DSPT View©

The worlds first CIS Certified PowerBi App

Introducing DSPT View

The first solution which can provide near to real-time unparalleled insight into your security posture using Microsoft Defender for Endpoint and Power Bi at an organisational or Integrated Care System (ICS) Level, providing compliance for the NHS Data Security Protection Toolkit (DSPT).

We provide dashboards aligned to the Centre for Internet Security (CIS®), The Open Web Application Security Project (OWASP), Security Technical Implementation Guides (STIG) and Microsoft Best Practice.

Focusing on the detail of controls, our solution supports and provides evidence for 52 of the DSP Toolkit assertions:

42 Mandatory Assertions
10 Non-Mandatory Assertions

We enable you to amplify your team’s capabilities, elevate their efforts, and make your business more capable of withstanding attacks 365 days of the year.

What to Know More?

How we map to the
Data Security & Protection Toolkit

Standard 1

Personal Confidential Data

DSPT View can provide and support evidence for four assertions under Standard 1

1.1.3: Your business has identified, documented and classified its hardware and software assets and assigned ownership of protection responsibilities.

1.3.5: Does your organisation operate and maintain a data security risk register (including risks from supply chain) which links to the corporate risk framework providing senior visibility?

1.3.6: What are your top three data security and protection risks?

1.3.7: Your organisation has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.

Avenir Light is a clean and stylish font favored by designers. It's easy on the eyes and a great go-to font for titles, paragraphs & more.

All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form.

Personal confidential data is only shared for lawful and appropriate purposes.

Standard 2

Staff Responsibilities

DSPT View cannot provide any support or evidence for Standard 2.

McCormickCo Security can provide support and development in creating, reviewing and auditing the following to support this standard:

Induction training
Training Policy and Procedures
Standard Contract Templates
Data Quality

The above services are encompassed within our Cyber Security as a Service (CSaaS).

Avenir Light is a clean and stylish font favored by designers. It's easy on the eyes and a great go-to font for titles, paragraphs & more.

All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.

Standard 3

Training

DSPT View can provide and support evidence for one assertion under Standard 3.

DSPT View has been developed to allow any staff to have visibility of the organisation's security and risk posture. As the tool is supported and maintained it qualifies as a cyber service.

3.3.2: The organisation has appropriately-qualified technical cyber security specialist staff and/or service.

Whilst DSPT View does not provide any support for assertion 3.2.1 "Have at least 95% of all staff, completed their annual Data Security Awareness Training?"

We do offer a range of data quality exercises which compare your Electronic Staff Record (ESR), Active Directory, and process and policy to understand any shortfalls you may have.

Avenir Light is a clean and stylish font favored by designers. It's easy on the eyes and a great go-to font for titles, paragraphs & more.

All staff complete appropriate annual data security training and pass a mandatory test, provided linked to the revised Information Governance Toolkit.

All staff complete an annual security module, linked to ‘CareCERT Assurance’.

Standard 4

Managing Data Access

DSPT View can provide and support evidence for three assertions under Standard 4.

We can provide information about assets, threats from multiple sources, including the NHS Digital High Severity Alerts (HSE).

4.2.3: Logs are retained for a sufficient period, managed securely, reviewed regularly and can be searched to identify malicious activity.

4.4.1: The organisation ensures that logs, including privileged account use, are kept securely and only accessible to appropriate personnel.

4.5.2: Technical controls enforce password policy and mitigate against password-guessing attacks.

For mobile devices and tablets if enrolled on to Intune we have a free compliance tool (DSPT View - Intune compliance) via Microsoft AppSource and Marketplace.

We are currently developing an additional three assertions under standard 4.

Avenir Light is a clean and stylish font favored by designers. It's easy on the eyes and a great go-to font for titles, paragraphs & more.

Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required.

All access to personal confidential data on IT systems can be attributed to individuals.

Standard 5

Process Reviews

DSPT View cannot provide any support or evidence for Standard 5.

As additional services we are able to provide an incident management procedure or policy, root cause analysis leading to providing any evidenced to prevent any further incidents in the future. These align to assertions 5.1.1 and 5.1.2.

Avenir Light is a clean and stylish font favored by designers. It's easy on the eyes and a great go-to font for titles, paragraphs & more.

Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use
workarounds which compromise data security.

Standard 6

Responding to Incidents

DSPT View can provide and support evidence for eight assertions under Standard 6.

6.2.1: Has antivirus/anti-malware software been installed on all computers that are connected to or capable of connecting to the Internet?

6.2.3: Antivirus/anti-malware is kept continually up to date.

6.2.4: Antivirus/anti-malware software scans files automatically upon access.

