
• Maintain the security integrity of hardware and software.
2 Scope
The Hardware and Software Security GPG relates to all IT systems storing, processing and
transmitting NHS and other UK Government information.
3 Applicability
The Hardware and Security GPG is applicable to and designed for use by any NHS, Health
& Social Care or associated organisations that use or have access to NHS systems and/or
information at any level.
4 Guidance
The Hardware and Software Security GPG supplements the Example Policy on producing a
Hardware and Software Security Policy and provides greater detail on how the policy
requirements can be achieved. It is not prescriptive and it is realised that different
organisations will require different levels of management. This GPG provides the minimum
that should be considered. It is recommended that it is utilised in tandem with the GPGs on
network Security and Secure Configuration as there is considerable overlap and
commonality. The guidance provided should be scaled according to the size of the
organisation. For smaller organisations the GPG may be used to drive contractual
requirements or to work with any third party provider to ensure the provided IT systems’
hardware and software are configured and managed as required to maximise the protection
of the data and information.
• Hardware security can be defined as vulnerability protection that comes in the form of a
physical device rather than software that is installed on the hardware of a computer or IT
system.
• Hardware security can be considered to be the protection of both the actual hardware (e.g.
the server) and also hardware devices used to protect the network, such as firewalls,
routers, switches, etc. through to bespoke security devices such as crypto-processors and
hardware security modules (HSMs).
4.2.2 Hardware Configuration Management
• An integral part of hardware security (both in the protection of the individual hardware
components and the use of hardware to provide security to the network architecture) is the
secure configuration (the processes for secure configuration are in the NHS Secure
Configuration GPG) of all the hardware with the recording and management of this
configuration. This management is best achieved through the use of a Hardware
Configuration Record (HCR) for each IT system/network within the organisation.
• The actual process for maintaining the integrity of the security of the hardware through the
implementation of patches and updates is outlined in the GPGs for Secure Configuration
and Network Security. It is therefore not repeated here; however, outlined below, with an
example overleaf, is a proposed methodology for maintaining a HCR.
• IT Managers should maintain the HCR to capture and maintain an inventory of all
configurable hardware. This may form a sub part of the information asset register or be
managed as a separate record; whichever process is used the serial or identification
numbering of the hardware should be easy to refer to between the two records. The
HCR should, as a minimum, cover the items below:
• Type of hardware and Vendor.
• Unique ID or Reference Number (a unique identifying label should be placed on the
item if no identifier is available).
• Owner of hardware.
• Record of updates/changes – including date, update/change reference from vendor
or the organisation’s IT Service Operations and person who completed the change).
• Record of when checked – a full inventory should be completed at least annually.
[Note: Where the IT service is provided by an outsourced third party provider the requirement
for the HCR should be part of the contract between the NHS or health and social care
organisation and the IT service provider.]
Information Asset
Type of Hardware
Inventory Checks
(Summary and
Business Unit
Reference No
(Date and By
Unique ID or
Location or
Record of
Serial No
Updates
Vendor
Whom)
Owner
Date)
A serial This is either a unique This should be from a This should identify the This should be a This should be the role This column is likely to This column is likely to
number if number on the asset or set agreed list of vendor who provided, or physical location and the and named individual in need to have several need to have several
required preferably an asset hardware. This list could if changed, who currently business or department that role that the ‘internal rows’ as each ‘internal rows’ as each
numbering sequence be: supports the hardware; that ‘hosts or uses’ the organisation has update/patch or time there is an inventory
(code) designed and for example: hardware. determined owns the maintenance is recorded check the result with the
produced by the Database server hardware. If the with a summary of the date of the check and by
organisation. The code Proxy Server Dell organisation is large the patch/update or who should be inserted.
can be used to identify Web Mail Server Cisco IAO may have delegated maintenance record
which department owns Router HP the management and number and the date it
the asset. Switch Apple control of the hardware was completed, and if
Firewall etc. asset – if this is the case possible by whom.
etc. this column should state
the role and named
individual in the role.
27 NHS/FIN/003 Database server Dell PowerEdge T430 - Finance Dept Finance Officer Patch 153/2016 on 18 Confirmed on full muster
Xeon E5-2620V4 2.1 Aug 16 by IT Services 1 Sep 16 by Mr/Mrs/Miss
GHz - 8 GB - 300 GB Office X Mr/Mrs/Miss ??????? (Mr/Mrs/Miss ? ?????) ? ??????
