5.1 Procurement for External Assessment ref Cyber Position
The CTTO presented on the assessment frameworks that have been applied in external reviews of the HSE’s Cyber position to date. This discussion was requested by the Committee at its meeting of 19 January 2023.
The CTTO advised that in June 2021 the HSE commissioned PwC to complete an Independent Post Incident Review (PIR) of the Conti cyber-attack on the HSE. As part of PwC’s review of the HSE’s preparedness to manage cyber risks they used a Cybersecurity Framework for the HSE which was based on the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) and the Information Systems Audit and Control Association (ISACA) Control Objectives for Information and Related Technologies (COBIT).
The CTTO confirmed that both NIST CSF and COBIT are internationally recognised standards that organisations frequently use to assess their information security capabilities and IT governance processes. The Committee supported the use of these frameworks for further proposed procurement processes.
5.2 Discussion on development of Technology dashboard
The CTTO presented the December 2022 eHealth Detailed Report to the Committee which facilitated a discussion on the draft technology dashboard.
The Committee discussed the wording used in the draft technology dashboard, focusing in particular on what is meant by transformation and how it will be clearly defined and measured. The Committee suggested the key headings Protect, Operate, Transform and Sustain. The Committee emphasised the need for a high-level dashboard that can show clear progress, but also emphasised the need to ensure that Sustain is represented.
It was agreed that the CTTO would incorporate Committee feedback and present again at the next meeting.
5.3 Threats and Mitigations monthly meeting
The CISO briefed the Committee on the HSE cyber security ecosystem. This focus was requested at the Committee meeting of 19 January 2023. The HSE cyber threat dashboard for January 2023 was also presented. The CISO focused in particular on prime threats as highlighted by ENISA 2022, key enabling areas for cyber, types of cyber-attacks, and the prioritised 2023 funding ask.
The Committee discussed the metrics highlighted and thanked the CISO for his presentation. It was agreed that an amended version of this presentation should be brought to the Board for the upcoming cyber education session.
The CIO, CTTO and CISO left the meeting.