MD Catalogue, etc.

TODO.md

@@ -2,7 +2,7 @@
 
 ## Needs adding
 
-* MFA requirements
+* MFA requirements (started)
 
 * API standards. Swagger/OpenAPI. See: https://docs.microsoft.com/en-us/azure/architecture/best-practices/api-design, https://nordicapis.com/how-to-manage-1000-specs-at-scale/, https://openapi.tools/, https://www.techtarget.com/searchapparchitecture/tip/How-to-improve-API-documentation-with-Swagger-and-OpenAPI, https://swagger.io/
 

euc/desktop-software.md

@@ -4,7 +4,7 @@ description: >
    Selection and deployment processes for authorised desktop software
 stage: 3. Development Stage
 created: 2021-05-04 15:53:00
-lastUpdated: 2022-06-24 10:40:40
+lastUpdated: 2023-01-27 11:39:34
 ---
 
 For standard users, only two mechanisms exist for delivery of desktop software to a users desktop:
@@ -16,29 +16,31 @@ Standard users may not install or run arbitary desktop software.
 It should be noted that **ALL** EUC devices issued by NHS England are subject to ongoing operational and security monitoring.
 Compromised devices may be remotely locked and/or wiped.
 
-## Power/Developer Users
+## Specific User Classes
 
-Power/Developer users are able to also install their own desktop software. However, no service desk support is given for such applications,
-and desktop issues arising from local installations may result in the users desktop being completely reset back to factory fresh.
+### "Power" Users
 
-In addition, such users agree to take responsibility for the security of their desktop and the security and safety of the information
-they deal with.
+It is recognised that some users require more capabilities from their laptop. The NHS England Modern Desktop already accommodates most of these needs unlike the legacy builds. Power users will no longer be given local administration rights to their laptop in order to protect the integrity of the corporate devices and service.
 
-Specifically, such users **MUST NOT** reduce the security of their desktops by removing the approved security software, leaving drives
-unencrypted or reducing/removing login security. Breach of this agreement will at least result in removal of the power/developer status and
-might result in HR involvement.
+Where local administrative access is required for specific reasons (such as a sponsored university course), a remote desktop environment can be provisioned.
 
-## Legacy Service
+Where users believe that they need a higher-than-average powered device, they can put in a request via the service management portal. However, they will be required to demonstrate a genuine need which will be reviewed by the Technical Design Authority (TDA). If approved, there will be a charge-back to the users local cost code for the additional cost.
 
-For the legacy managed desktop services, all software either has to be formally packaged and tested by our service providers 
-**or** is manually installed by out service providers to an individual users desktop. Note that there is a cost for each
-of these services even if the software has a free license. All new applications must be approved by the appropriate Technical Design Authority
-and may need to be approved by the security board.
+### Data Scientists and Analysts
+
+Many of the tools used have now been made available to all users via the NHS England Modern Desktop. Some specialist tools will not be made available on Modern Desktop and users will need to use a suitable remote desktop environment.
+
+### Developers
+
+Many developer tools have now been made available to all users via the NHS England Modern Desktop. However, there are some tools that are not compatible with a managed enterprise desktop. Most notably the full version of Microsoft Visual Studio. In those cases, users will need to use a suitable remote desktop environment.
+
+## Legacy Services
+
+Changes to any of the legacy managed desktops are no longer accepted except in a critical emergency.
 
 ## Modern Desktop Service
 
-For the Modern Desktop, there are three tiers of application management, each of which carries a different level of cost and adminsitrative
-overhead to the business while allowing maximum flexibility:
+For the Modern Desktop, there are three tiers of application management, each of which carries a different level of cost and administrative overhead to the business while allowing maximum flexibility. The definitive list of Windows desktop applications is available in the [Modern Desktop Applications Catalogue](https://nhsengland.sharepoint.com/sites/ICTArchitectureDesign/SitePages/Modern-Desktop-Apps.aspx) which is available to all NHS England and related organisation staff and key partner vendors.
 
 1) **Fully tested**
 
@@ -62,7 +64,7 @@ overhead to the business while allowing maximum flexibility:
 
    Minimally tested applications must still go through the request and triage process and be approved.
 
-   Once approved however, they will only be given and abreviated packaging and cursory testing before being released to a self-service portal.
+   Once approved however, they will only be given and abbreviated packaging and cursory testing before being released to a self-service portal.
 
    Software updates will follow our standards which is that security patches will be rapidly applied but other updates will be kept at the minimum
    to keep the software in a currently supported version.
@@ -95,9 +97,13 @@ overhead to the business while allowing maximum flexibility:
 
 Many desktop applications connect to external 3rd-party cloud services. Such applications MUST NOT be used without prior approval from both CISW and IG. Specifically, IT Security checks and Privacy checks will be required.
 
+Local administrative elevated rights are no longer permitted on NHS England devices other than for approved administrators. This is to help ensure that the corporate services and users are protected. Alternative provisions are provided for the few exceptions.
+
+NHS England actively monitor corporate end-user devices and services. This includes but is not limited to monitoring what applications have been used and what Internet endpoints people have accessed. Except for specifically identified threats and legal requests, this monitoring is mostly automated with threats and alerts surfaced in our Security Operations Centre and Service Management tools.
+
 ## Open Source & Free Software
 
-It is UK Government policy that open source applications should be considered wherever feasible.
+It is UK Government and NHS policy that open source applications should be considered wherever feasible.
 
