NHS Information Risk Management




NHS Information Risk Management
Digital Information Policy
NHS Connecting for Health
January 2009

Contents
- Introduction
- Roles and Responsibilities
- Information Assets
- Information Risk Policies
- Links with broader Information Governance
- Resources and Support
- Appendix 1: SIRO & IAO roles
- Appendix 2: Developing Information Risk Policies
- Appendix 3: Developing Forensic Readiness Policies
- Appendix 4: IG Security Accreditation

Introduction

This guidance is aimed at those responsible for managing information risk within NHS organisations. It reflects Government guidelines and is consistent with the Cabinet Office report on Data Handling Procedures within Government.

The key requirement is for information risk to be managed in a robust way within work areas and not be seen as something that is the sole responsibility of IT or IG staff. Assurances need to be provided in a consistent manner. To achieve this, a structured approach is needed, building upon the existing information governance framework within which many parts of the NHS are already working.

This structured approach relies upon the identification of information assets and assigning ownership of assets to senior accountable staff. These Information Asset Owners (IAOs) are likely to be supported within larger organisations by Information Asset Administrators (IAAs), or equivalents, who are operational staff with day to day responsibility for managing risks to their information assets. The IAOs are responsible for ensuring that information risk is managed appropriately and for providing assurances to a Board level lead termed a Senior Information Risk Owner (SIRO). The SIRO in turn provides assurances to an organisation's Accounting Officer, normally the Chief Executive. The following diagram illustrates this information risk management structure.

[Diagram: Structural Model. Columns for NHS Trust, PCT and General Practice. Levels shown: Accounting Officer (Chief Executive / PCT Chief Executive); SIRO (Board level SIRO / PCT SIRO); 1+ senior IAOs (Department Heads); 0+ IAAs for each IAO (operational staff responsible for one or more information assets). The General Practice column shows the Senior Partner and the Practice Manager.]

The aim is to ensure that the approach to information risk management:
- Takes full advantage of existing authority and responsibility structures where these are fit for this purpose;
- Associates tasks with appropriate management levels;
- Avoids unnecessary impacts on day to day business;
- Ensures that all the necessary activities are discharged in an efficient, effective, accountable and visible manner.

Roles & Responsibilities

The following high level role descriptions are supported by more detailed guidelines for SIROs and IAOs in Appendix 1.

Accounting Officer: The Accounting Officer has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risks should be handled in a similar manner to other major risks such as financial, legal and reputational risks.

SIRO: The SIRO is an executive who is familiar with and takes ownership of the organisation's information risk policy, and acts as advocate for information risk on the Board.

IAO: Information Asset Owners are senior individuals involved in running the relevant business. Their role is to understand and address risks to the information assets they own and to provide assurance to the SIRO on the security and use of those assets.

IAA: Information Asset Administrators ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management, and ensure that information asset registers are accurate and up to date.

Information Assets

Information assets come in many shapes and forms. Therefore, the following list can only be illustrative. It is generally sensible to group information assets in a logical manner, e.g. where they all relate to the same information system or business process. Tools to assist with the management of information assets are provided in the section on Resources and Support. Typical assets include:

Personal Information Content
- Databases and data files
- Back-up and archive data
- Audit data
- Paper records (patient case notes and staff records)
- Paper reports

Other Information Content
- Databases and data files
- Back-up and archive data
- Audit data
- Paper records and reports

System/Process Documentation
- System information and documentation
- Operations and support procedures
- Manuals and training materials
- Contracts and agreements
- Business continuity plans

Software
- Applications and System Software
- Data encryption utilities
- Development and Maintenance tools

Hardware
- Computing hardware including PCs, Laptops, PDAs, communications devices (e.g. BlackBerry) and removable media

Miscellaneous
- Environmental services, e.g. power and air-conditioning
- People skills and experience
- Shared services including Networks and Printers
- Computer rooms and equipment
- Records libraries

NB. Where Information Risk Management is constrained by time and resources, priority must be given to information assets that comprise or contain personal information about patients or staff.

