Skip to content. | Skip to navigation

Personal tools
This is Lite Plone Theme
You are here: Home / Documentation / ISO27002 / 8. Organizational Asset Management

8. Organizational Asset Management

8.1 Establish responsibility for corporate assets

8.1.1 Compile an inventory of assets associated with information

 

AssetDescription Type
Homepage - public Organ allocation rules, meeting minutes, user manuals, quarterly stats. etc Public
Homepage - intranet Database structure, minutes, documentation etc Internal
Bugzilla System for handling bugs and enhancments in YASWA Internal
YASWA - application System for allocating organs according to rules of the Scandiatransplant organisation Restricted
YASWA - software Software of the YASWA-application versioned by GIT Internal
E-mail-systems (staff) Ingoing and outgoing information between the members of the Scandiatransplant organisation and collaborators Confidential
Computers (staff) Most important work tool Restricted
Mobile phones (staff) Ingoing and outgoing information between the members of the Scandiatransplant organisation and collaborators (including E-mail) Confidential
Portable storage devises (staff)

USB stick etc. Internal data transfer and information used in relation with participation in meetings
Virtuel servers 5 servers (sc36, 37, 38, 39, 40) used for development and production. Holds patient, donor and transplantation information Restricted
Server backup Daily backup of production data on Oracle and PostgreSQL Restricted
Network Network is delivered by RegionMidt
Old paper files Deceased donor reports, patient information, meeting minutes etc. Restricted

 

Type (Confidentiality):

Restricted, highly sensitive

Confidential, intermediate sensitive

Internal information, not meant for public disclosure

Public, data that must be freely distributed to the public

 

8.1.2 Select owners for all assets associated with your information

There will be a number of users for these assets. But the prime responsibility for accuracy will lie with the asset owner.

AssetOwner/responsibility
Homepage - public Staff
Homepage - intranet Staff
Bugzilla Staff
YASWA - application Members of SCTP
YASWA - software Staff
E-mail-systems (staff) Staff
Computers (staff) User of unit
Mobile phones (staff) User of unit
Portable storage devises (staff) User of unit
Virtuel servers Staff
Server backup Staff
Network Staff
Old paper files Staff

 

8.1.3 Prepare acceptable use rules for assets associated with information

Individuals must use SCTP-provided or authorized information technology resources as the business tools required to do their work.

Users must use information and technology resources in accordance with published service level agreements and applicable terms and conditions. The following conditions, and others that may be established by SCTP from time to time, apply to all individuals.

Individuals must not:

  1. Attempt to circumvent or subvert system or network security measures
  2. Propagate viruses knowingly or maliciously
  3. Detrimentally affect the productivity, integrity or security of SCTP systems
  4. Obtain or distribute files from unauthorized or questionable sources; e.g., racist material, pornography, file swapping sites
  5. Divulge, share or compromise their own or another's SCTP authentication credentials
  6. Transmit or otherwise expose sensitive or personal information to the internet
  7. Use information and technology resources for commercial solicitation or for conducting or pursuing business interests unrelated to the delivery of healthcare
  8. Distribute hoaxes, chain letters, or advertisements
  9. Send rude, obscene or harassing messages
  10. Send, forward and/or reply to large distribution lists concerning non-SCTP business. In addition, users must consider the impact on the network when creating and using large, work-related distribution lists
  11. Attempt to obscure the origin of any message or download material under an assumed internet address
  12. Knowingly enable inappropriate levels of information access by others
  13. Disclose any information you do not have a right to disclose

Individuals must:

  1. Comply with all applicable legislation, regulations, policies and standards
  2. Use all appropriate anti-virus precautions when accessing non-SCTP data and systems from the SCTP network
  3. Adhere to licensing agreements for all software used
  4. Respect copyright and other intellectual property rights in relation to both programs and data
  5. Only use the email account provided by SCTP when conducting SCTP business over email
  6. Use approved security measures when accessing the SCTP network from home or a non-SCTP computer
  7. Use the rules for complex passwords to create password

Any content created or transmitted using SCTP equipment or retained within the SCTP network may be monitored, captured and/or be subject to inspection.

All individuals have a responsibility to report violations of this policy. Inappropriate use of SCTP information technology resources will be investigated on a case-by-case basis. Individuals deemed responsible for violations of this policy may be subject to withdrawal of privileges.

