From 0b95afc8ba17734993974ddb7aedf9e9d9e5956a Mon Sep 17 00:00:00 2001 From: Simon Li Date: Wed, 7 Jun 2023 17:32:06 +0100 Subject: [PATCH 1/8] Add `Mandatory?` column to all tables --- docs/source/standard.md | 177 +++++++++++++++++++++++++--------------- 1 file changed, 110 insertions(+), 67 deletions(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index bdcf54a5..97d293f2 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -41,19 +41,19 @@ What the TRE organisation does to ensure information risk is measured and manage _The ability of the TRE organisation to monitor compliance with internal and external requirements, agreements, laws and standards._ -| Statement | Guidance | Mandatory status | -| ------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -| You are able to audit your TRE organisation against relevant requirements and standards | If you are publicly accredited against a standard, for instance ISO27001, DSPT, CE+ etc., you must have processes in place to ensure you remain compliant | Mandatory | -| You report on and share outcomes of each audit of your TRE organisation with the required bodies | This may included regulatory bodies or the organisations that manage accreditations you have | Mandatory | +| Statement | Guidance | Mandatory? 
| +| ------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| You are able to audit your TRE organisation against relevant requirements and standards | If you are publicly accredited against a standard, for instance ISO27001, DSPT, CE+ etc., you must have processes in place to ensure you remain compliant | Mandatory | +| You report on and share outcomes of each audit of your TRE organisation with the required bodies | This may included regulatory bodies or the organisations that manage accreditations you have | Mandatory | ### 1.2 Policy regulation and management _How an organsation determines what policies and regulations are required and ensures alignment to changes in requirements._ -| Statement | Guidance | Manditory Status | -| ------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -| You have a process in place to ensure any new project requiring a TRE meets relevant legal, ethical and contractual requirements | For example national legislation such as GDPR, discipline specific regulation like GCP or contractural requirements from a specific data provider such as a company or research partner organisation | Mandatory | -| You have a process in place to monitor changes to any legal, ethical and contractual requirements, and to update your policies accordingly | | Mandatory | +| Statement | Guidance | Mandatory? 
| +| ------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| You have a process in place to ensure any new project requiring a TRE meets relevant legal, ethical and contractual requirements | For example national legislation such as GDPR, discipline specific regulation like GCP or contractural requirements from a specific data provider such as a company or research partner organisation | Mandatory | +| You have a process in place to monitor changes to any legal, ethical and contractual requirements, and to update your policies accordingly | | Mandatory | ### 1.3 Quality management 
@@ -61,17 +61,17 @@ _The ability of the TRE organisation to measure and control quality of processes #### Document management -| Statement | Guidance | Mandatory status | -| --------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -| All policies & standard operating procedures relevant to the TRE organisation are controlled | This may include measures like restricting edit access to relevant documents, and recording acceptance of policies for all TRE organisation members | Mandatory | -| All policies & standard operating procedures relevant to the TRE organisation are version controlled and have codified change processes | Version control includes recording dates of changes, person responsible for carrying out changes, and summary of changes | Mandatory | +| Statement | Guidance | Mandatory? 
| +| --------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| All policies & standard operating procedures relevant to the TRE organisation are controlled | This may include measures like restricting edit access to relevant documents, and recording acceptance of policies for all TRE organisation members | Mandatory | +| All policies & standard operating procedures relevant to the TRE organisation are version controlled and have codified change processes | Version control includes recording dates of changes, person responsible for carrying out changes, and summary of changes | Mandatory | #### Issue management -| Statement | Guidance | Mandatory status | -| --------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | ---------------- | -| You have a clear process in place for addressing activity within your TRE organisation that deviates from your policies and standard operating procedures | This can include measures like triage analysis and a process for updating policies | Mandatory | -| You have methods in place to record progress in resolving issues with, and deviations against, your policies | | Mandatory | +| Statement | Guidance | Mandatory? 
| +| --------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | ---------- | +| You have a clear process in place for addressing activity within your TRE organisation that deviates from your policies and standard operating procedures | This can include measures like triage analysis and a process for updating policies | Mandatory | +| You have methods in place to record progress in resolving issues with, and deviations against, your policies | | Mandatory | ### 1.4 Risk management 
@@ -79,12 +79,12 @@ _The ability of the TRE organisation to measure, forecast and evaluate risks to #### Risk assessment -| Statement | Guidance | Mandatory Status | -| ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -| You have a way to score risk to understand the underlying severity | You have a risk assesment methodology for scoring risks on multiple axes such as impact and likelihood | Mandatory | -| You have a process for mitigating risk using additional controls | Risks can be reduced to a level which brings it within agreed levels of appetite | Mandatory | -| You have an understanding of risk appetite | This includes understanding ownership of risk, and ability to accept risk which falls outside of the appetite should that become necessary | Mandatory | -| You carry out a data processing assessment for all projects requiring a TRE that are working with sensitive data | a data processing assessment is a process designed to identify risks arising out of the processing of sensitive data and to minimise these risks as far and as early as possible | Mandatory | +| Statement | Guidance | Mandatory? 
| +| ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| You have a way to score risk to understand the underlying severity | You have a risk assesment methodology for scoring risks on multiple axes such as impact and likelihood | Mandatory | +| You have a process for mitigating risk using additional controls | Risks can be reduced to a level which brings it within agreed levels of appetite | Mandatory | +| You have an understanding of risk appetite | This includes understanding ownership of risk, and ability to accept risk which falls outside of the appetite should that become necessary | Mandatory | +| You carry out a data processing assessment for all projects requiring a TRE that are working with sensitive data | a data processing assessment is a process designed to identify risks arising out of the processing of sensitive data and to minimise these risks as far and as early as possible | Mandatory | ### 1.5 Project management 
@@ -92,21 +92,21 @@ _The ability of the TRE organisation to manage projects effectively._ #### Project onboarding -| Statement | Guidance | Mandatory status | -| --------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- | -| You have checks in place to ensure a project has the legal, financial and ethical requirements in place for the duration of the project | This includes checks that contracts are in place where required, adequate funding is available for the duration of the project, and responsibilities concerning data ownership are understood by all parties | Mandatory | +| Statement | Guidance | Mandatory? | +| --------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------- | +| You have checks in place to ensure a project has the legal, financial and ethical requirements in place for the duration of the project | This includes checks that contracts are in place where required, adequate funding is available for the duration of the project, and responsibilities concerning data ownership are understood by all parties | Mandatory | #### Project closure -| Statement | Guidance | Mandatory status | -| --------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ---------------- | -| You have standard 
processes in place for the end of a project, that follow all legal requirements and data security best practice | This includes the archiving of quality and log data along with the archiving or deletion of data sets | Mandatory | +| Statement | Guidance | Mandatory? | +| --------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ---------- | +| You have standard processes in place for the end of a project, that follow all legal requirements and data security best practice | This includes the archiving of quality and log data along with the archiving or deletion of data sets | Mandatory | #### Roles and responsibilities -| Statement | Guidance | Mandatory status | -| ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -| You have clearly defined roles and responsibilities within your TRE organisation for all members | This may include roles such as users, system administrators, system operators, data providers and more. Every member of your TRE organisation should have a pre-defined role with clear powers and responsibilities | Mandatory | +| Statement | Guidance | Mandatory? 
| +| ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| You have clearly defined roles and responsibilities within your TRE organisation for all members | This may include roles such as users, system administrators, system operators, data providers and more. Every member of your TRE organisation should have a pre-defined role with clear powers and responsibilities | Mandatory | ### 1.6 Member accreditation 
@@ -114,18 +114,18 @@ The ability of the TRE organisation to ensure that people with access to data ar #### Onboarding members -| Statement | Guidance | Mandatory status | -| -------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ---------------- | -| You have clear onboarding processes in place for all roles within your TRE organisation | This may include all members signing role-specific terms of use, and completing role specific training | Mandatory | -| You have a robust method for identifying accredited members of your TRE organisation, prior to their accessing of sensitive data | This may include multi-factor authentication (MFA), ID checks or email/phone verification | Mandatory | +| Statement | Guidance | Mandatory? | +| -------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ---------- | +| You have clear onboarding processes in place for all roles within your TRE organisation | This may include all members signing role-specific terms of use, and completing role specific training | Mandatory | +| You have a robust method for identifying accredited members of your TRE organisation, prior to their accessing of sensitive data | This may include multi-factor authentication (MFA), ID checks or email/phone verification | Mandatory | #### Training management and delivery -| Statement | Guidance | Mandatory status | -| -------------------------------------------------------------------------------------------------------------- | 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -| You have relevant training for all roles within the TRE organisation, and the ability to deliver this training | This may include: Cyber security training, GDPR training, and higher level training for system operators | Mandatory | -| All TRE organisation members have completed relevant training within the last 12 months | | Mandatory | -| You have a process in place to monitor all TRE organisation training completions & requirements | This process should document which members have completed which training, when the training was completed, and the date the training expires. It should also document how you will notify members when their training is about to expire, and ensure they do not have access to any TRE if relevant training is out-of-date | Mandatory | +| Statement | Guidance | Mandatory? 
| +| -------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| You have relevant training for all roles within the TRE organisation, and the ability to deliver this training | This may include: Cyber security training, GDPR training, and higher level training for system operators | Mandatory | +| All TRE organisation members have completed relevant training within the last 12 months | | Mandatory | +| You have a process in place to monitor all TRE organisation training completions & requirements | This process should document which members have completed which training, when the training was completed, and the date the training expires. It should also document how you will notify members when their training is about to expire, and ensure they do not have access to any TRE if relevant training is out-of-date | Mandatory | (standard_capability_computing_technology)= 
@@ -147,16 +147,21 @@ The interfaces used for interacting with the TRE management system and the TRE w * - Statement - Guidance * - A TRE must be accessed via a user interface accessible using commonly available applications. + - Mandatory? - TREs which allow users to connect from their own devices should not require the installation of any bespoke TRE application on the user's device. In practice a web browser is the most common way to achieve this. + - Recommended * - A TRE workspace should provide an environment familiar to the users of the TRE. - This may be in the form of a virtual Windows or Linux desktops, web applications, or a terminal. The use of custom developed TRE-specific software should be avoided when widely used open-source alternatives already exist. + - Recommended * - A TRE should take accessibility for users with disabilities into account. - The restricted nature of TREs means many assistive tools such as screenreaders in a virtual desktop may not be allowed, but other options such as colour schemes, font sizes, and resizing user interface elements, should be supported. + - Recommended * - Copying out data via the system clipboard must be disabled. - A TRE user must not be able to copy sensitive data out of a workspace using the system clipboard. A TRE may allow user to paste text into a workspace. + - Mandatory ``` #### 2.1.2 Software tools 
@@ -169,18 +174,23 @@ programming languages, IDEs, desktop applications etc. :name: tab-end-user-software-tools * - Statement - Guidance + - Mandatory? * - A TRE must provide software applications that are relevant to working with the data in the TRE. - The tools provided will depend on the types of data in the TRE, and the expectations of users of the TRE. This may include programming languages such as Python and R, integrated development environments, Jupyter notebooks, office type applications such as word processors and spreadsheets, command line tools, etc. The set of tools should be reviewed regularly to ensure they are up to date. + - Mandatory * - A TRE should provide tools to encourage best-practice in reproducibly analysing data. - Reproducibility of analyses improves auditability and accountability of how data has been used, as well as being best-practice in research. This may include version control software, and tools for developing and running data analysis pipelines. + - Recommended * - A TRE may provide shared services that are accessible to users in the same project. - This may include shared file storage, databases, collaborative writing, and other web applications. This must only be shared amongst users within the same project. + - Optional * - A TRE may provide limited access to some software repositories - For example, a TRE may allow installation of packages from Python or R repositories, or provide an internal mirror with approved packages. + - Optional ``` #### 2.1.3 Advanced or cluster computing 
@@ -192,17 +202,21 @@ The ability to run analyses requiring more compute resources, or more specialise :name: tab-end-user-advanced-cluster-computing * - Statement - Guidance + - Mandatory? * - A TRE should be able to provide access to high performance computing or other scaleable compute resource if required by users. - If a TRE supports users conducting computationally intensive research it should provide access to dynamically scaleable compute or the equivalent. For example this may be in the form of a batch scheduler on a HPC cluster, or a dynamically created compute nodes on a cloud platform. + - Recommended * - A TRE should be able to provide access to accelerators such as GPUs if required by users. - GPUs and other accelerators are commonly used in machine learning and other computationally intensive research. TREs should make it clear to users whether GPUs and other resources are available whilst projects are being assessed. + - Recommended * - Segregation of users and data must be maintained when using non-standard compute. - High performance or specialist compute is often shared amongst multiple users. Users and data must remain segregated at all times. For example, when using physical compute resources all sensitive data must be securely wiped before another user is given access to that same node. In a cloud hosted TRE virtual machines should be destroyed and recreated. + - Mandatory ``` #### 2.1.4 Databases @@ -215,9 +229,11 @@ SQL, noSQL, etc. :name: tab-end-user-software-tools * - Statement - Guidance + - Mandatory? * - A TRE may make data available to researchers using comonly used databases servers such as PostgreSQL, MSSQL, MongoDB, etc. - Databases must be secured and only accessible to users within the same project. If shared (multi-tenant) database servers are used database administrators must ensure the database server enforces segregation of users and databases. + - Optional ``` ### 2.2 Infrastructure analytics 
@@ -229,12 +245,16 @@ The ability of the TRE organisation to record and analyse data about the usage o :name: tab-end-user-software-tools * - Statement - Guidance + - Mandatory? * - A TRE must record usage of the TRE. - This may include the number of users, number of projects, the amount of data stored, number of datasets, the number of workspaces, etc. + - Mandatory * - A TRE should record which datasets are accessed, and when - This helps auditability of how sensitive data has been used + - Recommended * - A TRE should record computational resource usage at the user or aggregate level - This is useful for optimising allocation of resources, and managing costs. + - Recommended ``` ### 2.3 Network management @@ -246,15 +266,20 @@ The ability of the TRE organisation to administer and secure network infrastruct :name: tab-end-user-software-tools * - Statement - Guidance + - Mandatory? * - Networks must be managed and controlled to protect information in systems and applications - Network infrastructure must prevent unauthorised access to resources on the network. This may include firewalls, network segmentation, and restricting connections to the network. + - Mandatory * - Networks must be continually monitored for misconfigurations and vulnerabilities - This may include regular vulnerability scanning, and penetration testing. + - Mandatory * - Connectivity between users in different projects, or with access to different datasets, must not be allowed. - Connectivity between users in the same project may be allowed, for example to support shared network services within the project. + - Mandatory * - Outbound connections to the internet must be blocked by default. - Limited outbound connectivity may be allowed for some services. + - Mandatory ``` ### 2.4 Infrastructure lifecycle management 
@@ -270,7 +295,7 @@ _The ability of the TRE organisation to instantiate, deploy, change or remove de :name: tab-deployment-management * - Statement - Guidance - - Mandatory status + - Mandatory? * - You must have a documented procedure for deploying infrastructure. - This might, for instance, be a handbook that is followed or a set of automated scripts. - Mandatory @@ -301,7 +326,7 @@ _The ability of the TRE organisation to ensure the right amount of resources are :name: tab-capacity-management * - Statement - Guidance - - Mandatory status + - Mandatory? * - You must ensure that all projects understand what resources are available and what the associated costs will be before the project starts. - For on-premises systems this might be related to the available hardware, for cloud-based systems there might be limits on how many instances of a particular resource (_e.g._ GPUs) can be used. Projects should use this information to understand whether the available resources will be sufficient for their requirements. - Mandatory @@ -330,7 +355,7 @@ _The ability of the TRE organisation to identify, maintain, and verify informati :name: tab-configuration-management * - Statement - Guidance - - Mandatory status + - Mandatory? * - You must have a documented procedure for configuring infrastructure. - This might, for instance, be a handbook that is followed or a set of automated scripts. - Mandatory @@ -357,7 +382,7 @@ _The ability of the TRE organisation to ensure all IT infrastructure, processes, :name: tab-availability-management * - Statement - Guidance - - Mandatory status + - Mandatory? * - You should understand the availability and uptime guarantees of any providers that you rely on. - For remote TREs this might include your cloud provider(s) and/or data centre operators. For on-premises TREs, it might be worth considering your ISP and electricity provider. 
@@ -383,34 +408,43 @@ The ability of the TRE organisation to manage how and where data is stored, how * - Statement - Guidance + - Mandatory? * - A TRE must have a data ingress process which enforces information governance rules/processes. - The data ingress process needs to ensure that information governance is correctly followed. In particular, it should require that an ingress request has been approved by all required parties. + - Mandatory * - A TRE must have a data egress process which enforces information governance rules/processes. - The data egress process needs to ensure that information governance requirements are adhered to. In particular, it should require that an egress request has been approved by all required parties. + - Mandatory * - A TRE's data egress process could sometimes require project-independent approval. - There may be cases where there are multiple stakeholders for a piece of analysis including data providers, data analysts, data subjects, the TRE organisation. A data egress process may then require approval from people not on the project team, for example an external referee or TRE organisation representative + - Optional * - A TRE must keep a record of what data it holds. - Good records are important for ensuring compliance with legislation, understanding risk and aiding good data hygiene. The record should include a description of the data, its source, contact details for the data owner, which projects use the data, the date it was recieved, when it is expected to no longer be needed. + - Mandatory * - A TRE must have a policy on data deletion. - There should be a clear, published policy on when data will be retained or deleted. This may allow time for data owners to consider outputs they may want to extract from the TRE. Any sensitive data, including all backups, should be deleted when they are no longer needed. 
Having clear policies will help to avoid problems with data being kept longer than necessary or accidental deletion of outputs. + - Mandatory * - A TRE could keep backups of data and research environments, provided that this is permitted by law. - Keeping backups could help reduce the impact of events like accidental deletion and data corruption on work in a TRE. TRE developers may want to consider how different elements, for example sensitive input data or users workspaces, may be backed up or if they should be. + - Optional * - A TRE should log how input data is modified. - If the input data is mutable a TRE should keep records of its modification. For example, when the data was modified and by who. + - Recommended * - A TRE must, to a reasonable extent, prevent unauthorised data ingress or egress - Movement of data which has not been subject to information governance processes risks breaking rules and is more likely to result in a data breach. However, it is difficult to control for every possibility. For example, a user may take pictures of their computer screen to remove data, or use a device presenting as a USB HID keyboard to input large amounts of text. An example of a reasonable measure would be for a remote desktop based TRE to prevent data being copied from a local machine's clipboard to a workspace. + - Mandatory ``` ### 3.2 Identity and access management 
@@ -423,21 +457,27 @@ The ability of the TRE organisation to ensure the right people (identities) can * - Statement - Guidance + - Mandatory? * - A TRE must not create user accounts for use by more than one person. - It is important that each user account should be used by one, and only one, person in order to facilitate the assignment of roles or permissions and to log the actions of individuals. + - Mandatory * - A TRE must be reasonably convinced of the identity of the person being granted an account. - It is important to ensure access, via an account, has been given to the correct person. For example, multiple credentials may be used before account creation to verify identity or, when appropriate, photo ID checks may be required. + - Mandatory * - A TRE must restrict a users access to only data required in their work. - There is no need to grant an individual access to data they do not require. Access may be assigned in a manner appropriate to a TREs design, for example through roles granted to user accounts or through isolated project workspaces. + - Mandatory * - A TRE must ensure multi-factor authentication for users. - Multi-factor authentication ensures that to successfully connect a user must have more than one piece of evidence in different categories. Categories include something the user knows (_e.g._ a password), something the user possesses (_e.g._ a TOTP key) or something the user is (_e.g._ biometric data). A TRE does not need to implement multi-factor authentication checks itself if it is provided by a third-party identity provider. + - Mandatory * - A TRE could restrict access to particular locations. - Restricting access to a set of known, static, personal or institutional IP addresses can help avoid speculative attacks. When appropriate, access could also be restricted to physical locations with security controls and access requirements. + - Optional ``` ### 3.3 Output management 
@@ -450,14 +490,17 @@ The ability of the TRE organisation to ensure outputs are safely published and s * - Statement - Guidance + - Mandatory? * - A TRE should have a system to aid classifying outputs. - Removing data from a TRE can be a difficult process as there is potential for sensitive data to be revealed. Having guidance, processess and methods will help ensure that outputs are correctly classified and, furthermore, that outputs due to be openly published are identified. Encouraging openly published outputs rather than handing all outputs to the data provider will enhance a TRE's impact . + - Recommended * - A TRE should establish each project's intended outputs from the outset. - Identifying the purpose of a piece of work is important for compliance with data protection legislation. Results will be produced which address the project's purpose, some of which may be outputs that are removed from the TRE. Understanding what these outputs are likely to be and their sensitivity as early as possible will help prepare for their processing and publication. + - Recommended ``` (standard_capability_information_security)= 
@@ -482,12 +525,12 @@ These measures include vulnerability management of TRE infrastructure (whether p Vulnerability management describes the ability of the TRE organisation to identify, assess, report on, manage and remediate cyber vulnerabilities across endpoints, workloads, and systems. -| Statement | Guidance | -| -------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| All computing infrastructure belonging to the TRE should be kept up-to-date with security patches and antivirus (if appropriate) | This might involve scheduling regular automated scanning and application of updates. Infrastructure that is isolated from the internet or immutable in some way may not need to be updated. | -| Regular vulnerability scans of TRE infrastructure should be conducted | Ensuring that scans are done on a regular basis can enable TRE operators can identify and address weaknesses that may have been introduced during the operational lifetime of the TRE. | -| TREs should regularly check the compliance of machine and resource configurations | This might involve automated "desired state" enforcement, manual checks or checks over what is possible, for example ensuring that only certain network connections are allowed. | -| TREs should adhere to one or more external security standards | The TRE organisation should identify appropriate security standards and best practices that it will adhere too. These should be stated to all stakeholders in advance of any data being brought in to the TRE. | +| Statement | Guidance | Mandatory? 
| +| -------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| All computing infrastructure belonging to the TRE should be kept up-to-date with security patches and antivirus (if appropriate) | This might involve scheduling regular automated scanning and application of updates. Infrastructure that is isolated from the internet or immutable in some way may not need to be updated. | Recommended | +| Regular vulnerability scans of TRE infrastructure should be conducted | Ensuring that scans are done on a regular basis can enable TRE operators can identify and address weaknesses that may have been introduced during the operational lifetime of the TRE. | Recommended | +| TREs should regularly check the compliance of machine and resource configurations | This might involve automated "desired state" enforcement, manual checks or checks over what is possible, for example ensuring that only certain network connections are allowed. | Recommended | +| TREs should adhere to one or more external security standards | The TRE organisation should identify appropriate security standards and best practices that it will adhere too. These should be stated to all stakeholders in advance of any data being brought in to the TRE. | Recommended | (security-testing)= 
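Review bot: The rewritten "Regular vulnerability scans" row keeps the broken sentence "can enable TRE operators can identify and address weaknesses", and the "external security standards" row keeps "adhere too". Both rows are replaced wholesale by this hunk, so this is the cheapest place to fix them ("can enable TRE operators to identify", "adhere to").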
@@ -495,12 +538,12 @@ Vulnerability management describes the ability of the TRE organisation to identi Security testing enables the TRE organisation to gain assurance in the security of a TRE by testing or attempting to breach some or all of that system's security. -| Statement | Guidance | -| ------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Penetration tests should be carried out on TREs | By intentionally attempting to breach their TRE, organisations can proactively discover unnoticed vulnerabilities before they are exploited maliciously. Tests can evaluate the effectiveness of security controls in preventing data breaches, unauthorised access, or other security incidents | -| TRE security controls should be updated based on the results of security tests | Security testing can reveal bugs and discrepancies in the TRE architecture which should be addressed in advance of sensitive data being uploaded, or with urgency in the case of an operational TRE. Regular testing will allow organisations to refine their TRE security controls and incident response capabilities, enabling them to adapt to any new security concerns that may arise as a result of changes in the underlying software. | -| TRE operators must have procedures in place for rapid incident response | There may well be legal requirements to disclose details of any incidents, _e.g._ data breaches for organisations subject to GDPR. 
Having robust processes in place will ensure a swift and effective response when an incident occurs. | -| TREs should publish details of their security testing strategy and positive results or outcomes (e.g. security fixes) resulting from the testing | Knowledge that regular security testing occurs will help to ensure stakeholders, including researchers and data providers, can trust that the data they work with or are responsible for is secure within a TRE. | +| Statement | Guidance | Mandatory? | +| ------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| Penetration tests should be carried out on TREs | By intentionally attempting to breach their TRE, organisations can proactively discover unnoticed vulnerabilities before they are exploited maliciously. Tests can evaluate the effectiveness of security controls in preventing data breaches, unauthorised access, or other security incidents | Recommended | +| TRE security controls should be updated based on the results of security tests | Security testing can reveal bugs and discrepancies in the TRE architecture which should be addressed in advance of sensitive data being uploaded, or with urgency in the case of an operational TRE. Regular testing will allow organisations to refine their TRE security controls and incident response capabilities, enabling them to adapt to any new security concerns that may arise as a result of changes in the underlying software. 
| Recommended | +| TRE operators must have procedures in place for rapid incident response | There may well be legal requirements to disclose details of any incidents, _e.g._ data breaches for organisations subject to GDPR. Having robust processes in place will ensure a swift and effective response when an incident occurs. | Mandatory | +| TREs should publish details of their security testing strategy and positive results or outcomes (e.g. security fixes) resulting from the testing | Knowledge that regular security testing occurs will help to ensure stakeholders, including researchers and data providers, can trust that the data they work with or are responsible for is secure within a TRE. | Recommended | (encryption)= 
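Review bot: Adding one cell forces all four rows and both header lines of this pipe table to be rewritten, so the only way to confirm that nothing in the very wide guidance column changed is a character-level comparison. The tables in sections 3.1 to 3.3 use the list-table directive, where the same change is a single added line per row. Suggest converting this table (and the other pipe tables in section 4) to list-table first, then adding the column on top.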
@@ -510,13 +553,13 @@ _The ability of the TRE organisation to deploy and manage encryption to protect Here we define 'project' data as the data brought in for work which is very likely to be sensitive and 'user' data, as the working files of a project which might hold copies of all or part of the project data or otherwise reveal sensitive data (_e.g._ through hard coded row/column names). -| Statement | Guidance | -| ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| TREs must encrypt project and user data at rest | This prevents unauthorised access to the data even if the storage media is compromised. This may involve encrypted filesystems or tools to encrypt and decrypt data on demand. The encryption keys may be managed by the TRE organisation or by a trusted external actor (_e.g._ a cloud services provider). | -| TREs must encrypt data when in transit between the TRE and the outside world | Data encryption must be used to safeguard against interception or tampering during transmission. This includes both data ingress and egress and users accessing the TRE, for example over a remote desktop or shell session | -| TREs should encrypt data when in transit inside the TRE | If possible, data transfers between different components of a TRE should also be encrypted | -| Encryption software should be updated | The latest security patches and updates should be applied to any encryption software being used by the TRE. This helps address any known vulnerabilities or weaknesses in the encryption implementation. 
| -| TREs should use secure key management | TREs should employ secure key management practices, including storing encryption keys separately from the encrypted data and implementing strong access controls (_e.g._ Single Sign On) for key management systems. | +| Statement | Guidance | Mandatory? | +| ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | +| TREs must encrypt project and user data at rest | This prevents unauthorised access to the data even if the storage media is compromised. This may involve encrypted filesystems or tools to encrypt and decrypt data on demand. The encryption keys may be managed by the TRE organisation or by a trusted external actor (_e.g._ a cloud services provider). | Mandatory | +| TREs must encrypt data when in transit between the TRE and the outside world | Data encryption must be used to safeguard against interception or tampering during transmission. This includes both data ingress and egress and users accessing the TRE, for example over a remote desktop or shell session | Mandatory | +| TREs should encrypt data when in transit inside the TRE | If possible, data transfers between different components of a TRE should also be encrypted | Recommended | +| Encryption software should be updated | The latest security patches and updates should be applied to any encryption software being used by the TRE. This helps address any known vulnerabilities or weaknesses in the encryption implementation. 
| Recommended | +| TREs should use secure key management | TREs should employ secure key management practices, including storing encryption keys separately from the encrypted data and implementing strong access controls (_e.g._ Single Sign On) for key management systems. | Recommended | (physical-security)= 
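Review bot: The at-rest row is marked Mandatory on the basis that encryption protects the data "even if the storage media is compromised", but the row that asks for keys to be stored separately from the encrypted data is marked Recommended. The first claim only holds when the second is met. The values follow the existing "must" and "should" wording, so this is not wrong for this patch, but now that importance is explicit it is worth raising whether key separation belongs inside the Mandatory statement.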
@@ -525,10 +568,10 @@ Here we define 'project' data as the data brought in for work which is very like The ability of the TRE organisation to manage and protect physical assets from unauthorised access, damage or destruction. Physical security controls can provide TREs using highly sensitive data an extra layer of security, even if technical controls are already in place for less sensitive data: -| Statement | Guidance | -| ------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| TREs could offer physical protection measures against data leakage or theft via physical means | Restricting access to research facilities containing computers logged into TREs can help prevent malicious actors from viewing or stealing sensitive data, for example by photographing a computer screen. Physical controls on access to a TRE could include surveillance systems, restricting access to locked rooms that limit entry to authorised personnel only, visitor management systems and employee training. | -| TREs hosting particularly sensitive data may need to comply with specific regulatory requirements | Regulatory frameworks such as GDPR emphasise the need for physical security controls to protect sensitive data. Compliance with these regulations could require organisations to implement specific physical security measures to safeguard their TRE from unauthorised access. | +| Statement | Guidance | Mandatory? 
| +| ------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| TREs could offer physical protection measures against data leakage or theft via physical means | Restricting access to research facilities containing computers logged into TREs can help prevent malicious actors from viewing or stealing sensitive data, for example by photographing a computer screen. Physical controls on access to a TRE could include surveillance systems, restricting access to locked rooms that limit entry to authorised personnel only, visitor management systems and employee training. | Optional | +| TREs hosting particularly sensitive data may need to comply with specific regulatory requirements | Regulatory frameworks such as GDPR emphasise the need for physical security controls to protect sensitive data. Compliance with these regulations could require organisations to implement specific physical security measures to safeguard their TRE from unauthorised access. | Optional | (standard_capability_supporting)= From 62f5561ed3811936a2c1d4186fa6abac833768a8 Mon Sep 17 00:00:00 2001 From: Simon Li Date: Wed, 7 Jun 2023 17:33:17 +0100 Subject: [PATCH 2/8] Typos spotted whilst setting the mandatory field --- docs/source/standard.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 97d293f2..7447948a 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
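Review bot: In the physical security table (last hunk of patch 1/8), the second row is marked Optional although its statement is "may need to comply with specific regulatory requirements". "May need to" does not fit the must/should/could scheme used elsewhere, and labelling regulatory compliance Optional invites misreading. Suggest rewording the statement as a conditional requirement (for example, must comply where such requirements apply) or leaving a note that Optional refers to applicability, not to compliance.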
@@ -146,8 +146,8 @@ The interfaces used for interacting with the TRE management system and the TRE w :name: tab-end-user-user-interface * - Statement - Guidance -* - A TRE must be accessed via a user interface accessible using commonly available applications. - Mandatory? +* - A TRE should be accessed via a user interface accessible using commonly available applications. - TREs which allow users to connect from their own devices should not require the installation of any bespoke TRE application on the user's device. In practice a web browser is the most common way to achieve this. - Recommended @@ -226,7 +226,7 @@ SQL, noSQL, etc. ```{list-table} :header-rows: 1 -:name: tab-end-user-software-tools +:name: tab-end-user-databases * - Statement - Guidance - Mandatory? @@ -242,7 +242,7 @@ The ability of the TRE organisation to record and analyse data about the usage o ```{list-table} :header-rows: 1 -:name: tab-end-user-software-tools +:name: tab-end-user-infrastructure-analytics * - Statement - Guidance - Mandatory? @@ -263,7 +263,7 @@ The ability of the TRE organisation to administer and secure network infrastruct ```{list-table} :header-rows: 1 -:name: tab-end-user-software-tools +:name: tab-end-user-network-management * - Statement - Guidance - Mandatory? 
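Review bot: The first hunk of patch 2/8 (`tab-end-user-user-interface`) changes "A TRE must be accessed" to "A TRE should be accessed" under a subject line that says "Typos". That is a change of requirement level, not a typo, even though it brings the statement in line with the Recommended value on the row. Suggest mentioning it in the commit message or moving it to its own commit so the downgrade is visible in the history.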
@@ -423,7 +423,7 @@ The ability of the TRE organisation to manage how and where data is stored, how - Optional * - A TRE must keep a record of what data it holds. - Good records are important for ensuring compliance with legislation, understanding risk and aiding good data hygiene. - The record should include a description of the data, its source, contact details for the data owner, which projects use the data, the date it was recieved, when it is expected to no longer be needed. + The record should include a description of the data, its source, contact details for the data owner, which projects use the data, the date it was received, when it is expected to no longer be needed. - Mandatory * - A TRE must have a policy on data deletion. - There should be a clear, published policy on when data will be retained or deleted. @@ -493,8 +493,8 @@ The ability of the TRE organisation to ensure outputs are safely published and s - Mandatory? * - A TRE should have a system to aid classifying outputs. - Removing data from a TRE can be a difficult process as there is potential for sensitive data to be revealed. - Having guidance, processess and methods will help ensure that outputs are correctly classified and, furthermore, that outputs due to be openly published are identified. - Encouraging openly published outputs rather than handing all outputs to the data provider will enhance a TRE's impact . + Having guidance, processes and methods will help ensure that outputs are correctly classified and, furthermore, that outputs due to be openly published are identified. + Encouraging openly published outputs rather than handing all outputs to the data provider will enhance a TRE's impact. - Recommended * - A TRE should establish each project's intended outputs from the outset. - Identifying the purpose of a piece of work is important for compliance with data protection legislation. From 25fc5cfdb218f948dbb7925323f5ef138b5ea972 Mon Sep 17 00:00:00 2001 
From: James Robinson Date: Thu, 8 Jun 2023 09:58:07 +0100 Subject: [PATCH 3/8] :recycle: Update compliance table --- docs/source/standard.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 7447948a..fd0992cf 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -41,10 +41,19 @@ What the TRE organisation does to ensure information risk is measured and manage _The ability of the TRE organisation to monitor compliance with internal and external requirements, agreements, laws and standards._ -| Statement | Guidance | Mandatory? | -| ------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| You are able to audit your TRE organisation against relevant requirements and standards | If you are publicly accredited against a standard, for instance ISO27001, DSPT, CE+ etc., you must have processes in place to ensure you remain compliant | Mandatory | -| You report on and share outcomes of each audit of your TRE organisation with the required bodies | This may included regulatory bodies or the organisations that manage accreditations you have | Mandatory | +```{list-table} +:header-rows: 1 +:name: tab-compliance-monitoring-reporting +* - Statement + - Guidance + - Mandatory? +* - You are able to audit your TRE organisation against relevant requirements and standards + - If you are publicly accredited against a standard, for instance ISO27001, DSPT, CE+ etc., you must have processes in place to ensure you remain compliant + - Mandatory +* - You report on and share outcomes of each audit of your TRE organisation with the required bodies + - This may included regulatory bodies or the organisations that manage accreditations you have + - Mandatory +``` ### 1.2 Policy regulation and management From 808fa024e76dadb6e2adf4c895a25730b38db0e9 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Thu, 8 Jun 2023 09:58:52 +0100 Subject: [PATCH 4/8] :recycle: Mandatory -> Importance --- docs/source/standard.md | 54 ++++++++++++++++++++--------------------- 1 file changed, 27 insertions(+), 27 deletions(-) 
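Review bot: In the converted compliance table (patch 3/8, `tab-compliance-monitoring-reporting`), the added guidance line for the second row still reads "This may included regulatory bodies". The line is new in this hunk, so suggest correcting it to "This may include" here and not carrying the typo into the list-table form.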
diff --git a/docs/source/standard.md b/docs/source/standard.md index fd0992cf..9180c957 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md @@ -46,7 +46,7 @@ _The ability of the TRE organisation to monitor compliance with internal and ext :name: tab-compliance-monitoring-reporting * - Statement - Guidance - - Mandatory? + - Importance * - You are able to audit your TRE organisation against relevant requirements and standards - If you are publicly accredited against a standard, for instance ISO27001, DSPT, CE+ etc., you must have processes in place to ensure you remain compliant - Mandatory @@ -59,7 +59,7 @@ _The ability of the TRE organisation to monitor compliance with internal and ext _How an organsation determines what policies and regulations are required and ensures alignment to changes in requirements._ -| Statement | Guidance | Mandatory? | +| Statement | Guidance | Importance | | ------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | | You have a process in place to ensure any new project requiring a TRE meets relevant legal, ethical and contractual requirements | For example national legislation such as GDPR, discipline specific regulation like GCP or contractural requirements from a specific data provider such as a company or research partner organisation | Mandatory | | You have a process in place to monitor changes to any legal, ethical and contractual requirements, and to update your policies accordingly | | Mandatory | 
@@ -70,14 +70,14 @@ _The ability of the TRE organisation to measure and control quality of processes #### Document management -| Statement | Guidance | Mandatory? | +| Statement | Guidance | Importance | | --------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | | All policies & standard operating procedures relevant to the TRE organisation are controlled | This may include measures like restricting edit access to relevant documents, and recording acceptance of policies for all TRE organisation members | Mandatory | | All policies & standard operating procedures relevant to the TRE organisation are version controlled and have codified change processes | Version control includes recording dates of changes, person responsible for carrying out changes, and summary of changes | Mandatory | #### Issue management -| Statement | Guidance | Mandatory? | +| Statement | Guidance | Importance | | --------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | ---------- | | You have a clear process in place for addressing activity within your TRE organisation that deviates from your policies and standard operating procedures | This can include measures like triage analysis and a process for updating policies | Mandatory | | You have methods in place to record progress in resolving issues with, and deviations against, your policies | | Mandatory | 
@@ -88,7 +88,7 @@ _The ability of the TRE organisation to measure, forecast and evaluate risks to #### Risk assessment -| Statement | Guidance | Mandatory? | +| Statement | Guidance | Importance | | ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | | You have a way to score risk to understand the underlying severity | You have a risk assesment methodology for scoring risks on multiple axes such as impact and likelihood | Mandatory | | You have a process for mitigating risk using additional controls | Risks can be reduced to a level which brings it within agreed levels of appetite | Mandatory | 
@@ -101,19 +101,19 @@ _The ability of the TRE organisation to manage projects effectively._ #### Project onboarding -| Statement | Guidance | Mandatory? | +| Statement | Guidance | Importance | | --------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------- | | You have checks in place to ensure a project has the legal, financial and ethical requirements in place for the duration of the project | This includes checks that contracts are in place where required, adequate funding is available for the duration of the project, and responsibilities concerning data ownership are understood by all parties | Mandatory | #### Project closure -| Statement | Guidance | Mandatory? | +| Statement | Guidance | Importance | | --------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ---------- | | You have standard processes in place for the end of a project, that follow all legal requirements and data security best practice | This includes the archiving of quality and log data along with the archiving or deletion of data sets | Mandatory | #### Roles and responsibilities -| Statement | Guidance | Mandatory? 
| +| Statement | Guidance | Importance | | ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | | You have clearly defined roles and responsibilities within your TRE organisation for all members | This may include roles such as users, system administrators, system operators, data providers and more. Every member of your TRE organisation should have a pre-defined role with clear powers and responsibilities | Mandatory | 
@@ -123,14 +123,14 @@ The ability of the TRE organisation to ensure that people with access to data ar #### Onboarding members -| Statement | Guidance | Mandatory? | +| Statement | Guidance | Importance | | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ---------- | | You have clear onboarding processes in place for all roles within your TRE organisation | This may include all members signing role-specific terms of use, and completing role specific training | Mandatory | | You have a robust method for identifying accredited members of your TRE organisation, prior to their accessing of sensitive data | This may include multi-factor authentication (MFA), ID checks or email/phone verification | Mandatory | #### Training management and delivery -| Statement | Guidance | Mandatory? | +| Statement | Guidance | Importance | | -------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | | You have relevant training for all roles within the TRE organisation, and the ability to deliver this training | This may include: Cyber security training, GDPR training, and higher level training for system operators | Mandatory | | All TRE organisation members have completed relevant training within the last 12 months | | Mandatory | 
@@ -155,7 +155,7 @@ The interfaces used for interacting with the TRE management system and the TRE w :name: tab-end-user-user-interface * - Statement - Guidance - - Mandatory? + - Importance * - A TRE should be accessed via a user interface accessible using commonly available applications. - TREs which allow users to connect from their own devices should not require the installation of any bespoke TRE application on the user's device. In practice a web browser is the most common way to achieve this. @@ -183,7 +183,7 @@ programming languages, IDEs, desktop applications etc. :name: tab-end-user-software-tools * - Statement - Guidance - - Mandatory? + - Importance * - A TRE must provide software applications that are relevant to working with the data in the TRE. - The tools provided will depend on the types of data in the TRE, and the expectations of users of the TRE. This may include programming languages such as Python and R, integrated development environments, Jupyter notebooks, office type applications such as word processors and spreadsheets, command line tools, etc. @@ -211,7 +211,7 @@ The ability to run analyses requiring more compute resources, or more specialise :name: tab-end-user-advanced-cluster-computing * - Statement - Guidance - - Mandatory? + - Importance * - A TRE should be able to provide access to high performance computing or other scaleable compute resource if required by users. - If a TRE supports users conducting computationally intensive research it should provide access to dynamically scaleable compute or the equivalent. For example this may be in the form of a batch scheduler on a HPC cluster, or a dynamically created compute nodes on a cloud platform. 
@@ -238,7 +238,7 @@ SQL, noSQL, etc. :name: tab-end-user-databases * - Statement - Guidance - - Mandatory? + - Importance * - A TRE may make data available to researchers using comonly used databases servers such as PostgreSQL, MSSQL, MongoDB, etc. - Databases must be secured and only accessible to users within the same project. If shared (multi-tenant) database servers are used database administrators must ensure the database server enforces segregation of users and databases. @@ -254,7 +254,7 @@ The ability of the TRE organisation to record and analyse data about the usage o :name: tab-end-user-infrastructure-analytics * - Statement - Guidance - - Mandatory? + - Importance * - A TRE must record usage of the TRE. - This may include the number of users, number of projects, the amount of data stored, number of datasets, the number of workspaces, etc. - Mandatory @@ -275,7 +275,7 @@ The ability of the TRE organisation to administer and secure network infrastruct :name: tab-end-user-network-management * - Statement - Guidance - - Mandatory? + - Importance * - Networks must be managed and controlled to protect information in systems and applications - Network infrastructure must prevent unauthorised access to resources on the network. This may include firewalls, network segmentation, and restricting connections to the network. @@ -304,7 +304,7 @@ _The ability of the TRE organisation to instantiate, deploy, change or remove de :name: tab-deployment-management * - Statement - Guidance - - Mandatory? + - Importance * - You must have a documented procedure for deploying infrastructure. - This might, for instance, be a handbook that is followed or a set of automated scripts. - Mandatory 
@@ -335,7 +335,7 @@ _The ability of the TRE organisation to ensure the right amount of resources are :name: tab-capacity-management * - Statement - Guidance - - Mandatory? + - Importance * - You must ensure that all projects understand what resources are available and what the associated costs will be before the project starts. - For on-premises systems this might be related to the available hardware, for cloud-based systems there might be limits on how many instances of a particular resource (_e.g._ GPUs) can be used. Projects should use this information to understand whether the available resources will be sufficient for their requirements. - Mandatory @@ -364,7 +364,7 @@ _The ability of the TRE organisation to identify, maintain, and verify informati :name: tab-configuration-management * - Statement - Guidance - - Mandatory? + - Importance * - You must have a documented procedure for configuring infrastructure. - This might, for instance, be a handbook that is followed or a set of automated scripts. - Mandatory @@ -391,7 +391,7 @@ _The ability of the TRE organisation to ensure all IT infrastructure, processes, :name: tab-availability-management * - Statement - Guidance - - Mandatory? + - Importance * - You should understand the availability and uptime guarantees of any providers that you rely on. - For remote TREs this might include your cloud provider(s) and/or data centre operators. For on-premises TREs, it might be worth considering your ISP and electricity provider. @@ -417,7 +417,7 @@ The ability of the TRE organisation to manage how and where data is stored, how * - Statement - Guidance - - Mandatory? + - Importance * - A TRE must have a data ingress process which enforces information governance rules/processes. - The data ingress process needs to ensure that information governance is correctly followed. In particular, it should require that an ingress request has been approved by all required parties. 
@@ -466,7 +466,7 @@ The ability of the TRE organisation to ensure the right people (identities) can * - Statement - Guidance - - Mandatory? + - Importance * - A TRE must not create user accounts for use by more than one person. - It is important that each user account should be used by one, and only one, person in order to facilitate the assignment of roles or permissions and to log the actions of individuals. - Mandatory @@ -499,7 +499,7 @@ The ability of the TRE organisation to ensure outputs are safely published and s * - Statement - Guidance - - Mandatory? + - Importance * - A TRE should have a system to aid classifying outputs. - Removing data from a TRE can be a difficult process as there is potential for sensitive data to be revealed. Having guidance, processes and methods will help ensure that outputs are correctly classified and, furthermore, that outputs due to be openly published are identified. 
@@ -534,7 +534,7 @@ These measures include vulnerability management of TRE infrastructure (whether p Vulnerability management describes the ability of the TRE organisation to identify, assess, report on, manage and remediate cyber vulnerabilities across endpoints, workloads, and systems. -| Statement | Guidance | Mandatory? | +| Statement | Guidance | Importance | | -------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | | All computing infrastructure belonging to the TRE should be kept up-to-date with security patches and antivirus (if appropriate) | This might involve scheduling regular automated scanning and application of updates. Infrastructure that is isolated from the internet or immutable in some way may not need to be updated. | Recommended | | Regular vulnerability scans of TRE infrastructure should be conducted | Ensuring that scans are done on a regular basis can enable TRE operators can identify and address weaknesses that may have been introduced during the operational lifetime of the TRE. | Recommended | 
@@ -547,7 +547,7 @@ Vulnerability management describes the ability of the TRE organisation to identi Security testing enables the TRE organisation to gain assurance in the security of a TRE by testing or attempting to breach some or all of that system's security. -| Statement | Guidance | Mandatory? | +| Statement | Guidance | Importance | | ------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | | Penetration tests should be carried out on TREs | By intentionally attempting to breach their TRE, organisations can proactively discover unnoticed vulnerabilities before they are exploited maliciously. Tests can evaluate the effectiveness of security controls in preventing data breaches, unauthorised access, or other security incidents | Recommended | | TRE security controls should be updated based on the results of security tests | Security testing can reveal bugs and discrepancies in the TRE architecture which should be addressed in advance of sensitive data being uploaded, or with urgency in the case of an operational TRE. Regular testing will allow organisations to refine their TRE security controls and incident response capabilities, enabling them to adapt to any new security concerns that may arise as a result of changes in the underlying software. | Recommended | 
@@ -562,7 +562,7 @@ _The ability of the TRE organisation to deploy and manage encryption to protect Here we define 'project' data as the data brought in for work which is very likely to be sensitive and 'user' data, as the working files of a project which might hold copies of all or part of the project data or otherwise reveal sensitive data (_e.g._ through hard coded row/column names). -| Statement | Guidance | Mandatory? | +| Statement | Guidance | Importance | | ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | | TREs must encrypt project and user data at rest | This prevents unauthorised access to the data even if the storage media is compromised. This may involve encrypted filesystems or tools to encrypt and decrypt data on demand. The encryption keys may be managed by the TRE organisation or by a trusted external actor (_e.g._ a cloud services provider). | Mandatory | | TREs must encrypt data when in transit between the TRE and the outside world | Data encryption must be used to safeguard against interception or tampering during transmission. This includes both data ingress and egress and users accessing the TRE, for example over a remote desktop or shell session | Mandatory | 
@@ -577,7 +577,7 @@ Here we define 'project' data as the data brought in for work which is very like The ability of the TRE organisation to manage and protect physical assets from unauthorised access, damage or destruction. Physical security controls can provide TREs using highly sensitive data an extra layer of security, even if technical controls are already in place for less sensitive data: -| Statement | Guidance | Mandatory? | +| Statement | Guidance | Importance | | ------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | | TREs could offer physical protection measures against data leakage or theft via physical means | Restricting access to research facilities containing computers logged into TREs can help prevent malicious actors from viewing or stealing sensitive data, for example by photographing a computer screen. Physical controls on access to a TRE could include surveillance systems, restricting access to locked rooms that limit entry to authorised personnel only, visitor management systems and employee training. | Optional | | TREs hosting particularly sensitive data may need to comply with specific regulatory requirements | Regulatory frameworks such as GDPR emphasise the need for physical security controls to protect sensitive data. Compliance with these regulations could require organisations to implement specific physical security measures to safeguard their TRE from unauthorised access. | Optional | From d21f1ce937339032b3368c0337d74ad33d200e53 Mon Sep 17 00:00:00 2001 
From: James Robinson Date: Thu, 8 Jun 2023 10:00:50 +0100 Subject: [PATCH 5/8] :recycle: Update Policy regulation and management table --- docs/source/standard.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index 9180c957..f369b6a5 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -59,10 +59,19 @@ _The ability of the TRE organisation to monitor compliance with internal and ext _How an organsation determines what policies and regulations are required and ensures alignment to changes in requirements._ -| Statement | Guidance | Importance | -| ------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| You have a process in place to ensure any new project requiring a TRE meets relevant legal, ethical and contractual requirements | For example national legislation such as GDPR, discipline specific regulation like GCP or contractural requirements from a specific data provider such as a company or research partner organisation | Mandatory | -| You have a process in place to monitor changes to any legal, ethical and contractual requirements, and to update your policies accordingly | | Mandatory | +```{list-table} +:header-rows: 1 +:name: tab-policy-regulation-management +* - Statement + - Guidance + - Importance +* - You have a process in place to ensure any new project requiring a TRE meets relevant legal, ethical and contractual requirements + - For example national legislation such as GDPR, discipline specific regulation like GCP or contractural requirements from a specific data provider such as a company or research partner organisation + - Mandatory +* - You have a process in place to monitor changes to any legal, ethical and contractual requirements, and to update your policies accordingly + - + - Mandatory +``` ### 1.3 Quality management From 2a060fb4b9f80233b038a6077d6803da81e09519 Mon Sep 17 00:00:00 2001 
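Review bot: The added Guidance line for the first row carries over the typo "contractural" (should be "contractual"), and the context line above the table still reads "organsation". Since the row is being rewritten anyway, fix both here. "GCP" on the same added line is not expanded; in a document that also discusses cloud platforms it is worth spelling out on first use.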
From: James Robinson Date: Thu, 8 Jun 2023 10:27:56 +0100 Subject: [PATCH 6/8] :recycle: Update remaining tables --- docs/source/standard.md | 323 ++++++++++++++++++++++++++++++---------- 1 file changed, 247 insertions(+), 76 deletions(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index f369b6a5..3e9aaa4e 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md 
@@ -79,17 +79,35 @@ _The ability of the TRE organisation to measure and control quality of processes #### Document management -| Statement | Guidance | Importance | -| --------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| All policies & standard operating procedures relevant to the TRE organisation are controlled | This may include measures like restricting edit access to relevant documents, and recording acceptance of policies for all TRE organisation members | Mandatory | -| All policies & standard operating procedures relevant to the TRE organisation are version controlled and have codified change processes | Version control includes recording dates of changes, person responsible for carrying out changes, and summary of changes | Mandatory | +```{list-table} +:header-rows: 1 +:name: tab-document-management +* - Statement + - Guidance + - Importance +* - All policies & standard operating procedures relevant to the TRE organisation are controlled + - This may include measures like restricting edit access to relevant documents, and recording acceptance of policies for all TRE organisation members + - Mandatory +* - All policies & standard operating procedures relevant to the TRE organisation are version controlled and have codified change processes + - Version control includes recording dates of changes, person responsible for carrying out changes, and summary of changes + - Mandatory +``` #### Issue management -| Statement | Guidance | Importance | -| --------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | ---------- | -| You have a 
clear process in place for addressing activity within your TRE organisation that deviates from your policies and standard operating procedures | This can include measures like triage analysis and a process for updating policies | Mandatory | -| You have methods in place to record progress in resolving issues with, and deviations against, your policies | | Mandatory | +```{list-table} +:header-rows: 1 +:name: tab-issue-management +* - Statement + - Guidance + - Importance +* - You have a clear process in place for addressing activity within your TRE organisation that deviates from your policies and standard operating procedures + - This can include measures like triage analysis and a process for updating policies + - Mandatory +* - You have methods in place to record progress in resolving issues with, and deviations against, your policies + - + - Mandatory +``` ### 1.4 Risk management 
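Review bot: The second row of `tab-issue-management` ("You have methods in place to record progress in resolving issues with, and deviations against, your policies") is Mandatory but has an empty Guidance cell, now a bare `-` item in the list-table. A mandatory statement with no guidance gives an assessor nothing to check against; add a sentence on what counts as an acceptable record (for example an issue log with owner, status and closure date), or mark the cell explicitly as having no guidance so it does not look like a conversion slip.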
@@ -97,12 +115,25 @@ _The ability of the TRE organisation to measure, forecast and evaluate risks to #### Risk assessment -| Statement | Guidance | Importance | -| ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| You have a way to score risk to understand the underlying severity | You have a risk assesment methodology for scoring risks on multiple axes such as impact and likelihood | Mandatory | -| You have a process for mitigating risk using additional controls | Risks can be reduced to a level which brings it within agreed levels of appetite | Mandatory | -| You have an understanding of risk appetite | This includes understanding ownership of risk, and ability to accept risk which falls outside of the appetite should that become necessary | Mandatory | -| You carry out a data processing assessment for all projects requiring a TRE that are working with sensitive data | a data processing assessment is a process designed to identify risks arising out of the processing of sensitive data and to minimise these risks as far and as early as possible | Mandatory | +```{list-table} +:header-rows: 1 +:name: tab-risk-assessment +* - Statement + - Guidance + - Importance +* - You have a way to score risk to understand the underlying severity + - You have a risk assesment methodology for scoring risks on multiple axes such as impact and likelihood + - Mandatory +* - You have a process for mitigating risk using additional controls + - Risks can be reduced to a level which brings it within agreed levels of appetite + - Mandatory +* - You have an understanding of risk appetite + - This includes understanding ownership of risk, and ability to accept risk which falls outside of the appetite should that become necessary + - 
Mandatory +* - You carry out a data processing assessment for all projects requiring a TRE that are working with sensitive data + - A data processing assessment is a process designed to identify risks arising out of the processing of sensitive data and to minimise these risks as far and as early as possible + - Mandatory +``` ### 1.5 Project management 
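Review bot: The added Guidance line in the first row of `tab-risk-assessment` still says "risk assesment methodology" (should be "assessment"), and the second row has "Risks can be reduced to a level which brings it within agreed levels of appetite", where "it" should be "them". This hunk already changes wording by capitalising "A data processing assessment", so text fixes are in scope here; either fix these in the same commit or keep the conversion purely mechanical and leave the capitalisation for a follow-up.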
@@ -110,21 +141,42 @@ _The ability of the TRE organisation to manage projects effectively._ #### Project onboarding -| Statement | Guidance | Importance | -| --------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------- | -| You have checks in place to ensure a project has the legal, financial and ethical requirements in place for the duration of the project | This includes checks that contracts are in place where required, adequate funding is available for the duration of the project, and responsibilities concerning data ownership are understood by all parties | Mandatory | +```{list-table} +:header-rows: 1 +:name: tab-project-onboarding +* - Statement + - Guidance + - Importance +* - You have checks in place to ensure a project has the legal, financial and ethical requirements in place for the duration of the project + - This includes checks that contracts are in place where required, adequate funding is available for the duration of the project, and responsibilities concerning data ownership are understood by all parties + - Mandatory +``` #### Project closure -| Statement | Guidance | Importance | -| --------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ---------- | -| You have standard processes in place for the end of a project, that follow all legal requirements and data security best practice | This includes the archiving of quality and log data along with the archiving or deletion of data sets | Mandatory | +```{list-table} +:header-rows: 1 +:name: tab-project-closure +* - Statement + - 
Guidance + - Importance +* - You have standard processes in place for the end of a project, that follow all legal requirements and data security best practice + - This includes the archiving of quality and log data along with the archiving or deletion of data sets + - Mandatory +``` #### Roles and responsibilities -| Statement | Guidance | Importance | -| ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| You have clearly defined roles and responsibilities within your TRE organisation for all members | This may include roles such as users, system administrators, system operators, data providers and more. Every member of your TRE organisation should have a pre-defined role with clear powers and responsibilities | Mandatory | +```{list-table} +:header-rows: 1 +:name: tab-roles-responsibilities +* - Statement + - Guidance + - Importance +* - You have clearly defined roles and responsibilities within your TRE organisation for all members + - This may include roles such as users, system administrators, system operators, data providers and more. Every member of your TRE organisation should have a pre-defined role with clear powers and responsibilities + - Mandatory +``` ### 1.6 Member accreditation 
@@ -132,18 +184,38 @@ The ability of the TRE organisation to ensure that people with access to data ar #### Onboarding members -| Statement | Guidance | Importance | -| -------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ---------- | -| You have clear onboarding processes in place for all roles within your TRE organisation | This may include all members signing role-specific terms of use, and completing role specific training | Mandatory | -| You have a robust method for identifying accredited members of your TRE organisation, prior to their accessing of sensitive data | This may include multi-factor authentication (MFA), ID checks or email/phone verification | Mandatory | +```{list-table} +:header-rows: 1 +:name: tab-onboarding-members +* - Statement + - Guidance + - Importance +* - You have clear onboarding processes in place for all roles within your TRE organisation + - This may include all members signing role-specific terms of use, and completing role specific training + - Mandatory +* - You have a robust method for identifying accredited members of your TRE organisation, prior to their accessing of sensitive data + - This may include multi-factor authentication (MFA), ID checks or email/phone verification + - Mandatory +``` #### Training management and delivery -| Statement | Guidance | Importance | -| -------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| You have relevant training for all 
roles within the TRE organisation, and the ability to deliver this training | This may include: Cyber security training, GDPR training, and higher level training for system operators | Mandatory | -| All TRE organisation members have completed relevant training within the last 12 months | | Mandatory | -| You have a process in place to monitor all TRE organisation training completions & requirements | This process should document which members have completed which training, when the training was completed, and the date the training expires. It should also document how you will notify members when their training is about to expire, and ensure they do not have access to any TRE if relevant training is out-of-date | Mandatory | +```{list-table} +:header-rows: 1 +:name: tab-training-management-delivery +* - Statement + - Guidance + - Importance +* - You have relevant training for all roles within the TRE organisation, and the ability to deliver this training + - This may include: Cyber security training, GDPR training, and higher level training for system operators + - Mandatory +* - All TRE organisation members have completed relevant training within the last 12 months + - + - Mandatory +* - You have a process in place to monitor all TRE organisation training completions & requirements + - This process should document which members have completed which training, when the training was completed, and the date the training expires. It should also document how you will notify members when their training is about to expire, and ensure they do not have access to any TRE if relevant training is out-of-date + - Mandatory +``` (standard_capability_computing_technology)= 
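Review bot: The added Guidance line in the first row of `tab-onboarding-members` is inconsistent about hyphenation: "role-specific terms of use, and completing role specific training". Use "role-specific" in both places, and likewise "higher-level training" in the first row of `tab-training-management-delivery`, so the converted tables do not preserve the old inconsistencies.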
@@ -543,12 +615,25 @@ These measures include vulnerability management of TRE infrastructure (whether p Vulnerability management describes the ability of the TRE organisation to identify, assess, report on, manage and remediate cyber vulnerabilities across endpoints, workloads, and systems. -| Statement | Guidance | Importance | -| -------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| All computing infrastructure belonging to the TRE should be kept up-to-date with security patches and antivirus (if appropriate) | This might involve scheduling regular automated scanning and application of updates. Infrastructure that is isolated from the internet or immutable in some way may not need to be updated. | Recommended | -| Regular vulnerability scans of TRE infrastructure should be conducted | Ensuring that scans are done on a regular basis can enable TRE operators can identify and address weaknesses that may have been introduced during the operational lifetime of the TRE. | Recommended | -| TREs should regularly check the compliance of machine and resource configurations | This might involve automated "desired state" enforcement, manual checks or checks over what is possible, for example ensuring that only certain network connections are allowed. | Recommended | -| TREs should adhere to one or more external security standards | The TRE organisation should identify appropriate security standards and best practices that it will adhere too. These should be stated to all stakeholders in advance of any data being brought in to the TRE. 
| Recommended | +```{list-table} +:header-rows: 1 +:name: tab-vulnerability-management +* - Statement + - Guidance + - Importance +* - All computing infrastructure belonging to the TRE should be kept up-to-date with security patches and antivirus (if appropriate) + - This might involve scheduling regular automated scanning and application of updates. Infrastructure that is isolated from the internet or immutable in some way may not need to be updated. + - Recommended +* - Regular vulnerability scans of TRE infrastructure should be conducted + - Ensuring that scans are done on a regular basis can enable TRE operators can identify and address weaknesses that may have been introduced during the operational lifetime of the TRE. + - Recommended +* - TREs should regularly check the compliance of machine and resource configurations + - This might involve automated "desired state" enforcement, manual checks or checks over what is possible, for example ensuring that only certain network connections are allowed. + - Recommended +* - TREs should adhere to one or more external security standards + - The TRE organisation should identify appropriate security standards and best practices that it will adhere too. These should be stated to all stakeholders in advance of any data being brought in to the TRE. + - Recommended +``` (security-testing)= 
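Review bot: Two added Guidance lines in `tab-vulnerability-management` carry over errors from the old table: "can enable TRE operators can identify and address weaknesses" has a duplicated "can" (suggest "can enable TRE operators to identify and address weaknesses"), and "best practices that it will adhere too" should end in "to". Both lines are being re-added in this hunk, so this is the place to correct them.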
@@ -556,12 +641,25 @@ Vulnerability management describes the ability of the TRE organisation to identi Security testing enables the TRE organisation to gain assurance in the security of a TRE by testing or attempting to breach some or all of that system's security. -| Statement | Guidance | Importance | -| ------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| Penetration tests should be carried out on TREs | By intentionally attempting to breach their TRE, organisations can proactively discover unnoticed vulnerabilities before they are exploited maliciously. Tests can evaluate the effectiveness of security controls in preventing data breaches, unauthorised access, or other security incidents | Recommended | -| TRE security controls should be updated based on the results of security tests | Security testing can reveal bugs and discrepancies in the TRE architecture which should be addressed in advance of sensitive data being uploaded, or with urgency in the case of an operational TRE. Regular testing will allow organisations to refine their TRE security controls and incident response capabilities, enabling them to adapt to any new security concerns that may arise as a result of changes in the underlying software. | Recommended | -| TRE operators must have procedures in place for rapid incident response | There may well be legal requirements to disclose details of any incidents, _e.g._ data breaches for organisations subject to GDPR. 
Having robust processes in place will ensure a swift and effective response when an incident occurs. | Mandatory | -| TREs should publish details of their security testing strategy and positive results or outcomes (e.g. security fixes) resulting from the testing | Knowledge that regular security testing occurs will help to ensure stakeholders, including researchers and data providers, can trust that the data they work with or are responsible for is secure within a TRE. | Recommended | +```{list-table} +:header-rows: 1 +:name: tab-security-testing +* - Statement + - Guidance + - Importance +* - Penetration tests should be carried out on TREs + - By intentionally attempting to breach their TRE, organisations can proactively discover unnoticed vulnerabilities before they are exploited maliciously. Tests can evaluate the effectiveness of security controls in preventing data breaches, unauthorised access, or other security incidents + - Recommended +* - TRE security controls should be updated based on the results of security tests + - Security testing can reveal bugs and discrepancies in the TRE architecture which should be addressed in advance of sensitive data being uploaded, or with urgency in the case of an operational TRE. Regular testing will allow organisations to refine their TRE security controls and incident response capabilities, enabling them to adapt to any new security concerns that may arise as a result of changes in the underlying software. + - Recommended +* - TRE operators must have procedures in place for rapid incident response + - There may well be legal requirements to disclose details of any incidents, _e.g._ data breaches for organisations subject to GDPR. Having robust processes in place will ensure a swift and effective response when an incident occurs. + - Mandatory +* - TREs should publish details of their security testing strategy and positive results or outcomes (e.g. 
security fixes) resulting from the testing + - Knowledge that regular security testing occurs will help to ensure stakeholders, including researchers and data providers, can trust that the data they work with or are responsible for is secure within a TRE. + - Recommended +``` (encryption)= 
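Review bot: in the `tab-security-testing` table, the only Mandatory row ("TRE operators must have procedures in place for rapid incident response") is about incident response rather than testing, so a reader checking section 4.2 for testing obligations finds a Mandatory item that no test satisfies. Consider moving that row to its own incident-response table, or cross-referencing one, while the rows are being rewritten anyway. Minor: the first Guidance cell ends "or other security incidents" with no full stop, unlike the other three rows.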
@@ -571,13 +669,28 @@ _The ability of the TRE organisation to deploy and manage encryption to protect Here we define 'project' data as the data brought in for work which is very likely to be sensitive and 'user' data, as the working files of a project which might hold copies of all or part of the project data or otherwise reveal sensitive data (_e.g._ through hard coded row/column names). -| Statement | Guidance | Importance | -| ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | -| TREs must encrypt project and user data at rest | This prevents unauthorised access to the data even if the storage media is compromised. This may involve encrypted filesystems or tools to encrypt and decrypt data on demand. The encryption keys may be managed by the TRE organisation or by a trusted external actor (_e.g._ a cloud services provider). | Mandatory | -| TREs must encrypt data when in transit between the TRE and the outside world | Data encryption must be used to safeguard against interception or tampering during transmission. This includes both data ingress and egress and users accessing the TRE, for example over a remote desktop or shell session | Mandatory | -| TREs should encrypt data when in transit inside the TRE | If possible, data transfers between different components of a TRE should also be encrypted | Recommended | -| Encryption software should be updated | The latest security patches and updates should be applied to any encryption software being used by the TRE. This helps address any known vulnerabilities or weaknesses in the encryption implementation. 
| Recommended | -| TREs should use secure key management | TREs should employ secure key management practices, including storing encryption keys separately from the encrypted data and implementing strong access controls (_e.g._ Single Sign On) for key management systems. | Recommended | +```{list-table} +:header-rows: 1 +:name: tab-encryption +* - Statement + - Guidance + - Importance +* - TREs must encrypt project and user data at rest + - This prevents unauthorised access to the data even if the storage media is compromised. This may involve encrypted filesystems or tools to encrypt and decrypt data on demand. The encryption keys may be managed by the TRE organisation or by a trusted external actor (_e.g._ a cloud services provider). + - Mandatory +* - TREs must encrypt data when in transit between the TRE and the outside world + - Data encryption must be used to safeguard against interception or tampering during transmission. This includes both data ingress and egress and users accessing the TRE, for example over a remote desktop or shell session + - Mandatory +* - TREs should encrypt data when in transit inside the TRE + - If possible, data transfers between different components of a TRE should also be encrypted + - Recommended +* - Encryption software should be updated + - The latest security patches and updates should be applied to any encryption software being used by the TRE. This helps address any known vulnerabilities or weaknesses in the encryption implementation. + - Recommended +* - TREs should use secure key management + - TREs should employ secure key management practices, including storing encryption keys separately from the encrypted data and implementing strong access controls (_e.g._ Single Sign On) for key management systems. + - Recommended +``` (physical-security)= 
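Review bot: in `tab-encryption`, "TREs must encrypt project and user data at rest" is Mandatory but "TREs should use secure key management" is only Recommended, and the at-rest guidance leaves key custody open ("may be managed by the TRE organisation or by a trusted external actor"). Encryption at rest does not give the stated protection against compromised storage media if the keys sit beside the data, so I would either raise the key-management row to Mandatory or move "storing encryption keys separately from the encrypted data" into the Mandatory at-rest guidance. Minor: the two in-transit Guidance cells lack a closing full stop.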
@@ -586,10 +699,19 @@ Here we define 'project' data as the data brought in for work which is very like The ability of the TRE organisation to manage and protect physical assets from unauthorised access, damage or destruction. Physical security controls can provide TREs using highly sensitive data an extra layer of security, even if technical controls are already in place for less sensitive data: -| Statement | Guidance | Importance | -| ------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| TREs could offer physical protection measures against data leakage or theft via physical means | Restricting access to research facilities containing computers logged into TREs can help prevent malicious actors from viewing or stealing sensitive data, for example by photographing a computer screen. Physical controls on access to a TRE could include surveillance systems, restricting access to locked rooms that limit entry to authorised personnel only, visitor management systems and employee training. | Optional | -| TREs hosting particularly sensitive data may need to comply with specific regulatory requirements | Regulatory frameworks such as GDPR emphasise the need for physical security controls to protect sensitive data. Compliance with these regulations could require organisations to implement specific physical security measures to safeguard their TRE from unauthorised access. 
| Optional | +```{list-table} +:header-rows: 1 +:name: tab-physical-security +* - Statement + - Guidance + - Importance +* - TREs could offer physical protection measures against data leakage or theft via physical means + - Restricting access to research facilities containing computers logged into TREs can help prevent malicious actors from viewing or stealing sensitive data, for example by photographing a computer screen. Physical controls on access to a TRE could include surveillance systems, restricting access to locked rooms that limit entry to authorised personnel only, visitor management systems and employee training. + - Optional +* - TREs hosting particularly sensitive data may need to comply with specific regulatory requirements + - Regulatory frameworks such as GDPR emphasise the need for physical security controls to protect sensitive data. Compliance with these regulations could require organisations to implement specific physical security measures to safeguard their TRE from unauthorised access. + - Optional +``` (standard_capability_supporting)= 
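Review bot: the second row of `tab-physical-security` pairs "may need to comply with specific regulatory requirements" with Importance "Optional", which reads as if compliance were optional. Where a regulation applies, the measures are not a choice, and the statement as written is an observation rather than something a TRE can be assessed against. Suggest rewording it as a testable statement, for example that the TRE identifies and meets any physical security requirements attached to the data it hosts, and setting the importance to match.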
@@ -601,25 +723,46 @@ The ability of the TRE organisation to access suitable and timely legal advice. -| Statement | Guidance | -| --------- | -------- | -| | | +```{list-table} +:header-rows: 1 +:name: tab-legal +* - Statement + - Guidance + - Importance +* - + - + - +``` ### 5.2 Relationship management The ability of the TRE organisation to maintain engagement with its customers, stakeholders and other interested parties. -| Statement | Guidance | -| --------- | -------- | -| | | +```{list-table} +:header-rows: 1 +:name: tab-relationship-management +* - Statement + - Guidance + - Importance +* - + - + - +``` ### 5.3 Other The ability of the TRE organisation to access other supporting capabilities such as financial or business continuity. -| Statement | Guidance | -| --------- | -------- | -| | | +```{list-table} +:header-rows: 1 +:name: tab-other +* - Statement + - Guidance + - Importance +* - + - + - +``` (standard_capability_roles)= @@ -635,9 +778,16 @@ The researchers working on projects that involve logging into a TRE to access da -| Statement | Guidance | -| --------- | -------- | -| | | +```{list-table} +:header-rows: 1 +:name: tab-tre-role-user +* - Statement + - Guidance + - Importance +* - + - + - +``` ### 6.2 TRE administration roles @@ -646,9 +796,16 @@ These roles cover managing TRE computing infrastructure, but also administering -| Statement | Guidance | -| --------- | -------- | -| | | +```{list-table} +:header-rows: 1 +:name: tab-tre-role-administrator +* - Statement + - Guidance + - Importance +* - + - + - +``` ### 6.3 TRE developer roles @@ -656,9 +813,16 @@ The software engineers responsible for developing and maintaining TRE software, -| Statement | Guidance | -| --------- | -------- | -| | | +```{list-table} +:header-rows: 1 +:name: tab-tre-role-developer +* - Statement + - Guidance + - Importance +* - + - + - +``` ### 6.4 TRE governance roles 
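Review bot: in the `@@ -601,25 +723,46 @@` hunk, `:name: tab-other` is too generic to be a stable cross-reference target for the 5.3 table; a label that names the section, such as `tab-supporting-other`, would be clearer. The placeholder tables in this and the following hunks also gain an Importance column that the old two-column tables did not have, with a single empty row; it is worth confirming in a docs build that those empty rows render without warnings, or leaving the tables out until there is content.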
@@ -666,9 +830,16 @@ Roles that uphold the governance of TREs. Such governance responsibilities typically involve establishing policies and procedures to ensure the responsible use of data, protecting the privacy and confidentiality of research participants, and promoting transparency and accountability in research activities. Typical roles might include data custodians, ethicists, an independent board or a lay panel. -| Statement | Guidance | -| --------- | -------- | -| | | +```{list-table} +:header-rows: 1 +:name: tab-tre-role-governance +* - Statement + - Guidance + - Importance +* - + - + - +``` ## Architecture From f5d23580c7c2a64812f44c61f0d33f159e638fe3 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Thu, 8 Jun 2023 10:29:52 +0100 Subject: [PATCH 7/8] :rotating_light: Standardise spacing in MyST tables --- docs/source/standard.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/docs/source/standard.md b/docs/source/standard.md index 3e9aaa4e..ed085f38 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md @@ -62,6 +62,7 @@ _How an organsation determines what policies and regulations are required and en ```{list-table} :header-rows: 1 :name: tab-policy-regulation-management + * - Statement - Guidance - Importance @@ -82,6 +83,7 @@ _The ability of the TRE organisation to measure and control quality of processes ```{list-table} :header-rows: 1 :name: tab-document-management + * - Statement - Guidance - Importance @@ -98,6 +100,7 @@ _The ability of the TRE organisation to measure and control quality of processes ```{list-table} :header-rows: 1 :name: tab-issue-management + * - Statement - Guidance - Importance @@ -118,6 +121,7 @@ _The ability of the TRE organisation to measure, forecast and evaluate risks to ```{list-table} :header-rows: 1 :name: tab-risk-assessment + * - Statement - Guidance - Importance 
@@ -144,6 +148,7 @@ _The ability of the TRE organisation to manage projects effectively._ ```{list-table} :header-rows: 1 :name: tab-project-onboarding + * - Statement - Guidance - Importance @@ -157,6 +162,7 @@ _The ability of the TRE organisation to manage projects effectively._ ```{list-table} :header-rows: 1 :name: tab-project-closure + * - Statement - Guidance - Importance @@ -187,6 +193,7 @@ The ability of the TRE organisation to ensure that people with access to data ar ```{list-table} :header-rows: 1 :name: tab-onboarding-members + * - Statement - Guidance - Importance @@ -203,6 +210,7 @@ The ability of the TRE organisation to ensure that people with access to data ar ```{list-table} :header-rows: 1 :name: tab-training-management-delivery + * - Statement - Guidance - Importance @@ -234,6 +242,7 @@ The interfaces used for interacting with the TRE management system and the TRE w ```{list-table} :header-rows: 1 :name: tab-end-user-user-interface + * - Statement - Guidance - Importance @@ -262,6 +271,7 @@ programming languages, IDEs, desktop applications etc. ```{list-table} :header-rows: 1 :name: tab-end-user-software-tools + * - Statement - Guidance - Importance @@ -290,6 +300,7 @@ The ability to run analyses requiring more compute resources, or more specialise ```{list-table} :header-rows: 1 :name: tab-end-user-advanced-cluster-computing + * - Statement - Guidance - Importance @@ -317,6 +328,7 @@ SQL, noSQL, etc. ```{list-table} :header-rows: 1 :name: tab-end-user-databases + * - Statement - Guidance - Importance @@ -333,6 +345,7 @@ The ability of the TRE organisation to record and analyse data about the usage o ```{list-table} :header-rows: 1 :name: tab-end-user-infrastructure-analytics + * - Statement - Guidance - Importance @@ -354,6 +367,7 @@ The ability of the TRE organisation to administer and secure network infrastruct ```{list-table} :header-rows: 1 :name: tab-end-user-network-management + * - Statement - Guidance - Importance 
@@ -383,6 +397,7 @@ _The ability of the TRE organisation to instantiate, deploy, change or remove de ```{list-table} :header-rows: 1 :name: tab-deployment-management + * - Statement - Guidance - Importance @@ -414,6 +429,7 @@ _The ability of the TRE organisation to ensure the right amount of resources are ```{list-table} :header-rows: 1 :name: tab-capacity-management + * - Statement - Guidance - Importance @@ -443,6 +459,7 @@ _The ability of the TRE organisation to identify, maintain, and verify informati ```{list-table} :header-rows: 1 :name: tab-configuration-management + * - Statement - Guidance - Importance @@ -470,6 +487,7 @@ _The ability of the TRE organisation to ensure all IT infrastructure, processes, ```{list-table} :header-rows: 1 :name: tab-availability-management + * - Statement - Guidance - Importance @@ -618,6 +636,7 @@ Vulnerability management describes the ability of the TRE organisation to identi ```{list-table} :header-rows: 1 :name: tab-vulnerability-management + * - Statement - Guidance - Importance @@ -644,6 +663,7 @@ Security testing enables the TRE organisation to gain assurance in the security ```{list-table} :header-rows: 1 :name: tab-security-testing + * - Statement - Guidance - Importance @@ -672,6 +692,7 @@ Here we define 'project' data as the data brought in for work which is very like ```{list-table} :header-rows: 1 :name: tab-encryption + * - Statement - Guidance - Importance @@ -702,6 +723,7 @@ Physical security controls can provide TREs using highly sensitive data an extra ```{list-table} :header-rows: 1 :name: tab-physical-security + * - Statement - Guidance - Importance @@ -726,6 +748,7 @@ The ability of the TRE organisation to access suitable and timely legal advice. ```{list-table} :header-rows: 1 :name: tab-legal + * - Statement - Guidance - Importance 
@@ -741,6 +764,7 @@ The ability of the TRE organisation to maintain engagement with its customers, s ```{list-table} :header-rows: 1 :name: tab-relationship-management + * - Statement - Guidance - Importance @@ -756,6 +780,7 @@ The ability of the TRE organisation to access other supporting capabilities such ```{list-table} :header-rows: 1 :name: tab-other + * - Statement - Guidance - Importance @@ -781,6 +806,7 @@ The researchers working on projects that involve logging into a TRE to access da ```{list-table} :header-rows: 1 :name: tab-tre-role-user + * - Statement - Guidance - Importance @@ -799,6 +825,7 @@ These roles cover managing TRE computing infrastructure, but also administering ```{list-table} :header-rows: 1 :name: tab-tre-role-administrator + * - Statement - Guidance - Importance @@ -816,6 +843,7 @@ The software engineers responsible for developing and maintaining TRE software, ```{list-table} :header-rows: 1 :name: tab-tre-role-developer + * - Statement - Guidance - Importance From d144de6254935f0a6d2b4599d845ddeadc088d32 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Thu, 8 Jun 2023 10:37:06 +0100 Subject: [PATCH 8/8] :recycle: Ensure that use of italics is standardised --- docs/source/standard.md | 75 ++++++++++++++++++++--------------------- 1 file changed, 36 insertions(+), 39 deletions(-) diff --git a/docs/source/standard.md b/docs/source/standard.md index ed085f38..8995ee95 100644 --- a/docs/source/standard.md +++ b/docs/source/standard.md @@ -35,7 +35,7 @@ There might be good reasons why any particular TRE does not possess one or more ## 1. Information governance -What the TRE organisation does to ensure information risk is measured and managed to an acceptable level. +This capability concerns what the TRE organisation does to ensure information risk is measured and managed to an acceptable level. ### 1.1 Compliance, monitoring and reporting 
@@ -57,7 +57,7 @@ _The ability of the TRE organisation to monitor compliance with internal and ext ### 1.2 Policy regulation and management -_How an organsation determines what policies and regulations are required and ensures alignment to changes in requirements._ +_How the TRE organisation determines what policies and regulations are required and ensures alignment to changes in requirements._ ```{list-table} :header-rows: 1 @@ -78,7 +78,7 @@ _How an organsation determines what policies and regulations are required and en _The ability of the TRE organisation to measure and control quality of processes, documentation and outputs._ -#### Document management +#### 1.3.1 Document management ```{list-table} :header-rows: 1 @@ -95,7 +95,7 @@ _The ability of the TRE organisation to measure and control quality of processes - Mandatory ``` -#### Issue management +#### 1.3.2 Issue management ```{list-table} :header-rows: 1 @@ -116,7 +116,7 @@ _The ability of the TRE organisation to measure and control quality of processes _The ability of the TRE organisation to measure, forecast and evaluate risks to information._ -#### Risk assessment +#### 1.4.1 Risk assessment ```{list-table} :header-rows: 1 @@ -143,7 +143,7 @@ _The ability of the TRE organisation to measure, forecast and evaluate risks to _The ability of the TRE organisation to manage projects effectively._ -#### Project onboarding +#### 1.5.1 Project onboarding ```{list-table} :header-rows: 1 @@ -157,7 +157,7 @@ _The ability of the TRE organisation to manage projects effectively._ - Mandatory ``` -#### Project closure +#### 1.5.2 Project closure ```{list-table} :header-rows: 1 @@ -171,7 +171,7 @@ _The ability of the TRE organisation to manage projects effectively._ - Mandatory ``` -#### Roles and responsibilities +#### 1.5.3 Roles and responsibilities ```{list-table} :header-rows: 1 
@@ -186,9 +186,9 @@ _The ability of the TRE organisation to manage projects effectively._ ### 1.6 Member accreditation -The ability of the TRE organisation to ensure that people with access to data are identified correctly and they are suitably qualified. +_The ability of the TRE organisation to ensure that people with access to data are identified correctly and they are suitably qualified._ -#### Onboarding members +#### 1.6.1 Onboarding members ```{list-table} :header-rows: 1 @@ -205,7 +205,7 @@ The ability of the TRE organisation to ensure that people with access to data ar - Mandatory ``` -#### Training management and delivery +#### 1.6.2 Training management and delivery ```{list-table} :header-rows: 1 @@ -229,15 +229,15 @@ The ability of the TRE organisation to ensure that people with access to data ar ## 2. Computing technology -What the TRE organisation does to manage systems for storing, retrieving, analysing and sending information. +This capability concerns what the TRE organisation does to manage systems for storing, retrieving, analysing and sending information. ### 2.1 End user computing -The ability of the TRE organisation to provide and manage devices, workspaces, interfaces and applications used by researchers to interact with underlying systems and data. +_The ability of the TRE organisation to provide and manage devices, workspaces, interfaces and applications used by researchers to interact with underlying systems and data._ #### 2.1.1 User interface -The interfaces used for interacting with the TRE management system and the TRE workspace. +_The interfaces used for interacting with the TRE management system and the TRE workspace._ ```{list-table} :header-rows: 1 
@@ -265,8 +265,7 @@ The interfaces used for interacting with the TRE management system and the TRE w #### 2.1.2 Software tools -The tools used by researchers inside a TRE -programming languages, IDEs, desktop applications etc. +_The tools used by researchers inside a TRE, such as programming languages, IDEs and desktop applications._ ```{list-table} :header-rows: 1 @@ -295,7 +294,7 @@ programming languages, IDEs, desktop applications etc. #### 2.1.3 Advanced or cluster computing -The ability to run analyses requiring more compute resources, or more specialised hardware, than is present in the user's workspace. +_The ability to run analyses requiring more compute resources, or more specialised hardware, than is present in the user's workspace._ ```{list-table} :header-rows: 1 @@ -322,9 +321,6 @@ The ability to run analyses requiring more compute resources, or more specialise #### 2.1.4 Databases -Provision of databases for users -SQL, noSQL, etc. - ```{list-table} :header-rows: 1 :name: tab-end-user-databases @@ -340,7 +336,7 @@ SQL, noSQL, etc. ### 2.2 Infrastructure analytics -The ability of the TRE organisation to record and analyse data about the usage of the TRE. +_The ability of the TRE organisation to record and analyse data about the usage of the TRE._ ```{list-table} :header-rows: 1 @@ -362,7 +358,7 @@ The ability of the TRE organisation to record and analyse data about the usage o ### 2.3 Network management -The ability of the TRE organisation to administer and secure network infrastructure using applications, tools and processes. +_The ability of the TRE organisation to administer and secure network infrastructure using applications, tools and processes._ ```{list-table} :header-rows: 1 
@@ -388,7 +384,7 @@ The ability of the TRE organisation to administer and secure network infrastruct ### 2.4 Infrastructure lifecycle management -The ability of the TRE organisation to manage necessary physical or virtual infrastructure. +_The ability of the TRE organisation to manage necessary physical or virtual infrastructure._ #### 2.4.1 Deployment management @@ -504,11 +500,11 @@ _The ability of the TRE organisation to ensure all IT infrastructure, processes, ## 3. Data management -The ability of the TRE organisation to manage data assets and ensure information remains secure. +This capability concerns the ability of the TRE organisation to manage data assets and ensure information remains secure. ### 3.1 Data lifecycle management -The ability of the TRE organisation to manage how and where data is stored, how it moves, changes and is removed. +_The ability of the TRE organisation to manage how and where data is stored, how it moves, changes and is removed._ ```{list-table} :header-rows: 1 @@ -557,7 +553,7 @@ The ability of the TRE organisation to manage how and where data is stored, how ### 3.2 Identity and access management -The ability of the TRE organisation to ensure the right people (identities) can access the tools and data they need and no more. +_The ability of the TRE organisation to ensure the right people (identities) can access the tools and data they need and no more._ ```{list-table} :header-rows: 1 @@ -590,7 +586,7 @@ The ability of the TRE organisation to ensure the right people (identities) can ### 3.3 Output management -The ability of the TRE organisation to ensure outputs are safely published and shared. +_The ability of the TRE organisation to ensure outputs are safely published and shared._ ```{list-table} :header-rows: 1 
@@ -615,7 +611,7 @@ The ability of the TRE organisation to ensure outputs are safely published and s ## 4. Information security -_The ability of the TRE organisation to protect against the unauthorized use of information, especially electronic data._ +This capability relates to the ability of the TRE organisation to protect against the unauthorized use of information, especially electronic data. Measures taken to ensure information security can be further categorised into: @@ -631,7 +627,7 @@ These measures include vulnerability management of TRE infrastructure (whether p ### 4.1 Vulnerability management -Vulnerability management describes the ability of the TRE organisation to identify, assess, report on, manage and remediate cyber vulnerabilities across endpoints, workloads, and systems. +_The ability of the TRE organisation to identify, assess, report on, manage and remediate technical vulnerabilities across endpoints, workloads, and systems._ ```{list-table} :header-rows: 1 @@ -658,7 +654,7 @@ Vulnerability management describes the ability of the TRE organisation to identi ### 4.2 Security testing -Security testing enables the TRE organisation to gain assurance in the security of a TRE by testing or attempting to breach some or all of that system's security. +_Security testing enables the TRE organisation to gain assurance in the security of a TRE by testing or attempting to breach some or all of that system's security._ ```{list-table} :header-rows: 1 
@@ -717,7 +713,8 @@ Here we define 'project' data as the data brought in for work which is very like ### 4.4 Physical security -The ability of the TRE organisation to manage and protect physical assets from unauthorised access, damage or destruction. +_The ability of the TRE organisation to manage and protect physical assets from unauthorised access, damage or destruction._ + Physical security controls can provide TREs using highly sensitive data an extra layer of security, even if technical controls are already in place for less sensitive data: ```{list-table} @@ -741,7 +738,7 @@ Physical security controls can provide TREs using highly sensitive data an extra ### 5.1 Legal -The ability of the TRE organisation to access suitable and timely legal advice. +_The ability of the TRE organisation to access suitable and timely legal advice._ @@ -759,7 +756,7 @@ The ability of the TRE organisation to access suitable and timely legal advice. ### 5.2 Relationship management -The ability of the TRE organisation to maintain engagement with its customers, stakeholders and other interested parties. +_The ability of the TRE organisation to maintain engagement with its customers, stakeholders and other interested parties._ ```{list-table} :header-rows: 1 @@ -775,7 +772,7 @@ The ability of the TRE organisation to maintain engagement with its customers, s ### 5.3 Other -The ability of the TRE organisation to access other supporting capabilities such as financial or business continuity. +_The ability of the TRE organisation to access other supporting capabilities such as financial or business continuity._ ```{list-table} :header-rows: 1 
@@ -791,13 +788,13 @@ The ability of the TRE organisation to access other supporting capabilities such (standard_capability_roles)= -## 6. Roles +## Roles A TRE conforming to the SATRE standard should provide a broadly similar experience for stakeholders operating in each of these defined roles. There is not necessarily a one-to-one mapping between roles and people. One person can have multiple roles. -### 6.1 TRE users +### TRE users The researchers working on projects that involve logging into a TRE to access data. @@ -815,7 +812,7 @@ The researchers working on projects that involve logging into a TRE to access da - ``` -### 6.2 TRE administration roles +### TRE administration roles The IT and related professionals who will be responsible for deploying and managing instances of a TRE conforming to the SATRE standard. These roles cover managing TRE computing infrastructure, but also administering the TRE itself (_e.g._ managing users and projects). @@ -834,7 +831,7 @@ These roles cover managing TRE computing infrastructure, but also administering - ``` -### 6.3 TRE developer roles +### TRE developer roles The software engineers responsible for developing and maintaining TRE software, including adding functionality, bug fixes and general maintenance. @@ -852,7 +849,7 @@ The software engineers responsible for developing and maintaining TRE software, - ``` -### 6.4 TRE governance roles +### TRE governance roles Roles that uphold the governance of TREs. Such governance responsibilities typically involve establishing policies and procedures to ensure the responsible use of data, protecting the privacy and confidentiality of research participants, and promoting transparency and accountability in research activities.
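Review bot: PATCH 7/8 adds the blank line after `:name:` to 28 tables, ending with `tab-tre-role-developer`, but has no hunk for `tab-tre-role-governance`, which the `@@ -666,9 +830,16 @@` hunk earlier in the series introduces with `* - Statement` directly after the `:name:` line. If the aim is to standardise spacing, that table needs the same blank line.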
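Review bot: in PATCH 8/8, the `@@ -322,9 +321,6 @@` hunk deletes the 2.1.4 Databases description ("Provision of databases for users", "SQL, noSQL, etc.") instead of italicising it, so this becomes the only subsection under 2.1 without a definition line. The 2.1.2 hunk shows the pattern to follow; something like "_The provision of databases for users, such as SQL and NoSQL databases._" would keep the content.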
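Review bot: in PATCH 8/8, the `@@ -615,7 +611,7 @@` hunk introduces section 4 with "This capability relates to the ability ...", where the section 1 to 3 hunks use "This capability concerns ..."; pick one form. The same added line keeps "unauthorized" while the 4.4 hunk and the tables use "unauthorised".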
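Review bot: in PATCH 8/8, the `@@ -631,7 +627,7 @@` hunk changes "cyber vulnerabilities" to "technical vulnerabilities" and drops the "Vulnerability management describes" lead-in, which alters the wording of the 4.1 definition and not just its formatting. That deserves a line in the commit message so that reviewers of the standard notice the change of term.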
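Review bot: in PATCH 8/8, the `@@ -791,13 +788,13 @@` hunk and the three after it strip the numbers from "6. Roles" and 6.1 to 6.4, while earlier hunks in the same patch add numbers (1.3.1, 1.5.1 and so on). That is a structural change the subject line ("use of italics") does not cover, and the role descriptions under those headings are left unitalicised. Either mention the renumbering in the commit message or split it out, and state whether role descriptions are meant to be exempt from the italic convention.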