Transitioning to Cyber Assessment Framework with ServiceNow
This post will examine how ServiceNow can support NHS trusts in their transition to the Cyber Assessment Framework (CAF). Many NHS organisations already use ServiceNow to manage and minimise risk, while also protecting their services and proactively detecting issues. We will look at how many of these practices align with the CAF Indicators of Good Practice (IGP).
The CAF, developed by the National Cyber Security Centre (NCSC), aims to help organisations achieve and demonstrate an appropriate level of cyber resilience in relation to their specified functions. NHS England, in conjunction with the National Data Guardian (NDG), announced the adoption of the CAF as its underpinning assessment mechanism. As such, the Data Security and Protection Toolkit (DSPT) will gradually transition from using the NDG’s 10 data security standards to the CAF.
Initially, the change impacts large organisations; that’s NHS trusts, Commissioning Support Units (CSUs), Arms-Length Bodies (ALBs), and Integrated Care Boards (ICBs). Other NHS organisations and suppliers or partners will be transitioned separately.
The DSPT in its previous form had been relatively effective in ensuring good visibility of cyber security, notwithstanding the common IT challenges within the NHS. As more paper-based services are digitised and the threat landscape has expanded, there is a need for an outcome and evidence-based assessment that allows NHS organisations to apply important context and shape their cyber security roadmap.
The NCSC-built CAF includes 4 objectives, with each containing a set of top-level outcomes describing Indicators of Good Practice. NHS England have developed a health and care overlay that amends some terminology and adds a further objective (E):
- Objective A – managing risk
- Objective B – protecting against cyber attacks and data breaches
- Objective C – detecting cyber security events
- Objective D – minimising the impact of incidents
- Objective E – using and sharing information appropriately
Each IGP includes statements to help an organisation assess whether they have achieved, partially achieved, or not achieved the IGP. It needs to be highlighted that IGPs are not a checklist, but instead are intended to help inform expert judgement. The CAF in general is not an assessment that an NHS organisation is expected to have completely achieved. Furthermore, not all the principles in each objective will be relevant to every trust or function.
The CAF provides an opportunity for organisations to build a roadmap of security improvements, and emphasises good decision-making and improvements over compliance boxes. The change has been introduced in line with the Department of Health and Social Care’s (DHSC) Cyber Security Strategy for Health and Social Care 2023-2030. With this in mind, the topic should be reviewed fully using the official guidance on the NHS England website.
Introduction to ServiceNow
ServiceNow is a powerful platform that helps NHS organisations, and anyone they interact with internally or externally, to efficiently manage their work or interactions. It brings together tasks and data into one place, to prevent people from having to switch between different systems or keep track of things manually. As IT is fundamentally digital, IT departments adopt technologies like ServiceNow to manage system outages (incidents), investigations (problems), and fixes or updates (changes). Without these processes, services provided by IT would suffer, degrading patient experience and slowing down or preventing clinicians from working.
The reality is that IT is only a small part of what the NHS does, and it’s only a small part of what the ServiceNow platform can do. The same benefits in automating workflows in IT can be applied to other areas of a business. In the NHS, here are some examples:
- Workforce Management – a popular and successful use case in the NHS is to integrate all steps and systems in a joiners, movers, and leavers process, removing the need for paper-based or manual tasks that are often missed due to the number of internal teams involved in staff changes. As well as ensuring accuracy and an enhanced employee experience, this improves visibility, reporting, security, and automation. Cost savings can be made on things like reduction in overpayments, return of equipment, and reduction in hours spent on manual tasks.
- Community Care Coordination – ServiceNow’s tailored virtual wards solution creates a unified platform for care teams to manage home visits, remote monitoring, and follow-ups, streamlining care outside hospital settings. Patients benefit from an ‘Uber-like’ experience, where they can see who will be visiting them and when, increasing comfort levels and personal security.
- Vaccination Management – ServiceNow’s external patient/citizen-facing services facilitate large-scale vaccination efforts for scheduling appointments, locating vaccination centres, managing inventory, and providing reports. This capability was previously proven and rolled out to around 2.5 million citizens in the UK. Other external use cases include patient feedback and complaint management, and patient information or Freedom of Information requests.
How is ServiceNow Relevant to the CAF?
The NHS is constantly being targeted by bad actors; it’s a political target for malicious state-sponsored activity, it’s a monetary target due to the value placed on medical data, and it’s also perceived as a soft target, with known resource constraints and legacy systems. When a cyber breach happens, the results are potentially life-threatening. IT systems are critical for the safe and optimal delivery of care, be that despatching ambulances, accessing medical records, or carrying out surgery. Furthermore, there are less obvious operational and logistical impacts which still impact patients, like monetary loss, staff morale, and reputational damage.
Cyber security doesn’t have a silver bullet, and any solution claiming to be one is applying some questionable marketing. Security is about an ongoing and multi-step approach in accordance with the risk profile for a given service. Think of it like securing a property; you have locks on your doors and windows, maybe an alarm or camera-doorbell. One layer of protection doesn’t negate the need for the other. An art gallery where the contents are more valuable will have CCTV, security guards, and perhaps the room with the most valuable works has motion detectors. The same concept applies to your organisation, but managing and integrating these different controls comes with challenges and overheads.
