Information Asset Management...Comply for less!!
- 1. January 2014
Information Asset Manager
Release 2013.1
System Overview
Author: David Birkinshaw
© Apira
Unauthorised reproduction, adaptation, translation or display is strictly prohibited.
Page 1 of 17
Table of Contents
TABLE OF CONTENTS
TABLE OF FIGURES
INTRODUCTION
  Information Governance Toolkit
  Roles and Responsibilities
DEFINITION OF INFORMATION ASSETS
  Primary Assets
  Supporting Assets
USER PROFILES AND THE ORGANISATIONAL HIERARCHY
RECORDING ASSETS AND DATA FLOWS IN IAM
  Information Flows
INFORMATION ASSETS
REPORTING
CREATING YOUR INFORMATION MANAGER SYSTEM
  Initiation
  Start-Up
  Deployment
GLOSSARY
DOCUMENT HISTORY
  Document Properties
  Version History
APPENDIX A ISO27005 INFORMATION ASSETS DEFINITION
Table of Figures
Figure 1. Dashboard
Figure 2. Mapping assets and business processes
Figure 3. Information Asset Manager – User Responsibilities
Figure 4. Organisation hierarchy in IAM
Figure 5. Picking lists in the system
Figure 6. Creating an information flow in IAM
Figure 7. Process of information flow creation and authorisation
Figure 8. Information flow screen showing risk scores
Figure 9. Asset creation screen in IAM
Figure 10. Asset creation process
Figure 11. IAM reporting module
Introduction
Health organisations collate, use and transfer probably the largest volumes of Personal Confidential Data
(PCD) in the country, and do so within the legal regimes of the Data Protection Act 1998, Freedom of
Information Act 2000, Access to Health Records Act 1990 and Common Law Duty of Confidentiality, to name but a
few. Many will be aware that losing data carries the risk of fines from the Information Commissioner.
Coupled with NHS Policy on risk management and the requirements of the Information Governance Toolkit, the
challenge is immense.
In response to the legal and policy requirements on the NHS, all assets and transfers of information must be
risk assessed to ensure they are safe and properly protected.
Apira Information Asset Manager (IAM) has been designed in response to that challenge and to customer
demand for a system which answers these key questions: Where is my information? Is it properly managed?
Who has access to it? Where do I send it? Am I transferring it safely and securely?
IAM allows organisations to record the information assets they hold, record the information flowing around the
organisation and, as a key function, provide a risk score against the information and flows. Included is a
dashboard and reporting function that allows the Senior Information Risk Owner (SIRO) to be confident that
information risk is being managed throughout the organisation.
Figure 1. Dashboard
Information Governance Toolkit
The Information Governance Toolkit (IGT) is the required standard for all NHS organisations in information
governance. IAM is centred around two key areas of the toolkit: 308 – Data Flow Mapping and 301 – Information
Asset Management. Because IAM covers many of the operational requirements of information risk
management, the following requirements are also greatly informed:
308 – Data flow mapping
303/304/305 – Access Control
110 – Contracts with third parties
309/310 – Business Continuity and Disaster Recovery
202 – Appropriate use of patient data
311 – Virus Protection
206 – Confidentiality Audit
313 – Network Security
207 – Information Sharing Agreements are in place
313 – Mobile, home and remote working security
209 – Information is shared outside the EU only with proper protections
324 – Information is pseudonymised or anonymised where required
301 – Risk Assessment programme in place for all assets
404 – Multi-professional records audit
307 – A risk register of assets is in place
506 – Coding audit programme
323 – Appropriate technical measures are in place to protect all assets
507 – Completeness and validity audit
406 – Availability of records audit
505 – Internal and external coding audit
604 – Information lifecycle audit
Roles and Responsibilities
The Accounting Officer is accountable for the assets belonging to the organisation – the Chief Executive.
The Senior Information Risk Owner (SIRO) for the organisation is required to assure the board that all
information assets are accounted for and that proper controls are in place to manage the information – A
Director on the Board.