Information Risk Policies

All organisations need clear information risk policies. It may be sensible for some organisations, e.g. PCTs, to develop policies which also cover their smaller business partners, e.g. local independent contractors. Guidance on developing information risk policies is provided in Appendix 2.

The information risk policy needs to define how the organisation and its delivery partners will manage information risk and how risk management effectiveness will be assessed and measured. The policy should support the organisation's strategic business aims and objectives and should enable staff to identify an acceptable level of risk, beyond which escalation of risk management decisions is always necessary.

The information risk policy should sit within the organisation's overall business risk management framework; information risk should not be managed separately from other business risks but should be considered a fundamental component of effective NHS Information Governance for all NHS organisations and be resourced accordingly. The organisation's Management Board or equivalent owns the information risk policy and its implementation. The organisation's SIRO is responsible for ensuring that the policy is developed and implemented and that it is reviewed regularly to ensure that it remains appropriate to the organisation's core business objectives and its operational risk environment. The information risk policy should be documented and communicated in a manner that is relevant, accessible and understandable to all staff and contractors of the organisation, including external delivery partners and support organisations.

Links with broader Information Governance

Information risk management is a component of information governance, but the introduction of an accountable hierarchy that sits with business managers rather than specialist staff requires a new approach. IAOs and SIROs need to be effectively supported to identify and mitigate information risk. Caldicott Guardians, information security experts, data protection staff and information governance generalists can all contribute to ensure that IAOs and SIROs receive this support. Key contributions will be the provision of staff training and support, inputting to and advising on the IAO's quarterly and annual information risk reviews, assisting with the delivery of mitigating actions and ensuring that the organisation's approach to managing information risk is accurately reflected in the Information Governance Toolkit assessment.

Resources and support

Detailed guidance on the SIRO and IAO roles is provided in Appendix 1. Guidance on the development of an Information Risk Policy is provided in Appendix 2. Guidance on the development of a Forensic Readiness Policy is provided in Appendix 3. Guidance on IG security accreditation is provided in Appendix 4.

Additional Resources

Example job descriptions
- Senior Information Risk Owner: www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/nhsinforiskmanagement/sirojd.doc
- Information Asset Owner: www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/nhsinforiskmanagement/iaojd.doc

Information classification guidelines
- www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/nhsinforiskmanagement/infoclassifications.doc

Training materials for SIROs and IAOs
- PowerPoint presentation: www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/nhsinforiskmanagement/trainingriskmgt.ppt

Example policy documents
- Information Risk Policy: www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/nhsinforiskmanagement/inforiskpolicy.doc
- Forensic Readiness Policy: www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/nhsinforiskmanagement/forensicspolicy.doc

Information Asset Register Tool
- Information Asset Register Tool: www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/nhsinforiskmanagement/assetregtool/
- Information Asset Register Tool: Guidance: www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/nhsinforiskmanagement/assetregtoolguide.doc

Appendix 1: Guidance for NHS Senior Information Risk Owners

Background

The establishment of the role of Senior Information Risk Owner (SIRO) within NHS organisations is one of several NHS Information Governance (IG) measures needed to strengthen information assurance controls for NHS information assets. These new arrangements are consistent with requirements introduced by Cabinet Office for Departments resulting from the data handling review in Government.

Role

The NHS SIRO should be a member of the Trust Board, or of an equivalent level within NHS organisations without Boards, who has allocated lead responsibility to ensure organisational information risk is properly identified and managed and that appropriate assurance mechanisms exist. Responsibilities of the SIRO may be in addition to other job responsibilities and, to avoid confusion, should be identified clearly within the role-holder's job description.

The SIRO's responsibilities can be summarised as:
- Leading and fostering a culture that values, protects and uses information for the success of the organisation and benefit of its customers
- Owning the organisation's overall information risk policy and risk assessment processes and ensuring they are implemented consistently by IAOs
- Advising the Chief Executive or relevant accounting officer on the information risk aspects of his/her statement on internal controls
- Owning the organisation's information incident management framework

NHS organisations should ensure their appointed SIRO possesses the necessary knowledge and skills to undertake their role effectively and to provide periodic evidenced statements of information assurance to their organisation's accounting officer for the annual Statement of Internal Control. The SIRO should undertake information risk management training at least annually to be able to demonstrate their skills and capabilities are up to date and relevant to the needs of the organisation.

