At OCC we have been building and hosting software that deals with sensitive public sector data for over a decade. But where do you start if you are embarking on a project/business that has sensitive data at its heart?
The basic standard you need to look at for a company in this sector is ISO 27001:2013. You can purchase a copy of this standard online. If you go along this path the one thing I will say is that it’s easy to misunderstand what its purpose is and hence go overboard; do more than you need to. It is a standard that outlines a number of things you have to think about, it’s not a list of what you have to do. It is perfectly acceptable to say that you have risk assessed something and decided it’s not worth it, providing you can justify it. The standard is designed to make it clear to others what it is you do and to have assurance (via audits) that you have thought about it and that you do what you say.
As a start up a number of things can be radically simplified and make it more complex as you grow. You can get consultants to help you with this but it is feasible to do it yourself. To get this you need to create a series of policies and practices, a Statement of Applicability (which relates the standard back to the policies) and get audited by a registered body, we use SGS but there are many others.
N3 & PSN
If you want to connect to systems within the NHS network, there is also the N3 connectivity. This will be important if you need to support your system running inside the N3 network or if you need a connection to it.
For N3 I only know the basics: that is you complete a code of connection, which is a bit like ISO 27001 only more thorough and prescriptive, i.e. there are things you have to have, like two factor authentication and a certain grade of security devices.
For non-health organisations there is also the PSN or Public Services Network for which the same principles apply but just not quite as strict. This is the one we are currently working on for OCC, and we hope to go live with by the end of the year.
The other thing you cannot do without in the current climate, is to get your system externally penetration tested by a company that is CHECK or CREST registered and ask for a statement of opinion you can show (potential) customers. This seems pretty much expected as standard among our customers now.
These companies can cost anywhere between £800-1200 per day and we usually have to buy about 3 or 4 days for a system. How often you do this will depend on how often you change the system.
Where to find help
It is a bit of a mountain to climb but it’s not as bad once you get into it; take it in chunks and keep it in perspective (you will find purists that will easily go over the top). There are a number of consultants that can help in this area – many auditors have a side business of their own that they to sell consultancy and training services and the good ones will tell you what you don’t need as well as what you do. My auditors have nearly all given pointers during the audits as well.
In addition there are hosting companies that have experience connecting to PSN/N3 networks and systems that hold sensitive data. They are able to provide you with advice and, if handled correctly, can be useful free resource if there is a contract in it for them. Just keep an eye on the costs of the eventual contract you have with them.
We’ve covered the standards most relevant to the public sector, but of course there may be others related to your industry. The PCI DSS (Payment Card Industry Data Security Standard) is an obvious example, for those handling payment information. You should seek advice on other standards that apply to your business.
The other thing to remember is the landscape in this area continually changes, the levels of security and the type of things that were acceptable when we first started hosting systems are no longer acceptable and we’ve had to adapt and migrate to stay on top of the changes. So you are never truly done!