Hi Lisa,

If you want some assurance around "information assets" then look at the links below. This is something that has been uppermost in IG Manager's mind who work in the NHS, for some time!

I would suggest that leaving you to identify risk is not the right approach. The Cabinet Office in 2008 issued requirements following the HMRC debacle (Big up to the HMRC for the extra work) which involved the creation of "Information Asset Owners", "Information Asset Administrators" and right at the top a Senior Information Risk Officer.

In a nutshell IG ended up with the job of bringing all this together, but they did not assess the risk (at least not alone). The SIRO is responsible for all risks to information. The IAO is an "owner" of an identified information asset and the IAAs are senior users of those assets.

The idea is to create a structure whereby the owners know what to do in terms of identifying and quantifying risk (usually via the NHS standard risk matrix) and manage their risks locally. At key points the IAOs feed their risk registers to the SIRO - usually collated by an IG Manager. Any high risks are then take to the board and if necessary accepted onto the corporate risk register. The IG Manager helps everyone, but does not assess or own risks (unless they are an IAO for a system). It's fair to say that the IG Manager is usually more of a facilitator...

If you want to talk more about this drop me a message off list and I will happily have a chat with you about it. However, all the information you need is available via the NHS CFH website and other places. However, you may need some guidance in bringing the processes together.

One other thing. I wouldn't worry about threats to IT or human factors. Identify them as such and maybe section them off together, but they are all risks and so need managing through the same process.

Simon Howarth.

-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Lisa Percival
Sent: 13 May 2011 16:00
To: [log in to unmask]
Subject: [data-protection] Information Security and Information Assets/Processes

Dear All

I have recently been asked to carry out an exercise which I am not entirely happy about.  This is to identify our "information assets" and quantify the risk to those assets (among other things).  This means identifying blocks information and then identifying what possible threats there might be to those assets (and then giving them a rating).

By trying to do this, I have ended up conflating two things which I do not think should be bundled together: risks to ICT systems (which store the "assets") and the "human risks" of handling the information.  

There are two issues here: 

1 The audits on our IT systems should be adequate to ensure the security of the data on these systems and I am not sure why we have to go over all of this again in relation to each block of information that we hold.

2 So far as our processes are concerned, my chosen way of going about things would be to set out the processes and then identify the weak spots (e.g. when we copy the data to other areas, share it with third parties etc) for each stage in the process - the risks to information at one stage in a process are often quite different from those at another stage, as are the controls in place.

I will probably just have to go with the current exercise as it has become quite urgent but I am concerned that, if we don't approach this in a more structured and process-oriented way, the risks we "identify" will just be things we have thought of and the actual risks will remain off the radar.

I am looking for some expert opinions and advice to back up a more process-oriented approach and wondered whether anyone was aware of (or had written!) anything that might be useful?  Of particular interest would be something that showed such an approach saves time in the long run or copies of any actual risk-assessments using such an approach would be much appreciated.

Of course, if you can see problems with my approach, don't hesitate to say as well!  The approach I have been asked to use is the standard Cabinet Office/SIRO one and I am guessing that there must be a reason for this (although I have read the Security Policy Framework and didn't find it very enlightening).

Best regards

Lisa Percival

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^