Guidance

IT Health Check (ITHC): supporting guidance

Updated 23 February 2022

© Crown copyright 2022

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/it-health-check-ithc-supporting-guidance/it-health-check-ithc-supporting-guidance

1. Purpose

Your ITHC should aim to provide assurance that your organisation’s external systems are protected from unauthorised access or change, and they do not provide an unauthorised entry point into systems that consume PSN services.

The internal systems should be tested to provide further assurance that no significant weaknesses exist on network infrastructure or individual systems that could allow one internal device to intentionally or unintentionally impact on the security of another.

2. Scope

Getting the scope of an ITHC right is one of the most important aspects in ensuring that the ITHC is a worthwhile exercise and provides you with the correct level of assurance. Your ITHC partner can assist you in setting the correct scope but as a minimum you should look to set up the following test scenarios:

2.1 External testing

This should include systems that provide services on the internet such as email servers, web servers and other systems such as the firewalls that are in place to prevent unauthorised access from the internet into your organisation.

External testing should also include any systems you have in place to allow staff to connect into your organisation remotely. These remote access solutions normally involve VPN that should be tested as part of your external assurance.

If your organisation is dependent on third-party suppliers and they have access to and from your systems from their own office locations this should also be considered as an external connection and tested.

2.2 Internal testing

Internal testing should include vulnerability scanning and manual analysis of your internal network. At a minimum it should include:

  • Desktop and server build and configuration, and network management security
  • Patching at operating system, application and firmware level
  • Configuration of remote access solutions (including solutions for managed devices and BYOD)
  • Build and Configuration of laptops and other mobile devices such as phones and tablets used for remote access
  • Internal security gateway configuration (including PSN gateway)
  • Wireless network configuration

These scans will look to provide assurance that your internal systems have been configured in a secure manner and are being properly maintained at all times.

The testing should include representative vulnerability scanning across the entire estate covering end-points (including thick and thin clients), servers, network devices and appliances. The scanning needs to include applications on devices, this is typically achieved through credentialed vulnerability scanning. In organisations with a large number of devices, you may conduct sample testing: the size of the sample must be no less than 10 per cent of your estate.

3. Output

As a minimum the output of the health check should include the following:

  • Authors should ensure that the report is readable and accessible to the customer and contain a clear summary of the number, type and severity of the issues identified. Where possible CVSS base scores should be included with CVSS version 3 or 3.1 being the preferred vulnerability categorisation standard
  • The report should provide details of the individuals involved in the ITHC
  • The report should communicate the background, scope and context of the health check in full
  • Vulnerabilities should be accurately identified and explained
  • Each identified vulnerability should be associated with a remedial solution. The remedial solution should not be seen as the sole method for reducing the risk - a short-term remedial action may be appropriate until such time that a strategic fix can be put in place. Typical short-term remediations may include a combination of network segregation, limiting access, increased monitoring and further hardening.

4. Choosing a testing partner

For central government customers the CHECK scheme, run by NCSC, is in place to guarantee quality. Organisations should ensure their chosen partner is part of this scheme.

For non-central government customers, Tiger Scheme, CREST-approved ITHC services or the Cyber Scheme can be utilised.

5. Further guidance

For further information on NCSC ITHC scheme, please see the NCSC website. For further information on CREST and Tiger Scheme, please see their respective websites. For further information on the Cyber Scheme, please see the Cyber Scheme website.

Back to top