Submit new IT Health Check (ITHC) or penetration test
Overview
Purpose
To security test the integrated service provider (ISP) or third party’s connection to the ecosystem, expose any security vulnerabilities and review plans to mitigate identified issues.
Who completes this step?
security lead
Read the full list of roles and responsibilities.
When you need to carry out an ITHC
You need to conduct an ITHC or penetration test:
- annually, 12 months after the previous test
- whenever the PDP security authority (PDPSA) asks for one (as per CoCo 1.2.7)
PDP will give you 3 months’ notice of your deadline to carry out a new ITHC. You will receive this notice by email. You must submit the results within 28 calendar days of this deadline. The ITHC must comply with the PDP code of connection to maintain security and integrity of the ecosystem.
You need to engage a CHECK- or CREST-accredited supplier to conduct an IT Health Check or penetration test.
What you need to do in this step
1. In the connection portal, under ‘Home’, click on ‘Request IT health check’.
Previous IT Health Check results
2. You will see the results of your previous submission. If you have remediated all medium, high and critical findings, select ‘Yes’. Otherwise, select ‘No’. You will need to explain why these findings have not been remediated.
New IT Health Check
3. Enter details of your ITHC or penetration test provider as it appears with CHECK or CREST.
4. Enter ITHC results.
5. Provide the date of your next ITHC and confirm whether you have remediation plans in place.
- If you select ‘Yes’, you will need to confirm these remediation plans for medium, high and critical findings and the security policies you have in place.
- If you select ‘No’, you will need to confirm the security policies you have in place.
6. You can add an email address for receiving security notifications, if you did not previously provide one, or edit or remove a previous email address if you did.
7. Check your answers before submitting the ITHC. You can change your answers on this page.
You will not be able to change your answers once you have submitted your ITHC.
What happens next
PDP will email you, the security lead, to confirm that we have received your submission. PDP will review your submission within 5 working days. If you do not hear back within 5 working days, contact support.
You can check the progress of your submission in the connection portal, under ‘Home’.
You will be invited to a meeting with the PDP Security Authority (PDPSA). This is where you will present your ITHC and any associated remediation plans. The invitation will tell you who needs to attend, but you will find it helpful to include the person responsible for your information security management.
Preparing for your meeting with the PDPSA
You need to prepare:
- a summary table containing:
  - all of the ITHC or penetration test findings
  - the CVSS score of each finding
  - the remediation plan, which must cover medium, high and critical findings, its owner and the expected remediation date
- documents or diagrams that explain the scope of your ITHC or penetration test, including descriptions of systems and assets in scope, such as network diagrams, data flows and an asset list
- the latest ITHC or penetration test document, so that all submitted findings can be discussed
- a remediation plan to address any critical, high and medium issues – these must have owners and completion dates
- your incident management policy (security), which covers how you would escalate relevant incidents to the PDPSA
- your protective monitoring policy and security operations procedures for monitoring the systems and assets in scope, such as a list of the assets being monitored and a Security Information and Event Management (SIEM) / Security Operations Centre (SOC) screenshot
- any relevant security certifications, such as ISO 27001 or Cyber Essentials
- any other documents that help with your submission
You should include a summary of these items in a PowerPoint presentation or other suitable format, although the PDPSA may request to see any original documents/evidence during the meeting.
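As an added example (not part of the PDP guidance or any PDP tooling), the following Python script builds the summary table described above and flags any medium, high or critical finding that has no remediation owner or expected date. The CVSS v3.x qualitative severity bands are assumed, and the findings are constructed for illustration.

```python
# Added example: build the ITHC findings summary table and check that every
# medium, high and critical finding has a remediation owner and expected date.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Finding:
    ref: str
    title: str
    cvss: float                  # CVSS v3.x base score, 0.0 to 10.0
    owner: Optional[str] = None  # remediation owner, if a plan exists
    due: Optional[date] = None   # expected remediation date, if a plan exists

def severity(cvss: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating (assumed bands)."""
    if cvss == 0.0:
        return "none"
    if cvss < 4.0:
        return "low"
    if cvss < 7.0:
        return "medium"
    if cvss < 9.0:
        return "high"
    return "critical"

def plan_required(f: Finding) -> bool:
    """The PDPSA expects a remediation plan for medium, high and critical findings."""
    return severity(f.cvss) in ("medium", "high", "critical")

def summary_table(findings: List[Finding]) -> List[Tuple]:
    """One row per finding: ref, CVSS score, severity, owner, expected remediation date."""
    return [(f.ref, f.cvss, severity(f.cvss), f.owner, f.due) for f in findings]

def missing_plans(findings: List[Finding]) -> List[str]:
    """Refs of findings that need a plan but lack an owner or a date."""
    return [f.ref for f in findings
            if plan_required(f) and (f.owner is None or f.due is None)]

# Constructed sample findings (hypothetical, for illustration only).
SAMPLE = [
    Finding("F-01", "Legacy TLS version enabled on API gateway", 7.5, "Platform lead", date(2025, 3, 31)),
    Finding("F-02", "Verbose server banner", 3.1),
    Finding("F-03", "Missing rate limiting on login endpoint", 5.3, "App team"),  # no date set
    Finding("F-04", "Outdated dependency with a published vulnerability", 9.8, "App team", date(2025, 2, 14)),
]

if __name__ == "__main__":
    for row in summary_table(SAMPLE):
        print(row)
    print("Findings still needing an owner and date:", missing_plans(SAMPLE))
```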
Meeting agenda
The meeting agenda will comprise:
- list of attendees
- introductions
- purpose of the meeting:
  - the scope of the ITHC / penetration tests
  - the previous ITHC / penetration testing report with all findings
  - the new ITHC / penetration testing report with all findings
  - the remediation plan for critical, high and medium findings
  - security incident management plan
  - protective monitoring policy / security operations procedures relevant to the systems and assets in scope
- any other business
- next steps:
  - internal PDPSA review
  - decision to approve or reject by the Money and Pensions Service
  - feedback on approval or rejection decisions
The meeting should not last longer than 2 hours.
Next steps
You will be notified of the outcome by email. This should be within 2 weeks.
If your submission is approved, you and the primary business contact will be notified.
If your submission is rejected, the PDPSA will notify you, give the reasons for rejection and set out the next steps. You should follow their recommendations and then resubmit. Reasons for rejection include, but are not limited to:
- a component in scope that has not been tested, or that needs retesting
- no remediation plans, with owners and timelines for fixes, for critical, high and medium findings
- having no protective monitoring policy in place
- having no incident management policy in place
Support
Find answers to common queries about pensions dashboards, give feedback or get technical support.