
12/08/2020 Details

OPEN MEDICAL LTD (8JP47)



19/20 Standards Met


Assessment - 12/08/2020
14:51
Published by: harry lykostratis
Published as: OPEN MEDICAL LTD (8JP47)

Organisation Profile
Primary Sector
Company

Caldicott Guardian
Michael Shenouda

Medical Director

michael@openmedical.co.uk

07751223033

SIRO
Harry Lykostratis

https://www.dsptoolkit.nhs.uk/Publication/Publication/52471?HidePublishSectionOnReturn=True

Managing Director

hlykos@openmedical.co.uk

07879356979

IG Lead
Harry Lykostratis

Managing Director

hlykos@openmedical.co.uk

07879356979

Data Protection Officer
Dorota Naumiuk

Operations Director

dorota@openmedical.co.uk

07880232402

Mail System
Is NHS Mail the only email system used by your organisation?
No

Does your organisation have Cyber Essentials PLUS Certification with
a scope covering all health and care data processing awarded during
the last 12 months?
No

Cyber Essentials PLUS award date
Not Provided

Cyber Essentials PLUS Certificate
Not Provided

Does your organisation have current valid ISO 27001 Certification?
No

ISO 27001 award/audit date
Not Provided

ISO 27001 Certificate
Not Provided

Assessment
1. Personal Confidential Data
2. Staff Responsibilities
3. Training
4. Managing Data Access
5. Process Reviews
6. Responding to Incidents
7. Continuity Planning
8. Unsupported Systems
9. IT Protection
10. Accountable Suppliers

1. Personal Confidential Data


1.1
There is senior ownership of data security and protection
within the organisation.

1.1.1
Has responsibility for data security been assigned?
Yes
Completed by: Dorota Naumiuk

1.1.2
Who are your staff with responsibility for data protection and / or security.
Harry Lykostratis - Managing Director
Dorota Naumiuk - Operations Manager
Comments:
Harry Lykostratis - SIRO
Dorota Naumiuk - DPO
Completed by: Dorota Naumiuk

1.1.3
Is data security direction set at management level and translated into
effective organisational practices?
Yes
Comments:
Management have clear responsibilities on data security. Organisational
practices include regular data security training, Q&A sessions on data security
as part of regular meetings agenda, spot checks and regular monitoring of all
staff practices related to data security.
Completed by: harry lykostratis

Assertion confirmed by: Dorota Naumiuk

1.2
There are clear data security and protection policies in
place and these are understood by staff and available to the
public.

1.2.1
Are there approved data security and protection policies in place that
follow relevant guidance?

Yes
Comments:
Yes, all necessary and up to date documentation is maintained. List of
policies:
IG Secure Data Transfer Procedure
IG Subject Access Request (SAR) Policy & Procedure
IG Recruitment and Contracting Policy
IG Pseudonymisation Policy
Patients Privacy Notice
IG Pathpoint System Level Security
IG Pathpoint Process Mapping
Pathpoint IG Pathpoint Data Flow Mapping
IG Overview
IG Network & Mobile Security Policy
IG Information Security Policy
IG Information Risk Policy
IG Data Protection Policy
IG Change Management
Pathpoint Interoperability SNOMED CT / HL7 FHIR
Emergency Plan | Business Continuity and Disaster Recovery
IG Cyber Attack Guidance and Process
Complaints Policy
Completed by: Dorota Naumiuk

1.2.2
When were each of the data security and protection policies last updated?
02/03/2020 and 02/06/2020
Comments:
IG Secure Data Transfer Procedure 02/03/2020
IG Subject Access Request (SAR) Policy & Procedure 02/03/2020
IG Recruitment and Contracting Policy 02/03/2020
IG Pseudonymisation Policy 02/03/2020
Patients Privacy Notice 08/06/2020
IG Pathpoint System Level Security 02/03/2020
IG Pathpoint Process Mapping 02/03/2020
Pathpoint IG Pathpoint Data Flow Mapping 02/03/2020
IG Overview 02/03/2020
IG Network & Mobile Security Policy 02/03/2020
IG Information Security Policy 02/03/2020
IG Information Risk Policy 02/03/2020
IG Data Protection Policy 02/03/2020
IG Change Management 02/03/2020
Pathpoint Interoperability SNOMED CT / HL7 FHIR 02/03/2020
Emergency Plan | Business Continuity and Disaster Recovery 02/03/2020
IG Cyber Attack Guidance and Process 02/03/2020