 However, the following things should be considered:
 

security/acceptable-cloud-tools.md

@@ -5,7 +5,7 @@ description: >
 stage: 5. Live
 reviewDate: 2022-07-30
 created: 2021-06-30 17:49:16
-lastUpdated: 2022-06-24 12:41:26
+lastUpdated: 2023-01-27 11:09:58
 author: Julian Knight
 ---
 
@@ -92,14 +92,16 @@ The bottom line is:
 
 ## Accessibility
 
-All tools in use in NHS England MUST be accessible to all. This is both a legal and moral requirement.
+**All tools in use in NHS England MUST be accessible to all**. This is both a legal and moral requirement.
 
 Please see the [accessibility document in the development section](application-development/common-dev/accessibility) for more information regarding standards that must be met.
 
 ## Corporate tools
 
 These are the preferred corporate tools for communications and collaboration. These should always be used by preference. They are secured to NHS and UK Government approved levels, have audit capabilities, backup and retention data policies and are generally centrally funded.
 
+!> Note that the [catalogue of Modern Desktop applications](https://nhsengland.sharepoint.com/sites/ICTArchitectureDesign/SitePages/Modern-Desktop-Apps.aspx) which is available to NHS England staff, related organisations and key vendors not only lists all of the available Windows applications but is being used to also list both acceptable and unacceptable web services. That is a work-in-progress, however it should be considered definitive. These lists are indicitive.
+
 <!-- Editors Note: Tables are best edited in Typora or an equivalent WYSIWYG tool -->
 
 |Tool name|Tool type|Notes|Accessing /installing tool|Audience|
@@ -130,14 +132,14 @@ The following tools are known to be in use and have at least tacit approval *wit
 |Google Meet \(was Google Hangouts\)|Communication tool: Video and/or voice|Approved for business use **only** if you have a G-Suite ***Enterprise*** license (Was NHSX but now being DEPRECATED).<br />Otherwise, avoid personal or sensitive data| Web browser. Smartphone App (personal Apple ID required)   |External|
 |Miro|Collaboration tool: Whiteboarding|Avoid personal or sensitive data<br />*Please consider using Mural instead which has some corporate support and licensing.*|Web browser|Internal/External|
 |~~Skype for Business~~|*Communication tool: Video and/or voice*| *No longer needed for any purpose. Use Microsoft Teams instead* |--|--|
-|Slack|Text messaging, Voice/Video calls, etc.|Avoid personal or sensitive data| Web browser                                                  |Internal/External|
+|Slack|Text messaging, Voice/Video calls, etc.|Avoid personal or sensitive data<br />For most use-cases, Microsoft Teams should be used, not Slack. All NHSE staff are fully licensed already for Teams.| Web browser                                                  |Internal/External|
 |Slido|Q&A tool during presentations|Avoid personal or sensitive data.<br />*Avoid for corporate use, Menti is available instead.*|Web browser|Internal|
 |Twitter|Text Messaging, Video transmission|There is an official NHS England Twitter account.<br />Using a personal account to comment on work related issues is fine as long as you follow the NHS England Social Media and [Standards of Business Conduct](https://www.england.nhs.uk/publication/standards-of-business-conduct-policy/) Policies.|Web browser, Smartphone App (personal Apple ID required)|Internal/External|
-|Trello|Web-based, Kanban-style, list-making|Not cleared for OFFICIAL use. Avoid personal or sensitive data.<br />Data is based in USA.<br />**WARNINGS**: <br />1) Tools from Atlassian including Trello may track a lot of personal data which may be passed to 3rd-party advertisers and trackers. <br />2) Vendor admins have access to the data you put into Trello.<br />3) The use of "Power-Ups" may transfer data to other parties with different privacy statements.|Web browser<br />Some paid accounts available to Transformation Directorate users however its use is being DEPRECATED.|Internal/External|
+|Trello|Web-based, Kanban-style, list-making|Not cleared for OFFICIAL use. Avoid personal or sensitive data.<br />Data is based in USA.<br />**Microsoft Planner should be used for most use-cases.**<br />**WARNINGS**: <br />1) Tools from Atlassian including Trello may track a lot of personal data which may be passed to 3rd-party advertisers and trackers. <br />2) Vendor admins have access to the data you put into Trello.<br />3) The use of "Power-Ups" may transfer data to other parties with different privacy statements.|Web browser<br />Some paid accounts available to Transformation Directorate users however its use is being DEPRECATED.|Internal/External|
 |WeTransfer|File Sharing|May be used for transfer of non-sensitive information to/from 3rd-parties.<br />**DO NOT transfer sensitive information without strong pre-encryption.**<br />Must not be used for file storage, only as a temporary method of information transfer.|Web Browser|External|
 |WhatsApp|Text messaging, Voice/Video calls|Avoid personal or sensitive data.<br />*Should not be used for official business since there is no audit capability or records management.*<br />**Recommend** using Signal rather than WhatsApp.|Web browser, Smartphone App (personal Apple ID required)<br />Recommend using the business version of the app to help keep personal and official use separate.|Internal/External|
 |YouTube|Video sharing tool: Video, streaming and chat|Avoid personal or sensitive data.<br />*Uploading of official videos must go through the Corporate Communications team.*|Web browser based use.|Internal/External|
-|Zoom|Communication tool: Video, voice and chat|Avoid personal or sensitive data.<br />Zoom may be used to participate in meetings arranged by other organisations but *it must not be used to facilitate meetings by NHS England*, Teams must be used for that.|Web browser based use. *The Zoom client is not generally available on corporate PC's.*|External meetings|
+|Zoom|Communication tool: Video, voice and chat|Avoid personal or sensitive data.<br />Zoom may be used to participate in meetings arranged by other organisations but *it **must not be used to facilitate meetings by NHS England***, Teams must be used for that.|Web browser based use. *The Zoom client is not generally available on corporate PC's.*|External meetings|
 
 ## Unapproved tools