Using AWS In The Context Of UK Healthcare IG SoC Process

May 2016

This paper has been archived. For the latest technical guidance, …

Amazon Web Services – Using AWS in the context of UK Healthcare IG SoC process, May 2016

© 2016, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

Table of Contents

Abstract (p. 4)
Introduction (p. 4)
  Government Security Classifications in context of UK Healthcare workloads (p. 5)
  Cloud Security Principles and IG SoC (p. 5)
  G-Cloud framework and GOV.UK Digital Marketplace (p. 5)
  Shared Responsibility Environment (p. 6)
IG Toolkit requirements for a Commercial Third Party Version 13 (p. 7)
  Information Governance Management (p. 8)
  Confidentiality and Data Protection (p. 10)
  Information Security (p. 14)
Healthcare Reference Architecture (p. 21)
  Architecture Overview (p. 21)
  AWS Security Implementation (p. 22)
    Identity and Access Management (p. 22)
    Protecting Data at Rest (p. 22)
    Protecting Data in Transit (p. 22)
    Amazon Virtual Private Cloud (VPC) (p. 23)
    Elastic Load Balancing (p. 23)
Conclusion (p. 23)
Additional Resources (p. 24)
Document Revisions (p. 24)

Abstract

This whitepaper is intended to assist organisations using Amazon Web Services (AWS) for United Kingdom (UK) National Health Service (NHS) workloads. The UK’s Department of Health sponsors the Health and Social Care Information Centre (HSCIC) to provide information, data and IT systems for commissioners, analysts and clinicians in health and social care. As part of this role, HSCIC publishes guidance and requirements on Information Governance (IG). The IG Statement of Compliance (IG SoC) is a process by which organisations enter into an agreement with HSCIC for access to HSCIC’s services, including the NHS National Network (N3), in order to preserve the integrity of those services.

Currently, AWS does not directly access services provided by HSCIC, including the NHS N3. However, AWS Partners or customers may have or require access to HSCIC services and hence be required to comply with the IG SoC process. This document aims to help the reader understand:

- The role that the customer and/or partner and AWS play in ownership, management and security of the content stored on AWS
- A reference architecture that demonstrates the shared responsibility model to meet IG SoC requirements
- How AWS aligns with each of the 17 requirements for a Commercial Third Party within HSCIC’s IG Toolkit requirements

Introduction

All organisations that wish to use HSCIC services, including the N3 network, must complete the IG SoC process. The IG SoC process sets out a range of security-related requirements that must be satisfied in order for an organisation to provide assurances with respect to safeguarding the N3 network and the information assets that may be accessed.

The IG Toolkit is part of the IG SoC process, in that organisations must carry out an annual assessment, evidence their compliance with the requirements and accept the IG Assurance Statement, which confirms the organisation’s commitment to meeting and maintaining the required standards of information governance.

For organisations that need to complete the IG SoC process, a 3-step process must be followed as described on the ‘IG SoC for Non-NHS Organisations’ website. Key steps of this process are described below:

Step 1: Complete and submit the application form, which includes details of an NHS sponsor. Additional documentation: Logical Connection Architecture (only if you are connecting DIRECTLY to N3), Offshoring policy and ISMS document.

Step 2: Review the IG Toolkit assessment for the organisation type. Complete and publish the IG Toolkit assessment annually.

Step 3: ‘Authority to Proceed’ notification provided through the British Telecom (BT) N3 team. The BT N3 team will contact the applicant to proceed.

Government Security Classifications in context of UK Healthcare workloads

Under the UK Government Security Classifications, HM Government information assets can be classified into three types: OFFICIAL, SECRET and TOP SECRET. Each classification attracts a baseline set of security controls providing appropriate protection against typical threats. AWS customers and partners will be required to follow the HSCIC guidance when managing information assets, which may or may not include patient data. HSCIC offers guidance on looking after information according to the principles of good Information Governance.

Cloud Security Principles and IG SoC

For UK government organisations to use cloud services for OFFICIAL-marked systems, CESG Cloud Security Guidance includes a risk management approach to using cloud services, a summary of the Cloud Security Principles, and guidance on implementation of the Cloud Security Principles.

Our Cloud Security Principles whitepaper provides guidance on how AWS aligns with the Cloud Security Principles and the objectives of the principles as part of CESG’s Cloud Security Guidance.

For our customers and partners using AWS for UK healthcare information assets marked as OFFICIAL, we have mapped each IG SoC requirement to the appropriate Cloud Security Principle in this whitepaper. For architectures managing OFFICIAL-marked information assets and for more information on using AWS in the context of the Cloud Security Principles, we recommend referring to our Cloud Security Principles whitepaper.

G-Cloud framework and GOV.UK Digital Marketplace

The G-Cloud framework is a compliant route to market for UK public sector organisations to source commoditised cloud-based IT services on a direct award basis.
The framework supports a more time- and cost-effective procurement process for buyers and suppliers. The UK Digital Marketplace lists related security questions based on the Cloud Security Principles, and responses for 12 AWS services. These services are listed below, with links to the service description and Digital Marketplace:

1. Amazon Elastic Compute Cloud (Amazon EC2) (Digital Marketplace link)
2. Auto Scaling (Digital Marketplace link)
3. Elastic Load Balancing (Digital Marketplace link)
4. Amazon Virtual Private Cloud (Amazon VPC) (Digital Marketplace link)
5. AWS Direct Connect (Digital Marketplace link)
6. Amazon Simple Storage Service (Amazon S3) (Digital Marketplace link)
7. Amazon Glacier (Digital Marketplace link)
8. Amazon Elastic Block Store (Amazon EBS) (Digital Marketplace link)
9. Amazon Relational Database Service (Amazon RDS) (Digital Marketplace link)
10. AWS Identity and Access Management (IAM) (Digital Marketplace link)
11. Amazon CloudWatch (Digital Marketplace link)
12. AWS Enterprise Support (Digital Marketplace link)

Shared Responsibility Environment

When using AWS services, customers maintain complete control over their content and are responsible for managing critical content security requirements, including:

- What content they choose to store on AWS
- Which AWS services are used with the content
- In what country that content is stored
- The format and structure of that content and whether it is masked, anonymised or encrypted
- Who has access to that content and how those access rights are granted, managed and revoked

Because AWS customers retain control over their data, they also retain responsibilities relating to that content as part of the AWS “shared responsibility” model. This shared responsibility model is fundamental to understanding the respective roles of the customer and AWS in the context of the Cloud Security Principles.

Under the shared responsibility model, AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, customers assume responsibility for and management of their operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall. Customers should carefully consider the services they choose, as their responsibilities vary depending on the services they use, the integration of those services into their IT environments, and applicable laws and regulations. It is possible to enhance security and/or meet more stringent compliance requirements by leveraging technology such as host-based firewalls, host-based intrusion detection/prevention, and encryption. AWS provides tools and information to assist customers in their efforts to account for and validate that controls are operating effectively in their extended IT environment. More information can be found on the AWS Compliance center at http://aws.amazon.com/compliance.
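As an added example, not taken from the whitepaper, the following Python checks two of the customer-side responsibilities the shared responsibility model leaves with the customer: the security group firewall configuration and whether stored content is encrypted. It runs over constructed sample records shaped like the responses of boto3's ec2.describe_security_groups() and ec2.describe_volumes(); the group and volume ids and the set of internet-reachable ports are assumptions.

```python
"""Audit the customer-side controls the shared responsibility model leaves
with the AWS customer: security-group ingress and EBS encryption at rest.
Added example, not from the whitepaper. The sample records below are
constructed and mirror the shape of boto3's ec2.describe_security_groups()
and ec2.describe_volumes() responses, so live output can be passed in."""

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
# Assumption: only HTTPS may be reachable from the internet (via the load balancer).
INTERNET_ALLOWED_PORTS = {443}

# Constructed sample: a web-tier group and a database-tier group with two risky rules.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_IPV4}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_IPV4}]},            # SSH open to the world
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},       # DB from app subnet only
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},  # all traffic, IPv6
    ]},
]

# Constructed sample: one volume is not encrypted at rest.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-app", "Encrypted": True},
    {"VolumeId": "vol-db", "Encrypted": False},
]


def _is_world_open(permission):
    """True if the rule admits any IPv4 or any IPv6 source address."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in permission.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in permission.get("Ipv6Ranges", []))
    return v4 or v6


def find_open_ingress(security_groups, allowed_ports=INTERNET_ALLOWED_PORTS):
    """Return (group_id, protocol, from_port, to_port) for each rule that exposes
    a port outside allowed_ports to the whole internet. Protocol "-1" (all
    traffic) has no port range and is always reported with None ports."""
    findings = []
    for group in security_groups:
        for perm in group.get("IpPermissions", []):
            if not _is_world_open(perm):
                continue
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if proto == "-1" or lo is None or hi is None:
                findings.append((group["GroupId"], proto, None, None))
            elif set(range(lo, hi + 1)) - allowed_ports:
                findings.append((group["GroupId"], proto, lo, hi))
    return findings


def find_unencrypted_volumes(volumes):
    """Return the ids of EBS volumes whose Encrypted flag is not set."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted", False)]


if __name__ == "__main__":
    print("world-open ingress:", find_open_ingress(SAMPLE_SECURITY_GROUPS))
    print("unencrypted volumes:", find_unencrypted_volumes(SAMPLE_VOLUMES))
```

Findings from both functions are the evidence a customer would record against the security group and encryption items of the shared responsibility list; the 443-only rule on the web tier is deliberately not reported.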

IG Toolkit requirements for a Commercial Third Party Version 13

The IG Toolkit is a Department of Health (DH) policy delivery vehicle that the HSCIC develops and maintains. It combines the legal rules and central guidance set out by DH policy and presents them in a single standard of information governance requirements. The organisations in scope of this process are required to carry out self-assessments of their compliance against the IG requirements. For Commercial Third Party organisations, the IG Toolkit lists 17 requirements that these organisations must assess within three requirement initiatives – Information Governance Management, Confidentiality and Data Protection Assurance, and Information Security Assurance.

Details on the 17 requirements from the IG Toolkit and how AWS aligns with these requirements with the related assurance approach are described below, with two notes:

- AWS customers and partners providing services to HSCIC should meet and maintain each individual requirement described below using their designated IG responsible staff under the Shared Responsibility Model. The use of AWS and the AWS approach described below does not satisfy their responsibilities for the requirement in its entirety.
- IG Toolkit requirements and the IG SoC process are subject to revision. AWS will attempt to update the guidance in this document to reflect these changes in due course following the revision, but customers should review the HSCIC guidance to confirm applicability.

Information Governance Management

Requirement 13-114
Requirement details: Responsibility for Information Governance has been assigned to an appropriate member, or members, of staff.
Requirement description: It is important that there is a consistent approach to information handling within the organisation which is in line with the law, central policy, contractual terms and conditions and best practice guidance. This requires one or more members of staff to be assigned clear responsibility for driving any required improvements.
Customer responsibility and AWS approach: Customers building systems connecting to HSCIC services or the N3 network are required to assign Information Governance responsibility to an appropriate member, or members, of staff. AWS has an established information security organization managed by the AWS Security team and led by the AWS Chief Information Security Officer (CISO). AWS Security establishes and maintains formal policies and procedures to delineate the minimum standards for logical access on the AWS platform and infrastructure hosts. The policies also identify functional responsibilities for the administration of logical access and security. The implementation of this requirement is validated independently in ISO 27001, PCI-DSS and SOC certifications.
Cloud Security Principle mapping: Principle 4: Governance Framework

Requirement 13-115
Requirement details: There is an information governance policy that addresses the overall requirements of information governance.
Requirement description: There is a need to ensure that everyone working for or on behalf of the organisation (including temps, volunteers, locums and students) is aware of the organisation’s overall approach to IG and where underpinning procedures and processes can be found. This can be achieved by developing an Information Governance policy.
Customer responsibility and AWS approach: Information security and governance policies are approved and communicated across AWS to ensure the implementation of appropriate security measures across the environment. The implementation of this requirement is validated independently in ISO 27001, PCI-DSS and SOC certifications.
Cloud Security Principle mapping: Principle 4: Governance Framework

Requirement 13-116
Requirement details: All contracts (staff, contractor and third party) contain clauses that clearly identify information governance responsibilities.
Requirement description: One of the ways in which an organisation can ensure it fulfills its legal and other responsibilities regarding confidential information is to ensure that all staff members (including temps, locums, students and volunteers) are fully informed of their own obligations to comply with information governance requirements.
Customer responsibility and AWS approach: All personnel supporting AWS systems and devices must sign a non-disclosure agreement prior to being granted access. Additionally, upon hire, personnel are required to read and accept the Acceptable Use Policy and the Amazon Code of Business Conduct and Ethics (Code of Conduct) Policy.
Cloud Security Principle mapping: Principle 6: Personnel Security

Requirement 13-117
Requirement details: All staff members are provided with appropriate training on information governance requirements.
Requirement description: To maintain information handling standards in the organisation, staff should be provided with appropriate training on information governance.
Customer responsibility and AWS approach: AWS customers and partners providing services to HSCIC should meet and maintain this staff training requirement using their designated IG responsible staff under the Shared Responsibility Model. All personnel supporting AWS systems and devices must sign a non-disclosure agreement prior to being granted access. Additionally, upon hire, personnel are required to read and accept the Acceptable Use Policy and the Amazon Code of Business Conduct and Ethics (Code of Conduct) Policy. AWS maintains employee training programs to promote awareness of AWS information security requirements.
Cloud Security Principle mapping: Principle 6: Personnel Security

Confidentiality and Data Protection

Requirement 13-202
Requirement details: Confidential personal information is only shared and used in a lawful manner and objections to the disclosure or use of this information are appropriately respected.
Requirement description: The Data Protection Act 1998 provides conditions that must be met when processing personal information. In addition, where personal information is held in confidence (e.g. details of care and treatment), the common law requires the consent of the individual concerned or some other legal basis before it is used and shared. Staff must be made aware of the right of an individual to restrict how confidential personal information is disclosed and the processes that they need to follow to ensure this right is respected.
Customer responsibility and AWS approach: AWS does not access any customer’s content except as necessary to provide that customer with the AWS services it has selected. AWS does not access customers’ content for any other purposes. AWS does not know what content customers choose to store on AWS and cannot distinguish between personal data and other content, so AWS treats all customer content the same (Source: EU Data Protection Whitepaper).

The Standard Contractual Clauses (also known as "model clauses") are a set of standard provisions defined and approved by the European Commission that can be used to enable personal data to be transferred in a compliant way by a data controller to a data processor outside the European Economic Area. The Article 29 Working Party has approved the AWS Data Processing Agreement, which includes the Model Clauses. The Article 29 Working Party has found that the AWS Data Processing Agreement meets the requirements of the Directive with respect to Model Clauses. This means that the AWS Data Processing Agreement is not considered “ad hoc”.

In addition to this, alignment with ISO 27018 demonstrates to customers that AWS has a system of controls in place that specifically address the privacy protection of their content. AWS' alignment with and independent third-party assessment of this internationally recognized code of practice demonstrates AWS' commitment to the privacy and protection of customers' content.

Further information can be found at …ation-requests/
Cloud Security Principle mapping: Principle 9: Secure consumer management

