With information governance recognised as an essential part of running an efficient, high-quality business, it is vital that organisations and individuals understand both the importance of the concept and the way in which information is handled and transferred into and out of their organisation. Central to understanding your own information management processes is the act of data mapping. This is now a key element for NHS bodies looking to demonstrate compliance against the Information Governance (IG) Toolkit standards.
Data mapping is an effective way to chart the flow of information into and out of an organisation and subsequently identify any high-risk areas, allowing guidance to be developed that minimises those risks. The IG Toolkit suggests that there are four key elements to consider when mapping data:
1. Data Type
According to the Information Governance Toolkit guidelines, the types of data that should be mapped include such items as:
– Appointment letters
– Birth notifications
– Adoption records
– Employment records
– Personnel records
– Payslips
– Client surveys
This list is by no means exhaustive; as you start to think about the data that moves into and out of your organisation, you will appreciate that a great deal of information is transferred.
There is also specific guidance on the types of data that do not need to be mapped (an exclusion list), which includes items such as:
– Telephone conversations
– Face-to-face discussions
– Video conferencing
2. Data Format
The next thing to consider is the format in which data is stored and transferred. This includes both digital and hard-copy data, such as letters, x-rays, MP3 files, CDs and emails.
3. Transfer methods
Again, the way in which data is transferred can include anything from courier delivery and faxes to internal documents being carried by staff to another department.
4. Locations
When considering locations you need to think about exactly where data is coming from and where it is going to, both internally and externally. For example: schools, patients' homes, other NHS organisations or departments, prison services, and so on.
Once you have considered all of the above points, the next step is to map all of the different combinations of the four elements so that ultimately you are able to produce a clear and easy-to-understand map of exactly what information is transferred, how, and where.
But the task does not stop there. The next step is to analyse this map to identify any high-risk areas where information security procedures could potentially be breached. You should then go on to produce guidance that minimises these risks, so that following your data mapping exercise your systems and mechanisms for data transfer are secure, efficient and appropriate.
The IG Toolkit guidance suggests that within smaller organisations all of the above could be carried out by one individual who knows all of the processes involved in transferring data. In larger organisations, however, it is advised that a number of individuals contribute to the exercise, so that knowledge of specific departmental practices and procedures is shared and a full understanding of data transfer processes throughout the organisation is reached.
Dual-use items are items that can have both military and commercial applications. They may appear innocuous but, in the wrong hands, can be used for destructive purposes. Examples of dual-use items include communications equipment, machine tools, handcuffs, information security equipment, electronics, lasers, and encryption software. In addition, thousands of metals, compounds and chemicals are controlled because they can be used for military applications.
Many firms whose primary business is not considered 'sensitive' are unaware of their obligations under the Export Administration Regulations (EAR), administered by the U.S. Department of Commerce's Bureau of Industry and Security (BIS). Companies are proud to export U.S. products overseas, but many have never given much thought to the consequences of these activities.
The penalties for violations of export laws can be severe. Companies considered household names have paid significant fines for violations of U.S. export laws, and many smaller companies have been penalized as well. Recent examples include a Florida company that paid a $1,102,200 civil penalty for illegal exports of fingerprint equipment and other crime control items, and a New Jersey-based freight forwarder that was sentenced to a $250,000 criminal fine and five years' probation, as well as a $399,000 administrative penalty, for shipping items to India without the required export license.
The penalties for violations have recently been increased in an effort to improve compliance with the BIS regulations. On October 16, 2007, President Bush signed into law the International Emergency Economic Powers Enhancement Act, which amended the International Emergency Economic Powers Act (IEEPA). The Act provides for civil penalties of the greater of $250,000 or twice the value of the transaction that is the basis of the violation, which may be imposed for each violation of IEEPA. Willful violators can expect criminal penalties including fines of up to $1,000,000 and/or up to 20 years in prison.
Questions Every Exporter Must Ask
• Have we had all of our items, technology and software classified by the BIS or other competent expert?
• Do we know our customer (i.e. do we check our customers against the government lists of denied parties, specially designated nationals, and other required databases)?
• Have our employees involved in export transactions received the necessary training to ensure compliance?
• Do we have adequate recordkeeping practices in the event of a BIS enforcement audit?
• Do we have a formal export compliance program in place to ensure compliance to U.S. laws and regulations?
Maintaining control of your exports should not be viewed merely as a cost of doing business. Aside from being the 'right thing to do', it can save money, avoid negative publicity and improve export shipment flows. What you don't know can hurt you.
For more information on trade compliance or export compliance consulting visit https://www.wearecompliant.com
IT Security Governance
Better manage risk, compliance, and governance
What is Information Security Governance?
IT security governance is the system by which an organization directs and controls IT security (adapted from ISO/IEC 38500). IT security governance should not be confused with IT security management. IT security management is concerned with making decisions to mitigate risks; governance determines who is authorized to make those decisions. Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Management recommends security strategies; governance ensures that those strategies are aligned with business objectives and consistent with regulations.
NIST And IT Security Governance?
NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.
Why Enterprise Governance?
Enterprise security governance results from the duty of care owed by leadership towards fiduciary requirements. This position is based on judicial rationale and reasonable standards of care. The five general governance areas are:
- Govern the operations of the organization and protect its critical assets
- Protect the organization’s market share and stock price (perhaps not appropriate for education)
- Govern the conduct of employees (educational AUP and other policies that may apply to use of technology resources, data handling, etc.)
- Protect the reputation of the organization
- Ensure compliance requirements are met
Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business.
Why Use ITSecurity.Org For Your IT Security And Information Security Governance Requirements?
At ITSecurity.Org, our professional and qualified staff have decades of combined experience, expertise, qualifications and certifications gained through working in some of the largest enterprises. Our consultants have dealt with many different IT Security Governance and Information Security Governance requirements and are able to help with your governance situation and needs in a way that suits you.
We have practical experience of creating, building and managing Security Governance Frameworks so that they work for you.
What Is The Current Best Practice Regarding Enterprise IT Governance?
Three Lines Of Defence
Currently, the best practice for Enterprise IT Governance is to implement a layered approach. This layered approach is called the 'Three Lines Of Defence'.
In order to comply with legislative and regulatory requirements, a Three Lines of Defence approach is implemented, with the lines defined as follows:
1. First Line of Defence
The first line of defence will have responsibility for:
- Defining the IT Strategy to provide the strategic context within which IT will operate.
- Ensuring that IT Policies and Governance bodies form a system of controls for IT activities and the IT Strategy Implementation.
- Accountability for ensuring that the following are successfully implemented:
- IT Policy,
- IT Governance,
- IT Compliance,
- IT Risk Management
2. Second Line of Defence
The second line of defence will have responsibility for:
- Ensuring performance, compliance and risk oversight in relation to the IT Policy.
- Approving the IT Policy to be used by IT Governance bodies.
3. Third Line of Defence
The third line of defence will have responsibility for:
- Independently assuring compliance with Policy.