The following table explores the functions and responsibilities that are appropriate to all NHS SIROs in greater detail.

Lead and foster a culture that values, protects and uses information for the success of the organisation and benefit of its customers
Responsibilities:
- to ensure the Organisation has a plan to achieve and monitor the right NHS IG culture, across the Organisation and with its business partners
- to take visible steps to support and participate in that plan (including completing own training)
- to maintain sufficient knowledge and experience of the organisation's business goals, with particular emphasis on the use of and dependency upon internal and external information assets
- to ensure the Organisation has Information Asset Owners (IAOs) who understand their roles and are supported by the information risk management specialists that they need
- to initiate and oversee an information risk awareness / training programme of work to communicate importance and maintain impetus
- to ensure that good information governance assurance practice is shared within the organisation and to learn from good practice developed and practised within other NHS organisations locally and nationally

Own the organisation's overall information risk policy and risk assessment processes and ensure they are implemented consistently by IAOs
Responsibilities:
- to act as the focal point for information risk management in the organisation, including resolution of any pan-organisation or other escalated risk issues raised by Information Asset Owners, Information Security Officers, Auditors etc.
- to develop and implement an IG Information Risk Policy that is appropriate to all departments of the organisation and their uses of information, setting out how compliance will be monitored
- to initiate and oversee a comprehensive programme of work that identifies, prioritises and addresses NHS IG risk and systems accreditation for all parts of the organisation, with particular regard to information systems that process personal data
- to ensure that Privacy Impact Assessments are carried out on all new projects when required, in accordance with the guidance provided by the Information Commissioner
- to review all key information risks of the organisation on a quarterly basis and ensure that mitigation plans are robust
- to ensure that NHS IG Policy, information risk management method and standards are documented, applied and maintained consistently throughout the organisation's information governance risk assessment and management framework
- to ensure that information risk assessment is completed on a quarterly basis, taking account of extant NHS Information Governance guidance
- to understand the information risks faced by the organisation and its business partners, ensuring that they are addressed and that they inform investment decisions, including outsourcing
- to ensure that information risk assessment and mitigating actions taken benefit from an adequate level of independent scrutiny

Advise the accounting officer on the management of information risk and provide assurance
Responsibilities:
- to ensure routine meetings are established with the organisation's Chief Executive or Accounting Officer to brief, discuss or report upon matters on information governance risk assurance and information risk culture affecting the organisation, including input to the annual NHS IG reporting processes
- to sign off an annual assessment of performance, including material from the IAOs and specialists, covering NHS Information Governance reporting requirements

Own the organisation's information incident management framework
Responsibilities:
- to ensure that the organisation has implemented an effective information incident management and response capability that supports the sharing of lessons learned
- to ensure that there is a considered and agreed IG incident response and communications plan available, including the reporting of perceived or actual Information Governance Serious Untoward Incidents (IG SUIs)
- to ensure that the organisation's management, investigation and reporting of IG SUIs conforms to national guidance and does not conflict with the organisation's policies and procedures for non-IG SUIs (e.g. clinical incidents)

Guidance for NHS Information Asset Owners

Background

Information Asset Owners (IAOs) have been required for a number of years for those organisations that have been working with the NHS Information Governance Toolkit (IGT). This guidance builds upon the existing guidance on the management of information assets provided in the IGT in order to strengthen information assurance controls for NHS information assets. These arrangements are consistent with requirements introduced by Cabinet Office for Departments resulting from the data handling review in Government.

Role

Information Asset Owners are directly accountable to the SIRO and must provide assurance that information risk is being managed effectively in respect of the information assets that they own. It is important to distinguish IAOs from those staff who have been assigned responsibility for day to day management of information risk on behalf of the IAOs, but are not directly accountable to the SIRO. The SIRO/IAO hierarchy identifies accountability and authority to effect change where required to mitigate identified risk.

