Information Asset Management Procedure:
Guidance and Handbook for Information Asset Owners and Information Asset Administrator Staff
Title / Information Asset Management Procedure: Guidance and Handbook for Information Asset Owners and Information Asset Administrator Staff
Purpose / To ensure a robust process for the management of the organisation’s Information Assets.
Audience / All staff within the CCG with particular focus on nominated Information Asset Owners.
Version / Version 3 / Issue Date / 23rd September 2016
Status / Approved / Review Date / September 2018
Owner / Chief Officer
Author / Head of Information Governance
Development group / Information Governance Leads
Superseded Documents / Information Asset Register Procedure
(Developed by Greater East Midlands Commissioning Support Unit)
Associated Documents / Information Governance Management Framework
Information Security Policy
Approved by / Information Governance Management & Technology Committee / Date / 23rd September 2016
Distribution list / All staff
Distribution Method / Internet Other
Contents
1. Introduction
2. Scope
3. Purpose
4. Roles and Responsibilities
5. Management of Information Assets
6. Identifying, Recording Information Assets and Risk Controls
7. Dates of Review (of the information asset)
8. Dates of Audit (of the information asset or departmental processes)
9. Monitoring (of this guidance)
Appendix 1 - Information Asset Risk Reporting Template to SIRO
Appendix 2 - Information Asset Template for New Information Assets
Appendix 3 - Risk Assessment Matrix
1. Introduction
1.1 This policy applies to the Nottinghamshire Clinical Commissioning Groups (CCGs), subsequently referred to in this document as the CCGs. They include:
NHS Mansfield and Ashfield CCG
NHS Newark and Sherwood CCG
NHS Nottingham North and East CCG
NHS Nottingham West CCG
NHS Rushcliffe CCG
The CCGs are separate, independent statutory organisations.
1.2 The key requirement from the Department of Health is for information risk to be managed in a robust way within work areas, and not to be seen as something that is the sole responsibility of IT or Information Governance (IG) staff.
1.3 Assurances need to be provided to the Senior Information Risk Owner (SIRO) in a consistent manner. To achieve this, a structured approach to the management of information assets is needed, building upon the existing Information Governance Management Framework.
1.4 This structured approach relies upon the identification of information assets, the collation of those assets on an asset register, and the assignment of ‘ownership’ of each asset to an Assistant Director (or equivalent).
1.5 Senior Information Risk Owner
1.6 The SIRO provides assurances regarding information management and risk to the organisation’s Accounting Officer, normally the Chief Officer.
1.7 Information Asset Owners
1.8 Information Asset Owners are senior individuals at Assistant Director level (or equivalent) involved in running the day-to-day business activities of the CCG. Their role is to understand and address risks to the information assets they ‘own’; they are responsible for ensuring that information risk is managed appropriately and that assurances are provided routinely to the SIRO.
1.9 Information Asset Owners (IAOs) are likely to be supported by staff within their area or Directorate who ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management, and ensure that information asset registers are accurate and up to date.
1.10 The key link for the management of information assets within the CCG is between the IAOs and the SIRO.
2. Scope
2.1 This guidance relates to all employees and appointees of the CCG, and to others working within the organisation in a temporary capacity, regardless of where they carry out their duties. These are collectively referred to as ‘individuals’ hereafter.
3. Purpose
3.1 To ensure a robust process for the management of the organisation’s Information Assets.
4. Roles and Responsibilities
4.1 Senior Information Risk Owner (SIRO)
4.2 The SIRO is a Governing Body member responsible for ensuring that organisational information risk is properly identified and managed, and that appropriate assurance mechanisms exist to support the SIRO role.
4.3 The SIRO’s responsibilities can be summarised as:
- Leading and fostering a culture that values, protects and uses information for the success of the CCG and benefit of its population.
- Owning the CCG’s overall information risk policy and risk assessment processes, ensuring they are implemented consistently by Information Asset Owners and agreeing action in respect of any organisational risks.
- Owning the CCG’s information incident management framework, ensuring that the CCG’s approach to information risk management is effective in terms of clear lines of responsibility and accountability, resources, commitment and execution and that this approach is communicated to all staff.