Information Asset Owners (IAOs) (assisted by Information Asset Administrators – IAAs) are responsible for the
day to day information risk management of each information asset and reporting to the SIRO – Directors
(IAOs) and Senior Managers (IAAs).
Definition of Information Assets
An important concept in managing information assets using the Apira IAM system is the definition of an asset
and the data flowing in and out of it (covered in more detail in our Information Assets information sheet).
Apira Information Asset Manager uses the ISO27005 definition of an Information Asset. ISO27005 defines
information assets as follows:
Primary Assets
Information at rest – A patient database, staff database or any collection (grouping) of personal
confidential information stored (at rest) in any medium – recorded in the Assets section of the system
Business Processes – Data Flow Items (see 11-308 of the information governance toolkit [1]) which are
‘sub-sets’ of the information held at rest (e.g. appointment lists, patient letters) and which
move about the organisation and externally – recorded in the Data Flows section of the system.
Supporting Assets
Supporting Assets are recorded as a subset of the Assets recording module of IAM, and more closely defined
in the metadata management section of the system. Examples include:
Hardware – PCs, Servers, Laptops, Filing Cabinets, Printer, Disk Drive, USB Memory Stick
Software – Operating System, Office Software, Email software, Clinical System Software
Network – Ethernet, ADSL lines, WiFi equipment, Switches, Fibre Optic, Routers, Bridges
Personnel – Information Asset Owner, Information Asset Administrator, person with technical
expertise, (e.g. a network manager)
Site – Physical requirements for operations to continue (as related to the information asset), gas
supply, electricity supply, water supply, cooling equipment (e.g. air conditioning for server rooms)
Organisation Structure – maintenance contracts for support of the information asset (e.g. third party
maintenance contracts, software support and SLA contracts), but can also include project support for the
information asset.
See Appendix A for the ISO27005 definition of Information Assets with an example.
IAM allows Primary Information Assets at rest to be recorded. Users can then record business processes or the
flows of subsets of those assets (in the form of letters, discharge notifications, appointment lists etc.) around
the organisation or even to record flows coming from or going to external organisations such as GPs.
For example, a PAS database is a static collection of information (information at rest) which can have subsets
of data moved in and out of it (a data flow item - clinic letter) which is sent to a patient (a flow). The risks to the
information in the database might be the siting of servers (environmental such as flood, electricity supply) and
the risk to the clinic letter as it ‘flows’ might be lack of encrypted email or insecure post.
Figure 2 is a diagrammatical representation of mapping assets at rest and business processes (data flows):
[1] IGT 11-308 https://www.igt.hscic.gov.uk/RequirementQuestionNew.aspx?tk=415313635414503&lnv=2&cb=6040cf47-dc1b-4218a7cd-03837ae623f5&sViewOrgType=2&reqid=2420
Figure 2. Mapping assets and business processes
Risk is therefore inherent and calculated by IAM in the attributes of:
The data at rest (Primary Asset)
The data flow (Business Process)
User Profiles and the Organisational Hierarchy
IAM uses a role based approach to managing Assets and Flows in the system.
The SIRO Role – has full access to view all primary information assets recorded in the system and all flows of
data, with a dashboard displaying the resulting risk scores for those items (the Caldicott Guardian can also be
given this role to fulfil key recommendations of the Caldicott Information Governance review).
The SIRO Administrator Role – has the above functions, and also acts as the System Administrator, being
able to create users and manage the metadata and risk scoring attributes of the system (this can be the
Information Governance Manager or system owner).
The Risk Owner and Risk Administrator Roles – have access to view and manage information assets they
are responsible for, and their associated flows. It is also possible to make ROs and RAs administrators for the
system for their work areas, meaning they can manage users of the system.
The Flow User Role – has access only to the management of the flows of information in their team or area of
work.
This can be expressed in the diagram below:
Figure 3. Information Asset Manager – User Responsibilities
The organisation hierarchy is represented in the system in the form of three tiers:
Figure 4. Organisation hierarchy in IAM
As the picking lists in the system are configurable, these can be renamed to the organisation’s preferred terms.