IAOs are responsible for:
- Leading and fostering a culture that values, protects and uses information for the success of the organisation and benefit of its customers
- Knowing what information comprises or is associated with the asset, and understanding the nature and justification of information flows to and from the asset
- Knowing who has access to the asset and why, whether it be system or information, to ensure access is monitored and compliant with policy
- Understanding and addressing risks to the asset, and providing assurance to the SIRO

NHS organisations need to ensure that their IAOs possess the necessary support, knowledge and skills to undertake their role effectively and to provide periodic evidenced statements of information assurance to their SIRO. The IAO should undertake information risk management training at least annually to be able to demonstrate their skills and capabilities are up to date and relevant to the needs of the organisation.

The following table explores the functions and responsibilities that are appropriate to all NHS IAOs in greater detail.

Aspect of IAO Role: Lead and foster a culture that values, protects and uses information for the success of the organisation and benefit of its customers
Responsibilities:
- to understand the Organisation's plans to achieve and monitor the right NHS IG culture, across the Organisation and with its business partners
- to take visible steps to support and participate in that plan (including completing own training)
- to ensure that staff understand the importance of effective information governance and receive appropriate education and training

Aspect of IAO Role: Knows what information the asset holds, and what enters and leaves it and why
Responsibilities:
- to consider whether better use of any information held is possible, within applicable information governance rules, or where information is no longer required
- to maintain an understanding of owned assets and how they are used
- to approve and minimise information transfers while achieving business purposes
- to approve arrangements where it is necessary for information to be put onto portable or removable media like laptops and CD-ROM, and ensure information is effectively protected to NHS information governance standards
- to approve the information disposal mechanisms for the asset

Aspect of IAO Role: Knows who has access and why, and ensures their use is monitored and compliant with policy
Responsibilities:
- to understand the organisation's policies on the use of information and the management of information risk
- to ensure decisions on access to information assets are taken in accordance with NHS information governance good practice and the policies of the organisation
- to ensure that access provided to an asset is the minimum necessary to satisfy business objectives
- to ensure that the use of the asset is checked regularly and that use remains in line with policy

Aspect of IAO Role: Understands and addresses risks to the asset, and provides assurance to the SIRO
Responsibilities:
- to seek advice from information governance subject matter experts when reviewing information risk
- to conduct Privacy Impact Assessments for all new projects that meet the criteria specified by the Information Commissioner
- to undertake quarterly risk assessment reviews for all owned information assets in accordance with NHS Information Governance guidance and report to the SIRO, ensuring that information risks are identified, documented and addressed
- to escalate risks to the SIRO where appropriate and to make the case where necessary for new investment to secure owned assets
- to provide an annual written assessment to the SIRO for all assets owned by them

Appendix 2: Developing Information Risk Policies

1. This guidance is based on and extends existing NHS Information Governance guidance materials and is compliant with the NHS adopted ISO/IEC 27001 and ISO/IEC 27002 information security management standards. It aims to provide NHS consistency with those requirements identified in the final report on Data Handling Procedures in Government to protect information, including personal data.

Information Risk Policy: Purpose

2. The organisation's information risk policy will define how the organisation and its delivery partners will manage information risk and how risk management effectiveness may be assessed and measured. In so doing, the information risk policy supports the organisation's strategic business aims and objectives and should enable employees throughout the delivery chain to identify an acceptable level of risk, beyond which escalation of risk management decisions is always necessary.

3. The intent set out within the organisation's information risk policy should be sufficiently generic to be applicable across the organisation and its delivery partners, whilst providing sufficient detail to ensure consistency across a range of business environments, and for actions necessary by Information Asset Owners (IAOs) of the organisation.

4. The information risk policy therefore fits within the NHS organisation's overall business risk management framework; information risk should not be managed separately from other business risks but should be considered a fundamental component of effective NHS Information Governance for all NHS organisations.

