EMSOnline: data protection update
 
Preamble

The following data protection arrangements apply if data is to be stored, at your request, in Microsoft Access (our second preference) rather than SQL Server (our first preference). Having said that, very good security can be achieved using the former via your existing folder setup. The following can be adapted to your local requirements at your request, and should be viewed as a template arising from a large organisation for which the template was created.

Updated: 6 December 2010
Application / Information repository name: INSERT NAME OF APP
Business reason for handling sensitive data:
Control Question | Response | Control Status | Comments

Access Controls
Are there formal access controls in place? | YES | Documented in a Policy, Standard and in Procedures, Processes | The Data Control Centre administrator controls top-level permissions, and people with lower-level permissions control permissions for other users on a need-to-access / need-to-know basis.
Do they articulate who has access to what and why? | YES | Documented in a Policy, Standard and in Procedures, Processes | The Data Control Centre administrator controls permissions to limited parts of the EMSOnline Data Control Centre. People given this permission are approved by the Management Teams relevant to the apps hosted and / or the project managers for apps hosted, and have limited access and / or control over data and permissions. These people grant access and / or control further down the hierarchy.
Is the access allocated to a particular role or an individual? | YES | Documented in a Policy, Standard and in Procedures, Processes | Access is controlled by the Data Control Centre administrator, who delegates control further down the hierarchy as approved by the Management Teams relevant to the apps hosted and / or the project managers for apps hosted.
Are third parties permitted access to the application? | NO | Documented in a Policy, Standard and in Procedures, Processes | All access is via the EMSOnline home page, with permissions controlled out of the Data Control Centre, see above.
Are users required to undergo security checks / vetting before being granted access to the application? | YES | Documented in a Policy, Standard and in Procedures, Processes | People given this permission are approved by the Management Teams relevant to the apps hosted and / or the project managers for apps hosted, and have limited access and / or control over data and permissions. These people grant access and / or control further down the hierarchy.
Is a password required to access the application? | YES | Documented in a Policy, Standard and in Procedures, Processes | EMSOnline permissions read the user's login name, which has a password maintained by the organisation.
Is access revoked when no longer needed, e.g. upon termination? | YES | Documented in a Policy, Standard and in Procedures, Processes | Management Teams relevant to the apps hosted and / or the project managers for apps hosted revoke access via a link on the EMSOnline home page.

Anti-virus Software
Is there anti-virus software installed on the device hosting the application? | YES | Documented in a Policy, Standard and in Procedures, Processes | EMSOnline is wholly developed within Microsoft Office on your organisation's network, and is a recipient of all the anti-virus software that your organisation provides to Microsoft Office.
Are files virus scanned before being opened? | YES | Documented in a Policy, Standard and in Procedures, Processes | EMSOnline is wholly developed within Microsoft Office on your organisation's network, and is a recipient of all the virus scanning your organisation applies to Microsoft Office files when they are opened.

Auditing, Monitoring and Reviewing
Is file and user activity monitored for inappropriate and illegal activity? | NO | Documented in a Policy, Standard and in Procedures, Processes | EMSOnline is wholly developed within Microsoft Office on your organisation's network, and the rules that apply to data entry in Microsoft Office files in general within your organisation apply to data entered via EMSOnline.
Are there regular processes in place to audit user activity and information processes? | YES | Documented in a Policy, Standard and in Procedures, Processes | Management Teams relevant to the apps hosted and / or the project managers for apps hosted commission all the auditing that is required for data entered into a given app.
When was the application last audited? | N/A | Documented in a Policy, Standard and in Procedures, Processes | Audit reports are created daily / continuously, for review by your organisation's Management Teams relevant to the apps hosted and / or the project managers for apps hosted.