Completed by: Dorota Naumiuk

1.2.3
How are data security and protection policies available to the public?
OM IG - Data Protection Policy [2.6].pdf (/Publication/ViewUpload?
AttachmentId=145460)
OM IG - Information Security Policy [2.6].pdf (/Publication/ViewUpload?
AttachmentId=145461)
OM IG - Patients Privacy Notice [1.5] (2).pdf (/Publication/ViewUpload?
AttachmentId=145469)

Comments:
Patients Privacy Notice Policy is available to all clinicians using the platform
via direct link in pdf format that can be easily printed.
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

1.3
Individuals’ rights are respected and supported (GDPR
Article 12-22)

1.3.1
What is your ICO Registration Number?
ZA238664
Completed by: Dorota Naumiuk

1.3.2
How is transparency information (e.g. your Privacy Notice) published and
available to the public?
https://openmedical.co.uk/privacy (https://openmedical.co.uk/privacy)
OM IG - Patients Privacy Notice [1.5] (2).pdf (/Publication/ViewUpload?
AttachmentId=145469)

Comments:
Patients Privacy Notice Policy is available to all clinicians using the platform
via direct link in pdf format that can be easily printed. Website privacy notice
available via direct link provided above.
Completed by: Dorota Naumiuk

1.3.3
How have Individuals been informed about their rights and how to exercise
them?
OM IG - SAR Policy & Procedure [2.2] (1).pdf (/Publication/ViewUpload?
AttachmentId=145463)
https://openmedical.co.uk/privacy (https://openmedical.co.uk/privacy)
OM IG - Patients Privacy Notice [1.5] (2).pdf (/Publication/ViewUpload?
AttachmentId=145469)

Comments:
Patients Privacy Notice Policy is available to all clinicians using the platform
via direct link in pdf format that can be easily printed. Website privacy notice
available via direct link provided above.
Completed by: Dorota Naumiuk

1.3.4
Provide details of how access to information requests have been complied
with during the last twelve months.
There have been no Subject Access Requests received so far.
Completed by: Dorota Naumiuk

1.3.5
Have there been any ICO actions taken against the organisation in the last
12 months, such as fines, enforcement notices or decision notices?
None
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk


1.4
Records of processing activities are documented for all
uses and flows of personal information (GDPR Article 30
and DPA 18 Schedule 1 Part 4)

1.4.1
Provide details of the record or register that details each use or sharing of
personal information.
A separate registry for each organisation enabling data processing is held in
the Implementation folder in the shared drive alongside the DPIA for that
organisation

Completed by: Dorota Naumiuk

1.4.2
When was the record or register of information flows approved by the
Management team or equivalent?
02 March 2020
Comments:
A separate registry for each organisation enabling data processing is held in
the Implementation folder in the shared drive alongside the DPIA for that
organisation
Completed by: Dorota Naumiuk

1.4.3
Provide a list of all systems/information assets holding or sharing personal
information.
Data Security and Protection Compliance - Spot Checks (3).pdf
(/Publication/ViewUpload?AttachmentId=145470)

Completed by: harry lykostratis

1.4.4
Is your organisation compliant with the national data opt-out policy?
OM IG - Patients Privacy Notice [1.4] (2) (1).pdf (/Publication/ViewUpload?
AttachmentId=145462)


Comments:
Patients Privacy Notice includes statement on the national opt-out policy:
"The recently introduced national data opt-out programme allows a patient to
choose if they do not want their confidential patient information to be used for
purposes beyond their individual care and treatment, i.e. for research and
planning. You can set your own opt-out choice which will be recorded by the
Provider and passed on to Open Medical who will take actions to respect that
choice."
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

1.5
Personal information is used and shared lawfully.

1.5.1
Is there approved staff guidance on confidentiality and data protection
issues?
Yes
Comments:
Yes, policies and standard operating procedures are in place for staff
guidance.
Completed by: Dorota Naumiuk

