
Hardware and Software Security
Good Practice Guide
Author: A Heathcote
Date: 22/05/2017
Version: 1.0

Copyright © 2017 Health and Social Care Information Centre.


The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.

Contents
1 Purpose
2 Scope
3 Applicability
4 Guidance
4.1 General Approach and Applicability
4.2 Hardware Security
4.2.1 Definition of Hardware and Hardware Security
4.2.2 Hardware Configuration Management
4.2.3 Hardware Security Management
4.3 Software Security
4.3.1 Definition of Software and Software Security
4.3.2 Software Configuration Management
4.3.3 Software Security Management
5 Further Reading and Advice
6 Key Words


1 Purpose
The purpose of the Hardware and Software Security Good Practice Guide (GPG) is to
provide guidance on how IT systems (hardware and software) should be configured and
managed to maximise the protection of the confidentiality, integrity and availability of data
processed. This guidance will enable the organisation to have mechanisms and processes
to:
• Control the configuration of hardware and software.
• Account for and manage hardware and software.
• Maintain the security integrity of hardware and software.

2 Scope
The Hardware and Software Security GPG relates to all IT systems storing, processing and
transmitting NHS and other UK Government information.

3 Applicability
The Hardware and Software Security GPG is applicable to and designed for use by any NHS, Health
& Social Care or associated organisations that use or have access to NHS systems and/or
information at any level.

4 Guidance
The Hardware and Software Security GPG supplements the Example Policy on producing a
Hardware and Software Security Policy and provides greater detail on how the policy
requirements can be achieved. It is not prescriptive and it is realised that different
organisations will require different levels of management. This GPG provides the minimum
that should be considered. It is recommended that it is utilised in tandem with the GPGs on
Network Security and Secure Configuration as there is considerable overlap and
commonality. The guidance provided should be scaled according to the size of the
organisation. For smaller organisations the GPG may be used to drive contractual
requirements or to work with any third party provider to ensure the provided IT systems’
hardware and software are configured and managed as required to maximise the protection
of the data and information.

4.1 General Approach and Applicability


• The secure configuration, accountability and management of the hardware and software
utilised by an organisation is a fundamental element of a sound information security
management process. If the hardware or software is not securely configured, identified and
controlled (using an asset register) and managed (patched, updated, procured, etc.)
correctly it leaves the organisation open to having unmanaged vulnerabilities and poor
processes that could lead to:
• Compromise of the data’s/information’s confidentiality – information/data breaches,
unauthorised disclosures, loss of data or unauthorised viewing.
• Compromise of the data’s/information’s integrity – unauthorised modification of the
information/data.


• Compromise of the data’s/information’s availability – disruption and denial of service
attacks.
• Reputational damage – loss of public confidence in the NHS or health and social care’s
ability to secure patient information.
• The secure configuration of hardware and software is covered in more detail in the NHS
Secure Configuration GPG and the information asset registration process is covered in the
NHS Asset Management GPG. This GPG will touch both of these elements but the core of
this GPG will cover:
• What hardware and software is.
• Hardware and Software Configuration records.
• Management of hardware and software security – patches, updates, registration,
checks, securing of, contract arrangements, etc.
• This GPG provides guidance and, where applicable, examples on hardware and software
security but should be used in tandem with the NHS GPGs for secure configuration,
network security and asset management.

4.2 Hardware Security


• This section will cover:
• Definition and examples of hardware and hardware security.
• Hardware configuration management and recording.
• Management of hardware security, including for contracts.
4.2.1 Definition of Hardware and Hardware Security
• Hardware is the physical aspect of computers, telecommunications, and other devices. The
term arose as a way to distinguish the ’box’ and the electronic circuitry and components of a
computer from the programme that is ‘put on it’ to make it do things.
• Hardware examples include, but are not limited to:
• Servers.
• Workstations.
• Laptops.
• Tablets.
• Switches.
• Routers.
• Hard disk drives (HDDs).
• Solid state drives (SSDs).
• Graphics cards.
• Sound cards.
• Random access memory (RAM).
• Motherboards.
• Power supplies.


• Hardware security can be defined as vulnerability protection that comes in the form of a
physical device rather than software that is installed on the hardware of a computer or IT
system.
• Hardware security can be considered to be the protection of both the actual hardware (e.g.
the server) and also hardware devices used to protect the network, such as firewalls,
routers, switches, etc. through to bespoke security devices such as crypto-processors and
hardware security modules (HSMs).
4.2.2 Hardware Configuration Management
• An integral part of hardware security (both in the protection of the individual hardware
components and the use of hardware to provide security to the network architecture) is the
secure configuration (the processes for secure configuration are in the NHS Secure
Configuration GPG) of all the hardware with the recording and management of this
configuration. This management is best achieved through the use of a Hardware
Configuration Record (HCR) for each IT system/network within the organisation.
• The actual process for maintaining the integrity of the security of the hardware through the
implementation of patches and updates is outlined in the GPGs for Secure Configuration
and Network Security. It is therefore not repeated here; however, outlined below, with an
example overleaf, is a proposed methodology for maintaining an HCR.
• IT Managers should maintain the HCR to capture and maintain an inventory of all
configurable hardware. This may form a sub part of the information asset register or be
managed as a separate record; whichever process is used the serial or identification
numbering of the hardware should be easy to refer to between the two records. The
HCR should, as a minimum, cover the items below:
• Type of hardware and Vendor.
• Unique ID or Reference Number (a unique identifying label should be placed on the
item if no identifier is available).
• Owner of hardware.
• Record of updates/changes – including date, update/change reference from vendor
or the organisation’s IT Service Operations, and person who completed the change.
• Record of when checked – a full inventory should be completed at least annually.
[Note: Where the IT service is provided by an outsourced third party provider the requirement
for the HCR should be part of the contract between the NHS or health and social care
organisation and the IT service provider.]


4.2.2.1 Exemplar Hardware Configuration Record

• Serial No – A serial number if required.
• Unique ID or Reference No – This is either a unique number on the asset or preferably an
asset numbering sequence (code) designed and produced by the organisation. The code can
be used to identify which department owns the asset.
• Type of Hardware – This should be from a set agreed list of hardware. This list could be:
Database server, Proxy Server, Web Mail Server, Router, Switch, Firewall, etc.
• Vendor – This should identify the vendor who provided, or if changed, who currently
supports the hardware; for example: Dell, Cisco, HP, Apple, etc.
• Location or Business Unit – This should be a physical location and the business or
department that ‘hosts or uses’ the hardware.
• Information Asset Owner – This should be the role and named individual in that role that
the organisation has determined owns the hardware. If the organisation is large the IAO
may have delegated the management and control of the hardware asset – if this is the case
this column should state the role and named individual in the role.
• Record of Updates (Summary and Date) – This column is likely to need to have several
‘internal rows’ as each update/patch or maintenance is recorded with a summary of the
patch/update or maintenance record number and the date it was completed, and if possible
by whom.
• Inventory Checks (Date and By Whom) – This column is likely to need to have several
‘internal rows’ as each time there is an inventory check the result with the date of the
check and by who should be inserted.

Below is an illustrative example

• Serial No: 27
• Unique ID or Reference No: NHS/FIN/003
• Type of Hardware: Database server
• Vendor: Dell PowerEdge T430 - Xeon E5-2620V4 2.1 GHz - 8 GB - 300 GB Tower Server
• Location or Business Unit: Finance Dept; Office X; Server Room Y; Address
• Information Asset Owner: Finance Officer Mr/Mrs/Miss ???????
• Record of Updates (Summary and Date): Patch 153/2016 on 18 Aug 16 by IT Services
(Mr/Mrs/Miss ? ?????); Update Release 04/2016 on 4 Nov 16 by IT Services
(Mr/Mrs/Miss ? ??????)
• Inventory Checks (Date and By Whom): Confirmed on full muster 1 Sep 16 by
Mr/Mrs/Miss ? ??????


4.2.3 Hardware Security Management


• In the implementation of the patches and updates identified above and for the overall
security management of hardware the following approach should be taken:
• Only hardware that is supported by an approved vendor procured and used.
• Full support contracts arranged with the hardware vendor for through life support.
• No modifications made to the hardware without confirmation that the vendor can
continue to provide support.
• Updates or configuration changes issued or required by the vendor implemented as
soon as practicable.
• Ports and connections for removable media deactivated (physically or logically) if they
are not required for business processes.
• Network hardware (e.g. servers, blades, RAIDS, switches, routers, etc.) secured in
lockable racks to which access is controlled and limited to authorised personnel only.
• Workstations, laptops and tablets have tamper proof seals installed to enable any
unauthorised interference to be identified.
• Tamper proof seals required to be checked by the user daily. If a seal has been tampered
with then the issue is raised as an information security incident.
• Network hardware inspected regularly to determine if it has been tampered with; this
should be at least annually.

4.3 Software Security


• This section will cover:
• Definition and examples of software and software security.
• Software configuration management and recording.
• Management of software security, including for contracts.
4.3.1 Definition of Software and Software Security
• Software can be defined as organised information in the form of operating systems, utilities,
programs, and applications that enable computers to work. Software consists of carefully-
organised instructions and code written by programmers in any of various special computer
languages. Software is divided commonly into two main categories:
• System software - controls the basic (and invisible to the user) functions of a computer
and comes usually preinstalled with the machine. (BIOS and Operating System.)
• Application software - handles multitudes of common and specialised tasks a user wants
to perform, such as accounting, communicating, data processing and word processing.
• Software examples include:
• Operating systems – Mac OS X 10, Windows 7, Windows 10, etc.
• Applications – Internet browsers such as Firefox, Google Chrome, Internet Explorer,
Safari; Outlook; Word; Excel; Adobe; Windows Media Player; etc.
• Software security can be defined as any software that provides security for a computer or
network.


• Software security can be considered to be the protection of both the actual software (e.g.
the operating system through lockdown or hardening of it) and also software that is used to
protect the network, such as anti-virus, intrusion detection systems (IDS) and security
information and event management (SIEM) programmes.
4.3.2 Software Configuration Management
• An integral part of software security (both in the protection of the software for daily business
(operating systems and applications) and the use of software to provide security to the
network architecture (such as anti-virus and IDS)) is the secure configuration (the
processes for secure configuration are in the NHS Secure Configuration GPG) of all the
software with the recording and management of this configuration. This management is
best achieved through the use of a Software Configuration Record (SCR) for each IT
system/network within the organisation.
• The actual process for maintaining the integrity of the security of the software through the
implementation of patches and updates is outlined in the GPGs for Secure Configuration
and Network Security. It is therefore not repeated here; however, outlined below, with an
example overleaf, is a proposed methodology for maintaining an SCR.
• IT Managers should maintain the SCR to capture and maintain an inventory of all
configurable software. This may form a sub part of the information asset register or be
managed as a separate record; whichever process is used the serial or identification
numbering of the software should be easy to refer to between the two records. The SCR
should, as a minimum, cover the items below:
• Software vendor and item identifier.
• Version number and licence details of the software.
• Serial number.
• Date first installed and date of changes with details of person responsible for
change/update. (Items such as anti-virus where automatic signature updates have been
configured do not need to be recorded here.)
• Record of when checked – a full inventory should be completed at least annually.
• [Note: Where the IT service is provided by an outsourced third party provider the
requirement for the SCR should be part of the contract between the NHS or health and
social care organisation and the IT service provider.]


4.3.2.1 Exemplar Software Configuration Record

• Serial No – A serial number if required.
• Unique ID or Reference No – This is either a unique number from the software asset or
preferably an asset numbering sequence (code) designed and produced by the organisation.
The code can be used to identify which department owns/utilises the software.
• Type of Software – This can be as simple as operating system and application or if many
different types of applications are used a sub list can be used – e.g. SAGE for finance,
SQL Database for patient records etc.
• Vendor – This should identify the vendor who provided, or if changed, who currently
supports the software; for example: Microsoft, Apple, Oracle, VMWare, Symantec, etc.
• Licence Number or Reference – This should be the licence number (or series/batch of
licence numbers if multiple) for that software that is installed.
• Date Installed (and By Whom) – This should be the date of first installation and by whom.
• Location or Business Unit – This should be a physical location and the business or
department that ‘hosts or uses’ the software. It may be that the IT Services department
owns the software or it may be by department; such as SAGE for finance or SQL Database
by HR for staff records.
• Information Asset Owner – This should be the role and named individual in that role that
the organisation has determined owns the software. If the organisation is large the IAO
may have delegated the management and control of the software asset – if this is the case
this column should state the role and named individual in the role.
• Record of Updates (Summary and Date) – This column is likely to need to have several
‘internal rows’ as each update/patch or maintenance is recorded with a summary of the
patch/update or maintenance record number and the date it was completed, and if possible
by whom.
• Inventory Checks (Date and By Whom) – This column is likely to need to have several
‘internal rows’ as each time there is an inventory check the result with the date of the
check and by who should be inserted.

Below is an illustrative example

• Serial No: 14
• Unique ID or Reference No: Ports-Trust/HR/011
• Type of Software: Application – Oracle Database
• Vendor: Oracle
• Licence Number or Reference: Orc/148654/16 – covers 50 users
• Date Installed (and By Whom): 14 Aug 2016 (Mr/Mrs/Miss ? ?????)
• Location or Business Unit: Human Resources Dept; Office X; Server Room Y; Address
• Information Asset Owner: HR Manager Mr/Mrs/Miss ? ??????
• Record of Updates (Summary and Date): Patch Orc/04/2016 on 23 Nov 16 by IT Services
(Mr/Miss/Mrs ? ?????)
• Inventory Checks (Date and By Whom): Confirmed on full muster all 50 user licences
utilised and no more - 1 Dec 16 by Mr/Mrs/Miss ? ??????
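
The minimum HCR and SCR fields from sections 4.2.2 and 4.3.2 can be checked automatically if the records are held as CSV exports. The following is an added example, not part of the NHS Digital guide: the column names, the CSV layout and the sample rows are assumptions constructed for illustration. It flags missing minimum fields, duplicate IDs, IDs that cannot be cross-referred to the asset register, and inventory checks older than the annual requirement.

```python
import csv
import io
from datetime import date, datetime

# Minimum fields from sections 4.2.2 (HCR) and 4.3.2 (SCR). The column names
# are assumptions for this example; the guide does not define a file format.
COMMON = ["unique_id", "type", "vendor", "owner", "last_update", "last_inventory_check"]
REQUIRED = {"HCR": COMMON, "SCR": COMMON + ["version", "licence", "date_installed"]}
MAX_CHECK_AGE_DAYS = 365  # "a full inventory should be completed at least annually"


def audit(csv_text, record_type, asset_register_ids, today):
    """Return (unique_id, finding) tuples for one HCR or SCR export."""
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        uid = (row.get("unique_id") or "").strip() or "<no id>"
        if uid in seen:
            findings.append((uid, "duplicate unique_id"))
        seen.add(uid)
        # The guide asks that IDs are easy to cross-refer to the asset register.
        if uid not in asset_register_ids:
            findings.append((uid, "not in asset register"))
        for field in REQUIRED[record_type]:
            if not (row.get(field) or "").strip():
                findings.append((uid, f"missing {field}"))
        checked = (row.get("last_inventory_check") or "").strip()
        if checked:
            try:
                last = datetime.strptime(checked, "%Y-%m-%d").date()
            except ValueError:
                findings.append((uid, "unparseable last_inventory_check"))
            else:
                if (today - last).days > MAX_CHECK_AGE_DAYS:
                    findings.append((uid, "inventory check overdue"))
    return findings


# Constructed sample data, loosely modelled on the exemplar rows.
AUDIT_DATE = date(2017, 5, 22)
ASSET_REGISTER = {"NHS/FIN/003", "NHS/FIN/004", "Ports-Trust/HR/011"}
SAMPLE_HCR = """unique_id,type,vendor,owner,last_update,last_inventory_check
NHS/FIN/003,Database server,Dell,Finance Officer,2016-11-04,2016-09-01
NHS/FIN/004,Router,Cisco,,2016-08-18,2015-06-30
NHS/FIN/004,Switch,HP,Finance Officer,2016-08-18,2016-09-01
NHS/HR/009,Firewall,Cisco,HR Manager,2016-08-18,01/09/2016
"""
SAMPLE_SCR = """unique_id,type,vendor,owner,last_update,last_inventory_check,version,licence,date_installed
Ports-Trust/HR/011,Application,Oracle,HR Manager,2016-11-23,2016-12-01,,Orc/148654/16,2016-08-14
"""

if __name__ == "__main__":
    for name, text in (("HCR", SAMPLE_HCR), ("SCR", SAMPLE_SCR)):
        for uid, finding in audit(text, name, ASSET_REGISTER, AUDIT_DATE):
            print(f"{name} {uid}: {finding}")
```
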


4.3.3 Software Security Management


• In the implementation of the patches and updates identified above and for the overall
security management of software the following approach should be taken:
• Only software that is supported by an approved vendor procured and used.
• Full support contracts arranged with the software vendor for through life support.
• No modifications made to the software without confirmation that the vendor can
continue to provide support.
• Updates, patches and configuration changes issued by the vendor implemented as
soon as practicable.
• Workstations, laptops and tablets configured so that unauthorised software cannot
be downloaded.
• Access to operating system, application configurations and IT management tools
restricted to authorised personnel only; i.e. least privilege.
• A full review of software and licences completed at least annually. Any anomalies
shall be reported to senior management.

5 Further Reading and Advice


• In addition to the documents listed under Related References, Links and Documents,
further details and advice on protective monitoring can be found
at https://www.ncsc.gov.uk/. This GPG does not list the particular references as these
change on a frequent basis; however, searches under the following headings will help
to locate the current applicable HMG policy and standard or an assured provider or
technology that may be required:
• Least Privilege.
• Secure configuration.
• Hardware lockdown or hardening.
• Operating system lockdown or hardening.
• Hardware security.
• Software security.
• Patching.
• Updates.
• Asset management.
• This GPG is supported by other GPGs, which should be used in tandem. This
includes, but is not limited to:
• Application Security
• Asset Management
• Hardware and Software Security
• Network Security
• Secure Configuration


6 Key Words
Application, Configuration, Hardware, Hardware Configuration Record (HCR),
Operating System, Patches, Software, Software Configuration Record (SCR),
Tamper Proof Seals, Updates, Vendor
