NHS Information Risk Management - PowerPoint PPT Presentation
1
NHS Information Risk Management Assurance Framework
  • National Information Governance Conference
  • 25th February 2009
  • Alistair Donaldson & James Wood

2
Topics Covered
3
4
Information Risk Management (IRM) Overview
  • A systematic approach to information security risk management is necessary
  • The approach should be suitable for the organisation's environment, and in particular should be aligned with overall enterprise risk management
  • Information security risk management should be a continual process
  • BS ISO/IEC 27005:2008

5
DH Policy
  • Information Security Management: NHS Code of Practice (April 2007)
  • Threats to NHS data shall be appropriately identified and based upon robust risk assessment and management arrangements, and shall be managed and regularly reviewed to ensure:
      • Protection against its unauthorised access or disclosure
      • That the integrity and evidential value of information shall be maintained
      • That information shall be available to properly authorised personnel as and when it is required

6
Information Risk Issues
  • Heightened awareness of information risk
  • Increased media coverage
  • Public more aware than ever of data use and storage
  • Need to demonstrate proper information management
  • New mandatory requirements for Government Departments and Agencies
  • Adopting NHS IG guidance will ensure equivalence
  • Public trust and confidence
  • The NHS must now be able to prove it is managing data properly

7
NHS IRM Structural Model
8
Accounting Officer
  • Scope
      • Chief Executive
      • Owner of all organisational risks
      • Signatory to the Statement of Internal Controls
  • Responsibilities
      • Owns the organisation's overall risk policy
      • Understands what information risks there are to the organisation and its business partners through its delivery chain
      • Ensures that the organisation's risk policy is complied with at board level
      • Ensures that information risk assessment and mitigating actions are delegated to appropriate staff and reported on
      • Ensures that information risk assessment objectives are set and aligned with the overall organisational strategy

9
Senior Information Risk Owner (SIRO)
  • Scope
      • Executive level
      • Familiar with information risks, their mitigations and risk assessment methodologies
  • Responsibilities
      • Owns the organisation's overall information risk policy and risk assessment process, tests its outcome, and ensures it is used
      • Understands what information risks there are to the organisation and its business partners through its delivery chain
      • Ensures that the organisation's information risk policy is complete and complied with
      • Ensures that information risk assessment and mitigating actions taken benefit from an adequate level of independent scrutiny
      • Ensures that information risk assessment reviews are completed and reviewed on a regular basis

10
Information Asset Owner (IAO)
  • Scope
      • Senior member of staff
      • Owns information risks in their area or department
      • Small NHS organisations may have a single IAO, whereas larger ones are likely to have several
  • Responsibilities
      • Owns the implementation of the organisation's overall information risk policy and risk assessment process
      • Understands and addresses risks to the asset, and provides assurance to the SIRO
      • Ensures that the organisation's information risk policy is complied with within the area or department
      • Contributes to the organisation's overall information risk assessment and management framework
      • Makes the case where necessary for new investment or action to secure owned assets
      • Provides a periodic written risk assessment to the SIRO for all assets owned

11
Information Asset Administrator
  • Scope
      • Operational members of staff
      • Familiar with information risks in their area or department
      • This role may be conducted by the IAO in small organisations
  • Responsibilities
      • Implement the organisation's information risk policy and risk assessment process
      • Understand and address risks to information assets, and provide assurance to the IAO
      • Comply with the organisation's information risk policy within the area or department
      • Co-ordinate and contribute to risk assessments and mitigation implementation
      • Provide periodic reports to the IAO
      • Maintain Information Asset Register entries

12
IG Guidance
  • NHS Information Security Management Code of Practice (April 2007)
  • NHS Information Risk Management Good Practice Guidance (January 2009), which contains:
      • SIRO and IAO template job descriptions
      • Reusable training presentation
      • Reusable example Information Risk Policy
      • (and more)

13
NHS IRM Model
  • Overview
      • Based on existing Good Practice
      • Defines generic roles and responsibilities
      • Scalable
  • Process
      • Auditable, repeatable
      • Implementation can be mapped against information management maturity
      • Tool and methodology agnostic
      • Can be mapped against existing models

14
IRM Tools
  • Rapid Risk Assessment
      • Targeted at specific solutions or assets
      • High-level risk identification
      • Used for risk triage
      • May indicate the need for further assessment
  • Formal Risk Assessment
      • Used for larger solutions or asset groups
      • Much more in-depth methodologies used
      • Business and information risk stakeholders involved
  • Risk Management Tools
      • Organisation and departmental tracking
      • Centralised reporting
      • Integration with other organisational systems

15
Practical Risk Strategies
  • Use of standard methodologies
      • CRAMM
      • IRAM
      • ISO 27005
  • Preparation is key
      • Define stakeholder list
      • Organise workshops and interviews as appropriate
      • Establish key risk areas ahead of workshops
      • Utilise existing threat and vulnerability lists
      • Review historical risk assessments
      • Consult primary stakeholders ahead of workshops
  • Adhere to scope
      • Validate before workshops
      • Resist extension during workshops

16
Further IRM considerations: information overseas
  • Do we know exactly:
      • what information is processed or stored overseas?
      • where that information will be processed or accessed from?
      • who has access to that information and how controls are managed?
  • Can we be certain who is at the other end?
  • What audit, assurance and reporting mechanisms exist, and how will these be deployed?
  • Are the IG arrangements well defined, comprehensive, justified and sensible?
  • Is it worth it?

17
Essential steps
  • Risk assess the proposed outsourcing initiative
  • Implement physical controls and assure their effectiveness
  • Establish effective on-the-ground information security and risk management monitoring and reporting
  • Ensure the SIRO and risk committee remain sighted, appraised and able to make decisions at short notice
  • Ensure approval mechanisms exist for change proposals affecting off-shore service components and data
  • Ensure secure data transmission protocols exist and are tested
  • Minimise off-shore data processing; store data in home locations where possible
  • Perform reliability checks for all staff involved in service delivery or support
  • Ensure close on-site supervision of staff and service delivery components
  • Ensure security management is a key component within contract management

18
Summary
  • Information Risk Management is a critical NHS business issue that provides and extends safeguards for:
      • Confidentiality of patient and staff information
      • Integrity of clinical and other NHS business data
      • Availability to ensure business operations and continuity
  • IRM must be considered in a structured way alongside other NHS business risk
  • All organisations should have the means to effectively assess and address their information risks
  • DH and NHS IG guidance is available and will help
      • www.dh.gov.uk
      • www.igt.connectingforhealth.nhs.uk

19
Questions?
Contacts: Alistair.donaldson@dh.gsi.gov.uk, James.wood2@nhs.net