1.5.2
What actions have been taken following Confidentiality and Data
Protection monitoring/spot checks during the last year?
Data Protection Monitoring.pdf (/Publication/ViewUpload?
AttachmentId=145474)

Comments:
All staff have set up two factor authentication to access all systems and
company documents as an extra level of security. Password policy has been
enforced across all staff to reduce the risk of brute-force attacks from cyber
criminals and unauthorised access incidents. Secure data transfer policy has
been updated to strengthen security and give clear guidance to staff involved
in handling secure data.
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

1.6
The use of personal information is subject to data
protection by design and by default

1.6.1
There is an approved procedure that sets out the organisation’s approach
to data protection by design and by default, which includes
pseudonymisation requirements.
Yes
Completed by: Dorota Naumiuk

1.6.2
There are technical controls that prevent information from being
inappropriately copied or downloaded.
Granular role based access with 2-factor-authentication
Comments:
Password policy enforcement on internal systems, MDM across all staff
devices with remote tracking, locking and wiping, centralised control of
access.
Completed by: Dorota Naumiuk

1.6.3
There are physical controls that prevent unauthorised access to buildings
and locations where personal data are stored or processed.
Lockable doors, Non-opening windows, 24/7 security and sign-in door officer,
lockable drawers in office, automatic after-hours locking of all doors. Magnetic
card access monitoring.


Completed by: Dorota Naumiuk

1.6.5
There is a staff procedure, agreed by the person with responsibility for
data security, on carrying out a Data Protection Impact Assessment that
follows relevant ICO guidance.
Yes
Completed by: Dorota Naumiuk

1.6.6
Is a Data Protection Impact Assessment carried out before high risk
processing commences?
Yes
Completed by: Dorota Naumiuk

1.6.7
Have any unmitigated risks been identified through the Data Protection
Impact Assessment process and notified to the ICO?
No
Completed by: Dorota Naumiuk

1.6.8
Data Protection Impact Assessments are published and available as part
of the organisation’s transparency materials.
Held in the implementation folder for each processing inside the IG subfolder.
The DPIAs are shared directly with the organisation concerned.

Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

1.7
Effective data quality controls are in place and records are
maintained appropriately

1.7.1
There is a policy and staff guidance on data quality.
Yes
Completed by: Dorota Naumiuk

1.7.4
Has a records retention schedule been produced?
Yes
Completed by: Dorota Naumiuk

1.7.5
Provide details of when personal data disposal contracts were last
reviewed/updated.
All data are being processed by the organisation and subject to Records
Management Code of Practice for Health and Social Care 2016 strictly
followed internally. Any data processing on behalf of other organisations is
governed by the specific commercial contracts, Service Level Agreement, or
Data Processing Agreements.
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

1.8
There is a clear understanding and management of the
identified and significant risks to sensitive information and
services

1.8.3
What are your top three data security and protection risks?
1. Complete incapacity of engineering team
2. Loss of data centre
3. Loss of laptops while remotely working
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

2. Staff Responsibilities
2.1
There is a clear understanding of what Personal
Confidential Information is held.

2.1.1
The organisation has identified and catalogued personal and sensitive
information it holds.
Information Asset Register .xlsx (/Publication/ViewUpload?
AttachmentId=145471)

Comments:
Patients personal and sensitive data needed for provision of direct clinical
care. System users personal data needed to register on the system.
Company's employees personal data needed for direct employment checks
and processes.
Completed by: harry lykostratis

2.1.2
When did your organisation last review the list of all systems/information
assets holding or sharing personal information?
16 March 2020
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

2.2
Staff are supported in understanding their obligations
under the National Data Guardian’s Data Security
Standards.

2.2.1
Is there a data protection and security induction in place for all new
entrants to the organisation?
Yes
Completed by: Dorota Naumiuk

2.2.2
Do all employment contracts contain data security requirements?
Yes
Completed by: Dorota Naumiuk

2.2.3
The results of Staff awareness surveys on staff understanding of data
security are reviewed to improve data security.
Yes, staff survey collected every year and acted upon accordingly
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

