The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that allows organizations to measure their performance against the National Data Guardian’s 10 data security standards. Portnox’s cloud-native platform for zero trust access control meets and supports these critical security standards in a variety of different and interconnected ways.
Portnox delivers technical controls for the protection of personal confidential data across the network for both on-site and remote employees, as well as contractors and on-site guests. Administrators can configure and enforce network authentication and access control policies based on role, location, device type, access layer, and more. Automated network segmentation ensures that the right users have access to the critical data and resources they need to perform their jobs, while also preventing the lateral movement across the network that could result in data loss in the event of a cyber attack.
Technical controls include, but are not limited to:
As mentioned above, Portnox delivers access control policy enforcement for organizational resources across the network and to the network itself. The platform is fundamentally designed to allow access to data ONLY to those users who should have access in accordance with NHS data security standards. This is accomplished by implementing security measures at every step of the user’s digital journey:
Portnox is inherently used to close the gap on access vulnerabilities. Post-network connection, Portnox monitors every device (managed, BYOD, IoT, etc.) and continually assesses the risk posture of each device. When devices exceed an organization’s predefined risk threshold, Portnox responds to this compliance and security incident by automatically quarantining that device on the network and remediating it.
Portnox monitors risks across the following endpoint factors:
Portnox enables organizations to maintain transparent and secure administration of network devices such as routers, switches, and firewalls by centralizing user authentication, access control policy enforcement, activity audit trails, and more – all from the cloud. This is accomplished through the platform’s built-in TACACS+ server, which delivers authentication, authorization, and accounting (AAA) services.
Portnox is ISO 27001 certified. ISO 27001 is the international standard for information security; it is a framework that helps organizations establish, implement, operate, monitor, review, maintain and continually improve an information security management system (ISMS). Portnox is also SOC 2 Type II certified. SOC 2 certification validates that the Portnox Cloud upholds the standards of the American Institute of Certified Public Accountants (AICPA).
In order to thwart cyber attacks, you have to go to the source. More often than not, that source is a user’s device that has been used to breach a network. While visibility of connected devices is critical, it is just the first step. Portnox goes deeper, monitoring the risk posture of every connected device 24/7/365. It looks at the state of anti-virus software, the firewall, the applications in use, and a variety of other common areas of vulnerability to detect non-compliant devices and remove them from the network.
Data Security and Protection Toolkit
The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool developed by NHS Digital in the United Kingdom. It is designed to help organizations, particularly those in the health and social care sector, to assess and improve their data security and information governance practices.
The DSPT aims to provide organizations with a framework to demonstrate that they are meeting the required standards for the secure handling of sensitive and personal data. It covers various aspects of data security and protection, including information governance, cybersecurity, staff training, and incident management.
Organizations using the DSPT are required to complete a self-assessment questionnaire, which consists of a series of statements about their data security practices. These statements cover different areas and are categorized into various standards and criteria. Organizations are expected to assess their current practices against these statements and provide evidence to support their responses.
By completing the DSPT, organizations can identify any areas where they may have gaps or weaknesses in their data security measures. It also helps them to demonstrate compliance with the General Data Protection Regulation (GDPR) and other relevant data protection laws.
The Data Security and Protection Toolkit (DSPT) has four categories:
The category of an organisation determines which set of evidence items they must complete in the DSPT. The evidence items are designed to assess an organisation’s compliance with the 10 data security standards set out in the DSPT.
If you fail a DSPT assessment, you will be given a set of recommendations to help you improve your data security practices. You will have a set period of time to implement these recommendations, and you will be reassessed at the end of this period. If you are still not compliant, you may be subject to further action, such as a fine or a ban on processing patient data.
Here are some of the consequences of failing a DSPT assessment:
It is important to note that the consequences of failing a DSPT assessment can vary depending on the severity of the non-compliance. For example, if you fail to implement a basic security measure, such as password protection, you may be given a warning. However, if you fail to implement a more complex security measure, such as encryption, you may be subject to a fine.
If you are concerned about your data security practices, you should contact a data protection expert to help you assess your compliance with the DSPT.
The Information Commissioner’s Office (ICO) can impose fines of up to £17.5 million or 4% of your global turnover, whichever is greater, for failing to comply with the Data Security and Protection Toolkit (DSPT). The amount of the fine will depend on the severity of the non-compliance and the impact on individuals.
For example, in 2022, the ICO fined Clearview AI Inc. £7.55 million for failing to comply with the DSPT. Clearview AI is a facial recognition company that scraped billions of images from the internet without the consent of the individuals in the images. The ICO found that Clearview AI’s actions had a significant impact on individuals’ privacy, and that the company had not taken adequate steps to protect people’s data.
If you are concerned about your compliance with the DSPT, you should contact a data protection expert to help you assess your risks and take steps to improve your security practices.
Here are some additional factors that the ICO may consider when determining the amount of a fine for a failed DSPT assessment:
If you are fined by the ICO for failing to comply with the DSPT, you may be able to appeal the decision to the First-Tier Tribunal. However, it is important to note that appeals are rarely successful.