
Data Management Planning for Secure Services (DMP-SS)

DMPOnline tools to assist with ISMS development

By F D (Tito) Castillo, on 30 October 2011

Plans are underway for the Digital Curation Centre’s innovative DMPOnline tool to be used in the creation of an information security management tool, designed for the medical research community. JISC has provided funding for a short 12-month project that seeks to adapt and extend features of DMPOnline within its own information security management system. If successful, the resulting tool will be made available to the wider research community.

The relationship between data management planning and information security management is interesting to consider. To some extent, both terms refer to similar concepts but may be directed at slightly different audiences. While data management planning focusses on the discipline of defining the course of action to take in order to meet a set of objectives, information security management considers everything that might act to impede or confound progress. Some people may find it easier to think through the data management planning approach, since this is a check-list of what needs to be done; however, an information-security-driven approach forces individuals to consider the risks associated with data management.

Best practice in information security is described in the international standard ISO-27001 and its accompanying code of practice ISO-27002. This standard provides guidance in the construction of an Information Security Management System (ISMS) that may be independently audited and certified as meeting this standard. The process of building an ISMS and obtaining ISO-27001 certification is time-consuming and resource-intensive; however, its maintenance involves continuous re-examination and improvement. Users of such a system must engage in this process to ensure that their own data and processes are appropriately secured.

Figure: DMP-SS conceptual diagram showing the use of DDI as a central broker for data management plans, linked to both the DMPOnline service and a local information security management system

The DMP-SS project seeks to adopt and refine the DMPOnline tool to assist with project-specific risk assessment and ISMS curation. Lead researchers, using the DMPOnline approach, will be able to provide details of the assets, threats and vulnerabilities associated with their research projects, in combination with the relevant safeguards (or ‘controls’) that must be implemented as part of their data management plan. By using the language of data management planning, we anticipate that they will be more able to provide relevant and complete information, augmenting additional information within our ISMS.