6.2.7: Does the organisation maintain a list of approved applications, and are users prevented from installing any application that is unsigned or has an invalid signature?

6.3.1: If you have had a data security incident, was it caused by a known vulnerability?

6.3.2: The organisation acknowledges all 'high severity' cyber alerts within 48 hours using the respond to an NHS cyber alert service.

6.3.3: The organisation has a proportionate monitoring solution to detect cyber events on systems and services.

6.3.5: Have you had any repeat data security incidents within the organisation during the past twelve months?

Avenir Light is a clean and stylish font favored by designers. It's easy on the eyes and a great go-to font for titles, paragraphs & more.

Cyberattacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken as soon as possible following a data breach or near miss, with a report made to senior management within 12 hours of detection.

Standard 7

Continuity Planning

DSPT View can provide and support evidence for one assertion under Standard 7.

We have various threat intelligence sources including NHS Cyber Alerts, DHS CISA Alerts and National Vulnerability Database (NVD).

Our tool allows your organisation to consume, review, analyse and action any threats.

7.1.4: You use your security awareness, e.g. threat intelligence sources, to make temporary security changes in response to new threats, e.g. a widespread outbreak of very damaging malware.

Any of the dashboards can be extracted or saved to ensure evidence is gathered.

Avenir Light is a clean and stylish font favored by designers. It's easy on the eyes and a great go-to font for titles, paragraphs & more.

A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as
a minimum, with a report to senior management.

Standard 8

Unsupported Systems

DSPT View can fully support and provide evidence for 16 assertions under Standard 8.

8.1.1 to 8.1.4: All software and hardware has been surveyed to understand if it is supported and up to date are patched regularly, and as a minimum in vendor support.

8.2.1 to 8.2.2: Unsupported software and hardware is categorised and documented, and data security risks are identified and managed.

8.3.1 to 8.3.7: Supported systems are kept up-to-date with the latest security patches.

8.4.1 to 8.4.3: You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service

Avenir Light is a clean and stylish font favored by designers. It's easy on the eyes and a great go-to font for titles, paragraphs & more.

No unsupported operating systems, software or internet browsers are used within the IT estate.

Standard 9

IT Protection

DSPT View can fully support and provide evidence for 18 assertions under Standard 9.

9.1.2: All networking components have had their default passwords changed.

9.3.1 to 9.3.6: Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities

9.4.1 to 9.4.5: You have demonstrable confidence in the effectiveness of the security of your technology, people, and processes relevant to essential services

9.5.1 to 9.5.7: You securely configure the network and information systems that support the delivery of essential services

9.7.1 to 9.7.6: The organisation is protected by a well managed firewall

DSPT View has been designed specifically to provide a daily assessment of your enrolled assets to Microsoft Defender for Endpoint, Cyber Essients +,52 assertions. This provides assurance regarding your security posture.

Avenir Light is a clean and stylish font favored by designers. It's easy on the eyes and a great go-to font for titles, paragraphs & more.

A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.

Standard 10

Accountable Suppliers

DSPT View cannot provide any support or evidence for Standard 10.

As additional services we do provide support and development in creating, reviewing and auditing the following to support this standard:

Supplier Management Process or Policy
Map roles and responsibilities aligned to the DSP Toolkit
Provide assessments of supplier accreditations and certifications with detailed understanding of there scope.
Provide a review or tailored plan, process or policy for Data Security and Protection Incident (CIPR)

Avenir Light is a clean and stylish font favored by designers. It's easy on the eyes and a great go-to font for titles, paragraphs & more.

IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.

Annual IT Penetration Scope

Assertion 9.2.1 - Penetration and Scope

Requests that an the annual IT penetration testing is scoped in negotiation between the SIRO, business and testing team including a vulnerability scan and checking that all networking components have had their default passwords changed to a high strength password.

Whilst DSPT View provides detailed information on your organisation cyber security posture, vulnerability, patching, compliance and baseline configuration it is not currently CREST UK accredited. As additional services we can lead your engagement to deliver this for your organisation.

Any annual IT penetration test should be carried out by a CREST Accredited body.

McCormickCo Limited are ISO27001:2013 Certified and an approved supplier on Crown Commercial Services (CCS) - RM3764.3.

Avenir Light is a clean and stylish font favored by designers. It's easy on the eyes and a great go-to font for titles, paragraphs & more.

A penetration test has been scoped and undertaken

Our Roadmap

Development Roadmap

We are currently in development of an additional 12 assertions with the overall aim to have these in-place within 2022-2023. These align to the following assertions:

The organisation maintains a current record of staff and their roles.
The organisation assures good management and maintenance of identity and access control for it's networks and information systems.
All staff understand that their activities on IT systems will be monitored and recorded for security purposes.
All staff understand that their activities on IT systems will be monitored and recorded for security purposes.
Known vulnerabilities are acted on based on advice from NHS Digital, and lessons are learned from previous incidents and near misses.

