Introduction

The value of information

Academic research involves the collection and management of information from disparate sources to build upon or refine a body of knowledge. Although research in itself should have some intrinsic value to society, the costs of the associated activities can also be considerable. These cost are not merely financial since they also involve time and effort as well as potential ethical compromises “for the greater good”, as in animal experimentation or placebo-controlled trials.

Since research is costly then it follows that the component parts that are derived from or support this activity must be of value.  In everyday life most people understand the need to protect valuables and typically carry out their own personal risk assessment to determine how to secure their own possessions; in many cases locking doors, shredding papers or employing trusted third-party services. Generally, this is done without consciously thinking about the process, adopting societal norms (or ‘standards’) in respect of most security-related decisions.

Organizations are not individuals, and cannot carry out this instinctive risk assessment without a helping hand from some man-made constructs.  James Reason, in his 2000 BMJ article “Human error: models and management”[1] elegantly describes the need to apply a System Approach, based on the assumption of the inevitability of human error and the need to adapt the conditions within which humans work rather than embarking on futile attempts to change the human condition.

“When an adverse event occurs, the important issue is not who blundered, but how and why the defences failed.” Reason, J (2000)

Just as Reason’s paper has fundamentally affected our approach to risk management in UK healthcare, so it should also highlight the wider issues in relation to the risk of information security incidents in all aspects of the research data life-cycle. It clearly articulates the rationale for well understood standards to support information security, what would commonly referred to as an Information Security Management System (ISMS).

A standard for Information Security (ISO-27001)

Although it is perfectly reasonable to attempt to implement an ISMS without reference to existing standards it is highly desirable to do so.  A standard provides a well-established framework drawn from past experience (and mistakes) of others. More importantly, Standards offer reference points against which systems may be benchmarked and audited.  Although it is not possible to measure security, it is possible to measure conformance to a prescribed standard. By adopting a suitable information security standard and being audited successfully against this it is possible to assure others that appropriate controls with associated governance are in place within an organization.

The internationally recognized information security standard is called ISO-27001[2] and forms the ‘requirements’ of an ISMS. Each of these requirements specifies things that ‘shall’ be done.  ISO-27002 is the associated Code of Practice for information security management [3] which describes what ‘should’ be done to implement the standard. The subtle distinction is that this second document simply provides recommendations for implementation of an ISO-27001 compliant ISMS.

ISO-27001 provides a taxonomy of 138 security controls plus an introductory clause introducing risk assessment and treatment. Each of the security categories contains one or more controls that are designed to meet the control objective. The controls that are described within the standard are not an exhaustive list and, depending on the results of risk assessment, not all controls will be required for a given ISMS.

Properties of an ISO-27001 ISMS

Scope

Any meaningful discussion of information security must begin with a simple question: ‘what are we seeking to secure?’  Although this may seem to be a trivial statement it is actually of fundamental importance in that the scope of the system must be defined, in other words the boundaries must be clearly described for the information to be secured.

The development of an ISMS that complies with the complete ISO-27001 standard is a major challenge for any organization and success depends clearly defining the scope of such a system; too small and the process is rarely cost-effective but too large and it may be unachievable. In practice, an initial high-level   risk assessment and cost benefit analysis should help to identify the appropriate focus for such a system.

Risk Assessment

The cornerstone of an ISMS is effective risk assessment.  Risk assessments are difficult to carry out and there is no silver bullet. The key point is that risk assessment is part of an on-going process of continuous improvement. In basic terms there are a series of steps that need to be followed.

1. Identify the information assets that need to be protected.
2. Identify any vulnerabilities that relate to these assets
3. Identify threats that need to be guarded against.
4. Estimate the likelihood of threats exploiting vulnerabilities (otherwise known as risks)

To be systematic you need to define a threshold level of ‘acceptable risk’ above which additional controls will be required.

Controls

The ISO 27000 series documents provide a taxonomy of 138 control that are appropriate along with guidance on their implementation. A key facet of all controls is that they need to be owned by someone (i.e. a responsible party or organization) and it should be possible to define means by which the effectiveness of each control may be assured and audited. The list of 138 controls is not intended to be exhaustive and it’s important to consider additional controls, if required, that are not explicitly referred to in the standard.

Statement of Applicability (SoA)

ISO-27001 prescribes the creation of a summary document that itemizes all of the 138 controls plus any additional controls and clearly states whether each control has been selected with reference to where evidence of the control can be found. Where controls have not been selected there should be clearly stated reasons for this. The SoA acts as a summary reference document that, taken in conjunction with the Scope Statement, should provide an auditor with a high-level view of an ISMS.

