ISB 1596 Secure Email Specification

Title: ISB 1596 Secure Email Specification
Document ID: ISB 1596 Amd 34/2012
Director: Mark Reynolds
Status: Draft
Owner: Jon Calpin
Version: 0.4
Author: Mark Reynolds
Version Date: 25/11/2013

© Open Government Licence 2013

Amendment History:
  Version  Date        Amendment
  0.2      09/09/2013
  0.3      11/11/2013  Incorporates comments from ISB quality checks.
  0.4      25/11/2013  Incorporates comments from ISB quality checks.

Approvals:
  Name: Dr Simon Eccles; Title / Responsibility: SRO – NHSmail 2; Date: 25/11/2013; Version: 0.4

Glossary of Terms:
  Business Impact Level (B-IL): A B-IL is a level from 1 to 6 that indicates the security risk of an IT system. It is defined by CESG guidance.
  CESG: CESG protects the vital interests of the UK by providing policy and assistance on the security of communications and electronic data, working in partnership with industry and academia. It is the UK Government's National Technical Authority for Information Assurance (IA).
  CESG Listed Adviser Scheme (CLAS)
  Department of Health (DH)
  Health & Social Care Information Centre (HSCIC)
  Information Commissioner's Office (ICO): The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  Information Security Management System (ISMS): An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The idiom arose primarily out of BS 7799. The governing principle behind an ISMS is that an organisation should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
Contents
1 Overview
  1.1 Summary
  1.2 Controlled Documents
  1.3 Guidance
  1.4 Related Standards
2 Introduction
  2.1 Purpose
  2.2 Scope
  2.3 Customer Need
3 Health and Care Organisations
  3.1 Overview
  3.2 Requirements
  3.3 Conformance
4 IT Systems Suppliers
  4.1 Overview
  4.2 Requirements
  4.3 Conformance
5 Technical Guidance
  5.1 Information Security
  5.2 Clinical Safety
  5.3 Interoperability
6 User Guidance
  6.1 Emailing Patients
  6.2 Secure Communications
  6.3 Professional Record-keeping
  6.4 Data Protection & Freedom of Information
  6.5 GP Practice Staff
7 Appendix 1 – Example Risk Log
  7.1 Overview
  7.2 Hazard Log

1 Overview

1.1 Summary

Standard
  Standard Number: ISB 1596
  Title: Secure Email
  Type: Fundamental
  Description: This standard defines the minimum non-functional requirements for a secure email service, covering the storage and transmission of email. This is the basic level for the storage and transmission of patient identifiable data by an email system. It excludes security standards for document archives.
  Applies to: Health, public health and social care organisations. Email service providers.

Release
  Release Number: Amd 34/2012
  Title: Initial Standard
  Implementation Completion Date: 30th June 2016

1.2 Controlled Documents
  Ref no  Title
  A       ISB 1596 Secure Email Baseline Control Set

1.3 Guidance
  Ref no  Title (Version)
  1       Information: To Share Or Not To Share? The Information Governance Review
  2       CIO Council Offshoring Position (1.0)
  3       CESG IS1 Technical Risk Assessment (3.51)
  4       The Good Practice Guidelines for GP electronic patient records (4)
  5       General Medical Council Good Medical Practice (2013)

1.4 Related Standards
  Reference              Title
  ISB 0086               Information Governance Toolkit
  ISB 0160               Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems
  ISB 0129               Clinical Risk Management: its Application in the Manufacture of Health IT Systems
  BS ISO/IEC 27001:2013  Information technology. Security techniques. Information security management systems. Requirements
  BS ISO/IEC 27002:2013  Information technology. Security techniques. Code of practice for information security controls
  IS1                    HMG Impact Assessment Standards including CESG IS1 Technical Risk Assessment

2 Introduction

2.1 Purpose
This standard establishes the minimum requirements for email systems in health, public health and social care. The intention is not to impose significant requirements on organisations but to establish the minimum acceptable level. Where possible the requirements refer to existing health and care, Government and international standards (e.g. BS ISO/IEC 27001; see Related Standards).
2.2 Scope
The standard defines how email systems used for sensitive data (e.g. patient identifiable data) should manage:
- The information security of the email service.
- Transfer of sensitive information over non-secure channels.
- Accessing information from the Internet or mobile devices.
- Exchange of information outside the controlled boundary of the secure email system:
  o to other email systems compliant with this standard.
  o to other email systems not compliant with this standard.

2.3 Customer Need
Health and care email is now a rich source of patient/service user information. There is a clear need to ensure that it is held securely and used appropriately. The power of information: putting all of us in control of the health and care information we need, paragraph 3.51, specifies:

"All e-mail communication about our care must be appropriately secure and protected. Work will continue to improve access to and use of NHSmail within the NHS, and social enterprises and other qualified providers of care services, as part of their commissioning contracts with the NHS, will be given access to a limited number of NHSmail accounts. Similar incentives for social care will be made available that make the process and cost of connecting social care providers, local authorities and other care providers via secure electronic communication easier, cheaper and less bureaucratic."

The standard will ensure that health, public health and adult social care organisations have a recognisable baseline to which they can conform.

3 Health and Care Organisations

3.1 Overview
ISB 0086 Information Governance Toolkit (IGT), as an already approved information standard, provides the strategic assurance tool for use by health and care organisations and other business partners / suppliers.
It has a series of requirements that all health and care organisations must meet, with the information security requirements being particularly applicable. This standard describes how health and care organisations can comply with the IG Toolkit with respect to email services. Of particular note are:

  Num     Description
  10-300  The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation's assessed needs
  10-305  Operating and application information systems (under the organisation's control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems
  10-308  All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers
  10-313  Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely
  10-314  Policy and procedures ensure that mobile computing and teleworking are secure
  10-323  All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures

3.2 Requirements

Information Security
  1  Health and care organisations MUST perform a security risk assessment when procuring an email service or delivering one internally.
  2  Health and care organisations MUST operate their email service to a level appropriate to the security risk assessment, and at minimum to BS ISO/IEC 27001.
  3  Health and care organisations MUST ensure their email service meets the baseline control set specified in Section 5.1 for Personal Data if the service contains patient identifiable or sensitive data.
  4  Health and care organisations SHOULD set policies and procedures for the use of secure email on mobile devices and ensure the email service enforces them.
Safety
  5  Health and care organisations SHOULD comply with the provisions of ISB 0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.

Interoperability
  6  Health and care organisations SHOULD provide updates of their directory information to the NHSmail white pages directory service.
  7  Health and care organisations MUST ensure there are appropriate policies in place for the use of email, including correspondence with insecure email systems, including those used by patients.

3.3 Conformance
Conformance to the security requirements shall be measured by having:
- An auditable information security management system in relation to the email service that conforms to BS ISO/IEC 27001.
- Evidence that the email service has either:
  o Non-Personal Data: a BS ISO/IEC 27001 conformance certificate with the appropriate scope of applicability and baseline control set for the service, or pan-government or government departmental (e.g. Department of Health) accreditation to business impact level (B-IL) 2 or above.
  o Personal Data: pan-government or government departmental (e.g. Department of Health) accreditation to business impact level (B-IL) 3.

Conformance to the clinical safety requirements shall be met as per ISB 0160 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems.

Health and care organisations shall self-certify to the interoperability requirements.

4 IT Systems Suppliers

4.1 Overview
IT systems suppliers need to ensure that their email service meets the needs of health and care, especially when it is used for the transmission of patient identifiable data. Email systems are not normally sector specific (i.e.
just for healthcare), so IT suppliers will normally demonstrate this through adherence to cross-public-sector, UK or international standards.

4.2 Requirements

Information Security
  1  Each Supplier MUST at all times maintain a secure service.
  2  Each Supplier MUST maintain an Information Security Management System (ISMS) that conforms to the BS ISO/IEC 27001:2013 Information Security Management Systems baseline control set and to BS ISO/IEC 27002:2013 Information technology. Security techniques. Code of practice for information security controls. Conformance may be evidenced by appropriate certification.
  3  Each Supplier MUST maintain a security policy which sets out the security measures to be implemented and maintained in accordance with BS ISO/IEC 27001, BS ISO/IEC 27002 and the Information Security Management System. The security policy MUST be reviewed and updated in a timely fashion and will be reviewed on an annual basis.
  4  Each Supplier MUST ensure their email service meets the baseline control set specified in Section 5.1 for Personal Data if the service contains patient identifiable or sensitive data.
  5  Each Supplier MUST conduct tests of the security policy in accordance with the provisions of the Supplier's Security Policy relating to security testing. The tests must be independently audited by either an accredited third party or representatives of the customer.
  6  Either party (Supplier and customer) MUST notify the other immediately upon becoming aware of any breach of security, including an actual, potential or attempted breach of, or threat to, the security policy and/or the security of the services or the systems used to provide the services.
  7  Each Supplier MUST provide protection against malicious content for their services, such as virus checking when onboarding data.
  8  The email service MUST provide anti-virus and anti-spam filtering, in addition to commodity content management such as attachment blocking and data leakage prevention (e.g. encrypting protectively marked email destined for the Internet). The service SHOULD also provide for the management of spoofed/forged email and of items that cannot be checked, such as S/MIME-encrypted or password-protected attachments.
  9  All patient identifiable and sensitive data MUST at all times remain in the UK.
  10 The Supplier MUST ensure that mobile devices are appropriately secured when accessing the email service. This could include:
     - Functions to allow/deny/quarantine by device type, organisation or groups of users.
     - Remove device, expire password, and wipe any data associated with the service.
     - Reporting functions/capabilities.
     - Detect and block rooted (i.e. jailbroken) devices.
  11 Each Supplier SHOULD provide eDiscovery tools to support the administration of the service, especially with respect to the Data Protection Act 1998 and the Freedom of Information Act 2000.

Safety
  12 Suppliers SHOULD comply with the provisions of ISB 0129 Clinical Risk Management: its Application in the Manufacture of Health IT Systems.

Interoperability
  13 Each Supplier SHOULD comply with the open standards policy.
  14 Each Supplier SHOULD interface with the NHSmail white pages directory service and provide regular updates of NHS directory information.

4.3 Conformance
Conformance to the security requirements shall be measured by:
- An independently audited information security management system in relation to the email service. This shall be evidenced by a BS ISO/IEC 27001 conformance certificate for the service with the appropriate scope of applicability. BS ISO/IEC 27001 conformance certificates shall be issued by a body accredited by an appropriate National Authority; in the UK this is the United Kingdom Accreditation Service (UKAS).
- Evidence that the email service has either:
  o Non-Personal Data: a BS ISO/IEC 27001 conformance certificate with the appropriate scope of applicability and baseline control set for the service, or pan-government or government departmental (e.g. DH or HSCIC) accreditation to business impact level (B-IL) 2 or above.
  o Personal Data: pan-government or government departmental (e.g. DH or HSCIC) accreditation to business impact level (B-IL) 3.

Conformance to the clinical safety requirements shall be met as per ISB 0129 Clinical Risk Management: its Application in the Manufacture of Health IT Systems.

IT systems suppliers shall self-certify to the interoperability requirements.

5 Technical Guidance

5.1 Information Security
BS ISO/IEC 27001 sets out the requirements for an Information Security Management System (ISMS). This is a structured means of managing information security risk within an organisation. The CESG IS1/IS2 baseline control set provides the minimum baseline controls that organisations and their IT systems must comply with. It is divided into different areas of security controls with three levels for each – DETER, DETECT AND RESIST, and DEFEND. Further guidance is available on the CESG website or from an appropriately accredited (CLAS) security professional. The spreadsheet (A) ISB 1596 Secure Email Baseline Control Set provides the baseline control set for email services using Personal Data and non-Personal Data.

5.2 Clinical Safety
Any IT system used for clinical purposes should follow the clinical safety information standards. An example risk log is provided in section 7.

5.3 Interoperability
Systems should conform to open standards for interoperability, normally promulgated by the W3C. Government open standards are published on data.gov.uk. Systems should populate national directory services. Details of how to populate the NHSmail directory are available from feedback@nhs.net.
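Requirement 8 of section 4.2 lists the content checks a supplier's gateway is expected to make on outbound mail: encrypt protectively marked messages leaving the secure boundary, manage spoofed or forged mail, and deal with items that cannot be scanned such as S/MIME-encrypted or password-protected attachments. The Python below is an example added to this page to show those three decisions as one policy; it is not text from the standard and not any supplier's product. It assumes a hypothetical 'X-Protective-Marking' header carries the marking, that the gateway knows which domain the submitting client authenticated as, and that 'nhs.example' stands in for the secure email domain; all sample messages are constructed.

```python
# Example gateway policy for the checks in requirement 8 of section 4.2 (added to this
# page; not from the standard or any supplier). Assumptions: the protective marking is an
# 'X-Protective-Marking' header, the gateway knows the domain the submitting client
# authenticated as, and 'nhs.example' stands in for the secure email domain.
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SECURE_DOMAINS = {"nhs.example"}  # assumption: the secure boundary
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PRECEDENCE = ("deliver", "encrypt", "quarantine", "reject")  # least to most severe

def sender_domain(msg):
    """Domain claimed in the From header, lower-cased ('' if absent)."""
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

def recipient_domains(msg):
    """Every domain named in To, Cc and Bcc."""
    return {a.domain.lower() for field in ("To", "Cc", "Bcc")
            for header in msg.get_all(field, []) for a in header.addresses}

def zip_is_password_protected(data):
    """True if any entry sets flag bit 0 (ZipCrypto and AES both do); non-zips go to other scanners."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def unscannable_parts(msg):
    """Parts a content filter cannot inspect: S/MIME envelopes and password-protected zips."""
    reasons = []
    for part in msg.walk():
        ctype, name = part.get_content_type(), part.get_filename() or ""
        if ctype in SMIME_TYPES:  # opaque-signed bodies use the same type and are just as opaque
            reasons.append(f"S/MIME part {name or ctype} cannot be inspected")
        elif ctype == "application/zip" or name.lower().endswith(".zip"):
            if zip_is_password_protected(part.get_content()):
                reasons.append(f"password-protected archive {name}")
    return reasons

def evaluate(raw, authenticated_domain):
    """Policy decision for one outbound message: the most severe finding wins."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    claimed = sender_domain(msg)
    if claimed != authenticated_domain.lower():  # forged From header
        findings.append(("reject", f"From claims {claimed!r}, authenticated as {authenticated_domain!r}"))
    findings += [("quarantine", reason) for reason in unscannable_parts(msg)]
    marking = str(msg.get("X-Protective-Marking", "")).strip()
    external = recipient_domains(msg) - SECURE_DOMAINS
    if marking and external:  # marked mail leaving the boundary must be encrypted
        findings.append(("encrypt", f"marked {marking}; external recipients {sorted(external)}"))
    action = max((f[0] for f in findings), key=PRECEDENCE.index, default="deliver")
    return {"action": action, "findings": findings}

def build_message(sender, to, subject, body, marking=None, attachment=None):
    """Constructed sample; attachment = (filename, data, subtype, params) for an application/* part."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    if marking:
        msg["X-Protective-Marking"] = marking
    msg.set_content(body)
    if attachment:
        filename, data, subtype, params = attachment
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename, params=params)
    return msg.as_bytes()

def constructed_encrypted_zip():
    """zipfile cannot write protected archives: build a plain one, then set flag bit 0 in both headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("results.csv", "nhs_number,result\n")
    data = bytearray(buf.getvalue())
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(signature)
        while pos != -1:
            data[pos + flag_offset] |= 0x01
            pos = data.find(signature, pos + 1)
    return bytes(data)

SAMPLES = {  # name: (raw message, domain the submitting client authenticated as)
    "marked_external": (build_message("alice@nhs.example", "patient@mail.example", "Results",
                                      "See below", marking="OFFICIAL-SENSITIVE"), "nhs.example"),
    "spoofed": (build_message("ceo@nhs.example", "finance@nhs.example", "Urgent", "Pay now"),
                "contractor.example"),
    "protected_zip": (build_message("bob@nhs.example", "clinic@nhs.example", "Batch", "Attached",
                                    attachment=("results.zip", constructed_encrypted_zip(), "zip", None)),
                      "nhs.example"),
    "smime": (build_message("bob@nhs.example", "clinic@nhs.example", "Referral", "Enveloped",
                            attachment=("smime.p7m", b"\x30\x82\x00\x04", "pkcs7-mime",
                                        {"smime-type": "enveloped-data"})), "nhs.example"),
    "routine": (build_message("bob@nhs.example", "clinic@nhs.example", "Rota", "Week 3"), "nhs.example"),
}

if __name__ == "__main__":
    for name, (raw, authenticated) in SAMPLES.items():
        print(name, evaluate(raw, authenticated))
```

The order in PRECEDENCE is the design point: a forged From header is rejected even if the message is otherwise clean, an unscannable part is held for a person rather than silently passed because the anti-virus stage cannot vouch for it, and 'encrypt' is a hand-off to the encryption gateway the requirement mentions rather than plain delivery. The sender check is the outbound counterpart of the SPF/DKIM/DMARC alignment a receiving system performs; here the gateway already knows who authenticated, so the comparison is direct.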
6 User Guidance

6.1 Emailing Patients
The Caldicott 2 review (guidance ref 1) noted the belief that email could not be used to communicate with patients as it is not secure. The review report noted:

"The Review Panel concludes that personal confidential data can be shared with individuals via email when the individual has explicitly consented and they have been informed of any potential risk."

Health and care organisations should develop guidelines for health and care professionals to support and encourage the use of email with patients. The Good Practice Guidelines for GP electronic patient records (guidance ref 4) describe the use of email for patient consultations.

6.2 Secure Communications
NHS information security guidelines require that patient identifiable or sensitive data is handled appropriately. For routine communication this means using a secure email service, or sending the data in a secure manner, for example as encrypted attachments that comply with the NHS encryption requirements. Note that security should not be used as a reason for providing poor care: the onus is to provide appropriate systems and so share information, not inhibit it.

6.3 Professional Record-keeping
In Good Medical Practice (2013) (guidance ref 5), the General Medical Council (GMC) states that:

"19. Documents you make (including clinical records) to formally record your work must be clear, accurate and legible. You should make records at the same time as the events you are recording or as soon as possible afterwards. 20. You must keep records that contain personal information about patients, colleagues or others securely, and in line with any data protection requirements"

Although ephemeral in nature, emails can form part of the clinical record. Good practice is to ensure that emails are copied into the patient's medical record. See the Medical Protection Society Good Records advice for further information.
6.4 Data Protection & Freedom of Information
Information stored in an email service is subject to data protection and freedom of information requests. All health and care professionals must be aware of this obligation and support such requests.

6.5 GP Practice Staff
The Good Practice Guidelines for GP electronic patient records (guidance ref 4) describe the use of email in practice, noting that:

"Unless practices have the technical expertise to set up and maintain a local mail server, and ensure that it is secure within the practice network boundaries, the recommended approach is to use NHSmail for this purpose. NHSmail is available in Scotland and England."

7 Appendix 1 – Example Risk Log

7.1 Overview
The example risk log has been derived from secure email clinical risk assurance undertaken by the HSCIC. A fishbone diagram providing an overview is given below.
[Figure: Secure Email Hazard Overview (fishbone diagram). Branches and their causes: Attachments (file size, number of simultaneous attachments, incorrect format, viruses, corruption, notification failure); IT Operations (inadequate backup/archive, inadequate failover process, inadequate rollback process, disk space, security, receipt failure, delay in transit); Assurance (insufficient testing timeframe, inadequate regression testing, lack of assurance within test strategy); Deployment (poorly configured infrastructure, old/legacy systems, incompatible operating systems, set up/migration done incorrectly, network issues, LAN issues, firewall/routing issues); Desktop/Client (exceed local desktop session limit); Misuse (IG non-compliance, consent, hacking, internal fraud, browsing, unauthorised access); Interoperability; Training (insufficient training, inappropriate usage). The effect, at the head of the diagram, is the secure email system.]

7.2 Hazard Log

Columns: Area; Hazard Name; Description; Effect; Rating. Every hazard in the example log is rated Low.

Area: Attachment | Hazard: File attachment issues
  Description: File attachments exceed mail system specified limits. File attachments exceed mail system specified attachment quantity limits. Incorrect file formats used when attached to email.
  Effect: Delay to email transmission. Potential system error resulting from oversize file attachments. Failure to transmit / receive email successfully, including potential loss of data. Potential system error resulting from large quantities of file attachments.
  Rating: Low

Area: Attachment | Hazard: Email notifications fail to arrive
  Description: Failure to receive email notification of error message.
  Effect: The sender does not receive notification of email failure. Potential delay in treatment by way of failure to receive / send email.
  Rating: Low

Area: Attachment | Hazard: File Attachments - Corrupt file attachments
  Description: File attachment contains corrupt data undetected at source.
  Effect: Inadequate validation of corrupt data files or email content results in loss of data or potential corruption of recipient systems.
  Rating: Low

Area: Attachment | Hazard: File Attachments - files contain software virus
  Description: File attachment or email content contains a virus.
  Effect: Potential partial or complete system failure. Loss of data at source or recipient systems. Potential loss of service.
  Rating: Low

Area: IT Operations | Hazard: IT Operations - Inadequate Backup / Archive Process / System
  Description: Loss of, or inadequate, backup and / or archiving processes/systems. Failure to run backup process.
  Effect: Potential loss of service resulting from erroneous recovery points. Lack of recovery position leads to loss of data.
  Rating: Low

Area: IT Operations | Hazard: IT Operations - Inadequate Failover procedures
  Description: Insufficient IT operational procedures covering failover and recovery positions.
  Effect: System does not fail over into a known stable state. Potential loss of service and data as a result.
  Rating: Low

Area: IT Operations | Hazard: IT Operations - Inadequate Rollback process
  Description: Inadequate process / system configuration to allow the secure email solution to recover to a known stable system state.
  Effect: At the point of error the email system cannot roll back to baseline configuration, leading to a potentially unstable state and loss of service/data.
  Rating: Low

Area: IT Operations | Hazard: IT Operations - Insufficient Disk Space
  Description: Lack of hardware storage at any point within the secure email system where temporary or permanent data is required.
  Effect: Email system performance issues due to inefficient storage loads.
  Rating: Low

Area: IT Operations | Hazard: Document Archive
  Description: Chosen mail solution used as a document archive at local level.
  Effect: Potential loss of service and / or data due to inadequate storage facilities.
  Rating: Low

Area: IT Operations | Hazard: IT Operations - Insufficient Security compliance
  Description: Security procedures and / or configuration are not fit for the purpose of the email system's proposed usage.
  Effect: Potential security breaches leading to unauthorised access to personal identifiable data and commercially sensitive information. System is vulnerable to security attacks variable in nature, causing system failure, loss of data, and other business critical failures.
  Rating: Low

Area: IT Operations | Hazard: IT Operations - Email Receipt notification fails to arrive
  Description: Secure mail system fails to provide a receipt during the email transmission process.
  Effect: Failure to receive receipt notifications could lead to resubmissions throughout the email transmission process. This would in turn increase messaging volumes and increase the potential for delays in system performance.
  Rating: Low

Area: IT Operations | Hazard: IT Operations - Delays in end to end processing of email
  Description: Email system and / or performance issues lead to significant delays in transmission at any point within the email pathway to the recipient.
  Effect: Potential loss / delay of service. Potential loss of data.
  Rating: Low

Area: Deployment | Hazard: Network Issues on deployment
  Description: Deployment of secure email results in network failures / issues at local or national levels, or local network / LAN performance and / or availability issues.
  Effect: Network availability restrictions result in limited business functionality. Potential issues leading to the mail solution impacting the user base's day to day system performance and availability.
  Rating: Low

Area: Deployment | Hazard: Deployment of email system - Leading to Firewall / Routing issues
  Description: Deployment and configuration of firewall / routing infrastructure fails to complete successfully.
  Effect: Restriction in messaging routing. Complete loss of service due to incorrect configuration of firewalls.
  Rating: Low

Area: Deployment | Hazard: Deployment of email system - Leading to 'Clash' of Software Tools
  Description: Deployment of email system leads to conflicts with existing system software.
  Effect: Potential performance issues with conflicting systems.
  Rating: Low

Area: Desktop/Client | Hazard: Desktop / Client - Inadequate / poorly configured desktop and client infrastructure
  Description: Badly configured client infrastructure.
  Effect: Inability to standardise and deploy the email system.
  Rating: Low

Area: Desktop/Client | Hazard: Desktop / Client - "Old"
  Description: Target desktop and client systems are outside the baseline limitations and recommendations for email usage.
  Effect: Increased volumes of helpdesk requests on non-standard hardware. Inability to install the email system on non-supported hardware. Inadequate system performance leading to complete system failure. Potential loss of existing business processes.
  Rating: Low

Area: Desktop/Client | Hazard: Desktop / Client - Unsuitable Windows versions
  Description: Existing operating system is outside the baseline supported configuration.
  Effect: Inability to install the email system on target hardware. Poor configuration leading to operational issues and increased helpdesk calls. Potentially inefficient email service levels.
  Rating: Low

Area: Desktop/Client | Hazard: Desktop / Client - Setup / Migration wrong
  Description: Email service setup and migration fails to complete successfully on the target system.
  Effect: Potential performance issues with poorly configured systems. Loss of data due to incorrectly set up storage and archiving facilities.
  Rating: Low

Area: Desktop/Client | Hazard: Desktop / Client - Local Connectivity Issues
  Description: Local system issues lead to inability to connect to the email service.
  Effect: Potential performance issues leading to complete loss of service.
  Rating: Low

Area: Desktop/Client | Hazard: Desktop / Client - Too many windows open
  Description: Large number of local desktop sessions exceeds 'normal' expected operational levels.
  Effect: Email system connectivity issues and performance issues due to increased processing constraints.
  Rating: Low

Area: Misuse | Hazard: Misuse - IG / Unauthorised Access
  Description: Email system used inappropriately, contravening IG security controls / guides. Email system operated by an end user who does not have access to or approval to use the system.
  Effect: Potential breach in IG policies/controls leads to compromise of source email information. Breaches in security protocol and local / national policies for mail usage. Potential to misuse the system without appropriate access/training, leading to severe email issues.
  Rating: Low

Area: Misuse | Hazard: Misuse - Consent
  Description: Inappropriate use of the mail system without the express consent of the data source or system authorities.
  Effect: Potential breaches of information sharing and overall system usage.
  Rating: Low

Area: Misuse | Hazard: Misuse - Hacking
  Description: Email system is targeted by external or internal hacking, or by attempts to connect in a manner not permitted by existing IG/security controls.
  Effect: Inappropriate access to email system data, personal identifiable or business critical information. Critical misuse implications if undetected: complete loss of service, data tampering, etc.
  Rating: Low

Area: Misuse | Hazard: Misuse - Internal Fraud
  Description: Existing authorised user attempts to operate the email system fraudulently.
  Effect: Internal fraud covers various targets for misuse and may lead to inappropriate email usage, authorisation messages, and potential access to business or personally critical systems.
  Rating: Low

Area: Misuse | Hazard: Misuse - Browsing
  Description: Inappropriate use of the email system resulting in browsing of group/personal mail accounts.
  Effect: Access to information outside of normal controls for end users. Potential conflicts of business operation due to inappropriate data access, security breaches, etc.
  Rating: Low

Area: Migration | Hazard: Data Migration Errors / poor quality
  Description: Migration of legacy or existing email data.
  Effect: Data migration of legacy or email records
  Rating: Low

Area: Functionality | Hazard: New Functionality
  Description: Additional features of the new email system / new functionality introduce issues with the current service and / or existing functionality provided.
  Effect: Potential loss / delay of service. Potential loss of data.
  Rating: Low

Area: Training | Hazard: Inadequate Training
  Description: Poor quality training on the new system leads to inappropriate email use.
  Effect: Potential data loss. Potential inappropriate email usage based on 'not enough' or ineffective training.
  Rating: Low

Area: Assurance / Testing | Hazard: Limited Test Assurance
  Description: Test strategy and scope do not fully assure the release of the new system. Inadequate regression test assurance of existing / unchanged functionality. Insufficient testing timeframe.
  Effect: Potential loss / delay of service. Potential loss of data.
  Rating: Low