[Change]: Review of Data Management Page

[jawsgrant]

Summary

Suggestions/comments on data management

Source

Personal contribution

Detail

3. Data management

Data mangement appears to be structured differently. It seems it has statements directly under capabilities without groupings under components? In addition to maintaining consistency it would break up the groupings into more manageable chunks.

3.1. Data lifecycle management

3.1.3
Seems to be more about classificaiton of datasets by standards, than Data lifcycle?

3.1.4
is ingress lifecycle management, or as with output/egress is it a capability in its own right?

3.1.4..3.1.7
Egress? I am confused as to the distinction between egress here and the output management section. Seems to be overlap in purpose at least.

3.1.14
Importance: Should this not be mandatory, isn't this a tenet of Safe Data?

3.2 Identity and access management
*Why is this under data management? Some are IG and already there I think e.g. 3.2.1, 3.2.2 (why only reasonably convinced that a user is who they claim to be?) and 3.2.3. 3.2.4,3.2.5 seem to be IAM Computing technology and 3.2.5 is a networking component of Computing tech..

3.3. Output management

3.3.1
*Guidance: query. '... furthermore, that outputs due to be openly published are identified.' Wording is a little confusing, but should it be assumed that anything egressed is in the public domain, published or not?
I agree that 'Encouraging openly published outputs will enhance a TRE’s impact and transparency.' is a good thing but does it relate to systems to classifying outputs?

3.3.8
Should be a tenet of safe outputs. Really strong! In training focussed on working within TRE should there be a topic specifically on this in training for users.

3.5. Information security

The introduction breaks from the mould, is this necessary? The categories, in any other pillar would just be components. Why are they different here? Unless there is clear reason. I think it would be useful to map this onto the approach in the previous pillars.

Suggest ...Ability to... and slightly longer definition if required at the Category level and map the components (not categories) onto the previous 'This group of ***** components is a ...'

3.5.1,3.5.2
Do these belong under computing technology? If they do belong here, should there be a correspongin requirement in computing technology to provide for it?

3.5.3
Does this belong under IG?

3.5.4-3.5.7 Security testing
I am not questioning whether these should be included in the specification, but, as with vulnerability management (3.5.1-3.5.3) do these fall under the Data management pillar? Again if they are required here, shold there be correponding requirements to implement them under Computing Technology

On the above is it worth have a table of relations across pillars, e.g. IG pillar requirement is addressed by Computing Technologies refquirement to enable data management requirement?

3.6. Security Levels and Tiering

The ability of the TRE operator to configure ...

3.7,3.8,3.9 also have no aligned role

3.7, 3.8 and 3.4 seem aligned in purpose, could they be grouped more closely in the structure?

Where

https://satre-specification.readthedocs.io/en/latest/pillars/data_management.html

Proposal

3.1.3
Statement: typo. data sets->datasets

3.1.10
Guidance: typo. information-> Information
Guidance: suggested rephrasing, remove repeititon of statement
Information asset owners may require certification of file deletion and you should keep a record for auditing.

3.3.1
Guidance: suggested rephrasing
Removing data from a TRE can be a difficult process as there is potential for sensitive data to be revealed. Anything egressed is outside TRE control and should be considered suitable for being in the public domain. Having guidance, processes and methods will help ensure that outputs are correctly classified.

Who can help

No response