Research Infrastructure CoP Infrastructure and Capability Assessment

1. Executive Summary

2. Introduction

2.1. Background

2.2. Audience

2.3. Scope

2.4. Goals

3. Infrastructure and Capability Assessment Topics

3.1 Cyber Security Risk Management

3.2 Skills, Roles, and Responsibilities

3.3 Information Security

3.4 Data Governance Framework

3.5 Data Classification Framework

3.6 Support Capabilities

3.7 Certifications

3.8 Capability Maturity Model

4. Assessment and Evaluation

4.1 Risk Management

4.2 Skills, Roles, and Responsibilities Evaluation

4.3 Information Security

4.4 Data Governance Framework

4.5 Data Classification Framework

4.6 Support Capabilities

4.7 Certifications

5. Review Process

1. Executive Summary

The Research Infrastructure Community of Practice (RICoP) aims to bring together research infrastructure providers who deliver, or intend to deliver, services for sensitive data and its analysis. The CoP provides a place to bring together shared content that helps the community to deliver solutions, and an avenue for knowledge sharing.

2. Introduction

This document describes the minimal required Infrastructure and Capability Assessment material to safely manage and operate the Secure eResearch Platform (SeRP). By establishing a clear set of minimum required capabilities and methods to assess such capabilities, the RICoP can provide a foundation for knowledge sharing, best practice policies, governance procedures, and IT infrastructure and technology solutions.

2.1. Background

With an increasing number of researchers seeking to analyse sensitive data, such as clinical, social, ecological, or commercial data, purpose-built systems are required to ensure that appropriate protections are in place to safeguard the data. There is a range of criteria that infrastructure service providers need to meet to successfully deliver research services suitable for handling and analysing sensitive data. These criteria encompass a broad spectrum, and include aspects such as governance, personnel, standards, security, certification, ethics, trust, authentication, authorisation, and technology. With respect to providing safe systems for researchers to use for their analysis, it is believed that better outcomes can be achieved by collaborating and sharing knowledge and experiences between participating research infrastructure service providers, rather than by developing systems in isolation.

2.2. Audience

The audience for this document comprises the organisations participating in the Research Infrastructure CoP, as part of the ARDC-funded activity, to establish a set of Infrastructure and Capability Assessment material suitable for the management and operation of the Secure eResearch Platform (SeRP) environments to enable Australian researchers to analyse and share sensitive data. These organisations, which will establish the community of practice, are:

  • ARDC

  • Monash University

  • QCIF

  • Curtin University

  • University of Melbourne

  • University of New South Wales - Sydney

  • Sax Institute

The target audience for the Infrastructure and Capability Assessment material are research infrastructure service providers who have established, are establishing, or intend to establish services to provide researchers and research communities with the capabilities to securely share and analyse sensitive data.

2.3. Scope

SeRP provides a secure, collaborative environment that allows research groups to conform to best practices for data management, security and information governance. The system delivers remote access to a large-scale IT infrastructure together with standard and bespoke analytical tools. Importantly, it leaves data ownership with the research cohort and provides devolved account and access controls, enabling cohorts to work with their own datasets.

ISO27001 requirements provide a standard for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organisation. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.

This document will leverage these standards to define required capabilities needed for operating a SeRP environment with an initial base level of maturity.

2.4. Goals

The aim of creating the Infrastructure and Capability Assessment material is to establish a clear set of minimum required capability levels, and assessment methods to properly assess such capabilities, so that the RICoP can provide a foundation for knowledge sharing, best practice policies and governance procedures, and IT infrastructure and technology solutions.

3. Infrastructure and Capability Assessment Topics

3.1 Cyber Security Risk Management

To achieve successful rollout of an environment for the analysis of sensitive data, a robust risk management framework is required, particularly for cyber security and information security. This includes the ability to continuously identify risks, assess risk impacts and likelihoods, determine appropriate mitigation strategies, and to monitor for the occurrence of the identified risks and act appropriately. In addition, risk reporting is an essential element within the governance framework.

3.2 Skills, Roles, and Responsibilities

To achieve successful rollout of SeRP infrastructure and ongoing management and operations, specific knowledge and skills will be necessary.

Research Service Providers shall ensure that the responsibilities and authorities for roles are assigned and communicated.

3.3 Information Security

The organisation shall plan, implement, and control the processes needed to meet security requirements and to ensure the protection of information and its supporting information processing facilities.

The organisation shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur and shall retain documented information of the results of the information security risk assessments.

3.4 Data Governance Framework

The Data Governance Framework will be the foundation of the policies and procedures that will systematically identify best practice in all data activities.

The Data Governance Framework will provide a common language that can be used across the university and amongst external stakeholders to effectively communicate about these activities. Whether it is a strategic review or the building of an IT system, a common language will be used by everyone – from IT specialists through to lawyers, clinicians and researchers.

3.5 Data Classification Framework

The Data Classification Framework provides a common language that can be used to describe the different security classes for data. Sensitive data analysis environments can use this classification framework to specify which classes of data their environments are tailored for. The data classification framework enables universities and stakeholders to assess the suitability of a specific sensitive data analysis environment for use with their respective data collections.

3.6 Support Capabilities

The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of a support capability to service platform end users.

The organisation shall have the capability to prioritise all Support Requests based on reasonable assessment of the severity level of the problem reported and respond to all Support Requests in accordance with the responses and response times specified.

