IT Security

LHIS Assurance Services 

LHIS Assurance Services are an experienced and technically skilled team that are here to guide you through the complex and sometimes daunting world of cyber security. Whether you are looking to audit your systems to ensure your data is safe or conduct penetration testing on a secure website, LHIS IT Assurance are here to help.

We are Tiger Scheme accredited. We also operate within the governance frameworks of other penetration and security accreditation bodies such as: Certified Ethical Hacker (EC-Council), Certified Information Systems Auditor (ISACA), Certified Security Testing Professional (CREST).

We have extensive experience of security testing web applications, both within the public sector and for other national and global organisations. We also routinely conduct such testing for central government agencies. We have experience of testing all major web application systems, including: Apache, IIS, Nginx, Joomla, WordPress, Drupal, SQL etc. Our current IT Assurance product offering includes: IT Security Review Services, Penetration (PEN) Testing Services, Security Auditing and Assurance (ISO), Simulated Social Engineering Attacks (Phishing) Services, Cyber Essentials Consultancy, Technical Security Training, ICT Risk Management and Information Governance, Digital Forensics Support, Security Incident Response Services, Security Investigation Services, IT Security Project Support Services.

Along with our customer testimonials, our industry awards and accreditations show our professional competence and knowledge in this specialised area. It is important to us that we give assurance to our customers that we understand the industry expectations and standards governing IT assurance.

Core Services

Our core services are shown below, along with their LHIS product & service code for ease of reference. If you do not feel your requirements are met by the products listed below (SEC01 to SEC11), please speak to a member of the team who can create a tailored solution to fit your needs precisely, and in the most cost-effective way.

  • SEC01: IT Security Review Services
  • SEC02: Penetration (PEN) Testing Services
  • SEC03: Security Auditing and Assurance (ISO)
  • SEC04: Simulated Social Engineering Attacks (Phishing) Services
  • SEC05: Cyber Essentials Consultancy
  • SEC06: Technical Security Training
  • SEC07: ICT Risk Management and Information Governance
  • SEC08: Digital Forensics Support
  • SEC09: Security Incident Response Services
  • SEC10: Security Investigation Services
  • SEC11: IT Security Project Support Services

We are an official Crown Commercial Service – Digital Marketplace framework supplier (we are Supplier 93307), which means we are pre-approved for public sector procurement.

The IT Security Review Service provides day-rate based Cyberscheme certified specialist security staff to conduct comprehensive application and infrastructure security and vulnerability testing.

The LHIS technical security service is scoped individually to ensure that the specific vulnerabilities that would expose a system or organisation to attack are identified. Once identified, LHIS will provide recommendations to enable the organisation to mitigate the identified threat. LHIS security specialists have considerable experience of supporting public sector organisations including NHS Trusts, Local Authorities, Ambulance Trusts, NHS Arm's Length bodies, etc.

The LHIS Vulnerability and Penetration Testing Services provides day-rate based Cyberscheme certified specialist security and penetration testing staff to conduct comprehensive application and infrastructure penetration testing. The LHIS penetration service is scoped individually to ensure that the specific vulnerabilities that would expose a system or organisation to attack are identified.

Once identified, LHIS will provide recommendations to enable the organisation to mitigate the threat. LHIS security specialists have considerable experience of supporting public sector organisations including NHS Trusts, Local Authorities, Ambulance Trusts, NHS Arm's Length bodies, etc.

The LHIS Security Auditing and Assurance service provides organisations with a measurable technical assessment of a system, data centre, network, or the entire organisation, depending on the scope defined by the customer. Our IT security specialists provide feedback on areas of good practice and give visibility to any weaknesses or vulnerabilities. Once auditing is completed, a report, together with recommendations for mitigations and remedial actions, is provided.

LHIS ISO 27001 services enable organisations to comply with and, if required, gain ISO 27001 certification.

An increasingly common mode of attack for cyber criminals is email phishing, whereby an email is received by a user that appears to come from a legitimate source. If the user clicks on an embedded Internet link or opens an attachment, they are then infected with malware which can infect further areas of the organisation's computer systems at a rapid rate. A particular variant of this attack is ‘ransomware’, whereby the malware encrypts computer files and the organisation has to pay a ransom to get the cryptographic keys to unlock the files.

LHIS Assurance provides a tool for evaluating an organisation's risk exposure to such attacks by sending their staff a specially crafted email. Although the email is benign, we are alerted to the users’ actions on receipt of the email and whether it is identified as a phishing message. If the user clicks the embedded link or interacts with the associated web site, this indicates a significant risk exposure to the organisation and demonstrates the need for further awareness training.