Tower Server Server Room Y
Update Release 04/2016
Address on 4 Nov 16 by IT
Services (Mr/Mrs/Miss ?
??????)
• Software security can be considered to be the protection of both the actual software (e.g.
the operating system through lockdown or hardening of it) and also software that is used to
protect the network, such as anti-virus, intrusion detection systems (IDS) and security
incident event management (SIEM) programmes.
4.3.2 Software Configuration Management
• An integral part of software security (both in the protection of the software for daily business
(operating systems and applications) and the use of software to provide security to the
network architecture (such as anti-virus and IDS)) is the secure configuration (the
processes for secure configuration are in the NHS Secure Configuration GPG) of all the
software with the recording and management of this configuration. This management is
best achieved through the use of a Software Configuration Record (SCR) for each IT
system/network within the organisation.
• The actual process for maintaining the integrity of the security of the software through the
implementation of patches and updates is outlined in the GPGs for Secure Configuration
and Network Security. It is therefore not repeated here; however, outlined below, with an
example overleaf, is a proposed methodology for maintaining a SCR.
• IT Managers should maintain the SCR to capture and maintain an inventory of all
configurable software. This may form a sub part of the information asset register or be
managed as a separate record; whichever process is used the serial or identification
numbering of the software should be easy to refer to between the two records. The SCR
should, as a minimum, cover the items below:
• Software vendor and item identifier.
• Version number and licence details of the software.
• Serial number.
• Date first installed and date of changes with details of person responsible for
change/update. (Items such as anti-virus where automatic signature updates have been
configured do not need to be recorded here.)
• Record of when checked – a full inventory should be completed at least annually.
• [Note: Where the IT service is provided by an outsourced third party provider the
requirement for the SCR should be part of the contract between the NHS or health and
social care organisation and the IT service provider.]
Information Asset
Inventory Checks
Type of Software
Licence Number
(and By Whom)
(Summary and
Business Unit
Date Installed
Reference No
or Reference
(Date and By
Unique ID or
Location or
Record of
Serial No
Updates
Vendor
Whom)
Owner
Date)
A serial This is either a This can be as This should identify This should be the This should be the This should be a This should be the This column is This column is
number if unique number simple as the vendor who licence number (or date of first physical location role and named likely to need to likely to need to
required from the software operating system provided, or if series/batch of installation and by and the business individual in that have several have several
the asset or and application or changed, who licence numbers if whom. or department that role that the ‘internal rows’ as ‘internal rows’ as
preferably an asset if many different currently supports multiple) for that ‘hosts or uses’ the organisation has each update/patch each time there is
numbering types of the software; for software that is software. It may determined owns or maintenance is an inventory check
sequence (code) applications are example: installed. be that the IT the software. If the recorded with a the result with the
designed and used a sub list can Services organisation is summary of the date of the check
produced by the be used – e.g. Microsoft department owns large the IAO may patch/update or and by who should
organisation. The SAGE for finance, Apple the software or it have delegated the maintenance be inserted.
code can be used SQL Database for Oracle may be by management and record number and
to identify which patient records etc. VMWare department; such control of the the date it was
department Symantec as SAGE for software asset – if completed, and if
owns/utilises the etc. finance or SQL this is the case this possible by whom.
software. Database by HR column should
for staff records. state the role and
named individual in
the role.
14 Ports-Trust/HR/011 Application – Oracle Orc/148654/16 – 14 Aug 2016 (Mr Human Resources HR Manager Patch Orc/04/2016 Confirmed on full
Oracle Database covers 50 users /Mrs/Miss ? ?????) Dept on 23 Nov 16 by IT muster all 50 user
Mr/Mrs/Miss ? Services licences utilised
Office X ?????? (Mr/Miss/Mrs ? and no more - 1
Server Room Y ?????) Dec 16 by
Mr/Mrs/Miss ?
Address ??????
6 Key Words
Application, Configuration, Hardware, Hardware Configuration Record (HCR),
Operating System, Patches, Software, Software Configuration Record (SCR),
Tamper Proof Seals, Updates, Vendor