Each user is assigned to an area of the hierarchy, which is shown below as an example:
Figure 5. Picking lists in the system
Recording Assets and Data Flows in IAM
Information Flows
All users can record a flow of information between their area of work and any other area of the organisation, as
well as to external agencies such as GPs, Social Care and other care providers. The flow records what data
item is moving, what it contains, how it gets there and any protection or ‘controls’ which are in place when it is
transferred.
Figure 6. Creating an information flow in IAM
A flow is recorded by the flow user and authorised by the Information Asset Owner/Administrator or SIRO roles,
creating a risk score for that flow and fulfilling the key recommendation of the new Caldicott Information
Governance Review, that information transfers are reviewed and authorised by Caldicott Guardians and
SIROs.
As flows can be internal, the user or team on the receiving end of the information flow can accept the flow,
confirming that it is appropriate and that it exists from their side. If not, they can reject it and enter a
reason so that the originator can remove it.
The process of information flow creation and authorisation can be expressed as below:
Figure 7. Process of information flow creation and authorisation
Risk scores are displayed in aggregate on the dashboard and in full on the information flow screens:
Figure 8. Information flow screen showing risk scores
Information Assets
Information Asset Owners and Administrators are able to create and record the assets they are responsible for
in the system for flow users to map their flows against. They record who the Information Asset Owner and
Administrator for the asset are, what the asset is called, what it contains, what the supporting assets are, and
what data flow items (e.g. clinic letters) can be transferred to or from the asset.
Figure 9. Asset creation screen in IAM
A key function of the system is that should a flow user be unable to see the information asset they use, they
can create it ‘on the fly’ as an unassigned or temporary information asset. This is essential in identifying
information assets that the organisation may have previously been unaware of, thus enabling them to be
accounted for and risk managed once approved. The process of creating an asset is described below:
Figure 10. Asset creation process
Risk scores are displayed on the dashboard and in the SIRO/IAO/IAA information asset screens.
Reporting
The SIRO, IAO and IAA user roles are all able to ‘drill down’ from the dashboard to specific information assets
and flows by directorate, department or team as required (see Figure 1).
Every information flow and information asset list can be exported in the form of PDF, MS Excel or MS Word
documents.
Additionally, a reports module is included which provides standard bespoke system reports, all of which can be
exported in the above document formats.
Figure 11. IAM reporting module
Creating your Information Manager System
The IAM system is a framework on which you can reflect your organisation’s risk appetite and strategy.
All picking lists in the system are configurable, and any item on that picking list that contributes to a risk score
is individually score-able. Risks are calculated on the options entered by the user and may be presented to the
user in a number of ways (depending on the user profile):
The dashboard
Information asset screen
Information flow screen
Reports.
Apira can support the rollout process with training for administrators and users of the system, as well as project
management support in the early stages.
Organisations may find the following approach beneficial in thinking about deployment of the system:
Initiation
Agree organisation hierarchy for use of the system
Agree picking lists, key assets and data flow items
Agree user profiles and user list
Create training plan
Training for system admins.
Start-Up
Implement training plan
Input picking lists, key assets and data flow items
Test flows in one department or area.
Deployment
Continue training plan
Rollout to main user base
Monitoring of system use and balancing of risk scoring mechanism (metadata).
Glossary
Information Governance (IG) terminology:
Term – Definition
Data – 1. Facts and statistics collected together for reference or analysis. 2. Things known or assumed as
facts, making the basis of reasoning or calculation.
Record – A collection of data related to a common origin, source, or subject, i.e. a person.
Data set – A number of records from a common origin or source comprising common or linked data
component.
Information – Data that (1) has been verified to be accurate and timely, (2) is specific and organized for a
purpose, (3) is presented within a context that gives it meaning and relevance, and (4) that can lead to an
increase in understanding and decrease in uncertainty. The value of information lies solely in its ability to
affect a behaviour, decision, or outcome. A piece of information is considered valueless if, after receiving it,
things remain unchanged.