3.7 Certifications

The ISO 27001 International Standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organisation. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in this International Standard are generic and are intended to be applicable to all organisations, regardless of type, size, or nature. This document will refine those requirements to allow research service providers to identify the most important requirements. The degree to which an organisation conforms to ISO 27001 is linked to the capability maturity model, and could be on a scale that looks like:

  1. No certification

  2. No certification, with self-assessment

  3. No certification, with independent third-party assessment

  4. Certification

  5. Certification, with on-going assessment

Other certifications may come into scope for consideration and be linked to the capability maturity of a system.

3.8 Capability Maturity Model

Whilst currently out of scope, it is envisaged that sensitive data analysis environments will evolve over time to expand their capabilities. This maturing in systems capability needs to be able to be captured, in a cohesive way, as it may influence which data sets are suitable for use within an environment. Future work for this RICoP will be to develop a maturity model that can be applied against existing and developing systems.


4. Assessment and Evaluation

The following sections outline the assessment and evaluation steps for Research Infrastructure Service Providers. The following controls will be provided electronically in an online form to be submitted by the proposed research service provider.

4.1 Risk Management

Evidence of current practice or procedures to be described by proposed research infrastructure service provider

| Control | Evidence | Status |
| --- | --- | --- |
| A robust risk management framework is in place and followed. | | |
| There is a risk register in place that is reviewed in a defined and continuous way. | | |
| Identified risks have risk mitigation strategies in place and processes are defined that are triggered if a risk eventuates. | | |
| There is a defined way that risks are reported to the organisation and stakeholders. | | |

4.2 Skills, Roles, and Responsibilities Evaluation

Evidence of current practice or procedures to be described by proposed research infrastructure service provider

| Control | Evidence | Status |
| --- | --- | --- |
| Strategic planning process and operating procedures that effectively support operations and infrastructure | | |
| Resourcing and skills matrix | | |
| Assessment procedures for resource skills and capabilities | | |
| Operational roles and responsibilities including skills matrix and evaluation | | |

4.3 Information Security

Evidence of current practice or procedures to be described by proposed research infrastructure service provider

| Control | Evidence | Status |
| --- | --- | --- |
| Strategic plans and procedures for threats and contingencies. | | |
| Disaster recovery/business continuity plans. | | |
| Intrusion detectors, scanning, and alarms. | | |
| Control of access to equipment, storage, and staff spaces and facilities. | | |
| Security protocols and procedures. | | |
| Evaluation procedures of security vulnerabilities. | | |
| Accountability mechanisms to ensure network security. | | |
| Data security policies and procedures. | | |
| Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. | | |
| Information security events shall be reported through appropriate management channels as quickly as possible. | | |
| The allocation and use of privileged access rights shall be restricted and controlled. | | |
| The allocation of secret authentication information shall be controlled through a formal management process. | | |
| Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. | | |
| Secure areas shall be protected by appropriate entry controls to ensure that only authorised personnel are allowed access. | | |
| Logging facilities and log information shall be protected against tampering and unauthorised access. | | |
| Procedures shall be implemented to control the installation of software on operational systems. | | |
| Networks shall be managed and controlled to protect information in systems and applications. | | |

4.4 Data Governance Framework

Evidence of current practice or procedures to be described by proposed research infrastructure service provider

| Control | Evidence | Status |
| --- | --- | --- |
| Privacy policy | | |
| Acceptable use policy and defined actions to be taken when there is deviation. | | |
| Data breach policy and procedures | | |
| Data access agreement | | |
| Data sharing agreement | | |
| End user account management | | |
| Data loss/corruption processes and procedures | | |
| Insurance coverage | | |
| Services agreement | | |
| Service level agreement | | |

4.5 Data Classification Framework

Evidence of current practice or procedures to be described by proposed research infrastructure service provider

| Control | Evidence | Status |
| --- | --- | --- |
| Information is classified in terms of legal requirements, value, criticality, and sensitivity to unauthorised disclosure or modification. | | |
| An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organisation. | | |
| Media containing information shall be protected against unauthorised access, misuse, or corruption during transportation. | | |

4.6 Support Capabilities

Evidence of current practice or procedures to be described by proposed research infrastructure service provider

| Control | Evidence | Status |
| --- | --- | --- |
| A formal support desk process is to be implemented to enable management of end-users. | | |
| A formal user registration and de-registration process shall be implemented to enable assignment of access rights. | | |
| A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. | | |
| Asset owners shall review users’ access rights at regular intervals. | | |
| Users shall be required to follow the organisation’s practices in the use of secret authentication information. | | |
| Operating procedures shall be documented and made available to all users who need them. | | |

4.7 Certifications

Evidence of current practice or procedures to be described by proposed research infrastructure service provider

| Control | Evidence | Status |
| --- | --- | --- |
| ISO 27001 Information Security Management | | |
| ISO 9001 Management Systems | | |
| ISO 31000 Risk Management | | |
| HIPAA compliance (Health Insurance Portability and Accountability Act - US) | | |
| ACSC self assessment (Australian Cyber Security Centre) | | |
| HECVAT | | |
| UK Cyber Essentials | | |

5. Review Process

The Research Infrastructure will evaluate the evidence provided and provide an assessment and recommendations for the proposed research to fulfil the requirements to effectively run, manage, and operate a Secure eResearch Platform.

This will assess suitability against the above-mentioned topics with respect to the management of the proposed or current infrastructure and the ability of support teams at both the Sub-Licensee and Partner sites to appropriately manage and govern a secure research environment.