Introduction to Data Handling - PowerPoint PPT Presentation

Provided by: markb52
Slides: 19

Transcript and Presenter's Notes

Title: Introduction to Data Handling

1
Introduction to Data Handling
  • Mark Brett
  • Programme Manager, Socitm Performance Management
    Group

2
Socitm's Top 10 tips for Data Handling
  • Ensure you understand which legislation affects
    your business area.
  • Ensure a named individual in the business owns
    the risk, not ICT.
  • Ensure there is an effective incident reporting
    mechanism in place
  • Regularly monitor, measure and audit your
    processes and procedures
  • Implement a Corporate Information Governance
    group.
  • Ensure all staff are trained, updated and aware of
    their responsibilities
  • Undertake regular risk reviews of all processes
    and procedures.
  • Ensure all key Information assets are classified
    and are resilient
  • Have robust risk-driven processes in place for
    ad hoc situations.
  • Have documented policy driven processes and
    procedures in place

3
1 Ensure you understand which legislation affects
your business area.
  • Secondary specialist legislation
  • Children's Act / Council Tax / Housing Benefits
  • Many Acts bring about specific requirements for
    information handling.
  • Data Protection Act
  • Computer Misuse Act
  • Freedom of Information Act
  • When did you last consider what legislation
    affects you?

4
2 Ensure a named individual in the business owns
the risk, not ICT.
  • IT generally owns the service delivery aspects of
    technology and data handling.
  • Risk ownership is clearly with the business.
  • Each business process requires a risk profile and
    a risk owner.
  • The risk profiles should be subject to audit and
    monitoring.

5
3 Ensure there is an effective incident reporting
mechanism in place
  • Requirement of ISO 27001
  • Requirement for Government Connect Code of
    Connection.
  • Helps with Information Governance
  • Part of ITIL requirements
  • Raising awareness of incident reporting is
    generally proven to improve processes and improve
    the culture of security in an organisation.
  • Heightened awareness reduces incidents.

6
4 Regularly monitor, measure and audit your
processes and procedures
  • Auditing is a health check.
  • Auditing and monitoring give you a dashboard.
  • When did you last check?
  • Would you feel safe driving a car without an MOT?
  • If there were data handling speed cameras, would
    you slow down or just wait for the ticket to
    arrive in the post?
  • How many points would your authority have on its
    licence?

7
5 Implement a Corporate Information Governance
Group (CIGG)
  • Unless you have top level leadership, Information
    Governance will fail.
  • Unless there is a group of people to drive
    Information Governance forward it will not
    happen.
  • Unless there is a CIGG, no one is checking your
    strategy, policies and procedures.
  • The CIGG should also look at all procurement to
    ensure security is baked into the system.
  • Do you have a CIGG?

8
6 Ensure all staff are trained, updated and aware
of their responsibilities
  • Training and awareness should be part of the
    staff induction process.
  • Use team briefings and, if necessary, extra time
    during staff appraisals to get messages through.
  • Make training and awareness a corporate
    performance indicator.
  • Again, part of ISO 27001 and the Government Connect
    Code of Connection.

9
7 Undertake regular risk reviews of all processes
and procedures
  • Risk reviews are needed each time something
    changes.
  • Regardless of changes, risk processes should be
    reviewed on an annual basis.
  • Risk processes need to be aware of data inputs
    and outputs.
  • There are well established Government processes
    to deal with risk.
  • Join a WARP (Warning, Advice and Reporting
    Point): www.nlawarp.gov.uk

10
8 Ensure all key Information assets are
classified and are resilient
  • It is impossible to effectively manage, monitor
    and control information systems if you haven't
    first evaluated the requirements for
    Confidentiality, Integrity and Availability.
  • We now suggest Liability is also taken into
    account.
  • Aggregation also needs to be taken into account:
    a single record could be impact level 2, while
    the entire file could be impact level 4.

11
9 Have robust risk-driven processes in place for
ad hoc situations.
  • Many systems have a baseline risk assessment in
    place.
  • The problems come when something different is
    required.
  • Any ad hoc processes must have a risk assessment
    carried out.
  • Each stage should be documented and monitored.
  • Aggregation must be taken into account.

12
10 Have documented policy driven processes and
procedures in place
  • Organisations should have a Corporate Governance
    Group.
  • The corporate Governance Group should ensure
    policies exist.
  • The policies themselves will require processes
    and procedures which have been fully risk
    assessed.
  • Auditing, monitoring and security testing are
    critical.
  • Ensure you have top level leadership.

13
The big picture (CSIA IG framework)
14
This table sets out the HMG Impact Table
definitions for IL0 through IL3, reproducing the
segments of the Impact Table that are most
commonly relevant to service provision.

Business Impact Level: this standard assesses the
Business Impact Level on a seven-point scale of
Impact Levels. The table should be the basis on
which judgements are made on the Impact Level
appropriate to each of the properties of
Information Security (Confidentiality, Integrity
and Availability). It may be that definitions
from more than one category apply. In these
cases the risk assessor will need to make a
judgement as to which Impact Level is most
appropriate in the environment in question. The
general rule should be to apply the worst case;
any exception to this should be fully documented
and accepted as part of the accredited risk
assessment process. In the event that the impact
is greater than outlined within this table, the
risk assessor should work with the Information
Security Management Group to determine which
Impact Level (IL4 through IL6) is relevant. (NB:
this is unlikely for the Council in most cases.)
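The worst-case rule on this slide, together with the aggregation point from slide 10 (a single record at impact level 2, the whole file at impact level 4), can be written down as a small decision procedure. The following is an added example and is not code from the Socitm presentation or from any HMG tool: it takes per-property Impact Levels for a record and, optionally, for the aggregate file, applies the highest one, refuses an exception that is not documented and accepted, and flags anything above IL3 for escalation to the Information Security Management Group. Treating the aggregate levels under the same worst-case rule, and the field names and sample values, are assumptions of the example.

```python
"""Worst-case Business Impact Level selection.

Added example, not part of the Socitm deck or any HMG tooling. It models the
rule on slide 14: take the highest Impact Level across Confidentiality,
Integrity and Availability, document and accept any exception, and escalate
above IL3 to the Information Security Management Group. The optional
aggregate inputs model slide 10's point that a whole file may rate higher
than a single record; applying the worst-case rule to them is an assumption.
"""

from dataclasses import dataclass
from typing import Dict, Optional

PROPERTIES = ("confidentiality", "integrity", "availability")
IL_MIN, IL_MAX = 0, 6      # seven-point scale, IL0 through IL6
ESCALATE_ABOVE = 3         # IL4 to IL6 are decided with the ISMG


@dataclass
class DocumentedException:
    """A level below the worst case; only valid when justified and accepted."""
    level: int
    justification: str
    accepted_by: str       # who accepted it through the accredited risk process


@dataclass
class Classification:
    worst_case: int
    applied: int
    escalate_to_ismg: bool
    drivers: Dict[str, int]   # every input that reached the worst-case level


def _check_level(name: str, level: int) -> None:
    if not IL_MIN <= level <= IL_MAX:
        raise ValueError(f"{name}: IL{level} is outside IL{IL_MIN}..IL{IL_MAX}")


def classify(record: Dict[str, int],
             aggregate: Optional[Dict[str, int]] = None,
             exception: Optional[DocumentedException] = None) -> Classification:
    """Return the Impact Level to apply to an asset.

    record    -- per-property levels assessed for a single record
    aggregate -- optional per-property levels assessed for the whole file
    exception -- optional documented, accepted deviation below the worst case
    """
    levels: Dict[str, int] = {}
    for prop in PROPERTIES:
        if prop not in record:
            raise ValueError(f"missing assessment for {prop}")
        _check_level(prop, record[prop])
        levels[prop] = record[prop]
    for prop, level in (aggregate or {}).items():
        if prop not in PROPERTIES:
            raise ValueError(f"unknown property {prop}")
        _check_level(f"aggregate {prop}", level)
        levels[f"aggregate {prop}"] = level

    # General rule: apply the worst case across every assessed property.
    worst = max(levels.values())
    drivers = {name: lvl for name, lvl in levels.items() if lvl == worst}

    applied = worst
    if exception is not None:
        _check_level("exception", exception.level)
        if exception.level >= worst:
            raise ValueError("an exception must sit below the worst-case level")
        if not exception.justification.strip() or not exception.accepted_by.strip():
            raise ValueError("exceptions must be fully documented and accepted")
        applied = exception.level

    return Classification(worst_case=worst, applied=applied,
                          escalate_to_ismg=applied > ESCALATE_ABOVE,
                          drivers=drivers)


if __name__ == "__main__":
    # Constructed sample: one record is IL2, but the whole file is IL4.
    result = classify({"confidentiality": 2, "integrity": 1, "availability": 1},
                      aggregate={"confidentiality": 4})
    print(result)
```

The `drivers` field records which inputs set the worst case, so an assessor can see at a glance whether the classification is being pulled up by a single property or, as in the sample, by aggregation of the whole file.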
15
(No Transcript)
16
(No Transcript)
17
(No Transcript)
18
Risk Treatment Minimum Assurance Requirements vs
Business Impact