January 2014

Information Asset Manager
Release 2013.1

System Overview

Author: David Birkinshaw

© Apira
Unauthorised reproduction, adaptation, translation or display is strictly prohibited.

Page 1 of 17

Table of Contents
Table of Contents  2
Table of Figures  2
Introduction  3
  Information Governance Toolkit  4
  Roles and Responsibilities  4
Definition of Information Assets  5
  Primary Assets  5
  Supporting Assets  5
User Profiles and the Organisational Hierarchy  7
Recording Assets and Data Flows in IAM  9
  Information Flows  9
Information Assets  11
Reporting  12
Creating your Information Manager System  13
  Initiation  13
  Start-Up  13
  Deployment  13
Glossary  14
Document History  16
  Document Properties  16
  Version History  16
Appendix A ISO27005 Information Assets Definition  17

Table of Figures
Figure 1. Dashboard  3
Figure 2. Mapping assets and business processes  6
Figure 3. Information Asset Manager – User responsibilities  7
Figure 4. Organisation hierarchy in IAM  8
Figure 5. Picking lists in the system  8
Figure 6. Creating an information flow in IAM  9
Figure 7. Process of information flow creation and authorisation  10
Figure 8. Information flow screen showing risk scores  10
Figure 9. Asset creation screen in IAM  11
Figure 10. Asset creation process  11
Figure 11. IAM reporting module  12


Introduction
Health organisations collate, use and transfer probably the largest volumes of Personal Confidential Data
(PCD) in the country, and do so within the legal regimes of the Data Protection Act 1998, the Freedom of
Information Act 2000, the Access to Health Records Act 1990 and the Common Law Duty of Confidentiality, to
name but a few. Many will be aware of the risk of losing data and of the fines the Information Commissioner
can impose when it happens. Coupled with NHS policy on risk management and the requirements of the
Information Governance Toolkit, the challenge is immense.
In response to the legal and policy requirements on the NHS, all information assets and transfers of
information must be risk assessed to ensure they are safe and properly protected.
Apira Information Asset Manager (IAM) has been designed in response to that challenge and to customer
demand for a system which answers the key questions: where is my information? Is it properly managed?
Who has access to it? Where do I send it? Am I transferring it safely and securely?
IAM allows organisations to record the information assets they hold and the information flowing around the
organisation and, as a key function, to provide a risk score against each asset and flow. A dashboard and
reporting function allow the Senior Information Risk Owner (SIRO) to be confident that information risk is
being managed throughout the organisation.

Figure 1. Dashboard


Information Governance Toolkit
The Information Governance Toolkit (IGT) is the required standard for all NHS organisations in information
governance. IAM is centred on two key areas of the toolkit: 308 (Data Flow Mapping) and 301 (Information
Asset Management). Because IAM covers many of the operational requirements of information risk
management, the following requirements are also substantially informed by it:

308 – Data flow mapping
303/304/305 – Access control
110 – Contracts with third parties
309/310 – Business continuity and disaster recovery
202 – Appropriate use of patient data
311 – Virus protection
206 – Confidentiality audit
313 – Network security
207 – Information sharing agreements are in place
313 – Mobile, home and remote working security
209 – Information is shared outside the EU only with proper protections
324 – Information is pseudonymised or anonymised where required
301 – Risk assessment programme in place for all assets
404 – Multi-professional records audit
307 – A risk register of assets is in place
506 – Coding audit programme
323 – Appropriate technical measures are in place to protect all assets
507 – Completeness and validity audit
406 – Availability of records audit
505 – Internal and external coding audit
604 – Information lifecycle audit

Roles and Responsibilities
The Accounting Officer is accountable for the assets belonging to the organisation – the Chief Executive.
The Senior Information Risk Owner (SIRO) for the organisation is required to assure the board that all
information assets are accounted for and that proper controls are in place to manage the information – A
Director on the Board.
Information Asset Owners (IAOs) (assisted by Information Asset Administrators – IAAs) are responsible for the
day to day information risk management of each information asset and reporting to the SIRO – Directors
(IAOs) and Senior Managers (IAAs).


Definition of Information Assets
An important concept in managing information assets using the Apira IAM system is the definition of an asset
and of the data flowing in and out of it (covered in more detail in our Information Assets information sheet).
Apira Information Asset Manager uses the ISO27005 definition of an Information Asset. ISO27005 defines
information assets as follows:

Primary Assets
Information at rest – A patient database, staff database or any collection (grouping) of personal
confidential information stored (at rest) in any medium. Recorded in the Assets section of the system.
Business Processes – Data Flow Items (see requirement 11-308 of the Information Governance Toolkit [1])
which are 'sub-sets' of the information held in the information at rest, e.g. appointment lists and patient
letters, and which move about the organisation and externally. Recorded in the Data Flows section of the
system.

Supporting Assets
Supporting Assets are recorded as a subset of the Assets recording module of IAM, and more closely defined
in the metadata management section of the system. Examples include:
Hardware – PCs, Servers, Laptops, Filing Cabinets, Printer, Disk Drive, USB Memory Stick
Software – Operating System, Office Software, Email software, Clinical System Software
Network – Ethernet, ADSL lines, WiFi equipment, Switches, Fibre Optic, Routers, Bridges
Personnel – Information Asset Owner, Information Asset Administrator, a person with technical
expertise (e.g. a network manager)
Site – Physical requirements for operations to continue (as related to the information asset): gas
supply, electricity supply, water supply, cooling equipment (e.g. air conditioning for server rooms)
Organisation Structure – maintenance contracts for support of the information asset (e.g. third-party
maintenance contracts, software support and SLA contracts), but can also include project support for the
information asset.
See Appendix A for the ISO27005 definition of Information Assets with an example.
IAM allows Primary Information Assets at rest to be recorded. Users can then record business processes, i.e.
the flows of subsets of those assets (in the form of letters, discharge notifications, appointment lists etc.)
around the organisation, and even flows coming from or going to external organisations such as GPs.
For example, a PAS database is a static collection of information (information at rest) which can have subsets
of data moved in and out of it (a data flow item, such as a clinic letter) which is sent to a patient (a flow). The
risks to the information in the database might be the siting of the servers (environmental risks such as flood
or electricity supply), and the risk to the clinic letter as it 'flows' might be the lack of encrypted email or
insecure post.
Figure 2 is a diagrammatic representation of mapping assets at rest and business processes (data flows):

[1] IGT 11-308 https://www.igt.hscic.gov.uk/RequirementQuestionNew.aspx?tk=415313635414503&lnv=2&cb=6040cf47-dc1b-4218a7cd-03837ae623f5&sViewOrgType=2&reqid=2420

Figure 2. Mapping assets and business processes
Risk is therefore inherent and calculated by IAM in the attributes of:
The data at rest (Primary Asset)
The data flow (Business Process)


User Profiles and the Organisational Hierarchy
IAM uses a role based approach to managing Assets and Flows in the system.
The SIRO Role – has full access to view all primary information assets recorded in the system and all flows of
data, with a dashboard displaying the resulting risk scores for those items (the Caldicott Guardian can also be
given this role to fulfil key recommendations of the Caldicott Information Governance review).
The SIRO Administrator Role – has the above functions, and also acts as the System Administrator, being
able to create users and manage the metadata and risk scoring attributes of the system (this can be the
Information Governance Manager or system owner).
The Risk Owner and Risk Administrator Roles – have access to view and manage information assets they
are responsible for, and their associated flows. It is also possible to make ROs and RAs administrators for the
system for their work areas, meaning they can manage users of the system.
The Flow User Role – has access only to the management of the flows of information in their team or area of
work.
This can be expressed in the diagram below:

Figure 3. Information Asset Manager – User Responsibilities


The organisation hierarchy is represented in the system in the form of three tiers:

Figure 4. Organisation hierarchy in IAM
As the picking lists in the system are configurable, these can be renamed to the organisation’s preferred terms.
Each user is assigned to an area of the hierarchy, which is shown below as an example:

Figure 5. Picking lists in the system


Recording Assets and Data Flows in IAM
Information Flows
All users can record a flow of information between their area of work and any other area of the organisation, as
well as to external agencies such as GPs, Social Care and other care providers. The flow records what data
item is moving, what it contains, how it gets there and any protection or ‘controls’ which are in place when it is
transferred.

Figure 6. Creating an information flow in IAM

A flow is recorded by the flow user and authorised by the Information Asset Owner/Administrator or SIRO roles.
This creates a risk score for that flow and fulfils the key recommendation of the new Caldicott Information
Governance Review that information transfers are reviewed and authorised by Caldicott Guardians and
SIROs.
As flows can be internal, the user or team on the receiving end of the information flow can accept the flow,
confirming that it is appropriate and that it really does exist from their side. If not, they can reject it and enter
a reason so that the originator can remove it.
The process of information flow creation and authorisation can be expressed as below:


Figure 7. Process of information flow creation and authorisation
Risk scores are displayed in aggregate on the dashboard and in full on the information flow screens:

Figure 8. Information flow screen showing risk scores
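The role model in "User Profiles and the Organisational Hierarchy" and the record / authorise / accept-or-reject workflow described above can be pinned down as an access-control check. The following Python is an added illustration and is not Apira's code: the role names and the three-tier hierarchy come from this document, while the dataclass layout, the rule that an authoriser must themselves be entitled to see the flow, the rule that a flow may only be removed by its originator once the recipient has rejected it, and the sample users, assets and flows are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

class Role(Enum):
    SIRO = "SIRO"
    SIRO_ADMIN = "SIRO Administrator"
    RISK_OWNER = "Risk Owner"          # Information Asset Owner (IAO)
    RISK_ADMIN = "Risk Administrator"  # Information Asset Administrator (IAA)
    FLOW_USER = "Flow User"

AUTHORISING_ROLES = {Role.SIRO, Role.SIRO_ADMIN, Role.RISK_OWNER, Role.RISK_ADMIN}  # may sign off a flow

@dataclass(frozen=True)
class Area:  # one position in the three-tier hierarchy; the tier names are assumed
    directorate: str
    department: str
    team: str

@dataclass
class User:
    name: str
    role: Role
    area: Area

@dataclass
class Asset:
    owner: str  # IAO user name
    admin: str  # IAA user name

@dataclass
class Flow:
    item: str                 # data flow item, e.g. "Clinic letter"
    asset: str                # primary asset the item is a subset of
    sender: Area
    receiver: Optional[Area]  # None = external recipient such as a GP practice
    authorised_by: Optional[str] = None
    accepted: Optional[bool] = None  # None = receiving team has not reviewed it yet
    rejection_reason: str = ""

def can_view_asset(user: User, asset: Asset) -> bool:
    if user.role in (Role.SIRO, Role.SIRO_ADMIN):
        return True  # SIRO roles see every primary asset
    if user.role in (Role.RISK_OWNER, Role.RISK_ADMIN):
        return user.name in (asset.owner, asset.admin)
    return False  # flow users manage flows, not assets

def can_view_flow(user: User, flow: Flow, assets: Dict[str, Asset]) -> bool:
    if user.role in (Role.SIRO, Role.SIRO_ADMIN):
        return True
    if user.role in (Role.RISK_OWNER, Role.RISK_ADMIN):
        return can_view_asset(user, assets[flow.asset])  # flows of their own assets
    return user.area in (flow.sender, flow.receiver)     # flows touching their own team

def visible_flows(user: User, flows: List[Flow], assets: Dict[str, Asset]) -> List[str]:
    return [f.item for f in flows if can_view_flow(user, f, assets)]

def authorise(user: User, flow: Flow, assets: Dict[str, Asset]) -> None:
    """IAO/IAA/SIRO sign-off; the authoriser must also be entitled to see the flow."""
    if user.role not in AUTHORISING_ROLES or not can_view_flow(user, flow, assets):
        raise PermissionError(f"{user.name} may not authorise '{flow.item}'")
    flow.authorised_by = user.name

def review_receipt(user: User, flow: Flow, accept: bool, reason: str = "") -> None:
    """The receiving team confirms the flow is appropriate, or rejects it with a reason."""
    if flow.receiver is None or user.area != flow.receiver:
        raise PermissionError(f"{user.name} is not in the receiving team")
    if not accept and not reason:
        raise ValueError("a rejection must carry a reason for the originator")
    flow.accepted = accept
    flow.rejection_reason = "" if accept else reason

def remove_flow(user: User, flow: Flow, flows: List[Flow]) -> None:
    """The originating team removes a flow, but only once the recipient has rejected it."""
    if user.area != flow.sender or flow.accepted is not False:
        raise PermissionError("only the originator may remove a flow, and only once rejected")
    flows.remove(flow)

def denied(action, *args, **kwargs) -> bool:  # True if the access checks refuse the action
    try:
        action(*args, **kwargs)
    except PermissionError:
        return True
    return False

def build_sample():
    """Constructed sample users, assets and flows; none of it comes from the document."""
    outpatients = Area("Clinical", "Outpatients", "Clinic A")
    coding = Area("Corporate", "Health Records", "Coding")
    users = {"siro": User("siro", Role.SIRO, Area("Board", "Board", "Board")),
             "iao_pas": User("iao_pas", Role.RISK_OWNER, Area("Corporate", "IT", "Applications")),
             "clerk": User("clerk", Role.FLOW_USER, outpatients),
             "coder": User("coder", Role.FLOW_USER, coding)}
    assets = {"PAS": Asset(owner="iao_pas", admin="iaa_pas"),
              "Staff DB": Asset(owner="hr_director", admin="hr_manager")}
    flows = [Flow("Clinic letter", "PAS", outpatients, None),       # external: posted to a patient
             Flow("Appointment list", "PAS", outpatients, coding),  # internal transfer
             Flow("Payroll extract", "Staff DB", coding, None)]     # external: to a payroll bureau
    return users, assets, flows
```

Because `authorise` reuses `can_view_flow`, an IAO cannot sign off a flow against an asset they do not own and a flow user cannot authorise anything, so the least-privilege boundary is enforced in one place. The recipient's rejection reason stays on the flow so the originator sees why before removing it.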


Information Assets
Information Asset Owners and Administrators are able to create and record the assets they are responsible for
in the system, so that flow users can map their flows against them. They record who the Information Asset
Owner and Administrator for the asset are, what the asset is called, what it contains, what the supporting
assets are, and what data flow items (e.g. clinic letters) can be transferred to or from the asset.

Figure 9. Asset creation screen in IAM
A key function of the system is that should a flow user be unable to see the information asset they use, they
can create it ‘on the fly’ as an unassigned or temporary information asset. This is essential in identifying
information assets that the organisation may have previously been unaware of, thus enabling them to be
accounted for and risk managed once approved. The process of creating an asset is described below:

Figure 10. Asset creation process
Risk scores are displayed on the dashboard and in the SIRO/IAO/IAA information asset screens.

Reporting
The SIRO, IAO and IAA user roles are all able to 'drill down' from the dashboard to specific information assets
and flows by directorate, department or team as required (see Figure 1).
Every information flow and information asset list can be exported as a PDF, MS Excel or MS Word
document.
Additionally, a reports module is included which provides a set of standard reports built for the system, all of
which can be exported in the same document formats.

Figure 11. IAM reporting module


Creating your Information Manager System
The IAM system is a framework on which you can reflect your organisation's risk appetite and strategy.
All picking lists in the system are configurable, and any item on a picking list that contributes to a risk score
can be scored individually. Risks are calculated from the options entered by the user and may be presented to
the user in a number of ways (depending on the user profile):
The dashboard
Information asset screen
Information flow screen
Reports.
Apira can support the rollout process with training for administrators and users of the system, as well as project
management support in the early stages.
Organisations may find the following approach beneficial when thinking about deployment of the system:

Initiation
Agree organisation hierarchy for use of the system
Agree picking lists, key assets and data flow items
Agree user profiles and user list
Create training plan
Training for system admins.

Start-Up
Implement training plan
Input picking lists, key assets and data flow items
Test flows in one department or area.

Deployment
Continue training plan
Rollout to main user base
Monitoring of system use and balancing of the risk scoring mechanism (metadata).


Glossary
Information Governance (IG) terminology:

Data
  1. Facts and statistics collected together for reference or analysis.
  2. Things known or assumed as facts, making the basis of reasoning or calculation.

Record
  A collection of data related to a common origin, source, or subject, i.e. a person.

Data set
  A number of records from a common origin or source comprising common or linked data components.

Information
  Data that (1) has been verified to be accurate and timely, (2) is specific and organised for a purpose, (3) is
  presented within a context that gives it meaning and relevance, and (4) can lead to an increase in
  understanding and decrease in uncertainty.
  The value of information lies solely in its ability to affect a behaviour, decision, or outcome. A piece of
  information is considered valueless if, after receiving it, things remain unchanged.

Knowledge
  Data, information, and skills acquired by a person through experience or education; the theoretical or
  practical understanding of a subject. A person with knowledge can apply this to data for it to become
  information and to determine actions arising.

Information Asset
  A dataset in any media. The Information Asset may comprise patient information, person information (as
  defined by the Data Protection Act), or corporate information.
  'Information Asset' refers to the data, not the media in which it is held. This distinction is similar to the
  distinction drawn in ISO27005 between primary assets and secondary assets.

Risk
  The likelihood and impact of an adverse event.

Information Risk
  The total subjective value of risk attributed only to the Information Assets held by an organisation.
  Related to an overview of risk related to that Information Asset, who is accountable for that Information
  Asset (the Information Asset Owner) and who has operational responsibility for that Information Asset.

Risk Assessment
  The process and results of determining the likelihood and impact of an adverse event occurring.

Residual Risk
  The amount of risk remaining after risk-mitigating controls have been implemented following a risk
  assessment.

Dependency
  The gross class of elements on which an Information Asset depends for storage, transport and operation.
  In ISO 27005, this is referred to as a secondary asset.

Attribute
  A single characteristic of a dependency. Some attributes increase or decrease the information risk to the
  dependent Information Asset (see Risk Attribute). Attributes that raise or lower information risk are a sub-set
  of attributes called risk attributes. These risk attributes have values attached to them, called Meta Values.

Risk Attribute
  A characteristic of a dependency that increases or decreases the risk to the Information Asset and from
  which the Information Asset's risk can be calculated. Risk Attributes have a pre-defined sub-range of valued
  characteristics: Meta Values.

Meta Value
  The subjective value allocated to a Risk Attribute. The Meta Values of the Risk Attributes of an Information
  Flow or Information Asset, multiplied together, generate its Risk Assessment.

Information Flow
  A set of attributes that are the characteristics of an Information Asset when transported/in transit.

Information Flow Mapping
  The process of identifying Information Flows emanating from or terminating in an Information Asset, i.e. in
  transit, and its beginning or end state, i.e. at rest.

Information Asset Register
  A presentation of the Information Assets held by an organisation which displays a limited range of
  Attributes, especially to the SIRO, IAO and IAA.

Data Collection Template (DCT)
  A form comprising data fields for the collection of Attributes related to a Dependency type or Information
  Asset.

Meta Data Collection Template (MDCT)
  A form comprising data fields for the collection and valuation of attributes that appear as linked fields in
  DCTs when entering data.

Role-based Access Control
  A range of controls that allow Super Administrators to determine which roles are allocated to which users
  and to what functionality that user type will have access.
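The Risk Attribute and Meta Value entries above, together with the scoring description in "Creating your Information Manager System" (configurable picking lists whose options each carry a score, with risks calculated from the options the user selects and shown in aggregate on the dashboard), describe a multiplicative scoring model. The following Python is an added illustration and is not Apira's scoring engine: the picking lists, the meta values, the High/Medium/Low banding thresholds, the choice of directorate as the dashboard grouping and the sample flows are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

MetaValues = Dict[str, Dict[str, float]]  # risk attribute -> {picking-list option: meta value}

# Constructed picking lists (not Apira's). Options that do not change risk carry a meta value
# of 1.0 and drop out of the product; controls that reduce risk carry values below 1.0.
PICKING_LISTS: MetaValues = {
    "Data type": {"Anonymised": 1.0, "Pseudonymised": 2.0, "Personal confidential data": 4.0},
    "Volume": {"Single record": 1.0, "Up to 100 records": 2.0, "Over 100 records": 3.0},
    "Transfer method": {"NHSmail to NHSmail": 1.0, "Encrypted removable media": 1.5,
                        "Internal post": 2.0, "External post": 3.0, "Unencrypted email": 4.0},
    "Controls": {"Encrypted and tracked": 0.5, "Tracked only": 0.75, "None": 1.0},
}

# Assumed banding thresholds, highest first; an organisation tunes these to its risk appetite.
BANDS: List[Tuple[float, str]] = [(24.0, "High"), (6.0, "Medium"), (0.0, "Low")]

@dataclass
class Flow:
    item: str
    directorate: str
    selection: Dict[str, str]  # risk attribute -> option chosen from its picking list

def score(selection: Dict[str, str], lists: MetaValues = PICKING_LISTS) -> float:
    """Risk score of a flow or asset: the meta values of its selected options multiplied together."""
    product = 1.0
    for attribute, option in selection.items():
        try:
            product *= lists[attribute][option]
        except KeyError:
            raise ValueError(f"{option!r} is not an option on the {attribute!r} picking list") from None
    return product

def is_valid_selection(selection: Dict[str, str], lists: MetaValues = PICKING_LISTS) -> bool:
    try:
        score(selection, lists)
    except ValueError:
        return False
    return True

def band(value: float, bands: List[Tuple[float, str]] = BANDS) -> str:
    for threshold, label in bands:
        if value >= threshold:
            return label
    return bands[-1][1]

def dashboard(flows: List[Flow], lists: MetaValues = PICKING_LISTS) -> Dict[str, Dict[str, float]]:
    """Aggregate per directorate: number of flows, the worst score, and how many score High."""
    summary: Dict[str, Dict[str, float]] = defaultdict(lambda: {"flows": 0, "max": 0.0, "high": 0})
    for flow in flows:
        s = score(flow.selection, lists)
        row = summary[flow.directorate]
        row["flows"] += 1
        row["max"] = max(row["max"], s)
        row["high"] += 1 if band(s) == "High" else 0
    return dict(summary)

def rebalance(lists: MetaValues, attribute: str, option: str, value: float) -> MetaValues:
    """Copy of the picking lists with one meta value retuned; nothing stored needs updating,
    because scores are always recomputed from the current metadata."""
    retuned = {attr: dict(options) for attr, options in lists.items()}
    retuned[attribute][option] = value
    return retuned

def build_sample() -> List[Flow]:
    """Constructed flows for the example; not taken from the document."""
    return [
        Flow("Clinic letter", "Clinical", {"Data type": "Personal confidential data",
                                            "Volume": "Over 100 records",
                                            "Transfer method": "Unencrypted email",
                                            "Controls": "None"}),
        Flow("Research extract", "Clinical", {"Data type": "Pseudonymised",
                                               "Volume": "Single record",
                                               "Transfer method": "NHSmail to NHSmail",
                                               "Controls": "Encrypted and tracked"}),
        Flow("Payroll extract", "Corporate", {"Data type": "Personal confidential data",
                                               "Volume": "Up to 100 records",
                                               "Transfer method": "External post",
                                               "Controls": "Tracked only"}),
    ]
```

Scores are computed on read from the current meta values, so retuning one picking list during the "balancing" step of deployment moves every dashboard figure at once; the selections, not the scores, are what need to be stored. A selection that names an option not on the configured picking list is rejected rather than silently scored as 1.0.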


Document History
Document Properties
Title:         System Overview
Author:        David Birkinshaw
Created:       20/09/13
Last Updated:  28/01/14
Published:     [Publish Date]

Version History
Version   Description     Date
0.1       First draft     September 2013
0.2       Second draft    9 September 2013
0.3       Third draft     20 September 2013
0.4       Fourth draft    1 October 2013
0.5       Fifth draft     24 October 2013
1.0       Final version   23 December 2013

Appendix A ISO27005 Information Assets Definition
ISO27005 Definition of Information Assets with an Example

Primary Information Asset – Information (at rest)
  Patient Administration Database (PAS) – the patient information contained in the database

Primary Information Asset – Business Processes (Information in motion, Data Flow Items)
  Appointment Lists
  Ward Bed Occupancy Lists
  Discharge Notifications
  Letters to patients
  Patient Reports
  Clinic Letters

Supporting Assets
  Hardware – Server, PC, Laptop etc. which must be used to access the PAS database
  Software – Operating systems and software on which the information asset relies, such as PAS software,
  Windows server operating system software, Windows PC operating system software, Java software
  Network – Hub, Switch, Ethernet cable used to access the PAS database
  Personnel – expertise in the organisation to manage and properly run the database, e.g. technical
  developers, system admins
  Site – the risks at the physical location of the database or the servers on which it relies: gas, water,
  electricity, air conditioning system, flood
  Organisation structure – agreed supplier maintenance agreement, SLA, project management of upgrades
  to the system, back-up regime in place; IAO assigned, IAA assigned


pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdfElyes ELEBRI
 
Information Technology policy
Information Technology policyInformation Technology policy
Information Technology policymarindi
 
A Survey On Data Leakage Detection
A Survey On Data Leakage DetectionA Survey On Data Leakage Detection
A Survey On Data Leakage DetectionIJERA Editor
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsRd. R. Agung Trimanda
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 

Similaire à Information Asset Management...Comply for less!! (20)

1.1 Data Security Presentation.pdf
1.1 Data Security Presentation.pdf1.1 Data Security Presentation.pdf
1.1 Data Security Presentation.pdf
 
Explain the IAR document and how it should be filled__YASHODA Hospital.pptx
Explain the IAR document and how it should be filled__YASHODA Hospital.pptxExplain the IAR document and how it should be filled__YASHODA Hospital.pptx
Explain the IAR document and how it should be filled__YASHODA Hospital.pptx
 
Bring your own device guidance
Bring your own device guidanceBring your own device guidance
Bring your own device guidance
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016
 
DR PANKAJ SIR (1).pptx
DR PANKAJ SIR (1).pptxDR PANKAJ SIR (1).pptx
DR PANKAJ SIR (1).pptx
 
A New Approach to Healthcare Security
A New Approach to Healthcare SecurityA New Approach to Healthcare Security
A New Approach to Healthcare Security
 
Effective Date August 25, 2014Chapter Information Manag.docx
Effective Date  August 25, 2014Chapter Information Manag.docxEffective Date  August 25, 2014Chapter Information Manag.docx
Effective Date August 25, 2014Chapter Information Manag.docx
 
vmware-best-practices-healthcare-it-security-whitepaper
vmware-best-practices-healthcare-it-security-whitepapervmware-best-practices-healthcare-it-security-whitepaper
vmware-best-practices-healthcare-it-security-whitepaper
 
Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...
 
IT Security & Governance Template
IT Security & Governance TemplateIT Security & Governance Template
IT Security & Governance Template
 
3rd party information security assessment guideline
3rd party information security assessment guideline3rd party information security assessment guideline
3rd party information security assessment guideline
 
SPYRUS® Enterprise Management System
SPYRUS®  Enterprise  Management  System SPYRUS®  Enterprise  Management  System
SPYRUS® Enterprise Management System
 
Risk assessment user_guide_final_3_26_2014
Risk assessment user_guide_final_3_26_2014Risk assessment user_guide_final_3_26_2014
Risk assessment user_guide_final_3_26_2014
 
WEB APPLICATION FOR RISK ASSESSMENT WITH SECURITY FEATURES
WEB APPLICATION FOR RISK ASSESSMENT WITH SECURITY FEATURESWEB APPLICATION FOR RISK ASSESSMENT WITH SECURITY FEATURES
WEB APPLICATION FOR RISK ASSESSMENT WITH SECURITY FEATURES
 
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdfpdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
 
Responsible for information
Responsible for informationResponsible for information
Responsible for information
 
Information Technology policy
Information Technology policyInformation Technology policy
Information Technology policy
 
A Survey On Data Leakage Detection
A Survey On Data Leakage DetectionA Survey On Data Leakage Detection
A Survey On Data Leakage Detection
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and Controls
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 

Dernier

Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbersBook Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbersnarwatsonia7
 
Call Girls Electronic City Just Call 7001305949 Top Class Call Girl Service A...
Call Girls Electronic City Just Call 7001305949 Top Class Call Girl Service A...Call Girls Electronic City Just Call 7001305949 Top Class Call Girl Service A...
Call Girls Electronic City Just Call 7001305949 Top Class Call Girl Service A...narwatsonia7
 
Glomerular Filtration and determinants of glomerular filtration .pptx
Glomerular Filtration and  determinants of glomerular filtration .pptxGlomerular Filtration and  determinants of glomerular filtration .pptx
Glomerular Filtration and determinants of glomerular filtration .pptxDr.Nusrat Tariq
 
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service AvailableCall Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Availablenarwatsonia7
 
Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...
Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...
Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...narwatsonia7
 
VIP Call Girls Lucknow Nandini 7001305949 Independent Escort Service Lucknow
VIP Call Girls Lucknow Nandini 7001305949 Independent Escort Service LucknowVIP Call Girls Lucknow Nandini 7001305949 Independent Escort Service Lucknow
VIP Call Girls Lucknow Nandini 7001305949 Independent Escort Service Lucknownarwatsonia7
 
Bangalore Call Girls Marathahalli 📞 9907093804 High Profile Service 100% Safe
Bangalore Call Girls Marathahalli 📞 9907093804 High Profile Service 100% SafeBangalore Call Girls Marathahalli 📞 9907093804 High Profile Service 100% Safe
Bangalore Call Girls Marathahalli 📞 9907093804 High Profile Service 100% Safenarwatsonia7
 
Call Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment Booking
Call Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment BookingCall Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment Booking
Call Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment BookingNehru place Escorts
 
Call Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service AvailableCall Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service Availablenarwatsonia7
 
VIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service Mumbai
VIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service MumbaiVIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service Mumbai
VIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service Mumbaisonalikaur4
 
Housewife Call Girls Hoskote | 7001305949 At Low Cost Cash Payment Booking
Housewife Call Girls Hoskote | 7001305949 At Low Cost Cash Payment BookingHousewife Call Girls Hoskote | 7001305949 At Low Cost Cash Payment Booking
Housewife Call Girls Hoskote | 7001305949 At Low Cost Cash Payment Bookingnarwatsonia7
 
Sonagachi Call Girls Services 9907093804 @24x7 High Class Babes Here Call Now
Sonagachi Call Girls Services 9907093804 @24x7 High Class Babes Here Call NowSonagachi Call Girls Services 9907093804 @24x7 High Class Babes Here Call Now
Sonagachi Call Girls Services 9907093804 @24x7 High Class Babes Here Call NowRiya Pathan
 
Ahmedabad Call Girls CG Road 🔝9907093804 Short 1500 💋 Night 6000
Ahmedabad Call Girls CG Road 🔝9907093804  Short 1500  💋 Night 6000Ahmedabad Call Girls CG Road 🔝9907093804  Short 1500  💋 Night 6000
Ahmedabad Call Girls CG Road 🔝9907093804 Short 1500 💋 Night 6000aliya bhat
 
VIP Call Girls Pune Vrinda 9907093804 Short 1500 Night 6000 Best call girls S...
VIP Call Girls Pune Vrinda 9907093804 Short 1500 Night 6000 Best call girls S...VIP Call Girls Pune Vrinda 9907093804 Short 1500 Night 6000 Best call girls S...
VIP Call Girls Pune Vrinda 9907093804 Short 1500 Night 6000 Best call girls S...Miss joya
 
College Call Girls Pune Mira 9907093804 Short 1500 Night 6000 Best call girls...
College Call Girls Pune Mira 9907093804 Short 1500 Night 6000 Best call girls...College Call Girls Pune Mira 9907093804 Short 1500 Night 6000 Best call girls...
College Call Girls Pune Mira 9907093804 Short 1500 Night 6000 Best call girls...Miss joya
 
call girls in Connaught Place DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
call girls in Connaught Place  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...call girls in Connaught Place  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
call girls in Connaught Place DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...saminamagar
 
Artifacts in Nuclear Medicine with Identifying and resolving artifacts.
Artifacts in Nuclear Medicine with Identifying and resolving artifacts.Artifacts in Nuclear Medicine with Identifying and resolving artifacts.
Artifacts in Nuclear Medicine with Identifying and resolving artifacts.MiadAlsulami
 
Call Girls Jayanagar Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Jayanagar Just Call 7001305949 Top Class Call Girl Service AvailableCall Girls Jayanagar Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Jayanagar Just Call 7001305949 Top Class Call Girl Service Availablenarwatsonia7
 
Call Girls In Andheri East Call 9920874524 Book Hot And Sexy Girls
Call Girls In Andheri East Call 9920874524 Book Hot And Sexy GirlsCall Girls In Andheri East Call 9920874524 Book Hot And Sexy Girls
Call Girls In Andheri East Call 9920874524 Book Hot And Sexy Girlsnehamumbai
 
Book Call Girls in Yelahanka - For 7001305949 Cheap & Best with original Photos
Book Call Girls in Yelahanka - For 7001305949 Cheap & Best with original PhotosBook Call Girls in Yelahanka - For 7001305949 Cheap & Best with original Photos
Book Call Girls in Yelahanka - For 7001305949 Cheap & Best with original Photosnarwatsonia7
 

Dernier (20)

Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbersBook Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
 
Call Girls Electronic City Just Call 7001305949 Top Class Call Girl Service A...
Call Girls Electronic City Just Call 7001305949 Top Class Call Girl Service A...Call Girls Electronic City Just Call 7001305949 Top Class Call Girl Service A...
Call Girls Electronic City Just Call 7001305949 Top Class Call Girl Service A...
 
Glomerular Filtration and determinants of glomerular filtration .pptx
Glomerular Filtration and  determinants of glomerular filtration .pptxGlomerular Filtration and  determinants of glomerular filtration .pptx
Glomerular Filtration and determinants of glomerular filtration .pptx
 
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service AvailableCall Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Available
 
Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...
Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...
Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...
 
VIP Call Girls Lucknow Nandini 7001305949 Independent Escort Service Lucknow
VIP Call Girls Lucknow Nandini 7001305949 Independent Escort Service LucknowVIP Call Girls Lucknow Nandini 7001305949 Independent Escort Service Lucknow
VIP Call Girls Lucknow Nandini 7001305949 Independent Escort Service Lucknow
 
Bangalore Call Girls Marathahalli 📞 9907093804 High Profile Service 100% Safe
Bangalore Call Girls Marathahalli 📞 9907093804 High Profile Service 100% SafeBangalore Call Girls Marathahalli 📞 9907093804 High Profile Service 100% Safe
Bangalore Call Girls Marathahalli 📞 9907093804 High Profile Service 100% Safe
 
Call Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment Booking
Call Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment BookingCall Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment Booking
Call Girls Service Nandiambakkam | 7001305949 At Low Cost Cash Payment Booking
 
Call Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service AvailableCall Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Jp Nagar Just Call 7001305949 Top Class Call Girl Service Available
 
VIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service Mumbai
VIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service MumbaiVIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service Mumbai
VIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service Mumbai
 
Housewife Call Girls Hoskote | 7001305949 At Low Cost Cash Payment Booking
Housewife Call Girls Hoskote | 7001305949 At Low Cost Cash Payment BookingHousewife Call Girls Hoskote | 7001305949 At Low Cost Cash Payment Booking
Housewife Call Girls Hoskote | 7001305949 At Low Cost Cash Payment Booking
 
Sonagachi Call Girls Services 9907093804 @24x7 High Class Babes Here Call Now
Sonagachi Call Girls Services 9907093804 @24x7 High Class Babes Here Call NowSonagachi Call Girls Services 9907093804 @24x7 High Class Babes Here Call Now
Sonagachi Call Girls Services 9907093804 @24x7 High Class Babes Here Call Now
 
Ahmedabad Call Girls CG Road 🔝9907093804 Short 1500 💋 Night 6000
Ahmedabad Call Girls CG Road 🔝9907093804  Short 1500  💋 Night 6000Ahmedabad Call Girls CG Road 🔝9907093804  Short 1500  💋 Night 6000
Ahmedabad Call Girls CG Road 🔝9907093804 Short 1500 💋 Night 6000
 
VIP Call Girls Pune Vrinda 9907093804 Short 1500 Night 6000 Best call girls S...
VIP Call Girls Pune Vrinda 9907093804 Short 1500 Night 6000 Best call girls S...VIP Call Girls Pune Vrinda 9907093804 Short 1500 Night 6000 Best call girls S...
VIP Call Girls Pune Vrinda 9907093804 Short 1500 Night 6000 Best call girls S...
 
College Call Girls Pune Mira 9907093804 Short 1500 Night 6000 Best call girls...
College Call Girls Pune Mira 9907093804 Short 1500 Night 6000 Best call girls...College Call Girls Pune Mira 9907093804 Short 1500 Night 6000 Best call girls...
College Call Girls Pune Mira 9907093804 Short 1500 Night 6000 Best call girls...
 
call girls in Connaught Place DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
call girls in Connaught Place  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...call girls in Connaught Place  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
call girls in Connaught Place DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
 
Artifacts in Nuclear Medicine with Identifying and resolving artifacts.
Artifacts in Nuclear Medicine with Identifying and resolving artifacts.Artifacts in Nuclear Medicine with Identifying and resolving artifacts.
Artifacts in Nuclear Medicine with Identifying and resolving artifacts.
 
Call Girls Jayanagar Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Jayanagar Just Call 7001305949 Top Class Call Girl Service AvailableCall Girls Jayanagar Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Jayanagar Just Call 7001305949 Top Class Call Girl Service Available
 
Call Girls In Andheri East Call 9920874524 Book Hot And Sexy Girls
Call Girls In Andheri East Call 9920874524 Book Hot And Sexy GirlsCall Girls In Andheri East Call 9920874524 Book Hot And Sexy Girls
Call Girls In Andheri East Call 9920874524 Book Hot And Sexy Girls
 
Book Call Girls in Yelahanka - For 7001305949 Cheap & Best with original Photos
Book Call Girls in Yelahanka - For 7001305949 Cheap & Best with original PhotosBook Call Girls in Yelahanka - For 7001305949 Cheap & Best with original Photos
Book Call Girls in Yelahanka - For 7001305949 Cheap & Best with original Photos
 

Information Asset Management...Comply for less!!

  • 1. January 2014
    Information Asset Manager
    Release 2013.1
    System Overview
    Author: David Birkinshaw
    © Apira. Unauthorised reproduction, adaptation, translation or display is strictly prohibited.
    Page 1 of 17
  • 2. Table of Contents
    Table of Contents (p. 2)
    Table of Figures (p. 2)
    Introduction (p. 3)
      Information Governance Toolkit (p. 4)
      Roles and Responsibilities (p. 4)
    Definition of Information Assets (p. 5)
      Primary Assets (p. 5)
      Supporting Assets (p. 5)
    User Profiles and the Organisational Hierarchy (p. 7)
    Recording Assets and Data Flows in IAM (p. 9)
      Information Flows (p. 9)
      Information Assets (p. 11)
    Reporting (p. 12)
    Creating Your Information Manager System (p. 13)
      Initiation (p. 13)
      Start-up (p. 13)
      Deployment (p. 13)
    Glossary (p. 14)
    Document History (p. 16)
      Document Properties (p. 16)
      Version History (p. 16)
    Appendix A: ISO27005 Information Assets Definition (p. 17)

    Table of Figures
    Figure 1. Dashboard (p. 3)
    Figure 2. Mapping assets and business processes (p. 6)
    Figure 3. Information Asset Manager – User responsibilities (p. 7)
    Figure 4. Organisation hierarchy in IAM (p. 8)
    Figure 5. Picking lists in the system (p. 8)
    Figure 6. Creating an information flow in IAM (p. 9)
    Figure 7. Process of information flow creation and authorisation (p. 10)
    Figure 8. Information flow screen showing risk scores (p. 10)
    Figure 9. Asset creation screen in IAM (p. 11)
    Figure 10. Asset creation process (p. 11)
    Figure 11. IAM reporting module (p. 12)
  • 3. Introduction
    Health organisations collate, use and transfer probably the largest volumes of Personal Confidential Data (PCD) in the country, and do so within the legal regimes of the Data Protection Act 1998, the Freedom of Information Act 2000, the Access to Health Records Act 1990 and the Common Law Duty of Confidentiality, to name but a few. Many will be aware of the risk of losing data, in the form of fines from the Information Commissioner. Coupled with NHS policy on risk management and the requirements of the Information Governance Toolkit, the challenge is immense.
    In response to the legal and policy requirements on the NHS, all assets and transfers of information must be risk assessed to ensure they are safe and properly protected. Apira Information Asset Manager (IAM) has been designed in response to that challenge and to customer demand for a system which answers the key questions: Where is my information? Is it properly managed? Who has access to it? Where do I send it? Am I transferring it safely and securely?
    IAM allows organisations to record the information assets they hold and the information flowing around the organisation and, as a key function, to provide a risk score against the information and the flows. Included is a dashboard and reporting function that allows the Senior Information Risk Owner (SIRO) to be confident that information risk is being managed throughout the organisation.
    Figure 1. Dashboard
  • 4. Information Governance Toolkit
    The Information Governance Toolkit (IGT) is the required standard for all NHS organisations in information governance. IAM is centred around two key areas of the toolkit: 308 – Data Flow Mapping and 301 – Information Asset Management. Because IAM covers many of the operational requirements of information risk management, the following requirements are also greatly informed:
    308 – Data flow mapping
    110 – Contracts with third parties
    202 – Appropriate use of patient data
    206 – Confidentiality audit
    207 – Information sharing agreements are in place
    209 – Information is shared outside the EU only with proper protections
    301 – Risk assessment programme in place for all assets
    307 – A risk register of assets is in place
    323 – Appropriate technical measures are in place to protect all assets
    406 – Availability of records audit
    604 – Information lifecycle audit
    303/304/305 – Access control
    309/310 – Business continuity and disaster recovery
    311 – Virus protection
    313 – Network security
    313 – Mobile, home and remote working security
    324 – Information is pseudonymised or anonymised where required
    404 – Multi-professional records audit
    506 – Coding audit programme
    507 – Completeness and validity audit
    505 – Internal and external coding audit

    Roles and Responsibilities
    The Accounting Officer (the Chief Executive) is accountable for the assets belonging to the organisation.
    The Senior Information Risk Owner (SIRO), a Director on the Board, is required to assure the board that all information assets are accounted for and that proper controls are in place to manage the information.
    Information Asset Owners (IAOs, Directors), assisted by Information Asset Administrators (IAAs, Senior Managers), are responsible for the day-to-day information risk management of each information asset and for reporting to the SIRO.
  • 5. Definition of Information Assets
    An important concept in managing information assets using the Apira IAM system is the definition of an asset and of the data flowing in and out of it (covered in more detail in our Information Assets information sheet). Apira Information Asset Manager uses the ISO27005 definition of an Information Asset. ISO27005 defines information assets as follows:
    Primary Assets
    Information at rest – a patient database, staff database or any collection (grouping) of personal confidential information stored (at rest) in any medium; recorded in the Assets section of the system. [1]
    Business Processes – data flow items (see 11-308 of the Information Governance Toolkit), which are sub-sets of the information held in the information at rest, e.g. appointment lists and patient letters, and which move about the organisation and externally; recorded in the Data Flows section of the system.
    Supporting Assets
    Supporting assets are recorded as a subset of the Assets recording module of IAM and are more closely defined in the metadata management section of the system. Examples include:
    Hardware – PCs, servers, laptops, filing cabinets, printers, disk drives, USB memory sticks
    Software – operating system, office software, email software, clinical system software
    Network – Ethernet, ADSL lines, WiFi equipment, switches, fibre optic, routers, bridges
    Personnel – Information Asset Owner, Information Asset Administrator, person with technical expertise (e.g. a network manager)
    Site – physical requirements for operations to continue (as related to the information asset): gas supply, electricity supply, water supply, cooling equipment (e.g. air conditioning for server rooms)
    Organisation Structure – maintenance contracts for support of the information asset (e.g. third-party maintenance contracts, software support and SLA contracts), which can also include project support for the information asset.
    See Appendix A for the ISO27005 definition of Information Assets with an example.
    IAM allows Primary Information Assets at rest to be recorded. Users can then record business processes, that is the flows of subsets of those assets (in the form of letters, discharge notifications, appointment lists etc.) around the organisation, or even flows coming from or going to external organisations such as GPs. For example, a PAS database is a static collection of information (information at rest) which can have subsets of data moved in and out of it (a data flow item, such as a clinic letter) which is sent to a patient (a flow). The risks to the information in the database might be the siting of servers (environmental risks such as flood or electricity supply), and the risk to the clinic letter as it ‘flows’ might be the lack of encrypted email or insecure post. Figure 2 is a diagrammatic representation of mapping assets at rest and business processes (data flows).
    [1] IGT 11-308 https://www.igt.hscic.gov.uk/RequirementQuestionNew.aspx?tk=415313635414503&lnv=2&cb=6040cf47-dc1b-4218a7cd-03837ae623f5&sViewOrgType=2&reqid=2420
  • 6. Figure 2. Mapping assets and business processes
    Risk is therefore inherent in, and calculated by IAM from, the attributes of:
    the data at rest (Primary Asset)
    the data flow (Business Process)
User Profiles and the Organisational Hierarchy

IAM uses a role-based approach to managing Assets and Flows in the system.

The SIRO Role – has full access to view all primary information assets recorded in the system and all flows of data, with a dashboard displaying the resulting risk scores for those items (the Caldicott Guardian can also be given this role to fulfil key recommendations of the Caldicott Information Governance review).

The SIRO Administrator Role – has the above functions, and also acts as the System Administrator, being able to create users and manage the metadata and risk scoring attributes of the system (this can be the Information Governance Manager or system owner).

The Risk Owner and Risk Administrator Roles – have access to view and manage the information assets they are responsible for, and their associated flows. It is also possible to make ROs and RAs administrators of the system for their own work areas, meaning they can manage users of the system.

The Flow User Role – has access only to the management of the flows of information in their team or area of work.

This can be expressed in the diagram below:

Figure 3. Information Asset Manager – User Responsibilities
The organisation hierarchy is represented in the system in the form of three tiers:

Figure 4. Organisation hierarchy in IAM

As the picking lists in the system are configurable, these can be renamed to the organisation’s preferred terms. Each user is assigned to an area of the hierarchy, shown below as an example:

Figure 5. Picking lists in the system
Recording Assets and Data Flows in IAM

Information Flows

All users can record a flow of information between their area of work and any other area of the organisation, as well as to external agencies such as GPs, Social Care and other care providers. The flow records what data item is moving, what it contains, how it gets there and any protection or ‘controls’ which are in place when it is transferred.

Figure 6. Creating an information flow in IAM

A flow is recorded by the flow user and authorised by the Information Asset Owner/Administrator or SIRO roles, creating a risk score for that flow and fulfilling the key recommendation of the new Caldicott Information Governance Review that information transfers are reviewed and authorised by Caldicott Guardians and SIROs. As flows can be internal, the user or team on the receiving end of the information flow can accept the flow, confirming that it is appropriate and that the flow to them does exist. If not, they can reject it and enter a reason so that the originator can remove it. The process of information flow creation and authorisation can be expressed as below:
Figure 7. Process of information flow creation and authorisation

Risk scores are displayed in aggregate on the dashboard and in full on the information flow screens:

Figure 8. Information flow screen showing risk scores
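The creation and authorisation process above can be modelled as a small state machine with role checks at each step. The following is an added example written for this overview, not code from Apira or from the IAM product: the roles, states and sequence (flow user records, IAO/IAA/SIRO authorises, receiving area accepts or rejects with a reason, originator removes a rejected flow) follow the text, while the function names and the assumed rules that acceptance needs prior authorisation and that only the originator may remove a rejected flow are choices made for the example.

```python
"""Information flow creation and authorisation modelled as a state machine.

Constructed example, not Apira's code: roles, states and the sequence
follow the page; function names, the rule that acceptance needs prior
authorisation, and the rule that only the originator removes a rejected
flow are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum

Role = Enum("Role", "SIRO IAO IAA FLOW_USER")   # IAO/IAA: asset owner/administrator
State = Enum("State", "RECORDED AUTHORISED ACCEPTED REJECTED REMOVED")
AUTHORISERS = {Role.SIRO, Role.IAO, Role.IAA}   # roles that may authorise a flow

@dataclass(frozen=True)
class User:
    name: str
    role: Role
    area: str                      # position in the organisation hierarchy

@dataclass
class Flow:
    item: str                      # data flow item, e.g. "clinic letter"
    source_area: str
    destination_area: str
    originator: User
    state: State = State.RECORDED
    rejection_reason: str = ""
    history: list = field(default_factory=list)   # audit trail of transitions

    def _move(self, new_state, actor, note=""):
        self.history.append((self.state.name, new_state.name, actor.name, note))
        self.state = new_state

def record_flow(user, item, destination_area):
    """Any user records a flow from their own area to another area."""
    return Flow(item, user.area, destination_area, user)

def authorise(flow, actor):
    if actor.role not in AUTHORISERS:
        raise PermissionError(f"{actor.role.name} cannot authorise flows")
    if flow.state is not State.RECORDED:
        raise ValueError(f"flow is {flow.state.name}, not RECORDED")
    flow._move(State.AUTHORISED, actor)

def accept(flow, actor):
    if actor.area != flow.destination_area:
        raise PermissionError("only the receiving area can accept a flow")
    if flow.state is not State.AUTHORISED:
        raise ValueError("a flow is accepted only once authorised")
    flow._move(State.ACCEPTED, actor)

def reject(flow, actor, reason):
    if actor.area != flow.destination_area:
        raise PermissionError("only the receiving area can reject a flow")
    if flow.state not in (State.RECORDED, State.AUTHORISED):
        raise ValueError(f"cannot reject a flow that is {flow.state.name}")
    if not reason.strip():
        raise ValueError("a rejection must carry a reason for the originator")
    flow.rejection_reason = reason
    flow._move(State.REJECTED, actor, reason)

def remove(flow, actor):
    if actor != flow.originator:
        raise PermissionError("only the originator removes a rejected flow")
    if flow.state is not State.REJECTED:
        raise ValueError("only rejected flows are removed")
    flow._move(State.REMOVED, actor)

def denied(action, *args):
    """True when the action is refused on role or state grounds."""
    try:
        action(*args)
    except (PermissionError, ValueError):
        return True
    return False

def run_example():
    # Constructed users and flows for the walk-through
    clerk = User("A. Clerk", Role.FLOW_USER, "Outpatients")
    iao = User("B. Owner", Role.IAO, "Information Services")
    ward = User("C. Nurse", Role.FLOW_USER, "Ward 3")

    letter = record_flow(clerk, "clinic letter", "Ward 3")
    flow_user_blocked = denied(authorise, letter, clerk)   # lacks an authorising role
    authorise(letter, iao)
    accept(letter, ward)

    bed_list = record_flow(clerk, "bed occupancy list", "Ward 3")
    authorise(bed_list, iao)
    reject(bed_list, ward, "Ward 3 does not receive this list")
    non_originator_blocked = denied(remove, bed_list, ward)
    remove(bed_list, clerk)

    return {
        "letter": letter.state.name,                  # ACCEPTED
        "bed_list": bed_list.state.name,              # REMOVED
        "reason": bed_list.rejection_reason,
        "flow_user_blocked": flow_user_blocked,
        "non_originator_blocked": non_originator_blocked,
        "audit_entries": len(letter.history) + len(bed_list.history),
    }
```

Every transition is appended to the flow's history, so the record of who authorised, accepted or rejected a flow survives with it; that is what lets a SIRO later show that a given transfer was reviewed.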
Information Assets

Information Asset Owners and Administrators are able to create and record the assets they are responsible for in the system, for flow users to map their flows against. They record who the Information Asset Owner and Administrator for the asset are, what the asset is called, what it contains, what the supporting assets are, and what data flow items (e.g. clinic letters) can be transferred to or from the asset.

Figure 9. Asset creation screen in IAM

A key function of the system is that, should a flow user be unable to see the information asset they use, they can create it ‘on the fly’ as an unassigned or temporary information asset. This is essential in identifying information assets that the organisation may previously have been unaware of, enabling them to be accounted for and risk-managed once approved. The process of creating an asset is described below:

Figure 10. Asset creation process

Risk scores are displayed on the dashboard and in the SIRO/IAO/IAA information asset screens.
Reporting

The SIRO, IAO and IAA user roles are all able to ‘drill down’ from the dashboard to specific information assets and flows by directorate, department or team as required (see Figure 1). Every information flow and information asset list can be exported in the form of PDF, MS Excel or MS Word documents. Additionally, a reports module is included which provides standard bespoke system reports, all of which can be exported in the above document formats.

Figure 11. IAM reporting module
Creating your Information Manager System

The IAM system is a framework on which you can reflect your organisation’s risk appetite and strategy. All picking lists in the system are configurable, and any item on a picking list that contributes to a risk score is individually score-able. Risks are calculated from the options entered by the user and may be presented to the user in a number of ways (depending on the user profile):

The dashboard
Information asset screen
Information flow screen
Reports

Apira can support the rollout process with training for administrators and users of the system, as well as project management support in the early stages. Organisations may find the following approach beneficial in thinking about deployment of the system:

Initiation
  Agree organisation hierarchy for use of the system
  Agree picking lists, key assets and data flow items
  Agree user profiles and user list
  Create training plan
  Training for system admins

Start-Up
  Implement training plan
  Input picking lists, key assets and data flow items
  Test flows in one department or area

Deployment
  Continue training plan
  Rollout to main user base
  Monitoring of system use and balancing of the risk scoring mechanism (metadata)
Glossary

Information Governance (IG) terminology:

Data – 1. Facts and statistics collected together for reference or analysis. 2. Things known or assumed as facts, making the basis of reasoning or calculation.

Record – A collection of data related to a common origin, source, or subject, i.e. a person.

Data set – A number of records from a common origin or source comprising common or linked data components.

Information – Data that (1) has been verified to be accurate and timely, (2) is specific and organised for a purpose, (3) is presented within a context that gives it meaning and relevance, and (4) can lead to an increase in understanding and a decrease in uncertainty. The value of information lies solely in its ability to affect a behaviour, decision, or outcome. A piece of information is considered valueless if, after receiving it, things remain unchanged.

Knowledge – Data, information, and skills acquired by a person through experience or education; the theoretical or practical understanding of a subject. A person with knowledge can apply this to data for it to become information and to determine the actions arising.

Information Asset – A dataset in any media. The Information Asset may comprise patient information, person information (as defined by the Data Protection Act), or corporate information. ‘Information Asset’ refers to the data, not the media in which it is held. This distinction is similar to the distinction in ISO27005 between primary assets and secondary assets.

Risk – The likelihood and impact of an adverse event.

Information Risk – The total subjective value of risk attributed only to Information Assets held by an organisation. Related to an overview of risk for that Information Asset, who is accountable for that Information Asset (the Information Asset Owner) and who has operational responsibility for that Information Asset.

Risk Assessment – The process and results of determining the likelihood and impact of an adverse event occurring.

Residual Risk – The amount of risk remaining after risk-mitigating controls have been implemented following a risk assessment.

Dependency – The gross class of elements on which an Information Asset depends for storage, transport and operation. In ISO 27005, this is referred to as a secondary asset.

Attribute – A single characteristic of a dependency. Some attributes increase or decrease the information risk to the dependent Information Asset (see Risk Attribute). Attributes that raise or lower information risk are a sub-set of attributes called risk attributes. These risk attributes have values attached to them, called Meta Values.

Risk Attribute – A characteristic of a dependency that increases or decreases the risk to the Information Asset and from which the Information Asset’s risk can be calculated. Risk Attributes have a pre-defined sub-range of valued characteristics, the Meta Values.

Meta Value – The subjective value allocated to a Risk Attribute; the meta values of an item’s risk attributes, multiplied together, generate the Risk Assessment of an Information Flow or Information Asset.

Information Flow – A set of attributes that are the characteristics of an Information Asset when transported/in transit.

Information Flow Mapping – The process of identifying Information Flows emanating from or terminating in an Information Asset, i.e. in transit, and its beginning or end state, i.e. at rest.

Information Asset Register – A presentation of the Information Assets held by an organisation which displays a limited range of Attributes, especially to the SIRO, IAO and IAA.

Data Collection Template – A form comprising data fields for the collection of Attributes related to a Dependency type or Information Asset.

Meta Data Collection Template – A form comprising data fields for the collection and valuation of attributes that appear as linked fields in DCTs when entering data. The MDCT.

Role-based Access Control – A range of controls that allow Super Administrators to determine which roles are allocated to which users and to what functionality that user type will have access.
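The glossary's chain from Dependency to Attribute to Risk Attribute to Meta Value, and the product that turns the chosen meta values into a risk assessment, is easier to follow in code. The block below is an added example written for this overview, not Apira's code and not the scoring IAM actually ships: the attribute names, the meta values on each picking list, the treatment of a control as a meta value below 1 (giving the residual risk), and the dashboard rule (worst score and item count per area) are all assumptions made for the example.

```python
"""Risk attributes, meta values and the risk score they produce.

Constructed example, not Apira's code. It follows the glossary: a
dependency (supporting asset) has attributes; those that raise or lower
risk are risk attributes, each with a meta value from a configurable
picking list; the chosen meta values are multiplied together to give the
risk assessment of a flow or an asset. Attribute names, meta values and
the dashboard rule (worst score and count per area) are assumptions.
"""
from dataclasses import dataclass
from functools import reduce
from operator import mul

@dataclass
class RiskAttribute:
    name: str
    meta_values: dict          # picking list: option label -> meta value

    def value(self, option):
        if option not in self.meta_values:
            raise KeyError(f"{option!r} is not an option for {self.name}")
        return self.meta_values[option]

# Constructed picking lists (assumed values): 1.0 is neutral, above 1
# raises risk, below 1 is a mitigating control that lowers it.
PICKING_LISTS = {a.name: a for a in (
    RiskAttribute("transport", {"encrypted email": 1.0, "unencrypted email": 4.0,
                                "internal post": 2.0, "external post": 3.0}),
    RiskAttribute("content", {"anonymised": 1.0, "person identifiable": 3.0,
                              "clinical": 5.0}),
    RiskAttribute("encryption control", {"none": 1.0, "file encrypted": 0.5}),
    RiskAttribute("flood protection", {"above flood level": 1.0, "basement": 2.5}),
    RiskAttribute("power supply", {"UPS and generator": 1.0, "mains only": 2.0}),
)}

def score(selections):
    """Risk assessment = product of the meta values chosen for each attribute."""
    return reduce(mul, (PICKING_LISTS[n].value(o) for n, o in selections.items()), 1.0)

@dataclass
class Flow:
    item: str                  # data flow item, e.g. "clinic letter"
    source_area: str
    destination: str
    selections: dict           # attribute name -> chosen option

    def risk(self):
        return score(self.selections)

@dataclass
class Dependency:
    name: str                  # supporting asset, e.g. "PAS server"
    kind: str                  # hardware/software/network/personnel/site/organisation
    selections: dict

@dataclass
class Asset:
    name: str
    area: str
    dependencies: list

    def risk(self):
        # The asset inherits the risk of every dependency it relies on
        return reduce(mul, (score(d.selections) for d in self.dependencies), 1.0)

def dashboard(items, area_of):
    """Per-area aggregate for the SIRO dashboard: (worst score, item count)."""
    summary = {}
    for item in items:
        worst, count = summary.get(area_of(item), (0.0, 0))
        summary[area_of(item)] = (max(worst, item.risk()), count + 1)
    return summary

def example():
    # Constructed flows and asset, following the PAS / clinic letter example
    letter = Flow("clinic letter", "Outpatients", "Patient",
                  {"transport": "unencrypted email", "content": "clinical",
                   "encryption control": "none"})
    mitigated = Flow("clinic letter", "Outpatients", "Patient",
                     {"transport": "unencrypted email", "content": "clinical",
                      "encryption control": "file encrypted"})
    pas = Asset("PAS database", "Information Services", [
        Dependency("PAS server", "site",
                   {"flood protection": "basement", "power supply": "mains only"})])
    return {
        "letter": letter.risk(),        # 4 * 5 * 1 = 20.0
        "residual": mitigated.risk(),   # 4 * 5 * 0.5 = 10.0 after the control
        "pas": pas.risk(),              # 2.5 * 2 = 5.0
        "by_area": dashboard([letter, mitigated], lambda f: f.source_area),
    }
```

Because every option on a picking list carries its own meta value, re-balancing the scoring (the "balancing of risk scoring mechanism" step in the deployment approach) is a change to `PICKING_LISTS` only; the flows and assets themselves do not need re-entering.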
Document History

Document Properties
Title: System Overview
Author: David Birkinshaw
Created: 20/09/13
Last Updated: 28/01/14
Published: [Publish Date]

Version History
Version  Description   Justification  Date
0.1      First draft   –              September 2013
0.2      Second draft  –              9th September 2013
0.3      Third draft   –              20th September 2013
0.4      Fourth draft  –              1st October 2013
0.5      Fifth draft   –              24th October 2013
1.0      Final version –              23rd December 2013
Appendix A: ISO27005 Information Assets Definition

ISO27005 Definition of Information Assets with an Example

Primary Information Asset
  Information (at rest) – Patient Administration Database (PAS): the patient information contained in the database
  Business Processes (information in motion, Data Flow Items) – Appointment lists, ward bed occupancy lists, discharge notifications, letters to patients, patient reports, clinic letters

Supporting Assets
  Hardware – Server, PC, laptop etc. which must be used to access the PAS database
  Software – Operating systems and software on which the information asset relies, such as PAS software, Windows server operating system software, Windows PC operating system software, Java software
  Network – Hub, switch, Ethernet cable used to access the PAS database
  Personnel – Expertise in the organisation to manage and properly run the database, e.g. technical developers, system admins
  Site – The risks at the physical location of the database or the servers on which it relies: gas, water, electricity, air conditioning system, flood
  Organisation structure – Agreed supplier maintenance agreement, SLA, project management of upgrades to the system, back-up regime in place, IAO assigned, IAA assigned