3.1 High-level briefing on the Report on the independent Reassessment of the HSE’s NIST Capability Maturity Model Integration (CMMI)
P Moran and W O’Brien joined the meeting. P Moran presented the HSE NIST Cybersecurity Maturity Reassessment, which had been requested by the Committee at its meetings on 19 January and 3 February 2023. PwC were engaged to conduct an independent reassessment of the cybersecurity maturity levels at the HSE, using the NIST CSF (National Institute of Security & Technology Cybersecurity Framework) and the governance aspects of ISACA COBIT (Information Systems Audit and Control Association Control Objectives for Information and Related Technologies), which were deployed as part of the Conti Post Incident Review ("PIR") in 2021.
The review sought to: reassess the cybersecurity maturity levels of the HSE, following the initial PIR assessment that took place in 2021, to identify areas for improvement, maturity uplift, and further areas of enhancement; and to provide detailed recommendations to assist the HSE in achieving desired maturity levels.
The HSE’s CMMI Maturity Control Rating across the five NIST domains was discussed by the Committee, noting that the HSE has made progress with regard to the cybersecurity maturity uplift since the cyber incident in 2021.
The Committee queried the target maturity levels and the timeline presented, as the target date for achieving these levels was placed at 2030. It was agreed that the Chair would discuss these ratings with the Board at its meeting on 29 September and request that the Board consider whether it is satisfied with the risk acceptance implied by these targets.
The Committee discussed the role of third parties in achieving the targets and queried the HSE mechanism for assessing and managing third party risk under the remit of both operational reliance and technology. It was agreed that a request would be made of the CRO to report on this topic at the Committee’s next meeting on 6 October, and that the Chair would also discuss it further with the Chair of the Audit and Risk Committee. In relation to areas of enhancement for sustained maturity uplift, the importance of business continuity management was outlined and the HSE Operational Clinical Resilience (OCR) Programme was highlighted in particular. The Committee requested that a status update focusing on the technical aspects of the programme be provided for the October meeting. The Chair agreed to raise this further with the Chair of the Planning and Performance Committee.
W O’Brien highlighted the governance of cyber resilience in the HSE as a key element of improvement required, particularly in relation to compliance with regulatory bodies such as the National Cyber Security Centre (NCSC) and compliance with the EU Network and Information Security Directive (NISD). The Committee discussed the structure of this governance in relation to the upcoming implementation of the new Health Regions and queried the process being put in place with regard to a national/whole-system monitoring and governance approach. The Committee requested that the CIO/CTTO provide a briefing at the October meeting, setting out the processes being considered and the approach to providing assurance to the Committee that a structured approach is in place to drive ICT compliance and the implementation of the PIR recommendations.
The Committee requested that the conclusions as presented by PwC be reviewed to reflect the need for an assessment of progress and to outline specific actions, and then be brought to the attention of the Board.
The CTTO joined the meeting at 10:58.
The Committee discussed the PwC presentation with the CTTO, particularly the culture around governance of cyber security and of IT more widely in the HSE. The CTTO advised that the challenges of a programme of this nature can be seen in other large organisations and that transparency in governance should be the focus. The CTTO advised that robust governance had been put in place for the programme, which can be evidenced through the recent reassessment.
The Committee thanked PwC for the work completed and for the presentation.
P Moran and W O’Brien left the meeting.