vvcb / pytgithub-test Goto Github PK

It is important to ensure that policies and SOPs are relevant, up-to-date and carefully controlled to maintain the integrity and security of your TRE organisation.

The number of authentication applications should be kept to a minimum with common controls and standards applied across all such as MFA, password complexity etc..

Details of all data assets (current and past) held by the system should be retained along with meta-data useful for ensuring compliance can be demonstrated. This would include ownership, data lifecycle, contracts, risk assessments and other quality data. This is likely to already exist within the wider organisation but may require augmenting for the TRE.

Large amounts of data will be produced by elements within the TRE. These data should be analysed with reports and dashboards provided to guide TRE implementer’s improvements and provide re-assurance to data consumers and data subjects.

Requirements will come from a variety of sources including legislation, contractual obligations and ethical standards. Requirements must be monitored to ensure the TRE controls remain appropriate.

A portal should automate as much of the processes within the capability as possible. Where processes are automated, process maturity is easier to achieve, with more consistent completion and automatic production of quality control and monitoring data.

If you are publicly accredited against a standard, for instance ISO27001, DSPT, CE+ etc., you must have processes in place to ensure you remain compliant.

You might choose to trust certifications provided by known training providers or your institution’s partner organisations.

These should be included as mandatory, non-functional requirements in during procurement and contracting. This will also include contractor staff contracts for example, legal liability and NDAs.

All TRE organisation members need to complete all relevant training and keep their training current. You may need to provide help or guidance to enable them to do so. Details of what training is needed will have been determined above.

This includes the archiving of quality and log data along with the archiving or deletion of data sets.

The Data Controller may choose to delegate this authority.

All physical assets should be maintained and covered by warranty if applicable. At the end of their lifetime, assets should be securely disposed of in such a way that data cannot be recovered from them.

You have a risk assessment methodology for scoring risks on multiple axes such as impact and likelihood.

The study register should contain all data related to a study including a reference to data assets, project team members, information asset owners and any compliance activities required.

Requirements will come from a variety of sources including legislation, contractual obligations and ethical standards. Requirements must be monitored to ensure the TRE controls remain appropriate.

This includes understanding ownership of risk, and ability to accept risk which falls outside of the appetite should that become necessary.

This may include reports and dashboards showing security incidents, quality management deviations and audit findings.

A basic QMS could be a set of spreadsheets or documents held in a repository which are manually maintained. More mature applications will provide workflows and generate quality data through manual and automated actions.

Ensuring information governance controls are suitable and enforced requires an investment of funding and people appropriate to the size of the TRE.

This may include ID checks or email/phone verification.

For remote TREs this might include your cloud provider(s) and/or data centre operators. For on-premises TREs, it might be worth using an uninterruptable power supply (UPS) and planning how you would deal with internet outages.

This may include, for instance, cyber security training, GDPR training, and higher level training for system operators. Specialised roles are likely to need more tailored training. Identification of these specialities should be done through a systematic training needs analysis. Specific training may also be required based on the data or information asset owner such as GCP.

This process could, for example, be tracked through an electronic record and workflow system with records retained.

This could be a simple content delivery platform or a more comprehensive LMS platform. It could also include a range of multimedia delivery formats, and accessible training modules for those with access requirements.

Support for standard formats such as SCORM allows courses to be shared between providers. This could help facilitate standardisation of training provision for TRE users across organisations.

A data processing assessment is a process designed to identify risks arising out of the processing of sensitive data and to minimise these risks as far and as early as possible. This may take the form of an existing regulatory requirements such as Data Protection Impact Assessment.

All issues should be analysed for their root cause and improvements put in place to prevent further occurrence.

This will include monitoring changes in the services and infrastructure being delivered and quality management within the contractor’s organisation. This may be done through formal audit or by monitoring change and quality documentation provided by the supplier.

This may include regulatory bodies or the organisations that manage accreditations you have.

This may include all members signing role-specific terms of use or confirming that they have completed role specific training.

The highest level of risk ownership is the Top Management of the TRE organisation (see Governance Roles). In order to ensure escalations to this level are rare, suitable structures should be put in place to own, mitigate and accept risk.

This includes checks that contracts are in place where required, adequate funding is available for the duration of the project, and responsibilities concerning data handling are understood by all parties.

The unique identifier and all associated records for a user should be traceable across the entire TRE. This will include training records, affiliations, contract agreements and ethics approvals where required.

Actions that are taken or not taken following a risk assessment must be recorded.

This includes ensuring contracts remain in valid and action is promptly taken should they expire. Any changes in the status of responsible persons should also be monitored, for example a data owner leaving an organisation.

Training is not a one-off event. Electronic reminders for refresher training should be considered. Ideally, training should remain relevant and so policies and processes should enable people to demonstrate competency rather than unnecessarily repeating training.

Where possible an LMS should support a variety of course content and testing.

This will include a security model for role based access with technical controls to ensure the principle of least privilege is enforced.

Understanding how and when the TRE might be unavailable will help your projects in planning their work.

This includes recording dates of changes, person responsible for carrying out changes, and summary of changes.

Removing unused infrastructure not only reduces costs and management burden but also reduces the attack surface of a TRE and reduces the risk of unaddressed vulnerabilities.

Control implementation should be systematic and directly aligned to the internal and stakeholder requirements.

If possible, you should automate application of changes between development and production environments. Consider the costs and practicality of whether this will work for your situation.

Training records should be tied to a user record and carefully maintained. Maintaining training records enables you to ensure all people have completed the required training and that repeat training happens regularly.

Network infrastructure must prevent unauthorised access to resources on the network. This may include firewalls, network segmentation, and restricting connections to the network.

Information asset owners and regulators may be required to audit historical records, e.g. for clinical trials. It may be necessary to retain copies of superseded training along with versions of certifications within the training record.