The Information Governance Toolkit Version 7: A critical overview using Control 307 as an exemplar. Peter Wilson, Information Governance & Caldicott Support Manager, Sheffield Teaching Hospitals FT, 14th August 2009.
“They sentenced me to twenty years of boredom, for trying to change the system from within ...” Leonard Cohen, First We Take Manhattan
307 Control Statements version 6
Has the Trust established a register of all its major information assets and assigned responsibility or ‘ownership’ for each?
Level 0: The Trust has not yet established documented processes to identify and record all of its information assets.
Level 1: The Trust has documented and established processes to identify and record all of its major information assets.
Level 2: The Trust has a fully populated register of its major information assets and has identified / defined ownership of these assets, key dependencies and maintenance history etc.
Level 3: Through its network of local 'owners' of information/data sets, the Trust ensures the continued existence of major information assets and it undertakes regular audits of recorded assets to physical assets and vice versa.
307 Control Statements version 7
Has the Trust established a register of all its major information assets and assigned responsibility or ‘ownership’ for each?
Level 0: The Trust has not established a register of all its major information assets and assigned responsibility or ‘ownership’ for each.
Level 1: The Trust SIRO has assigned Information Asset Owner roles and responsibilities. IAO(s) are contributing to and implementing an action plan to ensure a comprehensive Information Asset register is developed that includes all Information Assets of the Trust.
Level 2: The Trust SIRO and IAOs have ensured all Information Assets are included in the Trust’s Information Asset register, which identifies each recorded asset’s ownership, components, key dependencies and risk assessment and management history etc.
Level 3: The Trust SIRO and IAOs ensure the Information Asset register is routinely reviewed and its content checked for accuracy and completeness, and is updated under change control as necessary. The Trust undertakes regular consistency audits of recorded assets to physical assets and vice versa.
307 Supporting evidence version 6
Has the Trust established a register of all its major information assets and assigned responsibility or ‘ownership’ for each?
Level 1: 1. Evidence of assignment of responsibility. 2. Documented action plan.
Level 2: 1. Evidence of assignment of responsibility. 2. Documented action plan. 3. Existence of asset register. 4. Documented procedures for updating/amending asset register. 5. Documented local ownership for key assets.
Level 3: 1. Evidence of assignment of responsibility. 2. Documented action plan. 3. Existence of asset register. 4. Documented procedures for updating/amending asset register. 5. Documented local ownership for key assets. 6. Documented review and recommendations.
307 Supporting evidence version 7
Has the Trust established a register of all its major information assets and assigned responsibility or ‘ownership’ for each?
Level 1: 1. Evidence of assignment of responsibility. 2. Documented action plan.
Level 2: 1. Evidence of assignment of responsibility. 2. Documented action plan. 3. Existence of asset register. 4. Documented procedures for updating/amending asset register. 5. Documented local ownership for key assets.
Level 3: 1. Evidence of assignment of responsibility. 2. Documented action plan. 3. Existence of asset register. 4. Documented procedures for updating/amending asset register. 5. Documented local ownership for key assets. 6. Documented audit.
307 Improvement/maintenance plan v.6
Has the Trust established a register of all its major information assets and assigned responsibility or ‘ownership’ for each?
Level 0: 1. Develop an action plan to implement a comprehensive asset register that includes major information assets. 2. Assign roles and responsibilities for developing and implementing the action plan.
Level 1: 1. The Trust should include all major information assets in an asset register. 2. The Trust should assign ownership for major information assets.
Level 2: 1. The Trust should ensure the asset register and ownership of assets are regularly reviewed and amended when necessary.
Level 3: 1. Asset registers are fully updated with the results. 2. Review ownership of information assets to ensure details are correct.
307 Improvement/maintenance plan v.7
Has the Trust established a register of all its major information assets and assigned responsibility or ‘ownership’ for each?
Level 0: 1. The Trust SIRO should ensure Information Asset Owner roles and responsibilities are assigned. 2. IAO responsibility will include contribution to and implementation of an action plan to ensure a comprehensive Information Asset register is developed that includes all Information Assets of the Trust.
Level 1: 1. The Trust SIRO and IAOs should ensure all Information Assets are included in the Trust’s Information Asset register, which identifies each recorded asset’s ownership, components, key dependencies and risk assessment and management history etc.
