Category: Regulatory Compliance and GDPR

NHS DSP Toolkit Standards Exceeded

OASIS Group are a proud partner of the NHS and are pleased to announce the recent completion of our annual assessment of the NHS Data Security and Protection Toolkit with Standards Exceeded. 

All organisations in England that access NHS patient data must certify and operate in accordance with the NHS Data Security and Protection Toolkit, more commonly known as the NHS DSP Toolkit. The NHS DSP Toolkit was introduced in 2018, replacing the NHS Information Governance Toolkit (NHS IG Toolkit). The revised toolkit is based on the 10 security standards established by the National Data Guardian.

The 10 security standards of the National Data Guardian are split into three groupings called ‘Leadership Obligations’. These Leadership Obligations are:

  • Leadership Obligation 1: People: ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
  • Leadership Obligation 2: Process: ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
  • Leadership Obligation 3: Technology: ensure technology is secure and up-to-date.

More information can be found on the National Data Guardian’s website.

There are three levels of status for organisations registered with the NHS DSP Toolkit: Approaching Standards, Standards Met and Standards Exceeded. As previously stated, OASIS Group (Offsite Archive Storage and Integrated Services (UK) Ltd) have attained Standards Exceeded status. This level of certification demonstrates that evidence of compliance with all 10 security standards was submitted, accompanied by current Cyber Essentials Plus certification.

Find out more about Cyber Essentials here.

To find out more about our DSPT status or compliance to other accreditations please contact compliance@oasisgroup.com.

Building Resilience in the Hybrid World

What can we all do to embed & improve awareness of Business Continuity in this new workplace reality? 

This week (16 – 20 May 2022) is Business Continuity Awareness week. 

BCAW (Business Continuity Awareness Week) is a global campaign to raise awareness of the importance of business continuity, its basic and essential best practices, and how to instil it within the organisational culture. 

In the last 24 months life changed for us all and in some ways forever, including how we all work.  The pandemic was a real test to our resilience both as human beings and businesses. As we start to come out of the pandemic and move into the recovery phase of our Business Continuity Plans, it is important that we stay flexible and keep reviewing, updating and exercising our Business Continuity Plans.

In this new work environment, companies all need to rethink the way that they embed, validate and raise awareness of their Business Continuity Plans. That is why the theme of this year’s Business Continuity Awareness week is Building Resilience in the Hybrid World.  

We have compiled a list of our Compliance team’s top tips to support you with your business continuity plans and activities.

Tip 1: Update your BIAs and Business Continuity Plans. When did you last update them and do they reflect your most recent ways of working, including hybrid working? 

Focus on your purpose 

Ultimately, you need to understand which internal and external activities, including your clients’, are the most critical and time-bound. This starts with your Business Impact Analyses (BIAs). BIAs should be focused on your clients and end users, their SLAs, and the critical services, resources and suppliers required to deliver them. Business Continuity Plans should tell you how you will deliver these most critical services in the event of an incident.

Tip 2: Embrace BC incidents. Think of them as an opportunity to collaborate, learn new skills and improve client satisfaction.  

Spell out the benefits and opportunities of Business Continuity to your Team Members 

Business Continuity is an opportunity for us all to grow and become more resilient both as individuals and as a business. Business Continuity events often present opportunities for us to work with other teams and expand our skills because we have to think on our feet and adapt to the given situation. Sometimes it forces us to be more creative with how and when we deliver products and services with the least amount of disruption. When your clients know that you can deliver in the most difficult and unexpected circumstances, this increases their trust in you and improves client satisfaction.  

Tip 3: Improving Business Continuity awareness is not just about attending a training course. You know it has been successfully embedded when it is thought about in every aspect of your services and supply chain, and every Team Member is aware of the part they play in keeping the business running in the event of an incident.

Improve Business Continuity awareness and training 

Promote thinking about Business Continuity in every aspect of your processes. This might include the next time you select a new supplier (what would happen if they were no longer around?) or how you train your team and ensure that knowledge is shared. Get your team involved in exercising your plans. Share lessons learned and successes from any incidents.

Tip 4: Expect the unexpected. Engage the relevant stakeholders before a situation becomes an incident. Sometimes a situation can become a major incident within minutes or hours. It will be much easier to stand down a team if the worst does not happen, than to create one and scale it up if it does. Raise the alarm early and be better prepared and better able to react more quickly if the worst happens. 

Be prepared before an incident arises 

If there is potential for a situation to become a Business Continuity incident or crisis, engage your line manager and your Compliance team at the earliest opportunity. Your Compliance team will then decide whether it is necessary to put the crisis management team on alert or to invoke an incident.  

A new year’s resolution or evolution?

New Year, new you?

How many times have you decided that the first day of January is when you will go on a diet, start an exercise plan, give up something that you enjoy because it is ‘bad’ for you or make a big change in your life?

And more importantly, how many times have you stuck to it and achieved your goals? New year, new you! Sound familiar?

But why does 1 January have to be different to the day, month or year before? If something needs changing or improving, don’t wait for that arbitrary date in the diary, set yourself realistic and achievable goals and get started straight away!

So how do you stick to your new year’s resolution?

Here’s the secret, don’t make one in the first place!

At OASIS Group, information security and data protection are in our DNA. The date on the calendar is completely irrelevant. They are embedded into our strategies, goals, plans, policies and procedures, and these remain under constant review. We don’t need a new year’s resolution to ensure that the data in our custody is protected, secure and compliant with data protection laws and other relevant regulations.

We recognise that data protection risks and threats can never be truly avoided, and we also know that regulations, legislation, technology and client requirements are ever changing. The secret is to acknowledge this and carry out regular risk assessments and horizon-scanning activities to help you prepare for those risks, threats and changes insofar as possible. Of course, no one has a crystal ball, and the unexpected will sometimes happen. The important thing is being ready and able to adapt quickly to any changes and evolve with them.

Evolutions not resolutions.

Here are a few things you can do to start your data protection evolution:

  1. Know your data
    • Do you have a Record of Processing Activities?
    ‘Well, of course I do, that is the law!’
    OK, but when was the last time you reviewed and updated it? Did you remember to include that new system you just purchased and all the personal data it is collecting? Or what about that process you just changed?
    • If you don’t know what data you have, where it is stored, who has access to it, how can you ensure that it is fully secure and protected? If you have a data breach, how will you know that you have fully contained it and accounted for all of the compromised data?
  2. Set small and achievable data protection goals with a clear purpose
    • Keep the data subject and their rights and freedoms at the heart of your goals.
    • Have you checked that your goals are aligned with reducing your top risks and threats to personal and confidential information?
  3. Ensure you have the right tools in the box
    • Do you have the necessary tools and resources to manage your personal data?
    • Do manual processes create duplication or introduce the risk of error?
    • Here at OASIS, we have award-winning solutions to help you stay compliant with data protection laws, keep your data secure, manage retention periods and securely delete and destroy your data. Speak to one of our Account Managers or visit our website for further details.
  4. Data protection by design and default
    • Is data protection built into any new projects, products, processes? Are all stakeholders involved?
    • Are you completing data protection impact assessments (DPIAs) and considering data subject needs before you start a new project?
  5. Out of sight, but not out of mind
    • Regularly review information security and device policies and procedures for homeworkers. Ensure they are trained in these and that all devices are receiving the latest security updates.
    • Ensure that your homeworkers can securely destroy confidential waste. Here at OASIS, we can offer door-to-door confidential shredding and destruction services for paper and media.
  6. Be ‘incident’ ready
    • Have you written and kept up-to-date incident and cyber response plans?
    • Do you have sufficient resources to deal with an incident? Do you have a dedicated incident response team?
    • When did you last test them?
  7. Data retention
    • Do you have a data retention policy which is communicated across your organisation?
    • Are you checking that data is deleted when the retention period has been reached?
  8. Training and awareness
    • Do your Team Members receive regular training covering all relevant data protection and information security policies and procedures?
    • Do you record this and check their understanding?
  9. Covid-19 data
    • Avoid collecting and recording this data
    • If that is not possible, only collect and record data that is absolutely necessary and for which you have a specific, lawful purpose
    • Restrict access to the data to only those who absolutely need it and ensure retention periods are closely followed
    • Ensure your privacy notices are up to date and available for all data subjects to access

Although today marks Data Protection Day throughout Europe, here at OASIS it is Data Protection Day every day! For us, this is not a new year’s resolution that might not last, or something we look at once a year, but rather an evolution, where we constantly review, innovate and adapt how we operate and protect personal information to ensure that it stays secure and compliant in an ever-changing legal, regulatory, political and technological landscape.

What are your data protection ‘evolutions’?

We would love to hear from you.

An update on the Apache Log4j vulnerability CVE-2021-44228

OASIS Group, along with IT service providers across the globe, actively responded to the recently reported remote code execution (RCE) vulnerability in the Apache Log4j Java library.

The vulnerability, which was made public on 9 December 2021, has been given a CVSS score of 10.0. This means the threat has been rated as critical.

“We have taken immediate action to detect any associated threats and mitigate against vulnerabilities related to CVE-2021-44228. We would like to assure our clients that we have not found any active exploitation of this vulnerability in our systems.”

Steve Townley, CIO of OASIS Group

The Apache Software Foundation released Log4j 2.15.0 to patch the vulnerability, and this has, where necessary, been implemented across the OASIS Group systems. A further update, 2.16.0, has since been released and is being implemented by our IT specialists.
What actions do clients need to take?

There are no actions required for clients using OASIS systems; we have already made the necessary upgrades and continue to monitor for threats as usual. Log4j is widely used across many IT applications, so we recommend that you check with your in-house IT department or other suppliers.

Some other useful information:

What is a CVSS score?

CVSS stands for the Common Vulnerability Scoring System. It is an industry standard that provides a numerical (0-10, 10 being the highest) representation of the severity of security vulnerabilities in software.

What is a remote code execution (RCE)?

Remote code execution (RCE) is a cyber-attack in which an attacker runs their own code on someone else’s device or system over a network, gaining access and control without needing a username or password. It can be carried out from anywhere in the world.

What is Log4j?

Almost all software keeps a record of errors and other important events. Log4j is one of the most common logging packages used around the globe.

How have OASIS mitigated against the vulnerability?

OASIS’ team of in-house IT professionals, including IT Software Engineering and IT Infrastructure Security Specialists, among others, were alerted to the vulnerability. The teams immediately worked to upgrade Log4j, where necessary, to version 2.15.0, which was released to address CVE-2021-44228.

A further update, 2.16.0, has since been released and is being implemented by our IT specialists.

We have also, where possible, added additional Java configurations and increased security protections via our firewalls and other security software.
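The upgrade steps above start with knowing which Log4j 2 versions are actually deployed, and file names alone are not reliable because a jar can be renamed or repackaged. The script below is an added example written for this page, not OASIS Group code: it walks a directory tree, reads the version from the Maven `pom.properties` that Log4j 2 ships inside `log4j-core` jars (falling back to the file name), and classifies each jar against the two releases the post names (2.15.0 as the patch for CVE-2021-44228, 2.16.0 as the further update). The sample jars it builds are constructed inline; it does not look inside nested jars, WAR or EAR files, which a real inventory would also need to cover.

```python
"""Inventory log4j-core jars under a directory and flag versions below the
releases named in the post. Added example, not OASIS Group's own tooling."""
import os
import re
import tempfile
import zipfile

PATCHED_VERSION = (2, 15, 0)   # release the post says addresses CVE-2021-44228
LATEST_VERSION = (2, 16, 0)    # further update the post says was being rolled out

# Version baked into the file name, e.g. log4j-core-2.14.1.jar
JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
# Maven metadata that the real log4j-core artifact carries inside the jar
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); return None for anything unexpected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def assess_version(version):
    """Classify a log4j-core version tuple against the post's thresholds."""
    if version is None:
        return "unknown"
    if version < PATCHED_VERSION:
        return "vulnerable"
    if version < LATEST_VERSION:
        return "upgrade-recommended"
    return "current"


def version_from_jar(path):
    """Prefer the version recorded inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            if POM_PROPERTIES in jar.namelist():
                text = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    except zipfile.BadZipFile:
        pass  # not a valid jar: fall through to the file-name heuristic
    m = JAR_NAME.match(os.path.basename(path))
    return tuple(int(x) for x in m.groups()) if m else None


def scan_tree(root):
    """Map each log4j-core jar under root (relative path) to (version, status)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = version_from_jar(path)
                findings[os.path.relpath(path, root)] = (version, assess_version(version))
    return findings


def build_sample_tree():
    """Constructed sample: four minimal jars. app4's file name claims 2.16.0 but
    its pom.properties says 2.14.1, the renamed-jar case the scanner must catch."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = {
        "app1/lib/log4j-core-2.14.1.jar": "2.14.1",
        "app2/lib/log4j-core-2.15.0.jar": "2.15.0",
        "app3/lib/log4j-core-2.16.0.jar": "2.16.0",
        "app4/lib/log4j-core-2.16.0.jar": "2.14.1",
    }
    for rel, ver in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(POM_PROPERTIES, f"version={ver}\nartifactId=log4j-core\n")
    return root


if __name__ == "__main__":
    for rel, (version, status) in sorted(scan_tree(build_sample_tree()).items()):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:22} {shown:8} {rel}")
```

Run it against a real application root instead of the constructed tree to get the same report for deployed software; anything reported as `vulnerable` or `unknown` is what the upgrade work described above needs to address first.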

Crown Commercial Services Records Information Management Framework

OASIS Group has been named as a supplier on the Crown Commercial Services (CCS) and Yorkshire Purchasing Organisation (YPO) Framework for Records Information Management, Digital Solutions and Associated Services.

Crown Commercial Service (CCS) supports the public sector to achieve maximum commercial value when procuring common goods and services. In 2020/21 CCS helped the public sector to achieve commercial benefits equal to £2.04bn – supporting world-class public services that offer best value for taxpayers.

YPO’s vision is that every single public organisation achieves the best possible value for money when procuring its goods and services.

“OASIS have been supporting the information management needs of clients across the public sector for decades. Through these relationships we understand the drive for procurement efficiencies and are committed to helping our clients achieve this through the RM6175 framework.”

Nick Knight, Chief Commercial Officer at OASIS Group

OASIS Group are registered as suppliers on four lots of the RM6175 Records Information Management, Digital Solutions and Associated Services Framework agreement.

The services available under each lot are detailed below:

  • Lot 1: Records Information Management Services.
    • Off Site Records Information Management Services.
    • Off Site Storage of Inactive Records.
    • On and/or Off Site Secure Shredding, Destruction and Disposal Services.
    • On and/or Off Site Combined Records Information Management Services.
    • Off and/or On Site Scanning Services.
  • Lot 2: Digital Workflow, Cloud Based Hosting Solutions.
    • Digital Workflow Solutions.
    • Cloud Based Hosting Services.
    • Scanning Services.
    • Interim Technical Resources.
  • Lot 3: Full Management of National Health Service (NHS) Patient Records (off site).
    • Clinic Preparation and Management of NHS Patient Records.
    • Digitisation (Scanning) of Patient Records.
    • Off Site Storage of Patient Records at Supplier’s site(s).
    • Third Party Interim Resources.
    • On Site Managed Services.
    • Shredding, Destruction and Disposal (On and/or Off site).
  • Lot 4: Specialist Records Management Services.
    • Listing.
    • Cataloguing.
    • Appraisal and Selection.
    • Sensitivity Review.
    • Record Preparation Services.

Notes to Editors.

Crown Commercial Service (CCS) is an Executive Agency of the Cabinet Office, supporting the public sector to achieve maximum commercial value when procuring common goods and services.

To find out more about CCS, visit: www.crowncommercial.gov.uk

Follow CCS on Twitter: @gov_procurement

LinkedIn: www.linkedin.com/company/2827044

OASIS Group are Cyber Essentials Plus Certified

OASIS Group are pleased to announce that we have been formally certified to the UK Government supported Cyber Essentials scheme.  While we have held the standard level for Cyber Essentials for several years, we can now confirm that we have completed all requirements for the Cyber Essentials Plus certification.

The Cyber Essentials scheme is separated into two tiers: the self-assessment tier, ‘Cyber Essentials’, and a more in-depth tier called ‘Cyber Essentials Plus’. Cyber Essentials Plus requires an independent assessment, which includes a hands-on technical survey and verification of an organisation’s processes and policies. The scheme was created to protect organisations against the most common cyber attacks and to allow them to demonstrate their commitment to cyber security.

The Cyber Essentials scheme is based upon 5 main cornerstones of cyber security:

  • Secure your internet connection.
  • Secure your devices and software.
  • Control access to your data and services.
  • Protect against viruses and other malware.
  • Keep your devices and software up to date.

Promoting confidence.

Cyber Essentials provides our clients, partners and Team Members with the confidence that our processes and operations are compliant to the highest standards. This also goes hand in hand with the international standard for Information Security Management ISO/IEC 27001, to which OASIS Group are both compliant and certified.   

Explore further.

If you would like to find out more about Cyber Essentials you can visit the National Cyber Security Centre’s website by clicking here, or by exploring the Cyber Essentials Readiness Toolkit.  Alternatively, you can learn more about all of OASIS Group’s quality standards by clicking here.

If you would like to speak with one of our specialist team to find out more about the services we provide, please complete our online quotation form.

How your business can make workflow automation work for you

Over the last few years more and more businesses are being encouraged to utilise automated workflow solutions to streamline processes across their organisations. Whilst the theory behind workflow automation is clear to understand, ‘to make the flow of documents, information or tasks perform independently in accordance with defined business rules’, it can be unclear where to start.

“Workflow is for big business”

Something we hear quite a lot is that “workflow is for big business”. This is simply not true. Whether your business has 1 employee, 1 thousand employees or 1 million employees, there will always be efficiencies to be gained by automating certain processes.

Think about your personal life: automation is increasing on a daily basis. You likely have an automated reminder to wake up; maybe you have an automated coffee at a set time in the morning, ice on demand, or a direct debit to pay a bill. These are all examples of automation.

Automation in our personal lives lets us focus on more family time, so why not let business automation allow you to focus more time on clients, employees or revenue-generating activities?

How will Workflow automation work for me?

Automating workflow offers a large number of benefits to businesses, below are just a few high-level examples of how you can make workflow automation work for your business:

Reduce administration errors

By eliminating the manual process of inputting data, workflow automation reduces administrative errors. This is especially important for business-critical processes and matching data against legal or regulatory requirements.

Increase productivity

Generally, the number one reason clients contact us about implementing workflow automation is to increase productivity. For instance, using automated workflow to match and verify a PO number against an invoice will automatically trigger the next task in the process.

Collaboration and team working

An often-overlooked benefit of workflow automation is the collaboration opportunities it provides to organisations of all sizes. One such example of this is the use of workflow automation to manage mailroom processes. Mail can be routed to individuals or teams to take action, based on business rules, and comments can be attributed to specific documents to aid processing by other departments as well as providing an audit trail of who has viewed or taken action.

Real-time reporting

Workflow automation, and business process automation (BPA) in general, provides business leaders with real-time access to the status of business tasks, including opportunities for process improvements. With more precise data and projections business leaders can understand current and future business needs and income.

Identifying the need for Workflow automation

In preparation for developing workflow automation for your business there are some important steps to take:

  1. Identify the areas of the business where workflow automation can be used to perform business tasks.
  2. Audit your business processes to ensure they are still fit for purpose.
  3. Involve your employees that currently perform manual tasks.
  4. Review your business goals and objectives against potential process automations.
  5. Decide on a pilot project. You may have identified 3, 5, 10 or 50 potential areas suitable for workflow automation but, as with any project, choose one area with which to define the process.

How do I choose the solution that works for my business?

Not all software solutions offering automated workflow will offer the same benefits or features, so it is important to consider the complexities of your current business processes.

Are you using legacy systems? If yes, does data need to be migrated or integrated with the new solution?

Do you want the ability to create your own workflows? Or are you looking for a fully managed solution with ongoing IT set-up work?

There are many complexities to automation, so make sure to choose a partner that understands your objectives and can add value to your business.

Get in touch

Are you thinking of automating your business workflow? Get in touch via our online form. Our workflow automation will send your message directly to one of our specialist advisors who will be in touch to discuss your workflow automation needs.

GDPR and the Home Office

Following the two-year anniversary of the General Data Protection Regulation (GDPR), we find ourselves in a very different environment from that of May 2018. The recent pandemic has caused an unprecedented shift in our working environments, resulting in the highest number of people working from home in history.

As we learn to navigate our new environments, the timing of the GDPR anniversary is a reminder for us all to review our new working practices against the GDPR articles and best practice. Organisations appear more exposed to data breaches than ever before. Rightly so, the focus over the last two months has been on Team Members (employees), infrastructure and survival. Meanwhile, internet criminals are using the current situation to collect sensitive data, which makes it necessary to give information security top priority.

Opening up access to data to support the new remote-working infrastructure has also increased the risk of a data breach. Paper documents and digital data leave the building unchecked. Consider, for example, data taken out on a USB stick that is not encrypted.

Organisations now have less control than before and face a constant struggle to protect sensitive data. So where are the immediate dangers?

Personal Devices 

In the panic of the lockdown, many organisations did not have the time or capacity to set their Team Members up with company-owned devices. Many are working from personal laptops and tablets.

Personal devices are often not properly secured and data is often not encrypted. Ask yourself:

  • Who has access to these devices?
  • Is there protection against malware?
  • When was the last operating system update run on the device?
  • What levels of password security are in place?
  • Are employees encrypting or pseudonymising data before it is transferred?

Working Hours 

With Team Members working remotely while juggling family life, more and more will be working flexible hours, many of them outside regular office hours. These irregular hours must be supported. Ask yourself:

  • Do you have an emergency response to a data breach that can be accessed 24 hours a day, seven days a week?
  • How is your organisation notified of a data breach that occurs at 11 pm or 2 am?
  • How do you shut down a network with so many remote workers?

Data protection policy & training 

It is advisable to find out whether the data protection policy should be adapted to the new working environment. Ask yourself:

  • How are you relaying these changes to Team Members and additionally has each Team Member had training in the new data protection policy changes?
  • Is your working from home policy in line with your data protection policy?
  • Are you investing time in boosting your employees’ GDPR expertise?
  • How are you handling IT security training within the remote community of your organisation?

Next week OASIS Group will be publishing an updated GDPR toolkit for the new working environment: a checklist to help your organisation revisit the issues raised above and put together an overview of where you are in the evolution of GDPR compliance in our new working environment.