Dynamic characteristics

Like many similar management systems, an ISMS is dynamic and should follow the plan-do-check-act cycle (also known as the Deming Cycle). Made popular by Dr W. Edwards Deming, the father of modern quality control, the approach involves a process of continuous improvement through multiple iterations. It is worth noting that other management system standards, like ISO-9001, apply similar cyclical process models, and a suitably-designed ISMS should be able to accommodate many of the requirements of these other systems.

The standard outlines the requirements of each of these four steps in the cycle within concisely within just four pages before going on to provide requirements for:

1. Documentation (including document and record control)
2. Management responsibility in respect of their own commitment, provision of resources and programmes of training and awareness.
3. Internal audit
4. Management review
5. Continuous Improvement, including corrective and preventive action

In practice, the dynamic aspect of the management of an ISMS is often the most difficult part to get right but this is where the iterative technique allows for successive improvement over time.

References

1.            Reason J: Human error: models and management. BMJ 2000, 320(7237):768-770.

2.            BSI: Information technology. Security techniques. Information security management systems. Requirements. In: BS ISO/IEC 27001:2005/BS 7799-2:2005. Edited by IST/33: BSI; 2005.

3.            BSI: Information technology. Security techniques. Code of practice for information security management. In: BS ISO/IEC 27002:2005, BS 7799-1:2005,BS ISO/IEC 17799:2005. Edited by IST/33: BSI; 2005.

On Friday 28th September 2012 the epiLab-SS secure research environment passed its Stage 2 assessment as meeting the requirements of the ISO-27001 standard for Information Security. The resulting certificate, due to be formally issued by LRQA within weeks, is the result of rigorous third-party audit of the epiLab-SS Information Security Management System (ISMS). The auditor followed up his initial (Stage 1) assessment of the structural elements of the ISMS to examine in more detail the dynamic functional elements of the system and its wider context within UCL, involving interviews with a range of senior management personnel.

A critically important element in the process involved the demonstration that the ISMS design had been adapted to meet the needs of the domain of epidemiology research,  handling personal identifiable and sensitive data safely and securely. Our application of data management plans as a mechanism for assuring engagement of researchers with the ISMS has proved to be invaluable in this respect. These plans have allowed researchers to clearly enumerate all information assets and highlight concerns, vulnerabilities and legal obligations at key stages during their use of the service.

This achievement is highly significant since it demonstrates an effective and cost-efficient approach to provision of secure data handling services within an academic context and means that UCL has become one of the few academic institutions in the UK to provide independent assurance of information security provision for research datasets. We have been able to implement a secure private cloud-based service, using an accredited  UK government G-Cloud data centre (AIMES Grid Services CIC Ltd) with end-to-end ISO-27001 certification.

On Friday 13th July 2012 the epiLab-SS secure service underwent a Stage 1 ISO27001:2005 audit by LRQA. The auditor examined the associated Information Security management System that has been developed in conjunction with our cloud-based service. The service is already hosted within a ISO27001 certified data centre (AIMES Grid Services CIC Ltd) offering thin-client access to virtual desktops. Our risk assessment identified the need to develop a formal ISMS in respect of information security practices for users of this service at UCL. This ISMS is an example of the use of data management plans to underpin the risk assessment and continual improvement process for information security and we have chosen to adopt the MRC Data Management Plan template as a standard approach for all registered research projects.

Although this is only the first of two stages of initial audit, the signs are looking good. We satisfied the auditor that our ISMS contained no major non-conformities and, as such, was suitable for progressing to a Stage 2 audit in late September 2012.  A successful audit at Stage 2 then this will mean that the epilab-SS system will be certified as ISO27001 compliant, demonstrating an effective model for use of cloud-based secure services for research datasets that could be replicated in other university research units.

Attendees: Graham Hart (Chair), Tito Castillo (DMP-SS Principal Investigator), Stelios Alexandrakis (DMP-SS Project Manager and Lead Developer), Martin Donnelly (Project Manager DMPOnline, Digital Curation Centre), Jacky Pallas (Platform Technologies), Rachel Knowles (UK Birth Cohort Study), Trevor Peacock (AISC), Mike Sievwright (AISC), Peter Dukes (MRC Head Office), Julie Withey (MRC Unit of Lifelong Health and Ageing), Martin Moyle (UCL Library Service, Deputising for Paul Ayris)

On Friday 17th February 2012 we convened the first meeting of the Research Data Management Steering Group. Chaired by Professor Graham Hart, the Dean of the Faculty of Population Health Sciences at UCL, the Steering Group has been constituted to address issues that emerge from the DMP-SS project and our collaboration with the Digital Curation Centre.

The meeting drew from relevant expertise and stakeholders from both within UCL and the wider academic community, with representation from UCL Library Service, Advanced Information Systems Centre, Platform Technologies, UCL Centre for Health Informatics and Multi Professional Education, UCL Research & Innovations, MRC Head Office, UK Birth Cohort Study, MRC Centre of Epidemiology for Child Health and MRC Unit of Lifelong Health and Ageing.

