Information Risk Policy

Transcription

1 Information Risk Policy Version 1_0 Responsible Person Information Governance Manager Lead Director Director of Performance and Corporate Services Consultation Route Information Governance Steering Group Approval Route HSCB Senior Management Team and Governance Committee Applies To All HSCB Staff, Contractors and Relevant Third Parties Approval Date Senior Management Team 08/09/15 Governance Committee 24/09/15 Review Date September 2018

2 Amendment / Change Control Version Date Author Reason / Comments Review Date V0.1 June 2015 K Moore New Policy Information Governance requirements September 2018 V0.2 August 2015 K Moore Following IGSG Meeting added in section on the role of the PDG and job title of current SIRO. September

3 Contents Table of Contents 1.0 Introduction Purpose Roles & Responsibilities Information Risk Management Process Information Assets Information Asset Register Information Risk Assessments Treatment Plans Privacy Impact Assessments (PIAs) Information Risk Training Monitoring Compliance Assurance Review and Revision Arrangements Policy Distribution... 9 Appendix One

4 1.0 Introduction This policy lays the framework for a formal information risk management programme in the HSCB by establishing responsibility for information risk, identification and analysis, planning for information risk mitigation and information risk management. The HSCB and its management team are required to assure the formal introduction and embedding of information risk management into key controls and approval processes for all the functions of the HSCB. Information risk is inherent in all administrative and business activities and everyone working for or on behalf of the HSCB continuously manages information risk. Information risk management is an essential element of broader information governance and is an integral part of good management practice. 2.0 Purpose The purpose of this Information Risk Policy is to: Protect the HSCB from information risks where the likelihood of occurrence and the consequences are significant; Provide a consistent risk management framework in which information risks will be identified, considered and addressed in key approval, review and control processes; Provide assistance to and improve the quality of decision making throughout the HSCB; Meet legal and statutory requirements; Assist in safeguarding the HSCB Information Assets; Integrate information risk as a key part of the risk management process. 3.0 Roles & Responsibilities The following are the reporting arrangements: Chief Executive The Chief Executive has overall responsibility for the management of the HSCB and for ensuring appropriate mechanisms are in place to minimise information risks. Personal Data Guardian (PDG) - The PDG (Director of Integrated Care) has responsibility for ensuring that HSCB processes satisfy the highest practical standards for handling personal data. The PDG is the 4

5 conscience of the organization in respect of patient information, and will also promote a culture that respects and protects personal data. The PDG works closely with the SIRO and Information Asset Owners where appropriate, especially where information risk reviews are conducted for assets which comprise or contain patient/service user information. Senior Information Risk Officer (SIRO) The SIRO (Director of Performance and Corporate Services) is responsible for coordinating the development and maintenance of information risk policies, procedures and standards for the HSCB. It is their role to: Ensure the organisation s overall information risk policy and risk assessment processes are implemented consistently by IAOs. Review and agree actions in respect of identified information risks. Provide a focal point for the resolution and/or discussion of information risk issues. Advise the Chief Executive or relevant accounting officer on the content of their annual governance statement in regard to information risk. Information Asset Owners (IAO) The IAO is a senior member of staff who is the nominated owner for one or more identified information assets within their Directorate. Information Asset Owners will be required to: Identify their information assets and where appropriate appoint for each asset an Information Asset Administrator (IAA). With the assistance of the Information Governance Team ensure that risk assessments are performed at the inception of any new assets. Understand what information is held and in what form, how it is added and removed, who has access to it and why. Will ensure that information risk management is embedded into the key controls and approval processes of all major business processes and functions. Responsible for risk assessment, reduction and prevention for their information assets including ongoing evaluation and risk management. IAO s are asked to provide annual assurance to the Senior Information Risk Owner (SIRO) that information risks identified for Information Assets within their Directorate are being appropriately managed. 5

