The first solution which can provide near to real-time, unparalleled insight into your security posture using Microsoft Defender for Endpoint and Power BI at an organisational or Integrated Care System (ICS) level, providing compliance for the NHS Data Security and Protection Toolkit (DSPT).
We provide dashboards aligned to the Centre for Internet Security (CIS®), The Open Web Application Security Project (OWASP), Security Technical Implementation Guides (STIG) and Microsoft Best Practice.
We enable you to amplify your team’s capabilities, elevate their efforts, and make your business more capable of withstanding cyber incidents 365 days of the year.
DSPT View
How we map to the Data Security & Protection Toolkit
Affordable & Cost Effective
Near to Real-Time insight from Microsoft Defender for Endpoint
Easy to Interpret analysis & visualizations by Microsoft Power BI Pro
Quick to Install (Under 4 Minutes)
Agentless & seamless
Zero Interruption to the user
Purpose Built for the Health, Integrated Care System (ICS) and public sector
Standard 1
Personal Confidential Data
DSPT View can provide and support evidence for four assertions under Standard 1
1.1.3: Your business has identified, documented and classified its hardware and software assets and assigned ownership of protection responsibilities.
1.3.5: Does your organisation operate and maintain a data security risk register (including risks from supply chain) which links to the corporate risk framework providing senior visibility?
1.3.6: What are your top three data security and protection risks?
1.3.7: Your organisation has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.
All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form.
Personal confidential data is only shared for lawful and appropriate purposes.
Standard 2
Staff Responsibilities
DSPT View cannot provide any support or evidence for Standard 2.
McCormickCo Security can provide support and development in creating, reviewing and auditing the following to support this standard:
- Induction training
- Training Policy and Procedures
- Standard Contract Templates
- Data Quality
The above services are encompassed within our Cyber Security as a Service (CSaaS).
All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
Standard 4
Managing Data Access
DSPT View can provide and support evidence for three assertions under Standard 4.
We can provide information about assets and threats from multiple sources, including the NHS Digital High Severity Alerts (HSE).
4.2.3: Logs are retained for a sufficient period, managed securely, reviewed regularly and can be searched to identify malicious activity.
4.4.1: The organisation ensures that logs, including privileged account use, are kept securely and only accessible to appropriate personnel.
4.5.2: Technical controls enforce password policy and mitigate against password-guessing attacks.
For mobile devices and tablets enrolled in Intune, we have a free compliance tool (DSPT View - Intune compliance) available via Microsoft AppSource and Marketplace.
We are currently developing an additional three assertions under Standard 4.
Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required.
All access to personal confidential data on IT systems can be attributed to individuals.
Standard 5
Process Reviews
DSPT View cannot provide any support or evidence for Standard 5.
As additional services we are able to provide an incident management procedure or policy, and root cause analysis that provides evidence to help prevent further incidents in the future. These align to assertions 5.1.1 and 5.1.2.
Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
Standard 6
Responding to Incidents
DSPT View can provide and support evidence for eight assertions under Standard 6.
6.2.1: Has antivirus/anti-malware software been installed on all computers that are connected to or capable of connecting to the Internet?
6.2.3: Antivirus/anti-malware is kept continually up to date.
6.2.4: Antivirus/anti-malware software scans files automatically upon access.
6.2.7: Does the organisation maintain a list of approved applications, and are users prevented from installing any application that is unsigned or has an invalid signature?
6.3.1: If you have had a data security incident, was it caused by a known vulnerability?
6.3.2: The organisation acknowledges all 'high severity' cyber alerts within 48 hours using the respond to an NHS cyber alert service.
6.3.3: The organisation has a proportionate monitoring solution to detect cyber events on systems and services.
6.3.5: Have you had any repeat data security incidents within the organisation during the past twelve months?
Cyberattacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken as soon as possible following a data breach or near miss, with a report made to senior management within 12 hours of detection.
Standard 7
Continuity Planning
DSPT View can provide and support evidence for one assertion under Standard 7.
We have various threat intelligence sources including NHS Cyber Alerts, DHS CISA Alerts and National Vulnerability Database (NVD).
