6. Corporate Security Management
6.1 Establish an internal information security organization
6.1.1 Allocate information security roles and responsibilities
Data controllers have the main responsibility for ensuring that data processing complies with the regulations. To support this, the Scandiatransplant office, as data processor, strives to comply by implementing the requirements of ISO 27001 and the GDPR. The main responsibility for this at the Scandiatransplant office lies with the Medical Director. However, for all employees at the office, security and integrity are a central part of the job descriptions, which means that best practice in these areas is a fundamental requirement in the everyday work.
The overview of assets and responsibilities at the Scandiatransplant office is defined in section '8. Organizational Asset Management'.
6.1.2 Segregate conflicting duties and responsibilities
Objective: minimize the risk that a single position has the opportunity to compromise the organization's activities.
Segregation of all duties is impractical because the organization is too small to assign every function to a different person; doing so would reduce efficiency and increase costs, complexity and staffing requirements.
However, it is a key responsibility of the daily leaders of the office to ensure that knowledge is shared and that the major parts of the daily tasks are covered by more than one person.
Knowledge is shared
- at weekly obligatory internal meetings for all employees
- at weekly internal scrum/sprint/stand-up meetings for programmers
- at internal ad hoc meetings
- at all day staff meetings with selected meeting themes
- through the internal Bugzilla and e-mail
- by informing the whole organization through statistics and newsletters
- by taking an active part in meetings and congresses within the organization
Daily tasks
Job descriptions are written so that more than one person covers the same primary tasks. This means that, for running the essential parts of the IT system, programmers can cover other programmers and clinical data managers can cover other clinical data managers.
This is put into practice in the daily work by taking turns doing updates of the database, working on different parts of the system, pair programming, and standardized automated and manual testing procedures.
The Scandiatransplant office is located at Aarhus University Hospital, Region Midtjylland (RM), and a cooperation agreement exists between the two parties (Cooperation agreement: AUH<-> Office & AUH<->Board).
The Service Level Agreement is a subcontract between the Scandiatransplant office and IT RM; it describes the responsibility for backup, network and access to servers. RM takes care of the hardware running the virtual servers. Hardware malfunction on the physical servers is detected by RM personnel maintaining the data centers. Corrections are performed in coordinated cooperation with RM staff whenever necessary. The service level agreement is found here. Furthermore, Scandiatransplant has a subprocessor agreement with RM, which is related to the Service Level Agreement. The subprocessor agreement is found here.
The Scandiatransplant office has requested legal advice to confirm that Scandiatransplant is a legal entity also in relation to the GDPR. This has been confirmed by cand. jur. Michael Sommer. Documentation is available upon request.
6.1.3 Maintain contact with all relevant authorities
Competent authorities
Each year a meeting is held between the Competent Authorities of each country and the Scandiatransplant board. At these meetings, ongoing projects in Scandiatransplant, in each country and in the EU are discussed.
Data controllers
Data Processor Agreements between the Scandiatransplant office and each member hospital specify responsibilities and tasks.
Data Processor Agreements:
Documents on accreditation
Hospital | EFI | Virology
---|---|---
Aarhus, Denmark | 2023-24 | DANAK
Odense, Denmark | / | /
Copenhagen, Denmark | 2022-23 | DANAK
Oslo, Norway | 2023-24 | ISO certificate, Oslo; ISO certificate, Tromsø
Stockholm, Sweden | 2022-23 | SWEDAC
Uppsala, Sweden | 2023-24 | SWEDAC
Skåne, Sweden | 2023-24 | SWEDAC
Gothenburg, Sweden | 2023-24 | SWEDAC
Helsinki, Finland | 2023-24 |
Reykjavik, Iceland | 2023-24 |
Tartu, Estonia | 2023-24 | EAK + annex
Riga, Latvia | Stradins Hospital ISO certificate April 21, 2021 to April 20, 2026 |
The data processor must keep a record of all processing carried out on behalf of the data controllers.
With the approval of the data controllers involved, the data processor can pass on data for quality development, quality assurance, statistics and research. The data processor keeps and continuously updates a list giving an overview of which data extractions have been sent or shared, with whom, and who approved each extraction. The list can be shown upon request by contacting the Scandiatransplant office.
6.1.4 Establish relationships with external organizations
Data is transferred securely by the data processor to the European Liver Transplant Registry (ELTR) on behalf of the involved data controllers. Letters of agreement have been signed by each involved liver transplant center:
Copenhagen - Gothenburg - Oslo - Stockholm - Tartu - Helsinki.
Data transfer to the International Society for Heart and Lung Transplantation (ISHLT) is on hold until further notice.
Export of anonymized data from Scandiatransplant to ISHLT is currently being investigated, and a data sharing agreement has been signed by all centers. Agreement with ISHLT signature
The unique identifier of 8 characters is generated by applying the MD5 hash function to the concatenation of a short-lived session (global) unique identifier and the database primary key (e.g. the scandia number) of the master object in the query.
Within one export of the transplantation table, all records belonging to the same master object (e.g. a patient with multiple transplantations) therefore receive the same identifier, so they remain linkable in the export without the scandia number itself leaving the office.
The identifier is a fingerprint of the given input. MD5 is a one-way function, but the primary key on its own is a small, enumerable number; what makes the identifier non-reversible is that the session identifier is unguessable and is discarded when the session ends, so after session termination it is not possible to recover the original string. For the same reason, a new session identifier produces a new set of identifiers, so records from different exports cannot be linked to each other.
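The identifier scheme described above, as an added example that is not the Scandiatransplant office's own code. It assumes that the 8 characters are the leading 8 hex digits of the MD5 hexdigest, that a random UUID serves as the session identifier, and uses constructed sample rows rather than registry data. It also shows the two checks a practitioner would want: that two patients did not collide on one 8-character id within an export, and that the id would be trivially reversible by enumerating scandia numbers if the session identifier were left out.

```python
import hashlib
import uuid

# Assumption: the 8-character id is the leading 8 hex digits of the MD5 hexdigest.
ID_LENGTH = 8

# Constructed sample rows, not real registry data: records 1 and 2 belong to
# the same patient (a re-transplantation), record 3 to another patient.
SAMPLE_TRANSPLANTATIONS = [
    {"record": 1, "scandia_number": 100234, "organ": "liver"},
    {"record": 2, "scandia_number": 100234, "organ": "liver"},
    {"record": 3, "scandia_number": 100981, "organ": "liver"},
]


def pseudonym(session_guid: str, primary_key: int) -> str:
    """Export id = MD5(session_guid || primary_key), truncated to ID_LENGTH hex chars.

    The session GUID is the only secret in the input; it is created for one
    export and discarded, which is what makes the id non-reversible afterwards.
    """
    material = f"{session_guid}{primary_key}".encode("utf-8")
    return hashlib.md5(material).hexdigest()[:ID_LENGTH]


def export(records, session_guid=None):
    """Return (exported rows, id -> set of primary keys) for one export session.

    Every record of the same master object gets the same id within the session,
    so a patient's transplantations stay linkable in the file while the
    scandia number itself never appears in it.
    """
    if session_guid is None:
        session_guid = str(uuid.uuid4())  # short-lived; never written to the export
    rows, seen = [], {}
    for r in records:
        eid = pseudonym(session_guid, r["scandia_number"])
        seen.setdefault(eid, set()).add(r["scandia_number"])
        rows.append({"record": r["record"], "export_id": eid, "organ": r["organ"]})
    return rows, seen


def collisions(seen):
    """Ids that two different patients received in the same export.

    Eight hex digits are only 32 bits, so with tens of thousands of patients
    an accidental merge is possible; regenerate the session GUID and re-run
    the export if this returns anything.
    """
    return {eid: pks for eid, pks in seen.items() if len(pks) > 1}


def unkeyed_pseudonym(primary_key: int) -> str:
    """What the id would be WITHOUT the session GUID: MD5 of the key alone."""
    return hashlib.md5(str(primary_key).encode("utf-8")).hexdigest()[:ID_LENGTH]


def dictionary_attack(target_id, key_space):
    """Recover a primary key from an unkeyed id by hashing every candidate.

    Scandia numbers are small integers, so the whole key space is cheap to
    enumerate. Against an id that includes the secret session GUID this
    finds nothing, because the attacker cannot reproduce the hash input.
    """
    for pk in key_space:
        if unkeyed_pseudonym(pk) == target_id:
            return pk
    return None


if __name__ == "__main__":
    rows, seen = export(SAMPLE_TRANSPLANTATIONS)
    for row in rows:
        print(row)
    print("collisions:", collisions(seen))
    leaked = unkeyed_pseudonym(100234)
    print("unkeyed id", leaked, "-> key", dictionary_attack(leaked, range(100000, 101000)))
    keyed = rows[0]["export_id"]
    print("keyed id", keyed, "-> key", dictionary_attack(keyed, range(100000, 101000)))
```

Running the script prints the three pseudonymized rows (records 1 and 2 share an id), an empty collision map, the scandia number recovered from the unkeyed id, and `None` for the keyed id. The collision check is worth keeping in the real export path: at 32 bits the birthday bound is reached around 65,000 distinct keys, well within the size of a multi-decade transplant registry.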
6.1.5 Make information security part of project management
Running and developing the IT system constantly involves the execution of shorter and longer projects: internal projects to maintain and develop the structure and working processes, and external projects to provide services to the data controllers.
Projects concerning changes and developments in the IT system are described and managed internally using the work tool 'Bugzilla'.
At the weekly obligatory internal meetings for all employees, risk assessment focused on information security is discussed and analyzed to identify threats and vulnerabilities in ongoing projects, and also in relation to the existing facilities of the IT system. Discussions are documented in the risk assessment form and/or as descriptions of initiatives in Bugzilla.
6.2 Protect your organization's mobile devices and telework
6.2.1 Establish a mobile device security risk management policy
This policy gives a framework for securing mobile devices, such as smartphones and tablet computers.
Introduction
Mobile devices, such as smartphones and tablet computers, are necessary tools for the Scandiatransplant office to support the activities in Scandiatransplant. However, mobile devices also represent a significant risk to data security if the appropriate security procedures are not applied. They can be a conduit for unauthorized access to the organization's data and IT infrastructure, which can subsequently lead to data leakage and system failure.
Scope
All mobile devices, whether owned by Scandiatransplant or owned by employees, that are used for carrying out the daily work are governed by this mobile device security policy.
Policy
- Devices must be configured with a secure password; the password must not be the same as any other credential used within the organization.
- A screen lock must be enabled that requires a password or code to be entered after the device has been idle for 2-5 minutes.
- Users must report all lost or stolen devices to the daily leader of the office.
- If a user suspects that unauthorized access to data has taken place via a mobile device, they must report the incident in the same way as a data breach.
6.2.2 Establish a teleworking security management policy
This policy relates to any arrangement where particular staff work at an offsite location, on a regular or long-term basis.
Document is found here