From 746e19b1545f085d6970a6d66ee480823b190bac Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Mon, 5 Jun 2023 15:26:39 +0100 Subject: [PATCH 01/26] Add data lifecycle management table --- docs/source/standard.md | 37 ++++++++++++++++++++++++++++++++++--- 1 file changed, 34 insertions(+), 3 deletions(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 5393de7f..8f53f61e 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -223,9 +223,40 @@ The ability of the organisation to manage data assets and ensure information rem The ability of the organisation to manage how and where data is stored, how it moves, changes and is removed. -| Statement | Guidance | -| --------- | -------- | -| | | +```{list-table} +:header-rows: 1 +:name: tab-data-lifecycle-management + +* - Statement + - Guidance +* - A TRE must have a data ingress process which enforces information governance rules/processess. + - The data ingress process needs to ensure that information governance is correctly followed. + in particular, it should require that an ingress request has been approved by all required par ties. +* - A TRE must have a data egress process which enforces information governance rules/processess. + - The data egress process needs to ensure that information governance is correctly followed. + in particular, it should require that an egress request has been approved by all required par ties. +* - A TRE could require independent approval for data ingress and egress events. + - A person indepdent to a project, for example a TRE admin or dedicated referee, could check ingress and egress requests to ensure information governance is correctly followed in the absence of an automated process. +* - A TRE must keep a record of what data it holds. + - Good records are important for ensuring compliance with legislation, understanding risk and aiding good data hygiene. + The record should include a description of the data, its source, contact details for the data owner, which projects use the data, the data it was recieved, when it is expected to no longer be needed. +* - A TRE must have a policy on data deletion. + - There should be a clear, published policy on when data will be deleted beyond at the conclusion of a project. + This may allow time for data owners to consider outputs they may want to extract from the TRE. + Any sensitive data, including all backups, should be deleted when they are no longer needed. 
+ Having clear policy will help to avoid problems with data being kept longer than necessary or accidental deletion of outputs. +* - A TRE could keep backups of data and research environments + - Keeping backups could help reduce the impact of events like accidental deletion and data corruption on work in a TRE. + TRE developers may want to consider how different elements, for example sensitive input data or users workspaces, may be backed up or if they should be. +* - A TRE should log how input data is modified. + - If the input data is mutable a TRE should keep records of its modification. + For example when the data was modified and by who. +* - A TRE must, to a reasonable extent, prevent unathorised data ingress or egress + - Movement of data which has not been subject to information governance processes risks breaking rules and is more likely to result in a data breach. + However, it is difficult to control for every possibility. + For example, a user may take pictures of their computer screen to remove data, or using a device presnting as a USB HID keyboard to input large amounts of text. + An example of a reasonable measure would be for a remote desktop based TRE to prevent data being shared between a workspace's and local machine's clipboards. +``` ### 3.2 Identity and access management From 10a280d7aa7b5d9a3af70f55a95c61ba1b427074 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Mon, 5 Jun 2023 16:22:46 +0100 Subject: [PATCH 02/26] Add identity and access management table --- docs/source/standard.md | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 8f53f61e..140503a6 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
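Review bot: In PATCH 01/26, the "A TRE could keep backups of data and research environments" row should say that backups fall under the data deletion policy, because the row above already requires that "Any sensitive data, including all backups, should be deleted when they are no longer needed"; read on its own, the backups row has no retention limit. In the same hunk, the ingress and egress rows require approval "by all required parties" but not that the approval decision is recorded, even though the "keep a record" and "log how input data is modified" rows treat auditability as a requirement; suggest adding "and that the approval is recorded" to both. Also fix the spelling and punctuation introduced here: "processess", "par ties", "indepdent", "recieved", "the data it was recieved" (date), "unathorised", "presnting", "by who" (by whom), "users workspaces" (users'), and the lowercase "in particular" opening a sentence; the statements "A TRE could keep backups of data and research environments" and "A TRE must, to a reasonable extent, prevent unathorised data ingress or egress" are missing the terminating full stop the other statements have.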
@@ -262,9 +262,28 @@ The ability of the organisation to manage how and where data is stored, how it m The ability of the organisation to ensure the right people (identities) can access the tools and data they need and no more. -| Statement | Guidance | -| --------- | -------- | -| | | +```{list-table} +:header-rows: 1 +:name: tab-identity-and-access-management + +* - Statement + - Guidance +* - A TRE must not create user accounts for use by more than one person. + - It is important that each user account should be used by one, and only one, person in order to facilitate the assignment of roles or permissions and to log the actions of individuals. +* - A TRE must be reasonably convinced of the identity of the person being granted an account. + - It is important to ensure access, via an account, has been given to the correct person. + For example, multiple credentials may be used in account creation to verify identitity or, when appropriate, photo ID checks may be required. +* - A TRE must restrict a users access to only data required in their work. + - There is no need to grant an individual access to data they do not require. + Access may be assigned in a manner appropriate to a TREs design, for example through roles granted to user accounts or through isolated project workspaces. +* - A TRE must ensure multi-factor authentication for users. + - Multi-factor authentication ensures that to successfully connect a user must have more than one piece of evidence in different categories. + Categories include something the user knows (_e.g._ a password), something the user possesses (_e.g._ a TOTP key) or something the user is (_e.g._ biometric data). + A TRE does not need to implement multi-factor authentication checks itself if it is provided by a third-party identity provider. +* - A TRE could restrict access to particular locations. + - Restricting access to a set of known, static, personal or instiutional IP addresses can help avoid speculative attacks. 
+ When appropriate, access could also be restricted to physical locations with security controls and access requirements. +``` ### 3.3 Output management From 8ac8031a60717b1afac9a10a77215a649f753089 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Tue, 6 Jun 2023 10:20:50 +0100 Subject: [PATCH 03/26] Remove information discovery section This feels very dependent on the TREs design and philosophy. In particular, it assumes a TRE hold a large number of 'browsable' data sets for users to discover, request, use. However, TREs may be designed to be ephemeral and contain only data required for a particular project. --- docs/source/standard.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 140503a6..5e7005f1 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md @@ -293,14 +293,6 @@ The ability of the organisation to ensure outputs are safely published and share | --------- | -------- | | | | -### 3.4 Information discovery - -The ability of the organisation to support users who want to browse the data available within an environment at various levels of abstraction. - -| Statement | Guidance | -| --------- | -------- | -| | | - (standard_capability_information_security)= ## 4. Information security From fdc4b334d026025b89575ff76e029dd1e9298f6a Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Tue, 6 Jun 2023 10:58:05 +0100 Subject: [PATCH 04/26] Add output management table --- docs/source/standard.md | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 5e7005f1..9a46d22c 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
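Review bot: In PATCH 02/26, the multi-factor authentication row states a "must" but then says a TRE "does not need to implement multi-factor authentication checks itself if it is provided by a third-party identity provider", which leaves the requirement unverifiable when authentication is delegated; suggest conditioning the exemption on the TRE confirming that the provider actually enforces multi-factor authentication for TRE users, for example through the provider's configured policy. Smaller points in the same hunk: "a users access" and "a TREs design" need apostrophes (user's, TRE's), and "identitity" and "instiutional" are misspelled.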
@@ -289,9 +289,21 @@ The ability of the organisation to ensure the right people (identities) can acce The ability of the organisation to ensure outputs are safely published and shared. -| Statement | Guidance | -| --------- | -------- | -| | | +```{list-table} +:header-rows: 1 +:name: tab-output-management + +* - Statement + - Guidance +* - A TRE should have a system to aid classifying outputs. + - Removing data from a TRE can be a difficult process as there is potential for sensitive data to be revealed. + Having guidance, processess and methods to help will ensure that outputs are correctly classified and, furthermore, that outputs when may be openly published are identified. + Encouraging openly published outputs will enhance a TREs impact over handing all outputs to the data provider. +* - A TRE should establish projects intended outputs from the outset. + - Identifying the purpose of a piece of work is important for compliance with data protection legilation. + Results will be produced which address the projects purpose, some of which may be outputs removed from the TRE. + Understanding what these outputs are likely to be and their sensitivity as early as possible will help prepare for their processing and publication. +``` (standard_capability_information_security)= From 18505eb35f10d4882ed3466f41dc66be7c3f5d37 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 13:27:11 +0100 Subject: [PATCH 05/26] Update docs/source/standard.md Co-authored-by: James Robinson --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 743d19e2..1eca0141 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
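Review bot: In PATCH 04/26, the "system to aid classifying outputs" row covers classifying outputs and identifying those that may be openly published, but nothing in this table connects that classification to the egress process required in the data lifecycle table added in PATCH 01/26, so it is unclear whether an output's classification gates its release; suggest a sentence stating that outputs leave the TRE only through that egress process, with the classification recorded as part of the egress request. Also in this hunk: "processess", "outputs when may be openly published" (which may), "a TREs impact" (TRE's), "projects intended outputs" and "the projects purpose" (project's), and "legilation".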
@@ -229,7 +229,7 @@ The ability of the TRE organisation to manage how and where data is stored, how * - Statement - Guidance -* - A TRE must have a data ingress process which enforces information governance rules/processess. +* - A TRE must have a data ingress process which enforces information governance rules/processes. - The data ingress process needs to ensure that information governance is correctly followed. in particular, it should require that an ingress request has been approved by all required par ties. * - A TRE must have a data egress process which enforces information governance rules/processess. From 750b8a38887bc08192902be063f22a549039d771 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 13:27:18 +0100 Subject: [PATCH 06/26] Update docs/source/standard.md Co-authored-by: James Robinson --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 1eca0141..858f1274 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md @@ -232,7 +232,7 @@ The ability of the TRE organisation to manage how and where data is stored, how * - A TRE must have a data ingress process which enforces information governance rules/processes. - The data ingress process needs to ensure that information governance is correctly followed. in particular, it should require that an ingress request has been approved by all required par ties. -* - A TRE must have a data egress process which enforces information governance rules/processess. +* - A TRE must have a data egress process which enforces information governance rules/processes. - The data egress process needs to ensure that information governance is correctly followed. in particular, it should require that an egress request has been approved by all required par ties. * - A TRE could require independent approval for data ingress and egress events. From 1a8f24c5f7e2953e5426db0f26d158f9978ca8e1 Mon Sep 17 00:00:00 2001 
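Review bot: In PATCH 05/26, the egress row two lines below the changed line still carries the same "processess" misspelling that is corrected here in the ingress row (it is only fixed in PATCH 06/26); both belong in one commit. More generally, PATCH 05/26 through PATCH 23/26 each change a single word or phrase of the same list-table in docs/source/standard.md and would be easier to review and to bisect if squashed into one commit before merge.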
From: Jim Madge Date: Wed, 7 Jun 2023 13:27:30 +0100 Subject: [PATCH 07/26] Update docs/source/standard.md Co-authored-by: James Robinson --- docs/source/standard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 858f1274..ccdfe597 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md @@ -233,8 +233,8 @@ The ability of the TRE organisation to manage how and where data is stored, how - The data ingress process needs to ensure that information governance is correctly followed. in particular, it should require that an ingress request has been approved by all required par ties. * - A TRE must have a data egress process which enforces information governance rules/processes. - - The data egress process needs to ensure that information governance is correctly followed. - in particular, it should require that an egress request has been approved by all required par ties. + - The data egress process needs to ensure that information governance requirements are adhered to. + In particular, it should require that an egress request has been approved by all required parties. * - A TRE could require independent approval for data ingress and egress events. - A person indepdent to a project, for example a TRE admin or dedicated referee, could check ingress and egress requests to ensure information governance is correctly followed in the absence of an automated process. * - A TRE must keep a record of what data it holds. From 4e39964ba8c21cd7e83d43d95134b5fa796dc602 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 13:27:43 +0100 Subject: [PATCH 08/26] Update docs/source/standard.md Co-authored-by: James Robinson --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index ccdfe597..eb93b982 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
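Review bot: In PATCH 07/26, the egress row is reworded to "information governance requirements are adhered to" with a capitalised "In particular" and "parties" spelled correctly, but the parallel ingress row in the preceding context lines keeps the old wording ("is correctly followed. in particular ... par ties"), so the two rows now differ in phrasing and capitalisation; apply the same rewording to the ingress row in the same commit.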
@@ -236,7 +236,7 @@ The ability of the TRE organisation to manage how and where data is stored, how - The data egress process needs to ensure that information governance requirements are adhered to. In particular, it should require that an egress request has been approved by all required parties. * - A TRE could require independent approval for data ingress and egress events. - - A person indepdent to a project, for example a TRE admin or dedicated referee, could check ingress and egress requests to ensure information governance is correctly followed in the absence of an automated process. + - A person independent to a project, for example a TRE admin or dedicated referee, could check ingress and egress requests to ensure information governance processes are correctly followed in the absence of an automated process. * - A TRE must keep a record of what data it holds. - Good records are important for ensuring compliance with legislation, understanding risk and aiding good data hygiene. The record should include a description of the data, its source, contact details for the data owner, which projects use the data, the data it was recieved, when it is expected to no longer be needed. From 6b08268bda3d75b8b45a26a7c0bad8e971b41818 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 13:27:55 +0100 Subject: [PATCH 09/26] Update docs/source/standard.md Co-authored-by: James Robinson --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index eb93b982..5b1767e9 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -245,7 +245,7 @@ The ability of the TRE organisation to manage how and where data is stored, how This may allow time for data owners to consider outputs they may want to extract from the TRE. Any sensitive data, including all backups, should be deleted when they are no longer needed. Having clear policy will help to avoid problems with data being kept longer than necessary or accidental deletion of outputs. -* - A TRE could keep backups of data and research environments +* - A TRE could keep backups of data and research environments, provided that this is permitted by law. - Keeping backups could help reduce the impact of events like accidental deletion and data corruption on work in a TRE. TRE developers may want to consider how different elements, for example sensitive input data or users workspaces, may be backed up or if they should be. * - A TRE should log how input data is modified. From 27c4e7a2bacf777d844f0fb10c62a39f80059b80 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 13:41:52 +0100 Subject: [PATCH 10/26] Update docs/source/standard.md Co-authored-by: James Robinson --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 5b1767e9..a81aef5a 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
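Review bot: In PATCH 09/26, "provided that this is permitted by law" is narrower than the constraints the table itself describes: the terms set by the data owner may forbid additional copies even where the law permits them, and the deletion row just above requires that "all backups" be deleted when no longer needed; suggest "provided that this is permitted by law and by the terms under which the data was provided, and that backups are covered by the data deletion policy".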
@@ -281,7 +281,7 @@ The ability of the TRE organisation to ensure the right people (identities) can Categories include something the user knows (_e.g._ a password), something the user possesses (_e.g._ a TOTP key) or something the user is (_e.g._ biometric data). A TRE does not need to implement multi-factor authentication checks itself if it is provided by a third-party identity provider. * - A TRE could restrict access to particular locations. - - Restricting access to a set of known, static, personal or instiutional IP addresses can help avoid speculative attacks. + - Restricting access to a set of known, static, personal or institutional IP addresses can help avoid speculative attacks. When appropriate, access could also be restricted to physical locations with security controls and access requirements. ``` From 7ea883754160c30f4554a47d742330180c7b4950 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 13:42:17 +0100 Subject: [PATCH 11/26] Update docs/source/standard.md Co-authored-by: James Robinson --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index a81aef5a..4353ec14 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -298,7 +298,7 @@ The ability of the TRE organisation to ensure outputs are safely published and s * - A TRE should have a system to aid classifying outputs. - Removing data from a TRE can be a difficult process as there is potential for sensitive data to be revealed. Having guidance, processess and methods to help will ensure that outputs are correctly classified and, furthermore, that outputs when may be openly published are identified. - Encouraging openly published outputs will enhance a TREs impact over handing all outputs to the data provider. + Encouraging openly published outputs rather than handing all outputs to the data provider will enhance a TRE's impact . * - A TRE should establish projects intended outputs from the outset. - Identifying the purpose of a piece of work is important for compliance with data protection legilation. Results will be produced which address the projects purpose, some of which may be outputs removed from the TRE. From 56c8c2de517de52cfdd55f7d3420a157756139a7 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 13:42:27 +0100 Subject: [PATCH 12/26] Update docs/source/standard.md Co-authored-by: James Robinson --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 4353ec14..fdb2c985 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
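Review bot: In PATCH 11/26, the rewritten line ends "will enhance a TRE's impact ." with a stray space before the full stop; remove it. The context line above it still has "processess" and "outputs when may be openly published" (which may), which this suggestion could have corrected in passing.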
@@ -299,7 +299,7 @@ The ability of the TRE organisation to ensure outputs are safely published and s - Removing data from a TRE can be a difficult process as there is potential for sensitive data to be revealed. Having guidance, processess and methods to help will ensure that outputs are correctly classified and, furthermore, that outputs when may be openly published are identified. Encouraging openly published outputs rather than handing all outputs to the data provider will enhance a TRE's impact . -* - A TRE should establish projects intended outputs from the outset. +* - A TRE should establish each project's intended outputs from the outset. - Identifying the purpose of a piece of work is important for compliance with data protection legilation. Results will be produced which address the projects purpose, some of which may be outputs removed from the TRE. Understanding what these outputs are likely to be and their sensitivity as early as possible will help prepare for their processing and publication. From 1d85fa7ee4574d6963763f0fe6c9ead7b15c4bba Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 13:50:14 +0100 Subject: [PATCH 13/26] Add comma Co-authored-by: James Robinson --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index fdb2c985..76b33e74 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -250,7 +250,7 @@ The ability of the TRE organisation to manage how and where data is stored, how TRE developers may want to consider how different elements, for example sensitive input data or users workspaces, may be backed up or if they should be. * - A TRE should log how input data is modified. - If the input data is mutable a TRE should keep records of its modification. - For example when the data was modified and by who. + For example, when the data was modified and by who. * - A TRE must, to a reasonable extent, prevent unathorised data ingress or egress - Movement of data which has not been subject to information governance processes risks breaking rules and is more likely to result in a data breach. However, it is difficult to control for every possibility. From b6c00fe61c61ac69c19fee09ab45528ce848b96a Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 13:52:54 +0100 Subject: [PATCH 14/26] Improve grammar and spelling Co-authored-by: James Robinson --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 76b33e74..b92b4a38 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
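Review bot: In PATCH 13/26, the added comma is right, but "by who" in the same line should be "by whom" as the object of "by"; suggest "For example, when the data was modified and by whom."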
@@ -254,7 +254,7 @@ The ability of the TRE organisation to manage how and where data is stored, how * - A TRE must, to a reasonable extent, prevent unathorised data ingress or egress - Movement of data which has not been subject to information governance processes risks breaking rules and is more likely to result in a data breach. However, it is difficult to control for every possibility. - For example, a user may take pictures of their computer screen to remove data, or using a device presnting as a USB HID keyboard to input large amounts of text. + For example, a user may take pictures of their computer screen to remove data, or use a device presenting as a USB HID keyboard to input large amounts of text. An example of a reasonable measure would be for a remote desktop based TRE to prevent data being shared between a workspace's and local machine's clipboards. ``` From c28a414a662d202f2069bc0078135607d1dde55d Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 14:03:19 +0100 Subject: [PATCH 15/26] Update docs/source/standard.md Co-authored-by: Simon Li --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index b92b4a38..0a290d54 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -231,7 +231,7 @@ The ability of the TRE organisation to manage how and where data is stored, how - Guidance * - A TRE must have a data ingress process which enforces information governance rules/processes. - The data ingress process needs to ensure that information governance is correctly followed. - in particular, it should require that an ingress request has been approved by all required par ties. + in particular, it should require that an ingress request has been approved by all required parties. * - A TRE must have a data egress process which enforces information governance rules/processes. - The data egress process needs to ensure that information governance requirements are adhered to. In particular, it should require that an egress request has been approved by all required parties. From a8ef867580efd492e2ac4a161ddf3036a2a6cb07 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 14:03:53 +0100 Subject: [PATCH 16/26] Update docs/source/standard.md Co-authored-by: Simon Li --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 0a290d54..1b16e7d0 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
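Review bot: In PATCH 15/26, "par ties" is fixed but the line still begins with a lowercase "in particular", whereas PATCH 07/26 capitalised the same phrase in the egress row immediately below; change it to "In particular" so the two rows match.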
@@ -239,7 +239,7 @@ The ability of the TRE organisation to manage how and where data is stored, how - A person independent to a project, for example a TRE admin or dedicated referee, could check ingress and egress requests to ensure information governance processes are correctly followed in the absence of an automated process. * - A TRE must keep a record of what data it holds. - Good records are important for ensuring compliance with legislation, understanding risk and aiding good data hygiene. - The record should include a description of the data, its source, contact details for the data owner, which projects use the data, the data it was recieved, when it is expected to no longer be needed. + The record should include a description of the data, its source, contact details for the data owner, which projects use the data, the date it was recieved, when it is expected to no longer be needed. * - A TRE must have a policy on data deletion. - There should be a clear, published policy on when data will be deleted beyond at the conclusion of a project. This may allow time for data owners to consider outputs they may want to extract from the TRE. From f9791cf4d39e8e128f339e1bca0e03b91aeb07a2 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 14:04:32 +0100 Subject: [PATCH 17/26] Update docs/source/standard.md Co-authored-by: Simon Li --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 1b16e7d0..fb888ee1 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
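Review bot: In PATCH 16/26, "the data it was recieved" becomes "the date it was recieved", leaving "recieved" misspelled in the very words being edited; it should read "the date it was received". The list would also read better with a conjunction before its last item: "..., the date it was received, and when it is expected to no longer be needed."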
@@ -241,7 +241,7 @@ The ability of the TRE organisation to manage how and where data is stored, how - Good records are important for ensuring compliance with legislation, understanding risk and aiding good data hygiene. The record should include a description of the data, its source, contact details for the data owner, which projects use the data, the date it was recieved, when it is expected to no longer be needed. * - A TRE must have a policy on data deletion. - - There should be a clear, published policy on when data will be deleted beyond at the conclusion of a project. + - There should be a clear, published policy on when data will be retained or deleted. This may allow time for data owners to consider outputs they may want to extract from the TRE. Any sensitive data, including all backups, should be deleted when they are no longer needed. Having clear policy will help to avoid problems with data being kept longer than necessary or accidental deletion of outputs. From 7e9231332698c2826582e287d347ba9f21338642 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 14:05:20 +0100 Subject: [PATCH 18/26] Update docs/source/standard.md Co-authored-by: Simon Li --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index fb888ee1..6479940c 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
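Review bot: In PATCH 17/26, once the statement reads "when data will be retained or deleted", the following context line "This may allow time for data owners to consider outputs they may want to extract from the TRE." loses its referent: "This" previously pointed at deleting data beyond "the conclusion of a project", which is what gives data owners that time. Suggest either keeping that idea in the new sentence (for example, "including any period for which data is retained after a project ends") or rewording the following sentence so it stands on its own.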
@@ -244,7 +244,7 @@ The ability of the TRE organisation to manage how and where data is stored, how - There should be a clear, published policy on when data will be retained or deleted. This may allow time for data owners to consider outputs they may want to extract from the TRE. Any sensitive data, including all backups, should be deleted when they are no longer needed. - Having clear policy will help to avoid problems with data being kept longer than necessary or accidental deletion of outputs. + Having clear policies will help to avoid problems with data being kept longer than necessary or accidental deletion of outputs. * - A TRE could keep backups of data and research environments, provided that this is permitted by law. - Keeping backups could help reduce the impact of events like accidental deletion and data corruption on work in a TRE. TRE developers may want to consider how different elements, for example sensitive input data or users workspaces, may be backed up or if they should be. From 4cfb3714c3693655a8792729fb214193f69e3aee Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 14:05:34 +0100 Subject: [PATCH 19/26] Update docs/source/standard.md Co-authored-by: Simon Li --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 6479940c..4c3dc38d 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -251,7 +251,7 @@ The ability of the TRE organisation to manage how and where data is stored, how * - A TRE should log how input data is modified. - If the input data is mutable a TRE should keep records of its modification. For example, when the data was modified and by who. -* - A TRE must, to a reasonable extent, prevent unathorised data ingress or egress +* - A TRE must, to a reasonable extent, prevent unauthorised data ingress or egress - Movement of data which has not been subject to information governance processes risks breaking rules and is more likely to result in a data breach. However, it is difficult to control for every possibility. For example, a user may take pictures of their computer screen to remove data, or use a device presenting as a USB HID keyboard to input large amounts of text. From 54062bce93c3a299301d583a6134d9e785d26a9f Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 14:06:02 +0100 Subject: [PATCH 20/26] Update docs/source/standard.md Co-authored-by: Simon Li --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 4c3dc38d..7ab4a9c5 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -272,7 +272,7 @@ The ability of the TRE organisation to ensure the right people (identities) can - It is important that each user account should be used by one, and only one, person in order to facilitate the assignment of roles or permissions and to log the actions of individuals. * - A TRE must be reasonably convinced of the identity of the person being granted an account. - It is important to ensure access, via an account, has been given to the correct person. - For example, multiple credentials may be used in account creation to verify identitity or, when appropriate, photo ID checks may be required. + For example, multiple credentials may be used before account creation to verify identity or, when appropriate, photo ID checks may be required. * - A TRE must restrict a users access to only data required in their work. - There is no need to grant an individual access to data they do not require. Access may be assigned in a manner appropriate to a TREs design, for example through roles granted to user accounts or through isolated project workspaces. From a78e43cf0c29afb0879e8fa3dd7fab479975fa7a Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 14:06:52 +0100 Subject: [PATCH 21/26] Update docs/source/standard.md Co-authored-by: Simon Li --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 7ab4a9c5..47926287 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
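Review bot: In PATCH 20/26, the changed line is fine, but the context lines immediately after it still contain "a users access" and "a TREs design", which need apostrophes (user's, TRE's); since this series is already correcting wording in this table, include those here rather than leaving them for a later pass.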
@@ -297,7 +297,7 @@ The ability of the TRE organisation to ensure outputs are safely published and s - Guidance * - A TRE should have a system to aid classifying outputs. - Removing data from a TRE can be a difficult process as there is potential for sensitive data to be revealed. - Having guidance, processess and methods to help will ensure that outputs are correctly classified and, furthermore, that outputs when may be openly published are identified. + Having guidance, processess and methods will help ensure that outputs are correctly classified and, furthermore, that outputs due to be openly published are identified. Encouraging openly published outputs rather than handing all outputs to the data provider will enhance a TRE's impact . * - A TRE should establish each project's intended outputs from the outset. - Identifying the purpose of a piece of work is important for compliance with data protection legilation. From 161b1d64b79bc0556a87d70b8394912b01d030a5 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 14:07:07 +0100 Subject: [PATCH 22/26] Update docs/source/standard.md Co-authored-by: Simon Li --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 47926287..85164de5 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
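Review bot: In PATCH 21/26, the rewritten line still contains "processess" ("Having guidance, processess and methods will help ensure"), so the misspelling survives a line edited specifically for wording; change it to "processes" in the same commit.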
@@ -300,7 +300,7 @@ The ability of the TRE organisation to ensure outputs are safely published and s Having guidance, processess and methods will help ensure that outputs are correctly classified and, furthermore, that outputs due to be openly published are identified. Encouraging openly published outputs rather than handing all outputs to the data provider will enhance a TRE's impact . * - A TRE should establish each project's intended outputs from the outset. - - Identifying the purpose of a piece of work is important for compliance with data protection legilation. + - Identifying the purpose of a piece of work is important for compliance with data protection legislation. Results will be produced which address the projects purpose, some of which may be outputs removed from the TRE. Understanding what these outputs are likely to be and their sensitivity as early as possible will help prepare for their processing and publication. ``` From a20f5a67f212fa376a24bf01c3b259846c95917d Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 14:07:46 +0100 Subject: [PATCH 23/26] Update docs/source/standard.md Co-authored-by: Simon Li --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 85164de5..42724b2e 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -301,7 +301,7 @@ The ability of the TRE organisation to ensure outputs are safely published and s Encouraging openly published outputs rather than handing all outputs to the data provider will enhance a TRE's impact . * - A TRE should establish each project's intended outputs from the outset. - Identifying the purpose of a piece of work is important for compliance with data protection legislation. - Results will be produced which address the projects purpose, some of which may be outputs removed from the TRE. + Results will be produced which address the project's purpose, some of which may be outputs that are removed from the TRE. Understanding what these outputs are likely to be and their sensitivity as early as possible will help prepare for their processing and publication. ``` From 0f49a83393e1b1aed7a1f2976485b638484fedb5 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 14:19:41 +0100 Subject: [PATCH 24/26] Update docs/source/standard.md Co-authored-by: Simon Li --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 42724b2e..1d7c47dd 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -255,7 +255,7 @@ The ability of the TRE organisation to manage how and where data is stored, how - Movement of data which has not been subject to information governance processes risks breaking rules and is more likely to result in a data breach. However, it is difficult to control for every possibility. For example, a user may take pictures of their computer screen to remove data, or use a device presenting as a USB HID keyboard to input large amounts of text. - An example of a reasonable measure would be for a remote desktop based TRE to prevent data being shared between a workspace's and local machine's clipboards. + An example of a reasonable measure would be for a remote desktop based TRE to prevent data being copied from a local machine's clipboard to a workspace. ``` ### 3.2 Identity and access management From b447b13c5e464b61acd71197e3debdb880c2b87c Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 15:36:33 +0100 Subject: [PATCH 25/26] Clarify project independent approval (maybe) --- docs/source/standard.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 1d7c47dd..fa5a1593 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -235,8 +235,9 @@ The ability of the TRE organisation to manage how and where data is stored, how * - A TRE must have a data egress process which enforces information governance rules/processes. - The data egress process needs to ensure that information governance requirements are adhered to. In particular, it should require that an egress request has been approved by all required parties. -* - A TRE could require independent approval for data ingress and egress events. - - A person independent to a project, for example a TRE admin or dedicated referee, could check ingress and egress requests to ensure information governance processes are correctly followed in the absence of an automated process. +* - A TRE's data egress process could sometimes require project-independent approval. + - There may be cases where there are multiple stakeholders for a piece of analysis including data providers, data analysts, data subjects, the TRE organisation. + A data egress process may then require approval from people not on the project team, for example an external referee or TRE organisation representative * - A TRE must keep a record of what data it holds. - Good records are important for ensuring compliance with legislation, understanding risk and aiding good data hygiene. The record should include a description of the data, its source, contact details for the data owner, which projects use the data, the date it was recieved, when it is expected to no longer be needed. From 40c3b48f47acfb68654790f876ccafa7de510004 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Wed, 7 Jun 2023 15:51:36 +0100 Subject: [PATCH 26/26] Capitalise letter --- docs/source/standard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index fa5a1593..b9feda7a 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -231,7 +231,7 @@ The ability of the TRE organisation to manage how and where data is stored, how - Guidance * - A TRE must have a data ingress process which enforces information governance rules/processes. - The data ingress process needs to ensure that information governance is correctly followed. - in particular, it should require that an ingress request has been approved by all required parties. + In particular, it should require that an ingress request has been approved by all required parties. * - A TRE must have a data egress process which enforces information governance rules/processes. - The data egress process needs to ensure that information governance requirements are adhered to. In particular, it should require that an egress request has been approved by all required parties.
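Review bot: on the PATCH 20 hunk (`@@ -272,7 +272,7 @@`, identity and access management), the unchanged context lines directly below the corrected sentence still carry two missing apostrophes, "restrict a users access" and "appropriate to a TREs design"; since this patch is already a wording fix for that row, it would be worth folding "a user's access" and "a TRE's design" into it rather than leaving them for a later commit.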
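Review bot: on the PATCH 21 hunk (`@@ -297,7 +297,7 @@`, output management), the replacement `+` line keeps the misspelling "processess" from the line it replaces; suggest "Having guidance, processes and methods will help ensure ...". The following context line also has a stray space before the full stop in "enhance a TRE's impact .", which this patch could tidy while touching the row.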
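Review bot: on the PATCH 24 hunk (`@@ -255,7 +255,7 @@`, data lifecycle management), the new example narrows the clipboard control from both directions to only local-to-workspace copying. The preceding context lines describe uncontrolled movement in general (screen photographs are egress, the USB HID keyboard is ingress), so a reader may now take the workspace-to-local direction, the one that removes data from the TRE, to be out of scope; either keep the bidirectional wording or state in the guidance that blocking the outbound clipboard is covered by the egress process row.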
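Review bot: on the PATCH 25 hunk (`@@ -235,8 +235,9 @@`), the replacement `+` lines drop ingress from the statement (the old row covered "data ingress and egress events", the new one only egress), and the commit message's "(maybe)" does not say whether that narrowing is intended; please confirm it in the message or keep ingress in the statement. The second added guidance line also ends without a full stop ("... or TRE organisation representative"), and the stakeholder list "data providers, data analysts, data subjects, the TRE organisation" wants "and" before its last item. The trailing context line still spells "recieved"; a follow-up typo fix would be welcome.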