Introduction to Risk Management for SIROs and IAOs - NHS (2017/03/28)
@nhsdigital enquiries@nhsdigital.nhs.uk 0300 303
Introduction to Risk Management for SIROs and IAOs:
presented by First name Surname, Job Title
Using this slide pack
If presenting to a group:
• You can use the notes section below the slides to assist with your script.
• You can add further information to the slides specific to your organisation.
• Don’t forget to delete this slide beforehand.
If you are reading the slides for your own learning:
• Make sure you read the notes section below the slides for further information.
• To print out the slides with the notes, go to ‘File’ > ‘Print’ menu > ‘Notes Pages’ > ‘Print’ button.
Introduction
• Information as a resource
• Managing Risk
• Review of Data Security, Consent and Opt-Outs 2016
What is information risk?
Scenario
• Staff members send an HIV clinic newsletter.
• The sender uses cc instead of bcc.
• Investigation and fine.
How should information risk be approached?
What is information risk management?
Information risk structure
• The IRM structural model.
• The main responsibilities of the SIRO and IAO.
• The resources available to support staff in these roles.
The IRM structural model
The SIRO’s role and responsibilities
• Leading and fostering an appropriate culture
• Owning the organisation’s information risk and incident management framework
• Owning the organisation’s overall information risk policy and risk assessment processes
• Advising the Chief Executive or relevant Accounting Officer on information risk
The IAO’s role and responsibilities
• Who, compliance, seniority and working together
• Leading and fostering a culture
• What information an asset is comprised of
• Who has access to the asset
• Understanding and addressing risks to the asset and providing assurance to the SIRO.
Support for SIROs and IAOs
• The pyramid
• Who?
• What?
Other resources and help?
What is an information asset?
Which of these items do you think are IAs? Tick two or more options from the answers listed below, then read the feedback to check your answer.
A Audit data
B Laptop
C Data encryption utilities
D The server room air conditioning, which is part of the information system
E System administrator’s skills and experience
F Business continuity and disaster recovery plans for a care records system
EXAMPLES OF INFORMATION ASSETS
1 Personal information content
(A paper file with an ID photo attached)
Databases and data files.
Backup and archive data.
Audit data.
Paper records and reports.
Case notes.
2 Software
(Laptop showing spreadsheet)
Applications and system software.
Data encryption utilities.
Development and maintenance tools.
3 Other information content
(Laptop showing database)
Databases and data files.
Backup and archive data.
Audit data.
Paper records and reports.
4 Hardware
(Smart phone)
Computing hardware including PCs, laptops, tablets, networks, printers, smart phones, communications devices e.g. iPhone / Android smart phones, and USB drives.
5 System/process documentation
(Document labelled ‘Contract’)
System information and documentation.
Operations and support procedures.
Manuals and training materials.
Contracts and agreements.
Business continuity and disaster recovery plans.
6 Miscellaneous
(An individual)
Environmental services, e.g. power and server room air conditioning. Servers depend on the air-conditioning system to operate effectively and optimally.
People skills and experience.
Categorising information assets
• Key characteristics – all information assets:
– are identifiable;
– have ‘value’;
– are not easily replaceable;
– form part of the organisation’s overall asset inventory.
• How should information assets be categorised?
– By what they are, e.g. personal information; or
– By group, e.g. IT system, its documentation, the data it holds, and skills of staff.
Managing information assets
• How are information assets managed?
– Establish programmes to ensure IAs are identified in an asset register and assigned to an IAO.
– Ensure the register is complete and robust.
• Which information assets should be given priority?
– Assets which comprise or contain personal information about patients or staff.
Managing information risks
Acceptable risks
• May vary for each organisation.
• A well-defined information risk management structure and process helps to ensure that everyone understands the risks.
• Information Risk Management:
– Enables decisions on a fully informed basis.
– With awareness of potential risks.
– Allowing identification of mitigating controls or countermeasures.
Successful information risk management
The key to successful Information Risk Management:
• Embed it consistently within the structure of the organisation.
• Have an appropriate information risk management function.
• Don’t try to eliminate risk altogether.
Summary
In this section you saw that:
• Information assets are identifiable and definable assets owned or contracted by an organisation which are ‘valuable’ to the business of that organisation.
• IAs come in all shapes and sizes.
• Health and care organisations should have a SIRO, and each IA should have an assigned IAO.
• There are key factors for successful information risk management.
Module Summary
You should understand:
• The need for information risk management and the recommended approach to it.
• The role and responsibilities of the SIRO and Information Asset Owners (IAOs) in providing assurance that information risk is being managed effectively.
• What is meant by an organisation’s information assets and how risks to them should be identified and managed.
• The key to successful information risk management.