Information Asset Risk Assessment Procedure

Transcription

1 Information Asset Risk Assessment Procedure UNIQUE REF NUMBER: AC/IG/012/V1.2 DOCUMENT STATUS: Approved by Audit Committee 19 June 2013 DATE ISSUED: June 2013 DATE TO BE REVIEWED: June P age

2 AMENDMENT HISTORY VERSION DATE AMENDMENT HISTORY V1 June 2013 Version approved by Audit Committee 19 June 2013 AC/IG/012/V1.1 December 2013 Addition of branding and formatting changes in line with Policy for Development of Policies AC/IG/012/V1.2 February 2014 Addition of unique reference number prior to publication REVIEWERS NAME DATE TITLE/RESPONSIBILITY VERSION Donna Dallaway June 2013 CSU Information Governance Manager V1 Matthew Hartland June 2013 Chief Finance Officer V1 Julia Dixon June 2013 Staff Side Representative V1 APPROVALS This document has been approved by: NAME DATE TITLE/RESPONSIBILITY VERSION CCG Audit 19 June 2013 Delegated authority from Board V1 Committee NB: The version of this policy used on the intranet must be a PDF copy of the approved version. DOCUMENT STATUS This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of the document are not controlled. RELATED DOCUMENTS These documents will provide additional information: REFERENCE NUMBER AC/IG/010 AC/IG/013 AC/IG/008 GB/AC/001 AC/IG/002 DOCUMENT TITLE Data Protection Policy Information Governance Policy Pseudonymisation Policy Corporate Records Policy/Retention/Destruction Procedure Risk Management Strategy Staff Code of Conduct on Confidentiality VERSION APPLICABLE LEGISLATION Data Protection Act 1998 Caldicott: Report on the Review of Patient Identifiable Information 1997 Department of Health: Information Risk Management Good Practice Guidance GLOSSARY OF TERMS TERM ACRONYM DEFINITION Senior Information Risk Officer SIRO Takes ownership of information risk and is a key factor in successfully raising the profile of information risk and to embedding information risk management in Dudley 2 P age

3 CCG s culture. Information Asset Officer IAO Individual appointed is responsible for ensuring that specific information assets are handled and managed appropriately. This means making sure that information assets are properly protected and that their value to the organisation is fully exploited. Information Asset Administrator IAA Primary role is to support the IAO to fulfil their responsibilities. IAAs will ensure that policies and procedures are followed, recognise actual or potential security incidents, consult with their IAO on incident management and ensure that information asset registers are accurate and up to date. 3 P age

4 CONTENTS PAGE NO POLICY OVERVIEW Introduction Purpose Who this Policy applies to 5 THE POLICY Responsibilities Information Assets Risk Assessment Abnormal Occurrences 6 Appendix 1 Risk Assessment 4 P age

5 POLICY OVERVIEW 1.0 Introduction 1.1 Information and information systems are important assets to the CCG and they can be essential for the corporate identity of the CCG and for patient care. This procedure ensures that information risk is managed in a robust way within the CCG. 1.2 Risk is the threat that an event or action will adversely affect the CCG s information assets. This procedure outlines the process regarding information assets to identify risks, analyse the likelihood and impact of their occurrence and then decide what action to take to prevent, minimise, accept or transfer these risks. 1.3 All CCGs are required to:- Regularly assess the risk of all information assets Monitor access to all information assets Provide assurance to the Senior Information Risk Officer (SIRO) and Accountable Officer 1.4 The CCG must also monitor the use of personal confidential data for secondary uses. The CCG must ensure that the information assets used for secondary uses are in line with the organisation s Pseudonymisation Policy. As part of the risk assessment process the pseudonymisation solution must also be checked to ensure that the data is fully pseudonymised. 2.0 Purpose The purpose of this policy is to provide NHS Dudley CCG (Dudley CCG) staff with a framework in regards to Information Asset Risk Assessment. 3.0 Who this Policy applies to 3.1 The policy applies to any person directly employed by, contracted or volunteering with Dudley CCG. This procedure is for all Information Asset Owners (IAO) to follow when conducting a risk assessment of the information assets within their area. Dudley CCG is committed to ensuring the confidentiality and security of personal confidential data and ensures that the records management is of a high quality. This can be verified and maintained through annual risk assessments of the CCG s information assets. THE POLICY 4.0 Responsibilities 4.1 Accountable Officer The Accountable Officer for the CCG is the Chief Accountable Officer. The Accountable Officer has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. 4.2 Senior Incident Reporting Officer (SIRO) The SIRO for the CCG is the Chief Finance Officer. The SIRO is the advocate for information risk within Dudley CCG. 5 P age

6 4.3 Information Asset Owner (IAO) Information Asset Owners are senior individuals, usually Chief Officers or Heads of Services. Their role is to understand and address risks for the information assets they own and to provide assurance to the SIRO. 4.4 Information Asset Administrator (IAA) Information Asset Administrators are the deputies for the IAOs and are usually Department Managers. The IAA ensures that staff adhere to policies and procedures. The IAA must consult their IAO on any potential or actual risks to the asset and ensure that information asset registers are accurate and up to date. 5.0 Information Assets 5.1 Information assets can be an array of forms and documents. The below is a list of what may be an asset, please note that this list is not exhaustive: Databases (including excel and access files) Data files Paper records Back-up and archive data Applications System software Policies and procedures Audit information Encrypted data 6.0 Risk Assessment 6.1 The risk assessment for the assets must be standardised across the CCG. Appendix 1 provides a standard checklist for which information assets must be assessed for. 6.2 The grading and scoring of the risk must be in line with the CCG s Risk Management Policy which is available via the following link; All risk assessments undertaken will be sent to the Governance Department to be entered on to the Risk Register. The reports will be reported to the SIRO via the Audit Committee. 7.0 Abnormal Occurrences 7.1 If a member of staff has been made aware of an immediate risk due to an unusual occurrence, for example virus threat, they must inform the IAA or IAO who must take all reasonable steps to avert the risk/threat. Following this a risk assessment must be completed showing the risk and actions taken and the likelihood of a reoccurrence. 6 P age

7 Appendix 1 Risk Assessment Threat Risk Possibility Comments Actions Outcome L S L x S Unauthorised use of application Misuse of Asset Communications Interception Network Failure Server Failure Storage Capacity Pseudonymisation Technical Failure Data Quality User Error Other risks identified 7 P age