Incident Response
Is there a documented process to deal with security incidents? | YES | Documented in a Policy, Standard and in Procedures, Processes | Updates of the EMSOnline Continuous Improvement Program are circulated regularly to the project managers for apps hosted, and the latest project plan for each app is made available to the project managers for apps hosted. This document contains a standard list of risk management headings, and the response to each.
Has the application's security been breached and information inappropriately accessed or disclosed in the last 12 months? | NO | Documented in a Policy, Standard and in Procedures, Processes | No security breaches have been reported in the history of apps hosted at EMSOnline (since its launch in 2001/02).

Awareness
Are users provided with an appropriate "user manual" and necessary security information? | YES | Documented in a Policy, Standard and in Procedures, Processes | The home page of EMSOnline contains a clear statement that all data hosted at EMSOnline is subject to security permissions. Users with access to the Data Control Centre agree to read the standard data security guidelines on an intro screen every time they enter the Data Control Centre, and agree to receive orientation from Christine Tiernan, Manager User Support Systems EMSOnline, prior to using the Data Control Centre for the first time.
Do users know who to contact for security concerns? | YES | Documented in a Policy, Standard and in Procedures, Processes | The home page of EMSOnline contains a user support system via which users are able to log a request regarding security or any other matter.
Is there a clearly defined owner (and delegate) for the application? | YES | Documented in a Policy, Standard and in Procedures, Processes | The home page of EMSOnline lists all hosted apps, and the project manager currently responsible for each.

Backups, Business Continuity & Disaster Recovery
Is the application backed up at regular intervals? | YES | Documented in a Policy, Standard and in Procedures, Processes | Every night (recommended) on your organisation's backup tapes.
Is there an alternative that can be used if the application is unavailable? | NO | Documented in a Policy, Standard and in Procedures, Processes | If the application is unavailable (for example due to scheduled maintenance by your IT people), users receive a prompt asking them to "try again later" or similar. Tailored responses can be arranged by request.
Is there a formal Business Continuity Plan / Disaster Recovery plan in place and has it been tested within the last 12 months? | YES | Documented in a Policy, Standard and in Procedures, Processes | The EMSOnline Continuous Improvement Program and, if specific additional measures are required, the project plan for a given app, contain information regarding disaster recovery. We have only ever once needed a formal recovery, due to a large move from one building to another by a government department in the early 2000s, when we were called in to recover rosters that had been uploaded in that window of time.

Change Management
Are formal change management processes used when making changes to the application? | YES | Documented in a Policy, Standard and in Procedures, Processes | The EMSOnline Continuous Improvement Program has as a condition of upgrade for apps that a change management plan must be in place.

Patching
Is the application up to date with known patches? | YES | Documented in a Policy, Standard and in Procedures, Processes | EMSOnline is wholly developed within Microsoft Office on your organisation's network, and receives all patches approved by your organisation for Microsoft Office generally.
Is there a structured process in place to ensure that application vulnerabilities are patched in a timely manner? | YES | Documented in a Policy, Standard and in Procedures, Processes | EMSOnline is wholly developed within Microsoft Office on your organisation's network, and receives all patches approved by your organisation for Microsoft Office generally.

Information Classification & Handling
Is information being handled by the application assessed for integrity as well as confidentiality and availability requirements? | YES | Documented in a Policy, Standard and in Procedures, Processes | All data entered into apps hosted at EMSOnline is validated and screened to the level required by the project manager for the app.
Is information handled by the application appropriately classified and labelled according to organisational requirements? | YES | Documented in a Policy, Standard and in Procedures, Processes | The classification and labelling of data entered into apps hosted at EMSOnline is in line with data entry into any Microsoft Office file, with additional labels such as the login name of the user, the user's permission level and position, and other details of the user, as the relevant manager may require.
Is information handled by the application appropriately disposed of according to organisational requirements when no longer required? | YES | Documented in a Policy, Standard and in Procedures, Processes | Please note that, as far as we are aware, no data entered into EMSOnline should be disposed of.
Is the application information encrypted / protected in accordance with organisational requirements? | YES | Documented in a Policy, Standard and in Procedures, Processes | Information is protected to the maximum level allowed to us by your IT people via your organisation's permissions structure and, where relevant, by the project managers for apps hosted. As part of our continuous improvement plan, we also continuously seek access to additional protection via SQL Server, rather than by ourselves.
Can application information be downloaded to removable media such as USB drives? | YES | Documented in a Policy, Standard and in Procedures, Processes | Certain apps and many reports allow information to be detached into standalone Microsoft Office and other files for the purpose of, for example, sending rosters to house staff, or roster stats to managers.
Can information be uploaded to the application from removable media such as USB drives? | YES | Documented in a Policy, Standard and in Procedures, Processes | Certain apps allow information to be submitted from standalone Microsoft Office files for the purpose of, for example, submitting roster information into EMSOnline databases.

