8. Organizational Asset Management
8.1 Establish responsibility for corporate assets
8.1.1 Compile an inventory of assets associated with information
Asset | Description | Type |
---|---|---|
Homepage - public | Organ allocation rules, meeting minutes, user manuals, quarterly stats. etc | Public |
Homepage - intranet | Database structure, minutes, documentation etc | Internal |
Bugzilla | System for handling bugs and enhancments in YASWA | Internal |
YASWA - application | System for allocating organs according to rules of the Scandiatransplant organisation | Restricted |
YASWA - software | Software of the YASWA-application versioned by GIT | Internal |
E-mail-systems (staff) | Ingoing and outgoing information between the members of the Scandiatransplant organisation and collaborators | Confidential |
Computers (staff) | Most important work tool | Restricted |
Mobile phones (staff) | Ingoing and outgoing information between the members of the Scandiatransplant organisation and collaborators (including E-mail) | Confidential |
Portable storage devises (staff) |
USB stick etc. Internal data transfer and information used in relation with participation in meetings |
|
Virtuel servers | 5 servers (sc36, 37, 38, 39, 40) used for development and production. Holds patient, donor and transplantation information | Restricted |
Server backup | Daily backup of production data on Oracle and PostgreSQL | Restricted |
Network | Network is delivered by RegionMidt | |
Old paper files | Deceased donor reports, patient information, meeting minutes etc. | Restricted |
Type (Confidentiality):
Restricted, highly sensitive
Confidential, intermediate sensitive
Internal information, not meant for public disclosure
Public, data that must be freely distributed to the public
8.1.2 Select owners for all assets associated with your information
There will be a number of users for these assets. But the prime responsibility for accuracy will lie with the asset owner.
Asset | Owner/responsibility |
---|---|
Homepage - public | Staff |
Homepage - intranet | Staff |
Bugzilla | Staff |
YASWA - application | Members of SCTP |
YASWA - software | Staff |
E-mail-systems (staff) | Staff |
Computers (staff) | User of unit |
Mobile phones (staff) | User of unit |
Portable storage devises (staff) | User of unit |
Virtuel servers | Staff |
Server backup | Staff |
Network | Staff |
Old paper files | Staff |
8.1.3 Prepare acceptable use rules for assets associated with information
Individuals must use SCTP-provided or authorized information technology resources as the business tools required to do their work.
Users must use information and technology resources in accordance with published service level agreements and applicable terms and conditions. The following conditions, and others that may be established by SCTP from time to time, apply to all individuals.
Individuals must not:
- Attempt to circumvent or subvert system or network security measures
- Propagate viruses knowingly or maliciously
- Detrimentally affect the productivity, integrity or security of SCTP systems
- Obtain or distribute files from unauthorized or questionable sources; e.g., racist material, pornography, file swapping sites
- Divulge, share or compromise their own or another's SCTP authentication credentials
- Transmit or otherwise expose sensitive or personal information to the internet
- Use information and technology resources for commercial solicitation or for conducting or pursuing business interests unrelated to the delivery of healthcare
- Distribute hoaxes, chain letters, or advertisements
- Send rude, obscene or harassing messages
- Send, forward and/or reply to large distribution lists concerning non-SCTP business. In addition, users must consider the impact on the network when creating and using large, work-related distribution lists
- Attempt to obscure the origin of any message or download material under an assumed internet address
- Knowingly enable inappropriate levels of information access by others
- Disclose any information you do not have a right to disclose
Individuals must:
- Comply with all applicable legislation, regulations, policies and standards
- Use all appropriate anti-virus precautions when accessing non-SCTP data and systems from the SCTP network
- Adhere to licensing agreements for all software used
- Respect copyright and other intellectual property rights in relation to both programs and data
- Only use the email account provided by SCTP when conducting SCTP business over email
- Use approved security measures when accessing the SCTP network from home or a non-SCTP computer
- Use the rules for complex passwords to create password
Any content created or transmitted using SCTP equipment or retained within the SCTP network may be monitored, captured and/or be subject to inspection.
