Training for Information Asset Owners [IAO]
North Dorset District Council
T: +44(0)1344 636388 - T: +44(0)1344 626033 - E: info@dilysjones.co.uk - www.dilysjones.co.uk
©2013 Dilys Jones Associates Ltd • www.dilysjones.co.uk

Information Security Framework

Half day Information Asset Owners (9:30 – 12:30)
• Introduction and Welcome
• Background to Information Assurance, the SIRO and the IAO
• Role and Responsibilities of Information Asset Owners (IAOs)
• Definitions and Terminology
• Key relationships and responsibilities
• Information Asset Administrators
• Examples of cases of information misuse, risk and losses
• Information Security: why do we need it? How? ISO 27001; legal, technical and human aspects
• Records Management
• Business Continuity Planning
• Cases and Discussion

Half day Information Asset Owners (9:30 – 12:30) continued
• Information Security Management System: what is an ISMS; definitions and terminology; information assets; risks and threats; completing an Information Log or Register; scenarios; risk treatments / PDCA / Statement of Applicability
• Associated issues: Forensic Readiness; Data Mapping; Privacy Impact Assessments
• Cases and Discussion

Objectives and Learning Outcomes
• To understand the role of the Senior Information Risk Owner [SIRO], Information Asset Owner [IAO] and Information Asset Administrator [IAA]
• To review the strategic aspects of supporting the SIRO in relation to information risk assessment, implementation of the ISMS and supervision of the IAAs
• To review Information Asset Registers
• To review local processes and systems
• To be able to identify assets, log them and risk assess them for their areas, and report to the SIRO
• To plan for business continuity and associated processes in support of the IAO, the SIRO and the organisation

Initial Introduction to Terminology
• SIRO = Senior Information Risk Owner (responsible at Board/Executive Group level for information risk)
• IA = Information Asset. Information assets come in many shapes and forms related to information systems or business processes, e.g. databases and data files; paper records and reports; system software; PCs, laptops, PDAs; removable media; contracts; business continuity plans; people's skills and experience
• IAO = Information Asset Owner [senior managers]: a senior member of staff who is the nominated owner for one or more assets, by virtue of managerial position
• IAA = Information Asset Administrator [currently Information Custodians]: provides support to their IAO in their role

Components of the IG Framework; there are risks in relation to each area
• Data Protection & Confidentiality [personal data breaches; up to £500,000 fine / enforcement action / undertakings]
• Freedom of Information and EIR [Decision Notices / fines / imprisonment of CEO or equivalent]
• Information Security [personal data breaches etc. / loss of corporate information]
• Information and Records Management [information 'lost' / time taken to find lost information = 10% of time / loss of business efficiency]
• Information Governance Management [lack of consistency leads to poor co-ordination; lack of training leads to all of the above]
• Information Quality Management [incidents which should never have happened / poor data leads to poor planning and research / other mistakes]

What sort of information are we talking about?
• Staff information
• Client and user information
• Corporate information

NHS and Social Care Information
• Formats: paper; electronic
• Different media: e.g. computer, iPad, 'phone, USB stick
• Many purposes: direct care; employing staff, training; secondary purposes e.g. commissioning, research

Information Governance/Assurance Frameworks
• Information Governance Toolkit, Social Care Delivery and Local Authority: https://www.igt.hscic.gov.uk/
• Business Partner Toolkit for private sector and third sector organisations contracting with the NHS: https://www.igt.hscic.gov.uk/
• Other organisations required to carry out the IGT: Trusts; Qualified Providers, clinical and non-clinical; Public Health; dental, GP and many others
• OFFERS OPPORTUNITY FOR CREATING LEVEL PLAYING FIELD ACROSS ORGANISATIONS

The challenges: many changes and much more interactive working with e.g. health, housing associations
• Change
• Current financial climate
• IG review led by Dame Fiona Caldicott: government's formal response September 12th 2013
• Requirements for Information Assurance ↑
• New technology e.g. RFID chips
• Need to assure RBAC, pseudonymisation etc.
• Reputational and financial risk
• More fines for data losses
• Crime

Memorandum of Understanding
• Health and Social Care Information Centre, Department of Health, Care Quality Commission: developing a Memorandum of Understanding with the Information Commissioner's Office re sharing intelligence on data breaches
• See also the new Tool for Reporting Data Breaches
• If you are a Council which works with health and/or which has adult social care data, you must do the IGT and report data breaches at level 2 and above

Corporate Governance Issues
[Diagram: Governance, made up of Information Governance and Financial Governance (£)]

KEY ISSUES FOR SIROs
• O'Donnell Review
• SIRO/IAO/IAA Framework
• Information Security Management System
• Compliance
• Contract Clauses
• Privacy Impact Assessment
• Secure Disposal of Equipment
• Penetration testing and Audit Trails
• Information Risk Policy
• Policies with Encryption and Mandatory Training

Legal Framework
• Data Protection Act 1998
• Freedom of Information Act 2000
• Environmental Information Regulations 2004
• Human Rights Act 1998
• Computer Misuse Act 1990
• ... and approximately 70 other pieces!

Cost of the worst data breach: Price Waterhouse Coopers
[Chart]

ICO Data Incidents
[Chart]

Numbers of Cases
[Chart]

SIRO/IAO/IAA Framework
[Organisation chart: Chief Executive; Board Level/Executive Group; Senior Information Risk Owner; advisory to the SIRO: Caldicott Guardian, IG Manager, IT and IS, FOI/DPA/EIR, Records Manager; Information Asset Owners; Information Asset Administrators; USERS]

The Senior Information Risk Owner (SIRO)
The SIRO has to:
• take ownership of the organisation's information risk policy;
• act as advocate for information risk on the Board and provide written advice to the accounting officer on the content of their Statement of Internal Control in regard to information risk.

The Senior Information Risk Owner: Key Responsibilities
• Policy and process
• Incident Management
• Leadership
• Own Training
• See Information Asset Policy

What are Information Assets?
• Information: databases, data files, contracts and agreements, system documentation, research information, user manuals, training materials, operational/support procedures, business continuity plans, back-up plans, audit trails, archived information
• Software assets
• Physical assets: computer equipment, communication equipment, removable media, other equipment
• Services
• People: qualifications, skills, experience
• Other: e.g. reputation, credibility of the organisation

The Responsibilities of the SIRO/IAO/IAA
[Cycle diagram: Identify Information Assets → Carry out risk assessment → Identify and mitigate risk → Audit; includes Business Continuity and DFM]

IAO
The IAO is expected to understand the overall business goals of the organisation and how the information assets they own contribute to and affect these goals. The IAO will therefore document, understand and monitor:
• what information assets are held, and for what purposes;
• how information is created, amended or added to over time;
• who has access to the information and why.
The IAO shall receive training as necessary to ensure they remain effective in their role as an Information Asset Owner.

Information Asset Owner
• IAOs will work closely with any other IAOs of the organisation to ensure there is comprehensive asset ownership and a clear understanding of responsibilities and accountabilities.
• This is especially important where information assets are shared by multiple parts of the organisation.
• IAOs will support the organisation's SIRO in their overall information risk management function as defined in the organisation's policy.

Information Asset Owner
• Manage incidents
• Ensure policy and procedures are implemented properly
• Associated business processes
• Leadership role
• Personal development
• Working with other IAOs, IAAs and other key figures

Information Asset Owner
• The Information Asset Owner (IAO) will be a senior member of staff who is the nominated owner for one or more identified information assets of the organisation.
• It is a core IG objective that all information assets of the organisation are identified and that the business importance of those assets is established.
• There may be several IAOs within an organisation, whose departmental roles may differ.

Information Asset Administrators [see IAO policy]
[Diagram: the Information Asset Administrator recognises potential or actual security incidents; ensures policies and procedures are followed; ensures Information Asset Registers are up to date; consults the IAO on incident management]

Some of the focus for the SIRO/IAO/IAA
[Layered diagram: ICO / Crime / £ / Law / Reputation; perimeter security, receptionist, locks, firewalls; policies, procedures, systems, risk assessment; locums, temps, staff members, volunteers, contractors: how they manage the organisation's information]

Key relationships for IAOs
Within the organisation:
• SIRO
• Corporate Services
• IG Lead
• Risk Managers
• Information Security Manager
• Other Information Asset Owners
• Records Manager
• Caldicott Guardian (for assets that process patient data)
• Users of the information assets they own
• Information Asset Administrators
May have contact with:
• Other NHS organisations and external business partners

Information Asset Administrators (IAA)
• Information Asset Administrators ensure that policies and procedures are followed
• Recognise actual or potential security incidents
• Consult their IAO on incident management
• Ensure that information asset registers are accurate and up to date

Roles: IAA Tasks
• Maintenance of Information Asset Registers;
• Ensuring compliance with data sharing agreements within the local area;
• Ensuring information handling procedures are fit for purpose and are properly applied;
• Under the direction of their IAO, ensuring that personal information is not unlawfully exploited;
• Recognising new information handling requirements (e.g. a new type of information arises) and ensuring that the relevant IAO is consulted over appropriate procedures;
• Recognising potential or actual security incidents and consulting the IAO;
• Reporting to the relevant IAO on the current state of local information handling;
• Ensuring that local information handling constraints (e.g. limits on who can have access to the assets) are applied, referring any difficulties to the relevant IAO;
• Acting as first port of call for local managers and staff seeking advice on the handling of information;
• Under the direction of their IAO, ensuring that information is securely destroyed when there is no further requirement for it.

Blagging
[Image]

Paper to electronic to paper ...!
Need to help employees remember passwords safely: controls have to support work as well as provide security.

Belvoir Park Hospital, from the Urban Explorers UK website: http://www.28dayslater.co.uk/forums/showthread.php/50910-BelvoirHospital-Belfast-June-2010

Impact of Organisation Change on Information Assurance
• HMRC: things can go wrong more often during periods of change; two organisations were merging when they lost the 2 CDs
• Records management: Belfast Health and Social Care Trust case; happened as six Trusts merged into Belfast H&SCT
• March 2010: the Trust was informed that trespassers had gained access to the Belvoir Park site [disused]
• Photos of patient records were taken and posted online
• The Trust inspected the site; a large quantity of patient and staff records was discovered, going back to the 1950s
• The Trust improved security of the site, but the Irish News reported that it was still possible to access the site without authorisation
• A full inspection revealed further records, many of which were being retained in breach of the Trust's 'Records Retention and Disposal' policy
• Included 100,000 paper medical records, x-rays, microfiche records
• 15,000 staff records

Impact of Organisation Change on Information Assurance (continued)
• Fined £225,000
• Pictures still on the website
• Need to "keep an eye on the knitting" during change
• Records management: good guidance from TNA and DH
 - Dissolution of Public Bodies - click here
 - Privatisation of Public Bodies - click here
 - Records Management Code of Practice Parts 1 & 2: the Code Parts 1 and 2 set out how we should manage records, including patient records
 - CfH Checklist

Information Security
"Preservation of confidentiality, integrity and availability; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved" (ISO 27001)

Why do we need a system for managing Information Security?
• Provides a comprehensive and coherent approach to identifying the information assets of the organisation.
• Enables any threats to information assets to be calculated and managed.
• Enables appropriate protective measures to be put in place.
• Ensures the business of the organisation continues to function.

Threat
• Threat: a potential cause of an unwanted incident, which may result in harm to a system or organisation
Some threats
• Deliberate actions by people
 - inside (employee downloads PID database and sells it to criminals who advertise on South American websites)
 - outside (hacking into IT system and stealing information)
• Accidental actions by people
 - inside (spills coffee on a computer keyboard or laptop; mis-faxing; muddling up papers at the printer)
 - outside (builder drills through cable)
• System problems e.g. software, hardware (server breaks down)
• Other events (e.g. power cuts, fire etc.)

Threat and Risk
Note the Dry Cleaners Association research showed 17,000 USB sticks found in clothes' pockets brought in for cleaning last year.

Estimating risk
• Risk is defined as "the product of the amount that may be lost (the impact) and the probability of losing it (the likelihood)"

RISK MATRIX (risk = impact × likelihood)
Impact \ Likelihood    Rare-1   Unlikely-2   Possible-3   Likely-4   Certainty-5
Negligible-1             1          2            3           4           5
Minor-2                  2          4            6           8          10
Moderate-3               3          6            9          12          15
Major-4                  4          8           12          16          20
Catastrophic-5           5         10           15          20          25
Bands: LOW (1-7)   MEDIUM (8-14)   HIGH (15-25)

Control
• Means of managing risk, including policies, procedures, guidelines, practices or organisational structures, which can be of administrative, technical, management or legal nature (ISO 27001)

Worked Example: Unencrypted laptop with >50,000 data sets (PID)
• Threat: loss or theft
• Potential impact: serious reputation loss; data loss
• Impact: Major (4)
• Likelihood: Likely (4)
• Risk: HIGH (16)
• Initial thoughts: need to encrypt laptops; train staff; needs audit
• Controls in place: password protection
• Action: encrypt (identify costs); identify training needs; conduct audit
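The risk matrix and the laptop worked example above, carried through in code as an added illustration (this is not part of the course materials). The likelihood and impact scales, the LOW/MEDIUM/HIGH bands and the register columns are taken from the slides; the RegisterEntry field names, the residual_risk helper and the assumption that encryption lowers the impact of a lost laptop to Minor while leaving the likelihood unchanged are mine, for illustration only.

```python
"""Risk matrix scoring and a register row for the laptop worked example.

Added illustration, not the course's own material. Scales, bands and the
register columns follow the slides; the residual-risk figure is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

# Scales exactly as on the RISK MATRIX slide.
LIKELIHOOD: Dict[str, int] = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Certainty": 5}
IMPACT: Dict[str, int] = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Bands as on the slide: LOW 1-7, MEDIUM 8-14, HIGH 15-25.
BANDS: List[Tuple[int, int, str]] = [(1, 7, "LOW"), (8, 14, "MEDIUM"), (15, 25, "HIGH")]

Rating = Union[str, int]


def _scale_value(scale: Dict[str, int], rating: Rating, name: str) -> int:
    """Accept either a label ('Major') or its number (4) and validate the 1-5 range."""
    value = scale.get(rating, rating) if isinstance(rating, str) else rating
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be one of {list(scale)} or 1-5, got {rating!r}")
    return value


def risk_score(impact: Rating, likelihood: Rating) -> int:
    """Risk = impact x likelihood, the definition on the 'Estimating risk' slide."""
    return _scale_value(IMPACT, impact, "impact") * _scale_value(LIKELIHOOD, likelihood, "likelihood")


def risk_band(score: int) -> str:
    """Map a 1-25 score onto LOW / MEDIUM / HIGH."""
    for low, high, band in BANDS:
        if low <= score <= high:
            return band
    raise ValueError(f"score {score} is outside the 1-25 matrix")


def risk_matrix() -> Dict[Tuple[str, str], int]:
    """Rebuild the 5x5 grid (impact row, likelihood column) for checking against the slide."""
    return {(imp, lik): risk_score(imp, lik) for imp in IMPACT for lik in LIKELIHOOD}


@dataclass
class RegisterEntry:
    """One row of an information asset risk register, using the worked example's columns."""
    asset: str
    threat: str
    potential_impact: str
    impact: str
    likelihood: str
    controls_in_place: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)

    def score(self) -> int:
        return risk_score(self.impact, self.likelihood)

    def band(self) -> str:
        return risk_band(self.score())

    def summary(self) -> str:
        return f"{self.asset} | {self.threat} | {self.impact} x {self.likelihood} = {self.band()} ({self.score()})"


# The worked example from the slide, entered as a register row.
LAPTOP = RegisterEntry(
    asset="Unencrypted laptop with >50,000 data sets (PID)",
    threat="Loss or theft",
    potential_impact="Serious reputation loss; data loss",
    impact="Major",
    likelihood="Likely",
    controls_in_place=["Password protection"],
    actions=["Encrypt (identify costs)", "Identify training needs", "Conduct audit"],
)


def residual_risk(entry: RegisterEntry, impact_after: Rating,
                  likelihood_after: Optional[Rating] = None) -> Tuple[int, str]:
    """Re-score an entry after a treatment; likelihood defaults to unchanged.

    Assumption for illustration (not from the slide): encrypting the laptop does not
    stop it being lost, so likelihood stays at Likely (4), but the data is no longer
    readable, so the impact falls; the caller supplies the new impact rating.
    """
    lik = entry.likelihood if likelihood_after is None else likelihood_after
    score = risk_score(impact_after, lik)
    return score, risk_band(score)


if __name__ == "__main__":
    print(LAPTOP.summary())
    print("after encryption (impact assumed Minor):", residual_risk(LAPTOP, "Minor"))
```

The point of scoring before and after treatment is that the register shows whether the chosen action actually moves the asset out of the HIGH band; a password alone does not change either factor, which is why the slide lists encryption as the action rather than as a control already in place.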
The Clinical Recording System
[Diagram: Server, Database, Hard copy, Printer, PC, PC]

Statement of Applicability
• Identifies the chosen security controls
• Justifies where controls are not selected
• States why controls not chosen are not relevant
• Relates the selection of controls, and the reason for selection, back to the risk treatment plan
• In practice, there is a link between the selection of controls and statements in the ISMS policy
• Bridge between general policy and the detailed procedures supporting policy
• Details control objectives and the controls selected to achieve those objectives and manage the risks identified
• Provides a road map for audit
• Training aid for certain staff

Information Security: ISMS
[Diagram]

Implementing the audit cycle
[Diagram]

Information Security Management System (ISMS)
The ISMS includes: policies, procedures, structures e.g. IG Committee, measures, controls, training, awareness raising, audit, risk assessment, business continuity; everything that is included in the safe and secure management of information.
Organisations should do the following:
a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organisation, its location, assets and technology, including details of and justification for any exclusions from the scope
b) Define an ISMS policy in terms of the characteristics of the business, the organisation, its location, assets and technology that:
 1) includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security;

Information Security Management System (ISMS) - 2
 2) takes into account business and legal or regulatory requirements, and contractual security obligations;
 3) aligns with the organisation's strategic risk management context in which the establishment and maintenance of the ISMS will take place;
 4) establishes criteria against which risk will be evaluated; and
 5) has been approved by management.
Development should normally be iterative, over time, and reviewed regularly.

Data Flow Mapping
1. What person identifiable data goes out of your area?
 - What is the data? What is the purpose of the transfer? Is it bulk data? Is it sensitive data?
2. Where does it go to?
 - Which location is it going to? Which organisation / person is it going to? Destination description (optional)
3. How?
 - By email? By fax? By post? By text message?

Data Flow Mapping (continued)
If email: Is data emailed to and from NHSmail? Do you confirm the email address before sending? Do you request a receipt of the email? Do you encrypt data by the recommended method?
If fax: Do you phone the fax recipient in advance of sending the fax? Is a cover sheet used? Do you receive confirmation of the fax? Is data faxed to a safe haven?
If post: Is data sent on removable media? Is data encrypted by the recommended method? Is data sent by courier or registered post? Is receipt of post confirmed? Is data sent in a tamper-proof wallet? Is data sent to a safe haven?

[Diagram: Connecting for Health Information Mapping Project, an example data flow map for a London Consortium sexual health / HIV service. It groups flows as within BLT, outside BLT and outside scope, marks risk areas, and shows transfers by fax, post, email, text message and by hand between the service and GPs, other hospitals, the Health Protection Agency, lawyers, police, social services, a hospice, the research department, the PCT, pathology, A&E, community outreach workers, The Haven (Sexual Assault Referral Centre), a shared drive, a satellite library and doctors' home email accounts.]

PRIVACY IMPACT ASSESSMENT
• Two stage process
• 1st stage: what are we planning; what has been done before in this area; which groups are going to be affected? Then review the screening questions
• 2nd stage: consult with the affected groups
 - collect views
 - see if the project can be amended to embrace those views
 - write up your findings and publish the paper
 - audit the project to ensure that your findings have been taken into account in the project

Privacy Impact Assessment
Screening the proposed project or policy for any privacy issues, e.g.:
- New, additional technologies?
- Does it affect many people?
- Does it affect a lot of information about each person?
- Are you using new identifiers?
- Does it involve more than one agency?

Privacy Impact Assessment
• New approach to be added to the process for establishing new projects
• See: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/pia_final.pdf

Forensic Readiness
• Policy
• Access to expert advice
• ACPO guidance

Implementation: what you need to do
• Action plans
• Working in the Accountability Framework
• Follow-up to today; what you must do next

Dilys Jones Associates Ltd
• Consultancy and Learning Tools
• Information Governance Training:
 - Freedom of Information
 - Confidentiality and Data Protection
 - Information Security
 - Records and Information Management
 - Data Flow Mapping
 - Privacy Impact Assessments
 - Senior Information Risk Officer
 - Caldicott Guardian
The Knowledge Leader in Information Governance
www.dilysjones.co.uk