Hi

Hope you are well. I work for NHS England and I have been asked to conduct a 
security review of R. I am unable to locate information around the security 
posture of R. Would someone please be able to direct me to the correct page or, 
alternatively, answer the questions below:


  *   When was the application last updated?
  *   How often is it updated?
  *   Is there any guidance that is followed, such as the OWASP Application 
Security Verification Standard?
  *   Do you conform with a recognised security standard? (e.g., SOC1/2/3, 
ISO27001)
  *   Do you have an Information Security Policy with supporting Standards and 
Procedures? Please provide details (or provide a copy of the policy).
  *   Do you have formal change control and release management processes to 
manage code changes? Please provide details (or provide a copy of the 
documented process).
  *   Is the source code stored anywhere? If so, where is it, and is it secure?
  *   Do you follow secure development processes? How is this achieved?
  *   Are there any common vulnerabilities?
  *   Is there a reporting process for reporting vulnerabilities and 
remediation processes? Please provide details/a copy of the documented process
  *   Do you undertake audits or other reviews to ensure that security controls 
are being implemented and operating effectively? How is this done? Can you 
provide details of this?
  *   Do you undertake regular penetration testing (or similar technical 
security testing, code review or vulnerability assessment); and are you able to 
provide a summary of results/findings?
  *   Do your employees (e.g., developers or system administrators) have access 
to customer data? How is this access controlled and monitored?
  *   Are all personnel required to sign Non-Disclosure Agreement (NDA) or 
Confidentiality Agreements (CA) as a condition of employment to protect 
customer information?
  *   Do you have Business Continuity and/or Disaster Recovery Plans? If Yes, 
please provide details including backup and redundancy mechanisms.
  *   Is there a dedicated security team?
  *   Is there a contact for security issues?
  *   Is there a vulnerability disclosure program?
  *   Is there a bug bounty program?
  *   Does R require third party authorization/connections?
Thank you

Regards

Ayesha Majid
Cyber Security Advisor | Cyber Operations
Transformation Directorate
NHS England

Mobile: 07842323170
Email: ayesha.ma...@nhs.net

Website: www.england.nhs.uk
NHS England and NHS Digital have merged. Learn more 
<https://digital.nhs.uk/about-nhs-digital/nhs-digital-merger-with-nhs-england>

Address: Head Office, 5th Floor, 7 & 8 Wellington Place, Leeds, West Yorkshire, 
LS1 4AP

Pronouns: she/her

This email is intended only for use by the named addressee. It may contain 
confidential and/or privileged information. If you are not the intended 
recipient, you should contact us immediately and should not disclose, use or 
rely on this email. We do not accept any liability arising from a third party 
taking action, or refraining from taking action, on the basis of information 
contained in this email. Thank you.


______________________________________________
R-help@r-project.org mailing list -- To UNSUBSCRIBE and more, see
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.