Physical Security
Where is the application hosted? General organisational network? Dedicated network? Standalone device? | YES | Documented in a Policy, Standard and in Procedures, Processes | The application is hosted entirely on your organisation's network.
Is the device hosting the application in a secure environment, e.g. a data centre or computer room? | YES | Documented in a Policy, Standard and in Procedures, Processes | The application is hosted in permission-controlled folders on your organisation's network.

Information Flows
Are the information flows to and from the application documented? | YES | Documented in a Policy, Standard and in Procedures, Processes | The EMSOnline Continuous Improvement Program contains a standard that the 'App Design' for an app is to contain all the screens in the app, and all data flows.
Does the documentation include details of information creation, maintenance, storage, exchange and sharing, input, output and processing validation? | YES | Documented in a Policy, Standard and in Procedures, Processes | The business rules for creating an 'App Design' are specific in relation to all these types of information.

Remote and Wireless Access
Are there controls governing the physical location from which the application can be accessed? | YES | Documented in a Policy, Standard and in Procedures, Processes | The application can only be accessed when the user is logged in and has also been granted the relevant permissions.
Is remote access to the application permitted? | YES | Documented in a Policy, Standard and in Procedures, Processes | The application can only be accessed when the user is logged in, which for some managers can occur remotely. N.B. not all links work when logged in remotely, as the current scope of the application is that it should provide full access to users logged in locally (physically inside your organisation).
Is wireless access to the application permitted? | NO | Documented in a Policy, Standard and in Procedures, Processes | Access by wireless is not permitted except where your organisation may allow a user to log in using wireless.

Compliance
Has the application been assessed for compliance with organisational policies and standards within the last 12 months, and what were the outcomes? | NO | Documented in a Policy, Standard and in Procedures, Processes | EMSOnline has been audited twice in 2010, once by a large organisation where it is installed, and once (that audit is in progress) by an external auditor (Deloitte). To date, no issues have been raised, but we will in good time get a report arising from the latter.
Are the application owner and users conversant with the relevant legislative and regulatory requirements pertaining to the information being handled by the application? | YES | Documented in a Policy, Standard and in Procedures, Processes | The application owner has been working on this application, and in particular the RosterCoster app, since 1993, and is conversant to the extent that he has frequently been involved over the years in most issues relating to app development and maintenance. The EMSOnline Continuous Improvement Program contains a permanent application for the maximum level of compliance within the context of limited project budgets.
Is the application subject to legislative and / or regulatory compliance? If so, please indicate in the appropriate column. | YES | Documented in a Policy, Standard and in Procedures, Processes | See above.
Has the application's compliance with the relevant legislative and regulatory requirements been validated within the last 12 months? | NO | Documented in a Policy, Standard and in Procedures, Processes | See above.
Have there been any compliance breaches noted within the last 12 months, e.g. arising from a formal audit such as one conducted by VAGO or through other means, and what were the outcomes if any? | NO | Documented in a Policy, Standard and in Procedures, Processes | EMSOnline has never had a compliance breach since its introduction in 2001/02.

Last modified at 23/02/2011 23:49 by Damien Ryan-Green