3. Training

3.1
There has been an assessment of data security and
protection training needs across the organisation.

3.1.1
Has an approved organisation wide data security and protection training
needs analysis been completed after 1 April 2019?
Yes
Comments:
Yes, TNA created and executed by company DPO.
Completed by: harry lykostratis

Assertion confirmed by: Dorota Naumiuk

3.2
Staff pass the data security and protection mandatory test.

3.2.1
Have at least 95% of all staff, completed their annual Data Security
awareness training in the period 1 April 2019 to 30 September 2020?
Yes
Comments:
Yes, 100% of staff have completed data security awareness training.
Completed by: Dorota Naumiuk

3.2.2
What is the average mark of staff completing the Data Security Awareness
Training?
96.8%
Completed by: Dorota Naumiuk


Assertion confirmed by: Dorota Naumiuk

3.3
Staff with specialist roles receive data security and
protection training suitable to their role.

3.3.1
Provide details of any specialist data security and protection training
undertaken.
3 additional one to one training sessions with DPO, 1 group session with
SIRO for staff with responsibility for data protection identified via TNA
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

3.4
Leaders and board members receive suitable data
protection and security training.

3.4.1
Have the senior people with responsibility for data security received
appropriate data security and protection training?
Yes. SIRO Harry Lykostratis has been trained appropriately for his role.
Completed by: harry lykostratis

Assertion confirmed by: Dorota Naumiuk

4. Managing Data Access

4.1
The organisation maintains a current record of staff and
their roles.

4.1.1
Your organisation maintains a record of staff and their roles.
Yes
Completed by: harry lykostratis

4.1.2
Does the organisation understand who has access to personal and
confidential data through your systems, including any systems which do
not support individual logins?
OM IG - G Suite Security and Compliance.pdf (/Publication/ViewUpload?
AttachmentId=145458)
OM IG - Pathpoint System Level Security [2.5] (1).pdf
(/Publication/ViewUpload?AttachmentId=145464)
Data Security and Protection Compliance - Spot Checks (3).pdf
(/Publication/ViewUpload?AttachmentId=145470)

Comments:
All systems support individual logins, audit and details of staff with access is
available in real time on all systems.
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

4.2
Organisation assures good management and maintenance
of identity and access control for its networks and
information systems.

4.2.1
When was the last audit of user accounts held?
11 March 2019
Completed by: Dorota Naumiuk

4.2.2
Provide a summary of data security incidents in the last 12 months caused
by a mismatch between user role and system accesses granted.
User data security access logs and summary audits are held internally in the IG
folder of the shared drive accessible by the SIRO and the Operations
Manager. No data security incidents are recorded in the last 12 months.

Comments:
None
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

4.3
All staff understand that their activities on IT systems will
be monitored and recorded for security purposes.

4.3.1
All system administrators have signed an agreement which holds them
accountable to the highest standards of use.
Yes
Completed by: Dorota Naumiuk

4.3.3
Is an acceptable IT usage banner displayed to all staff when logging in,
including a personal accountability reminder?
Yes
Completed by: Dorota Naumiuk

4.3.4
Provide a list of all systems to which users and administrators have an
account, plus the means of monitoring access.
All system access logs and summary audits are held within the IG folder of
the shared drive and are accessible to the SIRO and the Operations
Manager.
OM systems access log (1).xlsx (/Publication/ViewUpload?
AttachmentId=145475)

Comments:
All logs are automatically created by the G-suite platform and documented in
real time.
Completed by: Dorota Naumiuk

4.3.5
Have all staff been notified that their system use could be monitored?
Yes
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

4.4
You closely manage privileged user access to networks and
information systems supporting the essential service.

4.4.1
The person with responsibility for IT confirms that IT administrator
activities are logged and those logs are only accessible to appropriate
personnel.

