DSPT 2024-25 live: New question on Multi-Factor Authentication 

September 3rd 2024

The Data Security and Protection Toolkit (DSPT) for 2024-25 is now live and ready to use. There’s one new mandatory question on multi-factor authentication which providers need to answer to reach Standards Met. 

Every year, the DSPT – the self-assessment tool on data protection and cyber security – is reviewed and updated to ensure it covers the issues that are essential to protecting information. 

The DSPT for 2024-25 is now live. If you’ve already added information to the toolkit, don’t worry, all the data you entered will still be held within the updated one. 

If you’re updating and republishing your DSPT you will be prompted to answer an additional mandatory question on multi-factory authentication (MFA). 

If you’re publishing for the first time and want to get to Standards Met – which is what you should aim for, you’ll need to answer this new question on MFA as well. 

What is MFA and why is it important? 

MFA is a security measure that adds an extra layer of protection to your online accounts by requiring more than just a password to log in. This could involve receiving a text message or email with a code, using a fingerprint scan, or employing an authenticator app. You’ve likely already encountered MFA when using online banking or logging into social media accounts. 

The goal of MFA is to ensure that only authorised users can access sensitive systems, such as your digital social care record or any cloud-based services. By implementing MFA, organisations can significantly reduce the risk of data breaches and keep their information secure. 

It’s going to become increasingly important, so care providers need to get arrangements in place. 

What’s in the DSPT about MFA? 

The new question – which is mandatory to reach Standards Met or Standards Exceeded – asks you to confirm that:

4.5.3 Multi-factor authentication is enforced on all remotely accessible user accounts on all systems, with exceptions only as approved by your board or equivalent senior management.

We’ve written a short guide to help you to consider this question and implement MFA. It includes four key steps: 

1. Review your current systems: What is accessible from the internet and can you implement MFA to those systems?
2. Identify potential issues: What challenges might arise with the implementation of MFA? Are there specific systems where MFA may not be appropriate? 
3. Balance security and usability: Enhancing security is important but could adding too many layers of authentication lead to problematic workarounds?  How sensitive is the data held in those systems and what level of risk are you willing and able to take?
4. Document exceptions: If you decide not to implement MFA on certain systems, this decision must be taken at senior level and documented, including a clear rationale. 

For more information and detailed guidance on implementing MFA, see our guide here. 

If you’ve got any questions, contact our helpline, or a local support organisation.

Login to the DSPT 2024-25 here.