ServiceNow isn’t positioned as an absolute security tool; instead, it works with other tooling to converge and enhance the data and insights each specialist product can deliver. Below you’ll find several examples of how ServiceNow helps to achieve Indicators of Good Practice from the Cyber Assessment Framework. I haven’t included the entire IGP alignment by solution because it’s extensive, but for the full copy reach out to your ServiceNow representative.
Objective: Managing Risk
Example: Asset Management
Let’s use the example of asset management for this objective. An accurate and dynamic Configuration Management Database (CMDB) is essential to determining the assets relevant to your essential functions. A strong CMDB has multiple information sources with integration into additional tooling, such as endpoint managers, vulnerability scanners, and monitoring software. The more data the CMDB has available to it, the more effectively you can manage risks for your physical and virtual assets. ServiceNow offers a multi-source CMDB with a built-in Identification and Reconciliation Engine (IRE) to maintain data integrity. Prepackaged connectors, known as Service Graph Connectors (SGCs), are available to ensure dynamic real-time updates to Configuration Items (CIs) from integrated data sources. ServiceNow can reconcile, deduplicate, and prioritise these data sources alongside its own discovery capabilities that identify devices on the network through either agentless or agent-based technologies.
The CMDB is really the first step in managing the risk associated with IT assets; many NHS organisations are already at this stage. Once the data is populated, service maps enable visualisations of CIs in relation to their dependencies and business services. Assets and services are assigned owners and priorities, ensuring accurate reporting and resource alignment. The data can now start to flow between those existing IT Service Management processes we mentioned earlier. Carrying out a change request on a particular CI? Here’s the business service it could impact if it goes wrong, here’s a single point of failure in the architecture you might not have realised, here’s the incident and change history, here’s who needs to approve and test that for you, and so on. This all contributes to increased visibility and effectively managing the risk of your assets.
The functionality above may be sufficient for some NHS organisations, but for large, mature, or complex environments, such as acute trusts, ServiceNow can efficiently manage the entire lifecycle of clinical and non-clinical assets, ensuring the availability of critical resources for patient care. These end-to-end capabilities are modelled for specific categories in the following areas:
- Hardware Asset Management
- Software Asset Management
- Clinical Device Management
- Enterprise Asset Management
Objective: Protecting Against Cyber Attacks and Data Breaches
Example: Vulnerability Response
For this objective, we’ll use the vulnerability management principle. ServiceNow Vulnerability Response enables NHS organisations to proactively manage and remediate IT security vulnerabilities, ensuring patient data is secured and critical systems are available. By integrating with existing security tools, and automating security workflows, Vulnerability Response provides faster identification, prioritisation, and resolution of threats to reduce the risk of cyber attacks. With real-time insights, collaborative capabilities, and clear ownership, IT teams can ensure vulnerabilities are tracked, prioritised, and mitigated.
The power of the ServiceNow platform means that we can use the data and insights from Vulnerability Response to complement and compound value from other areas of the platform. Consider the asset management section above; by adding Vulnerability Response we can create a centralised data repository of assets updated with every vulnerability scan. Using service mapping, the business context and impact is clear for each service and CI, allowing critical vulnerabilities to be highlighted and prioritised accurately (correlated with other metrics such as severity, third-party exploit data, patch and asset type). Task assignment and change management can be automated and tracked, improving accountability and enhancing the richness of reporting data.
Objective: Minimising the Impact of Incidents
Example: Security Incident Response
ServiceNow Security Incident Response is a Security Orchestration and Automation Response (SOAR) solution, and is part of ServiceNow’s Security Operations (SecOps) suite with Vulnerability Response. Security Incident Response tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post-incident review, knowledge base management, and closure. The automation of incident management helps accelerate responses, allowing for quicker investigation and mitigation of risks. The MITRE ATT&CK framework is integrated into playbooks and analytics to identify known and possible attack patterns.
Security Incident Response frees up valuable time and resources for cyber security operations staff by removing manual effort for repetitive or basic tasks. Common workflows and actions, such as routine phishing and malware responses, or firewall block requests, can be fully automated and integrated with third-party solutions using integrations or apps available in the ServiceNow store. ServiceNow’s Artificial Intelligence (AI) can provide further time and productivity savings, by summarising incident reviews for cyber security analysts to gain contextual understanding in seconds, or generating suggested resolution notes and draft Knowledge Base Articles, the latter being important for knowledge transfer and documentation purposes.
Summary
We’ve looked at a few different areas that can directly contribute to achieving the Cyber Assessment Framework’s Indicators of Good Practice, but have still only scratched the surface. ServiceNow’s single platform, single architecture, and single data model mean that you can scale workflows as your digital maturity and CAF alignment grow. The capabilities discussed above likely have stand-alone alternatives in different spaces, but the true value of a platform approach is joined-up data and system interoperability. When new applications are added, the data enhances other areas of the platform, enabling true end-to-end automation of workflows and integration into any third-party system.