Yes
Completed by: Dorota Naumiuk

4.4.2
Privileged user access is removed when no longer required or appropriate.
Yes
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

4.5
You ensure your passwords are suitable for the information
you are protecting

4.5.4
Passwords for highly privileged system accounts, social media accounts
and infrastructure components shall be changed from default values and
shall not be easy to guess. Passwords which would on their own grant
extensive system access, should have high strength.
All staff have been advised how to create secure passwords, and a password
policy has been enforced across the organisation.
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

5. Process Reviews

5.1
Process reviews are held at least once per year where data
security is put at risk and following data security incidents.

5.1.2
Provide a summary of process reviews held after security breaches to
identify and manage problem processes.
No security breaches identified so far, all risks have been identified, mitigated
and resolved.
Completed by: Dorota Naumiuk

5.1.3
List of actions arising from each process review, with names of actionees.
Comments:
No breaches occurred.

5.1.4
You use lessons learned to improve security measures, including
updating and retesting response plans when necessary.
Yes
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

5.2
Participation in reviews is comprehensive, and clinicians
are actively involved.

5.2.1
Provide a scanned copy of the process review meeting registration sheet
with attendee signatures and roles held.
Not relevant - No clinical care provided

Completed by: Dorota Naumiuk



Assertion confirmed by: Dorota Naumiuk

5.3
Action is taken to address problem processes as a result of
feedback at meetings or in year.

5.3.1
Explain how the actions to address problem processes are being
monitored and assurance given to senior management?
Any IG issues are escalated to SIRO and discussed at Board meetings at a
separate IG agenda. All outcomes and actions are recorded in the minutes.
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

6. Responding to Incidents
6.1
A confidential system for reporting data security and
protection breaches and near misses is in place and
actively used.

6.1.1
A data security and protection breach reporting system is in place.
Yes
Completed by: Dorota Naumiuk

6.1.2
How can staff report data security and protection breaches and near
misses?
Staff can report breaches and near misses via direct communication (phone,
email) to company SIRO and Data Protection Officer or via generic email
address ig@openmedical.co.uk which will be actioned accordingly.
Completed by: Dorota Naumiuk

6.1.3
List of all notifiable data security breach reports in the last twelve months.
None
Completed by: Dorota Naumiuk

6.1.4
The person with overall responsibility for data security is notified of the
action plan for all data security breaches.
No breaches
Completed by: Dorota Naumiuk

6.1.5
Individuals affected by a breach are appropriately informed.
Yes
Comments:
No breaches
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

6.2
All user devices are subject to anti-virus protections while
email services benefit from spam filtering and protection
deployed at the corporate gateway.


6.2.1
Name of anti-virus product.
ESET NOD32 - To be used on all staff devices that are NOT chromebooks.
The organisation only supplies chromebooks to users where no local storage
is supported.
Completed by: harry lykostratis

6.2.2
Number of alerts recorded by the AV tool in the last three months.
0
Completed by: harry lykostratis

6.2.3
Has anti-virus or malware protection software been installed on all
computers that are connected to or capable of connecting to the Internet?
Yes
Comments:
Yes, all devices and services have anti-virus and anti-malware software.
Completed by: harry lykostratis

6.2.7
Name of spam email filtering product.
Google Suite Business Package - GMail
Completed by: harry lykostratis

6.2.8
Number of spam emails blocked per month.
100
Completed by: harry lykostratis

6.2.9
Number of phishing emails reported by staff per month.
1
Completed by: harry lykostratis


Assertion confirmed by: Dorota Naumiuk

6.3
Known vulnerabilities are acted on based on advice from
CareCERT, and lessons are learned from previous incidents
and near misses.

6.3.1
If you have had a data security incident, was it caused by a known
vulnerability?
None
Completed by: Dorota Naumiuk

6.3.6
Have you had any repeat data security incidents of the same issue within
the organisation?
No
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

7. Continuity Planning
7.1
Organisations have a defined, planned and communicated
response to Data security incidents that impact sensitive
information or key operational services.