Information Risk Policy: Ownership and Responsibilities

5. The organisation's Management Board or equivalent owns the information risk policy and its implementation. The organisation's SIRO is responsible for developing and implementing this policy and for reviewing it regularly to ensure that it remains appropriate to the organisation's core business objectives and its operational risk environment.

6. The information risk policy should be documented and communicated in a manner that is relevant, accessible and understandable to all staff and contractors of the organisation, including external delivery partners and support organisations.

Information Risk Policy: Content

7. The following table identifies the various elements that need to be included in an information risk policy. An example policy is also provided. The information risk policy should include:
- A definition of information risk and the importance of managing information risks
- A statement of intent by management, including situations where the organisation can only influence its delivery and support partners
- A description of the information risk management structure within the organisation with specific roles and responsibilities
- The strategic approach to information risk management (including the organisation's approach to risk appetite, risk tolerance and the sharing of data), including details of the adopted information risk assessment methodology
- The applicable legal and regulatory requirements, NHS Information Governance Codes of Practice and other policies and guidance to be used in the management of NHS information risk, covering physical, procedural, personal and technical measures
- An outline of risk escalation and reporting procedures and the organisation's policy for information risk management decisions
- A plan to introduce the necessary changes in culture to ensure that information, in paper or digital form, is valued, protected and used for the good of patients and staff
- Requirements for staff awareness and training, including the corporate and individual consequences of failure to apply the organisation's policies and practices
- The description and location of HR policies associated with failure to adopt expected procedures on handling confidential or sensitive data
- A threat assessment (or reference to an alternative source where it is inappropriate to publish such information in its totality)
- Minimum requirements for risk inspections, reviews, monitoring and audit
- External accountability and status or progress reporting
- Incident or abnormal event reporting, recovery and contingency policy and procedures
- Minimum requirements for system accreditation and events or conditions that must trigger review and re-accreditation

Appendix 3: Forensic Readiness Policy

1. This guidance is based on and extends existing NHS Information Governance materials and is compliant with the NHS adopted ISO/IEC 27001 and ISO/IEC 27002 information security management standards. It aims to provide NHS consistency with those requirements identified in the final report on Data Handling Procedures in Government to protect information, including personal data.

Purpose

2. Forensic readiness is a key component in the management of NHS information risk. This document explains what forensic readiness is and how it can assist information risk management within NHS organisations. It then provides guidance on what NHS organisations should use forensic readiness for and how to go about it.

3. Forensic readiness is the capability of an organisation to use digital evidence in a forensic investigation. Any investigation involving Information and Communications Technology (ICT) systems is likely to involve digital evidence and will therefore involve forensic investigation and benefit from forensic readiness. If digital evidence is to be recovered and analysed as part of an investigation then it should be done in a manner that is systematic, standardised and legal, in order to ensure the admissibility of that evidence in case it has to be produced in a legal case or disciplinary hearing.

Why is Forensic Readiness Needed?

4. The requirement for forensic readiness arises from the universal use of ICT systems in organisations. Digital evidence is therefore likely to feature in a wide range of investigations or disputes involving NHS organisations, including (but not confined to):
- Patient Confidentiality breaches and complaints requiring investigation;
- Security incidents: unauthorised access to, tampering with or use of ICT systems, electronic attack, including denial of service and malicious software ("malware") attacks (viruses, worms, Trojan horses);
- Criminal activities: fraud, deception, money laundering, threats, blackmail, extortion, harassment, stalking;
- Commercial disputes: intellectual property rights;
- Disciplinary issues: accidents, negligence, malpractice, abuse of acceptable use policy, grievance procedures;
- Privacy issues: identity theft, invasions of privacy, compliance with the Data Protection Act and other relevant legislation.

5. These scenarios all present risks to NHS organisations' information assets (information and information systems). Without adequate mitigation, these risks could damage the business and/or undermine the reputation of the organisation, potentially resulting in substantial added costs, disruption to NHS services and corporate embarrassment. Forensic readiness should be considered by all NHS organisations for these reasons.