6 Information Asset Administrators (IAA) Working in conjunction with the IAO an Information Asset Administrator (IAA) may be assigned to: Ensure policies and procedures are followed to help minimise risk. Recognise potential security incidents. Consult with the IAO on incident management. Ensure that information asset registers are up to date. An example of an IAA could be an existing systems administrator. All Staff Everyone has a role in the effective management of information risk. All staff will actively participate in identifying potential information risks in their areas and contribute to the implementation of appropriate treatment actions. 4.0 Information Risk Management Process 4.1 Information Assets An Information Asset is any set of records or information that is held by the HSCB, in any format, in support of a business function. The information held in an Information Asset can originate from any number of sources such as information from other organisations/individuals to information produced by the HSCB. Refer to Appendix A for more information on Information Assets and Guidance Notes. 4.2 Information Asset Register The Information Governance Team will lead on and ensure that an Information Asset Register (IAR) is set up for each Directorate. The register will: Allow the HSCB to understand what information it holds and how that information is being used; Ensure Information Assets are appropriately managed which will in turn reduce the risks to that information; Be maintained by each IAO with assistance from the identified IAA s. Be managed by the Information Governance Team who will ensure that all registers are regularly updated. Click here to view the Information Asset Register template. 4.3 Information Risk Assessments 6

7 An information risk assessment will be performed for all identified information assets. Information risk assessments will: Be conducted by the Information Governance Team in conjunction with the IAO / IAA. Be carried out using the HSCB s existing risk assessment procedure i.e. Data Flow and Information Security questionnaire, which will map the flow of information into and out of each asset and enable assessment of risks. Quantify the level of risk associated to each asset, the HSC Grading Matrix five by five will be utilised to rate the level of risk. Click here to view the HSC Risk Assessment tools. Ensure all threats, vulnerabilities and impacts are identified and if necessary included within the HSCB wide risk register. Information risk assessments will occur at the following times: At the inception of new systems / applications or anything that constitutes an information asset as outlined in Appendix A. At least annually to provide assurance to the SIRO on the agreed management of risks, this should be appropriately managed in line with HSCB policies and procedures. Before enhancements, upgrades and conversions associated with critical systems or applications. 4.4 Treatment Plans Treatment Plans will be developed based on the outcome of the risk assessment. Treatment options will involve one or a combination of the following four strategies: Avoid the risk Reduce the likelihood of occurrence Reduce the consequences of occurrence Retain/accept the risk Where applicable, mitigation plans shall include specific recommendations, to reduce information risk, alongside realistic completion dates. These will be communicated to the relevant IAO s for information / action. 7

8 4.5 Privacy Impact Assessments (PIAs) As a further element of good practice a Privacy Impact Assessment (PIA) will be considered for all major projects for example new systems, new services, etc. within an IAO s area of responsibility. Where the overview of the project identifies that a PIA is required to be undertaken this will be conducted in accordance with the criteria specified by the Information Commissioners Office. If required, the Information Governance Team will provide support during this process. 4.6 Information Risk Training Relevant training will be made available to all IAO s / IAA s and it is the responsibility of individuals to avail of the training. All HSCB staff complete Information Governance Training and Risk Management E- Learning every 3 years as part of mandatory induction training. If staff require additional or tailored training in this area, this can be arranged via contacting Ken.Moore@hscni.net. 5.0 Monitoring Compliance Monitoring of the policy will be informed by the number of reported Information Governance complaints and incidents. 6.0 Assurance Indicators for audit may include: The existence of an identified IAO for each Directorate. The existence of an Information Asset Register for each Directorate. The existence of a HSCB Risk Register. Annual assurance to the SIRO from each IAO. An annual review will be carried out by the Information Governance Team on behalf of the SIRO and reported to the Information Governance Steering Group (IGSG). Overall responsibility for action plans will lie with the SIRO but will be completed by relevant IAO and reported to and monitored by IGSG. 7.0 Review and Revision Arrangements 8

9 The HSCB is committed to ensuring that all policies are kept under review to ensure that they remain compliant with relevant legislation. This policy will be reviewed by the Information Governance Steering Group every 3 years. However, it will be reviewed when affected by major internal or external changes such as: Legislation Practice change or change in system/technology Changing methodology 8.0 Policy Distribution This Policy will be made available to all HSCB staff via the HSCB s Intranet site. 9

10 Appendix One Identification of Information Assets Every business function conducted by the HSCB is dependent on information in one format or another. Information is therefore recognised as having a value to the organisation and as such it needs to be treated and managed as an asset. The purpose of this piece of work is to develop a register of Information Assets as a first step in addressing risks to the information held by the HSCB. Each Directorate is therefore asked to complete the attached template and establish an Information Asset Register for their Directorate. What is an Information Asset? An Information Asset is any set of records or information that is held by the HSCB, in any format, in support of a business function. The information held in an Information Asset can originate from any number of sources such as information from other organisations/individuals to information produced by the HSCB. For this exercise we only wish to record details of Information Assets which hold more than fifty records. Information Assets primarily hold either/or both Electronic Records and Hard Copy Records however other forms exist such as recordings, backup tapes etc. Common examples of Information Assets are: Dedicated systems such as: Finance (General Ledger), HR (Human Resources Management System), Complaints (Datix), Intranets (HSCB Intranet, Primary Care Intranet) Websites. Spreadsheets and Databases developed either in-house or bought in. Systems, Electronic Document and Records Management System (Meridio), Network Drive Folders, Portable Hard Drives, 10