7.1.1
Organisations understand the health and care services they provide.
OM - Business Impact Analysis [1.9] (1).xlsx (/Publication/ViewUpload?
AttachmentId=145476)

Completed by: Dorota Naumiuk

7.1.2
Do you have well defined processes in place to ensure the continuity of
services in the event of a data security incident, failure or compromise?
Yes
Completed by: Dorota Naumiuk

7.1.3
You understand the resources and information that will be needed if there
is a data security incident and arrangements are in place to make these
resources available.
Yes
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

7.2
There is an effective test of the continuity plan and disaster
recovery plan for data security incidents.

7.2.1
Explain how your data security incident response and management plan
has been tested to ensure all parties understand their roles and
responsibilities as part of the plan.
A minor concern was raised and an IG conference call between the SIRO,
Medical Director and Operations Manager was held on the same day to
discuss it. The investigation was carried out and a detailed report produced.
The responsibilities of each individual were discussed. An action plan has been
created and implemented to improve the data security process, and an internal
SOP has been created and shared with the team.
Completed by: Dorota Naumiuk

7.2.3
Scanned copy of data security business continuity exercise registration
sheet with attendee signatures and roles held.
Data Security Business Continuity - Registrations (1).pdf
(/Publication/ViewUpload?AttachmentId=145466)
OM - Emergency Plan [1.7] (1).pdf (/Publication/ViewUpload?
AttachmentId=145465)

Completed by: Dorota Naumiuk

7.2.4
From the business continuity exercise, which issues and actions were
documented, with names of actionees listed against each item.
Data Security Business Continuity - Registrations (1).pdf
(/Publication/ViewUpload?AttachmentId=145466)
Business continuity exercise.pdf (/Publication/ViewUpload?
AttachmentId=145477)

Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

7.3
You have the capability to enact your incident response
plan, including effective limitation of impact on your
essential service. During an incident, you have access to
timely information on which to base your response
decisions.

7.3.2
All emergency contacts are kept securely, in hardcopy and are up-to-date.
Yes
Completed by: Dorota Naumiuk

7.3.4
Suitable backups of all important data and information needed to recover
the essential service are made, tested, documented and routinely
reviewed.
Vault function is used across organisation that keeps all data traffic in a
differential manner.
Completed by: Dorota Naumiuk

7.3.5
When did you last successfully restore from backup?
The backup is tested at random on a daily basis, but there has not been any
data corruption on the production environment.
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

8. Unsupported Systems
8.1
All software and hardware has been surveyed to
understand if it is supported and up to date.

8.1.1
What software do you use?
Data Security and Protection Compliance - Data Systems (2).pdf
(/Publication/ViewUpload?AttachmentId=145467)

Completed by: harry lykostratis

8.1.2
Does the organisation track and record all end user devices and
removable media assets?
Yes
Completed by: harry lykostratis

Assertion confirmed by: Dorota Naumiuk

8.2
Unsupported software and hardware is categorised and
documented, and data security risks are identified and
managed.

8.2.1
List of unsupported software prioritised according to business risk, with
remediation plan against each item.
Data Security and Protection Compliance - Data Systems (2).pdf
(/Publication/ViewUpload?AttachmentId=145467)

Comments:
No unsupported software is used.
Completed by: Dorota Naumiuk

8.2.2
The person with overall responsibility for data security confirms that the
risks of using unsupported systems are being treated or tolerated.
Yes
Completed by: Dorota Naumiuk


Assertion confirmed by: Dorota Naumiuk

8.3
Supported systems are kept up-to-date with the latest
security patches.

8.3.1
How do your systems receive updates and how often?
OM IG - Pathpoint System Level Security [2.5] (1).pdf
(/Publication/ViewUpload?AttachmentId=145464)

Comments:
System updates are being applied by automatic live patching.
Completed by: Dorota Naumiuk

8.3.2
How often, in days, is automatic patching typically being pushed out to
remote endpoints?
around 7-10 days
Completed by: Dorota Naumiuk

8.3.3
What is your approach to ensuring patches for critical or high-risk
vulnerabilities are applied within 14 days of release?
Immediate application of security and vulnerabilities patches via LivePatch
from official repositories.
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

8.4
You manage known vulnerabilities in your network and
information systems to prevent disruption of the essential
service.

