Market Engagement – security update 16-June 2016 Tony Beadle

Security Workstream Update Progress to date Obligation updates Outstanding actions Next dates

Progress to date - Topics discussed Web proxy malware scanning Industry standard offerings not suitable for NHS anti-malware# Netflow generation and transmission Need visibility of all HSCN WAN traffic Need detailed info on impact of netflow generation and transmission DLN-based netflow collection point requirement removed Internet firewall automated rule distribution Standard request Industry to supply preferred technical update mechanism

Progress to date - Topics discussed (cont) DNS design Central DNS to perform recursive lookups no problem [NSI] TCP/53 blocked at Internet gateways (except recursive resolvers) Supplier security compliance model Key CAS-T elements to be used Suppliers to self-assert compliance Authority to reserve right of audit (with sanctions) Connection Agreement Aggregators Keen to participate as providers, invited to sessions

Security obligations updates Updated text as per meeting: SO1, SO2, SO4, SO5, SO12 updated SO3 removed Available for review and circulation

Outstanding actions Paper on netflow impact of infrastructure Industry preferred mechanism for updating firewalls automatically [due Fri 10th Jun] Additional obligation required for FW update mechanism and SLA [to create at workshop on 30th]

Next dates June 21st – technical & security workshop Security compliance standards to be discussed June 30th – security workshop (full day) Expected to be last significant security session Obligations to be updated following this session

SO1 Old The Supplier shall generate IPFIX data from devices at the edge of the HSCN WAN (CPE) in support of the SOC Requirements for managing security across the HSCN. New The supplier shall generate IPFIX/Netflow data to describe all network traffic passing across the HSCN WAN (e.g. full netflow of the WAN interface of the CPE)

SO2 Old The supplier shall forward the IPFIX data in real-time to a DLN-based collection facility New The supplier shall forward the IPFIX/Netflow data in real-time to the HSCIC network SOC collector

SO4 Old The supplier shall perform active network monitoring to assist with the identification of traffic (such as Denial of Service attacks) that could cause availability issues over the network. Alerts of this identification shall be passed to the HSCIC SOC. New The supplier shall perform active network monitoring to assist with the identification of traffic from the Internet (such as Denial of Service attacks) that could cause availability issues over the network. Alerts of this identification shall be passed to the HSCIC SOC.

SO5 Old The supplier shall establish a two-way data flow and information sharing between their SOC and the HSCIC SOC, to provide visibility of network alerts and incidents, anomalous traffic patterns, intelligence and other incidents in progress across the HSCN estate New At a process level, the supplier shall establish a two-way data flow and information sharing between their SOC and the HSCIC SOC, to provide visibility of network alerts and incidents, anomalous traffic patterns, intelligence and other incidents in progress across the HSCN estate. Toolset integration is not expected

SO12 Old The supplier shall identify any attack on their HSCN infrastructure, and take suitable action to mitigate the attack, and inform the HSCIC SOC New The supplier shall deploy suitable controls to detect attacks on their infrastructure used to supply service to HSCN, and take suitable action to mitigate the attacks. HSCIC SOC shall be informed of successful attacks and significant unsuccessful attacks.