11 Memory Sticks Blackberry Mobile Phones Information Assets also include manual records - Filing Cabinets, Times Two Units, Closed Record Stores (basements, registries etc), Off-Site Storage Basically - any set of 50 or more records retained for a business process. What is not an Information Asset? Information Assets must have a value to the organisation, typical examples of what isn t classed as an Information Asset are: Extra copies of reports; s which do not form part of a master file; Information retained for personal reasons; Spreadsheets and Databases personally developed by individuals to assist them alone in their work; Why do we need an Information Asset Register? There are a number of reasons why the Board needs to compile an Information Asset Register: To allow the HSCB to understand what information it holds and how that information is being used; To ensure Information Assets are appropriately managed which will in turn reduce the risks to that information; To meet DHSSPS requirements in respect of Information Risk; To meet Audit recommendations in respect of Information Risk. Who can I speak to for assistance? Each Directorate within the HSCB has one or more nominated Information Asset Owners (IAO s) - See Appendix 1 for details. It is 11

12 unlikely these individuals will have a working knowledge of all the Assets within their Directorate therefore Information Asset Administrators (IAA s) will need to be identified for each Asset - These are individuals who perhaps head up a team or are responsible for a particular business process and have a working knowledge of the Information Asset. The Information Governance Team is also available for support on this project. Should you require any assistance please contact your Information Asset Owner in the first instance or a member of the Information Governance Team: Ken.moore@hscni.net Peter.Moran@hscni.net Claire.donnelly@hscni.net How do I compile an Information Asset Register? List the key business processes undertaken by your Directorate, each one will have one or more Information Assets associated with it. Complete the attached register template completing a row for each Asset. What Happens when the exercise is complete? When each Directorate completes their Register they will forward it to the Information Governance Team who will combine all Directorate registers into one Corporate Information Asset Register for the HSCB. This will become an important document which will be maintained and updated on a regular basis. Each Information Asset Owner will be asked to provide assurances to the Board s Senior Information Risk Owner at least annually that all Information Assets have been recorded and are being managed appropriately. Following completion of the Registers the Information Governance Team will analyse the information and establish which Information Assets hold personally identifiable information or business sensitive information. With the assistance of the IAA s a further exercise to map the flow of information into and out of these Assets will be completed. This will allow risks to be identified and evaluated. Action can then be taken to eliminate or reduce any risks to an acceptable level. 12

13 Step by Step Guide: Identifying and Recording Information Assets Step One: IAO s to identify Business Processes and Key Systems used within Directorate. Bear in mind this is all Teams in all HSCB Offices. Step Two: For each Business Process identify an Information Asset Administrator (IAA). Step Three: Circulate this paper and the Information Asset Register template to each IAA asking them to fill out the template for each Information Asset they identify. Set an appropriate timescale for completion. Step Four: Pull all the completed templates into one Information Asset Register per Directorate. If helpful you can maintain each Team on a separate sheet within the spreadsheet. the completed Register to Ken.Moore@hscni.net (IG Manager). Step Five: The Information Governance Team will check the completed Registers and where personal information or business sensitive information is held contact will be made with the IAA s to assist with the Data Flow Analysis. Step Six: Following the Data Flow Analysis the Information Governance team will help identify potential risks and advise both IAO s and IAA s as to appropriate treatment. 13

14 Senior Information Risk Owner (SIRO): Mr Michael Bloomfield - Head of Corporate Services Information Asset Owners (IAO s): Finance Mr Simon Christie Commissioning - Ms Cara Anderson Integrated Care - Ms Linda McIlroy PMSI - Mr Stephen McDowell Social Care and Children s - Mr Tony Rodgers, Mr Aidan Murray and Mr Kevin Keenan Transforming Your Care - Ms Lynn Campbell E-Health & External Collaboration Mr Des O Loan Corporate Services - Mr Ken Moore 14