- Ensuring that effective mechanisms are established and publicised for responding to and reporting perceived or actual serious IG incidents.
4.4 The SIRO is required to undertake information risk management training at least annually to ensure their skills and capabilities are up to date and relevant to the needs of the CCG.
4.5 The SIRO is also required to maintain sufficient knowledge and experience of the CCG’s business and goals, with particular emphasis on the use of, and dependency upon, internal and external information assets.
4.6 Information Asset Owners (IAOs)
4.7 The organisation’s Assistant Directors (or equivalents) have been nominated to act as IAOs. They will:
- Lead and foster a culture that values, protects and uses information for the success of the CCG and for the benefit of its population.
- Understand the nature and justification of information flows to and from information assets, which will support ongoing work to identify flows of person identifiable information.
- Know who has logical access to the asset and why, whether it is a system or information, to ensure access is monitored and compliant with relevant legislation and guidance.
- Understand and address risks to the asset, and provide reporting and assurance to the SIRO.
- Protect and manage information, ensuring the asset is managed and operated in compliance with policies and standards.
- Complete and maintain their ‘slice’ of the information asset register, regularly provide assurance to the SIRO and report any risks (see the template in Appendix 1).
- Complete and/or attend training on information asset management and responsibilities.
4.8 Information Asset Support Staff
4.9 Traditionally, the information asset management structure has IAOs supported by Information Asset Administrators (IAAs); IAAs would ordinarily be operational staff with day-to-day responsibility for managing risks to their information assets.
4.10 It has been agreed that, due to the small number of staff within the CCG, this structure of accountability would not work, and therefore the key link will be between the SIRO and the IAOs. The SIRO will provide an integrated information asset management risk report to the appropriate Committee.
4.11 IAOs will in any event seek support from staff within their area with regard to the day-to-day management of information assets.
4.12 Head of Information Governance
4.13 The Information Governance function will be responsible for ensuring effective management, accountability, compliance and assurance for all aspects of Information Governance.
4.14 Key responsibilities include:
- Ensuring that IG targets and expectations, both internal and external, are met, specifically bringing together and prioritising work on initiatives including data protection, the Caldicott principles, information lifecycle management and information security.
- Ensuring robust security of electronic resources and encryption is implemented in line with DH guidelines and relevant local policies.
- Ensuring that the organisation complies with the requirements for mapping information flows and other records management initiatives.
- Supporting the work of the Caldicott Guardian and the SIRO.
- Identifying and reporting Information Governance risks.
- Providing advice and guidance on all aspects of IG and on all matters related to the Data Protection Act and related legislation.
- Developing and maintaining comprehensive and appropriate documentation that demonstrates commitment to, and ownership of, Information Governance responsibilities, such as the Information Governance Management Framework and associated policies and procedures.
- Ensuring that appropriate training is available to all staff and delivered in line with mandatory requirements.
- Maintaining a level of expertise required in order to deliver guidance and awareness to staff.
- Ensuring (through implementation of the Information Governance Management Framework and associated Information Governance policies) that all staff employed by the CCG (including agency staff, individuals on honorary contracts, management consultants and students who use and have access to information) understand their personal responsibilities for Information Governance and comply with the law.
- Ensuring that IG Toolkit (IGT) returns are completed and reported to the appropriate Committee.
- Supporting the Information Governance Management & Technology (IGMT) Committee to discharge its Information Governance responsibilities.
- Providing advice and guidance to commissioning staff regarding tendering and procurement processes to ensure that all services and contracted services have robust Information Governance in place.
- Periodically reviewing the CCG’s inventory of information assets.
5. Management of Information Assets
5.1 Information Asset Register
5.2 It is vital that the organisation establishes an information management programme to ensure that information assets are identified and assigned to an Information Asset Owner.