8.1.4 Return all assets associated with information upon termination

Hardware, paper, etc. must be returned to the medical director/office manager link

8.2 Develop an information classification scheme

 

8.2.1 Classify your organization’s information

 

Classification

EffectLikelihood
1: Catastrophic, highly senstive data, if compromised it will have organizational and legal consequences A: Frequent, likely to occur very often and/or continuously
2: Major, if compromise it could mean critical loss in productivity and reputation
    		B: Likely, occurs several times
    3: Moderate, minor reduced productivity C: Occasional, occurs sporadically
    4: Minor, minimal impact in the ability to deliver services D: Seldom, remotely possible and would probably occur not more than once
    5: Insignificant, no effect E: Unlikely, Will probably never occur

     

    Likelihood combined with consequense

    1 2 3 4 5
    A Extreme Extreme Extreme High High
    B Extreme Extreme High High Moderate
    C Extreme Extreme High Moderate Low
    D Extreme High Moderate Low Low
    E High High Moderate Low Low

     

    Risks to the objective should be analysed and evaluated to determine a reasonable consequence and likelihood of the described event occurring. Application of the risk matrix determines the following rankings of risks in descending order of priority as:

    •   extreme (priority one)

    •   high (priority two)

    •   moderate (priority three)

    •   low (priority four)

    AssetDescription of eventsClassification
    Homepage - public

    1) Homepage is not accessible
    Action: Backup is made every week locally, which makes it possible to access important documents and restore homepage if necessary. Restore is described step by step.

    		 1) 4+D = Low
    Homepage - intranet

    Bugzilla

    1) Access to Bugzilla is compromised
    Action: Patient/donor identifiable information is never used to describe problems/enhancements

     

    		 1) 5+D = Low
    YASWA - application

    1) Users download extractions with person number etc.
    Action: This is needed locally, however on frontpage to system login the users are informed about their responsibility when they are working outside of the implemented security measures

    2) User password has been compromised
    Action: History of own logins can be seen by the user, if access has been compromised the user is instructed to changed password a.s.a.p., which is possible through the application.

    3) Users cannot connect to YASWA
    Action: Information through homepage, contact to RM (SLA).

    4) Erroneous deletion of data
    Action: As soon as a mistake is detected, collect data from logfiles/backup and restore/reconstruct data so they are as true as original data as possible. If massive changes are done in the database, programmers will receive an e-mail notification and it is obligatory to follow up and find the reason for the changes.

    5) DDOS attack, detection and solution
    Action: How this is handled by RM will be investigated and afterwards documented. Documentation provided by RM, has been added in point 9.1.2

    6) Security risk with 'forgot password' functionality if we inform the user, when the user name does not exist.
    When you need to     retrieve a new password, you will have to enter your username. The system will check for registration of that username and send an e-mail to the address registered on that specific user. The e-mail contains a link, with possibility to create a new password.
    Action: The system will not warn the user if the username does not exist, as this will be a valuable information for hackers.

     

    1) 4+A = High

    2) 2+D = High

    3)

    4) 1+C = Extreme

    5) 3 + D = Moderate

    6) 4+D = Low
    YASWA - software 1) OS-user get family-member on waitling-list. OS-user decides to manipulate system, in a way that family-member always gets prioritized.
    Action: No surveillance is possible as long as the OS-user has root-priviliges. Tampering with search-algorithm will very likely result in bad match and very likely detected by medical personal.
    E-mail-systems (staff) 1) E-mails are received with full patient/donor ID.
    Action: It was decided that a standard reply should be send:
    'Please know that according to GDPR it is not legal to send complete name and/or person number in an e-mail. I might be authorized when you send e-mails locally on internal mail servers, but not when you send to external e-mail addresses.

    When you send a message to me/Scandiatransplant, then it is fine and enough to include sc. No. and initials on the patient/donor.'

    		 1) 4 + B = High
    Computers (staff)

    1) Access to data on computer after job termination
    Action: Computers owned by Scandiatransplant is the property of Scandiatransplant and must be returned. link

    		 1) 1+D = Extreme
    Mobile phones (staff)

    Portable storage devises (staff)

     
    Virtuel servers

    Server backup

    Network
    Old paper files

    1) Printout with patient/donor ID is lost in public place
    Action: Limited printouts with ID and don't bring them outside the office

    2) Printout with only Scandia ID is lost in public place
    Action: You need password and userid to connect the information to a person

    3) Old paper files at the office
    Action: You need access to the department and the doors to the office are locked, when nobody is there. Old paper files are being digitised.

    1) 2+D = High

    2) 5+C = Low

    3) 2+E = High

    8.2.2 Establish information labeling procedures

    List of physical assets are found here

    8.2.3 Develop asset handling procedures

    8.3 Control how physical media are handled

    8.3.1 Manage removable media

    When reused then format properly. Otherwise dispose:

    8.3.2 Manage the disposal of media

    Disks must be physical destroyed, which RegionMidt has tools for.

    8.3.3 Manage the transfer of media

    Data transfer and information used in relation with participation in meetings