The Business Context

6. Forensic readiness can be used to help manage the information risks to NHS organisations and their services listed above. The risk of any of the scenarios listed occurring will vary between organisations. NHS organisations processing large volumes of patient data and large sums of money are likely to be subject to higher threats/risks, including possible attraction to criminals seeking to perpetrate identity theft and/or fraud. However, all NHS organisations have staff, contractors and suppliers, and forensic readiness may yield business benefits in the event of a dispute involving any of them.

7. Forensic readiness can be used to support an organisation in either pursuing or defending itself against legal action. For example, forensic readiness may enable an organisation and its staff to demonstrate that due care/due diligence was followed in patient care processes. Forensic readiness should also deter some illegal/unauthorised actions in the first place because of the greater likelihood that they will be detected and/or unsuccessful and the perpetrators subjected to legal or disciplinary measures.

8. As a result of these business benefits, Senior Information Risk Owners (SIROs) and Information Asset Owners (IAOs) of all NHS organisations should assess their requirement for forensic readiness, taking into account the estimated costs incurred and balancing this against the risks of not having a forensic readiness capability. For some organisations, a low level of risk may not justify the costs of acquiring a forensic readiness capability, but the organisation concerned should be able to demonstrate that it has assessed the risks and the costs and justify its decision if required to do so. Regular risk assessment should assist organisations in this process.

9. Where organisations assess that they have a requirement for forensic readiness, they should produce and maintain a forensic readiness management plan, guidance on which is provided below.

Forensic Readiness Good Practice

Overall responsibility for ensuring that the organisation has assessed its requirement for forensic readiness and, where appropriate, has produced a forensic readiness management plan, rests with the SIRO, at board level. Where an organisation assesses that it requires a forensic management plan, it should identify a suitably qualified and experienced forensic readiness manager (who may also hold other information assurance or security responsibilities within the organisation). The forensic readiness manager is responsible for producing, maintaining and implementing the organisational forensic management plan and for managing forensic investigations within the organisation. Because it is essential that forensic evidence is preserved and admissible, the forensic readiness/investigation manager should have sufficient authority, or at least access to authority (ultimately the SIRO), to enable decisions concerning business-critical ICT systems to be made in a timely manner.

Complex or large-scale forensic investigations may require an investigation team and necessitate the use of commercial IT forensic services. Some NHS organisations already have considerable local expertise and experience in forensic readiness, legislation, evidence gathering and investigation, while others are likely to require professional assistance. Accredited Local Counter Fraud Specialists and Internal Computer Audit Specialists are both likely to be able to assist in providing relevant forensics advice. Further specialist assistance is available from various commercial providers of IT forensic services. For details of the forensics support service offered by the NHS Counter Fraud and Security Management Service see www.cfsms.nhs.uk/doc/isd/fcu.leaflet.pdf

Forensic Readiness Planning Guidance

10. The Forensic Policy and the associated plan should address the following activities, which are central to effective forensic readiness and the successful outcome of forensic investigations:

- Document the organisation's objectives for forensic readiness, ensuring that it is aimed at detecting and deterring major incidents;
- Define the organisation's business risks that require digital evidence to be collected;
- Identify available sources and forms of digital evidence;
- Assess the requirement for collecting digital evidence;
- Establish a capability for securely gathering legally admissible evidence to meet the requirement;
- Develop a policy for the secure storage and handling of digital evidence;
- Specify the circumstances in which a full formal investigation (which may use the digital evidence) should be launched;
- Provide staff training and awareness in forensic readiness and digital evidence, so that all those involved understand their responsibilities and the legal issues concerning digital evidence;
- Document an evidence-based case, describing the incident and its impact;
- Incorporate a legal review to ensure compliance with relevant legislation and facilitate action in response to the incident.

11. Further information on each of these activities is available in:

- NISCC Technical Note 01/2005, An Introduction to Forensic Readiness Planning, 27th May 2005, available at www.cpni.gov.uk/docs/re-20050621-00503.pdf
- ACPO Good Practice Guide for Computer based Electronic Evidence V3, available at www.acpo.police.uk/asp/policies/data/gpg_computer_based_evidence_v3.pdf

Appendix 4 Accreditation

1. This guidance is based on and extends existing NHS Information Governance materials and is compliant with the NHS-adopted ISO/IEC 27001 and ISO/IEC 27002 information security management standards. It aims to provide NHS consistency with the requirements identified in the final report on Data Handling Procedures in Government to protect information, including personal data.