All individuals have a responsibility to report violations of this policy. Inappropriate use of SCTP information technology resources will be investigated on a case-by-case basis. Individuals deemed responsible for violations of this policy may be subject to withdrawal of privileges.
8.1.4 Return all assets associated with information upon termination
Hardware, paper, etc. must be returned to the medical director/office manager link
8.2 Develop an information classification scheme
8.2.1 Classify your organization’s information
Classification
Effect | Likelihood |
---|---|
1: Catastrophic, highly senstive data, if compromised it will have organizational and legal consequences | A: Frequent, likely to occur very often and/or continuously |
2: Major, if compromise it could mean critical loss in productivity and reputation
|
B: Likely, occurs several times |
3: Moderate, minor reduced productivity | C: Occasional, occurs sporadically |
4: Minor, minimal impact in the ability to deliver services | D: Seldom, remotely possible and would probably occur not more than once |
5: Insignificant, no effect | E: Unlikely, Will probably never occur |
Likelihood combined with consequense
1 | 2 | 3 | 4 | 5 | |
A | Extreme | Extreme | Extreme | High | High |
B | Extreme | Extreme | High | High | Moderate |
C | Extreme | Extreme | High | Moderate | Low |
D | Extreme | High | Moderate | Low | Low |
E | High | High | Moderate | Low | Low |
Risks to the objective should be analysed and evaluated to determine a reasonable consequence and likelihood of the described event occurring. Application of the risk matrix determines the following rankings of risks in descending order of priority as:
• extreme (priority one)
• high (priority two)
• moderate (priority three)
• low (priority four)
Asset | Description of events | Classification |
---|---|---|
Homepage - public |
1) Homepage is not accessible |
1) 4+D = Low |
Homepage - intranet | ||
Bugzilla |
1) Access to Bugzilla is compromised
|
1) 5+D = Low |
YASWA - application |
1) Users download extractions with person number etc. 2) User password has been compromised 3) Users cannot connect to YASWA 4) Erroneous deletion of data 5) DDOS attack, detection and solution 6) Security risk with 'forgot password' functionality if we inform the user, when the user name does not exist.
|
1) 4+A = High 2) 2+D = High 3) 4) 1+C = Extreme 5) 3 + D = Moderate 6) 4+D = Low |
YASWA - software | 1) OS-user get family-member on waitling-list. OS-user decides to manipulate system, in a way that family-member always gets prioritized. Action: No surveillance is possible as long as the OS-user has root-priviliges. Tampering with search-algorithm will very likely result in bad match and very likely detected by medical personal. |
|
E-mail-systems (staff) | 1) E-mails are received with full patient/donor ID. Action: It was decided that a standard reply should be send: 'Please know that according to GDPR it is not legal to send complete name and/or person number in an e-mail. I might be authorized when you send e-mails locally on internal mail servers, but not when you send to external e-mail addresses. When you send a message to me/Scandiatransplant, then it is fine and enough to include sc. No. and initials on the patient/donor.' |
1) 4 + B = High |
Computers (staff) |
1) Access to data on computer after job termination |
1) 1+D = Extreme |
Mobile phones (staff) | ||
Portable storage devises (staff) |
|
|
Virtuel servers | ||
Server backup | ||
Network | ||
Old paper files |
1) Printout with patient/donor ID is lost in public place 2) Printout with only Scandia ID is lost in public place 3) Old paper files at the office |
1) 2+D = High 2) 5+C = Low 3) 2+E = High |
8.2.2 Establish information labeling procedures
List of physical assets are found here
8.2.3 Develop asset handling procedures
8.3 Control how physical media are handled
8.3.1 Manage removable media
When reused then format properly. Otherwise dispose:
8.3.2 Manage the disposal of media
Disks must be physical destroyed, which RegionMidt has tools for.
8.3.3 Manage the transfer of media
Data transfer and information used in relation with participation in meetings