{"id":345,"date":"2023-11-03T15:36:57","date_gmt":"2023-11-03T15:36:57","guid":{"rendered":"https:\/\/xnat-repository.icr.ac.uk\/?page_id=345"},"modified":"2024-02-21T22:04:58","modified_gmt":"2024-02-21T22:04:58","slug":"for-infosec","status":"publish","type":"page","link":"https:\/\/xnat-repository.icr.ac.uk\/?page_id=345","title":{"rendered":"For infosec"},"content":{"rendered":"
\n
\n
\n
\"\"<\/picture><\/div>
<\/div><\/div><\/div>
\n <\/svg>
Christina_and_Vonnie_grey_1900x600<\/div>
<\/div><\/div><\/div> <\/div>\n <\/div>\n <\/div>\n <\/div><\/ss3-loader><\/div><\/div>
<\/div><\/div><\/ss3-force-full-width><\/div>\n\n\n

<\/p>\n\n\n\n

FAQ for information security officers<\/h2>\n\n\n\n

The following list of questions has been drawn from interactions with IT, Information Governance and Information Security officers at a number of NHS institutions over the last five years.<\/p>\n\n\n\n

What is the name and supplier of the system\/product?<\/summary>\n

eXtensible Neuroimaging Archive Toolkit (XNAT), supplied by the Flywheel LLC and the  Neuroinformatics Research Group, Washington University School of Medicine in St Louis. Software development has been funded continuously by NIH R01 grant since 2008 (and earlier via other public grant mechanisms). XNAT is an open-source product that has a long track record and is used by many of the world’s leading academic healthcare institutions for managing image data.<\/p>\n<\/details>\n\n\n\n

What exactly is XNAT and what does it do?<\/summary>\n

XNAT (www.xnat.org<\/a>) is a secure data-curation platform for images used in research projects. Its core function is to manage the import, archiving, processing, visualisation and secure distribution of image and related study data. <\/p>\n<\/details>\n\n\n\n

Who will host data? (in-house solution\/cloud, name of the provider)<\/summary>\n

Data will be hosted either by the Institute of Cancer Research (ICR) or Royal Marsden (RM) depending on the particular project.<\/p>\n\n\n\n

For projects domiciled with ICR, data are stored on ICR-owned equipment at the VIRTUS LONDON4 data centre in Slough<\/a>. LONDON4 is the home of the Jisc Shared Data Centre, comprising of approximately 25 academic and research organisations. This represents some of the UK’s most powerful supercomputers.<\/p>\n\n\n\n

Projects domiciled with RM are hosted on the RM’s Azure Cloud tenancy, with data stored only in the UK. A generalised Data Protection Impact Assessment for the use of XNAT has been approved and signed off by RM and a detailed risk assessment was undertaken as part of this.  <\/p>\n\n\n\n

What physical security measures are in place to protect hardware used to store data?<\/summary>\n

The LONDON4 site is highly secure. VIRTUS operates a ‘defence-in-depth’ approach to security. With a dedicated on-site security team 24\/7, protecting IT infrastructure is VIRTUS\u2019 highest priority.<\/p>\n\n\n\n

Microsoft provides similar guarantees regarding the physical layer that provides its UK cloud infrastructure. <\/p>\n<\/details>\n<\/details>\n\n\n\n

What servers do your systems run on? <\/summary>\n

Our current systems are Ubuntu 20.04 LTS VM servers.<\/p>\n\n\n\n

For projects stored in ICR’s jurisdiction, VMs run under a vSphere hypervisor on a resilient three-node physical cluster, and built from a hardened template supplied by IT security professionals in The Institute of Cancer Research, based on the CIS Ubuntu Linux Benchmark 1.0.0. The hardware infrastructure for the servers is located within Jisc shared data centre (part of the secure Virtus LONDON 4 data centre, physically located in Slough). Physical access procedures are tightly controlled. Topologically, all systems lie completely within the ICR’s internal network (i.e., not exposed in the DMZ) and, hence behind the ICR’s main firewall. Risk is minimised by opening only those ports that are strictly necessary for operation of the system, currently, those dedicated to the HTTPS and DICOM protocols.<\/p>\n\n\n\n

For projects stored within RM, our Azure servers are managed by the RM’s partner infrastructure company Agilisys<\/a>. The XNAT Team has hardened the VMs according to the same high standards as within the ICR on-premises estate and the XNAT Team also provides day-to-day management of applications on these servers.<\/p>\n\n\n\n

There are no end-user logins and no opportunity for end users to write data to the system other than via the XNAT application. The systems run no “end-user applications” (e.g., word processing, email clients, web browsers, etc.) so that even system administrators have little possibility to inadvertently access malware.<\/p>\n<\/details>\n\n\n\n

How do you ensure that the systems are updated? <\/summary>\n

For servers in ICR’s jurisdiction, the update system is managed by ICR Digital Services. Security patches are applied within days of becoming available. Other package updates are flagged and applied by the XNAT Team at the next suitable downtime period. <\/p>\n\n\n\n

For servers in RM’s Azure subscription, security updates and patches are applied in a timely fashion by Agilisys<\/a>, the RM’s cloud infrastructure technical partner. Other package updates are applied at the next convenient opportunity by the XNAT Team. <\/p>\n<\/details>\n\n\n\n

What security measures are in place to protect our data? (AV\/endpoint protection, Firewall, hard drive encryption standards, etc.)<\/summary>\n

For ICR servers, protection is provided via Crowdstrike Falcon endpoint protection and the main ICR firewall, with restrictive rules allowing access for external users only via ICR web proxy (HTTPS traffic) or main firewall (traffic via the DICOM protocol).<\/p>\n\n\n\n

RM servers are protected by an extremely restrictive firewall that allows access only to a small number of whitelisted external sites.<\/p>\n<\/details>\n\n\n\n

Do you encrypt data at rest? <\/summary>\n

No. Given the previously described measures taken to protect the physical hardware, this is not necessary. <\/p>\n\n\n\n

<\/p>\n<\/details>\n\n\n\n

How will you transfer the data? (transfer solutions, encryption standards, etc.)<\/summary>\n

Transfer will take place via the HTTPS protocol encrypted using the TLS1.2 standard. <\/p>\n<\/details>\n\n\n\n

What are the access control measures? (2FA, minimum password requirements, VPN, IP whitelisting, etc.)<\/summary>\n

Access to the XNAT servers on which data are stored is controlled via either the ICR or RM (as appropriate) network username, password and 2FA provision, and is available only to a handful of sysadmins. Access to the XNAT webapp is protected as follows:<\/p>\n\n\n\n