2. Within this accreditation guidance the term System Level Security Policy (SLSP) is used and should not be confused with the terms Corporate Security Policy (CSP) or Organisational Security Policy (OSP). Where described elsewhere, a CSP or OSP defines organisational aims and commitments to achieve a good IG security management structure and staff working practices more generally.

Accreditation Purpose

3. Accreditation is the method through which an NHS information asset can be risk assessed and assured to comply with NHS IG security policy, standards, legal requirements and expected good working practices. Accreditation processes also provide essential and appropriate assurance to stakeholders, including the Senior Information Risk Owner (SIRO). Such accreditation assurances are that:

- The IG security risks to the information asset and its data have been considered and assessed on a regular basis;
- The required IG security measures have been implemented correctly and cannot be bypassed;
- The IG security risks arising from use of the information asset are acceptable to its provider and other stakeholders.

Who is responsible for Accreditation of NHS information assets?

4. Each organisation's Information Asset Owner (IAO) is responsible for risk management and accreditation of assets under their control. In large organisations there may be multiple IAOs, each with their own assigned assets to accredit. The IAO may also be supported in their accreditation processes through contributions from Information Asset Administrators (IAAs), Information Security, Audit, IT and other relevant staff or contractors, including external service providers.

5. The IAO should ensure that accreditation is achieved for all assets they own. They should also consider their assets' ongoing IG accreditation needs within the organisation's overall risk management and reporting framework.

6. The IAO may be supported through project management arrangements that ensure information asset accreditation is prioritised and documented, and that its processes are comprehensively undertaken.

IG Accreditation as part of new Project Development processes

7. An initial System Level Security Policy (SLSP) should be developed as early as possible within the project lifecycle, preferably at the project initiation stage. This is important from the project, security and risk management viewpoints, as it allows information governance requirements and specifications to be included at the earliest opportunity. This SLSP approach ensures that information security functions are included within the proposed design of the information asset from the outset, and not as potentially expensive or unworkable post-implementation add-ons.

8. The IAO, project manager, information security manager and others may collaborate to consider and produce an initial SLSP statement. It should be noted that for many smaller, low-risk, local assets this initial SLSP may be all that is required for accreditation purposes.

9. Where a project proceeds beyond its investigation stage, the initial SLSP should be further developed into a full or baseline SLSP that will be used, maintained and refined throughout the project's lifecycle. This baseline SLSP should then be reviewed and refined regularly through the specification, design, development, implementation and post-implementation management stages of the project. These reviews will consider technical, operational and procedural measures to ensure the asset achieves its security objectives and that perceived risks are addressed. During these reviews, contributors to the SLSP may identify and recommend new countermeasures, the withdrawal of redundant measures or the strengthening of existing security features.

10. The IAO, through their judgement, may decide not to implement one or more recommended security measures and accept the risks to the information asset. Where this is the case, the decisions should be recorded within the accreditation documentation for the asset and, where appropriate, within the organisation's risk register. In exceptional circumstances where there is disagreement about the acceptability of one or more risks, the relevant issues should be escalated to the organisation's Senior Information Risk Owner (SIRO) and Risk Management Board for resolution.

11. All NHS information assets will benefit from information governance accreditation. Streamlined processes may be implemented for those information assets that do not process confidential patient, sensitive or other business-critical information and are considered low risk.

12. Information assets that are locally procured, developed or implemented without formal project management should still be subject to information governance accreditation, following the principles described in this guidance. The level of accreditation required will vary with the nature of the information asset, the assessed risks and the organisation's local arrangements for information asset accreditation.

Accreditation documentation

13. By its nature, information contained within accreditation documentation may be sensitive, and such documentation will therefore require appropriate management. A protective marking of NHS CONFIDENTIAL may therefore be relevant.

