introducing...information asset manager
Information Asset Manager
David Birkinshaw, Head of Information Governance
Apira Limited, 07920 747 627
Data Flow Mapping & Information Asset Management
• Information Governance Toolkit – 11-308
“All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers”
• Information Governance Toolkit – 11-301
“A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed”
• Data Flow Mapping
• Confidentiality Audit
• Contracts
• Information Sharing Agreements
• Pseudonymisation
• Data Shared Outside EEA
Information Asset Manager – The Information Asset Register
Managing Information Assets (IAs)
IA registration, characteristics and risk assessment
• 301: Risk assessment programme
• 307: Risk register
• 323: Risk assessment
• 303/304/305: Access control
• 309/310: Business Continuity and Disaster Recovery
• 311: Virus protection
• 313: Network security
• 314: Mobile, home and remote working security
Audit of IAs
• 206: Confidentiality Audit
• 404: Multi-professional records audit
• 406: Availability of records audit
• 505: Internal and external coding audit
• 506: Coding audit programme
• 507: Completeness and Validity Audit
• 604: Information lifecycle audit
Information Asset Manager
• Web-based user approach to flow mapping
• Each user has their own list of flows
• Data Flows are mapped against assets and between assets
• Data Flows can be mapped internally to the organisation or externally to the organisation
• The web-based approach:
• reduces the impact on teams trying to keep up to date with new flows
• reduces management time in collating and managing risk to information
Information Asset Manager
• Dashboarding for Administrator, SIRO and IAOs/IAAs, allowing ‘instant’ risk monitoring
• Meaningful reporting to identify where the greatest risks reside, by Directorate, Department, Team, Asset or Flow
• Fully configurable metadata, including scoring and start/stop dates
Information Assets (ISO 27005)
Primary assets
• Business processes & activities – information in transit
• Information – information at rest
Secondary (supporting) assets
• Hardware
• Software
• Network
• Personnel
• Site
• Organization’s structure
– Risks and mitigations
Mapping Assets at Rest and Business Processes (Data Flow Items)
• Data at Rest (Information Asset) – e.g. patient database
• Data Flow Item (subset of the Information Asset – the what) – e.g. patient letter sent from the patient database
• Data Flow (who, why, when and how) – e.g. secure email, post
• Data at Rest (Information Asset) at the other end – e.g. paper copy, archive, external organisation
Information Asset Manager – Organisational Hierarchy
• Level 1: Directorate – Clinical, HR etc.
• Level 2: Department – Oncology, Paediatrics etc.
• Level 3: Team – Ward 1, Ward 2
Information Asset Manager – User Responsibilities
User
• Add/Accept/Reject Flows
• View Own Flows
IAO/IAA Admin
• Create/accept assets in own hierarchy
• View/edit flows in own hierarchy
• Create/edit user accounts in own hierarchy
SIRO/SIRO Admin
• Authorise/Edit all flows
• Authorise/Edit all assets
• Full System Administration
Standard User Workflow
• Flow entered (internal or external flow)
• Internal flow: accepted by the receiving user, or rejected by the receiving user
• Internal but rejected: flow deleted/changed by the originating user
• Flow approved by IAO, IAA or SIRO/Administrator
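Taken together, the responsibility matrix and the workflow describe an authorisation model: a User enters flows and accepts or rejects those sent to them, an IAO/IAA authorises only flows in their own hierarchy, and the SIRO authorises everything. As an added example (not Apira's code; the account names, hierarchy nodes and function names are constructed for illustration) the following models that scoping and state machine so that an out-of-scope IAO/IAA or a plain User cannot approve a flow, and a rejected flow has to be changed by its originator before it re-enters the workflow.

```python
# Constructed model of the slide's flow workflow and role scoping (not Apira code).
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    USER = "User"
    IAO_IAA = "IAO/IAA Admin"
    SIRO = "SIRO/SIRO Admin"


class State(Enum):
    ENTERED = "Flow entered"
    ACCEPTED = "Flow accepted by receiving user"
    REJECTED = "Flow rejected by receiving user"
    APPROVED = "Flow approved"


@dataclass(frozen=True)
class Account:
    name: str
    role: Role
    # Position in the Directorate > Department > Team hierarchy; an IAO/IAA at
    # ("Clinical", "Oncology") covers every team beneath Oncology, nothing else.
    node: tuple[str, ...]


@dataclass
class Flow:
    item: str                     # Data Flow Item, e.g. "Clinic letter"
    source_node: tuple[str, ...]  # hierarchy node of the originating asset
    originator: Account
    receiver: Account | None      # None marks an external flow
    state: State = State.ENTERED
    history: list[str] = field(default_factory=list)

    @property
    def internal(self) -> bool:
        return self.receiver is not None


def in_scope(acct: Account, node: tuple[str, ...]) -> bool:
    """True if `node` is at or beneath the account's own hierarchy node."""
    return node[: len(acct.node)] == acct.node


def can_authorise(acct: Account, flow: Flow) -> bool:
    """SIRO authorises all flows; IAO/IAA only within own hierarchy; User never."""
    if acct.role is Role.SIRO:
        return True
    return acct.role is Role.IAO_IAA and in_scope(acct, flow.source_node)


def accept(flow: Flow, acct: Account, accepted: bool) -> Flow:
    """The receiving user accepts or rejects an internal flow."""
    if not flow.internal:
        raise ValueError("external flows have no receiving user to accept them")
    if acct != flow.receiver:
        raise PermissionError(f"{acct.name} is not the receiving user")
    if flow.state is not State.ENTERED:
        raise ValueError(f"flow is already {flow.state.name}")
    flow.state = State.ACCEPTED if accepted else State.REJECTED
    flow.history.append(f"{acct.name}: {flow.state.value}")
    return flow


def resubmit(flow: Flow, acct: Account, new_item: str) -> Flow:
    """Only the originating user may change a rejected flow; it is re-entered."""
    if acct != flow.originator:
        raise PermissionError(f"{acct.name} did not originate this flow")
    if flow.state is not State.REJECTED:
        raise ValueError("only a rejected flow can be changed")
    flow.item, flow.state = new_item, State.ENTERED
    flow.history.append(f"{acct.name}: changed and re-entered")
    return flow


def approve(flow: Flow, acct: Account) -> Flow:
    """IAO/IAA (own hierarchy) or SIRO approves an accepted internal or an external flow."""
    if not can_authorise(acct, flow):
        raise PermissionError(f"{acct.name} may not authorise this flow")
    required = State.ACCEPTED if flow.internal else State.ENTERED
    if flow.state is not required:
        raise ValueError(f"flow must be {required.name} before approval")
    flow.state = State.APPROVED
    flow.history.append(f"{acct.name}: approved")
    return flow


def run_demo() -> dict[str, object]:
    """Walk one internal and one external flow through the workflow (constructed data)."""
    ward1 = Account("Ward 1 clerk", Role.USER, ("Clinical", "Oncology", "Ward 1"))
    ward2 = Account("Ward 2 clerk", Role.USER, ("Clinical", "Oncology", "Ward 2"))
    onc_iao = Account("Oncology IAO", Role.IAO_IAA, ("Clinical", "Oncology"))
    hr_iao = Account("HR IAO", Role.IAO_IAA, ("HR",))
    siro = Account("SIRO", Role.SIRO, ())
    flow = Flow("Clinic letter", ward1.node, ward1, ward2)
    accept(flow, ward2, accepted=False)                 # receiving user rejects
    resubmit(flow, ward1, "Clinic letter (pseudonymised)")
    accept(flow, ward2, accepted=True)
    denied = []
    for acct in (ward1, hr_iao):                        # wrong role / wrong hierarchy
        try:
            approve(flow, acct)
        except PermissionError:
            denied.append(acct.name)
    approve(flow, onc_iao)                              # in-scope IAO approves
    external = Flow("Discharge summary", ward1.node, ward1, None)
    approve(external, siro)                             # external flow: no acceptance step
    return {"internal": flow.state, "external": external.state,
            "denied": denied, "steps": len(flow.history)}
```

The scope check is a prefix match on the hierarchy tuple, so the same code serves Directorate-, Department- and Team-level IAOs/IAAs; the SIRO's empty node is a prefix of everything. Every denied attempt is raised rather than silently ignored, which is what you want if the history list is later used as the audit trail for the flow.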
Some Key System Definitions
• Asset – a ‘blob’ of information at rest, e.g. PAS database, Personnel Records
• Data Flow Items – information flowing out of an Asset, moving from A to B; a subset of an asset, e.g. clinic letter, patient letter
• Supporting Assets – e.g. network equipment, servers
• Temporary Assets – an asset not already in the system picking list
• Unassigned Data Flow Items – information moving from A to B that is not in the system picking list