

FOI Ref: 0212FOI1920

26th March 2020

Freedom of Information Act 2000 – Request for Information

We are pleased to respond to your request for information and our response is set out below:

Request / Response

In support of doctoral research with the [redacted] this is a request under the Freedom of Information Act 2000 and relates to how your organisation undertakes information and cyber security risk assessments.

Please could you tell me:

1. Does your organisation have a formal policy regarding the production of information and/or cyber security risk assessments?

Yes, in that we follow NHSD guidelines and are working to achieve Data Security and Protection Toolkit (DSPT) and Cyber Essentials Plus (CE+) accreditation this year.

a. If yes, please can you provide a copy of the above policy?

Not formally written down, as it is part of the DSPT.

2. Does your organisation hold a register of information and/or cyber security risk (outside that of the corporate risk register), and if yes:

a. Please can you list the top ten information and/or cyber security risks?

The CCG tests for the OWASP Top 10. Other risks will arise and be dealt with on a day-by-day basis. Our IT provider will also hold a risk register (but these may not be present in our contracted area).

b. How many risks are there in total on the register?

Corporate risks are published when a summary is sent to the Board. The March summary is at:

c. Please state how many risks would be categorised as the highest risk level (i.e. Critical)?

As per b

d. Please state how many risks would be categorised as the second highest risk level (i.e. Critical)?

As per b

e. Please state how many risks would be categorised as the third highest risk level (i.e. Critical)?

As per b

f. How many risk levels do you have in total (i.e. 5)?

We use a risk score calculated from a matrix of likelihood (1-5) by consequence (1-5).

3. Do any of the identified information and/or cyber security risks also exist on the corporate risk register?

a. If yes, what are those risks?

See the latest published list:


4. When undertaking an information / cyber security risk assessment, does the authority follow a structured risk assessment process?

a. If so, what is that process?

We work to achieve CE+ accreditation as part of the NHSD requirements of all NHS organisations.

5. Does your organisation follow ISO 31000 when undertaking an information / cyber security risk assessment? Not formally.

6. Does your organisation hold ISO 27000 accreditation? No.

7. Does your organisation have a policy of adhering to any information security standard or framework (i.e. ISO 27000, NIST etc.)? CE+.

a. If yes, please provide a copy of the above policy?

8. Does the authority have the following roles within the organisation: Yes, SIRO.

a. Chief Security Officer (CSO),

i. If yes, which role does the CSO report into?

b. Chief Information Security Officer (CISO)

i. If yes, which role does the CISO report into?

c. Head of Information Security (Hd InfoSec)

i. If yes, which role does the Hd InfoSec report into?

9. Who within your organisation is accountable for undertaking information / cyber security risk assessments (i.e. Chief Information Security Officer, Head of Information Security, Head of Information Technology)?

Brian Hughes (SIRO), delegated to the Deputy Director IT.

10. Who within the authority is responsible for undertaking information / cyber security risk assessments (i.e. Chief Information Security Officer, Head of Information Security, Head of Information Technology)?

Brian Hughes (SIRO), delegated to the Deputy Director IT.

11. How many people within the organisation are responsible for undertaking information / cyber security risk assessments?

The Deputy Director IT and Brian Hughes (SIRO), supported by the contracted IT provider.

12. Does the person(s) responsible for undertaking information / cyber security risk assessment:

a. Have any formal training in this regard? Yes, provided by NHSD.

i. If so, what was it? SIRO training provided by GCHQ.

b. Have any industry qualifications/certification in this regard?

i. If so, what are they?

13. How many people (permanent and contractors) currently work for the authority?


14. How many people (permanent and contractors) currently work for the authority in information technology roles?

In IT specifically, 2 at this time, plus staff employed as part of the wider IT provision.

15. How many people (permanent and contractors) currently work for the authority in information / cyber security roles?

Collaborative team responsibility; nobody is specifically responsible for cyber other than the Deputy Director IT and the SIRO.

NHS Sheffield Clinical Commissioning Group

722 Prince of Wales Road
S9 4EU