The initial System Level Security Policy (SLSP)

14. This accreditation document is likely to be developed by those individuals with the best knowledge of the proposed information asset, its intended purposes and its operating environment. The initial SLSP will usefully contain sections dealing with the following aspects:

- Introduction and basic facts about the information asset
- Identified information governance responsibilities
- Status of this SLSP document
- Asset description and purpose
- Asset components (aspects within SLSP scope)
- IG security and confidentiality requirements and expected functions, e.g. access controls, audit trails, etc.

The full or Baseline System Level Security Policy (SLSP)

15. The baseline SLSP will contain expanded detail over and above the initial SLSP document described above, although structured in much the same way. When available, the baseline SLSP should benefit from the identified threats to the information asset, its vulnerabilities and the countermeasures that mitigate perceived risks. These will be useful for regular risk assessments during the lifecycle of the information asset. A typical structure for a full SLSP might be:

- Introduction and basic facts about the information asset
- Asset description and purpose
- Asset components (aspects within SLSP scope)
- Information Governance responsibilities
- IG security and confidentiality requirements and expected functions
- Description of security domains within scope (including any overlaps with assets under the control of business partners), e.g. the operational boundaries within which controls can be deployed and managed
- Security functions description
- Security management arrangements, including references to external documentation or procedures
- Assumptions and external dependencies

The above contents are illustrative and are not exhaustive of all possibilities, particularly where an information asset and its data may be shared across multiple domains or organisations.

16. It should be noted that existing information asset documentation, including asset register data and any risk assessments undertaken, provides much of the technical and other information required for the SLSP and will avoid duplication. External documentation may support the SLSP and may help to ensure its overall accuracy and manageability.

Other accreditation issues

17. Depending upon the information asset's size and complexity, additional IG security management documentation may be necessary. This additional documentation may describe the security requirements and assurance measures applicable to interconnection between multiple domains or to special procedures.

18. Information assets and their accreditation requirements may be reprioritised, extended or altered over time, as each asset's purposes and configuration might change. The aim is therefore to achieve and sustain a comprehensive repository of reliable and re-usable accreditation documentation that underpins the organisation's approach to information risk management.

Change Control

19. Accreditation documentation requires rigorous control if it is to remain up to date, useful, effective and re-usable. Change management controls that apply throughout an information asset's project lifecycle should therefore also apply to the accreditation documentation. It is recommended that an accreditation documentation review be undertaken in line with the organisation's risk management reporting requirements, and at least annually.

IG Assurance and Accreditation checks

20. The Senior Information Risk Owner will regularly require assurance reports that the organisation's information assets continue to satisfy the information governance requirements documented within accreditation documentation and that relevant controls remain effective. This normally means checks that:

- the information asset's security functions counter all relevant threats;
- the controls of the information asset are configured and operate correctly;
- throughout the operational lifetime of the information asset, including post-implementation changes, expected controls continue to exist or are replaced by ones providing greater effect.

21. The IAO should therefore arrange to undertake formal information assurance checks as part of their accreditation programme. These should be undertaken by suitably qualified and skilled individuals supporting the process under the IAO's direction, and should:

- ensure the information asset's implemented design conforms with the security measures specified;
- test the security functions for their correct effect;
- test the adequacy of the asset's security functions to address perceived risks;
- identify and document areas of potential weakness for possible improvement;
- ensure compliance with legal obligations and with NHS IG policy and standards.

Assurance reporting

22. The baseline SLSP and any related documentation should provide evidence of accreditation to the IAO, who should, after any necessary checks, sign a formal note of accreditation for the asset. This note should acknowledge that the information asset has an appropriate security design to address the assessed risks and operates according to its documented SLSP.

23. In some circumstances, the IAO's accreditation sign-off may be conditional, and any identified dependencies or conditions should be noted. In such cases, it will be normal for a work-off plan and timeline to be agreed with the IAO for any necessary improvements.

24. When complete, information asset accreditation documentation should be stored securely by the IAO and revisited under change control when there are requirements for risk management, information assurance reporting or re-accreditation.