Our tool allows your organisation to consume, review, analyse and action any threats.
7.1.4: You use your security awareness, e.g. threat intelligence sources, to make temporary security changes in response to new threats, e.g. a widespread outbreak of very damaging malware.
Any of the dashboards can be extracted or saved to ensure evidence is gathered.
A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
Standard 8
Unsupported Systems
DSPT View can fully support and provide evidence for 16 assertions under Standard 8.
8.1.1 to 8.1.4: All software and hardware has been surveyed to understand whether it is supported and up to date, is patched regularly, and is as a minimum in vendor support.
8.2.1 to 8.2.2: Unsupported software and hardware is categorised and documented, and data security risks are identified and managed.
8.3.1 to 8.3.7: Supported systems are kept up-to-date with the latest security patches.
8.4.1 to 8.4.3: You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service
No unsupported operating systems, software or internet browsers are used within the IT estate.
Standard 9
IT Protection
DSPT View can fully support and provide evidence for 18 assertions under Standard 9.
9.1.2: All networking components have had their default passwords changed.
9.3.1 to 9.3.6: Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities
9.4.1 to 9.4.5: You have demonstrable confidence in the effectiveness of the security of your technology, people, and processes relevant to essential services
9.5.1 to 9.5.7: You securely configure the network and information systems that support the delivery of essential services
9.7.1 to 9.7.6: The organisation is protected by a well managed firewall
DSPT View has been designed specifically to provide a daily assessment of your assets enrolled in Microsoft Defender for Endpoint, Cyber Essentials +, 52 assertions. This provides assurance regarding your security posture.
A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
Standard 10
Accountable Suppliers
DSPT View cannot provide any support or evidence for Standard 10.
As additional services we do provide support and development in creating, reviewing and auditing the following to support this standard:
- Supplier Management Process or Policy
- Map roles and responsibilities aligned to the DSP Toolkit
- Provide assessments of supplier accreditations and certifications with detailed understanding of their scope.
- Provide a review or tailored plan, process or policy for Data Security and Protection Incident (CIPR)
IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.
Annual IT Penetration Scope
Assertion 9.2.1 - Penetration and Scope
Requests that the annual IT penetration testing is scoped in negotiation between the SIRO, business and testing team, including a vulnerability scan and a check that all networking components have had their default passwords changed to a high strength password.
Whilst DSPT View provides detailed information on your organisation's cyber security posture, vulnerability, patching, compliance and baseline configuration, it is not currently CREST UK accredited. As additional services we can lead your engagement to deliver this for your organisation.
Any annual IT penetration test should be carried out by a CREST Accredited body.
McCormickCo Limited are ISO27001:2013 Certified and an approved supplier on Crown Commercial Services (CCS) - RM3764.3.
A penetration test has been scoped and undertaken
Our Roadmap
Development Roadmap
We are currently developing an additional 12 assertions, with the overall aim to have these in place within 2022-2023. These align to the following assertions:
- The organisation maintains a current record of staff and their roles.
- The organisation assures good management and maintenance of identity and access control for its networks and information systems.
- All staff understand that their activities on IT systems will be monitored and recorded for security purposes.
- Known vulnerabilities are acted on based on advice from NHS Digital, and lessons are learned from previous incidents and near misses.
Source aligned to the Data Security and Protection Toolkit (NHS Digital 29th July 2021 - Version 4)
DSPT View Roadmap on upcoming feature updates.
Our Managed Audit & Compliance service goes beyond a virtual CISO, providing you with a comprehensive range of interdisciplinary expertise to achieve resilience by design.
Increased Operational Resilience
Compliance Reporting
Enhanced Business Continuity
Access to Capability as needed
High-risk Assurance Prioritisation
Honest and Consistent Information Governance
Service Highlights
- Cyber Strategy Workshop & Creation
- Security Improvement Roadmap
- Annual Security Risk Assessment
- Annual Incident Response Plan
- Annual Tabletop Exercise
- Security Awareness Training Program
- Compliance & Regulatory Review
- Business Continuity Review