8.4.1
Is all your infrastructure protected from common cyber-attacks through
secure configuration and patching?
Yes, by using OpenStack firewalls and automatic security patching of the
machines.
Completed by: harry lykostratis

8.4.2
All infrastructure is running operating systems and software packages
which are patched regularly, and as a minimum in vendor support.
Yes
Completed by: harry lykostratis

8.4.3
You maintain a current understanding of the exposure of your hardware
and software to publicly-known vulnerabilities.
Yes
Comments:
Our engineering team is subscribing to security newsletters and 0-day
vulnerability publications.
Completed by: harry lykostratis

Assertion confirmed by: Dorota Naumiuk

9.

IT Protection

9.1
All networking components have had their default
passwords changed.

9.1.1
The Head of IT, or equivalent role confirms all networking components
have had their default passwords changed.
Yes
Comments:
Changes every 3 months by engineering team
Completed by: harry lykostratis

Assertion confirmed by: Dorota Naumiuk

9.2
A penetration test has been scoped and undertaken

9.2.1
The annual IT penetration testing is scoped in negotiation between
management, business and testing team including checking that all
networking components have had their default passwords changed.
[Not provided]

9.2.2
The date the penetration test was undertaken.
[Not provided]

9.2.3
Where critical and high-risk vulnerabilities have been detected, and have
not been resolved within 14 days, the risk is understood, documented, and
has been agreed by the person with responsibility for data security.
Yes


Comments:
No high-risk vulnerabilities detected.
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

9.3
Systems which handle sensitive information or key
operational services shall be protected from exploitation of
known vulnerabilities.

9.3.1
All web applications are protected and not susceptible to common security
vulnerabilities, such as described in the top ten Open Web Application
Security Project (OWASP) vulnerabilities.
Yes, all applications are protected and not susceptible to common
vulnerabilities like: injection, broken authentication, sensitive data exposure,
broken access control, security misconfiguration, insecure deserialization,
using components with known vulnerabilities, cross-site scripting, XML
external entities, insufficient logging & monitoring.
Completed by: Dorota Naumiuk

9.3.2
The person with responsibility for IT has reviewed the results of latest
penetration testing, with action plan against outstanding OWASP findings.
Data Security and Protection Compliance - Data Systems.pdf
(/Publication/ViewUpload?AttachmentId=145459)
Cyber Essentials Certificate.pdf (/Publication/ViewUpload?
AttachmentId=145472)
fd54af2c-285d-4381-85c0-090541735c39 (1).pdf (/Publication/ViewUpload?
AttachmentId=145473)

Comments:
No issues identified in the Web Software used in the organisation. Cyber
Essentials penetration carried out 16/04/2020 and results acted upon.
Completed by: Dorota Naumiuk

9.3.3
The organisation uses the UK Public Sector DNS Service to resolve
internet DNS queries.
Yes
Completed by: Dorota Naumiuk

9.3.4
The organisation ensures that changes to your authoritative DNS entries
can only be made by strongly authenticated and authorised
administrators.
Yes
Completed by: harry lykostratis

9.3.5
The organisation understands and records all IP ranges in use across
your organisation.
Yes
Completed by: Dorota Naumiuk

9.3.6
The organisation is protecting data in transit (including email) using well-
configured TLS v1.2 or better.
Yes
Completed by: Dorota Naumiuk

9.3.7
The organisation has registered and uses the National Cyber Security
Centre (NCSC) Web Check service for your publicly visible applications.
Yes
Completed by: Dorota Naumiuk

9.3.8
The organisation has suitable perimeter security device.
Open Stack firewall at all entry points including N3 network and NHS Digital
assurance.
Completed by: harry lykostratis

Assertion confirmed by: Dorota Naumiuk

9.4
You have demonstrable confidence in the effectiveness of
the security of your technology, people, and processes
relevant to essential services.

