Security Requirements Best Practices

The list of requirement and expected minimum recommended best practice is available at the HAT Certification Check List. Any HAT Service Provider that is not using a HCF certified HAT Provisioning service is required to complete the questions below. A HAT Service Provider should provide the actual technical details to the questions. An example can be found at the best practice section.

HAT Provisioning Security Checklist

Please note that where a specific standard, protocol or manufacturer program is referenced below, the HCF will consider an equivalent to that stated, however it is the responsibility of the Participating Party to demonstrate the equivalence. Should this equivalence not be satisfactorily demonstrated, the HCF reserves the right to score accordingly and may result in a sub satisfactory score.


  • What encryption standards are used when storing data at rest
  • What encryption standards are used for data in transit
  • Is data ever stored in an unencrypted form

Password Policy

  • Define what your password strength policy is
  • What encryption is used to secure username / password login

Server and Network Management

  • How often are servers penetratation tested
  • How often are the servers patched
  • What is the firewall policy (specify all open ports)
  • What Intrusion Detection devices are in use
  • How are networks and virtual machines segregated


  • What Antivirus solution is in place
  • How often are the antivirus signatures updated

Data Protection/Information Security

Data Protection Act

  • Please confirm that your organisation has Data Protection Registration to cover the purposes of analysis and for the classes of data requested
  • Please describe the content of any Data Protection training provided to your staff; how regularly it is provided and updated, and to whom it is provided
  • Who is the Data Protection Officer or Caldicott Guardian (if NHS)

Data Audit and Access Control

  • What audit logs for access and deletion of data are available
  • How long are audit logs kept for
  • What data erasure /data retention policies and procedures are in place
  • What information security and audit measures have been implemented to secure access to, and limit use of information within your organisation

Data Security

  • What physical security arrangements are in place where this data is to be processed and stored
  • What user privilege control is in place
  • What information is shared regarding data breaches and near misses
  • What procedures are in place for investigating security breaches

Business Continuity

  • What continuity plans are in place to cover loss of staff resource and expertise
  • What continuity plans are in place in the event of loss of, or severe disruption to/loss of premises
  • When was the business continuity/disaster recovery plan last tested
  • What data back-up procedure is in place and encryption
  • What are the recovery timescales

Additional Data Protection Terms

  • If you are being asked to respond to deliver or potentially deliver a hosted service, please state whether this is physical or Cloud provision?
  • Physically, where is the data kept. Is it ever located outside of the UK / EU? - INFORMATION ONLY