Information Security Management System ISMS Mandatory Clauses Integrated Research Campus



Information Security Management System: ISMS Mandatory Clauses. Version 2.1, published 24/09/2019. Classification: IRC-Protect. 29 pages.

Document Information

Reference: ISMS 27001
Category: Information Security Management System (ISMS) Documents
Title: ISMS Mandatory Clauses
Purpose: Defining the mandatory clauses that make up the ISO 27001 ISMS
Owner: Information Governance Management Group (IGMG)
Author: Charles Hindmarsh
Compliance: ISO 27001
Review plan: Annually
Related Documents:

1. University of Leeds Information Protection Policy
2. A.5.0 Information security policies
3. A.6.0 Organisation of information security
4. A.7.0 Human resources security
5. A.8.0 Asset management
6. A.9.0 Access control
7. A.10.0 Cryptography Controls
8. A.11.0 Physical and environmental security
9. A.12.0 Operations security
10. A.13.0 Communications security
11. A.14.0 Systems acquisition, development and maintenance
12. A.15.0 Supplier Relationships
13. A.16.0 Information security incident management
14. A.17.0 Information security aspects of business continuity management
15. A.18.0 Compliance

Version History

Version | Date | Updated by | Change description | Sign off | Sign-off date
1.0 | 27/06/2016 | Samantha Crossfield / David Batty | Initial version | Barry Haynes (Chair of IGMG) | 20/10/2016
2.0 | 28/02/2019 | Charles Hindmarsh | New format of ISMS | Andy Pellow (Chair of IGMG) | 22/03/2019
2.1 | 21/09/2019 | Charles Hindmarsh | Updated 1.2, 1.4, 4.1-4.4, 5.2, 6.2, 7.3, 7.4, 8.1, 8.2.2, 10.2, | Andy Pellow (Chair of IGMG) | 24/09/2019


Contents

0.1 Introduction
    Purpose
    Applicability
    The IRC Information Security Management System
1.0 Scope
    Figure 1
    1.1 Zones
    1.2 Infrastructure
    1.3 People
    1.4 Services
    1.5 Information Assets
    1.6 Scope Interplay
2.0 Normative References
3.0 Terms and Definitions
4.0 Context of the Organisation
    4.1 Understanding the Organisation and its Context
    4.2 The Needs and Expectations of Interested Parties
    4.3 Determining the Scope of the Information Security Management System
    4.4 Information Security Management System
5.0 Leadership
    5.1 Leadership and Commitment
    5.2 Policy
    5.3 Organisational Roles, Responsibilities and Authorities
        5.3.1 Information Governance Management Group Chair
        5.3.2 The Data Protection Officer (DPO)
        5.3.3 Information Governance Manager (IGM)
        5.3.4 Accountability and lines of reporting
6.0 Planning
    6.1 Actions to Address Risks and Opportunities
    6.2 Information Security Objectives


7.0 Support
    7.1 Resources
    7.2 Competence
    7.3 Awareness
    7.4 Communication
        7.4.1 Communication Recipients and Triggers
        7.4.2 Communication Scope
        7.4.3 Communication Responsibilities
        7.4.4 Communication Channels
        7.4.5 Audience
        7.4.6 Communication actions
    7.5 Documented Information
        7.5.1 General
        7.5.2 Creating and Updating
        7.5.3 Control of Documented Information
8.0 Operation
    8.1 Operational Planning and Control
    8.2 Information Security Risk Assessment
        8.2.1 Impact Definition
        8.2.2 Risk assessment scope
        8.2.3 Risk log
        8.2.4 Frequency of risk assessment
    8.3 Information Security Risk Treatment
        8.3.1 Applicability
        8.3.2 Risk treatment
        8.3.3 Risk Treatment Options
        8.3.4 Residual risk
        8.3.5 Risk ownership and review
9.0 Performance Evaluation
    9.1 Monitoring, Measurement Analysis and Evaluation
    9.2 Internal Audit
    9.3 Management Reviews
        9.3.1 Review Initiation
        9.3.2 Applicability
        9.3.3 Audit Schedule


10.0 Improvement
    10.1 Non-Conformity and Corrective Action
        10.1.1 Reporting
        10.1.2 Recording
        10.1.3 Corrective Action
    10.2 Continual Improvement


0.1 Introduction

Purpose

The Integrated Research Campus (IRC) is a University of Leeds (UoL) IT provision. The IRC provides secure technical infrastructure and services for research data handling, analytics, application processing and development. This document contains the mandatory clauses for the IRC Information Security Management System (ISMS) and defines the goals, context and scope of the IRC ISMS, as well as the ISMS objectives and requirements for information security.

Applicability

The ISMS applies to all users and providers of IRC services and infrastructure. All users must comply with the ISMS policies. The essential requirements are released through frequently used documents such as the IRC user agreement, the Research Portal (intranet), work instructions, project proposals, data management plans and risk assessments. This document will be used by those staff who are responsible for maintaining, reviewing and improving the ISMS.

The IRC Information Security Management System

The ISMS sets information security (IS) as a key element of the mission statement of the IRC. The ISMS is designed to protect IRC reputation and capacity by maximising IS throughout the data lifecycle. The ISMS defines the appropriate management, control and treatment of risks to preserve the confidentiality, integrity and availability of information.

An aim for the ISMS is recertification to ISO/IEC 27001:2013 and the NHS Data Security and Protection Toolkit. The certifications serve to externally validate that IS best practice has been adopted. Previously, Version 14 of the NHS IG Toolkit was reviewed by NHS Digital (21 March 2017). Accredited certification to ISO 27001:2013 was attained on 15 May 2017 (Certification number 15331-ISN-001).


1.0 Scope

The ISMS scope encapsulates the space that meets the organisation's needs for secure data handling. This corresponds to the reach of the IRC secure research environment and the services conducted therein, regardless of location, provider or user. The IRC's Statement of Applicability details the controls that have been selected to treat identified risks, and provides a justification for the inclusion of each of the 114 controls listed in Annex A of the ISO 27001:2013 Standard. Figure 1.0.1 summarises the scope and the governance structure that the IRC resides in.

The ISMS objectives apply to all in-scope elements. Compliance with the ISMS is mandatory within this scope. Exceptions must be handled as set out in 10.1 Non-Conformity and Corrective Action.

Figure 1.0.1: Representation of the IRC Services (yellow), Governance (blue) and Processes (green)

Figure 1.0.1 shows the ISMS scope and how it fits within the University and wider legislation and standards. The ISMS scope is defined by the blue dashed line.


1.1 Zones

IRC zones are numbered 1-5 in Figure 1.0.1:

1. Gateway – the gateway zone between the other IRC zones and the external environment. Data passes through here in order to move between zones or to enter or leave the IRC.
2. Data Services – core data services are provided from this zone to users, including access, provisioning, management and support services.
3. Safe Rooms – secure and managed rooms providing monitored access to data.
4. Virtual Research Environment (VRE) – firewalled virtual machines that are set up for users with appropriate software, applications and data access. VREs are remotely accessed.
5. IRC Data Storage – the zone in which research data is securely stored.
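The chokepoint rule stated for Zone 1 (data moves between zones, or enters and leaves the IRC, only through the Gateway) is the kind of segregation claim an auditor will want tested against observed traffic rather than taken on trust. The Python below is an added example, not part of the IRC ISMS document or of any University of Leeds tooling: it encodes that rule as a small policy and evaluates a list of flows against it. The zone-to-address mapping (one constructed 10.N.0.0/24 range per zone) and the flow records are assumptions made for illustration; a real check would take its address plan from the IRC network documentation and its flows from a firewall or NetFlow export.

```python
"""Zone-transit check for the five-zone IRC model described in section 1.1.

Added example, not part of the IRC ISMS. It encodes one rule from the
document (data moves between zones, or enters/leaves the IRC, only via the
Gateway, Zone 1) and evaluates observed flows against it. The address plan
and the sample flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ZONES = {1: "Gateway", 2: "Data Services", 3: "Safe Rooms", 4: "VRE", 5: "Data Storage"}
GATEWAY = 1
EXTERNAL = None  # anything not inside an IRC zone range

# Assumption: one /24 per zone. This is not the IRC's real address plan.
ZONE_NETWORKS = {ip_network(f"10.{z}.0.0/24"): z for z in ZONES}


def zone_of(addr: str) -> Optional[int]:
    """Map an IP address to its IRC zone number, or None if it is external."""
    ip = ip_address(addr)
    for net, zone in ZONE_NETWORKS.items():
        if ip in net:
            return zone
    return EXTERNAL


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str


def flow_allowed(src_zone: Optional[int], dst_zone: Optional[int]) -> bool:
    """Strict reading of the section 1.1 rule.

    - Traffic that stays inside one zone is not a zone transit and is allowed.
    - Any flow that crosses a zone boundary, or the IRC boundary, must have
      the Gateway as one endpoint.
    - Therefore External <-> non-Gateway zone and Zone N <-> Zone M direct
      flows are violations.
    """
    if src_zone == dst_zone:
        return True
    return GATEWAY in (src_zone, dst_zone)


def zone_name(zone: Optional[int]) -> str:
    return ZONES.get(zone, "External")


def evaluate(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for every flow that bypasses the Gateway."""
    violations = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if not flow_allowed(s, d):
            violations.append((f, f"{zone_name(s)} -> {zone_name(d)} bypasses the Gateway"))
    return violations


# Constructed sample flows, in the shape a firewall log export might yield.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.1.0.10", "sftp"),    # external upload to the Gateway: allowed
    Flow("10.1.0.10", "10.5.0.10", "smb"),       # Gateway to Data Storage: allowed
    Flow("10.3.0.20", "10.1.0.10", "rdp"),       # Safe Room thin client to Gateway: allowed
    Flow("10.4.0.5", "10.4.0.6", "ssh"),         # VRE to VRE, same zone: allowed
    Flow("10.4.0.5", "198.51.100.9", "https"),   # VRE egress to the internet: violation
    Flow("203.0.113.7", "10.5.0.10", "smb"),     # external host straight to storage: violation
]

if __name__ == "__main__":
    for flow, reason in evaluate(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst} ({flow.service}): {reason}")
```

The strict transit rule is a starting point rather than a finished policy: section 1.1 also describes Data Services providing access, provisioning and management to users in the other zones, so an operational rule set will carry explicit exceptions. The value of running a check like this is that every such exception has to be written down and justified instead of being discovered in a firewall export.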

1.2 Infrastructure

1.2.1 Infrastructure in scope in Figure 1.0.1:

1. Infrastructure in the Gateway (Zone 1) includes:
   a. Interfaces, such as a secure web server for uploading data.
   b. External facilities used in providing secure data services where they are brought in scope by either:
      i. Formal agreement, or
      ii. 'Take-over' of facilities as set out in the A.11.2.6 Security of Offsite Equipment policy.
2. Infrastructure in the Data Services zone (Zone 2).
3. Infrastructure in the Safe Rooms (Zone 3), including thin client computers.
4. Infrastructure in the VRE (Zone 4), including the software and applications in each virtual machine.
5. Infrastructure in the Data Storage zone (Zone 5), used to deliver storage services.
6. Networking / Telephony Systems supporting Zones 1 to 5.

The above zones will be referred to in all ISMS documentation as the "IRC infrastructure".

1.2.2 Infrastructure out of scope:

1. Systems that receive data from the IRC, such as external High Performance Computing (HPC), web applications or the "Visualisation Suite" for graphics-intense work.
2. Devices or services used to capture data relayed to IRC infrastructure, including scanners, gene sequencers, websites and applications.
3. Devices used to access the IRC infrastructure (including desktops, laptops, tablets and smart phones) and their locations.


1.3 People

1.3.1 People in scope:

1. Members of the DST (based in Zone 2).
2. Users such as researchers, clinicians and analysts while they are using a) the IRC infrastructure or b) an application that calls upon the IRC infrastructure. A user agreement must define the elements of the ISMS that pertain to the user.
3. IT and support staff and contractors working on the IRC infrastructure. Contracts, service and operating level agreements must accord with the ISMS.
4. Suppliers and data providers who enter a contractual agreement with the IRC.

1.3.2 People out of scope:

Users, IT and support staff, Human Resources (HR) and data providers while they are not interacting with IRC infrastructure.

1.4 Services

1.4.1 Services in scope:

Services delivered on IRC infrastructure can be summarised as data capture, process, access and storage services, including:

1. Checking and loading of data to / from the secure file transfer system, and ensuring the transfer complies with any Data Sharing Agreement (DSA), Data Processing Agreement (DPA) and/or Data Management Plan.
2. Development and destruction of virtual machines and access rights.
3. Data transformation, linkage and management.
4. Auditing of the use of IRC infrastructure.
5. Servers and PCs that reside on the IRC infrastructure.
6. Data held in storage or in suspension within the IRC.

1.5 Information Assets

1.5.1 Information assets in scope:

Data held on IRC infrastructure, from entry to exit via the IRC Gateway or until deletion.

1.5.2 Information out of scope:

Data held beyond the scope of the IRC infrastructure.

1.6 Scope Interplay

Projects usually involve movement of data in and out of the scope of the ISMS, and transfer must be handled according to the Information Transfer policy (A.13.2).


2.0 Normative References

1. NHS Digital Data Security and Protection Toolkit https://www.dsptoolkit.nhs.uk/

2. ISO/IEC 27001:2013 - http://www.iso.org/iso/home/standards/management-

3. General Data Protection Regulation - https://gdpr-info.eu/

4. Cyber Essentials - https://www.cyberessentials.ncsc.gov.uk/

5. The Information Commissioner’s Office - https://ico.org.uk

3.0 Terms and Definitions

For the purpose of the ISMS, the following definitions have been used:

Information: Information includes, but is not limited to, any data printed or written on paper, stored electronically, transmitted by post or by electronic means, stored on tape or video, or spoken in conversation.
Confidentiality: Ensuring that information is accessible only by authorised individuals.
Integrity: Safeguarding the accuracy and completeness of information and ensuring data is not modified without proper authorisation.
Availability: Ensuring that authorised users have access to the relevant information whenever required.
IGMG: Information Governance Management Group
LIDA: Leeds Institute for Data Analytics
SMT: Senior Management Team
ICO: Information Commissioner's Office
PSD: Patient Specific Directions
HRC: Health Research Council
MRC: Medical Research Council
IRC: Integrated Research Campus
DST: Data Services Team (part of IT)
IG: Information Governance
VRE: Virtual Research Environment (a secure server)
DPA: Data Processing Agreement
DSA: Data Sharing Agreement

4.0 Context of the Organisation

4.1 Understanding the Organisation and its Context

The University provides the IRC, which is secure storage and virtual computing power for processing confidential and highly confidential data. The IRC is segregated from the rest of the University's computing services and from the internet.

LIDA and other areas within the University draw together research groups and data scientists with external partners to undertake data-intensive research within the IRC.


Data being captured includes geographic, socio-economic, consumer, social, patient and clinical information.

The nature and sensitivity of the data that is processed within the IRC means that the security systems and policies and the data processing activities must be secure and robust.

4.2 The Needs and Expectations of Interested Parties

Increasing data diversity raises differing requirements for data handling in terms of information security, governance and data protection. Our interested parties depend on the University to deliver secure data handling services and practices that comply with legislation and appropriate practice governance standards. The ISMS and our practices can be scrutinised by their auditors on request.

Our interested parties include, but are not limited to:

1. Information Governance Management Group (IGMG)
2. Leeds Institute for Data Analytics (LIDA)
3. Research Funders
4. Data Providers
5. Academics
6. UoL Audit & Risk Committee
7. UoL Protection Group
8. UoL Security Group
9. UoL Data Services Team (DST)
10. Information Commissioner's Office (ICO)
11. Health Research Council (HRA)
12. Users of the IRC
13. Media
14. UoL IT Services
15. Alcumus ISOQAR
16. NHS Digital (NHSD)
17. Public Health England

Details of the IRC's communication with interested parties can be found in Clause 7.4.

4.3 Determining the Scope of the Information Security Management System

The IRC is a UoL IT platform and is both shaped by and contributes to the UoL's strategy, research objectives, operational processes and management structures. The IRC provides the Leeds Institute for Data Analytics (LIDA) with the infrastructure, training and data services required for secure data handling in research.


The IRC systems, services and operations (see Figure 1.0.1) are designed to prevent and minimise security incidents to avoid unauthorised disclosure that could lead to commercial, personal or reputational damage. These include:

1. Data capture, review and release (gateway) services that are operated by the DST.
2. Data storage facilities that are segregated from other University campus IT systems. See Access to Networks and Network Services (A.9.1.2).
3. Data processing servers and services including data cleansing, transformation, linkage, de-identification, backup and destruction.
4. Multi-factor authenticated access to data in a VRE that is regulated and monitored.
5. Secure File Transfer systems that are controlled by the DST.

There are a number of relevant internal and external issues which may impact on the IRC's ability to meet the objectives of the ISMS. These include:

Internal issues:

1. Physical Security: Protection against theft from within the UoL.
2. Culture: A commitment to information security amongst staff and researchers.
3. Staff: Retention of key, competent employees to fulfil ISMS responsibilities.
4. Acceptable Use: Adherence by staff and researchers to the terms of the IRC agreement.
5. Organisation Structure: Ability to adapt and react swiftly to change and adopt new standards and guidelines.
6. Risk Management: Ability to manage risk to an acceptable level, taking into account cost and the expectations of interested parties.

External issues:

1. Physical Security: Protection against theft from outside the UoL.
2. Client/Customer Requirements: Protection of their information as specified within the Data Sharing Agreements.
3. Legislative or Regulatory Change: Ability to adapt and react swiftly to change and adopt new standards and guidelines.
4. Environmental Risks: Protection against fire, flood, or other disasters which could affect business continuity.
5. Interruption to Utilities/Communications: Contingency in the event of power or telecoms failure.
6. Risk Management: Ability to manage risk to an acceptable level, taking into account cost and the expectations of clients and authorities.

4.4 Information Security Management System

The IRC's ISO 27001:2013 Information Security Management System is being implemented and continuously improved. The ISMS contains 14 security control documents that collectively contain a total of 35 security categories. A set of 15 documents makes up the ISMS; these are named in Policies for Information Security (A.5.1.1).

Where additional operational detail is required, it can be found in separate work instructions as per the Documented Operating Procedures Policy (A.12.1.1).

The ISMS is regularly audited, and all findings, risks, incidents and vulnerabilities are recorded along with recommended improvement plans for oversight by the IGMG.

5.0 Leadership

5.1 Leadership and Commitment

The IGMG is responsible for ensuring all information governance risks are appropriately managed and monitored through the IRC ISMS. The IGMG comprises representatives from:

1. The UoL Information Governance Group.
2. The UoL IT Services.
3. The UoL IT Assurance Team.
4. The UoL Legal Affairs Team.
5. Partner representatives from Faculties, Centres and Users.

The UoL representatives bring the expertise to ensure that the IGMG leads in accordance with industry standards, legal requirements and UoL objectives. See 5.3 for Organisational Roles, Responsibilities and Authorities.

5.2 Policy

The IGMG ensures the policies are relevant to the IRC and the University, and that they comply with the requirements of our data providers and interested parties.

The policy objectives (see Table 6.2.1: IS Objectives) of the ISMS are as follows:

1. Information is protected from loss or breach of confidentiality, integrity and availability.
2. Information Security (IS) risks are identified, assessed and managed through the risk assessment and treatment policy.
3. Policies and controls exist to mitigate the risks identified, and their effectiveness is measured and reviewed.
4. Incidents are recorded and used to drive improvement.
5. Current regulatory and legislative requirements are met.
6. Training in all elements of the IS Management System is available to all users, as relevant to their roles.


7. The ISMS complies with ISO 27001:2013 and the NHS Data Security and Protection Toolkit, and is regularly reviewed and continually improved.

The policies are reviewed at least annually, or following a significant change, to ensure there is ongoing continual improvement. The policies are shared and communicated with all researchers and interested parties as needed.

5.3 Organisational Roles, Responsibilities and Authorities

Members of the IGMG fulfil the roles defined in Figure 5.3.0, and have specific responsibilities for ensuring that the ISMS is in place and policies are followed. Other members provide advice through group meetings and proportionate reviews as required.

Figure 5.3.0: Three key roles in the IG Management Group

5.3.1 Information Governance Management Group Chair

The IGMG Chair is accountable for the IRC IG structure and its practice and ensures that the ISMS is fit for purpose. They have overall responsibility for ensuring IS is in line with industry best practice and for directing continual improvement in the ISMS.

5.3.2 The Data Protection Officer (DPO)

The DPO brings expert knowledge of data protection law, standards and practices. They ensure that the ISMS contains relevant policies for maintaining and auditing data privacy.

Figure 5.3.0 (role descriptions from the figure):

IG Management Group Chair: High-level responsibility for IS across the IRC, through its infrastructure, processes and staff.
IRC Data Protection Officer: Responsibility for ethical-legal policies and training that ensure appropriate data access, maintain confidentiality and data integrity, and information governance.
IRC Information Governance Manager: Responsibility for the development and implementation of policies regarding IS among staff and infrastructure, including monitoring, assessment and training.


5.3.3 Information Governance Manager (IGM)

The IGM brings expert knowledge of ISO 27001, the NHS Data Security and Protection Toolkit, and the requirements of the sponsors and third parties that the IRC is working with. The IGM has knowledge of the practices and policies of the IRC and ensures audits are carried out to fulfil the ISMS requirements.

The IGM guides the IGMG in reviewing the ISMS to ensure the ongoing protection of information assets, technologies and data privacy.

5.3.4 Accountability and lines of reporting

The UoL IT Security Group and Information Protection Group are responsible for ensuring the protection of information assets within the University. The UoL Senior Information Risk Owner (SIRO) is a member. The groups receive reports from the IGMG Chair regarding IRC activities, incidents and ISMS reviews in relation to IT security and information protection.

In the context of the UoL Information Governance structure, the IGMG is responsible for setting, maintaining and overseeing the IRC ISMS.

The DST is accountable for delivery of the ISMS, under the oversight of the IGMG. The team maintains an inventory of information, and of the assets associated with information and its processing, that are on the IRC. The team is accountable for processing the ownership, use and return of these assets. The DST ensures Information Security is assessed throughout project management for all IRC projects.

Employees, users and contractors must adhere to the ISMS.

6.0 Planning

A project and project risk assessment work instruction defines the procedures for identifying and classifying information risk for projects that propose to use IRC resources. The mandatory clauses and supporting controls set the criteria against which risk is considered and the risk acceptance level (Clause 8.2). The ISMS contains a standardised approach for selecting appropriate controls for risk management, which also defines when and how the assessments are performed and reviewed. The ISMS does not cover non-technical or health and safety risk assessment processes, which are set at UoL faculty level.


6.1 Actions to Address Risks and Opportunities

Clause 8.2 defines when and how assessments are performed, treated and reviewed, and sets a standardised approach for selecting appropriate controls for risk management.

6.2 Information Security Objectives

The IRC objectives are set out in Table 6.2.1: IS Objectives and summarised here:

1. Information is protected from a loss or breach of confidentiality, integrity and availability.
2. IS risks are identified, assessed and managed through the IRC Risk Assessment policy and IRC Risk Treatment policy.
3. Policies and controls exist to mitigate the risks identified, and their effectiveness is measured and reviewed.
4. Current regulatory and legislative requirements are met.
5. Training in all elements of the IS Management System is available to all employees and researchers, as relevant to their roles.
6. The ISMS complies with the ISO 27001:2013 standard and is regularly reviewed and continually improved.
7. The ISMS supports compliance with the NHS Data Security and Protection Toolkit.

The IGMG reviews these objectives at least annually to ensure they remain current and valid.

To measure these objectives, Key Performance Indicators (KPIs) with targets have been created and are reviewed at least annually by the IGMG. The Information Governance Manager will ensure that the data is captured and made available at quarterly IGMG meetings.


Table 6.2.1: IS Objectives

Objective 1. Information is protected from a loss, or breach, of confidentiality, integrity and availability.
  KPI 1.1: Number of 'High' incidents reported and recorded on the Incident Log.
    Target: None over 1 month old that are neither accepted nor being addressed.
  KPI 1.2: Number of unaddressed CRITICAL & HIGH findings reported during penetration testing (shown as average per test).
    Target: None over 1 month old that are neither accepted nor being addressed.

Objective 2. IS risks are identified, assessed and managed through the IRC Risk Assessment and Treatment processes.
  KPI 2.1: Number of Critical & High risks as a percentage of total risks.
    Target: 0% over 6 months old that are neither accepted nor being addressed.
  KPI 2.2: Effectiveness of Risk Treatment Plans (percentage reduction in total risk score after the treatment plan is implemented).
    Target: 100% of entries to have Treatment Plan & Review Date populated; Accept Date is no later than Review Date.

Objective 3. ISMS policies and controls exist to mitigate the non-conformities identified, and their effectiveness is measured and reviewed.
  KPI 3.1: Number of internal ISMS audit findings that have not been addressed.
    Target: Less than 8 over 6 months old that are neither accepted nor being addressed.

Objective 4. Current regulatory and legislative requirements are met.
  KPI 4.1: Number of penalties enforced by any regulatory or governmental body.
    Target: No penalties.

Objective 5. Training in all elements of the IRC IS Management System is available to all employees and researchers as relevant to their roles.
  KPI 5.1: IS-related training appropriate to their roles is delivered to all employees and researchers.
    Target: Zero gaps or overdue training on the training register.
  KPI 5.2: Number of issues on the IS Incident Log with a training-related root cause, as a percentage of all issues.
    Target: Less than 10%.

Objective 6. The ISMS complies with the ISO 27001:2013 standard and is regularly reviewed and continuously improved.
  KPI 6.0: Number of non-conformities identified by a certification auditor in the annual audit.
    Target: Baseline figure.
  KPI 6.1: Number of non-conformities identified by a certification auditor that have not been addressed.
    Target: Less than 2.
  KPI 6.2: Evidence of findings and observations from audits being recorded and progressed via an NCR Log.
    Target: 100% of entries to have Preventive Action & Review Date populated; Close Date is no later than Review Date.


7.0 Support

7.1 Resources

Refer to the Information Security Roles policy (A6.1.1) to view the resources available for delivering the ISMS.

7.2 Competence

The minimum level of IS-related competence required for the specific roles listed above is shown in Table 7.2.1.

Table 7.2.1 IS competences for specific roles

Role: IG Management Group Chair
  Minimum competence:
  - Understanding of the requirements of ISO27001

Role: UoL Senior Information Risk Owner (SIRO)
  Minimum competence:
  - Understanding of the requirements of ISO27001
  - Understanding of the requirements of the NHS Data Security and Protection Toolkit
  - Understanding of the General Data Protection Regulation (GDPR)

Role: IRC Information Governance Manager
  Minimum competence:
  - Understanding of the requirements of ISO27001
  - Understanding of the requirements of the NHS Data Security and Protection Toolkit
  - Understanding of the General Data Protection Regulation (GDPR) and other data protection laws

Role: UoL Data Protection Officer
  Minimum competence:
  - Understanding of all legislation governing data protection and information handling
  - Awareness of the requirements of ISO27001
  - Awareness of the requirements of the NHS Data Security and Protection Toolkit

Role: Data services team
  Minimum competence:
  - Understanding of the General Data Protection Regulation (GDPR)
  - Understanding of the requirements of ISO27001
  - Ability to use the tools and techniques to protect information

Role: Users and Researchers
  Minimum competence:
  - To have undertaken UoL IS essentials training
  - To have undertaken UoL IS advanced training
  - To have completed other risk-based training as appropriate

7.3 Awareness

For the ISMS to be effective, the ISMS and good IS practices must be communicated to and understood by all those to whom it is relevant. Where documents apply to all IRC users they are:

1. Published on the Researcher Portal (Intranet).
2. Made available at induction.
3. Published as appropriate.
4. Reminded through annual IS compliance refresher notices.
5. Communicated by email or the IRC portal as cyber threats/risks are identified by the UoL Assurance group or by external groups.

Everyone has a responsibility for being appropriately competent in Information Governance. Refer to IS Awareness, Education and Training (A7.2.2).

7.4 Communication

This policy defines the controls for formal communications regarding IS that relate to elements within the scope of the IRC ISMS. The purpose is to ensure that relevant IS issues (in particular new policies or significant changes) are communicated to the relevant individuals with clarity and consistency, so that people have the necessary capacity to carry out their responsibilities for IS.

7.4.1 Communication Recipients and Triggers

IS management communications are provided to those who are directly affected by the matter being communicated or who have responsibilities for any affected procedures.

7.4.2 Communication Scope

IS management communications of new and updated policies should be communicated in a manner that is clear and comprehensive and may include some of the following:

1. The purpose or objective of the policy.
2. Description of the policy as it relates to the recipient.
3. Responsibilities for implementing and managing the policy.
4. Feasible timeframe for implementation.
5. Review plan for the policy.
6. Opportunity for queries and comments.

However, information must not be disseminated where doing so may facilitate a compromise of IS.

7.4.3 Communication Responsibilities

Effective communications about IS are assigned to the following roles:

7.4.3.1 The Information Governance Management Group (IGMG):

1. To communicate the importance of effective IS management and of conforming to ISMS requirements, and the consequences of not doing so.
2. To review communication policies for making information available to relevant people in a timely manner and via appropriate channels.
3. To ensure the DST has the relevant information.
4. To maintain open channels of two-way communication and to listen to feedback and comments from researchers.


7.4.3.2 The IRC Information Governance Manager:

1. To maintain the ISMS.
2. To carry out internal audits of policies, processes and systems relating to the ISMS or to the NHS Data Security and Protection Toolkit.
3. To ensure policies and procedures are updated and communicated to those who need to know.
4. To maintain risk, non-conformity, incident and vulnerability registers.
5. To communicate to the LIDA SMT and the IGMG any risks and issues that could undermine the IS of the IRC.
6. To communicate good security practices to IRC users.
7. To monitor and record progress against outstanding incidents and actions, vulnerabilities, risk treatments or security improvements.

7.4.3.3 The IRC Data Services Manager:

1. To communicate regularly with their team, preferably face to face, to ensure information relating to the ISMS is available, understood and up to date.
2. To ensure they and their team are maintaining ISMS records.
3. To listen to feedback from their team and users and to keep the IGMG informed.
4. To communicate the outcomes of any IRC Risk Assessment or Risk Treatment Plan.

7.4.3.4 The DST:

1. To ensure they are informed and have access to information in order to be as effective as possible in their role.
2. To ensure they are maintaining good communication practice as set out in this document.
3. To keep line managers, colleagues and users aware of up-to-date information.
4. To maintain inventories of users, projects, information, data sharing agreements and physical and/or virtual assets.

7.4.3.5 IRC Users:

1. To keep the DST informed about their needs for data handling.
2. To address any IS requirements raised with them by the DST and to communicate the outcome (for example, by completing any IS training).

7.4.4 Communication Channels

The channel selected for a communication is the one that will most speedily and comprehensibly convey the relevant information.

7.4.5 Audience

The audience will influence the channel to be chosen. Consider the following:

1. Location: a shared office may restrict what can be communicated. A remote user may limit the channels available for use.
2. Role: a person's role and relevant expertise may influence whether a channel more conducive to interaction and feedback is appropriate.
3. Impact: directive conversation, training or detailed documentation may be more suitable than site notifications for people whose daily working is highly affected by the issue.

7.4.6 Communication actions

Where actions are triggered as a result of IS management communication, these should be followed up with a formal written notice of the agreed action and completion date. Where actions arise from communication between DST staff, no formal notice is required.

7.5 Documented Information

7.5.1 General

Documents must be developed, maintained and archived in the ISMS folders and standardised, as set out in the clause on Document Format (7.5.2).

7.5.2 Creating and Updating

A document template is used to create standardised policies and procedures that can be accurately cited. The documents contain the following:

Section: Front page
  Information required:
  - IRC and UoL header
  - Document title, version number and date of version sign-off

Section: Document information page
  Information required:
  - Header: IRC logo and "Information Security Management" (Arial, size 10)
  - Footer: version number, published date and classification "Protect"
  - Document information: a. Reference: short name for referencing the document; b. Category that the document is a part of; c. Title; d. Purpose; e. Owner; f. Author; g. Compliance requirement; h. Review Plan; i. Related Documents.
  - Version History: must include the version number, the updater, a change description, the sign-off name, role and the date of approval.

Section: Footer
  Information required:
  - Page number
  - Version
  - Title
  - Published date
  - Classification (normally Protect)

Section: Main document
  Information required:
  - Header: IRC logo and "Information Security Management" (Arial, size 10)
  - Footer: page and version number and date of version sign-off (Arial, size 10)
  - Numbered sections in the IRC header format
  - Purpose section: introduces the scope and objective of the document
  - Applicability section: describes who the document relates to
  - Acronyms are written out in full before first use, excluding first use within a document title or header
  - IRC and other UoL documents are linked to where referenced
  - External references are quoted with a superscript numeral (e.g. 1) and are listed in footnotes
  - The University of Leeds is written in full in the first instance and subsequently referred to as UoL

7.5.3 Control of Documented Information

This applies to policies and work instructions:

1. New unapproved policies or work instructions start with version 0.
2. The first approved document will begin with version 1.0.
3. New proposals, data management plans and risk assessments from researchers will always start at version 1.0.
4. To edit an existing document, open it and save it under the same file name with the next version number at the end of the name, for example "work instruction-v1.1.docx".
5. On completion, the version number, date, change maker's name and change description are added to the version control table (see the example table below).
6. For work instructions, another member of the team must test the instruction.
7. The IGM or the DST Manager will approve work instructions, and the date of approval must be recorded. Changes to policies are drafted by the IGM or DST Manager and forwarded to the IGMG for approval.
8. Following approval, the Word document must be saved as a PDF to prevent change.
9. The old work instruction or policy should be moved into the archive folder.

7.5.4 Document publication

PDFs of the current ISMS documents are disseminated freely. These publications are made available to all users and staff via the intranet, and to data providers on request. The read-only PDF versions of ISMS policies can be printed, copied or linked to as required.

Documentation feedback is escalated to the IGMG and forwarded to the relevant document author(s).


8.0 Operation

8.1 Operational Planning and Control

Security processes are planned and conducted through processes agreed by the IGMG, which oversees the operations within the IRC and approves amendments to its policies.

Planned maintenance schedules ensure there is a consistent and regular maintenance window for service and system updates.

Control is maintained through the use of work instructions that provide operational standards for the DST to action.

Change management ensures the stability of systems by identifying and mitigating the risks associated with implementation and by minimising the disruption to research operations caused by system outages; consequently it improves the services and service levels provided to the organisation. The IRC has adopted the UoL standard for change management, which is referenced in the IRC Change Management Policy (A.12.1.2).

8.2 Information Security Risk Assessment

An IRC risk assessment considers all elements within the ISMS scope that handle information and all factors that contribute or pose a risk to IS.

Data confidentiality, integrity and availability are the criteria against which risk is evaluated. The IRC must manage risk so as to remain compliant with relevant legislation and provide assurance that risks related to personal information are managed according to internal and external standards. The assessment process and the justification for the application of risk controls will be captured in a risk log and retained for scrutiny. Separate data protection risk assessments are carried out for each project. Refer to the Information Security in Project Management Policy (A.6.1.5). ISMS risks are calculated by the equation Risk = Likelihood x Impact, with likelihood scored on the following scale:

Scale 4: A risk that is almost certainly going to arise (>90%). Example: Changes to the value of sterling affecting buying and selling of goods abroad.

Scale 3: A risk that is likely to arise (50-90%). Example: Increased costs of research.

Scale 2: A possible risk that could happen (10-50%). Example: Major power cut on campus.

Scale 1: A risk that is unlikely to occur (<10%). Example: Terrorist attack on the UoL.


8.2.1 Impact Definition

Scale 4, Critical:
  Operations / business continuity: Severe impact on all services University-wide or in the IRC.
  Compliance: Critical breach leading to closure of the University or IRC service.
  Reputation: Long-term negative publicity in national and international media.
  Financial loss or cost: > 5% of turnover.

Scale 3, Major:
  Operations / business continuity: Severe impact on some (but not all) services delivered by the University (or by the IRC).
  Compliance: Major breach leading to a suspension or partial closure of the IRC.
  Reputation: Long-term negative publicity in national media or short-term publicity in national and international media.
  Financial loss or cost: 2-5% of turnover.

Scale 2, Moderate:
  Operations / business continuity: Significant impact on services.
  Compliance: Significant breach leading to reprimand or sanctions.
  Reputation: Short-term negative publicity in regional media.
  Financial loss or cost: 1-2% of turnover.

Scale 1, Minor:
  Operations / business continuity: Minor impact on services.
  Compliance: Minor only, no reprimand or sanction (save improvement notice).
  Reputation: No bad press.
  Financial loss or cost: < 1% of turnover.

8.2.2 Risk assessment scope

The scope includes anything that could affect IRC systems that handle sensitive information, which may include, but is not limited to:

1. Site, suppliers and organisational structure.
2. Hardware, software and networks and their supporting infrastructure.
3. Business processes and activities.
4. Data, analytical outputs and information.
5. ISMS non-conformity, vulnerability and weakness.
6. Legislation.
7. Personnel.
8. DSAs and other third-party contracts or licences.

A separate risk assessment process is carried out for each research project, based upon its data handling requirements and following the Project_Risk_Assessment work instruction. The assessment will influence the controls that are needed to de-identify personal data and any conditions set by a data sharing contract. Refer to the Information Security During Project Management Policy (A.6.1.5).

8.2.3 Risk log

If there is a risk of harm to individuals, a risk of breach of contract, or where a risk could hinder the operation of a project, the IRC or the UoL, the risks must be assessed and logged in a risk log. Refer to the registers on SharePoint.

8.2.4 Frequency of risk assessment

Existing risks are assessed no later than the review date or at least every 6 months. New risks are considered if any of the following conditions arise:

Review the Risk Assessment:

- After changes to infrastructure.
- After changes to processes.
- Following the identification of a weakness, non-conformity or incident.
- After changes to legislation.
- After changes to data sharing agreements or contracts.
- When new projects are being developed, but prior to becoming active in the IRC. Refer to the Information Security in Project Management Policy (A.6.1.5).

8.3 Information Security Risk Treatment

8.3.1 Applicability

The Information Security Risk Treatment policy applies to users who treat IS and governance risk within the scope of the IRC ISMS. It is also for use by the IGMG, the IG Manager and the Data Protection Officer, who oversee and prioritise risk treatment plans and own residual risk.

8.3.2 Risk treatment

Risk treatment involves reviewing, prioritising and implementing the risk-reducing controls recommended from risk assessments. Risk treatment is a cycle of assessment and implementation, triggered by a system change, an incident, a non-conformity, legislation or an improvement following an annual ISMS review. If relevant controls exist, these should be applied to minimise the risk. Further treatment in the form of new controls should be submitted to the IGMG for approval. See Figure 8.3.2.1.

Figure 8.3.2.1 Flow chart for risk treatment

While it is improbable that all risks are eliminated, the IGMG will ensure that the most appropriate controls are employed to reduce risk to an acceptable level using the least-cost approach, with minimal adverse impact to the IRC. The IGMG is authorised to choose to "Accept a risk" if appropriate.


8.3.3 Risk Treatment Options

The following treatment options can be applied to mitigate risk:

1. Risk Acceptance: Make an informed acceptance of the risk and continue system operations, or apply controls to lower the risk to an acceptable level.
2. Risk Avoidance: Eliminate the risk cause and/or consequence (e.g. forgo certain system functions or shut down the system when risks are identified).
3. Risk Managed: Controls are in place to minimise the adverse impact of a threat exercising a vulnerability.
4. Risk Treatment Plan: Develop a risk mitigation plan that prioritises, implements and maintains controls.
5. Risk Transference: Transfer the risk by using other options to compensate for the loss.

The situation will determine which risk treatment options are appropriate; none are mutually exclusive. The IGMG approves the appropriate option for each risk and the prioritisation of treatments, based on the risks that have been assessed to pose the greatest risk to IRC objectives. Any vendor security products and administrative measures to be utilised are also selected based on compatibility with IRC objectives.

8.3.4 Residual risk

Having implemented the selected controls, the residual risk will be recalculated in the ISMS Risk log.

8.3.5 Risk ownership and review

The IGMG will review the risk log as part of the IGMG meetings. The IGM is responsible for ensuring that the DST conduct risk assessments and implement risk treatment plans. The IGMG Chair takes overall accountability for risk levels, assessment and treatment.
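The scoring in clause 8.2 (Risk = Likelihood x Impact on two 1-4 scales), the residual-risk recalculation in 8.3.4, the review frequency in 8.2.4 and the Table 6.2.1 targets for KPIs 2.1 and 2.2 can all be checked mechanically over a risk log. The Python below is an added example written for this page, not IRC or UoL code. The record layout, the 183-day reading of "6 months", the severity bands (the page refers to Critical and High risks but never maps scores to those names) and the four sample entries are assumptions constructed for the illustration.

```python
# Added example (not IRC/UoL code): evaluates a constructed risk log against the
# clause 8.2 formula Risk = Likelihood x Impact, the clause 8.3.4 residual-risk
# recalculation, the clause 8.2.4 review frequency and the Table 6.2.1 KPI targets.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Scales from clause 8.2 (likelihood) and 8.2.1 (impact); both run 1-4.
LIKELIHOOD = {1: "unlikely (<10%)", 2: "possible (10-50%)",
              3: "likely (50-90%)", 4: "almost certain (>90%)"}
IMPACT = {1: "Minor", 2: "Moderate", 3: "Major", 4: "Critical"}

# ASSUMPTION: clause 8.2.4 says "at least every 6 months"; 183 days is our reading.
SIX_MONTHS = timedelta(days=183)
# Evaluation date for the constructed sample (the document's publication date).
AS_OF = date(2019, 9, 24)


def score(likelihood: int, impact: int) -> int:
    """Clause 8.2: Risk = Likelihood x Impact, each on the 1-4 scale."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be 1-4")
    return likelihood * impact


def band(risk_score: int) -> str:
    """ASSUMPTION: the page names Critical/High risks but never maps scores to
    those names; these bands are invented for the example."""
    if risk_score >= 12:
        return "Critical"
    if risk_score >= 8:
        return "High"
    if risk_score >= 4:
        return "Medium"
    return "Low"


@dataclass
class RiskEntry:
    # Record layout is an assumption modelled on the KPI 2.2 wording.
    risk_id: str
    raised: date
    last_assessed: date
    likelihood: int
    impact: int
    status: str                                # "open", "being addressed", "accepted"
    treatment_plan: Optional[str] = None
    review_date: Optional[date] = None
    accept_date: Optional[date] = None
    residual_likelihood: Optional[int] = None  # set once controls are in place
    residual_impact: Optional[int] = None


def residual_score(e: RiskEntry) -> int:
    """Clause 8.3.4: once controls are implemented the residual risk is
    recalculated; until then the inherent score stands."""
    if e.residual_likelihood is None or e.residual_impact is None:
        return score(e.likelihood, e.impact)
    return score(e.residual_likelihood, e.residual_impact)


def kpi_2_2(entries: List[RiskEntry]) -> List[Tuple[str, str]]:
    """KPI 2.2: 100% of entries have Treatment Plan and Review Date populated and
    Accept Date no later than Review Date. Returns the failing entries."""
    failures = []
    for e in entries:
        if not e.treatment_plan or e.review_date is None:
            failures.append((e.risk_id, "treatment plan or review date missing"))
        elif e.accept_date is not None and e.accept_date > e.review_date:
            failures.append((e.risk_id, "accept date later than review date"))
    return failures


def kpi_2_1(entries: List[RiskEntry], today: date) -> Tuple[float, List[str]]:
    """KPI 2.1 target: 0% of risks are Critical/High, over 6 months old and
    neither accepted nor being addressed. Uses the residual score, so a risk
    whose controls brought it down no longer counts."""
    stale = [e.risk_id for e in entries
             if band(residual_score(e)) in ("Critical", "High")
             and today - e.raised > SIX_MONTHS
             and e.status not in ("accepted", "being addressed")]
    pct = 100.0 * len(stale) / len(entries) if entries else 0.0
    return pct, stale


def overdue_reviews(entries: List[RiskEntry], today: date) -> List[str]:
    """Clause 8.2.4: existing risks are assessed no later than the review date
    or at least every 6 months, whichever comes first."""
    return [e.risk_id for e in entries
            if (e.review_date is not None and today > e.review_date)
            or today - e.last_assessed > SIX_MONTHS]


def sample_risk_log() -> List[RiskEntry]:
    """Constructed sample entries; none of these are real IRC risks."""
    return [
        RiskEntry("R-001", date(2019, 1, 10), date(2019, 1, 10), 4, 4, "open",
                  "Encrypt backups at rest", date(2019, 6, 30),
                  residual_likelihood=2, residual_impact=3),        # 16 -> 6
        RiskEntry("R-002", date(2019, 2, 1), date(2019, 2, 1), 3, 3, "open"),  # 9, no plan
        RiskEntry("R-003", date(2019, 8, 15), date(2019, 8, 15), 4, 3,
                  "being addressed", "Apply vendor patch", date(2019, 11, 15)),
        RiskEntry("R-004", date(2018, 12, 1), date(2019, 9, 1), 2, 2, "accepted",
                  "Accept: low residual risk", date(2019, 10, 1),
                  accept_date=date(2019, 10, 15)),                   # accept after review
    ]


if __name__ == "__main__":
    log = sample_risk_log()
    for e in log:
        print(e.risk_id, score(e.likelihood, e.impact), "->", residual_score(e),
              band(residual_score(e)))
    print("KPI 2.2 failures:", kpi_2_2(log))
    print("KPI 2.1 (pct, stale ids):", kpi_2_1(log, AS_OF))
    print("Overdue reviews:", overdue_reviews(log, AS_OF))
```

Running it lists each entry's inherent and residual score and the KPI results. The entry to notice is R-001: its inherent score of 16 would sit in the top band, but the residual score after controls takes it out of the KPI 2.1 count, even though its review date has passed and it is flagged as overdue. R-002, with no treatment plan, fails KPI 2.2 and still counts as a stale High risk, which is exactly the combination the IGMG review in 8.3.5 is there to catch.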

9.0 Performance Evaluation

9.1 Monitoring, Measurement, Analysis and Evaluation

Individual IRC processes are controlled and monitored as per the appropriate IS Management policies, and measurement data is collated, analysed and reported by the Information Governance Manager as follows:

- Results from internal and external audit findings and reports, and actions identified in the non-conformance log.
- Measurements taken to prove the ISMS objectives are being met.
- Feedback from researchers, staff and third parties.
- Issues reported in the Incident Log.
- Reports from Vulnerability & Penetration Logs.
- Risk Log.
- Changes in legislation.

The evaluation process shall document any decisions and actions relating to:

- An improvement of the effectiveness of the ISMS and its processes.
- An update of the Risk Assessment and Risk Treatment Plan.
- Changes to any ISMS procedures and controls in response to, for example, changing business requirements, contractual arrangements, legal/regulatory requirements, etc.
- The identification and approval of resource needs.
- Changes to the information that is gathered to produce the KPI reports.

The IGMG meets quarterly to review the measurement data and internal and external audit findings, and to prioritise improvement.

9.2 Internal Audit

IRC internal audits are conducted as per the audit schedule to provide information on whether the ISMS:

1) Conforms to internal and external security requirements.
2) Meets the requirements of ISO27001:2013.
3) Is effectively implemented and maintained.

The IGM shall:

a) Plan, establish, implement and maintain an audit programme, including the methods, responsibilities, planning requirements and reporting. The audit programme shall take into consideration the importance of the processes concerned and the results of previous audits.
b) Define the audit criteria and scope for each audit.
c) Select auditors and conduct audits that ensure objectivity and the impartiality of the audit process.
d) Ensure that the results of the audits are reported to relevant management.
e) Retain documented information as evidence of the audit programme(s) and the audit results.

9.3 Management Reviews

The IGMG reviews the ISMS documentation: the Statement of Applicability, the ISMS Clauses and the controls.

Minimum attendance at each meeting is: the Chair or Deputy Chair, DPO, IRC IGM, DST Manager, a representative from a partner or key service user, the UoL Ethics Boards and IT Service Management (or substitutes). Attendance from further IRC core users, data sources and the UoL IT Security Group, Information Governance Group and Legal Affairs Team is encouraged but optional depending on the agenda.

Reviews consider changes to external standards, industrial best practice and the needs of service users.

The standard agenda includes:

1. Actions since previous reviews.
2. Summary of IS performance and objectives.
3. Internal audit update and review of new non-conformities or observations.
4. IS incidents and corrective actions.
5. Summary of the risk log, issues and treatment.
6. ISMS review.
7. Opportunities for continual improvement.
8. Annual: review the relevance of the group, its management or membership.
9. Any other business.

All members are invited before each meeting to submit agenda items and supporting papers. The agenda and previous minutes are circulated ahead of each meeting. Meetings are documented in terms of their occurrence, attendance, topics discussed, agreed decisions and assigned actions.

The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the ISMS. The organisation shall retain documented information as evidence of the results of management reviews.

9.3.1 Review Initiation

Meetings occur quarterly, but are also triggered if a significant change occurs that changes the risk or ISMS scope, or undermines any current systems that are in place.

9.3.2 Applicability

The IGMG can request to review any clause or control that is in scope of the ISMS.

9.3.3 Audit Schedule

An annual audit schedule can be found on the IRC SharePoint site.


10.0 Improvement

10.1 Non-Conformity and Corrective Action

The non-conformity and corrective action policy covers all identified non-conformities and corrective actions associated with the IRC and covers:

- Identifying and controlling non-conformities.
- Determining the cause(s) of non-conformities.
- Taking the appropriate corrective action to eliminate non-conformities.
- Recording the action taken.
- Reviewing the effectiveness of the corrective action taken in accordance with the requirements of the International Standard 27001:2013.
- Communicating the action with interested parties.

10.1.1 Reporting

If a non-conformity is identified, by whatever method (e.g. risk assessment, audit or post-implementation review), the user must report the issue through the Reporting of Security Weaknesses policy (A.16.1.3). If a breach of IS was discovered, then refer to the Reporting Information Security Events policy (A.16.1.2).

10.1.2 Recording

If a non-conformity is identified during an internal or external ISO27001 audit, the issue should be recorded in the ISMS Non-Conformities Log and reviewed for action.

10.1.3 Corrective Action

Corrective action can be defined as the action taken to rectify something that has gone wrong or is not performing in line with expectations.

Corrective actions, such as immediate replacement and verification of a non-conforming system or process, are a priority in order to minimise the risk to the UoL. Where issues are likely to take time to resolve, regular review dates must be set within the Non-Conformities Log.

Following a corrective action, the Non-Conformities Log must be updated with the root cause, the corrective action taken and the date of closure.

10.2 Continual Improvement

The IG Manager and the IGMG use audit results, corrective and preventative actions, risk assessments, analysis of incidents, monitored events and management reviews of key performance indicators to continually improve the ISMS and the technical security controls that are in place.