5.3 Information assets should be documented in the CCG’s information asset register. In practice, a number of CCG ‘asset’ registers may exist (e.g. departmental, finance, procurement, equipment, Freedom of Information requests), and many will be ad hoc. In order to establish organisational coherence, it should be possible to create a single information asset register which is, in effect, a ‘register of other registers’. As a priority, it is essential that all critical information assets are identified and included in the information asset register, together with details of:
- Name of asset and description;
- Asset/information ‘type’;
- Data which is held and or data flows (including asset/information provider);
- Location of asset;
- The ‘owner’ of the asset (the IAO);
- The risk assessment undertaken for confidentiality, integrity and availability, with the ratings recorded on the asset register;
- The safeguards/risk controls in place, recorded on the asset register;
- Access controls, including remote access, contracts/3rd party processing and identification of any overseas processing;
- Whether business continuity plans are in place;
- Planned reviews and/or audits.
5.4 The information asset register is not intended to replace any existing systems; it is an identification tool and should not duplicate information which is already held elsewhere. The SIRO should oversee a review of the asset register to ensure it is complete and robust.
5.5 Details of any new information assets should be sent to the CCG Information Governance link role using the Information Asset Template (Appendix 2), so that they can be added to the overarching information asset register.
6. Identifying, Recording Information Assets and Risk Controls
6.1 Identify Asset
6.2 Information assets (IA) are identifiable and definable assets, owned or contracted by an organisation, which are ‘valuable’ to the business of that organisation.
6.3 For the purpose of the initial collection of information assets:
6.4 Asset = data/information.
6.5 Information assets come in many shapes and forms, so the following list can only be illustrative. It is generally sensible to group information assets in a logical manner, e.g. where they all relate to the same information system or business process.
Types of Information Assets / Examples
Contains (large numbers of) Patient or Personal Confidential Information / HR System (ESR); Patient Administration Systems (Summary Care Record or SystmOne); Data Warehouse; Statistical Spreadsheets (containing PCD); Paper Patient Records or Notes (e.g. Continuing HealthCare, Complaints, Personal Health Budgets, Medicines Management etc.)
Information of Value to the Organisation / Project Documentation; Tenders; Service Specifications; Organisational Structures
Business Critical Information / Performance Reports; Strategies; Financial Information
Audits and Assurances / Financial Audits; IG Toolkit Returns and Evidence; 360 Assurance Reports; Independently Commissioned Reviews
Information about formal meetings/committees which your department ‘owns’ / Board Minutes; Committee Minutes
6.6 Confidentiality
6.7 The information asset will need to be assessed in the following areas:
6.8 Assessing that the information is shared only among authorised persons or organisations, and that sufficient safeguards are in place to protect the information from unauthorised access or disclosure.
6.9 Issues to consider: location and storage of the data, security of the system, who has access to the data, access controls, audit controls, how information is transferred, information sharing/flows, whether information is backed up and how often.
6.10 Examples of safeguards for confidentiality could include:
- Access controls for systems (username and password);
- Password protection of documents;
- Storage on the secure network drive (accessible to staff only through a username and password, with access restricted to specific areas of the G: drive);
- Access via Smartcard;
- Confidentiality agreements in place;
- Training and awareness on the system and on confidentiality issues.
6.11 Additional security measures will need to be in place for personal confidential data (patients and staff) and for confidential corporate information.
6.12 The following provides examples of information assets and their dependencies, and gives the reasoning for the risk assessment scores (see Appendix 3 for the risk assessment matrix):
- Example 1
An Access database holding a department’s staff details, including personal demographic details (name, home address and date of birth), or a spreadsheet of patient details including demographics and clinical details, stored on the C: drive of a CCG PC.
The system holds a substantial amount of personal confidential data, so ensuring the information is held securely is paramount to maintaining confidentiality and adhering to the Data Protection Act 1998.
The likelihood of this information being lost, stolen or accessed inappropriately is high because the local C: drive is not secured: anyone using that computer would be able to access the information, and if the computer were stolen the information would be taken with it.
The confidentiality risk rating for this information asset could be:
Impact = 3 (Medium)
Likelihood = 4 (Likely)
Total = 12 (A/R)
- Example 2
An organisational strategy document which is published directly on the CCG website.