Knowledge – Data, information, and skills acquired by a person through experience or education; the
theoretical or practical understanding of a subject. A person with knowledge can apply this to data for it to
become information and to determine actions arising.
Information Asset – A dataset in any media. The Information Asset may comprise patient information, person
information (as defined by the Data Protection Act), or corporate information. ‘Information Asset’ refers to the
data, not the media in which it is held. This distinction is similar to the definition in ISO27005 between primary
assets and secondary assets.
Risk – The likelihood and impact of an adverse event.
Information Risk – The total subjective value of risk attributed only to Information Assets held by an
organisation. Related to an overview of risk related to that Information Asset, who is accountable for that
Information Asset (the Information Asset Owner) and who has operational responsibility for that Information
Asset.
Risk Assessment – The process and results of determining likelihood and impact of an adverse event
occurring.
Residual Risk – The amount of risk remaining after risk mitigating controls have been implemented following
a risk assessment.
Dependency – The gross class of elements on which an Information Asset depends for storage, transport and
operation. In ISO 27005, this is referred to as a secondary asset.
Attribute – A single characteristic of a dependency. Some attributes increase or decrease the information risk
to the dependent Information Asset (see risk attribute). Attributes that raise or lower information risk are a
sub-set of attributes called risk attributes. These risk attributes have values attached to them. These are called
Meta Values.
Risk Attribute – A characteristic of a dependency that increases or decreases the risk to the Information Asset
and from which the Information Asset’s risk can be calculated. Risk Attributes have a pre-defined sub-range of
valued characteristics – Meta Values.
Meta Value – The subjective value allocated to a Risk Attribute. Meta Values, multiplied together, generate
the Risk Assessment of an Information Flow and Information Asset.
Information Flow – A set of attributes that are the characteristics of an Information Asset when transported/in
transit.
Information Flow Mapping – The process of identifying Information Flows emanating or terminating in an
Information Asset, i.e. in transit, and its beginning or end state, i.e. at rest.
Information Asset Register – A presentation of Information Assets held by an organisation which displays a
limited range of Attributes, especially to the SIRO, IAO and IAA.
Data Collection Template – A form comprising data fields for the collection of Attributes related to a
Dependency type or Information Asset.
Meta Data Collection Template – A form comprising data fields for the collection and valuation of attributes
that appear as linked fields in DCTs when entering data. The MDCT.
Role-based Access Control – A range of controls that allow Super Administrators to determine which roles are
allocated to which users and to what functionality that user type will have access.
Document History
Document Properties
Item – Details
Title – System Overview
Author – David Birkinshaw
Created – 20/09/13
Last Updated – 28/01/14
Published – [Publish Date]
Version History
Version   Description     Date                  Justification
0.1       First draft     September 2013
0.2       Second draft    9th September 2013
0.3       Third draft     20th September 2013
0.4       Fourth Draft    1st October 2013
0.5       Fifth Draft     24th October 2013
1.0       Final version   23rd December 2013
Appendix A ISO27005 Information Assets Definition
ISO27005 Definition of Information Assets with an Example
Primary Information Asset
Information (at rest) – Patient Administration Database (PAS) – the patient information contained in the
database
Business Processes (Information in motion, Data Flow Items) – Appointment Lists, Ward Bed Occupancy Lists,
Discharge Notifications, Letters to patients, Patient Reports, Clinic Letters
Supporting Assets
Hardware – Server, PC, Laptop etc. which must be used to access the PAS database
Software – Operating Systems and software on which the information asset relies, such as PAS software,
Windows server operating system software, Windows PC operating system software, Java Software
Network – Hub, Switch, Ethernet cable used to access the PAS database
Personnel – expertise in the organisation to manage and properly run the database, e.g. technical developers,
system admins
Site – the risks at the physical location of the database or servers on which it relies – gas, water, electricity,
air conditioning system, flood
Organisation structure – agreed supplier maintenance agreement, SLA, project management of upgrades to
system, back up regime in place
IAO assigned, IAA assigned