We have been involved with the government-backed Cyber Essentials scheme since it was created and have supported a number of organisations in achieving the detailed requirements within the standard.

We have wide experience of providing technical security training which is targeted to the specific learning objectives of the organisation. This can include technical security controls, security incident response, digital forensics or any other area where the organisation wishes to increase its skills and capabilities.

Developing an effective IT security risk management framework is a core component of a robust governance framework and is a requirement of most information governance frameworks (e.g. ISO27001).
LHIS Assurance can provide support and assistance in these areas and share our extensive knowledge and experience within large organisations. This will ensure that the risk management framework provides an overview of the organisation's IT security risk profile without adding additional administrative burden.

When conducting investigations, it is imperative that digital evidence is acquired in a secure and compliant manner. This is to ensure the integrity and validity of the evidence cannot be repudiated. LHIS Assurance has extensive knowledge and skills in this area and can support organisations where there is a need to acquire digital evidence in support of internal investigations.

When an IT security incident occurs, it is imperative that the processes and procedures that are used to respond are effective and prompt, to ensure the impact of the event is minimised. LHIS Assurance can provide a tried and tested service to support organisations when such events occur. This can also include other important aspects of the security response process such as ‘root cause’ and ‘lessons learned’ exercises which are intended to provide the organisation with a mechanism for reducing the frequency and impact of such events.

When conducting investigations that involve IT systems, it is important that the processes for gathering information are compliant with digital forensics standards and that the information is interpreted and presented in a structured manner. LHIS Assurance can provide expert support and guidance in this area and can deliver a support function that meets the specific objectives of the investigation being undertaken.

Most IT projects include a security component that is designed to understand and address the risks and threats to the operation of a new system or service. LHIS Assurance can support an organisation in providing services that assist in the scoping, evaluation and remediation of the identified risks. This can be conducted as part of the project management process or as a separate exercise, designed to supplement the project assurance processes.

Secure email standard

NHS Leicestershire Health Informatics Service (LHIS) are the first public body to receive the NHS Digital ISB1596 accreditation, allowing faster and secure communication between NHS organisations, local authorities and other secure government domains.

LHIS has become the first public sector organisation in the country to be able to connect its own local email system to NHSmail2, allowing thousands of staff across different organisations to better communicate, and share crucial information more quickly and securely. The landmark project could now help NHS organisations throughout the UK improve the secure sharing of patient information between health and social care professionals.

Cyber Essentials and Cyber Essentials Plus

The Cyber Essentials scheme has been developed by Government and industry to fulfil two functions. It provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet-based threats, within the context of the Government’s 10 Steps to Cyber Security. And through the Assurance Framework it offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions. Cyber Essentials certification is awarded on the basis of a verified self-assessment. An organisation undertakes its own assessment of its implementation of Cyber Essentials control themes via a questionnaire, which is approved by a senior executive such as the CEO. This questionnaire is then verified by an independent Certification Body to assess whether an appropriate standard has been achieved, and certification can be awarded. This option offers a basic level of assurance and can be achieved at low cost. Cyber Essentials Plus offers a higher level of assurance through the external testing of the organisation’s cyber security approach. LHIS is able to offer support and guidance ranging from pre-screening of submissions to submission development on behalf of a customer organisation.

LHIS Security Top Tips

  1. Be very careful when clicking on email attachments or embedded web links – if it’s unexpected or suspicious DO NOT open the attachment or link – get advice or check out the website and/or attachment name on the Internet
  1. Use strong passwords – a dictionary word can be cracked in seconds! Don’t use the same password for multiple sites – if it’s compromised, the hacker will have access to everything!
  1. Make sure your devices are regularly patched and updated – this includes smartphones and tablets – and make sure you have anti-virus installed which is updated daily
  1. Sensitive browsing (e.g. banking, accessing business systems) should only be done on a device that belongs to you and on a network you trust – be very careful when using ‘public’ wireless networks!
  1. Never respond to emails or telephone calls requesting your username and password information
  1. If you are sending confidential or sensitive information in an email, make sure you check the recipients’ addresses are correct before you click the ‘send’ button – and then check again!
  1. Don’t leave devices unattended – if you do need to leave your laptop, smartphone or tablet for any length of time, make sure they’re locked with a pin or password
  1. Be careful when clicking on links or responding to requests on social media sites – if you don’t know the sender, be suspicious!
  1. If you are carrying around USB drives containing sensitive, patient or confidential information, they MUST be encrypted
  1. LHIS always recommend you back up your important documents daily!