Title: Introduction to Data Handling
Introduction to Data Handling
- Mark Brett
- Programme Manager, Socitm Performance Management Group
Socitm's Top 10 tips for Data Handling
- Ensure you understand which legislation affects your business area.
- Ensure a named individual in the business owns the risk, not ICT.
- Ensure there is an effective incident reporting mechanism in place.
- Regularly monitor, measure and audit your processes and procedures.
- Implement a Corporate Information Governance Group.
- Ensure all staff are trained, up to date and aware of their responsibilities.
- Undertake regular risk reviews of all processes and procedures.
- Ensure all key information assets are classified and are resilient.
- Have robust risk driven processes in place for ad hoc situations.
- Have documented policy driven processes and procedures in place.
1 Ensure you understand which legislation affects your business area.
- Secondary specialist legislation
  - Children's Act / Council Tax / Housing Benefits
- Many Acts bring about specific requirements for information handling.
  - Data Protection Act
  - Computer Misuse Act
  - Freedom of Information Act
- When did you last consider what legislation affects you?
2 Ensure a named individual in the business owns the risk, not ICT.
- IT generally owns the service delivery aspects of technology and data handling.
- Risk ownership is clearly with the business.
- Each business process requires a risk profile and a risk owner.
- The risk profiles should be subject to audit and monitoring.
3 Ensure there is an effective incident reporting mechanism in place.
- Requirement of ISO 27001.
- Requirement for the Government Connect Code of Connection.
- Helps with Information Governance.
- Part of ITIL requirements.
- Generally, awareness raising of incident reporting is proven to improve processes and improve the culture of security in an organisation.
- Heightened awareness reduces incidents.
4 Regularly monitor, measure and audit your processes and procedures.
- Auditing is a health check.
- Auditing and monitoring gives you a dashboard.
- When did you last check?
- Would you feel safe driving a car without an MOT?
- If there were data handling speed cameras, would you slow down or just wait for the ticket to arrive in the post?
- How many points would your authority have on its licence?
5 Implement a Corporate Information Governance Group (CIGG).
- Unless you have top level leadership, Information Governance will fail.
- Unless there is a group of people to drive Information Governance forward, it will not happen.
- Unless there is a CIGG, no one is checking your strategy, policies and procedures.
- The CIGG should also look at all procurement to ensure security is baked in as part of the system.
- Do you have a CIGG?
6 Ensure all staff are trained, up to date and aware of their responsibilities.
- Training and awareness should be part of the staff induction process.
- Use team briefings and, if necessary, extra time during staff appraisals to get messages through.
- Make training and awareness a corporate performance indicator.
- Again, part of ISO 27001 and the Government Connect Code of Connection.
7 Undertake regular risk reviews of all processes and procedures.
- Risk reviews are needed each time something changes.
- Regardless of changes, risk processes should be reviewed on an annual basis.
- Risk processes need to be aware of data inputs and outputs.
- There are well established Government processes to deal with risk.
- Consider joining a WARP (Warning, Advice and Reporting Point): www.nlawarp.gov.uk
8 Ensure all key information assets are classified and are resilient.
- It is impossible to effectively manage, monitor and control information systems if you haven't first evaluated the requirements for Confidentiality, Integrity and Availability.
- We now suggest Liability is also taken into account.
- Aggregation also needs to be taken into account:
  - A single record could be impact level 2.
  - The entire file could be impact level 4.
9 Have robust risk driven processes in place for ad hoc situations.
- Many systems have a baseline risk assessment in place.
- The problems come when something different is required.
- Any ad hoc processes must have a risk assessment carried out.
- Each stage should be documented and monitored.
- Aggregation must be taken into account.
10 Have documented policy driven processes and procedures in place.
- Organisations should have a Corporate Governance Group.
- The Corporate Governance Group should ensure policies exist.
- The policies themselves will require processes and procedures which have been fully risk assessed.
- Auditing, monitoring and security testing are critical.
- Ensure you have top level leadership.
The big picture (CSIA IG framework)
This table sets out the HMG Impact Table definitions for IL0 through IL3, reproducing the segments of the Impact Table that are most commonly relevant to service provision.

Business Impact Level: this standard assesses the Business Impact Level on a seven-point scale of Impact Levels. The table should be the basis on which judgements are made about the Impact Level appropriate to each of the properties of Information Security (Confidentiality, Integrity and Availability). It may be that definitions from more than one category apply; in these cases the risk assessor will need to make a judgement as to which Impact Level is most appropriate in the environment in question. The general rule should be to apply the worst case; any exception to this should be fully documented and accepted as part of the accredited risk assessment process. In the event that the impact is greater than outlined within this table, the risk assessor should work with the Information Security Management Group to determine which Impact Level, IL4 through IL6, is relevant. (NB: this is unlikely for the Council in most cases.)
Risk Treatment: Minimum Assurance Requirements vs Business Impact