NHS DSPT: Protecting Against Cyber Attacks and Data Breaches - B2 Identity and Access Control
B2.a Identity Verification, Authentication, and Authorisation
Key Point:
Your organisation must robustly verify, authenticate, and authorise staff access to information, systems, and networks essential to your operations.
Overview:
This outcome ensures that your organisation has strong cybersecurity and information governance (IG) controls for managing user access to critical information. Ensuring that only authorised staff have access helps prevent unauthorised access and data breaches.
How to Meet the Requirement:
- Before granting access, conduct thorough pre-employment checks to verify identity, especially for sensitive or privileged access roles.
- Authentication must be tied to individual, unique credentials, so that every access event can be traced to a specific person.
- Apply Role-Based Access Control (RBAC) so that staff only have access to what they need, following the principle of least privilege.
- All accounts with remote or administrative access must be protected with Multi-Factor Authentication (MFA).
- Temporary or emergency use of shared credentials must be avoided wherever possible; if unavoidable, it must be strictly time-limited, documented, and monitored.
Evidence to Provide:
- Policies for identity verification and access control.
- Records of authorised user accounts and their access levels.
- Audit reports on user accounts and access rights.
- Logs of security incidents related to access breaches and the remediation steps taken.
Indicators of Good Practice:
- Strong processes for initial identity verification before granting access.
- No shared accounts except in exceptional, controlled circumstances.
- Access reviews carried out at least quarterly.
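The three B2.a controls above (individual credentials, RBAC with least privilege, and quarterly access review) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the DSPT or from Periculo: the roles, permission names and the sample account register are constructed, and the review flags (shared account, no role, multiple roles) are this example's own assumptions about what a reviewer would want surfaced.

```python
"""Minimal RBAC authorisation model with a quarterly access-review report.

Added example (not from the DSPT guidance): roles, permissions and the
account records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Role -> permissions. Permissions are granted only through roles; there is
# no way to attach a permission directly to an account, which is how RBAC
# keeps each account at least privilege.
ROLE_PERMISSIONS = {
    "clinician":    frozenset({"patient_record:read", "patient_record:write"}),
    "receptionist": frozenset({"appointments:read", "appointments:write",
                               "patient_record:read"}),
    "it_admin":     frozenset({"server:admin", "user_account:manage"}),
}


@dataclass
class Account:
    username: str
    owner: Optional[str]           # named individual; None marks a shared account
    roles: set = field(default_factory=set)
    enabled: bool = True


def effective_permissions(account: Account) -> frozenset:
    """Union of the permissions of every role held by the account."""
    perms = set()
    for role in account.roles:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r} on {account.username}")
        perms |= ROLE_PERMISSIONS[role]
    return frozenset(perms)


def is_authorised(account: Account, permission: str) -> bool:
    """Deny unless the account is enabled, tied to one named person, and
    holds a role that grants the permission (individual credentials + RBAC)."""
    if not account.enabled or account.owner is None:
        return False
    return permission in effective_permissions(account)


def access_review(accounts):
    """Rows for the quarterly access review: who holds what, plus the
    flags a reviewer must act on (assumed flag set, not DSPT wording)."""
    rows = []
    for acc in accounts:
        flags = []
        if acc.owner is None:
            flags.append("shared account")
        if not acc.roles:
            flags.append("no role (remove account?)")
        if len(acc.roles) > 1:
            flags.append("multiple roles - confirm need")
        rows.append({"username": acc.username, "owner": acc.owner,
                     "enabled": acc.enabled,
                     "permissions": sorted(effective_permissions(acc)),
                     "flags": flags})
    return rows


# Constructed sample register.
SAMPLE_ACCOUNTS = [
    Account("jsmith", "Jane Smith", {"clinician"}),
    Account("rpatel", "Raj Patel", {"receptionist", "it_admin"}),
    Account("frontdesk", None, {"receptionist"}),        # shared login
    Account("old_temp", "Tom Lee", set(), enabled=False),
]

if __name__ == "__main__":
    for row in access_review(SAMPLE_ACCOUNTS):
        print(row)
```

Note that `is_authorised` refuses the shared `frontdesk` login even though its role would grant the permission: a credential that cannot be traced to one person fails the B2.a requirement before any permission check is reached.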
B2.b Device Management
Key Point:
Your organisation must maintain full visibility and trust in the devices that access your critical systems and information.
Overview:
This outcome ensures that devices used to access your information and systems are secure and managed properly. It applies to both corporately-owned and Bring Your Own Device (BYOD) or third-party devices.
How to Meet the Requirement:
- Corporately owned and managed devices must be securely configured in line with baseline standards (e.g., NCSC/CIS benchmarks).
- The number of BYOD or third-party devices must be minimised.
- If BYOD/third-party devices are permitted, enforce robust security controls, including device encryption, malware scanning, patch management, and network segmentation.
- Devices used for privileged or administrative access must meet the highest security standards and must not be shared.
Evidence to Provide:
- Network security policies related to device management.
- Reports from asset discovery tools showing all connected devices.
- BYOD/third-party device assessment protocols.
- Logs of privileged user device activity.
Indicators of Good Practice:
- Only corporately owned, fully managed devices access essential systems.
- Privileged operations are performed only on dedicated, hardened devices.
B2.c Privileged User Management
Key Point:
Privileged access to systems must be closely managed, ensuring that only authorised and authenticated individuals have elevated access rights.
Overview:
Privileged user accounts (administrators, root accounts, domain admins, etc.) must be properly authenticated, monitored, and managed. Their activity must be logged and reviewed to detect suspicious behaviour.
How to Meet the Requirement:
- Maintain an up-to-date register of privileged accounts and review it regularly.
- Access must be revoked immediately when no longer required.
- Apply MFA to all privileged accounts.
- Privileged users must only perform administrative actions from dedicated, trusted devices.
- Log all privileged user actions, and review those logs regularly.
- Dormant accounts must be disabled or removed promptly.
Evidence to Provide:
- Privileged user account logs and audit reports.
- Policies on privileged account management.
- Reports on dormant accounts and access revocations.
Indicators of Good Practice:
- All privileged user activity is logged, reviewed, and audited.
- Strong MFA is enforced for all privileged access.
- Privileged accounts are time-bound or Just-in-Time (JIT) where possible.
B2 Identity and Access Control: Key Considerations
- Initial Identity Verification: All staff must undergo pre-employment identity checks, scaled to the sensitivity of their role.
- Role-Based Access Control (RBAC): Apply RBAC to limit access according to job roles, applying the least privilege principle. Access rights should be reviewed quarterly.
- Device Security: Minimise BYOD and third-party device access. Devices used for privileged access must meet NHS and NCSC guidance for secure configuration.
- Privileged Identity Management (PIM): Where possible, use PIM or PAM tools to provide just-in-time elevated access rather than standing privileges.
Strong identity and access controls are essential to protecting critical systems. By enforcing MFA, restricting device access, and closely managing privileged accounts, organisations significantly reduce the risk of unauthorised access and insider threats.
Need help? Periculo can support your organisation in designing robust access control protocols, managing privileged users, and securing device access.