Welcome to Marie Curie's Cyber Assessment Framework (CAF)
Marie Curie is a diverse and dynamic organisation. It has a vision for change that is the heart of our strategy and that we repeat here:
Everyone will be affected by dying, death and bereavement – that can't be avoided. But what can be helped is whether they get the best possible experience, reflecting what's most important to them.
This is the vision that shapes how we manage and secure information. Providing the best possible experience for those affected by dying, death and bereavement means that we ensure the Confidentiality, Integrity and Availability of the information we hold about them.
We assess our systems and processes against the CAF to self-certify our compliance with the Network and Information Systems Regulations 2018. As we are an OES (Operator of Essential Services) provider, we use the NHS DSPT as a means to self-certify. The objectives and principles of the NIS are shown below.
Fig 1. Objectives of the NIS
Security Services goes beyond simple compliance: it further maps these requirements to our processes and provides ongoing evidence through the MCSS portal.
We do this for the purposes of showing ongoing compliance beyond healthcare provision and to establish a baseline for service maturity. As the majority of NIS objectives are oriented towards cyber-security we take a strategic cyber-security approach to organisational health.
This is undertaken separately from the annual DSPT exercise, which does not draw on strategic planning in cybersecurity but represents where we stand at a single point in time. The MCSS CAF is intended to inform and enable the parties who submit the annual DSPT, and to make the current status of our estate easier for them to determine.
1. How we track our status.
Traditionally, a working group gathers annually, assembles the needed information and based on the consensus of all present, a representation is made in good faith asserting our compliance. This however is based on a reasonable belief of the key stakeholders present at the time. It may not reflect our actual status as reflected in tickets or services that are unknown to us. Our goal is to ensure that a declaration of compliance is made with high confidence, in the event that the CA chooses to audit us.
At present, while MCSS cybersecurity does not challenge the good faith attestation made for NIS purposes, there is a low level of confidence that the attestation would survive external independent audit. This is mainly because internal audit reveals unexplained inconsistencies that may not be apparent to the signatories of the DSPT declaration. This is a hazard of self-assessment - it may provide false comfort.
MCSS exists to act as a public-facing front end for cyber services and information security. We provide our dashboards and reporting to ensure that our status is well understood. We use OneTrust in the background to apply the frameworks for ISO, NIST and the NHS; this tool actively links policies and processes to practice and indicates with clarity whether we are in compliance or not. This will provide certainty and reassurance to the SIRO that a declaration made to the governing bodies is supported by evidence on an ongoing basis, instead of at a single point.
Fig 2. Marie Curie's Cyber Assessment Framework.
As indicated in the chart above, we fulfil each objective by undertaking the activities (what we do). How we do it is down to the service or practice we engage in. These may overlap, but collectively we use a combination of defined services, tracking of those services and external audit to ensure that we secure data throughout our operations.
4. Document owner and approval
A current version of this document is available to all members of staff on MCSS. It does not contain confidential information and can be released to relevant external parties.
This document was approved by the Head of Cybersecurity on 31.07.22 and is issued on a version-controlled basis using the GSD knowledge base approval process. The submission and approval logs shall serve as proof of signature.
7. Change history record
Issue | Description of change | Approval   | Date of issue
1     | Initial issue         | Brian Lake | 31.07.22
8. Classification
This document is classified as Public - no restrictions; it can be shared outside Marie Curie.