9.4.1
You validate that the security measures in place to protect the networks
and information systems are effective, and remain effective for the lifetime
over which they are needed.
All security measures are reviewed yearly and the system security policy
updated and re-implemented. Firewall configurations are reviewed, all
firewall rules are examined line by line, consolidated, and retested.
Completed by: Dorota Naumiuk

9.4.2
You understand the assurance methods available to you and choose
appropriate methods to gain confidence in the security of essential
services.
Yes
Comments:
Both our engineering and operations teams are being kept up to date with
security standards at national and international level.
Completed by: Dorota Naumiuk

9.4.3
Your confidence in the security as it relates to your technology, people,
and processes has been demonstrated to, and verified by, a third party in
the last twelve months.
Yes - Cyber Essentials and upcoming penetration test.
Completed by: Dorota Naumiuk

9.4.4
Security deficiencies uncovered by assurance activities are assessed,
prioritised and remedied when necessary in a timely and effective way.
Yes, all identified security deficiencies are being assured at the board meeting
by SIRO, DPO and Medical Director when clinical risk is involved.
Completed by: Dorota Naumiuk

9.4.5
The methods used for assurance are reviewed to ensure they are working
as intended and remain the most appropriate method to use.
Yes, every method used at the company is being identified by the DPO and
prioritised by the SIRO prior to being selected and confirmed for implementation with
determined timelines by the board.
Completed by: Dorota Naumiuk

9.4.6
What level of assurance did the independent audit of your Data Security
and Protection Toolkit provide to your organisation?
Comment: The Data Protection Toolkit has provided a very comprehensive
overview of our policies and procedures and acts as a guide to our security
and governance methods for each duration.

Assertion confirmed by: Dorota Naumiuk

9.5
A data security improvement plan has been put in place on
the basis of the assessment and has been approved by the
SIRO.

9.5.1
What is the status of your data security improvement plan?
Completed
Completed by: harry lykostratis

9.5.2
Date for full implementation of the data security improvement plan.
11 March 2020
Completed by: harry lykostratis

Assertion confirmed by: Dorota Naumiuk

9.6
You securely configure the network and information
systems that support the delivery of essential services.

9.6.1
All devices in your organisation have technical controls which manage the
installation of software on the device
Yes work device policy installed on all devices
Completed by: harry lykostratis

9.6.2
Confirm all health and care data is encrypted at rest on all mobile devices
and removable media.
Yes
Comments:
Both block and file level encryption (RSA256)
Completed by: harry lykostratis

9.6.3
You closely and effectively manage changes in your environment,
ensuring that network and system configurations are secure and
documented.
By using centralised access control we manage any staff changes as well as
authorising new or retired hardware.
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

10.

Accountable Suppliers
10.1
The organisation can name its suppliers, the products and
services they deliver and the contract durations.

10.1.1
The organisation has a list of its suppliers that handle personal
information, the products and services they deliver, their contact details
and the contract duration.
Data Security and Protection Compliance - Data Systems (2) (3).pdf
(/Publication/ViewUpload?AttachmentId=145468)

Comments:
The only suppliers are those of the cloud software used in the company, with
subscription contracts.
Completed by: Dorota Naumiuk

10.1.2
Contracts with all third parties that handle personal information are
compliant with ICO guidance.
Yes
Completed by: Dorota Naumiuk


Assertion confirmed by: Dorota Naumiuk

10.2
Basic due diligence has been undertaken against each
supplier that handles personal information in accordance
with ICO and NHS Digital guidance.

10.2.1
Organisations ensure that any supplier of IT systems that could impact on
the delivery of care, or process personal identifiable data, has the
appropriate certification
Yes, only approved suppliers are used.
Completed by: harry lykostratis

10.2.5
All Suppliers that process or have access to health or care personal
confidential information have completed a Data Security and Protection
Toolkit, or equivalent.
All suppliers have contractually assured full compliance with data security
standard required.
Completed by: harry lykostratis

Assertion confirmed by: Dorota Naumiuk

10.3
All disputes between the organisation and its suppliers
have been recorded and any risks posed to data security
have been documented.

10.3.1
List of data security incidents – past or present – with current suppliers
who handle personal information.
No data security incidents with suppliers since the formation of the
organisation.

Comments:
None
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

10.4
All instances where organisations cannot comply with the
NDG Standards because of supplier-related issues are
recorded and discussed at board

10.4.1
List of instances of suppliers who handle health and care data not
complying with National Data Guardian standards, with date discussed at
board or equivalent level.
No instances of non-compliance by suppliers
Completed by: Dorota Naumiuk

Assertion confirmed by: Dorota Naumiuk

© 2020 NHS Digital