NHS DSP toolkit is an abbreviation for the ‘NHS Data Security and Protection Toolkit’, an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
The 10 standards are:
Firstly, you need to register your organisation. After registration, you will then create your organisation’s profile.
When creating your profile look to the elements marked as ‘Mandatory’. These will vary depending on how your organisation is categorised, so take extra care when selecting this option. The example registration page shown is taken from the profile creation process.
There are essentially 3 levels within the NHS DSP Toolkit: ‘Approaching Standards’, ‘Standards Met’ and ‘Standards Exceeded’.
The level of 'Standards Exceeded' should be the target for all organisations when certifying against the NHS Data Security and Protection Toolkit. It is reserved for those that achieve 'Standards Met' and hold a current Cyber Essentials PLUS certification.
NHSmail is the national secure collaboration service for health and social care in England. As a minimum, an organisation will need to have ‘Approaching Standards’ to access NHSmail.
Let’s take a bit of a closer look into one of the 10 Standards, specifically Standard 9, IT Protections.
The Independent Assessment Framework for this standard states:
“A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.”
Within this standard are several assertions. These are:
Assertion 1 - All networking components have had their default passwords changed.
Assertion 2 - A penetration test has been scoped and undertaken.
Assertion 3 - Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities.
Assertion 4 - You have demonstrable confidence in the effectiveness of the security of your technology, people, and processes relevant to essential services.
Assertion 5 - You have a data security improvement plan with agreed implementation dates.
Assertion 6 - You securely configure the network and information systems that support the delivery of essential services.
One of the main motivations for the standard's creation was to ensure that the NHS's supply chains are as secure as possible. To this end the standard asks:
“Do your organisation’s IT system suppliers have cyber security certification?”
The detail supporting the question lets us know that the following are ways your IT suppliers can demonstrate this:
· Having a Cyber Essentials certificate
· Having an ISO27001 certificate
A Cyber Essentials certificate comes at 2 levels - Cyber Essentials and Cyber Essentials Plus.
There have been some changes to the Cyber Essentials standard in 2022. To help with the changes we have recorded a brief webinar covering everything you need to know.
The page also contains other useful information related to Cyber Essentials, including our Cyber Essentials Readiness Quiz. The quiz is a self-assessed Gap Analysis to give you an idea of how ready your organisation is for Cyber Essentials certification.
View both here: Cyber Essentials
You should have submitted an assessment by the deadline of 30 June.
Don’t worry about having all your information to hand the first time you submit DSPT. You can skip back and forth as you work through the portal.
All of your responses in the portal will be saved so you can come back and continue later. There is also no specific order you need to follow when completing your submission, just as long as it’s completed in full. You can even involve as many people as you need to make sure it's right.
If you require assistance with any component of the DSP toolkit, please contact us.
Precursor Security is a Cyber Essentials certification body and a CREST registered company. We can assist with a variety of toolkit components, such as proof of penetration testing and vulnerability scanning.
Choose Precursor Security for penetration testing excellence—where industry-leading expertise, CREST accreditation, and a client-focused approach converge to fortify your digital defences with precision and reliability.
We have a CREST accredited Security Operations Centre and all of our penetration testers are CREST certified.
We are accredited to the highest of standards including CREST, ISO27001, ISO9001 and Cyber Essentials Plus.
Our experts have a combined experience of over 30 years delivering security operations to sectors such as healthcare, financial services, aerospace and more.