Information Security Assurance - NHS Business Partners
Guidance
Requirement 307
Has the NHSBP established a register of all its information assets and assigned responsibility or ‘ownership’ for each asset?
Objective: To achieve and maintain appropriate protection of all organisation information assets.
All information assets of the NHSBP should be identified and have a nominated Information Asset Owner (IAO). Accountability for assets helps to ensure that appropriate protection is maintained. Senior Information Risk Owners should ensure owners are identified for all Information Assets with responsibility for managing the risks to those assets. Whilst responsibility for implementing and managing Information Asset controls may be delegated to Information Asset Administrators or equivalent, accountability should remain with the nominated owner of the asset.
This requirement addresses ISO/IEC 27002:2005 control ref 7.1.
Information Assets
Information Assets (IA) are identifiable and definable assets, owned or contracted by an organisation, which are ‘valuable’ to the business of that organisation. Information assets will likely include the computer systems and network hardware, software and supporting utilities, and the staff that are required to process this data. Non-computerised records systems should also have an asset register containing the relevant file identifications and storage locations.
There are many possible Information Assets. These include:
o Information: Databases, system documents and procedures, archive media/data etc.
o Software: Application programs, system, development tools and utilities.
o Physical: Infrastructure, equipment, furniture and accommodation used for data processing.
o Services: Computing and communications, heating, lighting, power, air-conditioning used for data processing.
o People: Their qualifications, skills and experience in use of information systems.
o Others less tangible: For example, public confidence in the organisation’s ability to ensure the Confidentiality, Integrity and Availability of their personal data.
As these categories suggest, Information Assets are not necessarily objects. Business processes and activities, applications and data should all be considered as Information Assets; however, their importance to the NHSBP may vary.
Information Asset Owners (IAO)
The word ‘owner’, when used in this requirement, is taken from the ISO 27002 Information Security Management standard. It should not be confused with the term ‘data owner’, as used by the Data Protection Act 1998. The standard defines an owner as a member of staff senior enough to make decisions concerning the asset at the highest level.
The IAO can assign day-to-day responsibility for each Information Asset to an Information Asset Administrator (IAA) or other manager, and this should be formalised in job descriptions. The role of the Information Asset Owner is to understand what information is held, what is added and what is removed, how information is moved, who has access and why. As a result they should be able to understand and address risks to the information and to ensure that information is fully used within the law for the public good. The Information Asset Owner will also be responsible for providing, or contributing to, regular written reports to the Senior Information Risk Owner (SIRO), at a minimum annually, on the assurance and usage of their asset.
It is important that “ownership” of Information Assets is linked to a post, as opposed to a designated individual, to ensure that responsibilities for the asset are passed on, should the individual leave the NHSBP or change jobs within it.
Information Asset Register
It is vital that all NHS organisations establish programmes that ensure their IAs are identified and assigned to an IAO. The SIRO should oversee a review of the asset register to ensure it is complete and robust.
Information Assets should be documented in an organisation asset register. In practice, a number of NHSBP asset registers may exist (e.g. departmental, Freedom of Information Act), and many will be ad hoc. In order to establish corporate coherence, it should be possible for a single asset register to be created for the NHSBP. As a priority, it is essential that all critical Information Assets are identified and included in this asset register, together with details of the “Information Asset Owner” and the risk reviews undertaken or planned. To improve its usability and maintainability, the Information Asset register may be service-based rather than location-based.
The best type of asset register will link all the categories listed above. It makes good risk management sense to group all of the components that relate to the same information asset or business process together. For example, you might put an IT system, its system documentation, the data held within it and the skills of staff who administer it into one IA category.
Details of a business process, such as a particular employment position, should be seen as an asset, with job description, location in organisational structure, qualification/experience necessary for the position, employee development plan, etc. all linked to the asset.
Each Information Asset Owner should be aware of what information is held, and the nature and justification of information flows to and from the assets they are responsible for.
Improvement plans
· Level 1
The NHSBP SIRO should ensure Information Asset Owner roles and responsibilities are assigned. IAO responsibility will include contribution to and implementation of an action plan to ensure a comprehensive Information Asset register is developed that includes all Information Assets of the NHSBP.
· Level 2
The NHSBP SIRO and IAOs should ensure all Information Assets are included in the NHSBP’s Information Asset register, which identifies each recorded asset’s ownership, components, key dependencies, and risk assessment and management history.
· Level 3
The NHSBP’s SIRO and IAOs should ensure the Information Asset register is routinely reviewed, its content checked for accuracy and completeness, and updated under change control as necessary. The NHSBP should also undertake regular consistency audits reconciling recorded assets against physical assets and vice versa.
Requirement checklist
IS_NHSBP_307_V7_Checklist 09-02-11.doc
Key Guidance Document(s):
DH: Information Security NHS Code of Practice
The Code is a guide to the methods and required standards of practice in the management of information security for those who work within or under contract to, or in business partnership with NHS organisations in England. It is based on current legal requirements, relevant standards and professional best practice and replaces HSG 1996/15 – NHS Information Management and Technology Security Manual.
BS ISO/IEC 27000 series of information security standards
Note that only NHS Information Governance Toolkit (IGT) administrators may download a copy of the standards for their organisation. The administrator must be logged on to download the standards.
NHS Information Risk Management: Good Practice Guidance
This guidance, published in January 2009, sets out the roles and responsibilities of Senior Information Risk Owners and Information Asset Owners. It includes sections dealing with Information Risk Policy, Forensic Readiness Policy and Information Security Accreditation that are all relevant to the role of the Information Security Officer.
System Level Security Policy (SLSP)
A template for defining system level security arrangements. This template is relevant to the Good Practice Guide above. It should be read in conjunction with the section specifically addressing security policy.
Exemplar materials:
The following are not model publications but examples of real documents in use by organisations that represent elements of good practice. They have been made available for organisations to adapt, use and improve on as they see fit.
Walton Centre for Neurology and Neurosurgery NHS Trust
Asset management Standard
This document is part of a BS7799-certified Information Security Management System (the international version, ISO 17799, is now known as ISO 27002). The full ISMS, suitably desensitised, is available here.
Critical Applications Review
Leavers Checklist