Who should I talk to about Security in the NHSBSA?

‘Security’ is a wide ranging topic, and the NHSBSA have a number of different roles to support us build and deliver our services securely.

Information Security

Information Security are responsible for:

• Handling security incidents
  • Raise a security incident
  • Report a phishing attempt
• Security assurance
  • NHSBSA security policies, standards and guidance
  • Request security assurance
  • Find out about our secure data transfer service, EGRESS
• Business continuity

Information Governance

Information Governance (IG) are responsible for

• Data protection / GDPR requirements
• Data Protection Impact Assessments
  • Find out about DPIAs

Security Operations

Security Operations (SecOps) are responsible for:

• IT Health Checks
• Security architecture

• Secure development

  REVIEW

  Security is everyone’s responsibility

  1 October 2024

• Coding with personal data

  1 July 2022

• Application patching

  Keeping our software up to date with the latest versions of dependant libraries and runtimes

  13 January 2024

• Secrets detection

  REVIEW

  Avoid committing ‘secrets’ such as API keys into source control

  13 January 2024

• Rewriting Git history

  REVIEW

  Removing sensitive data such as non-revokable secrets or contributor identities from Git

  13 January 2024

• Security headers

  REVIEW

  Use HTTP headers to protect our users

  13 January 2024

• Content Security Policy

  REVIEW

  Use CSP as the modern approach to securing our web applications

  13 January 2024

---

Improve the playbook

If you spot anything factually incorrect with this page or have ideas for improvement, please share your suggestions.

Before you start, you will need a GitHub account. Github is an open forum where we collect feedback.