Source aligned to the Data Security and Protection Toolkit (NHS Digital 29th July 2021 - Version 4)

Avenir Light is a clean and stylish font favored by designers. It's easy on the eyes and a great go-to font for titles, paragraphs & more.

DSPT View Roadmap on upcoming feature updates.

Affordable
&
Cost Affective

Near to Real-Time insight from
Microsoft Defender for Endpoint

Easy to Interpret analysis & visualizations by Microsoft Power Bi Pro

Quick to Install
(Under 4 Minutes)

Agentless & seamless
Zero Interruption to the user

Purpose Built for the Health, Integrated Care System (ICS) and public sector

Within one year you could save

23

Days of reporting time

2

Months of Remediation time

Maintain a clear and near to real-time view of:

Your key weaknesses and vulnerabilities

Every Microsoft Defender alert across your estate

Recommended security controls to strengthen your foundations

Your alignment to the NCSC for Cyber Essentials

Your security posture and risks within your critical assets

Your performance according to the Secure Configuration Assessment

Your performance according to the Secure Configuration View (Microsoft)

Common weakness enumeration (CWE) and Common vulnerabilities and exposures (CVE)

The Evolving Threat Horizon

The number of data breaches is increasing rapidly year on year, and as a result, every business is subject to a range of regulations in order to keep themselves safe and protect the other companies that they work with.

The healthcare industry is no different – particularly given its hyper appeal to cybercriminals.

Regulation Headache

The Data Security and Protection Toolkit (DSPT), an annual online self-assessment, is the cornerstone of standards for healthcare organisations and their associates, designed to clarify what is required of them to keep information safe.

While important for both avoiding fines and winning contracts, the annual submission requires a great deal of Trusts’ time and resources to follow and complete. So much so, that in 2020-2021, over 100 organisations failed to meet the standard. And of those that do pass, resources are so stretched that standards are often not maintained throughout the year.

Cybercriminals do not stop

Standards may drop but cybercriminal activity does not and new vulnerabilities are being identified every minute. When the WannaCry attack in 2017 brought the NHS to a standstill for several days, the vulnerability was well known, the patch was available but many organisations simply hadn’t applied it in time. IT security teams need to be aware, ready, and able to act, regardless of their size or capability.

We’re empowering CISOs and CIOs and their teams to strive for more. Your limited resources, time and budget don't need to be barriers; you can still be a worthy opponent against a cybercriminal with us Security by your side.

Contact us for a DSPT View demo.

Get in Touch

DSPT View©

Introducing DSPT View

How we map to the Data Security & Protection Toolkit

Standard 1 Personal Confidential Data

All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.

Benefits

Affordable & Cost Affective

Near to Real-Time insight from Microsoft Defender for Endpoint

Easy to Interpret analysis & visualizations by Microsoft Power Bi Pro

Quick to Install (Under 4 Minutes)

Agentless & seamless Zero Interruption to the user

Purpose Built for the Health, Integrated Care System (ICS) and public sector

Within one year you could save

23

2

Maintain a clear and near to real-time view of:

Your key weaknesses and vulnerabilities

Every Microsoft Defender alert across your estate

Recommended security controls to strengthen your foundations

Your alignment to the NCSC for Cyber Essentials

Your security posture and risks within your critical assets

Your performance according to the Secure Configuration Assessment

Your performance according to the Secure Configuration View (Microsoft)

Common weakness enumeration (CWE) and Common vulnerabilities and exposures (CVE)

The Evolving Threat Horizon

Regulation Headache

Cybercriminals do not stop

We’re empowering CISOs and CIOs and their teams to strive for more. Your limited resources, time and budget don't need to be barriers; you can still be a worthy opponent against a cybercriminal with us Security by your side. Contact us for a DSPT View demo.

How we map to the
Data Security & Protection Toolkit

Standard 1

Personal Confidential Data

All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form.

Personal confidential data is only shared for lawful and appropriate purposes.

Affordable
&
Cost Affective

Near to Real-Time insight from
Microsoft Defender for Endpoint

Quick to Install
(Under 4 Minutes)

Agentless & seamless
Zero Interruption to the user

We’re empowering CISOs and CIOs and their teams to strive for more. Your limited resources, time and budget don't need to be barriers; you can still be a worthy opponent against a cybercriminal with us Security by your side.

Contact us for a DSPT View demo.