As this has been published on the website it is available to the public, so there would not be any confidentiality issues.
However, it is worth noting that prior to publication the document could be classed as confidential corporate information, and should therefore be assessed for the risk to its confidentiality at that stage.
6.13 Integrity
The integrity of data is not only whether the data is ‘correct’ and accurate, but whether it can be trusted and relied upon.
For example, making copies of a sensitive document (by e-mailing the file) threatens both the confidentiality and the integrity of the information: once one or more copies are held by more than one person, the data is at risk of change or modification and the copies may diverge from the original.
Issues to consider: where information is stored, security of the system, who has access to the data, access controls, audit controls, how information is transferred, whether information is backed up and how often.
- Example 1
A sensitive document has no access controls, so information could be added, changed or deleted by anyone. In addition, there are no audit trails, so it would not be known whether copies of the data had been made and circulated.
The integrity risk rating for this information asset could be:
Impact = 3 (Medium)
Likelihood = 4 (Likely)
Total = 12 (A/R)
- Example 2
Information held on a database, where copies are also likely to exist on the network or in staff personal files. Changes could be made to those copies and no audit trail is available.
The integrity risk rating for this information asset could be:
Impact = 2 (Low)
Likelihood = 3 (Possible)
Total = 6 (A/G)
6.14 Availability
6.15 Assessing that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.
6.16 Issues to consider: system failures, whether business continuity plans are in place, whether information is backed up, remote access to the information, audit controls.
- Example 1
The G: shared drive. This information is crucial to the day-to-day running of the organisation and its functions.
Information is backed up on mirrored disks at various locations, so if one disk fails or there is an incident at one location the information can be retrieved from the server. Effective business continuity plans are in place and have been tested.
However, access is via the internet and therefore relies on the organisational internet connection and on wireless networks in the community.
The availability risk rating for this information asset could be:
Impact = 4 (High)
Likelihood = 3 (Possible)
Total = 12 (A/R)
- Example 2
The information is crucial to the running of the organisation and its services.
It is stored on the website, so it can easily be retrieved locally or remotely, and a copy is probably also held on the network drives.
The availability risk rating for this information asset could be:
Impact = 4 (High)
Likelihood = 1 (Rare)
Total = 4 (A)
7. Dates of Review (of the information asset)
7.1 The asset should be reviewed at least every 6 months, or when changes have been made to the system, to the staff using the system or to the organisational situation.
8. Dates of Audit (of the information asset or departmental processes)
8.1 Where a formal audit or maintenance of a system takes place, the date should be recorded on the information asset register.
9. Monitoring (of this guidance)
9.1 The Head of Information Governance will be responsible for implementing and monitoring the use of this guidance on an ongoing basis, and for ensuring the guidance is updated in accordance with any of the following:
- legislative changes;
- good practice guidance;
- significant incidents reported;
- near misses;
- new vulnerabilities; and
- changes to organisational infrastructure.
9.2 This guidance will be reviewed by the appropriate Committee every two years.
9.3 Any individual who has queries regarding the content of this guidance, or who has difficulty understanding how this guidance relates to their role, should contact the CCG’s IG link role and/or the Head of Information Governance for advice and assistance.
Appendix 1
Information Asset Risk Reporting Template to SIRO
Information Asset Owner
Information Asset Name(s)
Asset Reference(s) as on IA register
Date:
Risk Rating(s)- Amber and Red Risks
Impact / Likelihood / Total (G,A,R)
Confidentiality
Integrity
Availability
In considering the safeguards and controls, what are the residual risks?
Further actions required/being taken to eliminate/mitigate risk
Appendix 2
Information Asset Template for New Information Assets
Name of Asset
Description of Asset
Information Type
Type of Data
Asset Provider
Location of Asset
Information Asset Owner
Information Asset Support Staff
Date asset created
Risk Assessment:
Impact / Likelihood / Total
Confidentiality
Integrity
Availability
Date of Review
Date of Last Audit
Date of Next Audit
Information Processed outside UK / Yes/No
3rd Party Information Processing / Yes/No
Access Controls
Office use only