Data Management Planning for Secure Services (DMP-SS)

Archive for the 'News' Category

DMP-SS Editor released

By F D ( Tito ) Castillo, on 17 July 2013

The Data Management Plan (DMP) editor has just been released by Metadata Technology on their OpenMetadata portal.

http://www.openmetadata.org/site/?page_id=373

More content will be added soon, but for the time being the page has links to download the editor application, the source code repository and a developer’s guide.

G-CLOUD provider meets NHS IG Toolkit requirements

By F D ( Tito ) Castillo, on 21 May 2013

Following our earlier post that the epiLab-SS service now meets the NHS criteria for information security and governance (Level 2), we can confirm that AIMES Grid Services CIC Ltd, the data centre provider for epiLab-SS, have recently been notified that their submission to the NHS Information Governance Toolkit team has been reviewed and found to meet their requirements. This means that, in addition to their pre-existing ISO-27001 certification and G-Cloud Assured Services, AIMES now also meets the NHS criteria for information security and governance (Level 2).

AIMES status can be viewed here

epiLab-SS status can be found here.

This will add to the dual certification (cloud/institution) model of information security assurance that we have been collaborating on and we look forward to improving it even further during future projects.

NHS Information Governance Toolkit success

By F D ( Tito ) Castillo, on 23 April 2013

The epiLab-SS secure service has recently been notified that it has successfully achieved “Level 2” compliance with the NHS information governance toolkit. This toolkit, based on the ISO-27001 information security standard, is a standardised assurance process that is mandated for all NHS organisations. Universities and other academic research groups have recently been required to adopt the toolkit to address aspects of personal information handling, in particular where access to unconsented identifiable datasets is involved. More information on the epiLab-SS compliance can be found at the following link.

DMP-SS presented to JANET CSIRT Information Security Conference

By F D ( Tito ) Castillo, on 15 November 2011

The annual conference of JANET’s Computer Security Incident Response Team (CSIRT) took place at the Royal Society of Medicine on 10th November 2011. I had already been asked to present the outcomes of our TSB-funded SHARE project, which involved the use of a secure private cloud to host epidemiology research computing services. This was of particular interest to the delegates since it outlines the practical issues that we faced with contracts and formal certification to ISO-27001 of the working environment. When I was writing the talk I realised that the DMP-SS project represented an important component of the whole picture and illustrates the iterative nature of our information security approach. The whole slide deck is available here, but the key message that I was looking to make is best summed up below.

Illustration of the journey in the development of an ISMS showing the need for data management plans as a core component of domain knowledge

Essentially, the use of data management plans in the development and ongoing curation of an information security management system is one of the core issues being explored by this project, and I was interested to see what the views of delegates to this meeting would be on this proposal. I think it’s fair to say that there was broad agreement that this approach seems to address one of the critical challenges in establishing good information security within an academic research environment. The delegates at the meeting had confidence that they understood the technical issues relating to security but acknowledged that the management issues were perhaps the most profound and enigmatic.

This was indeed the conclusion of the first speaker, Richard Walton, who spoke eloquently on his long career advising government agencies on information security. He clearly outlined the importance of management issues, suggesting that most of the breaches in information security should be from inside an organisation.

A surprising outcome from this presentation was the chance meeting with UCL’s Deputy Head of Information Security, Luci Thomas. We had an opportunity to discuss the SHARE and DMP-SS projects in more detail and agreed to work closely with her team to ensure that the ISMS that we develop within the DMP-SS project can be applied across the broader UCL context.

DMPOnline tools to assist with ISMS development

By F D ( Tito ) Castillo, on 30 October 2011

Plans are underway for the Digital Curation Centre’s innovative DMPOnline tool to be used in the creation of an information security management tool, designed for the medical research community. JISC has provided funding for a short 12-month project that seeks to adapt and extend features of DMPOnline within its own information security management system. If successful, the resulting tool will be made available to the wider research community.

The relationship between data management planning and information security management is interesting to consider. To some extent, both terms refer to similar concepts but may be directed at a slightly different audience. While data management planning focusses on the discipline of defining the course of action to take in order to meet a set of objectives, information security management considers everything that might act to impede or confound progress. Some people may find it easier to think through the data management planning approach since this is a check-list of what needs to be done; however, an information-security-driven approach forces individuals to consider the risks associated with data management.

Best practice in information security is described in the international standard ISO-27001 and its accompanying code of practice ISO-27002. This standard provides guidance in the construction of an Information Security Management System (ISMS) that may be independently audited and certified as meeting this standard. The process of building an ISMS and obtaining ISO-27001 certification is time-consuming and resource-intensive; however, its maintenance involves continuous re-examination and improvement. Users of such a system must engage in this process to ensure that their own data and processes are appropriately secured.

DMP-SS conceptual diagram showing the use of DDI as a central broker for data management plans, linked to both the DMPOnline service and a local information security management system

The DMP-SS project seeks to adopt and refine the DMPOnline tool to assist with project-specific risk assessment and ISMS curation. Lead researchers, using the DMPOnline approach, will be able to provide details of assets, threats and vulnerabilities associated with their research projects in combination with relevant safeguards (or ‘controls’) that must be implemented as part of their data management plan. By using the language of data management planning we anticipate that they will be more able to provide relevant and complete information, augmenting additional information within our ISMS.

DMP-SS project website launch date announced

By F D ( Tito ) Castillo, on 30 October 2011

The DMP-SS project website is due to be launched officially on 1st November 2011. This will coincide with the full launch of the new website for the MRC Centre of Epidemiology for Child Health, a site that has been in development over the last 5 months.

Contract signed with Metadata Technology

By F D ( Tito ) Castillo, on 30 October 2011

After a slight delay in finalising the contract, we’re finally under way. Yesterday it was confirmed that Metadata Technology have signed and returned the contract to work on the DMP-SS project. This just leaves the consortium agreement to be finalised between UCL and the Medical Research Council.