Directorate / Programme: Infrastructure Security
Status: Approved
Owner: James Wood
Version: 4.1
Author: Daryl Kayes
Version issue date: 21/04/2015

Logical Connection Architecture

About this Document
This document is used to provide a coherent, comprehensive and concise description of the security controls which will protect access to N3 and personal data. It is completed by all non-NHS organisations that require a connection to the N3 network as part of the Information Governance Statement of Compliance (IGSoC) process, or that have an existing connection to N3 which they wish to modify (including changes to the local network). Applicants should read the introductory notes that precede the form (Introduction through Responsibility for Data Security) before completing it, as they contain important information regarding the IGSoC process, N3 connectivity and the responsibilities of the applying organisation.

Copyright ©2015 Health and Social Care Information Centre

Document Management

Revision History
- Version 3.1, 19/10/2011: Published on the CFH website.
- Version 4.0, 30/03/2015: Revised and updated in line with the HSCIC standards.
- Version 4.1, 21/04/2015: Minor formatting updates.

Reviewers
This document must be reviewed by the following people:
- Matt Wyatt, Operational Security Team Deputy Lead: reviewed 26/02/2015, version 4.0.
- Adam Goodwin, Operational Security Team: reviewed 26/02/2015, version 4.0.

Approved by
This document must be approved by the following people:
- James Wood, Head of Infrastructure Security: signed James Wood, 21/04/2015, version 4.1.

Glossary of Terms
Term / Abbreviation: What it stands for

Document Control: The controlled copy of this document is maintained in the HSCIC corporate network. Any copies of this document held outside of that area, in whatever format (e.g. paper, email attachment), are considered to have passed out of control and should be checked for currency and validity.
Contents
Introduction
  Scope
  Objective
  Intended Audience
  Limitations of Connection
  Responsibility for Data Security
Logical Connection Architecture
  1 Background
  2 Location of N3 Connection
  3 Person Identifiable Data (PID)
  4 LAN Segregation
  5 Access Control
  6 Remote Access
  7 Wireless Networks
  8 Access to/from External Networks (Including Internet)
  9 Patching Regime
  10 Network Topology
  11 Security Policy
  Appendix A - Network Topology
  Appendix B – Security Policy

Introduction
The Logical Connection Architecture (LCA) document is used by non-NHS organisations to provide a coherent, comprehensive, concise and accurate description of the network security controls which will protect access to the NHS National Network (N3) and Person Identifiable Data (PID). It forms part of the Health and Social Care Information Centre (HSCIC) IGSoC process that non-NHS organisations wishing to connect to N3 are required to complete.

N3 faces numerous threats to its security as a result of improperly protected partner networks and connections to uncontrolled external networks such as the internet. These threats are continually evolving in both strength and frequency; ongoing vigilance against them and the maintenance of strict security standards are essential to the continuing success of N3. The LCA and the IGSoC process as a whole are intended to enforce a minimum standard of security for organisations wishing to connect to N3.

The HSCIC maintains a range of Good Practice Guidelines providing advice on specific areas of Information Security and its Governance.
Copies can be obtained from the HSCIC Infrastructure Security Team website: http://systems.hscic.gov.uk/infogov/security/infrasec/gpg

Scope
Non-NHS organisations who wish to connect directly to N3 are required to complete and submit an LCA that accounts for each connection they are applying for. A revised version of this document is required whenever additional connectivity is required, or where it is proposed to change the local infrastructure that is connected to N3. Note that a revised document is not required where an organisation simply requires an increase in N3 bandwidth, unless a new circuit is to be installed.

Objective
The objective of the LCA is to establish the agreed architecture and associated security controls of the local network that the non-NHS organisation wishes to connect to N3. The HSCIC will review the LCA to determine whether it meets the network security requirements for connection to N3. Once approved, the agreed architecture and the security around it will form the baseline for any audit by the HSCIC or its designated auditors. Changes to the agreed architecture and/or the security around it must be notified to the HSCIC IGSoC team by means of an updated LCA document e-mailed to exeter.helpdesk@hscic.gov.uk

Intended Audience
This document assumes a general familiarity with the fundamentals of Information Security, including the use of firewalls, encryption, access control, and wired and wireless networks. Persons completing the LCA should have a good understanding of these principles and of the issues of confidentiality surrounding Person Identifiable Data (PID). If the applying organisation does not have suitable in-house expertise it should consider using the services of a specialist consultancy. Note that the HSCIC is not able to provide consultancy, advice or guidance in these areas, and can only assist with queries relating to the overall process.
Limitations of Connection
Connection to N3 is typically provided through a dedicated line connected to a router at the applying organisation's site. Both the connection and the router are supplied and managed by the N3 Service Provider (N3SP). Note that this router is not under the applying organisation's control and is provided with a fully open inbound Access Control List: it filters nothing that arrives from N3. It is therefore strongly recommended that the applying organisation purchases its own compliant firewall for use at the N3 ingress point, as the HSCIC cannot guarantee the type or volume of traffic originating from N3 that may be destined for the organisation.

N3 connections for non-NHS organisations provide connectivity to a restricted number of sites and services on the N3 network only. They do NOT provide general Internet access. Organisations wishing to access the Internet must do so via their own Internet gateway.

Responsibility for Data Security
N3 is a private Wide Area Network (WAN). Connection is strictly limited to authorised endpoints. All organisations wishing to connect to N3 are responsible for ensuring that their connectivity does not compromise its security.

Information is unencrypted when transmitted within N3, except for encryption applied by specific applications. Confidentiality of sensitive information in transit over N3 is therefore not assured, and Department of Health (DH) guidelines stipulate that PID must be kept confidential. It is the data owner's responsibility to ensure that appropriate controls are in place to secure data in transit, which in general terms means applying appropriate encryption end to end, by the application or the endpoints, since the network itself provides none.

Approval under the IGSoC process (including the LCA) in no way removes the responsibility of NHS organisations wishing to exchange data with the applying non-NHS organisation to perform due diligence before allowing end-to-end connectivity with the applying organisation.
Logical Connection Architecture
For completion by the applicant. All questions MUST be answered or marked N/A.

Organisation:
ODS (formerly NACS) Code:
Version:
Date:
Author:
Description:

1 Background

1.1 Reason for LCA submission
Response:
Notes: Reasons for requiring an LCA may be either:
- a new connection at a location not previously connected; or
- a change to an existing connection where there has been a change to the infrastructure or security associated with it.

1.2 Type of N3 access being requested
Response:
Notes: The type of N3 access may be either:
- a physical connection; or
- an N3 Remote Access token.

1.3 Description of products or services being delivered
Response:
Notes: This should include details of:
- what products or services will be delivered by the applying organisation;
- how they will be delivered;
- how the N3 connection will be used to support this delivery;
- other NHS systems used;
- whether the systems used are locally hosted or remotely accessed.
It is best to explain in general terms, for those unfamiliar with your organisation, products and services.

2 Location of N3 Connection

2.1 Enter the full postal address of the location where the N3 link(s) will be installed. Include the full name, telephone number and e-mail address of the applicant's principal contact for completion of the IGSoC process.
Response:
Notes: Please state:
- the full postal address of the location where the N3 link(s) will be installed;
- the key contact within the organisation: name, telephone number and email address;
- who owns and manages the location.
It must be clear whether the location is owned / managed by the applying organisation or by another organisation. It is acceptable for the connection to be hosted by a third party, but this must be made clear, and the third party must not be permitted physical or logical access to the N3 circuit being purchased.
Note for N3 Remote Access tokens: the response should give the main site where the tokens will be used, or the head office of the organisation. Confirm that there will be one N3 Remote Access token per user (not per device).

3 Person Identifiable Data (PID)

PID is defined as any data that can identify an individual because of the way in which the information has been collated, the context in which it is or may be used, or as a result of other information held. The term covers both Patient Identifiable Data and Personal Data (Data Protection Act 1998). Examples (not exhaustive) include name, address, date of birth, age, occupation, place of residence, NHS number and specific medical conditions.

3.1 State whether PID is to be digitally viewed, stored, processed or transmitted by the organisation.
Response (Yes/No plus a brief explanation for each): Viewed: / Stored: / Processed: / Transmitted:
Notes: Answer Yes or No to each, with a brief explanation for each. If ANY response is Yes, the additional questions in this section MUST be answered.
- Viewed means the viewing of PID in human-readable form, either on screen or in printed form.
- Stored means the holding of PID in any form of storage mechanism, even if only temporarily.
- Processed means the manipulation of PID in order to extract, modify or delete information contained within it, or to change its format in order to present it in an alternative form.
- Transmitted means the sending of PID between two or more devices. Note: this includes the transfer of PID on backup tapes and other removable media.

3.2 State the level of encryption employed to maintain confidentiality whilst PID is in transit and (if applicable) stored at the applicant's site.
Response:
Notes: You must provide details of the encryption standard used for PID transmitted/viewed over N3 and stored at the applicant's site (if applicable). Include the type and strength of the encryption algorithm, with any applicable key size, for example AES 256 or Triple DES (168 bit; note that three-key Triple DES gives an effective strength of about 112 bits, so state the nominal key size and let the HSCIC Approved Cryptographic Algorithms determine acceptability). It may be best to identify all flows of PID and provide encryption details for each type of transfer and storage. Consider:
- PID viewed/transmitted over N3;
- PID viewed/transmitted over the internet;
- PID stored on desktops, laptops, tablets, etc.;
- PID stored on servers and databases;
- PID stored on removable storage and backups;
- PID transferred to paper or other media.
If encryption is determined by a system outside your control, this must be identified in the explanation. NHS encryption guidance for the protection of sensitive information can be found in the NHS Encryption Guidance and the HSCIC Approved Cryptographic Algorithms. Where other methods are employed in secure areas, you must provide as much detail as possible to show that they provide at least an equivalent level of protection to an encryption solution.
Note: it is not sufficient to say that you will comply with any required standards. You must specify the type and strength of encryption to be used. If this depends on the encryption used by the NHS organisation being supported, you should establish the requirements with them and include them here.

3.3 Describe how PID (if displayed on the applying organisation's PCs or in the organisation's premises) will be secured from oversight by unauthorised parties.
Response:
Notes: This section covers prevention of PID being viewed by those not authorised to see it. It includes prevention of 'shoulder surfing' and unauthorised physical access to equipment capable of displaying PID.
Consider the physical access controls, such as:
- staff access controls to buildings;
- staff access controls to rooms containing PID;
- visitor access to buildings and rooms;
- patient access to buildings and rooms;
- the position of computer screens;
- the use of privacy screens;
- controls at locations used for remote access.
Identify specific references to the policy statements in the organisation's policy documents which support the response, for example: document <doc>, page z, section x.y <title>.

3.4 Describe the policy and controls in place to prevent the unnecessary printing of PID.
Response:
Notes: The HSCIC recognises that there may be occasions when PID is required to be printed, such as letters to patients. You should briefly outline your organisation's policy on printing PID and include this in your overall security policy. Also identify specific references to the policy statements in the organisation's policy documents, for example: document <doc>, page z, section x.y <title>. Describe any technical controls in place to enforce the policy and explain how they are implemented.

3.5 Describe the policy and controls in place to prevent the unnecessary copying of PID to removable media.
Response:
Notes: The HSCIC recognises that there may be occasions when PID is required to be transferred to removable media, such as back-ups of data. You should briefly outline your organisation's policy on the copying of PID and include this in your overall security policy. Also identify specific references to the policy statements in the organisation's policy documents, for example: document <doc>, page z, section x.y <title>. Describe any technical controls in place to enforce the policy and explain how they are implemented. Note that Department of Health policy dictates that any PID stored on removable media MUST be encrypted. The implementation of this encryption must be described in Section 3.2.
3.6 Will PID be Viewed, Stored, Processed or Transmitted outside England?
Response (Yes/No):
Notes: Current restrictions on the viewing, transport and storage of PID mean that connecting organisations are not ordinarily permitted to allow viewing or storage of PID outside England. This includes remote viewing via services such as RDP by support staff. Organisations answering YES to this question MUST complete the 'Offshore Support Requirements' and 'Information Security Management System (ISMS) template' documents, available from the HSCIC website (the HSCIC IGSoC Offshore policy documents). If you are required to complete these documents, your N3 connection will NOT be approved until you have done so and they have been reviewed and assessed by the HSCIC, regardless of the outcome of your LCA submission.

4 LAN Segregation

4.1 Describe the method by which the local network that will be connected to N3 is to be protected from N3 and segregated from any wider (corporate) network.
Response:
Notes: The applying organisation must describe the method of segregation used to restrict access to N3 / HSCIC digital services to those devices and users that are authorised to access them. It is the applying organisation's responsibility to protect its network from unwanted traffic from N3: the HSCIC does not provide any assurance as to the volume or nature of traffic originating from or within N3. The HSCIC recommends that the applying organisation has a suitably configured firewall in place that is at least ITSEC E3 or Common Criteria EAL4 compliant. This firewall MUST be used solely for the applicant's N3 connection.
Common Criteria compliant devices can be found here: http://www.commoncriteriaportal.org/products/
ITSEC certified products can be found here: http://www.cesg.gov.uk/finda/Pages/CCITSECResults.aspx
Where a patch release of a vendor's compliant product has not yet been approved, it is acceptable to use the most recent version of that product pending confirmation of its compliance status.

There are a number of methods available for ensuring adequate segregation between the N3-connected LAN and the wider corporate environment, including the use of firewalls, VLANs or complete physical separation. Note that a VLAN provides logical separation only and depends on the correct configuration of every switch that carries it; where VLANs are used, the firewall must still mediate all traffic between the N3-connected VLAN and any other network. In considering their approach to segregation, applicants should also consider the physical security controls required to restrict access to N3-connected systems, in conjunction with the requirements in sections 3 and 6.
Note for N3 Remote Access tokens: the response can be limited to a compliant local firewall, such as the software firewall on a laptop/desktop.

5 Access Control

5.1 Describe the method of access control within the applicant's network that will prevent unauthorised users accessing N3. In all cases a user must be required to undergo local authentication before gaining access to local and remote services (including N3).
Response:
Notes: All access to N3 services must be restricted to authorised persons only. The applicant must describe how this authorisation will be enforced and how users will be authenticated on the N3-connected network before gaining access to N3 services. This can include the use of Active Directory or other directory services, membership of user groups, or the use of software or hardware tokens, among other means. A step-by-step analysis may be best, identifying each type of access and authentication available.
For each stage, please describe:
- the method of authentication;
- how the access is controlled.
In all cases, explicit confirmation is required from the organisation that all users are required to undergo local authentication before being able to access local or remote services (including N3 access). Note that where local user accounts are used, the organisation must confirm that these accounts are issued on a per-individual basis, are not shared and do not have administrative privileges.

5.2 Describe the policy for adding, managing and removing access control.
Response:
Notes: You should briefly outline your organisation's policy for adding, managing and removing access control and include this in your overall security policy. The policy may include measures for:
- designated approvers to grant access;
- the process for staff joining and leaving;
- periodic audits of access requirements.
Identify specific references to the policy statements in the organisation's policy documents which support the response, for example: document <doc>, page z, section x.y <title>.

6 Remote Access

6.1 Will any remote access users have access to N3 or to the N3-connected LAN?
Response (Yes/No): (If the response is YES, applicants MUST complete the additional questions in this section.)
Notes: Remote access is any access to N3 or to the N3-connected LAN from outside the organisation's network environment. This includes access via the internet by home workers or remote support staff, or via other external gateways. For N3 Remote Access tokens, respond with Yes.

6.2 Will remote access to N3 be available only to the applying organisation's staff, using secure hardware provided by the organisation?
Response (Yes/No):
Notes: Only authorised employees of the applying organisation are permitted to access N3 services or systems via the organisation's connection to N3. Access by third parties is strictly prohibited.
Any remote access to N3 must be from secure systems. "Secure" means that the authorised hardware conforms to the applicant's security policy with regard to remote working, is under the applicant's control, and is in the opinion of the applicant fit for this purpose. PID MUST NOT be cached or stored on any remote machine unless it is on an encrypted drive or in an encrypted container.

6.3 Will remote access users outside England have access to N3?
Response (Yes/No):
Notes: Current restrictions on access to N3 mean that connecting organisations are not ordinarily permitted to allow access from outside England. This includes remote viewing via services such as RDP by support staff. Organisations answering YES to this question MUST complete the 'Offshore Support Requirements' and 'Information Security Management System (ISMS) template' documents, available from the HSCIC website (the HSCIC IGSoC Offshore policy documents). If you are required to complete these documents, your N3 connection will NOT be approved until you have done so and they have been reviewed and approved by the HSCIC, regardless of the outcome of your LCA submission.

6.4 Describe the method of remote connection employed, with the level of encryption.
Response:
Notes: Applicants MUST specify the type of VPN used for remote access to the organisation's network, for example IPsec or SSL/TLS. Include the type and strength of the encryption algorithm, with any applicable key size, for example AES 256 or Triple DES (168 bit). Detailed encryption guidance can be found in the HSCIC Approved Cryptographic Algorithms. If some remote users will be unable to gain access to N3, describe the additional controls which will prevent their access to N3 and how those controls are implemented.
Note for N3 Remote Access tokens: the response can simply reiterate that N3 Remote Access tokens with two-factor authentication are being used.
The encryption is controlled by the N3SP.

6.5 Describe how the remote access VPN is terminated within the organisation's network.
Response:
Notes: The remote access VPN session MUST be fully terminated within the organisation's network before a connection to N3 is established. The purpose is to mitigate the risk of deliberate or inadvertent bridging of internet (or any other external network) traffic to N3: a remote client must never be able to forward packets from the internet straight onto N3, so its tunnel must end on a VPN concentrator inside the organisation's network, and only traffic from locally authenticated users then passes through the N3 firewall.
Note for N3 Remote Access tokens: the response can simply reiterate that N3 Remote Access tokens with two-factor authentication are being used. The VPN session is terminated on the N3SP VPN servers.

6.6 Describe the remote access two-factor authentication mechanism. The HSCIC insists that remote access users MUST undergo two-factor authentication within the organisation's network before accessing N3.
Response:
Notes: Specify the two factors used to authenticate remote users before they connect onward to N3 services. Note that the different user authentication factors are:
- something they know;
- something they possess;
- something that is part of them (biometric).
The two factors must be of different types; a password together with a second memorised secret is not two-factor authentication.
Note for N3 Remote Access tokens: the response can simply reiterate that N3 Remote Access tokens with two-factor authentication are being used.

7 Wireless Networks

7.1 Are there any wireless LANs at the site requiring access to N3 or to the N3-connected LAN?
Response (Yes/No): (If the response is YES, applicants MUST complete the additional questions in this section. Where the response is NO, consideration should still be given to section 7.3.)
Notes: If the N3-connected LAN is physically separated from the corporate network hosting the wireless access points, and has no wireless access points or wireless-capable equipment connected to it, then you may answer NO to this question.
In all other cases where wireless networks are present, the answer must be YES.

7.2 State the wireless encryption and authentication standards employed.
Response:
Notes: The HSCIC minimum standard is WPA2-AES (Wi-Fi Protected Access 2 with AES-CCMP) for encryption, and 802.1X with one of the standard Extensible Authentication Protocol (EAP) types currently available for authentication. Applicants must state:
- the type and strength of encryption, for example WPA2-AES (CCMP, 128-bit key);
- the authentication standard, for example EAP-TLS;
- how the key is distributed, for example via RADIUS or a pre-shared key (note that a pre-shared key identifies the network rather than the user and on its own does not meet the 802.1X minimum above).
It is not sufficient to state that you will adhere to any required standards. You should establish what those standards are and detail them.

7.3 What additional controls will allow or prevent wireless users from accessing N3?
Response:
Notes: Provide details of any additional technical controls which will allow or prevent wireless users from accessing N3. Describe the additional controls and how they are implemented. Identify specific references to the policy statements in the organisation's policy documents which support the response, for example: document <doc>, page z, section x.y <title>.

8 Access to/from External Networks (Including Internet)

8.1 Does the proposed network architecture include any external network gateways, including internet?
Response (Yes/No): (If the response is YES, applicants MUST complete the additional questions in this section.)
Notes: The purpose of this section is to mitigate the risk of the inadvertent bridging of Internet (or any other external network) traffic to N3. Even if access to the external network is outbound only, the response must be YES.

8.2 Give details of how the applicant proposes to secure each external network gateway (including Internet) of the local network that will be connected to N3.
Response:
Notes: Any external network gateway (including Internet) MUST be protected as a minimum by a suitably configured ITSEC E3 / Common Criteria EAL4 compliant firewall. This CANNOT be the same physical firewall that is protecting the organisation's network from N3.
Common Criteria compliant devices can be found here: http://www.commoncriteriaportal.org/products/
ITSEC certified products can be found here: http://www.cesg.gov.uk/finda/Pages/CCITSECResults.aspx
Note for N3 Remote Access tokens: this question is limited to the internet gateway and should be answered in the same way as Section 4.1.

8.3 Give details of any inbound access from any external network gateway (including Internet).
Response:
Notes: Where inbound firewall rules need to be configured to allow access from an external network (particularly the Internet) to the N3-connected LAN, details must be given, including:
- the type of allowed traffic;
- the allowed protocols and ports;
- IP address restrictions;
- how the traffic is terminated.
The HSCIC design rules dictate that any Internet-facing solution (e.g. a web service) must not have a shared N3/Internet front end. This means that back-end resources may be shared, but access from N3 and from the Internet gateway must be via separate physical paths and separate front-end servers, so that a compromise of the Internet-facing server does not hand an attacker a host that also sits on N3. The applying organisation should include reference to these design rules within its response and describe how they are adhered to.

9 Patching Regime (for devices within the organisation's network that will interact with N3)

9.1 Please specify the proposed regularity and method of checking and updating anti-virus and anti-spyware definition files and engines.
Response:
Notes: The HSCIC requires that all devices connected to N3 have anti-virus software deployed and configured to ensure that regular scans are carried out and alerts are raised when suspicious files are found, regardless of the underlying operating system.
The HSCIC recommends that appropriate mechanisms be in place to ensure that virus definition updates are installed as soon as they are available or, if necessary, after stability testing by authorised personnel. Consider:
- all devices in scope: servers and clients; Windows, Apple, Linux, Unix, etc.;
- the source of the updates;
- the delivery method: push or pull.
Applicants should be aware that access to N3 does not provide access to the internet. Applicants planning to use automated update services via the internet should ensure that they have a separate, properly protected gateway available to facilitate this.

9.2 Please specify the proposed method and regularity of checking and applying security and other patches to these devices.
Response:
Notes: The HSCIC recommends that appropriate mechanisms be in place to ensure that security updates and operating system and application patches are installed as soon as they are available or, if necessary, after stability testing by authorised personnel. It is particularly essential that the patching of any server used to store PID is kept up to date. Consider:
- all devices in scope: servers and clients; Windows, Apple, Linux, Unix, etc.;
- the source of the updates;
- the delivery method: push or pull.
Applicants should be aware that access to N3 does not provide access to the internet. Applicants planning to use automated update services via the internet should ensure that they have a separate, properly protected gateway available to facilitate this.

10 Network Topology

10.1 A diagram of the local network that is proposed to be connected to N3 must be included.
Response: Please attach your topology diagram in Appendix A.
Notes: A network topology is a diagram describing the physical and logical relationship of nodes in a network.
The following items must be present on the diagram to determine the pattern of data flow across the network and the links connecting one or more networks:
- N3 cloud;
- N3SP router;
- internal N3-connected LAN;
- servers or computers holding, accessing or displaying PID;
- interface to any corporate LAN;
- Internet cloud (if applicable);
- partner networks (if applicable);
- interface to aggregated network (applicable to aggregators only);
- all firewalls;
- wireless access points.
Applicants should note that we do not need large, detailed technical diagrams. For the purposes of the LCA we are only interested in those parts of the organisation connected to N3 and their interfaces to any wider corporate network and other external networks. An example diagram is included in Appendix A to indicate the level of detail required.

11 Security Policy
Response: Please attach a copy of your organisation's IT Security Policy in Appendix B. If file size restrictions mean this is not possible, it may be submitted as a separate document, clearly named and associated with the LCA submission.
Notes: A copy of the organisation's Information Security Policy should be included. Formatting can be preserved by inserting or pasting it as a file so that it appears as an embedded icon. This policy should reflect the responses given in the LCA submission and address all policies and procedures that the organisation and its staff follow with regard to all aspects of IT and Information Security. The policy should be mandated by the applying organisation's senior management. Please note that the documents will be used only for the IGSoC process by those in the HSCIC with an operational need to know, as explained in the IGSoC Privacy Policy.
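Sections 5.1 and 6.6 above require every remote user to be locally authenticated with two factors before any onward connection to N3 is allowed. The following is an added example, not part of the LCA template and not HSCIC or N3SP software, of the check a remote-access gateway would make: a password (something the user knows) verified against a salted PBKDF2 hash, and a time-based one-time code (something the user possesses) verified with RFC 6238 TOTP over RFC 4226 HOTP, with replay protection. It uses only the Python standard library. The user record, password and token seed are constructed for the example, and TOTP is assumed as the token algorithm; the N3 Remote Access token mechanism itself is operated by the N3SP and is not described here.

```python
"""Added example (not part of the LCA template): a remote-access gateway
check that requires BOTH a password and a time-based one-time code (RFC 6238
TOTP) before a user is allowed onward to N3. Standard library only; all
users, passwords and token seeds below are constructed for the example."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # assumed work factor for the stored password hash
TOTP_STEP = 30                # seconds per TOTP time step (RFC 6238 default)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer and reduced to a zero-padded decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(key, unix_time // step, digits)


class User:
    """Constructed credential record: salted PBKDF2 password hash, the seed
    shared with the user's token, and the last time step already accepted."""

    def __init__(self, username: str, password: str, totp_seed: bytes):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ITERATIONS)
        self.totp_seed = totp_seed
        self.last_counter = -1   # replay protection: each time step is accepted at most once


def authenticate(user: User, password: str, code: str, now: int, window: int = 1) -> bool:
    """Return True only when both factors verify.
    Factor 1, something the user knows: the password, checked against the PBKDF2 hash.
    Factor 2, something the user possesses: a TOTP code from the seeded token,
    accepted within +/- `window` time steps to tolerate clock drift.
    Both checks always run in full so the timing of the result does not reveal
    which factor failed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ITERATIONS)
    password_ok = hmac.compare_digest(candidate, user.pw_hash)

    counter = now // TOTP_STEP
    matched: Optional[int] = None
    for step in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(user.totp_seed, step), code):
            matched = step
    # A code for a time step already used (or an earlier one) is treated as a replay.
    code_ok = matched is not None and matched > user.last_counter

    if password_ok and code_ok:
        user.last_counter = matched
        return True
    return False


if __name__ == "__main__":
    seed = secrets.token_bytes(20)          # would be provisioned into the user's token
    alice = User("alice", "correct horse battery staple", seed)
    now = 1_700_000_000
    print("both factors:", authenticate(alice, "correct horse battery staple", totp(seed, now), now))
    print("replayed code:", authenticate(alice, "correct horse battery staple", totp(seed, now), now))
    print("wrong password:", authenticate(alice, "guess", totp(seed, now + 30), now + 30))
```

The gateway decision modelled here happens inside the organisation's network; only after `authenticate` returns True would the user's session be permitted through the dedicated N3 firewall described in section 4.1. A production deployment would add account lockout after repeated failures and would keep the token seeds in a hardware-protected store rather than alongside the password hashes.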
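Sections 4.1, 8.2 and 8.3 above state three architecture rules that the topology in Appendix A has to satisfy: the N3-facing firewall must be a separate physical device from any Internet-facing firewall, inbound Internet rules must name their ports and restrict source addresses, and no server may be a front end for both N3 and the Internet. The following is an added example, not part of the LCA template and not an HSCIC tool, that models a topology as a list of firewalls with permit rules and reports violations of those rules. The zone names, firewall names, host names and address ranges are invented for the example, and the firewalls are assumed to have a default-deny policy.

```python
"""Added example (not part of the LCA template): a small model of the
architecture rules in sections 4.1, 8.2 and 8.3, run over constructed
topologies. Zone names, firewall names, host names and address ranges are
invented for the example; the rules checked are those stated on the form:
  - the N3-facing firewall must not be the same device as any Internet-facing firewall;
  - every inbound rule from the Internet must name a port and restrict source addresses;
  - no host may be a front end reachable from both N3 and the Internet."""
from dataclasses import dataclass, field
from typing import List, Optional, Set
import ipaddress

N3 = "N3"
INTERNET = "INTERNET"
ANY_SRC = "0.0.0.0/0"


@dataclass
class Rule:
    """One permit rule; the firewall's default policy is assumed to be deny."""
    src_zone: str                 # zone the traffic arrives from
    dst_host: str                 # host the rule permits traffic to
    proto: str                    # "tcp" or "udp"
    port: Optional[int]           # None models an "any port" rule
    src_cidr: str = ANY_SRC       # permitted source range; ANY_SRC means unrestricted


@dataclass
class Firewall:
    name: str
    zones: Set[str]                          # zones attached to this physical device
    rules: List[Rule] = field(default_factory=list)


def check_architecture(firewalls: List[Firewall]) -> List[str]:
    """Return one finding per violation of the three design rules."""
    findings: List[str] = []

    # 4.1 / 8.2: N3 and Internet gateways must be separate physical firewalls.
    for fw in firewalls:
        if N3 in fw.zones and INTERNET in fw.zones:
            findings.append(f"{fw.name}: same device faces both N3 and the Internet")

    # 8.3: inbound Internet rules must state ports and restrict source IPs.
    for fw in firewalls:
        for r in fw.rules:
            if r.src_zone != INTERNET:
                continue
            if r.port is None:
                findings.append(f"{fw.name}: Internet rule to {r.dst_host} allows any {r.proto} port")
            if ipaddress.ip_network(r.src_cidr, strict=False).prefixlen == 0:
                findings.append(f"{fw.name}: Internet rule to {r.dst_host} has no source IP restriction")

    # 8.3 design rule: hosts reachable from N3 and from the Internet must not overlap.
    reachable = {N3: set(), INTERNET: set()}
    for fw in firewalls:
        for r in fw.rules:
            if r.src_zone in reachable:
                reachable[r.src_zone].add(r.dst_host)
    for host in sorted(reachable[N3] & reachable[INTERNET]):
        findings.append(f"{host}: shared N3/Internet front end")

    return findings


def compliant_topology() -> List[Firewall]:
    """Constructed example matching the form: a dedicated N3 firewall and a
    separate Internet firewall, each with restricted, port-specific rules."""
    fw_n3 = Firewall("fw-n3", {N3, "N3_LAN"}, [
        Rule(N3, "n3-web-1", "tcp", 443, "10.0.0.0/8"),            # invented N3-side range
    ])
    fw_inet = Firewall("fw-inet", {INTERNET, "INET_DMZ"}, [
        Rule(INTERNET, "vpn-gw", "udp", 500, "198.51.100.0/24"),    # IKE from an invented partner range
        Rule(INTERNET, "vpn-gw", "udp", 4500, "198.51.100.0/24"),   # IPsec NAT traversal
        Rule(INTERNET, "inet-web-1", "tcp", 443, "203.0.113.0/24"),
    ])
    return [fw_n3, fw_inet]


def non_compliant_topology() -> List[Firewall]:
    """Constructed example breaking all three rules on one device."""
    fw = Firewall("fw-shared", {N3, INTERNET, "N3_LAN"}, [
        Rule(N3, "web-1", "tcp", 443, "10.0.0.0/8"),
        Rule(INTERNET, "web-1", "tcp", 443),                        # any source address
        Rule(INTERNET, "mgmt-1", "tcp", None, "203.0.113.0/24"),    # any port
    ])
    return [fw]


if __name__ == "__main__":
    for label, topo in (("compliant", compliant_topology()), ("non-compliant", non_compliant_topology())):
        print(label, check_architecture(topo) or ["no findings"])
```

A remote-access VPN that must accept home workers from arbitrary Internet addresses cannot satisfy the source-restriction check; in that case the control the form relies on is the one in section 6.5, namely that the tunnel terminates on a concentrator inside the organisation's network and its users reach N3 only after local two-factor authentication, through the separate N3 firewall. The model above deliberately stops at permit rules and zones, which is the level of detail section 10.1 asks for in the diagram.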
Appendix A - Network Topology
Example topology diagram for a physical N3 connection: [diagram]
Example topology diagram for N3 Remote Access tokens: [diagram]

Appendix B – Security Policy