The meeting began with an examination of the proposed Terms of Reference for the Group (see below) which were approved.

Mission

To encourage and aid the development of secure research data management, including tools and techniques for planning and execution, within the Faculty of Population Health Sciences at UCL and to share best practice with population health scientists throughout the UK.

Terms of Reference

To identify appropriate deliverables and metrics of success in the following domains:

1. awareness of the importance of information security and data management planning in the Faculty and beyond;
2. community involvement via consultation and engagement across appropriate UCL and UK population health constituencies;
3. sharing of best practice across population health science research community.

There followed a series of short presentations that were designed to set the scene for the group and provide background to the DMP-SS project. I started by giving an overview of the local epiLab service that we have established at the MRC Centre of Epidemiology for Child Health over the past 3 years. I described how the implementation of a secure virtual desktop environment has inevitably required that we develop ways of better describing users data management requirements and is of particular concern when cloud services are being considered.

Martin Donnelly, the project manager of DMPOnline, continued with a description of the service and outlined the ongoing development strategy, including the refinement and validation of mappings to funders requirements, the provision of flexible templates to accommodate funder and institutional requirements and the possible deployment of DMPOnline as a secure, independently hosted JANET service.

Mike Sievwright, the project manager of the UCL Identifiable Data Handling Project at UCL, outlined the approach that his group has taken in developing the strategy for management of identifiable research data at the UCL School of Life and Medical Sciences. A clear message from his work has been the need to significant cultural change through education and researcher engagement.

Discussion points:

1) Storage of Data Management Plans outside host institution.

the question was posed of whether there were any practical concerns held by the group in respect of the possibility of DMPs being stored on DMPOnline, at Edinburgh University.

MD expressed the view that no intellectual property should reside within a data management plan, however TC pointed out that institutions may want to capture a more detailed plan, including some local information that is not deemed relevant by the DCC. Furthermore, reduction in the need for multiple entry of information would be crucially important for uptake by researchers. JP said that there was value in having local templates that researchers could complete “off-line” rather than being forced to log into a website. PD confirmed that MRC’s view of data management plans is that they should be kept simple and typically take the form of a short Word document.

MD pointed out that discussions are on-going about the possibility of a JANET hosting service being created to host an instance of DMPOnline.

2) Data Management Planning at UCL

PD expressed his strong support for the engagement of UCL widely in the adoption of formal processes for the development of data management plans. The view of the group is that we need to achieve a firm academic basis for data curation, handling and information security generally. It was proposed that the project team set up a workshop to which interested stakeholders at UCL would be invited to discuss the challenges in DMP development at an institutional level – to include representation from the LSHTM. There may be an opportunity to link with Paul Ayris on the UCL Library Research Data strategy.

MD pointed out that the DCC has resource specifically to assist institutions with the development of DMPs and he would be happy to support this initiative.

3) Training and user engagement

Training and community engagement were identified across the group as critically important requirements for success and adequate resource should be identified to support this activity.

JANET’s Computer Security Incident Response Team’s (CSIRT) annual conference took place in the Royal Society of Medicine on 10th November 2011. I had already been asked to present the outcomes of our TSB funded SHARE project which involved the use of a secure private cloud to host epidemiology research computing services. This was of particular interest to the delegates since it outlines the practical issues that we faced with contracts and formal certification to ISO-27001 of the working environment. When I was writing the talk I realised that the DMP-SS project represented an important component of the whole picture and illustrates the iterative nature of our information security approach. The whole slide deck is available here but the key message that I was looking to make is best summed up below.

Illustration of the journey in the development of an ISMS showing the need for data management plans as a core component of domain knowledge

Essentially, the use of data management plans in the development and ongoing curation of an information security management system is one of the core issues being explored by this project and I was interested to see what the views of delegates to this meeting would be to this proposal. I think its fair to say that there was broad agreement that this approach seems to address one of the critical challenges in establishing good information security within an academic research environment. The delegates at the meeting had confidence that they understood the technical issues relating to security but acknowledged that the management issues we perhaps the most profound and enigmatic.

This was indeed the conclusion of the first speaker, Richard Walton, who spoke eloquently on his long career advising government agencies on information security. He clearly outlines the importance of management issues, suggesting that most of the breaches in information security should be from the inside of an organisation.

A surprising outcome from this presentation was the chance meeting with UCL’s Deputy Head of Information Security, Luci Thomas. We had an opportunity to discuss the SHARE and DMP-SS projects in more detail and agreed to work closely with her team to ensure that the ISMS that we develop within the DMP-SS project can be applied across the broader UCL context.