Dear Git

I am writing to enquire about multi factor authentication on cloud hosted software. As part of our ongoing efforts to enhance cybersecurity and protect sensitive data, we are seeking information related to the NHS England Multi-Factor Authentication (MFA) Policy with regards to software products which we have from your company.

Could you please provide us with the following information:

• Software Name
• Name of supplier
• Account Manager name
• Account Manager email
• Account Manager Telephone number
• Name of the person completing the survey
• Job title of the person completing the survey
• Contact number of the person completing the survey
• Is the product Internet facing or HSCN facing
• What is the System host type
• What is the location of the data centre(s) used for the provision of the system
• If the solution has 3rd party elements, what are the geographic locations of the 3rd party data centre(s) used for the provision of the system
• MFA Status
• Date of last status check
• Planned date for implementation of MFA
• Actual date of MFA functionality deployment
• Do you have any alternative security mitigation functionality/plans available to address MFA gaps? (Example: Conditional access)
• Date mitigation option available
• Does this system have Admin/Privileged access available for 3rd or 4th parties?
• How is the system provided? (Directly from your Organisation / Partly provided by our Org, but has 3rd party elements / 3rd party provided)
• What is the data classification stored on the system? (Use GDPR examples)
• Does your organisation hold cyber accreditation directly relevant to the provision of the service (Examples: Cyber Essentials plus, ISO27001, SOC2, DSPT, DTAC, NIST)
• When is the contract expiry date with SCWCSU
• Number of users / accounts / licenses supplied
• When was the last time your product was part of a business continuity and disaster exercise?

We appreciate your prompt response and any relevant documentation you can share.
If you have any additional insights or best practices related to MFA, we would be grateful to hear them.

Thank you for your cooperation.

Richard Elford
Business Services Manager | Digital, Data and Technology
NHS South, Central and West
Third Floor - 360 Bristol – Three Six Zero, Marlborough Street, Bristol, BS1 3NX

The information in this email may be confidential and is intended solely for the named addressee(s). If you are not the intended recipient, any disclosure, copying or distribution is prohibited and may be unlawful. Please note that the information contained in this email/attachment(s) may be subject to Public disclosure under the Freedom of Information Act 2000.