Level 2: 1. The Trust SIRO and IAOs should ensure the Information Asset register is routinely reviewed and its content checked for accuracy and completeness, and is updated under change control as necessary. 2. The Trust should also undertake regular consistency audits of recorded assets to physical assets and vice versa.
Level 3: 1. Asset registers are fully updated with the results. 2. Review ownership of information assets to ensure details are correct.
307 IGT Guidance v.7
• Information Assets (IA) are identifiable and definable assets owned or contracted by an organisation which are ‘valuable’ to the business of that organisation. Information assets will likely include the computer systems and network hardware, software and supporting utilities and staff that are required to achieve processing of this data. Non-computerised records systems should also have an asset register containing relevant file identifications and storage locations.
• There are many possible Information Assets. These include:
• Information: Databases, system documents and procedures, archive media/data etc.
• Software: Application programs, system, development tools and utilities.
• Physical: Infrastructure, equipment, furniture and accommodation used for data processing.
• Services: Computing and communications, heating, lighting, power, air-conditioning used for data processing.
• People: Their qualifications, skills and experience in use of information systems.
• Others less tangible: For example, public confidence in the Trust's ability to ensure the Confidentiality, Integrity and Availability of their personal data.
• As these categories suggest, Information Assets are not necessarily objects. Business processes and activities, applications and data should all be considered as Information Assets; however, their importance to the Trust may vary.
307 IGT Guidance v.7: Information Asset Owners (IAO)
The word ‘owner’, when used in this requirement, is taken from the ISO 27002 Information Security Management standard. It should not be confused with the term ‘data owner’, as used by the Data Protection Act 1998. The standard defines an owner as a member of staff senior enough to make decisions concerning the asset at the highest level. The IAO can assign day-to-day responsibility for each Information Asset to an Information Asset Administrator (IAA) or other manager, and this should be formalised in job descriptions.
The role of the Information Asset Owner is to understand what information is held, what is added and what is removed, how information is moved, who has access and why. As a result they should be able to understand and address risks to the information and to ensure that information is fully used within the law for the public good. The Information Asset Owner will also be responsible for providing or informing regular written reports to the Senior Information Risk Officer (SIRO), at a minimum annually, on the assurance and usage of their asset.
It is important that “ownership” of Information Assets is linked to a post, as opposed to a designated individual, to ensure that responsibilities for the asset are passed on should the individual leave the Trust or change jobs within it.
307 IGT ISO 27001 reality
The definition of owner is an individual or an entity, as detailed in Section A.7 (Asset Management) of ISO/IEC 27001:2005, which states (with footnote):
A.7.1.2 Ownership of assets. Control: All information and assets associated with information processing facilities shall be ‘owned’³ by a designated part of the organization.
The footnote states: ³ Explanation: The term ‘owner’ identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets. The term ‘owner’ does not mean that the person actually has property rights to the asset.
This of course sits with Section 7 of the Code of Practice, ISO/IEC 27002:2005.
This is at odds with the DIPU CfH statement found in the guidance to control 307, which states, wrongly: "The standard defines an owner as a member of staff senior enough to make decisions concerning the asset at the highest level.”
307 IGT ISO 27001 reality
• The DIPU CfH statement found in the guidance states:
• There are many possible Information Assets. These include:
• Information: Databases, system documents and procedures, archive media/data etc.
• Software: Application programs, system, development tools and utilities.
• Physical: Infrastructure, equipment, furniture and accommodation used for data processing.
• Services: Computing and communications, heating, lighting, power, air-conditioning used for data processing.
• People: Their qualifications, skills and experience in use of information systems.
• Others less tangible: For example, public confidence in the Trust's ability to ensure the Confidentiality, Integrity and Availability of their personal data.
• This is also incorrect, as the only information asset is bullet point one (Information); the rest of them are assets as defined in the Standard.
• If this was correctly set up, the whole would be scoped as a precursor to an ISMS using ISO 27001, which would determine the risk by using vulnerability, threat, likelihood and impact analysis, with the subsequent controls determined via the statement of applicability. (Not 27002, which is the Code of Practice.)
• Are the IAOs supposed to do this???