Security Requirement Best Practice

The list of requirements and the expected minimum recommended best practice is available in the HAT Certification Check List. Any HAT Service Provider that is not using an HCF-certified HAT Provisioning service is required to complete the questions below. A HAT Service Provider should provide the actual technical details in answer to the questions. An example can be found in the best practice section.

HAT Provisioning Security Checklist

Please note that where a specific standard, protocol or manufacturer program is referenced below, the HCF will consider an equivalent to that stated; however, it is the responsibility of the Participating Party to demonstrate the equivalence. Should this equivalence not be satisfactorily demonstrated, the HCF reserves the right to score accordingly, which may result in a sub-satisfactory score.


What encryption standards are used when storing data at rest

What encryption standards are used for data in transit

Is data ever stored in an unencrypted form

Password Policy

Define what the password strength policy is

What encryption is used to secure username / password login

Server and Network Management

How often are servers penetrat

How often are the servers patched

What is the firewall policy (specify all open ports)

What Intrusion Detection devices are in use

How are network and virtual machines segregated


What Antivirus solution is in place

How often are the antivirus signatures updated

Data Protection/Information Security

Data Protection Act

Please confirm that your organisation has Data Protection Registration to cover the purposes of analysis and for the classes of data requested

Please describe the content of any Data Protection training provided to your staff; how regularly it is provided and updated, and to whom it is provided

Who is the Data Protection Officer or Caldicott Guardian (if NHS)

Data Audit and Access Control

What audit logs for access and deletion of data are available

How long are audit logs kept for

What data erasure / data retention policies and procedures are in place

What information security and audit measures have been implemented to secure access to, and limit use of information within your organisation

Data Security

What physical security arrangements are in place where this data is to be processed and stored

What user privilege control is in place

What information is shared regarding data breaches and near misses

What procedures are in place for investigating security breaches

Business Continuity

What continuity plans are in place to cover loss of staff resource and expertise

What continuity plans are in place in the event of loss of, or severe disruption to, premises

When was the business continuity/disaster recovery plan last tested

What data back-up procedure and encryption are in place

What are the recovery timescales

Additional Data Protection Terms

If you are being asked to deliver or potentially deliver a hosted service, please state whether this is physical or Cloud provision.

Physically, where is the data kept? Is it ever located outside of the UK / EU? (INFORMATION ONLY)